In order to secure a network, connections from console terminals to the network may be restricted.
FIG. 21 is a diagram illustrating an example of the configuration of a network system 1000. The network system 1000 is an example of a large-scale network such as a data center and, as illustrated in FIG. 21, includes, for example, a management-related network 200 and a service-related network 400. The service-related network 400 includes operation system areas 510 to 530 that a plurality of terminals 900 access in order to perform operations, and the management-related network 200 includes network management areas 310 to 330 that respectively manage the operation system areas 510 to 530.
As illustrated in FIG. 21, the network system 1000 further includes an operational switch 600, maintenance terminals 710 to 730 and a management terminal 800. The management terminal 800 is a terminal used by a manager who manages the entire data center in order to manage the entire network (at least the management-related network 200). The maintenance terminals 710 to 730 are terminals used by users (for example, maintenance persons) who each utilize only part of the network system 1000, in order to manage the one of the network management areas 310 to 330 that relates to the department of that user.
The operational switch 600 is a device that is connected to the network management areas 310 to 330. When a maintenance terminal 710 to 730 is connected to one of the ports of the operational switch 600, the operational switch 600 switches the access from that maintenance terminal to the one of the network management areas 310 to 330 that corresponds to the connection port.
As described above, the operational switch 600 connects each of the maintenance terminals 710 to 730 to the one of the network management areas 310 to 330 that corresponds to the port to which that maintenance terminal is connected. However, a maintenance person does not manage the entire network system 1000. If the maintenance person can access network management areas 310 to 330 other than the area related to the department of that maintenance person, the security of the network system 1000 is degraded.
Hence, in order for each maintenance person to be able to access only the specific network management area 310 to 330 assigned to that person, the manager may, for example, prevent the maintenance person from connecting the maintenance terminal 710 to 730 to a wrong port of the operational switch 600.
As an example, a port protect function may be provided in the operational switch 600. The port protect function is a port security function in which identification information on the maintenance terminal 710 to 730 permitted to connect is set in advance for each individual port of the operational switch 600, and when a maintenance terminal 710 to 730 whose identification information is not registered for a port is connected to that port, the port is blocked. Media Access Control (MAC) addresses, for example, can be used as the identification information on the maintenance terminals 710 to 730.
As another example, security locks may be provided in the individual ports of the operational switch 600. A security lock is a component (module) that can be attached to the slot of a port and is locked with a security key (release key), so that it is difficult to remove physically from the slot. For example, the manager issues to the maintenance person a security key for the port that the maintenance person is permitted to use, and the maintenance person uses the issued security key to release the security lock of that port, connects the maintenance terminal 710 to 730 to the port and uses the port.
As a related technology, a communication device system is known in which a card-type device is inserted into or connected to a control target device, so that remote maintenance control or remote monitoring of the control target device is performed by a maintenance control or remote monitoring device connected to a gateway (for example, see patent document 1). In this technology, the device ID of the control target device stored in the card-type device is compared with a device ID acquired from the control target device, and when the two agree, a device authentication ID is transmitted to the gateway to perform authentication.
A technology is also known in which a network device uses the combination of the port number to which a device is connected and the MAC address of that device to determine whether or not login to the network device is allowed (for example, see patent document 2). Another technology is known in which, when a Web page supplied by a monitoring host device is browsed from a Web page for a manager supplied by an image formation device, the specific information of the image formation device and access request time information are used for authentication (for example, see patent document 3).
Furthermore, a log information collection system is known in which a log collection module that is automatically started up when a Universal Serial Bus (USB) memory is connected to a host is provided, and log information is stored by the log collection module (for example, see patent document 4). In this technology, the log collection module acquires a device ID from the target device of maintenance and stores it in the USB memory, and a maintenance terminal acquires an access ID corresponding to the device ID from an information server and stores it in the USB memory. The log collection module is then authenticated by the target device through the access ID and collects the log information.
[Patent document 1] Japanese Laid-open Patent Publication No. 2010-211446
[Patent document 2] Japanese Laid-open Patent Publication No. 2012-108686
[Patent document 3] Japanese Laid-open Patent Publication No. 2008-158633
[Patent document 4] Japanese Laid-open Patent Publication No. 2008-158862
In the port protect function described above, the manager registers MAC addresses for the individual ports of the operational switch 600. When the operational switch 600 has a large number of ports, the number of operation steps therefore increases and a setting mistake or the like may be made. Moreover, the manager has to obtain the MAC address information of the maintenance terminals 710 to 730 in advance, so when a large number of maintenance terminals 710 to 730 are present, the number of operation steps likewise increases and a setting mistake or the like may be made.
In the method using security locks, a security lock is provided in each individual port of the operational switch 600. The manager therefore has to manage as many security keys as there are security locks, which complicates management, and when a security key is lost, it may be difficult to release the corresponding security lock.
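As an added illustration, not code from the patent or its applicant, the following Python model shows the port protect function introduced earlier (a per-port MAC allow-list, with the port blocked when an unregistered terminal connects) together with the consistency check a manager would want against the setting mistakes just described. The port numbers, management-area labels and terminal MAC addresses are constructed for the example, and the audit rules (a port with no terminal registered, one terminal registered for ports that lead to different areas) are chosen for the illustration rather than taken from the page.

```python
import re
from dataclasses import dataclass, field

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalise separators and case ('AA-BB-..', 'aabb.ccdd.eeff', 'aa:bb:..')
    so that a MAC typed in a different format is not silently treated as unregistered."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Port:
    number: int
    area: str                              # network management area reached via this port
    allowed_macs: set = field(default_factory=set)
    blocked: bool = False                  # set once an unregistered terminal connects


class OperationalSwitch:
    """Model of the operational switch 600 with the port protect function."""

    def __init__(self, port_to_area: dict):
        self.ports = {n: Port(n, area) for n, area in port_to_area.items()}

    def register(self, port_number: int, mac: str) -> None:
        """Manager pre-registers the MAC of the terminal allowed on this port."""
        self.ports[port_number].allowed_macs.add(normalize_mac(mac))

    def connect(self, port_number: int, mac: str) -> str:
        """A terminal plugs into a port: 'granted:<area>' or 'blocked'."""
        port = self.ports[port_number]
        if port.blocked:
            return "blocked"
        if normalize_mac(mac) in port.allowed_macs:
            return f"granted:{port.area}"
        port.blocked = True                # unregistered terminal: shut the port
        return "blocked"

    def release(self, port_number: int) -> None:
        """Manager action: re-enable a port that the port protect function blocked."""
        self.ports[port_number].blocked = False

    def audit(self) -> list:
        """Hypothetical consistency check for the 'setting mistake' failure mode:
        a port with nothing registered, or one terminal registered on ports that
        lead to different management areas (granting access it should not have)."""
        findings = []
        areas_by_mac = {}
        for p in sorted(self.ports.values(), key=lambda q: q.number):
            if not p.allowed_macs:
                findings.append(f"port {p.number} ({p.area}): no terminal registered")
            for mac in p.allowed_macs:
                areas_by_mac.setdefault(mac, set()).add(p.area)
        for mac, areas in sorted(areas_by_mac.items()):
            if len(areas) > 1:
                findings.append(f"{mac}: registered for areas {sorted(areas)}")
        return findings


def build_example() -> OperationalSwitch:
    """Constructed sample following FIG. 21's numbering: ports 1..3 lead to areas
    310..330; the MAC addresses for terminals 710..730 are invented."""
    sw = OperationalSwitch({1: "310", 2: "320", 3: "330"})
    sw.register(1, "00:11:22:33:44:10")    # maintenance terminal 710
    sw.register(2, "00:11:22:33:44:20")    # maintenance terminal 720
    sw.register(3, "00:11:22:33:44:30")    # maintenance terminal 730
    return sw


if __name__ == "__main__":
    sw = build_example()
    print(sw.connect(1, "00-11-22-33-44-10"))   # terminal 710 on its own port
    print(sw.connect(2, "00:11:22:33:44:10"))   # terminal 710 on 720's port: blocked
    sw.register(3, "00:11:22:33:44:10")         # a manager's setting mistake
    print(sw.audit())
```

Two practical points follow from the model. The blocked state is sticky until the manager releases the port, which is the behaviour that makes a wrong connection visible rather than silently retried. And a MAC address is set by the terminal's own software, so this check identifies the interface a terminal claims to be, not the maintenance person; it guards against connecting to the wrong port by mistake rather than against deliberate circumvention.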