JP3587633B2 - Network communication method and apparatus - Google Patents

Description

[0001]
TECHNICAL FIELD OF THE INVENTION
The present invention relates to a communication method and apparatus for a virtual network that relays application communication in a network communication system that performs communication between a client and a server in an environment in which a plurality of firewalls intervene.
[0002]
[Prior art]
Conventionally, there is socks V5 proposed in RFC1928 as a proxy server that relays communication between a client and a server in an environment where a firewall is interposed.
[0003]
Socks defines a socks protocol that realizes mutual authentication between a client and a relay server and a connection command to the relay server, and can realize communication between the client and the server beyond one firewall.
[0004]
As a mechanism for dynamically exchanging relay route information in the IP layer, there are gateway protocols such as RIP (Routing Information Protocol: RFC1058) and OSPF (Open Shortest Path First: RFC1131).
[0005]
[Problems to be solved by the invention]
With the spread of the Internet, cooperation between business units and companies via the Internet and a network environment compatible with remote offices / telecommuting workers are required. In such a network environment, security threats such as intrusion into the corporate network from the outside and eavesdropping of data in the external network have become problems. For this reason, a firewall has been devised as a security tool for preventing intrusion into a corporate network from the outside. The firewall conceals information such as the configuration of the network to be protected from the outside and executes access control based on the authentication of the communication entity at the boundary of the network, thereby preventing intrusion from the outside and preventing communication of legitimate users. Has a function to enable.
[0006]
In IETF, in order to prevent data eavesdropping in the external network in communication between two networks connected by the external network, encryption / encryption of communication packets between firewalls or routers at the boundary between the respective networks and the external network. A method for performing decoding has been proposed. By using this method, it is possible to realize a VPN (Virtual Private Network) that is a technology for making the Internet appear as a virtual corporate network.
[0007]
As described above, in the corporate network using the Internet, the firewall plays an important role in security, and an internal firewall is being installed in the corporate network for the purpose of protecting the sub-network. Communication in such an environment with multiple firewalls has several problems. For example, when communication from an external network computer is performed through an internal firewall that protects a subnetwork, the external firewall and the internal firewall need to relay the communication.
[0008]
However, since the route information to the internal firewall that performs the relay is hidden in the external network, it is necessary to acquire the route information by some method.
[0009]
FIG. 1 is an example of the above problem. When the client 101 communicates with a server in the company A network 106, the external firewall 102 relays the communication. In the communication with the server 104 in the company A network 106, the external firewall 102 can obtain the route information to the server 104, so that the communication can be performed. However, in communication with the server 105 in the subnetwork 107, since the server 105 is hidden by the internal firewall 103, the external firewall 102 cannot obtain the route information to the server 105 and perform communication. Can not. Further, in communication between two networks connected by an external network, a VPN cannot be formed between the respective internal firewalls unless route information for specifying the internal firewall is set for the external firewall.
[0010]
FIG. 2 is an example of the above problem. By registering the firewall 206 in the firewall 205 as a path to the server 202, the client 201 in the network 210 can communicate with the server 202 in the network 2111 by VPN. However, when the server 204 is located in the sub-network 214 inside the network 213, the internal firewall 209 cannot be registered in the firewall 207 because the route is hidden by the firewall 208.
[0011]
Therefore, an object of the present invention is to solve the above two problems by providing a virtual network environment in which a user can use a communication application without being aware of a relay route even when a plurality of firewalls are interposed. I do.
[0012]
[Means for Solving the Problems]
In order to solve the above problems, in the present invention, a communication client program on a client and a communication relay program for relaying communication of a communication server program of a server are started on a relay server such as a firewall, and data is transmitted to the client and the relay server. A route information table for controlling the relay route is provided, and the communication client program on the client executes the process of connecting to the server which cannot be directly connected by the firewall.
(1) It is in the middle of the route to the target server, and
(2) a process of selecting a relay server communicable from the client from the data relay control table;
A connection is made with the relay program of the relay server determined by the above process, and a process of requesting the relay server to relay communication with the communication server program on the server is executed.
