1. Field of the Invention
This invention relates to a relay program, a communication processing program, and a firewall system, and more particularly to a relay program, communication processing program, and a firewall system, for relaying data communication passing through a firewall that is installed at a connection point between an external network and an internal network to manage communication.
2. Description of the Related Art
Recently, with the expansion of computer networks, network security for preventing computer hacking and protecting confidential data in a network environment has become more crucial.
In general, TCP/IP (Transmission Control Protocol/Internet Protocol) is widely used as a protocol for communication between computers. In TCP/IP, IP addresses and TCP ports are used to specify target computer devices. Hereinafter, a communication port of a target computer device specified by an IP address and a TCP port is called a port or a socket. In order to ensure security in information management, a control mechanism called a firewall is provided for communication between computer devices, which allows communication only between specified ports.
A firewall is installed at a connection point between an external network and an internal network. When the firewall receives an access request that should pass through the firewall, from the external network, it determines under preset rules whether to allow or deny this access request, thereby preventing unauthorized accesses to the internal network. In this connection, there is a firewall system that effectively uses network resources by establishing a connection with a computer device requesting an access only when determination on whether to allow or deny the access request results in allowance of the access request (for example, refer to Japanese Unexamined Patent Publication No. 10-215248 (paragraphs [0013] to [0020], FIG. 1)).
FIG. 12 shows an example of a communication control function using a firewall.
A firewall 901 is installed at a connection point between an external network to which a communication source client 902 is connected and an internal network to which a communication destination server 1 (903) and a communication destination server 2 (904) are connected, and is designed to determine under preset rules whether to allow or deny an access request from the communication source client 902. The communication source client 902 issues an access request to access the communication destination server 1 (903) or the communication destination server 2 (904) that exists beyond the firewall, by using a TCP port that is specified for each application.
For example, assume now that the firewall 901 has rules that allow access requests issued from a combination of an IP address of “111.123.1.50” and a TCP port of “80” and a combination of an IP address of “111.123.1.51” and a TCP port of “81”. In this case, only when an access request received from the communication source client 902 matches the combination of the IP address of “111.123.1.50” and the TCP port of “80” or the combination of the IP address of “111.123.1.51” and the TCP port of “81”, which is set as the rules, the access request is allowed to pass through the firewall 901.
As explained above, in order to perform communication through a firewall by using a specified port, the port to be allowed to pass through should be registered in the firewall. For example, in FIG. 12, the ports 80 and 81 should be set in the firewall.
However, in conventional firewall settings, the ports used by each application must be individually set to be allowed. Therefore, if there are a plurality of applications, a large number of ports must be managed, which imposes a heavy burden on security management. In addition, an application that requires bi-directional communication between a communication source client on an external network and a communication destination server on an internal network, such as obtaining an event result, needs a port for sending the event result from the internal network to be set in the firewall separately, in addition to the port for sending the access request from the external network.
That is to say, the number of ports to be set and managed in a firewall increases with the scale of the system. When a new application is installed under circumstances where many ports are already managed, the firewall settings, which must be made correctly, are likely to contain errors. In addition, the firewall settings must be changed whenever applications are removed or changed. However, if there are many registrations, not only errors in setting but also the need for a change may be missed or disregarded. Such setting errors and missed updates create security holes, which may greatly lower the security level. In fact, it is known that security holes are created by human error.
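The following is an added example, not part of the patent text, that models the conventional port-based firewall described above: the allow rules of the FIG. 12 example (IP address and TCP port combinations) evaluated with default deny, plus an audit that finds rules left behind after an application is removed, which is the "missed change" problem this section describes. The rule class, the application labels attached to each rule, and the set of installed applications are assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class AllowRule:
    """One conventional firewall rule: a (destination IP, TCP port) pair allowed to pass.
    The 'application' label is an assumption added for the audit below; a plain
    port-based firewall does not record it, which is part of the management problem."""
    ip: str
    port: int
    application: str


# Constructed rule table mirroring the FIG. 12 example: only these two combinations pass.
RULES = [
    AllowRule("111.123.1.50", 80, "web"),
    AllowRule("111.123.1.51", 81, "event-server"),
]


def is_allowed(rules, dst_ip, dst_port):
    """Default deny: an access request passes only if some rule matches BOTH the
    IP address and the TCP port. Comparing parsed addresses avoids textual
    mismatches such as leading zeros."""
    target = ip_address(dst_ip)
    return any(ip_address(r.ip) == target and r.port == dst_port for r in rules)


def stale_rules(rules, installed_applications):
    """Rules whose application is no longer installed. Each one is an open port that
    nobody needs any more, i.e. a security hole created by a missed setting change."""
    return [r for r in rules if r.application not in installed_applications]


def rules_required(applications):
    """How many rules a conventional firewall needs for a set of applications, given
    as {name: (number_of_ports, bidirectional)}. A bidirectional application (for
    example one returning event results) needs a separate rule for each direction,
    so the count grows with both the number of applications and their port usage."""
    return sum(ports * (2 if bidirectional else 1)
               for ports, bidirectional in applications.values())


if __name__ == "__main__":
    # Constructed access requests from the communication source client.
    for ip, port in [("111.123.1.50", 80), ("111.123.1.50", 81), ("111.123.1.51", 81)]:
        print(f"{ip}:{port} -> {'ALLOW' if is_allowed(RULES, ip, port) else 'DENY'}")
    # After the event-server application is removed, its rule is still registered.
    print("stale:", stale_rules(RULES, {"web"}))
    # Five applications, each with one port, two of them bidirectional.
    print("rules needed:", rules_required({
        "a": (1, False), "b": (1, False), "c": (1, False), "d": (1, True), "e": (1, True)}))
```

The `stale_rules` audit is only possible because the example records which application each rule belongs to; in the conventional firewall the section describes, that association lives in an administrator's head, which is why removals are so easily missed.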