JP2006227755A - Cooperative control device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To enable management by separating an equipment system network from an information system network, and at the same time, achieve cooperation between the networks. <P>SOLUTION: A cooperative control device 30 acquires a corresponding user ID obtained from a card ID and reader ID, which is transmitted from the equipment system network 10, using a storage means. When entering a room from a low to high security level area, the valid information for validating the account, which is the access authority of the user managed in the information system network 20 to the information system network, including an acquired user ID, is controlled so as to be transmitted to an ACL server 24 arranged in the information system network 20 for managing the account, thereby achieving the cooperation. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to entrance management from a low security level area to an advanced security level area, and information management in an advanced security level area. More specifically, the present invention relates to an equipment network responsible for entrance management, and an information network responsible for information management. The present invention relates to a cooperation control device that promotes cooperation.

  In companies that frequently handle confidential information or specific departments within the company, it is possible to prevent leakage of confidential information in advance by applying an entrance management system that manages the entrance of workers who handle confidential information. ing.

  Generally, an entrance management system uses information that uniquely identifies a user, such as a user ID (IDentification) incorporated in an IC (Integrated Circuit) card given to the user, or biometric information (fingerprint, iris, voiceprint, etc.). An advanced security level area where confidential information is handled by unlocking the locked door for entry when personal authentication is performed by the host computer for entry management and the registered authorized user is authenticated. Management such as permitting access to the inside is performed.

  By the way, the above-described confidential information is managed by a confidential information management system constructed on a network different from the entrance management system, and the confidential information is received from the information terminal device installed in the area where the entrance management is performed. It can be used in response to access to the management host computer. When accessing the host computer for managing confidential information, an authentication process similar to the personal authentication in the above-described entrance management system is required.

  As described above, since the entrance management system and the confidential information management system are constructed on completely different networks, it is very difficult for the user to use the authentication process twice before using the confidential information. Complicated operations were required.

  Therefore, cooperation between such an entrance management system and a confidential information management system is required, and authentication processing at the time of entering a region that handles confidential information and authentication at the start of use of the information terminal device after entering the room A method for associating the processing with the processing has been devised (see, for example, Patent Document 1 and Patent Document 2).

In addition, to deal with the problem caused by the passage of time from entering the room to logging on to the information terminal device, which has not been considered in Patent Document 1 and Patent Document 2, dealing with forgetting to log off the information terminal device when leaving the room A technique for realizing it has also been devised (for example, see Patent Document 3).
JP 2000-259878 A JP 2002-41469 A JP 2004-302875 A

  However, the technologies disclosed in Patent Documents 1, 2, and 3 are the same in each case in which the networks that are individually constructed in order to link the entrance management system and the confidential information management system are the same. It is configured to connect to a network.

  The confidential information management system may be connected to an external network, and includes the risk of unauthorized access by a third party and virus infection. Since the confidential information management system considers connection to such an external network in advance, sufficient countermeasures are taken. On the other hand, in an entrance management system, connection with an external network was not originally considered.

  Therefore, connecting the entrance management system and the confidential information management system so as to be in the same network increases the risk of the entrance management system being exposed to unauthorized access and virus infection, and copes with them. There is a problem that can not be.

  In addition, the entrance management system and the confidential information management system may communicate using their own protocols, so if the same network is constructed, the communication load may be unnecessarily imposed. There is a problem that some load countermeasures must be taken.

  In addition, when a network failure occurs in either the room entry management system or the confidential information management system, the room entry management system and the confidential information management system are connected to the same network, so that the failure can be recovered. Need to verify the entire large network. Therefore, there is a problem that it becomes a network system that is very difficult for the network administrator to manage.

  Therefore, the present invention has been devised to solve the above-described problems, and includes an equipment network that is a network of an entrance / exit management system and an information network that is a network of a confidential information management system. It is an object of the present invention to provide a linkage control device that can be individually separated and managed, and can appropriately link networks.

  In order to solve the above-described problem, the present invention manages entry from a low security level area to a high security level area in accordance with an authentication processing result based on first authenticated information that uniquely identifies a user. And the access restriction of the user to the information system network according to the authentication processing result based on the second authenticated information that is constructed in the high security level area and uniquely identifies the user. A cooperative control device for mutually coordinating with an information-related network that reads the first authenticated information when entering the high-security level area from the low-security level area in the facility-based network Room entry device ID (IDentification), the first authentication information, and the second authentication From the storage means, the corresponding second authenticated information is stored from the storage means for storing the information in association with the first authenticated information and the entry device ID transmitted from the facility network. Including information acquisition means to be acquired and the second authenticated information acquired by the information acquisition means at the time of entering the high security level area from the low security level area, and managed in the information network Control means for controlling to transmit valid information for validating an account, which is an access right of the user to the information system network, to an account management means provided in the information system network for managing the account; It is characterized by providing.

  The cooperative control apparatus according to the present invention makes it possible to separately manage and manage an equipment network and an information network, and reads first authenticated information used for authentication processing in the equipment network and the first authenticated information. The entry device ID of the entry reading device and the second authentication information used for the authentication process in the information network are associated with each other, stored in the storage means, and according to the authentication process result of the first authentication information. It is an advantage that the equipment network and the information network are closed networks by cooperating so that the second authenticated information is acquired and access authority to the information network is obtained. , Unauthorized access via a network by a third party or other authorized users, or via a network such as a virus infection While avoiding insurance, unauthorized entry into convenience and high security level region of the authentication process by achieving cooperation, to prevent information leakage, making it possible to enhance security.

  In addition, the cooperation control device includes the associated first authenticated information, the leaving device ID of the leaving reading device that reads the first authenticated information when leaving the room, and the second authenticated information. By using the first authentication target information in response to the authentication processing result, the second authentication target information is acquired and the access authority to the information network is lost. Information leakage after the user leaves the area can be prevented.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

[First Embodiment]
First, the information leakage prevention system shown as the first embodiment of the present invention will be described with reference to FIG. As shown in FIG. 1, the information leakage prevention system is configured by connecting an equipment network 10 and an information network 20 to each other by a cooperation control device 30.

