JP2008234410A - Remote access system, information processing device, remote access program, and remote access method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent information leak to the Internet while preventing the Intranet from being infected with the computer virus when a business terminal is used in the inside and the outside of the Intranet. <P>SOLUTION: The remote access system is provided with: a connection location storage means which stores connection location information specifying which of the Internet and the Intranet the connection locations of the network accesses of this time and the last time are by the information processing device which can connect with the Internet and a prescribed Intranet; a connection destination storage means which stores connection destination information specifying which of the Internet and the Intranet respectively the network access destinations of this time and the last time by the device; and a network access management part which controls so that the device cannot connect both of the Internet and the Intranet at the same time, based on connection location information of this time, connection location information of the last time, connection destination information of this time, and connection destination information of the last time. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention prevents damage caused by computer viruses and prevents information leakage from business terminals by taking business terminals out of the company intranet and performing remote access in the same way as the company intranet. The present invention relates to a remote access system, an information processing apparatus, a remote access program, and a remote access method.

In recent years, social interest in security fields such as computer virus countermeasures and information leakage countermeasures has increased.
Under such circumstances, an in-house intranet, which is a network built in a company, is generally operated in accordance with a security policy established in-house, and it can be said that the intranet is generally a safe network environment.

  That is, in an intranet, browsing of a Web site whose safety is not guaranteed by a business terminal in the network is restricted by using filtering software, a proxy server, or the like. In addition, asset management software or the like is often used to manage the security patch application status of business terminals, the installation status of anti-virus software, and the like.

Furthermore, in an intranet, access control is performed by a firewall or a proxy server for access from the Internet.
For this reason, when using a business terminal connected to an intranet, there are risks such as infection of a computer virus due to Web browsing, alteration of business data due to hijacking of the business terminal, and leakage of confidential information due to a computer virus such as Annyny. It is low.

On the other hand, there are cases where a business terminal used in an in-house intranet is taken out of the office and directly connected to a public network such as the Internet from a home LAN or PHS.
However, in the public network, security measures such as an intranet are not implemented, and safety is not guaranteed.
For this reason, when taking a business terminal outside the company, risks such as computer virus or worm infection on the business terminal, leakage of confidential information stored on the business terminal, use of a business terminal step board (illegal relay), etc. Will become high.

  In order to solve such problems, the security of the communication path is ensured by establishing a VPN (Virtual Private Network) between the taken out business terminal and the intranet, and the business terminal is connected to the Internet via an intranet firewall or proxy server. There are cases where a method of connecting to is taken.

However, since this method cannot restrict the network to which the business terminal is connected, there is a problem that the user can simultaneously access the business terminal to the intranet and the Internet.
For this reason, there is a risk that the business terminal is infected with a computer virus on the Internet, and the range of infection spreads to the intranet using the business terminal as a stepping stone.

In addition, when a business terminal is infected with a computer virus, there is a risk that memory information and confidential information files used in the business may leak to the Internet due to the computer virus process.
Furthermore, when a large number of business terminals are connected to the Internet via an intranet by VPN, there is a problem that a communication load on the intranet becomes high.

Here, as a prior art relating to security measures at the time of remote access of a computer, for example, a remote proxy system described in Patent Document 1 can be cited.
In this remote proxy system, communication encryption, filtering, and the like are performed during remote access of a computer.

Further, according to the reverse proxy network communication method described in Patent Document 2, access from a device outside the protection network to a device on the protection network and access from a device on the protection network to a device outside the protection network are performed. It is possible.
Further, in Patent Document 3, a USB device is attached to a home PC, the communication method of the home PC is detected, the response data is acquired by connecting to the external server based on the IP address of the external server in the position determination table, and the response When the data matches the response data in the position determination table, the corresponding position is determined as the current position of the home PC, and processing corresponding to the current position in the connection method table is executed, so that the home PC is automatically set to the intranet. An invention to connect is disclosed.

Japanese National Patent Publication No. 11-507152 JP 2003-050756 A Japanese Patent Laying-Open No. 2005-092723

However, even if the inventions described in these prior art documents are used, when a business terminal is taken out of the office, it cannot be restricted that the business terminal accesses the intranet and the Internet at the same time.
For this reason, there is no way to eliminate the risk that a business terminal will be infected with a computer virus on the Internet, and the range of infection will spread to the intranet using that business terminal as a stepping stone. It was not possible to prevent leakage to

Therefore, when a business terminal is taken out of the office, it is necessary to restrict the business terminal from accessing the intranet and the Internet at the same time to prevent such problems from occurring.
In other words, when taking out business terminals and using them, (i) restrict network access when connected to the Internet and intranet, (ii) restrict access to confidential information files when connected to the Internet and intranet, (iii) Isolate processes when connected to the Internet and intranet, (iv) Mechanism to isolate memory information when connected to the Internet and intranet, and (v) Network load due to Internet access via the intranet It is necessary to provide a mechanism that does not apply.

  The present invention has been considered in view of the above circumstances. When a business terminal is used to connect to the intranet or the Internet from inside or outside the intranet, the terminal is restarted according to certain conditions, and only when certain conditions are satisfied It is an object of the present invention to provide a remote access system, an information processing apparatus, a remote access program, and a remote access method that prevent damage caused by a computer virus and prevent information leakage from a business terminal by decrypting an encrypted file.

  In order to achieve the above object, a remote access system of the present invention is a remote access system that controls network access by an information processing apparatus that can be connected to the Internet and a predetermined intranet. Connection location storage means for storing network connection location information for specifying whether the connection location of the current and previous network access is the Internet or an intranet, and the current and previous network access destinations by the information processing device are: A connection destination storage means for storing network connection destination information for identifying whether the Internet or an intranet, network connection position information of this time, network connection position information of the previous time, network connection destination information of this time, and Based on previous network connection destination information, it is constituted that the information processing apparatus and a network access management unit at the same time to both the Internet and intranet controlled not be connected.

If the remote access system has such a configuration, the information processing apparatus can be prevented from accessing the Internet and the intranet at the same time.
That is, based on the current and previous network connection location information of the information processing device and the network connection destination information accessed this time and the previous time, the information processing device determines the respective network access connection destinations for Internet access and intranet access. You can restrict access to the Internet and intranet at the same time.
For this reason, it becomes possible to eliminate the risk that the information processing apparatus is infected with a computer virus on the Internet and the infection range extends from the information processing apparatus to the intranet. It is also possible to prevent information on the intranet from leaking to the Internet via the information processing apparatus.

The current network connection location information is information for specifying the current location of the information processing apparatus in the network, and is used when the network access management unit 11a receives a network access request from the current application execution unit 12. This is network connection position information.
The previous network connection location information is information for specifying the location when the information processing apparatus was connected to the previous network, and the network access management unit 11a receives the network access request from the previous application execution unit 12. Network connection position information related to access at the time of access.
As the network connection position information, for example, IP address information of the information processing apparatus can be used.

  In the remote access system of the present invention, the network access management unit determines that the information is based on the current network connection location information, the previous network connection location information, the current network connection location information, and the previous network connection location information. After the processing device communicates with another information processing device via the Internet or during communication, the processing device does not communicate with the other information processing device via the intranet, and the information processing device does not communicate with the other information processing device via the intranet. In this configuration, control is performed so as not to communicate with other information processing apparatuses via the Internet after or during communication with the other information processing apparatus.

If the remote access system is configured in this way, the network access management unit performs “control processing so that the information processing device cannot connect to both the Internet and the intranet at the same time” by the network access management unit. After the device communicates with other information processing devices via the Internet or during communication, the device does not communicate with other information processing devices via the intranet, and the information processing device does not communicate with other information processing devices via the intranet. It can be controlled not to communicate with another information processing apparatus via the Internet after or during communication with the processing apparatus.
For this reason, when the information processing apparatus is infected with a computer virus via the Internet, it is possible to prevent the infection range from spreading to the intranet, and confidential information is stored in the memory of the information processing apparatus via the intranet. When stored, the information can be prevented from leaking to other information processing apparatuses via the Internet.

  In the remote access system of the present invention, when the network access management unit inputs a network access request including the current network connection destination information, the current network connection position information and the previous network connection position are stored from the network connection position information storage unit. Acquiring information, acquiring the current network connection destination information and the previous network connection destination information from the network connection destination information storage means, (a) the current network connection location information is information for identifying the intranet, and When the previous network connection position information is information specifying an intranet, the information processing apparatus performs network access. (B) The current network connection position information is information specifying an intranet, and the previous network When the connection location information is information for specifying the Internet, network access by the information processing apparatus is not performed, and (c) the current network connection location information is information for specifying the Internet, and the previous network connection location When the information is information specifying the Internet, the current network connection destination information is information specifying the intranet, and the previous network connection destination information is information specifying the intranet, the information processing apparatus (D) The current network connection position information is information identifying the Internet, the previous network connection position information is information identifying the Internet, and the current network connection destination information is Information that identifies the intranet And when the previous network connection destination information is information specifying the Internet, the information processing apparatus does not perform network access, and (e) the current network connection position information is information specifying the Internet. The previous network connection location information is information for identifying the Internet, the current network connection destination information is information for identifying the Internet, and the previous network connection destination information is information for identifying the Internet. If there is a network access by the information processing apparatus, (f) the current network connection location information is information identifying the Internet, and the previous network connection location information is information identifying the Internet, and , This network connection destination information When the information is information specifying the Internet and the previous network connection destination information is information specifying the intranet, network access by the information processing apparatus is not performed, and (g) the current network connection location information is When the information is information specifying the Internet and the previous network connection position information is information specifying an intranet, the information processing apparatus does not perform network access.

  If the remote access system has such a configuration, it is based on the current network connection position information of the information processing apparatus, the previous network connection position information, the network connection destination information accessed this time, and the network connection destination information accessed last time. Thus, it is possible to control whether or not to perform appropriate access for each type of network access.

  In the remote access system of the present invention, the intranet includes a VPN gateway, (c) the current network connection position information is information specifying the Internet, and the previous network connection position information is information specifying the Internet. If the network connection destination information of this time is information for specifying the intranet and the previous network connection destination information is information for specifying the intranet, the network access management unit can connect the information processing apparatus and the VPN. A virtual direct connection communication line is established with the gateway, and network access is performed by the information processing apparatus.

  If the remote access system has such a configuration, the same security effect as when the information processing device is directly connected to the intranet can be realized by connecting the information processing device taken outside the company to the Internet via the intranet. Is possible.

