JP2001127821A - System and method for controlling data communication - Google Patents

Abstract

PROBLEM TO BE SOLVED: To enable network equipment to control communication of each user, performing data communication. SOLUTION: On a communication network having network equipment 5 for repeating data transmission, a multiuser terminal 1a to be shared by plural users and an IP address managing machine 7 for managing an IP address/user name data base 9, in which the correspondent relation of the IP addresses and the user names of this multiuser terminal 1a is recorded, are provided. The multiuser terminal 1a has plural IP addresses and performs the dedicated assignment of an idle IP address to each of plural users, who share the multiuser terminal 1a. The multiuser terminal 1a reports the user name and the IP address to the IP address managing machine 7 and the IP address managing machine 7 registers them in the data base 9. When data are received from the multiuser terminal 1a, the network equipment 5 inquires the user name of a transmission source IP address recorded in these data to the IP address managing machine 7, discriminates that user name and controls data communication corresponding to the discriminated user name according to the preset operating policy.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a data communication control method performed in a communication network.

[0002]

2. Description of the Related Art Data transmitted / received on a communication network usually contains addresses indicating the location or identification of the source and destination on the network. In the following, TCP / IP, which is a communication protocol widely used on the Internet and intranets, will be described as an example.
The source and destination I
The P address is recorded. Some network devices (relays) that make up the network change the quality of service or limit the use of services (access control) according to the value of the destination or source IP address. . For example, the following devices correspond to it.

[0003] Bandwidth control device / router with priority control function Secures or limits the bandwidth according to the value of the IP address, protocol number, and port number of the destination or source.

[0004] FireWall (Packet Filter) Transfers or discards received packets according to the destination or source IP address, protocol number, and port number values.

[0005] A policy routing router determines where to forward a packet according to the value of the destination or source IP address, protocol number, and port number.

[0006]

The communication control performed by the above-described network equipment is based on the fact that the data transmission source user or the destination user is who the data belongs to or where the user belongs. However, it is preferable to perform this in accordance with the circumstances of each user. However, the network device can refer only to the header portion of the data, and the IP address recorded in the header portion is assigned to each terminal device instead of each user. Or, it is impossible to perform data communication control according to the destination user. Therefore, the following problem occurs.

When a plurality of users share and use the same terminal device, an IP address is assigned to each terminal device, and moreover, usually only one IP address is assigned to a terminal device. Transmits the data, the same source IP address is recorded in the header portion of the data. Also,
Among multi-user OSs that are based on the premise that a plurality of users use the same terminal, one network device can be provided with a plurality of IP addresses.
Also in S, all users share all IP addresses, that is, all users can use all IP addresses. Therefore, the network device cannot determine the source or destination of the data to be communicated by such a terminal device, and cannot control data communication corresponding to each user. Therefore, "legitimate" users who are allowed to communicate,
Depending on the terminal device used for the communication,
There is a problem that communication cannot be performed because it is determined to be an "illegal" user, or conversely, depending on the terminal device used by the "illegal" user, communication can be performed as a "authorized" user.

Accordingly, it is an object of the present invention to enable a network device to perform communication control for each user who performs data communication.

[0009]

A data communication control system according to the present invention provides a communication network in which data communication is performed using a multi-user terminal equipped with a multi-user OS on the premise that a plurality of users use the same terminal. it can. The communication network includes an identification code allocating unit, an identification code / user name storage unit, and a network device that controls communication of data on the communication network. The identification code allocating means allocates a plurality of identification codes prepared to be used for indicating a transmission source or a destination of data to a plurality of users of the multi-user terminal so that the identification codes are different for each user. The identification code / user name storage unit stores the correspondence between the identification code and the user name to which the identification code is assigned.

When transmitting the data of each user to the communication network, the multi-user terminal attaches the identification code allocated to each user by the identification code allocating means to the data of each user and transmits the data. When data of each user is received from the user terminal, the user of the received data is determined from the identification code attached to the received data based on the correspondence stored in the identification code / user name storage unit. Then, data communication control according to the determined user is performed.

According to the present invention, the network device can determine the user name of the source or destination of the data from the identification code attached to the data communicated by the terminal shared by a plurality of users. (E.g., controlling whether or not to perform data transfer or performing preferential transfer according to the transmission source user of the received data).

[0012]

FIG. 1 shows the configuration of a communication network according to an embodiment of the present invention.