  The facility network 10 manages intrusions from a low security level area (low security level area) to a high security level area (high security level area) that handles confidential information. In the equipment network 10, authentication processing is performed for all users who wish to enter the advanced security level area and for all users who wish to exit the advanced security level area. Authenticate only to allow entry into and exit from the area.

  The information system network 20 is a network constructed in a high security level area managed by the facility network 10. For example, the information network 20 manages confidential information, and only an authenticated user is allowed to log on from an information terminal device connected to the network and is allowed to access the confidential information.

  The facility network 10 and the information network 20 are separated from each other and can be managed independently. The linkage control device 30 prevents the leakage of confidential information managed at a high security level by interoperating between the equipment network 10 and the information network 20, while maintaining a high security level area. To help users work smoothly.

  Next, the configuration of the equipment network 10, the information network 20, and the cooperation control device 30 that configure the information leakage prevention system will be described using FIG. 1.

(Configuration of equipment network 10)
First, the configuration of the equipment network 10 will be described. The equipment network 10 includes a plurality of control units 12 connected to the hubs 11 and a plurality of gateway units 14 connected to the control units 12 via the hubs 13.

  Each control unit 12 is a minimum unit for controlling the entrance / exit management of the high security level area and the low security level area executed in the facility network 10. Each control unit 12 is centrally controlled by a management PC 18 that is a general-purpose PC (Personal Computer) also connected to the hub 11. An administrator who manages the equipment network 10 detects and manages an entry / exit processing error by each control unit 12 from the management PC 18.

  As described above, in the equipment network 10, the entrance / exit management processing is distributed by the entrance / exit management by the plurality of control units 12, thereby greatly improving the operating rate of the equipment network 10 as a whole and the equipment network 10. Even in the case of a small scale, it can be easily applied by appropriately changing the combination of the control units 12 according to the installation environment. In addition, a dedicated management device is not required.

  When the equipment network 10 is adapted to a large scale, a center device 19 as indicated by a dotted line in FIG. 1 is provided as a dedicated management device instead of the management PC 18.

  An entrance card reader 15 is provided below each gateway unit 14 and is provided outside the high security level area, and reads information stored in the semiconductor memory of the IC card owned by the user when entering the high security level area. A plurality of exit card readers 16 that are provided in the advanced security level area and read the above-described information of the IC card when leaving the advanced security level area are connected.

  The IC card owned by the user is, for example, a non-contact IC card or the like, and by using radio waves / electromagnetic waves with the entrance card reader 15 or the exit card reader 16, information can be read out without contact. Can write.

  The gateway unit 14 is provided at an entrance when entering the high security level area from the low security level area or exiting from the high security level area to the low security level area. The door) is connected to an electric lock 17 that can be locked and unlocked by an electric action. The electric lock 17 normally locks a door (door).

  The door (door) that separates the low security level region and the high security level region may be, for example, a door (door) that separates rooms from each other, or an elevator door (door). Good.

  The gateway unit 14 obtains a card ID, which is authentication information for uniquely identifying the IC card, from the information of the IC card read by the entrance card reader 15 or the exit card reader 16, and this card ID Performs authentication processing to determine whether or not the card ID is registered in advance. The gateway unit 14 performs control so that the locked electric lock 17 is unlocked for a predetermined time when the card ID is authenticated as a valid pre-registered card ID. On the other hand, if the card ID is not a valid card ID registered in advance, the gateway unit 14 leaves the locked electric lock 17 as it is and controls a notification means such as an alarm device (not shown) to perform an authentication process. Notify the user that the result is an error.

  In order to prevent the processing load in the entrance / exit processing from increasing, the gateway unit 14 is used for entrance / exit processing including, for example, the entrance card reader 15, exit card reader 16, and electric lock 17. For example, only 4 units are required at the maximum.

  The facility network 10 communicates with the cooperation control device 30 by the control unit 12 via the hub 11, but since the amount of information to be communicated is not so large, in communication with the cooperation control device 30, for example, It can be covered by relatively low speed communication such as 10BASE-T which is a communication standard of Ethernet (registered trademark).

(Configuration of information network 20)
Next, the configuration of the information network 20 will be described. The information network 20 is operated by a switching hub 21 that controls communication with the cooperation control device 30 in the information network 20 in which traffic increases, and a user who enters the high security level area connected to the switching hub 21. A plurality of client PCs (Personal Computers) 22 that are information terminal devices and an ACL (Access Control List) server 24 are provided.

  Each client PC 22 is connected to a card reader 23 that reads information stored in a semiconductor memory of an IC card owned by a user who has entered the high security level area. The card is stored in the IC card from the card reader 23 when the user activates the client PC 22 and, for example, browses, uses, or uses confidential information whose access is managed in the information network 20. It is required to read the ID and perform authentication processing.

  The ACL server 24 is a server that registers an account of a registered user who can access the information network 20 and manages the user who accesses the information network 20. The account registered in the ACL server 24 is normally invalidated, and validated in response to notification from the cooperation control device 30 that the account is valid. That is, the ACL server 24 manages the user so as to permit access to the information network 20 in response to the notification from the cooperation control device 30.

  Therefore, for example, in a state where the ACL server 24 has not received a message to validate the account, it is not possible to log on to the information network 20 from the client PC 22.

  The ACL server 24 also functions as a log server, and records a log when the user whose account is validated accesses the information network 20 through the client PC 22. This log server does not necessarily have to be configured the same as the ACL server 24, and the cooperation control device 30 may have the function of the log server.

  The ACL server 24 is connected to a card reader 25 that reads information stored in a semiconductor memory in an administrator IC card owned by only the network administrator of the information network 20. For example, the network administrator refers to the account information of the user stored in the ACL server 24 for maintenance or security management, or the log recorded in the log server. Is required to read and authenticate the card ID stored in the IC card owned by.

  The information system network 20 communicates with the cooperation control device 30 via the switching hub 21, but the amount of information to be communicated increases and traffic increases compared to the facility system network 10. For example, it is desirable to perform high-speed communication such as 100BASE-TX, which is a communication standard of Ethernet (registered trademark).