  In the remote access system of the present invention, the information processing apparatus includes a filter in which filter information received from a proxy server in an intranet is set. (E) The current network connection position information is information for identifying the Internet, and When the previous network connection location information is information identifying the Internet, the current network connection destination information is information identifying the Internet, and the previous network connection destination information is information identifying the Internet Then, the network access management unit determines whether the current network connection destination information is set as connection destination information that does not permit access to the filter, and the current network connection destination information is set as connection destination information that does not permit access. If not Network access by the information processing device, or it is determined whether the current network connection destination information is set as connection destination information allowing access to the filter, and the current network connection destination information permits connection destination information Is set to perform network access by the information processing apparatus.

If the remote access system is configured in this way, when the information processing device taken outside the company is connected to the Internet, the same filter is applied as when accessing the Internet via the intranet without connecting via the intranet. It is possible to reduce the intranet network load.
That is, when the information processing device remotely accesses the Internet, the access destination can be restricted by using the filter information downloaded in advance from the proxy server on the intranet and set in the filter of the information processing device. it can.
For this reason, when the information processing apparatus is connected to the Internet, it is not necessary to go through the intranet, and the communication load on the intranet can be reduced.

  In the remote access system of the present invention, an information processing device stores a key information management unit that manages encryption key information stored in a key information storage unit, and an encryption target file encrypted using the encryption key information. When an encryption target file storage unit to be stored and a file access request including a file path are input, an encryption target file corresponding to the file path is acquired from the encryption target file storage unit, and a key is stored in the key information management unit. When the information acquisition request is output and the encryption key information is input from the key information management unit, the key information management unit includes a file access management unit that decrypts and opens the file to be encrypted using the encryption key information. When the key information acquisition request is input, it is confirmed whether or not the encryption key information is stored in the key information storage means. If the key information acquisition request is output to the network access management unit and the encryption key information is input from the network access management unit, the encryption key information is output to the file access management unit. When the network access management unit inputs a new key information acquisition request, when the information processing apparatus performs network access to the intranet, the encryption key information is received from the key management server in the intranet, and the key The information is output to the information management unit.

If the remote access system has such a configuration, when the information processing apparatus performs network access, access to the confidential information file stored as the encryption target file in the information processing apparatus can be restricted. Information leakage can be prevented.
That is, when the information processing apparatus is allowed to connect to the Internet from the outside, information in the intranet may be leaked through the information processing apparatus. For this reason, the information processing apparatus is controlled so that the encryption key information cannot be acquired from the intranet, and the encryption target file stored in the information processing apparatus cannot be opened.
As described above, by controlling network access of the information processing apparatus, it is possible to appropriately prevent information leakage from the information processing apparatus.

  The remote access system of the present invention further includes a reset execution unit that restarts the information processing apparatus when the information processing apparatus inputs a restart request from the network access management unit, and the network access management unit includes (b) The current network connection location information is information identifying the intranet, and the previous network connection location information is information identifying the Internet; and (d) the current network connection location information is information identifying the Internet. Yes, the previous network connection location information is information identifying the Internet, the current network connection destination information is information identifying the intranet, and the previous network connection location information is information identifying the Internet. (F) This network The connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection destination information is information specifying the Internet, and When the network connection destination information is information for identifying an intranet, and (g) the current network connection position information is information for identifying the Internet, and the previous network connection position information is information for identifying an intranet. In addition, the information processing apparatus is configured to output a restart request to the reset execution unit.

If the remote access system has such a configuration, the process and memory information executed in the information processing apparatus can be isolated between the time of accessing the Internet and the time of accessing the intranet. Can be prevented.
That is, when the network connection destination accessed by the information processing device is changed from the intranet to the Internet, the operating system in the information processing device is restarted before communication to the Internet, the memory information is cleared, the process is stopped, and the encryption key Can be cleared.
Therefore, the memory information that the computer virus tries to steal can be emptied, the computer virus process can be stopped, the encrypted confidential information file cannot be decrypted, and the leakage of confidential information due to computer viruses etc. can be prevented It becomes possible to do.

  The information processing apparatus of the present invention is an information processing apparatus that can be connected to the Internet and a predetermined intranet, and the connection position of the current and previous network access by the information processing apparatus is either the Internet or the intranet. Network location information for identifying the network connection location information, and network connection location information for identifying whether the current and previous network access destinations by the information processing apparatus are the Internet or an intranet, respectively. Based on the connection destination storage means, the current network connection location information, the previous network connection location information, the current network connection location information, and the previous network connection location information, the information processing apparatus is simultaneously connected to both the Internet and the intranet. A configuration equipped with a network access management unit for controlling so as not to be connected.

  Further, in the information processing apparatus of the present invention, the network access management unit performs the information based on the current network connection location information, the previous network connection location information, the current network connection location information, and the previous network connection location information. After the processing device communicates with another information processing device via the Internet or during communication, the processing device does not communicate with the other information processing device via the intranet, and the information processing device does not communicate with the other information processing device via the intranet. In this configuration, control is performed so as not to communicate with other information processing apparatuses via the Internet after or during communication with the other information processing apparatus.

  In the information processing apparatus of the present invention, when the network access management unit inputs a network access request including the current network connection destination information, the current network connection position information and the previous network connection position are stored from the network connection position information storage unit. Acquiring information, acquiring the current network connection destination information and the previous network connection destination information from the network connection destination information storage means, (a) the current network connection location information is information for identifying the intranet, and When the previous network connection position information is information specifying an intranet, the information processing apparatus performs network access. (B) The current network connection position information is information specifying an intranet, and the previous network Connection location information When the information specifies the Internet, network access by the information processing apparatus is not performed. (C) The current network connection position information is information specifying the Internet, and the previous network connection position information is the Internet. If the current network connection destination information is information for specifying an intranet, and the previous network connection destination information is information for specifying an intranet, network access by the information processing apparatus is performed. (D) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information specifies the intranet. Information, or When the previous network connection destination information is information specifying the Internet, the network access by the information processing apparatus is not performed, and (e) the current network connection position information is information specifying the Internet, and the previous time If the network connection location information is information identifying the Internet, the current network connection destination information is information identifying the Internet, and the previous network connection destination information is information identifying the Internet, (F) The current network connection location information is information identifying the Internet, and the previous network connection location information is information identifying the Internet, and the current network Connection destination information is When the network specifying information is the information for specifying the intranet and the previous network connection destination information is the information for specifying the intranet, the information processing apparatus does not access the network, and (g) the current network connection position information is the Internet. In the case where the information is specified and the previous network connection position information is information specifying the intranet, the information processing apparatus does not perform network access.

  In the information processing apparatus of the present invention, the intranet includes a VPN gateway, (c) the current network connection position information is information specifying the Internet, and the previous network connection position information is information specifying the Internet. If the network connection destination information of this time is information for specifying the intranet and the previous network connection destination information is information for specifying the intranet, the network access management unit can connect the information processing apparatus and the VPN. A virtual direct connection communication line is established with the gateway, and network access is performed by the information processing apparatus.

  The information processing apparatus of the present invention includes a filter in which filter information received from a proxy server in an intranet is set. (E) The current network connection position information is information specifying the Internet, and the previous network connection Network access management when the location information is information identifying the Internet, the current network connection destination information is information identifying the Internet, and the previous network connection destination information is information identifying the Internet Determine whether the current network connection destination information is set as connection destination information that does not permit access to the filter, and if the current network connection destination information is not set as connection destination information that does not permit access, Network by information processing equipment Access is performed, or it is determined whether the current network connection destination information is set as connection destination information allowing access to the filter, and the current network connection destination information is set as connection destination information permitting access In this case, the information processing apparatus performs network access.

  The information processing apparatus according to the present invention includes a key information management unit that stores and manages encryption key information in a key information storage unit, and an encryption target that stores an encryption target file encrypted using the encryption key information. When a file access request including a file storage means and a file path is input, an encryption target file corresponding to the file path is acquired from the encryption target file storage means, and a key information acquisition request is output to the key information management unit When the encryption key information is input from the key information management unit, the key information management unit includes a file access management unit that decrypts and opens the file to be encrypted using the encryption key information. Is input, it is confirmed whether the encryption key information is stored in the key information storage means, and if it is stored, the encryption key information is output to the file access management unit, If not, a new key information acquisition request is output to the network access management unit, and when the encryption key information is input from the network access management unit, the encryption key information is output to the file access management unit, and the network access management unit However, when a new key information acquisition request is input, when the information processing apparatus performs network access to the intranet, the encryption key information is received from the key management server in the intranet and output to the key information management unit. is there.

  In addition, the information processing apparatus of the present invention includes a reset execution unit that restarts the information processing apparatus when a restart request is input from the network access management unit, and the network access management unit includes (b) the current network connection position. The information is information specifying the intranet, and the previous network connection position information is information specifying the Internet; and (d) the current network connection position information is information specifying the Internet, and the previous time The network connection location information is information identifying the Internet, the current network connection destination information is information identifying the intranet, and the previous network connection destination information is information identifying the Internet; (F) This network connection location information is Internet And the previous network connection location information is information specifying the Internet, the current network connection destination information is information specifying the Internet, and the previous network connection destination information is In the case of information specifying an intranet, and (g) when the current network connection location information is information specifying the Internet, and the previous network connection location information is information specifying an intranet, the information processing An apparatus restart request is output to the reset execution unit.

  The remote access program according to the present invention is a remote access program for controlling an information processing apparatus connectable to the Internet and a predetermined intranet to control network access. Connection location storage means for storing network connection location information for specifying whether the connection location of network access is the Internet or an intranet, and the current and previous network access destinations by the information processing device are the Internet and intranet respectively. Connection destination storage means for storing network connection destination information for identifying the network connection location information, current network connection location information, previous network connection location information, current network connection location information, and previous network connection location information. Based on the network connection destination information, it is constituted that the information processing apparatus at the same time to both the Internet and intranet to act as a network access management unit for controlling so as not to be connected.

  Further, the remote access program of the present invention provides the network access management unit with the information based on the current network connection location information, the previous network connection location information, the current network connection location information, and the previous network connection location information. After the processing device communicates with another information processing device via the Internet or during communication, the processing device does not communicate with the other information processing device via the intranet, and the information processing device does not communicate with the other information processing device via the intranet. After the communication with this information processing apparatus or during the communication, control is performed so as not to communicate with another information processing apparatus via the Internet.

