JP2016116146A - Network connection control device, network connection control method, network connection control program, and network connection control system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To make it difficult for an attacker to estimate a key that is a condition for connection permission.SOLUTION: A network connection control device 500 for controlling connection in a network device to which a plurality of terminals are connected through a plurality of switches includes: communication state storage means 502 for storing a communication state between respective terminals; connection condition storage means 504 for storing at least one connection control rule including a condition expression for regulating communication states of a plurality of points of the network device as a connection rule between the terminals, and a control instruction for regulating each control content corresponding to the establishment/non-establishment of the condition expression; and connection control means 506 for determining a connection control rule about communication with reference to the connection condition storage means when communication is started between prescribed terminals, instructing control content during the establishment by determining whether a communication state of a plurality of points regulated by a condition expression of the determined connection control rule exists in the communication state storage means, and instructing control contents during the non-establishment when the condition expression is not established.SELECTED DRAWING: Figure 5

Description

  The present invention relates to a network connection control device, a network connection control method, a network connection control program, and a network connection control system that control network connection in a network device in which a plurality of terminals are connected via a plurality of switches.

  As a defense method against a cyber attack on a system in which IT (Information Technology) devices are connected through a network, there is a method of controlling connection based on information that is difficult for an attacker to know.

  Non-Patent Document 1 discloses a connection control method using port knocking. In this method, a target port is opened by following a procedure of transmitting packets to a server port in a predetermined order.

  Patent Document 1 discloses a connection control method using Single Packet Authentication. In this method, the target port is opened by following the procedure of transmitting and receiving an encrypted special packet to the server.

  Normally, the port connected to the application on the server is closed. However, by detecting the reception of the packet transmitted by the predetermined procedure as described above on the server side, the port is opened and can be connected. . For this reason, an attacker who does not know the key for opening this port (that is, the above-defined procedure) cannot connect to the application.

  Patent Document 2 describes a technique for determining the validity of communication information (source address, destination address, service type, etc.) for an access request and physically disconnecting the network line when the communication information is not valid. Has been.

  In Patent Document 3, an expiration date is set for each communication partner based on communication history information (number of calls, time, amount) in a certain target period, and communication access is permitted / not permitted based on the expiration date. The technique to judge is described.

US Published Patent US2007 / 0234428 JP 2005-5809 A Re-specialized WO2009 / 8482

Krzywinski M (2003) .Port knocking: network authentication across closed ports, SysAdmin Magazine, vol 12 (6), 12-170.

  However, in the techniques of Non-Patent Document 1, Patent Document 1, and Patent Document 2, when a terminal that attempts to access a server is in a condition in which a packet sent to the server can be observed, information that is a condition for permitting connection (For example, a key packet, a packet sequence, or communication information) is easily estimated. By estimating the information that is a condition, the risk of unauthorized access by an attacker increases. In the above, the state where the packet can be observed is, for example, a case where the packet is wiretapped by a man-in-the-middle attack or the like.

  On the other hand, in the case of the technique of Patent Document 3, since access is not permitted if the communication histories do not match, the occurrence of unauthorized access due to packet eavesdropping or the like can be reduced. However, even in the case of Patent Document 3, unauthorized access cannot be prevented if the terminal itself is infected.

  The present invention has been made in view of such circumstances, and a network connection control device, a network connection control method, a network connection control program, and a network connection that are difficult for an attacker to estimate a key that is a condition for permitting connection An object is to provide a control system.

  The network connection control device of the present invention is a network connection control device that controls network connection in a network device in which a plurality of terminals are connected via a plurality of switches, and stores a communication state between the terminals. A storage unit, and a connection rule between the terminals, including a conditional expression that defines a communication state of a plurality of locations of the network device, and a control instruction that defines each control content according to the establishment / non-establishment of the conditional expression, When the communication between the connection condition storage means for storing at least one connection control rule and the predetermined terminal is to be started, the connection control rule for the communication is determined with reference to the connection condition storage means Whether the communication state storage means includes a plurality of communication states defined by the conditional expression of the determined connection control rule. A connection condition determination unit that determines whether or not the conditional expression is satisfied by determining whether or not the conditional expression is satisfied. If not established, a connection control means is provided for instructing the network device of the contents of control when it is not established.

