JP4879643B2 - Network access control system, terminal, address assignment device, terminal system authentication device, network access control method, and computer program - Google Patents

Description

  The present invention relates to a network access control system, a terminal, an address assignment device, a terminal system authentication device, a network access control method, and a computer program.

  In recent years, thin clients have attracted attention with the occurrence of personal information leakage cases due to the loss of notebook PCs (personal computers) and portable information recording media, and the formulation of laws for the Personal Information Protection Law. A thin client is a computer equipped with only minimum functions such as display and input, and resources such as application software are centrally managed by a server.

  One thin client technology is SCC (Storage Centric Computing). FIG. 15 is a diagram for explaining the SCC technique. As shown in the figure, the SCC technology does not have storage on the SCC terminal side, connects to a network (NW) storage, and downloads an OS (Operation System) image file (hereinafter referred to as “OS image”) to a memory. Start the OS. In SCC, data (storage) is managed by a server or administrator, and a CPU (central processing unit) on the SCC terminal side is used for processing by using an application. In addition, this SCC terminal is a terminal that mounts the OS image on the network storage by PXE (Preboot eXecution Envitoment) and starts the OS, and boots from local storage (hard disk, CD-ROM, USB memory, etc.) It does not include the terminal to do.

FIG. 16 is a diagram showing an OS startup procedure of the conventional SCC terminal shown in FIG.
First, when the power of the SCC terminal connected to the network is turned on (step S800), the SCC terminal sends to a DHCP (Dynamic Host Configuration Protocol) server to request a parameter required for network boot, for example, an IP address. A DHCP request is transmitted (step S810). The DHCP server acquires the MAC (Media Access Control) address of the DHCP request source SCC terminal from the received DHCP request, and performs authentication based on whether this MAC address is a pre-registered MAC address (step S820). If the DHCP server is an unregistered MAC address, the DHCP server does not send back a DHCP response, and the process ends here.

  When the SCC terminal is authenticated in step S820, the DHCP server notifies the SCC terminal of the IP address and parameters necessary for network booting by a DHCP response (step S830). The SCC terminal transmits a PXE request for making a network boot request to the SCC server based on the parameters described in the DHCP response (step S840). The SCC server notifies the SCC terminal of the location of the program file necessary for network booting, for example, a URL (Universal Resource Locator) by a PXE response (step S850).

  Based on the information described in the received PXE response, the SCC terminal transmits a TFTP (Trivial File Transfer Protocol) connection to the SCC server (step S860). The SCC terminal downloads a program file necessary for network booting called NBP (Network Bootstrap Program) by using TFTP (step S870). The SCC terminal executes NBP, connects to the NW storage (step S880), and downloads the OS image from the NW storage to the main memory (step S890). Thereafter, the SCC terminal activates the OS downloaded on the main memory (step S900).

When the SCC technique described above is used, there are the following problems.
The current problem is information leakage due to the rich client connection. As shown in FIG. 16, the SCC terminal is connected to the network, that is, connected to the network storage after the power is turned on and starts the OS. For this reason, even if authentication is attempted at the time of network connection, the OS is not activated, so that an application necessary for authentication cannot be executed. Therefore, it is difficult to perform authentication when connecting to the network. In the current SCC environment, MAC address authentication is performed when parameters required for network booting are acquired by a DHCP request. However, since the connection to the network itself is not restricted, rich Even a client can connect and there is a risk that information is stored in the local storage.
Another current problem is information leakage due to writing to local storage. In other words, even if the terminal connected to the network is authenticated and only the SCC terminal can be connected, the user adds a local storage such as a USB (Universal Serial Bus) memory after the OS is started, and the added local storage is confidential. There is a possibility of bringing out information.

In order to solve the above problems, there are the following existing countermeasure technologies.
As a countermeasure against information leakage due to the connection of the rich client, it is conceivable to eliminate the connection from the rich client. For this purpose, it is necessary to authenticate whether the client is a rich client or an SCC terminal when connected to the network. However, since the SCC terminal is diskless, an application required for authentication cannot be used until it is connected to the network storage and the OS is started. Further, in order to connect to the network storage, it is assumed that it can be connected to the network. For this reason, authentication performed when connecting to a network such as IEEE802.1X cannot be performed. The main methods of this solution are: (1) Start the terminal with a micro OS and perform authentication at the time of network connection, (2) Terminal not registered in the communication (ARP: Address Resolution Protocol) monitoring server There are two ways to restrict the communication.