  The remote access program of the present invention, when a network access request including the current network connection destination information is input to the network access management unit, the current network connection position information and the previous network from the network connection position information storage means. The connection location information is acquired, the current network connection destination information and the previous network connection destination information are acquired from the network connection destination information storage means, and (a) the current network connection location information is information for identifying the intranet. And, when the previous network connection position information is information for identifying an intranet, network access by the information processing apparatus is performed, (b) the current network connection position information is information for identifying an intranet, and Last time When the network connection position information is information specifying the Internet, the network access by the information processing apparatus is not performed, and (c) the current network connection position information is information specifying the Internet, and the previous network If the connection location information is information specifying the Internet, the current network connection destination information is information specifying an intranet, and the previous network connection destination information is information specifying an intranet, the information (D) The current network connection location information is information for specifying the Internet, and the previous network connection location information is information for specifying the Internet, and the current network connection. The destination information is intranet And when the previous network connection destination information is information specifying the Internet, network access by the information processing apparatus is not performed, and (e) the current network connection position information indicates the Internet The information to be specified, the previous network connection location information is information for specifying the Internet, the current network connection destination information is information for specifying the Internet, and the previous network connection destination information is the Internet. (F) The current network connection position information is information for specifying the Internet, and the previous network connection position information is for specifying the Internet. Information and When the network connection destination information is information specifying the Internet and the previous network connection destination information is information specifying the intranet, network access by the information processing apparatus is not performed, and (g) the current network When the connection location information is information for specifying the Internet and the previous network connection location information is information for specifying the intranet, the information processing apparatus does not perform network access.

  In the remote access program of the present invention, the intranet includes a VPN gateway, (c) the current network connection position information is information specifying the Internet, and the previous network connection position information is information specifying the Internet. Yes, and if the current network connection destination information is information for specifying an intranet and the previous network connection destination information is information for specifying an intranet, the network access management unit and the VPN A virtual direct connection communication line is established with the gateway, and network access is performed by the information processing apparatus.

  Further, the remote access program of the present invention causes the information processing apparatus to function as a filter in which the filter information received from the proxy server in the intranet is set, and (e) the current network connection position information is information identifying the Internet, The previous network connection location information is information for identifying the Internet, the current network connection destination information is information for identifying the Internet, and the previous network connection destination information is information for identifying the Internet. In this case, the network access management unit determines whether or not the current network connection destination information is set as connection destination information that does not permit access to the filter, and the current network connection destination information is set as connection destination information that does not permit access. Not Network access by the information processing device, or whether the current network connection destination information is set as connection destination information that permits access to the filter, and the current network connection destination information permits access When the connection destination information is set, the network access by the information processing apparatus is performed.

  The remote access program of the present invention also stores an encryption target file encrypted using the encryption key information and a key information management unit that manages the information processing apparatus by storing the encryption key information in the key information storage means. When the file access request including the encryption target file storage means and the file path is input, the encryption target file corresponding to the file path is acquired from the encryption target file storage means, and the key information management unit When an information acquisition request is output and encryption key information is input from the key information management unit, the key information management unit functions as a file access management unit that decrypts and opens the encryption target file using the encryption key information. When the key information acquisition request is input, the key information storage means checks whether the encryption key information is stored. If the key information is output to the file access management unit and is not stored, a new key information acquisition request is output to the network access management unit, and the encryption key information is input from the network access management unit. When a new key information acquisition request is input to the access management unit and the information processing apparatus performs network access to the intranet, the encryption key information is received from the key management server in the intranet. The received information is output to the key information management unit.

  The remote access program of the present invention causes the information processing apparatus to function as a reset execution unit that restarts the information processing apparatus when a restart request is input from the network access management unit, and causes the network access management unit to execute (b ) When the current network connection location information is information for specifying the intranet, and the previous network connection location information is information for specifying the Internet, and (d) The current network connection location information is information for specifying the Internet. In addition, the previous network connection location information is information for identifying the Internet, the current network connection destination information is information for identifying an intranet, and the previous network connection destination information is for identifying the Internet. If it is information, (f) this time The network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection destination information is information specifying the Internet, and the previous time And (g) the current network connection position information is information for specifying the Internet, and the previous network connection position information is information for specifying the intranet. In this case, a restart request for the information processing apparatus is output to the reset execution unit.

  The remote access method of the present invention is a remote access method for controlling network access by an information processing apparatus connectable to the Internet and a predetermined intranet, and the connection positions of the current and previous network access by the information processing apparatus are as follows: Connection location storage means for storing network connection location information for specifying whether it is the Internet or an intranet, and whether the current and previous network access destinations by the information processing device are the Internet or an intranet, respectively The network access management unit in the information processing apparatus provided with the connection destination storage means for storing the network connection destination information includes the current network connection position information, the previous network connection position information, and the current network connection. Information, and on the basis of the previous network connection destination information, the information processing apparatus at the same time to both the Internet and the intranet is a method of controlling so as not to be connected.

  In the remote access method of the present invention, the network access management unit determines that the information is based on the current network connection location information, the previous network connection location information, the current network connection location information, and the previous network connection location information. After the processing device communicates with another information processing device via the Internet or during communication, the processing device does not communicate with the other information processing device via the intranet, and the information processing device does not communicate with the other information processing device via the intranet. This is a method for controlling not to communicate with another information processing apparatus via the Internet after or during communication with the other information processing apparatus.

  In the remote access method of the present invention, when the network access management unit inputs a network access request including the current network connection destination information, the current network connection position information and the previous network connection position are stored from the network connection position information storage unit. Acquiring information, acquiring the current network connection destination information and the previous network connection destination information from the network connection destination information storage means, (a) the current network connection location information is information for identifying the intranet, and When the previous network connection position information is information specifying an intranet, the information processing apparatus performs network access. (B) The current network connection position information is information specifying an intranet, and the previous network Connection If the location information is information specifying the Internet, network access by the information processing apparatus is not performed, and (c) the current network connection location information is information specifying the Internet, and the previous network connection location information Is information for identifying the Internet, the current network connection destination information is information for identifying an intranet, and the previous network connection destination information is information for identifying an intranet. (D) The current network connection location information is information identifying the Internet, the previous network connection location information is information identifying the Internet, and the current network connection location information is the intranet. With information to identify And when the previous network connection destination information is information for specifying the Internet, network access by the information processing apparatus is not performed, and (e) the current network connection position information is information for specifying the Internet, The previous network connection location information is information for identifying the Internet, the current network connection destination information is information for identifying the Internet, and the previous network connection destination information is information for identifying the Internet. And (f) the current network connection location information is information identifying the Internet, and the previous network connection location information is information identifying the Internet, and This network connection destination information When the information for specifying the Internet is the information for specifying the intranet in the previous network connection destination information, network access by the information processing apparatus is not performed, and (g) the current network connection position information indicates the Internet This is a method of not performing network access by the information processing apparatus when it is information to be specified and the previous network connection position information is information for specifying an intranet.

  If the information processing apparatus and the remote access program are configured in this way and the remote access method is such a method, the current and previous network connection position information of the information processing apparatus and the network connection destination information accessed this time and the previous time Based on this, it is possible to prevent the information processing apparatus from accessing the Internet and the intranet at the same time, and it is possible to eliminate infections such as computer viruses on the intranet and leakage of confidential information in the intranet.

  In addition, when an information processing device taken outside the company is connected to the Internet, the same filter as when accessing the Internet via the intranet can be applied without connecting via the intranet, and the network load of the intranet can be reduced. It becomes possible to reduce.

In addition, when the information processing apparatus performs network access, access to the confidential information file in the information processing apparatus can be restricted under certain conditions, and information leakage from the information processing apparatus can be prevented.
That is, the confidential information file in the information processing apparatus is encrypted with a predetermined encryption key, and the encryption key is stored in the key management server on the intranet. For this reason, if the information processing apparatus is already connected to the Internet, the information processing apparatus cannot obtain the encryption key because access to the intranet cannot be made, and access to the confidential information file is not permitted.
On the other hand, when the information processing apparatus is not connected to the Internet in advance, the information processing apparatus can acquire the encryption key from the key management server on the intranet, and access to the confidential information file is permitted.
As a result, information leakage from the information processing apparatus can be prevented.

In addition, according to the present invention, since the process and memory information executed in the information processing apparatus can be isolated between the time of accessing the Internet and the time of accessing the intranet, information leakage from the information processing apparatus can be prevented. Is possible.
That is, when the network connection destination accessed by the information processing apparatus is changed from the intranet to the Internet, the operating system in the information processing apparatus is restarted before communication to the Internet, the memory information is cleared, the process is stopped, and the encryption key Can be cleared.
As a result, the memory information that the computer virus tries to steal can be emptied, the computer virus process can be stopped, and the encrypted confidential information file can no longer be decrypted. It becomes possible to prevent.

In addition, when the network connection destination accessed by the information processing device is changed from the Internet to the intranet, the operating system in the information processing device is restarted before the communication to the intranet to clear the memory information or stop the process. can do.
As a result, the computer virus process can be stopped, the memory area used by the computer virus can be cleared, and the computer virus can illegally access the intranet via an information processing device taken outside the company. It becomes possible to prevent.

ADVANTAGE OF THE INVENTION According to this invention, when the business terminal connected and used for an intranet is taken out outside the company, it can prevent accessing the internet and an intranet simultaneously.
For this reason, it is possible to eliminate the risk that the business terminal is infected with a computer virus on the Internet and the range of infection spreads from the business terminal to the intranet. It is also possible to prevent information on the intranet from leaking to the Internet via the business terminal.

Hereinafter, a preferred embodiment of a remote access system of the present invention will be described with reference to the drawings.
Note that the remote access system of the present invention shown in the following embodiments is operated by a computer controlled by a program. The CPU of the computer sends a command to each component of the computer based on the program, and performs predetermined processing necessary for the operation of the client terminal in the remote access system, for example, terminal IP address information acquisition processing, terminal IP address type Determination processing, destination IP address information acquisition processing, destination IP address type determination processing, and the like are performed. Thus, each process and operation in the remote access system of the present invention can be realized by specific means in which the program and the computer cooperate.

The program is stored in advance in a recording medium such as a ROM and a RAM, and is executed by causing the computer to read the program from a recording medium mounted on the computer. For example, the program may be read by the computer via a communication line.
Further, the recording medium for storing the program can be constituted by, for example, a semiconductor memory, a magnetic disk, an optical disk, or any other recording means that can be read by any computer.

[Concept of client terminal state transition]
First, the concept of the state transition of the client terminal in the remote access system according to the embodiment of the present invention will be described with reference to FIG.
The client terminal shown in the figure is a business terminal connected to an in-house intranet in a remote access system.

