JP2007200209A - Communication system, server, communication method and computer program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To increase security in communication between server and client using the TCP/IP protocol. <P>SOLUTION: A communication system comprises a server and a client that communicates with applications in the server by the TCP/IP protocol. The server 104 has a server reception part 120 for receiving a program identifier uniquely specifying any of the applications from the client, a server side port number assignment part 124 for dynamically assigning a port number to the application specified by the program identifier received by the server reception part, and a server transmission part 122 for transmitting the port number assigned by the server side port number assignment part to the client. The client 102 communicates with the application in the server 104 via the dynamically assigned port number. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a communication system, a server, a communication method, and a computer program. Specifically, a communication system including a server including one or more application programs and a client that communicates with the application programs of the server using the TCP / IP protocol, a server used in the communication system, a communication method, and a computer Regarding the program.

  Conventionally, in communication between a server and a client using the TCP / IP protocol, a fixed port number is assigned to each application program (hereinafter also referred to as an application) that performs communication in the server, and the client is a known fixed number. The port number was used to establish communication connection with the application in the server. In particular, a fixed port number assigned to a widely used application such as an HTTP server, a TELNET server, and an FTP server is defined in RFC (Request for Comments) 1060 and is called a well-known port number. .

  Well-known port numbers are made public, and anyone can obtain the information. Therefore, anyone can obtain a list of applications running on the computer by performing port scan on the computer through the well-known port number. Also, anyone can obtain a list of computers on which the target application is operating by performing an IP address sweep. In addition, these applications can easily know the version number by default.

  Therefore, for example, when a vulnerability is found in an application, a computer on which the application is operating is specified by a third party by port scanning or IP address sweep. In addition, damage such as unauthorized access to and intrusion of the computer by the third party to tamper with data or a stepping stone for attacks on other computers has occurred. More recently, a large number of programs called worms have been created in which such illegal acts by third parties have been automated, and a large number of computers are connected to the Internet in the state of worm infection. there is a possibility.

  Therefore, a method for performing communication between a server and a client without using a well-known port number is provided (see, for example, Patent Document 1). In this method, a server and a client can establish a communication connection between a server and a client without using a well-known port number by deriving and using each port number by a predetermined common port number determination method. It is possible.

JP 2004-265122 A

  However, the above method is a method in which the server and the client are used by using the same port number determination method, and is a method of VPN. In other words, it is not suitable for application to an unspecified number of computers because it operates for the first time by implementing and synchronizing a unique method on a server and a client that are premised on communication. In the above method, since the port number used on the server side can be derived on the client side, if the above method is widely applied to an unspecified number of computers, a third party can use the port number to It is possible to gain unauthorized access, and security protection by the above method is meaningless.

  Therefore, the present invention has been made in view of such a problem, and an object of the present invention is to improve security in communication between a server and a client by the TCP / IP protocol, and to an unspecified number of computers. It is an object of the present invention to provide a new and improved communication system, server, communication method, and computer program that can be applied.

  In order to solve the above-described problem, according to one aspect of the present invention, there is provided a communication system including a server including one or more application programs and a client communicating with the application programs using the TCP / IP protocol. Is done. In the communication system, the server receives a program identifier for uniquely identifying one of one or more application programs from a client; an application program identified by the program identifier received by the receiver; A server-side port number assigning unit that dynamically assigns a port number; and a server transmission unit that transmits the port number assigned by the server-side port number assigning unit to the client as the server-side port number.

  The client includes a client transmission unit that transmits a program identifier of an application program to be communicated to the server; and a client reception unit that receives a server-side port number from the server. The client is a server received by the client reception unit. It communicates with the server application program using the side port number.

  According to the above invention, communication between the server application and the client is performed using the port number dynamically assigned by the server. Therefore, since the well-known port number is not used, unauthorized access to the application through the well-known port number can be prevented. In addition, since the port number is dynamically determined by the server, the client cannot know the port number unless it receives a notification from the server. Therefore, it is possible to prevent the client from illegally accessing the server application through a known port number, and to improve communication security.

  The server further includes a client-side port number specifying unit for specifying the port number on the client side when the application program to which the port number is assigned communicates with the client, and the server transmitting unit is specified by the client-side port number specifying unit The transmitted port number may be transmitted to the client as the client-side port number. According to such a configuration, since the server also specifies the port number on the client side, the communication partner with the application can be controlled in units of the port number on the client side, and security can be further improved.

In order to solve the above problems, according to another aspect of the present invention, in a communication system including a server including one or more application programs and a client communicating with the application programs using the TCP / IP protocol. The server determines the procedure definition table that defines the procedure for accessing the application program; and determines whether to allow communication between the application program and the client based on the access procedure defined in the procedure definition table A communication start / stop determining unit that, when communication is permitted by the communication enable / disable determining unit, causes the application program designated by the client to start communication with the client;
A communication system is provided.

  The communication permission / inhibition determining unit may determine permission / non-permission of communication so that communication between the client and the application program is permitted when the client accesses the server according to a predetermined procedure. .

  According to the above invention, the server permits communication with the client only when the client accesses the server according to a predetermined procedure. For this reason, access to applications in the server by a third party can be restricted, and communication security can be improved.

  In the above communication system, the server sends the port number assigned by the server side port number assigning unit to the client as the server side port number, which dynamically assigns a port number to the application program. A server transmission unit that performs communication, and in this case, the communication start unit, when communication is permitted by the communication availability determination unit, serves as a server-side port number assigning unit and is designated by the client as an application program. A port number may be assigned to the server, and a server transmission unit may be used to transmit the port number to the client. According to this configuration, the server dynamically determines the application port number. Therefore, since the well-known port number is not used, unauthorized access to the application through the well-known port number can be prevented. In addition, since the port number is dynamically determined by the server, the client cannot know the port number unless it receives a notification from the server. Therefore, it is possible to prevent the client from illegally accessing the server application through a known port number, thereby further improving the security of communication.

  In the communication system, the server may further include a server reception unit that receives a program identifier that uniquely identifies one or more application programs from the client. In this case, the communication start unit determines whether communication is possible. When the communication is permitted by the unit, the server receiving unit may receive the program identifier from the client, and the application program specified by the received program identifier may be the application program specified by the client. According to such a configuration, the access procedure can be commonly set for each application program of the server.