  The cooperation control device 30 is a device provided for the purpose of linking the equipment network 10 and the information network 20. The cooperation between the equipment network 10 and the information system network 20 executed by the cooperation control device 30 can be managed as a system in which the existing network called the equipment network 10 and the information system network 20 is closed, This is a collaboration that strengthens security by exchanging information with each other.

  The cooperation control device 30 cooperates so as to permit access to the information system network 20 in accordance with the authentication processing result by the equipment network 10. Specifically, the cooperation control device 30 includes a storage unit (not shown), and in order to link the facility network 10 and the information network 20 stored in the storage unit, an IC card owned by the user A card ID that uniquely identifies the IC card stored in the semiconductor memory, and a device ID that uniquely identifies all the entry card readers 15 and the exit card readers 16 that are configured in the equipment network 10 The equipment network 10 and the information network 20 are linked using a table in which the reader ID and the user ID, which is authentication information for uniquely identifying the user in the information network 20, are associated with each other. ing.

  The tables stored in the storage unit included in the cooperation control device 30 are, for example, two tables as illustrated in FIGS.

  The table shown in FIG. 2A is a gateway unit 14 that manages the entry card reader 15 and the exit card reader 16 for each reader ID that is the device ID of the entry card reader 15 and the exit card reader 16. This is a table in which card IDs given to IC cards that are allowed to enter the high security level area that is the jurisdiction of the are associated. That is, the table shown in FIG. 2A includes an entrance card reader 15 and an exit card reader 16 attached to the entrance and exit of the high security level area and the low security level area, and an IC that can enter and exit the room. A table that associates cards.

  Since one card ID is registered in a plurality of entry card readers 15 and a plurality of exit card readers 16, one card ID is associated with a plurality of reader IDs as shown in FIG. Will be.

  The table shown in FIG. 2B is a card ID that is authentication information stored in a semiconductor memory of an IC card used to uniquely identify a user in the equipment network 10, and in the information network 20. It is the table which matched user ID which is the information to be authenticated which specifies a user uniquely.

  When the cooperation control device 30 receives the reader ID and the card ID as the room entry information via the control unit 12 of the equipment network 10, the reader ID and the card ID correspond from the table shown in FIG. Judge whether or not. Then, in the case where it corresponds, the user ID corresponding to the card ID is acquired using the table shown in FIG. 2B, and the information network 20 is made to validate the account corresponding to this user ID. Notice.

  When the correspondence between the reader ID and the card ID cannot be taken, the cooperation control device 30 does not cooperate with the equipment network 10 and the information network 20, so the user has entered the advanced security level area. However, the access authority to the information network 20 is not given.

  Further, the cooperation control device 30 may be provided with a log server function for recording an access log from the client PC 22 in the information network 20 given to the ACL server 24 described above. As described above, the processing operation in the case where the cooperation control device 30 has the function of the log server will be described as appropriate in the cooperation processing operation of the cooperation control device 30 using a timing chart described later.

  Next, in the information leakage prevention system having such a configuration, the user enters the high security level area from the low security level area, logs on to the information network 20 from the client PC 22 in the high security level area, and then logs off. A series of operations from the high security level area to the low security level area will be described with reference to a timing chart.

{First cooperation processing operation}
First, a description will be given of a first cooperation processing operation in which the cooperation control device 30 makes a cooperation by validating a user account in the information system network 20 of the ACL server 24 according to a user authentication result in the equipment network 10. do.

(Entry processing to the advanced security level area)
The entrance processing to the high security level area is executed by management by the equipment network 10. First, the user carries the IC card that he owns to a position where the radio wave from the room card reader 15 can be received and reads the card ID stored in the semiconductor memory (step S1).

  The entrance card reader 15 reads the card ID from the IC card and transmits it to the gateway unit 14 (step S2).

  The gateway unit 14 performs authentication processing in the facility network 10 by comparing the transmitted card ID with a pre-registered card ID. When the transmitted card ID matches the registered card ID, the gateway unit 14 authenticates the card ID and permits entry by unlocking the locked electric lock 17 (step). S3).

  On the other hand, if the card IDs do not match and are not authenticated, the gateway unit 14 authenticates via an alarm device (not shown) or a liquid crystal display provided on the low security level area side, for example. Control to output an error notification indicating that it was not done.

  When the transmitted card ID is authenticated, the gateway unit 14 records a log indicating that the user has entered the high security level area from the low security level area in the gateway unit 14 (step S4). ). When the gateway unit 14 authenticates the transmitted card ID, the gateway unit 14 transmits the card ID and the reader ID, which is a device ID that uniquely identifies the gateway unit 14, as room entry information to the control unit 12. To do. Then, the control unit 12 notifies the link control device 30 of this room entry information (step S5).

  The linkage control device 30 uses the entry information notified from the gateway unit 14 and is stored in a storage unit (not shown), as described with reference to FIG. 2, and a table associated with the card ID and the reader ID. The reader ID, the card ID, and the user ID are matched using a table in which the card ID is associated with the user ID registered in advance for authentication processing in the information network 20. That is, the cooperation control apparatus 30 verifies whether the reader ID transmitted as the room entry information and the card ID are the correct combination recognized by using the table shown in FIG. If it is, the user ID corresponding to the card ID is acquired using the table shown in FIG. 2B (step S6).

  Further, the cooperation control apparatus 30 sends valid information for validating the user account registered in the ACL server 24 of the information system network 20 to which the acquired user ID is attached to the ACL server 24 via the switching hub 21. Transmit (step S7).

  As a result, the account in the information system network 20 of the user who entered the high security level area becomes valid, and the user has acquired the access authority to the information system network 20.

(Logon process)
The user who has entered the high security level area first activates the client PC 22 (step S11). Then, after the client PC 22 is activated, an IC card is set in the card reader 23 and a logon request is made to the client PC 22. The card reader 23 reads the card ID from the set IC card and transmits it to the client PC 22 (step S12).

  The client PC 22 makes a logon permission request to the ACL server 24 using the card ID read from the card reader 23 (step S13).