First, the state where the client terminal is stopped is “state A when the terminal is stopped”. This is a state at the start of use of the client terminal. When the client terminal is turned on, the state A is changed to the “initial state B at the time of starting the terminal”.
This state B shows a state where the network has not been accessed yet after the client terminal is activated.
In this state B, if no network access request is made by the client terminal, the client terminal continues to transition to this state B.

Next, in the “initial state B at the time of starting the terminal”, when the client terminal makes an access request to the Internet via an Internet service provider (hereinafter referred to as ISP) or the like, the “state of remote connection to the Internet from the outside” Transition to “C”.
In this state C, when an access request to the Internet is generated, it is possible to continue to transit to the state C and access to the Internet is possible, but access to the intranet is not possible.
In this state C, when the network connection position information (Internet or intranet) or the network connection destination information (Internet or intranet) is changed, the state of the client terminal is reset once, and “initial state B when the terminal is started” Must transition to

Next, in the “initial state B at the time of starting the terminal”, when the client terminal makes an access request to the intranet via the ISP or the like, the client terminal transits to the “state D in which remote connection is established from the outside to the intranet”.
In this state D, when an access request to the intranet is generated, it is possible to continue to transition to this state D, so that access to the intranet is possible, but access to the Internet is not possible.
In this state D, when the network connection position information or the network connection destination information is changed, the state of the client terminal must be reset once and transition to the “initial state B when the terminal is started”.

Next, in “Initial state B at the time of starting the terminal”, when the client terminal makes an access request to the intranet or the access request to the Internet while being directly connected to the intranet, the client terminal State E ”.
In this state E, when an access request to the intranet is generated, it is possible to continue to transit to this state E, and it is possible to access the intranet, and when an access request to the Internet is generated, it is possible to continue to transition to this state E. Access to is possible.
In this state E, when the network connection position information is changed, the state of the client terminal must be reset once and transition to the “initial state B when the terminal is activated”.

[First embodiment]
Next, the configuration of the first embodiment of the present invention will be described with reference to FIG. FIG. 2 is a block diagram showing the configuration of the remote access system of this embodiment.
As shown in the figure, the remote access system of this embodiment includes a client terminal 10, an intranet 20, the Internet 30, and an ISP 40.

The remote access system of this embodiment is used when the client terminal 10 remotely accesses the intranet 20 or the Internet 30 from the outside of the intranet 20.
In the remote access system of this embodiment, it is assumed that the encryption key is stored in the key management server 23 in the intranet 20.

[Client terminal 10]
In the present embodiment, the client terminal 10 is a business terminal taken outside the company, and as shown in FIG. 2, the security system 11, the application execution unit 12, the filter information storage unit 13, the filter 14, and the encryption target file storage And a function of accessing a communication network such as the intranet 20 or the Internet 30 via the ISP 40.
The security system 11 includes a network access management unit 11a, a file access management unit 11b, a filter information management unit 11c, a terminal connection position information management unit 11d, a key information management unit 11e, and a reset execution unit, as shown in FIG. 11f.

When a network access request including destination IP address information is input from the application execution unit 12 or the like, the network access management unit 11a acquires network connection destination information (intranet connection or Internet connection) based on the destination IP address information. Stored in a predetermined network connection destination information storage means.
This network connection destination information can be acquired based on the type of destination IP address information.

That is, when the type of destination IP address information is a private IP address of the intranet 20, it is determined that the network connection destination information is an intranet connection, and when the type of destination IP address information is a global IP address, the network connection destination information Can be determined as an Internet connection.
Then, as the network connection destination information, an intranet connection or an Internet connection can be stored in the network connection destination information storage means.

The destination IP address information can also be obtained from the header of a packet transmitted from the network access management unit 11a to another information processing apparatus. In such a configuration, when accessing the intranet from outside the intranet, the IP address information of the terminal in the intranet is encrypted depending on conditions, and the IP address (global IP address) of the VPN gateway is set as the destination IP address information. A header may have been added. In such a case, the network connection destination information can be obtained based on whether the destination IP address information set in the header is the IP address of the VPN gateway.
In other words, when the destination IP address information is the IP address of the VPN gateway, it is possible to determine that it is an intranet connection, and when it is not the IP address of the VPN gateway, it is possible to determine that it is an Internet connection.

Further, the destination IP address information itself can be stored in the network connection destination information storage unit as the network connection destination information.
In the description of the processing procedure described later, a case where destination IP address information is stored as network connection destination information in the network connection destination information storage means is described as an example.
In this network connection destination information storage means, not only the current network connection destination information but also the previous network connection destination information can be stored.

Further, the network access management unit 11a restricts the connection destination network of the client terminal 10 based on the network connection destination information and the network connection position information of the client terminal 10.
That is, when the client terminal 10 is remotely connected to the intranet 20 from outside the intranet, the network access management unit 11a denies access to the intranet 20 when accessing the Internet 30 before connecting to the intranet 20. And in order to connect to the intranet 20, it notifies that the reset of the client terminal 10 is implemented.

The notification that the network access management unit 11a performs the reset can be output to, for example, a display device or a speaker in the client terminal 10, a printing device connected to the client terminal 10, or the like. The following notification that the reset is performed can be performed in the same manner.
In response to this notification, when a predetermined input for accepting the reset is made to the client terminal 10, the reset executing unit 11f can restart the client terminal 10.

Further, when the client terminal 10 remotely connects to the Internet 30 from outside the intranet, if the client terminal 10 accesses the intranet 20 before connecting to the Internet 30, the network access management unit 11a rejects access to the Internet 30; Notify that the terminal is to be reset to connect to the Internet 30.
Further, when the filter information acquisition request is input from the filter information management unit 11c and when the key information acquisition request is input from the key information management unit 11e, the network access management unit 11a accesses the intranet 20 and receives these information. Receive.

The file access management unit 11b manages the encryption target file storage unit 15 in the client terminal 10, and performs encryption and decryption of the encryption target file stored in the encryption target file storage unit 15.
A specific file encryption processing method by the file access management unit 11b is not particularly limited, but for example, it is preferable to perform the processing of the application execution unit 12 in the background.
At this time, the file access management unit 11b acquires the encryption key from the key information management unit 11e.

Further, the file access management unit 11b performs file access to the encryption target file stored in the encryption target file storage unit 15 from the application execution unit 12 or the like when the client terminal 10 is connected to the intranet 20. If there is, the key information is acquired from the key information management unit 11e, and the encryption target file is decrypted.
On the other hand, when the client terminal 10 is connected to the Internet 30, the file access management unit 11b accesses the encryption target file stored in the encryption target file storage unit 15 from the application execution unit 12 or the like. Even if there is, access to the file to be encrypted is denied.

The filter information management unit 11 c manages the filter information storage unit 13 in the client terminal 10.
The filter information management unit 11c acquires the filter information stored in the filter information storage unit 22 from the intranet 20 via the network access management unit 11a, and stores it in the filter information storage unit 13.
Further, the filter information management unit 11 c sets the filter information stored in the filter information storage unit 13 in the filter 14.

The terminal connection location information management unit 11d manages the network connection location information (intranet connection or Internet connection) of the client terminal 10 by storing it in a predetermined network connection location information storage unit (not shown).
This network connection position information can be acquired based on the type of IP address information of the client terminal 10.
That is, as in the case of the network connection destination information described above, if the IP address information type is a private IP address of the intranet 20, it is determined that the network connection position is an intranet connection, and the IP address information type is the global IP address. In the case of an address, the network connection position can be determined as an Internet connection.

Then, as a network connection position, an intranet connection or an Internet connection can be stored in the network connection position storage means.
Further, as the network connection position, the IP address information itself of the client terminal 10 can be stored in the network connection position storage unit.

In the description of the processing procedure to be described later, the case where the IP address information of the client terminal 10 is stored in the network connection position information storage unit as the network connection position information is described as an example.
The terminal connection location information management unit 11d acquires the IP address information given to the client terminal 10 from the ISP 40 when the client terminal 10 is connected to the network. Then, the acquired IP address information is stored as network connection position information in the network connection position information storage means.

The network connection location information storage means can store not only the current network connection location information of the client terminal 10 but also the previous network connection location information.
When the terminal connection location information management unit 11d inputs the current terminal location information acquisition request from the network access management unit 11a, the terminal connection location information management unit 11d returns the current network connection location information to the network access management unit 11a, and acquires the past terminal location information. When the request is input, the past network connection position information is returned to the network access management unit 11a.

The key information management unit 11e manages a key for encrypting and decrypting the encryption target file.
Whether the encryption key is stored in a predetermined key storage unit in the client terminal or in a key storage unit in an external storage device such as a USB memory or a flexible disk, the key management server 23 on the connection destination intranet 20 is used. You may store in the key memory | storage part in. However, when the client terminal 10 is restarted, the key information management unit 11e deletes the encryption key information stored in the key storage unit.

In addition, when the encryption key is stored in the key storage unit in the key management server 23, the key information management unit 11e acquires the encryption key from the key management server 23 via the network access management unit 11a. Is stored in a predetermined key information storage means (not shown).
At this time, when the key information acquisition unit 11e receives the key information acquisition request from the file access management unit 11b, the key information management unit 11e outputs the key acquisition request to the network access management unit 11a. The key is acquired, and this encryption key is output to the key information management unit 11e.

If the client terminal 10 has already accessed the Internet 30 and cannot access the intranet 20, the network access management unit 11a cannot acquire the encryption key from the key management server 23.
Therefore, in this case, the key information management unit 11e cannot acquire the encryption key unless the client terminal 10 is restarted.

The reset execution unit 11f restarts the client terminal 10 when a reset request is input from the network access management unit 11a.
As described above, in the present invention, by restarting the client terminal 10, the process being executed in the client terminal 10 is stopped without performing any other special processing, and the process is performed in a memory (not shown) of the client terminal 10. Clear stored information.

  The application execution unit 12 executes an application on the client terminal 10. When the application performs network access or file access, the application execution unit 12 outputs network access information to the network access management unit 11a or outputs file access information to the file access management unit 11b by executing the application. Output.

The filter information storage unit 13 is a storage unit that stores URL filtering information and the like for use in the filter 14.
When the filter information management unit 11c receives the setting of the URL filtering information stored in the filter information storage unit 13, the filter 14 accesses the Internet 30 from the client terminal 10 using the URL filtering information. Limit.

  For example, when the network access management unit 11a accesses the Internet 30, the filter 14 prohibits access to the URL existing in the URL filtering information based on the URL filtering information set in the filter 14; The connection destination of the client terminal 10 is limited. Further, the connection destination of the client terminal 10 can be restricted by permitting only access to the URL existing in the URL filtering information.

