JP2017212572A - Remote access service system, information processing device, gateway device, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To allow both of remote access to an external network and access to a network apparatus in a local network to be implemented while maintaining security without setting a policy.SOLUTION: A path control unit 15 transmits a packet destined to a NAS 7 obtained in response to an access request from a user to a gateway device 20 via a VPN. A path control unit 26 returns a packet transmitted via the VPN by a terminal device 10 to a local network system 1 including the NAS 7, the destination of the packet. The path control unit 15 transmits the packet returned by the gateway device 20 to the NAS 7, an original destination.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a remote access service system, an information processing apparatus, a gateway apparatus, and a program.

  In recent years, it is not uncommon to take a terminal device such as a personal computer (PC) from a company and access a computer in the office from home or away from home. When performing work at home, the telecommuter connects to the corporate network with a VPN (Virtual Private Network) from the viewpoint of security. In some cases, NAS (Network Attached Storage) connected to a local network at home is used.

  In general, the in-house network has sufficient security measures compared to the local network at home, and therefore all communication including communication to the Internet is performed on a RAS (Remote Access Service) server ( This is often performed via a gateway device equipped with a RAS function. However, if you do this, you will not be able to access the NAS in your home. Conventionally, you can set a policy to distribute the internal network that passes through the VPN and the local network that does not pass through the VPN. In other words, a technology that enables RAS clients to access NAS has been proposed (for example, Patent Document 1).

JP 2008-098937 A

  An object of the present invention is to enable both remote access to an external network and access to a network device in a local network while maintaining security without setting a policy.

  A remote access service system according to the present invention is connected to a local network together with a network device, and is connected to an information processing apparatus equipped with a client remote access service function and an external network different from the local network, and remote access for a server. A gateway device having a service function, and a virtual private network connecting the information processing device and the gateway device, the information processing device being acquired in response to an access request to the network device from a user A first transmission unit configured to transmit the packet addressed to the network device to the gateway device via the virtual private network, wherein the gateway device transmits the packet transmitted by the first transmission unit. Is sent back to the information processing device via the virtual private network, and the information processing device sends the gateway device from the gateway device via the virtual private network in response to transmission by the first sending device. It has the 2nd transmission means which transmits the returned packet to the network apparatus, It is characterized by the above-mentioned.

  An information processing apparatus according to the present invention provides a packet addressed to a network device acquired in response to an access request from a user to a network device connected to the same local network via an external network different from the local network via a virtual private network. A first transmission unit configured to transmit to a gateway device connected to the network; and the packet returned from the gateway device via the virtual private network in response to transmission by the first transmission unit is transmitted to the network device. And a second transmission means.

  The gateway device according to the present invention is a gateway device connected to an external network different from a local network to which the information processing device and the network device are connected, and the information processing device is acquired in response to an access request from the user to the network device. And a return means for returning the packet addressed to the network device and transmitted from the information processing apparatus via the virtual private network to the information processing apparatus via the virtual private network. To do.

  The program according to the present invention differs from the local network through a virtual private network for a packet addressed to the network device acquired by a computer in response to a user access request to a network device connected to the same local network. First transmission means for transmitting to a gateway device connected to an external network, and transmitting the packet returned from the gateway device via the virtual private network to the network device in response to transmission by the first transmission means It functions as a second transmission means.

  The program according to the present invention includes a computer installed in a gateway device connected to an external network different from a local network to which the information processing device and the network device are connected, and the information processing device requests an access from the user to the network device. Function as a return means for returning a packet addressed to the network device acquired in response to the packet and transmitted from the information processing apparatus via the virtual private network to the information processing apparatus via the virtual private network Let

  A remote access service system according to the present invention includes a first information processing apparatus equipped with a client remote access service function, and a second information process connected to a local network together with a network device and equipped with a client remote access service function. And a gateway device connected to an external network different from a local network to which the first information processing device and the second information processing device are connected, and equipped with a server remote access service function, and the first information processing A virtual private network that connects each of the device and the second information processing device to the gateway device, and the first information processing device acquires the network in response to an access request to the network device from a user A first transmission unit configured to transmit a packet addressed to the gateway to the gateway device via the virtual private network, and the gateway device transmits the packet transmitted by the first transmission unit via the virtual private network. Transfer means for transferring to the second information processing apparatus, the second information processing apparatus being transferred from the gateway apparatus via the virtual private network in response to transmission by the first transmission means. It has the 2nd transmission means which transmits a packet to the said network apparatus, It is characterized by the above-mentioned.

