CN102822838B - Connection destination limitation system, connection destination limitation method, terminal setting control system, terminal setting control method, and program

Info

Publication number: CN102822838B
Authority: CN (China)
Application number: CN201280000402.0A
Other languages: Chinese (zh)
Other versions: CN102822838A
Prior art keywords: terminal, server, network, internal network
Inventors: 福本治, 上野正浩, 新妻拓朗, 马天峰, 木下惇, 绿川纯央, 栗原良辅
Assignee (current and original): Nomura Research Institute Ltd
Priority claimed from: JP2011069266A (JP4882030B1)
Legal status: Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/64 Hybrid switching systems
    • H04L 12/6418 Hybrid transport

Abstract

A communication management server (11) executes a key-packet transmission AP (21) to intermittently broadcast key packets to an internal network (4). A local terminal (15) (remote terminal (16)) executes a key-packet reception AP (23) to receive information broadcast to the internal network (4), and sets a reception flag according to whether a key packet from the communication management server (11) has been received. The local terminal (15) (remote terminal (16)) further executes a connection destination limitation AP (25) to determine, on the basis of the reception flag, whether the terminal itself is physically connected to the internal network (4). When it is determined that the terminal is physically connected to the internal network (4), connection processing is executed for the logical connection request.

Description

Connection destination limitation system, connection destination limitation method, terminal setting control system, terminal setting control method, and program
Technical field
The present invention relates to a system that manages the network connection of a terminal, and the like. In particular, it relates to a connection destination limitation system that limits the logical connection destination of a terminal, and the like. It further relates to a terminal setting control system that controls the settings of a terminal according to the network it is connected to, and the like.
Background art
Security problems have been pointed out when PCs (Personal Computers), PDAs (Personal Digital Assistants), mobile phones, tablet terminals, smartphones and the like that are used inside a company (hereinafter simply "terminals") are taken out and used outside the company. If no restriction is applied to these terminals, they can make a direct logical connection to the Internet, a home LAN (Local Area Network), and so on. Here, "making a direct logical connection to the Internet, a home LAN, etc." refers to a connection mode in which, for communication based on TCP/IP (Transmission Control Protocol/Internet Protocol) for example, the IP address and port number (address information) of an external server reached via the Internet, of another terminal installed at home, etc. are used as the connection destination. It also includes the case where the terminal is directly physically connected (wired or wireless) to a communication device installed on an external network.
When a terminal is directly logically connected to the Internet, a home LAN, etc., access to websites on the Internet cannot be restricted, and it cannot be detected that the virus definition file of the antivirus software has not been updated, so the security risk increases. In addition, when a terminal is directly logically connected to the Internet, a home LAN, etc., no communication trace can be obtained, so information can easily be leaked intentionally.
For example, Patent Document 1 discloses a network connection control method whose purpose is to prevent a computer that was infected by an illegal program such as a virus or spyware at a destination outside the company from being connected to a secure network such as the company LAN. (1) When user terminal 10 is started and attempts to connect to the company LAN, the connection to the network is temporarily stopped, and the environment of user terminal 10 is compared with the environment at the previous operation or with the company LAN environment. (2) If there is no change from the environment at the previous operation, the connection to the company LAN is restored directly; but if it is determined that the terminal was connected to something other than the company LAN at the previous operation, a virus check and the like are performed after confirming that the antivirus software is the latest version. (3) After the security of user terminal 10 has been confirmed, the connection to the company LAN is restored. (4) If it is determined that the environment is not the company LAN environment, the terminal connects directly to the external network.
In addition, terminals nowadays receive many services via a network. Here, a network means a company LAN, a company WAN (Wide Area Network), a home LAN, etc. (wired or wireless), that is, a local computer network that connects computers, communication devices, and the like. Such a local network is usually connected to the Internet.
Examples of services provided via a network (including via the Internet) to users belonging to an organization such as an enterprise include: a mail transmission/reception service using a mail server, an OS (Operating System) patch file update service using a patch update server, a virus definition file update service using a virus definition update server, a printout service using a print server (including multifunction devices, printers, etc.), an Internet connection service using a proxy server, and a VPN (Virtual Private Network) connection service to the company internal network using a VPN server. To receive these services, different software is usually installed on the terminal for each service.
However, when a user connects the terminal to a different network, the setting information of the terminal must be changed in order to receive services via that network. Under present conditions, the setting information of the terminal must be changed separately for each piece of software. Moreover, depending on the software, the user must change the setting information manually.
For example, a user whose workplace changes from day to day, such as between the head office, a branch office and home, wishes to receive services without being conscious of which network the terminal is connected to. Specifically, the user wishes to receive services without manually changing the setting information, or without being asked by the terminal to confirm the setting information, even when the network the terminal connects to changes.
Patent Document 2 describes a technique for switching networks easily. Specifically, the routing table is obtained intermittently, and whether a network change has occurred is determined from the gateway information of the default route recorded in the routing table. When it is determined that a network change has occurred, it is determined whether a profile has been registered; if a profile is registered, the connection to this network is completed according to that profile, and if no profile is registered, a profile for this network is newly created and registered.
Patent Document 1: Japanese Unexamined Patent Publication No. 2007-213550
Patent Document 2: Japanese Unexamined Patent Publication No. 2004-102464
Summary of the invention
Problems to be solved by the invention
However, the mechanism described in Patent Document 1 cannot, after all, prevent the terminal from directly making a logical connection to an external network. At the very least, access to websites on the Internet cannot be restricted, and no communication trace can be obtained. Therefore it cannot improve the situation in which the security risk to the terminal is high and information is easily leaked intentionally.
In addition, in the technique of Patent Document 2, the determination of a network change is highly likely to be wrong. For example, consider the case where a user brings home a terminal that was connected to the company LAN and connects it to the home LAN, and the gateways of both the company LAN and the home LAN are set to the same private address (for example, 192.168.0.1). In this case the gateway information of the default route recorded in the routing table is the same, so the technique of Patent Document 2 determines that no network change has occurred, which is a misjudgement. Thus the technique of Patent Document 2 cannot meet the user's wish to receive services on networks such as the company LAN and the home LAN without being conscious of which network the terminal is connected to.
The present invention was made in view of the above problems, and its object is to provide a connection destination limitation system and the like that can prevent a terminal from directly making a logical connection to an external server or the like. A further object of the present invention is to provide a terminal setting control system and the like that can reliably receive services via a network without the user being conscious of which network the terminal is connected to.
Means for solving the problems
To achieve the above object, the first invention is a connection destination limitation system that has a terminal physically connected to an internal network and to an external network, and a communication management server physically connected to the internal network, and that limits the logical connection destination of the terminal. The communication management server has a communication control unit that intermittently broadcasts to the internal network permission information indicating that a logical connection request of the terminal is permitted. The terminal has a communication control unit that receives information broadcast to the internal network, and a control unit that, when the communication control unit of the terminal receives the permission information, determines that the terminal is physically connected to the internal network, and that executes connection processing for the logical connection request when it has determined that the terminal is physically connected to the internal network. According to the first invention, the terminal can be prevented from directly making a logical connection to an external server or the like.
It is desirable that the connection destination limitation system of the first invention further has a VPN server physically connected to the internal network. The VPN server has a communication control unit that receives information broadcast to the internal network, and a control unit that, when the communication control unit of the VPN server receives the permission information, determines that the VPN server is physically connected to the internal network. When the control unit of the terminal determines that the terminal is not physically connected to the internal network, the communication control unit of the terminal sends a VPN connection request to the VPN server; when the communication control unit of the VPN server receives the VPN connection request from the terminal, it sends the determination result of the control unit of the VPN server to the terminal; and when the communication control unit of the terminal receives from the VPN server a determination result indicating that the VPN server is physically connected to the internal network, the control unit of the terminal determines that it is connected to the legitimate VPN server, and, when it has determined that it is connected to the legitimate VPN server, executes VPN connection processing for the logical connection request. Thus, even when the terminal is physically connected to an external network, the terminal can be prevented from directly making a logical connection to an external server or the like, while the logical connection request can still be executed through VPN connection processing.
In addition, it is desirable that the control unit of the terminal in the first invention always responds to the logical connection request, and performs the VPN connection only according to the address information of the VPN server stored in advance in the terminal. This prevents a user using the terminal outside the company from accessing a server other than the legitimate VPN server by, for example, using a network adapter different from the one designated by the administrator.
The second invention is a connection destination limitation method in a connection destination limitation system that has a terminal physically connected to an internal network and to an external network, and a communication management server physically connected to the internal network, and that limits the logical connection destination of the terminal. The method comprises the steps of: the communication management server intermittently broadcasting to the internal network permission information indicating that a logical connection request of the terminal is permitted; the terminal receiving information broadcast to the internal network; the terminal determining, when it receives the permission information, that the terminal is physically connected to the internal network; and the terminal executing connection processing for the logical connection request when it has determined that the terminal is physically connected to the internal network. According to the second invention, the terminal can be prevented from directly making a logical connection to an external server or the like.
The third invention is a terminal setting control system comprising a server and a terminal, which controls the settings of the terminal. The server has a communication control unit that sends identification information identifying the network to which the server is connected to a multicast address or a unicast address. The terminal has a control unit that determines whether the identification information has been received within a specified time, that determines that the terminal is on the network indicated by the identification information when the identification information has been received, that obtains setting information relating to services provided via the network on the basis of the determination result, and that updates the settings of the terminal on the basis of the obtained setting information. According to the third invention, the user can reliably receive services via a network without being conscious of which network the terminal is connected to.
It is desirable that the terminal in the third invention further has a communication control unit that broadcasts a request for the identification information to the network to which the terminal is connected, and that the communication control unit of the server sends the identification information only to the source of the request, and only when it receives the request for the identification information. Thus, when the number of terminals is small, network bandwidth is not wasted needlessly.
It is also desirable that the communication control unit of the server in the third invention sends, together with the identification information, at least one of: information about the location of the network to which the server is connected, information about the hours during which the terminal may be used, and information about the mode of the terminal. This makes it possible to restrict the use of individual software, to shut the terminal down automatically when the permitted hours are exceeded, or to restrict the use of the power supply.
The fourth invention is a terminal setting control method in a terminal setting control system that comprises a server and a terminal and controls the settings of the terminal. The method comprises the steps of: the server sending identification information identifying the network to which the server is connected to a multicast address or a unicast address; the terminal determining whether the identification information has been received within a specified time; the terminal determining that it is on the network indicated by the identification information when the identification information has been received; the terminal obtaining setting information relating to services provided via the network on the basis of the determination result; and the terminal updating its settings on the basis of the obtained setting information. According to the fourth invention, the user can reliably receive services via a network without being conscious of which network the terminal is connected to.
The fifth invention is a computer-readable program that causes a first computer to send identification information identifying the network to which the first computer is connected to a multicast address or a unicast address, and that causes a second computer to determine whether the identification information has been received within a specified time, to determine that it is on the network indicated by the identification information when the identification information has been received, to obtain setting information relating to services provided via the network on the basis of the determination result, and to update the settings of the second computer on the basis of the obtained setting information. With the program of the fifth invention, the terminal setting control system of the third invention can be built and the terminal setting control method of the fourth invention can be executed.
Effects of the invention
According to the present invention, a connection destination limitation system and the like can be provided that prevent a terminal from directly making a logical connection to an external server or the like, which in turn improves the situation in which the security risk to the terminal is high and information is easily leaked intentionally. According to the present invention, a terminal setting control system and the like can also be provided that reliably receive services via a network without the user being conscious of which network the terminal is connected to.
Brief description of the drawings
Fig. 1 is a diagram showing an overview of the connection destination limitation system 1.
Fig. 2 is a hardware configuration diagram of the computer 30.
Fig. 3 is a diagram showing the structure of the connection destination limitation AP 25.
Fig. 4 is a flowchart of the processing realized by the key-packet transmission AP 21.
Fig. 5 is a flowchart of the processing realized by the key-packet reception AP 23.
Fig. 6 is a flowchart of the processing realized by the connection destination limitation AP 25 and the VPN connection AP 24.
Fig. 7 is a flowchart of the processing realized by the communication trace management AP 22.
Fig. 8 is a diagram showing an overview of the terminal setting control system.
Fig. 9 is a hardware configuration diagram of a computer.
Fig. 10 is an example of setting information for the head office.
Fig. 11 is an example of setting information for a branch office.
Fig. 12 is an example of setting information for home use.
Fig. 13 is a flowchart of the operation of the terminal in the case of unicast communication.
Fig. 14 is a flowchart of the operation of the terminal setting control server in the case of unicast communication.
Fig. 15 is a flowchart of the operation of the terminal setting control server in the case of multicast communication.
Fig. 16 is a flowchart of the operation of the terminal in the case of multicast communication.
Fig. 17 is an example of a location packet.
Embodiment
Embodiments of the present invention are described in detail below with reference to the drawings.
< First embodiment >
First, the structure of the connection destination limitation system 1 of the first embodiment is described with reference to Figs. 1 to 3. In the first embodiment, a connection at the physical layer of the OSI (Open Systems Interconnection) reference model, for example, is called a "physical connection", and a connection at the data link layer through the application layer of the OSI reference model is called a "logical connection". In the connection destination limitation system 1 of the first embodiment, the counterpart of a "logical connection" (for communication based on TCP/IP, for example, the IP address and port number) is limited to computers placed on a secure network (for example, the internal network of an enterprise or the like).
Fig. 1 is a diagram showing an overview of the connection destination limitation system 1. As shown in Fig. 1, in the first embodiment the internal network 4, the communication management server 11, the business server 12, the firewall 13, the VPN (Virtual Private Network) server 14, the local terminal 15 and so on are located inside the company 2 of an enterprise or the like, while the external network 5, the remote terminal 16, the external server 17 and so on are located outside the company 3.
For convenience of explanation, the local terminal 15 and the remote terminal 16 are given different reference numerals, but they differ only in where they are located; their hardware and software are identical. That is, when the local terminal 15 is taken outside the company 3, it becomes the remote terminal 16.
The components of the connection destination limitation system 1 needed to prevent the local terminal 15 (remote terminal 16) from directly making a logical connection to an external server or the like are the communication management server 11 and the local terminal 15 (remote terminal 16). The components needed for the remote terminal 16 to execute a logical connection request through VPN connection processing with the legitimate VPN server 14 are the communication management server 11, the VPN server 14 and the remote terminal 16.
Examples of the internal network 4 are the company LAN of an enterprise or the like, and a company WAN (Wide Area Network) in which LANs laid at a plurality of sites are connected by leased lines or the like. In Fig. 1, the firewall 13 is shown as an example of a physical network device that makes up the internal network 4; other network devices include routers (wired or wireless), switches, hubs, relay servers and so on. The communication management server 11, the business server 12, the VPN server 14 and the local terminal 15 are physically connected to the internal network 4; the physical connection may be either wired or wireless. A VPN (Virtual Private Network) is a service that allows a public line to be used as if it were a dedicated line, and it provides security equivalent to that of the internal network 4.
The hardware configuration of the computers used to realize the communication management server 11, the business server 12, the firewall 13, the VPN server 14, the local terminal 15 (remote terminal 16), the external server 17 and so on is described here.
Fig. 2 is a hardware configuration diagram of the computer 30. The hardware configuration of Fig. 2 is an example, and various configurations can be adopted according to the application and purpose. In the computer 30, a control unit 31, a storage unit 32, an input unit 33, a display unit 34, a communication control unit 35 and so on are connected by a bus 36.
The control unit 31 is composed of a CPU (Central Processing Unit), RAM (Random Access Memory) and the like. The CPU loads a program stored in the storage unit 32, a storage medium, etc. into working memory on the RAM, drives and controls each device connected through the bus 36, and thereby realizes the processing performed by the computer 30. The RAM is volatile memory that temporarily holds programs, data and the like loaded from the storage unit 32, a storage medium, etc., and provides the work area used when the control unit 31 performs various processing.
The storage unit 32 is ROM (Read Only Memory), flash memory, an HDD (hard disk drive) or the like, and stores the programs executed by the control unit 31 and the data required to execute them. The stored programs correspond to the BIOS (Basic Input/Output System), a boot loader, control programs such as the OS (Operating System), and the application programs that cause the control unit 31 to perform the processing described later. Each of these program codes is read by the control unit 31 as required, moved to the RAM, and read and executed by the CPU as the various units. The storage unit 32 may also be an external storage device (USB memory, external hard disk, etc.) connected via USB (Universal Serial Bus) or the like.
The input unit 33 performs data input and has input devices such as a keyboard, and pointing devices such as a mouse and a numeric keypad. Operation instructions, action instructions, data input and the like can be given to the computer 30 through the input unit 33. The display unit 34 has a display device such as a CRT display or a liquid crystal panel, and the logic circuits (a video adapter and the like) that cooperate with the display device to realize the video function of the computer 30. The communication control unit 35 has a communication controller, a communication port and the like; it is the communication interface that relays communication between the computer 30 and the internal network 4 or the external network 5, and it controls communication with other computers 30 over the internal network 4 or the external network 5. As stated above, the internal network 4 and the external network 5 may be wired or wireless. The bus 36 is the path that relays the transmission and reception of control signals, data signals and the like between the devices.
Returning to the description of Fig. 1: each device (terminal or server) shown in Fig. 1 may be a single unit or a plurality of units. Each server may be realized by one chassis (computer 30) or by a plurality of chassis. For example, in the case of the communication management server 11, the key-packet transmission AP (application program) 21 and the communication trace management AP 22 may both be installed in one chassis, or each may be installed in a separate chassis.
The key-packet transmission AP 21, the communication trace management AP 22 and so on are installed on the communication management server 11. The key-packet transmission AP 21 is an application program that causes the communication management server 11 to perform the processing shown in Fig. 4, described later. By executing the key-packet transmission AP 21, the control unit 31 of the communication management server 11 intermittently broadcasts to the internal network 4 permission information indicating that logical connection requests of terminals are permitted (hereinafter referred to as a "key packet").
Specifically, the communication management server 11 intermittently sends key packets by, for example, IP (Internet Protocol) level broadcast communication. In IP-level broadcast communication, the key packet is sent with a special address called a "broadcast address" set as the destination address. The content of the key packet is not particularly limited, but it is desirable that it differs from one time period to the next, like a one-time password. The key packet may also be sent in encrypted form, so that it can be decrypted only by the legitimate VPN server 14 and local terminal 15 (remote terminal 16).
As the broadcast address, for example, an address called the limited broadcast address or a directed broadcast address can be specified. The limited broadcast address is the IP address in which all bits are 1; in IPv4 (Internet Protocol version 4), for example, "255.255.255.255" is the limited broadcast address. When broadcast communication is performed with the limited broadcast address specified, the key packet is sent to all computers 30 in the network segment to which the source is connected (in Ethernet (registered trademark), the collision domain), but not to other network segments connected via a router. A directed broadcast address is an IP address in which the network address part is left unchanged and all bits of the host address part are set to 1. For example, for the network address "192.168.0" in IPv4, "192.168.0.255", in which all bits of the host address part (the low 8 bits) are set to 1, is the directed broadcast address. When broadcast communication is performed with a directed broadcast address specified, the key packet is sent to all computers 30 that have the specified network address ("192.168.0" in the above example).
The communication trace management AP 22 is an application program that causes the communication management server 11 to execute part of the processing shown in Fig. 7, described later. By executing the communication trace management AP 22, the control part 31 of the communication management server 11 stores the communication trace logs of the local terminals 15 (remote terminals 16) and the like.
The business server 12 is a server that realizes each business operation performed by an enterprise or the like. The business server 12 performs response processing in accordance with requests from the local terminals 15 (remote terminals 16). The business server 12 also sometimes executes predetermined batch processing at predetermined times.
The key packet reception AP 23, the VPN connection AP 24 and the like are installed in the VPN server 14. The key packet reception AP 23 is an application program that causes the VPN server 14 and the local terminals 15 (remote terminals 16) to execute the processing shown in Fig. 5, described later. By executing the key packet reception AP 23, the control part 31 of the VPN server 14 receives the information broadcast to the internal network 4. Depending on whether a key packet from the communication management server 11 has been received, the control part 31 of the VPN server 14 sets a reception flag held in RAM or the like to "Y" (received) or "N" (not received).
The VPN connection AP 24 is an application program that causes the VPN server 14 to execute the server-side processing of a VPN connection and part of the processing shown in Fig. 6, described later. By executing the VPN connection AP 24, the control part 31 of the VPN server 14 performs the server-side processing of the VPN connection. The control part 31 of the VPN server 14 also judges, from the reception flag held in RAM or the like, whether it is itself physically connected to the internal network 4. When establishing a VPN connection with a remote terminal 16, the control part 31 of the VPN server 14 sends the remote terminal 16 the result of that judgment, that is, whether it is physically connected to the internal network 4.
The key packet reception AP 23, the connection destination restriction AP 25 and the like are installed in the local terminal 15 (remote terminal 16). The key packet reception AP 23 is as described above: by executing it, the control part 31 of the local terminal 15 (remote terminal 16) receives the information broadcast to the internal network 4 and, depending on whether a key packet from the communication management server 11 has been received, sets the reception flag held in RAM or the like to "Y" or "N".
The connection destination restriction AP 25 is an application program that causes the local terminal 15 (remote terminal 16) to execute the client-side processing of a VPN connection and part of the processing shown in Fig. 6, described later. By executing the connection destination restriction AP 25, the control part 31 of the local terminal 15 (remote terminal 16) judges from the reception flag held in RAM or the like whether it is itself physically connected to the internal network 4. If it judges that it is physically connected to the internal network 4, it performs connection processing for the logical connection request.
If, on the other hand, it judges that it is not physically connected to the internal network 4, the control part 31 of the local terminal 15 (remote terminal 16) performs a VPN connection to the VPN server 14. The control part 31 of the local terminal 15 (remote terminal 16) then judges, from the judgment result received from the VPN server 14 (whether the VPN server 14 is physically connected to the internal network 4), whether it is connected to a legitimate VPN server 14. Only when it judges that it is connected to a legitimate VPN server 14 does the control part 31 of the local terminal 15 (remote terminal 16) perform connection processing for the logical connection request.
Fig. 3 shows the structure of the connection destination restriction AP 25. The connection destination restriction AP 25 comprises the IP address 41 of the VPN server, the port number 42 of the VPN server, a connection judgment program 43, a socket API (Application Programming Interface) 44 and the like. The IP address 41 of the VPN server and the port number 42 of the VPN server are stored, for example, in a settings file that only an administrator can read and write.
The connection judgment program 43 is a program that causes the local terminal 15 (remote terminal 16) to execute the processing (part of the processing shown in Fig. 6, described later) that judges whether the logical connection request of the local terminal 15 (remote terminal 16) may be permitted.
The socket API 44 is a library that makes communication between computers 30, and between processes on one computer 30, over a computer network possible. For example, in the case of TCP communication, which is connection-oriented, the control part 31 of the computer 30 acting as the TCP client normally calls the socket function of the socket API 44 to create a TCP socket, specifies the address information (IP address and port number) of the logical connection destination in the parameters of the connect function, and begins communicating with that connection destination. The logical connection destination is the computer 30 acting as the TCP server.
Here, it is desirable that the local terminal 15 (remote terminal 16) on which the connection destination restriction AP 25 is installed be structured so that the connection judgment program 43 always responds to logical connection requests from other programs (for example, the device driver of a network adapter). With this structure, even if a user of the remote terminal 16 attempts an illegal operation outside the company 3 using a network adapter other than the one designated by the administrator, the connection judgment processing of the connection destination restriction AP 25 cannot be bypassed.
To realize the above structure, the connection judgment program 43 describes, for example, a wrapper function for each function included in the socket API 44, and the terminal is configured so that when another program calls the socket function, the connect function or the like, the wrapper function of the connection judgment program 43 is executed instead. The wrapper function of the connection judgment program 43 describes the following: when the result of the connection judgment processing is that a VPN connection is to be performed, the address information of the logical connection destination that the other program set in the parameters is discarded, the predefined IP address 41 of the VPN server and port number 42 of the VPN server are set as the parameters, and the corresponding function of the ordinary socket API 44 is called. Consequently, a computer 30 on which the connection destination restriction AP 25 is installed, when performing a VPN connection, connects only to the single predetermined VPN server 14. The connection judgment program 43 also includes a function that, when the computer is physically connected to the internal network 4, prevents application programs other than the connection destination restriction AP 25 from using the predefined IP address 41 of the VPN server and port number 42 of the VPN server to perform a VPN connection. This prevents an illegal application program from using the IP address 41 of the VPN server and the port number 42 of the VPN server for illegal communication.
When the connection destination restriction system 1 is put into practice, one possible technique is, for example, to store the connection destination restriction AP 25 itself in an external storage device as the OS, and to configure the local terminal 15 (remote terminal 16) so that, when its power is turned on, the OS (that is, the connection destination restriction AP 25) stored in the external storage device is started.
Returning to the description of Fig. 1. The external server 17 is a WWW (World Wide Web) server or the like on the internet. The external server 17 performs response processing for HTTP (HyperText Transfer Protocol) requests from the local terminals 15 (remote terminals 16) and the like and returns HTTP responses.
Next, the processing in the connection destination restriction system 1 is described in detail with reference to Figs. 4 to 7. For example, the processing shown in Fig. 5 and (part of) the processing shown in Fig. 6 are both executed by the local terminal 15 (remote terminal 16). The local terminal 15 (remote terminal 16) therefore executes both almost simultaneously by multitasking (a mechanism of the OS that divides the processing time of the CPU into small slices so that a plurality of processes appear to be executed at once). Likewise, processing that a single device repeats in time series is realized by multitasking.
Fig. 4 is a flowchart of the processing realized by the key packet transmission AP 21. The key packet transmission AP 21 is executed by the communication management server 11. The control part 31 of the communication management server 11 broadcasts a key packet to the internal network 4 (S101), waits for a predetermined time (S102), and then repeats the processing from S101.
Fig. 5 is a flowchart of the processing realized by the key packet reception AP 23. The key packet reception AP 23 is executed by the VPN server 14 and by the local terminals 15 (remote terminals 16). The control part 31 of the VPN server 14 or of the local terminal 15 (remote terminal 16) monitors for key packets (S201) and checks whether a key packet has been received within a predetermined time (S202).
If a key packet has been received within the predetermined time ("Yes" in S202), the control part 31 of the VPN server 14 or of the local terminal 15 (remote terminal 16) sets its own reception flag, held in RAM or the like, to "Y" (S203) and repeats from S201.
If no key packet has been received within the predetermined time ("No" in S202), the control part 31 of the VPN server 14 or of the local terminal 15 (remote terminal 16) sets its own reception flag, held in RAM or the like, to "N" (S204), executes forced disconnection processing that forcibly cuts off any communication in progress by means of an interrupt (S205), and repeats from S201.
By the processing shown in Figs. 4 and 5, the VPN server 14 and the local terminals 15 that are physically connected to the internal network 4 receive key packets regularly and judge that they are physically connected to the internal network 4. Because every device on the segment can observe the broadcast, the judgment is only as strong as the key packet itself; this is why, as described above, the key packet should change from one time period to the next and be decryptable only by legitimate receivers, so that a captured packet cannot simply be replayed later.
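The following Python model, added here as an illustration and not part of the patent or of any product, shows the key packet transmitter and receiver of Figs. 4 and 5 together with the directed broadcast address calculation described above. The packet format (an HMAC over the current time period), the shared secret, the 30-second period, the UDP port and the time values are all assumptions; the patent fixes none of them.

```python
import hashlib
import hmac
import ipaddress
import socket

# Assumed parameters: the patent fixes neither the packet format, the shared secret,
# the period length nor the UDP port. All four are constructed for this example.
KEY_PACKET_SECRET = b"constructed-shared-secret"
PERIOD_SECONDS = 30        # key packet content changes every period (one-time-password-like)
KEY_PACKET_PORT = 45000    # assumed UDP port for key packets


def directed_broadcast(network_cidr: str) -> str:
    """Directed broadcast address: network part unchanged, all host bits set to 1.

    directed_broadcast("192.168.0.0/24") -> "192.168.0.255"
    """
    return str(ipaddress.ip_network(network_cidr, strict=False).broadcast_address)


def make_key_packet(secret: bytes, now: float) -> bytes:
    """Key packet for the current time period (S101).

    Encoded as b"<period>:<hex HMAC-SHA256 over the period>", so a packet captured in one
    period does not verify in later periods. Assumed format, not the patent's.
    """
    period = int(now // PERIOD_SECONDS)
    tag = hmac.new(secret, str(period).encode(), hashlib.sha256).hexdigest()
    return f"{period}:{tag}".encode()


def verify_key_packet(secret: bytes, packet: bytes, now: float, skew: int = 1) -> bool:
    """True only if the packet's period is current (within +/- skew periods) and its tag matches."""
    try:
        period_str, tag = packet.decode().split(":", 1)
        period = int(period_str)
    except (ValueError, UnicodeDecodeError):
        return False
    if abs(period - int(now // PERIOD_SECONDS)) > skew:
        return False
    expected = hmac.new(secret, str(period).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def open_broadcast_socket() -> socket.socket:
    """UDP socket permitted to send to broadcast addresses (SO_BROADCAST)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    return sock


def send_key_packet(sock: socket.socket, broadcast_addr: str, now: float) -> bytes:
    """S101: broadcast one key packet; the caller waits for the predetermined time and repeats (S102)."""
    packet = make_key_packet(KEY_PACKET_SECRET, now)
    sock.sendto(packet, (broadcast_addr, KEY_PACKET_PORT))
    return packet


class ReceptionMonitor:
    """Fig. 5 on the VPN server or a terminal: reception flag 'Y'/'N' plus forced disconnection.

    on_timeout() stands for the forced disconnection processing of S205 and is called every
    time the predetermined time passes without a valid key packet.
    """

    def __init__(self, secret: bytes, timeout: float, on_timeout) -> None:
        self.secret = secret
        self.timeout = timeout      # predetermined time of S202
        self.on_timeout = on_timeout
        self.flag = "N"
        self.last_valid = None

    def on_packet(self, packet: bytes, now: float) -> None:
        """S201/S203: a datagram counts only if it verifies; forged or replayed packets are ignored."""
        if verify_key_packet(self.secret, packet, now):
            self.last_valid = now
            self.flag = "Y"

    def tick(self, now: float) -> str:
        """S202/S204/S205: re-evaluate the flag and return it."""
        if self.last_valid is None or now - self.last_valid > self.timeout:
            self.flag = "N"
            self.on_timeout()
        return self.flag


if __name__ == "__main__":
    # Simulated timeline with no network: one valid packet, then silence past the timeout.
    monitor = ReceptionMonitor(KEY_PACKET_SECRET, timeout=60.0,
                               on_timeout=lambda: print("S205: forced disconnection"))
    monitor.on_packet(make_key_packet(KEY_PACKET_SECRET, 10.0), 10.0)
    print("flag at t=20:", monitor.tick(20.0))     # Y
    print("flag at t=100:", monitor.tick(100.0))   # N
    print("directed broadcast for 192.168.0.0/24:", directed_broadcast("192.168.0.0/24"))
```

Run as a script, the block prints the simulated flag transitions. The point of verify_key_packet is to make the one-time-password property concrete: a datagram captured on the segment in an earlier period, or forged without the secret, is ignored by ReceptionMonitor.on_packet, so merely being able to observe broadcasts does not set the flag to "Y".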
Fig. 6 is a flowchart of the processing realized by the connection destination restriction AP 25 and the VPN connection AP 24. The connection destination restriction AP 25 is executed by the local terminal 15 (remote terminal 16); the VPN connection AP 24 is executed by the VPN server 14. When the control part 31 of the local terminal 15 (remote terminal 16) receives a logical connection request, for example through a user operation (S301), it checks the reception flag held in its own RAM or the like (S302).
If its own reception flag is "Y" ("Y" in S302), the control part 31 of the local terminal 15 (remote terminal 16) judges that it is physically connected to the internal network 4, performs connection processing for the logical connection request directly (S303), and ends the processing.
If its own reception flag is "N" ("N" in S302), the control part 31 of the local terminal 15 (remote terminal 16) judges that it is not physically connected to the internal network 4 and sends a VPN connection request to the VPN server 14 (S304). Here, as described above, the control part 31 of the local terminal 15 (remote terminal 16) accesses only the single predetermined VPN server 14.
The control part 31 of the VPN server 14 sends the reception flag held in its own RAM or the like to the local terminal 15 (remote terminal 16) (S305). The control part 31 of the local terminal 15 (remote terminal 16) checks the reception flag of the VPN server 14 (S306).
If the reception flag of the VPN server 14 is "Y" ("Y" in S306), the control part 31 of the local terminal 15 (remote terminal 16) judges that it is connected to a legitimate VPN server 14, performs the VPN connection processing (S307), and ends the processing.
If the reception flag of the VPN server 14 is "N" ("N" in S306), the control part 31 of the local terminal 15 (remote terminal 16) judges that it is not connected to a legitimate VPN server 14, performs error processing (S308), and ends the processing. In the error processing of S308, the control part 31 of the local terminal 15 (remote terminal 16) displays on the display part 34, for example, a message indicating that the terminal is neither physically connected to the internal network 4 nor connected to a legitimate VPN server 14.
By the processing shown in Fig. 6, a terminal can be prevented from establishing a logical connection directly with the external server 17 or the like. In the case of a local terminal 15 (a terminal physically connected to the internal network 4), connection processing is performed directly, so the terminal can establish a logical connection directly with the business server 12 or the like installed in the internal network 4. In the case of a remote terminal 16 (a terminal physically connected to the external network 5), VPN connection processing is performed, so the terminal can connect to the external server 17 or the like only via the VPN server 14. Note that the reception flag of S305 is a self-report by the VPN server; in practice it should be exchanged only after the VPN server has been authenticated (for example within the VPN's own authenticated session), since otherwise a host impersonating the VPN server's address could simply answer "Y".
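An added Python model, not the patent's own code, of the connection judgment program 43 described with Fig. 3 and of the exchange of Fig. 6: the decision rules of the wrapper functions, the outcome once the VPN server has reported its reception flag, and a wrapper that replaces socket.socket.connect in the running interpreter. The VPN server address and the 203.0.113.x destination are placeholders from documentation address ranges; the patent wraps the native socket API for every program on the terminal, which the in-process wrapper here does not attempt.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Assumed administrator settings: the IP address 41 and port number 42 of the VPN server.
# 198.51.100.0/24 is a documentation range, so this is a placeholder, not a real host.
VPN_SERVER_ADDR: Tuple[str, int] = ("198.51.100.10", 443)


@dataclass(frozen=True)
class Judgment:
    action: str                   # "direct", "vpn" or "deny"
    destination: Tuple[str, int]  # address handed to the real connect()


def judge_connection(own_flag: str, requested: Tuple[str, int],
                     vpn_addr: Tuple[str, int] = VPN_SERVER_ADDR) -> Judgment:
    """S302 plus the two wrapper rules of the connection judgment program 43.

    own_flag 'Y' (physically on the internal network): connect directly (S303), but no
    program may use the VPN server address itself while on the internal network.
    own_flag 'N': the requested destination is discarded and replaced by the single
    predetermined VPN server (S304).
    """
    if own_flag == "Y":
        if requested == vpn_addr:
            return Judgment("deny", requested)
        return Judgment("direct", requested)
    return Judgment("vpn", vpn_addr)


def complete_vpn_connection(own_flag: str, vpn_server_flag: str) -> str:
    """S305 to S308: outcome after the VPN server reports its own reception flag."""
    if own_flag == "Y":
        return "direct"            # S303, nothing to verify
    if vpn_server_flag == "Y":
        return "vpn_connected"     # S307: legitimate VPN server
    return "error"                 # S308: neither internal nor a legitimate VPN server


class ConnectWrapper:
    """Replaces socket.socket.connect so every connect() of this process is judged first.

    flag_source() returns the terminal's current reception flag ('Y' or 'N').
    real_connect may be injected for offline testing; by default the original connect is used.
    """

    def __init__(self, flag_source: Callable[[], str],
                 vpn_addr: Tuple[str, int] = VPN_SERVER_ADDR,
                 real_connect: Optional[Callable] = None) -> None:
        self.flag_source = flag_source
        self.vpn_addr = vpn_addr
        self._orig_connect = socket.socket.connect
        self._real_connect = real_connect or self._orig_connect
        self.log = []    # (requested address, action, actual destination)

    def install(self) -> None:
        wrapper = self

        def wrapped_connect(sock: socket.socket, address) -> None:
            judgment = judge_connection(wrapper.flag_source(), tuple(address), wrapper.vpn_addr)
            wrapper.log.append((tuple(address), judgment.action, judgment.destination))
            if judgment.action == "deny":
                raise PermissionError("VPN server address is reserved for the restriction AP")
            return wrapper._real_connect(sock, judgment.destination)

        socket.socket.connect = wrapped_connect

    def uninstall(self) -> None:
        socket.socket.connect = self._orig_connect


def attempt(address: Tuple[str, int]) -> str:
    """Open a TCP socket and call connect() through whatever wrapper is installed."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(5.0)
    try:
        sock.connect(address)
    except PermissionError:
        return "denied"        # refused by the connection judgment
    except OSError:
        return "attempted"     # reached the real connect(), which failed (no peer)
    finally:
        sock.close()
    return "connected"
```

The redirection rule only changes the address given to connect(); the original destination still has to be carried inside the VPN protocol so the VPN server 14 can relay it, which is outside this example. The deny rule is what stops an arbitrary application on an internal terminal from opening its own tunnel to the VPN server address.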
Fig. 7 is a flowchart of the processing realized by the communication trace management AP 22. The communication trace management AP 22 is executed by the communication management server 11.
Fig. 7 shows, as an example of a logical connection request, the processing in the case of an HTTP request to the external server 17. As a prerequisite of the processing shown in Fig. 7, the local terminal 15 (remote terminal 16) is assumed to have executed the connection processing (VPN connection processing) shown in Fig. 6. All logical connection requests of the local terminal 15 (remote terminal 16) are sent to the external server 17 via the communication management server 11.
In the case of a remote terminal 16, the request passes through the VPN server 14 before reaching the communication management server 11, but to keep the explanation of the communication trace log acquisition processing simple, the relay processing of the VPN server 14 is omitted from Fig. 7. In the case of a remote terminal 16, the VPN server 14 may also perform the processing of the communication management server 11 on its behalf.
The control part 31 of the local terminal 15 (remote terminal 16) sends an HTTP request to the communication management server 11 (S401). In the case of a remote terminal 16, the HTTP request is necessarily sent via the VPN server 14. The control part 31 of the communication management server 11 stores a communication trace log (S402) and sends the HTTP request to the external server 17 (S403).
The control part 31 of the external server 17 performs response processing for the HTTP request (S404) and sends an HTTP response to the communication management server 11 (S405). The control part 31 of the communication management server 11 stores a communication trace log (S406) and sends the HTTP response to the local terminal 15 (remote terminal 16) (S407). In the case of a remote terminal 16, the HTTP response is necessarily sent via the VPN server 14. The control part 31 of the local terminal 15 (remote terminal 16) displays a screen on the display part 34 based on the HTTP response (S408).
By the processing shown in Fig. 7, all communication trace logs of the local terminals 15 and the remote terminals 16 can be managed centrally. Moreover, whether inside the company 2 or outside the company 3, intentional information leakage can be deterred by informing users that all communication trace logs are acquired.
In the example shown in Fig. 7, the communication management server 11 performs only the acquisition of communication trace logs, but it can also perform access restriction for websites on the internet and detection of terminals whose antivirus virus code (pattern) files have not been updated. This reduces the security risk to the terminals.
According to the connection destination restriction system 1 of the first embodiment, a terminal can be prevented from establishing a logical connection directly with an external server or the like. Furthermore, the situation in which the security risk to terminals is high and information is easily leaked intentionally can be improved.
<Second Embodiment>
First, the structure of the terminal setting control system of the second embodiment is described with reference to Figs. 8 and 9. Fig. 8 shows an overview of the terminal setting control system. The terminal setting control system 100 controls the settings of terminals so that, even when a user moves a terminal 105 to various locations and connects it to a network different from the one used last time, the terminal can reliably receive services via the network. In the example shown in Fig. 8, the head office network 102a, the branch office network 102b and the home network 103 are illustrated as the different networks.
The head office network 102a and the branch office network 102b are configured, for example, as a LAN at each site, or as a WAN (wired or wireless) in which the LANs laid at a plurality of sites are connected by leased lines or the like. A single site may also have a plurality of networks, for example with the network divided by floor. The home network 103 is configured, for example, as a household LAN (wired or wireless). As the physical form of the LAN, a type combining Ethernet (registered trademark) with TCP/IP can be considered for a wired LAN, and IEEE 802.11 or the like for a wireless LAN.
In the terminal setting control system 100, a terminal setting control server (the head office terminal setting control server 104a, the branch office terminal setting control server 104b) is provided for each network (the head office network 102a, the branch office network 102b). However, there may also be networks, such as the home network 103, in which no terminal setting control server is provided. That is, a terminal 105 may be connected either to a network in which a terminal setting control server is provided (the head office network 102a, the branch office network 102b) or to a network in which none is provided (the home network 103).
Connected to the head office network 102a are the head office terminal setting control server 104a, the head office gateway 121a, the head office OS patch update server 122a, the head office virus code (pattern file) update server 123a, the VPN server 124, the head office print server 125a, terminals 105 and the like. Connected to the branch office network 102b are the branch office terminal setting control server 104b, the branch office gateway 121b, the branch office OS patch update server 122b, the branch office virus code update server 123b, the branch office print server 125b, terminals 105 and the like. Connected to the home network 103 are the home gateway 131, the home print server 132 and the like. Connected to the internet 109 are the external OS patch update server 111, the external virus code update server 112 and the like.
The terminal setting control server (the head office terminal setting control server 104a, the branch office terminal setting control server 104b) sends identification information identifying the network to which it is connected to a multicast address or a unicast address. Because, for a computer, the network can be regarded as the location where it is, the packet containing the identification information is hereinafter called a "location packet". Details of the processing of the terminal setting control server are described later with reference to Figs. 14 and 15.
The terminal 105 judges whether a location packet is received within a predetermined time and, when one is received, judges which network the location packet represents; based on the judgment result it acquires the setting information for the services provided via the network, and it updates its own settings based on the acquired setting information. Thus, even when the network of the terminal 105 changes, the terminal 105 can reliably receive services via the network. Details of the processing of the terminal 105 are described later with reference to Figs. 13 and 16.
The gateway of each network (the head office gateway 121a, the branch office gateway 121b, the home gateway 131) is the entrance to the internet 109. Communication equipment such as routers, computers set up as proxy servers or firewalls, and the like act as gateways to the internet 109.
In the example shown in Fig. 8, an OS patch update server, a virus code update server, a VPN server and a print server are illustrated as servers that provide services via the network. An overview of each server follows.
There are two kinds of OS patch update server: those for an organization and the external OS patch update server 111. The organization's OS patch update servers (the head office OS patch update server 122a, the branch office OS patch update server 122b) provide an OS patch file update service to the terminals 105 in the network to which they are connected. The external OS patch update server 111, on the other hand, is set up by the vendor of the OS or the like and provides the OS patch file update service to all computers on which the target OS is installed.
Similarly, there are two kinds of virus code update server: those for an organization and the external virus code update server 112. The organization's virus code update servers (the head office virus code update server 123a, the branch office virus code update server 123b) provide a virus code file update service to the terminals 105 in the network to which they are connected. The external virus code update server 112, on the other hand, is set up by the vendor of the antivirus software or the like and provides the virus code file update service to all computers on which the target antivirus software is installed.
The VPN server 124 provides a VPN connection service to the head office network 102a. The VPN connection service is a service that allows a public line to be used like a leased line. Through the VPN connection service, even a terminal 105 connected to the home network 103, for example, can access computers on the head office network 102a while maintaining security.
The print servers (the head office print server 125a, the branch office print server 125b, the home print server 132) provide a print output service to the terminals 105 in the network to which they are connected. A print server is not limited to a computer; it may be a multifunction device, a printer or the like.
Fig. 9 shows the hardware configuration of a computer. Fig. 9 represents the hardware configuration of the computer 140 that realizes the various servers and the terminal 105 illustrated in Fig. 8. The hardware configuration of Fig. 9 is an example; various configurations can be adopted according to purpose and objective.
As shown in Fig. 9, in the computer 140 a control part 141, a storage part 142, an input part 143, a display part 144, a communication control unit 145 and the like are connected by a bus 146.
The control part 141 consists of a CPU, RAM and the like. The CPU loads the programs held in the storage part 142, a storage medium or the like into the work memory on the RAM, drives and controls each device connected via the bus 146, and realizes the processing performed by the computer 140. The RAM is volatile memory that temporarily holds the programs, data and the like loaded from the storage part 142, storage medium or the like, and provides the work area used when the control part 141 performs various processing.
The storage part 142 is ROM, flash memory, an HDD (hard disk drive) or the like, and holds the programs executed by the control part 141, the data required for program execution, and the like. The programs held include control programs corresponding to a BIOS, a boot loader and an OS, and application programs for causing the control part 141 to execute the processing described later. These program codes are read by the control part 141 as needed, moved to the RAM, and read and executed by the CPU as the various units. The storage part 142 may also be a removable storage device (USB memory, external hard disk or the like) connected via USB or the like.
The input part 143 accepts data input and has input devices such as a keyboard, a mouse, a numeric keypad and other pointing devices. Through the input part 143, a user can give the computer 140 operation instructions, action instructions, data input and the like. The display part 144 has a display device such as a liquid crystal panel, together with the logic circuits (a video adapter and the like) that cooperate with the display device to realize the video function of the computer 140. The input part 143 and the display part 144 may also be integrated as a touch panel display.
The communication control unit 145 has a communication controller, a communication port and the like; it is the communication interface that relays communication between the computer 140 and the network, and it controls communication performed with other computers 140 via the network. The network may be wired or wireless. The bus 146 is the path that relays the transmission and reception of control signals, data signals and the like between the devices.
Next, the information used by the terminal 105 in the second embodiment is described with reference to Figs. 10 to 12. The head office setting information, the branch office setting information and the home setting information shown in Figs. 10 to 12 may be stored in advance in the storage part 142 of the terminal 105. Alternatively, this information may be stored in the storage part 142 of another computer (for example, a terminal setting control server), and the terminal 105 may receive it from that other computer when needed.
Fig. 10 is an example of the head office setting information. The head office setting information 151 indicates the settings that a terminal 105 connected to the head office network 102a needs in order to receive services via the network. For example, for the service named "OS patch file update service", the connection destination is "the computer name or IP address of the head office OS patch update server 122a". For a terminal 105 connected to the head office network 102a the VPN connection service need not be provided, so its connection destination is not set ("-").
Fig. 11 is an example of the branch office setting information. The branch office setting information 152 indicates the settings that a terminal 105 connected to the branch office network 102b needs in order to receive services via the network. For example, for the service named "OS patch file update service", the connection destination is "the computer name or IP address of the branch office OS patch update server 122b". For a terminal 105 connected to the branch office network 102b the VPN connection service need not be provided, so its connection destination is not set ("-").
Fig. 12 is an example of the home setting information. The home setting information 153 indicates the settings that a terminal 105 connected to the home network 103 needs in order to receive services via the network. For example, for the service named "OS patch file update service", the connection destination is "the URL (Uniform Resource Locator) of the external OS patch update server 111". For a terminal 105 connected to the home network 103 the VPN connection service must be provided, so its connection destination is "the IP address and port number of the VPN server 124".
Then, with reference to Figure 13 ~ Figure 16, terminal setup control server in the second embodiment and the contents processing of terminal 105 are described.Below, in the situation that the terminal setup control server 104a of Bu Dui main office and the setup control server 104b of branch office distinguish, be expressed as " terminal setup control server 4 ".
In Figure 13, Figure 14, show the contents processing that clean culture sends the mode (clean culture send mode) of position data bag.On the other hand, in Figure 15, Figure 16, show the contents processing that multicast sends the mode (multicast sender formula) of position data bag.
First, instruction book is broadcast send mode.As shown in figure 13, the network that first control part 141 of terminal 105 connects terminal 105 is reported the request (S501) that sends position data bag.Report transmission can be any in broadcast transmission mode and multicast sender formula.
To this, as shown in figure 14, the control part 141 of terminal setup control server 4 monitors the request (S601) of position data bag afterwards in startup.When receiving the request of position data bag ("Yes" of S602), the control part 141 of terminal setup control server 4 sends position data bag (S603) to unicast address.In more detail, the control part 141 of terminal setup control server 4 only the transmission source of the request of positional data bag send and to comprise for identifying the position data bag of the identifying information of the own network connecting.
Return to the explanation of Figure 13.Then,, in S502, in the stipulated time that control part 141 judgements of terminal 105 rise at request position data bag, whether receive position data bag.The control part 141 of terminal 105 ("Yes" of S502) in the situation that receiving position data bag enters S503, and in the situation that not receiving position data bag, ("No" of S502) enters S506.In the situation that terminal 105 is connected on main corporate network 102a or the networking 102b of branch office, terminal 105 is at the appointed time from the terminal setup control server 104a of main office or the terminal setup control server 104b of branch office receiving position packet.On the other hand, in the situation that terminal 105 is connected on oneself network 103, terminal 105 is receiving position packet not.
In S503, the control part 141 of the terminal 105 judges which network the received position packet indicates. If the received position packet indicates "head office" ("head office" in S503), the control part 141 of the terminal 105 proceeds to S504; if it indicates "branch office" ("branch office" in S503), it proceeds to S505.
In S504, the control part 141 of the terminal 105 obtains the head office set information 151. If the head office set information 151 is stored in advance in the storage part 142 of the terminal 105, the control part 141 of the terminal 105 reads the head office set information 151 from the storage part 142. If instead the head office set information 151 is stored in the storage part 142 of the terminal setup control server 4, the control part 141 of the terminal 105 receives the head office set information 151 from the terminal setup control server 4.
Similarly, in S505, the control part 141 of the terminal 105 obtains the branch office set information 152. In S506, the control part 141 of the terminal 105 obtains the home-use set information 153. Note that the home-use set information 153 must be stored in advance in the storage part 142 of the terminal 105.
In S507, the control part 141 of the terminal 105 updates the settings of the terminal 105 according to the set information obtained. For example, if the terminal 105 is connected to the main corporate network 102a and has obtained the head office set information 151 in S504, the settings of the terminal 105 are updated according to the head office set information 151.
Next, the multicast transmission mode is described. As shown in Figure 15, after startup the control part 141 of the terminal setup control server 4 repeatedly alternates between multicast transmission of the position packet (S701) and standby for a stipulated time (S702). More specifically, the control part 141 of the terminal setup control server 4 intermittently sends, to the multicast address, a position packet containing identifying information for the network to which the server itself is connected.
In response, as shown in Figure 16, the control part 141 of the terminal 105 monitors for position packets after startup (S801). If a position packet is received within a stipulated time after monitoring starts ("Yes" in S802), it proceeds to S803; if not ("No" in S802), it proceeds to S806. The details of S803 to S807 are the same as those of S503 to S507 shown in Figure 13, so their description is omitted.
When the number of networks to which the terminal 105 is allowed to connect is 2, the terminal 105 decides which set information to obtain solely by judging in S502 (or S802) whether a position packet was received. When the number of such networks is 3 or more, the terminal 105 additionally judges in S503 (or S803) which network the position packet indicates, and decides which set information to obtain from that.
When the number of terminals 105 is small, the unicast transmission mode is used so as not to waste network bandwidth. When the number of terminals 105 is large, on the other hand, the multicast transmission mode is effective, because with many terminals 105 the multicast transmission mode consumes less network bandwidth. That is, as the number of unicast addresses (terminals 105) grows, the pressure on network bandwidth grows too, so adopting the multicast transmission mode is effective.
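The two discovery modes and the setting selection of S502 to S506 (and S802 to S806), written out as an added example; this is not code from the patent. The in-memory Network and SetupControlServer objects stand in for real broadcast and multicast traffic, and the identifier values "001"/"002", the set-information labels and the tick-based timeouts are assumptions. The multicast variant makes one tuning constraint explicit: the terminal's listening window must be at least as long as the server's standby interval (S702), or a terminal on an office network will fall back to the home-use settings.

```python
"""Position-packet discovery of the second embodiment (S501-S507 and S701-S807).

Added example, not code from the patent. Network/SetupControlServer objects,
the identifier values and the tick-based timeouts are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class PositionPacket:
    """Carries the identifying information of the network the server sits on."""
    network_id: str


@dataclass
class SetupControlServer:
    """Terminal setup control server, physically attached to one network."""
    network_id: str
    multicast_interval: int = 5  # S702 standby between multicasts, in ticks (assumed)

    def on_request(self) -> PositionPacket:
        # S601-S603: answer a request with a unicast reply to the requester only.
        return PositionPacket(self.network_id)

    def multicast(self) -> PositionPacket:
        # S701: the same packet, sent to the multicast address every interval.
        return PositionPacket(self.network_id)


@dataclass
class Network:
    """A physical network. Requests and multicasts never cross networks, so a
    server attached elsewhere, or no server at all as on the home network 103,
    simply never answers."""
    name: str
    servers: List[SetupControlServer] = field(default_factory=list)


SETTINGS_BY_NETWORK = {
    "001": "set information 151 (head office)",    # S504
    "002": "set information 152 (branch office)",  # S505
}
HOME_SETTINGS = "set information 153 (home use)"   # S506, stored on the terminal


def unicast_discovery(network: Network) -> Optional[PositionPacket]:
    """S501-S502: announce a request on the attached network and return the first
    unicast reply, or None when nobody answered within the stipulated time."""
    for server in network.servers:
        return server.on_request()
    return None


def multicast_discovery(network: Network, listen_ticks: int) -> Optional[PositionPacket]:
    """S801-S802: listen for listen_ticks. The packet only arrives if the server's
    send interval fits inside the listening window."""
    for server in network.servers:
        if server.multicast_interval <= listen_ticks:
            return server.multicast()
    return None


def select_settings(packet: Optional[PositionPacket]) -> str:
    """S502-S506 (and S802-S806): decide which set information to obtain.

    An identifier the terminal does not know falls back to the home-use
    settings; that fallback is this example's choice, not the patent's."""
    if packet is None:
        return HOME_SETTINGS
    return SETTINGS_BY_NETWORK.get(packet.network_id, HOME_SETTINGS)


if __name__ == "__main__":
    head_office = Network("main corporate network 102a", [SetupControlServer("001")])
    branch = Network("branch office network 102b", [SetupControlServer("002")])
    home = Network("home network 103")
    for net in (head_office, branch, home):
        print(net.name, "(unicast) ->", select_settings(unicast_discovery(net)))
        print(net.name, "(multicast) ->", select_settings(multicast_discovery(net, 10)))
```

The fallback for an unknown identifier is deliberately the home-use settings rather than any office profile: a packet the terminal cannot map to a configured network should not switch it to internal servers.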
Two action cases of the terminal setup control server 4 and the terminal 105 in the system configuration example of Figure 8 are now described. In action case 1 the user connects the terminal 105 to the main corporate network 102a. In action case 2 the user connects the terminal 105 to the home network 103.
(Action case 1)
When the terminal 105 is connected to the main corporate network 102a, the terminal 105 receives a position packet from the head office terminal setup control server 5a. The terminal 105 therefore obtains the head office set information 151 and updates its own settings based on the head office set information 151. As a result, the terminal 105 receives the following services via the network from the following servers.
OS patch file update service: head office OS patch update server 122a
Virus code file update service: head office virus code update server 123a
Printout service: head office printing server 125a
(Action case 2)
When the terminal 105 is connected to the home network 103, the terminal 105 receives no position packet. The terminal 105 therefore obtains the home-use set information 153 and updates its own settings based on the home-use set information 153. As a result, the terminal 105 receives the following services via the network from the following servers.
OS patch file update service: external OS patch update server 111
Virus code file update service: external virus code update server 112
Printout service: home printing server 132
VPN connection service to the main corporate network 102a: VPN server 124
Figure 17 shows an example of the position packet. Besides the identifying information used to recognise the network, the position packet 161 can contain various other information. Figure 17 shows, as an example of the position packet 161, four information categories: "identifying information", "place information", "utilisation time information" and "pattern information".
"Identifying information" is the identifier of the network, such as "001" or "002". "Place information" is information about the location of the network, such as "head office, 1st floor" or "branch office A". "Utilisation time information" is information about the time for which the terminal 105 may be used, such as "no restriction", "1 hour" or "3 hours". "Pattern information" is information about the mode of the terminal 105, such as "no restriction", "holiday mode" or "power saving mode".
For example, the terminal 105 can restrict the use of individual software according to the "place information". The terminal 105 can also shut down automatically when the time given by the "utilisation time information" is exceeded. The terminal 105 can further restrict the use of power according to the "pattern information".
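A parser for the four categories of the position packet 161 together with the three terminal-side restrictions just listed, as an added example rather than code from the patent. The patent does not define a wire encoding, so the `id=...;place=...;time=...;mode=...` format, the English field values, the policy tables (which software a place forbids, which modes limit power) and the rule that a malformed or incomplete packet is rejected outright are all assumptions of this example.

```python
"""Position packet 161: parsing its four information categories and applying the
terminal-side restrictions. Added example, not the patent's code; the wire
encoding, field values and policy tables are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class PositionPacket:
    identifying_info: str              # network identifier, e.g. "001"
    place_info: str                    # e.g. "head office, 1st floor"
    use_time_limit_s: Optional[int]    # None encodes "no restriction"
    pattern_info: str                  # e.g. "power saving mode"


_HOURS = re.compile(r"^(\d+)\s*hours?$")


def parse_use_time(text: str) -> Optional[int]:
    """'no restriction' -> None, 'N hour(s)' -> seconds; anything else is rejected."""
    text = text.strip().lower()
    if text == "no restriction":
        return None
    match = _HOURS.match(text)
    if match is None:
        raise ValueError(f"unrecognised utilisation time: {text!r}")
    return int(match.group(1)) * 3600


def parse_position_packet(raw: str) -> PositionPacket:
    """Parse the assumed 'id=...;place=...;time=...;mode=...' encoding.
    Every field is required; malformed input raises instead of producing a
    half-filled packet the terminal might act on."""
    fields: Dict[str, str] = {}
    for item in raw.split(";"):
        if not item.strip():
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {item!r}")
        fields[key.strip()] = value.strip()
    missing = {"id", "place", "time", "mode"} - fields.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return PositionPacket(fields["id"], fields["place"],
                          parse_use_time(fields["time"]), fields["mode"].lower())


# Policy tables (assumed): software forbidden at a place, and modes that limit power.
RESTRICTED_SOFTWARE_BY_PLACE: Dict[str, FrozenSet[str]] = {
    "branch office a": frozenset({"admin-console"}),
}
POWER_LIMITED_MODES: FrozenSet[str] = frozenset({"power saving mode", "holiday mode"})


def software_allowed(packet: PositionPacket, software: str) -> bool:
    """Restriction on individual software according to the place information."""
    blocked = RESTRICTED_SOFTWARE_BY_PLACE.get(packet.place_info.lower(), frozenset())
    return software not in blocked


def should_shut_down(packet: PositionPacket, elapsed_s: int) -> bool:
    """Automatic shutdown once the utilisation time is exceeded; no limit -> never."""
    return packet.use_time_limit_s is not None and elapsed_s > packet.use_time_limit_s


def power_restricted(packet: PositionPacket) -> bool:
    """Restriction on power use according to the pattern (mode) information."""
    return packet.pattern_info in POWER_LIMITED_MODES


if __name__ == "__main__":
    # Constructed sample packet in the assumed encoding.
    pkt = parse_position_packet(
        "id=002;place=Branch office A;time=3 hours;mode=Power saving mode")
    print(pkt)
    print("admin-console allowed:", software_allowed(pkt, "admin-console"))
    print("shut down after 4 h:", should_shut_down(pkt, 4 * 3600))
    print("power restricted:", power_restricted(pkt))
```

Rejecting incomplete packets matters because the terminal changes its own behaviour (software, shutdown, power) on the strength of this data; a lenient parser that defaulted missing fields to "no restriction" would silently lift limits whenever a packet was truncated.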
As described above, according to the second embodiment the terminal 105 judges whether a position packet has been received and which network it indicates, and updates its own settings based on the set information corresponding to the network to which it is connected. The terminal 105 can therefore reliably receive services via the network even when it is connected to a different network from last time. Moreover, because the terminal 105 updates the settings for a plurality of services collectively and automatically, each piece of software need not be handled individually and the user need not change the set information by hand. The user can thus reliably receive services via the network without being conscious of which network the terminal is connected to.
The preferred embodiments of the system for managing the connection of terminals to networks according to the present invention have been described above with reference to the drawings, but the present invention is not limited to these examples. It is evident that those skilled in the art can conceive of various changes or modifications within the scope of the technical idea disclosed in this application, and these are naturally understood to belong to the technical scope of the present invention.
Description of reference numerals
1: connection destination restriction system; 4: internal network; 5: external network; 11: communication management server; 12: service server; 13: firewall; 14: VPN server; 15: local terminal; 16: remote terminal; 17: external server; 21: critical packet sending AP; 22: communication trace management AP; 23: critical packet receiving AP; 24: VPN connection AP; 25: connection destination restriction AP; 101: terminal setting control system; 102a: main corporate network; 102b: branch office network; 103: home network; 104a: head office terminal setup control server; 104b: branch office terminal setup control server; 104: terminal setup control server; 105: terminal.

Claims (4)

1. A connection destination restriction system having a terminal that is physically connected to an internal network and to an external network, and a communication management server that is physically connected to the internal network, the connection destination restriction system restricting the logical connection destination of the terminal, wherein
the communication management server comprises a communication control unit that intermittently announces, to the internal network, permission information indicating that a logical connection request of the terminal is permitted, and
the terminal comprises:
a communication control unit that receives information announced on the internal network; and
a control part that, when the communication control unit of the terminal receives the permission information, judges that the terminal is physically connected to the internal network, and, when it is judged that the terminal is physically connected to the internal network, performs connection processing for the logical connection request.
2. The connection destination restriction system according to claim 1, wherein
the connection destination restriction system further has a VPN server that is physically connected to the internal network,
the VPN server comprises:
a communication control unit that receives information announced on the internal network; and
a control part that, when the communication control unit of the VPN server receives the permission information, judges that the VPN server is physically connected to the internal network,
wherein, when the control part of the terminal judges that the terminal is physically connected to the internal network, the communication control unit of the terminal sends a VPN connection request to the VPN server,
when the communication control unit of the VPN server receives the VPN connection request from the terminal, it sends the judgement result of the control part of the VPN server to the terminal, and
when the communication control unit of the terminal receives from the VPN server a judgement result indicating that the VPN server is physically connected to the internal network, the control part of the terminal judges that it is connected to a legitimate VPN server, and, when it is judged that it is connected to a legitimate VPN server, performs VPN connection processing for the logical connection request.
3. The connection destination restriction system according to claim 2, wherein
the control part of the terminal always responds to the logical connection request, and performs the VPN connection only according to the address information of the VPN server stored in advance in the terminal.
4. A connection destination restriction method in a connection destination restriction system having a terminal that is physically connected to an internal network and to an external network, and a communication management server that is physically connected to the internal network, the connection destination restriction system restricting the logical connection destination of the terminal, the method comprising the following steps:
the communication management server intermittently announces, to the internal network, permission information indicating that a logical connection request of the terminal is permitted,
the terminal receives information announced on the internal network,
when the terminal receives the permission information, the terminal judges that the terminal is physically connected to the internal network, and
when it is judged that the terminal is physically connected to the internal network, the terminal performs connection processing for the logical connection request.
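The decision logic of claims 1 to 4, written out as an added example that is not the patent's code. Three things here are assumptions of the example rather than statements of the claims: the permission information carries an HMAC tag over its issue time (the claims say nothing about how a receiver tells genuine permission information from anything else heard on the network), "physically connected" is judged against a fixed freshness window that must exceed the announcement interval, and the VPN path of claims 2 and 3 is tried only when the terminal itself has not heard permission information, which is how the remote terminal 16 of the reference numerals would reach the internal network. The shared key and timestamps are constructed.

```python
"""Connection destination restriction of claims 1-4. Added example, not the
patent's code. Assumptions: HMAC-tagged permission information, a fixed
freshness window, and the VPN path tried only when the terminal has not
itself heard permission information."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

SHARED_KEY = b"constructed-demo-key-not-for-use"  # constructed; deployments provision their own
PERMISSION_WINDOW_S = 30                            # assumed; must exceed the announce interval


@dataclass(frozen=True)
class PermissionInfo:
    """Permission information the communication management server announces
    intermittently on the internal network."""
    issued_at: int
    tag: bytes


def make_permission_info(issued_at: int, key: bytes = SHARED_KEY) -> PermissionInfo:
    """Communication management server side: build one announcement."""
    tag = hmac.new(key, str(issued_at).encode(), hashlib.sha256).digest()
    return PermissionInfo(issued_at, tag)


def permission_valid(info: PermissionInfo, now: int, key: bytes = SHARED_KEY) -> bool:
    """Genuine (tag matches) and fresh (inside the window, not from the future)."""
    expected = hmac.new(key, str(info.issued_at).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, info.tag) and 0 <= now - info.issued_at <= PERMISSION_WINDOW_S


class InternalNetworkJudge:
    """Control-part logic shared by terminal and VPN server: 'physically connected
    to the internal network' means valid permission information was received
    recently enough."""

    def __init__(self) -> None:
        self.last_valid: Optional[PermissionInfo] = None

    def receive(self, info: PermissionInfo, now: int) -> None:
        if permission_valid(info, now):
            self.last_valid = info

    def on_internal_network(self, now: int) -> bool:
        return (self.last_valid is not None
                and now - self.last_valid.issued_at <= PERMISSION_WINDOW_S)


@dataclass
class VpnServer:
    address: str
    judge: InternalNetworkJudge

    def handle_vpn_request(self, now: int) -> bool:
        """Claim 2: answer a VPN connection request with the server's own judgement."""
        return self.judge.on_internal_network(now)


@dataclass
class Terminal:
    judge: InternalNetworkJudge
    vpn_server_address: Optional[str]  # claim 3: stored in advance; None disables VPN

    def handle_logic_connection_request(self, now: int,
                                        reachable: Dict[str, VpnServer]) -> str:
        """Claim 3: always respond. Returns 'direct', 'vpn' or 'refused'."""
        if self.judge.on_internal_network(now):
            return "direct"                       # claim 1: connection processing
        server = reachable.get(self.vpn_server_address) if self.vpn_server_address else None
        if server is not None and server.handle_vpn_request(now):
            return "vpn"                          # claim 2: legitimate VPN server confirmed
        return "refused"


if __name__ == "__main__":
    announcement = make_permission_info(issued_at=1000)  # constructed timestamp
    local = Terminal(InternalNetworkJudge(), "vpn.internal.example")
    local.judge.receive(announcement, now=1005)
    print("local terminal:", local.handle_logic_connection_request(1010, {}))
    vpn = VpnServer("vpn.internal.example", InternalNetworkJudge())
    vpn.judge.receive(announcement, now=1005)
    remote = Terminal(InternalNetworkJudge(), "vpn.internal.example")
    print("remote terminal:", remote.handle_logic_connection_request(1010, {vpn.address: vpn}))
    print("forged announcement valid:", permission_valid(PermissionInfo(1000, b"\0" * 32), now=1005))
```

Two points the claims leave implicit are made concrete here: the VPN server's judgement result is only consulted when it comes from the pre-stored address (claim 3), and the terminal refuses rather than stays silent when neither branch succeeds, which is what "always responds" requires.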
CN201280000402.0A 2011-03-28 2012-02-27 Connection destination limitation system, connection destination limitation method, terminal setting control system, terminal setting control method, and program Expired - Fee Related CN102822838B (en)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
JP2011069266A JP4882030B1 (en) 2011-03-28 2011-03-28 Connection destination restriction system, connection destination restriction method
JP2011-069266 2011-03-28
JP2011152533 2011-07-11
JP2011-152533 2011-07-11
PCT/JP2012/054709 WO2012132697A1 (en) 2011-03-28 2012-02-27 Connection destination limitation system, connection destination limitation method, terminal setting control system, terminal setting control method, and program

Publications (2)

Publication Number Publication Date
CN102822838A CN102822838A (en) 2012-12-12
CN102822838B true CN102822838B (en) 2014-03-26

Family

ID=46930453

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201280000402.0A Expired - Fee Related CN102822838B (en) 2011-03-28 2012-02-27 Connection destination limitation system, connection destination limitation method, terminal setting control system, terminal setting control method, and program

Country Status (2)

Country Link
CN (1) CN102822838B (en)
WO (1) WO2012132697A1 (en)


Also Published As

Publication number Publication date
WO2012132697A1 (en) 2012-10-04
CN102822838A (en) 2012-12-12


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140326
