JP2023157298A - Communication system, information acquisition method, and program - Google Patents

Abstract

To allow packet information that can be acquired by a user to be limited in a communication system in which the packet information can be acquired from a terminal device using a communication device in a local network.SOLUTION: A communication system includes: a communication device that is connected to a first network and acquires packet information in the first network; and a server device that is connected to a second network different from the first network and can communicate with the communication device. The server device includes an acquisition control unit that controls acquisition of the packet information by the communication device in response to a request from a user, and a reception unit that receives setting information that limits the packet information that the user can acquire using the communication device.SELECTED DRAWING: Figure 3

Description

The present invention relates to a communication system, an information acquisition method, and a program.

In recent years, due to work style reforms and the spread of telecommuting, there has been an increasing need for remote access to access various services provided by a destination device connected to a local network from an access source device connected to an external network. There is.

Further, there is known an information processing device that is communicably connected to an external device in a remote location and filters packets received from the external device according to filter information in which address information including device identification information that can identify the device is registered. (For example, see Patent Document 1).

In remote access systems, there is a demand for acquiring and analyzing packet information within a local network, for example, when access from an access source terminal to a service provided by an access destination terminal fails.

In such a case, in the conventional technology, administrator authority is required in order to obtain packet information from the access source terminal using a communication device within the local network. However, if a user is given administrator authority, the user can obtain all packet information in the local network, and there is a problem in that the packet information that the user can obtain cannot be restricted.

An embodiment of the present invention has been made in view of the above-mentioned problems, and provides a communication system in which packet information can be acquired from a terminal device using a communication device in a local network. Enable to limit packet information.

In order to solve the above problems, a communication system according to an embodiment of the present invention includes a communication device that connects to a first network and acquires packet information in the first network; A communication system including a server device connected to a different second network and capable of communicating with the communication device, wherein the server device causes the communication device to acquire the packet information in response to a request from a user. The information processing apparatus includes an acquisition control unit that controls, and a reception unit that receives setting information that limits the packet information that the user can acquire using the communication device.

According to an embodiment of the present invention, in a communication system in which packet information can be acquired from a terminal device using a communication device in a local network, it becomes possible to limit the packet information that a user can acquire.

1 is a diagram illustrating an example of a system configuration of a communication system according to an embodiment. FIG. 1 is a diagram illustrating an example of a hardware configuration of a computer according to an embodiment. FIG. 1 is a diagram illustrating an example of a functional configuration of a communication system according to an embodiment. FIG. 1 is a diagram (1) illustrating an example of information managed by a communication system according to an embodiment. FIG. 2 is a diagram (2) illustrating an example of information managed by the communication system according to an embodiment. FIG. 2 is a sequence diagram illustrating an example of setting processing according to the first embodiment. It is a figure (1) showing an example of a setting screen concerning a 1st embodiment. FIG. 2 is a diagram (2) showing an example of a setting screen according to the first embodiment. FIG. 2 is a sequence diagram (1) illustrating an example of packet information acquisition processing according to the first embodiment. FIG. 3 is a sequence diagram (2) illustrating an example of packet information acquisition processing according to the first embodiment. FIG. 3 is a diagram showing an example of a reception screen according to the first embodiment. FIG. 3 is a diagram showing an image of a packet information display screen according to the first embodiment. FIG. 7 is a sequence diagram illustrating an example of notification processing according to the second embodiment. FIG. 7 is a diagram (1) illustrating an example of a setting screen for notification processing according to the second embodiment. FIG. 12 is a diagram (2) illustrating an example of a setting screen for notification processing according to the second embodiment.

Embodiments of the present invention will be described in detail below with reference to the drawings.
<System configuration>
FIG. 1 is a diagram illustrating an example of a system configuration of a communication system according to a first embodiment. The communication system 1 includes, for example, an application server 11, a service platform 12, and a relay server 13 that connect to a communication network 2 such as the Internet, a secure box 14 that connects to a local network 100, and the like. The communication system 1 also connects to each of one or more remote networks 110a, 100b, . This includes the management terminal 5, etc. used by the above. In the following description, "remote network 110" is used to refer to any remote network among one or more remote networks 110a, 100b, . . . .

The communication system 1 is a system for using a service provided by a user terminal 111 connected to an external network, an access destination terminal connected to the local network via a secure box 14 connected to the local network 100.

The remote network 110 is an example of an external network (second network) that is different from the local network (first network) 100 and is provided at, for example, a home or a remote office. The user terminal 111 is not limited to the remote network 110, but can be connected to a communication network 2 such as the Internet using a WAN (Wide Area Network), a public wireless LAN (Local Area Network), etc. from outside the home, for example. You can leave it there. Note that the communication network 2 is another example of an external network (second network) different from the local network (first network) 100. Here, as an example, the following explanation will be given assuming that the user terminal 111 is connected to a remote network 110 provided at a user's home or the like.

The user terminal (second terminal device) 111 is an information terminal equipped with a web browser function, such as a PC (Personal Computer), a tablet terminal, or a smartphone, which is used by a user. The user terminal 111 can access the application server 11, the relay server 13, etc. via the remote network 110 and the communication network 2.

The local network 100 is a network, such as an in-house LAN (Local Area Network), in which access from external networks such as the communication network 2 or the remote network 110 is restricted by a firewall or the like. Note that the local network 100 is an example of a first network to which the secure box (communication device) 14 is connected.

In FIG. 1, it is assumed that the service platform 12 and the secure box 14 are configured in advance to be able to communicate, for example, using a communication protocol such as MQTT (Message Queue Telemetry Transport). Further, it is assumed that access from the user terminal 111, relay server 13, etc. to the secure box 14, information processing device 101, image forming device 102, etc. in the local network 100 is prohibited.

The information processing device (access destination terminal) 101 is an information processing device such as a PC connected to the local network 100, and provides a predetermined service such as a remote desktop service. The image forming apparatus (access destination terminal) 102 is an electronic device connected to the local network 100, and provides a predetermined service such as a FAX service, for example.

Note that the information processing device 101 and the image forming device 102 are examples of access destination terminals that are connected to the local network 100 and provide predetermined services. The access destination terminal may be, for example, a PJ (Projector), an IWB (Interactive White Board: a whiteboard having an electronic blackboard function that allows mutual communication), a digital signage, or the like. Further, the access destination terminal may be, for example, an industrial machine, an imaging device, a sound collection device, a medical device, a network appliance, a smartphone, a tablet terminal, a game console, a PDA (Personal Digital Assistant), a digital camera, or the like.