  In the above procedure definition table, a different access procedure may be defined for each of one or more application programs. In this case, the communication start unit is a client permitted to communicate with the application by the communication availability determination unit. The application designated by the client may be specified in accordance with the access procedure executed by. According to such a configuration, different procedures are determined for each application program, so that even if one access procedure leaks, unauthorized access to other application programs can be prevented.

  In the above procedure definition table, different access procedures may be defined for each of one or more application programs and for each application usage mode. In this case, the communication start unit may be a communication availability determination unit. The application specified by the client and the usage mode may be specified according to the access procedure executed by the client permitted to communicate with the application. According to such a configuration, different procedures are determined for each application and for each usage mode. Therefore, even if one access procedure is leaked, it is illegal for application programs based on other usage modes or other application programs. Access can be prevented.

  The usage mode may include either or both of a client authentication method executed by the application program and a network type to which the client can connect via the application program.

  The access procedure may be a combination of the port number received by the server from the client and the order of reception of the port number.

  In the communication system, the server may further include an access procedure update unit that updates an access procedure defined in the procedure definition table at a predetermined timing. According to such a configuration, since the access procedure is updated, even if the access procedure leaks once, the access in the leaked access procedure becomes invalid after the update.

  The communication system may include an access procedure generation server that generates an access procedure at a predetermined timing and stores the generated access procedure in an access procedure storage unit. May acquire the access procedure from the access procedure generation server at a predetermined timing, and update the procedure definition table according to the acquired access procedure.

  In order to solve the above-described problems, according to another aspect of the present invention, there is provided a server that includes one or more application programs and controls communication between the application program and the client using the TCP / IP protocol. The server determines whether to allow communication between the application program and the client based on the procedure definition table that defines the procedure for accessing the application program; and the access procedure defined in the procedure definition table. And a communication start unit for causing an application program designated by the client to start communication with the client when communication is permitted by the communication enable / disable determination unit.

  In order to solve the above problems, according to another aspect of the present invention, a computer program that causes a computer to function as the server is provided. The computer program is stored in a storage device included in the computer and is read and executed by a CPU included in the computer, thereby causing the computer to function as the server. A computer-readable recording medium on which a computer program is recorded is also provided. The recording medium is, for example, a magnetic disk or an optical disk.

  In order to solve the above problems, according to another aspect of the present invention, a communication method executed by any one of the above communication systems is provided.

  As described above, according to the present invention, a new and improved communication system that can improve security in communication between a server and a client using the TCP / IP protocol and can be applied to an unspecified number of computers. , Server, communication method, and computer program can be provided.

  Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the present specification and drawings, components having substantially the same functional configuration are denoted by the same reference numerals, and redundant description is omitted.

(First embodiment)
First, an outline of a communication system according to the first embodiment will be described with reference to FIG. A communication system 100 according to the present embodiment includes a server 104 that includes one or more application programs (hereinafter also referred to as applications) and a client 102 that performs communication using an TCP / IP protocol between the applications included in the server 104. Consists of. There may be a plurality of clients 102.

  The client 102 and the server 104 are computers having a communication function. In response to a request from the client 102, the server 104 activates an application included in the server 104 and causes communication between the application and the client 102 to provide a service required by the client 102. When the application of the server 104 and the client 102 communicate, a unique port number is assigned to each application so that the server 104 can identify the application. The client 102 can communicate with a specific application in the server 104 using this port number.

  Conventionally, the server and the client communicate with each other by using a known well-known port number called a well-known port number. In this embodiment, even if the client 102 accesses the server 104 by specifying a well-known port number as in the conventional case, the server 104 does not start communication with the application. In this embodiment, the server 104 dynamically assigns a port number to each application and uses the port number to communicate between the server and the client, thereby preventing the port number from being known to a third party. Communication security. Hereinafter, the communication system 100 will be described in detail.

  First, the functional configurations of the client 102 and the server 104 will be described with reference to FIG. The client 102 mainly includes an input unit 110, a client transmission unit 112, and a client reception unit 114. The server 104 mainly includes a server reception unit 120, a server transmission unit 122, a server side port number assignment unit 124, and a communication information storage unit 128. Hereinafter, the functions of the client 102 and the server 104 will be described along the data flow.

  The input unit 110 of the client 102 inputs an identifier of a service to be used via an input unit such as a mouse or a keyboard provided in the client 102. The service identifier corresponds to an identifier that uniquely identifies the application of the server 104 and is hereinafter referred to as a program identifier. The input unit 110 provides the input program identifier to the client transmission unit 112.

  The client transmission unit 112 inquires of the server 104 that is the communication partner about the service to be used. Specifically, the client transmission unit 112 inquires about the service specified by the program identifier acquired from the input unit 110 using a protocol for inquiring about the service. As a protocol for inquiring services, for example, ICMP can be used. In that case, the client transmission unit 112 transmits the program identifier acquired from the input unit 110 to the server 104 by ICMP.

  The server receiving unit 120 receives a program identifier that uniquely identifies one or more application programs from the client 102. Specifically, the server receiving unit 120 receives a program identifier transmitted from the client 102 by ICMP. The server receiving unit 120 provides the received program identifier to the server side port number assigning unit 124.

  The server-side port number assigning unit 124 dynamically assigns a port number to the application specified by the program identifier acquired from the server receiving unit 120. The dynamic port number assigning method by the server-side port number assigning unit 124 includes, for example, a method of assigning available free port numbers in order from a small number, a method of randomly assigning usable free port numbers, and at the time of granting. For example, a method of assigning a port number calculated by a predetermined calculation formula from the date and time or the like can be considered. The method of dynamically determining the port number is not limited to the above, and various known methods can be used. The server-side port number assigning unit 124 stores the port number assigned to the application in the communication information storage unit 128 in association with the identifier that uniquely identifies the client 102 that has transmitted the program identifier of the application. The server-side port number assigning unit 124 provides the assigned port number to the server transmitting unit 122.

  The communication information storage unit 128 includes a memory such as a RAM or a hard disk, and stores the identifier of the client 102 and the port number assigned to the application in the server 104 in association with each other. FIG. 2 shows an example of information stored in the communication information storage unit 128. As shown in FIG. 2, the communication information storage unit 128 stores an ID 1280, a client identifier 1282, and a server-side port number 1284 in association with each other.