  The network connection control method according to the present invention is a network connection control method for controlling network connection in a network device in which a plurality of terminals are connected via a plurality of switches, wherein the communication state storage means stores the communication state between the terminals. And, as a connection rule between the terminals, a conditional expression that defines the communication state of a plurality of locations of the network device, and a control instruction that defines each control content according to the establishment / non-establishment of the conditional expression, At least one connection control rule is stored in the connection condition storage means, and when the communication between predetermined terminals is to be started, the connection control rule for the communication is determined with reference to the connection condition storage means Whether or not the communication status storage means includes a plurality of communication statuses defined in the conditional expression of the determined connection control rule. By determining, whether the conditional expression is satisfied or not is determined, and when the conditional expression is satisfied, the network device is instructed to control contents when the conditional expression is satisfied, and when the conditional expression is not satisfied, the network device In contrast, the control content at the time of failure is instructed.

  The network connection control program according to the present invention provides a communication state storage means for storing a communication state between the terminals in a computer of a network connection control device that controls network connection in a network device in which a plurality of terminals are connected via a plurality of switches. And a process for storing the data, a conditional expression for defining communication states at a plurality of locations of the network device, and a control instruction for defining each control content according to the establishment / non-establishment of the conditional expression. Including the process of storing at least one connection control rule in the connection condition storage means, and when the communication between predetermined terminals is to be started, the connection for the communication is referred to with reference to the connection condition storage means A control rule is determined, and the communication states at a plurality of locations specified in the conditional expression of the determined connection control rule are A process for determining whether or not the conditional expression is satisfied by determining whether or not the condition storage unit exists, and if the conditional expression is satisfied, the network device is instructed about the control contents when the conditional expression is satisfied. When the conditional expression is not satisfied, the program causes the network device to execute a process for instructing the control content when the conditional expression is not satisfied.

  The network connection control system of the present invention includes a network device in which a plurality of terminals are connected via a plurality of switches, and a network connection control device that controls network connection in the network device, and the network connection control device includes: A communication state storage means for storing a communication state between the terminals, a conditional expression for defining a communication state at a plurality of locations of the network device as a connection rule between the terminals, and depending on whether the conditional expression is satisfied or not A connection condition storage unit that stores at least one connection control rule including a control instruction that defines each control content, and when the communication between a predetermined terminal is to be started, refer to the connection condition storage unit And determining the connection control rule for the communication and specifying the conditional expression of the determined connection control rule A connection condition determination unit that determines whether the conditional expression is satisfied or not by determining whether or not the communication states at a plurality of locations exist in the communication state storage unit, and when the conditional expression is satisfied, the network Connection control means for instructing the control contents when the condition is satisfied to the apparatus and instructing the control contents when the condition is not satisfied to the network apparatus when the conditional expression is not satisfied.

  According to the present invention, it is possible to make it difficult for an attacker to estimate a key that is a condition for permitting connection.

It is a block diagram which shows the structural example of the network connection control system which concerns on the 1st Embodiment of this invention. It is a block diagram which shows the structural example of the network connection control apparatus shown by FIG. It is a table | surface which shows an example of the connection control rule memorize | stored in the connection condition memory | storage part shown by FIG. It is a flowchart for demonstrating the operation example of a network connection control apparatus. It is a block diagram which shows the structural example of the network connection control apparatus which concerns on the 2nd Embodiment of this invention.

[First Embodiment]
(Description of configuration)
FIG. 1 is a block diagram showing a configuration example of a network connection control system 1 according to the first embodiment of the present invention.

  The network connection control system 1 includes a network device 10 and a network connection control device 20. A plurality of terminals 400 to 450 are connected to the network device 10. 1 illustrates the case where the number of terminals is six (400, 410, 420, 430, 440, 450, 460), the number of terminals is not limited to six. The terminals 400 to 450 are, for example, client PCs (Personal Computers) and servers that communicate with each other via the network device 10.

  The network device 10 establishes a communication path such that a communication packet transmitted from any of the connected terminals 400 to 450 is transmitted to any other terminal, or discards the packet. The communication path is blocked or the communication of the packet is interrupted.

  The network device 10 includes a controller 200 and a plurality of switches 300 to 320. In addition, although the case where the number of switches is three (300, 310, 320) is illustrated in FIG. 1, the number of switches is not limited to three.

  The controller 200 grasps network topology information such as which switch is connected to which other switch, and calculates an optimum communication path between terminals based on the grasped information. Then, the controller 200 instructs each of the switches 300 to 320 based on the route calculation result about the transfer destination and processing method of the communication packet.