[0013]
Therefore, the relay program on the relay server has a function of relaying communication between the communication client program of the client and the communication server program on the server based on the request content of the communication client program on the client. Further, the relay program on the relay server, in the process of connecting to the server that cannot be directly connected by the firewall, like the communication client program of the client,
(1) It is in the middle of the route to the target server, and
(2) a process of selecting a relay server communicable from the client from the data relay control table;
A connection is made with the relay program of the relay server determined by the above process, and a process of requesting the relay server to relay communication with the communication server program on the server is executed.
[0014]
In the virtual network configuration method and apparatus according to the present invention, a communication between a client and a server is relayed by using a communication relay server arranged on a network, and the client and the relay server have a path information table for controlling a data relay path. The client communication program and the relay server relay program
(1) It is in the middle of the route to the target server, and
(2) a process of selecting a relay server communicable from the client from the data relay control table;
Is executed from the data relay control table to secure the communication path, so that the client user can use the communication application without being aware of the relay path even if a plurality of firewalls are interposed.
[0015]
BEST MODE FOR CARRYING OUT THE INVENTION
One embodiment of the present invention will be described with reference to FIGS. 3 to 7. FIG. FIG. 3 is a diagram showing an outline of a virtual network configuration method and device of this method. 301 and 302 are server computers, 303 is a client computer, 304 to 306 are firewall / relay servers, 307 and 308 are local segments, 309 is a backbone segment, 310 is the Internet, 311 and 312 are network subdomains protected by firewalls 313 Is the network domain. When executing communication from the client computer 303 to the server computer 301, the firewall / relay servers 306 and 304 relay the communication.
[0016]
FIG. 4 is a diagram showing a configuration of a client used in the virtual network configuration method and apparatus of the present method and a computer used in the relay server. 41 is a memory, 411 is a relay route information storage area, 412 is a communication data storage area, 413 is a program load area, 42 is a bus, 43 is a CPU, 44 is an external storage device, 441 is a communication program, and 442 is a data relay control program. , 443 is a relay route table, and 45 is a communication I / O.
[0017]
FIG. 5 is a flowchart showing an outline of a communication client program in which the client computer 303 communicates with the server computer 301 in the virtual network configuration method and apparatus of the present system. Step 501 is a step of specifying the firewall / relay server 306 that relays to the communication address of the server computer 301 with reference to the relay path table 442. Step 502 is a step of determining whether the firewall / relay server needs to be relayed. Step 503 is a process in the case where relaying by the firewall / relay server is required, and is a step of connecting to the firewall / relay server 306. Step 504 is a process in the case where relaying by the firewall / relay server is unnecessary. The step of directly connecting to the computer, the step 505 is a step of notifying the firewall / relay server 306 of the communication address of the server computer 301, and the step 506 is a step of the firewall / relay server 306. The step of receiving the result of the connection processing with the server that has been performed, the step 507 is a step of judging from the content received in the step 506 whether or not the other party connected to the firewall / relay server 306 is a server, and the step 508 is a step in which the server computer 301 This is the step of transmitting and receiving communication data. This flow is common to all communication programs 441 operating on the client computer 303. For example, in the case of a UNIX OS, the above functions can be incorporated in a communication library.
[0018]
FIG. 6 is a flowchart schematically showing a relay program 442 in which the relay server 306 relays communication to the server computer 301 in the virtual network configuration method and apparatus of the present method. Step 601 is a step of waiting for a relay request from the communication client program of the client computer 303, Step 602 is a step of receiving the communication address of the server computer 301 from the client computer 303, and Step 603 is a step of receiving the communication address of the server computer 301. The step of identifying whether the firewall / relay server 304 which performs the relay of the firewall / relay server 304 is required by referring to the relay route table 442, the step 604 is a step of determining whether the relay of the firewall / relay server is necessary, and the step 605 is a step of determining whether the relay / relay server is required. Is a step in which connection to the firewall / relay server 304 is performed, and step 606 is a processing in the case where relay by the firewall / relay server is not required. , Step, step 607 for connecting to the server computer directly, a step for transmitting and receiving communication data with the server computer 301.
[0019]
FIG. 7 is a diagram showing the contents of a route information table 422 used in the virtual network configuration method and apparatus of the present system and an example of a network. 71 is a fictitious domain food. co. jp is a network example. food. co. jp domain is a subdomain of fruit. food. co. jp domain, and vegetable. food. co. jp domain and a firewall / relay server with an external network. food. co. jp and the server computer super. food. co. jp.
