As a measure for expanding the coverage of a cellular communication system, the introduction of femto base stations that form cells for covering narrow areas such as residential houses, schools, and enterprises has proceeded. Further, expectation for local IP access services to be connected to local networks utilized through femto base stations by homes, schools, enterprises and the like has increased. This is expectation for the high level of QoS guarantee and security according to the use of cellular technology, as compared to local network connection using a wireless LAN in the related art.
The local network connection through the femto base station has been studied in standard-setting organizations that formulate cellular standard technology. Particularly, in 3GPP (3rd Generation Partnership Project), as local IP access (LIPA), the formulation of network architecture, procedures, and protocols have proceeded (Non Patent Literature 1). Non Patent Literature 1 discloses a method of causing a mobile terminal to specify an identifier (particularly, access point name, referred to as APN) indicating a local network (hereinafter, also referred to as a local IP network or a LIPA network) serving a connection destination and perform LIPA.
On the other hand, with the progress of technological development in which cellular phones are made into IP terminals, full-time connection to the Internet has been realized. In such a situation, a large number of essential problems, such as unintentional access to malicious Internet sites or the receiving of electronic mails including a virus, in Internet full-time connection have been confirmed. In order to solve such problems, there is a method of setting a security filter in a packet gateway or the like of an operator network. Here, in the security filter, so-called five-tuples constituted by a combination of source/destination addresses, port numbers, protocol numbers or the like, and an URL or the like which is an identifier of a web page are set as a filter entry. When a security gateway picks up packets matching with the security filter entry, the security gateway executes action such as the discard of packets or the notifying of a user.
The setting of the security filter entry as mentioned above is generally performed via a subscriber information database or the like. For example, a user performs the setting of the filter entry through a web page or the like of an operator. Therefore, it takes time until the setting is reflected. Addresses or port numbers to be used may be dynamically changed depending on services, and thus real-time reflection in the filter entry becomes an important requirement.
In addition, it is necessary that individual cellular phone users individually act. Particularly, in areas, such as schools or educational facilities, in which a large number of cellular phone users gather, it is considered to perform collective setting as school affairs. Individual setting for a large number of cellular phones takes considerable effort. Furthermore, since harmful sites on the Internet increase every day, the filter entry is required to be updated accordingly, and thus effort to perform individual setting is considerable. In addition, it is also considered that students change the filter entry independently, and thus there is a limit on the setting of the filter entry, required for educational environment recommended by schools, in individual cellular phone contracts.
In order to solve the above-mentioned problems, a gateway for performing security filtering network is installed in the school. For example, it is considered that a serving gateway (SGW) which is equipment of an operator core network is installed on a network utilized by the school, and that security filtering is carried out. This is to accommodate a cellular phone to be filtered in the femto base station, establish PDN connection for Internet connection via the SGW in the school with a packet gateway (PGW) of an operator core network, and filter the traffic of the cellular phone in the SGW. Thereby, since the security filter can be set in the SGW in the school, it is possible to secure the real-time properties of setting reflection. In addition, since the traffic of cellular phones to be accommodated can be filtered collectively, it is not necessary to perform the setting of the filter entry on individual cellular phones.