JP2020058011A - Gateway device, network system, control method and program - Google Patents

Abstract

To avoid reduction in communication quality of a terminal, in a system that comprises a gateway device between a first network and a second network.SOLUTION: Provided is a gateway device used as any one of a plurality of gateway devices in a network system that comprises a plurality of gateway devices provided between a first network to which a terminal is connected and a second network to which a server that is an access destination of the terminal is connected. The gateway device comprises: a proxy part that executes access to the server on behalf of the terminal; a metric collection part that acquires a metric value indicating a state of the gateway device; and a distribution controller that determines a gateway device to be used by the terminal among the plurality of gateway devices on the basis of an IP address of the terminal, setting information, the metric values collected from the plurality of gateway devices.SELECTED DRAWING: Figure 4

Description

  The present invention relates to a distributed Internet gateway for large private networks.

  In a large-scale private network used by a company, when an end-user terminal accesses a Web server on the Internet, the communication is performed via Web Proxy in order to avoid communication audits and security problems. There are many.

  Such a gateway for communicating from the private network to the Internet is called "Internet Gateway (IGW)", and there is also a method of communicating via NAPT (Network Address Port Translation) in addition to the method using Web Proxy. However, hereinafter, a method using Web Proxy is referred to as IGW.

  The IGW connects the Web Proxy device to both the private network and the Internet, temporarily terminates Web communication from a terminal in the private network, and accesses an external Web server as a proxy for the terminal.

  The IGW is often used in combination with an advanced security function called Unified Threat Management (UTM) to detect and avoid security problems such as malware downloads from external websites as well as WebProxy functions. .

JP-A-2006-144144

  When a company constructs an IGW in a large-scale private network, it is common to construct the IGW at one location using a physical machine. However, there is a problem that the communication quality of a terminal located far from the installation location of the IGW may be deteriorated particularly when the private network is distributed over a wide area.

  It should be noted that the above problem is a problem that can occur not only in the gateway device between the private network and the Internet.

  The present invention has been made in view of the above points, and has been made in view of the above, and is a technology that enables a system including a gateway device between a first network and a second network to avoid a decrease in communication quality of a terminal. The purpose is to provide.

According to the disclosed technology, in a network system having a plurality of gateway devices provided between a first network to which a terminal is connected and a second network to which a server to be accessed by the terminal is connected A gateway device used as any one of the plurality of gateway devices,
A proxy unit that executes access to the server on behalf of the terminal;
A metric collection unit that acquires a metric value indicating a state of the gateway device;
A distributed control unit that determines a gateway device to be used by the terminal from among the plurality of gateway devices based on the IP address of the terminal, setting information, and a metric value collected from the plurality of gateway devices. A gateway device is provided.

  According to the disclosed technology, in a system including a gateway device between a first network and a second network, a technology is provided that can avoid a decrease in communication quality of a terminal.

It is a figure showing a centralized type IGW configuration. FIG. 2 is a diagram illustrating an IGW configuration in a virtual environment. FIG. 3 is a diagram illustrating a distributed arrangement of cells. It is a figure which shows traffic distribution control. FIG. 4 is a diagram illustrating an example of setting information held by a distribution control unit. It is a sequence diagram for explaining a processing procedure. FIG. 2 is a diagram illustrating an example of a hardware configuration of an apparatus.

  Hereinafter, embodiments of the present invention (the present embodiment) will be described with reference to the drawings. The embodiments described below are merely examples, and embodiments to which the present invention is applied are not limited to the following embodiments. Hereinafter, after describing the problem in more detail, the technology according to the embodiment of the present invention will be described.

  Although the present embodiment is directed to a gateway device between a private network and the Internet, the present invention is applicable not only to a gateway device between a private network and the Internet. For example, the present invention can be applied to a gateway device between private networks of different companies.

(Issues of centralized IGW)
As described above, when a company constructs an IGW on a large-scale private network, a Web Proxy or UTM is combined to construct an IGW system at one site. Since the traffic from the end terminal concentrates on this IGW, this is called a centralized IGW.

  FIG. 1 shows a configuration example of the centralized IGW. As shown in FIG. 1, the IGW 10 is connected to both the private network 20 and the Internet 30. In the example of FIG. 1, terminals a to c exist at bases A to C, respectively, and are connected to the private network 20. A Web server 40 to which the terminal accesses is connected to the Internet 30. The IGW 10 has a plurality of Web proxies 11 and a plurality of UTMs as a redundant configuration.

  When a single IGW 10 is constructed as shown in FIG. 1, traffic from a terminal is concentrated on one IGW 10, and the IGW 10 may become a bottleneck.