[0020]
food. co. jp subdomain fruit. food. co. jp domain is a firewall / relay server outside the domain lemon. fruit. food. co. jp and the server computer kiwi. fruit. food. co. jp and the client computer cherry. fruit. food. co. jp. food. co. jp subdomain veg-table. food. co. jp domain is a firewall / relay server potato. vegetable. food. co. jp and the server calculator carrot. vegetable. food. co. jp. 72 is fruit. food. co. jp domain client computer cherry. fruit. food. co. In the figure showing the configuration of the relay route table for jp, a domain name description field 721 specifying a domain that requires relay and a relay server name description field 722 specifying a firewall / relay server that relays to the domain are specified. Have.
[0021]
The domain name description field 721 can use a negation operator “$” as a description for expressing a part other than the described domain name. For example, “@ fruit.food.co.jp” represents “a domain other than the fruit.food.co.jp domain”. In the relay route table 72, a record 723 indicating that "lemon.fruit.food.co.jp relays except for the fruit.food.co.jp domain" is registered. Similarly, 73 is fruit. food. co. jp domain relay server lemon. fruit. food. co. FIG. 7 is a diagram showing the configuration of a relay route table for jp, where a record 731 indicating that “potato.vegetable.food.co.jp relays to the vegetable.food.co.jp domain” and “food.co.jp”. A record 732 indicating that “other than the domain is relayed by dinner.food.co.jp” is registered.
[0022]
Client computer cherry. fruit. food. co. jp is the server computer kiwi. fruit. food. co. jp, the relay route control table 72 is evaluated, and kiwi determines that fruit. food. co. Because it is a server computer in the jp domain, a direct connection is made. As another case, the client computer “cherry. fruit. food. co. jp is the server computer super. food. co. jp, the relay route control table 72 is evaluated, and the super is determined to be fruit. food. co. jp. Since it is a server computer outside the domain, lemon. fruit. food. co. jp for relay. Relay server lemon. fruit. food. co. jp evaluates the relay route control table 73, and the super is “vegetable. food. co. jp server outside the domain, and food. co. jp, so that a direct connection is made. As still another case, the client computer “cherry. fruit. food. co. When jp communicates with a server on the external network, the relay network control table 72 is evaluated, and the server on the external network determines that the fruit. food. co. jp because it is a server computer outside the domain. fruit. food. co. jp for relay. At this time, the relay server lemon. fruit. food. co. jp evaluates the relay route control table 73, and the server of the external network determines whether or not “vegetable. food. co. jp server outside the domain, and food. co. jp. food. co. jp for relay. Relay server dinner. food. co. jp is also Lemon. fruit. food. co. In the same way as jp, the relay route control table is evaluated, and the connection method with the server is determined.
[0023]
In FIG. 7, the domain and the relay server in the relay route table are described by the domain name and the host name in DNS, but this description can also be made by specifying the IP address and the netmask.
[0024]
The basic virtual network configuration method and apparatus of the present system have been described above. If mutual authentication is performed in step 505 of the schematic flowchart of the client computer side communication program 441 and step 602 of the schematic flowchart of the relay server side relay program 442, It is possible to prevent impersonation of both the client computer and the relay server. FIG. 8 is a diagram showing a system configuration for realizing the above functions. The client computer 303 and the firewall / relay servers 304 and 306 have authentication information tables 81 to 83 for storing authentication-related information of computers that perform mutual authentication with the own computer. Each of the authentication information tables 81 to 83 has an ID field 813 of the authentication partner computer and a shared information field for authentication 814. The authentication information table 81 has an entry 811 including the ID of the firewall / relay server 306 and the shared information for authentication 84, and an entry 812 including the ID of the firewall / relay server 304 and the shared information for authentication 85. The authentication information table 82 has an entry 821 including the ID of the client computer 303 and the shared information for authentication 84. The authentication information table 83 has an entry 831 including the ID of the client computer 303 and the shared information for authentication 85. The communication program 441 of the client computer 303 performs a search using the ID of the firewall / relay server that performs mutual authentication acquired in step 501 or step 506 as a key, and from the authentication information table 81, the shared information for authentication with the firewall / relay server. And execute a mutual authentication process. The relay program 442 of the firewall / relay server 306 performs a search using the ID of the client computer obtained in step 602 as a key, obtains shared information for authentication with the client computer from the authentication information table 82, and executes a mutual authentication process. I do. Here, the communication program 441 of the client computer 303 executes authentication processing with the relay program 442 of the firewall / relay server 306, and if the authentication processing is successful, further executes the authentication processing with the relay program 442 of the firewall / relay server 304. However, if the authentication process is successful, security can be enhanced by establishing a connection with the server 301. In the mutual authentication processing, for example, if the authentication shared information 84, 85 is a common key in a shared key encryption method, an ISO / IEC9798 authentication method can be used.
