JPH1132088A - Network system - Google Patents

Abstract

(57) [Summary] [PROBLEMS] An AP that uses a dynamically assigned communication port is transmitted between networks partitioned by FW.
To work without change. An ISP connected to an intranet protected by an FW and an ESP connected to the Internet not protected by an FW.
Is provided. A communication path is established between the ESP and the ISP, and the ISP
Distributes access information from ESP to ESP.
Is relayed on the communication path between the ESP and the ISP. [Effect] The development cost of the FW system can be reduced, and detailed access control can be performed for each AP.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a network system, and more particularly, to a network system such as an intranet or the Internet, in which various application programs (hereinafter referred to as "AP") which are already used are used without modification. And a highly secure network system capable of performing secure communication.

[0002]

2. Description of the Related Art A FW (Fire Wall) is a conventional technique that can improve the security of a network system by preventing unauthorized access to a network.
Construction techniques are known. This FW construction technology includes an application gateway (hereinafter, referred to as APGW),
A circuit gateway (hereinafter, referred to as SCGW), a packet filter, and the like are known.

[0003] As a conventional technique relating to a packet filter, for example, a technique described in Japanese Patent Application Laid-Open No. Hei 5-327717 is known. This prior art is to filter a packet by a set of a terminal address and a port number. Further, as a conventional technique related to SCGW,
"SOCK Protocol Vers in Internet-Drafts
The technique described in Ion 5 "is known.

[0004] In addition, there is also known a FW that can construct a VPN for encrypting a communication path in order to prevent not only unauthorized access to the network as described above but also wiretapping and falsification of data on the network. As a technique for realizing this, it is also known to construct a VPN using a tunnel technique.

[0005]

The above-described SCGW FW replaces an AP whose communication port is not fixed with an existing AP.
Cannot be realized without modification, and the packet filter FW used in combination with the APGW can support an AP whose communication port is not fixed. APG
W must be used, and the development cost is high and the performance is inferior.

SUMMARY OF THE INVENTION An object of the present invention is to solve the above-mentioned problems of the prior art, and to use an AP whose communication port is not fixed and uses an existing AP without modification in a network system using an SCGW type FW. An object of the present invention is to provide a network system capable of realizing an access check function provided in a FW, having a low development cost and a security performance not inferior in performance.

Another object of the present invention is to provide a network system capable of easily realizing the VPN construction of various individual APs using the aforementioned dynamic ports.

[0008]

SUMMARY OF THE INVENTION According to the present invention, the object is to provide a specific accessible port in the FW, in order to achieve the above-mentioned object without changing the AP interface, APs authorized using ports
This is achieved by providing the following two means for transferring the data. That is, the first means is a relay means for establishing a communication path using the port in a manner sandwiching the FW, and relaying the AP data using the communication path. Recognize the dynamic port notification to be notified to use the port, check the access authority of the AP that has notified the notification, and if the AP is permitted, use the relay unit to transmit the AP data using the subsequent dynamic port. It is a means to switch to the existing communication. Preferably, the relay means is provided with means for encrypting the AP data.

According to the present invention, by providing the above-described configuration, the relay means can access the AP using the FW accessible port.
To transfer data, the AP using the dynamic port can be used without modification, and the access check can be performed by switching only the permitted AP data to the communication using the relay means. It is possible to do.

[0010] Further, by encrypting the communication path of the above-mentioned relay means, a VPN via the FW can be realized in the AP using the dynamic port.

[0011] According to the present invention, the above object is specifically,
A client computer connected to an interconnected computer network, and a server computer connected to the computer network via a general-purpose access check device and connected to a protected network, wherein the server computer and the client computer In a computer network system that performs data communication with an AP,
A first data communication unit connected to a network protected by the general-purpose access check device; a second data communication unit connected to a network not protected by the general-purpose access check device; 2
Means for establishing a data transfer path between the data communication means, and means for communicating with the second data communication means to transfer data of the specific AP without changing the specific AP on the client computer Data relay means for relaying the data of the specific AP using a data transfer path between the first communication means and the second communication means; and data of the specific AP based on the data content of the specific AP. Means for controlling the relay means.

Various modifications of the configuration for achieving the object of the present invention will be described in detail in the description of the embodiments of the present invention.

[0013]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Embodiments of a network system according to the present invention will be described below in detail with reference to the drawings.

FIG. 1 is a block diagram showing a configuration example of a network system according to a first embodiment of the present invention.
This is a network system configured by connecting the Internet and an intranet via W. In FIG. 1, reference numeral 100 denotes an internal security acting server (Intra Sec).
urity proxy: hereinafter referred to as ISP); 101, an external security proxy server (hereinafter referred to as ESP); 102, FW; 103, router (hereinafter, referred to as R); 104, Internet provider (hereinafter, referred to as P) , 105 is a client computer,
106 is a server computer, 110 is an intranet, 11
1 is the Internet, 112 is the public telephone network (Public Te)
lephone Network: PTN).

