JP2009100226A - Communication guidance device, communication control server device, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To increase availability by not installing a resident program in a client terminal upon guidance of communication, and by reducing a load of a server which causes rate-limiting. <P>SOLUTION: A communication guidance device 100 detects an ARP request which occurs within a network 300, guides communication by returning a false ARP response to a source of the ARP request when a communication guidance has not been executed to a source IP address of the ARP request, and then returns a DNS response indicating an IP address of a guidance destination server device 800 to the DNS request guided by the false ARP response to guide the communication. Then, by an end notification of the guide destination server device 800, the guidance of the communication is released. In such a guidance of the communication, a resident program is not installed in a client terminal 100. Also, a communication control server device 600 does not exist in a communication between the client terminal 100 and the guidance destination server device 800. Accordingly, the problem can be solved. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a communication guiding device, a communication control server device, and a program, and does not install a resident program in a client terminal when guiding communication, and can reduce the load on a rate-limiting server and improve availability. The present invention relates to a communication control server device and a program.

  Conventionally, as a method for inducing communication, a first method of acquiring communication in-line and transferring the communication using a network address translation (NAT) or a proxy, and a resident program for inducing communication are installed on the client. Thus, a second method is known in which a resident program determines where to communicate and performs communication.

  According to the first method, since it is necessary to always access a server specified by NAT, proxy, or the like, it takes time and effort to perform setting for specifying the server on the client side. Further, since these servers always pass through, there is a disadvantage that communication is rate-limited by the processing capability on the server side and a high load is applied to the server. Further, since communication is stopped due to a server failure, there is a disadvantage that the availability is low.

  According to the second method, since the resident program is installed in the client terminal, there are inconveniences that it takes time and it is necessary to manage the resident program. Also, depending on the client environment, there may be a disadvantage that the guidance process by the resident program does not operate due to interference with the filtering process.

As a technique related to the present application, a technique for restricting unauthorized access from a personal computer (PC) on a network using ARP (address resolution protocol) is known (see, for example, Patent Document 1). . However, unlike the first and second methods described above, the technique described in Patent Document 1 cannot guide access from a correct user to a specific page.
JP 2004-185498 A

  As described above, the method for inducing communication has the disadvantage of installing a resident program in the client terminal. In addition, there are inconvenience that it takes time and effort to specify the server on the client side, inconvenience that the load of the server that is the rate limiting of communication is high, and inconvenience that the availability is low.

  The present invention has been made in consideration of the above-mentioned circumstances, and at the time of inducing communication, the installation of the resident program and other settings are not performed on the client terminal, and the load on the rate-limiting server can be reduced and the availability can be improved. An object is to provide a communication guiding device, a communication control server device, and a program.

  A first invention is a communication guidance device for guiding communication of a client terminal to a guidance destination server device via a communication control server device before communicating with an access target server device to be accessed by the client terminal. Communication-committed terminal information indicating a client terminal to which communication has been guided, communication control server apparatus information indicating an IP address of the communication control server apparatus, and communication between the client terminal and the destination server apparatus is permitted. Storage means storing the transfer condition information for transfer, and an ARP request generated in the network is detected, and the source IP address of the ARP request is registered in the communication induced terminal information in the storage means If the result of determination by the registration determination means and the registration determination means is not already registered, the MAC address of its own device Means for returning to the source of the ARP request at a timing when a fake ARP response indicating no response is received after the regular ARP response, and the domain name of the access target server device from the DNS request derived by the fake ARP response And a client terminal specifying information indicating the transmission source of the DNS request, a response request including the extracted domain name and client terminal specifying information is generated, and the response request is transmitted to the communication control server in the storage unit. A means for transmitting based on device information and response information from the communication control server device are received, and a DNS response indicating the IP address of the destination server device included in the response information is transmitted to the source of the DNS request. Match the transfer condition information in the storage means based on the means and the source and destination of the received packet A transfer determination means for determining whether or not, a result of determination by the transfer determination means, if the packet does not match, the packet is discarded, and if it matches, the packet is transferred to the destination of the packet; It is a communication guidance device provided with.

  According to a second aspect of the present invention, there is provided a communication control server device for guiding communication of a client terminal to a guidance destination server device by a communication guidance device before communicating with an access target server device to be accessed by the client terminal. Client terminal specifying information indicating a client terminal that has already communicated with the guidance destination server device, guidance destination server device information indicating an IP address of the guidance destination server device, execution status information of communication with the guidance destination server device, And a table storage unit that stores a terminal state management table that associates the registration date and time information with each other, a first condition that communication with the destination server device has been executed within a predetermined time, and when the first condition is not satisfied, Policy information storage for storing policy information including a second condition for inducing communication to the destination server device A device information storage means for storing communication guidance device information indicating an IP address of the communication guidance server device, and guidance destination server information indicating an IP address of the guidance destination server device, and a domain name of the access target server device When the response request including the DNS request indicating client terminal and client terminal specifying information is received from the communication guiding device, the answer request is divided into a DNS request and client terminal specifying information, and the terminal is based on the divided client terminal specifying information. Means for searching the state management table, means for sending the IP address of the destination server device based on a second condition in the policy information when there is no corresponding executed state information as a result of the search, and The DNS response indicating the IP address of the destination server device that has been sent is shaped into response information, and the response information Based on the transmission source IP address of the termination notification received from the guidance destination server device, the guidance destination server device information in the device information storage unit is retrieved, and the termination notification A registration determination unit that determines whether or not a transmission source IP address is registered in the guidance destination server device information; a unit that sends out an end notification if registered as a result of the determination by the registration determination unit; Based on the sent end notification, the client terminal specifying information is written into the terminal status management table in the table storage means after the client terminal specifying information, the destination server device information, the executed status information, and the registration date / time information are written. Based on the transmitted client terminal identification information, the terminal status management table is searched, and the corresponding client is identified. Ant terminal identification information, guidance destination server device information, executed status information, and registration date / time information, and based on the transmitted client terminal identification information, guidance destination server device information, executed status information, and registration date / time information A policy information determination unit that determines whether or not the policy information in the policy information storage unit is satisfied, and a communication that targets the client terminal identification information when the determination result by the policy information determination unit satisfies the policy information Means for transmitting a guidance release command to the communication guidance device based on the communication guidance device information in the device information storage means.

