JP5617108B2 - Static NAT forming device, reverse proxy server, and virtual connection control device - Google Patents

Description

The present invention relates to a static NAT forming device, a reverse proxy server, and a virtual connection control device.
More specifically, the problem of the conventional virtual private network (Virtual Private Network: “VPN”) is solved, and flexible operability and strong security are realized by adding extremely lightweight software and hardware. The present invention relates to a static NAT forming device, a reverse proxy server, and a virtual connection control device used for a new virtual private network system.

  Today, IP networks originating from the Internet are indispensable for our social life and corporate activities. A company has a LAN in the office, and a server such as a file server including confidential company information is also connected to the LAN. An employee uses a terminal such as a personal computer connected to a LAN to perform business using information resources provided by the server. Generally, a corporate LAN is provided with a firewall at the connection point between the LAN and the Internet in order to protect servers including confidential information. Thus, the LAN is configured so that a malicious third party cannot easily enter the corporate LAN from the Internet.

This firewall is a hindrance when employees want to work while connected to the corporate LAN using a laptop computer or other terminal. VPN is used as a technology for securely connecting to the corporate LAN from the Internet through a firewall.
There are various types of VPNs depending on their connection form, but they can be roughly classified into two types.
One is a method of assigning an IP address belonging to a LAN subnet to a terminal existing outside the LAN.
The other is a technique called port forwarding or static NAT (Network Address Translation).

JP 2009-227771 A

"Introduction to PacketiX VPN-Features of PacketiXVPN" Soft Ether Co., Ltd. [Search on March 25, 2010], Internet <URL: http://www.softether.co.jp/jp/vpn2/introduction/about_vpn.aspx> “Special Feature: Broadband Router Thorough Strategy Guide” IT Media Co., Ltd. [Search on March 25, 2010], Internet <URL: http://www.atmarkit.co.jp/fpc/special/bbrouter_desc/portforward_dmz.html> "Let's manage the server with ssh over the Internet-@IT" IT Media Co., Ltd. [Search March 25, 2010], Internet <URL: http://www.atmarkit.co.jp/fnetwork/rensai /tcp27/01.html>

First, the former method of assigning an IP address belonging to a LAN subnet to a terminal existing outside the LAN will be described. This is a technique disclosed in Non-Patent Document 1.
Most corporate LANs use IPv4 private addresses. Therefore, a private address belonging to the subnet of the corporate LAN is also assigned to a terminal connected to the outside of the LAN, that is, the Internet. However, a network interface card (hereinafter referred to as “NIC”) provided in the terminal has already been assigned a global IP address by an Internet service provider (hereinafter referred to as “ISP”). Therefore, a virtual NIC is realized by software, and an IP address belonging to the subnet of the corporate LAN is assigned to this. The communication with the virtual NIC is encrypted and passed through the firewall.

The problem with this method is that the terminal belongs to the LAN subnet but is not protected by a firewall, or is directly connected to the Internet. In other words, there are very security issues. The terminal is exposed to threats such as computer viruses, worms, and denial of service attacks called DoS. There is also a high possibility of information leakage.
Furthermore, when the IP address assigned by the ISP is a private address, the IP address assigned by the ISP may collide with the IP address assigned by the VPN. Even now, in public Internet connection bases such as cable television ISPs and Internet cafes, private addresses are assigned to terminals. In addition to this, “Carrier Grade NAT” (http://itpro.nikkeibp.co.jp/article/COLUMN/20080625/309452/), which is expected to spread with the exhaustion of IPv4 addresses, will be widely implemented in the future. Then, the possibility of IP address collision can be expected to increase dramatically.

Next, the latter method called port forwarding or static NAT will be described. This is a technique disclosed in Non-Patent Document 2 and Non-Patent Document 3.
For example, assume that a private network of 192.168.0.0/24 is built in a certain home. If you want to build a web server in this home LAN and publish it to the Internet via a broadband router, you can send a packet with a specific port number called "Port Forward Setting" or "Static NAT Setting" to the broadband router. Set to redirect to a specific machine (server).

Now, the broadband gateway is assigned the default gateway “192.168.10.1” as the IP address of the home LAN, and the dynamic global IP address assigned by the ISP is “203.178.83. 194 ". In the broadband router, a packet coming to port 80 of “203.178.83.194” is sent to port 80 of a machine to which another IP address “192.168.10.2” of the home LAN is assigned. Set to forward to No. The broadband router rewrites the destination IP address of the packet from “203.178.83.194” to “192.168.10.2” and transfers the packet to the server. Thus, the server in the LAN can provide a service as a web server to the outside (the Internet). This is the technique disclosed in Non-Patent Document 2. In addition, not only the IP address but also the port number can be rewritten with respect to the packet.
Such a technique called static NAT is often implemented as a kernel function (driver) of a POSIX OS such as Linux (registered trademark).

Since the broadband router simply redirects packets coming from the Internet into the LAN, there is a problem in security. Therefore, an application such as OpenSSH (http://www.openssh.com/en/), which is a type of SSH (Secure Shell), is a method for improving security with encryption and authentication of communication paths. . This is disclosed in Non-Patent Document 3.
However, OpenSH requires time and effort to generate and distribute a public key for each connected user, and it is necessary to install an SSH client and a public key in a terminal that is a client. Also, technologies such as OpenSSH have not completely eliminated potential security risks. In other words, it depends on the level of security vulnerability of OpenSH itself. Since the SSH server, which is an Open SSH server, opens port 22 by default, there is a risk of DoS attacks on port 22 and the like. Furthermore, since OpenSSH does nothing about the security of the terminal itself as a client, it is necessary to take measures in consideration of the security of the terminal separately.

  All of the VPN methods described above are specially constructed only for the purpose of “connecting from the Internet to a server in the LAN”. In addition, the connection technology is not perfect because there are many setting items and the possibility of connection failure cannot be eliminated. Security measures must be taken into consideration separately.

  In view of the above technical background, the inventor has solved the above-described problems of the conventional VPN, and has realized a flexible operability and strong security by adding extremely lightweight software and hardware. A system, a static NAT forming apparatus, and a reverse proxy server were invented and filed (Japanese Patent Application No. 2010-89873, hereinafter “Patent Application 1”).

  In patent application 1, a static NAT forming device and a reverse proxy server are connected between a terminal and a server in order to connect the terminal and the server beyond a single firewall preventing IP Reachability. And the server and the server realize a virtual connection through two-stage IP address conversion processing of port forward (static NAT) and reverse proxy according to the control of the reverse proxy server.

However, such a simple network configuration exists in the market. There are a plurality of factors that hinder the possibility of IP connection until the server that is the connection target is reached, and there is also a network configuration in which connection cannot be made without passing through several gateways.
For example, assume that a company A and a company B merge. It is conceivable to provide a gateway server for realizing interconnection between the in-house LAN of company A and the in-house LAN of company B by the merger. However, in order to realize the interconnection between the company A and the company B, the security policy of the mutual in-house LAN is affected, so that easy connection is not recommended. Furthermore, since the company A and the company B have not built an in-house LAN on the assumption that they will merge in advance, there is a possibility that private IP addresses used in the respective LANs overlap. When subnets and IP addresses overlap somewhere on the route, it is usually impossible to construct an IP reachable (IP reachable) environment.

  The present invention solves such problems, solves the problems of the conventional VPN described above, and can be connected to a server existing in an environment that is not IP reachable by adding extremely lightweight software and hardware. It is an object of the present invention to provide a static NAT forming device, a reverse proxy server, and a virtual connection control device used for the above.

In order to solve the above problems, a static NAT forming apparatus of the present invention includes a first NIC connected to a terminal and a first network that is IP reachable, and a second NIC that is not IP reachable with respect to the first NIC. The second NIC used for the terminal to connect to the server arranged on the network of the network, and the virtual IP address performed by the terminal is interposed between the second NIC and the first NIC . Based on the connection, it includes a NAT setting unit that sets a static NAT to be applied to a packet communicated with the server through the reverse proxy server existing on the second network.

  After the static NAT forming apparatus performs authentication through the control session, if the terminal requests connection to a server in the private network existing ahead of the reverse proxy server, the static NAT forming apparatus uses the static NAT and the reverse proxy server. Sets up a reverse proxy to form a data session between the terminal and the server. By constructing the network system in this way, it is possible to realize a connection to a server of a terminal across a firewall in a virtual connection form without private address collision.

  The present invention provides a static NAT forming device, a reverse proxy server, and a virtual connection control device for use in a new network system that realizes flexible operability and strong security by adding extremely lightweight software and hardware. it can.

It is the schematic of the network system of this embodiment. It is the schematic of the network system which paid its attention to the 1st terminal. It is the schematic of the network system which paid its attention to the 2nd terminal. It is an external appearance perspective view of a local master BOX. It is a block diagram which shows the hardware constitutions of a local master BOX. It is a functional block diagram of a local master BOX. It is a functional block diagram of a soft local master. It is a functional block diagram of RTA. It is a functional block diagram of a stepping node. It is a functional block diagram of a stepping node. It is a functional block diagram of a conductor. It is a figure which shows the structure of the table contained in a conductor. It is a time chart which shows the flow of the whole operation | movement of the network system of this embodiment. It is a time chart of an apparatus specific ID authentication sequence. It is a time chart of a user authentication sequence and a menu acquisition sequence. It is a time chart of a menu acquisition sequence. It is a time chart of a VPC establishment sequence. It is a time chart of a VPC establishment sequence and a VPC data transfer state. It is the schematic which shows the outline | summary of the packet which flows into a VPC establishment sequence, and a VPC establishment request command. It is a time chart which shows a VPC disconnection sequence in case the protocol of communication which passes a VPC tunnel is connection type communication. It is a time chart which shows a user logout sequence and a local master shutdown.

[Outline of Embodiment]
An outline of the present embodiment will be described.
The present invention is a technical content developed from the technical content disclosed in Patent Application 1. The network system described below provides a mechanism for realizing a remote office service in a wide area private network system of a large company. An employee operates a terminal in a company from a remote office or a secondee, and realizes the desktop environment of his / her own terminal in the department to which the employee originally belongs on the secondee's terminal. A server that provides a remote desktop environment exists in a server in a subnet that is not directly IP reachable from a secondee. The network system according to the present embodiment implements a virtual private connection (hereinafter abbreviated as “VPC”) to a server resource that is not directly IP reachable by using a local master and a stepping node described later.
In this embodiment, the remote desktop refers to a mounting form implemented in Windows (registered trademark) called Remote Desktop Protocol (RDP), but is not limited to this. It may be VNC (Virtual Network Computing) and X Window System which are well-known and widely spread.

The VPC forms an IP reachable path (tunnel) between a terminal and a server that are not directly IP reachable. Hereinafter, a path formed by VPC is called a VPC tunnel. A VPC tunnel connects terminals and local masters, local masters and stepping nodes, stepping nodes and stepping nodes and servers, and IP reachable devices via a “data session”. The local master and each stepping node use static NAT. And the reverse proxy is operated at the stepping node closest to the server.
In order to realize this VPC, the following apparatuses and programs are newly provided. The four types of devices and programs described below are all uniquely named by the inventor and the applicant because there is no device or the like that provides an equivalent function in the conventional network technology. Each device and program forms a “control session”, which is a communication channel for mutual control, in order to form a data session.

・ Stepping Node
Stepping nodes, which can be called reverse proxy servers, are provided at various locations in the network and perform two operations.
One is an operation for forming a data session with a static NAT with a local master or another stepping node described later to form a virtually IP reachable state.
The other is to activate a reverse proxy between a local master or other stepping node, which will be described later, and an IP reachable server to form a data session, and virtually IP reachable between the terminal and the server. This is an operation to form a new state.
At first glance, the stepping node appears to be a reverse proxy server or a gateway running static NAT, but it starts the reverse proxy process only when there is a connection request from the terminal, or sets static NAT. . In particular, when starting the reverse proxy process, authentication is performed with a conductor described later.
Therefore, unlike a normal server, a stepping node cannot open a port unnecessarily, which is advantageous in terms of security.

・ Local Master
The local master, which can also be called a static NAT forming device, contains a device identification ID indicating that the device itself is qualified to connect to a stepping node, and performs device authentication (individual authentication) for the conductor described later. To do.
When the device authentication is completed, the local master forms a control session, which is a control communication path, between the terminal and the conductor. A player, which will be described later, installed in the terminal performs communication of control information with the conductor using this control session. Next, when the player requests the conductor for information related to the server to which the user can connect and restriction setting information that is information for performing various controls on the terminal, the player simultaneously obtains the information received from the conductor, The terminal prepares to form a data session for VPC connection to a remote server.
If necessary, a packet filter is also set for ensuring security based on the limit setting information.
A data session is formed by static NAT (port forwarding).

The packet filter is set to limit the operation of the terminal only to the connection with the server, and to eliminate the cause of the accident such as inadvertently connecting to an arbitrary server on the Internet. The restriction setting information transmitted from the conductor enumerates a range of IP addresses for which transmission / reception is prohibited (or transmission / reception is permitted), and the packet filter is set according to the restriction setting information.
Packets to and from a server that sends and receives through a stepping node that is a reverse proxy by static NAT are rewritten as a packet for the NIC located on the local side of the terminal, and the port number is rewritten as necessary. It is done. The terminal can communicate with a server in the LAN as if it were communicating with a local NIC.

There are two types of local masters: one configured as hardware connected to the terminal (hereinafter “local master BOX”) and one configured as software installed in the terminal (hereinafter “soft local master”). There are forms. Both provide the same functions. The difference is that the local master BOX performs static NAT for the built-in local NIC, while the soft local master sets static NAT for the loopback virtual NIC built in the network OS as standard.
The local master is a device and a program in which functions are further rearranged and improved based on the technique disclosed in Patent Document 1 filed by the inventor in the past.
Hereinafter, when simply describing “local master”, it is defined as a word indicating both the local master BOX and the soft local master. In addition, “local master encrypted communication processing unit 606” is a notation indicating a functional block common to both the local master BOX and the soft local master.