[0025]
It is also possible to use authentication using a public key cryptosystem. When this authentication process is used, information for encrypting communication data can be exchanged between the client computer and the firewall / relay server. In this figure, since the client computer 303 can exchange information for encryption with the firewall / relay server 306 and 304, it is possible to exchange information between the client computer 303 and the firewall / relay server 306 or between the client computer 303 and the firewall / relay server 306. Data encryption can be performed between the relay servers 304.
[0026]
FIG. 9 is a diagram showing another method of mutual authentication in the virtual network configuration method and apparatus of the present method. The authentication information table 91 of the client computer 303 has an entry 911 including the ID of the firewall / relay server 306 and the authentication shared information 94. The authentication information table 92 of the firewall / relay server 306 includes an entry 921 including the ID of the client computer 303 and the shared information for authentication 94, and an entry 922 including the ID of the firewall / relay server 304 and the shared information 95 for authentication. Have. The authentication information table 93 of the firewall / relay server 304 has an entry 931 including the ID of the firewall / relay server 306 and the shared information 95 for authentication. The communication program 441 of the client computer 303 executes a mutual authentication process with the firewall / relay server 306 connected in step 503. The firewall / relay server 306 performs mutual authentication with the client computer 303 connected in step 602 and the firewall / relay server 304 connected in step 605. As in FIG. 8, when this authentication processing is executed, data encryption can be performed between the client computer 303 and the firewall / relay server 306 or between the firewall / relay server 306 and the firewall / relay server 304. it can.
[0027]
FIG. 10 is a diagram illustrating a method of updating the relay route information in the virtual network configuration method and device of the present method. 1001 is a fictitious domain food. co. jp is a network example. food. co. jp domain as a subdomain, fruit. food. co. jp domain, and a firewall / relay server dinner. food. co. jp and the server computer super. food. co. jp. food. co. jp subdomain fruit. food. co. jp domain is a firewall / relay server outside the domain lemon.jp. fruit. food. co. jp and banana. fruit. food. co. jp and the server computer kiwi. fruit. food. co. jp and apple. fruit. food. co. jp, and the client computer cherry. fruit. food. co. jp. dinner. food. co. jp is stored in the relay route table 1002 from the client of the external network. food. co. The entry for relaying access to the jp domain is lemon. fruit. food. co. jpn designated as a firewall / relay server; fruit. food. co. There is an entry 1022 that specifies jp as a firewall / relay server. Firewall / relay server lemon. fruit. food. co. jp and banana. fruit. food. co. jp periodically stores each of the entries 1021 and 1022 in a diner. food. co. jp., and send to dinner.jp. food. co. jp can update the relay route information dynamically by updating the relay route table 1002 based on the information. Further, a priority field 1025 is provided in the relay route table 1002, and the firewall / relay server lemon. fruit. food. co. jp and banana. fruit. food. co. j is, for example, a priority set according to the load situation, which is set to dinner. food. co. jp. to send to the dinner. food. co. jp is fruit. food. co. The firewall / relay server used for communication with the jp domain can be changed. In addition, by describing the server name in the domain name description field 1023, the firewall / relay server used for relay can be changed for each server. For example, when the domain name description field 1023 of the entry 1021 is set to kiwi. fruit. food. co. jp, add the domain name description field 1023 of entry 1022 to apple. fruit. food. co. jp, so that kiwi. fruit. food. co. jp is sent to lemon. fruit. food. co. jp is an apple. fruit. food. co. jp is sent to banana. fruit. food. co. jp will relay each.