  Although the first and second inventions are expressed as “devices”, the present invention is not limited thereto, and may be expressed as “methods”, “programs”, or “computer-readable storage media”.

(Function)
In the first invention, the communication guiding device detects an ARP request generated in the network, and returns a false ARP response to the ARP request source if the source IP address of the ARP request has not been induced. Then, in response to the DNS request guided by the fake ARP response, a DNS response indicating the IP address of the destination server device is returned to guide the communication.

  In addition, in the second invention, when the communication control server device has no corresponding executed state information for the DNS request and the reply request including the client terminal specifying information received from the communication guiding device, the guiding server device A DNS response indicating the IP address is returned as reply information to the communication guiding device, and a communication guidance release command is transmitted to the communication guiding device based on the end notification received from the guiding server device.

  According to the first and second inventions as described above, the resident program is not installed in the client terminal and the setting is not changed when the communication is induced. In addition, the communication control server device does not intervene in the communication between the client terminal and the guidance destination server device after returning the DNS response indicating the IP address of the guidance destination server device, so that the load on the rate limiting server is reduced. And improve availability.

  As described above, according to the present invention, it is possible to reduce the load of the rate-limiting server and improve the availability without performing installation of the resident program and other settings on the client terminal when inducing communication.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. Each of the following devices can be implemented for each device with either a hardware configuration or a combination configuration of hardware resources and software. As the software of the combined configuration, a program that is installed in advance on a computer of a corresponding device from a network or a storage medium and that realizes the function of the corresponding device is used.

(First embodiment)
FIG. 1 is a schematic diagram showing the configuration of a communication system according to the first embodiment of the present invention. In this communication system, a communication guiding device 100 and a client terminal 200 are connected to an external network 500 via a network 300 and a default gateway device 400. A communication control server device 600, an access target server device 700, a guidance destination server device 800, and a DNS (domain name system) server device 900 are connected to the external network 500.

  Here, the communication guiding device 100 includes a storage device 110, an ARP request processing unit 120, a transfer unit 130, a DNS request processing unit 140, an inter-server communication control unit 150, and a communication guidance opening unit 160, as shown in FIG. ing.

  The storage device 110 is a storage device that can be read / written from each unit 120 to 160, and stores communication-guided terminal information 111, communication control server device information 112, and transfer condition information 113. Note that the storage device 110 is not limited to a single storage device, and may be implemented so as to share the information 111 to 113 as a plurality of storage devices.

  The communication-guided terminal information 111 is information indicating a client terminal that has been communication-guided by the communication-guiding device 100, and the implementation form is not limited. For example, as shown in FIG. 3, the list may be a combination of an IP (internet protocol) address and a MAC (media access control) address of a client terminal that has undergone communication guidance.

  The communication control server device information 112 is information for connecting to the communication control server device 600, and includes, for example, the IP address and communication port of the communication control server device 600 as shown in FIG.

  The transfer condition information 113 is information for permitting transfer by the transfer unit 130, and includes, for example, an IP address, a communication port, and a TCP / UDP type of communication that permit transfer as shown in FIG. Specifically, for example, the IP address and port between the two parties, and whether the communication type is TCP or UDP are stored as the transfer condition information. In this example, a TCP communication with an IP address of 172.24.30.2 or 172.24.30.50 permits transfer. In addition, the IP address of 172.24.30.100 that is UDP-communication using the 54th port permits transfer. In this example, transfer to the communication control server device 600, the guidance destination server device 800, and the DNS server device 900 is permitted.

  The ARP request processing unit 120 detects an ARP request generated in the network 300 and determines whether or not the transmission source IP address of the ARP request is registered in the communication guided terminal information 111 in the storage device 110. If not registered, instead of communication to the default gateway device 400, a function for generating a fake ARP response for causing the communication guiding device 100 to communicate, and a fake ARP response than the ARP response of the default gateway device 400. And a function of returning to the client terminal 200 at a timing such that it is received later.

  The transfer unit 130 detects the DNS request guided by the fake ARP response, sends the DNS request to the DNS request processing unit 140, and based on the transmission source and destination of the received packet in the storage device 110. The transfer condition information 113 is determined, and if not, the packet is discarded, and if it matches, the packet is transferred. The DNS request can be detected from the communication protocol and connection port of the request packet, for example.

  The DNS request processing unit 140 extracts the domain name of the access target server device 700 and the client terminal specifying information from the DNS request received from the transfer unit 130, and the domain name of the access target server device 700, the client terminal specifying information, Is provided to the inter-server communication control unit 150, and the DNS response received from the inter-server communication control unit 150 is shaped and returned to the client terminal 200. The client terminal identification information may be, for example, a MAC address, an IP address in the case of a fixed IP, token information passed in advance, or information such as a certificate, but here it is an IP address.

  The inter-server communication control unit 150 generates a response request including the domain name of the access target server device 700 received from the DNS request processing unit 140 and the client terminal identification information, and stores the response request in the storage device 110. It has a function of transmitting to the communication control server apparatus 600 based on the communication control server apparatus information 112 and a function of transmitting a DNS response in the answer information received from the communication control server apparatus 600 to the DNS request processing unit 140.

  The communication guidance release unit 160 executes processing for releasing the communication guidance of the client terminal 200 based on the communication guidance release command received from the communication control server device 600 by the inter-server communication control unit 150. Note that the word “open” may be read as “cancel” or “end”. The word “guidance” may be read as “control”.

  The client terminal 200 is a normal computer terminal operated by a user, and is connected to the network 300.

  The network 300 is a network in which the client terminal 200 and the communication guiding apparatus 100 are located, and is a network in a broadcast domain from the client terminal 200.

  The default gateway device 400 is a device for connecting both networks 300 and 500.

  The external network 500 is a network to which various server devices 400, 600 to 900 and terminals (not shown) are connected.