  In the case of (1), there is a method of using a micro OS in a local storage such as a USB memory or a CD-ROM without making the terminal completely diskless. For this purpose, an OS (micro OS) having a minimum necessary function capable of executing an application required for terminal authentication and an application for network connection authentication are installed in the local storage in advance. The terminal starts the micro OS after starting BIOS (Basic Input Output System), and after the terminal is authenticated, connects to the network storage and downloads the OS.

  In the case of (2), instead of authenticating at the time of network connection, a server that monitors the communication of the terminal is arranged on the network, and only the registered terminal is blocked by interfering with the communication of the unregistered terminal. Enable communication. The method of blocking communication is to monitor ARP resolution that is always performed when communicating within the same segment, and when the MAC address described in ARP is a terminal that is not registered, the monitoring server responds to the ARP response. Respond on behalf. All communications from unregistered terminals are addressed to the monitoring server, and communication with a regular destination is not established.

  In addition, security software can be introduced as a countermeasure against information leakage caused by writing to local storage. In this case, security software for restricting writing to the local storage is introduced into the OS activated on the terminal. Another measure is control by OS policy or device driver. In this case, writing to the local storage is restricted by an OS policy or a device driver activated on the terminal.

On the other hand, Patent Document 1 describes that access control is performed according to the security patch application status of an OS activated on a terminal when connected to a network.
JP 2005-250761 A

Considering from the viewpoint of monitoring prevention of information leakage, the conventional countermeasure techniques have the following problems.
As countermeasures against information leakage due to rich client connections, when a terminal is started with a micro OS as shown in (1) and authentication is performed when connecting to a network, connections such as rich clients that are not permitted to be used are excluded. Postcard. However, there are problems such as time and cost of distributing local storage such as a USB memory, use of local storage, which does not lead to information leakage countermeasures, and micro OS is falsified to avoid authentication.
In addition, as shown in (2), when restricting communication of a terminal that is not registered in the communication (ARP) monitoring server, communication from a terminal that is not registered with a MAC address can be blocked. It does not control the connection to the network. Therefore, any terminal can connect to the network. Therefore, even a terminal that does not have a registered MAC address can perform communication by capturing a registered MAC address that can be communicated by capturing a packet and spoofing the MAC address.

On the other hand, as a countermeasure against information leakage due to writing to the local storage, regardless of which of the countermeasures, such as introducing security software or controlled by the OS policy or device driver, is added to the local storage on the terminal and to the local storage Can be saved. In addition, by using these measures, it is possible to solve the problem in the case where the terminal is activated by the micro OS as shown in (1) described above and authentication at the time of network connection is performed. However, in the current SCC technology, there is no mechanism for authenticating whether these measures are implemented in the OS activated in the terminal. For this reason, there is a possibility that the SCC terminal adds the local storage without starting the OS from the network storage after performing the terminal authentication at the time of network connection, and starts the OS from the local storage.
Moreover, the technique of patent document 1 cannot be applied in order to solve the problem mentioned above.

  The present invention has been made in view of such circumstances, and performs terminal authentication when a thin client is connected to the network, and also authenticates that the terminal is activated by an OS in which the use of local storage is restricted. It is an object of the present invention to provide a network access control system, a terminal, an address assignment device, a terminal system authentication device, a network access control method, and a computer program that can permit access to confidential information.