In the network system configured as shown in FIG. 1, in the client computers 105a, 105
05b (when it is not necessary to distinguish between the two, simply described as 105) is the P104 connected to the PTN 112, the Internet 111, R103a, FW102, R103b.
Server computer 106 in the intranet 110 via the
To access. In the access from the client computer 105 to the server computer 106, the FW 102 relays only valid access. In addition, R103a, 10
3b (only when it is not necessary to distinguish between the two, it is simply described as 103) connects networks and distributes data packets. In the illustrated network system, in order to strengthen protection against access to the intranet 110, the FW 102 and the R103
And connect through.

FW102 and R103 on the Internet side
The ESP 101 is connected to the segment connected to a. The ISP 100 is connected to a segment inside the FW 102. ISP100 and E
The SP 101 and the SP 101 cooperate to complement the access check function of the FW 102. FW102, client 105, server 106, ESP101, ISP100
Are configured by a well-known computer system including a CPU and a memory.

FIG. 2 is a diagram for explaining the software structure of the client computer 105, which will be described below.

In FIG. 2, reference numeral 200 denotes a client A
P, which is a communication program for performing various processes. Specifically, the client AP is a program that performs file transfer, Telnet, network chat, or other business processing, and operates on the OS 203. The OS 203 controls the communication protocol and takes charge of data transmission / reception processing on the Internet 111.
CP / IP processing 206 and P104 via PTN 112
And a PPP process 207 which is in charge of data transmission / reception processing.

Further, the client computer 105 includes a socket process 202 for processing an interface between the client AP 200 and the TCP / IP process 203. In the conventional processing, the client AP 200 directly calls the socket processing 202, but in the present invention, the socket hook processing 201 is provided as middleware between the socket processing 202 and the client AP 200. Further, the first embodiment of the present invention has a provider access process 205 for activating a PPP process 207 with a target P104 as an auxiliary application.
Modem driver 204 for controlling transmission on PTN 112
including.

The socket hook process 201 provides the same interface as the socket process 202 as an interface with the client AP 200, and provides a socket interface to the client AP 200 using the interface with the socket process 202. Also, the socket hook processing 201 includes authentication, encryption,
Has access destination control function. This socket hook processing 2
01, the client AP is not modified and FW10
2 can be adapted.

FIG. 3 is a diagram for explaining the software structure of the FW 102, which will be described below. In FIG. 3, reference numeral 300 denotes a FW main process. The FW main process 300 includes a relay process 301, an authentication process 302, and a negotiation process 303. FW10
2 has a socket process 202 and a TCP / IP process 203 similarly to the client computer 105.

The FW main processing 300 is executed by the A
Act as P. The FW 102 is of a circuit gateway type, transmits and receives the ID of the connection destination and the sender in a negotiation process 303, and relays data from the sender confirmed in the authentication process 302 at the socket level by the relay process 301. The relay process 301 does not have a function of encrypting and sending data.

FIG. 4 is a diagram for explaining the software configuration of the ESP 101, which will be described below. FIG.
403 is an ESP main process, and the ESP main process 403 is an ISP that performs communication with the ISP 100.
It comprises a protocol process 400, a client protocol process 401 for communicating with a client, and a relay process 402 for relaying data. Further, similarly to the FW 102, it has a socket process 202 and a TCP / IP process 203.

FIG. 5 is a diagram for explaining the software configuration of the ISP 100, which will be described below. FIG.
In FIG. 5, reference numeral 500 denotes an ISP main process. The ISP main process 500 includes an ESP protocol process 502 for communicating with the ESP, an AP data analysis control process 501, and a relay process 503. In addition, FW102 and ESP
Similar to 101, it has a socket process 202 and a TCP / IP process 203. An OS 506 of the ISP 100 controls input / output with an external I / O device. This OS5
06 is a text editor 5 for changing the setting information 505
04. In the setting information, a condition for determining a dynamic address notification for each AP, which will be described later, is described as text. The AP data analysis control processing 501 executes a dynamic address notification determination processing based on the above-described conditions.

As described above, the ISP 100 can change the setting information using the text editor 504 when dealing with various APs.
The effect that the development cost is reduced and the scalability is good compared to the case of adding can be obtained.

FIG. 6 shows a first embodiment of the present invention.
FIG. 6 is a sequence diagram illustrating a protocol between the ESP and the ISP in the network system shown in FIG.
The processing in each device will be described in detail with reference to FIG.

(1) First, the ISP 100 and the ESP 101
And communicates with the ISP 100 via the FW 102.
And the ESP 101 to establish a logical session. After this, the AP 200 of the client 105
Is a co for establishing a connection with the server 106.
A nnect request is issued (steps 600 and 601).

(2) Next, a socket hook process 201 receiving a connect request from the client AP 200
Sets the connection establishment destination from the server 106 to the ESP 10
1 and a connection is established (step 60).
2).

(3) ESP 10 that has accepted the connection from socket hook process 201 of client 105
1 uses FW 102 to use the authentication function of FW 102.
A connection is established with the client 102, and then relay processing of information necessary for performing client authentication is performed. In this way, the authentication of the client 105 is
(Steps 603 and 6)
05).

As described above, the ES according to the embodiment of the present invention
Since the protocol between the P-ISP uses the authentication function of the FW 102, there is no need to have a database for authentication in the ESP 101 or ISP 100, and there is an advantage that there is no need to set authentication information and management is easy. .

(4) In the middle of the authentication sequence of step 605, when the FW 102 confirms the client 105, it establishes a connection with the server 106 (step 604).

