JP2011019125A - Communication controller, communication control method and communication control program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To reduce a burden on a manager for network connection management and to prevent the waste of resources and unauthorized access.SOLUTION: When a virtual network interface for connecting a client apparatus and an internal network to which the client apparatus should belong, is not present within a VLAN (Virtual LAN) interface being set at present, an RAS (Remote Access Service) gateway dynamically sets the VLAN interface. Further, the RAS gateway monitors the situation of utilizing the set VLAN interface and erases an interface that no client terminal utilizes.

Description

  The present invention relates to a communication control device, a communication control method, and a communication control program.

  In recent years, many techniques for network access in which a predetermined network or computer is accessed from another network via a VLAN (Virtual LAN) or the like have been proposed.

  For example, regarding the network access described above, there is a technology called dynamic VLAN (see Non-Patent Document 1). In this dynamic VLAN technology, “MAC address” and “VLAN ID” are registered in a database called VMPS (VLAN Membership Policy Server), and when a host is connected, the switch automatically assigns the VLAN. It is.

  A technology using RADIUS (Remote Authentication Dial In User Service) as a technology for dynamically allocating remote access users accessing from an external network using a VPN to a specific VLAN or VRF (Virtual Routing and Forwarding) Is also present.

  In this technology using RADIUS, the administrator presets user authentication information, network setting information, and information about the network to which the user belongs in a RADIUS server (database) regarding the internal network that the user uses via the VLAN. To do. Further, the administrator performs communication settings for the VLAN such as an interface in advance in the gateway device for remote access that establishes the VLAN with the user terminal.

“Aiming to acquire CISCO CCNA qualification”, [online], [Search May 1, 2009], Internet <URL: http://getciscoccna.seesaa.net/category/589612-1.html>

  However, the above-described technique using RADIUS has the following problems. That is, each time an internal network needs to be added or deleted, the administrator needs to make settings related to the VLAN in the RADIUS server or the remote access gateway device, so network connection management is complicated and burdensome. There is a problem.

  In order to reduce the burden on the administrator, for example, it may be possible to leave a VLAN interface or the like set in the gateway device for remote access. However, the resources of the gateway device for remote access are not only wastefully consumed when communication is not performed, but may also cause unauthorized access.

  The present invention has been made in view of the above, and can reduce a burden on an administrator related to network connection management, and can prevent a waste of resources and unauthorized access, a communication control apparatus, a communication control method, and An object is to provide a communication control program.

  In order to solve the above-described problems and achieve the object, the present invention provides communication that controls communication between a client device that is a transmission source of a remote access request and an internal network that can be connected via a virtual network interface. A control device for identifying a virtual network interface that enables connection between the client device and an internal network to which the client device belongs from an authentication device that authenticates the client device in response to a remote access request If the specific information acquisition means for acquiring specific information and the virtual network interface specified by the specific information acquired by the specific information acquisition means do not exist in the virtual network interface currently being set, the specific information Virtual network associated with information Interface setting means for newly setting a network interface, an internal network connectable via the virtual network interface set by the interface setting means, and communication control means for controlling communication between the client devices It is characterized by that.

  According to the present invention, it is possible to reduce the burden on an administrator regarding network connection management, and to prevent waste of resources and unauthorized access.

FIG. 1 is a diagram for explaining the RAS gateway according to the first embodiment. FIG. 2 is a diagram for explaining the configuration according to the first embodiment. FIG. 3 is a diagram for explaining the client authentication information according to the first embodiment. FIG. 4 is a diagram for explaining the VLAN management information according to the first embodiment. FIG. 5 is a diagram for explaining the switching information according to the first embodiment. FIG. 6 is a diagram for explaining the flow of a new VLAN interface setting process according to the first embodiment. FIG. 7 is a diagram for explaining the flow of erasure processing of the VLAN interface according to the first embodiment. FIG. 8 is a diagram for explaining the VLAN management information according to the second embodiment. FIG. 9 is a diagram for explaining the flow of a new VLAN interface setting process according to the second embodiment. FIG. 10 is a diagram for explaining the flow of the VLAN interface erasing process according to the second embodiment. FIG. 11 is a diagram illustrating a computer that executes a communication control program.