  ID 1280 is a number assigned to each combination of a client identifier and a server-side port number. The client identifier 1282 is an identifier that uniquely identifies the client 102, and can be, for example, the IP address of the client 102. The server side port number 1284 is a port number assigned to an application in the server 104. Specifically, it is a port number assigned to an application that communicates with the client 102 specified by the client identifier 1282 associated with the same ID.

  When the server 104 receives data including the port number of the application that is the communication partner of the client 102 from the client 102, the server 104 refers to the communication information storage unit 128, receives the IP address of the client 102 that is the data transmission source, and the reception When the port number included in the data is associated in the communication information storage unit 128, communication between the client 102 and the application specified by the port number can be relayed. The communication information storage unit 128 may further store an application identifier specified by the server-side port number in association with each other.

  Returning to FIG. The server transmission unit 122 transmits the port number acquired from the server-side port number assigning unit 124 to the client 102. Specifically, the server transmission unit 122 transmits the port number to the client 102 as a response to the service inquiry from the client 102. For example, the server transmission unit 122 transmits the port number to the client 102 by an ICMP response.

  The client receiving unit 114 receives a port number from the server 104. Thereafter, the client 102 accesses the server 104 using the port number received by the client receiving unit 114, so that the server 104 can communicate with the application to which the port number is assigned.

  A communication method executed by the communication system 100 configured as described above will be described with reference to FIG.

  As shown in FIG. 3, first, the client 102 inquires of the server 104 about a service to be used (S100). More specifically, the client 102 transmits an identifier of a service to be used to the server 104 by using a protocol for inquiring a service such as ICMP. Upon receiving the inquiry, if the server 104 provides the corresponding service, the server 104 dynamically assigns a port number to the application corresponding to the service (S102). Specifically, if the server 104 has an application specified by the program identifier included in the data received from the client 102, the server 104 dynamically assigns a port number to the application. Subsequently, the server 104 associates the port number assigned to the application with the identifier of the client 102 as the service inquiry source, and stores it in the communication information storage unit 128 (S104). Then, the server 104 transmits the port number assigned in S102 to the client 102 (S106).

  After receiving the port number, the client 102 requests connection to the server 104 using the received port number (S108). Upon receiving the request, the server 104 executes a connection sequence for each protocol and application (S110). Specifically, the server 104 activates an application identified by the port number included in the data received from the client 102 based on the communication information storage unit 128. Thereafter, the started application establishes communication connection with the client 102 and executes communication.

  According to the above configuration, the server 104 receives a service inquiry from the client 102 and dynamically assigns a port number to an application corresponding to the service. Then, the server 104 transmits the port number assigned to the application to the client 102 as a response to the inquiry. By using the port number, the client 102 can communicate with a desired application in the server 104. Thus, since the port number is dynamically assigned by the server 104, it is possible to prevent the port number from being known to a third party.

  As for port scan, it was possible to send a packet to all ports and see the response of each port in the past. However, in the above configuration, the process of specifying and checking the service one by one is confirmed. Necessary. Therefore, the server 104 can easily limit the number of simultaneous accesses from the same client 102, and can extend the time required for port scanning. In general, a client that requests a large number of services in order is not normally operated, so that there is an advantage that an unauthorized client can be easily found.

  In addition, IP address sweep is normal access for each server 104, but a host device such as ISP or IDS can observe a large amount of ICMP traffic from the same transmission source, so it is illegally noticed. There is an advantage that it is easy.

(Modification 1)
In the present embodiment, the server 104 also specifies the port number on the client side, so that security can be further improved. In this case, as shown in FIG. 1, the server 104 is provided with a client-side port number designation unit 126. The client-side port number specifying unit 126 acquires the client identifier and the server-side port number assigned to the application by the server-side port number assigning unit from the server-side port number assigning unit 124. The client-side port number designating unit 126 designates the port number on the client 102 side to be used by the client 102 when the client 102 identified by the client identifier communicates with the application identified by the server-side port number. To do.

  The client-side port number designating unit 126 associates the client identifier, the server-side port number, and the designated client-side port number and stores them in the communication information storage unit 128. In addition, the client-side port number designating unit 126 provides the designated client-side port number to the server transmitting unit 122. The server transmission unit 122 transmits the client-side port number acquired from the client-side port number specifying unit 126 and the server-side port number acquired from the server-side port number unnecessary unit 124 to the client 102.

  As shown in FIG. 2, the communication information storage unit 128 stores a client-side port number 1286 in addition to the above-described data. The client-side port number 1286 is a client-side port number used by the client 102 when an application in the server 104 specified by the server-side port number 1284 communicates with the client identified by the client identifier 1282. is there. The server 104 can also accept communication from any port number by designating the port number of the client 102 as “Any”.

  When the server 104 receives data including the port number of the application that is the communication partner of the client 102 from the client 102, the server 104 refers to the communication information storage unit 128, the IP address of the client 102 that is the data transmission source, and the client When the communication information storage unit 128 associates the client-side port number used by the client 102 with the server-side port number included in the received data, the client 102 and the application identified by the port number You can relay communication with.

  A communication method in the communication system 100 when the server 104 also designates a client-side port number will be described with reference to FIG.

  As shown in FIG. 4, first, the client 102 inquires of the server 104 about a service to be used (S200). In response to the inquiry, if the server 104 provides the corresponding service, the server 104 dynamically assigns a port number to the application corresponding to the service (S202). Further, the server 104 designates a port number on the client side (S204). Subsequently, the server 104 associates the port number assigned to the application, the identifier of the client 102 as the service inquiry source, and the designated client-side port number, and stores them in the communication information storage unit 128 (S206). . Then, the server 104 transmits the server-side port number assigned in S202 and the client-side port number specified in S204 to the client 102 (S208).

  After receiving the server-side port number and the client-side port number, the client 102 requests connection to the server 104 using the two received port numbers (S210). Upon receiving the request, the server 104 executes a connection sequence for each protocol and application (S212).

  According to the above configuration, the server 104 can also specify the port number of the client 102 that communicates with the application in the server 104. Therefore, the server 104 can permit the communication connection between the client 102 and the application only when the specified client-side port number is used, even if the connection request from the same client 102 is made to the application. Security in communication between the server and the client can be further improved.