  The ACL server 24 authenticates the transmitted card ID, and when authenticated, permits the logon from the client PC 22 (step S14). In response to this, the client PC 22 transmits a log of logon information including the user ID to the log server of the ACL server 24 in order to record which user logged on from which client PC 22 (step S15). . For example, the client PC 22 displays a message notifying that logon is permitted on the display screen and notifies the user that logon is permitted (step S16).

  In this way, a user who has entered the high security level area can access the information network 20 via the client PC 22. At this time, when the facility network 10 and the information network 20 are linked by the linkage control device 30, for example, when a regular user A enters a room with another regular user B, etc. When the user A enters the room without using the IC card, it is impossible to log on even if the client PC 22 has access authority, and more accurate access management can be performed.

  Further, even if a third party who has illegally entered through the door (door) where the electric lock 17 has been unlocked by a user who intends to enter the high security level area accesses the client PC 22, access authority Since there is no illegal access, unauthorized access can be prevented.

  Therefore, the facility network 10 and the information system network 20 can be managed independently as systems that are closed to each other, but very high security can be ensured by cooperation by the cooperation control device 30.

(Logoff processing)
When the user leaves the high security level area, the user first logs off the logon from the client PC 22.

  The user makes a termination request to the client PC 22 (step S21). Upon receiving the termination request, the client PC 22 transmits logoff information including the user ID to the log server of the ACL server 24 in order to record which user has logged off from which client PC 22 (step S22). As a result, the client PC 22 is logged off from the information network 20 and shuts down (step S23).

(Exiting from the high security level area)
After the logoff is completed, the user exits from the high security level area to the low security level area.

  The exit processing from the high security level area is executed by management by the equipment network 10. First, the user carries the IC card that he owns to a position where the radio wave from the leaving card reader 16 can be received and reads the card ID stored in the semiconductor memory (step S41).

  The leaving card reader 16 reads the card ID from the IC card and transmits it to the gateway unit 14 (step S42).

  The gateway unit 14 performs authentication processing in the facility network 10 by comparing the transmitted card ID with a pre-registered card ID. When the transmitted card ID and the registered card ID match, the gateway unit 14 authenticates the card ID and permits the user to leave the room by unlocking the locked electric lock 17 (step). S43).

  On the other hand, if the card IDs do not match and are not authenticated, the gateway unit 14 is authenticated via, for example, an alarm device (not shown) or a liquid crystal display provided on the high security level area side. Control to output an error notification indicating that there was no error.

  When the transmitted card ID is authenticated, the gateway unit 14 records in the gateway unit 14 a log indicating that the user has left the high security level area to the low security level area (step S44). ). When the gateway unit 14 authenticates the transmitted card ID, the gateway unit 14 transmits the card ID and the reader ID, which is a device ID that uniquely identifies the gateway unit 14, as leaving information to the control unit 12. To do. And the control unit 12 notifies this leaving information to the cooperation control apparatus 30 (step S45).

  The linkage control device 30 uses the exit information notified from the gateway unit 14 and is stored in a storage unit (not shown), as described with reference to FIG. 2, and a table associated with the card ID and the reader ID. The reader ID, the card ID, and the user ID are matched using a table in which the card ID is associated with the user ID registered in advance for authentication processing in the information network 20. That is, the cooperation control device 30 verifies whether the reader ID transmitted as the leaving information and the card ID are the correct combination recognized by using the table shown in FIG. If it is, the user ID corresponding to the card ID is acquired using the table shown in FIG. 2B (step S46).

  Further, the cooperation control apparatus 30 sends invalid information for invalidating the user account registered in the ACL server 24 of the information network 20 to which the acquired user ID is attached to the ACL server 24 via the switching hub 21. Transmit (step S47).

  As a result, the account in the information system network 20 of the user who has left the high security level area becomes invalid, and the user has lost access authority to the information system network 20, thus preventing information leakage after the user leaves the room. can do.

{Second cooperative processing operation}
Next, the second cooperative processing operation for preventing the act of once entering the high security level area and leaving the client PC 22 to the information network 20 while leaving the low security level area is described above. The description will be given based on the first cooperative processing operation.

  As described above, if the user leaves the high security level area while the user is logged on to the information system network 20, for example, a third party who has illegally entered the high security level, or is allowed to enter the room. In other words, unauthorized access to the information network 20 by other authorized users is easily permitted.

  Therefore, by providing the function of the log server provided in the ACL server 24 to the cooperation control device 30 and operating it according to the timing chart as shown in FIG. 4, such an action can be prevented.

(Entry processing to the advanced security level area)
The entry operation from the low security level area to the high security level area in the second cooperative processing operation is exactly the same as the operation from step S1 to step S7 described with reference to FIG. Therefore, the description is omitted.

(Logon process)
The user who enters the advanced security level area first activates the client PC 22 (step S51). Then, after the client PC 22 is activated, an IC card is set in the card reader 23 and a logon request is made to the client PC 22. The card reader 23 reads the card ID from the set IC card and transmits it to the PC 22 (step S52).

  The client PC 22 makes a logon permission request to the ACL server 24 using the card ID read from the card reader 23 (step S53).

  The ACL server 24 authenticates the transmitted card ID, and if authenticated, permits the logon from the client PC 22 (step S54). In response to this, the client PC 22 transmits a log of log-on information including the user ID to the log server of the cooperation control device 30 in order to record which user logged on from which client PC 22 (step S55). ). For example, the client PC 22 displays a message notifying that logon is permitted on the display screen, and notifies the user that logon is permitted (step S56).

  In response to the log-on information being transmitted to the log server, the cooperation control device 30 uses a table that associates a user ID and a card ID as shown in FIG. 2B stored in a storage unit (not shown). Then, the card ID corresponding to the user ID included in the transmitted logon information is searched (step S57).

  The cooperation control apparatus 30 transmits invalid information including the card ID to the control unit 12 so that the searched card ID becomes invalid. Then, the control unit 12 transmits this invalid information to the gateway unit 14. In response to this, the gateway unit 14 invalidates the card ID included in the transmitted invalid information (step S58).