The encryption target file storage unit 15 is a storage unit that stores confidential information, and stores files to be encrypted.
A specific method for encrypting a file to be encrypted is not particularly limited in the present invention. For example, by a process executed by the application execution unit 12 or the like, via the file access management unit 11b, When the encryption target file is stored in the encryption target file storage unit 15, the file to be encrypted can be encrypted in the background by the file access management unit 11b.
It is also possible to adopt a configuration in which a user individually selects a certain file as an encryption target, encrypts it by the file access management unit 11b, and stores it in the encryption target file storage unit 15.

  Further, in the client terminal 10, if there is a file access to the encryption target file stored in the encryption target file storage unit 15, if the encryption key is acquired by the key information management unit 11 e, this encryption is performed. The encryption target file is decrypted using the key.

[Intranet 20]
Next, the intranet 20 includes a proxy server 21, a filter information storage unit 22, a key management server 23, a file server 24, a VPN gateway 25, and a DHCP server 26, as shown in FIG.

The proxy server 21 is an information processing apparatus that is constructed and operated by an administrator of the intranet 20 in accordance with the security policy in the intranet 20.
The proxy server 21 centrally manages access to the Internet 30 from computers connected in the intranet 20 and access to the intranet 20 from the Internet 30. Then, based on the filter information stored in the filter information storage unit 22, only a specific type of connection is permitted from the inside of the intranet 20 or unauthorized access from the outside of the intranet 20 is blocked.
Further, the proxy server 21 can be provided with general proxy server functions such as a cache function and an authentication function.

The key management server 23 includes key storage means for storing key information for encrypting and decrypting the encryption target file stored in the encryption target file storage unit 15 of the client terminal 10.
The file server 24 includes storage means for storing various business information files including confidential information.

A VPN (Virtual Private Network) gateway 25 has a function of accepting communication from the client terminal 10 and establishing a virtual direct connection communication line (hereinafter sometimes referred to as a tunnel) between the client terminal 10 and the intranet 20. Have.
A DHCP (Dynamic Host Configuration Protocol) server 26 has a function of accepting an IP address request from a client terminal and assigning an IP address to the client terminal.
A conventionally well-known thing can be used for each structure in these intranets 20. FIG.

The Internet 30 is a huge network that connects networks all over the world using the communication protocol TCP / IP.
An ISP (Internet Services Provider) 40 is an information processing apparatus managed by an Internet provider, and relays communication between the client terminal 10 and the intranet 20 and between the client terminal 10 and the Internet 30 and connects the client terminal 10 to the network. .

[Processing procedure of network access management unit in remote access system]
Next, a processing procedure in the remote access system of this embodiment will be described with reference to FIGS. FIG. 3 is an operation procedure diagram showing a processing procedure of the network access management unit in the remote access system of this embodiment. FIG. 4 is a diagram showing terminal restart guidance output by the system.

When the client terminal 10 remotely accesses the intranet 20 from outside the company, a network access request is first generated (step A1).
This network access request includes destination IP address information, and is input from the application execution unit 12 to the network access management unit 11a when the application execution unit 12 is executing an application, for example.
At this time, the network access management unit 11a stores the destination IP address information included in the network access request in the network connection destination information storage unit as the current network connection destination information.

  Next, the network access management unit 11a outputs the current terminal location information acquisition request of the client terminal 10 to the terminal connection location information management unit 11d, and the current status of the client terminal 10 from the terminal connection location information management unit 11d. Network connection position information (IP address information in this embodiment) is acquired (step A2).

Next, the network access management unit 11a determines the type of the acquired IP address information (step A3).
In this embodiment, since it is assumed that the client terminal 10 remotely accesses the intranet 20 from the outside, the IP address information of the client terminal 10 acquired from the terminal connection position information management unit 11d is a global IP address. is there.
Therefore, the network access management unit 11a outputs a previous terminal location information acquisition request to the terminal connection location information management unit 11d, and uses the previous network location of the client terminal 10 as terminal location information from the terminal connection location information management unit 11d. IP address information at the time of access is acquired (step A8).

Then, the network access management unit 11a determines the type of the previous IP address information of the acquired client terminal 10 (step A9).
Here, when the type of the previous IP address information is a global IP address or there is no information, the network access management unit 11a acquires the current destination IP address information included in the network access request from the network connection destination information storage unit. (Step A10).

Next, the network access management unit 11a determines the type of the destination IP address (step A11).
Then, when the type of the destination IP address is a private IP address, the network access management unit 11a determines that the client terminal 10 is trying to connect to the intranet 20, and stores the previous destination IP address information in the network connection destination information storage. Obtained from the means (step A12).

Next, the network access management unit 11a determines the type of the previous destination IP address information (step A13).
Then, if the type of the previous destination IP address information is a private IP address or no information, the network access management unit 11a determines that the connection to the intranet 20 by the client terminal 10 is possible, and then the client terminal 10 And whether the tunnel exists between the intranet 20 and the intranet 20 (step A14).

  In this case, it is determined that the connection to the intranet 20 is possible because the client terminal 10 has accessed the intranet 20 in the previous time. This is because there is no risk of problems such as computer virus infection.

Next, as a result of checking whether or not a tunnel exists, the network access management unit 11a establishes a tunnel between the client terminal 10 and the intranet 20 if there is no tunnel (no step A15) (step A16).
In establishing this tunnel, the network access management unit 11a exchanges information for performing encrypted communication with the VPN gateway 25, performs mutual authentication of whether the communication destination is correct, and performs encrypted communication.
The tunnel in the present invention can use a conventionally known general encrypted secure communication path. Information communicated through the tunnel cannot be referred to from the outside.
After the tunnel is established, the network access management unit 11a can access the intranet 20 (step A17).

  On the other hand, when the tunnel already exists (the presence of step A15), the network access management unit 11a can access the intranet 20 (step A17).

In step A13, if the type of the previous destination IP address information is a global IP address, it is determined that the client terminal 10 is trying to access the Internet 30 and the intranet 20 at the same time, and the network access management unit 11a. Does not access the network, and performs restart guidance of the client terminal 10 (step A18).
That is, in this case, since the client terminal 10 has already accessed the Internet 30, if access to the intranet 20 is permitted, if the client terminal 10 is infected with a computer virus, the infection spreads to the intranet 20. Since there is a fear, restart guidance is performed without permitting access to the intranet 20.

  The restart guidance for the client terminal 10 is not particularly limited as long as it prompts the user of the client terminal 10 to restart the client terminal 10. For example, it is possible to display a restart guide as shown in FIG. 4 on the display of the client terminal 10, or to output the restart guide from the speaker of the client terminal 10 by voice. The same applies to the restart guidance of the client terminal 10 below.

  In step A11, if the type of the destination IP address this time is a global IP address, it is determined that the client terminal 10 is trying to access the Internet, and the network access management unit 11a determines the previous destination IP address information. Is acquired from the network connection destination information storage means (step A19).

Next, the network access management unit 11a determines the type of the previous destination IP address information (step A20).
If the type of the previous destination IP address information is a private IP address or no information, the network access management unit 11a passes the current destination IP address information or destination URL information through the filter 14 and acquires the filter processing result. (Step A21).

Then, the network access management unit 11a checks whether or not the destination IP address information this time has passed through the filter 14 (step A22), and if it has passed through the filter, performs network access (step A23).
On the other hand, when the current destination IP address information cannot pass through the filter 14, the network access management unit 11a ends without performing network access.

  Here, when the client terminal 10 has previously accessed the Internet 30 or when accessing the Internet 30 for the first time after startup, access to the Internet 30 is permitted because there is no risk of information leakage from the intranet 20. is doing. However, even in this case, in order to increase the safety of communication, access is permitted only when it passes the filter.

The filter includes a black list type and a white list type. In the present invention, any of them can be used.
When the black list type is used, whether or not the filter 14 has been passed can be determined based on whether or not the current destination IP address information or the URL corresponding to this IP address information is not set in the filter 14. .
For example, if the current destination IP address information or the URL corresponding to this IP address information is not set in the filter 14, it is determined that the filter 14 has passed, and if it is set in the filter 14, the filter 14 can be determined to have failed.

In step A20, if the type of the previous destination IP address information is a private IP address, it is determined that the client terminal 10 is trying to access the Internet 30 and the intranet 20 at the same time. 10 restart guidance (step A24).
In this case, since the client terminal 10 has already accessed the intranet 20, if it is allowed to continue to access the Internet 30 from the outside, information in the intranet 20 may leak from the memory of the client terminal 10. The client terminal 10 is restarted without allowing the access.

In step A9, if the type of IP address information of the client terminal 10 at the previous network access is a private IP address, it is determined that the connection position of the client terminal 10 has changed from the intranet 20 to the Internet 30, and the network Without accessing, the client terminal 10 is restarted (step A24).
Also in this case, since the client terminal 10 has already accessed the intranet 20, if access from the outside is permitted, information in the intranet 20 may leak from the memory of the client terminal 10 or the like.

[Processing procedure of the file access manager in the remote access system]
Next, a processing procedure in the remote access system of this embodiment will be described with reference to FIG. This figure is an operation procedure diagram showing a processing procedure of the file access management unit in the remote access system of this embodiment.

First, a file access request is generated at the client terminal 10 (step B1).
The file access request is information including a file path, and is input from the application execution unit 12 to the file access management unit 11b when the application execution unit 12 is executing an application, for example.

Next, the file access management unit 11b refers to the attribute information of the file included in the input file access request, and determines whether the file is an encryption target file (step B2).
If it is determined that the file access request is made with respect to the encryption target file, the file access management unit 11b next checks whether or not there is an encryption key (step B3).

That is, the file access management unit 11b outputs a key information acquisition request to the key information management unit 11e, and tries to acquire key information from the key information management unit 11e.
At this time, the key information management unit 11e checks whether or not an encryption key is stored in a key information storage unit (not shown) on the client terminal 10 side. If the encryption key is not stored, the key information management unit 11e passes through the network access management unit 11a. Then, an encryption key is acquired from the key management server 23 of the intranet 20 and stored in the key information storage means (step B4).
Since this network access is performed toward the intranet 20, when already connected to the Internet 30, as described with reference to FIG. 3, the network access is rejected and the terminal restart guidance is issued. Performed (step A13, step A18).

Then, the file access management unit 11b confirms whether or not the key acquisition by the key information management unit 11e has succeeded (step B5). If the key acquisition fails, the file access management unit 11b rejects the file access and ends the process. To do.
On the other hand, when the key acquisition by the key information management unit 11e is successful, the file access management unit 11b acquires the key information from the key information management unit 11e, and decrypts the encryption target file to be accessed using this key information. (Step B6), the file is opened (Step B7).