A local communication network 2 in which a plurality of terminal devices 1a, 1b, 1c,... Are installed, and another local communication network in which a plurality of terminal devices 3a, 3b, 3c,. 4 are communicably connected to each other via a network device 5, and a more global communication network is constructed. On this communication network, I
An IP address management machine 7 that manages an IP address / user name database 9 that records the correspondence between P addresses and user names is provided. Here, for convenience of explanation,
As shown in the figure, a network having the simplest configuration in which two networks 2 and 4 are connected by one network device is used. However, it goes without saying that the present invention can be applied to a more complicated network configuration. . The IP address management machine 7 is connected to the network 2 in the figure, but may be connected to the network 4. There may be multiple IP address management machines, especially in a complex network configuration.

The terminal devices 1a, 1b, 1c ..., 3a, 3
Among the terminals b, 3c,..., for example, the terminal device 1a is a general-purpose computer such as a personal computer equipped with a multi-user OS according to the principle of the present invention. (Hereinafter, referred to as a multi-user terminal). The terminal devices 1b, 1c,... Connected to the same local network 2 as the multi-user terminal 1a may be personal computers exclusively used by one user. Various applications in the multi-user terminal 1a can be operated through the network 2 using the terminal devices 1b, 1c,. In the following description, for the sake of simplicity, the user name of the terminal device 1b is “Taro”, the user name of the terminal device 1c is “Hanako”, and the terminal devices 1b and 1c are Taro and Hanako, respectively.
Will be referred to as “operation terminal”.

FIG. 2 shows the configuration of the multi-user terminal 1a.

The multi-user terminal 1a is a multi-user O
As a function of S, in response to a command coming from each user's operation terminal 1b, 1c,... Or a command inputted directly by each user to this multi-user terminal 1a, the first user (for example, Ta)
ro) application 11a, a second user (for example,
Hanako) application 11b, third user application 11c,...

The multi-user terminal 1a has a plurality of IP addresses as a function of the multi-user OS, and is assigned exclusively to each of a plurality of users sharing the multi-user terminal 1a. Multiple IPs
The device driver, ie, the first user (eg, Ta
ro), an IP device driver 13b of a second user (for example, Hanako), an IP device driver 13c of a third user, and so on. Then, the multi-user terminal 1a includes the plurality of user-specific IP device drivers 1
A plurality of owned IP addresses are assigned to 3a, 13b, 13c,. At this time, IP addresses are assigned so that different IP addresses correspond to different users. For example, an IP address [10.1.2.201] is assigned to the IP device driver 13a of the first user,
The IP address [10.1.2.202] is assigned to the second user IP device driver 13b, and the IP address [10.1.2.203] is assigned to the third user IP device driver 13c.

The multi-user terminal 1a provides each user with each I
It is also possible to fixedly assign a P address in advance, but in this embodiment, instead, when each user logs in to the multi-user terminal 1a,
For the logged-in user (to the user's IP device driver), an IP address that has not been used for a predetermined time or longer is selected from the owned IP addresses and assigned. Then, the multi-user terminal 1a notifies the IP address management machine 7 of the logged-in user name and the assigned IP address. Each user who logs in to the multi-user terminal 1a receives the application 11a, 11
From b, 11c,..., data 12a, 12b, 12c,.
Is transmitted to the communication network, the data 12a, 12b, 12c,... Output from the applications 11a, 11b, 11c,.
By the P device drivers 13a, 13b, 13c,..., The IP address corresponding to each user is added to the header portion as the source IP address, and the transmission data 14a,
Are sent to the network 2 as 14b, 14c,.

FIG. 3 shows the structure of transmission data 14a, 14b, and 14c transmitted from the multi-user terminal 1a to the network 2 for different transmission source users.

As described above, each transmission data 14a, 1
The header portions 17a, 17b, and 17c of 4b and 14c include a destination IP address, a source IP address, and the like. As shown in the figure, the source IP address is an IP address exclusively assigned to the source user of each data. That is, the source IP address of the transmission data 14a transmitted by the first user (for example, Taro) is the first
IP address [10.1.2.20 assigned to the user (Taro)
1], and the transmission source IP address of the transmission data 14b transmitted by the second user (Hanako) is the second user (Hanako)
Is the IP address [10.1.2.202] assigned to
The source IP address of the transmission data 14c transmitted by the user is the IP address [10.1.2.
203].

Referring again to FIG. 1, network device 5
Is a router or a firewall (filter), for example, and controls data transfer with the network 4. That is, an operation policy is set in advance, and data is passed or rejected according to the transmission source or destination user according to the operation policy.
The network device 5 has a cache table for temporarily storing the correspondence between the IP address and the user name.
(Not shown). When transferring data, the network device 5 first refers to the cache table to check the user name corresponding to the source or destination IP address recorded in the header of the data. If the user name is not recorded in the cache table, the network device 5 queries the IP address management machine 7 for the user name of the IP address.
When receiving the answer of the user name from the IP address management machine 7, the correspondence between the IP address and the user name is stored in the cache table. The network device 5 performs transfer control such as passing or not passing data according to the user name of the transmission source or the destination determined in this way.

