WO2006067831A1 - Relay processing program, communication processing program, and firewall system - Google Patents
Relay processing program, communication processing program, and firewall system
- Publication number: WO2006067831A1 (application PCT/JP2004/019035)
- Authority: WO (WIPO, PCT)
- Prior art keywords
- connection request
- destination
- communication
- information
- connection
Classifications
- H04L63/0272 Virtual private networks (under H04L63/02, network security for separating internal from external traffic, e.g. firewalls; H04L63/00, network architectures or protocols for network security)
- H04L67/563 Data redirection of data network streams (under H04L67/56, provisioning of proxy services; H04L67/50, network services; H04L67/00, network arrangements or protocols for supporting network services or applications)
- H04L63/0281 Proxies (under H04L63/02, firewalls; H04L63/00, network security)
- H04L63/166 Implementing security features at the transport layer (under H04L63/16, implementing security features at a particular protocol layer; H04L63/00, network security)
Definitions
- The present invention relates to a relay processing program, a communication processing program, and a firewall system, and more particularly to a relay processing program, a communication processing program, and a firewall system that relay data communication via a firewall installed at the connection point between an external network and an internal network to perform communication management.
- TCP/IP (Transmission Control Protocol / Internet Protocol)
- In TCP/IP, an IP address and a TCP port are used to identify the target computer device.
- TCP port: the communication endpoint of the target computer device specified by an IP address and a TCP port is called a port or socket.
- A control mechanism called a firewall is provided for communication between the computer devices so that only communication on specific ports is possible.
- A firewall is installed at the connection point between an external network and an internal network.
- When an access request from the external network reaches the firewall, the firewall decides whether or not to accept it based on preset restriction conditions. This prevents unauthorized access to the internal network.
- There is also a firewall method that makes effective use of network resources by establishing a connection with the computer device that is the source of an access request only when that request is permitted (for example, Patent Document 1).
- FIG. 12 is a diagram illustrating an example of a communication control function by a firewall.
- Firewall 901 is placed at the connection point between the external network, to which the communication source client 902 is connected, and the internal network, to which communication destination server 1 (903) and communication destination server 2 (904) are connected, and judges whether access requests from the communication source client 902 are permitted based on preset restriction conditions.
- The communication source client 902 makes an access request to communication destination server 1 (903) or communication destination server 2 (904) through the firewall, using a specific TCP port for each application.
- Assume that the firewall 901 is set to accept access requests to IP address "111.123.1.50", TCP port "80", and to IP address "111.123.1.51", TCP port "81". In this case, an access request received from the communication source client 902 passes through the firewall 901 only if it matches one of these restriction conditions, that is, IP address "111.123.1.50" with TCP port "80" or IP address "111.123.1.51" with TCP port "81".
- Patent Document 1: Japanese Patent Laid-Open No. 10-215248 (paragraphs [0013] to [0020], FIG. 1)
Disclosure of the Invention
- Since the port used by each application must be permitted individually, the number of ports to be managed becomes large when there are many applications, and a great deal of labor is required for security management.
- In addition to the port through which access is requested from the external network, a separate port for sending event results from the internal network must be configured on the firewall.
- The firewall must therefore be configured and managed, and the number of ports tends to grow with the scale of the system. When there are many ports to manage, the firewall settings must be made correctly each time a new application is installed, so the likelihood of mistakes is high. When there are many registrations whose firewall settings must be changed as applications are deleted or changed, a necessary change may also be overlooked or neglected. Such setting mistakes and forgotten version upgrades can open security holes and greatly reduce security. In fact, it is known that security holes are often caused by human error.
- The present invention has been made in view of the above points, and its object is to provide a relay processing program, a communication processing program, and a firewall system that facilitate security management in a firewall and can prevent a decrease in security due to human error.
- The present invention provides a relay processing program for causing a computer to execute the processing shown in FIG.
- The relay processing program according to the present invention is applied to a relay server 2 that relays communication passing through a firewall 1 installed at the connection point between an external network, to which the communication source client 4 is connected, and an internal network, to which communication destination server A (3a), communication destination server B (3b), and communication destination server C (3c) are connected.
- In the firewall 1, an aggregation port that aggregates one or more ports permitting access is set as permitted.
- Access input through the external network is monitored, and only access to the aggregation port is passed.
- The relay server 2 has the aggregation port, and access that has passed through the firewall 1 is input through it.
- When access is required by a predetermined application, the communication source client 4 issues a connection request by issuing connection request information whose destination is the aggregation port. The target connection request destination in the internal network, to which the communication source client 4 originally wants to connect, is set in the connection request information in advance.
- The relay server 2 comprises connection request information acquisition means 21, which acquires the connection request information passed by the firewall 1, and relay means 22, which relays the connection request information to the target connection request destination based on its contents.
- The connection request information acquisition means 21 acquires the connection request information issued by the communication source client 4 and input via the aggregation port, and transmits it to the relay means 22.
- The relay means 22 changes the connection request destination to the target connection request destination set in the connection request information, transmits the connection request information to that destination, acquires connection result information from it, and sends the result to the communication source client 4.
- In a system comprising the firewall 1, the relay server 2, and the communication source client 4, when the communication source client 4 connects to the target connection request destination in the internal network, it issues connection request information in which the target connection request destination is described and whose destination is the aggregation port.
- Firewall 1 passes the connection request information because it is destined for the aggregation port for which permission is set.
- The connection request information acquisition means 21 acquires the connection request information input via the aggregation port and transmits it to the relay means 22. Based on the connection request information, the relay means 22 changes the destination to the target connection request destination and transmits the connection request information.
- When connection result information is acquired from the target connection request destination, it is transmitted with the communication source client 4 as the destination.
- In this way the relay server 2 relays the connection process between the communication source client 4 and whichever of communication destination server A (3a), communication destination server B (3b), and communication destination server C (3c) is the target connection request destination. After the connection request is granted, it relays the communication between the communication source client 4 and the target connection request destination server.
- The present invention also provides a communication processing program that performs communication processing with a server connected to the internal network, through a firewall that is installed at the connection point between an external network and an internal network and performs communication management.
- The communication processing program according to the present invention is applied to the communication source client.
- The communication source client implements communication processing means by executing the communication processing program.
- The communication processing means creates connection request information including the target connection request destination and issues a connection request by issuing the connection request information with the aggregation port as the destination; the relay server having the aggregation port relays it to the target connection request destination.
- The connection result information created by the target connection request destination is received via the relay server.
- In operation, connection request information including the target connection request destination is created, and the connection request is issued by sending the connection request information with the aggregation port as the destination.
- The connection request information passes through the firewall and is transmitted to the relay server having the aggregation port.
- The connection result information created by the target connection request destination, as a response to the connection request information relayed by the relay server to that destination, is received by the communication source client via the relay server.
- The present invention further provides a firewall system including a relay server, a communication source client, and a firewall.
- The firewall is set to permit an aggregation port that aggregates one or more ports permitting access; it captures access from the communication source client connected to the external network and passes only access destined for the aggregation port.
- When the communication source client accesses a target connection request destination connected to the internal network through the firewall, it creates connection request information including the target connection request destination and issues the connection request information with the aggregation port as the destination.
- The connection request is thereby made, and the connection result information created by the target connection request destination in response to the connection request information is received.
- The aggregation port is set on the relay server, which comprises connection request information acquisition means that acquires the connection request information from the communication source client passed by the firewall, and relay means that changes the destination based on the acquired connection request information and transmits it to the target connection request destination.
- The relay means also receives connection result information from the target connection request destination and transmits it to the communication source client.
- In operation, the communication source client creates connection request information including information on the connection request destination to which a connection is originally requested, and issues it with the aggregation port of the relay server as the destination.
- The connection request information is input to the relay server through the firewall.
- The relay server acquires the connection request information, changes the destination to the target connection request destination based on it, and transmits the connection request information to the target connection request destination.
- When the connection result information created by the target connection request destination is received, it is transmitted with the communication source client as the destination.
- Since the relay server first aggregates the requests received from the communication source client connected to the external network and then distributes them to the communication destination servers connected to the internal network, the ports set in the firewall can be aggregated into one at a minimum. This makes the ports set in the firewall easy to manage. As a result, security holes caused by human error, such as setting mistakes and forgotten version upgrades, can be avoided and the security level maintained.
- FIG. 1 is a conceptual diagram of the invention applied to the embodiment.
- FIG. 2 is a schematic diagram showing the configuration of the first embodiment.
- FIG. 3 is a block diagram illustrating a hardware configuration example of a communication source client according to the present embodiment.
- FIG. 4 is a diagram showing a software module configuration example of the relay server according to the embodiment.
- FIG. 5 is a diagram illustrating a flow of HTTP relay processing according to the embodiment.
- FIG. 6 is a diagram showing a conversion example of connection request information (HTTP header) of the communication source client according to the embodiment.
- FIG. 7 is a diagram illustrating a conversion example of connection request information (HTTP header) of the relay server according to the embodiment.
- FIG. 8 is a diagram showing an SSL communication procedure in the present embodiment.
- FIG. 9 is a diagram showing a flow of SSL tunneling communication according to the present embodiment.
- FIG. 10 is a diagram showing a communication example of SSL tunneling communication according to the present embodiment.
- FIG. 11 is a diagram showing an event notification procedure according to the present embodiment.
- FIG. 12 is a diagram showing an example of a communication control function by a firewall.
- FIG. 1 is a conceptual diagram of the invention applied to the embodiment.
- The firewall system includes a communication source client 4 connected to an external network; a relay server 2, communication destination server A (3a), communication destination server B (3b), and communication destination server C (3c) connected to the internal network; and a firewall 1 installed at the connection point between the external network and the internal network. Packet communication is performed between the communication source client 4 and the communication destination servers (3a, 3b, 3c) (hereinafter referred to collectively as communication destination servers (3a, 3b, 3c) unless otherwise specified).
- The external network is a network from which access to the internal network is restricted by the firewall 1.
- The internal network is a network with a high security level that is protected from external attacks and unauthorized access by the firewall 1.
- The firewall 1 and the relay server 2 may be configured either as separate devices or as a single device.
- The figure shows the flow of packets from the communication source client 4 to the communication destination servers (3a, 3b, 3c) via the firewall 1 and the relay server 2.
- A response packet flows from the communication destination server (3a, 3b, 3c) to the communication source client 4 via the relay server 2 and the firewall 1.
- Firewall 1 monitors communication between the external network and the internal network, decides whether or not to allow each connection request based on preset restriction conditions, and passes only the permitted requests.
- The restriction condition is set to allow only access requests to one or more aggregation ports.
- At least one port of the relay server 2 (port 8080 in the example of FIG. 1) is set as the aggregation port. For this reason, the communication source client 4 connected to the external network must always go through the relay server 2 when accessing the communication destination servers (3a, 3b, 3c) in the internal network.
- The relay server 2 includes connection request information acquisition means (hereinafter referred to as header acquisition means) 21 for acquiring connection request information, relay means 22 for performing relay processing, and tunneling means 23 for performing tunneling processing.
- The header acquisition means 21 acquires the header part of the communication packet, which includes the connection request information, analyzes its contents, and activates the tunneling means 23 when tunneling processing is necessary. Otherwise it activates the relay means 22 as it is.
- The relay means 22 performs relay processing that converts the destination of a packet transmitted by the communication source client 4 into the target connection request destination and transmits it to the communication destination server (3a, 3b, 3c). It also performs relay processing that sets the destination of a response packet acquired from the communication destination server (3a, 3b, 3c) to the communication source client 4 and transmits it.
- Transmission is performed after the header part has been updated. For example, if the connection request information includes route information about the servers through which the packet is routed to the target connection request destination, and that route information includes information about the local device (relay server 2), the information about the relay server 2 is deleted from the route information.
- Route information is added to the response information from the communication destination server (3a, 3b, 3c) before it is transmitted to the communication source client 4.
- The tunneling means 23 secures a connection with the communication source client 4 and a connection with the communication destination server (3a, 3b, 3c).
- Thereafter, the destination of each packet received from the communication source client 4 is simply set to the communication destination server (3a, 3b, 3c), and the packet contents are transmitted without any manipulation.
- Likewise, a response packet received from the communication destination server (3a, 3b, 3c) is transmitted with its destination simply set to the communication source client 4, without any manipulation of the packet contents.
- The process in which the relay server 2 changes only the destination and relays a packet without manipulating its contents is referred to as tunneling processing. Details of the tunneling process, including the negotiation procedure for securing the connection with both parties, will be described later.
- Communication destination server A (3a), communication destination server B (3b), and communication destination server C (3c) are the connection destinations with which the communication source client 4 performs data communication. Data communication with the communication source client 4 is performed via the relay server 2.
- The communication source client 4 includes a plurality of applications, application A (41a), application B (41b), and application C (41c), and communication processing means 42 that performs communication processing.
- Hereinafter, application A (41a), application B (41b), and application C (41c) are written as application (41a, 41b, 41c) unless they need to be distinguished.
- Each application executes predetermined application processing and accesses the communication destination server (3a, 3b, 3c) as necessary.
- To do so, it creates a header part including connection request information that designates the connection request destination and the request to be made to it, and requests the communication processing means 42 to communicate.
- The content of the header varies depending on the application.
- The communication protocol used may also differ. For example, communication may be performed with a web server using HTTP, or with security secured using SSL.
- Event information that occurs at the communication destination server (3a, 3b, 3c) may also be required.
- The communication processing means 42 accesses the communication destination servers (3a, 3b, 3c) connected to the internal network through the firewall 1 in response to a request from the application (41a, 41b, 41c).
- It acquires the header part from the application (41a, 41b, 41c), changes its contents if necessary, and issues a connection request by issuing the connection request information with the aggregation port as the destination. For example, when information about the relay server that relays the packet needs to be set in the header part, the route information is added to the header part before the packet is transmitted to the aggregation port. As a response, connection result information created by the target connection request destination is received via the relay server 2.
- When event information that occurs at an arbitrary time on the communication destination server (3a, 3b, 3c) is required, packets requesting the event information are sent repeatedly by the above procedure until the event information is acquired.
- Each processing means of the relay server 2 described above realizes its processing function when the computer executes the relay processing program.
- Each processing means and application of the communication source client 4 described above realizes its processing function when the computer executes the communication processing program and the application program.
- The operation of the firewall system having such a configuration will be described.
- In the firewall 1, only the aggregation port (8080), to which a predetermined port of the relay server 2 has been assigned in advance, is permitted.
- When the communication source client 4 obtains connection request information from the application (41a, 41b, 41c), it performs header conversion processing as necessary, such as adding route information about the relay server 2 that performs the relaying, sets the destination to the aggregation port (8080) of the relay server 2, and sends the packet.
- The firewall 1, which monitors the packet, permits the passage of the packet because its destination is the aggregation port (8080), and the packet is received by the relay server 2.
- The header acquisition means 21 reads out the header part, analyzes its contents, and activates the tunneling means 23 if tunneling processing is necessary.
- Otherwise, the relay means 22 is activated as it is.
- The relay means 22 performs header conversion processing, such as deleting the route information added to the connection request information of the packet acquired from the communication source client 4, sets the destination to the communication destination server (3a, 3b, 3c), and transmits the packet.
- When a response packet including connection result information is received from the communication destination server (3a, 3b, 3c), its destination is set to the communication source client 4 and it is transmitted.
- When the tunneling means 23 is activated, it first secures connections with both the communication source client 4 and the communication destination server (3a, 3b, 3c) that is the target connection request destination. After the connection with both sides has been secured, the destination of each packet exchanged between the communication source client 4 and the communication destination server (3a, 3b, 3c) is changed: packets received from the communication source client 4 are sent to the communication destination server (3a, 3b, 3c), and packets received from the communication destination server (3a, 3b, 3c) are sent to the communication source client 4.
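The tunneling processing described above (secure a connection with each side, then copy packets between them with nothing but the destination changed), as an added example that is not code from the patent or from any implementation of it. It builds the client, relay and server ends from loopback socket pairs so it runs offline. Assumptions: the negotiation takes the form of the standard HTTP CONNECT request (the patent's own negotiation procedure in FIGs 8 to 10 is not reproduced in this section), the host name server-a.internal is constructed, and the ALLOWED_TUNNEL_TARGETS allow list and the check against it are additions: the patent text only says the relay secures both connections and then relays unchanged packets.

```python
import select
import socket
import threading

# Added check (constructed names): the only targets this relay will tunnel to.
ALLOWED_TUNNEL_TARGETS = {("server-a.internal", 443)}


def parse_connect(raw: bytes):
    """Parse the client's tunnel request. The negotiation form is assumed to be the
    standard 'CONNECT host:port HTTP/1.1'; returns (host, port)."""
    request_line = raw.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, port = parts[1].rpartition(":")
    if not host or not port.isdigit():
        raise ValueError("authority must be host:port")
    return host.lower(), int(port)


def pump(a: socket.socket, b: socket.socket) -> int:
    """Tunneling proper: copy bytes in both directions without inspecting them,
    until both ends have closed. Returns the number of bytes relayed."""
    peer = {a: b, b: a}
    live = {a, b}
    total = 0
    while live:
        readable, _, _ = select.select(list(live), [], [], 5.0)
        if not readable:            # idle for 5 s: give up rather than hang forever
            break
        for s in readable:
            data = s.recv(4096)
            if not data:            # this side closed: pass the EOF on to the other side
                live.discard(s)
                try:
                    peer[s].shutdown(socket.SHUT_WR)
                except OSError:
                    pass
                continue
            peer[s].sendall(data)
            total += len(data)
    return total


def recv_exactly(s: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def tunnel_demo(client_payload: bytes, server_payload: bytes):
    """Wire client <-> relay <-> server from two loopback socket pairs, run the
    negotiation, then pass opaque (for example TLS) bytes through the relay.
    Returns (what the server received, what the client received)."""
    client, relay_client_side = socket.socketpair()
    relay_server_side, server = socket.socketpair()

    # 1. negotiation: the client names the target, the relay checks it
    client.sendall(b"CONNECT server-a.internal:443 HTTP/1.1\r\n"
                   b"Host: server-a.internal:443\r\n\r\n")
    target = parse_connect(relay_client_side.recv(4096))
    if target not in ALLOWED_TUNNEL_TARGETS:
        relay_client_side.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
        raise PermissionError(f"refused tunnel to {target}")
    # a real relay would now connect() to target; relay_server_side stands in for that
    relay_client_side.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
    if not client.recv(4096).startswith(b"HTTP/1.1 200"):
        raise RuntimeError("tunnel not established")

    # 2. both connections secured: hand them to the pump and stop looking at the bytes
    worker = threading.Thread(target=pump, args=(relay_client_side, relay_server_side))
    worker.start()

    client.sendall(client_payload)
    seen_by_server = recv_exactly(server, len(client_payload))
    server.sendall(server_payload)
    seen_by_client = recv_exactly(client, len(server_payload))

    client.close()
    server.close()
    worker.join(5.0)
    relay_client_side.close()
    relay_server_side.close()
    return seen_by_server, seen_by_client
```

Once the pump is running the relay never inspects the bytes, so with SSL inside the tunnel the only decision the relay can make is at negotiation time; that is why the check on the requested target sits there. A relay that accepted any target would in effect extend the single aggregation port to every internal address and port reachable from it.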
- Since the relay server performs relay processing that relays packets to the original connection request destination based on the connection request information, requests from communication source clients connected to the external network can be aggregated once on the relay server and distributed from there to the communication destination servers that are the original connection request destinations. Therefore, the minimum number of ports that must be permitted in the firewall to realize a given application can be aggregated to one. As a result, port management in the firewall is facilitated, and security holes caused by mistakes when setting ports can be avoided. Conventionally, depending on the scale of the system, the number of ports that have to be set in the firewall may reach tens of thousands; if these can be aggregated to a minimum, a great effect can be expected in maintaining the security level.
- HTTP consists of a request to transfer information and the server's response to it.
- The communication source client sends information such as the URL path name, web browser type, and language used to the server in a GET request, and acquires data or error codes from the server as the response.
- FIG. 2 is a schematic diagram showing the configuration of the first embodiment. Components identical to those in FIG.
- The relay server 2 includes an HTTP server processing unit 201 that performs HTTP server processing with the communication source clients 4a, 4b, and 4c, and a request distribution service unit 202 that performs a request distribution service to the communication destination servers 3a and 3b.
- The HTTP server processing unit 201 connects to the requesting communication source client 4a, 4b, or 4c according to the packet input from it via the aggregation port permitted in the firewall 1, and hands the packet over to the request distribution service unit 202. It then transmits the response packet received by the request distribution service unit 202 to the requesting communication source client 4a, 4b, or 4c.
- The request distribution service unit 202 functions as an HTTP client towards the communication destination servers 3a and 3b, which are the original connection request destinations. According to the connection request information in the HTTP packet handed over by the HTTP server processing unit 201, it changes the destination to the target connection request destination (communication destination server 3a or 3b) and transmits the packet. It then hands the response packet acquired in reply over to the HTTP server processing unit 201.
- The communication destination servers 3a and 3b have the same configuration and include an HTTP server unit 301 that performs HTTP server processing and a resource manager unit 302 that performs resource management.
- The HTTP server unit 301 analyzes the HTTP packet acquired via the relay server 2 and, if the packet is found to be valid, passes processing to the resource manager unit 302, creates a response packet from the data obtained, and sends it to the relay server 2.
- The resource manager unit 302 performs request processing such as data reading and returns the result to the HTTP server unit 301.
- The communication source clients 4a, 4b, and 4c have the same configuration and include an application unit 401 that performs application processing and an HTTP client unit 402 that performs HTTP client processing.
- The application unit 401 performs predetermined application processing and, as necessary, requests the HTTP client unit 402 to access the communication destination server 3a or 3b.
- The HTTP client unit 402 creates a request packet for the communication destination server 3a or 3b according to the HTTP protocol.
- The target communication destination server (3a or 3b) is set in the connection request information, and the packet is transmitted with the aggregation port of the relay server 2 as the destination.
- The response packet received in reply is delivered to the application unit 401.
- A request packet is transmitted from the HTTP client unit 402 of the communication source client 4a in response to a request from the application unit 401.
- The target connection request destination (communication destination server 3a) is set in the connection request information, and the packet is transmitted with the aggregation port of the relay server 2 as the destination.
- This packet passes through the firewall 1, where the aggregation port is permitted, is received by the HTTP server processing unit 201 of the relay server 2, and is sent on by the request distribution service unit 202 after its destination has been converted to the target connection request destination (communication destination server 3a).
- The communication destination server 3a receives this packet at its HTTP server unit 301; a response packet carrying the result of the request processing by the resource manager unit 302 is created by the HTTP server unit 301 and transmitted to the relay server 2.
- The request distribution service unit 202 converts the destination to the communication source client 4a, and the HTTP server processing unit 201 transmits the packet to the communication source client 4a.
- The HTTP client unit 402 receives the response packet, and the requested data is transferred to the application unit 401.
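The HTTP relay flow just described, together with the header conversion from the general description (the client adds route information naming the relay, the relay deletes that route information and rewrites the destination before forwarding, and adds route information to the response on the way back), as an added example that is not code from the patent or from any product built on it. It works on constructed request and response bytes rather than on sockets, so it runs offline. Assumptions: the connection request information names the target as an absolute-form request target, which is the standard way an HTTP/1.1 client addresses a proxy (the patent's FIG. 6 and FIG. 7 header conversions are not reproduced in this section); route information is carried in the standard Via header; the host names server-a.internal, server-b.internal and server-c.internal are constructed; and the ALLOWED_TARGETS allow list and the check against it are additions that the patent text does not describe.

```python
from urllib.parse import urlsplit

# The client sends every request to the relay's aggregation port (8080 in the patent's
# example) and names the real destination inside the request instead.
RELAY_NAME = "1.1 relay"    # route information the client writes for the relay (assumed Via form)

# Added check, not in the patent text: the only internal targets the relay will forward to.
# Host names are constructed for this example.
ALLOWED_TARGETS = {
    ("server-a.internal", 80),
    ("server-b.internal", 80),
    ("server-c.internal", 8443),
}


class RelayError(Exception):
    """Raised when the connection request information cannot or must not be relayed."""


def parse_message(raw: bytes):
    """Split an HTTP/1.1 message into (start line, ordered header list, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize(start_line: str, headers, body: bytes = b"") -> bytes:
    head = "\r\n".join([start_line] + [f"{name}: {value}" for name, value in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def build_client_request(method: str, target_url: str) -> bytes:
    """Communication source client: name the target connection request destination in the
    request itself (absolute-form request target) and add route information for the relay.
    The caller sends these bytes to the relay's aggregation port, never to the target."""
    netloc = urlsplit(target_url).netloc
    headers = [("Host", netloc), ("Via", RELAY_NAME), ("Connection", "close")]
    return serialize(f"{method} {target_url} HTTP/1.1", headers)


def relay_request(raw: bytes):
    """Relay means: read the target from the connection request information, check it
    against the allow list, delete the route information naming this relay, and rewrite
    the request into the origin-form the target server expects.
    Returns ((host, port) to connect to, bytes to forward)."""
    start_line, headers, body = parse_message(raw)
    parts = start_line.split(" ")
    if len(parts) != 3:
        raise RelayError("malformed request line")
    method, target, version = parts
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        raise RelayError("request target must name the destination as an absolute http URL")
    dest = (url.hostname.lower(), url.port or 80)
    if dest not in ALLOWED_TARGETS:
        raise RelayError(f"{dest[0]}:{dest[1]} is not a permitted connection request destination")
    path = (url.path or "/") + (f"?{url.query}" if url.query else "")
    forwarded = []
    for name, value in headers:
        key = name.lower()
        if key == "host":
            continue                    # replaced by the real target below
        if key == "via":                # drop route entries naming this relay, keep any others
            kept = [e.strip() for e in value.split(",") if e.strip() != RELAY_NAME]
            if not kept:
                continue
            value = ", ".join(kept)
        forwarded.append((name, value))
    host_header = dest[0] if dest[1] == 80 else f"{dest[0]}:{dest[1]}"
    forwarded.insert(0, ("Host", host_header))
    return dest, serialize(f"{method} {path} {version}", forwarded, body)


def relay_response(raw: bytes) -> bytes:
    """Relay means, return path: add route information naming the relay to the
    communication destination server's response before sending it to the client."""
    start_line, headers, body = parse_message(raw)
    for i, (name, value) in enumerate(headers):
        if name.lower() == "via":
            headers[i] = (name, f"{value}, {RELAY_NAME}")
            break
    else:
        headers.append(("Via", RELAY_NAME))
    return serialize(start_line, headers, body)
```

The allow list is where the relay takes over the job that the per-port firewall rules used to do: the firewall now passes anything addressed to the aggregation port, so which internal servers a request can reach is decided entirely by what relay_request accepts. Port management does get simpler, as the patent says, but the destination check moves into the relay and has to be maintained there with the same care.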
- The firewall 1, the relay server 2, the communication destination servers 3a and 3b, and the communication source clients 4a, 4b, and 4c realize their processing functions when a computer executes a program.
- The hardware configuration of each device will be described using a communication source client as an example.
- FIG. 3 is a block diagram showing a hardware configuration example of the communication source client of the present embodiment.
- the communication source client 4 is entirely controlled by a CPU (Central Processing Unit) 101.
- a random access memory (RAM) 102, a hard disk drive (HDD) 103, a graphic processing device 104, an input interface 105, and a communication interface 106 are connected to the CPU 101 via a bus 107.
- The RAM 102 temporarily stores at least part of the OS (Operating System) program and the application programs to be executed by the CPU 101.
- the RAM 102 stores various data necessary for processing by the CPU 101.
- the HDD 103 stores the OS and application programs.
- a monitor 108 is connected to the graphic processing device 104, and an image is displayed on the screen of the monitor 108 according to a command from the CPU 101.
- a keyboard 109a and mouse 109b are connected to the input interface 105, and signals sent from the keyboard 109a and mouse 109b are transmitted to the CPU 101 via the bus 107.
- the communication interface 106 is connected to the network 5 and transmits / receives data to / from the relay server 2 via the network 5.
- With such a hardware configuration, the processing functions of the present embodiment can be realized.
- Although the hardware configuration of the communication source client has been shown, the hardware configurations of the firewall, the relay server, and the communication destination server are the same.
- FIG. 4 is a diagram illustrating a software module configuration example of the relay server according to the embodiment.
- the HTTP session 210 has modules such as HTTPS tunneling 211, request 212, response 213, chunk input stream 214, chunk output stream 215, HTTP header 216, size management input stream 217, size management output stream 218, and GZIP response 219.
- the HTTP session 210 manages HTTP communication in general, such as generating information for establishing communication.
- HTTPS tunneling 211 controls the tunneling process when SSL is applied.
- a request 212 is a module for managing data communication flowing from the communication source client to the communication destination server.
- data control for the request 212 is performed using the chunk input stream 214, which manages the flow of data sent from the communication source client, the chunk output stream 215, which manages the flow of data sent to the communication destination server, and the HTTP header 216, which performs HTTP header operations.
- the response 213 is a module for managing data communication flowing from the communication destination server to the communication source client.
- data control for the response 213 is performed using the size management input stream 217 and the size management output stream 218, which control the data streams exchanged with the communication destination server, and the HTTP header 216.
- the compressed data is decoded by the GZIP response 219 as necessary.
- FIG. 5 is a diagram illustrating a flow of HTTP relay processing according to the embodiment.
- a connection request from the communication source client 4 to the communication destination server 3 is issued with the relay server 2 as the destination.
- the target connection request destination is set as connection request information.
- the relay server 2 receives the connection request issued by the communication source client 4 and confirms its contents.
- the relay server 2 updates the content of the connection request information according to the target connection request destination. For example, if the connection request information includes route information regarding the relay server 2, this is deleted.
- the relay server 2 transmits the updated connection request information with the destination communication destination server 3 as the destination.
- the communication destination server 3 receives the connection request from the communication source client 4 relayed by the relay server 2, and transmits a connection result to the relay server 2 after executing a predetermined process.
- the relay server 2 receives the connection result of the communication destination server 3, and updates the contents of the acquired connection result information according to the communication source client. For example, if the relay information about relay server 2 has been deleted, relay information is added.
- the relay server 2 transmits the updated connection result information to the communication source client 4.
- a series of communication processing is executed by the above procedure.
- FIG. 6 is a diagram illustrating a conversion example of connection request information (HTTP header) of the communication source client according to the embodiment.
- the communication source client 4 creates a client conversion HTTP header 503 by adding route information to the original HTTP header 501, which is created according to the application, using the address information 502 consisting of the request address indicating the target connection request destination and the relay address indicating the relay server.
- the target connection request destination is added to the original GET command for conversion.
- the connection request destination is converted from the target connection request destination to the relay server.
- the relay server 2 receives the client conversion HTTP header 503 created by the communication source client 4 and converts the header further.
- FIG. 7 is a diagram illustrating a conversion example of connection request information (HTTP header) of the relay server according to the embodiment.
- in the relay server 2, first, the target connection request destination added to the GET command is deleted.
- [www.def.co.jp] is deleted from [GET http://www.def.co.jp/index.html HTTP/1.0] in the client conversion HTTP header 503, which is thereby converted into [GET /index.html HTTP/1.0] shown in the server conversion HTTP header 504.
- next, the connection request destination is converted.
- [Host: proxy.abc.co.jp], representing the relay server in the client conversion HTTP header 503, is converted into [Host: www.def.co.jp] in the server conversion HTTP header 504.
- the HTTP header restored in this way to its original form is transmitted to the target connection request destination.
- the same operation is also performed on the HTTP header of the response packet sent from the target connection request destination, which is sent to the communication source client 4 via the relay server 2.
- an SSL communication protocol may be used as a security function.
- SSL is located between the TCP layer and the application layer, and encrypts and transmits higher-level HTTP data.
- connection information and communication contents are held only by the target connection source and connection destination, and the HTTP header cannot be analyzed and changed as described above. Therefore, a tunneling communication function that relays between the connection source and the connection destination without touching the contents of the SSL communication is realized.
- FIG. 8 shows the SSL communication procedure in the present embodiment.
- a tunneling initialization procedure for establishing connections among the communication source client 4, the relay server 2 and the communication destination server 3 is performed first, and then the SSL communication procedure is performed after the tunneling initialization is completed.
- the tunneling initialization procedure is started by transmitting a tunneling request 601 for requesting SSL tunneling communication with the communication destination server 3 from the communication source client 4 to the relay server 2.
- the relay server 2 secures a connection with the communication source client 4 and makes a connection request 602 to the SSL server socket of the communication destination server 3 to establish a connection with the communication destination server 3.
- the tunneling initialization completion 603 is transmitted to the communication source client 4.
- the connection between the communication source client 4 and the relay server 2 and the connection between the relay server 2 and the communication destination server 3 are thereby secured.
- the SSL communication connection between the communication source client 4 and the communication destination server 3 is established via the relay server 2.
- the SSL communication procedure is started once the SSL communication connection between the communication source client 4 and the communication destination server 3 has been established via the relay server 2.
- the SSL handshake start 604 is transmitted from the communication source client 4, the communication destination server 3 receives it via the relay server 2, and a handshake is performed.
- SSL communication is started (605) and the result is returned (606).
- the relay server 2 performs socket conversion processing: a packet sent from the communication source client 4 to the socket of the relay server 2 is sent on to the SSL server socket of the communication destination server 3, and the result sent from the communication destination server 3 is sent on to the communication source client 4.
- the relay server 2 only performs socket conversion and does not perform data operations.
- FIG. 9 is a diagram showing a flow of SSL tunneling communication according to the present embodiment.
- the communication contents are encrypted by the connection source and the connection destination, and it is very difficult to grasp the communication contents by the relay server.
- the character “CONNECT” is described in the first line of the HTTP header as a connection request. Therefore, based on the character string “CONNECT”, it can be determined whether the communication is SSL communication.
- (1) a connection request for SSL communication is issued from the communication source client 4 via the relay server 2.
- the first line of the HTTP header contains "CONNECT".
- the relay server 2 receives the connection request and confirms the connection request content.
- the relay server 2 determines that it is SSL tunneling communication by detecting "CONNECT", and starts SSL tunneling processing. At this time, since the connection request from the communication source client 4, which is the connection source, is already held, the connection request is issued to the SSL server socket of the communication destination server 3.
- (4) a connection result is returned from the communication destination server 3.
- the relay server 2 secures the connection for tunneling communication.
- the relay server 2 establishes a connection with the communication source client 4 and holds the connection state in response to the connection request (1) from the communication source client 4 in order to perform tunneling communication.
- since the relay server 2 has acquired the connection result (4) received from the communication destination server 3 on the way, it returns a connection result to the communication source client 4, which is the connection source, on behalf of the communication destination server 3, which is the connection destination.
- the relay server 2 returns the result from the connection destination (communication destination server 3) on the connection secured with the connection source (communication source client 4), and passes the result from the connection source (communication source client 4) on to the connection with the connection destination (communication destination server 3).
- FIG. 10 is a diagram showing a communication example of SSL tunneling communication according to the present embodiment.
- the communication destination server 3 is set as the request address and the relay server 2 is set as the relay address, and the original HTTPS header 510 is created and transmitted with the relay server 2 as the destination.
- the HTTP header according to the SSL communication protocol is referred to as an HTTPS header. Since the HTTPS header 510 is encrypted except for the first line and cannot be decrypted by the relay server 2, header conversion is not performed. The original HTTPS header 510 is thus received by the relay server 2 as it is.
- the relay server 2 decodes the first line of the HTTPS header 510, determines that it is SSL communication, and requests a connection to www.xyz.com. The received HTTPS header 510 is therefore transmitted as it is, with the communication destination server 3 (www.xyz.com) obtained from the HTTPS header 510 as the request address.
- the connection approval from the communication destination server 3 is likewise sent to the communication source client via the relay server 2.
- the relay server 2 only changes the destination to the communication source client and transfers the content as it is.
- the relay server 2 forwards the packets received from the communication source client 4 and from the communication destination server 3 to each other's transfer destination, changing only the connection at the transfer destination and nothing else. Therefore, nothing in the encrypted communication contents is changed other than the transfer destination connection.
- the SSL tunneling function thus enables communications to be relayed while ensuring highly secure communication using SSL, and minimizes the number of ports that must be permitted in the firewall.
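The two relay behaviours described above, the header conversion of FIG. 6/FIG. 7 and the CONNECT detection of FIG. 9/FIG. 10, as an added Python illustration that is not the patent's program. The host names are the ones shown in the figures; the header bytes are constructed sample input, and only the request direction is modelled.

```python
"""Client-side route insertion (501 -> 503), relay-side route deletion
(503 -> 504) and CONNECT detection for SSL tunneling.  Added example, not
the patent's code; host names come from the page's figures."""
from typing import List, Tuple
from urllib.parse import urlsplit

CRLF = "\r\n"
Fields = List[Tuple[str, str]]


def parse_header(raw: str) -> Tuple[str, Fields]:
    """Split an HTTP header block into its first line and (name, value) pairs."""
    lines = raw.split(CRLF)
    fields: Fields = []
    for line in lines[1:]:
        if line == "":
            break  # the blank line terminates the header block
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return lines[0], fields


def build_header(first_line: str, fields: Fields) -> str:
    return CRLF.join([first_line] + [f"{n}: {v}" for n, v in fields]) + CRLF + CRLF


def client_convert(original: str, request_host: str, relay_host: str) -> str:
    """Communication source client (FIG. 6): add route information.
    The GET target becomes an absolute URL naming the target connection request
    destination, and Host is changed to the relay server."""
    first_line, fields = parse_header(original)
    method, target, version = first_line.split(" ", 2)
    if target.startswith("/"):
        target = f"http://{request_host}{target}"
    fields = [(n, relay_host if n.lower() == "host" else v) for n, v in fields]
    if not any(n.lower() == "host" for n, _ in fields):
        fields.append(("Host", relay_host))
    return build_header(f"{method} {target} {version}", fields)


def relay_convert(client_header: str) -> Tuple[str, str, int, str]:
    """Relay server: choose SSL tunneling or header conversion.
    Returns (mode, target_host, target_port, header_to_forward)."""
    first_line, fields = parse_header(client_header)
    method, target, version = first_line.split(" ", 2)
    if method.upper() == "CONNECT":
        # FIG. 9/10: only the first line is readable; everything else is
        # encrypted by the endpoints, so the header is forwarded unchanged.
        host, _, port = target.partition(":")
        return "tunnel", host, int(port) if port else 443, client_header
    parts = urlsplit(target)
    if not parts.hostname:
        raise ValueError("expected route information (absolute URL) in the GET command")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    # FIG. 7: delete the route information about the relay. The host part leaves
    # the GET command and Host names the real connection request destination.
    fields = [("Host", parts.netloc) if n.lower() == "host" else (n, v) for n, v in fields]
    return "http", parts.hostname, parts.port or 80, build_header(f"{method} {path} {version}", fields)
```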
- the present embodiment also handles event notification communication started by such a server-side event.
- when event notification is performed via a firewall, a port for event notification would have to be set in the firewall.
- in the present embodiment, event notification is instead performed using the aggregation port used for data communication from the communication source client.
- FIG. 11 is a diagram showing an event notification procedure according to the present embodiment.
- the communication destination server 3 starts the event monitoring function and monitors the occurrence of the event.
- when the event notification 703 is received, its contents are temporarily stored in the apparatus.
- the communication source client 4 that is to receive the event notification starts the event acquisition process and issues an event acquisition notification 701 to the communication destination server 3 via the relay server 2.
- the relay server 2 performs relay processing and transfers the event acquisition notification 701 to the communication destination server 3.
- a result notification 702 of "no event" is issued in response.
- the result notification 702 of "no event" is relayed by the relay server 2 and received by the communication source client 4.
- since the communication source client 4 has been unable to obtain an event result, it performs polling again at an appropriate timing and issues an event acquisition notification 704.
- the relay server 2 performs relay processing and transfers the event acquisition notification 704 to the communication destination server 3.
- the communication destination server 3 has acquired the event notification 703 and temporarily stored the information. Therefore, as a response to the event acquisition notification 704, the "event occurrence" result notification 705 is issued.
- the “event occurrence” result notification 705 is relayed by the relay server 2 and received by the communication source client 4. In this way, the communication source client 4 obtains the event notification.
- the event notification can be performed via the aggregation port.
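The polling procedure of FIG. 11, as an added Python illustration that is not the patent's program: the communication destination server never initiates a connection toward the client, so the firewall needs no event notification port beyond the aggregation port. The firewall model, the port numbers and the event strings are assumptions constructed for the example.

```python
"""Event notification by polling through the aggregation port (FIG. 11).
Added example, not the patent's code; ports and firewall policy are assumed."""
from collections import deque
from typing import Callable, Deque, List, Optional, Tuple

AGGREGATION_PORT = 8080   # assumed: the single port permitted toward the relay
EVENT_PUSH_PORT = 9000    # assumed: the port a server-initiated push would need
NO_EVENT = "no event"
EVENT_OCCURRED = "event occurrence"


class Firewall:
    """Only connections initiated from the client side toward the aggregation
    port are permitted; no port is set for server-initiated event notification."""
    def __init__(self) -> None:
        self.log: List[str] = []

    def allow(self, initiator: str, dst_port: int) -> bool:
        ok = initiator == "client" and dst_port == AGGREGATION_PORT
        self.log.append(f"{'ALLOW' if ok else 'DENY'} {initiator}->{dst_port}")
        return ok


class CommunicationDestinationServer:
    def __init__(self, firewall: Firewall) -> None:
        self._fw = firewall
        self._pending: Deque[str] = deque()  # temporarily stored event notifications (703)

    def on_event(self, event: str) -> None:
        """Event monitoring function: store the event instead of contacting the client."""
        self._pending.append(event)

    def try_push(self, event: str) -> bool:
        """What a server-initiated notification would need: a new connection toward
        the client side. The firewall permits no such port, so this never succeeds."""
        return self._fw.allow("server", EVENT_PUSH_PORT)

    def handle_event_acquisition(self) -> Tuple[str, Optional[str]]:
        """Result notification (702/705) for an event acquisition notification (701/704)."""
        if not self._pending:
            return NO_EVENT, None
        return EVENT_OCCURRED, self._pending.popleft()


class RelayServer:
    """Relays the acquisition notification and its result without changing them."""
    def __init__(self, server: CommunicationDestinationServer, firewall: Firewall) -> None:
        self._server, self._fw = server, firewall

    def relay_event_acquisition(self) -> Tuple[str, Optional[str]]:
        if not self._fw.allow("client", AGGREGATION_PORT):
            raise ConnectionRefusedError("aggregation port not permitted")
        return self._server.handle_event_acquisition()


class CommunicationSourceClient:
    def __init__(self, relay: RelayServer) -> None:
        self._relay, self.polls = relay, 0

    def acquire_event(self) -> Tuple[str, Optional[str]]:
        self.polls += 1
        return self._relay.relay_event_acquisition()

    def poll_until_event(self, max_polls: int,
                         between_polls: Callable[[], None] = lambda: None) -> Optional[str]:
        """Poll again at an appropriate timing until an event is obtained."""
        for _ in range(max_polls):
            result, payload = self.acquire_event()
            if result == EVENT_OCCURRED:
                return payload
            between_polls()  # stands in for waiting; lets a caller inject event 703
        return None
```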
- the processing functions described above can be realized by a server computer and a client computer.
- a server program that describes the processing contents of the functions that the relay server should have and a client program that describes the processing contents of the functions that the communication source client should have are provided.
- the processing functions of the relay server are realized on the server computer by executing the relay processing program on the server computer.
- the processing functions of the communication source client are realized on the client computer by executing the communication processing program on the client computer.
- the server program and the client program describing the processing contents can be recorded on a computer-readable recording medium.
- the computer-readable recording medium include a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory.
- Magnetic recording devices include hard disk drives (HDD), flexible disks (FD), and magnetic tapes.
- Optical disks include DVD (Digital Versatile Disc), DVD-RAM (Random Access Memory), CD-ROM (Compact Disc Read Only Memory), CD-R (Recordable)/RW (ReWritable), and the like.
- Magneto-optical recording media include MO (Magneto-Optical disks).
- when the programs are distributed, portable recording media such as DVDs and CD-ROMs on which the programs are recorded are sold.
- alternatively, the client program is stored in a storage device of the server computer, and the client program is transferred from the server computer to the client computer via the network.
- the server computer that executes the server program stores, for example, the server program recorded on a portable recording medium in its own storage device. Then, the server computer reads the server program from its own storage device and executes processing according to the server program. The server computer can also read the server program directly from the portable recording medium and execute processing according to the server program.
- the client computer that executes the client program stores, for example, the client program recorded on the portable recording medium, or the client program transferred from the server computer, in its own storage device. Then, the client computer reads the client program from its own storage device and executes processing according to the client program. The client computer can also read the client program directly from the portable recording medium and execute processing according to the client program. In addition, each time the client program is transferred from the server computer, the client computer can sequentially execute processing according to the received client program.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP04807392A EP1840748A4 (en) | 2004-12-20 | 2004-12-20 | REPETITION PROGRAM, COMMUNICATION PROGRAM, AND FIREWALL SYSTEM |
JP2006548631A JP4570628B2 (ja) | 2004-12-20 | 2004-12-20 | システム、中継処理プログラム、中継装置、中継処理方法、通信処理プログラム、通信装置及び通信処理方法 |
PCT/JP2004/019035 WO2006067831A1 (ja) | 2004-12-20 | 2004-12-20 | 中継処理プログラム及び通信処理プログラム、並びにファイアウォールシステム |
US11/818,215 US7644164B2 (en) | 2004-12-20 | 2007-06-13 | Relay program, communication processing program, and firewall system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006067831A1 true WO2006067831A1 (ja) | 2006-06-29 |
Also Published As
Publication number | Publication date |
---|---|
EP1840748A1 (en) | 2007-10-03 |
US7644164B2 (en) | 2010-01-05 |
JPWO2006067831A1 (ja) | 2008-06-12 |
US20080028078A1 (en) | 2008-01-31 |
JP4570628B2 (ja) | 2010-10-27 |
EP1840748A4 (en) | 2012-08-22 |