  The communication control server device 600 manages the communication guiding device 100 and controls communication of the target client terminal 200 in response to a request from the communication guiding device 100. Specifically, as shown in FIG. 6, the communication control server device 600 includes a storage device 610, an external device communication control unit 620, a policy control unit 630, a DNS request processing unit 640, a terminal state confirmation unit 650, a communication guide. An opening unit 660 and a guidance destination server request processing unit 670 are provided.

  The storage device 610 is a storage device that can be read / written from the respective units 620 to 670, and stores a terminal state management table 611, policy information 612, communication guidance device information 613, and guidance destination server device information 614. Note that the storage device 610 is not limited to a single storage device, and may be implemented as a plurality of storage devices so that the tables 611 and the information 612 to 614 are shared and stored in the storage devices. Good.

  The terminal state management table 611 manages the implementation status of the rules described in the policy of the client terminal 200. For example, as shown in FIG. 7, the client terminal specifying information and the source IP address (server information) Guide destination server device 800), executed state information, and registration date information are stored in association with each other. The “server information” in the terminal information management table 611 corresponds to “guidance destination server device information” when the transmission source IP address indicates the guidance destination server device 800, and the transmission source IP address is the access target server device. In the case of 700, it corresponds to “access target server device information”. That is, the “server information” in the terminal information management table 611 corresponds to server device information corresponding to the transmission source IP address.

  The policy information 612 includes a determination condition as to whether or not the communication from the client terminal 200 is guided to the guidance destination server device 800. For example, as shown in FIG. 8, the policy information 612 indicates that the service on the destination server device 800 of “172.24.30.50” has been executed within 8 hours or “172.24.30.60”. A first condition that a service on a server device (not shown) has been executed within 8 hours, and “172.24.30.50” when the first condition is not satisfied (= when the service is not executed). The second condition of guiding to the guidance destination server device 800 is included. One policy information 612 may be set for each segment or for each individual segment. In the following, it is assumed that one policy information is set for the whole. The condition of “within 8 hours” is an example of “within a predetermined time”, and may be changed to a time of another value or may be omitted.

  The communication guidance device information 613 is an IP address of the communication guidance device 100.

  The guidance destination server device information 614 is the IP address of the guidance destination server device 800.

  The inter-apparatus communication control unit 620 divides the response request received from the communication guiding device 100 into a DNS request and client terminal specifying information and passes it to the policy control unit 630, and the IP address “received from the policy control unit 630“ A DNS response including 172.24.30.50 "is formed into response information, a function of returning this response information to the communication guiding apparatus 100, and a transmission source IP address (guidance) received from the destination server apparatus 800 The destination server device information 614 in the storage device 610 based on the destination server device 800), and a function for confirming whether the source IP address of the end notification is registered in the destination server device information 614; If the IP address is registered, a function for notifying the destination server request processing unit 670 of the completion of processing, and a destination server request processing unit When the determination result received from 70 does not satisfy the policy information, the processing is terminated as it is, and when the policy information is satisfied, the function of passing the client terminal identification information to the communication guidance release unit 660 and the communication guidance release unit 660 And a function of transmitting a communication guidance release command for the client terminal identification information based on the IP address of the communication guidance device 100 (which has the same network 300 as the client terminal identification information). Note that the IP address received by the external device communication control unit 620 from the policy control unit 630 is not limited to the IP address “172.24.30.50” of the guidance destination server device 800, but the IP address “of the access target server device 400” 172.24.30.100 ". This case will be described in detail in the second embodiment.

  The policy control unit 630 is a control unit that operates in response to requests from the inter-apparatus communication control unit 620 and the guidance destination server request processing unit 670. The policy control unit 630 requires client terminal specifying information as input information, May be accompanied. The policy control unit 630 determines the policy information from the input client terminal identification information, determines the degree of policy matching of the terminal, and if it is accompanied by a request for name resolution, In cooperation with the processing unit 640, name resolution is performed and a correct answer is returned. If the names do not match, the IP address of the guidance destination server device described in the policy information 612 is returned.

  Specifically, the policy control unit 630 receives the DNS request and the client terminal specifying information from the external device communication control unit 620, acquires the policy information 612 to be applied to the client terminal 200 from the storage device 610, and In parallel with this acquisition, in order to acquire the state of the client terminal 200, a function of passing client terminal identification information to the terminal state confirmation unit 650, and a response of no executed state information from the terminal state confirmation unit 650, Based on the policy information 612, the function of sending the IP address of the guidance destination server device 800 specified in the policy information 612 to the external device communication control unit 620, and the client terminal specifying information received from the guidance destination server request processing unit 670 To the terminal state confirmation unit 650 and the client received from the terminal state confirmation unit 650 A function for determining whether or not the policy information is satisfied based on the host terminal identification information, the transmission source IP address (guidance destination server device 800), the executed state information, and the registration date and time information, and the DNS request is acquired. Therefore, only the determination result is returned to the guidance destination server request processing unit 670.

  The DNS request processing unit 640 changes the DNS request received from the policy control unit 630 (received from the client terminal 200) to the DNS request format, inquires the DNS server device 900, and the DNS response received from the DNS server device 900. And the function of returning the IP address of the access target server device 700 to the policy control unit 630. The operation of the DNS request processing unit 640 will be described in the second embodiment.

  The terminal state confirmation unit 650 manages the state of the client terminal 200 that has transmitted the DNS request (such as the policy conformity state), and stores in the storage device 610 based on the client terminal identification information received from the policy control unit 630. A function for searching the terminal state management table 611, a function for returning to the policy control unit 630 that there is no executed state information when there is no executed state information related to the client terminal specifying information, and the client terminal specifying information When there is related executed status information, based on the terminal status management table 611, the corresponding client terminal identification information, the source IP address (guidance destination server device 800), the executed status information, and the registration date / time information (written in ST18) Information) to the policy control unit 630.

  Based on the client terminal specifying information received from the inter-apparatus communication control unit 620, the communication guide opening unit 660 searches the communication guide device information 613 in the storage device 610, and sets the IP address of the corresponding communication guide device 100 to the external It has a function of returning to the inter-device communication control unit 620.