The IP address management machine 7 manages an IP address and a user to which the IP address is assigned in an IP address / user name database 9. IP
The address management machine 7 includes terminal devices 1a, 1b, 1c,
, 3a, 3b, 3c,..., The IP address and the user name to which the IP address is assigned,
The P address and the user name are stored in the IP address / user name database 9. When receiving an inquiry about the user name of the source or destination IP address from the network device 5, the IP address management machine 7
Using the P address as a search key, the IP address / user name database 9 searches for the user name of the user to which the IP address is assigned, and notifies the network device 5 of the resulting user name.

Hereinafter, the communication control operation by the network device 5 will be described with reference to a flowchart.

FIGS. 4 to 6 show, for example, the multi-user terminal 1.
The operation of the multi-user terminal 1a, the network device 5, and the IP address management machine 7 at this time will be described by taking as an example a case where the user a transmits data to the server terminal 3a.

In the multi-user terminal 1a, for example, when "Taro" logs in as a user to the multi-user terminal 1a (step S1), the multi-user terminal 1a receives a plurality of IP addresses held by the user "Taro". One IP address [10.1.2.201] (S
2). Then, the multi-user terminal 1a receives the user name "Tar
o "and the IP address [10.1.2.201] are notified to the IP address management machine 7 (S3). The IP address management machine 7 registers the user name "Taro" and the IP address [10.1.2.201] notified from the multi-user terminal 1a in the IP address / user name database 9 (S4).

In the multi-user terminal 1a, for example, when another user "Hanako" logs in to the multi-user terminal 1a (S5), the multi-user terminal 1a gives the user "Hanako" an IP address different from "Taro". [Ten.
1.2.202] (S6). Then, the multi-user terminal 1a sets the user name “Hanako” and the IP address [10.1.2.20
2] to the IP address management machine 7 (S7).
The IP address management machine 7 sets the user name “Hanako” notified from the multi-user terminal 1a and the IP address [10.1.
2.202] is registered in the IP address / user name database (S8).

When assigning an IP address to each user in steps S2 and S6, an IP address that has not been used for a predetermined time period at present is selected from a plurality of IP addresses held. Assign with. Therefore, even if an IP address is once assigned to a certain user, it can be assigned to another user if a predetermined time or more elapses after the user completes communication. In this way, by allocating the IP addresses to the users not fixedly but in a flexible manner, a limited number of IP addresses can be allocated to a larger number of users.

An operation policy is set in the network device 5 in advance (step S9). The operation policy defines the contents of communication control according to the transmission source or the destination. For example, here, "the transmission source is" Tar
It is assumed that an operation policy has been set such that all data of “o” is passed and all data of the transmission source “Hanako” is not passed.

In the multi-user terminal 1a, assume that the user "Taro" has transmitted data to the server terminal 3a.
(S10). In the header portion of the data transmitted by "Taro", the IP address [10.1.2.201] assigned to "Taro" as the source IP address, and the IP address of server terminal 3a as the destination IP address. ,include.

The network device 5 analyzes the header portion of the data transmitted from the multi-user terminal 1a by “Taro” and confirms the source IP address [10.1.2.201] (S1).
1) Retrieve the source IP address from the cache table in the network device 5 (S12). The network device 5 reads the source IP from the cache table.
If the address [10.1.2.201] is found (Yes in S12)
s), the user whose transmission source corresponds to the IP address is determined to be “Taro” from the cache table (S1).
7).

On the other hand, if the source IP address [10.1.2.201] is not found in the cache table in step S12 (No in S12), the network device 5
Makes an inquiry to the IP address management machine 7 about the user name of the source IP address (S13). In response to this inquiry, the IP address management machine 7 searches the IP address / user name database 9 for the source IP address and acquires the corresponding user name "Taro".
(S14), this user name “Taro” is assigned to the network device 5
(S15). The network device 5 registers the user name “Taro” notified from the IP address management machine 7 and the IP address [10.1.2.201] in the cache table (S16), and sets the data transmission source user name to “Taro”.
Is determined (S17).

In this way, the network device 5 transfers the data from "Taro" to the destination server terminal 3a in accordance with the preset operation policy "all data with the transmission source" Taro "is passed" (S18). .

As shown in FIG. 6, it is assumed that the user "Hanako" has transmitted data to the server terminal 3a in the multi-user terminal 1a (S19). In the header portion of the data transmitted by “Hanako”, the IP address [10.1.
2.202], and the IP address of the server terminal 3a is included as the destination IP address.