(Second Embodiment)
Next, a communication system 200 according to the second embodiment will be described. First, an outline of a communication system according to the present embodiment will be described based on FIG. A communication system 200 according to the present embodiment includes a server 204 including one or more applications and a client 202 that performs communication using the TCP / IP protocol between applications included in the server 204. There may be a plurality of clients 202.

  The client 202 and the server 204 are computers having a communication function. In response to a request from the client 202, the server 204 activates an application included in the server 204 and causes communication between the application and the client 202 to provide a service required by the client 202. When the application of the server 204 and the client 202 communicate, a unique port number is assigned to each application so that the server 204 can identify the application. The client 202 can communicate with a specific application in the server 204 using this port number.

  In this embodiment, as in the first embodiment, even if the client 202 accesses the server 204 by specifying a well-known port number as in the conventional case, the server 204 does not start communication with the application. In the first embodiment, a server receives a service inquiry from a client, dynamically assigns a port number to an application corresponding to the service, and performs communication between the server and the client using the port number. In the present embodiment, whether or not the server 204 permits communication with an application in the server 204 is determined based on whether or not the client 202 has accessed the server 204 according to a predetermined procedure. Only when the client 202 accesses the server 204 in accordance with a predetermined procedure, by allowing the client 202 to communicate with the application in the server 204, a third party can illegally Access is prevented and communication security is improved. Hereinafter, the communication system 200 will be described in detail.

  The functional configuration of the client 202 and the server 204 will be described based on FIG. The client 202 mainly includes an input unit 210, a client transmission unit 212, and a client procedure definition table storage unit 216. The server 204 mainly includes a server reception unit 220, a communication availability determination unit 230, a server definition procedure table storage unit 232, and a communication start unit 234. Hereinafter, each function of the client 202 and the server 204 will be described along the data flow.

  The input unit 210 of the client 202 inputs an identifier of a service to be used via an input unit such as a mouse or a keyboard provided in the client 202. The service identifier corresponds to an identifier that uniquely identifies the application of the server 204, and is hereinafter referred to as a program identifier. The input unit 210 provides the input program identifier to the client transmission unit 212.

  The client transmission unit 212 accesses the server 204 according to a predetermined procedure according to the service desired to be used. Specifically, the client transmission unit 212 refers to the access procedure stored in the client procedure definition table storage unit 216, and accesses the server 204 according to the access procedure predetermined for each application. The client procedure definition table storage unit 216 stores a procedure definition table that defines an access procedure for each application in the server 204. The procedure definition table stored in the client procedure definition table storage unit 216 is the same as or a part of the procedure definition table stored in the server procedure definition table storage unit 232 of the server 204. Here, the procedure definition table will be described with reference to FIG.

  As shown in FIG. 6, an application 2320 and an access procedure 2322 are associated with the procedure definition table. The application 2320 stores a program identifier that is an identifier of an application that the server 204 has or can hold. The access procedure 2322 stores a procedure for accessing the server 204 for allowing the server 204 to establish a communication connection with the application specified by the program identifier. In this embodiment, the access procedure is the connection destination of the connection request and its order. Specifically, the type of protocol and port number, and their order.

  Specifically, according to the example of FIG. 6, in order for the client 202 to communicate with the http server application in the server 204, the client 202 first specifies a port number 80 by TCP and makes a connection request to the server 204. Next, the port number 80 is designated by TCP and a connection request is made to the server 204. Next, the port number 80 is designated by TCP and the connection request is made to the server 204. In other words, the access procedure for the client 202 to communicate with the http server application in the server 204 is to make three consecutive connection requests specifying the port number 80 in TCP. As shown in FIG. 6, an access procedure unique to each application is defined for other applications such as FTP and TELNET.

  Returning to FIG. 5, the description of the client transmission unit 212 is continued. The client transmission unit 212 searches the client procedure definition table storage unit 216 for the program identifier acquired from the input unit 210, and refers to the access procedure associated with the corresponding program identifier. Then, according to the access procedure, a connection request is made to the server 204 and accessed.

  The server receiving unit 220 accepts access from the client 202. Specifically, the server reception unit 220 receives a connection request from the client 202 and provides the received connection request to the communication availability determination unit 230 according to the received order.

  Based on the access procedure defined in the procedure definition table, the communication availability determination unit 230 allows the communication between the client 202 and the application when the client 202 accesses the server 204 according to the access procedure. It is determined whether communication between the application and the client 202 is permitted. Specifically, the communication availability determination unit 230 searches the procedure definition table stored in the server procedure definition table storage unit 232 for the type and order of the connection requests acquired by the server reception unit 220. When the corresponding access procedure is defined in the procedure definition table, the server 204 permits communication between the client 202 and the application specified by the program identifier associated with the access procedure, and The program identifier is notified to the communication start unit 234. On the other hand, if the corresponding access procedure is not defined in the procedure definition table, the server 204 does not allow the client 202 to communicate with any application in the server 204, and the server 204 Do not respond to connection requests. Alternatively, the server 204 may notify the client 202 that communication is not permitted.

  The communication start unit 234 causes the application designated by the client 202 to start communication with the client 202 when communication is permitted by the communication availability determination unit 230. Specifically, the communication start unit 234 acquires a program identifier from the communication availability determination unit 230 and activates an application specified by the program identifier. Then, the communication start unit 234 opens the well-known port of the application and starts communication between the application and the client 202 via the well-known port. Thereafter, the client 202 can communicate with a desired application in the server 204 via the well-known port and receive a service.

  A communication method executed by the communication system 200 having the above configuration will be described with reference to FIG. First, the client 202 refers to the access procedure of the service desired to be used from the procedure definition table (S300). Next, the client 202 accesses the server 204 according to the referred procedure (S302).

  When the server 204 receives an access from the client 202, the server 204 checks whether the access procedure from the client 202 is a predetermined procedure based on the procedure definition table, and determines whether to permit communication. (S304). When permitting communication, the server 204 opens a well-known port of the application requested from the client 202 and responds to the client 202 (S306).

  According to the above configuration, the server 204 permits communication between the client 202 and the application only when accessed from the client 202 by a procedure predetermined for each application. Therefore, even when the well-known port of the application is used for communication between the application in the server 204 and the client 202, only the client 202 who knows the access procedure can access the application. Therefore, unauthorized access to the application in the server 204 can be prevented and security can be improved. Also, by defining different access procedures for each application, it is possible to prevent unauthorized access to other applications even if one access procedure is leaked.