  Hereinafter, an embodiment of a communication control device, a communication control method, and a communication control program according to the present invention will be described in detail with reference to the drawings. In the embodiment described below, an embodiment of a RAS (Remote Access Service) gateway corresponding to the communication control device will be described. In addition, this invention is not limited by the Example demonstrated below.

  In the following first embodiment, the outline and features of the RAS gateway according to the first embodiment, the configuration and processing according to the first embodiment will be described in order, and finally the effects of the first embodiment will be described.

  An outline of the RAS gateway according to the first embodiment is to control communication between a client terminal that is a transmission source of a remote access request and an internal network that can be connected via a VLAN interface.

  In the RAS gateway according to the first embodiment, when the virtual network interface that enables the connection between the client device and the internal network to which the client device belongs does not exist in the VLAN interface that is currently set, It is characterized in that the interface is dynamically set, the usage status of the set VLAN interface is monitored, and the interface without the client terminal being used is deleted.

  The features described above will be specifically described with reference to FIG. FIG. 1 is a diagram for explaining the characteristics of the RAS gateway according to the first embodiment.

  As illustrated in FIG. 1, for example, when the RAS gateway according to the first embodiment receives a connection request (remote access request) from a terminal 1 that is one of client terminals (see (1) in FIG. 1), the terminal 1 The authentication information is acquired from the authentication information, and the authentication request of the terminal 1 is sent to the authentication server together with the acquired authentication information.

  The authentication server has authentication information for authenticating the terminal, a group ID indicating an internal network to which the terminal should belong, network related information of the terminal, etc. in the DB in advance. When receiving the authentication request from the RAS gateway, the authentication server refers to the DB and executes the authentication phase with the terminal 1 to authenticate the terminal 1 (see (2) in FIG. 1). When the authentication server succeeds in authenticating the terminal 1, the authentication server returns an authentication result and a group ID (for example, 40) associated with the internal network to which the terminal 1 belongs to the RAS gateway (see (3) in FIG. 1). ).

  When the RAS gateway receives the authentication result and the group ID from the authentication server, if there is no VLAN interface having an ID that matches the group ID in the currently set VLAN interface, a new VLAN interface is set and the group interface is set. An ID identical to the ID is assigned as a VLAN-ID (for example, VLAN: 40), and a communication path is established with the terminal 1 (see (4) in FIG. 1).

  After the communication path is established, when the communication from the terminal 1 to the VLAN 40 is started (see (5) in FIG. 1), the RAS gateway gives a VLAN-ID (VLAN 40) to the packet addressed to the VLAN 40 received from the terminal 1. Then, transfer to the VLAN switch. The VLAN switch flows the packet received from the RAS gateway to the corresponding network (for example, NW4).

  Further, the RAS gateway deletes an interface that does not have a client terminal in use among the set VLAN interfaces (see (6) in FIG. 1).

  As described above, the RAS gateway according to the first embodiment uses the VLAN interface when the VLAN interface associated with the internal network to which the client terminal belongs does not exist in the VLAN interface that is currently set. Set dynamically. Further, if there is no terminal using the VLAN interface set in response to a request from the client terminal, the VLAN interface is deleted. For this reason, it is possible to reduce the burden on the administrator regarding network connection management, and to prevent waste of resources and unauthorized access.

[Configuration according to Embodiment 1]
FIG. 2 is a diagram for explaining the configuration according to the first embodiment. As shown in the figure, the RAS gateway 200 according to the first embodiment is communicable with the client terminal 100, the authentication server 300, and the VLAN switch 400 via a public telephone network, the Internet, and a WAN (Wide Area Network). It is connected.

  The client terminal 100 communicates with a plurality of internal networks under the control of the RAS gateway 200 using VLAN.

  The authentication server 300 authenticates the client terminal 100 in response to a remote access request from the client device 100, and includes a client authentication information storage unit 310, a communication control I / F unit 320, and an authentication processing unit 330 as shown in FIG. Have.

  The client authentication information storage unit 310 stores client authentication information for authenticating the client terminal 100. For example, as illustrated in FIG. 3, the authentication information, the group ID, and the NW related information are stored in association with each other.