The management terminal (first terminal device) 5 is, for example, an administrator (such as a system administrator) who manages the communication system 1 or an administrator who manages users who use the user terminal 111 using the communication system 1. This is an information terminal equipped with a web browser function that is used by people (such as managers).

The application server 11 is, for example, an information processing device having a computer configuration, or a system including a plurality of information processing devices. For example, the application server 11 uses the communication system 1 to send web content, etc. to the user terminal 111 for use at a terminal to be accessed, such as the information processing device 101 or the image forming device 102 in the local network 100. It has the function of a web server that provides services.

Furthermore, the application server 11 according to the present embodiment provides the user terminal 111 with web content that displays a reception screen that accepts an acquisition request requesting to acquire packet information in the local network 100. Further, the application server 11 according to the present embodiment provides the management terminal 5 with web content that displays a setting screen for setting setting information that limits the packet information that the user can obtain using the secure box 14.

The service platform 12 is, for example, an information processing device having a computer configuration or a system including a plurality of information processing devices. The service platform 12 cooperates with the application server 11 to execute device management processing for managing communication devices such as the secure box 14 . The service platform 12 also performs authentication processing for authenticating a user, administrator, secure box 14, etc., for example.

The relay server 13 is, for example, an information processing device having a computer configuration or a system including a plurality of information processing devices. Relay server 13 relays communication between user terminal 111 and secure box 14.

Note that the functions of the application server 11 and the service platform 12 may be realized by one management server 10, or may be realized by more server devices. Further, the service platform 12 may be provided outside the management server 10 or may use a service outside the communication system 1. In this way, the application server 11 and the service platform 12 can have various system configurations, so in the following description, the application server 11 and the service platform 12 may be simply referred to as the management server 10 without making a particular distinction. . Furthermore, the management server 10 may further have the function of the relay server 13.

The secure box (communication device) 14 is, for example, a communication device or an information processing device that has a computer configuration and a communication function. The secure box 14 connects to the relay server 13 under the control of the management server 10, and provides security between the user terminal 111 and the access destination terminal (information processing device 101 or image forming device 102) connected to the local network 100. relays communications. Note that the secure box 14 is an example of a communication device connected to the local network (first network) 100.

In the above system configuration, the user terminal 111 can connect to the communication network 2 from the remote network 110, but cannot access the information processing device 101 and image forming device 102 connected to the local network 100. Can not.

Conventionally, in such cases, in order to communicate from the user terminal 111 to the access destination terminal connected to the local network 100, the communication was encrypted using, for example, a VPN (Virtual Private Network).

For example, IPsec (Internet Protocol Security) is known as a method for connecting a user terminal 111 connected to the remote network 110 to an access destination terminal connected to the local network 100 using a VPN. When using this method, an administrator or the like needs to appropriately configure network settings, such as router routing settings and firewall access control list settings, so that communication can be performed correctly using IPsec.

Therefore, in the communication system 1 according to the present embodiment, a secure box 14 that performs encrypted communication with the management server 10 is installed in the local network 100, and access from the user terminal 111 via the management server 10 and the secure box 14 is provided. Perform encrypted communication with the destination terminal. As a result, a user using the user terminal 111 can securely communicate with an access destination terminal connected to the local network 100 with simple settings.

(Overview of connection processing)
In the above system configuration, when a user using the user terminal 111 uses a remote desktop service provided by the information processing device 101, for example, a user uses a web browser or the like to access a predetermined web page provided by the application server 11. to access. The user can request a connection to, for example, a remote desktop service provided by the information processing device 101 (or a fax service provided by the image forming device 102, etc.) by selecting the service he or she wishes to use from this web page. I can do it. Note that the user is not limited to the web browser included in the user terminal 111, but can access a predetermined web page by using, for example, an application program (hereinafter referred to as an application) for the communication system 1 that has a web browser function. May be accessed.

When the application server 11 receives a connection request from the user terminal 111, it generates (issues) a session ID, which is identification information for identifying a session, for example. Further, the application server 11 uses the service platform 12 to notify the secure box 14 of the generated session ID and requests connection to the relay server 13, and also sends the session ID to the user terminal 111 that made the request. Notice.

In accordance with the request from the management server 10, the secure box 14 connects to the relay server 13 using the first encrypted communication 3 using the notified session ID. For example, the secure box 14 establishes a session with the relay server 13 through first encrypted communication 3 using Web Socket over HTTPS (Hypertext Transfer Protocol Secure) (hereinafter referred to as WWS).

Further, the user terminal 111 uses the session ID notified from the management server 10 to connect to the relay server 13 using the second encrypted communication 4. For example, the user terminal 111 establishes a session with the relay server 13 using second encrypted communication 4 using WWS.

The relay server 13 allows the user terminal 111 and the secure box 14, which have established a session with the relay server 13 using the same session ID (identification information), to participate in the same session. Relay communication between For example, the relay server 13 communicably connects the user terminal 111 and the secure box 14 by tunneling the first encrypted communication 3 and the second encrypted communication 4.

Preferably, the secure box 14 has a protocol conversion function for using, for example, a remote desktop service provided by the information processing device 101 connected to the local network 100 from a web browser of the user terminal 111. For example, the secure box 14 converts an RDP (Remote Desktop Protocol) format remote desktop screen from a remote desktop service provided by the information processing device 101 into image data in a format that can be displayed on the web browser of the user terminal 111. Furthermore, the secure box 14 converts the WWS operation information received from the user terminal 111 into RDP format operation information and sends it to the remote desktop service.

Through the above processing, the user terminal 111 can easily use the remote desktop service provided by the information processing device 101 connected to the local network 100 without having to perform complicated tasks such as changing the network configuration. become able to.

(About the assignment)
In the communication system 1 shown in FIG. 1, a request is made from a user terminal 111 to obtain and analyze packet information in the local network 100, for example when access to a remote desktop service provided by the information processing device 101 fails. be.

In such a case, in the conventional technology, administrator authority is required in order to obtain packet information from the access source terminal using a communication device within the local network. However, if a user is given administrator authority, the user can obtain all packet information in the local network, and there is a problem in that the packet information that the user can obtain cannot be restricted.

Therefore, the management server 10 according to the present embodiment has a function of controlling the acquisition of packet information by the secure box 14 and a function of restricting the packet information that the user can acquire using the secure box 14, in response to a request from the user. It has a function to accept setting information. As a result, according to the communication system 1 according to the present embodiment, in the communication system 1 in which packet information can be obtained from the user terminal 111 using the secure box 14 in the local network 100, the packet information that the user can obtain is limited. become able to.