(5) At the end of step 605, F
W102 notifies the client 10 that the relay path has been established.
Notify 5 The ESP 101 that has received the relay route establishment notification of the FW 102 does not immediately relay to the client 105, and suspends the notification until a series of processes described below ends. Next, the ESP 101
2 by releasing the connection with the FW 102
Is released (step 606).

(6) Next, the ESP 101 generates a temporary encryption key and exchanges the encryption key with the client 105 (step 607).

As described above, by using the encryption key for each connection, it is difficult to estimate the encryption key, and the security can be improved. Also, even if the FW 102 has no encryption function, the ESP 101
02 has the advantage that it can be realized without making changes.

(7) Next, the ESP 101
A connection request with the server 106 through the session 0 is sent through the session previously established in step 600. Upon receiving this, the ISP 100 establishes a connection with the server 106 and returns a response to the ESP 101 (steps 608 to 610).

(8) Upon receiving this, the ESP 101 returns the held relay path establishment response to the client 105 side. The socket hook process 201 that has received the relay path establishment response from the ESP 101 returns a normal return to the AP 200, thereby notifying the AP 200 that a connection with the server 106 has been established (step 61).
1, 612).

By the processing described above, the client 105
The virtual connection between the server and the server 106 is ISP1
00, the FW 102, and the ESP 101 can be realized by relaying the respective connections.

Next, a sequence when data is transmitted through the connection established by the above-described processing will be described.

(9) When sending data, the client AP 200 issues a send request to the socket hook process 201 specifying transmission data and a connection. Upon receiving this, the socket hook processing 201 proceeds to ESP
The data from the AP 200 is transmitted to 101 (steps 613 and 614).

(10) Upon receiving the data from the client 105, the ESP 101 encapsulates the data and
Hand over to P100. The ISP 100 that has received the encapsulated data checks the contents of the data and determines whether or not the communication address has been notified by the client (steps 615 and 616).

(11) If the condition is not satisfied in the check in step 616, the ISP 100 returns the encapsulated data to the original data, and passes the data to the server 106 using the connection established in step 609. If the condition is satisfied in the check in step 616, that is, if the communication address is notified by the client, the ISP 100
5 is sent (step 617,
618).

(12) Upon receiving this, the ESP 101 establishes a connection with the client 105. At this time, the client AP waiting to accept a connection
200 is a socket hook processing 20 for accept request.
1 is requested. Then, when the connection with the ESP 101 in step 619 is established in the socket hook process, the socket hook process 201 notifies the AP 200 of this by returning (step 61).
9-621).

(13) The ESP 101 that has established a connection with the client 105 transmits the result to the ISP 100
Notify. ISP that received this connection establishment notification
100 changes the communication address of the client in the relay AP data held in Step 616 to the communication address of the ISP 100 itself and sends it to the server 106 (Step 62).
2,623).

(14) Upon receiving the communication address from the ISP 100, the server 106 establishes a connection to the communication address of the ISP 100, and transfers data using the established connection (steps 624 and 62).
5).

(15) Upon receiving this, the ISP 100 relays the data to the ESP 101. The ESP 101 that has received the data from the server 106 relays the data to the client 105 using the connection established in step 619. The client AP 200 issues a recv request to receive the data, and receives the data as a response (steps 626 to 629).

ISP 10 for processing the above-described sequence
0, the ESP 101, and the socket hook processing 201 of the client 105, the SCGW type FW 10
105 and server 10 connected via the server 2
6, the client AP 200 is connected to the server 1
AP dynamically assigned to client 06
Server 1 that notified the communication address of 200 and received this
It is possible to realize an access check of an application program that performs a process of transmitting data to the client communication address notified from 06 without modifying the application.

FIG. 7 is a view for explaining the format of a communication protocol message between the ISP 100 and the ESP 101 described with reference to FIG.

In FIG. 7, reference numeral 700 denotes a common format. The common format 700 is composed of a command field 701, a connection ID field 702, and a command individual field 703. Only the command individual field 703 has a variable length, and the other fields have a fixed length. Various messages can be identified based on the values in the command field 701.

710 is a table showing the values in the command field 701 and their names. Each command has the following 5
There are types. That is, in corresponding to step 608
side-connect. req, the inside-connect. rsp, data-transf corresponding to steps 615 and 626
er. req, outsid corresponding to step 618
e-connect. req, outside-connect. rsp.

Reference numeral 720 is a table showing the contents of the connection ID field 702 in each of the above-mentioned commands. Outside-conn in this Table 720
The ectin ID is a number that identifies the connection with the client 105 established by the ESP 101 in step 602 of the sequence. Also, inside-co
The nectin ID is a number that identifies the connection with the server 106 established by the ISP 100 in step 624 of the sequence.

Reference numeral 730 is a table showing the contents of the command individual field 703 in each of the above commands. The inside-connect. re
The server address of q is the communication address of the server 106. Also, inside-cone
ct. The result code of rsp is step 6
09 is a value indicating the result of “data-transfer”.
r. The replication application data is communication data transferred between the server 106 and the client 105. Furthermore, outside-cone
ct. The client address of “req” indicates that the data corresponding to the check in step 616 is stored in the server 106.
Is the communication address of the client 105 sent to
utside-connect. rsp result
code is the ESP10 established in step 619
1 and the result of the connection between the client 105. Also, new outside-connectivity
on ID is the ESP10 established in step 619.
This is a number for identifying the connection between the client 1 and the client 105.

