In a corporate network or the like (for example, an in-house LAN (Local Area Network)), security measures are essential to prevent unauthorized access from both inside and outside the network. For example, the administrator of a corporate network needs to properly control access to the network and manage the terminals connected to it. Managing the connected terminals is not difficult when the network administrator knows in advance the identification numbers (for example, IP (Internet Protocol) addresses, MAC (Media Access Control) addresses, resource numbers, etc.) and installation locations of the terminals before they are connected to the network.
However, if an employee (a user of the network) connects a terminal or the like to the network without the prior consent of the network administrator, it is very difficult for the administrator to become aware that the terminal exists. When the network administrator cannot manage such terminals, operations such as identifying the terminal that caused a security incident and taking inventory of the terminals become very complicated and time-consuming. These days, more and more companies adopt BYOD (Bring Your Own Device), a policy that allows employees to use their own terminals for work. In such a corporate environment, one form of operation is for the network administrator to register and manage all terminals before they are connected to the corporate network. However, since this could disturb the employees' smooth work, it is very difficult in practice.
PTL 1 discloses an unauthorized-connection detection system for detecting unauthorized connection to a network by unauthorized terminals that have no access right. According to the method disclosed in [0009] of PTL 1, a dedicated monitoring program is stored in each authorized terminal that has an access right to the network. When an authorized terminal is connected to the network, the monitoring program causes the terminal to perform a predetermined operation and transmit predetermined information to a management server that manages the network. By checking whether this information is present and what it contains, connection to the network by an unauthorized terminal having no access right is detected.
NPLs 1 and 2 propose a technique referred to as OpenFlow. OpenFlow treats communications as end-to-end flows and performs path control, failure recovery, load balancing, and optimization on a per-flow basis. An OpenFlow switch standardized in NPL 2 has a secure channel for communication with an OpenFlow controller and operates according to a flow table that the OpenFlow controller adds to or rewrites as appropriate. In the flow table, a set of the following three items is defined for each flow: match fields that define the contents against which packet headers are matched; flow statistical information (Counters); and an instruction(s) that defines the processing content(s) (see section “5.2 Flow Table” in NPL 2).
For example, when an OpenFlow switch receives a packet, it searches its flow table for an entry whose match field(s) match the header information of the received packet (see “5.3 Matching” in NPL 2). If the search finds an entry that matches the received packet, the OpenFlow switch updates that entry's flow statistical information (Counters) and processes the received packet according to the processing content(s) (transmission from a specified port, flooding, dropping, or the like) written in the entry's instruction field. If the search does not find an entry that matches the received packet, the OpenFlow switch requests the OpenFlow controller to set an entry for processing the received packet, namely, it transmits a processing content determination request to the OpenFlow controller via the corresponding secure channel. The OpenFlow switch receives a flow entry corresponding to the request and updates its own flow table. In this way, the OpenFlow switch performs packet forwarding by using the entries stored in its flow table as processing rules.

PTL 1: Japanese Patent No. 4002276
NPL 1: Nick McKeown and seven others, “OpenFlow: Enabling Innovation in Campus Networks,” [online], [searched on Jul. 2, 2013], Internet <URL:http://www.openflow.org/documents/openflow-wp-latest.pdf>
NPL 2: “OpenFlow Switch Specification” Version 1.3.1 (Wire Protocol 0x04), [online], [searched on Jul. 2, 2013], Internet <URL:https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-spec-v1.3.1.pdf>
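The flow-table lookup, counter update and table-miss exchange described above, as a constructed Python model that is not code from PTL 1 or from the OpenFlow specification. The classes FlowEntry, Controller and Switch, the three match fields (in_port, eth_src, eth_dst) and the controller's MAC-learning and first-seen-host logic are assumptions for illustration; the point worth noting for terminal management is that the first packet of any terminal the controller has never seen necessarily arrives at the controller as a table miss.

```python
from dataclasses import dataclass, field

@dataclass
class FlowEntry:
    match: dict           # match fields (None = wildcard) compared against the header
    instruction: tuple    # ("output", port), ("flood",) or ("drop",)
    priority: int = 0
    counters: dict = field(default_factory=lambda: {"packets": 0, "bytes": 0})

    def matches(self, pkt):
        # A wildcarded (None) field matches any header value.
        return all(v is None or pkt.get(k) == v for k, v in self.match.items())

    def apply(self, pkt):
        # Flow statistical information (Counters) is updated on every hit.
        self.counters["packets"] += 1
        self.counters["bytes"] += pkt["len"]
        return self.instruction

class Controller:
    """Hypothetical controller: learns eth_src -> in_port and lists first-seen hosts."""
    def __init__(self):
        self.mac_table = {}
        self.seen_hosts = []

    def packet_in(self, pkt):
        src, dst = pkt["eth_src"], pkt["eth_dst"]
        if src not in self.mac_table:
            self.seen_hosts.append(src)      # a terminal the controller has not seen before
        self.mac_table[src] = pkt["in_port"]
        port = self.mac_table.get(dst)
        instr = ("output", port) if port is not None else ("flood",)
        return FlowEntry({"eth_dst": dst}, instr, priority=10)

class Switch:
    def __init__(self, controller):
        self.controller = controller
        self.flow_table = []

    def receive(self, pkt):
        # 5.3 Matching: use the highest-priority entry whose match fields fit.
        for e in sorted(self.flow_table, key=lambda e: -e.priority):
            if e.matches(pkt):
                return e.apply(pkt), False
        # Table miss: request a processing content from the controller, install
        # the returned entry, then process the packet with it.
        entry = self.controller.packet_in(pkt)
        self.flow_table.append(entry)
        return entry.apply(pkt), True
```

`Switch.receive` returns the applied instruction and whether the packet caused a table miss; a real controller would also set idle/hard timeouts so that an entry installed before the destination was learned (here the flood entry) does not persist indefinitely.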