Note that the system configuration of the communication system 1 shown in FIG. 1 is an example. For example, in the example of FIG. 1, the local network 100 is connected to the communication network 2 via the secure box 14. However, this is just an example, and the local network 100 may be connected to the communication network 2 via a router, a firewall, or the like. In this case, the secure box 14 communicates with the service platform 12 and relay server via a router and a firewall.

Further, the secure box 14 is an example of a communication device connected to the local network 100. The communication device may be, for example, a server device that has a communication function and executes a predetermined program. Furthermore, the communication network 2 may include, for example, a connection section using mobile communication or wireless communication such as a wireless LAN.

<Hardware configuration>
The user terminal 111, the information processing device 101, the management terminal 5, and the like have, for example, the hardware configuration of a computer 200 as shown in FIG. Further, the application server 11, service platform 12, relay server 13, management server 10, etc. are realized by one or more computers 200.

FIG. 2 is a diagram illustrating an example of the hardware configuration of a computer according to an embodiment. For example, as shown in FIG. 2, the computer 200 includes a CPU (Central Processing Unit) 201, a ROM (Read Only Memory) 202, a RAM (Random Access Memory) 203, an HD (Hard Disk) 204, and an HDD (Hard Disk Drive). ) controller 205, display 206, external device connection I/F (Interface) 207, one or more network I/F 208, keyboard 209, pointing device 210, DVD-RW (Digital Versatile Disk Rewritable) drive 212, media I/F 214 , and a bus line 215.

Among these, the CPU 201 controls the operation of the computer 200 as a whole. The ROM 202 stores a program used to start the computer 200, such as an IPL (Initial Program Loader). The RAM 203 is used, for example, as a work area for the CPU 201. The HD 204 stores programs such as an OS (Operating System), applications, device drivers, and various data. The HDD controller 205 controls reading and writing of various data to the HD 204 under the control of the CPU 201, for example.

The display 206 displays various information such as a cursor, menu, window, characters, or images. Note that the display 206 may be provided outside the computer 200. The external device connection I/F 207 is, for example, an interface such as a USB (Universal Serial Bus) for connecting an external device to the computer 200. One or more network I/Fs 208 are interfaces for data communication using, for example, the communication network 2, the local network 100, or the remote network 110.

The keyboard 209 is a type of input means that includes a plurality of keys for inputting characters, numbers, various instructions, and the like. The pointing device 210 is a type of input means for selecting and executing various instructions, selecting a processing target, moving a cursor, and the like. Note that the keyboard 209 and pointing device 210 may be provided outside the computer 200.

The DVD-RW drive 212 controls reading and writing of various data to the DVD-RW 211, which is an example of a removable recording medium. Note that the DVD-RW 211 is not limited to the DVD-RW, and may be any other removable recording medium. The media I/F 214 controls reading or writing (storage) of data to the media 213 such as a flash memory. The bus line 215 includes an address bus, a data bus, various control signals, etc. for electrically connecting each of the above components.

Note that the configuration of the computer 200 shown in FIG. 2 is an example. The computer 200 may have any other configuration as long as it includes, for example, a CPU 201, a ROM 202, a RAM 203, one or more network I/Fs 208, and a bus line 215. Further, for example, the hardware configuration of the access destination terminal such as the image forming apparatus 102 may be any configuration as long as it has a communication function and a computer configuration.

<Functional configuration>
Next, the functional configuration of each device and server related to the communication system 1 will be explained. FIG. 3 is a diagram illustrating an example of a functional configuration of a communication system according to an embodiment.

(Functional configuration of management server)
The management server (server device) 10, for example, executes a predetermined program on one or more computers 200, so that the reception section 301, the communication control section 302, the acquisition control section 303, the notification section 304, the authentication section 305, and the device It implements a management section 306, an information management section 307, a storage section 308, and the like. Note that at least some of the above functional configurations may be realized by hardware.

The reception unit 301 is realized, for example, by a program executed by the CPU 201 included in the application server 11, and receives various request information such as a connection request from the user terminal 111, a request to obtain packet information, or a setting request from the management terminal 5. Execute the reception process to accept the request. For example, the reception unit 301 functions as a web server that provides web content such as a web UI (User Interface) for using services provided by the management server 10 and a web API (Application Programming Interface).

The communication control unit 302 is realized, for example, by a program executed by the CPU 201 included in the application server 11, and establishes a communication session between the user terminal 111 and the secure box 14 in response to a request from the user terminal 111. Executes communication control processing. For example, the communication control unit 302 generates a session ID in response to a connection request from the user terminal 111, and notifies the secure box 14 and the requesting user terminal 111 of the generated session ID.

The secure box 14 and the user terminal 111 connect to the relay server 13 using the session ID notified from the communication control unit 302. Furthermore, the relay server 13 allows the secure box 14 and the user terminal 111 connected to the relay server 13 using the same session ID to participate in the same session, and relays communication between the secure box 14 and the user terminal 111. This allows the user terminal 111 to use, for example, a remote desktop service provided by the information processing device 101 in the local network 100 via the secure box 14.

The acquisition control unit 303 is realized, for example, by a program executed by the CPU 201 included in the application server 11, and executes an acquisition control process to control acquisition of packet information by the secure box (communication device) 14 in response to a request from a user. do. For example, the acquisition control unit 303 causes the secure box 14 to start and stop acquiring packet information, and the secure box 14 provides acquired packet information, in response to a request from a user.

The notification unit 304 is realized, for example, by a program executed by the CPU 201 included in the application server 11, and monitors packets in the local network 100 using the secure box 14, and notifies the administrator etc. when predetermined conditions are met. Execute the notification processing to be performed. For example, the notification unit 304 may display a message or a notification screen on the management terminal 5 or the like indicating that a predetermined condition has been met, or may send an e-mail, chat, SMS (Short Message Service), etc. may be used to notify the administrator.

The authentication unit 305 is realized, for example, by a program executed by the CPU 201 or the like included in the service platform 12 (hereinafter referred to as service PF 12). The authentication unit 305 executes authentication processing to authenticate, for example, a user who uses the user terminal 111, an administrator who uses the management terminal 5, or the secure box 14 connected to the management server 10. Note that the communication system 1 may perform authentication processing using, for example, an external authentication server or the like.

The device management unit 306 is realized, for example, by a program executed by the CPU 201 included in the service PF 12, and executes device management processing for managing communication devices such as the secure box 14 connected to the local network 100. For example, the device management unit 306 establishes communication (for example, constant connection using MQTT) between the secure box 14 and the management server 10 in response to a request from the secure box 14 connected to the local network 100. Thereby, each functional configuration included in the management server 10 can communicate with the secure box 14 using the device management section 306.

The information management unit 307 is realized, for example, by a program executed by the CPU 201 included in the application server 11, and stores and manages various information managed by the communication system 1 in the storage unit 308 and the like.