・ Player
If the terminal is connected to the Internet and further connected to a server in the LAN through a local master and a stepping node, various security concerns arise. Therefore, this player is installed in the terminal in order to strongly limit the operation of the terminal.
A player, which can also be called a behavior restriction unit, communicates with the local master to provide a user interface for personal authentication, and when communication between the local master and the stepping node is established, some application program interfaces (Application Program Interface) of the OS are established. : "API" below).
The restriction setting information transmitted from the stepping node and given through the local master lists application programs that are prohibited (or permitted to be executed), files that are prohibited from being viewed, edited, moved, or deleted. ing. The player monitors the API hooked according to the restriction setting information, and strongly restricts the behavior of the terminal.

  The player also provides a personal authentication function. A well-known login screen is displayed on the terminal, personal authentication information of the user is obtained through an authentication means such as a keyboard, an IC card reader, or a fingerprint authentication device, and transmitted to the conductor through a control session. If the personal authentication is successful, the player requests the conductor for information on a server to which the user can connect and restriction setting information which is information for performing various controls on the terminal.

  Further, the player also provides a function as a shell. When the personal authentication ends normally, the player requests the conductor for information on a server to which the user can connect and restriction setting information that is information for performing various controls on the terminal. When the user receives information about a server that can be connected, the player displays a window on the terminal screen and displays an icon in the window. The icon includes an application startup parameter (command line), and an application name that permits execution and a server name of a server that permits access are specified as arguments of the application. Since the application is activated as a child process of the player, the player can easily grasp the behavior of the application.

  The player applies API hook technology such as virus checker and malware. Since the player is under the control of the stepping node, if an abnormal behavior is detected by the hooked API, the execution can be stopped immediately and reported to the stepping node. If this technology is applied to a high level, it will be possible to defend against unknown viruses. Therefore, the “zero-day attack” (a program security hole has been announced and a patch that corrects the security hole of the program has become a problem in recent years. It is also possible to cope with an attack that actually attacks the security hole by a malicious person or a malicious program that exploits the security hole appears at a time before the provision of the security hole. Even if a virus is accidentally mixed in a terminal, once the player starts up and is connected to the stepping node, the suspicious behavior is immediately determined from the result of the API hook. Emergency measures such as forcibly disconnecting can be executed instantaneously.

・ Conductor
A terminal goes through a plurality of stepping nodes when connecting to a server via a VPC. In order for the terminal to establish a VPC connection with the server (the terminal reaches the server), it must go through an appropriate stepping node. The conductor provides the local master with route information for forming this VPC tunnel. In the network system according to the present embodiment, the conductor serves as a “conductor” that provides control information to the stepping node to form the VPC tunnel.
As described above, the conductor performs device authentication for the local master and personal authentication for the user who operates the terminal. And the information of the server which the said user is permitted to connect is provided with respect to the terminal which completed apparatus authentication and personal authentication.

As described above, with the four devices and programs, a terminal that exists on the network is a server that a user wants to connect to through a local NAT and a static NAT by a stepping node on a midway route and a reverse proxy by a stepping node that is closest to the server. Can be connected to. At that time, the behavior of the terminal is allowed only by the player to communicate with the server, and other behaviors are greatly limited.
In this connection form, a large number of IP addresses attached to packets are rewritten in each of the static NAT and the reverse proxy. As a result, the terminal does not enter a state in which the IP address in the LAN is assigned as disclosed in Non-Patent Document 1, but is close to the static NAT connection mode disclosed in Non-Patent Document 3. become.

[overall structure]
FIG. 1 is a schematic diagram of a network system according to the present embodiment.
The LAN 102 of a certain company has a configuration in which many employees are working and cannot be easily accessed across subnets for security reasons. With such a LAN 102, a remote desktop environment is introduced, and the same desktop environment is intended to be realized on the destination terminal regardless of where the employee moves in the company.
In order to realize a remote desktop environment with a minimum additional investment without changing the security policy of the existing LAN 102, the inventor arranges stepping nodes in various places in the LAN 102, and the terminal starts from the nearest IP reachable stepping node. Following the IP reachable stepping node, we built an environment to connect to the target server.

In FIG. 1, the first terminal 105 and the second terminal 106 and two terminals are shown. This is shown to show that both can equally connect to the server 103.
The first terminal 105 and the second terminal 106 are well-known notebook personal computers or small personal computers, and a known Linux (registered trademark) is installed as an OS. The OS is a general multitasking network OS, and is not limited to Linux (registered trademark), but may be, for example, Windows (registered trademark). The terminal is a well-known thin client (Thin Client: a lightweight terminal that minimizes hardware resources, provides only the minimum functions such as screen display and operation input, and executes many application programs on a server). Configure.

An IC card reader 104 for personal authentication is connected to the first terminal 105 and the second terminal 106.
The first terminal 105 and the second terminal 106 are accompanied by a local master when connecting to the LAN 102.
The first terminal 105 is connected to a local master BOX 109 that is a local master configured by hardware. The local master box 109 is interposed between the LAN 102 and the first terminal 105.
In the second terminal 106, a soft local master 113, which is a local master configured by software, is installed. The second terminal 106 is connected to the LAN 102 via the soft local master 113 when the soft local master 113 is installed and operated.

The local master BOX 109 or the soft local master 113 connects the network connection formed by the programs running on the first terminal 105 and the second terminal 106 to the first SN 107 that is the nearest first stepping node by static NAT.
That is, the application of the first terminal 105 does not connect directly to the IP address of the first SN 107, but connects to the virtual IP address provided by the local master BOX 109. Then, the local master box 109 rewrites the IP header of the packet issued by the application of the first terminal 105 with static NAT. Specifically, the source IP address is rewritten from the IP address of the first terminal 105 to the IP address of the local master box 109, and the destination IP address is rewritten from the IP address of the local master box 109 to the IP address of the first SN 107.

The first SN 107 is connected to the local master box 109 and the soft local master 113. The first SN 107 connects the network connection formed by the local master BOX 109 and the soft local master 113 to the second SN which is the nearest second stepping node that is static NAT and IP reachable.
The first SN 107 rewrites the IP header of the packet issued by the local master BOX 109 or the soft local master 113 using static NAT. Specifically, the source IP address is rewritten from the IP address of the local master box 109 or soft local master 113 to the IP address of the first SN 107, and the destination IP address is rewritten from the IP address of the first SN 107 to the IP address of the second SN 107. .

The second SN 108 is connected to the first SN 107. The second SN 108 connects the network connection formed by the first SN 107 to the third SN 112, which is the nearest third stepping node in static NAT.
The second SN 108 rewrites the IP header of the packet issued by the first SN 107 with static NAT. Specifically, the source IP address is rewritten from the IP address of the first SN 107 to the IP address of the second SN 108, and the destination IP address is rewritten from the IP address of the second SN 108 to the IP address of the third SN 112.

A third SN 112 is connected to the second SN 108. The third SN 112 connects the network connection formed by the second SN 108 to the fourth SN 114, which is the nearest fourth stepping node in static NAT.
The third SN 112 rewrites the IP header of the packet issued by the second SN 108 with static NAT. Specifically, the source IP address is rewritten from the IP address of the second SN 108 to the IP address of the third SN 112, and the destination IP address is rewritten from the IP address of the third SN 112 to the IP address of the fourth SN 114.

A fourth SN 114 is connected to the third SN 112. The fourth SN 114 connects the network connection formed by the third SN 112 to the nearest server 103 using a reverse proxy.
The fourth SN 114 rewrites the IP header of the packet issued by the third SN 112 with the reverse proxy. Specifically, the source IP address is rewritten from the IP address of the third SN 112 to the IP address of the fourth SN 114, and the destination IP address is rewritten from the IP address of the fourth SN 114 to the IP address of the server 103.

As mentioned above, the connection form connecting with the static NAT and the reverse proxy from the terminal to the server 103 through the local master, the first SN 107, the second SN 108, the third SN 112, and the fourth SN 114 is referred to as VPC. A connection path constituted by a static NAT and a reverse proxy, which is formed by a VPC between the terminal and the server 103, indicated by a dotted line in FIG.
A feature of the VPC tunnel is that the terminals (first terminal 105 and second terminal 106) do not know the real IP address of the server 103, and the server 103 does not know the real IP address of the connected terminal. . The terminal communicates with the virtual IP address provided by the local master, and the server 103 communicates with the fourth SN 114. To the terminal, the server 103 appears to be assigned a virtual IP address provided by the local master, and to the server 103, the terminal appears to be the fourth SN 114.

A conductor 115 is further connected to the second SN 108 and the third SN 112. The conductor 115, which can be called a virtual connection control device, performs authentication of the terminal and the local master, and provides route information for forming a VPC tunnel to the local master in response to a request from the local master.
Although not shown in FIG. 1, the stepping node may exist in addition to the first SN 107, the second SN 108, the third SN 112, and the fourth SN 114 shown in FIG. In such a situation, the information of the stepping node traced for the terminal to connect to the server 103 by VPC is the route information.
Details of the route information will be described later.

The terminal is allowed to connect to the LAN 102 via the local master box 109 or the soft local master 113.
The local master is IP reachable with the first SN 107, but is not IP reachable with the second SN 108, the third SN 112, the fourth SN 114, and the server 103. Also, the conductor 115 is not IP reachable.
In FIG. 1, the mutually IP reachable subnet to which the first SN 107, the local master box 109, and the second terminal 106 are connected can be said to be the first network.

The first SN 107 is IP reachable with the local master and the second SN 108, but is not IP reachable with the terminal, the third SN 112, the fourth SN 114, and the server 103. Also, the conductor 115 is not IP reachable.
The second SN 108 is IP reachable with the first SN 107, the third SN 112, and the conductor 115, but the terminal, the first SN 107, the fourth SN 114, and the server 103 are not IP reachable.
The third SN 112 is IP reachable with the second SN 108, the fourth SN 114, and the conductor 115, but is not IP reachable with the terminal, the first SN 107, and the server 103.

The fourth SN 114 is IP reachable with the third SN 112 and the server 103, but is not IP reachable with the terminal, the first SN 107, and the second SN 108. Also, the conductor 115 is not IP reachable.
In FIG. 1, the mutually IP reachable subnet to which the fourth SN 114 and the server 103 are connected can be said to be a second network that is not IP reachable from the first network.

  As described above, in the network system 101 according to the present embodiment, in a non-IP reachable environment between the terminal and the server 103, a stepping node is arranged at an IP reachable location, and the stepping node is a static NAT or a reverse proxy. By connecting IP reachable connection partners, non-IP reachable devices are virtually made IP reachable.

FIG. 2 is a schematic diagram of the network system 101 focusing on the first terminal 105. For reasons of space, the third SN 112 is not shown in FIG. 2 and FIG. 3 described later.
An OS 201 is installed in the first terminal 105, and an application program such as the third application 203 is executed through the shell 202 that is a part of the OS 201. In addition, a player 111 is installed in the first terminal 105 and is executed by a predetermined operation.
The OS 201 grasps data input / output with the storage 204 such as a hard disk, the operation unit 205 such as a keyboard and a mouse, the display unit 206 such as a liquid crystal display, and the built-in USB interface 207, which are the hardware of the first terminal 105. An API is provided to allow applications to easily use these hardware.

  When the player 111 completes the personal authentication, the player 111 hooks some APIs of the OS 201 and greatly restricts the behavior of the entire first terminal 105. Further, when an abnormality is detected, the occurrence state at that time is reported to the conductor 115 through the local master box 109, the first SN 107, and the second SN 108.

  Furthermore, the player 111 also provides a function as a shell that can be called an application activation control unit. A user interface provided by the player 111 for the user to connect to the server 103 is a dedicated shell 208. When the personal authentication ends normally, the dedicated shell 208 of the player 111 displays a window on the screen of the first terminal 105 and displays an icon in the window. The icon includes an application startup parameter (command line), and an application name that permits execution, a server name of the server 103 that permits access, a virtual IP address provided by the local master BOX, and the like are arguments of the application. Is specified as The application programs started as child processes of the player 111 in this way are the first application 209 and the second application 210 in FIG. Since the application is activated as a child process of the player 111, the player 111 can easily grasp the behavior of the application.

  In FIG. 2, a first application 209 and a second application 210 started from the dedicated shell 208 are displayed. On the other hand, the shell 202 and the third application 203 of the OS 201 that are already executed until the first terminal 105 completes the personal authentication are in a state where they are separately activated. Since these are not applications started as child processes of the dedicated shell 208 of the player 111, the behavior is greatly limited by the API hook function of the player 111. In addition, activation of an application that is prohibited from being executed or a file that is prohibited from the “open file” operation is inhibited by the player 111 and cannot be executed.

  A local master box 109 is connected to the built-in USB interface 207 of the first terminal 105. The local master box 109 incorporates a DHCP client, which will be described later, and is connected to the LAN 102 by the DHCP server 110 and can communicate with an IP reachable device such as the first SN 107.

FIG. 3 is a schematic diagram of the network system 101 focusing on the second terminal 106.
The difference between the second terminal 106 and the first terminal 105 is that a soft local master 113 is installed in the second terminal 106 instead of the local master BOX 109, and is interposed between the OS 201 and the player 111. The second terminal 106 is connected to the LAN 102 via the built-in NIC 301. Therefore, in the first terminal 105, the DHCP server 110 assigns a dynamic IP address to the local master BOX 109, but in the second terminal 106, the DHCP server 110 is directly connected to the built-in NIC 301 built in the second terminal 106. A dynamic IP address will be assigned. Since the soft local master 113 is installed in the second terminal 106, message passing and sharing can be performed without transmitting / receiving predetermined control information via the IP network as in the case of the first terminal 105 and the local master BOX 109. A general interprocess communication mechanism such as a memory or a named pipe can be used.