[0028]
FIG. 11 is a diagram illustrating an example of a communication infrastructure conversion function in the virtual network configuration method and device of the present scheme. 1101 is a client computer, 1102 is a firewall / relay server, 1111 is a communication client program, 1121 is a data relay control program, 1103 is a server computer, 1131 is a server program, 1104 is an IPV4-compatible communication module, and 1105 is an IPV6-compatible communication module. Reference numeral 1106 denotes an IPv4 network, and 1107 denotes an IPv6 network. The client computer 1101 uses the IPV4 compatible communication module 1104 to perform communication according to the IPV4 protocol. Further, the server computer 1103 performs communication according to the IPV6 protocol using the communication module 1105 corresponding to the IPV4.
[0029]
Therefore, the client computer 1101 and the server computer 1103 cannot perform direct communication. However, by using the data relay control program 1121 in the firewall / relay server 1102 having the IPV4 communication module 1104 and the IPV6 communication module 1105, communication can be performed between the client computer 1101 and the server computer 1103. become. In FIG. 11, conversion between IP V4 and IP V6 was performed as an example of the communication infrastructure, but by using an appropriate relay program and a relay path table, Apple Talk, SNA, IPX, etc. can be used as the communication infrastructure. It is also possible to use.
[0030]
【The invention's effect】
As is apparent from the above description, according to the present invention, even when relay route information is concealed by a plurality of firewalls, network communication that allows a user of a client to use a communication application without being aware of a relay route. A method and apparatus can be obtained.
[Brief description of the drawings]
FIG. 1 is a diagram showing a conventional network configuration.
FIG. 2 is a diagram showing another conventional network configuration.
FIG. 3 is a network configuration diagram showing one embodiment of the present invention.
FIG. 4 is a block diagram illustrating an example of a configuration of a client and a relay server.
FIG. 5 is a flowchart showing a processing operation of the client computer.
FIG. 6 is a flowchart illustrating a processing operation of the relay server.
FIG. 7 is a diagram illustrating an example of a route information table.
FIG. 8 is a diagram showing an embodiment of an authentication system used in the present invention.
FIG. 9 is a diagram showing another embodiment of the authentication system used in the present invention.
FIG. 10 is a diagram illustrating an example of dynamic route control.
FIG. 11 is a diagram showing a main part of another embodiment of the present invention.
[Explanation of symbols]
101. . . Client computer, 102. . . External firewall, 103. . . Internal firewall, 104. . . Server, 105. . . Server, 106. . . Company A network, 107. . . Subnetwork, 201. . . Client computer, 202. . . Server computer, 203. . . Client computer, 204. . . Server computer, 205. . . Firewall, 206. . . Firewall, 207. . . Firewall, 208. . . Firewall, 209. . . Internal firewall, 210. . . Network, 211. . . Network, 212. . . Network, 213. . . Network, 214. . . Subnetwork, 215. . . External network, 216. . . External network, 301. . . Server computer, 302. . . Server computer, 303. . . Client computer, 304. . . 305. Firewall / relay server . . 306. Firewall / relay server . . 307. firewall / relay server . . Local segment, 308. . . Local segment, 309. . . Backbone segment, 310. . . Internet, 311. . . Network subdomain, 312. . . Network subdomain, 313. . . Network domain, 41. . . Memory, 411. . . 412. Relay route information storage area . . Communication data storage area, 413. . . Program load area, 42. . . Bus, 43. . . CPU, 44. . . External storage device, 441. . . Communication program, 442. . . Data relay control program, 443. . . Relay route table, 45. . . Communication I / O, 501. . . Relay server identification processing, 502. . . 503. relay processing necessity determination processing; . . Relay server connection processing, 504. . . Server connection processing, 505. . . Server address notification processing, 506. . . Relay processing result reception processing, 507. . . Server connection determination processing, 508. . . Communication data transmission / reception processing; . . Waiting for client communication request, 602. . . Server address reception processing, 603. . . Relay server identification processing, 604. . . Processing for determining necessity of relay processing, 605. . . Relay server connection processing, 606. . . Server address notification processing, 607. . . Server connection processing, 71. . . Network example, 72. . . Relay route table, 721. . . Domain name description field, 722. . . Relay server name description field, 723. . . Entry, 731. . . Entry, 732. . . Entry, 81. . . Authentication information table, 811. . . Authentication information entry, 812. . . Authentication information entry, 813. . . Authentication partner computer ID field, 814. . . 82. Authentication shared information field . . Authentication information table, 821. . . Authentication information entry, 83. . . Authentication information table, 831. . . Authentication information entry, 84. . . Shared information for authentication, 85. . . Shared information for authentication, 91. . . Authentication information table, 911. . . Authentication information entry, 92. . . Authentication information table, 921. . . Authentication information entry, 922. . . Authentication information entry, 93. . . Authentication information table, 931. . . Authentication information entry, 94. . . Shared information for authentication, 95. . . Shared information for authentication, 1001. . . Network example, 1002. . . Relay route table, 1021. . . Entries, 1022. . . Entry, 1023. . . Domain name description field, 1024. . . Relay server name description field, 1025. . . Priority description field, 1101. . . Client computer, 1102. . . Firewall / relay server, 1111. . . Communication client program, 1121. . . Data relay control program, 1103. . . Server computer, 1131. . . Server program, 1104. . . IPV4 compatible communication module, 1105. . . IPV6-compatible communication module, 1106. . . IPV4 network, 1107. . . IP V6 network

