Recently, many companies have been introducing quarantine systems for in-company networks. A quarantine system is a mechanism by which a computer that is trying to connect to an in-company network is temporarily connected to a test network, a check for infection by computer viruses or a security check of software installed in the computer is performed, and confirmation is made that there is no problem, before allowing connection to the in-company network. In establishing the quarantine system, in general a method is used where a combination is made with a user authentication device or terminal authentication device, and a computer is connected to the in-company network and test network in accordance with the outcome of the authentication. Furthermore, a VLAN (Virtual Local Area Network) is often used for distinguishing between an in-company network and a test network. A VLAN relates to technology for building a logical network that does not depend on the physical structure of the network.
Cited Publication 1 discloses a network connection control system in which, when a computer tries to connect to a network, resource information of the computer is collected and a check is made as to whether or not a policy for connecting to the network is satisfied, before allowing only a computer that satisfies the policy to connect to the network.
Furthermore, Cited Publication 2 discloses a system inside a private network that includes a plurality of registered company networks, and is provided with processing nodes configured so that only allowed inbound messages (inbound messages transmitted by one or more authenticated message forwarding nodes) are transmitted to a registered company network, and a control node configured so as to maintain registration of a plurality of message forwarding nodes related to a company network.
In recent years, technology known as OpenFlow has been proposed (refer to Patent Literature 3, and Non Patent Literatures 1 and 2). In OpenFlow, communication is treated as end-to-end flow, and path control, recovery from failure, load balancing, and optimization are performed in flow units. An OpenFlow switch as specified in Non Patent Literature 2 is provided with a secure channel for communication with an OpenFlow controller positioned as a control device, and operates according to a flow table in which appropriate addition or rewriting is instructed by the OpenFlow controller. In the flow table are definitions of sets of matching rules (Header fields) for collation with packet headers, flow statistical information (Counters), and actions (Actions) defining processing content, for each flow (refer to FIG. 16).
For example, when an OpenFlow switch receives a packet, an entry is searched for that has a matching rule (refer to header field in FIG. 16) that matches header information of the received packet, from the flow table. As a result of the search, in a case where an entry matching the received packet is found, the OpenFlow switch updates the flow statistical information (Counters) and also implements processing content (packet transmission from a specified port, flooding, dropping, and the like) described in an Actions field of the entry in question, for the received packet. On the other hand, as a result of the search, in a case where an entry matching the received packet is not found, the OpenFlow switch transmits the received packet to the OpenFlow controller via a secure channel, requests determination of a path of the packet based on source and destination of the received packet, receives a flow entry realizing this, and updates the flow table. In this way, the OpenFlow switch uses the entry stored in the flow table as a processing rule (packet handling operation) to perform packet forwarding.