[Local Master Box 109]
FIG. 4 is an external perspective view of the local master box 109. One USB-B connector 403 and one network connector 404 are provided on the back surface of the local master box 109. The USB-B connector 403 is connected to a terminal through a USB-B cable (not shown). A LAN cable is connected to the network connector 404, and the DHCP server 110 is connected to the end of the LAN cable.

FIG. 5 is a block diagram showing a hardware configuration of the local master box 109.
In the local master box 109 formed of a microcomputer, a CPU 502, a RAM 503, a flash memory 504 serving as a nonvolatile storage also serving as a ROM, a USB interface 505, and a first NIC 507 are connected to a bus 508.
The flash memory 504 stores a main part such as a kernel and library of the OS 201 and a management command. The OS 201 is, for example, Linux (registered trademark).
The local master box 109 receives power supply from the first terminal 105, which is a personal computer, through a USB cable. That is, the local master box 109 is a bus powered device.
A second NIC 601 not described in FIG. 5, which will be described later with reference to FIG. 6, is virtually created by the OS 201 and application programs stored in the flash memory 504.

FIG. 6 is a functional block diagram of the local master box 109.
The local master BOX 109 includes two network interfaces.
The first NIC 507 is a NIC configured as hardware as illustrated in FIG. 5, and becomes IP reachable with the first SN 107 by being connected to the LAN 102.
Although not shown in FIG. 5, the second NIC 601 is virtually created by an OS and application programs stored in the flash memory 504. When viewed from the first terminal 105, the second NIC 601 is recognized as an external NIC connected by USB. That is, the second NIC 601 is a device that is included in the subnet configured by the network system 101 of the first terminal 105 and can be directly accessed from the first terminal 105.

  When the first NIC 507 of the local master box 109 is connected to the LAN 102, the DHCP client 602 receives network configuration information such as an IP address, a netmask, a default gateway (in an IP network), a name resolver, and the like from the DHCP server 110. The first NIC 507 is set so that the first NIC 507 is in an IP reachable state with a device on the LAN 102.

  Next, the address duplication avoiding unit 603 refers to the network configuration information acquired by the DHCP client 602, and if the IP address to be assigned to the second NIC 601 belongs to the subnet of the first NIC 507, the second NIC 601 In order to belong to a network of a different subnet from the first NIC 507, the startup parameters of the DHCP server 604 are adjusted. Specifically, when a global IP address is assigned to the first NIC 507, the second NIC 601 has a default value of 192.168.8.0, which is an IP address belonging to the network address 192.168.0.0/24. 1. If the network address of the first NIC 507 is 192.168.0.0/24, the IP address of 192.168.1.0/24 is 192.168.1. 1 is given.

  In a state where the first NIC 507 of the local master box 109 is set by the DHCP server 110 and a private IP address is also assigned to the second NIC 601 by the DHCP server 604, the NAT setting unit 605 forms a general dynamic NAT. Thereby, network connection is established between the first NIC 507 and the second NIC 601 without any trouble. At this time, the encrypted communication processing unit 606 does not perform encryption processing and decryption processing on the payload portion of the packet flowing between the second NIC 601 and the first NIC 507.

On the other hand, when the control session management unit 609 knows that the first NIC 507 is connected to the network, it immediately attempts device authentication with respect to the conductor 115. The device identification ID 608 transmitted to the conductor 115 is transmitted to the stepping node described in the default gateway address 612. In the present embodiment, as shown in FIG.
The device identification ID 608 used for device authentication is encrypted by the encrypted communication processing unit 606 and transmitted to the conductor 115 through the first SN 107 and the second SN 108. When the notification of the success of device authentication and the session ID (hereinafter “SSID”) are received from the conductor 115 through the encrypted communication processing unit 606, the control session management unit stores the SSID in the SSID memory 613.
At this point, a control session is formed between the local master box 109 and the first SN 107, the second SN 108, and the conductor 115.
The “default gateway” described in the present embodiment has a different meaning from the default gateway of a general IP network, and indicates the IP address or host name of an IP reachable device that is traced to connect to the conductor 115.

The control session is a kind of connection-type TCP, and the payload is encrypted by the encrypted communication processing unit 606. It is a protocol originally developed by the inventor and similar to SSL-TELNET (TELNET protocol encrypted by SSL). The difference from SSL-TELNET is that screen control is not performed. Since only command and data transmission / reception needs to be realized, it does not have a screen control function using an escape sequence such as a VT terminal.
The formation of a control session between the local master and the conductor 115 is similar to TELNET multiple connections. That is, after the TELNET login from the local master to the first SN 107, the first SN 107 is used as a step to log in to the second SN 108, and the second SN 108 is used as a step to log in to the conductor 115.

When activated, the player 111 of the first terminal 105 requests the connected local master box 109 for an SSID through a control session. This operation is repeated until the local master box 109 returns the SSID. That is, the player 111 polls for an SSID request.
When the control session management unit 609 receives a request for an SSID from the player 111, the control session management unit 609 returns a SSID stored in the SSID memory 613. Otherwise, that is, when the device authentication for the conductor 115 is not completed and the SSID is not received from the conductor 115, an error is returned to the player 111.
Upon receiving the SSID from the local master box 109, the player 111 recognizes that the local master box 109 has succeeded in device authentication. When the received SSID is stored in a RAM (not shown), the player 111 next displays a login screen on the display unit 206 of the first terminal 105.
The user performs personal authentication of the user using the IC card reader 104 or the operation unit 205 of the first terminal 105. The personal authentication information input by the user is transmitted by the player 111 to the local master box 109 through the control session. There are various kinds of personal authentication information. When the operation unit 205 is used, a general user ID and password are used. In addition, there is a method of using information used for personal authentication obtained from a device that realizes personal authentication, such as a fingerprint authentication device or an IC card reader 104. Hereinafter, information for authenticating a user who uses these terminals is collectively referred to as personal authentication information.

The personal authentication information is encrypted by the encrypted communication processing unit 606 controlled through the control session management unit 609 and transmitted to the conductor 115. The notification of the success of the personal authentication returned from the conductor 115 reaches the first terminal 105.
When the player 111 receives a notification of successful personal authentication from the conductor 115, the player 111 requests the conductor 115 for information regarding services available to the user. In response to this, the conductor 115 transmits information related to services that the user can enjoy and information for limiting the behavior of the first terminal 105 and the local master box 109.
Information relating to services that can be enjoyed by the user is stored in the player 111 as service menu information 614, and the service menu information 614 is stored when the local master box 109 is also transferred.
Information for restricting the behavior of the first terminal 105 and the local master BOX 109 is stored in the player 111 as restriction setting information 610, and the restriction setting information 610 is also stored when the local master BOX 109 is transferred.

  The control session management unit 609 of the local master box 109 reads the packet filtering setting information described in the restriction setting information 610 received from the conductor 115 and controls the packet filter setting unit 611. The packet filter setting unit 611 configures a packet filter in accordance with the packet filtering setting information given from the control session management unit 609.

Next, the control session management unit 609 of the local master box 109 sets the packet monitoring unit 615 to monitor the port number forming the data session based on the stored service menu information 614.
The packet monitoring unit 615 reports a TCP SYN packet to the control session management unit 609 when the IP address assigned to the second NIC 601 reaches the port number targeted for the data session. Upon receiving this report, the control session management unit 609 starts communication for forming a data session.

The packet monitoring unit 615 also monitors a TCP FIN packet when the data session to be set is connection-type communication. In the case of a protocol such as RDP or SSH in which a TCP FIN packet is transmitted for the first time upon client termination, the data session can be immediately terminated (closed) by detecting the arrival of the TCP FIN packet.
Conversely, when the data session to be set is a connectionless type protocol such as HTTP, a TCP FIN packet is transmitted each time one data stream is transmitted. Therefore, in the case of the connectionless type protocol, the TCP FIN packet should not be a trigger for closing the data session. In other words, a VPC tunnel passing through HTTP must correctly transfer a TCP FIN packet. In this case, the terminal explicitly notifies the end of the data session through the control session.

[Soft local master 113]
FIG. 7 is a functional block diagram of the soft local master 113.
The soft local master 113 includes two network interfaces.
The built-in NIC 301 is a NIC built in the second terminal 106 as hardware, and is connected to the LAN 102.
The loopback virtual NIC 701 is a known loopback interface that is installed in the second terminal 106 and is provided as a standard in the network OS 201 of the IPv4 protocol. Even if the terminal is not equipped with a NIC, as long as the OS 201 supports the IPv4 protocol, a loopback interface to which an IP address of 127.0.0.1 is always assigned is configured in the OS 201. Unless special settings are made, the packet transmitted to the loopback interface is sent to the packet reception target of the terminal itself. In other words, “loop back” returns to the starting point, that is, the terminal itself so that the transmitted packet draws a circle.

  In the case of the local master box 109, the first NIC 507 is not a device that can be directly accessed from the first terminal 105. However, in the case of the soft local master 113, both the built-in NIC 301 and the loopback virtual NIC 701 are devices that can be equally accessed from the OS 201 and applications of the second terminal 106.

  When the built-in NIC 301 of the soft local master 113 is connected to the LAN 102, the DHCP client 702 built in the OS 201 receives network configuration information such as an IP address, a netmask, a default gateway, and a name resolver from the DHCP server 110 through the built-in NIC 301. Then, the built-in NIC 301 is set so that the built-in NIC 301 can be connected to the network.

  In the case of the local master BOX 109, after this procedure, it was necessary to perform processing so that the subnets of the first NIC 507 and the second NIC 601 do not overlap, but the loopback virtual NIC 701 is assigned a global or private IP address. Since the network segment does not necessarily overlap with the built-in NIC 301, there is no need to provide the address duplication avoiding unit 603. Further, since the loopback address is fixed, the DHCP server 604 is also unnecessary.

  When the built-in NIC 301 of the soft local master 113 is connected to the LAN 102, the NAT setting unit 705 does nothing. Also, the packet filter setting unit 706 does nothing. Accordingly, the OS 201 and the application can be connected to the network through the built-in NIC 301 without any trouble. At this time, the encrypted communication processing unit 606 does not perform encryption processing and decryption processing of a packet flowing between the loopback virtual NIC 701 and the built-in NIC 301.

On the other hand, when the control session management unit 609 knows that the built-in NIC 301 is connected to the network, it immediately attempts device authentication with respect to the conductor 115. The device identification ID 608 transmitted to the conductor 115 is transmitted to the stepping node described in the default gateway address 612. In the present embodiment, as shown in FIG.
The device identification ID 608 used for device authentication is encrypted by the encrypted communication processing unit 606 and transmitted to the conductor 115 through the first SN 107 and the second SN 108. Upon receiving a notification of successful device authentication and a session ID (hereinafter “SSID”) from the conductor 115 through the encrypted communication processing unit 606, the control session management unit 609 stores the SSID in the SSID memory 613.
At this point, a control session is formed between the soft local master 113, the first SN 107, the second SN 108, and the conductor 115.

When activated, the player 111 of the first terminal 105 requests the connected local master box 109 for an SSID through a control session. This operation is repeated until the local master box 109 returns the SSID. That is, the player 111 polls for an SSID request.
When the control session management unit 609 receives a request for an SSID from the player 111, the control session management unit 609 returns a SSID stored in the SSID memory 613. Otherwise, that is, when the device authentication for the conductor 115 is not completed and the SSID is not received from the conductor 115, an error is returned to the player 111.
Upon receiving the SSID from the soft local master 113, the player 111 recognizes that the soft local master 113 has succeeded in device authentication. When the received SSID is stored in a RAM (not shown), the player 111 next displays a login screen on the display unit 206 of the first terminal 105.
The user performs personal authentication using the IC card reader 104 or the operation unit 205 of the first terminal 105. The personal authentication information is transmitted by the player 111 to the local master box 109 through the control session.

The personal authentication information is encrypted by the encrypted communication processing unit 606 controlled through the control session management unit 609 and transmitted to the conductor 115. The notification of the success of personal authentication returned from the conductor 115 is transferred to the first terminal 105.
When the player 111 receives a notification of successful personal authentication from the conductor 115, the player 111 requests the conductor 115 for information regarding services available to the user. In response to this, the conductor 115 transmits information related to services that the user can enjoy and information for limiting the behavior of the first terminal 105 and the local master box 109.
Information regarding services that the user can enjoy is stored in the player 111 as service menu information. This service menu information is also used by the soft local master 113.
Information for restricting the behavior of the first terminal 105 and the local master box 109 is stored in the player 111 as restriction setting information 610. This restriction setting information 610 also uses the soft local master 113.

  In the case of the local master box 109, the restriction setting information 610 and the service menu information 614 transferred to the player 111 are acquired and stored when the local master box 109 is transferred to the player 111. Since the soft local master 113 and the player 111 coexist in the second terminal 106, the restriction setting information 610 received from the conductor 115 can be referred to by the player 111 immediately. Therefore, the procedure in which the soft local master 113 transmits the restriction setting information 610 to the player 111 of the second terminal 106 cannot essentially occur.

  The control session management unit 609 of the soft local master 113 reads the packet filtering setting information described in the restriction setting information 610 received from the conductor 115 and controls the packet filter setting unit 706. The packet filter setting unit 706 configures a packet filter in accordance with the packet filtering setting information given from the control session management unit 609.

Next, the control session management unit 609 of the soft local master 113 sets the packet monitoring unit 615 to monitor the port number forming the data session based on the stored service menu information.
The packet monitoring unit 615 reports a TCP SYN packet to the control session management unit 609 when the IP address assigned to the second NIC 601 reaches the port number targeted for the data session. Upon receiving this report, the control session management unit 609 starts communication for forming a data session.

