In recent years, virtualization technologies in which a plurality of virtual computers (also called virtual machines or logical hosts) run on a single physical computer (also called a physical machine or a physical host) have come into use in the field of data processing. Software programs, including an OS (Operating System), can be run on each virtual machine. The physical machine using the virtualization technology runs a software program that manages the plural virtual machines.
A software program called a hypervisor, for example, allocates the processing capability of a CPU (Central Processing Unit) and storage areas in a RAM (Random Access Memory) to each of the plural virtual machines as computing resources. The hypervisor may also implement a network routing function on the physical machine using those computing resources. A routing function implemented on the physical machine in this way is sometimes called a virtual router. Having virtual routers relay communication among the virtual machines allows a network of virtual machines to be built on the physical machine. A data processing system may thus be configured to run a virtual machine on a physical machine and to make a service implemented on the virtual machine accessible from a client device.
A firewall is sometimes placed on a communication route in a network in order to maintain the security of communication over that network. The firewall filters traffic on the network according to predetermined rules and blocks communication that uses any communication path or protocol other than the permitted ones.
For example, a method has been proposed in which the gateway device through which a user terminal device connects to a given network is provided in advance with a filtering table set for that network, and the gateway device filters traffic based on the filtering table.
A further method has been proposed in which, when a user terminal device begins connecting to an external network via a firewall device, the firewall device obtains a filter rule corresponding to the user from a policy server device.
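The two filtering approaches just described share one mechanism: a table of rules consulted in order, with a default deny for anything no rule matches. The following is an added example that illustrates that mechanism in Python; it is not code from the cited publications. The network names, user names, addresses and rule contents are constructed for the illustration, and the policy server is stood in for by an in-memory dictionary.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    dport: Optional[int]  # destination port; None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """First matching rule wins; an unmatched packet falls to the default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed filtering tables, keyed by the network a terminal connects to,
# as in the gateway method: the table for a network is set in advance.
NETWORK_TABLES = {
    "office-lan": [
        Rule("allow", "tcp", "0.0.0.0/0", "10.0.0.0/24", 443),
        Rule("allow", "udp", "0.0.0.0/0", "10.0.0.53/32", 53),
    ],
    "guest-wifi": [
        Rule("allow", "tcp", "0.0.0.0/0", "10.0.0.0/24", 443),
        Rule("deny", "any", "0.0.0.0/0", "10.0.0.0/8", None),
    ],
}

# Constructed stand-in for a policy server: filter rules keyed by user,
# fetched when the user starts a connection through the firewall.
POLICY_SERVER = {
    "alice": [Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.0/24", 22)],
    "bob": [],
}


class Gateway:
    """Applies the filtering table pre-set for the connected network."""

    def __init__(self, network: str):
        self.rules = NETWORK_TABLES[network]

    def filter(self, pkt: Packet) -> str:
        return evaluate(self.rules, pkt)


class PolicyFirewall:
    """Obtains the user's rule set from the policy store at connection start."""

    def __init__(self, user: str):
        # An unknown user gets an empty rule set and therefore the default deny.
        self.rules = POLICY_SERVER.get(user, [])

    def filter(self, pkt: Packet) -> str:
        return evaluate(self.rules, pkt)
```

The deny rule at the end of the guest table shows why rule order matters in a first-match table: the same HTTPS packet is allowed on both networks, but on the guest network every other packet toward the internal address range is explicitly dropped rather than left to the implicit default.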
Japanese Laid-open Patent Publication No. 2003-244245 (paragraphs 0038-0042) and International Publication Pamphlet No. WO 04071038 (from the third line of page 32 to the sixth line of page 33) discuss related art.