  In addition, in order to avoid a communication failure due to a failure of a device or a line, a device or a line such as a Web Proxy or a UTM has a redundant configuration of Act / Sby as shown in the example of FIG. It is often designed to switch to However, there is a problem that the Sby device is not used in a state where the system operates normally, and the utilization efficiency of the equipment is low.

  Further, when the private network 20 is distributed over a wide area, a terminal located far from the installation location of the IGW 10 may have a large communication path and delay to a Web site via the IGW 10 and may have a deteriorated communication quality. There is.

  Hereinafter, a technology according to an embodiment of the present invention that solves the above-described problem will be described.

(IGW using virtualization technology)
In recent years, virtualization of communication devices (Network Function Virtualization: NFV) has advanced, and it has become possible to construct a communication system on a virtualization platform. By utilizing NFV, physical work such as installation of equipment and wiring is not required.

  In addition, a number of services such as a cloud providing a virtual infrastructure for constructing an NFV have been provided in Japan and overseas, and a cloud service which can be directly connected to a private network has also been provided. By combining a virtual version of Web Proxy or UTM with a virtualization platform that can be directly connected to a private network, an IGW system similar to the case where a physical device is used can be constructed.

  FIG. 2 shows a configuration example of an IGW in a virtual environment. As shown in FIG. 2, the IGW 100 is built on the virtualization platform. The IGW 100 includes a Web proxy 110 and a UTM 120.

(Distributed IGW)
In the present embodiment, instead of constructing the IGW in the virtualization environment as a centralized configuration, the IGW in the virtualization environment is distributed and arranged in different virtualization environments, and traffic from terminals is controlled in a distributed manner. We are going to build. This distributed IGW system is referred to herein as Micro Internet Gateway (MIGW). Note that the distributed arrangement in different virtualization environments means that, for example, data centers providing the virtualization environment are dispersedly arranged in a plurality of geographical locations, and an IGW on the virtualization environment is constructed in each data center. Means to be done.

  In MIGW, a function set of the IGW in the virtual environment is called a “cell”. That is, each IGW among the plurality of IGWs arranged in a distributed manner is called a “cell”. In the distributed IWG, as shown in FIG. 3, a plurality of cells are constructed on virtualization platforms in different regions, and traffic from an end terminal is distributed and processed in a plurality of cells. For example, in the example of FIG. 3, the cell 100-1 processes traffic from the terminal A at the site A, the cell 100-2 processes traffic from the terminal b at the site B, and the cell 100-3 operates at the terminal C at the site C. Process traffic from terminal c. Note that a configuration having a plurality of cells may be called a network system.

  In the distributed IGW according to the present embodiment, communication quality is optimized by controlling communication from an end terminal to pass through a cell closer to the terminal among a plurality of cells. In addition, when a failure occurs in a certain cell among a plurality of cells, the traffic is controlled to pass through a cell in which no failure has occurred. Examples of these control methods will be described later.

(Advantages of MIGW)
The MIGW has the following advantages over the centralized IGW by making the IGW a distributed type.

  -Since all the cells are used in Active, all facilities can be effectively used, and the utilization efficiency of facilities is high.

  -Since the end terminal can pass through the optimum cell from among a plurality of cells, it is possible to avoid a decrease in communication quality.

  When a failure occurs in a cell, the influence of the failure can be avoided by controlling the traffic so as to pass through another cell.

  -By constructing a cell in a remote area, DR (Disaster Recovery) that avoids a large-scale failure occurring in a specific area can be realized.

  -When traffic increases, the traffic capacity to be processed can be increased by constructing additional cells.

(Traffic distribution method among multiple cells)
FIG. 4 shows a configuration example for realizing traffic distribution control between a plurality of cells. In FIG. 4, cells are provided in each of the area X and the area Y, and the internal configuration of each is shown. Since the cell of the region X and the cell of the region Y have the same configuration, the description will be given here with reference to the cell 100 of the region X.

<Device configuration and functions>
As shown in FIG. 4, the cell 100 includes a UTM 110, a Web proxy 120, a distribution control unit 130, an internal DNS unit 140, and a metric collection unit 150. Note that the distribution control unit, the metric collection unit, and the internal DNS unit may be called a distribution control function, a metric collection function, and an internal DNS function, respectively. Further, the internal DNS unit may be called an internal DNS server.