  The switches 300 to 320 transfer communication packets transmitted from the terminals 400 to 450 to other terminals based on an instruction from the controller 200. In addition, the switches 300 to 320 discard communication packets whose transfer destination is not specified. As a processing method, when an instruction to lower the priority of a packet is given, the switches 300 to 320 deteriorate communication quality due to delay or loss. On the other hand, as a processing method, when an instruction to change a transfer destination to a terminal different from the destination indicated in the packet is given, the switches 300 to 320 interfere with communication by redirection or the like. That is, the controller 200 can establish, block, or block a communication path between specific terminals through instructions to the switches 300 to 320.

  Furthermore, the switches 300 to 320 notify the controller 200 of the presence or absence (that is, the communication state) of communication packets that are transmitted and received by the terminals 400 to 450. By this notification, the controller 200 can grasp the communication state between all terminals. As such a controller and a switch, for example, an SDN (Software-Defined Networking) controller and an SDN switch equipped with an Openflow protocol can be cited.

  The network connection control device 20 receives the communication state from the network device 10 and determines the control content of the communication path between the terminals based on this information. The network connection control device 20 notifies the network device 10 of the determined control content.

  FIG. 2 is a block diagram showing a configuration example of the network connection control device 20 shown in FIG.

  The network connection control device 20 includes a communication state collection unit 101, a connection condition determination unit 102, a connection control unit 103, a communication state storage unit 111, and a connection condition storage unit 112.

  The communication state collection unit 101 receives a communication state between terminals from the network device 10 and stores it in the communication state storage unit 111.

  The communication state stored in the communication state storage unit 111 stores communication states at a plurality of locations in the network. Specifically, the communication state is a state of communication between a transmission source terminal and a transmission destination terminal of packets transmitted and received between terminals. The communication state may further include header information, statistical information, packet payload, and the like. For example, the header information includes a MAC (Media Access Control) address, an IP (Internet Protocol) address, a port number, and a protocol number. The statistical information includes the number of packets, the number of bytes, and the communication duration.

  The connection condition storage unit 112 stores a connection control rule that defines a rule for the network connection control device 20 to control communication connection between terminals.

  Here, the connection control rule will be described.

  FIG. 3 is a table showing an example of connection control rules stored in the connection condition storage unit 112. The connection control rule includes a communication condition and a control instruction. The communication condition includes a reference condition and a conditional expression. In the control instruction, the control content corresponding to the determination result of the conditional expression is described.

  The reference condition is a condition for referring to the connection control rule (that is, a condition for determining which connection control rule the communication received from the network device 10 corresponds to).

  The conditional expression is a condition configured by a set of a plurality of communications, and includes accompanying information such as designation of the order of occurrence of each communication and a time range for determining communication as valid.

  The control instruction is a communication control instruction instructed from the network connection control device 20 to the controller 200 after evaluation of the communication conditions. The control instruction includes control instruction contents when the conditional expression is satisfied and control instruction contents when the conditional expression is not satisfied. The control instruction content includes instructions such as connection, disconnection, and obstruction. The connection is an instruction that enables communication between terminals, and the disconnection is an instruction that disconnects communication that has already been established or blocks new communication. The jamming is an instruction such as insertion of a delay or loss for communication or redirection to another terminal.

  For example, in the first rule shown in FIG. 3, the reference condition is “communication from terminal 400 to terminal 410”. The conditional expression in this case is “communication between the terminal 420 and the terminal 430 and communication between the terminal 440 and the terminal 450 are simultaneously established”. The control instruction when the conditional expression is satisfied is “communication connection from terminal 400 to terminal 410”.

  On the other hand, in the second rule shown in FIG. 3, the reference condition is “communication from terminal 400 to terminal 450”. The conditional expression in this case is “communication between the terminal 400 and the terminal 420, communication between the terminal 400 and the terminal 430, and communication between the terminal 400 and the terminal 440 occurs in this order”. The control instruction when the conditional expression is satisfied is “communication connection from terminal 400 to terminal 450”.

  Here, the description of FIG. 2 is resumed. The connection condition determination unit 102 refers to the connection condition storage unit 112 and the communication information storage unit 111, and determines a connection control rule condition. Specifically, the connection condition determination unit 102 searches for a connection control rule corresponding to communication by referring to the connection control rule reference condition stored in the connection condition storage unit 112. The connection condition determination unit 102 determines whether or not the communication state included in the searched connection control rule conditional expression exists in the communication state storage unit 111.