The storage unit 308 is realized by, for example, a program executed by the CPU 201 included in the management server 10, the HD 204, the HDD controller 205, and the like, and stores various information managed by the communication system 1. Note that examples of information managed by the communication system 1 will be described later.

Note that the functional configuration of the management server 10 shown in FIG. 3 is an example. Each functional configuration included in the management server 10 can be realized by a program executed by any computer 200 included in the management server 10. Further, the relay server 13 may be provided inside the management server 10.

(Functional configuration of secure box)
Before explaining the functional configuration of the secure box 14, an overview of an example of the local network 100 will be explained. In the example of FIG. 3, the local network 100 is connected to the communication network 2 via a router 321 and a firewall 322. Further, a secure box 14, an information processing device 101, an image forming device 102, and the like are connected to the local network 100. Note that the local network 100 is not limited to the information processing apparatus 101 and the image forming apparatus 102, and various information processing apparatuses, electronic devices, or systems may be connected. Further, since the router 321 and the firewall 322 are existing general network devices, their explanations will be omitted here.

Next, the functional configuration of the secure box 14 will be explained. The secure box (communication device) 14 realizes a communication section 311, a control section 312, a relay section 313, an acquisition section 314, a storage section 315, etc. by executing a predetermined program on a computer 200 included in the secure box 14. ing. Note that at least some of the above functional configurations may be realized by hardware.

The communication unit 311 connects the secure box 14 to the local network 100 using, for example, the network I/F 208 and performs communication processing to communicate with other devices.

The control unit 312 executes control processing to control the entire secure box 14. For example, when the secure box 14 is activated, the control unit 312 establishes communication (for example, constant connection using MQTT) between the secure box 14 and the management server 10. Further, the control unit 312 controls the communication unit 311, the relay unit 313, the acquisition unit 314, etc. according to control information from the management server 10.

For example, the relay unit 313 establishes a session with the relay server 13 using the first encrypted communication 3 using the session ID notified from the management server. The relay unit 313 also connects to an access source terminal (for example, the user terminal 111) via the relay server 13, and connects the access source terminal and the access destination service (for example, a remote desktop provided by the information processing apparatus 101). services). Furthermore, the relay unit 313 executes conversion processing to mutually convert the protocol used by the access source terminal and the protocol used by the access destination terminal, as necessary.

The acquisition unit 314 executes an acquisition process to acquire packet information in the local network 100 according to control information from the management server 10 .

The storage unit 315 is realized by a program executed by the CPU 201 etc. included in the secure box 14, the HD 204, the HDD controller 205, etc., and stores various information such as setting information of the secure box 14 and packet information acquired by the acquisition unit 314. remember.

Note that the secure box 14 is an example of a communication device that connects to the local network (first network) 100 and acquires packet information in the local network 100. For example, each functional configuration of the secure box 14 shown in FIG. 3 may be realized by a program executed by a server device, an information terminal, a firewall, or the like connected to the local network 100.

(Functional configuration of user terminal and management terminal)
The user terminal 111 includes a general web browser 323. Alternatively, the web browser 323 may be realized by an application having a web browser function executed by the user terminal 111. Similarly, the management terminal 5 includes a general web browser 324. Alternatively, the web browser 324 may be realized by an application having the function of a web browser executed by the management terminal 5.

Note that the functional configuration of the relay server 13 is not related to the packet acquisition process according to the present embodiment, and therefore a description thereof will be omitted here.

<Information managed by the communication system>
4 and 5 are diagrams illustrating examples of information managed by the communication system according to one embodiment.

(user list)
FIG. 4(A) shows an image of an example of a user list 401 managed by the communication system 1. The information management unit 307 stores and manages, for example, a user list 401 as shown in FIG. 4(A) in a storage unit 308 or the like. In the example of FIG. 4A, the user list 401 includes information such as "user ID", "user name", "password", "role", and "display name" as items.

“User ID” is identification information that identifies a user registered in the communication system 1 (or management server 10). Note that the users include, for example, a user who uses the user terminal 111, an administrator who uses the management terminal 5, and the like. "User name" is information indicating the user's name, etc. "Password" is an example of authentication information for authenticating a user. The authentication information may be, for example, an electronic certificate, a card ID, or biometric information other than a password.

For example, the authentication unit 305 of the management server 10 allows the user to log in if the combination of user ID and password included in the login information requesting the management server 10 to log in is stored in the user list 401. .

“Role” is information indicating the user's role (for example, the role of administrator, general user, etc.). A user who has the role of administrator (hereinafter referred to as administrator) can perform various settings regarding the communication system 1 by logging into the management server 10 using the management terminal 5. A user having the role of general user (hereinafter referred to as a user) can use the user terminal 111 to use remote access services, packet information acquisition services, etc. provided by the communication system 1. Note that the administrator can also use the remote access service, packet information acquisition service, etc. provided by the communication system 1 using the management terminal 5 or the user terminal 111.

The “display name” is information used on various display screens provided by the management server 10 and indicates the user's name and the like. Note that the user name and display name may be the same information. Further, the user list 401 does not need to include display name information.

(user group list)
FIG. 4(B) shows an image of an example of the user group list 402 managed by the communication system 1. The management server 10 stores and manages, for example, a user group list 402 as shown in FIG. 4(B) in a storage unit 308 or the like. In the example of FIG. 4B, the user group list 402 includes information such as "user group ID,""user group name," and "member list" as items.

"User group ID" is identification information that identifies a user group. Note that the user group is a group of users registered in the management server 10, and is a group of users in arbitrary units such as department, floor, or building, for example. Here, as an example, the following explanation will be given assuming that the group corresponds to the department to which the user belongs.

"User group name" is information indicating the name of the above-mentioned user group. In the example of FIG. 4(B), the user group name indicates the department name. The "member list" is a list of user IDs of users included in the user group.

(Service list)
FIG. 4C shows an image of an example of the service list 403 managed by the communication system 1. The management server 10 stores and manages, for example, a service list 403 as shown in FIG. 4(C) in a storage unit 308 or the like. In the example of FIG. 4C, the service list 403 includes information such as "user group ID", "service ID", "service name", "type", "device ID", and "destination" as items. include.

As described above, the "user group ID" is identification information that identifies a user group. The "service ID" is identification information that identifies each service, such as a remote desktop service and a FAX service, for example. “Service name” is information indicating the name given to each service. "Type" is information representing the type of each service such as remote desktop service and FAX service, where "RDP" corresponds to remote desktop service and "FAX" corresponds to FAX service.