  In order to solve the above-described problems, the present invention can form a connection group that is connected to the end of a network and is a logical network different from the physical configuration, and transfers data between nodes belonging to the same connection group. In a network access control system comprising: a connection control device that performs control so that communication can be performed; an address assignment device that belongs to the first connection group of the network; a terminal system authentication device that belongs to the second connection group of the network; The terminal connected to the network transmits an address request in which its own physical address and terminal type are set to the address assigning device, and information on the address allocated to itself in the network in response to the address request. Address required to receive Means, accessing the terminal system authentication device, obtaining a program necessary for network booting, and executing the program obtained by the network boot program obtaining means, received by the address request means A connection establishment means for establishing a connection with the network using address information, a session with the network storage using the connection established by the connection establishment means, and an operation system including a local storage check function Operation system image acquisition means for acquiring an image file, and the operation system is activated by the image file acquired by the operation system image acquisition means, and the local storage Notification means for checking whether the use is restricted and notifying the terminal system authentication device of information on the check result, wherein the address assignment device receives an address request from the terminal belonging to the first connection group. Depending on whether the physical address set in the received address request is a physical address permitted in advance and the terminal type set in the address request indicates a thin client having no local storage In order to change the connection group to which the terminal belongs to the second connection group while allocating an address in the network and notifying the terminal when the authentication by the terminal authentication unit that performs authentication and the authentication by the terminal authentication unit is successful A connection group setting change message is transmitted to the connection control device An address assignment unit, wherein the terminal system authentication device receives access from the terminal that has been changed to the second connection group, and transmits a program necessary for network boot from the terminal. When the information of the check result of whether or not the local storage is restricted is received and authentication is performed depending on whether or not the local storage is restricted, and when the authentication by the system authentication means is successful Connection group changing means for sending a connection group setting change message for changing the connection group to which the terminal belongs to a third connection group in the network to the connection control device, wherein the connection control device has the address Granting device or terminal system authentication device Network access control, comprising: connection control means for receiving a connection group setting change message and controlling the connection group to which the terminal belongs to a change destination connection group indicated by the connection group setting change message. System.

  Further, the present invention is the network access control system described above, wherein the system authentication means further establishes a session between the terminal that is the transmission source of the information of the check result and the network storage The authentication is performed by the following.

Further, the present invention provides a connection group that is connected to the end of the network and can form a connection group that is a logical network different from the physical configuration, and controls data transfer between nodes belonging to the same connection group. A terminal connected to the network of a network access control system comprising a control device, an address assignment device belonging to the first connection group of the network, a terminal system authentication device belonging to the second connection group of the network, and a network storage a is, the physical address of itself, and transmits an address request sets the terminal type indicating the thin client that does not have local storage to the address allocation device, the terminal authentication unit of the addressing device, set in the address request The authentication by the physical address and the terminal type succeeded, and the address assignment unit of the address assigning device transmits a connection group setting change message to the connection control device, and the connection group to which the terminal belongs is set to the second assigned to the terminal when changing to the connection group, the address request means for receiving the information you Keru address to the network, and access to the terminal system authentication device, a network boot to obtain the program necessary for network booting A program acquisition unit; a connection establishment unit that executes the program acquired by the network boot program acquisition unit and establishes a connection with the network using the address information received by the address request unit; and the connection establishment unit Connection established by And establishes a session with the network storage, acquires an operation system image file including an operation system image file including a local storage check function, and starts the operation system with the image file acquired by the operation system image acquisition unit. And a notification means for checking whether or not the use of the local storage is restricted and notifying the terminal system authentication device of information of the check result.

  Further, the present invention provides a connection group that is connected to the end of the network and can form a connection group that is a logical network different from the physical configuration, and controls data transfer between nodes belonging to the same connection group. The address assignment device in a network access control system comprising a control device, an address assignment device belonging to a first connection group of the network, a terminal system authentication device belonging to a second connection group of the network, and a network storage. And receiving an address request from a terminal connected to the network belonging to the first connection group, and the physical address of the terminal set in the received address request is a pre-permitted physical address, and The terminal type set in the address request is A terminal authentication unit that performs authentication based on whether the thin client does not have a local storage, and when the authentication by the terminal authentication unit is successful, assigns an address in the network and notifies the terminal, and An address assignment device comprising: an address assignment unit that transmits a connection group setting change message for changing a connection group to which a terminal belongs to a second connection group to the connection control device.

  Further, the present invention provides a connection group that is connected to the end of the network and can form a connection group that is a logical network different from the physical configuration, and controls data transfer between nodes belonging to the same connection group. The terminal system authentication device in a network access control system comprising: a control device; an address assignment device belonging to the first connection group of the network; a terminal system authentication device belonging to the second connection group of the network; and a network storage. A network boot program transmitting means for transmitting a program necessary for network booting received from a terminal connected to the network, which has been changed from a first connection group to a second connection group; Local storage Receives information on the result of checking whether usage is restricted, authenticates whether the local storage is restricted, and determines whether a session between the terminal and the network storage is established A system authentication unit for performing authentication, and a connection group setting change message for changing a connection group to which the terminal belongs to a third connection group in the network when authentication by the system authentication unit is successful. And a connection group changing means for transmitting to the terminal system authentication device.