  The guidance destination server request processing unit 670 stores the client in the terminal state management table 611 in the storage device 610 based on the processing completion notification received from the inter-apparatus communication control unit 620 (received from the guidance destination server device 800). A function of writing terminal identification information, a source IP address (guidance destination server apparatus 800) as server information, executed state information, and registration date and time information; and a function of passing only client terminal identification information to the policy control unit 630 And a function of returning the determination result received from the policy control unit 630 to the external device communication control unit 620.

  The access target server device 700 is an arbitrary server device that the client wants to access from the client terminal 200.

  The guidance destination server device 800 is a server device that provides a service to a client when the communication guidance device 100 guides the client terminal 200 as described in the policy information. It has a function of transmitting the result and client terminal specifying information for specifying the terminal that provided the service to the communication control server apparatus 600. Any service can be used as long as it involves communication such as http (hypertext transfer protocol), ftp (file transfer protocol), and a service by an application.

  The DNS server device 900 is a domain name server, and upon receiving a DNS request for a domain name, returns a DNS response including an IP address corresponding to the domain name.

  Next, the operation of the communication system configured as described above will be described with reference to the sequence diagram of FIG.

(System prerequisites)
As shown in FIG. 10, the system environment is separated into a network 300 to which the client terminal 200 belongs and an external network 500 to which the access target server device 700 that the client terminal 200 tries to access belongs. An environment in which 500 is connected to a basic LAN (local area network) will be described as an example.

  The network address of the network 300 is 172.24.24.0/24, and the network address of the external network 500 is 172.24.30.0/24.

  The IP address of the client terminal 200 is set to 172.24.24.50, and the MAC address is set to 00: 00: 08: 00: 00: 01.

  The IP address of the default gateway device 400 is set to 172.24.24.254, and the MAC address is set to 00: 00: 09: 00: 00: 01.

  The IP address of the communication control server device 600 is set to 172.24.30.2.

  The IP address of the destination server device 800 is set to 172.24.30.50.

  It is assumed that the address of the access target server device 700 is 172.24.30.100. It is assumed that the access target server device 700 performs an HTTP service.

(System operation trigger)
Consider a situation where the client terminal 200 is opening a Web browser and trying to connect to the access target server device 700. It is assumed that a URL (uniform resource identifier) is input on the Web browser, and DNS-based name information (hereinafter referred to as a domain name) is input in the host designation portion on the URL.

  The client terminal 200 performs name resolution in order to obtain an IP address from the domain name of the access target server device 700. That is, the client terminal 200 connects to the DNS server device 900 specified in advance on the system and requests name resolution. However, the DNS server device 900 exists on a broadcast domain (segment) different from that of the client terminal 200. Therefore, the client terminal 200 first connects to the default gateway device 400 and tries to establish a connection to the DNS server device 900 through the default gateway device 400.

  Here, in order to resolve the Ether address (MAC address) of default gateway device 400, client terminal 200 transmits an ARP request including the IP address of default gateway device 400 by broadcast communication (ST1). Since the ARP request is broadcast communication, not only the default gateway device 400 but also the communication guiding device 100 can be detected.

  The default gateway device 400 detects the ARP request and returns an ARP response to the client terminal 200 (ST2). The ARP response of the default gateway device 400 is a regular ARP response.

  On the other hand, in the communication guiding apparatus 100, the ARP request processing unit 120 that has detected the ARP request determines whether or not the transmission source IP address of the ARP request is registered in the communication guided terminal information 111 in the storage device 110. .

  If not registered, the ARP request processing unit 120 generates a false ARP response for causing the communication guiding apparatus 100 to communicate instead of communicating with the default gateway apparatus 400 in order to prevent this communication.

  Specifically, the ARP request processing unit 120 extracts the source IP address, the MAC address, and the destination IP address from the ARP request. Ignore the destination MAC address. Subsequently, since the ARP request processing unit 120 sets the MAC address corresponding to the IP address of the destination for the transmission source as its own MAC address (the MAC address of the communication guiding device 100 itself), A fake ARP response is generated using the MAC address corresponding to the IP address of the transmission source as its own MAC address (the MAC address of the communication guiding apparatus 100 itself).

  In addition, the ARP request processing unit 120 returns a fake ARP response to the client terminal 200 at a timing received after the ARP response of the default gateway device 400 (ST3).

  In the client terminal 200, the ARP response in step ST2 and the fake ARP response in step ST3 are written in the ARP table, but the ARP table is rewritten to a fake ARP response because the postscript is prioritized.

  Since the communication is interrupted by the fake ARP response, the client terminal 200 misunderstands that the communication guiding device 100 is the default gateway device 400 and transmits a DNS request for the domain name of the access target server device 700 to the communication guiding device 100 ( ST4).

  In the communication guiding apparatus 100, the transfer unit 130 receives this DNS request. The transfer unit 130 detects a DNS request at the initial stage (it may be any time before the transfer), and passes the DNS request packet to the DNS request processing unit 140. The detection method is arbitrary, but may be determined by, for example, “connection to UDP port 53”.

  The DNS request processing unit 140 analyzes this DNS request (ST5), and extracts the domain name of the access target server device 700. Thereafter, the domain name of the access target server device 700 and the client terminal identification information are passed to the inter-server communication control unit 150. The client terminal specifying information has already been agreed with the communication control server device 600, for example, whether it is a MAC address, an IP address in the case of a fixed IP, token information passed in advance, or information such as a certificate. Any information that can recognize an individual terminal may be used.

  The inter-server communication control unit 150 generates a reply request in a predetermined format based on the domain name of the access target server device 700 and the client terminal specifying information. This response request includes a DNS request for the domain name of the access target server device 700 and client terminal specifying information.

  Thereafter, the inter-server communication control unit 150 transmits an answer request to the communication control server device 600 via the transfer unit 130 based on the communication control server device information 112 in the storage device 110 (ST6), and waits for a response. .

  The communication control server device 600 receives this response request at the external device communication control unit 620, divides it into a DNS request and client terminal identification information, and passes them to the policy control unit 630.