Thereafter, the same operation as when the user "Taro" transmits data is performed. That is, the network device 5
Analyzes the header part of the data transmitted from "Hanako" from the multi-user terminal 1a, and analyzes the source IP address [10.
1.2.202] (S20), and searches the cache table in the network device 5 for the source IP address (S21). If the source IP address [10.1.2.202] is found from the cache table (Yes in S21), the network device 5 refers to the source user to “Hana
ko ”(S26), and if the source IP address [10.1.2.202] is not found in the cache table (No in S21), the user name of the source IP address is transmitted to the IP address management machine 7. An inquiry is made (S22).
In response to this inquiry, the IP address management machine 7
Retrieves the source IP address from the IP address / user name database 9 and obtains the corresponding user name "Hanako" (S23), and this user name "Hanako"
Is notified to the network device 5 (S24). The network device 5 registers the user name “Hanako” notified from the IP address management machine 7 and its IP address [10.1.2.202] in the cache table (S25), and sets the data transmission source user name to “Hanako”. It is determined (S26).

In this case, the network device 5 does not pass data from “Hanako” in accordance with the preset operation policy “all data of“ Hanako ”is not transmitted” (S27). Then, for example,
The data of "Hanako" is discarded, and a message to the effect that data communication cannot be performed is notified to the multi-user terminal 1a.

As described above, the IP address assigned to each user (for example, “Taro” or “Hanako”) of the multi-user terminal 1a has not been used for a predetermined period of time, and has been assigned to another user in the past. May have been assigned. That is, the assignment of the IP address is performed in a fluid manner. Therefore, the network device 5
As shown in FIG. 7, as shown in FIG. 7, the source user who has not received data for a certain period of time since the last data reception so as not to make a wrong user determination according to the correspondence between the old IP address and the user name. If the name and the IP address are in the cache table (Yes in S28), they are deleted from the cache table (S29). Here, the "constant time" of the condition "data has not been received for a certain time or more", which is a condition for deletion from the cache table, is the IP assigned by the multi-user terminal 1a to the user
The length of the address is shorter or equal to the “predetermined time” of the condition of “not used for a predetermined time” which is a condition of the address.

In the above-described embodiment, the multi-user terminal 1a allocates its own IP address to the user who has logged in, and notifies the IP address and the user name to the IP address management machine 7. I have. On the other hand, in the second and third embodiments described below, the IP address management machine 7 manages all the IP addresses of all the multi-user terminals 1a,.
A free IP address among the IP addresses of each multi-user terminal 1a is assigned to each user of each multi-user terminal 1a. The operation of the two embodiments in which the IP address management machine 7 assigns an IP address to a user will be described below with reference to FIGS.

FIG. 8 shows the operation of the second embodiment of the present invention in which the IP address management machine 7 assigns a free IP address to the user of the multi-user terminal 1a.

In the multi-user terminal 1a, for example, when “Taro” logs in the multi-user terminal 1a as a user (step S30), the multi-user terminal 1a
In the P address management machine 7, the I for the user "Taro"
An application for assigning a P address is made (S31). The IP address management machine 7 manages the IP address of the multi-user terminal 1a managed in the IP address / user name database 9.
From the addresses, a vacant (that is, not used for a predetermined time or longer) IP address (for example, [10.1.2.301]) is selected and transmitted to the multi-user terminal 1a (S3).
2). The multi-user terminal 1a provides the user “Taro” with the I
The IP address [10.
1.2.301] (S33). Then, the multi-user terminal 1a sets the user name “Taro” and the IP address [10.1.
2.301] to the IP address management machine 7 (S3
4). The IP address management machine 7 transmits the user name “Taro” and the IP address notified from the multi-user terminal 1a.
[10.1.2.301] is registered in the IP address / user name database 9.

The operation of data communication after assigning an IP address to a user in this way is the same as the operation shown in FIGS. 5 and 6 already described.

FIG. 9 shows the operation of the third embodiment of the present invention in which the IP address management machine 7 assigns a free IP address to the user of the multi-user terminal 1a.

In the multi-user terminal 1a, for example, when “Taro” logs in to the multi-user terminal 1a as a user (step S36), the multi-user terminal 1a
The user name “Taro” is notified to the P-address management machine 7 and an application for the assignment of the IP address to the user “Taro” is made (S37). IP address management machine 7
Is a vacant (that is, not used for a predetermined time or more) IP address of the multi-user terminal 1a managed in the IP address / user name database 9.
Select an address (for example, [10.1.2.401]) (S3
8). Then, the IP address management machine 7 registers the selected IP address [10.1.2.401] and the user name “Taro” notified from the multi-user terminal 1a in the database 9 (S39). Then, the IP address management machine 7
Is the IP address [10.1.2.40] registered in the database 9.
1] to the multi-user terminal 1a (S40). The multi-user terminal 1a assigns the IP address [10.1.2.401] received from the IP address management machine 7 to the user “Taro” (S41).