  Further, the present invention provides a connection group that is connected to the end of the network and can form a connection group that is a logical network different from the physical configuration, and controls data transfer between nodes belonging to the same connection group. A network access control method in a network access control system comprising a control device, an address assignment device belonging to a first connection group of the network, a terminal system authentication device belonging to a second connection group of the network, and a network storage. A terminal belonging to the first connection group and connected to the network transmits an address request in which a physical address and a terminal type of the terminal are set to the address assigning device; and Receive and receive address request Authentication is performed based on whether the physical address set in the address request is a pre-permitted physical address and the terminal type set in the address request indicates a thin client without local storage. A connection group setting change message for allocating an address in the network and notifying the terminal and changing a connection group to which the terminal belongs to a second connection group when authentication is successful. Transmitting to the control device, the connection control device receiving a connection group setting change message from the address assignment device, changing the connection group to which the terminal belongs to a second connection group, and the terminal, Assigned to itself in the network. The terminal system authenticating device receives the access from the terminal and transmits a program necessary for network booting, and the terminal receives the program received from the terminal system authenticating device. Executing a step of establishing a connection with the network using the address information received from the address assigning device, establishing a session with the network storage using the established connection, and performing a local storage check function A step of acquiring an image file of the operation system including the step, a step of starting the operation system with the acquired image file, checking whether local storage is restricted, and notifying the terminal system authentication device of information on the check result And the terminal system authentication device receives information on the result of checking whether or not the local storage is restricted from the terminal, and performs authentication based on whether or not the local storage is restricted. A step of performing authentication depending on whether a session between the terminal and the network storage is established; and when authentication is successful, for changing the connection group to which the terminal belongs to the third connection group in the network A step of transmitting a connection group setting change message to the connection control device; and the connection control device receives a connection group setting change message from the terminal system authentication device, and transfers the connection group to which the terminal belongs to a third connection group Controlling to change A network access control method according to symptoms.

  Further, the present invention provides a connection group that is connected to the end of the network and can form a connection group that is a logical network different from the physical configuration, and controls data transfer between nodes belonging to the same connection group. Used for the address assignment device in a network access control system comprising a control device, an address assignment device belonging to the first connection group of the network, a terminal system authentication device belonging to the second connection group of the network, and a network storage. A computer that belongs to a first connection group, receives an address request from a terminal connected to the network, and the physical address of the terminal set in the received address request is a physical address that is permitted in advance, and Set in the address request A terminal authentication unit that performs authentication depending on whether the terminal type indicates a thin client that does not have a local storage, and when the authentication by the terminal authentication unit is successful, an address in the network is allocated and notified to the terminal A computer program that functions as address assignment means for transmitting a connection group setting change message for changing the connection group to which the terminal belongs to a second connection group to the connection control device.

  Further, the present invention provides a connection group that is connected to the end of the network and can form a connection group that is a logical network different from the physical configuration, and controls data transfer between nodes belonging to the same connection group. As the terminal system authentication device in a network access control system comprising a control device, an address assignment device belonging to the first connection group of the network, a terminal system authentication device belonging to the second connection group of the network, and a network storage A network boot program transmitting means for transmitting a program necessary for network booting, receiving access from a terminal connected to the network, wherein the computer used is changed from a first connection group to a second connection group; Or Receives information on the check result of whether local storage is restricted, authenticates whether the local storage is restricted, and establishes a session between the terminal and the network storage A system authentication unit that performs authentication depending on whether the connection group setting change message for changing the connection group to which the terminal belongs to a third connection group in the network when the authentication by the system authentication unit is successful. A computer program that functions as connection group changing means for transmitting to a control device.

According to the present invention, when the thin client is connected to the network, even if the OS is not started in the thin client, it is determined by the address request message that the terminal is an SCC terminal, and the network access corresponding to the type of the terminal is performed. Control can be realized.
In addition, after the OS is started, authentication is performed based on whether or not the use of local storage such as a USB memory is restricted, the session with the network storage is confirmed, and the access control of the network is performed again, thereby restricting the use of the local storage. Only authorized regular SCC terminals can be connected to the intranet.
In addition, unlike the screen transfer type thin client in which the calculation is performed by the server CPU, in the SCC terminal in the network boot type thin client environment, the OS authentication processing is performed in the CPU of the client PC, so the OS authentication is performed. However, there is a threat that a key used for OS authentication is eavesdropped or a service is copied due to memory eavesdropping or application analysis. However, according to the present invention, this threat can also be avoided by performing verification of network connectivity.

Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings.
FIG. 1 is a diagram showing a typical system configuration assumed by a network (NW) access control system according to an embodiment of the present invention. The NW access control system according to the present embodiment performs authentication of a terminal when connected to a network and authentication of an OS (Operation System) activated by the terminal, and a local storage such as a USB (Universal Serial Bus) memory having a risk of information leakage. Eliminate devices that can use. The exclusion of terminals is realized by controlling access to the network.

  In the NW access control system shown in the figure, access control from the SCC (Storage Centric Computing) terminal 1 to the network N is performed. This is realized by controlling the VLAN of the VLAN compatible switch 2 to which the SCC terminal 1 is connected. VLAN is a technology for creating a virtual connection group by specific nodes on a LAN (Local Area Network) independently of the connection form of physical nodes in the LAN. Each node can only be connected to the VLAN to which it belongs. In this NW access control system, a VLAN (Virtual LAN) control function described in Patent Document 1 is used for access control to the network N.

  The network N includes a VLAN control server 3, a DHCP (Dynamic Host Configuration Protocol) server 4 (address assignment device), an SCC server 5 (terminal system authentication device), an NW storage 6, and a file connected to the VLAN control server 3. The shared server 7 is connected by a LAN or the like. The network N is composed of three VLANs for connection authentication (first connection group), OS authentication VLAN (second connection group), and business VLAN (third connection group). In this way, by dividing the network N by VLAN, the accessible range within the network N is limited.

The connection authentication VLAN is a VLAN that is connected first when the terminal is connected to the network N. When the terminal connected to the network is an unregistered terminal or a rich client terminal, the connection range is confined within the connection authentication VLAN. That is, as described above, the network N is divided into VLANs, so when a terminal is connected, it is connected to an isolated VLAN called connection authentication VLAN, but other VLANs can be accessed. As a result, the unauthenticated terminal is confined in the connection authentication VLAN.
The OS authentication VLAN is a VLAN to which only terminals that are determined to be registered SCC terminals in the connection authentication VLAN are connected. In this VLAN, authentication is performed based on whether the OS started up in the SCC terminal 1 is restricted in the use of a local storage such as a USB memory. If the local storage usage is not restricted, the connection range is confined within the OS authentication VLAN.
The business VLAN is an intranet where actual business processing is performed, and is a network that handles information to be protected by the NW access control system. In the OS authentication VLAN, only terminals that have been authenticated that the use of local storage is restricted can be connected to the business VLAN.

FIG. 14 is a diagram illustrating VLAN transition conditions.
In the figure, the SCC terminal 1 belonging to the connection authentication VLAN transitions to the OS authentication VLAN when authenticated in terminal determination (FIG. 2: step S120 described later). When the SCC terminal 1 connected to the OS authentication VLAN is authenticated in OS authentication (FIG. 2: step S230 described later) and network connectivity verification (FIG. 2: step S240 described later), the business VLAN Transition to. Then, when the power supply of the SCC terminal 1 or the network disconnection occurs, the transition to the connection authentication VLAN is made again.

The SCC terminal 1 is a thin client, has no storage, is a terminal that starts an OS (Operation System) by mounting an OS image on the NW storage 6 using PXE (Preboot eXecution Envitoment) of existing SCC technology. is there. The SCC terminal 1 performs processing by use of an application or the like by a CPU (central processing unit) provided therein.
The VLAN-compatible switch 2 is a switch equivalent to layer 2 having a VLAN function compliant with IEEE (the Institute of Electrical and Electronic Engineers) 802.1Q, and is disposed at the end of the network, and within the same VLAN. Transfer data between nodes. The end of the network indicates a situation where a terminal is connected and there is no network (node) downstream from the terminal. The VLAN-compatible switch 2 has a function of remotely changing VLAN settings by SNMP (Simple Network Management Protocol). SNMP is a protocol for monitoring devices connected to a TCP / IP network via a network, which is defined by IETF (Internet Engineering Task Force) RFC (Request For Comments) 1157.
The VLAN control server 3 receives a VLAN setting change message, which is a request message for changing the VLAN setting, from an external server, and issues an SNMP for changing the VLAN setting of the VLAN switch 2 to which the terminal is connected. It has a function.