  The authentication information is information including secret information such as a user ID and password for authenticating the client terminal 100. The group ID is information corresponding to a VLAN for the client terminal 100 to access the internal network using a predetermined user ID. The NW related information is information such as an IP address paid out to the client terminal 100 that has been successfully authenticated. FIG. 3 is a diagram for explaining the client authentication information according to the first embodiment.

  The authentication server 300 accepts settings such as authentication information (user ID), group ID, and IP address for setting the VLAN interface from the administrator according to the addition or deletion of the internal network, and the client authentication information storage unit 310. To remember.

  The communication control I / F unit 320 controls communication related to the exchange of various data performed between the client terminal 100 and the RAS gateway 200.

  Upon receiving an authentication request for the client terminal 100 from the RAS gateway 200, the authentication processing unit 330 acquires authentication information from the client authentication information storage unit 310, and executes an authentication phase with the client terminal 100 to be authenticated. Thus, the authentication process of the client terminal 100 is performed.

  When the authentication processing unit 330 succeeds in authenticating the client terminal 100, the authentication processing unit 330 and the authentication result indicating that the authentication is successful, and network related information (the group corresponding to the VLAN for the client terminal 100 to access the internal network). ID, IP address for the client terminal 100 to perform communication, etc.) are returned to the RAS gateway 200. On the other hand, when the client terminal 100 is not successfully authenticated, only the authentication result indicating that the authentication has failed is returned to the RAS gateway 200.

  The RAS gateway device 200 dynamically sets the VLAN interface associated with the internal network according to the addition or deletion of the internal network based on the information indicating the VLAN interface such as the group ID received from the authentication server 300. The remote access of the client terminal 100 is controlled. The RAS gateway 200 includes a communication control I / F unit 210, a storage unit 220, and a control unit 230, as shown in FIG.

  The communication control I / F unit 210 controls communication related to the exchange of various data performed between the client terminal 100, the authentication server 300, and the VLAN switch 400.

  The storage unit 220 stores data, programs, and the like necessary for various processes performed by the control unit 230, and particularly includes a VLAN management information storage unit 221 for managing the currently set VLAN interface.

  As shown in FIG. 4, the VLAN management information storage unit 221 associates a VLAN-ID (I / F), a user ID, an IP address, and a communication path ID and stores them as VLAN management information. The VLAN-ID (I / F) is assigned with the same value as the group ID as information for specifying the VLAN interface. The user ID is an ID used by the client terminal 100 during remote access to the internal network. The IP address is an IP address issued from the authentication server 300. The communication path ID is an ID for identifying a communication path such as VPN established with the client terminal 100. FIG. 4 is a diagram for explaining the VLAN management information according to the first embodiment.

  The control unit 230 has an internal memory for storing a predetermined control program, a program defining various processing procedures, and necessary data, and executes various processes for dynamically setting the VLAN interface. The control unit 230 particularly includes a connection control unit 231, a VLAN control unit 232, and a communication control unit 233.

  Upon receiving a connection request (remote access request) from the client terminal 100, the connection control unit 231 requests authentication information from the client terminal 100. Then, the connection control unit 231 acquires authentication information from the client terminal 100 and sends an authentication request of the client terminal 100 to the authentication server 300 together with the acquired authentication information.

  When the VLAN control unit 232 receives the authentication result and group ID for the client terminal 100 that is the transmission source of the remote access request from the authentication server 300, the VLAN control unit 232 refers to the VLAN management information stored in the VLAN management information storage unit 221. Then, it is determined whether or not there is a VLAN interface having an ID that matches the group ID among the currently set VLAN interfaces.

  As a result of the determination, if there is no VLAN interface having an ID that matches the group ID in the currently set VLAN interface, a new VLAN interface is set, and the same ID as the group ID is assigned as the VLAN-ID. Register in the VLAN management information storage unit 221. On the other hand, if there is a VLAN interface with an ID that matches the group ID among the currently set VLAN interfaces, the VLAN interface is used as a VLAN interface that is used by the client terminal 100 that is the transmission source of the remote access request.

  In addition, the VLAN control unit 232 monitors the VLAN management information storage unit 221 and deletes the interface that does not have the client terminal 100 being used among the set VLAN interfaces.