The subsequent data communication operation is the same as the operation shown in FIGS.

FIGS. 10 to 12 show the multi-user terminal 1a according to the first to third embodiments when setting the IP device driver of the multi-user OS so that a plurality of users can perform network communication. 4 shows an example of a GUI screen displayed on a display. The following description is based on the assumption that a multi-user OS based on, for example, Microsoft Windows NT and incorporating the principles of the present invention is used.

First, the user opens the control panel on the desktop, and double-clicks the "network" icon in the control panel to open the network setting window 20 shown in FIG. 10 on the display. When setting the IP device driver, the user clicks the “protocol” tag 21A in the network setting window 20 to display the protocol setting screen 21 as shown in the figure. Subsequently, the user enters protocol list box 2
2, the “TCP / IP protocol” which is the protocol of the communication network in this embodiment is selected, and the property button 23 is pressed, so that the “TCP / IP properties” window 25 shown in FIG. To open. On this window 25, a user list box 26 for entering the user name of the multi-user terminal 1a appears. In the user list box 26, for example, “Taro”, “Hanako”, “Syst
The user name that has already been entered, such as "em default", is displayed. In order to additionally enter another user name, the user presses the add button 28 and then inputs the user name to be entered by key input to confirm it. To set an IP address assignment method for a user who has already been entered, the user must enter the user list box 26
Select the desired user name (for example, "Taro") from among them,
The property button 27 is pressed.

Then, a system setting window 29 shown in FIG. 12 is opened on the display. On this window 29, the user name “Taro” to be set is displayed in the user name box 30. When the "IP address" tag 31A in this window 29 is clicked, an IP address assignment method setting screen 31 is displayed on the front as shown in the figure. On this setting screen 31, IP
Radio buttons 33, 35, and 3 for selecting any of the three typical methods for assigning addresses.
There are seven.

When the first radio button 33 is turned on, "IP address is automatically assigned", that is,
A method is selected in which the multi-user terminal 1a assigns a free IP address to the target user (Taro).
When this method is selected, an IP address is allocated as described with reference to FIG.

When the second radio button 35 is turned on, “acquire IP address from server”,
A method is selected in which the address management machine 7 assigns a free IP address to the target user (Taro).
When this method is selected, an IP address is allocated as described with reference to FIG. 8 or FIG.

When the bottom radio button 37 is turned on, "designate IP address", that is, the target user (Ta
A method of fixedly assigning an IP address to ro) in advance is selected. When this button 37 is turned on, the user assigns “IP address”, “netmask”, “default route”,
“DNS server”, “WINS server”, “affiliation domain”, etc. are entered from the keyboard.

In the above-described first to third embodiments, the network device 5 determines the source or destination user of the data from the IP address recorded in the header portion of the data communicated by the terminal shared by a plurality of users. Since the name can be determined, data communication control according to the user (for example, control as to whether or not to perform data transfer or preferential transfer according to the transmission source user of the received data) is performed. be able to.

In these embodiments, communication control for each user can be performed without changing the format of the header portion of data according to a predetermined communication protocol from the conventional one. Therefore, the implementation of these embodiments can be easily performed in a short period of time based on the conventional system.

Next, a fourth embodiment of the present invention will be described. In order to avoid repetition with the description of the above embodiment, only differences from the above embodiment will be described.

In the fourth embodiment, data communication control can be performed for each user according to the group to which the user belongs (affiliation domain, affiliated network, etc.). Therefore, different IP addresses can be assigned to the same user depending on the group to which the user belongs.
That is, a user belonging to a plurality of groups may be assigned a plurality of IP addresses at the same time.

FIG. 13 shows the configuration of the multi-user terminal 1a according to the fourth embodiment.

The multi-user terminal 1a has, as a function of the multi-user OS, operation terminals 1b, 1c,.
In response to a command from the user or a command directly input by each user to the multi-user terminal 1a, application software 43a, 43b,
43c,... For example, when the first user “Taro” and the second user “Hanako” belong to the first group, and the first user “Taro” belongs to the second group, the multi-user terminal 1a transmits the first user “Taro”. , The first group application 43b of the first user “Taro”, and the first group application 43c of the second user “Hanako”.