The packet monitoring unit 615 also monitors a TCP FIN packet when the data session to be set is connection-type communication. In the case of a protocol such as RDP (Remote Desktop Protocol) or SSH in which a TCP FIN packet is transmitted for the first time upon client termination, the data session is immediately terminated (closed) by detecting the arrival of the TCP FIN packet. be able to.
Conversely, when the data session to be set is a connectionless type protocol such as HTTP, a TCP FIN packet is transmitted each time one data stream is transmitted. Therefore, in the case of the connectionless type protocol, the TCP FIN packet should not be a trigger for closing the data session. In other words, a VPC tunnel passing through HTTP must correctly transfer a TCP FIN packet. In this case, the terminal explicitly notifies the end of the data session through the control session.

The local master box 109 and the soft local master 113 have been described above.
As apparent from the above description, the local master is generated from the OS 201 running on the terminal or an application running through the OS 201 based on the instruction of the conductor 115, specifically, the restriction setting information 610 created by the conductor 115. Restrict communication with a packet filter. Then, in order to realize a virtual connection to the server 103 permitted by the user, a static NAT is set for the nearest stepping node.
By performing static NAT, the terminal can connect to the server 103 via the Internet 107 and a firewall in the same state as when connecting to the server 103 in the LAN 102.

[Player 111]
FIG. 8 is a functional block diagram of the player 111.
Based on instructions from the conductor 115, specifically, the restriction setting information 610 transmitted from the conductor 115, the player 111 monitors the application that is activated at the terminal and the device that is used in accordance with the operation of the application. Then, control such as limiting the operation as necessary, and management of log recording and the like. In order to realize such a function, the player 111 hooks an API provided in the OS 201 and constantly monitors the behavior of the application and the OS 201. When the API matches the restriction condition described in the restriction setting information 610, the player 111 blocks the activation of the API and reports it to the conductor 115 through the local master.

In FIG. 8, the OS 201 and applications that are indispensable when describing the player 111 are also expressed as functional blocks.
Although various functions are included in the OS 201, when explaining the present embodiment, the OS 201 can be considered as a collection of device drivers for making the hardware easy to handle from an application. The device driver can be said to be a collection of APIs. In FIG. 8, functional blocks are described mainly focusing on these hardware and device drivers.

The main hardware provided in the terminal includes an operation unit 205 that is a pointing device such as a keyboard and a mouse, a display unit 206 such as a liquid crystal display, a storage 204 such as a hard disk, and a NIC. However, in the case of the first terminal 105 described above, the NIC is virtually provided as the second NIC 601 inside the local master box 109. In any case, the NIC exists as long as it is connected to the network.
The operation driver 801 delivers operation information issued by the operation unit 205 and personal authentication information output by the IC card reader 104 to the application, the shell 202, the control session management unit 807, and the like.
The display control unit 802 converts screen drawing instruction information generated from the application, the shell 202, and the like into actual screen drawing information and passes it to the display unit 206.

The file system 803 configures files and directories in the storage 204, and operates the files and directories in accordance with instructions from the application and the shell 202.
The process control unit 804 controls execution and termination of applications, libraries, and the like existing in the storage 204 through the applications, the shell 202, and the like.
The clipboard buffer 805 functions as a temporary buffer for copying, moving, and deleting data objects between applications and shells 202.
A network driver 806 that can also be called a TCP / IP protocol stack establishes an environment in which communication can be performed between the application or shell 202 and the network, and controls the communication.

The network driver 806 also includes a DHCP client 702.
When the local master BOX 109 is used, the DHCP client 602 in the local master BOX 109 gives a dynamic IP address to the first NIC 507 in the local master BOX 109 based on the network configuration information received from the DHCP server 110 of the LAN 102. Further, the DHCP client 702 which is a function of the network driver 806 gives a dynamic IP address to the second NIC 601 in the local master BOX 109 based on the network configuration information received from the DHCP server 604 in the local master BOX 109.
When using the soft local master 113, the DHCP client 702, which is a function of the network driver 806, gives the built-in NIC 301 a dynamic IP address based on the network configuration information received from the DHCP server 110 of the LAN 102.

When the player 111 is activated by an initial activation process of the OS 201, a user operation through the shell 202, or automatically executed by connecting a USB memory to a terminal while being stored in the USB memory, The control session management unit 807 requests the SSID from the local master box 109 or the soft local master 113.
If the acquisition of the SSID from the local master box 109 or the soft local master 113 is successful, the control session management unit 807 next executes personal authentication. The control session management unit 807 transmits the personal authentication information acquired by the IC card reader 104 or the operation unit 205 to the conductor 115 and waits for the result of personal authentication.

Upon receiving a report from the conductor 115 that the personal authentication has been successful through the local master box 109 or the soft local master 113, the control session management unit 807 next requests the conductor 115 for restriction setting information 610 and service menu information 614.
When the soft local master 113 is used, after successful personal authentication, the player 111 downloads the restriction setting information 610 and the service menu information 614 from the conductor 115, and stores the restriction setting information 610 in the RAM (not shown) of the terminal. Hold. The held restriction setting information 610 and service menu information 614 are shared with the soft local master 113.

  When the local master BOX 109 is used, after the personal authentication is successful, the player 111 downloads the restriction setting information 610 and the service menu information 614 from the conductor 115 and holds the restriction setting information 610 in the RAM (not shown) of the terminal. In this case, since the local master box 109 is configured by hardware separate from the terminal, the local master box 109 needs to acquire the restriction setting information 610 and the service menu information 614 separately. For this reason, in this embodiment, the local master BOX 109 once holds the limit setting information 610 and the service menu information 614 immediately before the player 111 receives the intervening communication between the player 111 and the conductor 115. It is acquired by a method of transmitting to the player 111. Of course, the method is not limited to this method, and a method of explicitly transmitting the restriction setting information 610 and the service menu information 614 received by the player 111 to the local master BOX 109 may be used.

  When the restriction setting information 610 is obtained from the conductor 115, the control session management unit 807 of the player 111, in accordance with the restriction setting information 610, the operation information acquisition unit 808, the screen capture processing unit 809, the file system monitoring unit 810, the process monitoring unit 811, Settings are made in the clipboard monitoring unit 812 and the API hook processing unit 813.

The file system monitoring unit 810 monitors copying, moving, deleting, and renaming as behavior for a specific file or directory specified by the restriction setting information 610.
The process monitoring unit 811 monitors activation of a process such as a specific application designated by the restriction setting information 610 and a self-process concealing action.
The clipboard monitoring unit 812 monitors operations such as copying, moving, and deleting a data object with respect to the clipboard buffer 805 by a specific application specified by the restriction setting information 610.

  In the API hook processing unit 813, the file system monitoring unit 810 performs API hook processing for the file system 803, the process monitoring unit 811 performs API hook processing for the process control unit 804, and the clipboard monitoring unit 812 performs API hook processing for the clipboard buffer 805. , Each realized. When the shell 202 or application tries to cause some operation on a file or process by the API hook processing unit 813, the file system monitoring unit 810 or the process monitoring unit 811 is called each time, and should the corresponding API be executed? It is determined whether or not.

When the operation information acquisition unit 808 meets the conditions described in the information according to the information described in the restriction setting information 610, the operation information acquisition unit 808 transmits the operation information obtained from the operation driver 801 through the local master box 109 or the soft local master 113. Report to conductor 115.
When the screen capture processing unit 809 meets the conditions described in the information according to the information described in the restriction setting information 610, the screen capture processing unit 809 converts the bitmap screen information obtained from the display control unit 802 into the local master BOX 109 or the soft local Report to the conductor 115 through the master 113.

  The dedicated shell 208 specifies the application program name of the application that the user is allowed to execute and the resource name (resource: “information resource”) of the server 103 that the user is allowed to access according to the description of the restriction setting information 610. Create an icon that contains. The contents of the icon are a command line character string, and the name of the application program to be executed and the resource name of the server 103 are described as its argument. Further, depending on the application program, various option switches required at the time of activation are also included. Application programs started by clicking this icon with a pointing device such as a mouse are the first application 209 and the second application 210 in FIG. Since the first application 209 and the second application 210 are started as child processes of the dedicated shell 208, the behavior of the first application 209 and the second application 210 can be completely grasped through the dedicated shell 208.

  On the other hand, the OS 201 has a shell 202 provided as a standard. Of course, there is also an application program started from the shell 202. The process monitoring unit 811 has a file system monitoring unit 810, a process monitoring unit 811, and a clipboard monitoring unit 812 for the shell 202 and the application that do not pass through the dedicated shell 208 (the third application 203 corresponds to this in FIG. 8). The behavior is strictly monitored, and operations that may become a security threat to the server 103 are immediately stopped. In addition, the process monitoring unit 811 forcibly terminates the application program whose activation itself is prohibited.

[Stepping node]
There are two types of stepping nodes: devices that do not include a firewall and devices that include a firewall. Each function will be described below.
FIG. 9 is a functional block diagram of the stepping node. The stepping node disclosed in FIG. 9 is a device of a type without a firewall.
The stepping node 901 is a computer on which the network OS operates. As an example, the OS is preferably a POSIX OS such as Linux (registered trademark).
The stepping node 901 according to the present embodiment is arranged at a main point of the LAN 102 and specializes in gateways between IP reachable stepping nodes or servers.
A fixed IP address is assigned to the fifth NIC 902 connected to the LAN 102.

  The encrypted communication processing unit 904 connected to the fifth NIC 902 makes a pair with the encrypted communication processing unit 606 provided in the local master BOX 109 and the soft local master 113. That is, the authentication information is transmitted / received to / from the player 111 and the local master, and the control session and the data session are encrypted.

  The control session management unit 909 makes a pair with the control session management unit 609 provided in the local master box 109 and the soft local master 113 and the control session management unit 807 provided in the player 111. That is, a control session is formed with the local master, and various control information is transmitted and received with the local master or the player 111. For this purpose, a default gateway address 612 or a conductor address 908 is stored.

The data session management unit 910 activates a reverse proxy corresponding to the server 103 or sets static NAT in response to a connection request to the server 103 from the local master through the control session management unit 909. A data session is formed with an IP reachable local master, another stepping node, or the server 103.
As shown in FIG. 9, the reverse proxy process activated by the data session management unit 910 is based on the number of data sessions formed between the first reverse proxy 911, the second reverse proxy 912,... Increase or decrease accordingly.
Similarly, as shown in FIG. 9, the static NAT setting set by the data session management unit 910 includes a data session formed between the first NAT 914, a second NAT (not shown), and the terminal. Increase or decrease according to the number.

The number of data sessions increases / decreases depending on the number formed from the terminals, and also increases / decreases depending on the number of terminals and the number of users who use the terminals. For example, user A's HTTP data session and user A's RDP data session are independent. User B's HTTP data session and User B's RDP data session are also independent. These data sessions are all formed independently. In particular, in the case of a protocol such as SSH, a plurality of data sessions are formed by one user according to the number of SSH servers to be connected. In these data sessions, the reverse proxy process is activated if the stepping node is terminated, and static NAT is set if it is not terminated.
Note that “static NAT setting” refers to the case where the static NAT is set by setting the OS function of the stepping node. For example, in the case of Linux (registered trademark), it refers to an operation for setting a static NAT using an iptables utility for a kernel Netfilter driver. If the static NAT is also configured by an independent program and multiple activation is performed according to the number of data sessions, in this case, “static NAT program activation” is performed. That is, the expression changes depending on the method for realizing static NAT.

The data session management unit 910 sets static NAT for the connection between the local master and another stepping node or between stepping nodes. This is because it is not necessary to decrypt the payload portion of the packet, and it is only necessary to rewrite the IP address and port number described in the IP header portion of the packet.
On the other hand, the data session management unit 910 sets a reverse proxy for the connection between the local master or another stepping node and the server 103. This is because it is necessary to decrypt the payload portion of the packet for communication with the server 103, and processing according to the fourth layer (application) of TCP / IP may be required. As an example, instead of the server 103, as an HTTP error process, a “400 Bad Request” returned by the web server when there is an error in the URL calling method or syntax is reduced, thereby reducing the load on the server 103. , Etc. can be considered.

The packet monitor 905 monitors TCP ACK + SYN packets coming into the data session.
The VPC tunnel is formed by static NAT or reverse proxy according to the VPC establishment request command sent by the local master in response to the TCP SYN packet issued by the terminal, but the server 103 responds to the request of the terminal due to some trouble or the like. If not, the set VPC tunnel must be discarded. Therefore, the static NAT or reverse proxy temporarily set according to the VPC establishment request command transmitted from the local master has a time limit using a timer. In FIG. 9, when the data session management unit 910 activates the first reverse proxy 911, the first timer 906 is activated at the same time. Similarly, when the data session management unit 910 activates the second reverse proxy 912, the second timer 907 is activated at the same time, and when the first NAT 914 is set, the third timer 913 is activated at the same time.
These timers are used to determine whether or not the temporarily activated reverse proxy or the temporarily set static NAT can be maintained as it is.
If a TCP ACK + SYN packet comes in from a server 103 into a VPC tunnel provided by a reverse proxy or static NAT, it is understood that the server 103 is in a state where communication with the terminal is possible. Therefore, the packet monitor 905 monitors the arrival of the TCP ACK + SYN packet, and when the TCP ACK + SYN packet arrives, stops the timing operation of the timer operating in conjunction with the corresponding reverse proxy or static NAT.
If the TCP ACK + SYN packet does not arrive within the time set in the timer, the timer stops the corresponding reverse proxy or static NAT after measuring a predetermined time. In other words, the temporarily set VPC tunnel is discarded when it expires.

  A reverse proxy server program (not shown) is prepared according to a protocol used when accessing the server 103. If HTTP, the proxy mode result code is implemented. In the case of CIFS (Common Internet File System: Windows (registered trademark) file sharing service protocol (SMB: Server Message Block) extended protocol) or RDP, only IP address rewriting is performed.