  In this way, a user who has entered the high security level area can access the information network 20 via the client PC 22. At this time, for example, when the equipment network 10 and the information network 20 are linked by the linkage control device 30, the electric lock 17 is unlocked by a user who has just entered the advanced security level area. Even if a third party who has illegally entered through the door (door) or another authorized user permitted to enter the room accesses the PC 22, the unauthorized access can be prevented because there is no access authority.

  Therefore, the facility network 10 and the information system network 20 can be managed independently as systems that are closed to each other, but very high security can be ensured by cooperation by the cooperation control device 30.

  Further, when the client PC 22 is logged on to the information network 20, the IC card owned by the logged-on user is prevented so that the authentication process at the gateway unit 14 cannot be performed by the cooperation control device 30. Invalidate the ID. As a result, it is impossible to leave the high security level area to the low security level area while logged on.

  Accordingly, it is possible to eliminate unauthorized access to the information network 20 from the logged-on client PC 22 that is likely to be caused by forgetting to log off.

(Logoff processing)
When the user leaves the high security level area, the user first logs off the logon from the client PC 22.

  The user makes a termination request to the client PC 22 (step S61). The client PC 22 that has received the termination request transmits logoff information including the user ID to the log server of the cooperation control apparatus 30 in order to record which user has logged off from which client PC 22 (step S62). As a result, the client PC 22 is logged off from the information network 20 and shuts down (step S63).

  In response to the log-off information being transmitted to the log server, the cooperation control device 30 uses a table that associates a user ID and a card ID as shown in FIG. 2B stored in a storage unit (not shown). The card ID corresponding to the user ID included in the transmitted logoff information is searched (step S64).

  The cooperation control device 30 transmits valid information including the card ID to the control unit 12 so that the retrieved card ID is valid. Then, the control unit 12 transmits this valid information to the gateway unit 14. In response to this, the gateway unit 14 validates the card ID included in the transmitted valid information (step S65).

(Exiting from the high security level area)
The exit operation from the high security level region to the low security level region in the second cooperative processing operation is exactly the same as the operation from step S41 to step S47 in the first cooperative processing operation described with reference to FIG. Therefore, the same step number is attached and explanation is omitted.

  In this way, in the second cooperative processing operation, in the high security level area, once logged on to the information system network 20, the gateway unit 14 that performs IC card authentication processing determines the card ID of the IC card. Perform invalid processing. As a result, it is possible to eliminate unauthorized access to the information-related network 20 due to unauthorized use of the client PC 22 that remains logged on, which is likely to occur due to leaving the high security level area due to forgetting to log off.

{Third linkage processing operation}
Next, in the high security level area, in particular, in the area where the user does not like staying for a long time, for example, in the server room, etc., the third cooperative processing operation that permits entry with a stay time restriction is described above. The description will be given based on the cooperative processing operation of 1.

  The server room can access all the information stored in the server. For example, even in emergency such as maintenance, periodic inspection, server down, etc. It is necessary to limit the processing time and prevent an act other than the purpose from being executed.

  Therefore, the occupancy time after the user enters the advanced security level area is managed by the cooperation control device 30 and is operated according to the timing chart shown in FIG. Can do.

(Entry processing to the advanced security level area)
The entrance processing to the high security level area is executed by management by the equipment network 10. First, the user carries the IC card that he owns to a position where radio waves can be received from the room card reader 15 and reads the card ID stored in the semiconductor memory (step S71).

  The entrance card reader 15 reads the card ID from the IC card and transmits it to the gateway unit 14 (step S72).

  The gateway unit 14 performs authentication processing in the facility network 10 by comparing the transmitted card ID with a pre-registered card ID. When the transmitted card ID matches the registered card ID, the gateway unit 14 authenticates the card ID and permits entry by unlocking the locked electric lock 17 (step). S73).

  On the other hand, if the card IDs do not match and are not authenticated, the gateway unit 14 authenticates via an alarm device (not shown) or a liquid crystal display provided on the low security level area side, for example. Control to output an error notification indicating that it was not done.

  When the transmitted card ID is authenticated, the gateway unit 14 records a log indicating that the user has entered the high security level area from the low security level area in the gateway unit 14 (step S74). ). When the gateway unit 14 authenticates the transmitted card ID, the gateway unit 14 transmits the card ID and the reader ID, which is a device ID that uniquely identifies the gateway unit 14, as room entry information to the control unit 12. To do. Then, the control unit 12 notifies the link control device 30 of this room entry information (step S75).

  In response to receiving the room entry information, the cooperation control apparatus 30 determines that the user has entered the advanced security level area, and in order to limit the user's stay time in the advanced security level area, for example, The management of the occupancy time is started by operating a timer that measures the time. (Step S76).

  In the management of the occupancy time by the cooperation control device 30, for example, the time measured by the timer after entering the high security level region as described above becomes the occupancy time set in the cooperation control device 30 in advance. This is done by notifying the information network 20 to that effect. The occupancy time is set in the cooperation control device 30 in association with each card ID when registering the card ID, for example. When the cooperation control device 30 acquires the room entry information, the cooperation control device 30 reads the available room time set in association with reference to the card ID that constitutes the room entry information.

  As described above, when the available time for each card ID is set in the cooperation control device 30, the available time is set for each card ID, that is, for each user who enters the advanced security level area. Can do.

  The occupancy time set in the cooperative control device 30 is not limited to this. For example, the occupancy time can be set to two hours uniformly, or can be changed according to the entrance time zone, and can be constructed in the high security level area. It is determined on an ad hoc basis according to the requirements of the information network 20.

  The linkage control device 30 uses the entry information notified from the gateway unit 14 and is stored in a storage unit (not shown), as described with reference to FIG. 2, and a table associated with the card ID and the reader ID. The reader ID, the card ID, and the user ID are matched using a table in which the card ID is associated with the user ID registered in advance for authentication processing in the information network 20. That is, the cooperation control apparatus 30 verifies whether the reader ID transmitted as the room entry information and the card ID are the correct combination recognized by using the table shown in FIG. If it is, the user ID corresponding to the card ID is acquired using the table shown in FIG. 2B (step S77).

