JP7249820B2 - Gateway device, network system, control method, and program - Google Patents

Description

The present invention relates to distributed Internet gateways for large private networks.

In a large-scale private network used by a company, when an end-user terminal accesses a web server on the Internet, communication is performed via a web proxy in order to avoid auditing of communication content and security problems. There are many.

The gateway for communicating from such a private network to the Internet is called "Internet Gateway (IGW)", and in addition to using Web Proxy, there is also a method of communicating via NAPT (Network Address Port Translation). However, hereinafter, the method using Web Proxy is called IGW.

The IGW connects the Web Proxy device to both the private network and the Internet, temporarily terminates Web communication from terminals within the private network, and accesses an external Web server as a proxy for the terminal.

IGW is often used in combination with advanced security features called Unified Threat Management (UTM) to detect and avoid security issues, such as malware downloads from external websites, in addition to WebProxy functionality. .

JP 2016-144144 A

When a company builds an IGW in a large-scale private network, it has been common to build the IGW at one base using a physical machine. However, especially when the private network is distributed over a wide area, there is a problem that the communication quality of a terminal located away from the installation location of the IGW may deteriorate.

It should be noted that the above-described problem is a problem that can arise not only in a gateway device between a private network and the Internet.

The present invention has been made in view of the above points, and is a technique that makes it possible to avoid deterioration in communication quality of terminals in a system provided with a gateway device between a first network and a second network. intended to provide

According to the disclosed technology, in a network system having a plurality of gateway devices provided between a first network to which a terminal is connected and a second network to which a server to be accessed by the terminal is connected, A gateway device used as one of the plurality of gateway devices,
The plurality of gateway devices are built on a virtual platform so that they can be increased or decreased by software control,
a proxy unit that accesses the server as a proxy for the terminal;
a metric collection unit that acquires a metric value indicating the state of the gateway device;
In determining the IP address of the terminal, setting information including information on a gateway device to be preferentially connected to each IP address of the terminal, metrics values collected from the plurality of gateway devices, and the connection destination of the terminal A gateway device comprising: a distributed control unit that determines a gateway device to be used by the terminal from among the plurality of gateway devices based on the setting information and a priority indicating which of the metric values to give priority to be done.

According to the disclosed technique, there is provided a technique that makes it possible to avoid deterioration of terminal communication quality in a system that includes a gateway device between a first network and a second network.

Fig. 3 shows a centralized IGW configuration; FIG. 2 is a diagram showing an IGW configuration on a virtualized environment; FIG. 4 is a diagram showing distributed arrangement of cells; It is a figure which shows traffic distribution control. FIG. 4 is a diagram showing an example of setting information held by a distributed control unit; FIG. 10 is a sequence diagram for explaining a processing procedure; It is a figure which shows the hardware configuration example of an apparatus.

An embodiment (this embodiment) of the present invention will be described below with reference to the drawings. The embodiments described below are merely examples, and embodiments to which the present invention is applied are not limited to the following embodiments. Hereinafter, after describing the problem in more detail, the technology according to the embodiment of the present invention will be described.

Although this embodiment deals with a gateway device between a private network and the Internet, the present invention is applicable not only to a gateway device between a private network and the Internet. For example, the present invention can be applied to a gateway device between private networks of different companies.

(Challenges of centralized IGW)
As described above, when a company builds an IGW on a large-scale private network, it combines Web Proxy and UTM to build an IGW system at one base. Since traffic from end terminals is concentrated on this IGW, it is called a centralized IGW.

A configuration example of a centralized IGW is shown in FIG. As shown in FIG. 1, IGW 10 is connected to both private network 20 and Internet 30 . In the example of FIG. 1, terminals a to c are present at bases A to C, and are connected to a private network 20, respectively. A web server 40 that is accessed by the terminal is connected to the Internet 30 . The IGW 10 has multiple Web proxies 11 and multiple UTMs as a redundant configuration.

When constructing a single IGW 10 as in FIG. 1, traffic from terminals concentrates on one IGW 10, and the IGW 10 may become a bottleneck.

In addition, in order to avoid communication failures due to device or line failures, as in the example of Fig. 1, devices such as Web Proxy and UTM and lines have a redundant Act/Sby configuration, and when a failure occurs on the Act side, the Sby device It is often designed to switch to However, when the system is operating normally, the Sby equipment is not utilized, resulting in a problem of low utilization efficiency of the equipment.