  The control session management unit 909 is connected with an SNID 915 that is information for uniquely identifying a stepping node. The SNID 915 is information used for setting a reverse proxy in the procedure of forming a VPC tunnel described in the present embodiment, and is important as information used when the conductor 115 described later creates route information.

FIG. 10 is a functional block diagram of the stepping node. Unlike the stepping node 901 of FIG. 9, the stepping node 1001 disclosed in FIG. 10 is a device with a firewall.
The stepping node 1001 of this embodiment is disposed between different adjacent subnets in the LAN 102 and also serves as a gateway between the IP reachable stepping nodes 1001 or the server 103.

A fixed IP address is assigned to the third NIC 1002 connected to the LAN 102.
The fourth NIC 1003 connected to the LAN 102 is assigned a fixed IP address different from that of the third NIC 1002.

  Between the third NIC 1002 and the fourth NIC 1003, a host (terminal, server 103, etc.) connected to the subnet on the fourth NIC 1003 side is connected to a terminal connected to the LAN 102 to the subnet on the third NIC 1002 side. And a firewall 1004 having a packet filtering function for protecting the host on the fourth NIC 1003 side from network security threats.

The stepping node 1001 in FIG. 10 is particularly suitable when the in-house LAN is installed as a firewall for connecting to the Internet. In this case, the network on the third NIC 1002 side is the Internet, and the network on the fourth NIC 1003 side is an in-house LAN. The IP address of the fourth NIC 1003 is the gateway address of the in-house LAN.
The stepping node 1001 in FIG. 10 has the same operation as the stepping node 1001 in FIG. 9 except for the presence of the firewall 1004 and the fourth NIC 1003. The reverse proxy activated from the data session management unit 910, such as the first reverse proxy 911 or the second reverse proxy 912, is a server 103 arranged on the fourth NIC 1003 side and a local master arranged on the third NIC 1002 side. Alternatively, communication with the stepping node 1001 is realized. The static NAT set by the data session management unit 910, such as the first NAT 914, realizes communication between the local master arranged on the third NIC 1002 side and the stepping node 1001 or the stepping nodes 1001.

  If the terminal simply connects to the server 103 that exists on the other side of the firewall 1004, a reverse proxy may be set in a gateway of the LAN 102 or a device arranged at the boundary between the LAN 102 and the Internet 107. . However, in this case, the terminal connects to the IP address of the machine where the reverse proxy operates. Such a connection form may cause various adverse effects depending on the security setting originally provided in the application.

  Specifically, for example, in a web browser “Internet Explorer” (hereinafter abbreviated as “IE”) provided as standard in Windows (registered trademark) of Microsoft Corporation, the IP address of the web server to be connected, FQDN (Full Security settings such as whether to execute scripts or external applications embedded in HTML (Hyper Text Markup Language) documents according to host names that do not include a Qualified Domain Name (fully qualified domain name) or domain name It has a function to change. Web applications are built on the assumption that the web server in the LAN 102 is accessed from a terminal in the LAN 102. Scripts that are dangerous and cannot be executed on the web server on the Internet 107 also prioritize convenience. Are included in the HTML document. In other words, even if the reverse proxy alone is connected to the server 103 in the LAN 102 from the Internet 107, it is not possible to guarantee that a desired application such as an IE operates normally, or there is a possibility of causing a bad effect such as abnormal termination. Is expensive.

  In order to solve this problem, it is necessary to provide a mechanism that “makes it feel as if it is connected to a server in the LAN” for an application running on a terminal such as an IE. The solution for this is static NAT. Connecting to the server 103 through static NAT means connecting to a private address in the same subnet as the terminal in the case of the local master BOX 109, and to a loopback address in the case of the soft local master 113. It becomes. In any case, when viewed from the IE, the destination IP address attached to the packet belongs to the “local intranet” that can lower the security setting of the application. In this way, the terminal realizes access as a “local intranet” without limitation to the server 103 beyond the firewall 1004 beyond the Internet 107.

The merit of converting the IP address is not limited to the above example.
There are cases where companies want to connect each other's LANs for reasons such as mergers or business / organizations having business alliances. In this case, since each company did not construct an in-house LAN on the premise of merging in advance, it is highly possible that private IP addresses used in each LAN overlap.
Further, in the case of a company that provides a network service to a plurality of companies or organizations, the possibility that the IP addresses of the LANs of the companies or organizations that intend to provide the service will be greatly increased. In order to avoid duplication of IP addresses, it is inefficient to reconnect networks every maintenance service.
By using the network system of the present embodiment to convert IP addresses using static NAT and reverse proxy and virtualizing network connections, it is necessary to worry about duplication of IP addresses when connecting multiple networks. Disappears.

[Conductor 115]
FIG. 11 is a functional block diagram of the conductor 115.
FIG. 12 is a diagram showing a field configuration of a table included in the conductor 115.
The conductor 115 of this embodiment is specialized for communication with the player 111 and the local master of the terminal through the control session. Unlike a stepping node, it does not form a data session.
The conductor 115 is a computer on which the network OS operates. As an example, the OS is preferably a POSIX OS such as Linux (registered trademark).
A fixed IP address is assigned to the sixth NIC 1101 connected to the LAN 102.

The encrypted communication processing unit 1102 connected to the sixth NIC 1101 makes a pair with the encrypted communication processing unit 606 provided in the local master BOX 109 and the soft local master 113. That is, the authentication information is transmitted / received to / from the local master and the control session is encrypted.
The authentication processing unit 1103 refers to the device identification ID master 1105 and the user master 1106 to perform device authentication and personal authentication. Further, the authentication processing unit 1103 generates authentication information called SSID for each local master that has succeeded in device authentication, which changes for each session instead of the device identification ID, and writes the combination of the device identification ID and the SSID in the SSID table 1113. . Then, for the player 111 who has succeeded in personal authentication, a set of SSID and user ID is written in the SSID table 1113. That is, when device authentication and personal authentication are normally completed, a record of a set of device identification ID, SSID, and user ID is formed in the SSID table 1113, and the device identification ID, SSID, and user ID are linked. And device authentication and personal authentication can be performed by performing SSID authentication.

  The route setting unit 1104 creates route information using the SN server master 1110, the SN map master 1111, and the LM / SN master 1112, and records the route information in the route table 1114. Further, the virtual IP address is described in the route table 1114 with reference to the device identification ID master 1105.

The device identification ID master 1105 is a table in which the device identification ID of the local master that the conductor 115 permits connection and the virtual IP address range are listed.
The virtual IP address range is a target IP address to which the application program tries to access when the application program of the terminal tries to access the server 103.

The network system 101 of this embodiment virtually connects a terminal that is not IP reachable and a server through a VPC tunnel.
When the application program accesses the server 103, the application program accesses a virtual IP address that is not the original IP address assigned to the server 103. The virtual IP address is configured to be assigned from the terminal to the local master that is IP reachable.
In the case of the local master box 109 in FIG. 6, the virtual IP address belongs to the subnet of the second NIC 601. For example, if the subnet of the second NIC 601 is 192.168.1.0/24 and the IP address of the second NIC 601 is 192.168.1.2, the virtual IP address is from 192.168.1.1 to 192. .IP addresses up to 168.1.2254 are used.
In the case of the soft local master 113 in FIG. 7, the virtual IP address belongs to the subnet of the loopback virtual NIC 701. In most network OSs, 127.0.0.1 is assigned to the loopback virtual NIC 701 and the subnet is 127.0.0.0/8, so the virtual IP address is 127.0.0.1. IP addresses from 1 to 127.255.255.254 can be used.

  The virtual IP address range field of the device identification ID master 1105 is provided so that the optimum virtual IP address can be provided to the local master and, consequently, the terminal based on the configuration of the local master. When the service menu information 614 is transmitted to the user, the setting of the virtual IP address is described from the range described in the virtual IP address range field.

  The user master 1106 stores personal authentication information such as a user ID and a password of a user permitted to be connected by the conductor 115, and restriction setting information of the user.

The server master 1107 stores a virtual server IDX, a server name or a server IP address, a protocol type used for accessing the server 103, a port number, a terminal resource character string, and the like.
The virtual server IDX is information for uniquely identifying the record of the server master 1107. In order to uniquely identify a server instead of a server name, etc., considering the possibility that the same subnet exists at different locations and servers that provide the same IP address and the same service exist on the subnet. Index information is provided.
The virtual server IDX is information included in the service menu information 614. In the VPC establishment sequence that starts in response to the terminal application transmitting a connection request to the server 103, the local master communicates with the conductor 115. Included in commands that request creation of a VPC tunnel.

The server name or the IP address of the server is information necessary when the stepping node closest to the server makes an IP connection to the server together with the port number. If name resolution is possible at the stepping node, the server name is used. If name resolution is possible, the server name may be FQDN or just the host name. Otherwise, the IP address is used.
As the protocol type, for example, a well-known protocol name such as RDP, HTTP, or SSH, or identification information according to this is stored.
The port number is a port number used for accessing the server. In many cases, it is determined for each protocol such as 80 for HTTP, 3389 for RDP, 22 for SSH, 5900 to 5906 for VNC, and the like. However, depending on the server settings, settings may be changed intentionally such as shifting the port number. In this case, the server settings are adjusted.

The terminal resource character string is a character string used when the terminal accesses the server, and the terminal application program identifies the information resource of the connection partner, and is an application argument embedded in the icon provided by the dedicated shell of the player 111 But there is. For example, in the case of HTTP, it is a URL, and in the case of CIFS, it is a resource name indicating a route through which a server provides resources.
In many cases, all or a part of the terminal resource character string includes a server name or an IP address of the server. Therefore, depending on the protocol, all or part of the terminal resource character string may be replaced with the virtual IP address.

For example, in the case of RDP or SSH, the terminal resource character string matches the server name or the server IP address. Therefore, in the case of such a protocol, the terminal resource character string is completely replaced by the virtual IP address.
In the case of CIFS, part of the terminal resource character string may match the server name or the server IP address. Therefore, in the case of such a protocol, the terminal resource character string is partially replaced by the virtual IP address.
In the case of HTTP, a web browser is likely to connect to an unspecified number of web servers based on a hyperlink embedded in one html document. Set the IP address. When the web browser is set in this manner, the web browser itself does not perform name resolution at all, and transmits the terminal resource character string as it is to the VPC tunnel that is the proxy server. The operation for acquiring the actual web content is executed by a reverse proxy operating at the stepping node closest to the web server. Therefore, in the case of such a protocol, the terminal resource character string is not replaced by the virtual IP address.

  The user server master 1108 stores a set of a user ID and a virtual server IDX of the server 103 that can be used by a user with the user ID. Accordingly, the user server master 1108 is narrowed down by the user ID, and the record obtained by searching the server master 1107 using the obtained virtual server IDX as a key is the server 103 that can be used by the user, and the server 103 is used. It will contain the information necessary to do.

The SN master 1109 has a SNID for uniquely identifying a stepping node, a set of a host name (SN host name) or IP address of the stepping node, and whether or not a server exists in the IP reachable range of the stepping node. Is a table made up of end flags indicating.
When the route setting unit 1104 creates route information using an SN server master 1110, an SN map master 1111 and an LM / SN master 1112 which will be described later, the route setting unit 1104 creates original data of the route information using the SNID. Finally, the SNID is converted into an SN host name or IP address to complete the route information and send it to the local master.

The SN server master 1110 is a table composed of a set of the SNID of the stepping node closest to the server and the virtual server IDX.
The stepping node closest to the server is a stepping node in which the value of the termination flag field of the SN master 1109 is logical “true”.

There is not necessarily only one IP reachable stepping node for one server. That is, there can be a plurality of stepping nodes that can be connected to a certain server. Also, the number of IP reachable servers is not limited to one for a stepping node. That is, there can be a plurality of servers that can be connected from a certain stepping node. That is, there can be a plurality of paths from a certain local master to a certain server.
In such a network, network traffic occupies an important position as well as a network distance as an element for determining how to select an optimum route.
Therefore, the network system 101 of this embodiment is designed so that a plurality of IP reachable stepping nodes can exist for a certain server. The SN server master 1110 is a table describing the relationship between the server and the IP reachable stepping node.
When the load of a stepping node that can be connected to a server is increasing, if the VPC tunnel can be switched so as to connect to the server from another stepping node, the load on the network can be instantaneously and appropriately distributed. it can.

The SN map master 1111 is a table composed of a set of SNIDs of stepping nodes and SNIDs of stepping nodes adjacent to the stepping node.
When the SN map master 1111 is searched by SNID, the SNIDs of all stepping nodes adjacent to a certain stepping node are obtained.

The LM / SN master 1112 is a table composed of a set of a device identification ID of a local master and an SNID of a stepping node adjacent to the local master.
When the LM / SN master 1112 is searched by SNID, the SNIDs of all stepping nodes adjacent to a certain local master are obtained.

The route setting unit 1104 creates route information for reaching the server from the local master using a known route search algorithm such as Dijkstra method. At that time, the LM / SN master 1112 is used to obtain the SNIDs of all the stepping nodes reaching the local master of the transmission source. Similarly, the SN server master 1110 is used to obtain the SNIDs of all the stepping nodes that reach the target server, and the virtual server IDX corresponding thereto. After creating a combination of the plurality of start points and end points, optimal route information is created for each combination. Then, optimum route information is selected based on traffic information or the like reported separately from the stepping node.
In a LAN with a simple configuration, there is a method in which a plurality of route information is created in advance, and when the route information is requested from the local master, the optimum route information is read and returned.

  The route table 1114 is a table including a set of SSID, virtual server IDX, virtual IP address, server name or server IP address, protocol type, port number, and route information.