Further, the multi-user terminal 1a is provided as a function of the multi-user OS.
Has a plurality of IP device drivers dedicatedly assigned to each of a plurality of users sharing the same for each group to which the user belongs. For example, a first group IP device driver 49a of the first user “Taro”, and a second group IP device driver 49 of the first user “Taro”
b, an IP device driver 49c for the first group of the second user “Hanako”,... The multi-user terminal 1a includes, as functions of the multi-user OS, the plurality of user-specific group-specific IP device drivers 49a,
A plurality of owned IP addresses are assigned to 49b, 49c,. At this time, IP addresses are assigned so that different IP addresses correspond to different groups even for the same user. For example, [10.3.2.501] is assigned as an IP address for the first group of the first user “Taro”, and [10.3.2.502] is assigned as an IP address for the second group of the first user “Taro”.
[10.5.0.201] is assigned as the IP address for the first group of the second user “Hanako”. Multi-user terminal 1a
Indicates the name of the logged-in user, the name of the group to which the user belongs, and the assigned IP address, as shown in FIG.
Notify the P address management machine 7.

In this case, the IP address management machine 7
The user name, the group to which the user name belongs, and the assigned IP address notified from the multi-user terminal 1a are registered in the database 9. As a result, the network device 5 determines not only the user (source) but also the group to which the user belongs from the source (or destination) IP address recorded in the data received from the multi-user terminal 1a. Therefore, data communication control can be performed for each user according to the group to which the user belongs.

In the fourth embodiment, similarly to the second and third embodiments, the IP address management machine 7 may assign an IP address to each user for each group. it can.

Next, a method of setting the IP device driver of the multi-user terminal 1a in the fourth embodiment will be described.

When the user selects “TCP / IP protocol” and presses the property button 23 on the network setting window 20 shown in FIG.
A group-specific setting window 61 shown in FIG. In the group list box 63 without the group-specific setting window 61, already registered group names, for example, “first group”, “second group”, “System d”
efault "is displayed.

In order to additionally register a new group,
The user presses the add button 67 to enter and confirm a new group name.

When the driver setting is performed for a registered group, for example, the “first group”,
The user selects “first group” in the group list box 63 and presses the property button 65. Then
For the user names belonging to the “first group”, the “TCP / IP properties” window 25 shown in FIG.
The registered user names belonging to the group are displayed.
In the following, the user name is selected by the method already described and FIG.
Is set on the window 29 shown in FIG.

As described above, according to the fourth embodiment, as described above, data communication control can be performed for each user according to the group to which the user belongs.

While several preferred embodiments of the present invention have been described above, in any of these embodiments, various specific multi-user OSs of the multi-user terminal 1a may be employed. . Hereinafter, four representative multi-user OSs will be described.

(1) Access control to the server for each user in an environment using UNIX.

UNIX is a multi-user OS. Accordingly, as shown in FIG. 15, in an environment using UNIX, generally, remote login to the UNIX terminal 101 from the remote operation terminals 103a, 103b,.

The UNIX terminal 101 has a multi-user OS based on UNIX and improved according to the present invention. For example, from the operating terminal 103a of Taro, UNI
When the user remotely logs in to the X terminal 101 (step S10)
1) The login shell 102a for Taro is executed on UNIX. The UNIX terminal 101 assigns a free IP address to Taro, and assigns the user name “Taro” to the I
The IP address is notified to the IP address management machine 107 (S102), and the IP address management machine 107 registers it in the database 109. Thereafter, when the Taro operation terminal 103a transmits data from the Taro login shell 102a of the UNIX terminal 101 to the server terminal 111 (S103), the data includes "Tar".
The IP address assigned to “o” is added as the source IP address. Upon receiving the data, the network device 105 transmits the source IP address attached to the data.
An inquiry is made to the IP address management machine 107 for the user name of the address (S104), and an answer is received (S10).
5) It is determined that the data transmission source is “Taro”. The network device 105 has, as an operation policy,
If "All data of" Taro "is passed" is set,
The data is transferred to the server terminal 111 (S10
6).

In a conventional UNIX terminal, the same IP address is assigned to the source IP address of all data to be transmitted, so that the network device cannot determine the source of the received data for each user. According to this usage example, the UNIX terminal 101 uses a different IP for each user.
Since the data is transmitted by allocating the address, the network device 5 can determine the transmission source of the received data for each user, and thus can perform access control according to the user.

(2) Access control to the server for each user in an environment using WindowsNT Terminal Server.

Windows NT is a multi-user OS,
As shown in FIG.
1 can be used simultaneously by a plurality of users. In an environment using the WindowsNT Terminal Server 201, generally, the user operates his / her own operation terminal 203a, 20a.
3b, run the application from ...
It is very common to access the server terminal 211 on the rminal Server 201.