  According to the first aspect of the present invention, it is possible to realize both remote access to an external network and access to a network device in a local network while maintaining security without setting a policy.

  According to the second aspect of the present invention, it is possible to realize both remote access to an external network and access to a network device in a local network while maintaining security without setting a policy.

  According to the third aspect of the present invention, it is possible to realize both remote access to an external network and access to a network device in a local network while maintaining security without setting a policy.

  According to the fourth aspect of the present invention, it is possible to realize both remote access to an external network and access to a network device in a local network while maintaining security without setting a policy.

  According to the fifth aspect of the present invention, it is possible to realize both remote access to an external network and access to a network device in a local network while maintaining security without setting a policy.

  According to the invention described in claim 6, it is possible to realize both remote access to an external network and access to a network device in a local network while maintaining security without setting a policy.

It is the block block diagram which showed Embodiment 1 of the remote access service system which concerns on this invention. FIG. 2 is a hardware configuration diagram of a computer forming the terminal device in the first embodiment. 3 is a flowchart showing VPN connection processing in the first embodiment. 6 is a diagram illustrating a communication flow performed between the terminal device and the gateway device when the terminal device accesses the NAS in Embodiment 1. FIG. FIG. 6 is a block configuration diagram of a remote access service system in a second embodiment.

  Hereinafter, preferred embodiments of the present invention will be described with reference to the drawings.

Embodiment 1 FIG.
FIG. 1 is a block diagram showing an embodiment of a remote access service system according to the present invention. FIG. 1 shows a configuration in which a local network system 1 and an in-house network system 2 are each connected to the Internet 3. The local network system 1 is a network system built at home for employees in a company where the in-house network system 2 is built. FIG. 1 shows a configuration in which a terminal device 10 corresponding to an information processing apparatus of the present invention and a broadband router 4 are connected to a network 6. The broadband router 4 is connected to a NAS 7 as a network device. Note that a plurality of terminal devices 10 may be connected to the network 6. A plurality of local network systems 1 may be connected to the Internet 3, but each has an equivalent configuration, so only one local network system 1 is shown in FIG. 1.

  The in-house network system 2 is a network system built in a certain company and corresponds to an external network system when viewed from the local network system 1. FIG. 1 shows a configuration in which the gateway device 20 and the PC 8 are connected to the network 9. A plurality of PCs 8 may be connected to the network 9.

  In the present embodiment, “remote access service (hereinafter also simply referred to as“ RAS ”)” means functions, data, etc. of a remote computer (in-house network system 2 in this embodiment) via a network. This is a service that makes it possible to use the resources of a remote site. For this purpose, a client RAS function is installed in a remote computer (terminal device 10) that accesses the computer, and a server RAS function is installed in a computer (gateway device 20) that provides RAS. It is.

  FIG. 2 is a hardware configuration diagram of a computer forming the terminal device 10 according to the present embodiment. In the present embodiment, the computer forming the terminal device 10 can be realized with a general-purpose hardware configuration such as a PC. That is, as shown in FIG. 2, the computer includes a CPU 31, a ROM 32, a RAM 33, a hard disk drive (HDD) 34, a mouse 35 provided as user interface means, a keyboard 36, and a display 37. A network controller 39 provided as means is connected to the internal bus 40.

  In addition, the gateway device 20 in the present embodiment may be realized by a general-purpose hardware configuration that has existed in the past. Although the user interface means may be unnecessary as in the terminal device 10, it has a CPU, a ROM, a RAM, and the like because it has a built-in computer.

  Returning to FIG. 1, the terminal device 10 in the present embodiment includes an application execution unit 11, a communication unit 12, a VPN connection request unit 13, a VPN communication unit 14, and a path control unit 15. The application execution unit 11 executes an application (local process) designated by the user. The communication unit 12 executes data communication without using VPN with the in-house network system 2. The VPN connection request unit 13 operates as a network device (VPN client) for VPN access that can be recognized by the OS of the terminal device 10 by the client RAS function installed in the terminal device 10 in advance, and when the VPN connection is established, the VPN communication unit 14 Is generated. The VPN communication unit 14 performs data communication via the VPN with the gateway device 20 connected by VPN. The path control unit 15 functions as a first transmission unit that transmits a packet addressed to the NAS 7 acquired in response to an access request to the NAS 7 from the user to the gateway device 20 via the VPN. Furthermore, the path control unit 15 functions as a second transmission unit that transmits a packet returned from the gateway device 20 in response to transmission by the first transmission unit to the NAS 7 that is the original destination of the packet. The communication agent receiving unit 151 included in the route control unit 15 receives the communication agent sent from the gateway device 20.