In step B3, when the file access management unit 11b can acquire the key information from the key information management unit 11e, the encryption target file to be accessed is decrypted using the key information (step B6), and the file is stored. Open (step B7).
Furthermore, if the access target file is not the encryption target file in step B2, the file access management unit 11b opens the file (step B7).

[Second Embodiment]
Next, a second embodiment of the present invention will be described with reference to FIG. FIG. 6 is a block diagram showing the configuration of the remote access system of this embodiment.
This embodiment describes the case where the client terminal 10 is used in the intranet 20, and is different from the first embodiment in that the client terminal 10 is directly connected to the intranet 20.
The other points are the same as in the first embodiment, and the functions of the components in the remote access system of the present embodiment shown in FIG. 6 are the same as those in the remote access system of the first embodiment shown in FIG. It has the same function as the configuration.

Further, the network access management unit 11a according to the present embodiment, when the client terminal 10 is connected to the intranet 20 from the intranet 20, even when accessing the Internet 30 from the intranet 20 before connecting to the intranet 20, Allow access to 20.
In addition, when the client terminal 10 connects from the intranet 20 to the Internet 30, the network access management unit 11 a accesses the Internet 30 even when the client terminal 10 accesses the intranet 20 from the intranet 20 before connecting to the Internet 30. Allow.
This is because when the client terminal 10 is directly connected to the intranet 20, the network access by the client terminal 10 is performed by the proxy server 21 or the like based on the security policy in the intranet 20. This is because even if access to the Internet 30 or the intranet 20 is continuously permitted, there is no risk of computer virus infection or information leakage.

Next, the processing procedure of the network access management unit in the remote access system of this embodiment will be described with reference to FIG.
When the client terminal 10 is connected to the intranet 20 and accesses the intranet 20, a network access request is first generated (step A1). The generation of this network access request is the same as in the first embodiment.

  Next, the network access management unit 11a outputs a current terminal location information acquisition request to the terminal connection location information management unit 11d, and the current network connection location information of the client terminal 10 (from the terminal connection location information management unit 11d ( In this embodiment, IP address information) is acquired (step A2).

Next, the network access management unit 11a determines the type of the acquired IP address information (step A3).
In this embodiment, since it is assumed that the client terminal 10 directly accesses the intranet 20, the IP address information of the client terminal 10 acquired by the terminal connection position information management unit 11d is a private IP address.
In this case, the network access management unit 11a outputs a previous terminal location information acquisition request to the terminal connection location information management unit 11d, and the terminal connection location information management unit 11d obtains the previous location information of the client terminal 10 as terminal location information. IP address information at the time of network access is acquired (step A4).

Then, the network access management unit 11a determines the type of the previous IP address information of the acquired client terminal 10 (step A5).
Here, when the type of the previous IP address information is a private IP address or there is no information, the network access management unit 11a determines whether the network connection position of the client terminal 10 is the same as that at the time of the previous access or after the startup. And access to the intranet (step A6).
That is, in this case, since the client terminal 10 does not access the Internet 30 from the outside of the intranet 20, there is no possibility that the intranet 20 is infected with the computer virus via the client terminal 10. Is allowed to access.

In step A5, if the type of the previous IP address information is a global IP address, it is determined that the network connection position of the client terminal 10 has changed from the previous access, and the network access management unit 11a performs network access. First, restart guidance of the client terminal 10 is performed (step A7).
This is because the client terminal 10 previously accessed the network from the outside of the intranet 20, and there is a possibility that a computer virus may infect the intranet 20 via the client terminal 10.

Next, the processing procedure of the file access management unit in the remote access system of this embodiment will be described with reference to FIG.
First, a file access request is generated at the client terminal 10 (step B1). The generation of this file access request is the same as in the first embodiment.

Next, the file access management unit 11b specifies an access target file based on the path of the file included in the input file access request, and determines whether the file is an encryption target file based on the attribute information of the file. Is determined (step B2).
If it is determined that the file access request is made with respect to the file to be encrypted, the file access management unit 11b next checks whether or not there is an encryption key (step B3).

Here, the file access management unit 11b outputs a key information acquisition request to the key information management unit 11e, and tries to acquire key information from the key information management unit 11e.
At this time, the key information management unit 11e checks whether or not an encryption key is stored in a key information storage unit (not shown) on the client terminal 10 side. If the encryption key is not stored, the key information management unit 11e passes through the network access management unit 11a. Then, an encryption key is acquired from the key management server 23 of the intranet 20 and stored in the key information storage means (step B4).

In the present embodiment, the client terminal 10 is directly connected to the intranet 20, but if already connected to the Internet 30, as described with reference to FIG. Start-up guidance is performed (step A5, step A7). On the other hand, after the client terminal 10 is permitted to access the intranet 20, the key information management unit 11e can acquire the key.
The subsequent operation (step B5 to step B7) by the file access management unit 11b is the same as the operation in the first embodiment.

  Next, processing contents by the network access management unit 11a for each combination of the position of the client terminal and the connection destination in the remote access systems of the first embodiment and the second embodiment will be described with reference to FIG. This figure summarizes the processing contents by the network access management unit 11a for each combination of the position of the client terminal and the connection destination.

First, when the client terminal 10 performs network access from within the intranet 20 (the previous access is also from the intranet 20), the client terminal 10 can access the intranet 20 regardless of the destination (step A1 in FIG. 3 → A6).
This is because the client terminal 10 does not access the Internet 30 from the outside, and there is no possibility that a computer virus will infect the intranet 20 via the client terminal 10.

When the client terminal 10 performs network access from within the intranet 20 (previous access from outside the intranet 20), the client terminal 10 provides restart guidance regardless of the destination (steps A1 → A5 → A7 in FIG. 3). ).
This is because the client terminal 10 previously performed network access from outside the intranet 20 last time, and there is a possibility that a computer virus may infect the intranet 20 via the client terminal 10.

Further, when the client terminal 10 accesses the intranet 20 from outside the intranet 20 (the previous access to the intranet 20 from outside the intranet 20), the client terminal 10 performs network access through the tunnel (steps A1 → A3 → A8 in FIG. 3). → A17).
This is because the client terminal 10 has previously accessed the intranet 20 and has not accessed the Internet 30 from the outside, so there is no possibility that a computer virus will infect the intranet 20 via the client terminal 10. is there.

In addition, when the client terminal 10 accesses the intranet 20 from outside the intranet 20 (previous access to the Internet 30 from outside the intranet 20), the client terminal 10 provides restart guidance (steps A1 → A3 → A8 in FIG. 3). A13 → A18).
This is because the client terminal 10 has previously accessed the Internet 30 from the outside last time, and there is a possibility that a computer virus may infect the intranet 20 via the client terminal 10.

Further, when the client terminal 10 accesses the Internet 30 from outside the intranet 20 (the previous access to the Internet 30 from outside the intranet 20), the client terminal 10 performs network access through a filter (steps A1 → A3 → A8 in FIG. 3). → A11 → A19 → A23).
This is because the client terminal 10 does not access the intranet 20 in advance, so that even if connection to the Internet 30 is continuously permitted, there is no possibility that information in the intranet 20 leaks to the Internet 30. However, even when the client terminal 10 is connected to the Internet 30 from the outside in this way, the client terminal 10 performs network access through the same filter as that in the intranet 20, thereby eliminating dangerous access and the like. It is possible to do.

Further, when the client terminal 10 accesses the Internet 30 from outside the intranet 20 (the previous access from the outside of the intranet 20 to the intranet 20), the client terminal 10 provides restart guidance (steps A1 → A3 → A8 in FIG. 3). A11 → A19 → A20 → A24).
This is because the client terminal 10 has previously accessed the intranet 20, and if the connection to the Internet 30 is continuously permitted from the outside, information in the intranet 20 may leak to the Internet 30.

When the client terminal 10 performs network access from outside the intranet 20 (previous access from within the intranet 20), the client terminal 10 provides restart guidance regardless of the destination (steps A1 → A3 → A8 in FIG. 3). → A9 → A24).
This is because the client terminal 10 previously accessed the network from within the intranet 20, and therefore, if connection to the network from the outside is continuously permitted, information in the intranet 20 may leak through the client terminal 10. Because.

  As described above, according to the remote access system of the first embodiment and the second embodiment, the state of the client terminal 10 being used can be clearly classified according to a certain standard in the remote access system. When there is an access to the network for each state, it is possible to perform optimal processing for security.

That is, in the remote access system of the above embodiment, the state of the client terminal 10 is divided into four states (an initial state when the terminal is activated, a state in which remote connection from the intranet 20 to the Internet 30 is performed, and Remote connection state, connection state from intranet 20 to intranet 20), and for each of these states, the current network connection position information of client terminal 10 (intranet 20, Internet 30) and the previous network connection Location information (intranet 20, internet 30, no information), network connection destination information accessed this time (intranet 20, internet 30), and network connection destination information accessed last time (intranet Net 20, the Internet 30, based on no information), it is possible to determine the destination state of the client terminal 10.
For this reason, when there is an access to the network from each state, it is possible to perform optimal processing for each of them.

Further, according to the remote access system of the above embodiment, the client terminal 10 can be prevented from accessing the Internet 30 and the intranet 20 at the same time.
That is, based on the current and previous network connection location information of the client terminal 10 and the current and previous network connection destination information, the respective network connection destinations when accessing the Internet 30 and accessing the intranet 20 are determined as client It is possible to restrict the terminal 10 from accessing the Internet 30 and the intranet 20 at the same time.
For this reason, it is possible to eliminate the risk that the client terminal 10 is infected with a computer virus on the Internet 30 and the infection range extends from the client terminal 10 to the intranet 20. It is also possible to prevent information on the intranet 20 from leaking to the Internet 30 via the client terminal 10.

Further, according to the remote access system of the above embodiment, when the client terminal 10 performs network access, access to the confidential information file in the client terminal 10 can be restricted under certain conditions, and information leakage from the client terminal 10 can be prevented. It becomes possible to prevent.
That is, the confidential information file in the client terminal 10 is encrypted with a predetermined encryption key, and the encryption key is stored in the key management server on the intranet 20. For this reason, when the client terminal 10 is already connected to the Internet 30, the client terminal 10 cannot obtain the encryption key because access to the intranet 20 is not possible, and access to the confidential information file is not permitted. On the other hand, when the client terminal 10 is not connected to the Internet 30 in advance, the client terminal 10 can acquire the encryption key from the key management server on the intranet 20, and access to the confidential information file is permitted.
As a result, information leakage from the client terminal 10 can be prevented.