Windows NT Terminal Server 201
It has a multi-user OS based on dowsNT with an improvement according to the invention. For example, the operating terminal 20 of Taro
3a, when the user logs in to the Windows NT Terminal Server 201 (step S201), the Windows NT Terminal Server 201
Taro application entity 202a on ver201
Is executed. WindowsNT Terminal Server 201
Assign a free IP address to Taro and enter the user name "Ta
ro ”and the assigned IP address are notified to the IP address management machine 207 (S202), and the IP address management machine 207 registers it in the database 209. Then, on the operating terminal 203a of Taro, WindowsNT Term
The entity 202a of the application of the inal Server 201
Is transmitted to the server terminal 211 from the server (S20).
3) The IP address assigned to "Taro" is added to the data as the source IP address. Upon receiving the data, the network device 205 inquires the IP address management machine 207 of the user name of the source IP address of the data (S204) and receives a response (S205). Is determined. If “all data of“ Taro ”is passed” is set as the operation policy, the network device 205 transfers the data to the server terminal 211 (S206).

The conventional Windows NT Terminal Server assigns the same IP address to the source IP address of all the data to be transmitted, so that the network device cannot determine the source of the received data for each user. According to this usage example, WindowsNT Terminal Server2
01 performs data transmission by assigning a different source IP address to each user, so that the network device 5 can determine the source of the received data for each user, and thus perform access control according to the user. be able to.

(3) Special machine (for example, CAD host)
Communication control for each user in an environment that uses.

A special application such as a CAD application can often be executed only on a machine having special hardware. When a plurality of users want to use such an application, a usage form of “preparing only one special machine, installing a multi-user OS in the machine, and using the machine by a plurality of users” may be adopted.

At this time, the UNIX terminal 1 shown in FIG.
01 or WindowsNTTerminal Server 20 shown in FIG.
An improved multi-user OS according to the present invention, such as 1
Machines with special applications (for example, CA
D application), the network device 105 (or 205) can access the server terminal using the special application.
Since the source of the received data can be determined for each user, access control according to the user can be performed.

(4) Priority control for each user in an environment using FireWall.

As shown in FIG. 17, from outside FireWall 301, FireWall 301 is connected via Internet 400.
In an environment where the user logs in once and accesses the server terminal 311 inside the FireWall 301, the FireWall is a multi-user OS. In such an environment, when the user executes the application of his / her own operation terminal 303a, 303b,...
ll 301 will be executed.

The FireWall 301 has an improved multi-user OS according to the present invention. For example, FireWa from the operating terminal 303a of Taro via the Internet 400
When the user logs in to ll301 (step S301), Fi
ReWall 301, Taro application entity 302a
Is executed. The FireWall 301 assigns a vacant IP address to Taro, and assigns the user name “Taro” to the IP.
The IP address management machine 307 notifies the IP address management machine 307 of the address (S302), and the IP address management machine 307 registers it in the database 309. Thereafter, when data is transmitted from the entity 302a of the application of the FireWall 301 to the server terminal 311 in the operation terminal 303a of Taro (S303), the data includes the IP of “Taro”.
The address is assigned as the source IP address. Upon receiving the data, the network device 305 inquires of the IP address management machine 307 about the user name of the source IP address of the data (S304), receives an answer (S305), and sets the data source to "Taro". Is determined. If “pass the data of“ Taro ”with the highest priority” is set as the operation policy, the network device 305 transfers the data to the server terminal 311 quickly with the highest priority (S306).

In the conventional FireWall, since the same IP address is assigned to the source IP address of all data to be transmitted, the network device cannot determine the source of the received data for each user. According to the usage example, since the FireWall 301 assigns a different source IP address to each user and performs data transmission, the network device 5 can determine the source of the received data for each user. Appropriate access control can be performed.

As described above, the present invention can be implemented in other various forms.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a configuration of a communication network according to a first embodiment of the present invention.

FIG. 2 is a block diagram showing a configuration of a multi-user terminal 1a.

FIG. 3 is a diagram showing a configuration of transmission data 14a, 14b, 14c.

FIG. 4 shows a multi-user terminal 1 when a user of the multi-user terminal 1a logs in to the multi-user terminal 1a.
a, a flowchart showing the operation of the network device 5 and the IP address management machine 7;

FIG. 5 is a flowchart showing operations of the multi-user terminal 1a, the network device 5, and the IP address management machine 7 when the user “Taro” of the multi-user terminal 1a transmits data to the server terminal 3a.

FIG. 6 shows another user “Hanako” of the multi-user terminal 1a.
9 is a flowchart showing the operation of the multi-user terminal 1a, the network device 5, and the IP address management machine 7 when transmitting data to the server terminal 3a.

FIG. 7 is a flowchart showing an operation when the network device 5 deletes a registered user name and IP address from a cache table.

