JP2013077995A - Vpn system and vpn connection method - Google Patents


Info

Publication number: JP2013077995A
Authority: JP (Japan)
Application number: JP2011216893A
Legal status: Pending (the status shown is Google Patents' assumption, not a legal conclusion)
Other languages: Japanese (ja)
Inventors: Daisuke Yamashita (乃丞 山下), Shinichi Watabe (伸一 渡部), Yoshiki Ishida (芳樹 石田), Junko Ito (純子 伊藤), Teruaki Hata (照明 畑), Kazuhiro Kuwazoe (和浩 桑添), Toru Kakinuma (徹 柿沼)
Original assignee: NTT Data Corp (株式会社エヌ・ティ・ティ・データ)
Prior art keywords: user terminal, vpn, user, unit, request

Abstract

Problem to be solved: To let a user terminal make VPN connections to information servers at a plurality of sites (bases).

Solution: A VPN relay server connected to the plurality of information servers through a first VPN channel connects to a user terminal through a second VPN channel in response to a request from the user terminal, and, in response to a request from the user terminal, transmits to it a connection list associated with the user. On receiving from the user terminal a communication request addressed to an information server included in the connection list, the VPN relay server relays communication between the user terminal and that information server through the first VPN channel and the second VPN channel.

Description

The present invention relates to VPN connection technology.

Information communication networks have spread, and all kinds of information are now exchanged over them. When a user terminal and an information server communicate over a network, secure communication that prevents eavesdropping by third parties can be achieved with, for example, HTTPS (HTTP over SSL/TLS). HTTPS, however, protects only HTTP (Hypertext Transfer Protocol) traffic; communication using other protocols is not secured by it. Connecting sites (bases) such as separate LANs (Local Area Networks) with a VPN (Virtual Private Network) line instead lets communication by any protocol pass securely over the VPN line. Japanese Patent Application Laid-Open No. 2004-133867 describes connecting the networks of a plurality of bases by a VPN line.

JP 2011-166375 A

However, when a single user terminal connects to a plurality of bases over a plurality of VPN lines, each base authenticates the terminal separately. A user terminal that wants to connect to a plurality of bases over VPN lines must therefore manage authentication information such as accounts and passwords, and the communication processing, for each base, and managing the VPN lines on the user terminal becomes complicated. It is therefore desirable that a single user terminal can connect to a plurality of bases over a plurality of VPN lines simply and efficiently.

The present invention has been made in view of these circumstances, and provides a VPN system and a VPN connection method by which a user terminal makes VPN connections to information servers at a plurality of bases.

To solve the above problem, the present invention is a VPN system including a user's user terminal and a VPN relay server connected to the user terminal via a network. The VPN relay server includes: a server communication unit connected to a plurality of information servers via a first VPN line; a connection list storage unit that stores a connection list associating a user with those information servers, among the plurality, that accept connections from that user's user terminal; a user communication unit that connects to the user terminal via a second VPN line in response to a request from the user terminal; a connection list transmission unit that transmits the connection list corresponding to the user to the user terminal in response to a request from the user terminal; and a relay unit that, when it receives from the user terminal a communication request addressed to an information server included in the connection list, relays communication between the user terminal and that information server through the first VPN line and the second VPN line.

Further, in the present invention, the user terminal includes a communication unit that, in response to an input communication request, transmits the communication request to its destination, and a destination conversion unit that, when a communication request addressed to an information server is input to the communication unit, rewrites the destination of the communication request to the VPN relay server and passes the request to the communication unit.

Further, in the present invention, the user terminal includes a process storage unit that stores, in association with each other, process identification information identifying a process running on its own hardware resources and child process identification information identifying a child process of that process. The destination conversion unit determines whether the process that input the communication request to the communication unit is a process started on the basis of the connection list, or a child process of such a process, and, if it determines that it is, rewrites the destination of the communication request to the VPN relay server.

In the present invention, the VPN relay server further includes a first security policy storage unit that stores a security policy associating a user with the operations that, among the processing operations performed by the user terminal, are permitted in response to a request from that user, and a security policy transmission unit that transmits the security policy corresponding to the user to the user terminal in response to a request from the user terminal. The user terminal includes a second security policy storage unit that stores the security policy; a security policy registration unit that requests the security policy from the VPN relay server, receives the security policy transmitted in response, and stores it in the second security policy storage unit; and an operation suppression unit that controls operation of the user terminal on the basis of the security policy stored in the second security policy storage unit.

Further, in the present invention, the security policy associates, for each hardware resource of the user terminal, whether operations on that resource are permitted.

Further, in the present invention, the user terminal includes an installation control unit that reads a control program from a storage medium storing a control program which causes the user terminal to function as at least one of the destination conversion unit and the operation suppression unit, and that constitutes at least one of the destination conversion unit and the operation suppression unit on the basis of the control program.

The present invention is also a VPN connection method for a VPN system comprising a user's user terminal and a VPN relay server that is connected to the user terminal via a network and includes a server communication unit connected to a plurality of information servers via a first VPN line and a connection list storage unit storing a connection list associating a user with those of the plurality of information servers that accept connections from that user's user terminal. The method comprises: the VPN relay server connecting to the user terminal via a second VPN line in response to a request from the user terminal; transmitting the connection list corresponding to the user to the user terminal in response to a request from the user terminal; and, when a communication request addressed to an information server included in the connection list is received from the user terminal, relaying communication between the user terminal and that information server via the first VPN line and the second VPN line.

As described above, according to the present invention, a VPN relay server connected to a plurality of information servers via a first VPN line connects to a user terminal via a second VPN line in response to a request from the user terminal, transmits the connection list corresponding to the user to the user terminal over the second VPN line in response to a request from the user terminal, and, when it receives from the user terminal a communication request addressed to an information server included in the connection list, relays communication between the user terminal and that information server via the first VPN line and the second VPN line. The user terminal can thus make VPN connections to information servers at a plurality of bases.

FIG. 1 is a block diagram showing a configuration example of the VPN system according to an embodiment of the present invention.
FIG. 2 is a diagram showing an example of connection list data according to the embodiment.
FIG. 3 is a diagram showing an example of security policy data according to the embodiment.
FIG. 4 is a diagram showing an example of correspondence data according to the embodiment.
FIG. 5 is a diagram showing an example of process information according to the embodiment.
FIG. 6 is a diagram showing an example of the application menu screen according to the embodiment.
FIG. 7 is a sequence diagram showing an operation example of the VPN system according to the embodiment.
FIG. 8 is a flowchart showing an operation example of the destination conversion process performed by the user terminal according to the embodiment.
FIG. 9 is a flowchart showing an operation example of the operation suppression process performed by the user terminal according to the embodiment.

Hereinafter, an embodiment of the present invention will be described with reference to the drawings.
FIG. 1 is a block diagram illustrating a configuration example of a VPN system 1 according to the present embodiment. The VPN system 1 includes a VPN relay server 10, a user terminal 20, and a plurality of bases 30 (base 30-1, base 30-2, ...) connected to the VPN relay server 10 via VPN lines. Since the bases 30 have the same configuration, the suffixes "-1", "-2" and so on are omitted and they are referred to simply as bases 30 unless they need to be distinguished. Although two bases 30 are shown in the figure, three or more bases 30 may be connected to the VPN relay server 10. Each base 30 has a GW 31 and an information server 32 (information server 32-1, information server 32-2, ...) connected to that GW 31. The information server 32 is a computer device that provides an application via a network; the application provided may differ from server to server, but again the suffixes are omitted and the servers are referred to as information server 32 unless distinguished. Although the figure shows one information server 32 per base, two or more information servers 32 may be connected to the GW 31.

The VPN relay server 10 is a computer device connected to the user terminal 20 via a network, and includes a server communication unit 11, a connection list storage unit 12, a security policy storage unit 13, a user VPN communication unit 14, a user control unit 15, a correspondence relationship storage unit 16, a relay unit 17, and a user communication unit 18.
The server communication unit 11 is connected via VPN lines to a plurality of GWs 31, each of which is connected to an information server 32, and communicates with the information servers 32 via the GWs 31. The GW 31 is a VPN line termination device that connects the base 30 to the VPN relay server 10 over the VPN. The VIP (virtual IP (Internet Protocol) address) of GW 31-1 is "aa.aa.aa.aa", and the VIP of GW 31-2 is "bb.bb.bb.bb". The information server 32 is a computer device that responds to communication requests from the user terminal 20. It may be, for example, a web server that provides an application such as a business application over the network in the manner of SaaS (Software as a Service) or ASP (Application Service Provider), a computer terminal operated by remote desktop, or a computer device that provides an application communicating over SIP (Session Initiation Protocol). The server communication unit 11 maintains a separate VPN line to the GW 31 of each of the plurality of bases 30, and relays communication between the user terminal 20 and the information servers 32.

The connection list storage unit 12 stores a connection list that associates a user of the user terminal 20 with those of the plurality of information servers 32 that accept a connection from that user's user terminal 20. FIG. 2 shows an example of the connection list data stored in the connection list storage unit 12. The connection list stores a user ID (identifier), an application name and a user-terminal-side VIP in association with each other. The user ID identifies a given user. The application name indicates an application that the user terminal 20 authenticated under that user ID is permitted to use. The user-terminal-side VIP is the VIP of the VPN relay server 10 to which the user terminal 20 sends communication requests when using the corresponding application; a different VIP is associated with each information server 32 that provides an application.

The security policy storage unit 13 stores a security policy that associates a user with the operations that, among the processing operations performed by that user's user terminal 20, are permitted in response to a request from the user. FIG. 3 shows an example of the security policy data stored in the security policy storage unit 13. The security policy records, for each processing operation performed by the user terminal 20, whether that operation is permitted: for each user ID, a type of processing operation is associated with a permission flag. In the permission column, "◯" means the processing operation is permitted and "X" means it is not. For example, the user whose user ID is "user A" is permitted to "write to local storage" but not to "write to external storage (removable device)". This embodiment is described using table-format data in which each type of processing operation is associated with its permission, but the policy could instead be stored as a whitelist (a list of permitted processing operations) or a blacklist (a list of prohibited processing operations).

The user communication unit 18 communicates with the user terminal 20. For example, it performs HTTPS communication with the user terminal 20 to exchange information for user authentication, information for setting up VPN communication, and the like.
In response to a request from the user terminal 20, the user VPN communication unit 14 establishes a VPN line between the user terminal 20 and itself and communicates over that VPN line. The user VPN communication unit 14 also publishes to the user terminal 20 a different VIP for each application provided by the information servers 32 ("xx.xx.xx.xx", "yy.yy.yy.yy", "zz.zz.zz.zz", ...) and communicates on those VIPs.

The user control unit 15 communicates with the user terminal 20 via the user communication unit 18 and manages information for each user. For example, the user control unit 15 performs user authentication in response to a request from the user terminal 20. Account information associating a user ID with a password is stored in advance in the storage area of the user control unit 15; if no stored entry matches the user ID and password sent from the user terminal 20, authentication is judged to have failed.

If the user control unit 15 determines that user authentication succeeded, it reads the connection list corresponding to the user ID from the connection list storage unit 12 and transmits it to the user terminal 20 via the user communication unit 18.
Likewise, when authentication succeeds, the user control unit 15 reads the security policy corresponding to the user ID from the security policy storage unit 13 and transmits it to the user terminal 20 via the user communication unit 18.

The correspondence relationship storage unit 16 stores a correspondence relationship that associates each VIP published to the user terminal 20 by the user VPN communication unit 14 with the VIP of the GW 31 to which it corresponds. FIG. 4 shows an example of the correspondence data stored in the correspondence storage unit 16: for example, the VIP "xx.xx.xx.xx" published to the user terminal 20 corresponds to "aa.aa.aa.aa", the VIP of GW 31-1.

When the relay unit 17 receives from the user terminal 20 a communication request addressed to an information server 32 included in the connection list, it relays communication between the user terminal 20 and that information server 32 over the VPN line to the user terminal 20 and the VPN line to the corresponding base 30. For example, when the user VPN communication unit 14 receives a communication request whose destination is the user-terminal-side VIP "xx.xx.xx.xx", the VPN relay server 10 looks up in the correspondence storage unit 16 the GW VIP "aa.aa.aa.aa" that corresponds to "xx.xx.xx.xx", rewrites the destination of the communication request to it, and transmits the request to GW 31-1.

Returning to FIG. 1, the user terminal 20 includes a process storage unit 21, a security policy storage unit 22, a connection list storage unit 23, an OS kernel 24, a communication unit 25, a VPN application control unit 26, a destination conversion unit 27, an application control unit 28, and an operation suppression unit 29, and a card reader 40 is connected to it. One user terminal 20 is shown and described here, but a plurality of user terminals 20 may be connected to the VPN relay server 10. The user terminal 20 has a display device such as a monitor and input devices such as a keyboard and a mouse.

The process storage unit 21 stores process identification information identifying a process running on the hardware resources of the user terminal 20 in association with child process identification information identifying a child process of that process. FIG. 5 shows an example of the process information stored in the process storage unit 21: a process name identifying an application, its process ID, and the child process IDs of processes started from that process are stored in association with each other. For convenience of explanation the process information is shown here in table form, but it need not actually be stored as a table; it is sufficient that the relationship between a process and its child processes can be obtained from the process management function of the OS (operating system) running the user terminal 20.

The security policy storage unit 22 stores a security policy transmitted from the VPN relay server 10 and corresponding to the user of the user terminal 20.
The connection list storage unit 23 stores a connection list corresponding to the user of the user terminal 20 transmitted from the VPN relay server 10.

The OS kernel 24 is a control unit that controls the processing operation of each unit included in the user terminal 20. When a processing operation is performed in the user terminal 20, an operation request is input to the OS kernel 24, and each part of the hardware is operated by the OS kernel 24.
The communication unit 25 communicates with the VPN relay server 10. For example, in response to a communication request input from the OS kernel 24, the communication unit 25 transmits a communication request to the destination of the communication request.

The VPN application control unit 26 controls the communication performed with the information servers 32 via the VPN relay server 10. For example, based on information read from an IC card by the card reader 40, the VPN application control unit 26 determines whether the card was issued in advance to a user who is registered to use the VPN relay server 10. The VPN application control unit 26 then accepts input of a user ID and password for connecting to the VPN relay server 10, and transmits an authentication request containing them to the VPN relay server 10. When the VPN relay server 10 determines that authentication succeeded, the VPN application control unit 26 requests the security policy and connection list from the VPN relay server 10, receives the security policy and connection list sent in response, and stores the security policy in the security policy storage unit 22 and the connection list in the connection list storage unit 23.

The VPN application control unit 26 also displays the connection list stored in the connection list storage unit 23 on the display unit of the user terminal 20. FIG. 6 shows an example of the connection list screen displayed on the display unit of the user terminal 20; because each connection destination in the connection list corresponds to an application, the screen is presented as an "application menu". When one of the displayed applications is selected, the VPN application control unit 26 inputs to the OS kernel 24 a communication request addressed to the information server 32 corresponding to that application. When the communication request has been sent to the information server 32 and a connection established, a process for operating the selected application is started on the user terminal 20. If that process is, for example, an Internet browser communicating with an information server 32 that is a web server, the links contained in the HTML (HyperText Markup Language) pages shown in the browser point at the IP address of the information server 32. Because that IP address is an address inside the base 30, a communication request sent with it as the destination would not reach the information server 32. The destination conversion unit 27 therefore converts the destination.

The destination conversion unit 27 monitors communication requests input to the OS kernel 24. When a communication request addressed to an information server 32 is input to the OS kernel 24, the destination conversion unit 27 reads the corresponding user-terminal-side VIP from the connection list stored in the connection list storage unit 23, rewrites the destination of the communication request to that user-terminal-side VIP of the VPN relay server 10, and passes the request to the communication unit 25.
In doing so, the destination conversion unit 27 determines whether the process that input the communication request to the OS kernel 24 is a process started on the basis of the connection list, or a child process of such a process, and rewrites the destination to the user-terminal-side VIP of the VPN relay server 10 only when it determines that it is.

The application control unit 28 controls operation of the user terminal 20 on the basis of the application programs stored in the storage area of the user terminal 20, for example a word-processing program and a spreadsheet program.
The operation suppression unit 29 controls operation of the user terminal 20 on the basis of the security policy stored in the security policy storage unit 22. For example, the operation suppression unit 29 monitors operation requests input to the OS kernel 24 and, when one is input, compares it against the security policy stored in the security policy storage unit 22; if the request is not permitted, the operation request is discarded and the operation is not performed. This prevents information used over the VPN line from remaining in the storage area of the user terminal 20, so that the user terminal 20 can be used as a thin client terminal.
The card reader 40 reads the information stored on an IC card.

Next, an operation example of the VPN system 1 according to the present embodiment is described with reference to the drawings. FIG. 7 is a sequence diagram illustrating an example in which the user terminal 20 communicates with the information server 32-1.
When the user holds the IC card near the card reader 40, the card reader 40 reads the information stored on the card. Based on that information, the VPN application control unit 26 determines whether the IC card was issued in advance to a user of the VPN relay server 10; if it determines that it was not, processing ends.

If the VPN application control unit 26 determines that the IC card was issued in advance to a user of the VPN relay server 10, it accepts input of a user ID and password and transmits an authentication request containing them to the VPN relay server 10 (step S1). When the user communication unit 18 of the VPN relay server 10 receives the authentication request, the user control unit 15 performs authentication processing in response to it. If the user control unit 15 determines that authentication failed, processing ends with an error. If it determines that authentication succeeded, the user VPN communication unit 14 establishes a VPN line with the user terminal 20 (step S2).

The user control unit 15 of the VPN relay server 10 reads the connection list stored in the connection list storage unit 12 and the security policy stored in the security policy storage unit 13 in association with the authenticated user ID, and transmits them to the user terminal 20 via the user communication unit 18 (step S3). The VPN application control unit 26 stores the received connection list in the connection list storage unit 23 and the received security policy in the security policy storage unit 22.

The VPN application control unit 26 of the user terminal 20 reads the connection list from the connection list storage unit 23, displays an application selection screen on the display unit, and accepts the selection of an application (step S4). It then transmits to the VPN relay server 10 a communication request addressed to the information server 32 corresponding to the selected application (step S5). On receiving the communication request from the user terminal 20, the relay unit 17 of the VPN relay server 10 reads from the correspondence storage unit 16 the VIP of the GW 31 corresponding to that information server 32 (step S6) and transmits the communication request with that VIP as its destination (step S7). On receiving the communication request, the information server 32 transmits a response (step S8). The VPN relay server 10 forwards the response from the information server 32 to the user terminal 20 that sent the request via the user VPN communication unit 14, and thereafter relays communication between the user terminal 20 and the information server 32 over the VPN lines (step S9).

The VPN connection between the server communication unit 11 of the VPN relay server 10 and the GW 31 of the base 30 has been described as established in advance, but the embodiment is not limited to this. For example, when the VPN relay server 10 receives the communication request from the user terminal 20 to the information server 32 in step S5, it may check whether a VPN connection exists to the GW 31 of the information server 32 concerned and, if none exists, establish one before communicating with the information server 32.
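The relay server's control path in steps S1 to S9 (authentication, issuing the per-user connection list, and mapping a user-terminal-side VIP to a GW VIP) can be modelled as follows. This is an added example, not code from the patent or from NTT Data: every user ID, password, application name and address is constructed sample data, and storing passwords as salted PBKDF2 digests is an assumption, since the patent only says a user ID and password are stored in association. The point it adds to the description is that the relay unit must check the caller's own connection list before consulting the correspondence table; the correspondence table alone maps every published VIP to a GW, so without that check any authenticated user could reach any base by addressing another user's VIP.

```python
"""Model of the relay server's control path in FIG. 7 (steps S1 to S9).

Added example, not code from the patent or from NTT Data. All user IDs,
passwords, application names and addresses are constructed sample data,
and the salted-hash storage of passwords is an assumption: the patent only
says that a user ID and a password are stored in association.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

_DUMMY_SALT = b"\x00" * 16


def _derive(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-SHA256 instead of a cleartext password table.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes


@dataclass
class RelayServer:
    accounts: dict = field(default_factory=dict)         # user control unit 15
    connection_list: dict = field(default_factory=dict)  # unit 12: user ID -> {app: user-terminal-side VIP}
    correspondence: dict = field(default_factory=dict)   # unit 16: user-terminal-side VIP -> GW VIP
    sessions: dict = field(default_factory=dict)         # second VPN line: token -> user ID

    def add_account(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user_id] = Account(salt, _derive(password, salt))

    def authenticate(self, user_id: str, password: str):
        """Steps S1/S2: verify the credentials; return a session token or None."""
        acct = self.accounts.get(user_id)
        if acct is None:
            _derive(password, _DUMMY_SALT)  # same cost for unknown users
            return None
        if not hmac.compare_digest(acct.digest, _derive(password, acct.salt)):
            return None
        token = os.urandom(16).hex()
        self.sessions[token] = user_id
        return token

    def connection_list_for(self, token: str) -> dict:
        """Step S3: only an authenticated session gets its own connection list."""
        user_id = self.sessions.get(token)
        if user_id is None:
            raise PermissionError("no session")
        return dict(self.connection_list.get(user_id, {}))

    def relay(self, token: str, dst_vip: str):
        """Steps S5 to S7: map the user-terminal-side VIP to the GW VIP.

        The check against the caller's own connection list is the important
        part: the correspondence table alone would let any authenticated user
        reach any base by addressing another user's user-terminal-side VIP.
        Returns the GW VIP, or None if this user is not permitted that VIP.
        """
        user_id = self.sessions.get(token)
        if user_id is None:
            raise PermissionError("no session")
        allowed = self.connection_list.get(user_id, {}).values()
        if dst_vip not in allowed:
            return None
        return self.correspondence[dst_vip]


def build_demo() -> RelayServer:
    """Constructed data modelled on FIG. 2 and FIG. 4."""
    srv = RelayServer()
    srv.add_account("userA", "pw-a")
    srv.add_account("userB", "pw-b")
    srv.connection_list = {
        "userA": {"app1": "xx.xx.xx.xx", "app2": "yy.yy.yy.yy"},
        "userB": {"app3": "zz.zz.zz.zz"},
    }
    srv.correspondence = {
        "xx.xx.xx.xx": "aa.aa.aa.aa",  # app1 behind GW 31-1
        "yy.yy.yy.yy": "bb.bb.bb.bb",  # app2 behind GW 31-2
        "zz.zz.zz.zz": "bb.bb.bb.bb",  # app3 also behind GW 31-2
    }
    return srv


if __name__ == "__main__":
    srv = build_demo()
    tok = srv.authenticate("userA", "pw-a")
    print(srv.connection_list_for(tok))
    print(srv.relay(tok, "xx.xx.xx.xx"), srv.relay(tok, "zz.zz.zz.zz"))
```

In the demo, user A's session relays "xx.xx.xx.xx" to GW 31-1 but gets None for "zz.zz.zz.zz", which only user B's connection list contains, even though the correspondence table knows where that VIP leads.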

Next, an operation example of the destination conversion process performed by the destination conversion unit 27 of the user terminal 20 is described with reference to FIG. 8.
The destination conversion unit 27 monitors requests input to the OS kernel 24 (step S10). If the operation request input to the OS kernel 24 is not a communication request (step S11: NO), processing ends. If it is a communication request (step S11: YES), the destination conversion unit 27 determines whether the process ID of the process that issued the communication request belongs to a process started by the VPN application control unit 26 (step S12).

If the destination conversion unit 27 determines that the requesting process was not started by the VPN application control unit 26 (step S12: NO), processing proceeds to step S14. If it determines that the requesting process was started by the VPN application control unit 26 (step S12: YES), it rewrites the IP address of the information server 32 that is the destination of the communication request to the corresponding user-terminal-side VIP of the VPN relay server 10 found in the connection list stored in the connection list storage unit 23 (step S13). The OS kernel 24 then passes the communication request to the communication unit 25 (step S14).
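The decision in steps S12 and S13, together with the parent/child lookup described for the process storage unit 21, can be written as a walk up the process tree. This is an added example, not code from the patent: the process table, the launch registry and the connection list are constructed sample data, the pid -> ppid table stands in for the OS process management function the patent relies on, and comparing the recorded start time is an addition that the patent does not describe. It guards against the failure mode a practitioner would raise here: process IDs are reused, so a registry of launched PIDs alone would eventually match an unrelated program and route its traffic into the VPN.

```python
"""Destination conversion on the user terminal (FIG. 8, steps S10 to S14).

Added example, not code from the patent. The process table, the launch
registry and the connection list are constructed sample data. The patent
obtains the parent/child relation from the OS process management function;
here it is a plain pid -> ppid table. Using the start time to detect a
reused PID is an addition the patent does not describe.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    start: int  # assumption: monotonic start timestamp reported by the OS


def is_menu_lineage(procs: dict, pid: int, launched: dict, max_depth: int = 64) -> bool:
    """Step S12: True if pid is a process started from the application menu
    (recorded in `launched` as pid -> start time) or a descendant of one.

    The start time must match, because a PID can be reused by an unrelated
    program after the menu-launched process exits. max_depth bounds the walk
    in case the table is inconsistent.
    """
    cur = pid
    for _ in range(max_depth):
        p = procs.get(cur)
        if p is None:
            return False
        if cur in launched and launched[cur] == p.start:
            return True
        if p.ppid == cur or p.ppid not in procs:
            return False  # reached init or an orphan without a match
        cur = p.ppid
    return False


def convert_destination(procs, launched, connection_list, pid, dst_ip):
    """Steps S12 to S14: rewrite the destination only for menu-lineage processes.

    connection_list maps an information server IP (inside the base) to the
    user-terminal-side VIP of the VPN relay server.
    """
    if not is_menu_lineage(procs, pid, launched):
        return dst_ip                              # S12: NO -> S14, unchanged
    return connection_list.get(dst_ip, dst_ip)     # S13 rewrite; unknown IPs pass through


def demo_tables():
    """Constructed process tree: init(1) -> vpnapp(100) -> browser(200) -> helper(201),
    an unrelated mailer(300), and PID 250, which was reused by another program
    after the menu-launched process with that PID exited."""
    procs = {
        1: Proc(1, 1, "init", 0),
        100: Proc(100, 1, "vpnapp", 10),
        200: Proc(200, 100, "browser", 20),
        201: Proc(201, 200, "browser-helper", 21),
        300: Proc(300, 1, "mailer", 5),
        250: Proc(250, 1, "other-tool", 90),   # reused PID, different program
    }
    launched = {200: 20, 250: 30}              # pid -> start time recorded at launch
    connection_list = {"10.0.1.5": "xx.xx.xx.xx", "10.0.2.9": "yy.yy.yy.yy"}
    return procs, launched, connection_list


if __name__ == "__main__":
    procs, launched, cl = demo_tables()
    for pid in (201, 300, 250):
        print(pid, convert_destination(procs, launched, cl, pid, "10.0.1.5"))
```

The helper process 201 inherits the rewrite through its parent browser 200, the mailer 300 is left alone, and the reused PID 250 is left alone because its start time no longer matches the launch record.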

Next, with reference to FIG. 9, an operation example of the operation suppression process performed by the operation suppression unit 29 in the user terminal 20 will be described.
The operation suppression unit 29 monitors requests input to the OS kernel 24 (step S21). If no operation request is input to the OS kernel 24 (step S22: NO), the process ends. If an operation request is input to the OS kernel 24 (step S22: YES), the operation suppression unit 29 reads the security policy stored in the security policy storage unit 22 and determines whether the operation request is an operation defined in the security policy (step S23).

  If the operation suppression unit 29 determines that the input operation request is not an operation defined in the security policy (step S23: NO), the process proceeds to step S26. If it determines that the input operation request is an operation defined in the security policy (step S23: YES), it determines whether the operation is permitted (step S24). If the operation is not permitted (step S24: NO), the operation suppression unit 29 discards the operation request so that the operation is not performed (step S25). If the operation is permitted (step S24: YES), the operation suppression unit 29 lets the OS kernel 24 execute the operation request so that the operation is performed (step S26).
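As an added illustration that is not part of the patent, the following Python models the operation suppression flow of steps S23 to S26 with a per-hardware-resource policy in the sense of claim 5; the policy format, the wildcard entry and the deny-by-default option are assumptions, not features the patent describes.

```python
"""Simulation of the operation suppression unit 29 (steps S23-S26).

Added example, not code from the patent. The policy format, the "*"
wildcard and the default_permit switch are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OperationRequest:
    operation: str   # e.g. "write", "print", "copy"
    resource: str    # hardware resource the operation targets (claim 5)


# Constructed security policy (security policy storage unit 22) for one user:
# (operation, resource) -> permitted?  A "*" resource entry applies to every
# hardware resource for that operation (assumption for the example).
SAMPLE_POLICY = {
    ("write", "usb_storage"): False,   # no writing to removable media
    ("write", "*"): True,              # writing elsewhere is allowed
    ("print", "*"): False,             # no printing on any printer
    ("copy", "clipboard"): False,
}


def lookup(req, policy):
    """Exact (operation, resource) entry wins over the (operation, "*")
    wildcard; returns None when the policy does not define the operation."""
    for key in ((req.operation, req.resource), (req.operation, "*")):
        if key in policy:
            return policy[key]
    return None


def suppress(req, policy=SAMPLE_POLICY, default_permit=True):
    """Return "execute" if the OS kernel should carry out the request and
    "discard" if the operation suppression unit drops it.

    The flow in the description passes an operation that the policy does
    not define straight to the kernel (S23: NO -> S26); default_permit=False
    models a stricter deny-by-default variant.
    """
    permitted = lookup(req, policy)
    if permitted is None:                       # S23: NO, not defined in policy
        return "execute" if default_permit else "discard"
    return "execute" if permitted else "discard"   # S24 YES -> S26, NO -> S25


def filter_requests(requests, policy=SAMPLE_POLICY, default_permit=True):
    """Apply the policy to a batch and keep only the requests that execute."""
    return [r for r in requests if suppress(r, policy, default_permit) == "execute"]
```

Note that, exactly as in the flow above, an operation the policy does not mention is executed unless default_permit is set to False, so a policy is only as complete as the list of operations it defines.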

  In the present embodiment, the VPN relay server 10, a single computer device, has been described as including all of the functional units from the server communication unit 11 to the relay unit 17, but the functional units may be distributed over different computer devices depending on function and scale. For example, separate computer devices may serve as an authentication server that performs user login authentication, a menu server that transmits the connection list corresponding to a user who has passed login authentication to the user terminal 20, and a relay server that relays communication between the user terminal 20 and the base 30.

  In the present embodiment, the functional units by which the user terminal 20 communicates with the VPN relay server 10, namely the security policy storage unit 22, the connection list storage unit 23, the OS kernel 24, the VPN application control unit 26, the destination conversion unit 27, and the operation suppression unit 29, are provided in the user terminal 20 in advance. However, the control program constituting these functional units may instead be stored in the storage area of the card reader 40 and installed in the user terminal 20 when the card reader 40 is connected to the user terminal 20. In this case, when the card reader 40 is connected to the user terminal 20, the application control unit 28 of the user terminal 20 reads and installs the control program stored in the card reader 40 to configure each functional unit. As a result, even if the user terminal 20 does not include each functional unit in advance, a user who has the card reader 40 can operate the user terminal 20 as a client terminal of the VPN relay server 10 by connecting the card reader 40 to the user terminal 20 and installing the control program.

  As described above, according to the present embodiment, the user terminal 20 can connect to the plurality of GWs 31 via VPN lines and communicate with the information servers 32 at the plurality of bases simply by communicating with the VPN relay server 10. In particular, applications provided in a cloud format, such as SaaS and ASP, have been increasing in recent years, and such applications are sometimes used over a VPN line. In such a case, the user terminal 20 can use the applications by connecting to the VPN relay server 10 without establishing a separate VPN line for each application. Further, since a security policy and a connection list can be defined for each user, the operations of the user terminals 20 connected to the VPN system 1 can be managed collectively by managing the information stored in the connection list storage unit 12 and the security policy storage unit 13 of the VPN relay server 10.

  A program for realizing the functions of the processing units in the present invention may be recorded on a computer-readable recording medium, and the VPN connection may be made by reading the program recorded on the recording medium into a computer system and executing it. Here, the “computer system” includes an OS and hardware such as peripheral devices. The “computer system” also includes a WWW system having a homepage providing environment (or display environment). The “computer-readable recording medium” refers to a portable medium such as a flexible disk, a magneto-optical disk, a ROM or a CD-ROM, or a storage device such as a hard disk incorporated in a computer system. The “computer-readable recording medium” further includes a medium that holds the program for a certain period of time, such as a volatile memory (RAM) inside a computer system that acts as a server or a client when the program is transmitted via a network such as the Internet or a communication line such as a telephone line.

  The program may be transmitted from a computer system that stores the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” that transmits the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line such as a telephone line. The program may be one that realizes only a part of the functions described above. Furthermore, the program may be one that realizes the functions described above in combination with a program already recorded in the computer system, that is, a so-called difference file (difference program).

DESCRIPTION OF SYMBOLS
1 VPN system
10 VPN relay server
11 Server communication unit
12 Connection list storage unit
13 Security policy storage unit
14 User VPN communication unit
15 User control unit
16 Correspondence relationship storage unit
17 Relay unit
18 User communication unit
20 User terminal
21 Process storage unit
22 Security policy storage unit
23 Connection list storage unit
24 OS kernel
25 Communication unit
26 VPN application control unit
27 Destination conversion unit
28 Application control unit
29 Operation suppression unit
30 Base
31 GW
32 Information server
40 Card reader

Claims (7)

  1. A VPN system comprising a user terminal of a user and a VPN relay server connected to the user terminal via a network, wherein the VPN relay server comprises:
    a server communication unit connected to a plurality of information servers via a first VPN line;
    a connection list storage unit storing a connection list in which the user is associated with the information server, among the plurality of information servers, that accepts a connection from the user terminal;
    a user communication unit that connects to the user terminal via a second VPN line in response to a request from the user terminal;
    a connection list transmitting unit that transmits the connection list corresponding to the user to the user terminal in response to a request from the user terminal; and
    a relay unit that, when a communication request to an information server included in the connection list is received from the user terminal, relays the communication between the user terminal and the information server via the first VPN line and the second VPN line.
  2. The VPN system according to claim 1, wherein the user terminal comprises:
    a communication unit that transmits an input communication request to the destination of the communication request; and
    a destination conversion unit that, when a communication request addressed to the information server is input to the communication unit, rewrites the destination of the communication request to the VPN relay server and transmits the communication request to the communication unit.
  3. The VPN system according to claim 2, wherein the user terminal comprises a process storage unit that stores process identification information identifying a process running on its own hardware resources in association with child process identification information identifying a child process of that process, and
    the destination conversion unit determines whether the process that input the communication request to the communication unit is a process started based on the connection list or a child process of such a process, and rewrites the destination of the communication request to the VPN relay server when it determines that the process is a process started based on the connection list or a child process of such a process.
  4. The VPN system according to any one of claims 1 to 3, wherein the VPN relay server further comprises:
    a first security policy storage unit that stores a security policy associating the user with the operations, among the processing operations performed by the user terminal, that are permitted in response to a request from the user; and
    a security policy transmission unit that transmits the security policy corresponding to the user to the user terminal in response to a request from the user terminal,
    and the user terminal further comprises:
    a second security policy storage unit that stores the security policy;
    a security policy registration unit that requests the security policy from the VPN relay server, receives the security policy transmitted from the VPN relay server in response to the request, and stores it in the second security policy storage unit; and
    an operation suppression unit that controls the operation of the user terminal based on the security policy stored in the second security policy storage unit.
  5. The VPN system according to claim 4, wherein the security policy associates the availability of an operation with each hardware resource included in the user terminal.
  6. The VPN system according to any one of claims 2 to 5, wherein the user terminal further comprises an installation control unit that reads a control program from a storage medium storing the control program, the control program causing the user terminal to function as at least one of the destination conversion unit and the operation suppression unit, and that constitutes at least one of the destination conversion unit and the operation suppression unit based on the control program.
  7. A VPN connection method in a VPN system comprising a user terminal of a user and a VPN relay server connected to the user terminal via a network, the VPN relay server comprising a server communication unit connected to a plurality of information servers via a first VPN line and a connection list storage unit storing a connection list in which the user is associated with the information server, among the plurality of information servers, that accepts a connection from the user terminal of the user, the method comprising the steps, performed by the VPN relay server, of:
    connecting to the user terminal via a second VPN line in response to a request from the user terminal;
    transmitting the connection list corresponding to the user to the user terminal in response to a request from the user terminal; and
    when a communication request to an information server included in the connection list is received from the user terminal, relaying the communication between the user terminal and the information server via the first VPN line and the second VPN line.

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2011216893A JP2013077995A (en) 2011-09-30 2011-09-30 Vpn system and vpn connection method

Publications (1)

Publication Number Publication Date
JP2013077995A true JP2013077995A (en) 2013-04-25

Family

ID=48481154

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2011216893A Pending JP2013077995A (en) 2011-09-30 2011-09-30 Vpn system and vpn connection method

Country Status (1)

Country Link
JP (1) JP2013077995A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2015142227A (en) * 2014-01-28 2015-08-03 Fujitsu Ltd. Communication control device, communication control method, and communication control program

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002077275A (en) * 2000-09-04 2002-03-15 Nippon Telegr & Teleph Corp <Ntt> Inter-closed network connection system, inter-closed network connection method, and storage medium with processing program therefor stored thereon, and hosting service system
JP2004153366A (en) * 2002-10-29 2004-05-27 Crc Solutions Corp Virtual private network (vpn) system and relay node
WO2006043463A1 (en) * 2004-10-19 2006-04-27 Nec Corporation Vpn gateway device and hosting system
JP2007202036A (en) * 2006-01-30 2007-08-09 Fujitsu Ltd Packet repeating method and packet repeating system
JP2007281919A (en) * 2006-04-07 2007-10-25 Shinshu Univ Communication system on public line for performing access restriction, terminal connection apparatus, and server connection restriction apparatus
JP2009089062A (en) * 2007-09-28 2009-04-23 Fuji Xerox Co Ltd Virtual network system and virtual network connection device
JP2011100207A (en) * 2009-11-04 2011-05-19 Nippon Yunishisu Kk Remote access device, program, method and system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
CSND200900457009; 'LGP security management techniques' Windows Server World Vol.14 No.8, 20090801, IDG Japan Inc. *
JPN6014051541; 'LGP security management techniques' Windows Server World Vol.14 No.8, 20090801, IDG Japan Inc. *
JPN6015011816; 'What is a "proxy server"?' Nikkei Trendy Net, 20030909 *

Legal Events

Date Code Title Description
20130516 RD02 Notification of acceptance of power of attorney (Free format text: JAPANESE INTERMEDIATE CODE: A7422)
20130816 RD04 Notification of resignation of power of attorney (Free format text: JAPANESE INTERMEDIATE CODE: A7424)
20140219 A621 Written request for application examination (Free format text: JAPANESE INTERMEDIATE CODE: A621)
20141113 A977 Report on retrieval (Free format text: JAPANESE INTERMEDIATE CODE: A971007)
20141209 A131 Notification of reasons for refusal (Free format text: JAPANESE INTERMEDIATE CODE: A131)
20150206 A521 Written amendment (Free format text: JAPANESE INTERMEDIATE CODE: A523)
20150401 A02 Decision of refusal (Free format text: JAPANESE INTERMEDIATE CODE: A02)