  When the terminal completes the personal authentication and requests the service menu information 614, the authentication processing unit 1103 searches the SSID table 1113 with the SSID transmitted from the terminal and acquires the corresponding user ID. Next, the authentication processing unit 1103 searches the user server master 1108 with this user ID, and creates a list of virtual server IDX of the server 103 that can be used by the user. Then, the server master 1107 is searched using the list information of the virtual server IDX as a search key, and information necessary for using the server 103 available to the user is formed. Further, the route setting unit 1104 is inquired to calculate the optimum route information at the present time, and is added to the search result of the server master 1107. This is service menu information 614.

  Although not shown in FIGS. 11 and 12, the service menu information 614 includes SSID, virtual server IDX, virtual IP address, server name or server IP address, protocol type, port number, and terminal information. It is a table consisting of a set of resource character strings.

The conductor 115 forms service menu information 614 in response to a service menu information acquisition request from the terminal (player 111). The formed service menu information 614 is temporarily stored in the route table 1114. At this time, the route information is left blank. Then, service menu information 614 is returned to the requesting terminal.
Next, the conductor 115 operates the route setting unit 1104 in response to the route information acquisition request from the local master, and creates route information. Since the local master transmits the SSID and the virtual server IDX, the virtual server IDX is used as a search key to search for a stepping node adjacent to the server, and the SSID table 1113 is searched using the SSID as a search key to search the device identification ID 608. And the LM / SN master 1112 is searched using the device identification ID 608 as a search key to search for a stepping node adjacent to the local master. When the optimum route information is calculated using the SN map master 1111, the route information is written in the route information field of the route table 1114 and returned to the local master.

When the local master transmits a command for requesting creation of a VPC tunnel, a static NAT is set in a stepping node existing in the route information based on the route information included in the command. When the command reaches the stepping node closest to the server, the stepping node requests the conductor 115 for authentication again and information indicating the server specifications. The conductor 115 returns the host name or IP address of the server, the protocol type, and the port number, which are information necessary for the stepping node to set the reverse proxy.
The conductor 115 confirms whether or not the SNID is included in the inquiry in order to distinguish between the inquiry issued by the local master and the inquiry issued by the stepping node nearest to the server.
If there is no SNID in the inquiry, it is an inquiry issued by the local master, so route information is returned.
If there is an SNID in the inquiry, it is an inquiry issued by the stepping node nearest to the server, so the server host name or IP address, protocol type, and port number are returned.

As is clear from the above description, the conductor 115 performs dual authentication of device authentication and personal authentication with respect to the local master, and forms a control session with the local master. Then, in order to realize connection with the server 103 for the user operating the terminal, route information for reaching the target server 103 from the local master via an appropriate stepping node is formed in response to a request from the terminal. And send it to the local master.
In the procedure for forming the VPC tunnel, SSID authentication is performed for the local master that is the start of the VPC tunnel and the stepping node that is positioned at the end. If the SSID authentication of the local master is successful, route information is transmitted to the local master. When the SSID authentication of the stepping node is successful, information on the server 103 for setting the reverse proxy and connecting to the server 103 is transmitted to the stepping node.

[Outline of operation]
From FIG. 13 to FIG. 21, except for FIG. 19, in the network system 101 of this embodiment, the terminal is connected to the server 103 that is remotely located on the network, and the resources of the server 103 can be used. It is a time chart which shows the flow of operation | movement until it ends service after that.
First, an outline of the flow of operation will be described.
FIG. 13 is a time chart showing the overall operation flow of the network system 101 of the present embodiment.
When activated, the local master immediately attempts to authenticate the conductor identification ID 608 to the conductor 115 through a control session. This is the device identification ID authentication sequence (S1301).
When the local master succeeds in authenticating the device identification ID 608 in the device identification ID authentication sequence, the terminal player 111 displays a login screen on the display unit 206. From this state, the user performs personal authentication. The personal authentication information is transmitted to the conductor 115 through the control session, and the authentication result is returned to the player 111 of the terminal. This is the personal authentication sequence (S1302).
When the personal authentication sequence ends normally, the player 111 requests the conductor 115 through the control session to obtain the service menu information 614 immediately. The conductor 115 returns service menu information 614 and restriction setting information 610 to the player 111. This is the menu acquisition sequence (S1303).

When the user performs an operation such as clicking an icon displayed on the terminal screen, the application program described in the command line character string embedded in the icon is executed. The application program transmits a connection request packet (TCP SYN packet) to the local master. When the local master confirms this connection request packet, it requests path information from the conductor 115 through the control session. The conductor 115 returns the path information to the local master. The conductor 115 creates a VPC establishment request command including the received route information and transmits it to the stepping node according to the route information through the control session. The stepping nodes described in the path information except for the last stepping node transfer a VPC establishment request command and set a VPC, that is, a static NAT for forming a data session. When the last stepping node described in the route information recognizes that it is the stepping node located at the end of the route information, it inquires about information on the server to be connected to the conductor, and the IP address of the server from the conductor. Get port number and protocol type. And based on these information, an appropriate reverse proxy is performed. Then, the connection request packet issued by the terminal reaches the server 103 by the last stepping node described in the route information. The response packet returned from the server 103 determines the temporarily formed VPC tunnel and reaches the terminal. This is the VPC establishment sequence (S1304).
After the VPC establishment sequence is performed, the terminal and the server 103 perform communication in a virtual connection state using the formed VPC tunnel. This is the VPC data transfer state (S1305).

The destruction of the VPC tunnel is basically performed by transmitting information indicating active termination of the terminal. This is the VPC disconnection sequence (S1306).
If the user wants to stop using the terminal, declare logout. The logout declaration is sent to the conductor 115 through the control session and returned to the terminal. This is the user logout sequence (S1307).
When the local master BOX 109 is turned off through the terminal or the operation of the local master is terminated by shutting down the terminal in which the soft local master 113 is installed, the information is notified to the conductor 115. This is the local master shutdown (S1308).

[Device Specific ID Authentication Sequence]
FIG. 14 is a time chart of the device identification ID authentication sequence. It is a detail of step S1301 of FIG.
When the local master is activated (S1401) and recognizes that it is connected to the LAN 102 and becomes IP reachable, it immediately transmits an authentication request for the device identification ID 608 to the conductor 115 through the control session (S1402).
The local master does not know the address of the conductor 115 directly. However, when communicating with the conductor 115, the host name or IP address of the “default gateway” indicating which IP reachable stepping node should be tried to communicate is held inside. In the present embodiment, the default gateway is the first SN 107. Therefore, the local master transmits a device authentication request for the conductor 115 to the first SN 107 through the control session.

  When the first SN 107 receives an authentication request for the device identification ID 608 from the local master, the control session management unit 609 recognizes that the request is for the conductor 115. Then, the authentication request for the device identification ID 608 is transferred to the stepping node (second SN 108 in this embodiment) described in the default gateway address 612 (S1403).

The second SN 108 is IP reachable with the conductor 115. Therefore, unlike the local master box 109 and the first SN 107, the host name or IP address of the conductor 115 is held in the conductor address 908 instead of the “default gateway”.
Similarly to the first SN 107, the second SN 108 receives the authentication request for the device identification ID 608 from the first SN 107, and transfers the authentication request for the device identification ID 608 to the conductor 115 described in the conductor address 908 (S1404). Thus, the conductor 115 receives the authentication request for the device identification ID 608 transmitted by the local master.

The conductor 115 searches the device identification ID master 1105 with the device identification ID 608 of the local master received from the second SN 108, and confirms whether or not the device identification ID 608 is information indicating a regular local master (S1405). The search result (device identification ID authentication result) is returned to the partner received immediately before, that is, the second SN 108 (S1406).
The control session management unit 609 of the second SN 108 transfers the device identification ID authentication result received from the conductor 115 to the first SN 107 (S1407).
The control session management unit 609 of the first SN 107 transfers the device identification ID authentication result received from the second SN 108 to the local master (S1408).
The local master looks at the device identification ID authentication result received from the first SN 107 and confirms whether or not the authentication has been normally performed (S1409). If the authentication is not successful (NO in S1409), the process ends abnormally, and subsequent operations are impossible (S1410). If the authentication is successful (YES in S1409), the control session management unit 609 of the local master stores the SSID included in the device identification ID authentication result in the SSID memory 613 (S1411).

On the other hand, when the player 111 of the terminal is activated (S1412), it requests the local master to transfer the SSID.
In a state where the local master has not acquired and stored the SSID from the conductor 115, the SSID transfer request fails (S1413). However, after the local master has acquired and stored the SSID from the conductor 115, the SSID transfer request. In response to (S1414), the local master reads the SSID stored in the SSID memory 613 (S1415) and responds to the terminal (S1416), so that the player 111 receives the SSID (S1417) and stores it. (S1418).
In the case of the soft local master 113, since the SSID memory 613 is shared with the player 111, steps S1417 and S1418 are omitted.
In response to the successful completion of SSID acquisition, the player 111 displays a login screen on the display unit 206 (S1419).
The above is the device identification ID authentication sequence.

  When the device identification ID authentication sequence ends normally, the local master can be identified by the SSID instead of the device master ID 608 being transmitted thereafter. Although the device identification ID 608 is fixed, the SSID changes every time the local master is activated, which contributes to improving security.

[Personal authentication sequence and menu acquisition sequence]
FIGS. 15A and 15B are time charts of a personal authentication sequence and a menu acquisition sequence. FIG. 16 is a time chart of the menu acquisition sequence. It is the detail of step S1302 and step S1303 of FIG.
FIG. 15A shows a personal authentication sequence.
The user operates the IC card reader 104 or the keyboard of the terminal to input personal authentication information such as a user ID and password. The personal authentication information is transferred to the local master through the control session by the player 111 with the SSID (S1501).
The local master that has received the personal authentication information and the SSID from the player 111 transfers it to the first SN 107 according to the default gateway address 612 (S1502).
The first SN 107 that has received the personal authentication information and the SSID from the local master transfers it to the second SN 108 according to the default gateway address 612 (S1503).
The second SN 108 that has received the personal authentication information and the SSID from the first SN 107 transfers it to the conductor 115 according to the conductor address 908 (S1504).

The conductor 115 that has received the personal authentication information and the SSID from the second SN 108 searches the user master 1106 with the personal authentication information (S1505), and to the partner who has received the search result (user ID authentication result) immediately before, ie, the second SN 108. A reply is made (S1506). If the user ID authentication result is normal, the user ID is described in the SSID table 1113 (S1507).
The second SN 108 transfers the user ID authentication result received from the conductor 115 to the first SN 107 (S1508).
The first SN 107 transfers the user ID authentication result received from the second SN 108 to the local master (S1509).
The local master transfers the user ID authentication result received from the first SN 107 to the terminal (S1510).

The player 111 of the terminal looks at the user ID authentication result received from the local master and confirms whether or not the authentication has been normally performed (S1511). If authentication has failed (NO in S1511), an error message is displayed on the display unit 206 (S1512), and then a login screen is displayed again (S1419 in FIG. 14).
If the authentication is successful (YES in S1511), the process proceeds to the menu acquisition sequence.
The above is the personal authentication sequence.

  If the personal authentication sequence ends normally, it means that after that (in step S1507) the user ID and the SSID are linked, that is, “who is using which terminal”. . Therefore, when SSID authentication is performed, device identification and personal authentication can be performed simultaneously. Although the personal authentication information is fixed, the SSID changes every time the local master is activated, which contributes to improving security.

FIG. 15B and FIG. 16 show a menu acquisition sequence.
The player 111 of the terminal looks at the user ID authentication result received from the local master and confirms whether or not the authentication has been normally performed (S1511). The conductor 115 is requested to authenticate the SSID through the control session (S1513).
The SSID authentication request is transferred to the local master (S1514), the first SN 107 (S1515), and the second SN 108 (S1516) and reaches the conductor 115. The conductor 115 searches the SSID table 1113 with the received SSID (S1517), and returns the search result (SSID authentication result) to the partner that has just received it, that is, the second SN 108 (S1518).
The SSID authentication result returned from the conductor 115 is transferred to the second SN 108 (S1519), the first SN 107 (S1520), and the local master (S1521), and returned to the player 111 of the terminal.
The player 111 of the terminal looks at the SSID authentication result received from the local master and confirms whether or not the authentication has been normally performed (S1522). If authentication has failed (NO in S1522), an error message is displayed on the display unit 206 (S1523), and then a login screen is displayed again (S1419 in FIG. 14).

The description of the menu acquisition sequence will be continued with reference to FIG.
If the authentication is successful in step S1511 (YES in S1511), the player 111 requests the conductor 115 to transmit the service menu information 614 (S1624).
The service menu information request transmitted by the player 111 is transferred to the local master (S1625), the first SN 107 (S1626), and the second SN 108 (S1627) and reaches the conductor 115. The conductor 115 searches the SSID table 1113, the user server master 1108, and the server master 1107 (S1628), and returns the search result (service menu information 614) to the partner who has just received it, that is, the second SN 108 (S1629). At this time, the restriction setting information 610 is also read from the user master 1106 and returned together with the service menu information 614.
The service menu information 614 and the restriction setting information 610 returned from the conductor 115 are transferred to the second SN 108 (S1630) and the first SN 107 (S1631).

Upon receiving the service menu information 614 and the restriction setting information 610 from the first SN 107, the local master stores them internally and transfers them to the terminal (S1632). Then, various settings are made based on the service menu information 614 and the restriction setting information 610 (S1633).
Upon receiving the service menu information 614 and the restriction setting information 610 from the local master, the player 111 of the terminal stores them internally (S1634). Then, various settings are made based on the service menu information 614 and the restriction setting information 610 (S1635).

The operation from step S1624 to step S1635 (P1636) is repeatedly executed for each protocol corresponding to the service (P1637). For example, when the protocols usable by the user are RDP and HTTP, first, the procedure P1636 is executed for RDP, and then the procedure P1636 is executed for HTTP.
When the acquisition of the service menu information 614 corresponding to all services that the user can enjoy is completed, the terminal displays the menu on the display unit 206 (S1638).
The above is the menu acquisition sequence.