The DHCP server 4 includes only the DHCP server process from the existing SCC server in the prior art, and executes a general DHCP server process. In addition, the DHCP server 4 is configured to determine whether the terminal that has made the DHCP request is a pre-registered terminal or an SCC terminal, and the VLAN based on the result of the determination. And a function of transmitting a VLAN setting change message to the control server 3.
The SCC server 5 has the same function as an existing SCC server in the prior art. In addition, when the terminal requests OS authentication, the SCC server 5 performs authentication based on whether the OS activated on the SCC terminal 1 is an OS that is restricted in the use of a local storage such as a USB memory. And a function of inquiring a session with the SCC terminal 1 to the NW storage 6 and determining whether the OS activated on the SCC terminal 1 is loaded by the NW storage 6. Further, it has a function of transmitting a VLAN setting change message to the VLAN control server 3 based on the result of these authentications.
The NW storage 6 stores an OS (Operation System) image file (hereinafter “OS image”) used by the SCC terminal 1.
The file sharing server 7 is a server used for general file sharing, and stores information to be protected from information leakage.

Next, a processing procedure of the NW access control system according to this embodiment will be described.
FIG. 2 is a diagram showing a basic processing procedure of the NW access control system according to the present embodiment, and FIGS. 3 to 13 are diagrams showing the detailed processing procedure.
A connection authentication VLAN is allocated in advance to the connection destination switch port of the SCC terminal 1 in the VLAN compatible switch 2. Thus, when the SCC terminal 1 is turned on as a terminal connected to the network N, it is connected to the network N (FIG. 2: step S100). Subsequently, the SCC terminal 1 transmits to the DHCP server 4 a DHCP request (address request) for requesting parameters necessary for network boot, that is, activation and establishment of a connection to the network, such as an IP address and network settings. (FIG. 2: Step S110). Based on the DHCP request received from the SCC terminal 1, the DHCP server 4 confirms whether the MAC address of the requesting terminal is registered in advance and determines whether it is an SCC terminal (FIG. 2). : Step S120). To determine whether the terminal is an SCC terminal, the description of the PXE terminal included in the DHCP request is confirmed.

FIG. 3 is a diagram showing a detailed processing procedure of steps S110 and S120.
As shown in the figure, in step S110, the SCC terminal 1 transmits a DHCPREQUEST (or BOOTPREQUEST) message to the VLAN control server 3 as a DHCP request for PXE activation. In the Options (Vendor specific info) field of the DHCP (BOOTP) REQUEST message, “PXE Client” is described by “option code number 60 Class-identifier”. This DHCP (BOOTP) Options (Vendor specific info) is defined by IETF RFC2939 or the like.

  In step S120, in order to determine whether the DHCP server 4 may distribute the IP address to the DHCP request source terminal, the source MAC address set in the DHCP (BOOTP) REQUEST message is registered in advance in advance. Check if the MAC address is valid. If it is confirmed that the MAC address is valid, the PXE Client is set in the Options (Vendor specific info) field of the DHCP (BOOTP) REQUEST message to determine whether the terminal type of the DHCP requesting terminal is a PXE-activated SCC terminal. "" If the MAC address is not registered or is not an SCC terminal, the DHCP server 4 ends the process here.

  When the DHCP server 4 determines in step S120 that the DHCP request transmission source terminal is a pre-registered terminal and a PXE activated SCC terminal, the DHCP server 4 assigns the IP address assigned to the SCC terminal 1 and the network Parameters necessary for booting are notified to the SCC terminal 1 by a DHCP response (FIG. 2: step S130). Further, the DHCP server 4 creates a VLAN setting change message based on the result of the terminal determination in step S120, and transmits it to the VLAN control server 3 (FIG. 2: step S140).

  FIG. 4 shows the detailed processing procedure of step S140. When the DHCP server 4 determines in step S120 that the MAC address of the DHCP requesting terminal is an authorized SCC terminal registered in advance and is a PXE-activated SCC terminal, the DHCP server 4 Based on the IP address lease information, the MAC address and IP address information of the DHCP request source SCC terminal 1 is acquired, and a VLAN setting change message is generated (FIG. 4: step S141) and transmitted to the VLAN control server 3. (FIG. 4: Step S142). More specifically, the VLAN setting change message includes the terminal information including the IP address of the SCC terminal 1 and the MAC address information, and the VLAN including information of the VLAN NAME in which the name of the VLAN to be connected next is set. Information. The IP address assigned by the DHCP server 4 is set as the IP address of the SCC terminal 1, and the MAC address notified by the DHCP request is set as the MAC address of the SCC terminal 1. In the VLAN NAME, the name of the VLAN defined by the VLAN control server 3, that is, the name for connection terminal authentication / OS authentication / business use can be set. Here, “OS authentication” is set as the next connection destination. For "is set.

