WO2010116642A1 - Monitoring system and communication management device - Google Patents


Info

Publication number: WO2010116642A1
Authority: WO (WIPO (PCT))
Prior art keywords: connection, terminals, terminal, monitoring, sip
Application number: PCT/JP2010/002119
Other languages: French (fr), Japanese (ja)
Inventor: 藤沢正幸
Original Assignee: セコム株式会社
Application filed by セコム株式会社
Priority to CN201080014851.1A / CN102378982B
Priority to KR1020117024357A / KR101516708B1
Publication of WO2010116642A1

Classifications

    • G06F 21/606: Protecting data by securing the transmission between two devices or processes (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/60 Protecting data)
    • G06F 21/44: Program or device authentication (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals)
    • H04L 9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)
    • H04N 7/18: Closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04N PICTORIAL COMMUNICATION, e.g. TELEVISION > H04N 7/00 Television systems)

Definitions

  • the present invention relates to a monitoring system in which a terminal to be monitored that acquires monitoring information and a terminal on the user side that acquires and uses the monitoring information are communicably connected.
  • a monitoring system has been put into practical use, in which a monitoring camera is installed at a monitoring target such as a store or a factory, and a monitoring image is remotely monitored.
  • the surveillance video is sent to the remote surveillance center and to the office of the owner to be monitored.
  • a general public line such as ISDN is used for transmission of surveillance video (for example, Patent Document 1).
  • SIP: Session Initiation Protocol
  • the monitoring target is a store and terminals of a plurality of stores are connected to the monitoring center.
  • the monitoring center is also connected to the terminal of the owner of each store.
  • the terminals of each store should be able to connect only to the terminals of the corresponding owner.
  • connection is possible between any terminals whose address is registered in the SIP server.
  • the SIP server can perform password and ID authentication as a basic authentication function. However, this is limited to authentication between the terminal and the SIP server.
  • the combinations of terminals connected via the SIP server cannot be restricted, so the connection between a shop terminal and an owner terminal cannot be restricted either. As a result, an owner could obtain the monitoring information of other stores.
  • An object of the present invention is to provide a monitoring system that can improve the security when applying SIP to the monitoring system.
  • one aspect of the present invention is a monitoring system that has a plurality of terminals communicating monitoring information and a communication management device managing the communication of those terminals. Each terminal is provided either on the monitoring target side or on the user side that uses the monitoring information received from the monitoring target.
  • when one of the terminals requests a connection to another terminal, the connection source terminal sends a SIP invitation message including identification information of the connection destination terminal to the communication management device.
  • the communication management device includes a SIP server, an authorization information storage unit storing connection authorization information that represents the combinations of terminals whose connection should be authorized, and an authorization processing unit that determines whether to authorize a connection between terminals by referring to the connection authorization information.
  • when the SIP server receives the invitation message from the connection source terminal, the authorization processing unit determines, based on the identification information of the connection destination terminal included in the invitation message, whether the connection between the terminals is authorized. If the authorization processing unit authorizes the connection, the SIP server supplies the invitation message from the connection source terminal to the connection destination terminal.
  • FIG. 1 is a diagram showing the overall configuration of the monitoring system of the present invention.
  • FIG. 2 is a block diagram more specifically showing the configuration of the monitoring system.
  • FIG. 3 is a block diagram showing the main configuration of the monitoring system of the present invention.
  • FIG. 4 is a diagram showing an example of a table of connection authorization information stored in the authorization information storage unit.
  • FIG. 5 is a diagram showing an operation when performing communication between terminals in the monitoring system.
  • FIG. 6 is a diagram showing an operation in which the monitoring apparatus serves as a connection source and performs communication between terminals.
  • FIG. 7 is a diagram showing an operation in which the user apparatus is a connection source and performs communication between terminals.
  • the present invention has a plurality of terminals that communicate monitoring information and a communication management device that manages the communication of those terminals; each terminal is provided on the monitoring target side or on the user side that uses the monitoring information received from the monitoring target.
  • when one terminal requests a connection to another, the connection source terminal transmits a SIP invitation message including identification information of the connection destination terminal to the communication management device.
  • the communication management device includes a SIP server, an authorization information storage unit storing connection authorization information that represents the combinations of terminals whose connection should be authorized, and an authorization processing unit that determines whether to authorize the connection between terminals by referring to the connection authorization information.
  • when the SIP server acquires the invitation message from the connection source terminal, it supplies the identification information of the connection destination terminal included in the message to the authorization processing unit; if the authorization processing unit authorizes the connection between the terminals, the SIP server supplies the invitation message from the connection source terminal to the connection destination terminal.
  • a plurality of terminals of a monitoring system are connected to a communication management apparatus provided with a SIP server.
  • in addition to the SIP server, the communication management apparatus has an authorization information storage unit storing connection authorization information that represents the combinations of terminals to be authorized for connection, and an authorization processing unit that determines whether to authorize a connection between terminals by referring to that information.
  • in SIP signaling, an invitation message is sent from the connection source terminal to the SIP server.
  • the authorization processing unit determines whether to authorize the connection.
  • the SIP server sends an invitation message from the connection source terminal to the connection destination terminal, and SIP signaling succeeds.
  • information on a combination of terminals to which connection should be authorized is stored in advance, and authorization of connection between terminals is performed at the time of SIP signaling.
  • authorization of connections between terminals via the SIP server, that is, of P2P connections, can be performed, and the users of the monitoring information can be suitably restricted.
  • the security in applying SIP to the monitoring system can be improved.
  • the connection destination terminal may transmit a SIP OK message to the communication management device when it receives the invitation message from the communication management device.
  • the invitation message and the OK message may carry connection establishment information that the connection source and connection destination terminals use, after the SIP session is established, to establish an end-to-end connection not via the communication management device.
  • monitoring information can be communicated between the terminals without passing through the communication management device.
  • the first stage communication is SIP and is performed via the communication management device.
  • the second stage communication is an inter-terminal connection not via the communication management device.
  • Signaling is performed during SIP connection, and an invitation message and an OK message are exchanged in the signaling.
  • the present invention uses SIP signaling messages to exchange connection establishment information for establishing an end-to-end connection.
  • terminal-to-terminal connection can thus be established by making good use of SIP. The amount of communication between the communication management device and the terminals can then be reduced, and with it the load on the communication management device.
  • the end-to-end connection not via the communication management apparatus may be an end-to-end VPN that establishes and connects a VPN between the ends.
  • security can be enhanced by applying VPN (Virtual Private Network) to communication between terminals (second communication after the above-described SIP connection).
  • VPN: Virtual Private Network
  • Two-way message exchange in SIP signaling is suitably used for exchanging information necessary for establishing a VPN connection.
  • the invitation message may include the IP address of the connection source terminal and the electronic certificate as connection establishment information.
  • the OK message may include the IP address of the connection destination terminal and the electronic certificate as connection establishment information.
  • the communication management device may be provided in a monitoring center that monitors a monitoring target using communication with a plurality of terminals. Thereby, communication between the monitoring center and the terminal and communication between the terminals can be suitably performed using the communication management device.
  • the connection between the communication management device and the plurality of terminals may be made by an inter-center terminal VPN established between the communication management device and each terminal, and the SIP server may communicate SIP messages with the terminals via that VPN. SIP communication is thereby performed on the inter-center terminal VPN.
  • the inter-center terminal VPN here is a VPN between the center and each terminal.
  • the monitoring information may include at least one of an image captured by the monitoring target, a monitoring signal detected by the monitoring target, and control information generated by the user. This enables communication of useful monitoring information between terminals.
  • Another aspect of the present invention is a communication management device that manages communication of a plurality of terminals that communicate monitoring information.
  • this communication management device includes a SIP server, an authorization information storage unit storing connection authorization information that represents the combinations of terminals to be authorized for connection, and an authorization processing unit that determines whether to authorize a connection between terminals by referring to the connection authorization information.
  • when the SIP server acquires, from one of the plurality of terminals, a SIP invitation message including identification information of another terminal, the authorization processing unit determines, based on the identification information of the connection destination terminal included in the message, whether the connection between the terminals is authorized; when it authorizes the connection, the SIP server supplies the invitation message from the connection source terminal to the connection destination terminal.
  • the various configurations described above may be applied to this aspect as well.
  • the present invention is not limited to the aspects of the monitoring system and the communication management device. Another aspect of the present invention is, for example, a terminal device. Furthermore, the present invention may be embodied in the form of a method, a program, or a computer readable recording medium having the program recorded thereon.
  • the present invention can improve security when applying SIP to a monitoring system.
  • FIG. 1 shows the overall configuration of the monitoring system of the present invention.
  • in the monitoring system 1, communication is performed among the monitoring center 3, the monitoring target 5, and the user base 7.
  • the user means a user of the monitoring service provided for the monitoring target 5 by the monitoring system 1.
  • the monitoring target 5 is a store.
  • the user base 7 is the office of the store owner.
  • the monitoring center 3 is provided with a communication management device 11 and a plurality of center devices 13, which are communicably connected.
  • the communication management device 11 and the plurality of center devices 13 may be geographically separated.
  • the plurality of center devices 13 may be respectively disposed in a plurality of responsible areas.
  • the plurality of center devices 13 may share functions.
  • one center device 13 may function as a control center device that processes signals related to security, and another center device 13 may function as an image center device that mainly processes surveillance video.
  • the number of the center device 13 may be one within the scope of the present invention.
  • a monitoring device 15 and a user device 17 are provided in the monitoring target 5 and the user base 7, respectively.
  • the monitoring device 15 and the user device 17 correspond to the terminal of the present invention.
  • the monitoring device 15 sends monitoring information to the center device 13 and the user device 17.
  • the monitoring information is, for example, video from the monitoring camera or a monitoring signal detected at the monitoring target 5.
  • the monitoring signal is, for example, a security signal indicating the occurrence of an abnormality; the security signal is generated based on a detection signal from a sensor installed in the monitoring target 5, or when the alarm button (switch) is operated.
  • the user device 17 sends a control signal or an audio signal to the monitoring device 15. Such a signal from the user device 17 to the monitoring device 15 is also included in the monitoring information.
  • in FIG. 1, one monitoring target 5 and one user base 7 are shown.
  • the monitoring center 3 communicates with the plurality of monitoring targets 5 and the plurality of user bases 7. Therefore, the communication management device 11 also communicates with the plurality of monitoring devices 15 and the plurality of user devices 17. Each monitoring device 15 communicates with the associated user device 17 (the terminal of the store owner).
  • the monitoring device 15 detects an abnormality based on a sensor signal or the like.
  • a security signal as monitoring information is transmitted to the monitoring center 3 together with the video of the monitoring target 5.
  • the operator confirms the guard signal and the image on the monitor of the center apparatus 13, and issues a necessary instruction to the guard.
  • the guard who received the instruction rushes to the monitoring target 5 to deal with the abnormality.
  • the monitoring device 15 sends the video or the like of the monitoring target 5 to the user device 17 periodically or according to other settings. For example, when a visitor is detected by the sensor, an image or the like is sent to the user device 17. In addition, transmission of a video or the like may be requested from the user device 17.
  • the owner can grasp the situation of the store by the image etc. In addition, the owner can send a voice or the like from the user device 17 to the monitoring device 15, and can instruct the store clerk with necessary items.
  • the communication management device 11, the monitoring device 15, and the user device 17 are connected to the Internet.
  • the communication management device 11 is connected to the monitoring device 15 and the user device 17 by an inter-center terminal VPN (Virtual Private Network) 21 over the Internet.
  • the communication management apparatus 11 is provided with a VPN server function, and the monitoring apparatus 15 and the user apparatus 17 are provided with a VPN client function.
  • by the VPN, a VPN tunnel is constructed and communication is encrypted, so that high security is realized.
  • the monitoring device 15 and the user device 17 perform SIP communication 23 via the communication management device 11.
  • the SIP communication 23 is performed over the above-described inter-center terminal VPN 21.
  • the communication management apparatus 11 is provided with a SIP server function.
  • the monitoring device 15 and the user device 17 are directly connected by the inter-terminal VPN 25 without passing through the communication management device 11.
  • in the inter-terminal VPN 25, the user apparatus 17 is provided with a VPN server function, and the monitoring apparatus 15 is provided with a VPN client function.
  • the inter-center terminal VPN 21 is always connected, constructing a standing VPN tunnel, and is used for communication between the center device 13 and the monitoring device 15 or the user device 17.
  • the end-to-end VPN 25 is constructed only when necessary.
  • the monitoring system 1 communicates large-volume data such as video.
  • if all of that data passed through the communication management apparatus 11, the load on the apparatus would become enormous. Therefore, by performing the communication between the monitoring device 15 and the user device 17 over the inter-terminal VPN 25, the load on the communication management device 11 is reduced while security is preserved.
  • the role of the SIP communication 23 in the present embodiment is special and differs from that in ordinary IP telephony. That is, SIP signaling is treated here as preparation before the VPN connection. More specifically, signaling is performed when a session of the SIP communication 23 is established; this signaling is two-way, and an invitation message and an OK message are exchanged. On the other hand, establishing a VPN connection requires an exchange of information; in the present embodiment, the IP address and the electronic certificate are exchanged. The electronic certificate is issued by a trusted third party and is used to verify the legitimacy of an electronic signature or the like. The signaling of the SIP communication 23 is therefore used as the means of exchanging the information needed to establish the VPN connection.
  • the overall configuration of the monitoring system 1 has been described above.
  • two types of VPNs are used.
  • the communication management apparatus 11 includes a firewall 31, an HTTP server 33, a VPN server 35, a SIP server 37, a STUN server 39, an account management server 41, a database 43, and a log server 45.
  • the firewall 31 is a device that blocks data other than communication data used between the communication management device 11 and the monitoring device 15 and the user device 17.
  • the HTTP server 33 is a configuration for Internet connection.
  • the VPN server 35 is a server that performs authentication and encryption for establishing a VPN tunnel.
  • the VPN server 35 realizes the inter-center terminal VPN 21: it constructs a VPN between the communication management device 11 and the monitoring device 15, and a VPN between the communication management device 11 and the user device 17.
  • the signal from the monitoring device 15 is decrypted by the VPN server 35 and transmitted to the center device 13.
  • the signal from the center device 13 is encrypted by the VPN server 35 and transmitted to the monitoring device 15.
  • encryption is performed by the VPN server 35.
  • the VPN server 35 similarly performs encryption and decryption.
  • the SIP server 37 processes signaling according to the SIP protocol, and connects the monitoring device 15 and the user device 17.
  • the SIP server 37 performs the function of SIP connection control when the user device 17 requests a connection from the monitoring device 15 or when the monitoring device 15 requests a connection from the user device 17.
  • the STUN server 39 provides a STUN function to support the NAT functions of the routers of the monitoring device 15 and the user device 17.
  • the account management server 41 is a server that manages various types of information such as authentication.
  • Information to be managed is stored in the database 43.
  • the information to be managed includes IP line accounts, electronic certificates for VPN connection (tunnel construction), and information on key pairs.
  • authentication and authorization are performed for connection between terminals in the process of signaling of SIP. Information for this process is also held in the database 43 and used by the account management server 41.
  • the authentication and authorization for the connection between the terminals may instead be performed by the SIP server itself.
  • in that case, the authorization processing unit and the authorization information storage unit of the present invention are provided in the SIP server.
  • the log server 45 is a server for storing the log generated by the monitoring device 15.
  • the center device 13 includes a monitoring console 51 and a line connection device 53.
  • the monitoring console 51 is connected to the communication management device 11 via the line connection device 53.
  • a monitoring video is supplied to the monitoring console 51 and managed by the monitoring console 51.
  • security-related information is supplied to the monitoring console 51.
  • the surveillance video is also suitably displayed on the monitor of the control center.
  • the monitoring video or the like may be communicated between the center devices.
  • the monitoring device 15 includes a controller 61, an IP line unit 63, a router 65, peripheral devices 67, a multi-line adapter 69, and a PC (personal computer) 71 to be monitored.
  • the controller 61 is configured by a computer, and cooperates with the peripheral device 67 to realize a monitoring function.
  • the controller 61 is connected to the monitoring center 3 via the IP line unit 63.
  • the controller 61 is also connected to the user device 17 via the IP line unit 63.
  • a surveillance camera 73, a sensor 75 and an alarm button 77 are illustrated as the peripheral device 67.
  • the controller 61 performs image recognition processing on the monitoring video to detect an abnormality. Further, the controller 61 detects an abnormality based on a detection signal input from the sensor 75. An abnormality is also detected when the alarm button 77 is pressed. Other peripherals may be used for anomaly detection. When an abnormality occurs, the controller 61 communicates with the center device 13 to transmit a guard signal and an image signal. A microphone is provided together with the surveillance camera 73, and an audio signal is also transmitted. Thus, the controller 61 implements the security function of the monitoring target 5.
  • the monitoring video and audio are also transmitted when requested by the center device 13. Furthermore, surveillance video and audio are also sent to the user device 17.
  • the transmission to the user device 17 is performed, for example, periodically, and is performed according to other settings. For example, when a visitor is detected by the sensor 75, an image or the like is sent to the user device 17. Also, when requested by the user device 17, the monitoring device 15 transmits a video or the like.
  • the IP line unit 63 constructs a VPN tunnel for the controller 61 to communicate with the communication management apparatus 11.
  • the controller 61 constructs a VPN tunnel for communicating with the user device 17.
  • the former corresponds to the VPN between center terminals, and the latter corresponds to the VPN 25 between terminals.
  • the IP line unit 63 implements the function of the VPN client.
  • the IP line unit 63 is shown as an internal configuration of the controller 61. This represents the physical arrangement. As a communication configuration, the IP line unit 63 is disposed between the controller 61 and the router 65. The IP line unit 63 is LAN-connected to the controller 61 by Ethernet (registered trademark). The router 65 is a router for a broadband line.
  • the multi-line adapter 69 is connected to the center device 13 via a mobile phone network.
  • the multi-line adapter 69 is used to transmit a guard signal when the broadband line is disconnected.
  • a security signal is sent from the controller 61 to the multi-line adapter 69 via the IP line unit 63 and is sent from the multi-line adapter 69 to the center device 13.
  • the monitoring target PC 71 is a PC installed in the monitoring target 5.
  • the monitoring target 5 is a store. Therefore, the monitoring target PC 71 may be a shop PC.
  • the user device 17 includes a VPN termination device (hereinafter, VTE) 81, a router 83, and a user PC (personal computer) 85.
  • the VTE 81 is a line termination device for broadband connection. Then, the VTE 81 constructs a VPN tunnel with the VPN server 35 of the communication management apparatus 11, and constructs a VPN tunnel with the IP line unit 63 of the monitoring apparatus 15. In the former, VTE 81 functions as a VPN client, and in the latter, VTE 81 functions as a VPN server.
  • the router 83 is a router for a broadband line.
  • the VTE 81 is connected to the user PC 85.
  • the VTE 81 transfers the video, audio and control signal received from the controller 61 of the monitoring device 15 to the user PC 85.
  • the VTE 81 also transfers the voice and control signal received from the user PC 85 to the controller 61.
  • the user base 7 is an office or the like of the shop owner. Therefore, the user PC 85 may be a shop owner's PC.
  • the user PC 85 is used by the owner to watch the surveillance video of the surveillance target 5.
  • application software capable of displaying and switching the monitoring image of the monitoring target 5 by communicating with the controller 61 is installed in the user PC 85.
  • the user device 17 described here is stationary.
  • the function of the user device 17 may be incorporated in a portable terminal or the like to be movable.
  • FIG. 3 is a part of the monitoring system 1 shown in FIGS. 1 and 2 and shows the main part of the present invention.
  • the elements described in FIG. 1 and FIG. 2 are given the same reference numerals.
  • the communication management apparatus 11 includes an authorization information storage unit 101 and an authorization processing unit 103 in addition to the VPN server 35 and the SIP server 37.
  • the authorization information storage unit 101 stores connection authorization information representing a combination of terminals (the monitoring device 15 and the user device 17) whose connection should be authorized. Then, the authorization processing unit 103 refers to the connection authorization information to determine whether to authorize the connection between the terminals.
  • the authorization information storage unit 101 and the authorization processing unit 103 are realized by the database 43 and the account management server 41 of FIG.
  • FIG. 4 shows an example of connection authorization information to be stored in the authorization information storage unit 101.
  • the connection authorization information is a table representing a combination of terminal IDs.
  • the columns of the table in FIG. 4 are: user (the store owner), monitoring device ID (ID of the monitoring device 15), and user device ID (ID of the user device 17).
  • the monitoring device ID and the user device ID may be any information that can identify the monitoring device 15 and the user device 17.
  • here, the monitoring device ID is the ID of the IP line unit 63, and the user device ID is the ID of the VTE 81.
  • one owner may have multiple stores; in that case, a plurality of monitoring devices 15 are combined with one user device 17.
  • for example, user C has two stores, and the two monitoring devices 15 (C01, C02) are associated with the single user device 17 (C11).
  • conversely, one monitoring device 15 may also be associated with a plurality of user devices 17.
  • The IP line unit 63 has a SIP processing unit 111, a VPN processing unit 113, and a storage unit 115.
  • The SIP processing unit 111 and the VPN processing unit 113 perform processing related to SIP and VPN, respectively.
  • The storage unit 115 stores various types of information processed by the IP line unit 63. In particular, in relation to the present invention, the storage unit 115 stores the IP address of the IP line unit 63 and its electronic certificate. These pieces of information correspond to the connection establishment information of the present invention and are provided to the connection partner for the VPN connection. The storage unit 115 further stores an IP line unit ID (the ID of the IP line unit 63), which is used as the ID of the monitoring target 5.
  • Similarly, the VTE 81 of the user device 17 has a SIP processing unit 121, a VPN processing unit 123, and a storage unit 125.
  • The storage unit 125 stores the IP address of the VTE 81, its electronic certificate, and the VTE-ID (the ID of the VTE 81).
  • The inter-center terminal VPN 21 is always established between the communication management device 11 and the monitoring device 15, and likewise between the communication management device 11 and the user device 17.
  • The inter-terminal VPN 25 is constructed directly between the monitoring device 15 and the user device 17 by the following operation, separately from the inter-center terminal VPN 21.
  • In ordinary SIP, a connection can be established between any addresses registered in the SIP server 37. The monitoring device 15 could therefore be connected to an unrelated user device 17, which is not desirable in terms of security.
  • For this reason, signaling is performed as follows. In the following, one of the monitoring device 15 and the user device 17 acts as the SIP connection source terminal and the other as the SIP connection destination terminal. The SIP messages are transmitted on the inter-center terminal VPN 21.
  • The connection source terminal sends an INVITE message (specifically, a SIP INVITE message; hereinafter the same) to the SIP server 37 (S1). The ID of the connection source terminal, the ID of the connection destination terminal, and the IP address and electronic certificate of the connection source terminal are added to this INVITE message.
  • When the SIP server 37 receives the INVITE message, it supplies the ID of the connection source terminal and the ID of the connection destination terminal to the authorization processing unit 103 and inquires whether the connection source terminal and the connection destination terminal may be connected (S3).
  • The authorization processing unit 103 refers to the connection authorization information in the authorization information storage unit 101 and determines whether or not to authorize the connection (S5). If the combination of the connection source terminal and the connection destination terminal is registered in the authorization information storage unit 101, the connection is authorized.
  • The SIP server 37 receives the authorization result from the authorization processing unit 103 (S7). When the connection has been authorized by the authorization processing unit 103, the SIP server 37 transmits the INVITE message to the connection destination terminal (S9). This INVITE message includes the IP address and the electronic certificate of the connection source terminal.
  • When the connection destination terminal receives the INVITE message, it sends an OK message (specifically, a SIP 200 OK message; hereinafter the same) to the SIP server 37 (S11). The IP address and the electronic certificate of the connection destination terminal are added to the OK message.
  • This OK message is transmitted to the connection source terminal via the SIP server 37 (S13).
  • In this way the IP addresses and the electronic certificates are exchanged by SIP signaling.
  • A VPN connection request is then sent between the terminals; authentication is performed using the electronic certificate included in the connection request and the electronic certificate exchanged earlier, and the inter-terminal VPN 25 is constructed (S15).
  • Thus, when the INVITE message is received by the SIP server 37, processing for authorizing the combination of terminals is performed. If the connection is not authorized, the INVITE message is not sent to the destination terminal, and neither the subsequent SIP processing nor the VPN processing is performed. Only when the combination of the monitoring device 15 and the user device 17 is correct is the connection authorized, the INVITE message sent to the connection destination terminal, the subsequent SIP processing performed, and the VPN connection finally made possible.
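  • The authorization table of FIG. 4 and the check the SIP server 37 performs before forwarding an INVITE (S1 to S9), as an added Python example that is not code from the patent or its assignee. Only user C's row (C01, C02 and C11) comes from the description; the rows for users A and B, the IP address, the certificate strings and all function names are constructed for the illustration. For contrast, the example also includes the weaker check the description attributes to conventional SIP, under which any two terminals registered with the server may be connected.

```python
"""Connection authorization modelled on the FIG. 4 table (added example).

Not the patent's or the assignee's code. Only user C's row is taken from the
description; the other rows, the address and the certificate strings are constructed.
"""
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple

# Connection authorization information: (owner, monitoring device ID, user device ID).
# The monitoring device ID is the IP line unit ID; the user device ID is the VTE-ID.
CONNECTION_AUTHORIZATION_INFO: Tuple[Tuple[str, str, str], ...] = (
    ("A", "A01", "A11"),            # constructed row
    ("B", "B01", "B11"),            # constructed: one monitoring device ...
    ("B", "B01", "B12"),            # ... associated with two user devices
    ("C", "C01", "C11"),            # from the description: user C has two stores,
    ("C", "C02", "C11"),            # both associated with one user device C11
)

# Terminals whose addresses are registered with the SIP server (constructed list).
REGISTERED_TERMINALS: Set[str] = (
    {row[1] for row in CONNECTION_AUTHORIZATION_INFO}
    | {row[2] for row in CONNECTION_AUTHORIZATION_INFO}
)


def build_authorized_pairs(rows: Iterable[Tuple[str, str, str]]) -> Set[FrozenSet[str]]:
    """Authorization information storage unit 101: index the table for lookup.

    Each pair is stored as a frozenset, because either terminal of a registered
    combination may be the SIP connection source (FIG. 6 versus FIG. 7).
    """
    return {frozenset((mon_id, user_id)) for _owner, mon_id, user_id in rows}


def conventional_sip_would_connect(src_id: str, dst_id: str) -> bool:
    """The weaker check described for conventional SIP: any two registered
    terminals may be connected, so an owner could reach another owner's store."""
    return src_id in REGISTERED_TERMINALS and dst_id in REGISTERED_TERMINALS


def authorize_connection(pairs: Set[FrozenSet[str]], src_id: str, dst_id: str) -> bool:
    """Authorization processing unit 103 (S5): authorize only a registered
    (monitoring device, user device) combination, in either direction."""
    return frozenset((src_id, dst_id)) in pairs


def sip_server_on_invite(pairs: Set[FrozenSet[str]],
                         invite: Dict[str, str]) -> Optional[Dict[str, str]]:
    """SIP server 37, S1 to S9.

    The INVITE carries the source ID, the destination ID and the source's
    connection establishment information (IP address and certificate). If the
    authorization unit rejects the combination the INVITE is dropped (None) and
    no further SIP or VPN processing happens; otherwise the INVITE forwarded to
    the destination is returned, carrying the source's IP address and certificate.
    """
    if not authorize_connection(pairs, invite["src_id"], invite["dst_id"]):
        return None
    return {"dst_id": invite["dst_id"],
            "src_ip": invite["src_ip"],
            "src_cert": invite["src_cert"]}
```

  • The frozenset index makes the lookup direction-independent, which matches the description: the same table row authorizes the monitoring device calling the user device and the user device calling the monitoring device, while two monitoring devices or two user devices of the same owner are never a registered combination.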
  • Details of the operation of the monitoring system 1 will be described with reference to FIGS. 6 and 7. FIG. 6 shows the case where the monitoring device 15 is the connection source terminal, and FIG. 7 the case where the user device 17 is the connection source.
  • In FIGS. 6 and 7, the controller 61 and the IP line unit 63 belong to the monitoring device 15, and the SIP server 37 and the authorization information storage unit 101 (account management server 41) belong to the communication management device 11. The user PC 85 belongs to the user device 17.
  • First, the controller 61 sends a connection instruction (P2P connection instruction) including the VTE-ID (the ID of the VTE 81) to the IP line unit 63 (S101). The VTE-ID is used as the connection destination terminal ID.
  • The IP line unit 63 reads the IP line unit IP address (the IP address of the IP line unit 63) and the IP line unit individual certificate from the storage unit 115. The IP line unit individual certificate is an electronic certificate assigned to each IP line unit.
  • The IP line unit 63 also reads the IP line unit ID (the ID of the IP line unit 63) from the storage unit 115 as the connection source terminal ID. It then adds these pieces of information to an INVITE message and sends the INVITE message to the SIP server 37 (S103). Specifically, the INVITE message includes the IP line unit IP address, the IP line unit ID, the VTE-ID, and the IP line unit individual certificate.
  • The SIP server 37 receives the INVITE message, transmits the IP line unit ID and the VTE-ID to the authorization processing unit 103, and inquires whether to authorize the connection (S105).
  • The authorization processing unit 103 refers to the connection authorization information in the authorization information storage unit 101 and determines whether to authorize the connection (S107). Here, the table of FIG. 4 is read out, and the authorization processing unit 103 determines whether the combination of terminal IDs in the inquiry is registered in the table. If the combination is registered, the authorization processing unit 103 authorizes the connection.
  • The authorization result is transmitted from the authorization processing unit 103 to the SIP server 37 (S109).
  • When the connection is authorized, the SIP server 37 transmits the INVITE message to the VTE 81 (S111). The IP line unit IP address and the IP line unit individual certificate are added to this INVITE message.
  • If the connection is not authorized in step S107, the SIP server 37 does not send the INVITE message to the VTE 81. Therefore the subsequent SIP processing is not performed, and neither is the subsequent VPN connection.
  • When the VTE 81 receives the INVITE message, it holds the IP line unit IP address and the IP line unit individual certificate in the storage unit 125 and presents a connection request (P2P connection request) to the user PC 85 (S113). The IP line unit IP address is added to this connection request. The user PC 85 then sends a connection response to the VTE 81 (S115).
  • Next, the VTE 81 reads the VTE-IP address (the IP address of the VTE 81) and the VTE individual certificate (the electronic certificate allocated to the VTE 81) from the storage unit 125 and transmits an OK message to the SIP server 37 (S117). The VTE-IP address and the VTE individual certificate are added to this OK message.
  • The SIP server 37 transmits the OK message, together with the VTE-IP address and the VTE individual certificate, to the IP line unit 63 (S119).
  • When the IP line unit 63 receives the OK message, it holds the VTE-IP address and the VTE individual certificate in the storage unit 115 and sends an ACK message to the SIP server 37 (S121). The SIP server 37 forwards the ACK message to the VTE 81 (S123).
  • At this point the IP line unit 63 has obtained the IP address and the electronic certificate of the VTE 81, and the VTE 81 has obtained the IP address and the electronic certificate of the IP line unit 63. Each side can therefore recognize the other party using these pieces of information, and a VPN connection can be established between the IP line unit 63 and the VTE 81. This is the inter-terminal VPN 25.
  • The IP line unit 63 sends a VPN connection request directly to the VTE 81 (S125), without going through the SIP server 37.
  • The VTE 81 performs authentication using the IP line unit individual certificate included in the VPN connection request and the IP line unit individual certificate held in the storage unit 125, and sends incoming information including the IP line unit IP address of the other party to the user PC 85 (S127). The IP line unit IP address is used by the user PC 85 for VPN communication.
  • The VTE 81 notifies the IP line unit 63 that it has processed the VPN connection as the VPN server (S129).
  • The IP line unit 63 notifies the controller 61 that the connection result is OK and informs it of the VTE-IP address of the other party (S131). The VTE-IP address is used by the controller 61 for VPN communication.
  • The VPN connection is thus established, and monitoring information is communicated via the inter-terminal VPN 25. Monitoring video and audio are provided from the monitoring device 15 to the user device 17.
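  • The FIG. 6 sequence from S103 to S131, as an added Python simulation that is not code from the patent or its assignee; because the message contents and the direction of the VPN request are the same in FIG. 7, the simulation also runs with the user device as the connection source. The class names, message dictionaries, IP addresses, the plain string standing in for the electronic certificate and the frozenset standing in for the FIG. 4 table are all assumptions of the simulation. It shows the three outcomes the description distinguishes: an authorized pair completes signaling and the VPN, an unauthorized pair is dropped at the SIP server before any INVITE is forwarded, and a VPN request whose certificate does not match the one received during signaling is refused by the VTE.

```python
"""Simulation of the FIG. 6 / FIG. 7 SIP signaling and direct VPN set-up (added example).

Not the patent's or the assignee's code. Class names, message fields, IP addresses
and the plain-string certificate are assumptions made for the simulation.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass
class Terminal:
    """A terminal with its storage unit: the IP line unit 63 or the VTE 81."""
    terminal_id: str
    ip: str
    cert: str                              # individual certificate of this terminal
    vpn_server: bool = False               # only the VTE 81 provides the VPN server
    peer_ip: Optional[str] = None          # learned during SIP signaling
    peer_cert: Optional[str] = None
    log: List[str] = field(default_factory=list)


class SipServer:
    """SIP server 37 backed by the authorization processing unit 103."""

    def __init__(self, authorized_pairs: Set[FrozenSet[str]]):
        self.authorized_pairs = authorized_pairs   # stands in for the FIG. 4 table

    def relay_invite(self, invite: Dict[str, str], dst: Terminal) -> bool:
        """S105 to S111 (S205 to S211): authorize the pair, then forward the INVITE.

        Returns False, forwarding nothing, when the pair is not registered.
        """
        pair = frozenset((invite["src_id"], invite["dst_id"]))
        if pair not in self.authorized_pairs:
            return False
        dst.peer_ip, dst.peer_cert = invite["ip"], invite["cert"]   # S113 / S213
        dst.log.append("INVITE received")
        return True

    def relay_ok(self, ok: Dict[str, str], src: Terminal) -> None:
        """S117 to S123 (S217 to S225): relay the OK, then the ACK."""
        src.peer_ip, src.peer_cert = ok["ip"], ok["cert"]
        src.log.append("OK received, ACK sent")


def sip_signaling(src: Terminal, dst: Terminal, server: SipServer) -> bool:
    """Exchange IP addresses and certificates via the SIP server.

    Works in both directions: src is the IP line unit in FIG. 6 and the VTE in FIG. 7.
    """
    invite = {"src_id": src.terminal_id, "dst_id": dst.terminal_id,
              "ip": src.ip, "cert": src.cert}                       # S103 / S203
    if not server.relay_invite(invite, dst):
        src.log.append("INVITE not forwarded: pair not authorized")
        return False
    ok = {"ip": dst.ip, "cert": dst.cert}                            # S117 / S217
    server.relay_ok(ok, src)
    return True


def vpn_connect(ip_line_unit: Terminal, vte: Terminal, presented_cert: str) -> bool:
    """S125 to S131 (S227 to S233): the VPN request always goes from the IP line
    unit (client) to the VTE (the only VPN server), directly and not via the SIP server.

    The VTE authenticates by comparing the certificate in the request with the one
    it stored during signaling; no stored certificate or a mismatch refuses it.
    """
    if not vte.vpn_server:
        raise ValueError("the VPN server function is provided only by the VTE")
    if vte.peer_cert is None or presented_cert != vte.peer_cert:
        vte.log.append("VPN request refused: certificate mismatch")
        return False
    vte.log.append(f"VPN accepted as server; incoming from {vte.peer_ip}")   # S127 / S229
    ip_line_unit.log.append(f"VPN connected; peer {ip_line_unit.peer_ip}")     # S131 / S233
    return True


def run_scenario(user_device_initiates: bool = False,
                 authorized: bool = True,
                 presented_cert: Optional[str] = None) -> Dict[str, object]:
    """Build constructed terminals, run signaling, then the VPN request."""
    ip_unit = Terminal("C01", "192.0.2.10", "cert-IP-C01")                   # constructed
    vte = Terminal("C11", "198.51.100.20", "cert-VTE-C11", vpn_server=True)  # constructed
    pairs = {frozenset(("C01", "C11"))} if authorized else set()
    server = SipServer(pairs)
    src, dst = (vte, ip_unit) if user_device_initiates else (ip_unit, vte)
    sip_ok = sip_signaling(src, dst, server)
    cert = ip_unit.cert if presented_cert is None else presented_cert
    vpn_ok = sip_ok and vpn_connect(ip_unit, vte, cert)
    return {"sip_ok": sip_ok, "vpn_ok": vpn_ok,
            "ip_unit_knows_vte": ip_unit.peer_ip == vte.ip and ip_unit.peer_cert == vte.cert,
            "vte_knows_ip_unit": vte.peer_ip == ip_unit.ip and vte.peer_cert == ip_unit.cert}
```

  • The point the simulation makes visible is that the authorization decision is taken once, at the SIP server, before the destination terminal learns anything about the source, while the certificate received during signaling is what the VTE later uses to authenticate the direct VPN request; the two checks are independent, and either failing stops the inter-terminal VPN from being built.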
  • Next, the operation of FIG. 7, in which the user device 17 is the connection source, is described. A connection instruction (P2P connection instruction) is first given to the VTE 81.
  • The VTE 81 reads the VTE-IP address and the VTE individual certificate from the storage unit 125. It further reads the VTE-ID from the storage unit 125 as the connection source terminal ID. The VTE 81 then adds this information to an INVITE message and sends the INVITE message to the SIP server 37 (S203). Specifically, the INVITE message includes the VTE-IP address, the VTE-ID, the IP line unit ID, and the VTE individual certificate.
  • The SIP server 37 receives the INVITE message, transmits the VTE-ID and the IP line unit ID to the authorization processing unit 103, and inquires whether to authorize the connection (S205).
  • The authorization processing unit 103 refers to the connection authorization information in the authorization information storage unit 101 in the same manner as described above, determines whether to authorize the connection (S207), and sends the authorization result to the SIP server 37 (S209). That is, if the combination of the VTE-ID and the IP line unit ID is registered, the connection is authorized.
  • When the connection is authorized, the SIP server 37 transmits the INVITE message to the IP line unit 63 (S211). The VTE-IP address and the VTE individual certificate are added to this INVITE message.
  • If the connection is not authorized in step S207, the SIP server 37 does not send the INVITE message to the IP line unit 63. Therefore the subsequent SIP processing is not performed, and neither is the subsequent VPN connection.
  • When the IP line unit 63 receives the INVITE message, it holds the VTE-IP address and the VTE individual certificate in the storage unit 115 and presents a connection request (P2P connection request) to the controller 61 (S213). The VTE-IP address is added to this connection request. The controller 61 then sends a connection response to the IP line unit 63 (S215).
  • The IP line unit 63 reads the IP line unit IP address and the IP line unit individual certificate from the storage unit 115 and transmits an OK message to the SIP server 37 (S217). The IP line unit IP address and the IP line unit individual certificate are added to the OK message.
  • The SIP server 37 transmits the OK message, together with the IP line unit IP address and the IP line unit individual certificate, to the VTE 81 (S219).
  • When the VTE 81 receives the OK message, it holds the IP line unit IP address and the IP line unit individual certificate in the storage unit 125 and sends an ACK message to the SIP server 37 (S221). The establishment of the connection is also notified (S223).
  • The SIP server 37 transmits the ACK message to the IP line unit 63 (S225).
  • The IP address and the electronic certificate have thus been exchanged between the IP line unit 63 and the VTE 81.
  • When the IP line unit 63 receives the ACK message, it sends a VPN connection request to the VTE 81 (S227). The VPN connection is made without going through the SIP server 37.
  • The VTE 81 sends incoming information including the IP address of the other party to the user PC 85 (S229).
  • The VTE 81 notifies the IP line unit 63 that it has processed the VPN connection as the VPN server (S231).
  • The IP line unit 63 sends incoming information including the VTE-IP address of the other party to the controller 61 (S233).
  • The VPN connection is thus established, and monitoring information is communicated via the inter-terminal VPN 25.
  • In both FIG. 6 and FIG. 7, the VPN connection request is sent from the IP line unit 63 to the VTE 81. The reason is as follows. In a VPN, the connection request must be sent from the client to the server, and the function of the VPN server is provided only in the VTE 81. Therefore the VPN connection request is sent from the IP line unit 63 to the VTE 81 regardless of which terminal was the SIP connection source.
  • As described above, in the monitoring system 1 a plurality of terminals are connected to the communication management device 11 provided with the SIP server 37, and the communication management apparatus 11 has the authorization information storage unit 101 and the authorization processing unit 103 in addition to the SIP server 37.
  • In SIP signaling, an INVITE (invitation) message is sent from the connection source terminal to the SIP server. At this point the authorization processing unit 103 determines whether to authorize the connection. Only when the authorization processing unit 103 authorizes the connection does the SIP server 37 send the INVITE message from the connection source terminal to the connection destination terminal, and SIP signaling succeeds.
  • Information on the combinations of terminals whose connection should be authorized is thus stored in advance, and authorization of the connection between terminals is performed at the time of SIP signaling. This goes beyond mere authentication between a terminal and the SIP server: the terminal-to-terminal (P2P) connection via the SIP server 37 is itself authorized, and the users of the monitoring information can be suitably restricted. In this way the security when applying SIP to the monitoring system 1 can be improved.
  • Connection establishment information used for establishing an inter-terminal connection not via the communication management apparatus 11 may be added to the INVITE message and the OK message exchanged in SIP signaling. The connection establishment information can then be exchanged between the terminals and the inter-terminal connection established. SIP is thus put to good use for the terminal-to-terminal connection, and the amount of communication between the communication management apparatus 11 and the terminals, and hence the load on the communication management apparatus 11, can be reduced.
  • In the above description the IP address and the electronic certificate are given as examples of the connection establishment information, but the other party may be authenticated using other information instead of the electronic certificate. For example, a common name included in the electronic certificate may be used as connection establishment information.
  • The inter-terminal connection not via the communication management apparatus 11 may be the inter-terminal VPN 25, which establishes a VPN between the terminals. The bidirectional message exchange of SIP signaling is well suited to exchanging the information necessary for establishing a VPN connection, and applying a VPN increases security.
  • The INVITE message may include the IP address and the electronic certificate of the connection source terminal as connection establishment information, and the OK message may include the IP address and the electronic certificate of the connection destination terminal as connection establishment information. SIP can thereby be used to exchange the information needed for the VPN connection, and secure communication can be performed between the terminals.
  • The communication management device 11 may be provided in the monitoring center 3. Communication between the monitoring center 3 and the terminals, and communication between the terminals, can then both be performed suitably using the communication management apparatus 11.
  • The communication management apparatus 11 and the plurality of terminals may be connected by the inter-center terminal VPN 21, which establishes a VPN between them, and the SIP server 37 may communicate SIP messages with the plurality of terminals via the inter-center terminal VPN 21. That is, SIP communication is performed on the inter-center terminal VPN 21. Here the inter-terminal VPN 25, established after the SIP session, is the VPN between the terminals, and the inter-center terminal VPN 21 is the VPN between the communication management apparatus 11 and the terminals.
  • The monitoring information may include at least one of an image captured at the monitoring target 5, a monitoring signal detected at the monitoring target 5, and control information generated by the user. This enables useful monitoring information to be communicated between the terminals.
  • As described above, the monitoring system according to the present invention is useful for monitoring a store or the like from a remote place using communication.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Multimedia (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Telephonic Communication Services (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Closed-Circuit Television Systems (AREA)
  • Alarm Systems (AREA)

Abstract

A communication management device (11) is connected to a plurality of terminals. The plurality of terminals are a monitoring device (15) and a user device (17). When communication between terminals is performed, a connection source terminal transmits an invitation message of SIP to the communication management device (11). The communication management device (11) is provided with a permission information storage unit (101) which stores connection permission information storing a combination of terminals which should be permitted for connection, in addition to the SIP server (37); and a permission processing unit (103) which permits a connection between terminals with reference to the connection permission information. When the SIP server (37) acquires the invitation message from the connection source terminal, if the permission processing unit (103) permits the connection between the connection source and connection destination terminals, the SIP server (37) supplies the invitation message from the connection source terminal to the connection destination terminal. Thereby, a monitoring system capable of improving the security when applying the SIP to the monitoring system is provided.

Description

Monitoring system and communication management device
The present invention relates to a monitoring system in which a terminal to be monitored, which acquires monitoring information, and a terminal on the user side, which obtains and uses the monitoring information, are communicably connected.
Conventionally, monitoring systems have been put into practical use in which a monitoring camera is installed at a monitoring target such as a store or a factory and the monitoring video is monitored from a remote place. The monitoring video is sent to a remote monitoring center and also to the office of the owner of the monitoring target. A general public line such as ISDN is used for transmitting the monitoring video (for example, Patent Document 1).
In recent years, with the spread of broadband lines such as ADSL and FTTH, there is a growing need to transmit and receive the monitoring video and the like of a monitoring system over the Internet. Using the Internet can be expected to reduce costs and improve the flexibility of the system.
As a technology for transmitting voice and video over the Internet, the protocol called SIP (Session Initiation Protocol) is known. SIP is applied to IP telephony, video conferencing and the like. To connect two sites by SIP, the address of each site is registered in a SIP server. This enables SIP communication between the sites whose addresses are registered.
However, applying SIP to a monitoring system raises a security problem. A monitoring system that monitors the video and the like of a monitoring target from outside requires a high level of security. In SIP, on the other hand, any sites can be connected simply by registering their addresses. Applying SIP to a monitoring system as it is therefore is not desirable from a security standpoint.
For example, suppose that the monitoring targets are stores and that the terminals of a plurality of stores are connected to a monitoring center. The monitoring center is also connected to the terminal of the owner of each store. In this case, only the terminal of the corresponding owner should be able to connect to the terminal of each store.
In conventional SIP, however, a connection is possible between any terminals whose addresses are registered in the SIP server. As a basic authentication function, the SIP server can authenticate a password and an ID, but this is limited to authentication between a terminal and the SIP server. Once a terminal is permitted to connect to the SIP server, the combinations of terminals connecting via the SIP server cannot be restricted. Consequently the connection between a store terminal and an owner terminal cannot be restricted either, and an owner could possibly obtain the monitoring information of stores other than his or her own.
Patent Document 1: JP 2001-54102 A
The present invention has been made against the above background. An object of the present invention is to provide a monitoring system that can improve security when SIP is applied to a monitoring system.
One aspect of the present invention is a monitoring system. The monitoring system has a plurality of terminals that communicate monitoring information and a communication management device that manages the communication of the plurality of terminals, each of the plurality of terminals being provided on the monitoring target side or on the side of a user who uses the monitoring information received from the monitoring target. When one of the plurality of terminals requests a connection to another terminal, the connection source terminal is configured to transmit a SIP invitation message including the identification information of the connection destination terminal to the communication management device. The communication management device has a SIP server, an authorization information storage unit that stores connection authorization information representing the combinations of terminals whose connection should be authorized, and an authorization processing unit that refers to the connection authorization information to determine whether or not to authorize a connection between terminals. When the SIP server acquires the invitation message from the connection source terminal, it supplies the identification information of the connection destination terminal included in the invitation message to the authorization processing unit, and when the authorization processing unit authorizes the connection between the terminals, the SIP server supplies the invitation message from the connection source terminal to the connection destination terminal.
Another aspect of the present invention is a communication management device that manages the communication of a plurality of terminals communicating monitoring information. The communication management device has a SIP server, an authorization information storage unit that stores connection authorization information representing the combinations of terminals whose connection should be authorized, and an authorization processing unit that refers to the connection authorization information to determine whether or not to authorize a connection between terminals. When the SIP server acquires, from one of the plurality of terminals, a SIP invitation message including identification information of another terminal, the authorization processing unit determines, based on the identification information of the connection destination terminal included in the invitation message, whether or not to authorize the connection between the terminals, and when the authorization processing unit authorizes the connection, the SIP server supplies the invitation message from the connection source terminal to the connection destination terminal.
As described below, there are other aspects of the present invention. Accordingly, this disclosure is intended to provide some aspects of the present invention and is not intended to limit the scope of the invention described and claimed herein.
FIG. 1 is a diagram showing the overall configuration of the monitoring system of the present invention.
FIG. 2 is a block diagram showing the configuration of the monitoring system more specifically.
FIG. 3 is a block diagram showing the main configuration of the monitoring system of the present invention.
FIG. 4 is a diagram showing an example of the table of connection authorization information stored in the authorization information storage unit.
FIG. 5 is a diagram showing the operation when communication between terminals is performed in the monitoring system.
FIG. 6 is a diagram showing the operation in which the monitoring device serves as the connection source and performs communication between terminals.
FIG. 7 is a diagram showing the operation in which the user device serves as the connection source and performs communication between terminals.
 以下に本発明の詳細な説明を述べる。ただし、以下の詳細な説明と添付の図面は発明を限定するものではない。 The detailed description of the present invention will be described below. However, the following detailed description and the attached drawings do not limit the invention.
The present invention is a monitoring system comprising a plurality of terminals that communicate monitoring information and a communication management device that manages the communication of those terminals, each terminal being installed either at the monitored site or at a user site that uses monitoring information received from the monitored site. When one terminal requests a connection to another terminal, the connection-source terminal is configured to send the communication management device a SIP invitation message containing the identification information of the connection-destination terminal. The communication management device comprises a SIP server, an authorization information storage unit that stores connection authorization information representing the combinations of terminals whose connection is to be authorized, and an authorization processing unit that refers to the connection authorization information to determine whether to authorize a connection between terminals. When the SIP server obtains an invitation message from the connection-source terminal, it supplies the identification information of the connection-destination terminal contained in the invitation message to the authorization processing unit, and when the authorization processing unit authorizes the connection between the terminals, the SIP server delivers the invitation message from the connection-source terminal to the connection-destination terminal.
As described above, according to the present invention, the plurality of terminals of the monitoring system are connected to a communication management device equipped with a SIP server. In addition to the SIP server, the communication management device has an authorization information storage unit that stores connection authorization information representing the combinations of terminals whose connection is to be authorized, and an authorization processing unit that refers to that information to determine whether to authorize a connection between terminals. In SIP signaling, an invitation message is sent from the connection-source terminal to the SIP server. At that point, in the present invention, the authorization processing unit determines whether the connection is to be authorized. If it authorizes the connection, the SIP server sends the invitation message from the connection-source terminal on to the connection-destination terminal, and SIP signaling succeeds.
Thus, in the present invention, information on the combinations of terminals whose connection is to be authorized is stored in advance, and connections between terminals are authorized during SIP signaling. This goes beyond mere authentication between a terminal and the SIP server: it authorizes the terminal-to-terminal, that is, peer-to-peer (P2P), connection mediated by the SIP server, so the users of the monitoring information can be suitably restricted. Security when applying SIP to a monitoring system is thereby improved.
When the connection-destination terminal receives the invitation message from the communication management device, it may send a SIP OK message to the communication management device, and the invitation message and the OK message may carry connection establishment information used, after the SIP session has been established, to set up a terminal-to-terminal connection between the connection-source and connection-destination terminals that does not pass through the communication management device.
This allows monitoring information to be communicated between the terminals after the SIP session is established without passing through the communication management device. In this invention, communication takes place in two stages. The first stage is SIP and is carried out via the communication management device. The second stage is a terminal-to-terminal connection that does not pass through the communication management device. Signaling is performed when the SIP connection is set up, and during signaling an invitation message and an OK message are exchanged. The present invention uses these SIP signaling messages to exchange the connection establishment information needed to set up the terminal-to-terminal connection. SIP is thus put to good use in establishing the terminal-to-terminal connection, and the communication volume between the communication management device and the terminals, and hence the load on the communication management device, can be reduced.
The terminal-to-terminal connection that bypasses the communication management device may be an inter-terminal VPN, that is, a VPN built between the two terminals. Applying a VPN (virtual private network) to the terminal-to-terminal communication (the second stage following the SIP connection described above) raises the level of security. The two-way message exchange of SIP signaling is well suited to exchanging the information needed to establish the VPN connection.
The invitation message may contain the IP address and digital certificate of the connection-source terminal as connection establishment information, and the OK message may contain the IP address and digital certificate of the connection-destination terminal as connection establishment information. In this way, SIP is used to exchange the information needed for the VPN connection, and secure communication between the terminals becomes possible.
The communication management device may be installed in a monitoring center that monitors the monitored sites through communication with the plurality of terminals. The communication management device can then be used both for communication between the monitoring center and the terminals and for communication between the terminals.
The connection between the communication management device and the terminals may be a center-to-terminal VPN, that is, a VPN built between the communication management device and each of the terminals, and the SIP server may exchange SIP messages with the terminals over this center-to-terminal VPN. SIP communication is then carried over the center-to-terminal VPN. Above, it was described that a VPN connection is made between the terminals after the SIP session is established; the center-to-terminal VPN here is the VPN between the center and each individual terminal. Using the center-to-terminal VPN secures the communication between the monitoring center and each terminal, and the SIP communication is secured as well.
The monitoring information may include at least one of images captured at the monitored site, monitoring signals detected at the monitored site, and control information generated on the user side. Useful monitoring information can thus be communicated between the terminals.
Another aspect of the present invention is a communication management device that manages the communication of a plurality of terminals that communicate monitoring information. This communication management device comprises a SIP server, an authorization information storage unit that stores connection authorization information representing the combinations of terminals whose connection is to be authorized, and an authorization processing unit that refers to the connection authorization information to determine whether to authorize a connection between terminals. When the SIP server obtains from one of the terminals a SIP invitation message containing the identification information of another terminal, the authorization processing unit determines, on the basis of the connection-destination identification information contained in the invitation message, whether to authorize the connection between the terminals, and when it authorizes the connection, the SIP server delivers the invitation message from the connection-source terminal to the connection-destination terminal. The various configurations described above may also be applied to this aspect.
The present invention is not limited to the monitoring system and communication management device aspects described above. Another aspect of the present invention is, for example, a terminal device. The present invention may also be realized in the form of a method, a program, or a computer-readable recording medium on which such a program is recorded.
As described above, the present invention can improve security when SIP is applied to a monitoring system.
A monitoring system according to an embodiment of the present invention is described below with reference to the drawings.
FIG. 1 shows the overall configuration of the monitoring system of the present invention. As illustrated, in the monitoring system 1 communication takes place among a monitoring center 3, a monitored site 5, and a user site 7. Here, "user" means a user of the monitoring service that the monitoring system 1 provides for the monitored site 5. In the example of this embodiment, the monitored site 5 is a store and the user site 7 is the office of the store owner.
The monitoring center 3 is provided with a communication management device 11 and a plurality of center devices 13, which are communicably connected to each other. The communication management device 11 and the center devices 13 may be located at geographically separate places. The center devices 13 may each be located in a different area of responsibility, and they may also divide functions among themselves: for example, one center device 13 may act as a control center device that processes security-related signals, while another acts as an image center device that mainly processes surveillance video. Within the scope of the present invention there may also be only one center device 13.
A monitoring device 15 and a user device 17 are installed at the monitored site 5 and the user site 7, respectively. The monitoring device 15 and the user device 17 correspond to the terminals of the present invention. The monitoring device 15 sends monitoring information to the center devices 13 and to the user device 17. The monitoring information is, for example, surveillance camera images and monitoring signals detected at the monitored site 5. A monitoring signal is, for example, a security signal indicating that an abnormality has occurred; the security signal is generated on the basis of a detection signal from a sensor installed at the monitored site 5, or when an alarm button (switch) is operated. The user device 17 in turn sends control signals and audio signals to the monitoring device 15; such signals from the user device 17 to the monitoring device 15 are also included in the monitoring information.
FIG. 1 shows one monitored site 5 and one user site 7. In practice, however, the monitoring center 3 communicates with a plurality of monitored sites 5 and a plurality of user sites 7, so the communication management device 11 likewise communicates with a plurality of monitoring devices 15 and a plurality of user devices 17. Each monitoring device 15 communicates with the user device 17 associated with it (the store owner's terminal).
In the monitoring system 1 of FIG. 1, suppose for example that the monitoring device 15 detects an abnormality from a sensor signal or the like. In that case a security signal is sent as monitoring information to the monitoring center 3 together with video of the monitored site 5. At the monitoring center 3, an operator checks the security signal and video on the monitor of a center device 13 and gives the necessary instructions to a security guard, who hurries to the monitored site 5 and deals with the abnormality.
The monitoring device 15 also sends video or the like of the monitored site 5 to the user device 17 periodically or according to other settings, for example when a sensor detects a visitor. The user device 17 may also request that video or the like be sent. The owner can thus see the state of the store from the video, and can send audio or the like from the user device 17 to the monitoring device 15 to give instructions to store staff.
Next, the communication arrangement of the monitoring system 1 is described. The communication management device 11, the monitoring device 15, and the user device 17 are connected to the Internet.
In addition, the communication management device 11 is connected to the monitoring device 15 and the user device 17 over the Internet by a center-to-terminal VPN (virtual private network) 21. To build the center-to-terminal VPN 21, the communication management device 11 is provided with a VPN server function and the monitoring device 15 and user device 17 are provided with VPN client functions. In the VPN, a VPN tunnel is built and communication is encrypted, so a high level of security is achieved.
The monitoring device 15 and the user device 17 also perform SIP communication 23 via the communication management device 11. The SIP communication 23 is carried over the center-to-terminal VPN 21 described above, and the communication management device 11 is provided with a SIP server function.
Further, the monitoring device 15 and the user device 17 are connected directly by an inter-terminal VPN 25 that does not pass through the communication management device 11. To build this inter-terminal VPN 25, the user device 17 is provided with a VPN server function and the monitoring device 15 with a VPN client function.
Here, the center-to-terminal VPN 21 is always connected, with its VPN tunnel permanently built, and is used for communication between the center devices 13 and the monitoring device 15 and user device 17. The inter-terminal VPN 25, by contrast, is built only when needed.
The reason for using the inter-terminal VPN 25 is as follows. The monitoring system 1 carries large volumes of data such as video. If the center-to-terminal VPN 21 were used for all communication, the load on the communication management device 11 would become enormous. Carrying the communication between the monitoring device 15 and the user device 17 over the inter-terminal VPN 25 therefore reduces the load on the communication management device 11 while maintaining security.
The role of the SIP communication 23 in this embodiment is also a special one, different from that in ordinary IP telephony and the like. That is, this embodiment positions SIP signaling as a preparatory step before the VPN connection. More specifically, signaling takes place when a SIP session 23 is established; this signaling is two-way, and an invitation message and an OK message are exchanged. Establishing a VPN connection, on the other hand, requires an exchange of information; in this embodiment, IP addresses and digital certificates are exchanged. A digital certificate is used to verify the validity of a digital signature or the like, and the certificates used are issued by a trusted third-party authority. The signaling of the SIP communication 23 is therefore used as the means of exchanging the information needed to establish the VPN connection.
The overall configuration of the monitoring system 1 has been described above. As described, this embodiment uses two kinds of VPN: one connects the communication management device 11 to a terminal (the monitoring device 15 or the user device 17), and the other connects the terminals to each other (the monitoring device 15 and the user device 17). To distinguish the two, FIG. 1 uses the terms center-to-terminal VPN 21 and inter-terminal VPN 25; they may, however, simply be called VPN 21 and VPN 25.
Next, the configuration of the monitoring system 1 is described in more detail with reference to FIG. 2. The communication management device 11 comprises a firewall 31, an HTTP server 33, a VPN server 35, a SIP server 37, a STUN server 39, an account management server 41, a database 43, and a log server 45.
The firewall 31 is a device that blocks all data other than the communication data used between the communication management device 11 and the monitoring device 15 and user device 17. The HTTP server 33 is the component for Internet connection. The VPN server 35 is a server that performs the authentication and encryption needed to build VPN tunnels.
The VPN server 35 is the component that realizes the center-to-terminal VPN 21: it builds a VPN between the communication management device 11 and the monitoring device 15, and another between the communication management device 11 and the user device 17. A signal from the monitoring device 15 is decrypted by the VPN server 35 and sent to the center device 13; a signal from the center device 13 is encrypted by the VPN server 35 and sent to the monitoring device 15. When the communication management device 11 itself sends a signal to the monitoring device 15, the VPN server 35 likewise performs the encryption. For communication between the communication management device 11 and the user device 17, the VPN server 35 performs encryption and decryption in the same way.
The SIP server 37 performs signaling processing in accordance with the SIP protocol and connects the monitoring device 15 and the user device 17. It performs SIP connection control both when the user device 17 requests a connection to the monitoring device 15 and when the monitoring device 15 requests a connection to the user device 17.
In SIP signaling, messages are exchanged; specifically, an INVITE (invitation) message and an OK message. As described above, this message exchange is used to exchange the IP addresses and digital certificates needed to establish the VPN connection.
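The INVITE / OK exchange that the summary describes and that SIP server 37 mediates here, written out as an added example (not code from the patent or its assignee). The header set is the standard SIP one (To, From, Call-ID, CSeq, Content-Type, Content-Length), but everything else is an assumption made for this example: the body format carrying the IP address and certificate as two "name: value" lines, the media type, the domain `center.example`, the tag values, and the constructed TEST-NET addresses and placeholder certificate strings. The parser refuses a message whose Content-Length disagrees with its body or whose body lacks either field, so a truncated or stripped message cannot seed a VPN connection with half of the peer's information.

```python
from dataclasses import dataclass

CRLF = "\r\n"
DOMAIN = "center.example"  # assumed SIP domain served by the communication management device


@dataclass
class ConnInfo:
    """Connection establishment information carried in the INVITE and the 200 OK."""
    ip_address: str
    certificate: str  # base64 DER in a real deployment; constructed placeholders below


def terminal_id(uri: str) -> str:
    """Return the user part of 'sip:ID@domain' (also when wrapped in '<...>;tag=...')."""
    start = uri.index("sip:") + len("sip:")
    return uri[start:uri.index("@", start)]


def _build(start_line: str, headers: dict, info: ConnInfo) -> str:
    # Assumed body encoding: two "name: value" lines; the patent fixes no format.
    body = f"ip-address: {info.ip_address}{CRLF}certificate: {info.certificate}{CRLF}"
    hdrs = dict(headers)
    hdrs["Content-Type"] = "application/x-vpn-bootstrap"  # assumed private media type
    hdrs["Content-Length"] = str(len(body.encode("utf-8")))
    head = CRLF.join([start_line, *(f"{k}: {v}" for k, v in hdrs.items())])
    return head + CRLF + CRLF + body


def parse_message(raw: str):
    """Split a SIP message into (start line, headers, ConnInfo); reject inconsistent ones."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no header/body separator")
    start_line, *header_lines = head.split(CRLF)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    if int(headers.get("Content-Length", "-1")) != len(body.encode("utf-8")):
        raise ValueError("Content-Length does not match the body")
    fields = {}
    for line in body.split(CRLF):
        if line:
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
    if not fields.get("ip-address") or not fields.get("certificate"):
        raise ValueError("connection establishment information is incomplete")
    return start_line, headers, ConnInfo(fields["ip-address"], fields["certificate"])


def build_invite(src_id: str, dst_id: str, call_id: str, info: ConnInfo) -> str:
    """Connection-source terminal: INVITE addressed to the destination terminal's ID."""
    headers = {
        "To": f"<sip:{dst_id}@{DOMAIN}>",
        "From": f"<sip:{src_id}@{DOMAIN}>;tag={src_id}-tag",
        "Call-ID": call_id,
        "CSeq": "1 INVITE",
    }
    return _build(f"INVITE sip:{dst_id}@{DOMAIN} SIP/2.0", headers, info)


def build_ok(invite: str, info: ConnInfo) -> str:
    """Connection-destination terminal: 200 OK answering the INVITE with its own info."""
    _, req, _ = parse_message(invite)
    dst_id = terminal_id(req["To"])
    headers = {  # RFC 3261: To/From/Call-ID/CSeq are copied from the request,
        "To": f"{req['To']};tag={dst_id}-tag",  # and the callee adds its own To tag
        "From": req["From"],
        "Call-ID": req["Call-ID"],
        "CSeq": req["CSeq"],
    }
    return _build("SIP/2.0 200 OK", headers, info)


def is_well_formed(raw: str) -> bool:
    try:
        parse_message(raw)
        return True
    except ValueError:
        return False


def run_exchange():
    """Both halves of the exchange on constructed sample data (TEST-NET addresses)."""
    src_info = ConnInfo("203.0.113.10", "CONSTRUCTED-CERT-C01")   # IP line unit 63 side
    dst_info = ConnInfo("198.51.100.20", "CONSTRUCTED-CERT-C11")  # VTE 81 side
    invite = build_invite("C01", "C11", "call-0001@center.example", src_info)
    # Destination parses the forwarded INVITE and learns the source's address and certificate.
    _, _, learned_by_dst = parse_message(invite)
    ok = build_ok(invite, dst_info)
    # Source parses the 200 OK and learns the destination's address and certificate.
    _, ok_headers, learned_by_src = parse_message(ok)
    return learned_by_dst, learned_by_src, ok_headers, invite
```

After `run_exchange()` each side holds the other's IP address and certificate, which is exactly the state the inter-terminal VPN setup needs; the certificate itself still has to be validated against the trusted issuer the embodiment mentions before the tunnel is brought up, a step this message-level example leaves to the VPN processing units.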
The STUN server 39 provides a STUN function to cope with the NAT functions of the routers of the monitoring device 15 and the user device 17.
The account management server 41 is a server that manages various kinds of information, such as that used for authentication. The managed information is stored in the database 43 and includes the IP line accounts, the digital certificates for VPN connection (tunnel construction), and key pair information. In this embodiment, authentication and authorization of connections between terminals are also performed during SIP signaling; the information for that processing is likewise held in the database 43 and used by the account management server 41. Authentication and authorization of connections between terminals may alternatively be performed by the SIP server itself, in which case the authorization processing unit and authorization information storage unit of the present invention are provided in the SIP server.
The log server 45 is a server for storing the logs generated by the monitoring device 15.
The center device 13 comprises a monitoring console 51 and a line connection device 53. The monitoring console 51 is connected to the communication management device 11 via the line connection device 53. For example, when the center device 13 is an image center, surveillance video is supplied to and managed by the monitoring console 51; when the center device 13 is a control center, security-related information is supplied to the monitoring console 51, and surveillance video is suitably displayed on the control center's monitor as well. Surveillance video and the like may also be communicated between center devices.
Next, the monitoring device 15 is described. The monitoring device 15 comprises a controller 61, an IP line unit 63, a router 65, peripheral devices 67, a multi-line adapter 69, and a monitored-site PC (personal computer) 71.
The controller 61 is a computer and realizes the monitoring function in cooperation with the peripheral devices 67. The controller 61 is connected to the monitoring center 3 via the IP line unit 63, and is also connected to the user device 17 via the IP line unit 63.
FIG. 2 shows a surveillance camera 73, a sensor 75, and an alarm button 77 as examples of the peripheral devices 67. The controller 61 detects abnormalities by applying image recognition to the surveillance video, and also from detection signals input from the sensor 75; an abnormality is also detected when the alarm button 77 is pressed. Other peripheral devices may be used for abnormality detection. When an abnormality occurs, the controller 61 communicates with the center device 13 and sends a security signal and an image signal. A microphone is provided together with the surveillance camera 73, and an audio signal is sent as well. In this way the controller 61 realizes the security function for the monitored site 5.
Surveillance video and audio are also sent when requested by the center device 13, and are sent to the user device 17 as well. Transmission to the user device 17 takes place periodically, for example, or according to other settings; for instance, when the sensor 75 detects a visitor, video or the like is sent to the user device 17. The monitoring device 15 also sends video or the like when the user device 17 requests it.
The IP line unit 63 builds the VPN tunnel through which the controller 61 communicates with the communication management device 11, and also builds the VPN tunnel through which the controller 61 communicates with the user device 17. The former corresponds to the center-to-terminal VPN 21 and the latter to the inter-terminal VPN 25. In both of these connections, the IP line unit 63 implements the VPN client function.
In FIG. 2, the IP line unit 63 is shown as an internal component of the controller 61; this represents the physical arrangement. In terms of the communication configuration, the IP line unit 63 sits between the controller 61 and the router 65, and is connected to the controller 61 over an Ethernet (registered trademark) LAN. The router 65 is a broadband line router.
The multi-line adapter 69 is connected to the center device 13 via a mobile telephone network. It is used to send security signals when the broadband line is down: the security signal is passed from the controller 61 through the IP line unit 63 to the multi-line adapter 69, and from the multi-line adapter 69 to the center device 13.
The monitored-site PC 71 is a PC installed at the monitored site 5. In the example of this embodiment, the monitored site 5 is a store, so the monitored-site PC 71 may be a store PC.
Next, the user device 17 is described. The user device 17 comprises a VPN termination device (hereinafter VTE) 81, a router 83, and a user PC (personal computer) 85.
The VTE 81 is a line termination device for the broadband connection. It builds a VPN tunnel with the VPN server 35 of the communication management device 11, and also builds a VPN tunnel with the IP line unit 63 of the monitoring device 15. In the former the VTE 81 acts as a VPN client; in the latter it acts as a VPN server. The router 83 is a broadband line router.
The VTE 81 is connected to the user PC 85. It forwards the video, audio, and control signals received from the controller 61 of the monitoring device 15 to the user PC 85, and forwards the audio and control signals received from the user PC 85 to the controller 61.
In this embodiment, the user site 7 is the store owner's office or the like, so the user PC 85 may be the store owner's PC. The user PC 85 is used by the owner to view surveillance video of the monitored site 5. To provide this function, application software is installed on the user PC 85 that communicates with the controller 61 to display and switch between surveillance images of the monitored site 5.
In this embodiment the user device 17 is stationary. The functions of the user device 17 may, however, be built into a mobile terminal or the like so that it can be moved.
The overall configuration of the monitoring system 1 has been described above. Next, the configuration relating to the features of the present invention is described.
FIG. 3 shows a part of the monitoring system 1 of FIGS. 1 and 2, namely the principal part of the present invention. In FIG. 3, elements described in FIGS. 1 and 2 carry the same reference numerals.
As shown in FIG. 3, the communication management device 11 comprises, in addition to the VPN server 35 and the SIP server 37, an authorization information storage unit 101 and an authorization processing unit 103. The authorization information storage unit 101 stores connection authorization information representing the combinations of terminals (monitoring devices 15 and user devices 17) whose connection is to be authorized, and the authorization processing unit 103 refers to the connection authorization information to determine whether to authorize a connection between terminals. The authorization information storage unit 101 and the authorization processing unit 103 are realized by the database 43 and the account management server 41 of FIG. 2, respectively.
FIG. 4 shows an example of the connection authorization information to be stored in the authorization information storage unit 101. In this example, the connection authorization information is a table of combinations of terminal IDs that associates each user (store owner) with a monitoring device ID (the ID of a monitoring device 15) and a user device ID (the ID of a user device 17). The monitoring device ID and user device ID may be any information that can identify the monitoring device 15 and the user device 17. In the example described later, the monitoring device ID is the ID of the IP line unit 63 and the user device ID is the ID of the VTE 81.
One owner may have several stores. In that case, one monitoring device 15 is combined with a plurality of user devices 17. In the example of FIG. 4, user C has two stores, and two monitoring devices 15 (C01 and C02) are associated with the user device 17 (C11). Likewise, when one owner uses several user devices 17, one monitoring device 15 may be associated with a plurality of user devices 17.
 図3に戻り、監視装置15において、IP回線ユニット63は、SIP処理部111、VPN処理部113及び記憶部115を有する。SIP処理部111及びVPN処理部113は、それぞれ、SIP及びVPNに関する処理を行う。記憶部115は、IP回線ユニット63で処理される各種の情報を記憶する。特に、本発明に関連して、記憶部115は、IP回線ユニット63のIPアドレスと電子証明書とを記憶している。これら情報は、本発明の接続確立情報に相当し、VPN接続のために接続相手に提供される。また、記憶部115は、IP回線ユニットID(IP回線ユニット63のID)を記憶しており、このIP回線ユニットIDが監視対象5のIDとして用いられる。 Returning to FIG. 3, in the monitoring device 15, the IP line unit 63 has a SIP processing unit 111, a VPN processing unit 113, and a storage unit 115. The SIP processing unit 111 and the VPN processing unit 113 perform processing related to SIP and VPN, respectively. The storage unit 115 stores various types of information processed by the IP line unit 63. In particular, in relation to the present invention, the storage unit 115 stores the IP address of the IP line unit 63 and the electronic certificate. These pieces of information correspond to the connection establishment information of the present invention, and are provided to the connection partner for VPN connection. Further, the storage unit 115 stores an IP line unit ID (ID of the IP line unit 63), and this IP line unit ID is used as the ID of the monitoring target 5.
 図3に示すように、利用者装置17のVTE81も、SIP処理部121、VPN処理部123及び記憶部125を有している。記憶部125は、VTE81のIPアドレスと電子証明書とを記憶している。また、記憶部125は、VTE-ID(VTE81のID)を記憶している。 As shown in FIG. 3, the VTE 81 of the user device 17 also has a SIP processing unit 121, a VPN processing unit 123, and a storage unit 125. The storage unit 125 stores the IP address of the VTE 81 and the electronic certificate. In addition, the storage unit 125 stores VTE-ID (ID of VTE 81).
The operation of this embodiment is described next: the operation when the inter-terminal VPN 25 is built, that is, when a VPN connection is made between the monitoring device 15 and the user device 17.
First, an outline. As already described, a center-terminal VPN 21 is permanently established between the communication management device 11 and the monitoring device 15, and another between the communication management device 11 and the user device 17. Separately from these center-terminal VPNs 21, the following operation builds an inter-terminal VPN 25 directly between the monitoring device 15 and the user device 17.
Establishing the inter-terminal VPN 25 requires an exchange of information; in this embodiment, the IP address and the electronic certificate are exchanged between the monitoring device 15 and the user device 17. As the means of this exchange, the embodiment uses SIP. SIP signaling exchanges messages between terminals, and the IP address and electronic certificate above are embedded in those SIP messages. The information needed to prepare the inter-terminal VPN 25 is thus exchanged during SIP signaling.
With SIP's basic function, a SIP connection can be established between any two addresses registered with the SIP server 37. The monitoring device 15 could then be connected to an unrelated user device 17, which is undesirable for security. In view of this, signaling in this embodiment proceeds as follows. Below, one of the monitoring device 15 and the user device 17 is the SIP connection source terminal and the other is the SIP connection destination terminal. All SIP messages are sent over the center-terminal VPN 21.
Referring to FIG. 5, the connection source terminal first sends an INVITE message (a SIP INVITE message; likewise below) to the SIP server 37 (S1). The INVITE message carries the ID of the connection source terminal, the ID of the connection destination terminal, and the IP address and electronic certificate of the connection source terminal.
On receiving the INVITE message, the SIP server 37 passes the IDs of the source and destination terminals to the authorization processing unit 103 and asks whether their connection is permitted (S3). The authorization processing unit 103 refers to the connection authorization information in the authorization information storage unit 101 and decides whether to authorize the connection (S5): the connection is authorized if the combination of source terminal and destination terminal is registered in the authorization information storage unit 101.
The SIP server 37 receives the authorization result from the authorization processing unit 103 (S7). If the connection was authorized, the SIP server 37 forwards the INVITE message to the connection destination terminal (S9). This INVITE message contains the IP address and electronic certificate of the connection source terminal.
On receiving the INVITE message, the destination terminal sends an OK message (a SIP 200 OK message; likewise below) to the SIP server 37 (S11), with its own IP address and electronic certificate attached. The SIP server 37 forwards the OK message to the source terminal (S13). The IP addresses and electronic certificates have thus been exchanged through SIP signaling. When the terminals then build the VPN, the certificate contained in the VPN connection request is authenticated against the certificate exchanged earlier, and the inter-terminal VPN 25 is established (S15).
In this embodiment, then, the combination of terminals is authorized at the moment the INVITE message arrives at the SIP server 37. If the connection is not authorized, the INVITE message is not sent to the destination terminal, so neither the rest of the SIP processing nor any VPN processing takes place. Only when the combination of monitoring device 15 and user device 17 is proper is the connection authorized, the INVITE message forwarded to the destination terminal, the remaining SIP processing performed and, finally, the VPN connection possible.
Next, the operation of the monitoring system 1 is described in detail with reference to FIGS. 6 and 7: first the case where the monitoring device 15 is the connection source terminal, then the case where the user device 17 is the connection source.
In the time chart of FIG. 6, the controller 61 and the IP line unit 63 belong to the monitoring device 15; the SIP server 37 and the authorization information storage unit 101 (account management server 41) belong to the communication management device 11; and the VTE 81 and the user PC 85 belong to the user device 17.
The controller 61 sends a connection instruction (P2P connection instruction) containing the VTE-ID (the ID of the VTE 81) to the IP line unit 63 (S101). Here the VTE-ID serves as the connection destination terminal ID.
The IP line unit 63 reads from the storage unit 115 the IP line unit IP address (the IP address of the IP line unit 63) and the IP line unit individual certificate, an electronic certificate assigned to each IP line unit. It also reads the IP line unit ID (the ID of the IP line unit 63) from the storage unit 115 as the connection source terminal ID. The IP line unit 63 attaches this information to an INVITE message and sends it to the SIP server 37 (S103). The INVITE message therefore contains the IP line unit IP address, the IP line unit ID, the VTE-ID and the IP line unit individual certificate.
The SIP server 37 receives the INVITE message, passes the IP line unit ID and the VTE-ID to the authorization processing unit 103 and asks whether to authorize the connection (S105). The authorization processing unit 103 refers to the connection authorization information in the authorization information storage unit 101, here the table of FIG. 4, and decides whether to authorize the connection (S107): it checks whether the queried combination of terminal IDs is registered in the table and authorizes the connection if it is. The authorization result is returned from the authorization processing unit 103 to the SIP server 37 (S109). If the connection was authorized, the SIP server 37 sends the INVITE message to the VTE 81 (S111), with the IP line unit IP address and the IP line unit individual certificate attached.
If the connection is not authorized in step S107, the SIP server 37 does not send the INVITE message to the VTE 81; no further SIP processing and no subsequent VPN connection takes place.
On receiving the INVITE message, the VTE 81 stores the IP line unit IP address and the IP line unit individual certificate in the storage unit 125 and queries the user PC 85 with a connection request (P2P connection request) carrying the IP line unit IP address (S113). The user PC 85 returns a connection response to the VTE 81 (S115).
The VTE 81 reads the VTE-IP address (the IP address of the VTE 81) and the VTE individual certificate (the electronic certificate assigned to the VTE 81) from the storage unit 125 and sends an OK message with both attached to the SIP server 37 (S117).
The SIP server 37 forwards the OK message, with the VTE-IP address and the VTE individual certificate, to the IP line unit 63 (S119). On receiving it, the IP line unit 63 stores the VTE-IP address and the VTE individual certificate in the storage unit 115 and sends an ACK message to the SIP server 37 (S121), which forwards the ACK message to the VTE 81 (S123).
Through this process the IP line unit 63 has obtained the IP address and electronic certificate of the VTE 81, and the VTE 81 has obtained those of the IP line unit 63. Each side can therefore recognise the other using this information, and a VPN connection can be established between the IP line unit 63 and the VTE 81. This is the inter-terminal VPN 25.
As illustrated, the IP line unit 63 sends a VPN connection request to the VTE 81 (S125), directly and not via the SIP server 37. The VTE 81 authenticates the request by checking the IP line unit individual certificate it contains against the IP line unit individual certificate held in the storage unit 125, and sends incoming-call information containing the peer's IP line unit IP address to the user PC 85 (S127); the user PC 85 uses that address for VPN communication. The VTE 81, acting as VPN server, also notifies the IP line unit 63 that the VPN connection has been processed (S129). The IP line unit 63 notifies the controller 61 that the connection result is OK and passes it the peer's VTE-IP address (S131), which the controller 61 uses for VPN communication. The VPN connection is thus established and information is communicated over the inter-terminal VPN 25; monitoring video, audio and the like are delivered from the monitoring device 15 to the user device 17.
The case where the user device 17 is the connection source is described next with reference to FIG. 7. Suppose the user (owner) enters, for example, a video display instruction on the user PC 85. The user PC 85 sends a connection instruction (P2P connection instruction) containing the IP line unit ID to the VTE 81 (S201). Here the IP line unit ID serves as the ID of the connection destination terminal.
The VTE 81 reads the VTE-IP address and the VTE individual certificate from the storage unit 125, and also reads the VTE-ID from the storage unit 125 as the connection source terminal ID. It attaches this information to an INVITE message and sends it to the SIP server 37 (S203). The INVITE message therefore contains the VTE-IP address, the VTE-ID, the IP line unit ID and the VTE individual certificate.
The SIP server 37 receives the INVITE message, passes the VTE-ID and the IP line unit ID to the authorization processing unit 103 and asks whether to authorize the connection (S205). As before, the authorization processing unit 103 refers to the connection authorization information in the authorization information storage unit 101, decides whether to authorize the connection (S207) and returns the result to the SIP server 37 (S209): the connection is authorized if the combination of VTE-ID and IP line unit ID is registered. If it was authorized, the SIP server 37 sends the INVITE message to the IP line unit 63 (S211), with the VTE-IP address and the VTE individual certificate attached.
If the connection is not authorized in step S207, the SIP server 37 does not send the INVITE message to the IP line unit 63; no further SIP processing and no subsequent VPN connection takes place.
On receiving the INVITE message, the IP line unit 63 stores the VTE-IP address and the VTE individual certificate in the storage unit 115 and queries the controller 61 with a connection request (P2P connection request) carrying the VTE-IP address (S213). The controller 61 returns a connection response to the IP line unit 63 (S215).
The IP line unit 63 reads the IP line unit IP address and the IP line unit individual certificate from the storage unit 115 and sends an OK message with both attached to the SIP server 37 (S217).
The SIP server 37 forwards the OK message, with the IP line unit IP address and the IP line unit individual certificate, to the VTE 81 (S219). On receiving it, the VTE 81 stores the IP line unit IP address and the IP line unit individual certificate in the storage unit 125, returns an ACK message to the SIP server 37 (S221) and notifies the user PC 85 that the SIP connection has been established (S223). The SIP server 37 forwards the ACK message to the IP line unit 63 (S225).
Through this process the IP address and electronic certificate have been exchanged between the IP line unit 63 and the VTE 81. On receiving the ACK message, the IP line unit 63 sends a VPN connection request to the VTE 81 (S227); the VPN connection is made without going through the SIP server 37. The VTE 81 sends incoming-call information containing the peer's IP line unit IP address (as in S127) to the user PC 85 (S229). The VTE 81, acting as VPN server, also notifies the IP line unit 63 that the VPN connection has been processed (S231). The IP line unit 63 sends incoming-call information containing the peer's VTE-IP address to the controller 61 (S233). The VPN connection is thus established and information is communicated over the inter-terminal VPN 25.
As FIGS. 6 and 7 show, in both flows the VPN connection request is sent from the IP line unit 63 to the VTE 81. The reason is that in a VPN the connection request must go from the client to the server, and in this embodiment only the VTE 81 has the VPN server function. Hence the VPN connection request goes from the IP line unit 63 to the VTE 81 in both FIG. 6 and FIG. 7.
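The following is an added example and not code from the patent or its applicant. It simulates, in one runnable Python module, the procedure just described: the connection authorization table of FIG. 4 as the policy, the INVITE / 200 OK / ACK exchange gated by the authorization processing unit (FIG. 5 outline and the detailed FIG. 6 and FIG. 7 flows, in both calling directions), and the direct VPN connect in which the IP line unit is always the client and the VTE checks the presented certificate against the one it holds from SIP. Everything not named in the description is an assumption: the class and function names, the message layout (plain dicts, because the text does not say whether the IDs, addresses and certificates travel in SIP headers or in a body), the owner A rows, the IP addresses and the byte strings standing in for X.509 certificates.

```python
"""Added example, not code from the patent or its applicant: a stand-alone simulation
of the SIP-gated peer-to-peer VPN setup of FIG. 5 to FIG. 7, with the connection
authorization table of FIG. 4 as its policy.  Names, the message layout (dicts rather
than real SIP headers or bodies) and the certificate byte strings are assumptions."""
import hmac
from dataclasses import dataclass, field

# Authorization information storage unit 101: constructed rows in the shape of FIG. 4,
# (owner, monitoring device ID, user device ID).  Only user C's rows (C01 and C02 both
# paired with C11) come from the page; owner A is made up.
CONNECTION_AUTHORIZATION = [
    ("owner_A", "A01", "A11"),
    ("owner_C", "C01", "C11"),
    ("owner_C", "C02", "C11"),
]
AUTHORIZED_PAIRS = {(m, u) for _, m, u in CONNECTION_AUTHORIZATION}


def is_authorized(source_id: str, destination_id: str) -> bool:
    """Authorization processing unit 103: authorize only a registered pair.  Either
    terminal may be the SIP caller (FIG. 6: IP line unit, FIG. 7: VTE), so the lookup
    must not depend on the order of the two IDs."""
    return ((source_id, destination_id) in AUTHORIZED_PAIRS
            or (destination_id, source_id) in AUTHORIZED_PAIRS)


@dataclass
class Terminal:
    """IP line unit 63 (role 'ip_unit') or VTE 81 (role 'vte').  The storage unit holds
    the terminal's own ID, IP address and certificate (the connection establishment
    information) and, after signaling, the peer's address and certificate."""
    terminal_id: str
    role: str
    ip: str
    cert: bytes                                # constructed stand-in for an X.509 cert
    peers: dict = field(default_factory=dict)  # peer ID -> {"ip": ..., "cert": ...}

    def invite(self, destination_id: str) -> dict:
        # S1: INVITE carries both IDs plus the caller's own IP address and certificate
        return {"method": "INVITE", "from": self.terminal_id, "to": destination_id,
                "ip": self.ip, "cert": self.cert}

    def on_invite(self, msg: dict) -> dict:
        # S11: keep the caller's data, answer 200 OK with own IP address and certificate
        self.peers[msg["from"]] = {"ip": msg["ip"], "cert": msg["cert"]}
        return {"method": "200 OK", "from": self.terminal_id, "to": msg["from"],
                "ip": self.ip, "cert": self.cert}

    def on_ok(self, msg: dict) -> None:
        # S13: keep the callee's data; the ACK that follows carries nothing new
        self.peers[msg["from"]] = {"ip": msg["ip"], "cert": msg["cert"]}


class SipServer:
    """SIP server 37.  With authorize=None it acts as a plain SIP proxy and routes any
    INVITE between registered terminals (the situation the description calls
    undesirable); with an authorizer it forwards only registered pairs (S3 to S9)."""

    def __init__(self, terminals, authorize=is_authorized):
        self.registered = {t.terminal_id: t for t in terminals}
        self.authorize = authorize

    def signal(self, caller: Terminal, callee_id: str) -> bool:
        inv = caller.invite(callee_id)
        callee = self.registered.get(inv["to"])
        if callee is None:
            return False
        if self.authorize is not None and not self.authorize(inv["from"], inv["to"]):
            return False          # INVITE not forwarded: no 200 OK, no ACK, no VPN
        caller.on_ok(callee.on_invite(inv))
        return True


def vpn_connect(ip_unit: Terminal, vte: Terminal, presented_cert: bytes) -> bool:
    """S125 / S227: the IP line unit is always the VPN client and the VTE the VPN
    server (only the VTE has the server function), whichever side placed the SIP call.
    The client dials the VTE-IP address learned over SIP; the VTE accepts only if the
    certificate presented now matches the one it holds from the SIP exchange."""
    target = ip_unit.peers.get(vte.terminal_id)
    held = vte.peers.get(ip_unit.terminal_id)
    if target is None or held is None or target["ip"] != vte.ip:
        return False              # no completed SIP exchange for this pair
    return hmac.compare_digest(held["cert"], presented_cert)


TERMINALS = [("A01", "ip_unit", "192.0.2.10"), ("C01", "ip_unit", "192.0.2.11"),
             ("C02", "ip_unit", "192.0.2.12"), ("A11", "vte", "198.51.100.10"),
             ("C11", "vte", "198.51.100.11")]   # constructed IDs and addresses


def scenario(caller_id: str, callee_id: str, gated: bool = True,
             presented_cert: bytes = None) -> tuple:
    """One SIP setup followed by the VPN connect; returns (sip_ok, vpn_ok)."""
    units = {i: Terminal(i, role, ip, b"cert:" + i.encode())
             for i, role, ip in TERMINALS}
    server = SipServer(units.values(), authorize=is_authorized if gated else None)
    sip_ok = server.signal(units[caller_id], callee_id)
    ip_unit, vte = sorted((units[caller_id], units[callee_id]),
                          key=lambda t: t.role == "vte")
    cert = ip_unit.cert if presented_cert is None else presented_cert
    return sip_ok, vpn_connect(ip_unit, vte, cert)
```

`scenario("C01", "C11")` is the FIG. 6 flow and `scenario("C11", "C02")` the FIG. 7 flow; both return `(True, True)`, and in the second the VPN request still goes from the IP line unit C02 to the VTE C11. `scenario("A01", "C11")` returns `(False, False)` because the pair is not in the table, whereas the same call with `gated=False` returns `(True, True)`, which is the plain-SIP behaviour the description sets out to prevent. `scenario("C01", "C11", presented_cert=b"cert:X")` returns `(True, False)`: signaling succeeds, but a VPN request from the right address with a different certificate is refused. Two points the example does not model, stated here as the author's notes rather than anything from the page: comparing certificate bytes only shows that the peer presents the certificate learned over SIP, and proof that it holds the matching private key comes from the VPN handshake itself; and the source ID is taken from the INVITE as the description states, so a deployment would want the SIP server to bind that ID to the identity authenticated on the center-terminal VPN over which the INVITE arrived.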
A preferred embodiment of the present invention has been described above. In this embodiment, a plurality of terminals (monitoring device 15, user device 17) are connected to the communication management device 11, which includes the SIP server 37. As shown in FIG. 3, the communication management device 11 also includes the authorization information storage unit 101 and the authorization processing unit 103. In SIP signaling, an INVITE (invitation) message is sent from the connection source terminal to the SIP server; at that point the authorization processing unit 103 decides whether to authorize the connection. Only if it does so does the SIP server 37 forward the INVITE message from the source terminal to the destination terminal, and only then does SIP signaling succeed.
In the present invention, therefore, information on the combinations of terminals whose connection is to be authorized is stored in advance, and the connection between terminals is authorized during SIP signaling. This provides not merely authentication between a terminal and the SIP server 37 but authorization of the terminal-to-terminal (P2P) connection brokered by the SIP server 37, so that the users of the monitoring information can be suitably restricted. Security when SIP is applied to the monitoring system 1 is thereby improved.
In the present invention, moreover, the connection establishment information used to set up the terminal-to-terminal connection that bypasses the communication management device 11 may be attached to the INVITE and OK messages of SIP signaling. The connection establishment information is thus exchanged between the terminals and the terminal-to-terminal connection can be established, making good use of SIP. The traffic between the communication management device 11 and the terminals, and hence the load on the communication management device 11, is reduced.
In this embodiment the IP address and the electronic certificate were described as the connection establishment information, but the peer may be authenticated with other information in place of the electronic certificate; for example, the common name contained in the electronic certificate may be used as connection establishment information.
According to the present invention, the terminal-to-terminal connection that bypasses the communication management device 11 may be the inter-terminal VPN 25, a VPN built between the terminals. The bidirectional message exchange of SIP signaling is well suited to exchanging the information needed to establish a VPN connection, and the use of a VPN raises security.
According to the present invention, the invitation message may contain the IP address and electronic certificate of the connection source terminal as connection establishment information, and the OK message the IP address and electronic certificate of the connection destination terminal. SIP is thereby used to exchange the information needed for the VPN connection, and the terminals can communicate securely.
According to the present invention, the communication management device 11 may be located in the monitoring center 3, so that communication between the monitoring center 3 and the terminals, and between the terminals, is handled through the communication management device 11.
According to the present invention, the communication management device 11 and the plurality of terminals may be connected by center-terminal VPNs 21 built between the communication management device 11 and each terminal, and the SIP server 37 may exchange SIP messages with the terminals over those center-terminal VPNs 21, so that SIP communication takes place on the center-terminal VPN 21. Whereas the inter-terminal VPN 25 established after the SIP session is a VPN between terminals, the center-terminal VPN 21 is a VPN between the communication management device 11 and a terminal. Using the center-terminal VPN 21 secures the communication between the monitoring center 3 and each terminal, and with it the SIP communication.
According to the present invention, the monitoring information may include at least one of images captured at the monitoring target 5, monitoring signals detected at the monitoring target 5, and control information generated on the user side, so that useful monitoring information is communicated between the terminals.
A preferred embodiment of the present invention has been described above. The present invention is not, however, limited to this embodiment, and those skilled in the art can of course modify it within the scope of the invention.
While the presently preferred embodiment has been described, it will be understood that various modifications may be made to it, and the appended claims are intended to cover all such modifications that fall within the true spirit and scope of the invention.
As described above, the monitoring system according to the present invention is useful for monitoring stores and the like from a remote location over a communication link.
Reference Signs List
1 monitoring system
3 monitoring center
5 monitoring target
7 user site
11 communication management device
13 center device
15 monitoring device
17 user device
21 center-terminal VPN
23 SIP communication
25 inter-terminal VPN
33 HTTP server
35 VPN server
37 SIP server
41 account management server
43 database
61 controller
63 IP line unit
65, 83 router
69 multi-line adapter
73 surveillance camera
81 VPN terminating equipment (VTE)
85 user PC
101 authorization information storage unit
103 authorization processing unit

Claims (7)

  1.  A monitoring system comprising a plurality of terminals that communicate monitoring information and a communication management device that manages the communication of the plurality of terminals, each of the plurality of terminals being provided on a monitoring-target side or on a user side that uses the monitoring information received from the monitoring target, wherein
     when one of the plurality of terminals requests a connection to another terminal, the connection-source terminal is configured to transmit a SIP INVITE message containing identification information of the connection-destination terminal to the communication management device,
     the communication management device comprises:
     a SIP server;
     an authorization information storage unit that stores connection authorization information representing the combinations of terminals between which a connection is to be authorized; and
     an authorization processing unit that determines, by referring to the connection authorization information, whether to authorize a connection between terminals, and
     the SIP server, when it obtains the INVITE message from the connection-source terminal, supplies the identification information of the connection-destination terminal contained in the INVITE message to the authorization processing unit, and, when the authorization processing unit authorizes the connection between the terminals, forwards the INVITE message from the connection-source terminal to the connection-destination terminal.
  2.  The monitoring system according to claim 1, wherein the connection-destination terminal, on receiving the INVITE message from the communication management device, transmits a SIP OK message to the communication management device, and
     connection establishment information, used after the SIP session has been established to set up an inter-terminal connection between the connection-source and connection-destination terminals that does not pass through the communication management device, is attached to the INVITE message and to the OK message.
  3.  The monitoring system according to claim 2, wherein the inter-terminal connection that does not pass through the communication management device is an inter-terminal VPN established between the two terminals.
  4.  The monitoring system according to claim 3, wherein the INVITE message contains the IP address and the digital certificate of the connection-source terminal as the connection establishment information, and the OK message contains the IP address and the digital certificate of the connection-destination terminal as the connection establishment information.
  5.  The monitoring system according to claim 1, wherein the communication management device and the plurality of terminals are connected by a center-terminal VPN established between the communication management device and the plurality of terminals, and
     the SIP server communicates SIP messages with the plurality of terminals via the center-terminal VPN.
  6.  The monitoring system according to any one of claims 1 to 5, wherein the monitoring information includes at least one of an image captured at the monitoring target, a monitoring signal detected at the monitoring target, and control information generated on the user side.
  7.  A communication management device that manages the communication of a plurality of terminals that communicate monitoring information, the communication management device comprising:
     a SIP server;
     an authorization information storage unit that stores connection authorization information representing the combinations of terminals between which a connection is to be authorized; and
     an authorization processing unit that determines, by referring to the connection authorization information, whether to authorize a connection between terminals, wherein
     when the SIP server obtains, from one of the plurality of terminals, a SIP INVITE message containing identification information of another terminal, the authorization processing unit determines, on the basis of the identification information of the connection-destination terminal contained in the INVITE message, whether to authorize the connection between the terminals, and
     when the authorization processing unit authorizes the connection, the SIP server forwards the INVITE message from the connection-source terminal to the connection-destination terminal.
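The following is an added example, not code from the patent or from the applicant, that models the exchange of claims 1 to 5 in memory: the SIP server hands the source and destination identifiers from an INVITE to the authorization processing unit, consults the stored terminal pairs, and only forwards the INVITE when the pair is authorized; the INVITE and the OK carry each side's IP address and certificate so the two terminals can then build the inter-terminal VPN without the management device. Two points go beyond the claims and are assumptions of this example: the server checks the From identity against the identity authenticated on the center-terminal VPN the INVITE arrived over, so a terminal cannot claim another's identity in the header, and `direct_vpn_possible` models pinning the peer's VPN certificate to the one relayed over SIP. All identifiers, addresses, certificate strings and the allow-list contents are constructed.

```python
"""Minimal model of the communication management device in claims 1 to 5.

Added example, not code from the patent or from the applicant. Message
fields, terminal identifiers, addresses, certificate strings and the
allow-list contents are all assumed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class SipMessage:
    method: str                                # "INVITE", "200 OK", "403 Forbidden", ...
    from_id: str                               # identity in the From header
    to_id: str                                 # identity in the To header
    body: dict = field(default_factory=dict)   # connection establishment info (claims 2, 4)


class AuthorizationInfoStore:
    """Authorization information storage unit (101): pairs of terminals between
    which a connection may be set up. Pairs are directed, so an entry
    (user, camera) does not let the camera call the user."""

    def __init__(self, pairs):
        self._pairs = frozenset(pairs)

    def contains(self, src, dst):
        return (src, dst) in self._pairs


class AuthorizationProcessor:
    """Authorization processing unit (103)."""

    def __init__(self, store):
        self._store = store

    def authorize(self, src, dst):
        return self._store.contains(src, dst)


class Terminal:
    """A monitoring-side or user-side terminal (15 / 17)."""

    def __init__(self, tid, ip, cert):
        self.tid, self.ip, self.cert = tid, ip, cert
        self.peer_info = {}            # peer id -> {"ip", "cert"} learned over SIP

    def make_invite(self, dst_id):
        # The INVITE carries the caller's own IP address and certificate (claim 4).
        return SipMessage("INVITE", self.tid, dst_id, {"ip": self.ip, "cert": self.cert})

    def on_invite(self, invite):
        # Callee: remember the caller's details, answer OK with our own (claims 2, 4).
        self.peer_info[invite.from_id] = dict(invite.body)
        return SipMessage("200 OK", self.tid, invite.from_id, {"ip": self.ip, "cert": self.cert})

    def on_response(self, resp):
        if resp.method == "200 OK":
            self.peer_info[resp.from_id] = dict(resp.body)


class SipServer:
    """SIP server (37) inside the communication management device (11)."""

    def __init__(self, authz, terminals):
        self._authz = authz
        self._terminals = terminals    # registered terminals, id -> Terminal

    def handle_invite(self, invite, authenticated_src):
        # The From header is caller-supplied. The identity checked against the
        # allow-list is the one authenticated on the center-terminal VPN the
        # INVITE arrived over (claim 5, assumed); a mismatch is rejected first.
        if invite.method != "INVITE" or invite.from_id != authenticated_src:
            return SipMessage("403 Forbidden", "server", authenticated_src)
        if not self._authz.authorize(invite.from_id, invite.to_id):
            return SipMessage("403 Forbidden", "server", invite.from_id)
        dst = self._terminals.get(invite.to_id)
        if dst is None:
            return SipMessage("404 Not Found", "server", invite.from_id)
        return dst.on_invite(invite)   # forward the INVITE and relay the OK back


def request_connection(server, src, dst_id):
    """The claim 1 exchange seen from the connection-source terminal."""
    resp = server.handle_invite(src.make_invite(dst_id), authenticated_src=src.tid)
    src.on_response(resp)
    return resp


def direct_vpn_possible(a, b):
    """Claims 2 to 4: the inter-terminal VPN bypasses the management device, so
    each side must already hold the other's IP and certificate, and the peer at
    VPN setup must present exactly the certificate relayed over SIP (pinning)."""
    info_a, info_b = a.peer_info.get(b.tid), b.peer_info.get(a.tid)
    return (info_a == {"ip": b.ip, "cert": b.cert}
            and info_b == {"ip": a.ip, "cert": a.cert})


# Constructed sample deployment: one user PC and two monitoring-side cameras;
# only the pair user PC -> camera A is authorized.
CAM_A = Terminal("cam-a@store1", "10.0.1.10", "CERT-CAM-A")
CAM_B = Terminal("cam-b@store2", "10.0.2.10", "CERT-CAM-B")
USER = Terminal("pc@user-site", "10.0.9.5", "CERT-USER")
SERVER = SipServer(
    AuthorizationProcessor(AuthorizationInfoStore({("pc@user-site", "cam-a@store1")})),
    {t.tid: t for t in (CAM_A, CAM_B, USER)},
)


def demo():
    """Response methods for an authorized, an unauthorized and a spoofed INVITE."""
    allowed = request_connection(SERVER, USER, "cam-a@store1").method
    denied = request_connection(SERVER, USER, "cam-b@store2").method
    forged = CAM_B.make_invite("cam-a@store1")
    forged.from_id = "pc@user-site"    # camera B claims to be the user PC
    spoofed = SERVER.handle_invite(forged, authenticated_src=CAM_B.tid).method
    return allowed, denied, spoofed


if __name__ == "__main__":
    print(demo(), direct_vpn_possible(USER, CAM_A), direct_vpn_possible(USER, CAM_B))
```

The authorization decision is made on the identity the management device itself authenticated, not on the INVITE's From header, and only after a successful exchange do both terminals hold matching address and certificate material; with the pair user PC to camera B absent from the store, the second call is refused and no connection establishment information for camera B ever reaches the user PC.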
PCT/JP2010/002119 2009-03-30 2010-03-25 Monitoring system and communication management device WO2010116642A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201080014851.1A CN102378982B (en) 2009-03-30 2010-03-25 Monitoring system and communication management device
KR1020117024357A KR101516708B1 (en) 2009-03-30 2010-03-25 Monitoring system and communication management device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2009081307A JP4781447B2 (en) 2009-03-30 2009-03-30 Monitoring system
JP2009-081307 2009-03-30

Publications (1)

Publication Number Publication Date
WO2010116642A1 (en) 2010-10-14

Family

ID=42935943

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2010/002119 WO2010116642A1 (en) 2009-03-30 2010-03-25 Monitoring system and communication management device

Country Status (4)

Country Link
JP (1) JP4781447B2 (en)
KR (1) KR101516708B1 (en)
CN (1) CN102378982B (en)
WO (1) WO2010116642A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2012141896A (en) * 2011-01-05 2012-07-26 Ricoh Co Ltd Device management system, device, device management method and program
JP2013038684A (en) * 2011-08-10 2013-02-21 Refiner Inc Vpn connection management system

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10834094B2 (en) 2013-08-06 2020-11-10 Bedrock Automation Platforms Inc. Operator action authentication in an industrial control system
US9191203B2 (en) 2013-08-06 2015-11-17 Bedrock Automation Platforms Inc. Secure industrial control system
US9727511B2 (en) 2011-12-30 2017-08-08 Bedrock Automation Platforms Inc. Input/output module with multi-channel switching capability
US11967839B2 (en) 2011-12-30 2024-04-23 Analog Devices, Inc. Electromagnetic connector for an industrial control system
US8971072B2 (en) 2011-12-30 2015-03-03 Bedrock Automation Platforms Inc. Electromagnetic connector for an industrial control system
US9467297B2 (en) 2013-08-06 2016-10-11 Bedrock Automation Platforms Inc. Industrial control system redundant communications/control modules authentication
US9437967B2 (en) 2011-12-30 2016-09-06 Bedrock Automation Platforms, Inc. Electromagnetic connector for an industrial control system
US8862802B2 (en) 2011-12-30 2014-10-14 Bedrock Automation Platforms Inc. Switch fabric having a serial communications interface and a parallel communications interface
US11314854B2 (en) 2011-12-30 2022-04-26 Bedrock Automation Platforms Inc. Image capture devices for a secure industrial control system
US10834820B2 (en) 2013-08-06 2020-11-10 Bedrock Automation Platforms Inc. Industrial control system cable
US10613567B2 (en) 2013-08-06 2020-04-07 Bedrock Automation Platforms Inc. Secure power supply for an industrial control system
CN105635078A (en) * 2014-11-07 2016-06-01 中兴通讯股份有限公司 Method and system of realizing session initiation protocol (SIP) session transmission
CN105933198B (en) * 2016-04-21 2020-01-14 浙江宇视科技有限公司 Device for establishing direct connection VPN tunnel
JP7085826B2 (en) * 2016-12-16 2022-06-17 ベドロック・オートメーション・プラットフォームズ・インコーポレーテッド Image capture device for secure industrial control systems
CN110087034B (en) * 2019-04-25 2020-11-10 山西潞安金源煤层气开发有限责任公司 Coal bed gas remote monitoring system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001054102A (en) * 1999-08-13 2001-02-23 Secom Co Ltd Image transmitter
JP2008219239A (en) * 2007-03-01 2008-09-18 Yamaha Corp Vpn dynamic setting system
JP2009027652A (en) * 2007-07-23 2009-02-05 Nippon Telegr & Teleph Corp <Ntt> Connection control system, connection control method, connection control program, and relay device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005073236A (en) * 2003-08-06 2005-03-17 Matsushita Electric Ind Co Ltd Relay server, relay server service management method, service providing system, and program
JP4415311B2 (en) * 2003-12-25 2010-02-17 日本ビクター株式会社 Monitoring system and output control device
JP4410070B2 (en) * 2004-09-17 2010-02-03 富士通株式会社 Wireless network system and communication method, communication apparatus, wireless terminal, communication control program, and terminal control program
JP4551866B2 (en) * 2005-12-07 2010-09-29 株式会社リコー COMMUNICATION SYSTEM, CALL CONTROL SERVER DEVICE, AND PROGRAM

Also Published As

Publication number Publication date
CN102378982A (en) 2012-03-14
KR101516708B1 (en) 2015-05-04
JP4781447B2 (en) 2011-09-28
CN102378982B (en) 2015-05-27
KR20120028298A (en) 2012-03-22
JP2010233167A (en) 2010-10-14

Similar Documents

Publication Publication Date Title
WO2010116642A1 (en) Monitoring system and communication management device
CN103460674B (en) For supplying/realize the method for sending out notice session and pushing provision entity
JP5148540B2 (en) Monitoring system
US20200213250A1 (en) Apparatus and Method for Subscription to a Service and Use of the Service
JP2009536759A (en) User interface for communication devices
JP2009232045A (en) Ip telephone terminal, server apparatus, authentication apparatus, communication system, communication method and program
KR101981812B1 (en) Network communication systems and methods
JP2009111859A (en) Apparatus, method and program, for registering user address information
JP4750869B2 (en) Communication control device and monitoring device
JP5357619B2 (en) Communication failure detection system
JP2017063480A (en) Authentication system keeping confidentiality of secret data
JP4472566B2 (en) Communication system and call control method
KR101210938B1 (en) Encrypted Communication Method and Encrypted Communication System Using the Same
JP2006108768A (en) Communication connection method and communication system for concealing identification information of user terminal
KR101114921B1 (en) Processing apparatus and method for providing virtual private network service on mobile communication
JP2009088670A (en) Remote location monitoring system and method
JP7329437B2 (en) nurse call system
JP2016035621A (en) Work support system and work support method
KR100911364B1 (en) Method, server and system for monitoring participants in multi-participants conference service based on session initiation protocol
JP4061239B2 (en) Communication apparatus and communication establishment method
EP1715690A1 (en) Method of videophone data transmission
JP2006229926A (en) Communication system, onboard server, information terminal and translation server used therefor
JP2008113427A (en) Network access device, method for establishing network connection, and mobile communication system using the same
JP5302076B2 (en) Communication failure detection system
KR20100033698A (en) Virtual private network service method and its system

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase (Ref document number: 201080014851.1; Country of ref document: CN)
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 10761350; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
ENP Entry into the national phase (Ref document number: 20117024357; Country of ref document: KR; Kind code of ref document: A)
122 Ep: pct application non-entry in european phase (Ref document number: 10761350; Country of ref document: EP; Kind code of ref document: A1)