Further, according to the remote access system of the above embodiment, the process and memory information executed in the client terminal 10 can be isolated between the time of accessing the Internet 30 and the time of accessing the intranet 20, Information leakage from the client terminal 10 can be prevented.
That is, when the network connection destination accessed by the client terminal 10 is changed from the intranet 20 to the Internet 30, the operating system in the client terminal 10 is restarted before the communication to the Internet 30 to clear the memory information and stop the process. And the encryption key can be cleared.
As a result, the memory information that the computer virus tries to steal can be emptied, the computer virus process can be stopped, and the encrypted confidential information file can no longer be decrypted. It becomes possible to prevent.

Further, when the network connection destination accessed by the client terminal 10 is changed from the Internet 30 to the intranet 20, the operating system in the client terminal 10 is restarted before the communication to the intranet 20, and the memory information is cleared or the process is performed. You can stop.
As a result, the process of the computer virus can be stopped, the memory area used by the computer virus can be cleared, and the computer virus or the like can illegally access the intranet 20 via the client terminal 10 taken outside the company. Can be prevented.

Further, according to the remote access system of the above embodiment, when the client terminal 10 is taken out of the office and remotely connected to the intranet 20, the confidential information file is handled in the same manner as when directly connected to the intranet 20. Can do.
That is, since the encryption target file can be decrypted only when the encryption key can be downloaded from the key management server on the intranet 20 regardless of access from within the intranet 20 or access from outside the intranet 20, the client terminal Even when 10 is remotely connected to the intranet 20, the confidential information file can be handled in the same manner as when directly connected to the intranet 20.

  In addition, according to the remote access system of the above embodiment, the same filter as when accessing the Internet 30 via the intranet 20 without connecting the client terminal 10 taken outside the company to the Internet 30 via the intranet 20 is applied. This can be applied, and the network load of the intranet 20 can be reduced.

In other words, when the client terminal 10 remotely accesses the Internet 30, by using filter information that is downloaded in advance from a proxy server on the intranet 20 and set in the filter of the client terminal, it is possible to perform dangerous access. It is possible to eliminate.
For this reason, when the client terminal 10 connects to the Internet 30, it is not necessary to go through the intranet 20, and the communication load of the intranet 20 can be reduced.

It goes without saying that the remote access system of the present embodiment is not limited to the above embodiments, and various modifications can be made within the scope of the present invention.
For example, instead of the terminal activation guidance output process in the above-described embodiment, it is possible to appropriately change the configuration such as automatically restarting the client terminal 10.

  The remote access system of the present invention is preferably used for realizing high security when a device having a communication function such as a personal computer or a cellular phone is used as a business terminal connected to the intranet 20. Is possible.

It is a figure which shows four states of the client terminal in the remote access system of each embodiment of the remote access system of this embodiment. It is a block diagram which shows the structure of the remote access system of 1st embodiment of the remote access system of this embodiment. It is an operation | movement procedure figure which shows the process sequence of the network access management part in the remote access system of 1st embodiment of the remote access system of this embodiment. It is a figure which shows the terminal restart guidance screen output by the remote access system of 1st embodiment of the remote access system of this embodiment. It is an operation | movement procedure figure which shows the process sequence of the file access management part in the remote access system of 1st embodiment of the remote access system of this embodiment. It is a block diagram which shows the structure of the remote access system of 2nd embodiment of the remote access system of this embodiment. It is a figure which shows the processing content for every combination of the position of a client terminal, and the connection destination in the remote access system of 1st Embodiment and 2nd Embodiment of the remote access system of this embodiment.

Explanation of symbols

A State when the terminal is stopped B Initial state when the terminal is started C State where remote connection is made from the outside to the Internet D State where remote connection is made from the outside to the intranet E State where connection is made from the inside to the intranet 10 Client terminal 11 Security system 11a Network access management unit 11b File access management unit 11c Filter information management unit 11d Terminal connection position information management unit 11e Key information management unit 11f Reset execution unit 12 Application execution unit 13 Filter information storage unit 14 Filter 15 Encryption target file storage unit 20 Intranet 21 Proxy server 22 Filter information storage unit 23 Key management server 24 File server 25 VPN gateway 26 DHCP server 30 Internet 40 ISP

Claims (24)