“Device ID” is identification information that identifies the secure box (communication device) 14 used in each service. “Destination” is information indicating the IP address (address information), port number (port information), protocol (protocol information), etc. of the secure box 14 used in each service. For example, when the management server 10 receives a request to use a service with the service name "Information Department Shared PC" from a user included in the user group with the user group ID "g_001", the management server 10 requests the secure box 14 with the device ID "d_1101" to use the service. Select. Specifically, the management server 10 uses the IP address "192.18.1.10", the port number "443", and the protocol "TCP" to send the session ID to the secure box 14 with the device ID "d_1101". and instructs connection to the relay server 13.

(permission list)
FIG. 5A shows an image of an example of a permission list 501 managed by the communication system 1. The permission list 501 stores information such as "permitted IP address,""permittedport," and "permitted protocol" for each user, user group, or role.

“Allowed IP address” indicates an IP address that allows the corresponding user, user group, or role to acquire packet information. Note that "any" indicates that acquisition of packet information of all IP addresses is permitted.

"Permitted port" indicates a port number that allows the corresponding user, user group, or role to obtain packet information. Note that "any" indicates that acquisition of packet information of all port numbers is permitted.

“Permitted protocol” indicates a protocol that allows the corresponding user, user group, or role to acquire packet information. Note that "any" indicates that acquisition of packet information of all protocols is permitted.

(reject list)
FIG. 5(B) shows an image of an example of the rejection list 502 managed by the communication system 1. The rejection list 502 stores information such as "rejected IP address", "rejected port", and "rejected protocol" for each user, user group, or role. Note that "Everyone" in the user, user group, and role indicates all users registered in the management server 10.

The "denied IP address" indicates an IP address that refuses to obtain packet information for the corresponding user, user group, or role. Note that "any" indicates that acquisition of packet information of all IP addresses is refused.

"Reject port" indicates a port number that refuses to obtain packet information for the corresponding user, user group, or role. Note that "any" indicates that acquisition of packet information for all port numbers is refused.

"Reject protocol" indicates a protocol that denies acquisition of packet information to a corresponding user, user group, or role. Note that "any" indicates that acquisition of packet information of all protocols is refused.

In addition, in this embodiment, the priority of the setting values of the permission list 501 and the rejection list 502 is set as follows.
Permission list setting value > Rejection list setting value User setting value > Role setting value As a result, even if the user is denied the acquisition of certain packet information in the rejection list 502, the user can receive the packet information in the permission list 501. If acquisition is permitted, the packet information can be acquired. Furthermore, for example, the role of the user with the user ID "u_00001" is "general user", but as shown in FIG. 1.10" can be obtained.

<Processing flow>
Next, the flow of processing of the information acquisition method according to this embodiment will be explained.

[First embodiment]
(Setting process)
FIG. 6 is a sequence diagram illustrating an example of setting processing according to the first embodiment. This process is an example of a process in which the administrator uses the management terminal 5 to set, for example, a permission list 501 as shown in FIG. 5(A) or a deny list 502 as shown in FIG. 5(B). It shows. It is assumed that at the start of the process shown in FIG. 6, the administrator has already logged into the management server 10 using the management terminal 5.

In step S601, the administrator operates the web browser 324 of the management terminal 5 to display a setting screen. For example, the administrator uses the web browser 324 of the management terminal 5 to input a URL (Uniform Resource Locator) for displaying a setting screen, select a bookmark, or the like.

In step S602, the web browser 324 of the management terminal 5, upon receiving the administrator's operation to display the settings screen, requests the management server 10 to display the settings screen.

In step S603, the reception unit 301 of the management server 10 transmits, for example, a setting screen (web UI) 700 as shown in FIG. 7 to the management terminal 5 in response to a request from the management terminal 5. Thereby, in step S604, the web browser 324 of the management terminal 5 displays the setting screen 700.

7 and 8 are diagrams showing examples of setting screens according to the first embodiment. In the example of FIG. 7, the setting screen 700 includes a setting field 710 for setting a permission list 501 as shown in FIG. 5(A), and a setting field 710 for setting a deny list 502 as shown in FIG. 5(B). Setting fields 720 and the like are displayed.

A setting column 710 for setting the permission list 501 displays a list 711 of setting values set in the permission list 501 and a button 712 for adding items to the permission list 501. Further, in a setting column 710 for setting the rejection list 502, a list 721 of setting values set in the rejection list 502 and a button 722 for adding an item to the rejection list 502 are displayed.

For example, when the administrator selects a button 722 for adding an item to the rejection list 502 on the settings screen 700, a settings dialog 800 as shown in FIG. 8 is displayed on the settings screen 700. In the settings dialog 800, the administrator can set the rejection list 502 by inputting a setting value in the settings column 801 of the item to be rejected and selecting the "Decide" button 802.

In this way, the administrator can use the setting screen 700 to set packet information to permit or deny acquisition by the secure box (communication device) 14 for each user, user group, or user role.

Now, returning to FIG. 6, the explanation of the sequence diagram will be continued. In step S605, the administrator performs a setting operation for setting information on a setting screen 700 and a setting dialog 800 as shown in FIGS. 7 and 8.

In step S606, the web browser 324 of the management terminal 5, upon receiving the setting information setting operation by the administrator, transmits a setting information registration request to the management server 10. This setting information registration request includes setting information of the permission list 501 or denial list 502 set by the administrator.

In step S607, the reception unit 301 of the management server 10 notifies the information management unit 307 of the setting information registration request received from the management terminal 5.

In step S608, the information management unit 307 of the management server 10 updates the permission list 501 or the rejection list 502 stored in the storage unit 308 in accordance with the setting information registration request notified from the reception unit 301. Further, in step S609, the information management unit 307 notifies the reception unit 301 of a completion notification indicating that the registration of the setting information has been completed.

In step S610, the reception unit 301 of the management server 10 transmits, for example, a completion screen to the management terminal 5 indicating that the registration of the setting information is completed. Thereby, in step S611, the web browser 324 of the management terminal 5 displays a completion screen.

Through the setting process shown in FIG. 6, the administrator can set, for example, a permission list 501 as shown in FIG. 5(A) and a deny list 502 as shown in FIG. 5(B) in the communication system 1. I can do it.

(Packet information acquisition process)
9 and 10 are sequence diagrams illustrating an example of packet information acquisition processing according to the first embodiment. This process shows an example of a packet information acquisition process in which a user uses the user terminal 111 to acquire packet information in the local network 100. Note that at the start of the process shown in FIG. 9, the user has already registered the setting information corresponding to the user in the permission list 501 by requesting the administrator, and the packet information regarding the information processing device 101 in the local network 100 has been registered. It shall be assumed that the acquisition is permitted. Further, it is assumed that the user has already logged in to the management server 10 using the user terminal 111.