  Each component 11-15 in the terminal device 10 is implement | achieved by cooperation operation | movement with the program which operate | moves with the computer which forms the terminal device 10, and CPU31 mounted in the computer.

  The gateway device 20 in this embodiment includes an intra-area communication unit 21, a communication unit 22, a VPN connection accepting unit 23, a VPN communication unit 24, a security inspection unit 25, a path control unit 26, a communication agent management unit 27, and a communication agent storage. A portion 28 is provided. The in-area communication unit 21 performs data communication with the PC 8 connected to the network. The communication unit 22 performs data communication with the local network system 1 without using VPN. The VPN connection accepting unit 23 accepts a VPN connection request from the terminal device 10 and generates a VPN communication unit 24 to establish a VPN with the terminal device 10. The VPN communication unit 24 executes data communication via the VPN with the terminal device 10 connected by VPN. The security inspection unit 25 performs a security inspection of packets exchanged with the terminal device 10. The route control unit 26 functions as a return unit that returns the packet transmitted from the terminal device 10 via the VPN. The communication agent storage unit 28 stores communication agents. The “communication agent” in the present embodiment refers to a mechanism (program) that performs communication on behalf of an application by, for example, a port forward function of OpenSSH (Open Secure Shell). The communication agent management unit 27 manages the communication agent provided to the terminal device 10 using the communication agent storage unit 28.

  Each component 21 to 27 in the gateway device 20 is realized by a cooperative operation of a computer mounted on the gateway device 20 and a program operating on a CPU mounted on the computer. The communication agent storage unit 28 is realized by an HDD or a RAM mounted on the gateway device 20. Alternatively, an external storage means may be used via a network.

  Further, the program used in this embodiment can be provided not only by communication means but also by storing it in a computer-readable recording medium such as a CD-ROM or USB memory. The program provided from the communication means or the recording medium is installed in the computer, and various processes are realized by the CPU of the computer sequentially executing the program.

  Next, the operation in this embodiment will be described. In the present embodiment, the terminal device 10 lent from the company is taken home, and the file stored in the NAS 7 is downloaded to the terminal device 10 by HTTP (Hypertext Transfer Protocol) while making a VPN connection to the in-house network system 2. Will be described as an example.

  First, the VPN connection process will be described with reference to the flowchart shown in FIG. 3, but basically the same process as before may be performed.

  That is, the user selects the use of the VPN in order to ensure the communication with the in-house network system 2 that maintains the security. For this purpose, the VPN connection request unit 13 is activated by performing a predetermined operation. .

  When activated, the VPN connection request unit 13 receives a VPN connection request from the user (step 111), and starts the VPN connection by transmitting the VPN connection request to the gateway device 20 (step 112).

  When the VPN connection accepting unit 23 in the gateway device 20 accepts the VPN connection request from the terminal device 10, the VPN connection accepting unit 23 cooperates with the VPN connection requesting unit 13 to generate the VPN communication units 14 and 24, respectively. VPN is established between them (step 113).

  When the VPN is established in this way, the route control unit 15 starts route control for guiding all communications by the application executed by the application execution unit 11 to the gateway device 20 (step 114). This may be realized, for example, by setting the default gateway of the terminal device 10 as the RAS server, that is, the gateway device 20 and deleting other routes.

  Thus, all access requests from the application to the local network system 1 including the NAS 7 are sent to the gateway device 20. As will be described later, since the terminal device 10 receives the communication agent transmitted from the gateway device 20, the path control unit 15 starts up a reception service (communication agent reception unit 151) for this purpose. Wait for reception. Also, for example, packet reception from the port 10022 of the VPN communication unit 14 is constantly monitored and waited.

  Next, a flow of processing when the user downloads a file stored in the NAS 7 to the terminal device 10 after the VPN connection processing is completed will be described with reference to the communication flowchart shown in FIG.

  First, when the user of the terminal device 10 activates an application (for example, a browser) by a predetermined operation and inputs and designates the address of the NAS 7, the activated application requests an access request for downloading a file stored in the NAS 7. Put out. When the path control unit 15 receives an access request to the NAS 7 (step 121), since the request source is a local process, the path control unit 15 transfers the transmission destination of the packet acquired according to the access request to the gateway device 20. Thereby, the path control unit 15 causes the VPN communication unit 14 to transmit the packet to the gateway device 20 that is the default gateway via the VPN (step 122).