A remote access system for controlling network access by an information processing apparatus connectable to the Internet and a predetermined intranet,
The information processing apparatus is
Connection position storage means for storing network connection position information for specifying whether the connection position of the current and previous network access by the information processing apparatus is the Internet or the intranet;
Connection destination storage means for storing network connection destination information for specifying whether the current and previous network access destinations by the information processing apparatus are the Internet or the intranet;
Based on the current network connection location information, the previous network connection location information, the current network connection location information, and the previous network connection location information, the information processing apparatus is simultaneously connected to both the Internet and the intranet. A remote access system comprising: a network access management unit that controls so as not to connect. The network access management unit
Based on the current network connection location information, the previous network connection location information, the current network connection location information, and the previous network connection location information, the information processing apparatus performs other information processing via the Internet. After communication with the device or during communication, the information processing device does not communicate with another information processing device via the intranet, and the information processing device is in communication with another information processing device via the intranet or during communication, The remote access system according to claim 1, wherein control is performed so as not to communicate with another information processing apparatus via the Internet. The network access management unit
If you enter a network access request that includes this network connection information,
The current network connection location information and the previous network connection location information are obtained from the network connection location information storage means, and the current network connection location information and the previous network connection location are obtained from the network connection location information storage means. Get information,
(A) When the current network connection location information is information for specifying an intranet, and the previous network connection location information is information for specifying an intranet, the information processing apparatus performs network access;
(B) When the current network connection position information is information specifying an intranet and the previous network connection position information is information specifying the Internet, network access by the information processing apparatus is not performed.
(C) The current network connection location information is information for specifying the Internet, the previous network connection location information is information for specifying the Internet, and the current network connection location information specifies an intranet. And when the previous network connection destination information is information specifying an intranet, the information processing device performs network access,
(D) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information specifies an intranet. And when the previous network connection destination information is information for specifying the Internet, network access by the information processing apparatus is not performed.
(E) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information is specifying the Internet. And when the previous network connection destination information is information specifying the Internet, perform network access by the information processing device,
(F) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information is specifying the Internet. And when the previous network connection destination information is information specifying an intranet, network access by the information processing apparatus is not performed,
(G) When the current network connection location information is information for specifying the Internet and the previous network connection location information is information for specifying an intranet, network access by the information processing apparatus is not performed. The remote access system according to claim 1 or 2. The intranet comprises a VPN gateway;
(C) The current network connection location information is information for specifying the Internet, the previous network connection location information is information for specifying the Internet, and the current network connection location information specifies an intranet. And when the previous network connection destination information is information specifying an intranet,
The remote access according to claim 3, wherein the network access management unit establishes a virtual direct connection communication line between the information processing apparatus and the VPN gateway, and performs network access by the information processing apparatus. Access system. The information processing apparatus includes a filter that sets filter information received from a proxy server in the intranet,
(E) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information is specifying the Internet. And when the previous network connection destination information is information specifying the Internet,
The network access management unit
It is determined whether or not the current network connection destination information is set as connection destination information that does not permit access to the filter. Network access by the information processing device, or
It is determined whether the current network connection destination information is set as connection destination information allowing access to the filter, and when the current network connection destination information is set as connection destination information allowing access, The remote access system according to claim 3 or 4, wherein the information processing apparatus performs network access. The information processing apparatus is
A key information management unit for storing and managing encryption key information in a key information storage means;
An encryption target file storage means for storing an encryption target file encrypted using the encryption key information;
When a file access request including a file path is input, an encryption target file corresponding to the file path is acquired from the encryption target file storage unit, and a key information acquisition request is output to the key information management unit. A file access management unit that decrypts and opens the file to be encrypted using the encryption key information when the encryption key information is input from the key information management unit, and
When the key information management unit inputs the key information acquisition request, the key information storage unit checks whether or not encryption key information is stored in the key information storage unit, and if so, stores the encryption key information in the file access management unit. If the key information acquisition request is output to the network access management unit and the encryption key information is input from the network access management unit, the encryption key information is input to the file access management unit. Output,
When the network access management unit inputs the new key information acquisition request, when performing network access to the intranet by the information processing device, the network access management unit receives encryption key information from a key management server in the intranet, and It outputs to a key information management part. The remote access system in any one of Claims 1-5 characterized by the above-mentioned. The information processing apparatus is
When a restart request is input from the network access management unit, the reset execution unit restarts the information processing apparatus,
The network access management unit
(B) the current network connection location information is information identifying an intranet, and the previous network connection location information is information identifying the Internet;
(D) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information specifies an intranet. And the previous network connection destination information is information for identifying the Internet,
(F) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information is specifying the Internet. And the previous network connection destination information is information for identifying an intranet, and
(G) When the current network connection location information is information specifying the Internet, and the previous network connection location information is information specifying the intranet,
The remote access system according to claim 3, wherein a restart request for the information processing apparatus is output to the reset execution unit. An information processing apparatus that can be connected to the Internet and a predetermined intranet,
Connection position storage means for storing network connection position information for specifying whether the connection position of the current and previous network access by the information processing apparatus is the Internet or the intranet;
Connection destination storage means for storing network connection destination information for specifying whether the current and previous network access destinations by the information processing apparatus are the Internet or the intranet;
Based on the current network connection location information, the previous network connection location information, the current network connection location information, and the previous network connection location information, the information processing apparatus is simultaneously connected to both the Internet and the intranet. An information processing apparatus comprising: a network access management unit that controls to prevent connection. The network access management unit
Based on the current network connection location information, the previous network connection location information, the current network connection location information, and the previous network connection location information, the information processing apparatus performs other information processing via the Internet. After communication with the device or during communication, the information processing device does not communicate with another information processing device via the intranet, and the information processing device is in communication with another information processing device via the intranet or during communication, The information processing apparatus according to claim 8, wherein control is performed so as not to communicate with another information processing apparatus via the Internet. The network access management unit
If you enter a network access request that includes this network connection information,
The current network connection location information and the previous network connection location information are obtained from the network connection location information storage means, and the current network connection location information and the previous network connection location are obtained from the network connection location information storage means. Get information,
(A) When the current network connection location information is information for specifying an intranet, and the previous network connection location information is information for specifying an intranet, the information processing apparatus performs network access;
(B) When the current network connection position information is information specifying an intranet and the previous network connection position information is information specifying the Internet, network access by the information processing apparatus is not performed.
(C) The current network connection location information is information for specifying the Internet, the previous network connection location information is information for specifying the Internet, and the current network connection location information specifies an intranet. And when the previous network connection destination information is information specifying an intranet, the information processing device performs network access,
(D) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information specifies an intranet. And when the previous network connection destination information is information for specifying the Internet, network access by the information processing apparatus is not performed.
(E) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information is specifying the Internet. And when the previous network connection destination information is information specifying the Internet, perform network access by the information processing device,
(F) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information is specifying the Internet. And when the previous network connection destination information is information specifying an intranet, network access by the information processing apparatus is not performed,
(G) When the current network connection location information is information for specifying the Internet and the previous network connection location information is information for specifying an intranet, network access by the information processing apparatus is not performed. The information processing apparatus according to claim 8 or 9, The intranet comprises a VPN gateway;
(C) The current network connection location information is information for specifying the Internet, the previous network connection location information is information for specifying the Internet, and the current network connection location information specifies an intranet. And when the previous network connection destination information is information specifying an intranet,
The information according to claim 10, wherein the network access management unit establishes a virtual direct connection communication line between the information processing apparatus and the VPN gateway, and performs network access by the information processing apparatus. Processing equipment. The information processing apparatus according to claim 10 or 11, comprising a filter that sets filter information received from a proxy server in the intranet,
(E) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information is specifying the Internet. And when the previous network connection destination information is information specifying the Internet,
The network access management unit
It is determined whether or not the current network connection destination information is set as connection destination information that does not permit access to the filter. Network access by the information processing device, or
It is determined whether the current network connection destination information is set as connection destination information allowing access to the filter, and when the current network connection destination information is set as connection destination information allowing access, An information processing apparatus that performs network access by an information processing apparatus. The information processing apparatus according to any one of claims 8 to 12,
A key information management unit for managing encryption key information by storing it in a key information storage means;
An encryption target file storage means for storing an encryption target file encrypted using the encryption key information;
When a file access request including a file path is input, an encryption target file corresponding to the file path is acquired from the encryption target file storage unit, and a key information acquisition request is output to the key information management unit. A file access management unit that decrypts and opens the file to be encrypted using the encryption key information when the encryption key information is input from the key information management unit, and
When the key information management unit inputs the key information acquisition request, the key information storage unit checks whether or not encryption key information is stored in the key information storage unit, and if so, stores the encryption key information in the file access management unit If the key information acquisition request is output to the network access management unit and the encryption key information is input from the network access management unit, the encryption key information is input to the file access management unit. Output,
When the network access management unit inputs the new key information acquisition request, when performing network access to the intranet by the information processing device, the network access management unit receives encryption key information from a key management server in the intranet, and An information processing apparatus that outputs to a key information management unit. An information processing apparatus according to any one of claims 10 to 13,
When a restart request is input from the network access management unit, the reset execution unit restarts the information processing apparatus,
The network access management unit
(B) the current network connection location information is information identifying an intranet, and the previous network connection location information is information identifying the Internet;
(D) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information specifies an intranet. And the previous network connection destination information is information for identifying the Internet,
(F) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information is specifying the Internet. And the previous network connection destination information is information for identifying an intranet, and
(G) When the current network connection location information is information specifying the Internet, and the previous network connection location information is information specifying the intranet,
An information processing apparatus that outputs a restart request of the information processing apparatus to the reset execution unit. A remote access program that causes an information processing device connectable to the Internet and a predetermined intranet to control network access,
The information processing apparatus;
Connection position storage means for storing network connection position information for specifying whether the connection position of the current and previous network access by the information processing apparatus is the Internet or the intranet;
Connection destination storage means for storing network connection destination information for specifying whether the current and previous network access destinations by the information processing apparatus are the Internet or the intranet; and
Based on the current network connection location information, the previous network connection location information, the current network connection location information, and the previous network connection location information, the information processing apparatus is simultaneously connected to both the Internet and the intranet. A remote access program for functioning as a network access management unit that controls to prevent connection. In the network access management unit,
Based on the current network connection location information, the previous network connection location information, the current network connection location information, and the previous network connection location information, the information processing apparatus performs other information processing via the Internet. After communication with the device or during communication, the information processing device does not communicate with another information processing device via the intranet, and the information processing device is in communication with another information processing device via the intranet or during communication, The remote access program according to claim 15 for executing control so as not to communicate with another information processing apparatus via the Internet. In the network access management unit,
When a network access request including this network connection destination information is entered,
The current network connection location information and the previous network connection location information are obtained from the network connection location information storage means, and the current network connection location information and the previous network connection location are obtained from the network connection location information storage means. Get information,
(A) When the current network connection location information is information for specifying an intranet and the previous network connection location information is information for specifying an intranet, the information processing apparatus performs network access;
(B) When the current network connection location information is information for specifying an intranet and the previous network connection location information is information for specifying the Internet, network access by the information processing apparatus is not performed. ,
(C) The current network connection location information is information for specifying the Internet, the previous network connection location information is information for specifying the Internet, and the current network connection location information specifies an intranet. And when the previous network connection destination information is information for specifying an intranet, network access by the information processing apparatus is performed.
(D) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information specifies an intranet. And when the previous network connection destination information is information specifying the Internet, without performing network access by the information processing apparatus,
(E) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information is specifying the Internet. And when the previous network connection destination information is information specifying the Internet, the information processing device performs network access,
(F) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information is specifying the Internet. And when the previous network connection destination information is information specifying an intranet, network access by the information processing apparatus is not performed,
(G) When the current network connection location information is information for identifying the Internet and the previous network connection location information is information for identifying an intranet, network access by the information processing apparatus is not performed. The remote access program according to claim 15 or 16, for executing the operation. The intranet comprises a VPN gateway;
(C) The current network connection location information is information for specifying the Internet, the previous network connection location information is information for specifying the Internet, and the current network connection location information specifies an intranet. And when the previous network connection destination information is information specifying an intranet,
18. The network access management unit for causing the information processing apparatus to perform network access by establishing a virtual direct connection communication line between the information processing apparatus and the VPN gateway. Remote access program. Causing the information processing apparatus to function as a filter in which filter information received from a proxy server in the intranet is set;
(E) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information is specifying the Internet. And when the previous network connection destination information is information specifying the Internet,
In the network access management unit,
If the current network connection destination information is set as connection destination information that does not allow access to the filter, and if the current network connection destination information is not set as connection destination information that does not allow access, Network access by the information processing device, or
When it is determined whether the current network connection destination information is set as connection destination information allowing access to the filter, and the current network connection destination information is set as connection destination information allowing access, The remote access program according to claim 17 or 18, for executing network access by an information processing apparatus. The information processing apparatus;
A key information management unit for storing and managing encryption key information in a key information storage means;
An encryption target file storage means for storing an encryption target file encrypted using the encryption key information; and
When a file access request including a file path is input, an encryption target file corresponding to the file path is acquired from the encryption target file storage unit, and a key information acquisition request is output to the key information management unit. When the encryption key information is input from the key information management unit, the encryption key information is used to decrypt and open the file to be encrypted and function as a file access management unit.
When the key information acquisition request is input to the key information management unit, the key information storage unit confirms whether or not encryption key information is stored in the key information storage unit. If it is output to the management unit and is not stored, a new key information acquisition request is output to the network access management unit, and the encryption key information is input from the network access management unit. Output to
When the new key information acquisition request is input to the network access management unit, when performing network access to the intranet by the information processing apparatus, encryption key information is received from a key management server in the intranet. The remote access program according to any one of claims 15 to 19, for causing the key information management unit to execute the output. The information processing apparatus;
When a restart request is input from the network access management unit, it functions as a reset execution unit that restarts the information processing apparatus,
In the network access management unit,
(B) the current network connection location information is information identifying an intranet, and the previous network connection location information is information identifying the Internet;
(D) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information specifies an intranet. And the previous network connection destination information is information for identifying the Internet,
(F) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information is specifying the Internet. And the previous network connection destination information is information for identifying an intranet, and
(G) When the current network connection location information is information specifying the Internet, and the previous network connection location information is information specifying the intranet,
The remote access program according to any one of claims 17 to 20, for causing the reset execution unit to output a restart request of the information processing apparatus. A remote access method for controlling network access by an information processing apparatus connectable to the Internet and a predetermined intranet,
Connection location storage means for storing network connection location information specifying whether the connection location of the current and previous network access by the information processing device is the Internet or the intranet, and current and previous time by the information processing device A network access management unit in the information processing apparatus including connection destination storage means for storing network connection destination information for specifying whether the network access destination is the Internet or the intranet,
Based on the current network connection location information, the previous network connection location information, the current network connection location information, and the previous network connection location information, the information processing apparatus is simultaneously connected to both the Internet and the intranet. A remote access method characterized by controlling so that it cannot be connected. The network access management unit
Based on the current network connection location information, the previous network connection location information, the current network connection location information, and the previous network connection location information, the information processing apparatus performs other information processing via the Internet. After communication with the device or during communication, the information processing device does not communicate with another information processing device via the intranet, and the information processing device is in communication with another information processing device via the intranet or during communication, The remote access method according to claim 22, wherein control is performed so as not to communicate with another information processing apparatus via the Internet. The network access management unit
If you enter a network access request that includes this network connection information,
The current network connection location information and the previous network connection location information are obtained from the network connection location information storage means, and the current network connection location information and the previous network connection location are obtained from the network connection location information storage means. Get information,
(A) When the current network connection location information is information for specifying an intranet, and the previous network connection location information is information for specifying an intranet, the information processing apparatus performs network access;
(B) When the current network connection position information is information specifying an intranet and the previous network connection position information is information specifying the Internet, network access by the information processing apparatus is not performed.
(C) The current network connection location information is information for specifying the Internet, the previous network connection location information is information for specifying the Internet, and the current network connection location information specifies an intranet. And when the previous network connection destination information is information specifying an intranet, the information processing device performs network access,
(D) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information specifies an intranet. And when the previous network connection destination information is information for specifying the Internet, network access by the information processing apparatus is not performed.
(E) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information is specifying the Internet. And when the previous network connection destination information is information specifying the Internet, perform network access by the information processing device,
(F) The current network connection location information is information specifying the Internet, the previous network connection location information is information specifying the Internet, and the current network connection location information is specifying the Internet. And when the previous network connection destination information is information specifying an intranet, network access by the information processing apparatus is not performed,
(G) When the current network connection location information is information for specifying the Internet and the previous network connection location information is information for specifying an intranet, network access by the information processing apparatus is not performed. 24. The remote access method according to claim 22 or 23.

Images