  As for port scan and IP address sweep, in the above configuration, even if a third party knows the access procedure, the service provided by the server 204 (the application that the server 204 has) In order to obtain a list of services, access procedures must be executed for each service, which requires a great deal of processing. Accordingly, there is an advantage that it is difficult to make a script and it is easy for the administrator to notice the port scan or the like, so that it is possible to prevent a port scan or IP address sweep from being easily performed by a third party.

  In addition, when considering an application that performs encrypted communication such as VPN, it is possible to execute a connection request with unique specifications so that the server does not know whether it is a VPN communication server. There is an advantage that you can. Note that the conventional authentication method can be used for connection to the VPN service, further improving security.

(Modification 1)
In this embodiment, the server 204 may dynamically assign a port number to the application as in the first embodiment, instead of using the well-known port of the application as described above. Further, the server 204 may designate a port number on the client side. In this case, as shown in FIG. 5, the server 204 includes a server-side port number assigning unit 224, a client-side port number specifying unit 226, a communication information storage unit 228, and a server transmission unit 222. A receiving unit 214 is provided. The server-side port number assigning unit 224, the client-side port number specifying unit 226, the communication information storage unit 228, the server transmitting unit 222, and the client receiving unit 214 are the server-side port number assigning unit 124, the client according to the first embodiment. The functions are the same as those of the side port number designation unit 126, the communication information storage unit 128, the server transmission unit 122, and the client reception unit 114, and thus description thereof is omitted.

  A communication method when the server 204 dynamically assigns a port number on the server side will be described with reference to FIG. First, the client 202 refers to the access procedure of the service desired to be used from the procedure definition table (S400). Next, the client 202 accesses the server 204 according to the referred procedure (S402).

  When the server 204 receives an access from the client 202, the server 204 checks whether the access procedure from the client 202 is a predetermined procedure based on the procedure definition table, and determines whether to permit communication. (S404). When permitting communication, the server 204 dynamically assigns a port number to the requested application (S406), associates the identifier of the client 202 with the port number, and stores them in the communication information storage unit 228 (S408). . Next, the server 204 transmits the port number assigned in S406 to the client 202 (S410).

  After receiving the port number, the client 202 requests connection to the server 204 using the received port number (S412). In response to the request, the server 204 executes a connection sequence for each protocol and application (S414).

  FIG. 9 shows a specific data flow between the server 204 and the client 202 by the communication method. In FIG. 9, the flow of data between the server 204 and the client 202 when the client 202 requests the server 204 to establish a communication connection with the ftp server application in the server 204 based on the procedure definition table shown in FIG. Is shown.

  The client 202 first transmits an ICMP echo command to the server 204 in accordance with the access procedure (S430). Next, the client 202 designates the port number 80 by TCP and makes a connection request to the server 204 (S432). Next, the client 202 designates the port number 999 by UDP and makes a connection request to the server 204 (S434). Next, the client 202 makes a connection request to the server 204 by designating the port number 2 by TCP (S436).

  Since the client 202 has accessed the ftp server application according to a predetermined procedure, the server 204 permits communication and dynamically assigns the port number n to the ftp application (S438).

  The server 204 transmits the port number n assigned in S438 to the client 202 (S440). The client 202 makes a connection request by specifying the received port number n (S442), and establishes a communication connection between the client 202 and the ftp application in the server 204 (S444).

  According to the above configuration, since the server 204 dynamically determines the port number, it is possible to prevent the port number from being known to a third party, and security can be further improved.

(Modification 2)
In the second embodiment, the access procedure may be set for each usage mode of the application. Specifically, for example, even when accessing the same application, a different access procedure may be set in the procedure definition table for each authentication method performed between the client 202 and the application. Further, for example, even when accessing the same application, a different access procedure may be set in the procedure definition table for each content of processing executed by the application.

  An example of the procedure definition table in this modification is shown in FIG. As shown in FIG. 10, an application 2320, an access procedure 2322, and a usage mode 2324 are associated with the procedure definition table. The application 2320 and the access procedure 2322 are the same as those in FIG. The usage mode 2324 stores a usage mode when the client 202 uses a corresponding application when the client 202 accesses the server 204 by the procedure stored in the access procedure 2322. As shown in FIG. 10, in this modification, a plurality of access procedures are defined for one application. Examples of usage modes include the difference in authentication method and the contents of processing executed by the application, for example, the type of network to which the client 202 can connect via the application.

  Specifically, for example, even when the client 202 requests communication connection to the same ssh server application, when performing password authentication between the ssh and the client 202, the certificate authentication is performed between the ssh and the client 202. A longer and more complex procedure can be established than when performing Thus, if the access procedure is changed depending on the authentication method, the security of the authentication method can be supplemented.

  Further, even when the client 202 requests a communication connection to the same server application, when the squid relays both the access to the Internet and the access to the intranet by the client 202, the squid Can define a longer and more complicated procedure than when only the access to the Internet by the client 202 is relayed.

  A communication method in this modification will be described with reference to FIG. First, the client 202 refers to the access procedure from the procedure definition table in accordance with the service to be used and the usage mode (S500). Subsequently, the client 202 accesses the server 204 according to the referred access procedure (S502).

  When the server 204 receives an access from the client 202, the server 204 checks whether the access procedure from the client 202 is a predetermined procedure based on the procedure definition table, and determines whether to permit communication. (S504). The server 204 recognizes whether or not communication is possible and the application requested for communication and its usage mode according to the access procedure from the client (S506). Then, when permitting communication, the server 204 opens a well-known port of the application requested by the client 202 and responds to the client 202 (S508).

  FIG. 12 shows a specific data flow between the server 204 and the client 202 by the communication method. In FIG. 12, the client 202 is connected to the squid server application in the server 204 based on the procedure definition table shown in FIG. 10, and the squid server application requests the relay access to the Internet. , The data flow between the server 204 and the client 202 is shown.

  In accordance with the access procedure, the client 202 first designates the port number 55 by UDP and requests connection to the server 204 (S530). Next, the client 202 specifies a port number 880 by TCP and requests connection to the server 204 (S532). Next, the client 202 transmits ICMP to the server 204 (S534). Next, the client 202 specifies a port number 3128 by TCP and requests connection to the server 204 (S536).

  The server 204 allows the communication because the client 202 has accessed the Squid server application according to a predetermined procedure, and recognizes the usage mode of the Squid requested from the client 202 by the access procedure.