FIG. 8 is a sequence diagram for explaining a process for establishing an initialization session between the ISP 100 and the ESP 101. Next, an initialization session established between the ISP 100 and the ESP 101 via the FW 102 is described. Details of the processing of the establishing step 600 will be described with reference to FIG.

(1) First, a request for establishing an initialization session is made from the ISP 100 side. For this reason, IS
P100 establishes a connection to FW 102, and sends connect. issue req (step 80)
0, 801).

(2) connect. F receiving req
The main processing 300 of W102 is performed by connecting the ESP1
01 and a connection is established. Then, the main processing 30
0 is a connection completion response connect. r
sp is returned (steps 802 and 803).

This connection completion response connect. rsp
Is received by the ISP 100, a session between the ISP 100 and the ESP 101 via the FW 102 is established. The FW 102 that has completed the above-described processing thereafter performs only data relay. In the above-described processing according to the embodiment of the present invention, the ISP 102 does not perform the authentication processing of the ISP 100, and the ESP 101 performs the authentication of the ISP 100.

(3) Next, the ISP 100
l. Req is sent to ESP101. This trial.
For req, a random number and the random number are stored in ISP100 and ESP.
And a value encrypted with the common key between 101, and these are sent as a pair (step 804).

(4) trial. ESP receiving req
The main process 400 of 101 decrypts the transmitted encrypted random number using the common key in hand, and confirms the ISP 100 when the decrypted value matches the transmitted random number. Then, a pair of the random number and the encrypted random number
l. It is sent to the ISP main process 500 as rsp (step 805).

(5) Upon receiving this, the main processing 500 of the ISP 100 is performed by the ESP 101 in the same manner as described above.
Authenticate. Next, the ISP main process 500 sends the initialization data to the ESP 101 (Step 806).

FIG. 9 is a flowchart for explaining the logic of the initialization process and the logic of the FW process between the ESP and the ISP in the first embodiment of the present invention. 9300 is a processing flow of the FW main processing 300. First, the processing of the FW 102 will be described.

(1) The FW 102 is a type of FW that relays a connection. For this reason, first, the FW 102 accepts the connection by the accept request, and then receives the relay request from the partner by the established connection (steps 9310 and 9320). (2) Next, it is checked whether or not the other party who has sent the relay request needs to be authenticated. As a result, if the authentication is necessary, an authentication process is performed (steps 9330 and 9340). (3) Next, a request for a connection to the connection partner described in the relay request is issued, and a relay destination connection is established (step 9350). (4) Next, in order to mutually relay data from the connection established in step 9310 and the connection established in step 9350, these connections are associated with each other. Then, the establishment completion response of the relay path thus established is returned to the sender of the relay request (step 9360). (5) Then, data relay processing is performed between the corresponding connections (step 9370).

Reference numeral 9500 denotes a processing flow of initialization processing logic between the ESP 101 and the ISP 100 by the ISP main processing 500, which will be described below.

(1) First, the ISP main processing 500
A connection with the FW 102 is established, and a relay request with the ESP 101 is issued to the FW 102 (step 9).
510, 9520). (2) Next, the ISP main processing 500 executes the registration by performing authentication with the ESP 101, and sends initial data to the ESP 101 (steps 9530 and 954).
0).

Reference numeral 9400 denotes a processing flow of initialization processing logic between the ESP 101 and the ISP 100 by the ESP main processing 400, which will be described below.

(1) First, the ESP main processing 400
The connection from the ISP 100 is received via the FW 102 (step 9410). (2) Next, the ESP main processing 400
Is authenticated, and the ISP 101 is stored.
Receive initial data from 0 (steps 9420 and 9420)
430).

FIG. 10 is a flowchart of the processing logic of each application program on the server 106 and the client 105 in the above-described embodiment of the present invention. Referring to FIG.
0 and the server AP 2000 will be described.

First, the processing of the client AP 200 will be described. (1) First, a control connection with the server 106 is established, and then a command from the user is accepted to check whether or not the request is a transfer request. If the request is not a transfer request, the command is processed (step 1010). ~ 103
0). (2) If the command from the user is a transfer request, the data transfer request is notified to the server 106 through the control connection, and the communication port which is its own communication address is set to
By requesting the IP processing 203, a communication port is dynamically allocated (steps 1040 and 105).
0). (3) Then, the assigned communication port is assigned to the server 10
6 and accepts a transfer connection from the server 106 (steps 1060 and 1070). (4) Next, data transfer is performed using the transfer connection established in the process of step 1070. Thereafter, the flow returns to the process of accepting the user command in step 1020 (step 1080).

Next, the processing flow of the server AP 2000 will be described. (1) First, a connection from the client 105 is received and a request from the client is received (steps 2010 and 2020). (2) Next, it is determined whether or not the request received from the client is a data transfer request. If the request is not a transfer request, a process corresponding to the request is performed (steps 2040 and 203).
0). (3) If the received request is a transfer request, it waits until a port notification from the client AP 200 is received (step 2050). (4) Next, a connection request is issued to the notified port of the client AP 200 to establish a transfer connection, and data is transferred by the established transfer connection (steps 2060 and 2070).