[VPC establishment sequence and VPC data transfer status]
FIG. 17 is a time chart of the VPC establishment sequence. FIG. 18 is a time chart of the VPC establishment sequence and the VPC data transfer state. It is the detail of step S1304 and step S1305 of FIG.
When the user starts an application program by operating an icon formed by the dedicated shell 208 of the player 111 of the terminal and displayed on the display unit 206, a TCP SYN packet is generated from the application program (S1701). When the packet monitoring unit 615 of the local master captures the TCP SYN packet, the local master packet monitoring unit 615 determines the server 103 and the protocol requested by the application program from the destination IP address and the port number of the TCP SYN packet. Then, it requests the conductor 115 to acquire route information. However, since authentication is required prior to the acquisition of the route information, first, the conductor 115 is requested to perform SSID authentication (S1702).

  In step S1702, the packet monitoring unit 615 of the local master needs to determine the server 103 and protocol requested by the application program from the destination IP address and port number of the TCP SYN packet. Therefore, each service record listed in the service menu information 614 must be unique in the combination of the destination IP address and the port number. When providing a user with a service provided by a plurality of servers using a single protocol, the uniqueness of each record of the service menu information 614 is set by changing the virtual IP address or, if possible, the port number. Secure.

The SSID authentication request issued from the local master is transferred to the first SN 107 (S 1703) and the second SN 108 (S 1704), and reaches the conductor 115. The conductor 115 searches the SSID table 1113 (S1705), and returns an SSID authentication result (S1706). The SSID authentication result is transferred to the second SN 108 (S1707) and the first SN 107 (S1708), and reaches the local master.
If the SSID authentication result is an abnormal value (NO in S1709), the local master reports the fact to the terminal. In this case, the terminal displays an error on the display unit 206 (S1710).
If the SSID authentication result is a normal value (YES in S1709), the SSID authentication sequence started from step S1702 ends.

When the local master recognizes that the SSID authentication sequence has been normally completed, the local master next requests the conductor 115 to acquire route information to the target server 103 (S1711).
The route information acquisition request issued from the local master is transferred to the first SN 107 (S 1712) and the second SN 108 (S 1713) and reaches the conductor 115.
The route setting unit 1104 of the conductor 115 creates route information for reaching the server from the local master using a well-known route search algorithm such as Dijkstra method, and sends it back (S1715). The route information is transferred to the second SN 108 (S1716) and the first SN 107 (S1717), and reaches the local master. The local master temporarily stores the received route information in the RAM (S1718). At this point, the route information acquisition sequence starting from step S1711 ends.

The description of the VPC establishment sequence is continued with reference to FIG.
The local master creates a VPC establishment request command based on the path information received from the conductor 115, and transmits it to the first SN 107 that is the first stepping node based on the path information (S1819).

  When receiving the VPC establishment request command from the local master, the first SN 107 checks whether or not it is the last of the route information. If it is determined that the route information is not the last stepping node, a static NAT is set between the local master and the second SN 108 located next to the route information. Then, based on the route information, it is transmitted to the second SN 108 which is the first stepping node (S1820).

  When the second SN 108 receives the VPC establishment request command from the first SN 107, the second SN 108 checks whether or not it is the last of the route information. If it is determined that the route information is not the last stepping node, a static NAT is set between the first SN 107 and the third SN 112 located next to the route information. Then, based on the route information, it transmits to the third SN 112, which is the first stepping node (S1821).

  When receiving the VPC establishment request command from the second SN 108, the third SN 112 checks whether or not it is the last of the route information. If it is determined that it is not the last stepping node of the route information, a static NAT is set between the second SN 108 and the fourth SN 114 located next to the route information. Then, based on the route information, it transmits to the fourth SN 114, which is the first stepping node (S1822).

  When receiving the VPC establishment request command from the third SN 112, the fourth SN 114 checks whether or not it is the last of the route information. If it is determined that it is the last stepping node in the path information (S1823), the SSID included in the VPC establishment request command is used to request the conductor 115 for SSID authentication (S1824).

The SSID authentication request issued from the fourth SN 114 is transferred by the third SN 112 (S1825) and reaches the conductor 115. The conductor 115 searches the SSID table 1113 (S1826), and returns an SSID authentication result (S1827). The SSID authentication result is transferred by the third SN 112 (S1828) and reaches the fourth SN 114.
If the SSID authentication result is an abnormal value (NO in S1829), the fourth SN 114 ends abnormally (S1830). In this case, the NAT setting set by the first SN 107 in step S1820, the second SN 108 in step S1821, and the third SN 112 in step S1822 disappears when the timer set at the time of NAT setting times out. To do.
If the SSID authentication result is a normal value (YES in S1829), then the IP address of the server 103, which is information necessary for setting the reverse proxy for the target server 103 for the conductor 115, A port number and a protocol type are requested (S1831).
The server information request issued from the fourth SN 114 is transferred by the third SN 112 (S1832) and reaches the conductor 115.
Upon receiving the server information request, the path setting unit 1104 of the conductor 115 searches the path table 1114 using the virtual server IDX included in the server information request, and determines the IP address, port number, and protocol type of the server 103. It returns to 4th SN114 (S1834).
The server information transmitted by the conductor 115 is transferred by the third SN 112 (S1835) and reaches the fourth SN 114.
The fourth SN 114 sets a reverse proxy between the third SN 112 and the server 103 using the IP address, port number, and protocol type of the server 103 (S1836). Then, a TCP SYN packet is transmitted to the host name or IP address and port number of the server 103 (S1837).
Thus, the TCP SYN packet issued by the terminal application program in step S1701 in FIG. 17 reaches the server 103 in step S1838.

  The server 103 that has received the TCP SYN packet from the fourth SN 114 returns a TCP ACK + SYN packet to the fourth SN 114 in accordance with the well-known TCP three-way handshake regardless of the VPC or the like (S1826). The TCP ACK + SYN packet passes through the data session (VPC tunnel) temporarily set in the fourth SN 114, the third SN 112, the second SN 108, the first SN 107, and the local master (from S1839 to S1845).

  When the packet monitor 905 of the fourth SN 114 detects a TCP ACK + SYN packet passing through the data session, the packet monitor 905 reports that fact to the data session management unit 910. The data session management unit 910 stops the timer set for the corresponding reverse proxy, and determines the reverse proxy temporarily executed in step S1836 (S1840).

  When the packet monitor 905 of the third SN 112 detects a TCP ACK + SYN packet passing through the data session, the packet monitor 905 reports that fact to the data session management unit 910. The data session management unit 910 stops the timer set for the corresponding static NAT, and determines the static NAT temporarily executed in step S1822 (S1841).

  When the packet monitor 905 of the second SN 108 detects a TCP ACK + SYN packet passing through the data session, the packet monitor 905 reports that fact to the data session management unit 910. The data session management unit 910 stops the timer set for the corresponding static NAT, and determines the static NAT temporarily executed in step S1821 (S1842).

  When the packet monitor 905 of the first SN 107 detects a TCP ACK + SYN packet passing through the data session, the packet monitor 905 reports that fact to the data session management unit 910. The data session management unit 910 stops the timer set for the corresponding static NAT, and determines the static NAT temporarily executed in step S1820 (S1843).

When the packet monitoring unit 615 of the local master detects a TCP ACK + SYN packet passing through the data session, the packet monitoring unit 615 reports that fact to the control session management unit 609. The control session management unit 609 determines the corresponding static NAT (S1844).
At this time, the VPC tunnel formed by the local master, the first SN 107, the second SN 108, the third SN 112, and the fourth SN 114 existing between the terminal and the server 103 is determined (S1846).

  When receiving the TCP ACK + SYN packet returned from the server 103 via the VPC tunnel, the terminal returns a TCP ACK packet to the server 103 via the VPC tunnel in accordance with the well-known TCP 3-way handshake (S1845). . Thereafter, the terminal accesses the server 103 through the VPC tunnel by processing according to the TCP / IP layer 4 (application) (S1847), and the server 103 responds to the client access in the same manner (S1848).

FIG. 19 is a schematic diagram showing an outline of a packet flowing in the VPC establishment sequence and a VPC establishment request command.
The TCP SYN packet transmitted from the first terminal 105 is transmitted in the data session.
When receiving the TCP SYN packet, the local master BOX 109 creates a VPC establishment request command and transmits it to the first SN 107 through the control session.
The path information included in the VPC establishment request command is composed of the host name or IP address of the stepping node.
When receiving the VPC establishment request command received in the control session, the fourth SN 114, which is the final point of the stepping node that forms the VPC tunnel, transmits a TCP SYN packet from the data session to the server 103.
When receiving the TCP SYN packet, the server 103 returns a TCP ACK + SYN packet through the data session. This TCP ACK + SYN packet reaches the first terminal 105 through a data session consisting of a reverse proxy and a static NAT that has already been formed in each stepping node, that is, a VPC tunnel. Then, this TCP ACK + SYN packet determines the reverse proxy or static NAT of each stepping node that is in the temporary setting state.

As can be seen from FIG. 17, FIG. 18, and FIG. 19, the network system of the present embodiment intervenes in the transfer of the first TCP SYN packet in the well-known TCP 3-way handshake.
When the local master detects the TCP SYN packet (S1702), it requests path information from the conductor 115 (S1711) after the SSID authentication sequence (from S1702 to S1709).
Then, the conductor 115 creates the best route information at that time (S1714) and transmits it to the local master (S1715).
The local master transmits a VPC establishment command including route information to the stepping node described at the beginning of the route information (S1819).
The stepping node that has not received the VPC establishment command and that is not the last of the routing information transfers the command to the next stepping node according to the routing information included in the command and sets a static NAT in the data session (S1820, S1821, S1822).
When the stepping node located at the end of the route information that has received the VPC establishment command recognizes that it is the end of the route information (S1823), the SSID authentication sequence ( After executing S1824 to S1829, server information is requested from the conductor 115 (S1831). Then, the conductor 115 searches the server information (S1833) and transmits it to the stepping node located at the end of the route information (S1834).
The stepping node located at the end of the path information sets a reverse proxy based on the server information (S1836), and transmits a TCP SYN packet to the server (S1837).

In the VPN product of the prior art, user authentication is performed in a form intervening in an application program, and a VPN tunnel is formed. For this reason, if the number of application programs to be connected via VPN increases, it is necessary to prepare a program for personal authentication corresponding to the program.
However, in the network system of the present embodiment, the device authentication and personal authentication are completely separated from the procedure for forming the VPC tunnel. If the device authentication and the personal authentication are successful in the initial authentication procedure, then the application program for connecting to the server listed in the service menu information 614 does not need to be accompanied by any special program, and is simply a designated command line. What is necessary is just to access the resource described in the character string. In the VPC establishment sequence, authentication using the SSID is executed by the local master that is the beginning of the VPC tunnel and the stepping node that is located at the end, but neither the user nor the application program needs to be aware of this.

[VPC disconnection sequence]
FIG. 20 is a time chart showing the VPC disconnection sequence when the communication protocol passing through the VPC tunnel is connection-type communication. It is a detail of step S1306 of FIG.
When the communication protocol that passes through the VPC tunnel is a connectionless type such as HTTP, it is necessary to transfer all packets including TCP FIN packets without delay. However, in the case of a connection type such as RDP or SSH. Means that the application program is terminated when the TCP FIN packet is transmitted. That is, without sending a dedicated command for disconnection through the control session, it is possible to monitor the normal TCP communication end procedure and trigger the VPC tunnel end.
When the user ends the communication by operating the application program of the terminal, the application program performs a known communication end procedure in TCP (S2001). At this time, when the TCP FIN packet transmitted by the application program reaches the local master, the local master also performs a communication end procedure in TCP (S2002). When the local master finishes the TCP communication end procedure, the local master cancels the static NAT setting that has formed the VPC tunnel (S2003).

  The local master also performs a TCP communication end procedure for the first SN 107. At this time, when the TCP FIN packet transmitted by the local master reaches the first SN 107, the first SN 107 also performs a procedure for terminating communication in TCP (S2004). When the first SN 107 finishes the TCP communication end procedure, the first SN 107 cancels the setting of the static NAT forming the VPC tunnel (S2005).

  The first SN 107 also performs a communication end procedure in TCP for the second SN 108. At this time, when the TCP FIN packet transmitted by the first SN 107 reaches the second SN 108, the second SN 108 also performs a procedure for terminating communication in TCP (S2006). When the second SN 108 finishes the TCP communication termination procedure, the second SN 108 cancels the setting of the static NAT forming the VPC tunnel (S2007).

  The second SN 108 also performs a communication end procedure in TCP for the third SN 112. At this time, when the TCP FIN packet transmitted by the second SN 108 reaches the third SN 112, the third SN 112 also performs a TCP communication end procedure (S2008). When the third SN 112 finishes the TCP communication end procedure, the third SN 112 cancels the setting of the static NAT forming the VPC tunnel (S2009).

The third SN 112 performs a TCP communication end procedure for the fourth SN 114 as well. At this time, when the TCP FIN packet transmitted by the third SN 112 reaches the fourth SN 114, the fourth SN 114 also performs a communication end procedure in TCP (S2010). When the fourth SN 114 finishes the TCP communication end procedure, the fourth SN 114 cancels the setting of the reverse proxy that formed the VPC tunnel (S2011).
The server 103 performs a communication termination procedure in response to the TCP FIN packet transmitted by the fourth SN 114 (S2012).