  The server 204 opens a well-known port of the Squid server application, sends a communication OK response to the client 202 (S540), and establishes a communication connection between the client 202 and the Squid server application in the server 204 (S542). . Thereafter, the client 202 can use a Squid server application that can access the Internet, and the client 202 can access the Internet through relaying by the Squid server application in the server 204. In this case, the scan server application in the server 204 relays only access to the Internet by the client 202 and does not relay access to the intranet.

  According to the above configuration, by setting a different access procedure for each usage mode, the server 204 can perform access restrictions more finely, and security can be further improved. In this modification, the server 204 may dynamically assign a port number to the application.

(Modification 3)
In the above embodiment, a different access procedure is defined for each application, but an access procedure common to all applications may be defined. In that case, the client 202 first accesses the server 204 according to a predetermined procedure, and the server 204 determines whether or not communication with the client 202 is possible. Thereafter, when communication is permitted, the server 204 may inquire about an application to be used with respect to the client 202, and the client 202 may transmit the identifier of the application to the server 204 in response to the inquiry.

  A communication method according to this modification will be described with reference to FIG. First, the client 202 refers to an access procedure common to all services from the procedure definition table (S600). The client 202 accesses the server 204 according to the referenced access procedure (S602). Upon receiving access from the client 202, the server 204 determines whether to permit communication with the client 202 based on the procedure definition table (S604). When permitting communication, the server 204 inquires of the client 202 about a service to be used (S606). If communication is not permitted, the server 204 does not respond.

  In response to the inquiry from the server 204, the client 202 transmits the identifier of the service to be used to the server 204 (S608). The server 204 dynamically assigns a port number to the application specified by the received identifier (S610), and associates the identifier of the client 202 with the port number and stores them in the communication information storage unit 228 (S612). Next, the server 204 transmits the port number assigned in S610 to the client 202 (S614).

  After receiving the port number, the client 202 requests connection to the server 204 using the received port number (S616). Upon receiving the request, the server 204 executes a connection sequence for each protocol and application (S618).

  FIG. 14 shows a specific data flow between the server 204 and the client 202 by the communication method. FIG. 14 shows a data flow between the server 204 and the client 202 when the client 202 requests a connection with the squid server application in the server 204.

  The client 202 first transmits an ICMP echo to the server 204 in accordance with an access procedure common to all services (S630). Next, the client 202 designates the port number 80 by TCP and requests connection to the server 204 (S632).

  Since the server 204 is accessed from the client 202 according to a predetermined procedure, the server 204 permits communication with the client 202 and inquires about the service (S634). In response to the inquiry, the client 202 transmits an identifier of a service to be used (here, a well-known port of the squid server application) to the server 204 (S636).

  The server 204 dynamically assigns the port number n to the squid server application (S638), and transmits the assigned port number n to the client 202 (S640). The client 202 designates the received port number n and makes a connection request (S642), and a communication connection is established between the client 202 and the squad application in the server 204 (S644).

(Third embodiment)
Next, a communication system 300 according to the third embodiment will be described. The communication system 300 according to the present embodiment employs the communication method between the client and the server using the access procedure in the communication system 200 of the second embodiment, and updates the access procedure at a predetermined timing. By updating the access procedure, once the access procedure has been leaked to a third party, the access procedure can be updated thereafter to prevent unauthorized access to the server by the third party. Security can be further improved. Hereinafter, the description will focus on differences from the second embodiment.

  First, the overall configuration of the communication system 300 will be described with reference to FIG. The communication system 300 mainly includes a client 302, a server 304, and an access procedure generation server 306.

  The access procedure generation server 306 generates an access procedure used between the client 302 and the server 304. The access procedure generation server 306 is connected to the client 302 and the server 304 via a communication network, and provides an access procedure generated in response to a request from the client 302 or the server 304. It should be noted that the access procedure generation server 306 is configured such that the client 302 and the server 302 and the server at a predetermined interval such as every day, every week, every predetermined time such as 0:00 every day, or every time a new access procedure is generated. The access procedure may be forcibly transmitted to 304.

  Next, functional configurations of the access procedure generation server 306, the client 302, and the server 304 will be described with reference to FIG. In addition, about the thing which has the same function as the client 202 and the server 204 concerning 2nd Embodiment, the same code | symbol is provided and description is abbreviate | omitted.

  The access procedure generation server 306 mainly includes an access procedure generation unit 340 that generates an access procedure, and an access procedure storage unit 342 that stores the generated access procedure. The access procedure generation unit 340 generates an access procedure at predetermined intervals or at predetermined times, and stores the generated access procedure in the access procedure storage unit 342. The access procedure storage unit 342 includes a memory such as a RAM or a hard disk, and stores an access procedure. Note that the access procedure storage unit 342 may store only the latest access procedure, or may store a plurality of versions of access procedures so that the versions can be recognized.

  The client procedure update unit 318 of the client 302 accesses the access procedure generation server 306 at a predetermined timing and acquires the latest access procedure. The client procedure update unit 318 updates the procedure definition table stored in the client procedure definition table storage unit 216 with the acquired latest access procedure. Note that the client procedure update unit 318 may add the latest access procedure to the procedure definition table. In that case, a plurality of versions of access procedures are stored in the procedure definition table of the client procedure definition table storage unit 216 so that the versions can be identified.

  The client transmission unit 312 has substantially the same function as the client transmission unit 212 according to the second embodiment, but acquires the latest access procedure from the client access procedure update unit 318 before referring to the access procedure from the procedure definition table. Thus, the procedure definition table is updated to be different from the client transmission unit 212. In this case, the predetermined timing at which the client access procedure update unit 318 acquires the access procedure from the access procedure generation server 306 is the timing requested by the client transmission unit 312. Note that the predetermined timing can be arbitrarily set at predetermined intervals, a predetermined time, or the like.

  The server access procedure update unit 336 accesses the access procedure generation server 306 at a predetermined timing and acquires the latest access procedure. The server access procedure update unit 336 updates the procedure definition table stored in the server procedure definition table storage unit 232 with the acquired access procedure. The predetermined timing can be arbitrarily set at a predetermined interval, a predetermined time, or the like.