FIG. 11 is a flowchart for explaining the operation of the socket hook processing 201 on the client 105 according to the first embodiment of the present invention, which will be described below.

(1) First, socket hook processing 201
Receives the communication command from the client AP 200 and sorts the process for each command (step 1100). (2) If the communication command is a connect command, first establish a connection with the ESP 101 and use the established connection with the ESP 101 to perform FW1.
02 is requested to make a relay connection to the server 106 (steps 1110 and 1112). (3) Next, the authentication processing by the FW 102 is performed, and the ESP
Exchange the encryption key with 101 (steps 1114, 111)
6). (4) Next, the relay connection response from the FW 102 via the ESP 101 is received, and a response is returned to the AP by returning (steps 1118 and 1160).

(5) When the communication command is an accept command, first, the connection from the ESP 101 is accepted, the key is exchanged with the ESP 101, and thereafter, a response is returned to the AP by returning (steps 1120, 1122, 1160).

(6) If the communication command is a send command, first, data is encrypted, and the command is passed to the socket process 202. Then, the socket processing 20
A response is returned to the AP by returning the return from step 2 (steps 1130, 1150, 1160).

(7) If the communication command is a recv command, the command is first passed to the socket process 202 to decode the received data. Then, a response is returned to the AP by returning (steps 1140, 114
2, 1160).

(8) If the communication command is a command other than the above, the command is passed to the socket process 202, and a response is returned to the AP by returning the return from the socket process 202 (steps 1150 and 1160).

FIG. 12 shows an ISP according to an embodiment of the present invention.
5 is a flowchart illustrating processing of a main processing 300, which will be described below.

(1) First, as described with reference to FIG. 9 and FIG. 8, the ISP 100 establishes a session with the ESP 101, and then receives a command from the ESP 101, and receives the connection request (inside- conn
ect. req), and if not a connection request, it waits for a connection request (step 1200,
1202).

(2) When the connection request is received in step 1202, the connection with the server 106 is established, and then the ESP 101 is notified that the connection with the server 106 has been established (step 1204, 12
06).

(3) Next, the data is received and relay processing is performed. At this time, an ISP-ESP protocol header is attached to the data received from the connection with the server 106,
Relay processing for transferring this to the ESP side in an ESP session is performed (steps 1208 and 1210).

(4) On the other hand, the data content of the data received from the ESP session is determined. If it is not a communication address notification, the data is relayed to the server 106, and the process returns to step 1208 (step 12).
12, 1214).

(5) If the data content determined in step 1212 is a communication address notification, the ESP 106
Issues a request to establish a connection with the client,
Next, an acknowledgment is received from the ESP 106 indicating that the connection with the client has been established (step 12).
16, 1218).

(6) Next, the communication address of the data is rewritten to the communication address of its own, the data is relayed, and after receiving the connection from the server, the process returns to step 1208 (steps 1220 and 122).
2).

FIG. 13 shows an ESP according to the embodiment of the present invention.
5 is a flowchart illustrating a processing operation of the main processing 400, which will be described below.

(1) First, as described with reference to FIGS. 9 and 8, the ESP 101 opens a session with the ISP 100 and then waits until a connection from the client 105 is received (steps 1300 and 130).
2).

(2) Next, a connection with the FW 102 is established, and authentication data is relayed to the FW 102.
The response from the FW 102 is received. Then, FW102
The connection with the server is disconnected (1304 to 1310).

(3) Next, an encryption key is generated and exchanged with the client, and a request for connection with the server 106 is
Send to SP100. Then, a response message indicating that the connection with the server 106 has been established from the ISP 100 is received, and a connection establishment response is transmitted to the client 105 (steps 1312 to 1318).

(4) Next, the data is received and the processing is sorted according to the contents. If the received data is relay data, the received data is relayed, and the process returns to step 1320 of data reception. At this time, the data is encrypted / decrypted (steps 1320 and 132).
2).

(5) If the data received in step 1320 is data for a connection establishment request with the client, a connection with the client 105 is established, and the encryption key is exchanged with the client 105. Then, the connection establishment response with the client 105 is sent to the ISP 1
00, and returns to the process of step 1320 (steps 1324-1328).

FIG. 14 is a block diagram showing a configuration example of a network system according to the second embodiment of the present invention.
The reference numerals in the figure are the same as those in FIG.

In the first embodiment of the present invention described above, the ISP 100 and the ESP 101
In the second embodiment of the present invention shown in FIG. 14, a communication path 1400 (for example, a LAN connection) for directly connecting between the ISP and the ESP is provided. A session between the ISP and the ESP is established using the path 1400, and initialization data and relay data are transmitted.

The second embodiment of the present invention has a function in which the socket hook processing 201 of the client 105 sorts the connection with the FW 102 and the connection with the ESP 101 according to the address of the communication partner. With such a configuration, it is possible to obtain an effect that the load on the FW 102 can be reduced.

FIG. 15 is a block diagram showing a part of a configuration example of a network system according to the third embodiment of the present invention. In FIG. 15, reference numeral 1500 denotes a computer device;
Other reference numerals are the same as those in FIG.