In step S901, the user operates the web browser 323 of the user terminal 111 to display a reception screen. For example, the user uses the web browser 323 of the user terminal 111 to input a URL for displaying a reception screen, select a bookmark, or the like.

In step S902, the web browser 323 of the user terminal 111, upon receiving the user's operation to display the reception screen, requests the management server 10 to display the reception screen.

In step S903, the reception unit 301 of the management server 10 transmits, for example, a reception screen (web UI) 1100 as shown in FIG. 11 to the user terminal 111 in response to a request from the user terminal 111. Thereby, in step S904, the web browser 323 of the user terminal 111 displays the reception screen 1100.

FIG. 11 is a diagram showing an example of a reception screen according to the first embodiment. In the example of FIG. 11, the reception screen 1100 displays setting information 1101 corresponding to the user, a "start" button 1102, a "stop" button 1103, a "list" button 1104, and the like. The setting information 1101 corresponding to the user includes, for example, the user terminal 111 selected from among the setting information set in the permission list 501 shown in FIG. 5(A) and the deny list 502 shown in FIG. 5(B). Setting information about the user is displayed.

By selecting the "Start" button 1102, the user can perform a start operation to start the packet information acquisition process. Furthermore, by selecting a "stop" button 1103, the user can perform a stop operation to stop the packet information acquisition process. Furthermore, by selecting a “list” button 1104, the user can perform an acquisition operation to acquire a list of acquired packet information.

Now, returning to FIG. 9, the explanation of the sequence diagram will be continued. In step S905, the user selects the "start" button 1102 on the reception screen 1100 to perform a start operation to start the packet information acquisition process.

In step S906, upon receiving the start operation from the user, the web browser 323 of the user terminal 111 transmits a start request to the management server 10 requesting the start of the packet information acquisition process. This start request (first acquisition request) includes, for example, the setting information 1101 corresponding to the user described in FIG. 11.

In step S907, the reception unit 301 of the management server 10 notifies the acquisition control unit 303 of the start request received from the user terminal 111.

In step S908, the acquisition control unit 303 of the management server 10 transmits a start instruction to start acquiring packet information to the secure box 14 in accordance with the start request notified from the reception unit 301. This start instruction includes, for example, the setting information 1101 corresponding to the user described in FIG. 11.

In step S909, the acquisition unit 314 of the secure box 14 starts acquiring packet information in the local network 100 according to the setting information 1101 corresponding to the user included in the start instruction received from the management server 10. For example, the acquisition unit 314 selectively acquires information on packets whose source IP address or destination IP address is "192.168.1.10" and whose port number is "443" or "80". . Further, in step S910, the acquisition unit 314 transmits a start notification indicating that acquisition of packet information has started to the management server 10.

In step S911, the acquisition control unit 303 of the management server 10 notifies the reception unit 301 of the start notification received from the secure box 14.

In step S912, the reception unit 301 of the management server 10 transmits a start message to the user terminal 111 indicating that the acquisition of packet information has started. Thereby, in step S913, the web browser 323 of the user terminal 111 displays the start message received from the management server 10 on the reception screen 1100 or the like.

Through the processing in steps S901 to S913 described above, the user can start acquiring packet information within the local network 100 using the secure box 14. Further, when the user wants to stop acquiring packet information, the user executes the process of step S921.

In step S921, the user selects a "stop" button 1103 on the reception screen 1100 as shown in FIG. 11, for example, to perform a stop operation to stop the packet information acquisition process.

In step S922, upon receiving the stop operation from the user, the web browser 323 of the user terminal 111 transmits a stop request to the management server 10 requesting to stop the packet information acquisition process.

In step S923, the reception unit 301 of the management server 10 notifies the acquisition control unit 303 of the stop request received from the user terminal 111.

In step S924, the acquisition control unit 303 of the management server 10 transmits a stop instruction to the secure box 14 to stop the acquisition of packet information in response to the stop request notified from the reception unit 301.

In step S925, the acquisition unit 314 of the secure box 14 stops acquiring packet information in accordance with the stop instruction received from the management server 10. Furthermore, in step S926, the acquisition unit 314 transmits a stop notification indicating that the acquisition of packet information has been stopped to the management server 10.

In step S927, the acquisition control unit 303 of the management server 10 notifies the receiving unit 301 of the stop notification received from the secure box 14.

In step S928, the reception unit 301 of the management server 10 transmits a stop message to the user terminal 111 indicating that the acquisition of packet information has been stopped. Thereby, in step S929, the web browser 323 of the user terminal 111 displays the stop message received from the management server 10 on the reception screen 1100 or the like.

Furthermore, the communication system 1 executes the processes of steps S930 to S933 in parallel to the processes of steps S926 to S929.

In step S930, the acquisition unit 314 of the secure box 14 stores the acquired packet information in the storage unit 315 or the like. Further, in step S931, the acquisition unit 314 transmits the acquired packet information to the management server 10.

In step S932, the acquisition control unit 303 of the management server 10 stores the packet information received from the secure box 14 in the storage unit 308 or the like. Further, in step S933, the acquisition control unit 303 transmits a completion notification to the secure box 14 indicating that the acquisition of the packet information has been completed.

Through the processing in steps S921 to S933 described above, the user can stop acquiring packet information. Further, FIG. 10 shows an example of processing when the user views or obtains the obtained packet information.

In step S941, the user selects the "list" button 1104 on the reception screen 1100 and performs an acquisition operation to acquire a list of packet information.

In step S942, the web browser 323 of the user terminal 111, upon receiving the user's operation to obtain a list, transmits a request to obtain a list of packet information to the management server 10.

In step S943, the reception unit 301 of the management server 10 notifies the acquisition control unit 303 of the list acquisition request received from the user terminal 111.

In steps S944 and S945, the acquisition control unit 303 of the management server 10 creates a list of packet information stored in the storage unit 308, and transmits the created list of packet information to the reception unit 301. Preferably, the acquisition control unit 303 creates a list of packet information acquired by the user using the user terminal 111 from among the packet information stored in the storage unit 308, and transmits the list to the reception unit 301.

In step S946, the reception unit 301 of the management server 10 transmits the list of packet information received from the acquisition control unit 303 to the user terminal 111. Thereby, in step S947, the web browser 323 of the user terminal 111 displays a list 1105 of packet information on a reception screen 1100 as shown in FIG. 11, for example.

In step S951, the user can acquire packet information by performing a packet information acquisition operation on the packet information list 1105. For example, the user performs a packet information acquisition operation by selecting the "DL" button 1106 displayed in the packet information list 1105 on the reception screen 1100.