In addition, when the private network 20 is widely distributed, terminals located away from the installation location of the IGW 10 may experience a large communication path and delay to reach the website via the IGW 10, resulting in deterioration in communication quality. There is

Techniques according to embodiments of the present invention for solving the above-described problems will be described below.

(IGW using virtualization technology)
In recent years, the virtualization of communication devices (Network Function Virtualization: NFV) has progressed, and it has become possible to build a communication system on a virtualization platform. The use of NFV eliminates the need for physical work such as equipment installation and wiring.

In addition, many services such as clouds that provide virtualization infrastructure for building NFV have been provided both in Japan and overseas, and cloud services that can be directly connected to private networks have also been provided. By combining a virtual version of Web Proxy or UTM with a virtualization platform that can be directly connected to a private network, it is possible to construct an IGW system similar to the case of using a physical device.

FIG. 2 shows a configuration example of the IGW on the virtual environment. As shown in FIG. 2, the IGW 100 is constructed on the virtualization platform. The IGW 100 has Web proxy 110 and UTM 120 .

(Distributed IGW)
In this embodiment, the IGW on the virtualization environment is not constructed as a centralized configuration, but is distributed in different virtualization environments, and the traffic from the terminal is distributedly controlled, thereby realizing a distributed IGW. I am planning to build. This distributed IGW system is referred to herein as the Micro Internet Gateway (MIGW). Distributed placement in different virtualization environments means, for example, that data centers that provide virtualization environments are distributed in multiple geographical locations, and IGWs on virtualization environments are constructed in each data center. means to be

In MIGW, the functional set of IGW on the virtualized environment is called "cell". In other words, each IGW in a plurality of distributed IGWs is called a "cell". In the distributed IWG, as shown in FIG. 3, a plurality of cells are constructed on virtualization infrastructures in different regions, and traffic from end terminals is distributed and processed by the plurality of cells. For example, in the example of FIG. 3, the cell 100-1 processes the traffic from the terminal a of the site A, the cell 100-2 processes the traffic from the terminal b of the site B, and the cell 100-3 processes the traffic from the site C. Process traffic from terminal c. A configuration having a plurality of cells may be called a network system.

In the distributed IGW according to the present embodiment, communication quality is optimized by controlling communication from an end terminal to pass through a cell closer to the terminal among a plurality of cells. Also, when a failure occurs in a cell among a plurality of cells, the traffic is controlled so as to pass through the cell in which the failure does not occur. Examples of these control methods will be described later.

(Advantages of MIGW)
By making the IGW distributed, the MIGW has the following advantages over the centralized IGW.

・Because all cells are actively used, all facilities can be used effectively, resulting in high facility utilization efficiency.

- Since the end terminal can pass through the most suitable cell among multiple cells, deterioration of communication quality can be avoided.

・When a failure occurs in a cell, the impact of the failure can be avoided by controlling traffic to pass through another cell.

- By constructing a cell in a distant area, it is possible to realize DR (Disaster Recovery) that avoids a large-scale failure that occurs in a specific area.

• When traffic increases, the capacity of traffic to be processed can be increased by constructing additional cells.

(Traffic distribution method among multiple cells)
FIG. 4 shows a configuration example for implementing traffic distribution control among multiple cells. In FIG. 4, cells are provided in each of regions X and Y, and the respective internal configurations are shown. Since the cell of area X and the cell of area Y have the same configuration, the cell 100 of area X will be referred to and explained here.

<Equipment configuration, function>
As shown in FIG. 4, the cell 100 has a UTM 110, a Web proxy 120, a distribution control section 130, an internal DNS section 140, and a metric collection section 150. FIG. The distribution control unit, metric collection unit, and internal DNS unit may also be called a distribution control function, metric collection function, and internal DNS function, respectively. The internal DNS unit may also be called an internal DNS server.

The UTM 110, the Web proxy 120, the distributed control unit 130, the internal DNS unit 140, and the metric collection unit 150 are functional units built on a virtualization platform such as a cloud, but are actually programs that run on a computer. . Also, each of the UTM 110, the Web proxy 120, the distributed control unit 130, the internal DNS unit 140, and the metric collection unit 150 may be realized by one or more physical machines instead of on the virtualization infrastructure. Also, a set of multiple function units in arbitrary combination among the UTM 110, Web proxy 120, distributed control unit 130, internal DNS unit 140, and metric collection unit 150 may be realized by one or more physical machines.