  When the VLAN control unit 232 completes the setting of the VLAN interface, the communication control unit 233 sends the authentication result and the IP address to the client terminal 100 that is the transmission source of the remote access request, and establishes a communication path with the client terminal 100. Establish.

  After establishing the communication path, the communication control unit 233 takes a state in which data (packet) transfer from the client terminal 100 can be started, and starts managing terminal information. When managing terminal information, the IP address (or user ID) issued from the authentication server 300 to the client terminal 100 and the communication path ID of the communication path established with the client terminal are newly set. This is performed by registering in the VLAN management information storage unit 221 in association with the VLAN-ID.

  After accepting data (packet) from the client terminal 100 after taking a state where data (packet) transfer can be started, the communication control unit 233 sets the VLAN tag of the data (packet) from the client terminal 100 to VLAN. -Assign ID and transfer to VLAN switch 400.

  The VLAN switch 400 flows data (packets) from the RAS gateway 200 to the corresponding internal network. As illustrated in FIG. 2, the VLAN switch 400 includes a communication control unit 410 and a switching information storage unit 420.

  As shown in FIG. 5, the switching information storage unit 420 associates the VLAN-ID with the network ID for identifying the port of the switch to which the internal network is assigned, and stores it as switching information. FIG. 5 is a diagram for explaining the switching information according to the first embodiment.

  When receiving the data (packet) from the RAS gateway 200, the communication control unit 410 refers to the switching information storage unit 420 and transfers the data (packet) to the internal network corresponding to the VLAN-ID assigned to the data (packet). Shed.

[Processing according to Example 1]
Subsequently, a processing flow according to the first embodiment will be described with reference to FIGS. 6 and 7.

[New VLAN interface setting process]
FIG. 6 is a diagram for explaining the flow of a new VLAN interface setting process according to the first embodiment. As shown in the figure, the client terminal 100 sends a remote access request to the RAS gateway 200 (step S1). When sending a remote access request, the client apparatus 100 can use a protocol such as L2TP (Layer 2 Tunneling Protocol), IPsec (Security Architecture for Internet Protocol), or PPP (Point to Point Protocol).

  When receiving a remote access request from the client terminal 100, the RAS gateway 200 requests authentication information from the client terminal 100 (step S2). When receiving a request for authentication information from the RAS gateway 200, the client terminal 100 sends the authentication information to the RAS gateway 200 (step S3).

  When acquiring the authentication information from the client terminal 100, the RAS gateway 200 sends an authentication request of the client terminal 100 together with the acquired authentication information to the authentication server 300 (step S4).

  When the authentication server 300 receives an authentication request for the client terminal 100 from the RAS gateway 200, the authentication server 300 acquires the authentication information from the client authentication information storage unit 310 and executes an authentication phase with the client terminal 100 to be authenticated. Then, the authentication process of the client terminal 100 is performed (step S5). Note that the authentication server 300 executes an authentication phase by transmitting and receiving information to and from the client terminal 100 using a protocol such as CHAP (Challenge Handshake Authentication Protocol) or TLS (Transport Layer Security).

  Then, the authentication server 300 determines the authentication result of the client terminal 100 (step S6). If the authentication is successful, the authentication result indicating that the authentication is successful and the network related information (the client terminal 100 belongs) The group ID associated with the internal network to be communicated, the IP address for the client terminal 100 to perform communication, etc.) are returned to the RAS gateway 200 (step S7).

  When the RAS gateway 200 receives the authentication result and network related information for the client terminal 100 that is the transmission source of the remote access request from the authentication server 300, the RAS gateway 200 refers to the VLAN management information stored in the VLAN management information storage unit 221. If there is no VLAN interface having an ID that matches the group ID received as the network-related information in the currently set VLAN interface, a new VLAN interface is set (step S8). Then, the RAS gateway 200 assigns the same ID as the group ID as a VLAN-ID and registers it in the VLAN management information storage unit 221.

  When the VLAN interface setting by the VLAN control unit 232 is completed, the RAS gateway 200 sends the authentication result and the IP address to the client terminal 100 that is the transmission source of the remote access request (step S9), and between the client terminal 100 A communication path is established (step S10). When establishing communication with the client terminal 100, the RAS gateway 200, for example, a protocol such as L2TP (Layer 2 Tunneling Protocol), IPsec (Security Architecture for Internet Protocol), PPP (Point to Point Protocol), or the like. Can be used.