Although the first and second embodiments of the present invention described above are examples in which the ISP 100 and the ESP 101 are realized by independent computer systems, the third embodiment of the present invention shown in FIG. IS within one computer device 1500
The P main processing 500 and the ESP main processing 400 are operated. The ISP main process 500 and the ESP main process 400 are connected to a network inside and outside the FW 102, and
The ISP main process 500 and the ESP main process 400 perform inter-process communication.

As described above, the same computer 1500
ISP main processing 500 and ESP main processing 400
A that uses the dynamic communication address
The introduction cost when supporting P can be reduced. Also, as in the case of the above-described second embodiment of the present invention, the socket hook processing 201 of the client 105 is performed.
In addition, by providing a function of distributing the one connected to the FW 102 and the one connected to the ESP 101 according to the address of the communication partner, the effect of reducing the load on the FW 102 can be obtained.

FIG. 16 is a block diagram showing a part of a configuration example of a network system according to the fourth embodiment of the present invention, and the reference numerals in FIG. 16 are the same as those in FIG.

The fourth embodiment of the present invention employs an IS on the FW 102 in the first embodiment of the present invention.
The P main processing 500, the ESP main processing 400, and the FW main processing 300 operate. Then, the ISP main processing 500 and the ESP main processing 40
0 and the FW main process 300 execute data relay by performing inter-process communication.

The fourth embodiment of the present invention configured as described above can reduce the introduction cost when supporting an AP using a dynamic communication address as compared with the third embodiment.

FIG. 17 is a block diagram showing a configuration example of a network system according to the fifth embodiment of the present invention.
The reference numerals in the figure are the same as those in FIG.

In the fifth embodiment of the present invention, the ISP main process 500 is realized as a daemon process in the server 106 of the first embodiment of the present invention. Even in the embodiment having the simple configuration, the introduction cost in the case of supporting the AP using the dynamic communication address can be suppressed.

FIG. 18 is a block diagram showing a configuration example of a network system according to the sixth embodiment of the present invention.
The reference numerals in the figure are the same as those in FIG.

A sixth embodiment of the present invention shown in FIG.
The ESP is realized as a server on the Internet, and the provider ISP100 and the ESP101 are
One ESP10 instead of one pair
This enables a plurality of ISPs 100 to establish a session and relay data.

According to this embodiment, the ESP 100 is set to 1
Since it is only necessary to provide one, it is possible to reduce the introduction cost when supporting an AP using a dynamic communication address.

FIG. 19 is a block diagram showing a configuration example of a network system according to the seventh embodiment of the present invention.
The reference numerals in the figure are the same as those in FIG.

The seventh embodiment of the present invention shown in FIG.
The ESP 101 is realized as one device in the Internet provider 104 according to the first embodiment of the present invention. In this embodiment, a plurality of ESPs 101 can establish a session with one ISP 100. Also, multiple IS
A plurality of ESPs 101 can establish a many-to-many session with respect to the P100.

According to the seventh embodiment of the present invention configured as described above, it is possible to show that the service provider supports an AP using a dynamic communication address as a service.

FIG. 20 is a block diagram showing a configuration example of a network system according to the eighth embodiment of the present invention.
The reference numerals in the figure are the same as those in FIG.

The eighth embodiment of the present invention shown in FIG.
The function of the ESP 101 is provided on the client computer 105 according to the first embodiment of the present invention described above. This can be easily realized by setting the internal address to. At this time, ESP
A session between the ESP 101 and the ISP can be established by starting the ESP 101.

According to the above-described eighth embodiment of the present invention, the introduction cost when supporting an AP using a dynamic communication address can be suppressed.

FIG. 21 is a block diagram showing a configuration example of a network system according to the ninth embodiment of the present invention.
The reference numerals in the figure are the same as those in FIG.

The ninth embodiment of the present invention shown in FIG.
The ISP main process 400 is executed on the server computer 106 by E
SP main processing is provided on the client computer 105,
Further, it is realized by including a router 103 having a packet filter function. In this embodiment, each function of the ESP and the ISP can be provided in the end computer. At this time, by using the authentication function between the ISP and the ESP, the FW 102 does not need to have the authentication function.

The above-described embodiment can be applied not only to a circuit gateway type FW but also to a packet filter type FW.

In the embodiments of the present invention described above, only a fixed sequence equivalent to that described with reference to FIG. 6 can be executed. However, the present invention can also provide support for APs using more complex dynamic communication addresses. I will explain an example.

FIG. 22 is a diagram showing an example of an access control macro language input by the ISP 100 and corresponding to each AP.

In FIG. 22, initial service-addres
s describes the well-known communication service address of the server application. ISP part is ISP1
This is a macro description of the data content check condition at 00 and the processing when the condition is met, including the ISP-ESP protocol. The same applies to the ESP part.

The ISP 100 has a function of expanding the AP data analysis processing 501 and the ESP protocol processing 502 in accordance with the macro as described above, and a function of generating initialization data for the ESP 101. ESP101 is IS
It has a function to extend the ISP protocol processing 403 based on the data sent from the P100. ISP10
0 may send an object executable by the ESP 101 and the ESP 101 may execute the object.