Also, the distributed control unit 130 and the metric collection unit 150 may be functional units inside the Web proxy 120 .

Also, as an original function of the IGW in the cell 100, providing the UTM 110 in addition to the Web proxy 120 is an example. The UTM 110 may not be provided, or functional units other than the UTM 110 may be provided. The function of each functional unit is as follows.

The UTM 110 detects and avoids security issues such as malware downloads from external web sites. The web proxy 120 temporarily terminates web access (HTTP communication) from the terminal, and accesses an external web server on behalf of the terminal.

The metric collection unit 150 periodically acquires the metric value indicating the state of the cell 100 and stores it in the storage means. The metric values acquired by the metric collection unit 150 are, for example, a value indicating the normality of the Internet connection of the cell 100, a value indicating the normality of the Web Proxy 120, a value indicating the normality of the UTM 110, the load of the Web Proxy 120, and the load of the UTM 110. and so on. The metric collection unit 150 may acquire all of these, or may acquire any one or more of them.

The distributed controller 130 periodically collects metric values from the metric collectors of all cells that constitute the distributed IGW. For example, in the example of FIG. 4, the distributed control unit 130 collects metric values from the metric collection unit 150 of its own cell and also collects metric values from the metric collection units of cells in region Y. FIG.

In addition, the distribution control unit 130 stores, as setting information, information about the MIGW cell to be preferentially connected to the IP address of the terminal and priority information for determining the optimum cell. The same setting information is synchronized and stored in all cells. That is, in the example of FIG. 4, the distributed control unit 130 in region X and the distributed control unit in region Y hold the same information as setting information.

Also, the distribution control unit 130 selects the optimum cell according to the IP address of the terminal using the latest metric information and setting information.

When the internal DNS unit 140 receives an inquiry about the name resolution of the Web Proxy 120 from a terminal, the internal DNS unit 140 inquires of the distribution control unit 130 about the IP address of the inquiry source terminal and the IP address of the optimum MIGW cell. In other words, the internal DNS unit 140 notifies the distribution control unit 130 of the IP address of the terminal acquired by the inquiry, thereby inquiring of the distribution control unit 130 about the cell (which may be referred to as a gateway device) used by the terminal. The internal DNS unit 140 returns the IP address for which the response was received from the distribution control unit 130 to the terminal as a response to the DNS query.

FIG. 5 is a diagram showing an example of a table that is (a part of) setting information held in the storage means by the distributed control unit 130. As shown in FIG. In the example of FIG. 5, the table consists of the connection priority of each cell for each IP address of the terminal. Regarding the priority, it is assumed that the smaller the value, the higher the priority. For example, a terminal of IP-A is most preferentially connected to cell 2 . The distributed control unit 130 also holds the IP address of each cell in its storage means.

In addition to the table shown in FIG. 5, the distribution control unit 130 also provides, as setting information, a priority for each metric and a priority indicating whether the metric or the table should be given priority in determining the connection destination of the terminal. may be retained.

<Processing sequence>
Referring to FIG. 6, as an example, when terminal a accesses Web server 400, a processing sequence until terminal a is notified of the IP address of the optimum cell will be described.

In S<b>101 , the terminal a transmits a Web proxy name resolution inquiry to the internal DNS unit 140 . Regarding the communication at the stage of accessing the internal DNS unit from terminal a, access may be routed to the internal DNS unit of the geographically closest cell based on the IP address of terminal a. , the IP address of the internal DNS unit to be the communication destination may be preset in the terminal a.

In S102, the internal DNS unit 140 transmits an IP address inquiry of the optimum cell to the distributed control unit 130 together with the IP address of the inquiry source terminal a. Note that the IP address inquiry message may include the IP address of the inquiry source terminal a. It may also mean that you are doing something.

As described above, the distributed control unit 130 collects and holds the metric values of all cells of the distributed IGW.

In S103, the distributed control unit 130 determines the optimum cell to be accessed by the terminal a based on the IP address, setting information, and metric information of the terminal a as the inquiry source.

Specifically, for example, if the setting information indicates that the use of a table such as that shown in FIG. As long as the load (e.g. Web proxy load and UTM load respectively) is not bad compared to some threshold, determine the best cell according to the settings in the table. If the metric value of the cell indicated to connect with the highest priority is worse than the threshold, then determine the metric value of the next priority cell in the table and if it is not worse than the threshold. , to determine that cell as the optimal cell.