  For example, when communication from the terminal 400 to the terminal 410 occurs, the first rule (see FIG. 3) is referred to. When the communication between the terminal 420 and the terminal 430 and the communication between the terminal 440 and the terminal 450 are stored in the communication state storage unit 111, the connection condition determination unit 102 determines that the conditional expression is satisfied. .

The connection control unit 103 issues a communication control instruction to the network device 10 based on the determination result of the connection condition determination unit 102. Based on this control instruction, the controller 200 of the network device 10 performs communication connection control between terminals.
(Description of operation)
FIG. 4 is a flowchart for explaining an operation example of the network connection control device 20. In the following, the connection control rules shown in FIG. 3 are used in order to make the description clearer. Of course, the operation of the network connection control device 20 is not limited to the connection control rules shown in FIG.

  The switch that has received the first packet associated with the start of new communication by a predetermined terminal in the network device 10 notifies the controller 200 of the occurrence of communication between the terminals. For example, when the terminal 400 is about to start communication with the terminal 410, the switch 300 notifies the occurrence of communication. The controller 200 notifies the network connection control device 20 of a “new communication occurrence notification”. The new communication occurrence notification includes, for example, information on a terminal (transmission source terminal) that starts communication and information on a terminal (transmission destination terminal) to which a packet is transmitted.

  The communication state collection unit 101 of the network connection control device 20 receives a new communication occurrence notification from the controller 200 (step S10). The communication state collection unit 101 stores a new communication occurrence notification as a communication state in the communication state storage unit 111 and transmits it to the connection condition determination unit 102.

  The connection condition determination unit 102 searches for a connection control rule corresponding to the communication of the new communication occurrence notification from the reference condition of the connection condition storage unit 112 (step S11). For example, when the new communication occurrence notification is the start of new communication from the terminal 400 to the terminal 410, the first rule is searched.

  If there is no corresponding connection control rule (“no rule” in step S11), the processing of this flow ends (that is, connection control is not executed).

  On the other hand, if a connection control rule exists (“rule present” in step S11), the connection condition determination unit 102 searches the communication state storage unit 111 for a communication state included in the conditional expression of the connection control rule (step S12). ). For example, in the case of the first rule, the connection condition determination unit 102 determines that “communication between the terminal 420 and the terminal 430” described in the conditional expression from the communication state storage unit 111 and “the terminal 440 and the terminal 450 are connected. Search for “communication between”.

  The connection condition determination unit 102 determines a control instruction to instruct the controller 200 according to the search result (step S13). When the conditional expression is satisfied (when the communication state included in the conditional expression is retrieved from the communication state storage unit 111), the connection condition determination unit 102 sends a control instruction “when the condition is satisfied” in the connection control rule to the controller. 200 is determined as a control instruction for instructing 200. On the other hand, when the conditional expression is not satisfied (when the communication state included in the conditional expression is not retrieved from the communication state storage unit 111), the connection condition determination unit 102 gives a control instruction “when the condition is not satisfied” in the connection control rule, The control instruction is determined as an instruction to the controller 200.

  For example, in the case of the first rule, when both the communication between the terminal 420 and the terminal 430 and the communication between the terminal 440 and the terminal 450 are confirmed (that is, the conditional expression of the first rule is satisfied). The connection condition determination unit 102 selects “connect communication between terminal 400 and terminal 410” as a control instruction. On the other hand, when at least one of the communication between the terminal 420 and the terminal 430 and the communication between the terminal 440 and the terminal 450 is not confirmed (that is, the conditional expression of the first rule is not satisfied), the connection condition determination Unit 102 selects “block of communication between terminal 400 and terminal 410” as a control instruction.

  The connection control unit 103 transmits the control instruction determined by the connection condition determination unit 102 to the controller 200 (step S14).