  The VLAN control server 3 creates an SNMP message for changing the VLAN setting of the switch port connected to the SCC terminal 1 to the OS authentication VLAN according to the VLAN setting change message received from the DHCP server 4. Is transmitted to the VLAN-compatible switch 2 to which is connected (FIG. 2: Step S150). The VLAN compatible switch 2 that has received the SNMP changes the VLAN setting of the connection port of the SCC terminal 1 to the OS authentication VLAN. The VLAN-compatible switch 2 and the switch port are identified by a response by transmitting SNMP to the VLAN-compatible switch 2 based on the MAC address of the SCC terminal 1 described in the VLAN setting change message. Details of this procedure will be described later.

  The SCC terminal 1 transmits a PXE request for making a network boot request to the SCC server 5 based on the parameters described in the DHCP response received in step S130 (FIG. 2: step S160). The SCC server 5 transmits a PXE response in which a location of a program file necessary for network boot, for example, a URL (Universal Resource Locator) is set, to the SCC terminal 1 (FIG. 2: step S170). The SCC terminal 1 performs a TFTP (Trivial File Transfer Protocol) connection with the SCC server 5 based on the information described in the received PXE response (FIG. 2: step S180). TFTP is a protocol for performing file transfer without performing verification using a user name or password. The SCC terminal 1 downloads a program file necessary for network boot, called NBP (Network Bootstrap Program), from the SCC server 5 by using TFTP (FIG. 2: step S190).

  The SCC terminal 1 executes the NBP downloaded from the SCC server 5, starts TCP / IP communication using the IP address assigned by the DHCP server 4, network settings, and the like, connects to the network N, and connects to the NW storage 6 To establish a session (FIG. 2: step S200). The SCC terminal 1 downloads the OS image in which the OS authentication service, which is an authentication service, is set from the NW storage 6 to the main memory (FIG. 2: step S210), and starts the downloaded OS on the main memory ( FIG. 2: Step S220). As a result, the OS authentication service is activated on the SCC terminal 1 and communicates with the SCC server 5 in order to authenticate whether the use of a local storage such as a USB memory is restricted (FIG. 2: step S230).

  FIG. 9 shows a detailed processing procedure in step S230. In the figure, the OS authentication service activated in the SCC terminal 1 checks whether the driver loaded in the SCC terminal 1 is restricted and the use of the local storage is restricted. Alternatively, when an application or the like that suppresses local storage is used, the operation status of the application is checked (FIG. 9: Step S231). Note that the local storage restriction method is arbitrary and is not specified here. The OS authentication service activated by the SCC terminal 1 connects to the SCC server 5 and encrypts and transmits the check result in step S231 (FIG. 9: step S232). The SCC server 5 decrypts the check result received from the OS authentication service of the SCC terminal 1, and confirms whether the use of local storage is restricted by the content of the decrypted check result (FIG. 9: Step S233).

  If the SCC server 5 determines that the use of local storage is restricted in the SCC terminal 1, the SCC server 5 checks whether the OS image downloaded from the NW storage 6 is activated by the SCC terminal 1 that has requested the OS authentication. (FIG. 2: Step S240). Therefore, the SCC server 5 inquires of the NW storage 6 about the session information and confirms whether the SCC terminal 1 has established a session with the NW storage 6.

FIG. 10 shows a detailed processing procedure in step S240. In the figure, the SCC server 5 authenticates that there is no problem in the authentication result based on the notification from the OS authentication service of the SCC terminal 1 received in step S230, that is, the local storage is restricted in the SCC terminal 1. In this case, it is further authenticated whether the OS activated on the SCC terminal 1 is camouflaged based on whether the OS of the SCC terminal 1 is activated based on the OS image supplied from the regular NW storage 6. Specifically, the SCC server 5 is connected to the NW storage 6 by Telnet or the like (FIG. 10: step S241), and session information that is connection information between the NW storage 6 and the SCC terminal 1 is set to the command “Volume select < Reference is made using “volume name> show connections” (FIG. 10: step S242). The SCC server 5 confirms whether or not the session information acquired from the NW storage 6 as a result of executing the command includes the IP address of the SCC terminal 1 as the OS authentication service connection source IP address (FIG. 10: Step S243). .
In addition to Telnet, the session information confirmation means includes a method using a dedicated API and a management tool.