  Further, the cooperation control apparatus 30 sends valid information for validating the user account registered in the ACL server 24 of the information system network 20 to which the acquired user ID is attached to the ACL server 24 via the switching hub 21. Transmit (step S78).

  As a result, the account in the information system network 20 of the user who entered the high security level area becomes valid, and the user has acquired the access authority to the information system network 20.

(Logon process)
The logon processing operation to the information network 20 in the high security level area in the third linkage processing operation is exactly the same as the operation from step S11 to step S16 described with reference to FIG. A description thereof will be omitted.

(Logoff processing)
When the log-off process of the third cooperative processing operation does not exceed the stay time set in the cooperative control device 30, the operations from step S21 to step S23 in the first cooperative processing operation described with reference to FIG. The description is omitted because it is exactly the same.

  On the other hand, after entering the high security level area of the user, the cooperation control device 30 calculates the measurement time measured from the entry start time by a timer and the set stayable time, for example, at predetermined time intervals. In comparison, it is monitored whether the measurement time exceeds the stayable time (step S81).

  The cooperation control device 30 notifies the client PC 22 of a warning message when the set stay time is reached (step S82). If the warning message is followed, the user logs off the logon from the client PC 22. In response to notifying the client PC 22 of the warning message, the cooperation control device 30 starts measuring time using a timer or the like.

  Specifically, the user makes an end request to the client PC 22 (step S83). The client PC 22 that has received the termination request transmits log-off information including the user ID to the log server of the ACL server 24 in order to record which user has logged off from which client PC 22 (step S84). As a result, the client PC 22 is logged off from the information network 20 and shuts down (step S85).

  On the other hand, the warning message from the cooperation control device 30 is not followed even if a predetermined time has passed, that is, the information system is not counted even though the time measurement started after notifying the warning message has exceeded the predetermined time. When not logged off from the network 20, the cooperation control device 30 transmits invalid information including the card ID to the control unit 12 so that the card ID for which entry into the high security level area is authenticated becomes invalid. . Then, the control unit 12 transmits this invalid information to the gateway unit 14. In response to this, the gateway unit 14 invalidates the card ID included in the transmitted invalid information (step S86).

  Furthermore, the cooperation control device 30 sends invalid information via the switching hub 21 to invalidate the user account registered in the ACL server 24 of the information network 20 with the user ID corresponding to the card ID attached. The data is transmitted to the ACL server 24 (step S87). Then, the cooperation control device 30 transmits a forced termination command to the client PC 22 to forcibly terminate it (step S88).

  Thereby, even when the warning message is not followed, access to the information-related network 20 can be forcibly excluded.

(Exiting from the high security level area)
The exit operation from the high security level region to the low security level region in the third cooperative processing operation is exactly the same as the operation from step S41 to step S47 in the first cooperative processing operation described with reference to FIG. Therefore, the same step number is attached and explanation is omitted.

  In this way, in the third cooperative processing operation, the staying time of the user who has entered the high security level area can be managed by the cooperative control device 30, so that particularly strict security is required even in the high security level area. Since access to the information network 20 can be managed in time, information leakage can be suppressed.

  In the above-described third cooperative processing operation, the staying time management in the high security level area of the user is executed by the cooperative control device 30, but when the equipment network 10 is large-scaled. May be executed as shown in the timing chart of FIG. 6 by using the center device 19 used in place of the management PC 18. The timing chart shown in FIG. 6 is almost the same as the timing chart described with reference to FIG. 5, so only the different steps of “advance processing to the advanced security level area” and “log-off processing” will be described. These steps are given the same step numbers and will not be described.

  In the entry process to the advanced security level area, when the gateway unit 14 authenticates the card ID, the card ID and the reader ID that is a device ID that uniquely identifies the gateway unit 14 are used as the entry information. It transmits to the control unit 12 (step S75a).

  Then, the control unit 12 notifies the room entry information to the center device 19 and the cooperation control device 30 (step S75b).

  Then, the center device 19 determines that the user has entered the advanced security level area in response to receiving the entry information, and in order to limit the user's stay time in the advanced security level area, for example, A timer for measuring the room time is operated to start the management of the room time (step S76).

  In the management of the occupancy time by the center device 19, for example, the time measured by the timer after entering the advanced security level area as described above is set in the center device 19 in advance, as in the cooperation control device 30. This is done by notifying the information network 20 when the available time is reached. The occupancy time is set in the cooperation control device 30 in association with each card ID when registering the card ID, for example. When the center device 19 acquires the room entry information, the center device 19 refers to the card ID that constitutes the room entry information and reads the room availability time set in association with the room ID.

  As described above, if the available time for each card ID is set in the center device 19, the available time can be set for each card ID, that is, for each user who enters the high security level area. it can.

  The occupancy time set in the center device 19 is not limited to this. For example, information that is set in the high security level area may be set to two hours uniformly, or may be changed according to the room entry time zone. It is determined on an ad hoc basis according to the demands required by the network 20.

  In the log-off processing from the information network 20 by the client PC 22, the center device 19 includes the measurement time measured from the entry start time by the timer after entering the high security level area of the user, the set stayable time, Are compared at every predetermined time interval, for example, and it is monitored whether or not the measurement time exceeds the stayable time (step S81a).

When the measurement time exceeds the set stayable time, the center device 19 indicates that there is an abnormal situation in which there is a user who exceeds the stayable time and is accessing the information system network. 30 (step S81b)
In this way, in the third cooperative processing operation, the staying time of the user who has entered the high security level area can be managed by the center device 19, and therefore information that requires particularly strict security even in the high security level area. Since access to the network 20 can be managed in time, information leakage can be suppressed.

[Second Embodiment]
Next, the information leakage prevention system shown as the second embodiment of the present invention will be described with reference to FIG. As shown in FIG. 7, the information leakage prevention system shown as the second embodiment is the same as the information leakage prevention system and facility network 10 shown as the first embodiment described above. In order to execute the authentication process when exiting from the security level area to the low security level area, the exit card reader 16 for reading the card ID, which is the authentication information stored in the IC card owned by the user, is not provided. It has become.