  A communication method between the client 302 and the server 304 in the communication system 300 having the above-described configuration will be described with a focus on a part that involves updating the procedure definition table. FIG. 16 shows a communication method when the versions of the procedure definition tables of the client 302 and the server 304 are the same. FIGS. 17 and 18 show a communication method when the versions of the procedure definition tables of the client 302 and the server 304 are different when the client 302 accesses the server 304. In particular, FIG. 17 shows a case where the procedure definition table of the server 304 is the latest version, but the procedure definition table of the client 302 is not updated and is an old version. FIG. 18 shows a case where the procedure definition table of the client 302 is the latest version, but the procedure definition table of the server 304 is not updated and is an old version.

  First, a description will be given with reference to FIG. The server 304 periodically requests an access procedure from the access procedure generation server 306 (S700). In response to a request from the server 304, the access procedure generation server 306 transmits the latest access procedure stored in the access procedure storage unit 342 to the server 304 (S702). The server 304 receives the access procedure from the access procedure generation server 306, and updates the procedure definition table according to the received access procedure (S704).

  On the other hand, when the client 302 wants to communicate with the application of the server 304, it first requests the access procedure generation server 306 for the access procedure of the service to be used (S706). In response to a request from the client 302, the access procedure generation server 306 transmits the latest access procedure stored in the access procedure storage unit 342 to the client 302 (S708). The client 302 receives the access procedure from the access procedure generation server 306, and updates the procedure definition table according to the received access procedure (S710). Thereafter, the client 302 accesses the server 304 according to the access procedure (S712).

  The server 304 determines whether communication is possible based on the procedure definition table (S714). When permitting communication, the server 304 opens a well-known port of the requested application and responds to the client 302 (S716). The steps after S714 are the same as in the second embodiment, and the server 304 dynamically assigns a port number to the application and notifies the client 302 of the port number in addition to responding to the client 302 by opening a well-known port. You may make it do.

  Next, a description will be given with reference to FIG. The server 304 periodically requests an access procedure from the access procedure generation server 306 (S730). In response to the request from the server 304, the access procedure generation server 306 transmits the latest access procedure stored in the access procedure storage unit 342 to the server 304 (S732). The server 304 receives the access procedure from the access procedure generation server 306, and updates the procedure definition table according to the received access procedure (S734).

  On the other hand, in this example, the client 302 refers to the access procedure of the service desired to be used from the procedure definition table without updating the procedure definition table in advance (S736), and accesses the server 304 according to the referenced procedure (S738). . The server 304 determines whether communication is possible based on the procedure definition table 714 (S740).

  In this example, the version of the procedure definition table referred to by the client 302 in S736 and the procedure definition table referred to by the server 304 in S740 are different. Therefore, since the access procedure executed by the client 302 is not defined in the procedure definition table referred to by the server 304, the verification fails and the server determines that communication is not permitted. The server 304 notifies that communication is not permitted (S742). Note that the server 304 does not need to make any response.

  The client 302 receives the communication disapproval notification (or recognizes that there is no response from the server 304), and requests the access procedure generation server 306 for the access procedure of the service to be used (S744).

  In response to a request from the client 302, the access procedure generation server 306 transmits the latest access procedure stored in the access procedure storage unit 342 to the client 302 (S746). The client 302 receives the access procedure from the access procedure generation server 306, and updates the procedure definition table according to the received access procedure (S748). Thereafter, the client 302 accesses the server 304 again according to the updated access procedure (S750). The server 304 determines whether communication is possible based on the procedure definition table (S752). This time, since the version of the procedure definition table referred to by the client 302 in S750 and the procedure definition table referred to by the server 304 in S752 are the same, the verification succeeds and the server 304 permits communication.

  Next, a description will be given with reference to FIG. When the client 302 wishes to communicate with the application of the server 304, it first requests the access procedure generation server 306 for the access procedure of the service to be used (S770). In response to a request from the client 302, the access procedure generation server 306 transmits the latest access procedure stored in the access procedure storage unit 342 to the client 302 (S772). The client 302 receives the access procedure from the access procedure generation server 306, and adds the received access procedure to the procedure definition table (S774). Thereafter, the client 302 accesses the server 304 according to the latest access procedure (S776). The server 304 determines whether communication is possible based on the procedure definition table (S778).

  In this example, even if the server 304 has not updated the procedure definition table or has updated it periodically, the update timing is later than the update in S774 by the client 302. The version of the procedure definition table to be referenced differs from the procedure definition table to which the server 304 refers in S778. For this reason, the server 304 fails to verify the access procedure and determines that communication is not permitted. The server 304 notifies the client 302 that communication is not permitted (S780). Alternatively, the server 304 may not return any response.

  The client 302 receives the notification of communication disapproval (or recognizes that there is no response from the server 304), and recognizes that the procedure definition table of the server 304 is not the latest. Then, the client 302 refers to the access procedure of the previous version stored in the procedure definition table, and accesses the server 304 again according to the referenced access procedure (S782). The server 304 determines whether communication is possible based on the procedure definition table (S784). In this case, since the access was made according to the access procedure of the same version, the server 304 succeeds in collation and permits communication (S784).

  According to the communication system 300 according to the present embodiment, an access procedure that is a basis for determining whether the server 304 permits communication between the application in the server 304 and the client 302 is sequentially updated at a predetermined timing. . Therefore, even if the access procedure is leaked to a third party, access to the server 304 by the leaked access procedure is invalid after a predetermined timing when the access procedure is updated. Therefore, unauthorized access to an application in the server 304 by a third party can be prevented, and security can be improved.

  According to the above embodiments and modifications, higher security can be realized while maintaining compatibility with existing TCP / IP.

  As mentioned above, although preferred embodiment of this invention was described referring an accompanying drawing, it cannot be overemphasized that this invention is not limited to the example which concerns. It will be apparent to those skilled in the art that various changes and modifications can be made within the scope of the claims, and these are naturally within the technical scope of the present invention. Understood.