  When the policy control unit 630 receives the DNS request and the client terminal specifying information, the policy control unit 630 acquires the policy information 612 to be applied to the client terminal 200 from the storage device 610. In parallel with this, the policy control unit 630 passes the client terminal specifying information to the terminal state confirmation unit 650 in order to acquire the state of the client terminal 200.

  The terminal state confirmation unit 650 searches the terminal state management table 611 in the storage device 610 based on the client terminal identification information. In this case, it is assumed that there is no executed state information related to the client terminal specifying information. Therefore, terminal state confirmation unit 650 returns a response that there is no executed state information to policy control unit 630 (ST7).

  Policy control section 630 generates a DNS response based on this response and policy information 612.

  Here, in the policy information 612, the service on the guidance destination server device 800 of “172.24.30.50” has been executed within 8 hours, or the server device (not shown) of “172.24.30.60” The first condition that the above service has been executed within 8 hours is described. The policy information 612 describes the second condition that when the service is not executed, the service information is guided to the guide destination server device 800 of “172.24.30.50”.

  Accordingly, the policy control unit 630 responds that there is no executed state information (= no service is executed), so the IP address “172.24.30.50 of the guidance destination server device 800 specified in the policy information 612. "As a DNS response to the external device communication control unit 620 (ST8). If it has been executed within 8 hours, as described in the second embodiment, a DNS request is sent to the DNS server device 900, the communication guidance of the client terminal 200 is released, and the DNS response of the DNS server device 900 is released. Is sent to the client terminal 200.

  The external device communication control unit 620 shapes the DNS response received from the policy control unit 630 into response information according to a predetermined format, and returns this response information to the communication guiding device 100 (ST9). If the communication used at this time is TCP, a response is tied to the session. Therefore, it is not always necessary to attach information or a session ID for identifying the terminal received earlier to the response. When UDP or the like is used, processing for attaching such information is necessary.

  When the server-to-server communication control unit 150 receives the response information, it extracts the DNS response in the response information in association with the response request that requested the response information, and sends the response associated with the DNS request to the DNS request processing unit 140. .

  The DNS request processing unit 140 shapes this response into a DNS response and sends it back to the client terminal 200 (ST10).

  The client terminal 200 creates an HTTP request based on the IP address of the guidance destination server device 800 in the DNS response and transmits the request to the guidance destination server device 800. At this time, as with the DNS request, communication to the default gateway device 400 is transmitted to the communication guiding device 100 (ST11).

  The communication guiding apparatus 100 receives the http request at the transfer unit 130. Transfer section 130 looks at the source and destination of the received packet and determines whether it matches transfer condition information 113 in storage device 110 (ST12).

  The transfer unit 130 discards the packet if they do not match, and transfers the packet if they match. In this case, it is assumed that the guide destination server device 800 is designated as the transfer destination and is described in the transfer condition information. The transferred packet passes through the default gateway device 400 and is transmitted to the destination server device 800 of the connection destination.

  Thereafter, the client terminal 200 performs communication with the guidance destination server apparatus 800 and performs predetermined processing with the guidance destination server apparatus 800 (ST13 to ST16).

  When the predetermined process ends, the destination server device 800 transmits a process end notification to the communication control server device 600 (ST17). At this time, the client terminal identification information is included in the processing end notification.

  The communication control server device 600 receives the processing end notification by the external device communication control unit 620. The inter-external device communication control unit 620 searches the guidance destination server device information 614 in the storage device 610 based on the termination notification source IP address (guidance destination server device 800), and the termination notification source IP address. Is registered in the guidance destination server device information 614. If the transmission source IP address is registered, a process end notification is sent to the guidance destination server request processing unit 670.

  In the destination server request processing unit 670, based on the processing end notification, the terminal state management table 611 in the storage device 610 stores the client terminal identification information, the source IP address as the server information (guidance destination server device 800), The executed state information and registration date information are written (ST18). Thereafter, only the client terminal specifying information is passed to the policy control unit 630.

  Policy control unit 630 sends this client terminal identification information to terminal state confirmation unit 650. The terminal status confirmation unit 650 searches the terminal status management table 611 in the storage device 610 based on the client terminal identification information, and executes the corresponding client terminal identification information, the transmission source IP address (guidance destination server apparatus 800), and execution. Completed status information and registration date and time information (information written in ST18) are returned to policy control section 630.

  The policy control unit 630 determines whether or not the policy information is satisfied based on the client terminal specifying information, the transmission source IP address (guidance destination server device 800), the executed state information, and the registration date and time information (ST19).

  Further, since the policy control unit 630 has not received a DNS request from the client terminal 200, the policy control unit 630 returns only the determination result of step ST19 to the guidance destination server request processing unit 670.

  The destination server request processing unit 670 returns the determination result of step ST19 to the external device communication control unit 620 as it is.

  If the determination result in step ST19 does not satisfy the policy information, the external device communication control unit 620 terminates the process as it is, and passes the client terminal specifying information to the communication guide opening unit 660 if the policy information is satisfied.

  Based on the client terminal identification information, the communication guide opening unit 660 searches the communication guide device information 613 in the storage device 610 and returns the IP address of the corresponding communication guide device 100 to the external device communication control unit 620.

  Based on the IP address of the communication guiding device 100, the external device communication control unit 620 transmits a communication guiding release command including the client terminal specifying information to the communication guiding device 100 (ST20).

  The communication guidance device 100 receives the communication guidance release command by the inter-server communication control unit 150. The inter-server communication control unit 150 sends the client terminal specifying information in the communication guidance release command to the communication guidance release unit 160.

  The communication guidance release unit 160 adds terminal information indicating the client terminal 200 to the communication guided terminal information 111 in the storage device 110 and writes the terminal information indicating the client terminal 200 based on the client terminal identification information.

  Thereafter, the communication guide opening unit 160 performs an operation for opening the communication guide to the client terminal 200 (ST21). This is because, for example, in the case of the present embodiment, the ARP table of the client terminal 200 is contaminated with a fake ARP response (MAC address of the communication guiding device 100). MAC address) may be rewritten, and additional software is required. However, a module may be inserted in the client terminal 200 and information generated by communication guidance in the client terminal 200 may be deleted.