The switches 300 to 320 execute connection control based on an instruction from the controller 200. For example, the switches 300 to 320 transfer communication packets transmitted from the terminals 400 to 450 to other terminals. In addition, the switches 300 to 320 discard communication packets whose transfer destination is not specified. Further, as a processing method, when an instruction to lower the priority of a packet is given, the switches 300 to 320 deteriorate communication quality due to delay or loss. On the other hand, as a processing method, when an instruction to change a transfer destination to a terminal different from the destination indicated in the packet is given, the switches 300 to 320 interfere with communication by redirection or the like. That is, the controller 200 can establish, block, or block a communication path between specific terminals through instructions to the switches 300 to 320.
(Explanation of effect)
In the first embodiment described above, the communication state at a plurality of locations in the network is the key to the connection condition, as shown in the “conditional expression” in FIG. Therefore, in the network connection control system of the first embodiment, in order for an attacker to specify a key, it is necessary to grasp all communication contents flowing on the network and to identify a specific communication state that is a key for connection conditions. There is a need to.

  For example, in order to perform communication between the terminal 400 and the terminal 410, the communication contents of all terminals including the terminal 420 to the terminal 450 as well as the terminal 400 and the terminal 410 are grasped, and further, the connection condition It is necessary to estimate a specific communication state that is the key to the above.

In order to achieve this, it is necessary to have a very complicated process of simultaneously infecting all terminals in the network with malicious software and simultaneously eavesdropping all (or many) packets flowing on the network. It becomes. Therefore, it is extremely difficult to estimate a key that is a condition for permitting connection.
[Second Embodiment]
FIG. 5 is a block diagram showing a configuration example of the network connection control apparatus 500 according to the second embodiment of the present invention.

  The network connection control device 500 controls network connection in a network device to which a plurality of terminals are connected via a plurality of switches.

  The network connection control device 500 includes a communication state storage unit 502, a connection condition storage unit 504, a connection condition determination unit 506, and a connection control unit 508.

  The communication state storage unit 502 stores the communication state between the terminals.

  The connection condition storage unit 504 includes, as connection rules between terminals, a conditional expression that defines a communication state between a plurality of different terminals, and a control instruction that defines each control content according to whether the conditional expression is established or not, At least one connection control rule is stored.

  When the communication between the predetermined terminals is about to start, the connection condition determination unit 506 refers to the connection condition storage unit to determine the connection control rule for the communication, and the condition of the determined connection control rule Whether or not the conditional expression is satisfied is determined by determining whether or not a plurality of communication states defined by the expression exist in the communication state storage unit.

  When the conditional expression is satisfied, the connection control unit 508 instructs the network device about the control contents when the conditional expression is satisfied, and when the conditional expression is not satisfied, the connection control unit 508 instructs the network device about the control content when the conditional expression is not satisfied.

  In the second embodiment described above, communication states at a plurality of locations on the network are the key to connection conditions. Therefore, in the network device to be controlled by the network connection control device of the second embodiment, in order for an attacker to specify the key, it is necessary to grasp all communication contents flowing on the network and to be a key for the connection condition. It is necessary to sort out a specific communication state.

In order to achieve this, it is necessary to have a very complicated process of simultaneously infecting all terminals in the network with malicious software and simultaneously eavesdropping all (or many) packets flowing on the network. It becomes. Therefore, it is extremely difficult to estimate a key that is a condition for permitting connection.
<Description of modification>
A program for realizing all or part of the functions of the embodiments described above is recorded on a computer-readable recording medium. The program recorded on the recording medium is read and executed by the computer system.

  As an example of the “computer system”, for example, a CPU (Central Processing Unit) can be cited.

  The “computer-readable recording medium” is, for example, a non-transitory storage device. Examples of non-temporary storage devices include a magneto-optical disk, a ROM (Read Only Memory), a portable medium such as a nonvolatile semiconductor memory, and a hard disk built in a computer system. The “computer-readable recording medium” may be a temporary storage device. As an example of a temporary storage device, for example, a communication line in the case of transmitting a program via a network such as the Internet or a communication line such as a telephone line, or a volatile memory inside a computer system can be cited.

  Further, the program may be for realizing a part of the above-described functions, and further, the program described above may be realized in combination with a program already recorded in the computer system. Good.

  As mentioned above, although this invention was demonstrated using each embodiment, the technical scope of this invention is not limited to description of said each embodiment. It is obvious to those skilled in the art that various modifications or improvements can be added to the above embodiments. Therefore, it is needless to say that embodiments with such changes or improvements are also included in the technical scope of the present invention. The numerical values and names of the components used in the embodiments described above are illustrative and can be changed as appropriate.