FIG. 8 is a flowchart showing an operation in which the IP address management machine assigns a vacant IP address to a user and registers a user name and an IP address in a database in the second embodiment of the present invention.

FIG. 9 is a flowchart showing an operation when the IP address management machine assigns a vacant IP address to a user and registers a user name and an IP address in a database in the third embodiment of the present invention.

FIG. 10 is an example of a display screen when setting of an IP device driver is started in the multi-user terminal 1a.

FIG. 11 is an example of a display screen when a user name is entered or selected in setting of an IP device driver.

FIG. 12 illustrates an example of setting an IP device driver.
An example of a display screen at the time of selecting an address assignment method.

FIG. 13 is a block diagram showing a configuration of a multi-user terminal 1a according to a fourth embodiment of the present invention.

FIG. 14 is a multi-user terminal 1 according to the fourth embodiment.
13 is an example of a display screen when a group name is entered or selected in the setting of the IP device driver of FIG.

FIG. 15 is a block diagram showing the overall configuration and operation of a communication network when the present invention is used in an environment using UNIX.

FIG. 16 is a block diagram showing the overall configuration and operation of a communication network when the present invention is applied in an environment using Windows NT Terminal Server.

FIG. 17 is a block diagram showing the overall configuration and operation of a communication network when the present invention is applied in an environment using FireWall.

[Explanation of symbols]

 1a Multi-user terminal 1b, 1c,... Operation terminal 3a, 3b, 3c,... Server terminal 5 Network device 7 IP address management machine 9 IP address / user name database 11a, 11b, 11c,. IP device driver

Continuation of the front page F term (reference) 5B089 GA11 GA21 GB01 HA01 JA31 JB22 KB06 5K030 JA07 JT02 KA02 KA05 KA06 5K034 DD03 FF02 FF13 HH01 9A001 BB04 CC06 CC08 JJ05 JJ12

Claims (3)

[Claims] 1. A data communication control method in a communication network in which data communication is performed using a multi-user terminal equipped with a multi-user OS on the premise that a plurality of users use the same terminal, wherein: Identification code assigning means for assigning a plurality of identification codes prepared in advance used to indicate a transmission source or a destination of data to a plurality of users of the multi-user terminal so that identification codes are different for each user, An identification code / user name storage unit that stores a correspondence relationship between the identification code and a user name to which the identification code is assigned; and a network device that controls communication of data on the communication network. The user terminal transmits the identification code when transmitting the data of each user to the communication network. The identification code assigned to each user by the assigning means is attached to the data of each user and transmitted. When the data of each user is received from the multi-user terminal, the network device adds the identification code to the received data. From the identification code, the identification code
A data communication control method, wherein a user of the received data is determined based on the correspondence stored in the user name storage means, and data communication control is performed according to the determined user. 2. A computer-readable recording medium on which a program for causing a computer to function as a multi-user terminal that can be used by a plurality of users and that can transmit data of each user to a communication network is recorded. An identification code assignment method in which a network assigns a plurality of identification codes prepared in advance used to indicate a source or a destination of data to a plurality of users of the multi-user terminal so that the identification codes are different for each user. Means, identification code / user name storage means for storing the correspondence between the identification code and the user name to which the identification code is assigned, and network equipment for controlling data communication on the communication network. In this case, the program sends the data of each user to the communication network. When transmitting, the program includes a program code for causing the computer to execute a transmitting step of attaching the identification code assigned to each user by the identification code assigning means to the data of each user and transmitting the data. ,
When the network device receives the data of each user from the multi-user terminal, from the identification code attached to the received data, the identification code
A computer-readable record for determining a user of the received data based on the correspondence stored in the user name storage means and performing data communication control according to the determined user; Medium. 3. A program for causing a computer to function as a network device provided in a communication network for performing data communication using a multi-user terminal equipped with a multi-user OS on the assumption that a plurality of users use the same terminal. In a computer-readable recording medium recording, the communication network, a plurality of identification codes prepared in advance used to indicate the source or destination of data, for a plurality of users of the multi-user terminal, ID code assigning means for assigning an ID code differently for each user; ID code / user name storing means for storing the correspondence between the ID code and the user name to which the ID code is assigned;
When the multi-user terminal transmits data of each user to the communication network, the multi-user terminal attaches an identification code assigned to each user by the identification code assignment means to the data of each user and transmits the data. In the configuration, when the program receives the data of each user from the multi-user terminal, the program stores the identification code / user name from the identification code attached to the received data. A program code for causing the computer to execute a communication control step of determining a user of the received data based on the correspondence stored in the storage device and performing data communication control according to the determined user. Computer readable recording medium.