Claims (7)

In a network having a plurality of relay devices between a client device and a server device for hiding relay route information to the server device from a preceding device, a network between the client device, the plurality of relay devices, and the server device is provided. A communication system in which the client device communicates with the server device by establishing a connection with
Each of the relay devices and the client device,
A relay path control table storing the identification information of the server device and the identification information of the next device to be connected when transmitting a connection request to the server device, in association with each other;
Each of the relay devices is
In response to a connection request to the server device by the client device received from the client device or the preceding relay device, which is a preceding device, the connection request to the server device is referred to by referring to the relay route control table. Means for determining a next-stage device based on the identification information of the server device included in
A means for connecting to the next-stage relay device when the next-stage device is any of the relay devices;
Means for notifying to the preceding device that connection to the next-stage relay device has been established;
Means for, in response to the notification to the preceding device, transferring a connection request to the server device newly received from the preceding device to the connected next relay device;
Means for receiving, from the next-stage relay device, the result of the transferred connection request to the server device and transferring the result to the preceding-stage device;
In response to the result of the connection request to the server device transferred to the preceding device, a connection request to the server device newly received from the preceding device is transmitted to the connected next relay device. Means for transferring,
The client device comprises:
At the time of a connection request to the server device, the relay route control table is referred to, and based on the identification information of the server device, a next-stage relay device to which a connection request to the server device is to be transmitted is selected. Means for connecting to the next-stage relay device,
Means for transmitting a connection request to the server device to the connected next relay device;
Means for receiving a result of the connection request to the server device and determining whether or not the server device has been connected;
If the determination result indicates that the connection is made to one of the relay devices instead of the server device, a connection request to the server device is transmitted again to the connected next-stage relay device. Means,
A communication system comprising: The communication system according to claim 1, wherein
The client device and the relay device,
To perform authentication with the other is a device wherein the server apparatus or another relay device, an authentication information table information for authentication and identification information identifying the other device and stored in association,
Characterized in that when receiving a connection request to the containing identification information the server device, by using the authentication information table, and means for performing authentication with the other apparatus identified by said identification information Communication system. The communication system according to claim 2, wherein
Wherein the authentication information table which the client device comprises has identification information for authentication and the relay device respectively the authentication information,
The authentication information table, the communication system characterized by having said client device and identification information for authentication and the authentication information by the relay device each comprising. The communication system according to claim 2, wherein
Wherein the authentication information table which the client device comprises includes the authentication information and identification information for authenticating the next stage relay apparatus,
Communication system wherein the authentication information table, characterized by having a identification information for authenticating the other adjacent device and authentication information by the relay apparatus. The communication system according to claim 1, wherein
The client device and any of the relay devices
Means for sharing data encryption information,
Means for performing encrypted communication of data using the shared encryption information. The communication system according to claim 1, wherein
The client device and the relay device,
Means for sharing data encryption information between adjacent devices,
Means for performing encrypted communication of data using the shared encryption information. The communication system according to claim 1, wherein
The relay route control table of one of the client device and the relay device is
Priority information that gives priority to the stored information is further stored,
Any of the above devices,
Means for transmitting information for changing the priority of information stored in the relay path control table of another device;
Means for changing the priority of the information stored in the relay route control table based on the priority change information received from another device,
The communication system according to claim 1, wherein the means for selecting the relay device of any one of the devices selects another device using the priority information stored in the relay path control table.

Images