  After establishing the communication path, the communication control unit 233 enters a state where data (packet) transfer from the client terminal 100 can be started, and starts managing terminal information (step S11).

  The client terminal 100 starts communication with the VLAN (remote access to the internal network) (step S12).

[Erase processing of VLAN interface]
FIG. 7 is a diagram for explaining the flow of erasure processing of the VLAN interface according to the first embodiment. As shown in the figure, when the communication path is disconnected by the client terminal 100 or the RAS gateway 200 (step S1), a terminal disconnection notification is sent from the RAS gateway 200 to the authentication server 300 (step S2).

  When receiving the terminal disconnection notification from the RAS gateway 200, the authentication server 300 returns a terminal disconnection notification response to the RAS gateway 200 (step S3).

  When receiving a terminal disconnection notification response from the authentication server 300, the RAS gateway 200 deletes the corresponding VLAN interface if all the terminals using the VLAN are disconnected (step S4).

[Effects of Example 1]
As described above, the administrator performs setting only in the authentication server 300 according to addition or deletion of the internal network. Furthermore, if there is no VLAN interface whose ID matches the group ID associated with the internal network to which the client terminal 100 belongs in the currently set VLAN interface, the RAS gateway 200 creates a new VLAN interface. Is dynamically set, and the same value as the group ID is assigned as VLAN-ID. Further, the RAS gateway 200 deletes the interface that does not use the client terminal among the set VLAN interfaces.

  For this reason, it is possible to reduce the burden on the administrator regarding network connection management, and to prevent waste of resources and unauthorized access.

  In the first embodiment, the embodiment in which the same value as the group ID associated with the internal network to which the client terminal 100 should belong is used as the VLAN-ID. However, the present invention is not limited to this. Absent. For example, each time a new VLAN interface is set, a new VLAN-ID may be generated and associated with the group ID.

[Configuration according to Embodiment 2]
FIG. 8 is a diagram for explaining the VLAN management information according to the second embodiment. The configuration according to the second embodiment is basically the same as that of the first embodiment, but differs in the points described below. As shown in the figure, the RAS gateway 200 further stores a group ID in association with a VLAN-ID (I / F), a user ID, an IP address, and a communication path ID.

  When the VLAN control unit 232 receives the authentication result and group ID for the client terminal 100 that is the transmission source of the remote access request from the authentication server 300, the VLAN control unit 232 refers to the VLAN management information stored in the VLAN management information storage unit 221. Then, it is determined whether there is a VLAN interface associated with the group ID received from the authentication server 300 among the currently set VLAN interfaces.

  As a result of the determination, if there is no VLAN interface associated with the group ID received from the authentication server 300 among the currently set VLAN interfaces, a new VLAN interface is set and assigned to the new VLAN interface. The correspondence relationship between the VLAN-ID and the group ID is registered in the VLAN management information storage unit 221.

  After setting the new VLAN interface, the VLAN control unit 232 transmits a VLAN interface generation notification including the correspondence between the VLAN-ID and the group ID of the new VLAN interface to the VLAN switch 400.

  Further, the VLAN control unit 232 monitors the VLAN management information storage unit 221 and deletes an interface without the client terminal 100 being used, and then sends a VLAN deletion notification including the VLAN-ID to the VLAN switch 400. When the VLAN control unit 232 receives a VLAN deletion notification response from the VLAN switch 400, the VLAN control unit 232 receives the response and completes the VLAN deletion.

  When receiving the VLAN interface generation notification response from the VLAN switch 400, the communication control unit 233 sends the authentication result and the IP address to the client terminal 100 that is the transmission source of the remote access request, and communicates with the client terminal 100. Establish.

  When the VLAN switch 400 receives a VLAN interface generation notification including the correspondence between the VLAN-ID and the group ID of the new VLAN interface from the RAS gateway 200, the VLAN switch 400 displays the correspondence between the VLAN-ID and the group ID. Register with. After the registration is completed, the VLAN switch 400 sends a VLAN interface generation notification response to the RAS gateway 200.