As described above, it is possible to easily support an AP using a more complicated dynamic communication address. An ISP 100 that connects a plurality of ESPs 101
Since the access control policy in each ESP 101 can be specified separately and the setting can be performed collectively, the operation management including the expandability can be easily performed.

The above-described embodiments of the present invention correspond to the ISP1
Although it has been described that 00 checks the data, the present invention can easily realize the data check on the ESP 101 side. In this implementation, as described in FIG. 22, the user may specify the check condition. Accordingly, unnecessary data is not received by the ISP 101, so that security can be improved and the load on the ISP 100 can be reduced.

FIG. 23 is a block diagram showing a configuration example of a network system according to the tenth embodiment of the present invention.

Although the embodiments of the present invention described above are examples in which the ESP 101 is connected to the Internet 111, the tenth embodiment of the present invention shown in FIG. 110b. That is, in the embodiment shown in FIG. 23, two intranets 110a and 110b are provided, and the ESP 101 is provided on one of the intranets 110b.
Is provided.

In the embodiment shown in FIG. 23, by providing the above-described configuration, communication can be performed between the client 105 in another intranet and the server 106 in the own intranet, and the server is moved to a different intranet. The effect that the communication can be performed even if it is performed can be obtained.

[0119]

As described above, according to the present invention, the following effects can be obtained.

[0120] 1. In a network environment using an existing FW, it is possible to perform secure communication via the FW by using an AP that uses a dynamic communication port without modifying the AP.

2. In an environment where the FW supports encryption, an AP using a dynamic communication port can be adapted without modifying the AP.

3. Similarly, in an environment where an authentication function is supported by the FW, an AP using a dynamic communication port is assigned to the AP.
Can be adapted without modification.

4. Further, in an environment where the FW does not support encryption, an AP using a dynamic communication port can be adapted without modifying the AP, and encryption can be supported.

[0124] 5. Further, in a network environment using an existing FW, a plurality of APs using a dynamic communication port are used.
Is supported without modification of those APs, access control information of each AP can be created together and reflected on each device, so that management and operation are easy.

6. Further, when the access control information of the above item 5 is reflected, since the data to be reflected is encrypted, security of management and operation can be ensured.

7. Further, since the present invention supports an authentication function, data can be transferred only to a reliable partner, and security can be enhanced.

8. In addition, the present invention that secures a data transfer path that does not mediate the FW can reduce the load on the FW and improve network performance.

9. In addition, communication can be performed using a specific AP via a different intranet.

10. When communicating with a server in a company intranet separated by FW from the Internet using a company-made business AP, an APG for the company-made AP is used.
There is no need to create W, and the construction cost can be reduced.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating a configuration example of a network system according to a first embodiment of the present invention.

FIG. 2 is a diagram illustrating a software structure of a client computer in FIG.

FIG. 3 is a diagram illustrating a software structure of the FW in FIG. 1;

FIG. 4 is a diagram illustrating a software configuration of an ESP in FIG. 1;

FIG. 5 is a diagram illustrating a software configuration of the ISP in FIG. 1;

FIG. 6 is a sequence diagram illustrating a protocol between an ESP and an ISP in the network system according to the first embodiment of the present invention.

FIG. 7 is a diagram illustrating a format of a communication protocol message between the ISP and the ESP described with reference to FIG. 6;

FIG. 8 is a sequence diagram illustrating a process for establishing an initialization session between an ISP and an ESP.

FIG. 9 shows the ES in the first embodiment of the present invention described above.
5 is a flowchart illustrating logic of initialization processing and logic of FW processing between P and ISP.

FIG. 10 is a flowchart of processing logic of each application program on a server and a client in the embodiment of the present invention described above.

FIG. 11 is a flowchart illustrating an operation of a socket hook process 201 on the client according to the first embodiment of this invention.

FIG. 12 is a flowchart illustrating a process of an ISP main process 300 according to the embodiment of the present invention.

FIG. 13 is a flowchart illustrating a processing operation of an ESP main process 400 according to the embodiment of the present invention.

FIG. 14 is a block diagram illustrating a configuration example of a network system according to a second embodiment of the present invention.

FIG. 15 is a block diagram illustrating a configuration example of a network system according to a third embodiment of the present invention.

FIG. 16 is a block diagram illustrating a configuration example of a network system according to a fourth embodiment of the present invention.

FIG. 17 is a block diagram illustrating a configuration example of a network system according to a fifth embodiment of the present invention.

FIG. 18 is a block diagram illustrating a configuration example of a network system according to a sixth embodiment of the present invention.

FIG. 19 is a block diagram illustrating a configuration example of a network system according to a seventh embodiment of the present invention.

FIG. 20 is a block diagram illustrating a configuration example of a network system according to an eighth embodiment of the present invention.

FIG. 21 is a block diagram illustrating a configuration example of a network system according to a second embodiment of the present invention.

FIG. 22 is a diagram showing an example of an access control macro language corresponding to each AP input by the ISP 100.

FIG. 23 is a block diagram illustrating a configuration example of a network system according to a tenth embodiment of the present invention.