  When the VPN communication unit 24 in the gateway device 20 receives a packet transmitted from the terminal device 10 via the VPN (step 221), the security inspection unit 25 executes a security inspection of the received packet (step 222). For example, a virus scan that transparently checks whether a virus is included in the HTTP content is executed. Note that the inspection may be performed not when the packet is received (when the request is sent to the NAS 7) but when the packet is returned.

  Subsequently, the path control unit 26 acquires the destination and the communication destination port by analyzing the destination of the received packet (step 223). Here, since the destination of the packet is NAS 7 as in this example, the path control unit 26 notifies the communication agent management unit 27 of the set of the destination and the communication destination port when it is on the local network system 1 side. Note that the destination of the packet may be determined by the route control unit 26 using a network address, or information may be provided to the terminal device 10.

  The communication agent management unit 27 retrieves the communication agent corresponding to the notified combination of the destination and the communication destination port from the communication agent storage unit 28. If the communication agent does not exist, a communication agent is newly generated and activated, and an entry and a communication agent including a destination, a communication destination port, a communication agent ID, and a redirect port are registered in the communication agent storage unit 28 ( Step 224).

  In this way, when the communication agent management unit 27 sends a communication agent corresponding to the combination of the destination of the received packet and the communication destination port to the route control unit 26, the route control unit 26 sends the communication agent to the VPN communication. The unit 24 is transferred to the terminal device 10 via the VPN (step 225). The communication agent receiving unit 151 receives and activates the communication agent transferred from the gateway device 20 (step 124). If the communication agent has previously transferred, there is no need to retransmit.

  For example, in the case of OpenSSH, assuming that the address of NAS7 is 10.0.0.254, the communication destination port is 80, the address of the VPN communication unit 14 is 172.16.0.1, and the redirect port is 10080, “Opensh -p 10022 -L 10080: 10.0.0.254: 80 172.16.0.1 ". When the SSH connection is completed, the port 10080 is transferred to the port 80.0.0254. More specifically, the path control unit 26 performs a process of redirecting a packet addressed to 10.0.0.254:80 from the VPN communication unit 24 to 10080.

  After transferring the communication agent, the route control unit 26 returns the received packet to the terminal device 10 (step 226).

  The route control unit 15 in the terminal device 10 receives the packet returned from the gateway device 20, but the packet received from the 10022 port of the VPN communication unit 14 is a packet of the packet under the control of the communication agent. It is transferred to the original NAS 7 (step 126).

  In FIG. 1, the route of the packet addressed to the NAS 7 sent from the above-described application is indicated by Rn (n = 1 to 11). As is clear from FIG. 1, when the path control unit 15 in the present embodiment acquires a packet in response to an access request to the NAS 7 from the application, the route control unit 15 transmits the packet via the VPN instead of the original destination NAS 7. To the gateway device 20. On the other hand, in the case of a packet redirected by the gateway device 20 and returned via the VPN, the path control unit 15 transmits the packet to the NAS 7 that is the original destination. In this way, the user of the terminal device 10 can be made to access the NAS 7 without setting a troublesome policy. Further, since the network device on the local network system 1 side is accessed via the in-house network system 2 in which security measures are sufficiently taken compared to the home, security is also maintained. .

Embodiment 2. FIG.
FIG. 5 is a block diagram of the remote access service system in the present embodiment. In addition, although the name of a component etc. is abbreviate | omitted on drawing, the same code | symbol is attached | subjected to the same component as Embodiment 1, and description is abbreviate | omitted suitably. However, in the case of this embodiment, since two sets of local network systems 1a and 1b are connected to the Internet 3, they are distinguished from each other by adding subscripts “a” and “b”. The hardware configuration in the present embodiment may be the same as that in the first embodiment.

  In the first embodiment, the case where the terminal device 10 accesses the NAS 7 in the same local network system 1 has been described as an example. In this embodiment, it is a case of accessing a network device existing in a different local network system. Specifically, the terminal device 10a included in the local network system 1a accesses the NAS 7b included in a different local network system 1b. Basically, the same processing as in the first embodiment is performed. Good.

  In other words, after establishing the VPN, when the path control unit 15a acquires an access request to the NAS 7b, the path control unit 15a transmits the packet addressed to the NAS 7b acquired at that time to the gateway device 20 via the VPN. The route control unit 26 in the gateway device 20 refers to the destination of the packet sent from the terminal device 10a and transmits it to the local network system 1b including the NAS 7b via the VPN. At this time, the route control unit 26 transmits the communication agent to the terminal device 10b if it has not been transmitted in advance. The route control unit 15b in the terminal device 10b transfers the packet transmitted from the gateway device 20 via the VPN to the NAS 7b.