  As a result, the client terminal 200 is released from communication guidance and can perform normal communication (ST22, ST23).

  As described above, according to the present embodiment, the communication guiding device 100 detects an ARP request generated in the network 300, and if the transmission source IP address of the ARP request is not already inducted, a false ARP response is sent to the ARP request. In response to the DNS request guided by the fake ARP response, the DNS response indicating the IP address of the destination server device 800 is returned to guide the communication. Thereafter, the guidance of the communication is released by an end notification of the guidance destination server device 800.

  On the other hand, in the communication control server device 600, when there is no corresponding executed state information with respect to the response request including the DNS request and the client terminal specifying information received from the communication guiding device 100, the IP address of the guidance destination server device 800 is set. A DNS response shown is returned as reply information to the communication guiding device, and a communication guidance release command is transmitted to the communication guiding device 100 based on the end notification received from the guidance destination server device 800.

  In such communication guidance, the resident program is not installed in the client terminal 100, and the setting is not changed. In addition, since the communication control server device 600 does not intervene in the communication between the client terminal 100 and the guidance destination server device 800 after returning the DNS response indicating the IP address of the guidance destination server device 800, the rate limiting server Can reduce the load and improve availability.

  In other words, according to the present embodiment, communication can be induced by collecting communication using a communication protocol and dynamically changing a response of a name resolution request generated when the communication occurs. .

  Further, when it is no longer necessary to guide, communication can be bypassed by stopping collection, and even if a device that performs communication control fails, it can be avoided that communication stops.

  Further, according to the present embodiment, HTTP communication interception processing (S54: TCP session from client terminal, S55: communication control device) shown in FIG. 8 of Japanese Patent Application No. 2006-168191 which is an unpublished prior application at the time of filing of the present application It is possible to induce communication without executing complicated processing with high load such as TCP jack by S56, HTTP request from client terminal, and S57: page return for redirection from communication control device.

(Second Embodiment)
Next, a second embodiment of the present invention will be described using the sequence diagram of FIG.
FIG. 11 is a sequence diagram showing a modification of the operation of the first embodiment. That is, in this embodiment, in the communication system described above, when the client terminal 200 satisfies the policy information 612 of the communication control server device 600, the communication guiding device 100 transmits the communication of the client terminal 200 to the communication control server device 600. It relates to the operation when transferred.

  This operation occurs when the client terminal 200 satisfies the policy information 612 but is not written in the communication guided terminal information 111 of the communication guiding apparatus 100.

  In FIG. 11, the operations from step ST1 to ST6 are the same as the operations described in FIG.

  After step ST6, the communication control server device 600 receives the reply request transmitted from the communication guiding device 100 by the external device communication control unit 620, specifies the DNS request for the domain name of the access target server device 700 and the client terminal specification. The information is divided into information and passed to the policy control unit 630. The external device communication control unit 620 holds information on the client terminal 200.

  When the policy control unit 630 receives the DNS request and the client terminal specifying information, the policy control unit 630 acquires the policy information 612 from the storage device 610. In parallel with this, the policy control unit 630 passes the client terminal specifying information to the terminal state confirmation unit 650 in order to acquire the state of the client terminal 200.

  The terminal state confirmation unit 650 searches the terminal state management table 611 in the storage device 610 based on the client terminal identification information. In this case, it is assumed that the client terminal 200 satisfies the policy information 612. Therefore, the terminal state confirmation unit 650, based on the terminal state management table 611, includes the corresponding client terminal identification information, the transmission source IP address (guidance destination server device 800), the executed state information, and the registration date / time information (written in ST18). Information) is returned to the policy control unit 630 (ST31).

  The policy control unit 630 determines whether or not the policy information is satisfied based on the client terminal specifying information, the transmission source IP address (guidance destination server device 800), the executed state information, and the registration date and time information (ST32).

  If the policy information 612 is satisfied, the policy control unit 630 passes the DNS request received from the client terminal 200 to the DNS request processing unit 640 (ST32).

  The DNS request processing unit 640 changes the received DNS request to the DNS request format, and makes an inquiry to the DNS server apparatus 900 (ST33).

  In response to the DNS request for the domain name of the access target server device 700, the DNS server device 900 returns a correct DNS response including the IP address “172.24.30.100” of the access target server device 700 (ST34).

  The DNS request processing unit 640 returns the IP address of the access target server device 700 in the DNS response to the policy control unit 630.

  The policy control unit 630 returns the determination result of step ST32 and the IP address of the access target server device 700 to the external device communication control unit 620.

  When the determination result in step ST32 satisfies the policy information 612, the external device communication control unit 620 passes the client terminal specifying information to the communication guide opening unit 660.

  Based on the client terminal identification information, the communication guide opening unit 660 searches the communication guide device information 613 in the storage device 610 and returns the IP address of the corresponding communication guide device 100 to the external device communication control unit 620.

  Based on the IP address of this communication guiding device 100, the external device communication control unit 620 transmits a communication guidance opening command for the client terminal identification information (ST35).

  The communication guidance device 100 receives the communication guidance release command by the inter-server communication control unit 150. The inter-server communication control unit 150 sends the client terminal specifying information in the communication guidance release command to the communication guidance release unit 160.

  In the communication guidance release unit 160, the terminal information of the client terminal 200 is added and written to the communication guidance terminal information 111 in the storage device 110 based on the client terminal identification information. Thereafter, the communication guide opening unit 160 performs an operation for opening the communication guide to the client terminal 200 (ST36). Steps ST35 to ST36 are the same processes as steps ST20 to ST21 described above.

  After step ST36, the external device communication control unit 620 shapes the IP address of the access target server device 700 in the DNS response received in step ST34 into reply information according to a predetermined format, and sends this reply information to the communication guiding apparatus 100. Reply (ST37).

  The inter-server communication control unit 150 sends the IP address of the access target server device 700 included in the answer information to the DNS request processing unit 140.

  The DNS request processing unit 140 shapes the IP address of the access target server device 700 as a DNS response and transmits it to the client terminal 200 (ST38). The client terminal 200 can receive a service by transmitting an HTTP request to the access target server apparatus 700 based on the IP address of the access target server apparatus 700 in the DNS response (ST39).