DESCRIPTION OF SYMBOLS 1 Network connection control system 10 Network apparatus 20 Network connection control apparatus 101 Communication state collection part 102 Connection condition determination part 103 Connection control part 111 Communication state memory | storage part 112 Connection condition memory | storage part 200 Controller 300-320 Switch 400-450 Terminal 500 Network connection Control device 502 Communication state storage means 504 Connection condition storage means 506 Connection condition determination means 508 Connection control means

Claims (8)

A network connection control device that controls network connection in a network device in which a plurality of terminals are connected via a plurality of switches,
Communication state storage means for storing a communication state between the terminals;
As a connection rule between the terminals, at least one connection including a conditional expression that defines communication states at a plurality of locations of the network device and a control instruction that defines each control content according to the establishment / non-establishment of the conditional expression Connection condition storage means for storing control rules;
When communication between predetermined terminals is about to be started, the connection condition storage unit is referred to determine the connection control rule for the communication, and is defined in the conditional expression of the determined connection control rule A connection condition determination unit that determines whether the conditional expression is satisfied or not by determining whether or not the communication state of a plurality of locations is present in the communication state storage unit;
Connection control means for instructing the network device when the condition is satisfied when the conditional expression is satisfied, and for instructing the network device when the conditional expression is not satisfied when the conditional expression is not satisfied A network connection control device comprising:   The network connection control device according to claim 1, wherein the conditional expression of the connection control rule includes a conditional expression in which communication at a plurality of locations is simultaneously established.   The network connection control device according to claim 1, wherein the conditional expression of the connection control rule includes a conditional expression in which communication at a plurality of locations is established in a predetermined order.   The network connection control according to any one of claims 1 to 3, wherein the control content of the connection control rule is one of communication connection, communication disconnection, and communication interruption. apparatus.   5. The network connection control apparatus according to claim 4, wherein the interference of communication is insertion of a delay or loss for communication, or redirection to another terminal. A network connection control method for controlling network connection in a network device in which a plurality of terminals are connected via a plurality of switches,
Storing the communication state between the terminals in a communication state storage means;
As a connection rule between the terminals, at least one connection including a conditional expression that defines communication states at a plurality of locations of the network device and a control instruction that defines each control content according to the establishment / non-establishment of the conditional expression Store the control rule in the connection condition storage means,
When communication between predetermined terminals is about to be started, the connection condition storage unit is referred to determine the connection control rule for the communication, and is defined in the conditional expression of the determined connection control rule Determining whether or not the conditional expression is satisfied by determining whether or not the communication states at a plurality of locations are present in the communication state storage means;
When the conditional expression is satisfied, the network device is instructed to control contents when it is satisfied, and when the conditional expression is not satisfied, the network device is instructed to control contents when it is not satisfied. Network connection control method. In a computer of a network connection control device that controls network connection in a network device in which a plurality of terminals are connected via a plurality of switches,
Processing for storing a communication state between the terminals in a communication state storage unit;
As a connection rule between the terminals, at least one connection including a conditional expression that defines communication states at a plurality of locations of the network device and a control instruction that defines each control content according to the establishment / non-establishment of the conditional expression Processing for storing the control rule in the connection condition storage means;
When communication between predetermined terminals is about to be started, the connection condition storage unit is referred to determine the connection control rule for the communication, and is defined in the conditional expression of the determined connection control rule A process for determining whether or not the conditional expression is satisfied by determining whether or not the communication states at a plurality of locations exist in the communication state storage unit;
When the conditional expression is satisfied, the network device is instructed to control contents when it is satisfied, and when the conditional expression is not satisfied, the network device is instructed to control contents when it is not satisfied. Network connection control program to be executed. A network device in which a plurality of terminals are connected via a plurality of switches;
A network connection control device for controlling network connection in the network device,
The network connection control device includes:
Communication state storage means for storing a communication state between the terminals;
As a connection rule between the terminals, at least one connection including a conditional expression that defines communication states at a plurality of locations of the network device and a control instruction that defines each control content according to the establishment / non-establishment of the conditional expression Connection condition storage means for storing control rules;
When communication between predetermined terminals is about to be started, the connection condition storage unit is referred to determine the connection control rule for the communication, and is defined in the conditional expression of the determined connection control rule A connection condition determination unit that determines whether the conditional expression is satisfied or not by determining whether or not the communication state of a plurality of locations is present in the communication state storage unit;
Connection control means for instructing the network device when the condition is satisfied when the conditional expression is satisfied, and for instructing the network device when the conditional expression is not satisfied when the conditional expression is not satisfied And a network connection control system comprising:

Images