Further, for example, if the setting information is set to give priority to the metric value over the setting of the table as shown in FIG. extracts cells whose Web proxy load is equal to or less than a predetermined threshold, and if there is only one cell, determines that cell as the optimum cell. If there are multiple cells whose web proxy load is equal to or less than the predetermined threshold, the table is referred to and the cell with the highest priority among the multiple is determined as the optimum cell.

In S104, the distribution control unit 130 notifies the internal DNS unit 140 of the IP address of the cell determined in S103 (specifically, the IP address of the Web proxy, for example). In S105, the internal DNS unit 140 returns the IP address received from the distributed control unit 130 to the terminal a as a response to the name resolution inquiry. After that, the terminal a accesses the Web using the IP address as the destination.

In this embodiment, distributed control section 130 selects the optimum cell by using the IP address of the source of the name resolution query as the IP address of the terminal, but this is just an example. It is also possible to acquire the IP address of the terminal and select the optimum cell by means other than the name resolution inquiry.

(How to increase or decrease MIGW capacity)
Since MIGW is a distributed IGW built on a virtual infrastructure, adding cells instead of increasing the performance of individual cells (the amount of resources used in the virtual infrastructure and the capacity of VNF licenses) will increase the overall MIGW. can increase the amount of traffic that can be handled as

Conversely, if there is room in the processing performance of the cells, some of the cells are abolished and the processing of the abolished cells is distributed to the remaining cells, thereby reducing the capacity of the MIGW as a whole.

By using the virtualization platform and NFV, these capacity increases and decreases do not require equipment installation and wiring work, and can be easily realized by software control. MIGW users can gradually increase the capacity of the entire MIGW by adding cells, so that the IGW can be introduced at the optimum cost without a large initial investment at the time of system introduction.

(Hardware configuration example)
A cell in the MIGW described in the present embodiment, each of a plurality of functional units constituting the cell, or a group of a plurality of functional units out of all the functional units constituting the cell are the above-described Although it is built on a virtualization platform, its substance is a computer and a program. In addition, "a cell, each of a plurality of functional units constituting a cell, or a group of a plurality of functional units out of all the functional units constituting a cell" is collectively referred to as a "gateway device". You can call The gateway device is not limited to one built on a virtualization platform, and may be realized by a physical machine (that is, a computer) and a program.

That is, the gateway device can be realized by causing a computer to execute a program describing the processing contents described in the present embodiment.

The gateway device can be realized by executing a program corresponding to the processing performed by the gateway device using hardware resources such as a CPU and memory built into the computer. The above program can be recorded in a computer-readable recording medium (portable memory, etc.), saved, or distributed. It is also possible to provide the above program through a network such as the Internet or e-mail.

FIG. 7 is a diagram showing a hardware configuration example of the computer in this embodiment. The computer of FIG. 7 has a drive device 1000, an auxiliary storage device 1002, a memory device 1003, a CPU 1004, an interface device 1005, a display device 1006, an input device 1007, and the like, which are connected to each other via a bus B, respectively.

A program for realizing processing by the computer is provided by a recording medium 1001 such as a CD-ROM or a memory card, for example. When the recording medium 1001 storing the program is set in the drive device 1000 , the program is installed from the recording medium 1001 to the auxiliary storage device 1002 via the drive device 1000 . However, the program does not necessarily need to be installed from the recording medium 1001, and may be downloaded from another computer via the network. The auxiliary storage device 1002 stores installed programs, as well as necessary files and data.

The memory device 1003 reads and stores the program from the auxiliary storage device 1002 when a program activation instruction is received. The CPU 1004 implements functions related to the gateway device according to programs stored in the memory device 1003 . The interface device 1005 is used as an interface for connecting to the network. A display device 1006 displays a program-based GUI (Graphical User Interface) or the like. An input device 1007 is composed of a keyboard, a mouse, buttons, a touch panel, or the like, and is used to input various operational instructions.