  As described above, the information leakage prevention system shown as the second embodiment has the same configuration as the information network 20 except that the facility network 10 does not include the card reader 16 for leaving the room. It is the same as the information leakage prevention system shown as. Therefore, as shown in FIG. 7, each functional unit constituting the information leakage prevention system shown as the second embodiment is the same as the information leakage prevention system shown as the first embodiment shown in FIG. The reference numerals are attached and the description is omitted.

{Fourth cooperative processing operation}
In the information leakage prevention system shown in FIG. 7 as the second embodiment, the cooperation control device 30 executes the fourth cooperation processing operation as shown in the timing chart of FIG. In the fourth cooperative processing operation, in response to the fact that the facility network 10 does not include the leaving card reader 16, the invalidation processing of the account of the ACL server 24 when the user leaves the high security level area is based on time. To be executed.

(Entry processing to the advanced security level area)
The entry operation from the low security level area to the high security level area in the fourth linkage processing operation is exactly the same as the operation from step S1 to step S7 described with reference to FIG. Therefore, the description is omitted.

(Logon process)
The logon processing operation to the information network 20 in the high security level area in the fourth linkage processing operation is exactly the same as the operation from step S11 to step S16 described with reference to FIG. A description thereof will be omitted.

(Logoff processing)
The logoff processing operation from the information network 20 in the high security level area in the fourth linkage processing operation is exactly the same as the operation from step S21 to step S23 described with reference to FIG. A description thereof will be omitted.

(Exiting from the high security level area)
Since the information leakage prevention system shown as the second embodiment in FIG. 7 does not include the leaving card reader 16 as described above, the authentication process by the gateway unit 14 is not executed when leaving the room. That is, even if the user logs off from the client PC 22 and leaves the advanced security level area, the account of the information-related network 20 remains valid. Therefore, there is a high risk of unauthorized access to the information-related network 20 by a third party who has illegally entered the high security level area or another authorized user permitted to enter the room.

  Therefore, in the fourth cooperative operation process, the cooperation control device 30 transmits invalid information for invalidating the valid account to the ACL server 24 at step S91 at a predetermined time. . In step S91, the “predetermined predetermined time” that is the timing at which the cooperation control device 30 transmits invalid information to the ACL server 24 is assumed to be various depending on the environment in which the information leakage prevention system is constructed. For example, the following two can be assumed.

  The first “predetermined predetermined time” is a time determined by an administrator of the information network 20 or the like. For example, by determining that all accounts are invalidated at midnight, the cooperation control device 30 transmits invalid information that automatically invalidates the account to the ACL server 24 according to time.

  The second “predetermined predetermined time” is a time when it is determined that there is no user using the information network 20. For example, in a company where the information leakage prevention system, called the alarm mode, is installed, it is linked with a crime prevention system that operates when leaving the company, and all people have left the company, so the crime prevention system has been activated. The cooperation control device 30 transmits invalid information for invalidating the account to the ACL server 24 according to the time when the system is functioning.

  When the log server function is given to the linkage control apparatus 30 as shown in FIG. 4, invalid information that invalidates the account from the linkage control apparatus 30 after a predetermined time has elapsed since the client PC 22 logged off is displayed as ACL. It can be sent to the server 24. At this time, in response to receiving logoff information from the client PC 22 to the log server, the cooperation control device 30 starts measuring a predetermined time until an invalid signal is generated and transmitted to the ACL server 24.

  In the information leakage prevention system shown in FIG. 7 as the second embodiment, the cooperation control device 30 executes the fourth cooperation processing operation as shown in the timing chart of FIG. In the fourth cooperative processing operation, in response to the fact that the facility network 10 does not include the leaving card reader 16, the invalidation processing of the account of the ACL server 24 when the user leaves the high security level area is based on time. To be executed.

  Further, in the fourth cooperative processing operation, as shown in the timing chart of FIG. 9, the ACL server 24 itself logs off from the information system network 20 via the client PC 22 by giving the ACL server 24 an invalidation function. User accounts can also be disabled.

  The timing chart shown in FIG. 9 is the same as the timing chart shown in FIG. 8 because the operations from step S1 to step S7, step S11 to step S16, and step S21 to step S23 are the same as those shown in FIG. The description is omitted.

  In response to the user receiving logoff / logoff information from the information network 20 via the client PC 22, the ACL server 24 operates the invalidation function to invalidate the account of the logged off user ( Step S101).

  When the ACL server 24 has an invalidation function, the account is invalidated in response to receiving logoff information from the client PC 22 as described above. The account may be invalidated after a predetermined time has elapsed.

  For example, when the last working time (for example, 10:00 PM) is determined as an operating rule of the information leakage prevention system according to employee rules, laws, etc., the ACL server 24 is set when the last working time is reached to comply with this. Automatically disables the account with the disable function. At this time, instead of invalidating the account at the last working time, the account can be invalidated 30 minutes after the last working time.

  In addition, for example, an access rule for the information network 20 is determined by the operation rules such as a server room where the information leakage prevention system is applied, for example, from 9 AM to 5 PM. In such a case, the account is invalidated by the invalidation function of the ACL server 24 at a time other than the accessible time zone.

  As described above, in the facility network 10, even when the exit card reader 16 is not provided and authentication processing is not required for exiting from the high security level area to the low security level area, the cooperative control device 30, ACL The server 24 cooperates with the facility network 10 and the information network 20 and invalidates the account after leaving the high security level area.

  As a result, the account in the information system network 20 of the user who has left the high security level area becomes invalid, and the user has lost access authority to the information system network 20, thus preventing information leakage after the user leaves the room. can do.

  In the first embodiment and the second embodiment of the present invention, the user uses the card ID stored in the IC card owned by the user as authentication target information, and performs the authentication processing of the facility network 10. However, the present invention is not limited to this, and the user only needs to be uniquely identified in the facility network 10. For example, biometric information such as fingerprint information and iris information is used as authentication information, The authentication process in the equipment network 10 may be performed by executing the biometric authentication process.