  When the VLAN switch 400 receives a VLAN deletion notification including the VLAN-ID from the RAS gateway 200, the VLAN switch 400 deletes the corresponding relationship between the VLAN-ID and the group ID from the switching information storage unit 420. Then, the VLAN switch 400 sends a VLAN deletion notification response to the RAS gateway 200.

[Processing according to Example 2]
Subsequently, a flow of processing according to the second embodiment will be described with reference to FIGS. 9 and 10.

  FIG. 9 is a diagram for explaining the flow of a new VLAN interface setting process according to the second embodiment. In the new VLAN interface setting process according to the second embodiment, the processes from step S8 to step S13 shown in FIG. 9 are different from the process described in the first embodiment (see FIG. 6).

  That is, as illustrated in FIG. 9, when the RAS gateway 200 receives an authentication result and network-related information for the client terminal 100 that is a transmission source of the remote access request from the authentication server 300, the RAS gateway 200 is stored in the VLAN management information storage unit 221. With reference to the VLAN management information, it is determined whether there is a VLAN interface associated with the group ID received from the authentication server 300 among the currently set VLAN interfaces.

  As a result of the determination, if there is no VLAN interface associated with the group ID received from the authentication server 300 in the currently set VLAN interface, the RAS gateway 200 sets a new VLAN interface (step S8). ). Then, the correspondence between the VLAN-ID assigned to the new VLAN interface and the group ID is registered in the VLAN management information storage unit 221.

  After setting the new VLAN interface, the RAS gateway 200 transmits a VLAN interface generation notification including the correspondence between the VLAN-ID of the new VLAN interface and the group ID to the VLAN switch 400 (step S9).

  When the VLAN switch 400 receives a VLAN interface generation notification including the correspondence between the VLAN-ID and the group ID of the new VLAN interface from the RAS gateway 200, the VLAN switch 400 displays the correspondence between the VLAN-ID and the group ID. And create or reserve use of the VLAN (step S10). Then, after the registration is completed, the VLAN switch 400 sends a VLAN interface generation notification response to the RAS gateway 200 (step S11).

  When receiving the VLAN interface generation notification response from the VLAN switch 400, the RAS gateway 200 sends the authentication result and the IP address to the client terminal 100 that is the transmission source of the remote access request (step S12), and between the client terminal 100 and the client terminal 100. Is established (step S13).

[Erase processing of VLAN interface]
FIG. 10 is a diagram for explaining the flow of the VLAN interface erasing process according to the second embodiment. In the new VLAN interface erasing process according to the second embodiment, the process from step S5 to step S7 shown in FIG. 10 is different from the process described in the first embodiment (see FIG. 7).

  That is, as shown in FIG. 10, the RAS gateway 200 monitors the VLAN management information storage unit 221 and deletes an interface without the client terminal 100 being used (step S4), and then includes a VLAN including the VLAN-ID. Is sent to the VLAN switch 400 (step S5).

  When the VLAN switch 400 receives a VLAN deletion notification including the VLAN-ID from the RAS gateway 200, the VLAN switch 400 deletes the corresponding relationship between the VLAN-ID and the group ID from the switching information storage unit 420, and deletes or stops using the VLAN. (Step S6). Then, the VLAN switch 400 sends a VLAN deletion notification response to the RAS gateway 200 (step S7).

  When the RAS gateway 200 receives a VLAN deletion notification response from the VLAN switch 400, the RAS gateway 200 completes the VLAN deletion with this response reception.

  As described above, according to the second embodiment, a VLAN-ID to be assigned to a new VLAN interface can be assigned a value different from the group ID. The burden on the administrator regarding connection management can be reduced, and resource waste and unauthorized access can be prevented.

  In the first and second embodiments described above, the case of using a VLAN-ID or a VLAN switch has been described. However, the present invention is not limited to this. For example, by adopting VRF (Virtual Routing and Forwarding) technology, using a VRF name instead of VLAN-ID and using a VRF device instead of a VLAN switch, the same processing as in the first and second embodiments described above can be performed. realizable.

  Hereinafter, Example 3 will be described as another embodiment of the communication control device, the communication control method, and the communication control program according to the present invention.