  As described above, according to the present embodiment, in addition to the effects of the first embodiment, the client terminal 200 is written in the communication guided terminal information 111 of the communication guiding apparatus 100 even though the client terminal 200 satisfies the policy information 612. Even if the communication guiding apparatus 100 transfers the communication of the client terminal 200 to the communication control server apparatus 600, the communication control server apparatus 600 confirms that the client terminal 200 satisfies the policy information 612 and communicates. Communication guidance by the guidance device 100 can be released.

  Note that the method described in the above embodiment includes a magnetic disk (floppy (registered trademark) disk, hard disk, etc.), an optical disk (CD-ROM, DVD, etc.), a magneto-optical disk (MO) as programs that can be executed by a computer. ), And can be distributed in a storage medium such as a semiconductor memory.

  In addition, as long as the storage medium can store a program and can be read by a computer, the storage format may be any form.

  In addition, an OS (operating system) running on a computer based on an instruction of a program installed in the computer from a storage medium, MW (middleware) such as database management software, network software, and the like realize the above-described embodiment. A part of each process may be executed.

  Furthermore, the storage medium in the present invention is not limited to a medium independent of a computer, but also includes a storage medium that downloads and stores or temporarily stores a program transmitted via a LAN, the Internet, or the like.

  Further, the number of storage media is not limited to one, and the case where the processing in the above embodiment is executed from a plurality of media is also included in the storage media in the present invention, and the media configuration may be any configuration.

  The computer according to the present invention executes each process in the above-described embodiment based on a program stored in a storage medium, and is a single device such as a personal computer or a system in which a plurality of devices are connected to a network. Any configuration may be used.

  In addition, the computer in the present invention is not limited to a personal computer, but includes an arithmetic processing device, a microcomputer, and the like included in an information processing device, and is a generic term for devices and devices that can realize the functions of the present invention by a program. .

  Note that the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. Moreover, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, you may combine the component covering different embodiment suitably.

It is a schematic diagram which shows the structure of the communication system which concerns on the 1st Embodiment of this invention. It is a schematic diagram which shows the structure of the communication guidance apparatus in the embodiment. It is a schematic diagram for demonstrating the terminal information for communication control in the embodiment. It is a schematic diagram for demonstrating the communication control server apparatus information in the embodiment. It is a schematic diagram for demonstrating the transfer condition information in the embodiment. It is a schematic diagram which shows the structure of the communication control server apparatus in the embodiment. It is a schematic diagram for demonstrating the terminal state management table in the embodiment. It is a schematic diagram for demonstrating the policy information in the same embodiment. It is a sequence diagram for demonstrating the operation | movement in the embodiment. It is a schematic diagram for demonstrating the system environment in the embodiment. It is a sequence diagram for demonstrating operation | movement of the communication system which concerns on the 2nd Embodiment of this invention.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 100 ... Communication guidance apparatus, 110,610 ... Memory | storage device, 111 ... Communication guidance completed terminal information, 112 ... Communication control server apparatus information, 113 ... Transfer condition information, 120 ... ARP request process part, 130 ... Transfer part, 140 ... DNS Request processing unit, 150 ... server communication control unit, 160, 660 ... communication guidance release unit, 200 ... client terminal, 300, 500 ... network, 400 ... default gateway device, 600 ... communication control server device, 611 ... terminal state management Table, 612 ... Policy information, 613 ... Communication guidance device information, 614 ... Guidance destination server device information, 620 ... External device communication control unit, 630 ... Policy control unit, 640 ... DNS request processing unit, 650 ... Terminal status confirmation unit 670 ... Guide destination server request processing unit 700 ... Access target server device 800 ... Guide destination server Server apparatus, 900 ... DNS server device.

Claims (6)