  The UTM 110, the Web proxy 120, the distribution control unit 130, the internal DNS unit 140, and the metric collection unit 150 are functional units built on a virtualization platform such as a cloud, but the entities are programs that run on a computer. . Further, each of the UTM 110, the Web proxy 120, the distribution control unit 130, the internal DNS unit 140, and the metric collection unit 150 may be realized by one or a plurality of physical machines, not on the virtualization platform. In addition, a unit of a plurality of functional units of any combination among the UTM 110, the Web proxy 120, the distribution control unit 130, the internal DNS unit 140, and the metric collection unit 150 may be realized by one or a plurality of physical machines.

  Further, the distribution control unit 130 and the metric collection unit 150 may be function units inside the Web proxy 120.

  The provision of the UTM 110 in addition to the Web proxy 120 as an original function of the IGW in the cell 100 is an example. The UTM 110 may not be provided, or a functional unit other than the UTM 110 may be provided. The function of each functional unit is as follows.

  The UTM 110 detects and avoids security problems such as downloading malware from an external website. The Web proxy 120 temporarily terminates Web access (HTTP communication) from the terminal, and accesses an external Web server on behalf of the terminal.

  The metric collection unit 150 periodically acquires a metric value indicating the state of the cell 100 and stores the metric value in the storage unit. The metric value acquired by the metric collection unit 150 is, for example, a value indicating the normality of the Internet connection of the cell 100, a value indicating the normality of the Web Proxy 120, a value indicating the normality of the UTM 110, a load of the Web Proxy 120, a load of the UTM 110. And so on. The metric collection unit 150 may acquire all of them, or may acquire one or more of them.

  The distribution control unit 130 periodically collects metric values from the metric collection units of all cells constituting the distributed IGW. For example, in the example of FIG. 4, the distribution control unit 130 collects the metric value from the metric collection unit 150 of the own cell and collects the metric value from the metric collection unit of the cell in the area Y.

  Further, the distribution control unit 130 stores, as setting information, information of a MIGW cell to be connected preferentially to an IP address of a terminal and information of a priority for determining an optimal cell. As for the setting information, the same information is synchronized and stored in all cells. That is, in the example of FIG. 4, the distribution control unit 130 in the area X and the distribution control unit in the area Y hold the same information as the setting information.

  Further, the distribution control unit 130 uses the latest metric information and setting information to select an optimum cell according to the IP address of the terminal.

  When receiving an inquiry about the name resolution of the Web Proxy 120 from the terminal, the internal DNS unit 140 inquires the distribution control unit 130 about the optimal IP address of the MIGW cell together with the IP address of the inquiry source terminal. That is, the internal DNS unit 140 notifies the distribution control unit 130 of the cell (may be referred to as a gateway device) used by the terminal by notifying the distribution control unit 130 of the IP address of the terminal acquired by the inquiry. The internal DNS unit 140 returns the IP address that has received a response from the distribution control unit 130 to the terminal as a response to the DNS inquiry.

  FIG. 5 is a diagram illustrating an example of a table that is (part of) setting information held by the distribution control unit 130 in the storage unit. In the example of FIG. 5, the table includes the connection priority of each cell for each IP address of the terminal. As for the priority, the smaller the value, the higher the priority. For example, an IP-A terminal connects to cell 2 with the highest priority. Note that the distribution control unit 130 also stores the IP address of each cell in the storage unit.

  In addition to the table as shown in FIG. 5, the distribution control unit 130 may provide, as setting information, a priority for each metric and a priority indicating which of the metric and the table is to be prioritized in determining the connection destination of the terminal. May be held.

<Processing sequence>
With reference to FIG. 6, as an example, a processing sequence until the terminal a is notified of the optimal IP address of the cell when the terminal a accesses the Web server 400 will be described.

  In step S101, the terminal a transmits an inquiry about name resolution of a Web proxy to the internal DNS unit 140. In the communication at the stage of accessing the internal DNS unit from the terminal a, the access may be routed to the internal DNS unit of the geographically closest cell based on the IP address of the terminal a. Alternatively, the IP address of the internal DNS unit as a communication destination may be set in advance in the terminal a.

  In S102, the internal DNS unit 140 transmits an IP address inquiry of the optimum cell together with the IP address of the terminal a of the inquiry source to the distribution control unit 130. It should be noted that the IP address inquiry message may include the IP address of the terminal a of the inquiry source, or the transmission of the IP address of the terminal a of the inquiry source to the distribution control unit 130 It may also mean that you are doing.

  As described above, the distribution control unit 130 collects and holds the metric values of all the cells of the distributed IGW.

  In S103, the distribution control unit 130 determines an optimal cell to be accessed by the terminal a based on the IP address, the setting information, and the metric information of the terminal a as the inquiry source.