It is a block diagram which shows the communication system in the 1st Embodiment of this invention. It is explanatory drawing which shows the memory content of the communication information storage part in the embodiment. It is a flowchart which shows the communication method between the server and client in the embodiment. It is a flowchart which shows the communication method between the server and client in the modification of the embodiment. It is a block diagram which shows the communication system in the 2nd Embodiment of this invention. It is explanatory drawing which shows the procedure definition table in the embodiment. It is a flowchart which shows the communication method between the server and client in the embodiment. It is a flowchart which shows the communication method between the server and client in the modification 1 of the embodiment. It is a flowchart which shows the specific example of the communication method in the modification 1 of the embodiment. It is explanatory drawing which shows the procedure definition table in the modification 2 of the embodiment. It is a flowchart which shows the communication method between the server and client in the modification 2 of the embodiment. It is a flowchart which shows the specific example of the communication method in the modification 2 of the embodiment. It is a flowchart which shows the communication method between the server and client in the modification 3 of the embodiment. It is a flowchart which shows the specific example of the communication method in the modification 3 of the embodiment. It is a block diagram which shows the communication system in the 3rd Embodiment of this invention. It is a flowchart which shows the communication method between the server and client in the embodiment. It is a flowchart which shows the communication method between the server and client in the embodiment. It is a flowchart which shows the communication method between the server and client in the embodiment.

Explanation of symbols

100, 200, 300 Communication system 102, 202, 302 Client 104, 204, 304 Server 306 Access procedure generation server 112, 212, 312 Client transmission unit 114, 214 Client reception unit 120, 220 Server reception unit 122, 222 Server transmission unit 124, 224 Server-side port number assigning unit 126, 226 Client-side port number specifying unit 128, 228 Communication information storage unit 216 Client procedure definition table storage unit 230 Communication availability determination unit 232 Server procedure definition table storage unit 234 Communication start unit 340 Access Procedure generation unit 342 Access procedure storage unit 318 Client access procedure update unit 336 Server access procedure update unit

Claims (15)

In a communication system comprising a server comprising one or more application programs and a client communicating with the application programs using a TCP / IP protocol:
The server
A server receiver that receives a program identifier that uniquely identifies one of the one or more application programs from the client;
A server-side port number assigning unit that dynamically assigns a port number to the application program specified by the program identifier received by the server receiving unit;
A server transmission unit that transmits the port number assigned by the server-side port number assigning unit as a server-side port number to the client;
With
The client
A client transmitter that transmits the program identifier of the application program to be communicated to the server;
A client receiver that receives the server-side port number from the server;
With
The communication system, wherein the client communicates with the application program of the server using the server-side port number received by the client receiving unit. The server
A client-side port number designating unit that designates the client-side port number when the application program to which the port number is assigned communicates with the client;
2. The communication system according to claim 1, wherein the server transmission unit transmits the port number designated by the client-side port number designation unit to the client as a client-side port number. In a communication system comprising a server comprising one or more application programs and a client communicating with the application programs using a TCP / IP protocol:
The server
A procedure definition table defining a procedure for accessing the application program;
A communication enable / disable determining unit that determines whether to permit communication between the application program and the client based on the access procedure set in the procedure definition table;
A communication start unit for causing the application program designated by the client to start communication with the client when communication is permitted by the communication permission determination unit;
A communication system comprising: The server
A server-side port number assigning unit that dynamically assigns a port number to the application program;
A server transmission unit that transmits the port number assigned by the server-side port number assigning unit as a server-side port number to the client;
Further comprising
The communication start unit, when communication is permitted by the communication permission determination unit, causes the server-side port number assigning unit to assign a port number to the application program designated by the client, and The communication system according to claim 3, wherein the port number is transmitted to the client. The server further includes a server reception unit that receives a program identifier that uniquely identifies one of the one or more application programs from the client,
The communication start unit, when communication is permitted by the communication permission determination unit, causes the server reception unit to receive the program identifier from the client, and determines the application program specified by the received program identifier. 5. The communication system according to claim 3, wherein the communication program is an application program designated by the client. In the procedure definition table, different access procedures are defined for each of the one or more application programs.
The communication start unit specifies the application designated by the client in accordance with the access procedure executed by the client permitted to communicate with the application by the communication availability determination unit. The communication system according to claim 3 or 4. In the procedure definition table, a different access procedure is defined for each of the one or more application programs, and for each usage mode of the application.
The communication start unit specifies the application specified by the client and the usage mode in accordance with the access procedure executed by the client permitted to communicate with the application by the communication availability determination unit. The communication system according to claim 3 or 4, characterized by the above.   The usage mode includes one or both of an authentication method of the client executed by the application program and a network type to which the client can connect via the application program. 8. The communication system according to 7.   The communication according to any one of claims 3 to 8, wherein the access procedure is a combination of a port number received by the server from the client and a reception order of the port numbers. system. The server is
The communication system according to any one of claims 3 to 9, further comprising an access procedure updating unit that updates the access procedure defined in the procedure definition table at a predetermined timing. An access procedure generation server for generating the access procedure at a predetermined timing and storing the generated access procedure in an access procedure storage unit;
The access procedure update unit of the server acquires the access procedure from the access procedure generation server at the predetermined timing, and updates the procedure definition table according to the acquired access procedure. Item 11. The communication system according to Item 10. In a server that includes one or more application programs and controls communication between the application programs and clients using a TCP / IP protocol:
A procedure definition table defining a procedure for accessing the application program;
A communication enable / disable determining unit that determines whether to permit communication between the application program and the client based on the access procedure set in the procedure definition table;
A communication start unit for causing the application program designated by the client to start communication with the client when communication is permitted by the communication permission determination unit;
A server comprising: Computer
Comprising at least one application program, controlling communication between the application program and the client by TCP / IP protocol;
A communication availability determination unit that determines whether to allow communication between the application program and the client based on a procedure for accessing the application program, which is defined in a procedure definition table;
A communication start unit for causing the application program designated by the client to start communication with the client when communication is permitted by the communication permission determination unit;
A computer program for causing a computer to function as a server. In a communication method executed by a server including one or more application programs and a client that communicates with the application programs using a TCP / IP protocol:
The client sending a program identifier uniquely identifying the application program with which it wishes to communicate;
The server receiving the program identifier from the client;
The server dynamically assigning a port number to the application program specified by the received program identifier;
The server sending the assigned port number to the client;
The client receiving the port number from the server;
And the client communicates with the application program of the server using the port number received from the server. In a communication method executed by a server including one or more application programs and a client that communicates with the application programs using a TCP / IP protocol:
Determining whether or not the server permits communication between the application program and the client based on a procedure for accessing the application program defined in a procedure definition table;
When the server permits communication between the application program and the client, causing the application program designated by the client to start communication with the client;
A communication method, comprising:

Images