Before communicating with an access target server device to be accessed by a client terminal, a communication guiding device for guiding communication of the client terminal to a guidance destination server device via a communication control server device,
Communication guided terminal information indicating a client terminal that has been guided to communication, communication control server apparatus information indicating an IP address of the communication control server apparatus, and communication between the client terminal and the destination server apparatus is permitted and transferred. Storage means for storing transfer condition information for
A registration determination unit that detects an ARP request generated in the network and determines whether the transmission source IP address of the ARP request has been registered in the communication guided terminal information in the storage unit;
If the result of the determination by the registration determination means is not registered, means for returning a fake ARP response indicating the MAC address of the own device to the transmission source of the ARP request at a timing received after the regular ARP response; ,
Means for extracting the domain name of the access target server device and the client terminal specifying information indicating the transmission source of the DNS request from the DNS request guided by the fake ARP response;
Means for generating a reply request including the retrieved domain name and client terminal identification information, and transmitting the reply request based on communication control server device information in the storage means;
Means for receiving response information from the communication control server device and transmitting a DNS response indicating an IP address of the guidance destination server device included in the response information to a transmission source of the DNS request;
A transfer determination unit that determines whether or not the transfer condition information in the storage unit is matched based on a transmission source and a destination of the received packet;
As a result of the determination by the transfer determination means, if the packet does not match, the packet is discarded, and if it matches, the packet is transferred to the destination of the packet;
A communication guiding device comprising: The communication guiding device according to claim 1,
Upon receiving the communication guidance release command transmitted by the communication control server device that has received the end notification from the guidance destination server device, terminal information indicating the client terminal is obtained based on the client terminal identification information in the communication guidance release command. Means for additionally registering in the communication guided terminal information in the storage means;
Means for releasing the communication guidance by rewriting the MAC address of the own device in the ARP table of the client terminal to the MAC address indicated by the regular ARP response after the additional registration;
A communication guiding device comprising: Before communicating with an access target server device to be accessed by a client terminal, a communication control server device for guiding communication of the client terminal to a guidance destination server device by a communication guidance device,
Client terminal identification information indicating a client terminal that has already communicated with the guidance destination server device, guidance destination server device information indicating an IP address of the guidance destination server device, execution status information of communication with the guidance destination server device, and Table storage means for storing a terminal state management table in which registration date and time information is associated with each other;
Stores policy information including a first condition that communication with the guidance destination server apparatus has been executed within a predetermined time and a second condition that induces communication to the guidance destination server apparatus when the first condition is not satisfied. Policy information storage means for
Device information storage means for storing communication guidance device information indicating an IP address of the communication guidance device and guidance destination server device information indicating an IP address of the guidance destination server device;
When a response request including a DNS request indicating the domain name of the access target server device and client terminal specifying information is received from the communication guiding device, the response request is divided into a DNS request and client terminal specifying information, and the divided client terminals Means for searching the terminal state management table based on the specific information;
As a result of the search, if there is no corresponding executed state information, means for sending the IP address of the destination server device based on the second condition in the policy information;
A DNS response indicating the sent IP address of the destination server device is formed into response information, and the response information is returned to the communication induction device;
Based on the transmission source IP address of the termination notification received from the guidance destination server device, the guidance destination server device information in the device information storage unit is searched, and the transmission source IP address of the termination notification is the guidance destination server device information. Registration determination means for determining whether or not registered in
If the result of determination by the registration determination means is registered, means for sending the end notification;
Based on the sent end notification, the client terminal specifying information is written into the terminal status management table in the table storage means after the client terminal specifying information, the destination server device information, the executed status information, and the registration date / time information are written. Means for sending
Means for searching the terminal status management table based on the transmitted client terminal identification information, and transmitting corresponding client terminal identification information, guidance destination server device information, executed status information and registration date and time information;
Policy information determination means for determining whether or not the policy information in the policy information storage means is satisfied based on the sent client terminal identification information, guidance destination server device information, executed state information, and registration date and time information;
When the determination result by the policy information determination unit satisfies the policy information, a communication guidance release command for the client terminal identification information is transmitted to the communication guidance device based on the communication guidance device information in the device information storage unit. Means,
A communication control server device comprising: A communication that includes a storage unit and a computer that guides the communication of the client terminal to the destination server device via the communication control server device before communicating with the access target server device to be accessed by the client terminal A program used in the communication guidance device for the guidance device,
The communication guiding device;
Communication guided terminal information indicating a client terminal that has been guided to communication, communication control server apparatus information indicating an IP address of the communication control server apparatus, and communication between the client terminal and the destination server apparatus is permitted and transferred. Means for writing transfer condition information to the storage means,
A registration determination unit that detects an ARP request generated in the network and determines whether the transmission source IP address of the ARP request has been registered in the communication guided terminal information in the storage unit;
If the result of determination by the registration determination means is not registered, means for returning a false ARP response indicating the MAC address of the own device to the transmission source of the ARP request at a timing received after the regular ARP response;
Means for extracting the domain name of the access target server device and the client terminal specifying information indicating the source of the DNS request from the DNS request guided by the fake ARP response;
Means for generating an answer request including the extracted domain name and client terminal specifying information, and transmitting the answer request based on communication control server device information in the storage means;
Means for receiving response information from the communication control server device and transmitting a DNS response indicating an IP address of the guidance destination server device included in the response information to a transmission source of the DNS request;
Transfer determination means for determining whether or not the transfer condition information in the storage means is met based on the source and destination of the received packet;
If the result of determination by the transfer determination means does not match, the packet is discarded; if it matches, the packet is transferred to the destination of the packet;
Program to function as. The program according to claim 4, wherein
The communication guiding device;
Upon receiving the communication guidance release command transmitted by the communication control server device that has received the end notification from the guidance destination server device, terminal information indicating the client terminal is obtained based on the client terminal identification information in the communication guidance release command. Means for additionally registering in the communication guided terminal information in the storage means;
Means for releasing the communication guidance by rewriting the MAC address of the own device in the ARP table of the client terminal to the MAC address indicated by the regular ARP response after the additional registration;
As a program to further function as. A computer for guiding communication of the client terminal to the destination server device by the communication guidance device before communicating with the access target server device to be accessed by the client terminal, and a table storage unit, a policy information storage unit, and A program used in the communication control server device for a communication control server device provided with device information storage means,
The communication control server device;
Client terminal identification information indicating a client terminal that has already communicated with the guidance destination server device, guidance destination server device information indicating an IP address of the guidance destination server device, execution status information of communication with the guidance destination server device, and Means for writing a terminal status management table in which registration date information is associated with each other into the table storage means;
Policy information including a first condition that communication with the guide destination server apparatus has been executed within a predetermined time and a second condition that guides communication to the guide destination server apparatus when the first condition is not satisfied. Means for writing to the policy information storage means;
Means for writing communication guidance device information indicating an IP address of the communication guidance device and guidance destination server device information indicating an IP address of the guidance destination server device in the device information storage means;
When a response request including a DNS request indicating the domain name of the access target server device and client terminal specifying information is received from the communication guiding device, the response request is divided into a DNS request and client terminal specifying information, and the divided client terminals Means for searching the terminal state management table based on the specific information;
Means for sending the IP address of the destination server device based on the second condition in the policy information when there is no corresponding executed state information as a result of the search;
Means for shaping a DNS response indicating the IP address of the sent destination server device into reply information and returning the reply information to the communication guidance device;
Based on the transmission source IP address of the termination notification received from the guidance destination server device, the guidance destination server device information in the device information storage unit is searched, and the transmission source IP address of the termination notification is the guidance destination server device information. Registration determination means for determining whether or not it is registered in
If the result of determination by the registration determining means is registered, means for sending the end notice,
Based on the sent end notification, the client terminal specifying information is written into the terminal status management table in the table storage means after the client terminal specifying information, the destination server device information, the executed status information, and the registration date / time information are written. Means for sending
Means for searching the terminal status management table based on the transmitted client terminal identification information, and transmitting corresponding client terminal identification information, guidance destination server device information, executed status information and registration date and time information;
Policy information determination means for determining whether or not the policy information in the policy information storage means is satisfied based on the sent client terminal identification information, guidance destination server device information, executed state information, and registration date and time information,
When the determination result by the policy information determination unit satisfies the policy information, a communication guidance release command for the client terminal identification information is transmitted to the communication guidance device based on the communication guidance device information in the device information storage unit. means,
Program to function as.

Images