  More specifically, for example, when the setting information indicates that the use of the table as shown in FIG. 5 is given the highest priority, the metric value of the cell indicated to be connected with the highest priority in the table Unless the load (eg, the load of the Web proxy and the load of the UTM) is not bad compared with a certain threshold, the optimum cell is determined according to the setting in the table. If the metric value of the cell indicated to be connected with the highest priority is lower than the threshold, determine the metric value of the next priority cell in the table, and if it is not lower than the threshold, , And determine that cell as the optimal cell.

  Further, for example, if the setting information is set so that the metric value is prioritized over the setting in the table as shown in FIG. 5 and the highest-priority metric value is the load of the Web proxy, for example, the distribution control unit 130 Extracts a cell having a Web proxy load equal to or less than a predetermined threshold value, and if there is only one cell, determines that cell as an optimal cell. If there are a plurality of cells whose Web proxy load is equal to or less than the predetermined threshold, the cell having the highest priority among the plurality is determined as the optimum cell by referring to the table.

  In S104, the distribution control unit 130 notifies the internal DNS unit 140 of the IP address of the cell determined in S103 (specifically, for example, the IP address of the Web proxy). In S105, the internal DNS unit 140 returns the IP address received from the distribution control unit 130 to the terminal a as a response to the name resolution inquiry. Then, the terminal a performs Web access with the IP address as a destination.

  Note that, in the present embodiment, the distribution control unit 130 selects an optimal cell by using the IP address of the transmission source of the name resolution inquiry as the IP address of the terminal, but this is an example. The IP address of the terminal may be acquired by means other than the name resolution inquiry, and an optimal cell may be selected.

(How to increase / decrease the capacity of MIGW)
Since the MIGW is a distributed IGW built on a virtual infrastructure, the entire MIGW is not added by increasing the performance of a single cell (the amount of resources used by the virtual infrastructure or the capacity of the VNF license) but by adding a cell. Can increase the traffic capacity that can be processed.

  Conversely, if there is room in the processing performance of the cell, a part of the cell is abolished, and the processing of the abolished cell is distributed to the remaining cells, whereby the capacity of the entire MIGW can be reduced.

  The use of a virtualization base or NFV does not require equipment installation and wiring work, and can be easily realized by software control. Since the users of the MIGW can gradually increase the capacity of the entire MIGW by adding cells, it is possible to introduce the IGW at an optimum cost without a large initial investment when introducing the system.

(Example of hardware configuration)
The cell in the MIGW described in the present embodiment, or each of a plurality of functional units constituting a cell, or a group of a plurality of functional units among all the functional units constituting a cell is described above. As described above, it is built on a virtualization platform, but its substance is a computer and a program. In addition, "a cell, or one of a plurality of functional units constituting a cell, or a group of a plurality of functional units among all the functional units constituting a cell" is collectively referred to as a "gateway device". May be called. The gateway device is not limited to the one built on the virtualization platform, but may be realized by a physical machine (that is, a computer) and a program.

  That is, the gateway device can be realized by causing a computer to execute a program describing the processing content described in the present embodiment.

  The gateway device can be realized by executing a program corresponding to a process performed by the gateway device using hardware resources such as a CPU and a memory built in the computer. The above-mentioned program can be recorded on a computer-readable recording medium (a portable memory or the like) and can be stored or distributed. Further, the above program can be provided through a network such as the Internet or electronic mail.

  FIG. 7 is a diagram illustrating an example of a hardware configuration of the computer according to the present embodiment. The computer in FIG. 7 includes a drive device 1000, an auxiliary storage device 1002, a memory device 1003, a CPU 1004, an interface device 1005, a display device 1006, an input device 1007, and the like, which are interconnected by a bus B.

  A program for realizing the processing by the computer is provided by a recording medium 1001 such as a CD-ROM or a memory card. When the recording medium 1001 storing the program is set in the drive device 1000, the program is installed from the recording medium 1001 to the auxiliary storage device 1002 via the drive device 1000. However, the program need not always be installed from the recording medium 1001, and may be downloaded from another computer via a network. The auxiliary storage device 1002 stores installed programs and also stores necessary files and data.

  The memory device 1003 reads the program from the auxiliary storage device 1002 and stores it when there is an instruction to start the program. The CPU 1004 implements functions related to the gateway device according to a program stored in the memory device 1003. The interface device 1005 is used as an interface for connecting to a network. The display device 1006 displays a GUI (Graphical User Interface) or the like by a program. The input device 1007 includes a keyboard, a mouse, buttons, a touch panel, and the like, and is used to input various operation instructions.