In step S952, when the web browser 323 of the user terminal 111 receives the packet information acquisition operation (second acquisition request) from the user, it transmits a packet information acquisition request to the management server 10. This packet information acquisition request includes, for example, the file name of the packet information whose acquisition is requested.

In step S953, the reception unit 301 of the management server 10 notifies the acquisition control unit 303 of the packet information acquisition request received from the user terminal 111.

In steps S954 and S955, the acquisition control unit 303 of the management server 10 acquires the packet information of the file name specified in the packet information acquisition request from among the packet information stored in the storage unit 308, and acquires the acquired packet information. is transmitted to the reception unit 301.

In step S956, the reception unit 301 of the management server 10 provides the user terminal 111 with the packet information received from the acquisition control unit 303. As an example, the reception unit 301 may transmit the packet information file received from the acquisition control unit 303 to the user terminal 111 as is. In this case, the user can view the packet information by opening the packet information file provided by the management server 10 with an application such as a viewer.

As another example, the receiving unit 301 may, for example, create a packet information display screen 1200 as shown in FIG. 12 and transmit the created packet information display screen 1200 to the user terminal 111. In this case, the user can use the web browser 323 to view packet information 1201 on a packet information display screen 1200 as shown in FIG. Note that the packet information display screen 1200 is an example of a web screen that displays packet information acquired by the communication device (secure box 14).

In the example of FIG. 12, the packet information 1201 displays information about packets transmitted and received within the local network 100 by the information processing apparatus 101 whose IP address is "192.168.1.10."

As described above, according to the communication system 1 according to the first embodiment, in the communication system 1 in which packet information can be obtained from the user terminal 111 using the secure box 14 in the local network 100, packet information that can be obtained by the user is be able to limit.

Note that the sequence diagrams and display screens described in FIGS. 6 to 12 are merely examples, and the communication system 1 according to the first embodiment can be modified and applied in various ways.

For example, in the process of FIG. 9, the acquisition control unit 303 controls the secure box 14 to acquire only the packet information transmitted and received by the information processing apparatus 101. However, this is just an example, and the acquisition control unit 303 may control the secure box 14 to further acquire information on the information processing device 101 (for example, CPU information, memory information, etc.). Further, the reception unit 301 may provide the user terminal 111 with the packet information and the information on the information processing device 101 that the acquisition control unit 303 acquired by controlling the secure box 14 .

[Second embodiment]
The management server 10 controls the secure box 14 to monitor packet information within the local network 100, and when the packet information acquired by the secure box 14 satisfies a predetermined condition, notifies the administrator of predetermined information. It may further have a function to do so.

(Notification processing)
FIG. 13 is a sequence diagram illustrating an example of notification processing according to the second embodiment. It is assumed that at the start of the process shown in FIG. 13, the administrator has already logged into the management server 10 using the management terminal 5.

In step S1301, the administrator performs a display operation on the web browser 324 of the management terminal 5 to display a notification processing setting screen. For example, the administrator uses the web browser 324 of the management terminal 5 to input a URL for displaying a notification processing setting screen, or select a bookmark.

In step S1302, the web browser 324 of the management terminal 5, upon receiving the administrator's operation to display a settings screen, requests the management server 10 to display a settings screen for notification processing.

In step S1303, the reception unit 301 of the management server 10 transmits, for example, a notification processing setting screen (web UI) 1400 as shown in FIG. 14 to the management terminal 5 in response to a request from the management terminal 5. As a result, in step S1304, the web browser 324 of the management terminal 5 displays a notification processing setting screen 1400.

14 and 15 are diagrams showing examples of setting screens for notification processing according to the second embodiment. In the example of FIG. 14, a notification processing setting screen 1400 displays a notification method setting field 1401 and a notification item setting field 1402.

In the notification method setting column 1401, the administrator can set a notification method for notifying the administrator of predetermined information when the packet information acquired by the secure box 14 satisfies a predetermined condition. In the example of FIG. 14, the administrator selects the notification method from email, web notification, or both email and web notification.

Further, the administrator can set notification conditions in a setting field 1402 for notification items. For example, the administrator can display a settings dialog 1500 as shown in FIG. 15 by selecting an "add item" button 1403. Further, the administrator can set notification conditions by inputting setting values for notification conditions such as items, values, and frequency in the settings dialog 1500 and selecting a "determine" button 1501.

Now, returning to FIG. 13, the explanation of the sequence diagram will be continued. In step S1305, the administrator performs a notification condition setting operation on the notification processing setting screen 1400 and the setting dialog 1500.

In step S1306, the web browser 324 of the management terminal 5, upon receiving the notification condition setting operation by the administrator, transmits a notification condition setting request to the management server 10. This notification condition setting request includes the notification conditions set in the setting dialog 1500 by the administrator.

In step S1307, the reception unit 301 of the management server 10 notifies the device management unit 306 of the notification condition setting request received from the management terminal 5. In response, in step S1308, the device management unit 306 sets the requested notification condition in the secure box 14.

In steps S1309 to S1311, the secure box 14 monitors packets according to the notification conditions set by the device management unit 306, and when it detects that the notification conditions are satisfied, sends a notification to the management server 14 indicating that the notification conditions are satisfied. Send to. This notification includes, for example, information such as the detected notification condition and the detected time. However, the information contained in this notice is not limited to this.

In step S1312, the device management unit 306 of the management server 10 transfers the notification received from the secure box 14 to the reception unit 301.

In step S1313, the reception unit 301 of the management server 10 transmits the notification received from the device management unit 306 indicating that a predetermined notification condition is satisfied to the management terminal 5. Thereby, in step S1314, the web browser 324 of the management terminal 5 displays a notification screen indicating that the predetermined notification condition is satisfied.

Note that the processing in steps S1313 and S1314 is an example. The reception unit 301 of the management server 10 may notify the administrator that a predetermined condition has been met using e-mail, chat, SMS, or the like, for example.

In this way, according to the second embodiment, the administrator can monitor packets within the local network 100 using the secure box 14 and receive notification when predetermined conditions are met.

The administrator who received the notification may acquire and analyze packet information within the local network 100 using the packet information acquisition process described in the first embodiment. Further, the administrator may use the presence or absence of the notification as a reference when determining whether or not to permit the user to acquire packet information, or the items to be permitted, in response to a user's request.

As described above, according to each embodiment of the present invention, an administrator can easily restrict packet information that a user can obtain from a communication device connected to a local network using a terminal device connected to an external network. It becomes like this.