[User logout sequence and local master shutdown]
FIGS. 21A and 21B are time charts showing a user logout sequence and a local master shutdown. It is the detail of step S1307 and step S1308 of FIG.
When the user wants to stop using the terminal, the user operates the dedicated shell 208 of the terminal to declare logout (S2101). The logout declaration is transmitted to the conductor 115 through the control session (S2102), transferred to the first SN 107 (S2103) and the second SN 108 (S2104), and then reaches the terminal (S2105). The conductor 115 deletes the user ID of the user described in the SSID table 1113 as the user logout process (S2105). That is, the association between the SSID and the user ID is released. The logout process completion report is transmitted from the conductor 115 (S2106), and reaches the terminal via the second SN 108 (S2107), the first SN 107 (S2108), and the local master (S2109) (S2111).
At this time, the local master receives the user logout and discards the service menu information 614 and the restriction setting information 610 (S2110).
Similarly, the player 111 of the terminal receives the user logout and discards the service menu information 614 and the restriction setting information 610 (S2112).

  When the local master BOX 109 is turned off through the terminal or the operation of the local master is terminated by shutting down the terminal in which the soft local master 113 is installed (S2113), the information includes the first SN 107 (S2114) and the second The conductor 115 is notified through the SN 108 (S2115). In response to this notification, the conductor 115 deletes the SSID from the SSID table 1113 (S2116).

  As can be understood from the above description, in the network system 101 of the present embodiment, when a terminal application program tries to connect to the server 103, a data session is formed with a port different from the control session for the first time. If the server to which the terminal is to connect is different, a different data session is formed each time. Since the resource of the server 103 that the conductor 115 can use for each user is managed by the routing table 1114, a virtual connection service can be easily provided to a large number of users without causing an accident such as duplication of data sessions. Can do.

This embodiment can be applied as follows.
(1) The device identification ID master 1105 and the user master 1106 of the conductor 115 may be placed on a server 103 different from the conductor 115 and referred to by the authentication processing unit 1103 through a network.

  (2) The local master can access the plurality of conductors 115 simultaneously. In this case, immediately after completing the personal authentication, the local master reports the target address for the terminal that has already been assigned by the previously connected stepping node, and the terminal at each stepping node. Arbitration is required so that the target address does not overlap.

(3) The functional configuration of the soft local master 113 can be the same as that of the local master BOX 109.
The soft local master 113 in FIG. 7 uses the loopback virtual NIC 701 for access using the VPC. However, instead of the loopback virtual NIC 701, the software local master 113 is configured by software like the second NIC 601 of the local master box 109 in FIG. It can be replaced with the NIC that performs. In the case of Windows (registered trademark), the NIC of such software is publicly known such as TAP-Win32 (http://cipe-win32.sourceforge.net/) in addition to the software product disclosed in Non-Patent Document 1. There are several programs. In the case of Linux (registered trademark), the kernel driver is provided with the name “Universal TUN / TAP device driver”.

  (4) If the terminal is stationary and the possibility of moving from the LAN 102 is very low, the API hook processing unit 813 of the player 111 may not be operated to limit the behavior of the terminal. In this case, the player 111 is required to have a function of holding the service menu information 614 and starting the dedicated shell 208 for the network system 101.

  (5) The stepping node may not have the function of starting the reverse proxy when there is no IP reachable server on the network to which the stepping node is connected.

In this embodiment, the network driver 806 and the static NAT forming device (local master BOX 109, soft local master 113), terminal management device (player 111), reverse proxy server (stepping node), and virtual network connection control used therefor An apparatus (conductor 115) has been disclosed.
After the local master BOX 109 or the soft local master 113 and the stepping node perform device authentication and personal authentication through the control session, the terminal application program requests connection to the server 103 in the private network existing ahead of the conductor 115. The local master BOX 109 or the soft local master 113 and the stepping node in the middle of the route set a static NAT, and the stepping node closest to the server 103 sets a reverse proxy to form a data session between the terminal and the server 103. By constructing the network system 101 in this way, it is possible to realize a connection between the server 103 and a terminal that is not directly IP reachable in a virtual connection form without private address collision. Furthermore, since the player 111 strongly restricts the behavior of the terminal at the time of connection, security vulnerability can be protected.

  Generally, the BSD socket programming method for configuring a server is to open a port that waits for a client connection, and when a client is connected, open the port again to wait for the next client connection. It is. In other words, the server always has a specific port open. If the port is left open, a malicious third party can search for the vulnerability of the server program through the port.

  The inventor has a port that is always open and an actual terminal in order to eliminate the possibility of being exploited by a third party for vulnerabilities that may exist in a plurality of reverse proxy programs corresponding to a plurality of protocols possessed by the stepping node. Separated the port for connecting data. The data session formed by the stepping node is different from the server operation in the original BSD socket programming, and even if the data session is established, the port corresponding to the same data session is not opened. As long as there is no connection request from the terminal, a data session is not formed and a port for that purpose is not opened. When a third party port scans a stepping node, it appears that only the port for the control session is open.

Furthermore, a device identification ID 608 for uniquely identifying each local master is given to the local master connected to the network system 101 according to the present embodiment. This device identification ID 608 is different from the IP address and is used only as authentication information in the control session.
Here, the packet flowing in the data session of the network system 101 of this embodiment will be considered and described.

In the case of the soft local master 113, the packet issued from the terminal is the loopback address (127.0.0.1) as the transmission source IP address, and the transmission destination IP address is in the class C subnet to which the loopback address belongs. It is the included address (127.0.0.x). In the case of the local master box 109, the source IP address is a private address (for example, 192.168.0.1), and the destination IP address is an address (192.168.8.0) included in the class C subnet to which the private address belongs. X).
In these packets, the soft local master 113 or the local master BOX 109 rewrites the transmission source IP address and the transmission destination IP address (and the port number if necessary) by static NAT. The source IP address is the IP address assigned to the soft local master 113 or the local master BOX 109 from the DHCP server, the destination IP address and the port number are the IP address of the nearest stepping node and the port number for the data session, Each can be rewritten.

Furthermore, these packets pass through a plurality of stepping nodes. The source IP address and the destination IP address (and the port number if necessary) are rewritten one after another by static NAT or reverse proxy set by the stepping nodes constituting the VPC tunnel. In the packet finally reaching the server 103, the source IP address is rewritten to the IP address of the stepping node closest to the server 103, and the destination IP address and port number are rewritten to the private address and port number of the server 103, respectively. .
Thus, in the situation where the IP address of the packet passing through the communication path is rewritten one after another every time it passes through the base, the device identification ID 608 that is information for guaranteeing the uniqueness of the terminal must be used for what. Therefore, it can be understood that the device identification ID 608 is information indicating that “the terminal is qualified to connect to the server 103”. This information does not necessarily have to be held by the server 103 that provides a service to the terminal, and it is only necessary that a device (conductor 115) capable of executing predetermined authentication exists.

  As is well known, IPv4 faces an urgent problem that addresses are running out. So why are addresses running out? At first glance, you would normally think that there are not enough bits in the IP address. However, a more fundamental problem is that an attempt is made to obtain the uniqueness of a terminal in an IP address that determines a destination of a packet that passes through a communication path. The IP address is defined as a protocol and is a bit string that is always attached to a packet. Therefore, it must have a fixed length, and the bit string cannot be easily expanded. The inventor thought that this was the source of the mistake.

  The information for determining the uniqueness of the terminal may be used only for the situation for determining the uniqueness of the terminal, that is, for authentication, and should be clearly distinguished from the information for determining the destination of the packet. Based on this technical idea, the inventor denies that the uniqueness of the terminal is obtained from the IP address, and the IP address is divisible by information used only for the destination of the packet, and the communication path is virtualized and authenticated. Based on the behavior, we tried to reconstruct the network system. This is the present embodiment.

  The device identification ID 608 included in the local master of the present embodiment is data that is defined only as a protocol and is used only for authentication, not an IP address incorporated as a packet header. Therefore, even if an action such as enlarging the bit string or changing the format as many times as necessary according to the scale of the network driver 806 or the necessity, the packet format does not change, so no problem occurs. In the present embodiment, the inventor assigned 12 bytes to the device identification ID 608 when creating the prototype, but of course, a longer bit string may be used.

As can be seen from FIG. 1, the network system 101 of the present embodiment can safely cross between subnets that are not IP reachable by following the stepping node. When this technology is applied, the network system 101 of this embodiment is established even if a plurality of identical subnets exist on the route as long as they are not adjacent to each other. That is, in principle, it is possible to construct a vast network that is almost infinite with only private IP addresses.
As described above, the network system 101 of this embodiment also includes one aspect as a technique for expanding the possibilities of the IPv4 protocol.

  The embodiment of the present invention has been described above. However, the present invention is not limited to the above-described embodiment, and other modifications, Includes application examples.

  DESCRIPTION OF SYMBOLS 101 ... Network system, 102 ... LAN, 103 ... Server, 104 ... IC card reader, 105 ... First terminal, 106 ... Second terminal, 107 ... Internet, 109 ... Local master BOX, 110 ... DHCP server, 111 ... Player, 113 ... Soft local master, 115 ... Conductor, 201 ... Network OS, 202 ... Shell, 203 ... Third application, 204 ... Storage, 205 ... Operation unit, 206 ... Display unit, 207 ... Built-in USB interface, 208 ... Dedicated shell, 209 ... First application, 210 ... Second application, 301 ... Built-in NIC, 403 ... USB-B connector, 404 ... Network connector, 502 ... CPU, 503 ... RAM, 504 ... Flash memory, 505 ... USB interface 507 ... first NIC, 508 ... bus, 601 ... second NIC, 602 ... DHCP client, 603 ... address duplication avoiding unit, 604 ... DHCP server, 605 ... NAT setting unit, 606 ... encrypted communication processing unit, 608 ... device identification ID, 609 ... control session management part, 610 ... restriction setting information, 611 ... packet filter setting part, 612 ... default gateway address, 613 ... SSID memory, 614 ... service menu information, 615 ... packet monitoring part, 701 ... Loopback virtual NIC, 702 ... DHCP client, 705 ... NAT setting unit, 706 ... Packet filter setting unit, 801 ... Operation driver, 802 ... Display control unit, 803 ... File system, 804 ... Process control unit, 805 ... Clipboard buffer 806: Network driver, 807 ... Control session management unit, 808 ... Operation information acquisition unit, 809 ... Screen capture processing unit, 810 ... File system monitoring unit, 811 ... Process monitoring unit, 812 ... Clipboard monitoring unit, 813 ... API hook processing 901: Stepping node, 902: Fifth NIC, 904: Encrypted communication processing unit, 905 ... Packet monitor, 906 ... First timer, 907 ... Second timer, 908 ... Conductor address, 909 ... Control session management unit, 910 ... Data session management unit, 911 ... First reverse proxy, 912 ... Second reverse proxy, 913 ... Third timer, 914 ... First NAT, 915 ... SNID, 1001 ... Stepping node, 1002 ... Third NIC, 1003 ... Fourth NIC, 1 004 ... Firewall, 1101 ... Sixth NIC, 1102 ... Encrypted communication processing unit, 1103 ... Authentication processing unit, 1104 ... Route setting unit, 1105 ... Device identification ID master, 1106 ... User master, 1107 ... Server master, 1108 ... User Server master, 1109 ... SN master, 1110 ... SN server master, 1111 ... SN map master, 1112 ... LM / SN master, 1113 ... SSID table, 1114 ... route table

Claims (7)

A first NIC connected to a terminal and a first network that is IP reachable ;
The server disposed on the second network is not the IP reachable to the first NIC, and a second NIC used for the terminal makes a connection,
A packet that is interposed between the second NIC and the first NIC and communicates with the server through a reverse proxy server that exists on the second network based on a connection to the virtual IP address performed by the terminal. A static NAT forming apparatus comprising a NAT setting unit that sets a static NAT to be applied. Furthermore,
A device identification ID that uniquely identifies each device;
When connecting to the reverse proxy server, a control session is formed for the virtual connection control device that executes a predetermined authentication procedure, and device authentication is performed using the device identification ID through the control session. The static NAT forming device according to claim 1, further comprising a control session management unit that transmits and receives control information to and from the virtual connection control device through the control session when successful.   The control session management unit performs personal authentication for authenticating a user used by the terminal after completing the device authentication, and corresponds to the server and the server that can be used by the user when the personal authentication is successful. The static NAT forming apparatus according to claim 2, wherein the virtual IP address information is received from the virtual connection control apparatus. A first NIC connected to the network;
A control session management unit that forms a control session for transmitting and receiving control information to and from the terminal;
Connection to the virtual IP address virtual IP to connect to the server based on connection to the address and start the reverse proxy to form said terminal and data session through the first NIC, the terminal performs the terminal performs A reverse connection comprising a data session management unit that sets up a static NAT and forms a data session with the terminal through the first NIC when connecting to another device required to reach the server based on Proxy server. A first NIC connected to the network;
A second NIC connected to a network in which a server to be connected exists based on a connection to a virtual IP address performed by a terminal;
A control session management unit for forming a control session for transmitting and receiving control information to and from the terminal;
The terminal forms a data session between the first NIC to start the reverse proxy and the second NIC is to connect to the server, the terminal other necessary to reach the server A reverse proxy server comprising a data session management unit which sets a static NAT when connecting to a device and forms a data session with the terminal through the first NIC. A device identification ID master in which a device identification ID included in the static NAT forming device is stored;
A user master that stores personal authentication information of a user who is connected to the static NAT forming apparatus or uses a terminal incorporating the static NAT forming apparatus;
Receiving the device identification ID from the static NAT forming device and performing device authentication using the device identification ID master, and receiving the personal authentication information of the user from the terminal and using the user master An authentication processing unit for performing authentication;
In response to a request from the static NAT forming apparatus that is connected to or built in the terminal for which the device authentication and the personal authentication have been normally completed, the terminal is connected to a desired server based on the connection to the virtual IP address performed by the terminal. A virtual connection control device comprising a route setting unit that creates route information for performing virtual connection. The device specific ID master Moreover, the scope of the virtual IP address of application program running on the terminal is trying to connect is stored, the virtual connection control apparatus according to claim 6, wherein.

Images