WO2006095438A1 - Access control method, access control system and packet communication device - Google Patents
Access control method, access control system and packet communication device
- Publication number
- WO2006095438A1 (PCT/JP2005/004359)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- packet
- user
- access control
- attribute information
- communication device
- Prior art date
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/2854—Wide area networks, e.g. public data networks
- H04L12/2856—Access arrangements, e.g. Internet access
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Definitions
- Access control method, access control system, and packet communication apparatus
- the present invention relates to an access control method, an access control system, and a packet communication device.
- the present invention relates to an access control method for packet communication, an access control system using the method, and a packet communication apparatus.
- computers such as personal computers and network devices such as packet communication devices have become cheaper, more functional, and more advanced, and computer networks built from computers and network devices (hereinafter simply referred to as networks) are spreading rapidly.
- measures at the second layer of the OSI reference model include filtering by MAC address and route control by virtual LAN (VLAN).
- filter settings such as filtering by IP address are configured in the packet communication device, and access control is performed so that the user (computer) can access only the permitted area.
- Patent Documents 1 and 2 describe an example of access control based on filter settings.
- Patent Document 1 JP-A-2004-62417
- Patent Document 2 JP 2004-15530 A
- FIG. 1 is a configuration diagram of an example of a network.
- the network in Fig. 1 performs access control based on the filter settings of the packet communication devices 1 to 4.
- when control is performed at the IP level in the network shown in Fig. 1, access control is performed by setting, as IP-address filter settings in the packet communication device 2, a rule permitting communication between the PC 5 and the application server 6 and rules restricting communication between other PCs and the application server 6.
- since a filter setting need only specify a rule that either passes or blocks packets, the total could be reduced to m × n / 2, but there is the problem that it is difficult to separate which rules need to be set.
- the rules between all the PCs 5, 7, 8 and the application servers 6, 9 are set in the packet communication devices 1 to 4.
- the packet communication devices 1 to 4 set only the rules related to the PCs managed by the respective networks, and reduce the amount to be set.
- when PC 8 moves to the position of PC 7, the rules related to PC 8 that were set in the packet communication device 3 must be set in the packet communication device 4. For this reason, there is a problem that the burden on the network administrator increases when users move frequently.
- when an application server 9 is added, each packet communication device 1
- the present invention has been made in view of the above points, and an object thereof is to provide an access control method, an access control system, and a packet communication apparatus in which security and convenience coexist.
- the present invention provides an access control method in a network including a plurality of packet communication devices, comprising a first step in which a source packet communication device adds user attribute information to a packet to be transmitted, and a second step in which the destination packet communication device performs access control based on the user attribute information attached to the packet.
- access control may be performed based on policy information set in advance and attribute information of the user.
- the user attribute information given to the packet may be deleted.
- application information of the packet is added to the packet to be transmitted in addition to the user attribute information
- access control may be performed based on a combination of the user attribute information and the application information attached to the packet.
- when a packet already carries user attribute information, that previously attached attribute information may be deleted before the attribute information of the transmitting user is added.
- the first step may add the user attribute information only when the packet to be transmitted is a packet to which user attribute information is to be added, and the second step may perform access control based on the attached user attribute information only when the received packet is a packet to which user attribute information is to be added.
- the present invention is an access control system including a plurality of packet communication devices: a source packet communication device that adds user attribute information to a packet to be transmitted, and a destination packet communication device that performs access control based on the user attribute information attached to the packet.
- the present invention provides a packet communication device comprising attribute information adding means for adding user attribute information to a packet received from an end system, and access control means for performing access control of a packet destined for the end system based on the user attribute information added to it.
- FIG. 1 is a configuration diagram of an example of a network.
- FIG. 2 is a block diagram of an example of an access control system according to the present invention.
- FIG. 3 is a sequence diagram showing an operation outline of the access control system according to the present invention.
- FIG. 4 is a configuration diagram of an example of a table in which the packet communication apparatus holds user attribute values.
- FIG. 5 is a block diagram showing an example of a security tag format.
- FIG. 6 is a configuration diagram of an example of a table representing a security policy.
- FIG. 7 is a block diagram of an embodiment of a packet communication device that implements a security agent function.
- FIG. 8 is a block diagram of an embodiment of a packet communication device that implements a security judge function.
- FIG. 10 is a configuration diagram of another example showing the format of the security tag.
- a tag is generated based on user attributes (for example, information such as affiliation and job title) independent of the network configuration, and access control is performed using the tag.
- Tags can also be generated based on user attribute information and packet application information.
- the above tag is referred to as a security tag, and a security tag generated based on user attribute information and packet application information will be described as an example.
- the processing for communicating from the PC 5 to the application server 6 is performed as follows.
- the packet communication device 1 on the ingress side (source) identifies the application information of the packet received from the PC 5, adds to the packet a security tag generated from the application information and the attribute information of the user operating the PC 5, and then transmits it.
- the packet communication device 2 on the egress side compares the policy information set in advance with the security tag attached to the received packet and, as described later, determines from the comparison result whether access is permitted. If access is permitted, the packet communication device 2 passes the packet, that is, transmits it to the application server 6. If access is not permitted, the packet communication device 2 discards the packet.
- the access control of the present invention based on the filter setting of the packet communication device has a smaller number of settings than the conventional access control based on the filter setting of the packet communication device.
- the number to be set is m X n as described above.
- the maximum number to be set is m + n. This is because in the access control of the present invention by setting the filter of the packet communication device, it is necessary to set the attribute information of m users and the policy information of n devices.
- the conventional access control based on the packet communication device filter settings requires a maximum of 10,000,000 settings.
- in the access control of the present invention, a maximum of 11,000 settings is sufficient.
- since the user attribute information is set in an authentication server described later, it does not depend on the network configuration. For this reason, in the access control of the present invention based on the filter setting of the packet communication device, the filter settings need not be redone even if a user accesses from another office, for example, and changes or additions to the network configuration can be handled flexibly.
- Example 1
- FIG. 2 is a configuration diagram of an example of an access control system according to the present invention.
- the access control system of FIG. 2 has a configuration including packet communication apparatuses 11 and 12, an authentication server 13, a PC 15, an application server 16, and a communication network 17.
- the packet communication devices 11 and 12 and the authentication server 13 are connected to a communication network 17.
- the PC 15 is connected to the communication network 17 via the packet communication device 11.
- the application server 16 is connected to the communication network 17 via the packet communication device 12.
- the packet communication device 11 is, for example, an access switch hub or the like, and has a security agent function to be described later.
- the packet communication device 12 is, for example, an access switch or a load balancer that bundles a plurality of servers, and has a security judge function to be described later.
- the packet communication devices 11 and 12 are connected to end systems such as the PC 15 and the application server 16.
- the authentication server 13 holds authentication information (for example, a list of user IDs and passwords) of users who use the access control system according to the present invention and user attribute information.
- the authentication server 13 responds to the request from the packet communication device 11 with the authentication result and user attribute information.
- the authentication server 13 is, for example, a RADIUS (Remote Authentication Dial In User Service) server.
- the security administrator 14 sets a security policy as policy information for each server such as the application server 16.
- the security policy specifies the combinations of user attribute information and application information that are permitted access.
- the security administrator 14 is also responsible for setting authentication information and attribute information in the authentication server 13 for each user.
- the application server 16 is an example of a server.
- the PC 15 is an example of a device such as a computer operated by a user.
- the communication network 17 is, for example, an IP-based network (such as an intranet) constructed by interconnecting routers. The user uses the PC 15 to perform specific application communication with the application server 16.
- FIG. 3 is a sequence diagram showing an operation outline of the access control system according to the present invention.
- in step S1, the security administrator 14 sets a security policy in the packet communication device 12. For example, the security administrator 14 sets a security policy such as "Web access packets are passed when the attribute information value of the user (hereinafter simply referred to as the attribute value) is 2 or more; packets of other applications are passed when the attribute value of the user is 4 or more; all other packets are discarded."
- a user attribute value is a security clearance given according to the user's status and responsibilities.
- the security clearance can be given, for example, as "5 for the manager class, 4 for the senior manager class, 3 for the middle manager class, 2 for the general employee class, 1 for part-time staff, and 1 for outside visitors".
- the security administrator does not need to disclose the meaning of user attribute values, and can freely define the meaning of user attribute values.
- the security clearance can also be set for each department to which the user belongs, and may be given as "1 for sales, 2 for SE, 3 for development, 4 for personnel, 5 for accounting".
- the access control system according to the present invention can then be used, for example, to permit users belonging to the SE or development department to access the Web server while not permitting users belonging to the sales department to access it.
- User attribute values can be flexibly set according to the company's security policy.
- in step S2, the security administrator 14 sets user authentication information (for example, a user ID and password) and the user attribute value in the authentication server 13. For example, the security administrator 14 sets the user ID "12345678", the password "abcdefgh", and the user attribute value "3".
- Steps S1 and S2 constitute the preset phase.
- the user connects the PC 15 to the packet communication device 11 and starts the authentication phase.
- as the authentication procedure performed in the authentication phase, an authentication procedure using a user ID and password will be described as an example.
- in step S3, the PC 15 transmits an authentication request packet including the user ID and password of the user to the packet communication device 11.
- in step S4, the packet communication device 11 transfers the authentication request packet received from the PC 15 to the authentication server 13.
- the authentication server 13 performs authentication using the user ID and password included in the authentication request packet.
- in step S5, when the authentication server 13 confirms that the user ID and the password correspond correctly, it responds to the packet communication device 11 with authentication OK and the user attribute value. For example, the authentication server 13 returns authentication OK and the user attribute value "3" to the packet communication device 11. If the user ID and password do not correspond correctly, the authentication server 13 returns authentication NG to the packet communication device 11.
- in step S6, the packet communication device 11 temporarily records the attribute value of the user and returns authentication OK to the PC 15.
- the packet communication device 11 holds the attribute value of the user while the authentication OK is valid. If a new authentication request arrives from the same user, the stored attribute value of the user is overwritten.
- FIG. 4 is a configuration diagram of an example of a table in which the packet communication apparatus holds user attribute values.
- in this table, the identifier of the packet transmission source (for example, a MAC address) and the attribute value of the user are stored in association with each other.
- steps S3 to S6 constitute the authentication phase.
- in the authentication phase, the authentication procedure may differ from the one described, as long as, when authentication succeeds, the correspondence between the authenticated user and the attribute value of the user is held in the packet communication device 11.
- the communication phase is started after the authentication phase.
- in the communication phase, a SYN packet of the TCP procedure is sent from the PC 15 with the application server 16 as the destination; if a response is returned to the PC 15, communication proceeds as is, and if no response is returned from the application server 16 to the PC 15, the communication is interrupted.
- when the packet communication device 11 relays a packet, it adds a security tag according to the present invention to the packet.
- a security tag is set in the option field of the IP header.
- an application identifier as packet application information and a user attribute value as user attribute information are set in the security tag.
- FIG. 5 is a configuration diagram of an example showing a security tag format.
- the security tag is configured to include the application identifier and the user attribute value, and is set in the option field of the IP header.
- the packet communication device 11 can set the application identifier by examining the packet. For example, by examining the packet header information called the TCP port number, the packet communication device 11 can determine the packet application (email, Web access, file transfer, IP phone, etc.). In this embodiment the packet application is determined using the TCP port number, but other methods may be used. As the user attribute value, the value temporarily recorded in the table of Fig. 4 during the authentication phase is used.
- since the security tag is set in the option field of the IP header, the packet to which the security tag is attached by the packet communication device 11 passes through the communication network 17 without any problem and arrives at the packet communication device 12.
- the packet communication device 12 checks the security tag of the packet.
- steps S7 and S8 represent an example in which the application is a file transfer.
- steps S9 to S12 represent an example in which the application is Web access.
- in step S7, the packet communication device 11 receives the file transfer communication request from the PC 15 and attaches to the packet a security tag including the application identifier indicating file transfer and the user attribute value "3".
- in step S8, the packet communication device 11 transmits the packet with the security tag to the packet communication device 12.
- the packet communication device 12 compares the contents of the security tag attached to the received packet with the security policy represented by the table in FIG. 6 set in the pre-setting phase.
- FIG. 6 is a configuration diagram of an example of a table representing a security policy.
- the security policy in Fig. 6 is: "Web access packets are allowed to pass if the user attribute value is 2 or greater; packets of other applications are allowed to pass if the user attribute value is 4 or greater; all other packets are discarded."
- from the contents of the security tag attached to the received packet, the packet communication device 12 learns that the application of the received packet is other than Web access (file transfer) and that the attribute value of the user is 3. Since the security policy in Fig. 6 permits applications other than Web access only when the user attribute value is 4 or more, the packet communication device 12 discards the received packet.
- in step S9, the packet communication device 11 receives the Web access communication request from the PC 15 and attaches to the packet a security tag including the application identifier representing Web access and the user attribute value "3".
- the packet communication device 11 transmits the packet with the security tag to the packet communication device 12.
- the packet communication device 12 compares the contents of the security tag attached to the received packet with the security policy represented by the table in FIG. 6 set in the pre-setting phase.
- from the contents of the security tag attached to the received packet, the packet communication device 12 learns that the application of the received packet is Web access and that the attribute value of the user is 3. Since the security policy in Fig. 6 permits Web access when the user attribute value is 2 or more, the packet communication device 12 accepts the packet.
- the packet communication device 12 passes the packet, and the packet reaches the application server 16.
- in step S12, the application server 16 responds to the PC 15.
- the PC 15 starts a data transfer phase.
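As an added worked example (not code from the patent), the following Python model walks through steps S7 to S12 above: the Fig. 4 table that the security agent fills at authentication, the Fig. 5 tag carried as an IPv4 option, and the Fig. 6 policy evaluated by the security judge. The option type number 0x9E (an experimental option number), the application identifier values, the port-to-application mapping and the MAC address are assumptions made for this example; the policy is evaluated top to bottom, first match wins, and untagged packets are discarded.

```python
import struct

# Option type number for the security tag. The patent only says the tag lives in the
# IP header option field; 0x9E (an experimental option number) is assumed for this example.
SEC_TAG_OPTION_TYPE = 0x9E
SEC_TAG_LEN = 4  # option type, option length, application identifier, attribute value

# Application identifiers (constructed values; the text lists only the categories).
APP_OTHER, APP_WEB, APP_FILE_TRANSFER, APP_EMAIL = 0, 1, 2, 3
PORT_TO_APP = {80: APP_WEB, 443: APP_WEB, 21: APP_FILE_TRANSFER, 25: APP_EMAIL}

# Fig. 4 table of the security agent: packet source identifier (MAC) -> attribute value.
# Constructed entry: the user authenticated in step S5 with attribute value 3.
AUTHENTICATED_USERS = {"00:11:22:33:44:55": 3}

# Fig. 6 policy of the security judge, evaluated top to bottom; None matches any application.
# "Web access passes at attribute >= 2, other applications pass at attribute >= 4, else discard."
SECURITY_POLICY = [(APP_WEB, 2), (None, 4)]


def classify_application(dst_port):
    """Determine the packet application from the TCP destination port (the method in the text)."""
    return PORT_TO_APP.get(dst_port, APP_OTHER)


def encode_security_tag(app_id, attr_value):
    """Fig. 5 tag as an IPv4 option: type, length, application identifier, user attribute value."""
    return struct.pack("!BBBB", SEC_TAG_OPTION_TYPE, SEC_TAG_LEN, app_id, attr_value)


def decode_security_tag(options):
    """Walk the IPv4 option field and return (app_id, attr_value), or None if no tag is present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No Operation (single byte)
            i += 1
            continue
        length = options[i + 1]
        if length < 2:           # malformed option; stop rather than loop forever
            break
        if kind == SEC_TAG_OPTION_TYPE and length == SEC_TAG_LEN:
            return options[i + 2], options[i + 3]
        i += length
    return None


def security_agent(src_mac, dst_port):
    """Ingress device (packet communication device 11): returns the option bytes to attach,
    or None when the source is not an authenticated user (the packet is discarded)."""
    attr_value = AUTHENTICATED_USERS.get(src_mac)
    if attr_value is None:
        return None
    return encode_security_tag(classify_application(dst_port), attr_value)


def security_judge(options, policy=SECURITY_POLICY):
    """Egress device (packet communication device 12): compare the tag with the policy."""
    tag = decode_security_tag(options) if options else None
    if tag is None:
        return "discard"         # untagged packets are not accepted in this example
    app_id, attr_value = tag
    for rule_app, min_attr in policy:
        if rule_app is None or rule_app == app_id:
            return "pass" if attr_value >= min_attr else "discard"
    return "discard"


def run_sequence(src_mac="00:11:22:33:44:55"):
    """Steps S7-S12 of Fig. 3: file transfer (port 21) then Web access (port 80) from one user."""
    results = {}
    for name, port in (("S7 file transfer", 21), ("S9 web access", 80)):
        tag = security_agent(src_mac, port)
        results[name] = security_judge(tag)
    return results


if __name__ == "__main__":
    print(run_sequence())   # {'S7 file transfer': 'discard', 'S9 web access': 'pass'}
```

The point the model makes concrete is the one the patent relies on: the judge never consults a per-PC rule, only the tag and a per-server policy, so moving the user to another port or office changes nothing on the egress side, and the ingress side needs only the Fig. 4 entry created at authentication.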
- FIG. 7 is a block diagram of an embodiment of a packet communication device that implements a security agent function.
- the packet communication device 11 is an access switch for connecting the PC 15 or the like.
- the packet communication device 11 includes transmission path control units 22 and 23, a path control unit 24, an authentication confirmation unit 25, an authenticated user recording unit 26, an authentication execution unit 27, a tag control unit 28, and a tag information recording unit 29.
- the transmission path control unit 22 accommodates a communication path accessed by the PC 15.
- the transmission path control unit 22 performs physical / electrical transmission path accommodation and communication control level communication procedures.
- the transmission path control unit 22 corresponds to the LAN port of the access switch and its MAC control circuit.
- the transmission path control unit 23 is used for both communication with the authentication server 13 and communication with the application server 16 as a destination that the user desires to connect to. There are a plurality of transmission path control units 22 and 23 depending on the number of transmission paths to be accommodated.
- the route control unit 24 determines from the destination address information where to send the packet, selects the corresponding transmission path control unit 23, and sends the packet through it.
- the route control unit 24 corresponds to a routing mechanism.
- the transmission path control units 22 and 23 and the path control unit 24 are the main functional blocks that constitute an access switch (a layer 3 switch that implements a routing function) of the existing technology.
- the authentication confirmation unit 25 performs a function of determining a transmission source of a packet and determining whether or not the transmission source is an already authenticated user.
- the packet transmission source identification information is, for example, the transmission path identifier of the transmission path control unit 22 that received the packet or a physical address such as a MAC address.
- the authenticated user recording unit 26 records information necessary for determining whether or not the transmission source is an already authenticated user.
- the authenticated user recording unit 26 stores a list of packet transmission source identification information of users who are authenticated.
- the authentication execution unit 27 executes an authentication procedure with the authentication server 13 described above.
- the authentication confirmation unit 25, the authenticated user recording unit 26, and the authentication execution unit 27 are the main functional blocks constituting the authentication function of the existing technology.
- the following describes access authentication, which is an existing technology.
- an unauthenticated user transmits a packet from the PC 15 to the application server 16.
- the packet is received by the transmission path control unit 22.
- the transmission path control unit 22 transmits the received packet to the authentication confirmation unit 25.
- the authentication confirmation unit 25 refers to the list stored in the authenticated user recording unit 26 using the packet transmission source identification information of the received packet as a key. However, since this user is not authenticated, it is not registered in the list. Therefore, the authentication confirmation unit 25 discards the packet. Therefore, an unauthenticated user cannot communicate with the application server 16.
- the transmission path control unit 22 performs a different operation only when the received packet is an authentication procedure packet.
- the authentication confirmation unit 25 transmits the packet to the authentication execution unit 27.
- the authentication execution unit 27 executes the authentication procedure as follows, for example.
- the authentication execution unit 27 places the authentication information provided by the user (for example, a user ID and a password) in an inquiry packet and transmits the inquiry packet to the authentication server 13.
- the inquiry packet reaches the authentication server 13 via the path control unit 24 and the transmission path control unit 23.
- the authentication server 13 checks the user ID and password to confirm the validity of the user. If the authentication result indicates authentication OK, the authentication server 13 transmits the attribute value of the user to the packet communication device 11 in addition to the authentication result. As described above, the user attribute value is assigned to each user by the security administrator and set in the authentication server 13. If the authentication result indicates authentication NG, the authentication server 13 transmits only the authentication result to the packet communication device 11.
- the authentication result and the user attribute value reach the authentication execution unit 27 via the transmission path control unit 23 and the route control unit 24.
- the authentication execution unit 27 registers the packet sender identification information of the user and the attribute value of the user in the list of the tag information recording unit 29 in association with each other.
- the authentication execution unit 27 registers the user's packet transmission source identification information in the authenticated user recording unit 26. Further, the authentication execution unit 27 transmits an authentication result indicating authentication OK to the user. The authentication result indicating authentication OK reaches the PC 15 via the authentication confirmation unit 25 and the transmission path control unit 22. With the above processing, access authentication is completed.
- various methods exist for access authentication, and methods other than those described above may be used.
- in any access authentication method, the user's packet transmission source identification information is registered in the authenticated user recording unit 26 only when the authentication result indicates authentication OK.
- the tag control unit 28 performs a function of inserting the above-described security tag into a packet passing therethrough.
- the tag controller 28 also functions to determine packet applications (email, Web access, file transfer, IP phone, etc.). The function of determining the packet application can be realized as described above.
- the tag information recording unit 29 stores a list in which the user packet transmission source identification information and the user attribute values are associated with each other.
- the user transmits a packet from the PC 15 to the application server 16.
- the packet reaches the authentication confirmation unit 25 via the transmission path control unit 22.
- the authentication confirmation unit 25 refers to the list stored in the authenticated user recording unit 26 using the packet transmission source identification information of the received packet as a key. Since this user is registered in the list, the authentication confirmation unit 25 transmits the packet to the tag control unit 28.
- the tag control unit 28 searches the list of the tag information recording unit 29 using the packet transmission source identification information of the received packet as a key.
- since the tag control unit 28 also has a function of determining the packet application, it can create the application identifier itself.
- the tag control unit 28 generates a security tag based on the user attribute value and the application identifier, and transmits the packet with the security tag to the route control unit 24.
- the route control unit 24 performs normal route selection and sends the packet through the transmission route control unit 23.
- since the security tag is set in the option field of the IP header, the operation of the path control unit 24 and the transmission path control unit 23 is not affected, and the packet with the security tag is sent toward the application server 16 as usual.
- if a security tag is already attached to a received packet, the tag control unit 28 deletes it. Thereafter, the tag control unit 28 generates a security tag as described above and attaches the new security tag to the packet.
- by deleting any existing security tag and re-adding a newly created one, the tag control unit 28 can prevent counterfeiting of security tags.
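The delete-and-reinsert step described above is what keeps the tag trustworthy: whatever tag a packet carries when it arrives at the agent is discarded, and the tag the judge later sees is always derived from the attribute value the agent itself recorded at authentication. The following Python example (added here; not the patent's code) shows that step at the IPv4 header level, including the IHL, total length and header checksum updates that removing and adding an option requires. The option type number 0x9E, the addresses, the payload and the attribute values are constructed for the example.

```python
import struct

# Assumed IPv4 option type number for the security tag (the patent does not specify one).
SEC_TAG_OPTION_TYPE = 0x9E
SEC_TAG_LEN = 4
APP_WEB = 1  # constructed application identifier

def ipv4_checksum(header):
    """One's-complement checksum over the IPv4 header (returns 0 for a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def split_packet(packet):
    """Return (fixed 20-byte header, option bytes, payload) using the IHL field."""
    header_len = (packet[0] & 0x0F) * 4
    return packet[:20], packet[20:header_len], packet[header_len:]

def iter_options(options):
    """Yield (kind, raw bytes) per IPv4 option; stop at End of Option List or a malformed length."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                          # End of Option List
            return
        if kind == 1:                          # No Operation (single byte)
            yield kind, options[i:i + 1]
            i += 1
            continue
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2 or i + length > len(options):
            return
        yield kind, options[i:i + length]
        i += length

def remove_security_tags(options):
    """The tag control unit's deletion step: drop every security tag, keep all other options."""
    return b"".join(raw for kind, raw in iter_options(options) if kind != SEC_TAG_OPTION_TYPE)

def rebuild_packet(fixed, options, payload):
    """Reassemble the packet with a correct IHL, total length and header checksum."""
    options += b"\x00" * (-len(options) % 4)          # pad options to a 32-bit boundary
    header = bytearray(fixed)
    header[0] = (header[0] & 0xF0) | (5 + len(options) // 4)
    struct.pack_into("!H", header, 2, 20 + len(options) + len(payload))
    struct.pack_into("!H", header, 10, 0)               # zero the checksum before computing it
    header += options
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + payload

def retag(packet, app_id, attr_value):
    """Security agent behaviour from the text: delete any security tag already present,
    then attach a fresh tag built from the attribute value recorded at authentication."""
    fixed, options, payload = split_packet(packet)
    tag = struct.pack("!BBBB", SEC_TAG_OPTION_TYPE, SEC_TAG_LEN, app_id, attr_value)
    return rebuild_packet(fixed, remove_security_tags(options) + tag, payload)

def read_security_tag(packet):
    """Return (app_id, attr_value) from the option field, or None if no tag is present."""
    _, options, _ = split_packet(packet)
    for kind, raw in iter_options(options):
        if kind == SEC_TAG_OPTION_TYPE and len(raw) == SEC_TAG_LEN:
            return raw[2], raw[3]
    return None

def base_header(src, dst, protocol=6):
    """Fixed 20-byte IPv4 header; IHL, total length and checksum are filled by rebuild_packet."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0x1234, 0x4000, 64, protocol, 0,
                       bytes(int(x) for x in src.split(".")),
                       bytes(int(x) for x in dst.split(".")))

# Constructed sample: a packet that reaches the agent already carrying a security tag that
# claims attribute value 5. The agent did not produce this tag, so it must not be trusted.
PRETAGGED = rebuild_packet(base_header("10.0.0.15", "10.0.0.16"),
                           struct.pack("!BBBB", SEC_TAG_OPTION_TYPE, SEC_TAG_LEN, APP_WEB, 5),
                           b"GET / HTTP/1.0\r\n")

# The value the agent recorded for this user in the Fig. 4 table during authentication.
RECORDED_ATTR_VALUE = 3

def demo():
    """Tag seen on arrival versus the tag the agent forwards after delete-and-reinsert."""
    fixed = retag(PRETAGGED, APP_WEB, RECORDED_ATTR_VALUE)
    return read_security_tag(PRETAGGED), read_security_tag(fixed)

if __name__ == "__main__":
    print(demo())   # ((1, 5), (1, 3))
```

The agent never reads the incoming tag's attribute value; it only removes the option and writes its own, so a value claimed by the end system has no path to the judge. Note that any other options on the packet are preserved, and that the checksum is recomputed over the whole rebuilt header, which is what a device that edits IP options in hardware must do for every relayed packet.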
- FIG. 8 is a block diagram of an embodiment of a packet communication device that implements a security judgment function.
- the packet communication device 12 is a router or switch that accommodates the application server 16, or a server load balancer that accommodates a plurality of application servers 16 and distributes the load.
- the packet communication device 12 includes transmission path control units 32 and 33, a server front processing unit 34, a tag confirmation unit 35, a policy input unit 36, a tag processing unit 37, and a policy recording unit 38.
- the transmission path control unit 32 accommodates the communication path through which the PC 15 accesses from a remote location via the packet communication device 11, in which the security agent function is implemented, and the communication network 17.
- the transmission path control unit 32 performs physical / electrical transmission path accommodation and transmission control level communication procedures.
- the transmission path control unit 32 corresponds to a LAN port and its MAC control circuit.
- the transmission path control unit 33 is the same as the transmission path control unit 32, but is used for communication with the application server 16 as the destination to which the user desires to connect. There are a plurality of transmission path control units 32 and 33 depending on the number of transmission paths to be accommodated. Note that the packet communication device 12 may be built into the application server 16.
- in that case, the transmission path control unit 33 is an internal bus connection interface or communication control software that performs an equivalent function.
- the server front processing unit 34 performs the functions of the packet communication device, for example distributing load to a plurality of application servers.
- the transmission path control units 32 and 33 and the server front processing unit 34 are main functional blocks constituting the packet communication apparatus of the existing technology.
- the tag confirmation unit 35 performs a function of determining whether or not a security tag is attached to the packet.
- the policy input unit 36 functions to set a security policy in the policy recording unit 38.
- the policy input unit 36 may be provided as software that operates on an external general-purpose PC (not shown), which is not essential for the packet communication device 12. This is because the policy input unit 36 operates in the pre-setting phase and does not need to be connected to other functional blocks at high speed at all times.
- The connection between the policy input unit 36 and the policy recording unit 38 is drawn as a dotted line with an arrow, indicating a functional block that is used only for one-way pre-configuration.
- the tag processing unit 37 confirms the security tag attached to the packet, and determines whether or not the packet can pass by checking the content of the security tag against the security policy.
- the policy recording unit 38 records a security policy that is a condition to be satisfied by the contents of the security tag.
- the policy input unit 36 that sets a security policy in the policy recording unit 38 provides a security administrator with an easy-to-understand interface, for example, a simple language for describing security policies.
- Using the interface provided by the policy input unit 36, the security administrator can set, in a form that is easy for a human to understand, which users with which attribute values are allowed to communicate with which server, or which special terminals in the existing environment are allowed to communicate with a server without a security tag, and can refer to or update these settings as appropriate.
- Since the policy recording unit 38 is referred to by functional blocks such as the tag confirmation unit 35 and the tag processing unit 37, its contents may be held in a format that can be processed mechanically at higher speed (for example, a mask pattern).
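- The following is an added example, not code from the patent, of how a policy input unit could compile administrator-readable rules into the mask-pattern form described above. The rule grammar (`allow <application> if a=b and not c=d`, or `allow <application> always`), the attribute vocabulary, the bit assignment, and the sample policy text are all assumptions constructed for this example; the patent only states that a simple language and a mechanically processable format such as a mask pattern may be used. One (mask, value) pair per application is exactly the m + n style of rule set the description refers to: the user's attributes are carried in the tag, so no per-user-per-server rule is needed.

```python
"""Policy input unit: compile administrator-readable rules into mask patterns (added example)."""
import re
from typing import Dict, Iterable, Tuple

# Constructed vocabulary (assumption): each attribute=value pair the agent can assert
# about an authenticated user occupies one bit of the 32-bit attribute value in the tag.
ATTRIBUTE_BITS = {
    "department=sales": 0,
    "department=engineering": 1,
    "role=manager": 2,
    "terminal=antivirus_installed": 3,
    "terminal=company_owned": 4,
}

def encode_attributes(pairs: Iterable[str]) -> int:
    """Agent side: encode a user's attribute=value pairs as the bit pattern placed in the tag."""
    value = 0
    for pair in pairs:
        value |= 1 << ATTRIBUTE_BITS[pair]
    return value

RULE_RE = re.compile(r"^allow\s+(\S+)\s+(?:if\s+(.+)|always)$")

def compile_rule(line: str) -> Tuple[str, Tuple[int, int]]:
    """'allow <application> if a=b and not c=d' -> (application, (mask, value)).

    A packet is permitted when (attr & mask) == value: 'a=b' requires the bit to be
    set, 'not c=d' requires it to be clear, and bits not mentioned are ignored."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    application, conditions = m.group(1), m.group(2)
    mask = value = 0
    for cond in (conditions.split(" and ") if conditions else []):
        cond = cond.strip()
        negated = cond.startswith("not ")
        pair = cond[4:].strip() if negated else cond
        if pair not in ATTRIBUTE_BITS:
            raise ValueError(f"unknown attribute {pair!r} in rule {line!r}")
        bit = 1 << ATTRIBUTE_BITS[pair]
        if mask & bit:  # the same attribute named twice (possibly contradictory)
            raise ValueError(f"duplicate condition {pair!r} in rule {line!r}")
        mask |= bit
        if not negated:
            value |= bit
    return application, (mask, value)

def compile_policy(lines: Iterable[str]) -> Dict[str, Tuple[int, int]]:
    """Build the policy recording unit's table: one (mask, value) per application."""
    table: Dict[str, Tuple[int, int]] = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        app, rule = compile_rule(line)
        if app in table:
            raise ValueError(f"duplicate rule for application {app!r}")
        table[app] = rule
    return table

def is_permitted(table: Dict[str, Tuple[int, int]], application: str, attr: int) -> bool:
    """Judgment-side check; an application with no rule is denied by default."""
    rule = table.get(application)
    return rule is not None and (attr & rule[0]) == rule[1]

# Constructed sample policy, written the way a security administrator would enter it.
SAMPLE_POLICY = """
# application    condition on the authenticated user's attributes
allow payroll      if department=sales and role=manager and terminal=antivirus_installed
allow wiki         if terminal=company_owned
allow intranet     always
allow guest-portal if not terminal=company_owned
"""

if __name__ == "__main__":
    table = compile_policy(SAMPLE_POLICY.splitlines())
    for app, (mask, value) in table.items():
        print(f"{app:13s} mask={mask:#07b} value={value:#07b}")
```

Application identifiers are kept as names here; the judgment device would map them to whatever identifier its tags or TCP port numbers carry. Denying applications that have no rule, and rejecting a rule that names the same attribute twice, are design choices of this example rather than requirements stated in the patent.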
- A packet transmitted from the PC 15 via the packet communication device 11, in which the security agent function is implemented, and the communication network 17 is received by the transmission path control unit 32 and passed to the tag confirmation unit 35.
- The tag confirmation unit 35 determines whether or not a security tag is attached to the packet. If a security tag is attached, the tag confirmation unit 35 passes the packet to the tag processing unit 37. If no security tag is attached, the tag confirmation unit 35 discards the packet.
- the tag processing unit 37 searches the policy recording unit 38 using the content of the security tag attached to the packet as a key. In this embodiment, the user attribute value and the application identifier are the keys.
- the policy recording unit 38 is recorded in a format that can mechanically determine the condition that the user's attribute value should satisfy for each application.
- If the user's attribute value does not satisfy the condition, the tag processing unit 37 discards the packet. If the condition is satisfied, the tag processing unit 37 removes the security tag from the packet and passes the packet, with the security tag removed, to the server front processing unit 34.
- Subsequent processing is the same as in the existing technology: after processing such as load distribution by the server front processing unit 34, the packet is sent to the application server 16 via the transmission path control unit 33.
- In this way, the security administrator can set a security policy for each server in advance, allow only packets from users who satisfy that policy to pass, and be assured that the policy cannot be falsified.
- In addition, the packet communication device 12 that implements the security judgment function can designate special terminals that are allowed to communicate with a server without a security tag during migration from the existing environment, and it is guaranteed that the server load balancing function is not affected.
- Thus, in the access control system composed of the packet communication device 11 that implements the security agent function and the packet communication device 12 that implements the security judgment function, the security administrator has complete control over which user is allowed to communicate with which application on which server.
- In the first embodiment, the packet communication device 11 that implements the security agent function attached a security tag to every packet, so the processing performance of the packet communication device 11 affected communication performance. Therefore, in the second embodiment, the packets that should carry a security tag are determined, and a security tag is attached only to those packets.
- the block diagram of the packet communication device 11 is the same as that in FIG.
- After confirming that the user has been authenticated, the packet communication device 11 determines whether or not the packet is one to which a security tag should be attached. If the packet communication device 11 determines that the packet should carry a security tag, it attaches a security tag to the packet.
- For example, the packet communication device 11 can reduce its load by attaching a security tag only to the SYN packet.
- FIG. 9 is a block diagram of another embodiment of the packet communication device that implements the security judgment function.
- The packet communication device 12 in FIG. 9 includes a tag confirmation unit 35 and a server front processing unit 34.
- A packet transmitted by the PC 15 via the packet communication device 11, in which the security agent function is implemented, and the communication network 17 is received by the transmission path control unit 32 and passed to the tag confirmation unit 35.
- The tag confirmation unit 35 first determines whether or not the packet is one to which a security tag should have been attached.
- If the packet is not one that should carry a security tag, the tag confirmation unit 35 passes the packet directly to the server front processing unit 34.
- If the packet is one that should carry a security tag, the tag confirmation unit 35 determines whether or not a security tag is attached. If a security tag is attached, the tag confirmation unit 35 passes the packet to the tag processing unit 37. If there is no security tag, the tag confirmation unit 35 discards the packet.
- The subsequent processing is the same as the operation of the security judgment function of the packet communication device 12 in FIG. 8.
- the security tag may have a configuration including an application identifier and a user attribute value.
- FIG. 10 is a configuration diagram of another example of the security tag format. As shown in FIG. 10, the security tag is configured to include only the attribute value of the user, and is set in the option field of the IP header.
- The application identifier can be determined by examining packet header information such as the TCP port number, and therefore does not necessarily need to be included in the security tag. In this case, the application identifier is determined by the packet communication device 12 that implements the security judgment function.
- The packet communication device 12 that implements the security judgment function determines whether or not the security tag includes the application identifier. If the security tag includes the application identifier, that identifier is used.
- If the security tag does not include the application identifier, the application identifier is determined by checking packet header information such as the TCP port number.
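- The following is an added example, not code from the patent, showing one way the security judgment function could be implemented end to end over real IPv4/TCP bytes: the tag confirmation step of FIG. 9 (only packets that should carry a tag, here SYN packets, are required to have one), the tag processing step of FIG. 8 (look up the policy by application identifier and user attribute value, discard or strip the tag and forward), and the FIG. 10 variant in which the tag carries only the attribute value and the application identifier is taken from the TCP destination port. The tag layout (an IPv4 option using the RFC 4727 experimental option number 30 with the copy bit set, 0x9E), the "only SYN packets must be tagged" rule, the mask-pattern policy table and the constructed packets are all assumptions of this example; the patent specifies none of these details.

```python
"""Security judgment function of packet communication device 12 (added example)."""
import struct
from typing import Dict, Optional, Tuple

OPT_SECURITY_TAG = 0x9E  # assumption: RFC 4727 experimental IPv4 option 30, copy bit set
FLAG_SYN = 0x02

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_security_tag(attr: int, app_id: Optional[int] = None) -> bytes:
    """Constructed tag layout: type, length, [application id (2 bytes)], attribute value (4 bytes).
    Without an application id (the FIG. 10 style) the option is padded to a 4-byte boundary."""
    if app_id is None:
        return bytes([OPT_SECURITY_TAG, 6]) + struct.pack("!I", attr) + b"\x00\x00"
    return bytes([OPT_SECURITY_TAG, 8]) + struct.pack("!HI", app_id, attr)

def build_packet(dport: int, tcp_flags: int, options: bytes = b"") -> bytes:
    """Minimal IPv4+TCP packet with constructed addresses, as device 11 might emit it."""
    assert len(options) % 4 == 0
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp), 1, 0, 64, 6, 0,
                      bytes([10, 0, 0, 15]), bytes([10, 0, 0, 16])) + options
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + tcp

def find_security_tag(options: bytes) -> Optional[Tuple[Optional[int], int]]:
    """Tag confirmation: walk the IPv4 option list, return (app_id or None, attr) or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP
            i += 1
            continue
        length = options[i + 1]
        if kind == OPT_SECURITY_TAG:
            body = options[i + 2:i + length]
            if length == 8:
                return struct.unpack("!HI", body)
            if length == 6:
                return (None, struct.unpack("!I", body)[0])
            return None          # malformed tag: treat as absent
        i += length
    return None

def strip_security_tag(packet: bytes, ihl: int) -> bytes:
    """Remove the options (the tag) and rebuild a 20-byte header with a fresh checksum."""
    hdr = bytearray(packet[:20])
    hdr[0] = (4 << 4) | 5
    struct.pack_into("!H", hdr, 2, len(packet) - (ihl - 5) * 4)
    struct.pack_into("!H", hdr, 10, 0)
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl * 4:]

def judge(packet: bytes, policy: Dict[int, Tuple[int, int]]) -> Optional[bytes]:
    """Return the packet to hand to the server front processing unit, or None to discard it.
    policy maps application id -> (mask, value); permitted iff (attr & mask) == value."""
    ihl = packet[0] & 0x0F
    options = packet[20:ihl * 4]
    tcp = packet[ihl * 4:]
    dport, flags = struct.unpack("!H", tcp[2:4])[0], tcp[13]
    if not flags & FLAG_SYN:     # FIG. 9: this packet need not carry a tag; pass it through
        return packet
    tag = find_security_tag(options)
    if tag is None:              # a packet that should be tagged but is not: discard
        return None
    app_id, attr = tag
    if app_id is None:           # FIG. 10 variant: derive the application from the TCP port
        app_id = dport
    rule = policy.get(app_id)
    if rule is None or (attr & rule[0]) != rule[1]:
        return None
    return strip_security_tag(packet, ihl)

if __name__ == "__main__":
    policy = {443: (0b11, 0b01)}   # constructed: app 443 needs bit 0 set and bit 1 clear
    pkt = build_packet(443, FLAG_SYN, build_security_tag(0b01, 443))
    print("forwarded" if judge(pkt, policy) else "discarded")
```

Two points worth noting for anyone adapting this: the policy lookup treats an application with no rule as denied, which is the fail-closed choice for a device placed in front of servers; and the stripped packet gets a recomputed IP header checksum, which is what the server front processing unit and any downstream router will verify. The TCP checksum is unaffected because only IP options are removed.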
- The number of rule settings, which was conventionally m × n, is reduced to m + n, and changes to the rule settings, such as when a server is moved or added, are simplified. Furthermore, in the access control system according to the present invention, communication can be controlled on detailed conditions such as the state of the terminal used by the user and application information, so that security and convenience of the in-house network can coexist.
- The access control system according to the present invention can be configured without the network expertise that the prior art required.
- For example, the personnel department of a company, which holds employee personal information, can set the security policy directly instead of handing that information to the department that operates the infrastructure.
- the access control system according to the present invention does not depend on the network configuration, and does not require time and effort for setting due to a change in the network form or movement of a user location.
- the access control system according to the present invention can be expected to be effective as a compatible technology even when non-IP networks such as ubiquitous networks become widespread in the future.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
- Small-Scale Networks (AREA)
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP05720630.2A EP1858204A4 (en) | 2005-03-11 | 2005-03-11 | ACCESS RULES, ACCESS RULES AND PACKAGE COMMUNICATION DEVICE |
JP2007506969A JP4630896B2 (ja) | 2005-03-11 | 2005-03-11 | アクセス制御方法、アクセス制御システムおよびパケット通信装置 |
PCT/JP2005/004359 WO2006095438A1 (ja) | 2005-03-11 | 2005-03-11 | アクセス制御方法、アクセス制御システムおよびパケット通信装置 |
CN2005800490048A CN101160839B (zh) | 2005-03-11 | 2005-03-11 | 接入控制方法、接入控制系统以及分组通信装置 |
US11/836,992 US7856016B2 (en) | 2005-03-11 | 2007-08-10 | Access control method, access control system, and packet communication apparatus |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2005/004359 WO2006095438A1 (ja) | 2005-03-11 | 2005-03-11 | アクセス制御方法、アクセス制御システムおよびパケット通信装置 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/836,992 Continuation US7856016B2 (en) | 2005-03-11 | 2007-08-10 | Access control method, access control system, and packet communication apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006095438A1 true WO2006095438A1 (ja) | 2006-09-14 |
Family
ID=36953049
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2005/004359 WO2006095438A1 (ja) | 2005-03-11 | 2005-03-11 | アクセス制御方法、アクセス制御システムおよびパケット通信装置 |
Country Status (5)
Country | Link |
---|---|
US (1) | US7856016B2 (ja) |
EP (1) | EP1858204A4 (ja) |
JP (1) | JP4630896B2 (ja) |
CN (1) | CN101160839B (ja) |
WO (1) | WO2006095438A1 (ja) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2011253352A (ja) * | 2010-06-02 | 2011-12-15 | Nippon Telegr & Teleph Corp <Ntt> | 通信端末及びその電文処理方法 |
WO2015037682A1 (ja) * | 2013-09-11 | 2015-03-19 | フリービット株式会社 | ネットワーク接続システム及びその方法 |
WO2015037684A1 (ja) * | 2013-09-11 | 2015-03-19 | フリービット株式会社 | アプリケーション状態変化通知プログラム及びその方法 |
JP2016048890A (ja) * | 2014-08-28 | 2016-04-07 | ソフトバンク株式会社 | 通信制御装置、通信制御システム、通信制御方法、および通信制御プログラム |
Families Citing this family (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8910241B2 (en) | 2002-04-25 | 2014-12-09 | Citrix Systems, Inc. | Computer security system |
US8516539B2 (en) | 2007-11-09 | 2013-08-20 | Citrix Systems, Inc | System and method for inferring access policies from access event records |
US8990910B2 (en) | 2007-11-13 | 2015-03-24 | Citrix Systems, Inc. | System and method using globally unique identities |
US9240945B2 (en) | 2008-03-19 | 2016-01-19 | Citrix Systems, Inc. | Access, priority and bandwidth management based on application identity |
US20090240801A1 (en) * | 2008-03-22 | 2009-09-24 | Jonathan Rhoads | Computer data network filter |
US8943575B2 (en) * | 2008-04-30 | 2015-01-27 | Citrix Systems, Inc. | Method and system for policy simulation |
US7933221B1 (en) * | 2008-08-21 | 2011-04-26 | Sprint Communications Company L.P. | Regulating dataflow between a mobile device and a wireless telecommunications network |
US8990573B2 (en) * | 2008-11-10 | 2015-03-24 | Citrix Systems, Inc. | System and method for using variable security tag location in network communications |
US8874748B2 (en) * | 2010-06-04 | 2014-10-28 | Broadcom Corporation | Method and system for combining and/or blending multiple content from different sources in a broadband gateway |
US20130111149A1 (en) * | 2011-10-26 | 2013-05-02 | Arteris SAS | Integrated circuits with cache-coherency |
WO2013143579A1 (en) * | 2012-03-27 | 2013-10-03 | Nokia Siemens Networks Oy | Mapping selective dscp values to gtp-u |
US9451056B2 (en) * | 2012-06-29 | 2016-09-20 | Avaya Inc. | Method for mapping packets to network virtualization instances |
DE102012110544B4 (de) * | 2012-11-05 | 2014-12-31 | OMS Software GMBH | Verfahren und System zum Zugreifen auf Daten in einem verteilten Netzwerksystem |
KR101534476B1 (ko) * | 2013-10-29 | 2015-07-07 | 삼성에스디에스 주식회사 | 비인가 액세스 포인트 탐지 방법 및 장치 |
EP2903209B1 (de) * | 2014-01-30 | 2018-11-14 | Siemens Aktiengesellschaft | Verfahren zur Aktualisierung von Nachrichtenfilterregeln einer Netzzugangskontrolleinheit eines industriellen Kommunikationsnetzes, Adressverwaltungseinheit und Konvertereinheit |
CN103795735B (zh) * | 2014-03-07 | 2017-11-07 | 深圳市迈科龙电子有限公司 | 安全设备、服务器及服务器信息安全实现方法 |
US10116553B1 (en) * | 2015-10-15 | 2018-10-30 | Cisco Technology, Inc. | Application identifier in service function chain metadata |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH0787122A (ja) * | 1993-09-13 | 1995-03-31 | Nissin Electric Co Ltd | ルータ形式ネットワーク間接続装置 |
JP2003283549A (ja) * | 2002-03-22 | 2003-10-03 | Nippon Telegr & Teleph Corp <Ntt> | コンテンツフィルタリング装置及び方法 |
Family Cites Families (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH0746804B2 (ja) * | 1985-09-25 | 1995-05-17 | カシオ計算機株式会社 | メールシステム |
JP2003502757A (ja) * | 1999-06-10 | 2003-01-21 | アルカテル・インターネツトワーキング・インコーポレイテツド | ポリシーベースのネットワークアーキテクチャ |
US7069580B1 (en) * | 2000-06-16 | 2006-06-27 | Fisher-Rosemount Systems, Inc. | Function-based process control verification and security in a process control system |
CN1140978C (zh) * | 2001-04-17 | 2004-03-03 | 陈常嘉 | 基于密码的接纳控制的实现方法 |
US7100207B1 (en) * | 2001-06-14 | 2006-08-29 | International Business Machines Corporation | Method and system for providing access to computer resources that utilize distinct protocols for receiving security information and providing access based on received security information |
US7388866B2 (en) * | 2002-03-07 | 2008-06-17 | Broadcom Corporation | System and method for expediting upper layer protocol (ULP) connection negotiations |
JP3791464B2 (ja) | 2002-06-07 | 2006-06-28 | ソニー株式会社 | アクセス権限管理システム、中継サーバ、および方法、並びにコンピュータ・プログラム |
JP2004062417A (ja) | 2002-07-26 | 2004-02-26 | Nippon Telegr & Teleph Corp <Ntt> | 認証サーバ装置、サーバ装置、およびゲートウェイ装置 |
JP2004171212A (ja) * | 2002-11-19 | 2004-06-17 | Hitachi Ltd | サービス実行方法及びサービス提供システム |
JP3953963B2 (ja) * | 2003-02-07 | 2007-08-08 | 日本電信電話株式会社 | 認証機能付きパケット通信装置、ネットワーク認証アクセス制御サーバ、および分散型認証アクセス制御システム |
US20040177247A1 (en) * | 2003-03-05 | 2004-09-09 | Amir Peles | Policy enforcement in dynamic networks |
2005
- 2005-03-11 EP EP05720630.2A patent/EP1858204A4/en not_active Withdrawn
- 2005-03-11 WO PCT/JP2005/004359 patent/WO2006095438A1/ja not_active Application Discontinuation
- 2005-03-11 CN CN2005800490048A patent/CN101160839B/zh not_active Expired - Fee Related
- 2005-03-11 JP JP2007506969A patent/JP4630896B2/ja not_active Expired - Fee Related
2007
- 2007-08-10 US US11/836,992 patent/US7856016B2/en not_active Expired - Fee Related
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH0787122A (ja) * | 1993-09-13 | 1995-03-31 | Nissin Electric Co Ltd | ルータ形式ネットワーク間接続装置 |
JP2003283549A (ja) * | 2002-03-22 | 2003-10-03 | Nippon Telegr & Teleph Corp <Ntt> | コンテンツフィルタリング装置及び方法 |
Non-Patent Citations (1)
Title |
---|
See also references of EP1858204A4 * |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2011253352A (ja) * | 2010-06-02 | 2011-12-15 | Nippon Telegr & Teleph Corp <Ntt> | 通信端末及びその電文処理方法 |
WO2015037682A1 (ja) * | 2013-09-11 | 2015-03-19 | フリービット株式会社 | ネットワーク接続システム及びその方法 |
WO2015037684A1 (ja) * | 2013-09-11 | 2015-03-19 | フリービット株式会社 | アプリケーション状態変化通知プログラム及びその方法 |
JP6055105B2 (ja) * | 2013-09-11 | 2016-12-27 | フリービット株式会社 | アプリケーション状態変化通知プログラム及びその方法 |
JP6055104B2 (ja) * | 2013-09-11 | 2016-12-27 | フリービット株式会社 | ネットワーク接続システム及びその方法 |
JPWO2015037684A1 (ja) * | 2013-09-11 | 2017-03-02 | フリービット株式会社 | アプリケーション状態変化通知プログラム及びその方法 |
JPWO2015037682A1 (ja) * | 2013-09-11 | 2017-03-02 | フリービット株式会社 | ネットワーク接続システム及びその方法 |
US10165571B2 (en) | 2013-09-11 | 2018-12-25 | Freebit Co., Ltd. | Application state change notification program and method therefor |
US10499402B2 (en) | 2013-09-11 | 2019-12-03 | Freebit Co., Ltd. | Application state change notification program and method therefor |
US10721742B2 (en) | 2013-09-11 | 2020-07-21 | Freebit Co., Ltd. | Application state change notification program and method therefor |
JP2016048890A (ja) * | 2014-08-28 | 2016-04-07 | ソフトバンク株式会社 | 通信制御装置、通信制御システム、通信制御方法、および通信制御プログラム |
Also Published As
Publication number | Publication date |
---|---|
EP1858204A1 (en) | 2007-11-21 |
JP4630896B2 (ja) | 2011-02-09 |
EP1858204A4 (en) | 2014-01-08 |
JPWO2006095438A1 (ja) | 2008-08-14 |
CN101160839B (zh) | 2013-01-16 |
US7856016B2 (en) | 2010-12-21 |
US20070283014A1 (en) | 2007-12-06 |
CN101160839A (zh) | 2008-04-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP4630896B2 (ja) | アクセス制御方法、アクセス制御システムおよびパケット通信装置 | |
JP3262689B2 (ja) | 遠隔操作システム | |
Ioannidis et al. | Implementing a distributed firewall | |
JP4168052B2 (ja) | 管理サーバ | |
EP1634175B1 (en) | Multilayer access control security system | |
JP5062967B2 (ja) | ネットワークアクセス制御方法、およびシステム | |
US6003084A (en) | Secure network proxy for connecting entities | |
US7536715B2 (en) | Distributed firewall system and method | |
US20030131263A1 (en) | Methods and systems for firewalling virtual private networks | |
JP2008015786A (ja) | アクセス制御システム及びアクセス制御サーバ | |
JP5239341B2 (ja) | ゲートウェイ、中継方法及びプログラム | |
US20080052765A1 (en) | Network system, authentication method, information processing apparatus and access processing method accompanied by outbound authentication | |
EP1241849B1 (en) | Method of and apparatus for filtering access, and computer product | |
CN100438427C (zh) | 网络控制方法和设备 | |
US20060150243A1 (en) | Management of network security domains | |
JP4636345B2 (ja) | セキュリティポリシー制御システム、セキュリティポリシー制御方法、及びプログラム | |
JP5204054B2 (ja) | ネットワーク管理システムおよび通信管理サーバ | |
JP4081041B2 (ja) | ネットワークシステム | |
JP2013034096A (ja) | アクセス制御システム、端末装置、中継装置及びアクセス制御方法 | |
JP2012070225A (ja) | ネットワーク中継装置及び転送制御システム | |
JP2002084326A (ja) | 被サービス装置、センタ装置、及びサービス装置 | |
JP6330814B2 (ja) | 通信システム、制御指示装置、通信制御方法及びプログラム | |
WO2006001587A1 (en) | Network management system and network management server of co-operating with authentication server | |
WO2001091418A2 (en) | Distributed firewall system and method | |
JP3808663B2 (ja) | 計算機ネットワークシステムおよびそのアクセス制御方法 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| WWE | Wipo information: entry into national phase | Ref document number: 2007506969; Country of ref document: JP |
| WWE | Wipo information: entry into national phase | Ref document number: 11836992; Country of ref document: US |
| WWE | Wipo information: entry into national phase | Ref document number: 2005720630; Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 200580049004.8; Country of ref document: CN |
| NENP | Non-entry into the national phase | Ref country code: DE |
| NENP | Non-entry into the national phase | Ref country code: RU |
| WWW | Wipo information: withdrawn in national office | Country of ref document: RU |
| WWP | Wipo information: published in national office | Ref document number: 2005720630; Country of ref document: EP |
| WWP | Wipo information: published in national office | Ref document number: 11836992; Country of ref document: US |