[Explanation of symbols]

 REFERENCE SIGNS LIST 100 Internal security proxy server (ISP) 101 External security proxy server (ESP) 102 Firewall (FW) 103 Router (R) 104 Internet provider (P) 105 Client computer 106 Server computer 110 Intranet 111 Internet 112 Public telephone network (PTN)

──────────────────────────────────────────────────の Continued on front page (51) Int.Cl. ⁶ Identification code FI H04L 12/24 12/26

Claims (18)

[Claims] 1. A server computer comprising: a client computer connected to an interconnected computer network; and a server computer connected to the computer network via a general-purpose access check device and connected to a protected network. In a computer network system for performing data communication between the general access check device and an application program on the client computer, a first data communication means connected to a network protected by the general access check device; Second data communication means connected to a network which is not connected, means for establishing a data transfer path between the first and second data communication means, and changing a specific application program on the client computer. Without Means for communicating with the second data communication means to transfer data of the specific application program, and the specific application program using a data transfer path between the first communication means and the second communication means Data relay means for relaying the data of
Means for controlling data relay means of the specific application program based on data content of the specific application program. 2. The communication path between a client computer and a general-purpose access check device is encrypted, and
2. The data communication means of claim 1, further comprising a function of determining the data content of the specific application program.
The described network system. 3. The network system according to claim 1, wherein the first data communication unit and the second data communication unit are configured as independent dedicated devices. 4. A function of distributing initialization information to means for controlling said data relay means using a data transfer path between said first data communication means and said second data communication means. The network system according to claim 1, 2 or 3, wherein: 5. An authentication data relay device for relaying authentication data between a client computer and a general-purpose access check device, wherein the general-purpose access check device has an authentication function. 5. The network according to claim 1, wherein data relay of the client computer is performed using a data transfer path between the first data communication unit and the second data communication unit. system. 6. The apparatus according to claim 1, further comprising a function of encrypting a data transfer path between said first data communication means and said second data communication means. Network system. 7. The apparatus according to claim 1, further comprising a function of encrypting data between said first data communication means or said second data communication means and a client computer. The described network system. 8. Application program data between the first data communication means and the second data communication means using a data transfer path between the first data communication means and the second data communication means. The network system according to any one of claims 1 to 7, wherein the information for transfer control is transmitted and received. 9. The method according to claim 1, wherein a plurality of specific application program data are relayed by using one data transfer path between said first data communication means and said second data communication means. 8. The network system according to any one of 8 above. 10. The apparatus according to claim 1, further comprising a function of mutually authenticating the first data communication means and the second data communication means.
The described network system. 11. The first data communication unit and the second data communication unit are directly connected by a transmission line, and data is transferred between the first data communication unit and the second data communication unit. The network system according to claim 1, wherein a path is constructed using the transmission path. 12. The client computer connects to a server computer via a general-purpose access check device,
The network system according to any one of claims 1 to 11, further comprising a function of determining whether to connect via a second data communication unit. 13. A data transfer path between the first data communication unit and the second data communication unit, wherein the second data communication unit establishes a data transfer path with the plurality of first data communication units. The network system according to any one of claims 1 to 12, wherein: 14. A data transfer path between the first data communication means and the second data communication means, wherein the first data communication means establishes a data transfer path with a plurality of second data communication means. The network system according to any one of claims 1 to 12, wherein: 15. Transferring security policy information in a network protected by the general-purpose access check device to the second data communication means between the first data communication means and the second data communication means. The network system according to any one of claims 1 to 14, further comprising a function of reflecting the path using a path. 16. The server computer, comprising: a client computer connected to an interconnected computer network; and a server computer connected to the computer network via a general-purpose access check device and connected to a protected network. And a computer network system that performs data communication between the client computer and an application program on the client computer, the computer network system being connected to both a network protected by the general-purpose access check device and a network not protected by the general-purpose access check device. A specific application program access check device, and communicates with the specific application program access check device without changing the specific application program on the client computer. Means for transferring the data of the specific application program to the access check device for the application program without changing the application program for the client, and relay means for relaying the data of the specific application program by the access check device for the specific application program And a means for controlling relay means of the specific application program based on data content of the specific application program. 17. The server computer, comprising: a client computer connected to an interconnected computer network; and a server computer connected to the computer network via a general-purpose access check device and connected to a protected network. In the computer network system for performing data communication between the client computer and an application program on the client computer, the access check device performs communication using a protected access network with a general-purpose access check program that is not directly connected to a network. A first program, a second program for performing communication using an unprotected network, and communication means between the three programs;
Means for controlling data relay processing via a general-purpose access check program according to the data content of the specific application program, and means for communicating with the access check device without changing the specific application program on the client computer A network system comprising: 18. The server computer, comprising: a client computer connected to an interconnected computer network; and a server computer connected to the computer network via a general-purpose access check device and connected to a protected network. In a computer network system for performing data communication between the client device and an application program on the client computer, a first device connected to a network protected by the general access check device and a general access check device different from the first device Means for establishing a data transfer path between the first and second apparatuses via the plurality of general-purpose access check apparatuses, and a second apparatus connected to the client computer. Specific application program Means for communicating with the second device without changing the system, and transferring data of the specific application program to the second device; and transferring data between the first device and the second device. A network system comprising: means for delivering data of a specific application program using a path; and means for activating data delivery means for the specific application program based on data content of the specific application program.