(1) Device Configuration, etc. Each component of the RAS gateway 200 shown in FIG. 2 is functionally conceptual and does not necessarily need to be physically configured as illustrated. That is, the specific form of distribution / integration of the RAS gateway 200 is not limited to the illustrated one, and for example, the VLAN control unit 232 and the communication control unit 233 are integrated. As described above, all or a part of the RAS gateway 200 can be configured to be functionally or physically distributed / integrated in an arbitrary unit according to various loads or usage conditions.

  Furthermore, each processing function (for example, see FIGS. 6, 7, 9, 10 and the like) performed in the RAS gateway 200 is entirely or arbitrarily part of the CPU and a program that is analyzed and executed by the CPU. It can be realized or can be realized as hardware by wired logic.

(2) Communication processing program Various processes of the RAS gateway 200 described in the above embodiment (see, for example, FIGS. 6, 7, 9, 10 and the like) are programs prepared in advance, such as personal computers and workstations. It can implement | achieve by running with a computer system. In the following, an example of a computer that executes a communication control program having the same function as that of the above embodiment will be described with reference to FIG. FIG. 11 is a diagram illustrating a computer that executes a communication control program.

  As shown in the figure, a computer 500 as the RAS gateway 200 is configured by connecting a communication control unit 510, an HDD 520, a RAM 530, and a CPU 540 via a bus 600.

  Here, the communication control unit 510 controls communication related to the exchange of various information. The HDD 520 stores information necessary for the CPU 540 to execute various processes. The RAM 530 temporarily stores various information. The CPU 540 executes various arithmetic processes.

  As shown in FIG. 11, the HDD 520 stores in advance a communication control program 521 that exhibits the same function as each processing unit of the RAS gateway 200 shown in the above embodiment, and communication control data 522. ing. Note that the communication control program 521 can be appropriately distributed and stored in a storage unit of another computer that is communicably connected via a network.

  The CPU 540 reads out the communication control program 521 from the HDD 520 and expands it in the RAM 530, so that the communication control program 521 functions as a communication control process 531 as shown in FIG. That is, the communication control process 531 reads out the communication control data 522 and the like from the HDD 520, expands them in the area allocated to itself in the RAM 530, and executes various processes based on the expanded data and the like.

  Note that the communication control process 531 corresponds to processing executed in the control unit 230 (connection control unit 231, VLAN control unit 232, communication control unit 233, etc.) of the RAS gateway 200 shown in FIG.

  The communication control program 521 is not necessarily stored in the HDD 520 from the beginning. For example, a flexible disk (FD), a CD-ROM, a DVD disk, a magneto-optical disk, and an IC inserted into the computer 500 are not necessary. Each program is stored in a “portable physical medium” such as a card, and “another computer (or server)” connected to the computer 500 via a public line, the Internet, a LAN, a WAN, or the like. The computer 500 may read out and execute each program from these.

(3) Communication Control Method The following communication control method is realized by the RAS gateway 200 described in the above embodiment.

  That is, a communication control method for controlling communication between a client device that is a source of a remote access request and an internal network that can be connected via a virtual network interface, and authenticates the client device in response to the remote access request A specific information acquisition step of acquiring specific information for specifying a virtual network interface that enables connection between the client device and the internal network to which the client device should belong, from the authentication device (for example, step S7 in FIG. 6). If the virtual network interface specified by the specific information acquired in the specific information acquisition step does not exist in the virtual network interface currently being set up, the virtual network interface is newly associated with the specific information. An interface setting step to be set in (see, for example, step S8 in FIG. 6), a communication control for controlling communication between the internal network connectable via the virtual network interface set in the interface setting step and the client device And a communication control method including steps (see, for example, steps S9 to S12 in FIG. 6).

  As described above, the communication control device, the communication control method, and the communication control program according to the present invention perform communication between a client terminal that is a transmission source of a remote access request and an internal network that can be connected via a VLAN interface. Useful when controlling. In particular, the communication control device, the communication control method, and the communication control program according to the present invention are suitable for reducing the burden on the administrator regarding network connection management and preventing waste of resources and unauthorized access.