(Summary of Embodiment)
As described above, this specification discloses at least the gateway device, the network system, the control method, and the program described in the following sections.
(Section 1)
In a network system having a plurality of gateway devices provided between a first network to which a terminal is connected and a second network to which a server to be accessed by the terminal is connected, A gateway device used as one of the gateway devices,
A proxy unit that executes access to the server on behalf of the terminal;
A metric collection unit that acquires a metric value indicating a state of the gateway device;
A distributed control unit that determines a gateway device to be used by the terminal from among the plurality of gateway devices based on the IP address of the terminal, setting information, and a metric value collected from the plurality of gateway devices. Gateway device to be equipped.
(Section 2)
An internal DNS unit that inquires the distributed control unit of a gateway device used by the terminal by receiving a name resolution inquiry from the terminal and notifying the distributed control unit of an IP address of the terminal obtained based on the inquiry; The gateway device according to claim 1, further comprising:
(Section 3)
3. The gateway device according to claim 1, wherein the setting information includes information on a gateway device to which connection is preferentially performed for each IP address of the terminal.
(Section 4)
The gateway device according to any one of claims 1 to 3, wherein the first network is a private network, and the second network is the Internet.
(Section 5)
A network system having a plurality of gateway devices provided between a first network to which a terminal is connected and a second network to which a server to be accessed by the terminal is connected, wherein the plurality of gateway devices are provided. 5. A network system, wherein each of the devices is the gateway device according to any one of Items 1 to 4.
(Section 6)
In a network system having a plurality of gateway devices provided between a first network to which a terminal is connected and a second network to which a server to be accessed by the terminal is connected, A control method executed by one of the gateway devices,
The gateway device includes a proxy unit that executes access to the server on behalf of the terminal,
A metric collection step of obtaining a metric value indicating the state of the gateway device;
A distributed control step of determining a gateway device used by the terminal from among the plurality of gateway devices based on the IP address of the terminal, setting information, and a metric value collected from the plurality of gateway devices. Control method to be provided.
(Section 7)
A program for causing a computer to function as each unit in the gateway device according to any one of Items 1 to 4.

  Although the present embodiment has been described above, the present invention is not limited to the specific embodiment, and various modifications and changes may be made within the scope of the present invention described in the appended claims. It is possible.

10, 100 IGW
11,110 Web proxy
12, 120 UTM
20, 200 Private network 30, 300 Internet 40, 400 Web server 140 Internal DNS unit 130 Distributed control unit 150 Metric collection unit 1000 Drive device 1002 Auxiliary storage device 1003 Memory device 1004 CPU
1005 interface device 1006 display device 1007 input device

Claims (7)

In a network system having a plurality of gateway devices provided between a first network to which a terminal is connected and a second network to which a server to be accessed by the terminal is connected, A gateway device used as one of the gateway devices,
A proxy unit that executes access to the server on behalf of the terminal;
A metric collection unit that acquires a metric value indicating a state of the gateway device;
A distributed control unit that determines a gateway device to be used by the terminal from among the plurality of gateway devices based on the IP address of the terminal, setting information, and a metric value collected from the plurality of gateway devices. Gateway device to be equipped. An internal DNS unit that inquires the distributed control unit of a gateway device used by the terminal by receiving a name resolution inquiry from the terminal and notifying the distributed control unit of an IP address of the terminal obtained based on the inquiry; The gateway device according to claim 1, further comprising: The gateway device according to claim 1, wherein the setting information includes information on a gateway device to be connected preferentially for each terminal IP address. The gateway device according to any one of claims 1 to 3, wherein the first network is a private network, and the second network is the Internet. A network system having a plurality of gateway devices provided between a first network to which a terminal is connected and a second network to which a server to be accessed by the terminal is connected, wherein the plurality of gateway devices are provided. A network system, wherein each of the devices is the gateway device according to any one of claims 1 to 4. In a network system having a plurality of gateway devices provided between a first network to which a terminal is connected and a second network to which a server to be accessed by the terminal is connected, A control method executed by one of the gateway devices,
The gateway device includes a proxy unit that executes access to the server on behalf of the terminal,
A metric collection step of obtaining a metric value indicating the state of the gateway device;
A distributed control step of determining a gateway device used by the terminal from among the plurality of gateway devices based on the IP address of the terminal, setting information, and a metric value collected from the plurality of gateway devices. Control method to be provided.   A program for causing a computer to function as each unit in the gateway device according to any one of claims 1 to 4.

Images