First, prior art 1 will be explained. Conventionally, a technology has been proposed for connecting a plurality of intranets, which are linked to one another via the Internet or the like, by Ethernet-over-SSL communication so that they can be used as an identical LAN segment (Non-patent document 1).
FIG. 1 is a block diagram illustrating a configuration of a network in such a prior art.
The Internet 1, which comprises a session relay device 10, a Firewall 23, a Firewall 33, and other appliances, is a wide area network (WAN) over which these apparatuses communicate with one another. In FIG. 1, the apparatuses within the Internet 1 are connected to one another via a HUB 11, and are connected to an intranet 2 or an intranet 3 via the Firewall 23 or the Firewall 33, respectively.
The session relay device 10 is a computer on which SoftEther virtual-HUB software is installed. It is connected to the other apparatuses within the Internet 1 via the HUB 11. The session relay device 10 performs a session relay operation: an Ethernet frame arriving over the SSL session established between a gateway device 20 and the session relay device 10 is transferred into the SSL session established between a gateway device 30 and the session relay device 10, and conversely, an Ethernet frame arriving over the SSL session established between the gateway device 30 and the session relay device 10 is transferred into the SSL session established between the gateway device 20 and the session relay device 10.
The HUB 11 performs a bridging operation: it refers to the MAC DA in the header of each Ethernet frame received from the session relay device 10, the Firewall 23, or the Firewall 33, and transfers the frame to the appropriate destination port (appropriate device).
The intranet 2, which comprises the gateway device 20, a terminal 21, a HUB 22, and the Firewall 23, is a local area network (LAN) over which these apparatuses communicate with one another. The intranet 2 is connected to the Internet 1 via the Firewall 23, and the operation of the Firewall 23 restricts communication between the Internet 1 and the intranet 2 according to a predetermined setting.
The devices within the intranet 2, which are connected to one another via the HUB 22, can communicate freely without restriction by the foregoing Firewall 23 or the like. Further, in the figure, the intranet 2 and an intranet 3 are connected with each other by the gateway device 20, the gateway device 30, and the session relay device 10 so that they operate as an identical LAN, whereby each device within the intranet 2 can also communicate freely with each device within the intranet 3 without restriction by the foregoing Firewall 23 or the like, since that traffic is carried inside the SSL session rather than as connections the Firewall 23 would examine individually.
The gateway device 20 is a computer on which a SoftEther client is installed. It is connected to the other apparatuses within the intranet 2 via the HUB 22. The gateway device 20 performs a gateway operation: an Ethernet frame flowing in the intranet 2 is transferred into the SSL session established between the gateway device 20 and the session relay device 10, and conversely, an Ethernet frame arriving over that SSL session is transferred into the intranet 2. Because the gateway device 20 acts as the client, it establishes the SSL session by connecting outward to the session relay device 10 on the Internet 1, so the Firewall 23 treats the session as a communication started from inside the intranet 2 and permits it.
The terminal 21 is a computer ordinarily used by a user of the intranet, on which software (for example, a web browser, a mailer, etc.) for communicating with apparatuses within the intranet (for example, a server 31) operates. The terminal 21 is connected to the other apparatuses over the intranet 2 via the HUB 22.
The HUB 22, like the HUB 11, performs a bridging operation: it refers to the MAC DA in the header of each Ethernet frame received from the gateway device 20, the terminal 21, or the Firewall 23, and transfers the frame to the appropriate destination port (appropriate device).
The Firewall 23 is an apparatus connecting the intranet 2 and the Internet 1: it is connected to the apparatuses over the intranet 2 via the HUB 22, and to the apparatuses over the Internet 1 via the HUB 11. The Firewall 23 restricts communication between the Internet 1 and the intranet 2 according to a predetermined setting. For example, when an apparatus inside the intranet 2 uses TCP to request the start of communication with an apparatus on the Internet 1, the subsequent communication on that connection is permitted freely in both directions; conversely, when an apparatus on the Internet 1 uses TCP to request the start of communication with an apparatus inside the intranet 2, that request is interrupted, and the subsequent communication on that connection is also interrupted in both directions.
The intranet 3, which comprises the gateway device 30, the server 31, a HUB 32, and the Firewall 33, is a local area network (LAN) over which these apparatuses communicate with one another. The intranet 3 is connected to the Internet 1 via the Firewall 33, and the operation of the Firewall 33 restricts communication between the Internet 1 and the intranet 3 according to a predetermined setting.
The devices within the intranet 3, which are connected to one another via the HUB 32, can communicate freely without restriction by the foregoing Firewall 33 or the like. Further, in FIG. 1, the intranet 2 and the intranet 3 are connected with each other by the gateway device 20, the gateway device 30, and the session relay device 10 so that they operate as an identical LAN, whereby each device within the intranet 3 can also communicate freely with each device within the intranet 2 without restriction by the foregoing Firewall 33 or the like.
The gateway device 30 is a computer having a configuration similar to that of the gateway device 20 and performing a similar operation. In the figure numerals, each component of the gateway device 30 numbered in the 3000s corresponds to the component of the gateway device 20 with the same number in the 2000s. For example, the configuration and operation of an intermediate driver 3006 are identical to those of an intermediate driver 2006. The gateway device 30, on which the SoftEther client is installed, is connected to the other apparatuses within the intranet 3 via the HUB 32. The gateway device 30 performs a gateway operation: an Ethernet frame flowing in the intranet 3 is transferred into the SSL session established between the gateway device 30 and the session relay device 10, and conversely, an Ethernet frame arriving over that SSL session is transferred into the intranet 3.
The server 31 is a computer accessed by terminals within the intranet, on which software (for example, a WWW server, a POP server, etc.) for receiving communication from terminals within the intranet (for example, the terminal 21) operates. The server 31 is connected to the other apparatuses over the intranet 3 via the HUB 32.
The HUB 32, like the HUB 11 and the HUB 22, performs a bridging operation: it refers to the MAC DA in the header of each Ethernet frame received from the gateway device 30, the server 31, or the Firewall 33, and transfers the frame to the appropriate destination port (appropriate device).
The Firewall 33 is an apparatus connecting the intranet 3 and the Internet 1: it is connected to the apparatuses over the intranet 3 via the HUB 32, and to the apparatuses over the Internet 1 via the HUB 11. The Firewall 33 restricts communication between the Internet 1 and the intranet 3 according to a predetermined setting. For example, when an apparatus inside the intranet 3 has used TCP to request the start of communication with an apparatus on the Internet 1, the subsequent communication on that connection is permitted freely in both directions; conversely, when an apparatus on the Internet 1 has used TCP to request the start of communication with an apparatus inside the intranet 3, that request is interrupted, and the subsequent communication on that connection is also interrupted in both directions.
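The connection-direction rule described above for the Firewall 23 and the Firewall 33 can be modelled as a small connection-tracking filter. The following is an added example, not part of the prior-art description; the addresses, port numbers and the segment trace are constructed for illustration, and the class and function names are hypothetical:

```python
"""Added example (not part of the prior-art description): the TCP
connection-direction rule of the Firewall 23 / Firewall 33 as a small
connection-tracking model. All addresses and ports are hypothetical."""
from ipaddress import ip_address, ip_network


class DirectionalTcpFirewall:
    """Forwards TCP connections started from the intranet side and interrupts
    those started from the Internet side, together with everything that follows."""

    def __init__(self, intranet_cidr):
        self.intranet = ip_network(intranet_cidr)
        # Connections whose start request was permitted. Each key is the
        # unordered pair of (address, port) endpoints so both directions match.
        self.established = set()

    def is_inside(self, addr):
        return ip_address(addr) in self.intranet

    def filter(self, src, sport, dst, dport, syn, ack):
        """Return True if the segment is forwarded, False if it is interrupted."""
        key = frozenset({(src, sport), (dst, dport)})
        if syn and not ack:                        # a communication start request
            if self.is_inside(src) and not self.is_inside(dst):
                self.established.add(key)          # inside -> Internet 1: permitted, remembered
                return True
            return False                           # Internet 1 -> inside: interrupted
        return key in self.established             # follow-up segments share the request's fate


def filter_trace(firewall, segments):
    """Apply the rule to a sequence of (src, sport, dst, dport, syn, ack) segments."""
    return [firewall.filter(*seg) for seg in segments]


# Constructed trace (hypothetical addresses): the gateway device 20 opens its
# SSL session outward to the session relay device 10 on port 443; afterwards the
# session relay device 10 tries to open a connection inward to the terminal 21.
GATEWAY_20, TERMINAL_21, RELAY_10 = "192.168.2.20", "192.168.2.21", "198.51.100.10"
TRACE = [
    (GATEWAY_20, 50000, RELAY_10, 443, True, False),    # SYN, inside -> Internet: forwarded
    (RELAY_10, 443, GATEWAY_20, 50000, True, True),     # SYN/ACK on that connection: forwarded
    (RELAY_10, 443, GATEWAY_20, 50000, False, True),    # SSL data toward the intranet: forwarded
    (RELAY_10, 40000, TERMINAL_21, 80, True, False),    # SYN, Internet -> inside: interrupted
    (TERMINAL_21, 80, RELAY_10, 40000, True, True),     # reply on the interrupted connection: interrupted
    (RELAY_10, 40000, TERMINAL_21, 80, False, True),    # follow-up data: interrupted
]

if __name__ == "__main__":
    print(filter_trace(DirectionalTcpFirewall("192.168.2.0/24"), TRACE))
```

The trace shows why the Ethernet-over-SSL arrangement passes the firewalls at all: the only connection that survives is the one the gateway device starts from inside, and every frame relayed between the intranets then travels inside that one permitted connection, outside the firewall's per-connection control.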
FIG. 2 is a block diagram illustrating the frame format of an Ethernet frame F20 that is transmitted and received within the intranet 2 (for example, between the terminal 21 and the gateway device 20) and within the intranet 3 (for example, between the server 31 and the gateway device 30) in the network shown in FIG. 1.
LAN MAC F21 is the header (including MAC DA, MAC SA, and Ethernet TYPE, as specified by IEEE 802) necessary for layer 2 (Ethernet: registered trademark) communication over the intranet 2 or the intranet 3.
LAN IP F22 is the header (including IP DA, IP SA, and IP TYPE, as specified by the IETF) necessary for layer 3 (IP) communication over the intranet 2 or the intranet 3.
LAN TCP F23 is the TCP header (port numbers, sequence number, etc.) necessary for TCP communication between apparatuses within the intranet 2 or the intranet 3.
LAN DATA F24 is the data exchanged between items of software operating on the apparatuses within the intranet 2 or the intranet 3.
FIG. 3 is a block diagram illustrating the frame format of an Ethernet-over-SSL frame F10 that is transmitted and received between the gateway device 20 and the session relay device 10, and between the gateway device 30 and the session relay device 10, in the network shown in FIG. 1.
INET MAC F11 is the header (including MAC DA, MAC SA, and Ethernet TYPE, as specified by IEEE 802) necessary for layer 2 (Ethernet) communication between the intranet 2 or the intranet 3 and the Internet 1 (for example, between the gateway device 20 and the session relay device 10).
INET IP F12 is the header (including IP DA, IP SA, and IP TYPE, as specified by the IETF) necessary for layer 3 (IP) communication between the intranet 2 or the intranet 3 and the Internet 1 (for example, between the gateway device 20 and the session relay device 10).
INET TCP F13 is the TCP header (port numbers, sequence number, etc.) necessary for TCP communication between the intranet 2 or the intranet 3 and the Internet 1 (for example, between the gateway device 20 and the session relay device 10).
INET SSL Encrypted DATA F14 is the data exchanged between items of software operating on the apparatuses (for example, the gateway device 20 or the session relay device 10) in communication between the intranet 2 or the intranet 3 and the Internet 1. This data is encrypted, so an apparatus located midway along the path cannot decrypt it and read its content by ordinary means. The protection applies only between the two endpoints of each SSL session: the session relay device 10, which terminates the SSL sessions with the gateway device 20 and the gateway device 30, handles the relayed Ethernet frames in the clear.
In the configuration shown in FIG. 1, the Ethernet frame F20 flowing over the intranet 2 or the intranet 3 is carried in its entirety inside the INET SSL Encrypted DATA F14 of the Ethernet-over-SSL frame F10.
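The encapsulation of F20 inside F14, what an apparatus midway on the path can and cannot read, and the bridging-by-MAC-DA performed at the session relay device 10 are shown together in the following added example. It is not code from the prior-art description or from SoftEther; all MAC and IP addresses, port numbers, session keys and the HTTP payload are constructed, the names are hypothetical, and the record encryption is a toy SHA-256 keystream that merely stands in for the SSL record layer:

```python
"""Added example, not code from the prior-art description or from SoftEther:
build the Ethernet frame F20 (FIG. 2), encapsulate it as the Ethernet-over-SSL
frame F10 (FIG. 3), and relay it by LAN MAC DA as the session relay device 10
does. Addresses and keys are hypothetical; the record encryption is a toy
SHA-256 keystream standing in for the SSL record layer, not real cryptography."""
import hashlib
import struct

def mac(text):                 # "02:00:00:00:00:21" -> 6 bytes
    return bytes.fromhex(text.replace(":", ""))

def ip(text):                  # "192.168.2.21" -> 4 bytes
    return bytes(int(octet) for octet in text.split("."))

def ip_checksum(header):       # RFC 1071 one's-complement sum; yields 0 for a valid header
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ethernet(mac_da, mac_sa, ethertype, payload):      # MAC DA | MAC SA | Ethernet TYPE | payload
    return mac_da + mac_sa + struct.pack("!H", ethertype) + payload

def ipv4(ip_sa, ip_da, protocol, payload):             # 20-byte IPv4 header without options
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, protocol, 0, ip_sa, ip_da)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def tcp(sport, dport, seq, payload):                   # data offset 5, flags PSH|ACK; checksum left 0
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload

def record_crypt(key, record_no, data):
    """Toy stand-in for SSL record encryption: XOR with a per-record keystream (same call decrypts)."""
    stream = b""
    while len(stream) < len(data):
        counter = (record_no << 32 | len(stream) // 32).to_bytes(12, "big")
        stream += hashlib.sha256(key + counter).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

# Hypothetical addresses and per-session keys for the devices of FIG. 1.
LAN_MAC_TERMINAL_21, LAN_MAC_SERVER_31 = mac("02:00:00:00:00:21"), mac("02:00:00:00:00:31")
INET_MAC_GATEWAY_20, INET_MAC_GATEWAY_30 = mac("02:00:00:00:01:20"), mac("02:00:00:00:01:30")
INET_MAC_RELAY_10 = mac("02:00:00:00:01:10")
KEY_SESSION_20, KEY_SESSION_30 = b"hypothetical-key-gateway-20", b"hypothetical-key-gateway-30"

def lan_frame_f20(mac_da, mac_sa, ip_da, ip_sa, payload):
    """F20 = LAN MAC F21 | LAN IP F22 | LAN TCP F23 | LAN DATA F24."""
    return ethernet(mac_da, mac_sa, 0x0800, ipv4(ip_sa, ip_da, 6, tcp(40000, 80, 1, payload)))

def ether_over_ssl_f10(f20, mac_sa, mac_da, ip_sa, ip_da, sport, session_key, record_no):
    """F10 = INET MAC F11 | INET IP F12 | INET TCP F13 | INET SSL Encrypted DATA F14, with F20 inside F14."""
    f14 = record_crypt(session_key, record_no, f20)
    return ethernet(mac_da, mac_sa, 0x0800, ipv4(ip_sa, ip_da, 6, tcp(sport, 443, record_no, f14)))

def outer_view(f10):
    """What an apparatus midway on the path (e.g. the HUB 11) can read without the session key:
    (INET MAC DA, INET IP DA, INET TCP destination port, INET SSL Encrypted DATA F14)."""
    return f10[:6], f10[30:34], struct.unpack("!H", f10[36:38])[0], f10[54:]

class SessionRelay:
    """Session relay device 10: terminates every SSL session, so it sees each F20 in the clear, and
    bridges by LAN MAC DA, learning which session each LAN MAC SA arrived from (virtual-HUB behaviour)."""
    def __init__(self):
        self.session_keys = {}   # session name -> session key
        self.mac_table = {}      # learned LAN MAC -> session name

    def add_session(self, name, key):
        self.session_keys[name] = key

    def relay(self, from_session, f10, record_no):
        """Return {target session: F14 re-encrypted under that session's key}."""
        f20 = record_crypt(self.session_keys[from_session], record_no, outer_view(f10)[3])
        self.mac_table[f20[6:12]] = from_session                       # learn LAN MAC SA
        known = self.mac_table.get(f20[:6])                            # look up LAN MAC DA
        if known is None or known == from_session:                     # unknown: flood to the other sessions
            targets = [s for s in self.session_keys if s != from_session]
        else:
            targets = [known]
        return {t: record_crypt(self.session_keys[t], record_no, f20) for t in targets}

if __name__ == "__main__":
    f20 = lan_frame_f20(LAN_MAC_SERVER_31, LAN_MAC_TERMINAL_21, ip("192.168.3.31"), ip("192.168.2.21"),
                        b"GET / HTTP/1.1\r\n\r\n")
    f10 = ether_over_ssl_f10(f20, INET_MAC_GATEWAY_20, INET_MAC_RELAY_10,
                             ip("203.0.113.20"), ip("198.51.100.10"), 50000, KEY_SESSION_20, 1)
    print("HUB 11 sees MAC DA %s, TCP dport %d" % (outer_view(f10)[0].hex(":"), outer_view(f10)[2]))
    relay = SessionRelay()
    relay.add_session("gateway_20", KEY_SESSION_20)
    relay.add_session("gateway_30", KEY_SESSION_30)
    out = relay.relay("gateway_20", f10, 1)
    print("relayed to", list(out), "intact:", record_crypt(KEY_SESSION_30, 1, out["gateway_30"]) == f20)
```

Two points the frame layout alone does not show: the HUB 11 and any other apparatus between a gateway device and the session relay device 10 see only the INET headers and an opaque F14, so they cannot learn the LAN MAC DA of the server 31; and the session relay device 10 must decrypt F14 to read that LAN MAC DA and choose the outgoing session, so it is a point at which the whole inter-intranet traffic is visible in plaintext.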