DESCRIPTION OF SYMBOLS 100 Client apparatus 200 RAS gateway 210 Communication control I / F part 220 Storage part 221 VLAN management information storage part 230 Control part 231 Connection control part 232 VLAN control part 233 Communication control part 300 Authentication server 310 Client authentication information storage part 320 Communication control I / F unit 330 Authentication processing unit 400 VLAN switch 410 Communication control unit 420 Switching information storage unit 500 Computer 510 Communication control unit 520 HDD (Hard Disk Drive)
521 Communication control program 522 Communication control data 530 RAM (Random Access Memory)
531 Communication Control Process 540 CPU (Central Processing Unit)

Claims (7)

A communication control device that controls communication between a client device that is a source of a remote access request and an internal network that can be connected via a virtual network interface,
Specification for acquiring specific information for specifying a virtual network interface that enables connection between the client device and an internal network to which the client device belongs, from an authentication device that authenticates the client device in response to a remote access request Information acquisition means;
If the virtual network interface specified by the specific information acquired by the specific information acquisition means does not exist in the virtual network interface currently being set, a new virtual network interface is set in association with the specific information Interface setting means to
A communication control apparatus comprising: an internal network connectable via a virtual network interface set by the interface setting means; and communication control means for controlling communication between the client apparatuses. ID management means for managing an interface ID for identifying a virtual network interface that is currently being set,
If the interface ID that matches the specific information does not exist in the interface ID managed by the management unit, the interface setting unit newly sets and sets a virtual network interface in association with the specific information. The communication control apparatus according to claim 1, wherein an interface ID that matches the specific information is registered in the management unit as information for specifying the virtual network interface. A correspondence relationship managing means for managing a correspondence relationship between the identification information and an interface ID for identifying the virtual network interface currently being set;
When the interface ID specified by the specific information acquired by the specific information acquisition unit does not exist in the correspondence managed by the management unit, the interface setting unit associates the virtual ID with the specific information. 2. The communication control according to claim 1, wherein a network interface is newly set, and a correspondence relationship between an interface ID newly given to the newly set virtual network interface and the specific information is registered in the management unit. apparatus. The ID management means manages the information of the client terminal that is using the virtual network interface corresponding to the interface ID in association with the interface ID for specifying the virtual network interface currently being set,
Deleting means for deleting information corresponding to the client terminal whose access has been disconnected from the information of the client terminal managed by the ID management means;
3. The interface setting erasing unit for erasing a setting of a virtual network interface that is not used by the client terminal with reference to information on the client terminal managed by the ID management unit. The communication control device described. The correspondence management means manages information of a client terminal that is using a virtual network interface corresponding to the interface ID in association with an interface ID for specifying a virtual network interface that is currently being set,
Deleting means for deleting information corresponding to the client terminal whose access has been disconnected from the information of the client terminal managed by the correspondence management means;
4. An interface setting deleting unit that deletes a setting of a virtual network interface that is not used by the client terminal with reference to information on the client terminal managed by the correspondence management unit. The communication control device according to 1. A communication control method for controlling communication between a client device that is a source of a remote access request and an internal network connectable via a virtual network interface,
Specification for acquiring specific information for specifying a virtual network interface that enables connection between the client device and an internal network to which the client device belongs, from an authentication device that authenticates the client device in response to a remote access request An information acquisition step;
If the virtual network interface specified by the specific information acquired in the specific information acquisition step does not exist in the virtual network interface that is currently being set, a virtual network interface is newly set in association with the specific information. An interface configuration step;
A communication control method comprising: an internal network connectable via the virtual network interface set by the interface setting step; and a communication control step for controlling communication between the client devices. A communication control program for causing a computer to execute processing for controlling communication between a client device that is a transmission source of a remote access request and an internal network connectable via a virtual network interface,
Specification for acquiring specific information for specifying a virtual network interface that enables connection between the client device and an internal network to which the client device belongs, from an authentication device that authenticates the client device in response to a remote access request Information acquisition procedure;
If the virtual network interface specified by the specific information acquired by the specific information acquisition procedure does not exist in the virtual network interface currently being set, a virtual network interface is newly set in association with the specific information. Interface setting procedure,
A communication control program causing a computer to execute an internal network connectable via a virtual network interface set by the interface setting procedure and a communication control procedure for controlling communication between the client devices.

Images