(Summary of embodiment)
As described above, this specification discloses at least the gateway device, the network system, the control method, and the program described in the following items.
(Section 1)
In a network system having a plurality of gateway devices provided between a first network to which a terminal is connected and a second network to which a server to be accessed by the terminal is connected, the plurality of gateway devices A gateway device used as one of the gateway devices,
a proxy unit that accesses the server as a proxy for the terminal;
a metric collection unit that acquires a metric value indicating the state of the gateway device;
a distributed control unit that determines a gateway device to be used by the terminal from among the plurality of gateway devices based on the IP address of the terminal, setting information, and metric values collected from the plurality of gateway devices; gateway device.
(Section 2)
An internal DNS unit that receives a name resolution inquiry from the terminal and notifies the distributed control unit of the IP address of the terminal obtained based on the inquiry, thereby inquiring of the distributed control unit about the gateway device used by the terminal. The gateway device according to claim 1, further comprising:
(Section 3)
3. The gateway device according to claim 1 or 2, wherein the setting information includes information on a gateway device to be preferentially connected for each IP address of the terminal.
(Section 4)
4. The gateway device according to any one of claims 1 to 3, wherein said first network is a private network and said second network is the Internet.
(Section 5)
A network system having a plurality of gateway devices provided between a first network to which a terminal is connected and a second network to which a server to be accessed by the terminal is connected, the plurality of gateways A network system, wherein each device is the gateway device according to any one of items 1 to 4.
(Section 6)
In a network system having a plurality of gateway devices provided between a first network to which a terminal is connected and a second network to which a server to be accessed by the terminal is connected, the plurality of gateway devices A control method executed by one of the gateway devices,
The gateway device includes a proxy unit that accesses the server as a proxy for the terminal,
a metric collection step of obtaining a metric value indicating the state of the gateway device;
a distributed control step of determining a gateway device to be used by the terminal from among the plurality of gateway devices based on the IP address of the terminal, setting information, and metric values collected from the plurality of gateway devices; Control method provided.
(Section 7)
A program for causing a computer to function as each unit in the gateway device according to any one of items 1 to 4.

Although the present embodiment has been described above, the present invention is not limited to such a specific embodiment, and various modifications and changes can be made within the scope of the gist of the present invention described in the claims. It is possible.

10, 100IGW
11, 110 Web proxy
12, 120 UTM
20, 200 Private network 30, 300 Internet 40, 400 Web server 140 Internal DNS unit 130 Distribution control unit 150 Metric collection unit 1000 Drive device 1002 Auxiliary storage device 1003 Memory device 1004 CPU
1005 interface device 1006 display device 1007 input device

Claims (6)

In a network system having a plurality of gateway devices provided between a first network to which a terminal is connected and a second network to which a server to be accessed by the terminal is connected, among the plurality of gateway devices A gateway device used as one of the gateway devices of
The plurality of gateway devices are built on a virtual platform so that they can be increased or decreased by software control,
a proxy unit that accesses the server as a proxy for the terminal;
a metric collection unit that acquires a metric value indicating the state of the gateway device;
In determining the IP address of the terminal, setting information including information on a gateway device to be preferentially connected to each IP address of the terminal, metrics values collected from the plurality of gateway devices, and the connection destination of the terminal A gateway device comprising: a distributed control unit that determines a gateway device to be used by the terminal from among the plurality of gateway devices based on the setting information and a priority indicating which of the metric values is to be given priority . An internal DNS unit that receives a name resolution inquiry from the terminal and notifies the distributed control unit of the IP address of the terminal obtained based on the inquiry, thereby inquiring of the distributed control unit about the gateway device used by the terminal. The gateway device according to claim 1, further comprising: 3. The gateway device according to claim 1, wherein said first network is a private network and said second network is the Internet. A network system having a plurality of gateway devices provided between a first network to which a terminal is connected and a second network to which a server to be accessed by the terminal is connected, the plurality of gateways A network system, wherein each device is a gateway device according to any one of claims 1 to 3. In a network system having a plurality of gateway devices provided between a first network to which a terminal is connected and a second network to which a server to be accessed by the terminal is connected, among the plurality of gateway devices A control method executed by any one of the gateway devices of
The plurality of gateway devices are built on a virtual platform so that they can be increased or decreased by software control,
The gateway device includes a proxy unit that accesses the server as a proxy for the terminal,
a metric collection step of obtaining a metric value indicating the state of the gateway device;
In determining the IP address of the terminal, setting information including information on a gateway device to be preferentially connected to each IP address of the terminal, metrics values collected from the plurality of gateway devices, and the connection destination of the terminal A control method comprising: a distributed control step of determining a gateway device to be used by the terminal from among the plurality of gateway devices, based on the setting information and a priority indicating which of the metric values is to be given priority . A program for causing a computer to function as each unit in the gateway device according to any one of claims 1 to 3.

Images