  Further, when logging on to the information system network 20 from the client PC 22, the biometric authentication process using the biometric information may be executed.

  The above-described embodiment is an example of the present invention. For this reason, the present invention is not limited to the above-described embodiment, and various modifications can be made depending on the design and the like as long as the technical idea according to the present invention is not deviated from this embodiment. Of course, it is possible to change.

It is a block diagram for demonstrating the structure of the information leakage system shown as the 1st Embodiment of this invention. It is the figure which showed an example of the table stored in the memory | storage means with which a cooperation control apparatus is provided, (a) is a table which relates reader | leader ID and card ID, (b) is card ID and user ID. It is a related table. It is a timing chart for explaining the 1st cooperation processing operation. It is a timing chart for explaining the 2nd cooperation processing operation. It is a timing chart for explaining the 3rd cooperation processing operation. It is a timing chart for demonstrating another example of the said 3rd cooperation processing operation | movement. It is a block diagram for demonstrating the structure of the information leakage system shown as the 2nd Embodiment of this invention. It is a timing chart for explaining the 4th cooperation processing operation. It is a timing chart for demonstrating another example of the said 4th cooperation processing operation | movement.

Explanation of symbols

10 Equipment network
12 Control Unit 14 Gateway Unit 15 Entrance Card Reader 16 Exit Card Reader 17 Electric Lock 20 Information Network 22 Client PC (Personal Computer)
24 ACL (Access Control List) Server 30 Cooperation Control Device

Claims (13)

A facility network that manages entry from the low security level area to the high security level area according to the authentication processing result based on the first authenticated information that uniquely identifies the user, and the high security level area. And a cooperative control device that cooperates with an information network that restricts access to the information network of the user according to an authentication processing result based on second authenticated information that uniquely identifies the user. Because
In the facility network, when entering from the low security level area to the high security level area, the entry device ID (IDentification) of the entry reading device that reads the first authentication information and the first identification target. Storage means for storing authentication information and the second authenticated information in association with each other;
Information acquisition means for acquiring the corresponding second authenticated information from the storage means from the first authenticated information and the entry device ID transmitted from the facility network;
The information of the user managed in the information system network including the second authenticated information acquired by the information acquisition means when entering the high security level area from the low security level area And a control means for controlling to transmit valid information for validating an account, which is an access right to the system network, to an account management means provided in the information system network for managing the account. Control device. The storage means includes an exit device ID of the exit reading device that reads the first authenticated information and the first device when the exit from the high security level region to the low security level region in the facility network. And the second authenticated information are stored in association with each other,
The information acquisition means acquires the corresponding second authenticated information from the storage means from the first authenticated information and the leaving device ID transmitted from the facility network,
When the user leaves the high security level area to the low security level area, the control means includes the second authenticated information acquired by the information acquisition means and invalidates the account. The linkage control device according to claim 1, wherein the invalidation information to be transmitted is controlled to be transmitted to the account management means. When leaving the user from the high security level area to the low security level area,
The control means controls to transmit invalid information for invalidating all user accounts managed by the account management means to the account management means in response to a predetermined time. The cooperation control apparatus according to claim 1, wherein When leaving the user from the high security level area to the low security level area,
In response to receiving logoff information notifying that the user has logged off from the information terminal device connected to the information system network and logged on by the user, the control means is configured to change the account in the information system network. The cooperation control device according to claim 1, wherein the invalidation information to be invalidated is controlled to be transmitted to the account management means. In response to receiving log-on information notifying that the user has logged on to the information system network from the information terminal device connected to the information system network, the control means,
From the second authenticated information included in the logon information, the corresponding first authenticated information is retrieved from the storage means, and invalid information for invalidating the retrieved first authenticated information is obtained. Transmit to the equipment network, and control to stop the authentication process by the first authenticated process information in the equipment network,
The control means, in response to receiving logoff information notifying that the information system network has been logged off from an information terminal device connected to the information system network,
From the second authenticated information included in the logoff information, the corresponding first authenticated information is retrieved from the storage unit, and valid information for validating the retrieved first authenticated information is obtained. The cooperation control device according to claim 2, wherein the cooperative control apparatus transmits to the facility network and performs control so as to execute again the authentication process using the first authenticated process information in the facility network. In response to receiving the entry information transmitted from the facility network and informing that the user has entered the high security level area, the control means starts counting time, and the time measured is In response to exceeding the time allowed for staying in the above-mentioned advanced security level area,
The cooperation control apparatus according to claim 1, wherein the information terminal apparatus connected to the information system network and logging on to the information system network is notified that the stayable time has been exceeded. . In response to receiving a notification from the center device that controls the facility network that the user's stayable time has been exceeded in the predetermined high security level area,
The cooperation control device according to claim 1, wherein the information terminal device connected to the information system network and logged on to the information system network is notified that the stay time has been exceeded. The control means starts timing in response to notifying the information terminal device that the stayable time has been exceeded, and the information terminal device indicates that the measured time has passed a predetermined time, The control device transmits the invalid information for invalidating the first authenticated information to the facility network in response to being logged on to the information network. 7. The cooperative control device according to 7. The control means starts timing in response to notifying the information terminal device that the stayable time has been exceeded, and the information terminal device indicates that the measured time has passed a predetermined time, The linkage according to claim 6 or 7, wherein invalid information for invalidating the account is transmitted to the account management means in response to being logged on to the information network. Control device. Time measurement is started in response to notifying the information terminal device that the stayable time has been exceeded, the time measured has passed a predetermined time, and the information terminal device is connected to the information network. 8. The cooperative control device according to claim 6, wherein control is performed so as to transmit a forced termination command to the information terminal device in response to being logged on to the information terminal device. The cooperative control apparatus according to claim 1, wherein the first authentication information is a card ID (IDentification) stored in a memory included in an IC (Integrated Circuit) card owned by the user. The cooperation control apparatus according to claim 1, wherein the first authenticated information is biometric information of a user. The cooperative control apparatus according to claim 1, wherein the second authenticated information is a user ID (IDentification) that uniquely identifies a user in the information network.

Images