WO2005101217A1 - Address conversion method, access control method, and apparatus using those methods - Google Patents
- Publication number: WO2005101217A1 (PCT/JP2005/007254)
- Authority: WO (WIPO (PCT))
- Prior art keywords: access control, address conversion, address, unit, rule
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/2557—Translation policies or rules
- H04L61/256—NAT traversal
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/029—Firewall traversal, e.g. tunnelling or, creating pinholes
Definitions
- The present invention relates to an address conversion technology and an access control technology (firewall technology) that let a terminal in a private network, which has no address on the global network, communicate via the global network.
- A device that translates the destination address of packets sent from the WAN to a terminal device in the LAN from a global IP address to a private address, and translates the source address of packets sent from a terminal device in the LAN to the WAN into a global IP address, is called NAT (Network Address Translation).
- An access control technology (firewall) checks the destination and source of packets from the WAN and passes only those packets permitted by the configured security policy. Relay devices that have both address translation and access control functions, address conversion devices that have only address translation, and firewall devices that have only access control are known.
- With conventional address translation, IPsec packets can be forwarded to only one terminal device, because only one such setting can be made; IPsec therefore cannot be used with multiple terminals at the same time. The same holds for communication from inside the LAN to the Internet, so it is difficult to use IPsec with terminals in the LAN.
- There is also a technique in which IPsec packets are encapsulated in UDP packets before being sent (see, for example, Patent Document 2).
- However, both ends of the IPsec communication must support encapsulation in UDP packets, so communication with a terminal that does not support it was impossible.
- There is also a technology in which the security policy set in the firewall apparatus can be changed even from the Internet, by access from a user whose identity has been confirmed by authentication (see, for example, Patent Document 3).
- The technique of Patent Document 3 is described with reference to FIG. 1. When the user of user terminal 220, which is connected to the Internet (WAN) 200, wants to change the access control rules in access control table 900a, user terminal 220 sends an authentication request to the authentication server 390 connected to the LAN 300.
- The port number of the authentication server 390 is recorded in access control table 900a as a condition under which packets are always passed.
- The authentication request includes the user's ID (identification information), the user's signature data, and the access to be performed, which consists of the user's own IP address and port number and the IP address and port number of the access destination.
- Authentication server 390 verifies the received authentication request and, if verification passes, requests firewall apparatus 900 to set the access described in the authentication request in access control table 900a. If, for example, this request is for access from user terminal 220 to a web server 310 connected to the LAN 300, the user can then access web server 310 from user terminal 220 and download content. An access permission set in access control table 900a from outside the firewall apparatus in this way is cancelled when a predetermined period has elapsed or when the access has continued for the predetermined period or longer.
- Patent Document 1 Japanese Patent Application Laid-Open No. 2002-185517
- Patent Document 2 Japanese Patent Application Laid-Open No. 2002-232450
- Patent Document 3 Japanese Patent Application Laid-Open No. 2003-132020
- An object of the present invention is to provide an address conversion technique with which a plurality of servers can be published on the same port number, even between terminals that do not support encapsulation, and a plurality of communications can be carried out even with a protocol that has no port number.
- With respect to access control, the invention aims to provide an access control technique that remains secure even when the security policy, that is, the pass conditions, is changed dynamically.
- In the present invention, an access control rule defined for each source device or source network on the global network side, and an address conversion rule defined for each source device, are recorded in the database unit.
- When a packet is received from the global network, access from the global network to the private network is restricted according to the access control rule, which includes source information. The destination address is then translated according to the address conversion rule, which also includes source information, and the packet is forwarded from the global network side to the private network side.
- When a packet is received from the private network, the source address is translated according to the address conversion rule including the source information, and the packet is forwarded from the private network side to the global network side.
- When an access request arrives from the global network side and no access control rule or address conversion rule exists in the database unit between the requested destination and the sender, the sender is authenticated. If authentication succeeds, an access control rule is defined for each source device or source network, an address conversion rule is defined for each source device, and both are recorded in the database unit. When the communication ends, the added access control rule and address conversion rule are deleted from the database unit.
- In response to an access request from the private network side, if no access control rule or address conversion rule exists in the database unit between the desired destination and the source, an access control rule and an address conversion rule are defined for that source and recorded in the database unit. When the communication ends, the added access control rule and address conversion rule are deleted from the database unit.
- Authentication may be performed by an authentication processing unit inside the relay device, or by an authentication server installed in the global network, which then requests the relay device to add the access control rule (the pass condition set in the firewall device).
- In the firewall technology of the present invention, the communication status of the session is reported to the request source over the secure session.
- In the address conversion technology of the present invention, it is checked whether an access control rule and an address conversion rule for the packet are registered, and if not, they are added. Therefore, the access control rule and address conversion rule for communication initiated from a terminal in the private network can be registered automatically, and communication can be carried out without registering them in advance.
- In the access control technology of the present invention, the pass conditions of the firewall device can be changed dynamically from outside the firewall device so that packets from the corresponding user terminal can pass through it. When the secure session is disconnected, the access permission (access control rule) is released, so unauthorized packets sent after the session has been disconnected cannot pass through the firewall device. Also, when the request source is notified of the communication status in the established session, the request source can monitor for unauthorized communication. Furthermore, when only requests from a predetermined authentication server are accepted for changing the settings of the firewall device or the address conversion rules, a port scan does not reveal the presence of the device or the services it provides, and the access control and address conversion settings can still be changed from the network side.
- FIG. 1 shows a system configuration for explaining a conventional firewall device.
- FIG. 2 is a diagram showing an example of the functional configuration of the relay device according to the first embodiment.
- FIG. 3 shows the initial state of the access control table in the first embodiment.
- FIG. 4 shows the initial state of the address conversion table in the first embodiment.
- FIG. 5 shows the processing flow of the first embodiment.
- FIG. 6 shows the access control table after an access control rule has been added in the first embodiment.
- FIG. 7 shows the address conversion table after an address conversion rule has been added in the first embodiment.
- FIG. 8 shows the configuration of a first relay device and a second relay device that can communicate via the Internet, and the LANs and terminals connected to them, in the second embodiment.
- FIG. 9 shows the processing flow of the second embodiment.
- FIG. 10 shows the access control rule added to the first relay device in the second embodiment.
- FIG. 11 shows the address conversion rule added to the first relay device in the second embodiment.
- FIG. 12 shows the address conversion rule added to the second relay device in the second embodiment.
- FIG. 13 shows the access control rule added to the second relay device in the second embodiment.
- FIG. 14 shows an example of the functional configuration of a relay device using an authentication server on the WAN according to the third embodiment.
- FIG. 15 shows the initial state of the access control table in the third embodiment.
- FIG. 16 shows the initial state of the address conversion table in the third embodiment.
- FIG. 17 shows the configuration of the authentication server and terminals on the Internet and the terminals and servers on the LAN in the third embodiment.
- FIG. 18 shows the processing flow of the third embodiment.
- FIG. 19 shows the access control rule whose addition the authentication server of the third embodiment requests.
- FIG. 20 shows the address conversion rule whose addition the authentication server of the third embodiment requests.
- FIG. 21 shows the access control table after access control rules have been added in the third embodiment.
- FIG. 22 shows the address conversion table after an address conversion rule has been added in the third embodiment.
- FIG. 23 shows an example of the functional configuration of an address conversion device according to the fourth embodiment.
- FIG. 24 shows the initial state of the address conversion table of the fourth embodiment.
- FIG. 25 shows the address conversion table after an address conversion rule has been added in the fourth embodiment.
- FIG. 26 shows the processing flow of the address conversion device of the fourth embodiment up to the opening of communication.
- FIG. 27 shows the processing flow of the address conversion device of the fourth embodiment after communication has been opened.
- FIG. 28 shows an example of the functional configuration of a firewall device.
- FIG. 29 shows the processing flow of the firewall device.
- FIG. 30 shows the initial state of the access control table (pass condition table) of the fifth embodiment.
- FIG. 31 shows the access control table (pass condition table) after the access control rule (pass condition) of the fifth embodiment has been added.
- FIG. 32 shows the access control table (pass condition table) after the access control rule (pass condition) of the sixth embodiment has been added.
- FIG. 33 shows the access control table (pass condition table) after the access control rule (pass condition) of the seventh embodiment has been added.
- FIG. 34 shows the processing flow of the firewall device of the eighth embodiment.
- FIG. 2 shows an example of the functional configuration of the relay device 10 according to the first embodiment.
- The relay device 10 comprises a WAN interface unit 11 that transmits and receives packets with a wide area network (WAN) 200 such as the Internet; a LAN interface unit 12 that transmits and receives packets with the LAN 300; an access control unit 13 that analyzes the packets received by the WAN interface unit 11 and the LAN interface unit 12 and performs access control; an address conversion unit 14 that analyzes the packets permitted to pass by the access control unit 13, including packets sent from inside the LAN to the WAN side, and performs address conversion; an authentication processing unit 15 that performs user authentication at the request of the access control unit 13; and a database unit 16 that stores data for access control, data for address conversion, and authentication data.
- The relay device 10 has an access control function (firewall function): based on an access control table such as that shown in FIG. 3, which is recorded in the database unit 16, the access control unit 13 decides whether a packet received by the WAN interface unit 11 is to be forwarded to the LAN side via the LAN interface unit 12.
- In the access control table, the "Source IP address" column indicates the source IP address of the packet received by the WAN interface unit 11; the "Protocol, source port number" column indicates the protocol name of that packet and, for protocols that use port numbers, its source port number; the "Destination IP address" column indicates its destination IP address; the "Protocol, destination port number" column indicates the protocol name and, for protocols that use port numbers, the destination port number; and the "Operation" column indicates the operation applied to a packet whose source and destination match the values in that row.
- For the protocol name used in the "Protocol, source port number" and "Protocol, destination port number" columns, a protocol name associated in advance with a port number can be used.
- The first row in FIG. 3 indicates that a packet whose destination IP address is 111.111.111.2 and whose protocol is http (HyperText Transfer Protocol, for example TCP (Transmission Control Protocol) 80) is forwarded to the LAN side (pass: accept).
- The second row indicates that a packet whose source IP address is 123.123.123.1, whose destination IP address is 111.111.111.2, and whose protocol is SSH (Secure Shell, for example TCP 22) is forwarded to the LAN side, and the third row indicates that all other packets are discarded (drop).
- The access control unit 13 checks such a table from the top row for a row that matches the received packet; when a match is found, the designated operation is performed and processing of that packet is complete. That is, in the table of FIG. 3, a condition set in a higher row is processed with higher priority.
- The relay device 10 also records an address conversion table such as that shown in FIG. 4 in the database unit 16.
- Based on this address conversion table, the address conversion unit 14 converts the destination IP address of a packet that was received by the WAN interface unit 11 and passed by the access control unit 13 into an IP address inside the LAN, and transmits the packet to the LAN side via the LAN interface unit 12.
- For packets from the LAN side, the access control unit 13 transmits the permitted packets to the WAN side via the WAN interface unit 11.
- In the address conversion table, the "Source IP address" column indicates the source IP address of the packet received by the WAN interface unit 11; the "Destination IP address" column indicates its destination IP address; the "Protocol, destination port number" column indicates its protocol name and, for protocols that use port numbers, its destination port number; the "Internal IP address" column indicates the private address in the LAN to be set as the destination IP address of a packet whose source and destination match the values in that row; and the "Protocol, port number" column indicates the port number to be set as the destination port number of such a packet.
- The first row in FIG. 4 indicates that a packet whose destination IP address is 111.111.111.2 and whose destination port number is TCP 80 (http), whatever its source IP address (any address may be used), has its destination IP address rewritten to 192.168.100.5 and is sent to the LAN side with its destination port number unchanged.
- The second row in FIG. 4 indicates that a packet whose source IP address is 123.123.123.1, whose destination IP address is 111.111.111.2, and whose destination port number is TCP 22 (SSH) has its destination IP address rewritten to 192.168.100.5 and is sent to the LAN side with its destination port number unchanged.
- The address conversion unit 14 searches the address conversion table of FIG. 4 from the top row; when a row matches the received packet, the designated operation is performed and processing of that packet is complete. That is, in the address conversion table of FIG. 4, conditions set in higher rows are processed with higher priority.
- FIG. 4 shows the initial state of the address conversion table (the state in which no terminal is communicating).
- The relay device 10 receives communication requests from terminals in the LAN or from terminals on the WAN side; in response to such a request, an access control rule is added to the access control table of FIG. 3 and an address conversion rule is added to the address conversion table of FIG. 4.
- When the access control unit 13 receives, via the WAN interface unit 11, an https (HyperText Transfer Protocol Security) access request packet addressed to the global address of its own device (step S1), it establishes an SSL (Secure Socket Layer) session with the source terminal (step S2). If the session is established successfully, the IP address of the source terminal obtained at session establishment is stored (step S3). Next, in order to authenticate the user, an HTML file for entering the user's identification information and password is encrypted and transmitted to the request source terminal through the WAN interface unit 11 (step S4).
- the access control unit 13 receives the encrypted identification information of the user and the password from the request source terminal (step S5). Next, the access control unit 13 performs decryption, transmits identification information of the user and the password to the authentication processing unit 15, and requests authentication of the user.
- the authentication processing unit 15 searches the user information stored in the database unit 16 for a user having identification information that matches the received user identification information. If a matching user is found, the received password is compared with the stored password of the user (step S6). If the passwords match, the authentication processing unit 15 transmits to the access control unit 13 that the authentication is normal. If no matching user is found, or if the password is not correct, an authentication error is sent to the access control unit 13 (step S7).
- When the access control unit 13 receives notification of successful authentication from the authentication processing unit 15, it encrypts an HTML file for entering the private address, protocol, port number, etc. of the server in the LAN to be accessed, and transmits it to the request source terminal via the WAN interface unit 11 (step S9).
- The access control unit 13 then receives the encrypted private address and protocol/port number from the request source terminal (step S10). Next, the access control unit 13 decrypts them and adds to the access control table in the database unit 16 an access control rule with the source IP address of the https access request packet as "source IP address" and the received protocol and port number as "protocol, destination port number" (step S11). It also sends the source IP address of the https access request packet and the received private address, protocol and port number to the address conversion unit 14 and requests the addition of an address conversion rule.
- When the address conversion unit 14 receives the request to add an address conversion rule, it adds to the address conversion table in the database unit 16 an address conversion rule with the source IP address of the https access request packet as "source IP address", the received private address as "internal IP address", and the received protocol and port number as "protocol, destination port number" (step S12).
- The access control unit 13 encrypts an HTML file that reports that authentication succeeded and address conversion has been set, together with the private address, protocol, port number, etc. in the LAN that are the target of the conversion, and transmits it to the request source terminal (step S13).
- Embedded in this HTML file is a program that causes the terminal to access the relay device 10 at predetermined time intervals.
- The terminal can confirm the address conversion that has been set by decrypting and displaying the transmitted HTML file. With the program embedded in the HTML file, the terminal also starts sending a signal to the relay device 10 at regular intervals. In this way, the access control rule and address conversion rule are set, and communication with the terminal in the LAN is carried out. To end communication, the user selects the end-communication button on the screen displayed by the HTML file received from the relay device 10, closes the browser displaying the HTML file, or shuts down the terminal displaying the HTML file (power off, log off, etc.).
- When the access control unit 13 of the relay device 10 receives the communication end packet, or detects that the browser has been closed or the terminal shut down because no signal has arrived from the terminal for a certain period (step S14), it returns the table rewritten as shown in FIG. 6 to the original state of FIG. 3 and notifies the address conversion unit 14 of the end of communication, together with the source IP address, destination IP address and protocol (step S15). On receiving this notification, the address conversion unit 14 returns the table rewritten as shown in FIG. 7 to the original state of FIG. 4 (step S16).
- As described above, an access control rule and an address conversion rule keyed by source IP address are set in the access control table and the address conversion table. Therefore, even when the destination port number is the same, packets can be distributed to different servers according to the source IP address, and communication with different terminals can be distinguished by source IP address even for a protocol that has no port number.
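The two tables of FIGS. 3 and 4 and the rule lifecycle of steps S11/S12 (add after authentication) and S14 to S16 (delete when the terminal's periodic signal stops) are simulated below. This is an added example, not code from the patent: the sample packets, the second client 200.0.0.7, the internal host 192.168.100.9 and the 30-second timeout are constructed, the rule field value `ANY` and the default drop are assumptions, and 111.111.111.2 is assumed to be the relay's own global address.

```python
"""Relay device tables of FIGS. 3 and 4 and the session-bound rule lifecycle of the
first embodiment (steps S11/S12 add rules, steps S14-S16 delete them). Added example,
not code from the patent: packets, the 30 s timeout, client 200.0.0.7 and internal
host 192.168.100.9 are constructed; "any"-matching and default drop are assumptions."""
from dataclasses import dataclass
from typing import Optional

ANY = None  # a rule field of None matches any packet value (assumption)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                        # "tcp", "ipsec", ...
    dst_port: Optional[int] = None    # None for protocols without port numbers

@dataclass(frozen=True)
class Rule:
    """A row of either table: FIG. 3 rows carry an action, FIG. 4 rows an internal IP."""
    src_ip: Optional[str]
    dst_ip: Optional[str]
    proto: Optional[str]
    dst_port: Optional[int]
    action: str = "accept"
    internal_ip: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        pairs = ((self.src_ip, pkt.src_ip), (self.dst_ip, pkt.dst_ip),
                 (self.proto, pkt.proto), (self.dst_port, pkt.dst_port))
        return all(r is ANY or r == p for r, p in pairs)

class RelayDevice:
    GLOBAL_IP = "111.111.111.2"       # assumed to be the relay's own global address
    KEEPALIVE_TIMEOUT = 30            # seconds without the terminal's signal (constructed)

    def __init__(self):
        # FIG. 3 initial state: searched from the top, first match wins, catch-all drop last.
        self.access_table = [
            Rule(ANY, self.GLOBAL_IP, "tcp", 80, "accept"),
            Rule("123.123.123.1", self.GLOBAL_IP, "tcp", 22, "accept"),
            Rule(ANY, ANY, ANY, ANY, "drop"),
        ]
        # FIG. 4 initial state: same key columns plus the private address to write in.
        self.translation_table = [
            Rule(ANY, self.GLOBAL_IP, "tcp", 80, internal_ip="192.168.100.5"),
            Rule("123.123.123.1", self.GLOBAL_IP, "tcp", 22, internal_ip="192.168.100.5"),
        ]
        self.sessions = {}            # (src_ip, proto, port) -> [access row, conversion row, last signal]

    def forward_from_wan(self, pkt: Packet) -> Optional[Packet]:
        """Access control unit (first matching row decides), then address conversion unit."""
        action = next((r.action for r in self.access_table if r.matches(pkt)), "drop")
        if action != "accept":
            return None
        rule = next((r for r in self.translation_table if r.matches(pkt)), None)
        if rule is None:
            return None               # permitted but no internal address to deliver to
        return Packet(pkt.src_ip, rule.internal_ip, pkt.proto, pkt.dst_port)

    def open_session(self, src_ip, internal_ip, proto, dst_port, now):
        """Steps S11/S12: after https authentication, add rules keyed by the requester's
        source IP; the accept row goes above the final drop row so it is found first."""
        a = Rule(src_ip, self.GLOBAL_IP, proto, dst_port, "accept")
        t = Rule(src_ip, self.GLOBAL_IP, proto, dst_port, internal_ip=internal_ip)
        self.access_table.insert(len(self.access_table) - 1, a)
        self.translation_table.append(t)
        self.sessions[(src_ip, proto, dst_port)] = [a, t, now]

    def signal(self, src_ip, now):
        """The program embedded in the returned HTML file contacts the relay periodically."""
        for key, entry in self.sessions.items():
            if key[0] == src_ip:
                entry[2] = now

    def expire(self, now) -> list:
        """Steps S14-S16: a terminal that has gone silent loses its rules; returns closed keys."""
        closed = [k for k, (_, _, last) in self.sessions.items()
                  if now - last > self.KEEPALIVE_TIMEOUT]
        for k in closed:
            a, t, _ = self.sessions.pop(k)
            self.access_table.remove(a)
            self.translation_table.remove(t)
        return closed

def demo() -> dict:
    """Walk through the embodiment with constructed traffic and return what was observed."""
    relay = RelayDevice()
    ssh_known = Packet("123.123.123.1", RelayDevice.GLOBAL_IP, "tcp", 22)
    ssh_new = Packet("200.0.0.7", RelayDevice.GLOBAL_IP, "tcp", 22)
    ipsec_new = Packet("200.0.0.7", RelayDevice.GLOBAL_IP, "ipsec")
    seen = {"new_before": relay.forward_from_wan(ssh_new)}        # dropped by the last row
    relay.open_session("200.0.0.7", "192.168.100.9", "tcp", 22, now=0)
    relay.open_session("200.0.0.7", "192.168.100.9", "ipsec", None, now=0)
    seen["known_ssh"] = relay.forward_from_wan(ssh_known).dst_ip  # 192.168.100.5
    seen["new_ssh"] = relay.forward_from_wan(ssh_new).dst_ip      # same port, other server
    seen["new_ipsec"] = relay.forward_from_wan(ipsec_new).dst_ip  # no port number, keyed by source
    relay.signal("200.0.0.7", now=20)
    seen["closed_at_40"] = relay.expire(now=40)                   # 20 s since the signal: kept
    seen["closed_at_60"] = len(relay.expire(now=60))              # both rules removed
    seen["new_after"] = relay.forward_from_wan(ssh_new)           # dropped again
    return seen
```

`demo()` shows the two effects the text claims: port 22 reaches 192.168.100.5 for 123.123.123.1 but 192.168.100.9 for 200.0.0.7, and IPsec, which has no port number, is still dispatched by source address. It also shows why the keepalive matters for the defender: once the terminal stops signalling, `expire()` removes both rows and the source is back to the catch-all drop, so a stale permission cannot be reused by anyone who later holds that address.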
- In this embodiment, the addition of the address conversion rule and access control rule is accepted via https access, but http, Session Initiation Protocol (SIP), SSH, telnet, etc. may also be used.
- FIG. 8 shows the configuration of a first relay device 10a and a second relay device 10b that can communicate via the Internet, and the LANs and terminals connected to them. The case of IPsec communication between a terminal in LAN 300 and a terminal in LAN 400 is described with reference to FIG. 9.
- The terminal 410a sends an https access request packet to the first relay device 10a.
- When the first relay device 10a receives the https access request packet, it establishes an SSL session with the source terminal (step S21), authenticates the user (step S22) and, if authentication succeeds, sends the request source terminal 410a an HTML file for entering the private address, protocol, port number, etc. of the server inside the LAN to be accessed.
- Embedded in this HTML file is a program that causes the terminal to access the relay device 10a at predetermined time intervals.
- The terminal 410a displays the received HTML file (step S23) and lets the user enter the access destination information. Here, the private IP address 192.168.100.2 of the terminal 310a to be connected to and IPsec as the protocol are entered. The terminal 410a transmits the entered private address and protocol to the first relay device 10a.
- When the first relay device 10a receives the private address and the protocol, it records them in the database unit 16 and adds the access control rule shown in FIG. 10, with the source IP address of the https access request packet (the IP address of the second relay device 10b, 111.222.234.123) as "source IP address", IPsec as "protocol, source port number", the global address of its own device 211.250.250.100 as "destination IP address", and IPsec as "protocol, destination port number".
- It also adds the address conversion rule shown in FIG. 11, with the source IP address of the https access request packet as "source IP address", the global address of its own device 211.250.250.100 as "destination IP address", IPsec as "protocol, destination port number", and 192.168.100.2 as "internal IP address" (step S24).
- The address conversion unit 14 of the second relay device 10b checks whether an address conversion rule for this IPsec communication is registered in the address conversion table. Specifically, it searches for an address conversion rule whose "source IP address" matches the destination IP address of the packet and whose "internal IP address" matches the source IP address of the packet (step S26).
- If such a rule exists, the source IP address of the packet is rewritten to the "destination IP address" of that address conversion rule (step S27), and the rewritten packet is transmitted via the access control unit 13.
- If no such rule exists, the address conversion unit 14 adds an address conversion rule with the destination IP address of the packet as "source IP address" and the IP address of its own device (here 111.222.234.123) as "destination IP address", and requests the access control unit 13 to add an access control rule permitting IPsec packets with source IP address 211.250.250.100 and destination IP address 111.222.234.123 to pass.
- The access control unit 13 adds the access control rule shown in FIG. 13.
- After the access control unit 13 has added the access control rule, the address conversion unit 14 rewrites the source IP address of the received packet to the global IP address of its own device (here 111.222.234.123) and transmits the rewritten packet via the access control unit 13. Thereafter, IPsec communication is carried out between terminal 310a and terminal 410a.
- To end communication, the user of terminal 410a selects the end-communication button on the screen displayed by the HTML file received from the first relay device 10a, closes the browser displaying the HTML file, or shuts down the terminal displaying it (step S30).
- When the access control unit 13 of the first relay device 10a receives the communication end packet, or detects that the browser has been closed or the terminal shut down because no signal has arrived from terminal 410a for a certain period, it deletes the access control rule shown in FIG. 10. It also notifies the address conversion unit 14 that the communication with source IP address 111.222.234.123, destination IP address 211.250.250.100 and protocol IPsec has ended.
- On receiving this notification, the address conversion unit 14 deletes the address conversion rule shown in FIG. 11 (step S32).
- Likewise, when the access control unit 13 of the second relay device 10b receives the communication end packet, or detects that the browser has been closed or the terminal shut down because no signal has arrived from terminal 410a for a certain period, it deletes the access control rule shown in FIG. 13. It also notifies the address conversion unit 14 that the communication with source IP address 211.250.250.100, destination IP address 111.222.234.123 and protocol IPsec has ended.
- On receiving this notification, the address conversion unit 14 deletes the address conversion rule shown in FIG. 12 (step S34).
- As described above, an access control rule and an address conversion rule keyed by source IP address are set in the access control table and the address conversion table. Therefore, even when the destination port number is the same, packets can be distributed to different servers according to the source IP address, and communication with different terminals can be distinguished by source IP address even for a protocol that has no port number.
- In addition, address conversion rules for the destination IP address and source IP address of IPsec packets received from the LAN side are registered automatically. Since the address conversion rule for IPsec communication started from a terminal in the LAN is registered in this way, IPsec communication can be carried out without registering an address conversion rule in advance.
- the address conversion rule and access control rule are added by the first packet of IPsec communication, but the address conversion rule and access control rule are added by the first packet of IKE (Internet Key Exchange). Even! /.
- In this embodiment, authentication of the terminal on the WAN side is performed by the authentication processing unit 15 in the relay device 10, but authentication may instead be performed by an authentication server on the WAN, with access control rules and address conversion rules added or deleted at the request of that authentication server. This makes it possible to operate stealthily on the WAN, with the accessible protocols and port numbers concealed.
- FIG. 14 is a diagram showing an example of a functional configuration of a relay apparatus using an authentication server on the WAN.
- The relay device 20 in FIG. 14 comprises a WAN interface unit 11 that is connected to a wide area network (WAN) such as the Internet and transmits and receives packets with the WAN, a LAN interface unit 12 that transmits and receives packets with the LAN, an access control unit 23 that analyzes the packets received by the WAN interface unit 11 and the LAN interface unit 12 and performs access control, an address conversion unit 24 that converts the destination address of packets from the WAN side into the LAN and the source address of packets from within the LAN to the WAN side, and a database unit 26 that stores data for access control and data for address conversion.
- The authentication server 100 authenticates the terminal on the WAN side and requests the relay device 20 to add an access control rule and the like.
- The authentication server 100 comprises an interface unit 101 that communicates with the terminal on the WAN side and with the relay device 20, a control unit 102 that controls the authentication server 100, an authentication processing unit 105 that performs authentication processing, and a database unit 106 that records authentication information and information on communications in progress.
- The relay device 20 has a firewall function. Specifically, based on the access control table shown in FIG. 15, which is recorded in the database unit 26, the access control unit 23 determines whether a packet received from the WAN side is to be transmitted into the LAN.
- In FIG. 15, the "source IP address" column indicates the source IP address of the packet received by the WAN interface unit 11, and the "source port number" column indicates its source port number. The "destination IP address" column shows the destination IP address of the packet received by the WAN interface unit 11. The "protocol / destination port number" column shows the protocol name of the packet received by the WAN interface unit 11 and, for protocols that use port numbers, its destination port number. The "operation" column indicates the action to be taken on the packet when its source and destination match the values in that row.
- The protocol name used in the "protocol / destination port number" column can be a name associated in advance with a protocol and port number.
- For example, in the first row, packets whose destination IP address is "123.123.123.123" and whose protocol name is "https (HyperText Transfer Protocol Security, e.g. TCP 443)" are sent to the LAN side (pass: accept). In the second row, packets whose source IP address is "211.250.250.100", whose destination IP address is "123.123.123.123", and whose protocol name is "SSH (Secure Shell, e.g. TCP 22)" are sent to the LAN side, and in the third row all packets are dropped (drop).
- The access control unit 23 checks whether the received packet matches the rows of the table in order from the top; if a row matches, the designated operation is performed and the processing for that packet ends. That is, in the table of FIG. 15, a condition set in an upper row is processed with higher priority.
- The relay device 20 also stores the address conversion table shown in FIG. 16 in the database unit 26. Based on this table, the address conversion unit 24 converts the destination IP address of a packet received on the WAN side into an IP address inside the LAN and sends it into the LAN. In addition, the source IP address of a packet received from the LAN side is converted to the IP address (global address) of the WAN, and the packet is sent to the WAN side.
- In FIG. 16, the "source IP address" column indicates the source IP address of the packet received by the WAN interface unit 11, and the "destination IP address" column indicates its destination IP address. The "protocol / destination port number" column shows the protocol name of the packet received by the WAN interface unit 11 and, for protocols that use port numbers, its destination port number. The "internal IP address" column is the LAN private address to be set as the destination IP address of the packet when the source and destination of the packet received by the WAN interface unit 11 match the values of the corresponding row, and the "protocol / port number" column indicates the port number to be set as the destination port number of the packet in that case.
- For example, in the first row, a packet whose destination IP address is "123.123.123.123" and whose destination port number is "TCP 443 (https)" has its destination IP address rewritten to "192.168.100.5" and is sent to the LAN side with the destination port number unchanged.
- The address conversion unit 24 checks whether the received packet matches the rows of the table in order from the top; if a row matches, the designated operation is performed and the processing for that packet ends. That is, in the table of FIG. 16, a condition set in an upper row is processed with higher priority.
- The state shown in FIG. 16 is the initial state (a state in which no terminal is in communication). Address conversion rules are added according to communication requests from terminals in the LAN and requests from the server on the WAN side described later, and packets from the LAN to the WAN side and packets from the WAN to the LAN then have their addresses translated according to the table of FIG. 16 before being sent.
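The first-match lookup described for the access control table (FIG. 15) and the address conversion table (FIG. 16), including the reverse LAN-to-WAN source-address conversion, as an added Python example that is not the patent's own code. The https, SSH and drop rows and the internal address 192.168.100.5 are the values the text gives; the IPsec rows, the internal addresses 192.168.100.7 and 192.168.100.8, the protocol-name mapping and the default-drop behaviour when no row matches are assumptions made for the illustration. The IPsec rows show the point of the earlier embodiment: a port-less protocol can still be distributed to different LAN hosts because rules are keyed on the source IP address.

```python
"""First-match access control and address conversion tables (added example,
modelled on the FIG. 15 / FIG. 16 description; not the patent's own code)."""
from dataclasses import dataclass, replace
from typing import List, Optional

ANY = "any"

# Preset protocol-name to (protocol, port) mapping; the text says rows may use
# protocol names associated in advance with port numbers (mapping constructed here)
SERVICE_PORTS = {"http": ("tcp", 80), "https": ("tcp", 443), "ssh": ("tcp", 22)}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp" or a port-less protocol such as "ipsec"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None  # None for port-less protocols


@dataclass(frozen=True)
class AccessRule:                   # one row of the access control table (FIG. 15)
    src_ip: object
    src_port: object
    dst_ip: object
    proto: object
    dst_port: object
    action: str                     # "pass" or "drop"


@dataclass(frozen=True)
class NatRule:                      # one row of the address conversion table (FIG. 16)
    src_ip: object
    dst_ip: str                     # global (WAN-side) address
    proto: object
    dst_port: object
    internal_ip: str                # LAN private address written into the destination
    internal_port: object = ANY     # ANY keeps the destination port unchanged


def _match(rule_value, packet_value) -> bool:
    return rule_value == ANY or rule_value == packet_value


def _header_matches(src_ip, dst_ip, proto, dst_port, pkt: Packet) -> bool:
    return (_match(src_ip, pkt.src_ip) and _match(dst_ip, pkt.dst_ip)
            and _match(proto, pkt.proto) and _match(dst_port, pkt.dst_port))


def access_control(table: List[AccessRule], pkt: Packet) -> str:
    """Rows are checked from the top; the first matching row decides the action."""
    for r in table:
        if (_header_matches(r.src_ip, r.dst_ip, r.proto, r.dst_port, pkt)
                and _match(r.src_port, pkt.src_port)):
            return r.action
    return "drop"   # assumption: nothing passes without an explicit row


def translate_inbound(table: List[NatRule], pkt: Packet) -> Optional[Packet]:
    """WAN -> LAN: rewrite the destination to the internal address of the first matching row."""
    for r in table:
        if _header_matches(r.src_ip, r.dst_ip, r.proto, r.dst_port, pkt):
            port = pkt.dst_port if r.internal_port == ANY else r.internal_port
            return replace(pkt, dst_ip=r.internal_ip, dst_port=port)
    return None


def translate_outbound(table: List[NatRule], pkt: Packet) -> Optional[Packet]:
    """LAN -> WAN: the packet's destination is matched against the row's source IP column and
    its source against the internal IP column; the source is rewritten to the global address."""
    for r in table:
        if _match(r.src_ip, pkt.dst_ip) and r.internal_ip == pkt.src_ip and _match(r.proto, pkt.proto):
            return replace(pkt, src_ip=r.dst_ip)
    return None


def service(name: str):
    """Expand a preset protocol name into (protocol, port) for a table row."""
    return SERVICE_PORTS[name]


GLOBAL_IP = "123.123.123.123"
# FIG. 15 rows as given in the text, plus a constructed IPsec row keyed only by source IP
ACCESS_TABLE = [
    AccessRule(ANY, ANY, GLOBAL_IP, *service("https"), "pass"),
    AccessRule("211.250.250.100", ANY, GLOBAL_IP, *service("ssh"), "pass"),
    AccessRule("111.222.234.123", ANY, GLOBAL_IP, "ipsec", ANY, "pass"),   # constructed
    AccessRule(ANY, ANY, ANY, ANY, ANY, "drop"),
]
# FIG. 16 row as given in the text, plus constructed IPsec rows that send a port-less
# protocol to different LAN hosts per source IP (internal addresses are constructed)
NAT_TABLE = [
    NatRule(ANY, GLOBAL_IP, *service("https"), "192.168.100.5"),
    NatRule("111.222.234.123", GLOBAL_IP, "ipsec", ANY, "192.168.100.7"),    # constructed
    NatRule("211.250.250.100", GLOBAL_IP, "ipsec", ANY, "192.168.100.8"),    # constructed
]


def relay_inbound(pkt: Packet) -> Optional[Packet]:
    """Access control first, then address conversion, as the relay device does for WAN packets."""
    if access_control(ACCESS_TABLE, pkt) != "pass":
        return None
    return translate_inbound(NAT_TABLE, pkt)
```

Row order is the whole policy: the drop-all row must stay last, and a rule added later for a specific source must be placed above any broader row it is meant to override, otherwise the broader row wins on the first match.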
- FIG. 17 shows the configuration of an authentication server and terminals on the Internet, and terminals and servers on a LAN.
- the relay device 20 is connected to the LAN 300, and terminals 310a and 310b and servers 311a and 311b are connected to the LAN 300.
- The relay device 20 adds access control rules to the access control table of FIG. 15 and address conversion rules to the address conversion table of FIG. 16 only at the request of the authentication server 100 on the Internet 200.
- The database unit 106 of the authentication server 100 records authentication information for authenticating the users who may access the relay device 20, and access information such as the address of the relay device 20 to which access is permitted for each user and the access control rule and address conversion rule to be added.
- The authentication server 100 authenticates the user based on the authentication information recorded in the database unit 106, and if authentication succeeds, it requests the relay device to add the access control rule and the address conversion rule.
- A user operating the terminal 220a connects to the authentication server 100 on the Internet 200 and is authenticated. This authentication may range from simple identification information (ID) and a password to advanced authentication using a one-time password or biometric information. It is preferable to encrypt the information used for such authentication before transmission, to prevent it from leaking on the Internet.
- When the authentication server 100 receives the authentication request, it stores the address of the requesting terminal 220a as the source address (step S41) and authenticates the user based on the authentication information (step S42).
- The authentication server 100 then requests the relay device 20 to add an access control rule and an address conversion rule that use the recorded address of the terminal. For example, when only http access from the terminal 220a to the server 311a is permitted, the authentication server 100 requests the addition of the access control rule shown in FIG. 19, which permits http access from the address (111.222.234.123) of the terminal 220a, and of the address conversion rule shown in FIG. 20, which changes the destination of http packets whose source is the address (111.222.234.123) of the terminal 220a to the address of the server 311a (192.168.100.4).
- When the access control unit 23 of the relay device 20 receives the access control rule addition request and the address conversion rule addition request from the authentication server 100, it adds the received access control rule to the access control table of the database unit 26, and requests the address conversion unit 24 to add the address conversion rule received from the authentication server 100.
- The address conversion unit 24 adds the received address conversion rule to the address conversion table of the database unit 26 (step S44). For example, when http access from the terminal 220a to the server 311a is permitted as above, the access control rule of FIG. 19 is added to the access control table of FIG. 15, giving the access control table shown in FIG. 21, and the address conversion rule of FIG. 20 is added to the address conversion table of FIG. 16, giving the address conversion table shown in FIG. 22. After the access control rule and the address conversion rule have been added, the access control unit 23 returns an addition completion to the authentication server 100.
- When the authentication server 100 receives the addition completion from the relay device 20, it stores the stored address of the terminal 220a, the address of the relay device 20, the added access control rule and the address conversion rule in association with each other as in-communication information (step S45). In addition, the authentication server 100 sends the terminal 220a accessible information indicating that access has become possible, together with the service name (for example, a Web camera) or the IP address and port number to which access is permitted.
- The terminal 220a displays the received information (step S46), informing the user that access has become possible and what is accessible.
- As a result, http access from the terminal 220a is distributed to the server 311a, and http access from other terminals is denied.
- The user who has learned that access is possible starts communication with a terminal or server in the LAN 300.
- When communication ends, the end information is input at the terminal 220a (step S51), and the authentication server 100 is notified of the end of communication.
- The authentication server 100 searches the in-communication information for a terminal-side address matching the source address of the communication end notification (step S52). If a matching entry is found (step S53), the associated relay device 20 is requested to delete the access control rule and the address conversion rule.
- When the access control unit 23 of the relay device 20 receives the deletion request for the access control rule and the address conversion rule, it deletes the received access control rule from the access control table of the database unit 26, and requests the address conversion unit 24 to delete the address conversion rule received from the authentication server 100. When the address conversion unit 24 receives the address conversion rule deletion request from the access control unit 23, it deletes the corresponding address conversion rule from the address conversion table of the database unit 26 (step S54). In this way, the communication end notification from the user returns the access control table of the relay device 20 to the state of FIG. 15 and the address conversion table to the state of FIG. 16, so unauthorized access using the added access control rules and address conversion rules is prevented.
- Since the relay device 20 accepts requests to add or delete access control rules and address conversion rules only from the authentication server 100, the rules can be changed without the accessible ports being detectable by a port scan.
- Since authentication is performed by the authentication server 100, authentication stronger than ID and password can easily be introduced.
- In this embodiment the access control rule and the address conversion rule are deleted upon the communication end notification from the terminal 220a, but it may instead be determined that communication has ended when no packet has been transmitted or received for a predetermined time or more, or when a predetermined time has elapsed since the start of communication, and the access control rule and address conversion rule deleted at that point.
- The authentication server 100 may be provided with an http server function so that acceptance of authentication, display of accessible information, notification of communication end and the like can be performed on a Web page.
- A SIP (Session Initiation Protocol) server may also be used as the authentication server 100.
- By setting the access control rule to pass for all access, the relay device can also function purely as an address conversion device.
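The rule lifecycle of steps S41 to S54 above, together with the timeout variant described for the end of communication, as an added Python example that is not the patent's own code. It models the authentication server 100 (user database, in-communication information, end-notification matching) and the relay device 20 (which accepts rule changes only from the authentication server). The authentication server address 200.0.0.1, the user record, the idle and maximum-duration values and the class and method names are assumptions; the terminal address 111.222.234.123, the relay address 123.123.123.123 and the server address 192.168.100.4 are the values the text uses.

```python
"""Authentication-server-driven rule lifecycle (added example modelled on the FIG. 17
to FIG. 22 description; not the patent's own code).  Time is a float in seconds."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AUTH_SERVER_IP = "200.0.0.1"   # constructed address of authentication server 100


@dataclass(frozen=True)
class Rule:
    """Access control rule and its matching address conversion rule, kept together."""
    src_ip: str       # WAN terminal whose packets are permitted
    dst_ip: str       # global address of the relay device
    service: str      # e.g. "http"
    internal_ip: str  # LAN address the destination is rewritten to


class RelayDevice:
    """Relay device 20: dynamic rules are inserted above the static rows and are
    only ever changed at the request of the authentication server."""

    def __init__(self, global_ip: str):
        self.global_ip = global_ip
        self.dynamic_rules: List[Rule] = []
        self.last_seen: Dict[str, float] = {}   # last packet time per terminal (for timeouts)

    def add_rule(self, requester_ip: str, rule: Rule) -> bool:
        if requester_ip != AUTH_SERVER_IP:
            return False                         # requests from anyone else are ignored
        self.dynamic_rules.insert(0, rule)       # top row: highest priority on first match
        return True

    def delete_rule(self, requester_ip: str, rule: Rule) -> bool:
        if requester_ip != AUTH_SERVER_IP or rule not in self.dynamic_rules:
            return False
        self.dynamic_rules.remove(rule)
        self.last_seen.pop(rule.src_ip, None)
        return True

    def note_packet(self, src_ip: str, now: float) -> None:
        self.last_seen[src_ip] = now


@dataclass
class Session:
    """In-communication information recorded at step S45."""
    terminal_ip: str
    relay: RelayDevice
    rule: Rule
    started: float


class AuthServer:
    def __init__(self, users: Dict[str, Tuple[str, str, str]], relay: RelayDevice):
        self.users = users         # user_id -> (password, permitted service, LAN server address)
        self.relay = relay
        self.sessions: List[Session] = []

    def authenticate(self, terminal_ip: str, user_id: str, password: str, now: float) -> Optional[str]:
        """Steps S41-S46: store the source address, verify, add rules, record the session."""
        record = self.users.get(user_id)
        if record is None or record[0] != password:
            return None                              # authentication failed: nothing is opened
        _, service, internal_ip = record
        rule = Rule(terminal_ip, self.relay.global_ip, service, internal_ip)
        if not self.relay.add_rule(AUTH_SERVER_IP, rule):
            return None
        self.relay.note_packet(terminal_ip, now)
        self.sessions.append(Session(terminal_ip, self.relay, rule, now))
        return f"{service} access to {internal_ip} is now possible"   # accessible information

    def end_notification(self, src_ip: str) -> bool:
        """Steps S52-S54: only a notification from the recorded terminal address closes a session."""
        for s in self.sessions:
            if s.terminal_ip == src_ip:
                s.relay.delete_rule(AUTH_SERVER_IP, s.rule)
                self.sessions.remove(s)
                return True
        return False

    def expire(self, now: float, idle_timeout: float, max_duration: float) -> List[str]:
        """Timeout variant: close sessions idle too long or open longer than allowed."""
        ended = []
        for s in list(self.sessions):
            idle = now - s.relay.last_seen.get(s.terminal_ip, s.started)
            if idle >= idle_timeout or now - s.started >= max_duration:
                s.relay.delete_rule(AUTH_SERVER_IP, s.rule)
                self.sessions.remove(s)
                ended.append(s.terminal_ip)
        return ended
```

Two checks carry the security value of the design: the relay refuses rule changes from any address other than the authentication server, and the end notification only removes the rule whose recorded terminal address matches the notification's source, so a third party cannot open or close another user's access.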
- The first to third embodiments show the functional configuration and processing flow of relay apparatuses that use both the access control technology and the address conversion technology.
- The following embodiment shows an address conversion apparatus and its processing flow, using the address conversion technology alone.
- FIG. 23 shows an example of the functional configuration of the address conversion device.
- the address conversion device 30 includes a WAN interface unit 11, a LAN interface unit 12, a database unit 33, an address conversion unit 34, and an authentication processing unit 35.
- the database unit 33 stores data for address conversion including an address conversion table, data for user authentication, and the like.
- An example of the address conversion table is shown in FIG. 24. FIG. 25 shows an example of the address conversion table after an address conversion rule that includes the source IP address described later as its source IP address has been added to the address conversion table of FIG. 24.
- The "source IP address" column indicates the source IP address of the packet received by the WAN interface unit 11 ("any" means any address may match). The "destination IP address" column shows the destination IP address of the packet received by the WAN interface unit 11. The "protocol / destination port number" column indicates the protocol and destination port number of the packet received by the WAN interface unit 11. The "internal IP address" column is the address set as the destination IP address of the packet when the source and destination of the packet received by the WAN interface unit 11 match the values of the corresponding row.
- the address conversion unit 34 adds and deletes address conversion rules to and from the address conversion table, and performs address conversion of packets received by the WAN interface unit 11 and the LAN interface unit 12 based on the address conversion table.
- When a packet is received from the WAN interface unit 11, the address conversion unit 34 looks up the address conversion table by the source IP address and the destination IP address, converts the destination IP address to the IP address in the LAN (internal IP address), and sends the packet to the LAN side via the LAN interface unit 12.
- For example, a packet whose destination IP address is "123.123.123.123" and whose destination port number is "TCP 443 (https)" has its destination IP address rewritten to "192.168.100.5" and is sent to the LAN side with the destination port number unchanged.
- When a packet is received from the LAN interface unit 12, the address conversion unit 34 treats the destination IP address of the packet as the table's source IP address, searches the address conversion table for the row whose internal IP address equals the source IP address of the packet, converts the source IP address of the packet to the global IP address on the WAN, and sends the packet to the WAN side via the WAN interface unit 11.
- The address conversion unit 34 checks the received packet against the address conversion table in order from the top row; if a row matches, the designated operation is performed and the processing for that packet ends. That is, in the address conversion tables shown in FIGS. 24 and 25, a condition set in an upper row is processed with higher priority.
- the authentication processing unit 35 performs user authentication processing in response to a request from the address conversion unit 34.
- FIG. 26 and FIG. 27 are flowcharts showing the processing flow of the address conversion device; the operation of the address conversion device is described in detail below according to them.
- When the address conversion unit 34 receives an http access request (communication start request) packet addressed to its own address from the terminal device 220 on the WAN side via the WAN interface unit 11 (step S61), it stores the source IP address of the request packet as the IP address of the source terminal (step S62), and transmits an HTML (HyperText Markup Language) file for entering the user identification information and password required for user authentication to the requesting terminal device 220 via the WAN interface unit 11 (step S63).
- The address conversion unit 34 receives the user's identification information and password from the requesting terminal device 220 (step S64), passes them to the authentication processing unit 35, and requests authentication (step S65).
- The authentication processing unit 35 searches the user information stored in the database unit 33 for a user whose identification information matches the received identification information. If a matching user is found, the stored password of that user is compared with the received password, and if they match, an authentication success is sent to the address conversion unit 34 (step S66). If no matching user is found, or if the passwords do not match, an authentication error is sent to the address conversion unit. The user is then asked to input the identification information and password again, and this is repeated up to a predetermined number of times if they still do not match.
- When authentication succeeds, an HTML file for inputting the private address, protocol, port number and the like of the server in the LAN to be accessed is sent to the access request source.
- When the private address, protocol and port number are received from the terminal device 220, the address conversion unit 34 adds an address conversion rule to the address conversion table of the database unit 33, with the recorded source IP address of the http access request packet as the source IP address, the received private address as the internal IP address, and the received protocol and port number as the protocol and destination port number (step S69). For example, the source IP address of the http access request packet is "111.222.234.123", the destination IP address is "123.123.123.123", and the destination port number is "TCP 22".
- The address conversion unit 34 then sends the requesting terminal device 220 an HTML file indicating that authentication was successful and that the address conversion rule has been set, and displaying the private address, protocol, port number and the like of the conversion destination in the LAN (step S70).
- A program that accesses the relay device 10a at predetermined time intervals may be embedded in this HTML file.
- The requesting terminal device 220 can confirm the information of the address conversion that was set by displaying the transmitted HTML file. After that, the terminal device 220 automatically performs http communication with the address conversion device 30 at fixed time intervals by means of a program such as a script embedded in the HTML file.
- After the address conversion rule has been set, when the address conversion unit 34 receives a packet from the WAN interface unit 11 (steps S72 and S74), it looks up the address conversion table by the source IP address and the destination IP address (step S75), converts the destination IP address into an IP address in the LAN (internal IP address) (step S76), and transmits the packet to the LAN via the LAN interface unit 12.
- When the address conversion unit 34 receives a packet from the LAN interface unit 12 (steps S72 and S74), it looks up the address conversion table by the packet's internal IP address (step S77), converts the source IP address of the packet from the internal IP address to the global IP address on the WAN (step S78), and transmits the packet to the WAN via the WAN interface unit 11.
- Communication with the server (terminal device) in the LAN is performed as described above.
- When the user of the terminal device 220 ends communication, the user selects the communication end button on the screen of the HTML file received from the address conversion device 30, which transmits a communication end packet, or closes the screen.
- When the address conversion unit 34 of the address conversion device 30 detects disconnection of the communication because the HTML screen of the requesting terminal device 220 has been closed (step S71), or receives the communication end packet (step S73), it deletes the added address conversion rule from the address conversion table rewritten as shown in FIG. 25 (step S79), restoring the initial state shown in FIG. 24.
- Because the address conversion rule can be set under a condition that includes the source IP address, packets to the same port number can be distributed to different servers for each source IP address, and even with a protocol that has no port number, communication can be carried out with a separate terminal for each source IP address.
- In this embodiment, http is used for access from the terminal to the address conversion apparatus, but https, telnet, SIP (Session Initiation Protocol) or the like may be used instead. Further, in this embodiment the user is authenticated, but authentication may be omitted for requests from a terminal set in advance.
- Figures 28 and 29 show an example of the functional configuration of the firewall device and an example procedure of the firewall method.
- The firewall apparatus 40 of this embodiment comprises a WAN interface unit 11 that is connected to a wide area network (WAN) 200 such as the Internet and transmits and receives packets with the WAN 200, a LAN interface unit 12 that transmits and receives packets with the LAN 300, an access control unit 46 that analyzes the packets received by the WAN interface unit 11 and the LAN interface unit 12 and performs access control, an authentication processing unit 47 that authenticates users, and a database unit 48 that stores data for access control and authentication data.
- A table as shown in FIG. 30 is stored in the access control table (passage condition table) 48a of the database unit 48, and the access control unit 46 determines, based on this table, whether a packet received by the WAN interface unit 11 is to be transferred to the LAN 300 side via the LAN interface unit 12.
- In FIG. 30, the "source IP address" column indicates the source IP address of the packet received by the WAN interface unit 11, and the "source port number" column indicates its source port number. The "destination IP address" column shows the destination IP address of the packet received by the WAN interface unit 11. The "protocol / destination port number" column indicates the destination port number of the packet received by the WAN interface unit 11, here given as the protocol name corresponding to the port number. The "operation" column indicates the action to be taken on a packet received by the WAN interface unit 11 whose source information and destination information match the source IP address, source port number, destination IP address, protocol and destination port number of that row of the passage condition table (access control table) 48a.
- The correspondence between the protocol name and the port number used in the "protocol / destination port number" column is set in advance. A numerical value, that is, the port number itself, may also be set in the "protocol / destination port number" column. For example, in the first row, a packet whose destination IP address is "111.111.111.2" and whose destination port number is "http (Hypertext Transport Protocol, for example TCP (Transmission Control Protocol) 80)" is forwarded to the LAN 300 (pass: accept). In the next row, a packet whose source IP address is "123.123.123.1", whose destination IP address is "111.111.111" and whose destination port number is "https (Hypertext Transfer Protocol Security, for example TCP 443)" is forwarded to the LAN 300. In the row whose source and destination fields are both "any" and whose "operation" field is "drop", all packets are dropped (drop).
- The search unit 46a in the access control unit 46 checks whether the source and destination information of the received packet matches the passage condition table 48a in order from the top row, and if a row matches, the transfer control unit 46b performs the specified operation on the packet. That is, in the passage condition table 48a of FIG. 30, a condition set in an upper row is processed with higher priority.
- When the access control unit 46 receives an https passage condition setting request packet addressed to the address of the firewall device 40 (step S81), the session establishment/disconnection unit 46c establishes a secure session (SSL (Secure Socket Layer) session) with the source user terminal 220 connected to the WAN 200 (step S82). If the session is established successfully, the IP address of the source user terminal 220 is stored, for example in the database unit 48 (step S83). The request unit 46d1 of the notification information generation unit 46d then transmits an authentication information request to the user terminal 220 (step S84): for example, an HTML file for inputting the user identification information and password is encrypted and transmitted to the requesting user terminal 220 via the WAN interface unit 11.
- The other conditions included in the passage condition setting request packet are also stored in the passage condition table (access control table) 48a of the database unit 48.
- The encrypted authentication information returned by the user terminal 220 is decrypted by the decryption unit 46e, and the decrypted user identification information and password are sent to the authentication processing unit 47 with a request to authenticate the user (step S87).
- The authentication processing unit 47 searches the user information stored in the authentication information unit 48b of the database unit 48 for a user whose identification information matches the received identification information. If a matching user is found, the password of that user stored in the authentication information unit 48b is compared with the received password, and if they match, an authentication success is sent to the access control unit 46. If there is no matching user, or if the password is incorrect, the authentication processing unit 47 sends an authentication error to the access control unit 46.
- When the access control unit 46 receives the authentication success (pass) from the authentication processing unit 47 (step S88), it adds to the passage condition table (access control table) 48a a row that lets packets pass, based on the information in the passage condition setting request of the successfully authenticated user (step S89).
- For example, if the successfully authenticated requesting user terminal 220 with IP address "123.123.111.1" is permitted FTP (File Transfer Protocol) access (ftp) to the Web server 310 with IP address "111.111.111.3" connected to the LAN 300, an access control rule (passage condition) containing the address information of the requesting user terminal 220 and the Web server 310, with "pass" as the "operation", is added as the top row of the passage condition table 48a of FIG. 30, as shown in FIG. 31. The source address may be set to "any", or the IP address of the requesting user terminal 220 may be set.
- The access control unit 46 then generates, with the permission unit 46d2 and the status unit 46d3 of the notification information generation unit 46d, an HTML file indicating that authentication was successful and access was permitted, the accessible information (such as the name of the service to which access is permitted (for example, a Web camera), or the IP address and port number), and the communication status (that communication is in progress between the user terminal 220 of IP address "123.123.111.1" and the server 310 of IP address "111.111.111.3" and port number "ftp"). The file is encrypted by the encryption unit 46f and transmitted to the requesting user terminal 220 (step S90).
- The user terminal 220 can display the accessible information and the access status by decrypting and displaying the HTML file transmitted from the firewall device 40.
- the access control unit 46 monitors the access from the user terminal 220 with the monitoring unit 46g (step S91), When an abnormality in the access from the user terminal 220 is detected by the abnormality detection unit 46gl (step S92), the abnormality notification is generated by the abnormality unit 46d4 of the notification information generation unit 46d, and to the user terminal 220 through the SSL session. Send (step S93). Specifically, for example, it is as follows.
- The traffic per unit time of the packets sent by a user terminal (for example, in Mbit/s) is nearly constant for a given service, such as a video service or a voice service. The access control unit 46 therefore monitors the traffic per unit time of the packets from each terminal for which an SSL session has been established, and detects traffic that exceeds the traffic volume set in advance for the service.
- When such traffic is detected, an HTML file showing the service name, the measured traffic volume and so on is encrypted and transmitted to the user terminal 220.
- The user terminal 220 decrypts and displays the received HTML file, which presents the information on the access that appears abnormal, so the user of the user terminal 220 can learn that unauthorized access is taking place.
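The per-service traffic check described above, as an added example in Python; it is not code from the patent, and the service names, the limits in bytes per second and the packet trace are constructed for illustration. It measures the peak bytes per second of each (terminal, service) flow over a sliding one-second window and reports the flows that exceed the limit preset for their service, which is what the abnormality detection unit 46g1 is described as doing:

```python
"""Per-service traffic-rate anomaly check (added example, not code from the patent).

Each terminal with an established session has its packets grouped per service;
the peak bytes/s over a sliding window is compared with a limit preset for that
service. Limits and the sample trace below are constructed values."""
from collections import defaultdict

# Constructed per-service limits in bytes per second. The patent only says the
# volume is "set in advance for each service"; these numbers are assumptions.
SERVICE_LIMIT_BPS = {
    "video": 4_000_000,
    "voice": 100_000,
    "ftp": 1_000_000,
}


def bytes_per_second(packets, window=1.0):
    """Return {(src_ip, service): peak bytes/s over any `window`-second interval}.

    `packets` is an iterable of (timestamp_s, src_ip, service, length_bytes).
    A sliding window over the time-sorted packets finds the peak rate, which is
    the value a per-service threshold should be compared against."""
    by_flow = defaultdict(list)
    for ts, src, service, length in packets:
        by_flow[(src, service)].append((ts, length))
    peaks = {}
    for flow, pkts in by_flow.items():
        pkts.sort()
        peak = total = start = 0
        for ts, length in pkts:
            total += length
            # Drop packets that fell out of the window (ts - window, ts].
            while pkts[start][0] < ts - window:
                total -= pkts[start][1]
                start += 1
            peak = max(peak, total)
        peaks[flow] = peak / window
    return peaks


def detect_abnormal(packets, limits=SERVICE_LIMIT_BPS, window=1.0):
    """Return abnormality notices as (src_ip, service, measured_bps, limit_bps).

    A flow whose service has no preset limit is reported with limit None so the
    operator notices the gap instead of the flow passing unchecked."""
    notices = []
    for (src, service), bps in bytes_per_second(packets, window).items():
        limit = limits.get(service)
        if limit is None:
            notices.append((src, service, bps, None))
        elif bps > limit:
            notices.append((src, service, bps, limit))
    return notices


def sample_trace():
    """Constructed trace: a normal voice flow from 123.123.111.1 (8 kB/s),
    then a burst from the same terminal far above what a voice service sends,
    plus an unremarkable FTP flow from a neighbouring terminal."""
    pkts = [(i * 0.02, "123.123.111.1", "voice", 160) for i in range(100)]
    pkts += [(2.0 + i * 0.001, "123.123.111.1", "voice", 1500) for i in range(500)]
    pkts += [(i * 0.1, "123.123.111.2", "ftp", 1400) for i in range(20)]
    return pkts


if __name__ == "__main__":
    for notice in detect_abnormal(sample_trace()):
        print("abnormal traffic:", notice)
```

Comparing the peak of a sliding window rather than a per-second average matters here: a short burst that averages out over a long interval is exactly the kind of traffic the per-service expectation is meant to catch.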
- When the user who was granted access as described above and has been communicating with the server 310 in the LAN 300 finishes, the user selects the "End Communication" button on the screen that the user terminal 220 displays from the HTML file received from the firewall device 40, or forcibly disconnects the SSL session.
- When the access control unit 46 of the firewall device 40 receives the communication termination packet or detects disconnection of the SSL session (step S94), it returns the pass condition table 48a, rewritten as shown in FIG. 31, to the original state shown in FIG. 30 (step S95).
- The pass condition table 48a is thus restored to its original state and the SSL session is disconnected.
- If in step S94 the communication has not ended and the session has not been disconnected, the process returns to step S81. If it is determined in step S81 that there is no pass condition setting request, access monitoring is performed in step S91. If authentication fails in step S88, the session establishment/disconnection unit 46c disconnects the SSL session in step S96 and the process jumps to step S81.
- Steps S91, S92 and S93 constitute a communication status monitoring step. In FIG. 28, the control unit 49 operates each unit in sequence and performs reading, writing, erasing and so on.
- As described above, the user is authenticated within the https session, and only if authentication succeeds is the access permission (pass condition) corresponding to that user added, and only for the IP address from which the https session was requested. The security policy (pass conditions) of the firewall device 40 can therefore be changed safely from outside the firewall device 40, and as soon as the session is disconnected the added pass condition is deleted, which prevents unauthorized access.
- The name of the service for which access was permitted and the status of communication with the permitted IP address are displayed to the user over the https session, and by checking them the user can detect and prevent unauthorized access.
- The present invention can also be applied to access control rule addition requests (pass condition setting requests) made on a per-network basis, instead of defining the access control rule (pass condition) for each user terminal individually.
- This embodiment shows an example in which the method of adding access control rules (pass conditions) on a network basis is applied to the configuration of the fifth embodiment.
- The home network 210, shown by the broken line in FIG. 28, is connected to the WAN 200, and a plurality of user terminals 220 are connected to the home network 210.
- A pass condition setting request for the whole network is sent together with the user's identification information and password, and based on the user's access information, access is permitted for the network as a whole.
- The access control unit 46 sets the access permission (a pass condition with "operation" set to "pass") for the network address of the IP address acquired when the SSL session was established.
- For example, if the acquired IP address belongs to 123.123.111.0/24 (the upper 24 bits are 123.123.111 and the lower 8 bits take the values 1, 2, ..., 254) and FTP (File Transfer Protocol) access is permitted, a pass condition whose source IP address is the network address of the network 210 (the IP addresses whose upper 24 bits are 123.123.111) is added to the top row of the pass condition table 48a shown in FIG. 30. After the addition, the table looks like FIG. 32.
- While the SSL session is established, access from any of the user terminals 220 in the network 210 can be permitted, so a terminal in the network 210 that has no browser can also reach the permitted destination.
- The communication status is sent to the user terminal that has the browser and that made the SSL session establishment request, that is, the pass condition setting request.
- The above describes adding access control rules (pass conditions) on a network basis to the firewall device 40 of the fifth embodiment.
- Next, the case where access control rules (pass conditions) are added on a network basis to the relay device 10 of the first embodiment is described.
- The home network 210, shown by the broken line in FIG. 2, is connected to the WAN 200, and a plurality of user terminals 220 are connected to the home network 210.
- A communication condition setting request for the whole network is sent together with the user's identification information and password, and based on the user's access information, access is permitted for the network as a whole. That is, the access control unit 13 sets the access permission (a pass condition with "operation" set to "pass") for the network address of the IP address acquired when the SSL session was established.
- For example, if the request source user terminal 220 has an IP address in 123.123.111.0/24 and FTP (File Transfer Protocol) access to the server 310 with IP address 111.111.111.3 is permitted, a pass condition whose source IP address is the network address of the network 210 (the IP addresses whose upper 24 bits are 123.123.111) is added to the top row of the access control table shown in FIG. 3. After the addition, the table looks like FIG. 33.
- In the above, a pass condition for the IP address or network address of the user terminal 220 is added. It is also conceivable that, while the SSL session with the user terminal 220 is established, a packet requesting a connection from the user terminal 220 to a different destination is received. Concretely, the user of a user terminal that has established an SSL session with the firewall device 40 may wish to receive a service other than the one currently being received. In such a case, the user terminal is asked, over the already established SSL session, whether the new connection request should be permitted.
- The user terminal 220 transmits the new pass condition setting request to the access control unit 46 using the established SSL session.
- The access control unit 46 performs an additional setting process S97, indicated by the broken line after step S81 in the flowchart. An example of the procedure of this additional setting process (step S97) is shown in FIG. 34.
- The access control unit 46 checks, from the request source IP address of the received pass condition setting request, whether it is an additional setting request from the user terminal 220 of an SSL session currently established (step S97a).
- If so, the notification information generation unit 46d generates an HTML file showing the request and the buttons to be selected, encrypts it, and transmits it to the user terminal 220 over the SSL session (step S97b).
- The user of the user terminal 220 decrypts and displays the received HTML file and is thereby notified that the additional setting request has been received, so the user can confirm that the additional setting request is one the user knows about.
- When a response to the request is received (step S97c), the access control unit 46 checks the response. If the answer from the user terminal 220 is "permit additional setting" (permit the additional pass condition setting) (step S97d), the access control unit 46 adds the pass condition of the additional setting request to the pass condition table 48a (step S97e). Thereafter, packets satisfying the added pass condition are forwarded to the destination server in the LAN. If the answer from the user terminal is "deny connection" in step S97d, the access control unit 46 discards the new connection request (additional setting request) packet (step S97f).
- In this way a new pass condition for connecting to a server that provides a different service is added to the pass condition table 48a using the already established SSL session.
- Alternatively, the service request itself may be processed as follows. The access control unit 46 performs steps S97a, S97b, S97c and S97d of FIG. 34, and if the response in step S97d is "permit", it transfers the service request packet to the corresponding server (the processing shown in parentheses in step S97e may be used).
- Because the SSL session has already been established, no separate authentication processing is needed for additional condition setting requests or for access requests to other destinations from the requesting user terminal 220; they may be forwarded to the destination server.
- With the method described above, the SSL session can be used to ask the user of the user terminal 220 whether the new connection request should be permitted, which prevents unauthorized access.
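The rule lifecycle described in this and the preceding embodiments (a pass condition inserted at the top of the table only for the authenticated session's source IP address, or its /24 network in the per-network variant; an additional request over the same session applied only after the user confirms it; and every rule of a session deleted when the session ends), as an added example in Python. It is not code from the patent; the Firewall class, the session identifiers, the confirm callback and the addresses are assumptions made for illustration. The confirm callback stands in for the HTML prompt sent in step S97b and the answer received in step S97c.

```python
"""Session-bound pass condition table (added example, not code from the patent).

Models the firewall device 40 behaviour described above: the source of a new
rule is the IP address recorded when the https session was authenticated (or
its /24 network for the per-network variant), an additional request over the
same session needs the user's confirmation, and rules vanish with the session.
Addresses, ports, session identifiers and the confirm callback are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class PassCondition:
    src: ipaddress.IPv4Network        # /32 for one terminal, /24 for the home network
    dst: ipaddress.IPv4Address
    dst_port: int
    action: str                       # "pass" (a "drop" rule would match the same way)
    session_id: Optional[str] = None  # which https session added this rule


class Firewall:
    def __init__(self) -> None:
        self.table: list[PassCondition] = []                  # first match wins; no match = drop
        self.sessions: dict[str, ipaddress.IPv4Address] = {}  # session id -> authenticated peer

    def open_session(self, session_id: str, peer_ip: str, credentials_ok: bool) -> bool:
        """Establish the https session and authenticate the user (steps S81-S88).
        Only a successful authentication records the peer IP that rules bind to."""
        if not credentials_ok:
            return False
        self.sessions[session_id] = ipaddress.ip_address(peer_ip)
        return True

    def request_pass_condition(self, session_id: str, dst: str, dst_port: int,
                               per_network: bool = False,
                               confirm: Optional[Callable[..., bool]] = None) -> str:
        """Handle a pass condition setting request received over `session_id`.

        The rule's source is never taken from the request body: it is the IP
        address (or its /24) that was authenticated on this session. A second
        request on a session that already added rules is an additional setting
        request and is applied only if `confirm` answers True (steps S97a-S97f)."""
        peer = self.sessions.get(session_id)
        if peer is None:
            return "rejected: no authenticated session"
        if any(r.session_id == session_id for r in self.table):
            if confirm is None or not confirm(peer, dst, dst_port):
                return "discarded: user denied additional request"
        prefix = 24 if per_network else 32
        src = ipaddress.ip_network(f"{peer}/{prefix}", strict=False)
        # Insert at the top of the table, as in FIG. 31 / FIG. 32.
        self.table.insert(0, PassCondition(src, ipaddress.ip_address(dst), dst_port, "pass", session_id))
        return "added"

    def end_session(self, session_id: str) -> None:
        """Communication end or SSL disconnect (steps S94-S95): delete the
        session's rules so the table returns to its original state."""
        self.table = [r for r in self.table if r.session_id != session_id]
        self.sessions.pop(session_id, None)

    def decide(self, src: str, dst: str, dst_port: int) -> str:
        """Return "pass" or "drop" for a packet; the first matching rule wins."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.table:
            if s in r.src and d == r.dst and r.dst_port == dst_port:
                return r.action
        return "drop"


def demo() -> dict:
    """Per-terminal rule, a denied and a permitted additional request (the
    permitted one per-network), then teardown; returns the decisions."""
    fw, ftp = Firewall(), "111.111.111.3"
    out = {"before": fw.decide("123.123.111.1", ftp, 21)}
    fw.open_session("s1", "123.123.111.1", credentials_ok=True)
    out["no_session"] = fw.request_pass_condition("s2", ftp, 21)     # s2 never authenticated
    fw.request_pass_condition("s1", ftp, 21)                         # rule of FIG. 31
    out["terminal"] = fw.decide("123.123.111.1", ftp, 21)
    out["neighbour"] = fw.decide("123.123.111.2", ftp, 21)           # other host on network 210
    out["denied_extra"] = fw.request_pass_condition("s1", ftp, 80, confirm=lambda *_: False)
    out["extra_http"] = fw.decide("123.123.111.1", ftp, 80)
    out["allowed_extra"] = fw.request_pass_condition("s1", ftp, 80, per_network=True,
                                                     confirm=lambda *_: True)
    out["neighbour_http"] = fw.decide("123.123.111.2", ftp, 80)      # /24 rule of FIG. 32
    out["outsider_http"] = fw.decide("123.123.112.9", ftp, 80)
    fw.end_session("s1")
    out["after_end"] = fw.decide("123.123.111.1", ftp, 21)
    out["rules_left"] = len(fw.table)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The property worth checking in any implementation of this scheme is that the rule's source address never comes from the request body: it is taken from the authenticated session, so a client cannot open the firewall for a third party, and the per-network variant widens the rule only to the /24 the authenticated address already belongs to.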
- In the above, https is used for the secure session from the user terminal, but another secure session, such as SSH (Secure Shell), may be used.
- In the above, a secure session was established with the request source terminal first and the authentication processing was performed afterwards, but the authentication processing may be performed first. That is, when the pass condition setting request is received in step S81, as shown by the broken line in the flowchart, the authentication processing is performed in step S84, and if authentication passes, the pass condition is set in the database unit 48 in step S89 and a secure session is then established with the request source terminal.
- The authentication processing unit 47 need not be provided inside the firewall device 40; it may be external, for example an authentication server connected to the LAN 300. In that case the authentication information unit 48b is omitted from the database unit 48.
- In the above, the authentication processing requests the user identification information and password and checks whether they are in the authentication information unit 48b to decide whether authentication passes, but a stronger authentication method may be used instead.
- The relay device, the address conversion device and the firewall device (access control device) shown in the first to eighth embodiments may be implemented by a computer.
- In that case, a program that causes the computer to execute each processing flow is installed in the computer from a recording medium such as a CD-ROM, magnetic disk or semiconductor storage device, or downloaded over a communication line, and the program is executed on the computer.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
- Computer And Data Communications (AREA)
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/558,629 US8667170B2 (en) | 2004-04-14 | 2005-04-14 | Address conversion method, access control method, and device using these methods |
JP2006508513A JP4362132B2 (ja) | 2004-04-14 | 2005-04-14 | アドレス変換方法、アクセス制御方法、及びそれらの方法を用いた装置 |
EP05730621A EP1632862B1 (en) | 2004-04-14 | 2005-04-14 | Address conversion method, access control method, and device using these methods |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2004118740 | 2004-04-14 | ||
JP2004-118740 | 2004-04-14 | ||
JP2004209367 | 2004-07-16 | ||
JP2004-209367 | 2004-07-16 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2005101217A1 true WO2005101217A1 (ja) | 2005-10-27 |
Family
ID=35150177
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2005/007254 WO2005101217A1 (ja) | 2004-04-14 | 2005-04-14 | アドレス変換方法、アクセス制御方法、及びそれらの方法を用いた装置 |
Country Status (4)
Country | Link |
---|---|
US (1) | US8667170B2 (ja) |
EP (1) | EP1632862B1 (ja) |
JP (1) | JP4362132B2 (ja) |
WO (1) | WO2005101217A1 (ja) |
Families Citing this family (32)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100667333B1 (ko) * | 2004-12-16 | 2007-01-12 | 삼성전자주식회사 | 홈 네트워크에서 디바이스 및 사용자 인증 시스템 및 방법 |
JP4190521B2 (ja) * | 2005-07-14 | 2008-12-03 | 株式会社東芝 | マルチプロトコルアドレス登録方法、マルチプロトコルアドレス登録システム、マルチプロトコルアドレス登録サーバおよびマルチプロトコルアドレス通信端末 |
US8185642B1 (en) * | 2005-11-18 | 2012-05-22 | Juniper Networks, Inc. | Communication policy enforcement in a data network |
US8873555B1 (en) * | 2006-02-02 | 2014-10-28 | Marvell Israel (M.I.S.L.) Ltd. | Privilege-based access admission table |
DE102006046212A1 (de) * | 2006-09-29 | 2008-04-17 | Siemens Home And Office Communication Devices Gmbh & Co. Kg | Verfahren zur Verbindungs-Zugangs-Steuerung und Vorrichtungen |
US8316427B2 (en) * | 2007-03-09 | 2012-11-20 | International Business Machines Corporation | Enhanced personal firewall for dynamic computing environments |
US8695081B2 (en) * | 2007-04-10 | 2014-04-08 | International Business Machines Corporation | Method to apply network encryption to firewall decisions |
JP5002337B2 (ja) * | 2007-05-31 | 2012-08-15 | 株式会社東芝 | ネットワークアクセスを認証または中継する通信システム、中継装置、認証装置、および通信方法 |
US7990947B2 (en) * | 2007-06-12 | 2011-08-02 | Robert W. Twitchell, Jr. | Network watermark |
US20100275008A1 (en) | 2009-04-27 | 2010-10-28 | Motorola, Inc. | Method and apparatus for secure packet transmission |
US8448235B2 (en) | 2010-08-05 | 2013-05-21 | Motorola Solutions, Inc. | Method for key identification using an internet security association and key management based protocol |
KR20120065131A (ko) * | 2010-12-10 | 2012-06-20 | 한국전자통신연구원 | 다중 단말 가상화 장치 및 그 방법 |
US8918835B2 (en) * | 2010-12-16 | 2014-12-23 | Futurewei Technologies, Inc. | Method and apparatus to create and manage virtual private groups in a content oriented network |
BR112013017925A2 (pt) | 2011-01-12 | 2016-10-11 | Adaptive Spectrum & Signal | sistemas e métodos para otimizar em conjunto comunicações de rede wan e lan |
US8825879B2 (en) * | 2012-02-02 | 2014-09-02 | Dialogic, Inc. | Session information transparency control |
US20130254553A1 (en) * | 2012-03-24 | 2013-09-26 | Paul L. Greene | Digital data authentication and security system |
WO2013150925A1 (ja) | 2012-04-03 | 2013-10-10 | 日本電気株式会社 | ネットワークシステム、コントローラ、及びパケット認証方法 |
CN105052106B (zh) * | 2013-03-15 | 2018-01-02 | 柏思科技有限公司 | 用于接收和传输互联网协议(ip)数据包的方法和系统 |
JP6127618B2 (ja) * | 2013-03-15 | 2017-05-17 | 株式会社リコー | 情報処理装置、情報処理システム、中継方法およびプログラム |
US9641551B1 (en) | 2013-08-13 | 2017-05-02 | vIPtela Inc. | System and method for traversing a NAT device with IPSEC AH authentication |
US10110712B2 (en) | 2014-06-04 | 2018-10-23 | Nicira, Inc. | Efficient packet classification for dynamic containers |
US9774707B2 (en) * | 2014-06-04 | 2017-09-26 | Nicira, Inc. | Efficient packet classification for dynamic containers |
CN105471828B (zh) * | 2014-09-05 | 2019-07-26 | 联想(北京)有限公司 | 网络接入设备及其控制方法 |
CN104539752B (zh) * | 2014-12-31 | 2018-03-09 | 浙江宇视科技有限公司 | 多级域平台间的访问方法及系统 |
CN105100109B (zh) * | 2015-08-19 | 2019-05-24 | 华为技术有限公司 | 一种部署安全访问控制策略的方法及装置 |
US10412048B2 (en) | 2016-02-08 | 2019-09-10 | Cryptzone North America, Inc. | Protecting network devices by a firewall |
US9560015B1 (en) | 2016-04-12 | 2017-01-31 | Cryptzone North America, Inc. | Systems and methods for protecting network devices by a firewall |
JP2018061201A (ja) * | 2016-10-07 | 2018-04-12 | 株式会社リコー | 通信制御装置、通信制御プログラム、及び、ネットワーク通信システム |
US10554633B2 (en) * | 2017-09-19 | 2020-02-04 | ColorTokens, Inc. | Enhanced packet formating for security inter-computing system communication |
US11876790B2 (en) * | 2020-01-21 | 2024-01-16 | The Boeing Company | Authenticating computing devices based on a dynamic port punching sequence |
CN112532639B (zh) * | 2020-12-03 | 2023-03-14 | 中盈优创资讯科技有限公司 | 一种地址开放端口核查方法及装置 |
CN116579019B (zh) * | 2023-06-05 | 2023-11-17 | 山东泰航信息技术有限公司 | 一种计算机信息安全监管系统 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2002185517A (ja) * | 2001-10-09 | 2002-06-28 | Nec Corp | 端末装置、中継装置、通信方法及びその通信プログラムを記録した記録媒体 |
JP2002232450A (ja) * | 2001-01-31 | 2002-08-16 | Furukawa Electric Co Ltd:The | ネットワーク中継装置、データ通信システム、データ通信方法およびその方法をコンピュータに実行させるプログラム |
JP2003085059A (ja) * | 2001-03-16 | 2003-03-20 | Matsushita Electric Ind Co Ltd | ファイアウォール設定方法およびその装置 |
JP2003132020A (ja) * | 2001-10-26 | 2003-05-09 | Cyber Sign Japan Inc | アクセス制御装置及び認証装置及びそれらに関連する装置 |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH10308756A (ja) | 1997-03-06 | 1998-11-17 | Toshiba Corp | 通信装置および通信方法 |
JP4236364B2 (ja) * | 2000-04-04 | 2009-03-11 | 富士通株式会社 | 通信データ中継装置 |
US6931437B2 (en) * | 2000-04-27 | 2005-08-16 | Nippon Telegraph And Telephone Corporation | Concentrated system for controlling network interconnections |
JP4524906B2 (ja) | 2000-11-06 | 2010-08-18 | ソニー株式会社 | 通信中継装置、通信中継方法、および通信端末装置、並びにプログラム記憶媒体 |
JP3760767B2 (ja) * | 2000-12-21 | 2006-03-29 | 株式会社日立製作所 | ネットワーク管理装置及びネットワーク管理方法 |
WO2002076062A1 (en) * | 2001-03-16 | 2002-09-26 | Matsushita Electric Industrial Co., Ltd. | Method and apparatus for setting up a firewall |
TWI234969B (en) * | 2002-11-26 | 2005-06-21 | Ind Tech Res Inst | Dynamic network address translation system and method of transparent private network device |
2005
- 2005-04-14 EP EP05730621A patent/EP1632862B1/en not_active Expired - Fee Related
- 2005-04-14 WO PCT/JP2005/007254 patent/WO2005101217A1/ja not_active Application Discontinuation
- 2005-04-14 US US10/558,629 patent/US8667170B2/en not_active Expired - Fee Related
- 2005-04-14 JP JP2006508513A patent/JP4362132B2/ja active Active
Non-Patent Citations (1)
Title |
---|
See also references of EP1632862A4 * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2006352567A (ja) * | 2005-06-16 | 2006-12-28 | Fujitsu Ltd | サービス提供装置および通信制御プログラム |
JP4498984B2 (ja) * | 2005-06-16 | 2010-07-07 | 富士通株式会社 | サービス提供装置および通信制御プログラム |
US8136144B2 (en) | 2006-06-26 | 2012-03-13 | Kabushiki Kaisha Toshiba | Apparatus and method for controlling communication through firewall, and computer program product |
JP2011048455A (ja) * | 2009-08-25 | 2011-03-10 | Nippon Telegr & Teleph Corp <Ntt> | 中継装置、中継方法,プログラム、およびアクセス制御システム |
JP2014517609A (ja) * | 2011-05-13 | 2014-07-17 | クアルコム,インコーポレイテッド | ユーザ機器とアプリケーションサーバとの間でデータを交換するための方法および装置 |
JP2015130021A (ja) * | 2014-01-07 | 2015-07-16 | 富士ゼロックス株式会社 | 情報処理装置及び情報処理プログラム |
US10380080B2 (en) | 2014-01-07 | 2019-08-13 | Fuji Xerox Co., Ltd. | Information processing apparatus, storage medium, and information processing method |
US11153278B2 (en) * | 2018-03-28 | 2021-10-19 | Beijing Xiaomi Mobile Software Co., Ltd. | Method and device for information interaction |
Also Published As
Publication number | Publication date |
---|---|
JP4362132B2 (ja) | 2009-11-11 |
US20060259583A1 (en) | 2006-11-16 |
EP1632862A1 (en) | 2006-03-08 |
EP1632862A4 (en) | 2008-02-13 |
EP1632862B1 (en) | 2011-11-30 |
US8667170B2 (en) | 2014-03-04 |
JPWO2005101217A1 (ja) | 2008-03-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP4362132B2 (ja) | アドレス変換方法、アクセス制御方法、及びそれらの方法を用いた装置 | |
US11936786B2 (en) | Secure enrolment of security device for communication with security server | |
JP4648148B2 (ja) | 接続支援装置 | |
EP1678918B1 (en) | A persistent and reliable session securely traversing network components using an encapsulating protocol | |
US7913084B2 (en) | Policy driven, credential delegation for single sign on and secure access to network resources | |
KR101038612B1 (ko) | 정보 처리 장치, 및 정보 처리 방법 | |
JP5494816B2 (ja) | 通信制御装置、システム、方法及びプログラム | |
TW200935848A (en) | Selectively loading security enforcement points with security association information | |
JP4109273B2 (ja) | ネットワーク接続システム、ネットワーク接続装置およびプログラム | |
JP2012064007A (ja) | 情報処理装置、通信中継方法およびプログラム | |
CN114301967B (zh) | 窄带物联网控制方法、装置及设备 | |
CN100470518C (zh) | 地址变换方法、访问控制方法及使用这些方法的装置 | |
JP4564739B2 (ja) | サーバ装置および通信システム | |
EP1643709A1 (en) | Data processing system and method | |
Lucenius et al. | Security technologies in home and wireless networking environments | |
JP2007006108A (ja) | パケット中継方法、並びに中継装置、サーバ装置、及びこれらを備えた通信システム | |
Prasetijo et al. | Firewalling a Secure Shell Service |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A1; Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| AL | Designated countries for regional patents | Kind code of ref document: A1; Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| WWE | Wipo information: entry into national phase | Ref document number: 2006508513; Country of ref document: JP |
| WWE | Wipo information: entry into national phase | Ref document number: 2005730621; Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 2006259583; Country of ref document: US; Ref document number: 2005800330X; Country of ref document: CN; Ref document number: 10558629; Country of ref document: US |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| WWP | Wipo information: published in national office | Ref document number: 2005730621; Country of ref document: EP |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWW | Wipo information: withdrawn in national office | Country of ref document: DE |
| WWP | Wipo information: published in national office | Ref document number: 10558629; Country of ref document: US |