<Supplement>
Each function of each embodiment described above can be realized by one or more processing circuits. Here, the term "processing circuit" as used herein refers to a processor programmed to execute each function by software, such as a processor implemented by an electronic circuit, or a processor designed to execute each function explained above. This includes devices such as ASICs (Application Specific Integrated Circuits), DSPs (Digital Signal Processors), FPGAs (Field Programmable Gate Arrays), and conventional circuit modules.

Additionally, the devices described in the examples are merely illustrative of one of multiple computing environments for implementing the embodiments disclosed herein. In some embodiments, management server 10 includes multiple computing devices, such as a server cluster. The plurality of computing devices are configured to communicate with each other via any type of communication link, including a network, shared memory, etc., to perform the processes disclosed herein.

The secure box 14 is an example of a communication device that connects to a first network (local network 100) and acquires packet information in the first network. The communication device may be, for example, a network device such as the firewall 322 connected to the local network 100, an information terminal such as the information processing device 101, an electronic device such as the image forming device 102, or another device having a communication function such as a server. You can.

The management server 10 is an example of a server device that is connected to a second network different from the first network (local network 100) and can communicate with communication devices. Each functional configuration of the management server 10 may be combined into one server device, or may be divided into multiple devices. Moreover, at least a part of the functional configuration included in the management server 10 may be included in the relay server 13.

<Additional notes>
This specification discloses a communication system, an information acquisition method, and a program in each section below.
(Section 1)
a communication device that connects to a first network and acquires packet information in the first network; and a server device that connects to a second network different from the first network and can communicate with the communication device. A communication system comprising:
The server device includes:
an acquisition control unit that controls acquisition of the packet information by the communication device in response to a request from a user;
a reception unit that receives setting information that limits the packet information that the user can obtain using the communication device;
A communication system with
(Section 2)
The reception unit displays a setting screen for setting the setting information on a first terminal device used by an administrator,
The acquisition control unit limits the packet information acquired by the communication device according to the setting information set on the setting screen.
The communication system according to paragraph 2.
(Section 3)
The reception unit displays a reception screen for accepting the packet information acquisition request on a second terminal device used by the user,
The acquisition control unit controls acquisition of the packet information by the communication device based on the first acquisition request received on the reception screen and the setting information.
The communication system according to item 1 or 2.
(Section 4)
The reception unit provides a web screen that displays the packet information acquired by the communication device or the packet information to the second terminal device in response to the second acquisition request received on the reception screen.
The communication system according to paragraph 3.
(Section 5)
3. The communication system according to claim 2, wherein the setting screen allows setting of information on packets to be permitted or denied for acquisition by the communication device for each user, user group, or user role.
(Section 6)
6. The communication system according to claim 5, wherein the information on the packet that is permitted or denied to be acquired by the communication device includes address information, port information, or protocol information of the packet.
(Section 7)
Any one of paragraphs 1 to 6, wherein the server device has a notification unit that notifies an administrator of predetermined information when the packet information acquired by the communication device satisfies a preset condition. The communication system described in .
(Section 8)
2. The communication system according to claim 1, wherein the acquisition control unit can control the communication device to further acquire information on devices connected to the first network.
(Section 9)
a communication device that connects to a first network and acquires packet information in the first network; and a server device that connects to a second network different from the first network and can communicate with the communication device. In a communication system that includes
The server device includes:
an acquisition control process that controls acquisition of the packet information by the communication device in response to a request from a user;
reception processing for accepting setting information that limits the packet information that the user can obtain using the communication device;
How to obtain information.
(Section 10)
a communication device that connects to a first network and acquires packet information in the first network; and a server device that connects to a second network different from the first network and can communicate with the communication device. In a communication system that includes
In the server device,
an acquisition control process that controls acquisition of the packet information by the communication device in response to a request from a user;
reception processing for accepting setting information that limits the packet information that the user can obtain using the communication device;
A program to run.

Although the embodiments of the present invention have been described above, the present invention is not limited to such specific embodiments, and various modifications and changes can be made within the scope of the gist of the present invention as described in the claims. , or can be applied.

1 Communication system 2 Communication network (second network)
5 Management terminal (first terminal device)
10 Management server (server device)
14 Secure box (communication device)
100 Local network (first network)
110, 110a, 110b, 120 remote network (second network)
111 User terminal (second terminal device)
301 Reception unit 303 Acquisition control unit 304 Notification unit 308 Storage unit 501 Permission list 502 Rejection list 700 Setting screen 1100 Reception screen 1200 Packet information display screen

Japanese Patent Application Publication No. 2013-090089

Claims (10)

a communication device that connects to a first network and acquires packet information in the first network; and a server device that connects to a second network different from the first network and can communicate with the communication device. A communication system comprising:
The server device includes:
an acquisition control unit that controls acquisition of the packet information by the communication device in response to a request from a user;
a reception unit that receives setting information that limits the packet information that the user can obtain using the communication device;
A communication system with The reception unit displays a setting screen for setting the setting information on a first terminal device used by an administrator,
The acquisition control unit limits the packet information acquired by the communication device according to the setting information set on the setting screen.
The communication system according to claim 1. The reception unit displays a reception screen for accepting the packet information acquisition request on a second terminal device used by the user,
The acquisition control unit controls acquisition of the packet information by the communication device based on the first acquisition request received on the reception screen and the setting information.
The communication system according to claim 1 or 2. The reception unit provides a web screen that displays the packet information acquired by the communication device or the packet information to the second terminal device in response to the second acquisition request received on the reception screen.
The communication system according to claim 3. 3. The communication system according to claim 2, wherein information on packets to be permitted or denied to be acquired by the communication device can be set on the setting screen for each user, user group, or user role. 6. The communication system according to claim 5, wherein the information on the packet for which acquisition by the communication device is permitted or denied includes address information, port information, or protocol information of the packet. The communication system according to claim 1, wherein the server device includes a notification unit that notifies an administrator of predetermined information when the packet information acquired by the communication device satisfies a preset condition. The communication system according to claim 1, wherein the acquisition control unit is capable of controlling the communication device to further acquire information on devices connected to the first network. a communication device that connects to a first network and acquires packet information in the first network; and a server device that connects to a second network different from the first network and can communicate with the communication device. In a communication system that includes
The server device includes:
an acquisition control process that controls acquisition of the packet information by the communication device in response to a request from a user;
reception processing for accepting setting information that limits the packet information that the user can obtain using the communication device;
How to obtain information. a communication device that connects to a first network and acquires packet information in the first network; and a server device that connects to a second network different from the first network and can communicate with the communication device. In a communication system that includes
In the server device,
an acquisition control process that controls acquisition of the packet information by the communication device in response to a request from a user;
reception processing for accepting setting information that limits the packet information that the user can obtain using the communication device;
A program to run.

Images