  In FIG. 5, the route of the packet addressed to the NAS 7b sent from the application operating on the terminal device 10a is indicated by Rn (n = 1 to 11). As is clear from FIG. 5, when the path control unit 15a in the present embodiment acquires a packet in response to an access request to the NAS 7b from the application, the path control unit 15a directly transmits the packet to the original destination NAS 7b. Rather than via the VPN. The route control unit 26 in the gateway device 20 refers to the destination of the transmitted packet and transmits it to the local network system 1b. The path control unit 15b transfers the packet transmitted from the gateway device 20 via the VPN to the NAS 7b that is the original destination.

  As described above, according to the present embodiment, an application can be applied to a network device included in a local network system 1b that is different from the operating local network system 1a without setting a troublesome policy. Since each terminal device 10a, 10b is able to access and send / receive packets via the in-house network system 2 with sufficient security measures, security is also maintained. Yes.

1, 1a, 1b Local network system, 2 in-house network system, 3 Internet, 4 broadband router, 6,9 network, 7 NAS, 8 PC, 10, 10a, 10b terminal device, 11 application execution unit, 12, 22 communication unit , 13 VPN connection request unit, 14, 24 VPN communication unit, 15, 15a, 15b, 26 route control unit, 20 gateway device, 21 intra-area communication unit, 23 VPN connection reception unit, 25 security inspection unit, 27 communication agent management Unit, 28 communication agent storage unit, 31 CPU, 32 ROM, 33 RAM, 34 hard disk drive (HDD), 35 mouse, 36 keyboard, 37 display, 38 I / O controller, 39 network controller, 40 internal bus.

Claims (6)

An information processing apparatus connected to a local network together with network devices and equipped with a client remote access service function;
A gateway device connected to an external network different from the local network and equipped with a server remote access service function;
A virtual private network connecting the information processing device and the gateway device;
Have
The information processing apparatus has first transmission means for transmitting a packet addressed to the network device acquired in response to a request for access to the network device from a user to the gateway device via the virtual private network,
The gateway device has return means for returning the packet transmitted by the first transmission means to the information processing apparatus via the virtual private network;
The information processing apparatus includes second transmission means for transmitting the packet returned from the gateway device via the virtual private network to the network device in response to transmission by the first transmission means.
A remote access service system characterized by that. A packet addressed to the network device acquired in response to an access request from a user to a network device connected to the same local network is transmitted to a gateway device connected to an external network different from the local network via a virtual private network. First transmitting means for
Second transmission means for transmitting the packet returned from the gateway device via the virtual private network to the network device in response to transmission by the first transmission means;
An information processing apparatus comprising: In the gateway device connected to an external network different from the local network to which the information processing device and the network device are connected,
A packet addressed to the network device acquired by the information processing device in response to an access request from the user to the network device and transmitted from the information processing device via the virtual private network is transferred to the virtual private network. A gateway device comprising return means for returning the information to the information processing device. Computer
A packet addressed to the network device acquired in response to an access request from a user to a network device connected to the same local network is transmitted to a gateway device connected to an external network different from the local network via a virtual private network. First transmitting means for
Second transmission means for transmitting the packet returned from the gateway device via the virtual private network to the network device in response to transmission by the first transmission means;
Program to function as. A computer mounted on a gateway device connected to an external network different from the local network to which the information processing device and the network device are connected,
A packet addressed to the network device acquired by the information processing device in response to an access request from the user to the network device and transmitted from the information processing device via the virtual private network is transferred to the virtual private network. A program for functioning as a return means for returning to the information processing apparatus. A first information processing apparatus equipped with a client remote access service function;
A second information processing apparatus connected to a local network together with a network device and equipped with a client remote access service function;
A gateway device connected to an external network different from a local network to which the first information processing device and the second information processing device are connected, and equipped with a server remote access service function;
A virtual private network connecting each of the first information processing apparatus and the second information processing apparatus and the gateway apparatus;
Have
The first information processing apparatus includes first transmission means for transmitting a packet addressed to the network device acquired in response to a request for access to the network device from a user to the gateway device via the virtual private network. ,
The gateway device includes a transfer unit configured to transfer the packet transmitted by the first transmission unit to the second information processing device via the virtual private network;
The second information processing apparatus includes second transmission means for transmitting the packet transferred from the gateway apparatus via the virtual private network to the network device in response to transmission by the first transmission means.
A remote access service system characterized by that.

Images