The SCC server 5 creates a VLAN setting change message based on the result of the OS authentication in step S230 and the network connectivity verification in step S240, and transmits it to the VLAN control server 3 (FIG. 2: step S250).
FIG. 11 shows the detailed processing procedure of step S250. The SCC server 5 is set as the notification source of the check result received from the OS authentication service of the SCC terminal 1 in step S230 in the terminal information, and the IP address of the SCC terminal 1 that has been confirmed to establish a session in step S240. In the VLAN information, a VLAN NAME in which “business use” as a setting change destination is set is set, a VLAN change message is generated (FIG. 11: step S251), and transmitted to the VLAN control server 3 (FIG. 11: step). S252).

The VLAN control server 3 changes the VLAN setting of the switch port to which the SCC terminal 1 is connected according to the VLAN setting change message received from the SCC server 5 (FIG. 2: step S260). Details of this procedure will be described later. As a result, the SCC terminal 1 is connected to the business VLAN, and resources in the intranet can be used. The SCC terminal 1 can access a file in the file sharing server 7 and performs business processing.
By the above procedure, it is possible to eliminate the risk of information leakage and allow only the regular SCC terminal 1 to participate in the intranet.

Next, a detailed processing procedure in step S150 and step S260 of FIG. 2 will be described.
5 to 8, in step S150, the VLAN control server 3 identifies the VLAN-compatible switch 2 and switch port to which the SCC terminal 1 is connected using SNMP based on the description of the VLAN setting change message. A detailed procedure for setting the VLAN setting of the switch port to the OS authentication VLAN will be described.

  In FIG. 5, the VLAN control server 3 uniquely identifies a segment in the network as network configuration information in order to identify the subnet domain to be controlled so that a system can be constructed across a plurality of subnet domains. Segment information in which a segment ID to be associated with a network address (including subnet) included in the segment is held. The VLAN control server 3 searches the segment information using the IP address information described in the terminal information in the VLAN setting change message received in step S140 as a key, and specifies the segment ID (FIG. 5: step S151). .

  Subsequently, in FIG. 6, the VLAN control server 3 transmits an SNMP dot1dTpFdbPort to all the VLAN compatible switches 2 existing in the subnet domain to which the SCC terminal 1 is connected, and is connected to the VLAN compatible switch 2. The correspondence information of the MAC address of the existing terminal and the switch port in the VLAN compatible switch 2 is acquired. The VLAN control server 3 identifies the VLAN compatible switch 2 and the switch port of the SCC terminal 1 from the acquired correspondence information. Note that dot1dTpFdbPort is defined by IETF RFC1213 or the like. Specifically, it operates as follows.

  The VLAN control server 3 holds, as network configuration information, a segment ID, a switch ID for specifying a switch in the segment, and switch information in which the IP address of the switch is associated. The VLAN control server 3 searches the switch information using the segment ID acquired in step S151 as a key, and acquires all the switch IDs and addresses of the VLAN-compatible switch 2 existing in the segment to which the SCC terminal 1 is connected. . Then, using this acquired information, an SNMP get, which is an SNMP message in which dot1dTpFdbPort is set, is transmitted to all VLAN-compatible switches 2 in the segment to which the SCC terminal 1 is connected (FIG. 6: steps S152 and S153). ). In the dot1dTpFdbPort transmitted to each VLAN-compatible switch 2, the OID (Object Identifier) of dot1dTpFdbPort and the switch IP address of the VLAN-compatible switch 2 acquired from the switch information are set as search keys.

  When the VLAN switch 2 receives the dot1dTpFdbPort SNMP message from the VLAN control server 3, it returns an SNMP Response notifying the set of the MAC address and switch port number of the terminal connected to the VLAN control server 3 ( FIG. 6: Step S154). When the VLAN control server 3 receives the response result for dot1dTpFdbPort by SNMP Response from the VLAN switch 2, it sets the MAC address and switch port information indicated in the response result and the VLAN setting change message received in step S140. The switch port corresponding to the MAC address of the SCC terminal 1 is specified by comparing with the MAC address of the SCC terminal 1 that has been set (step S155 in FIG. 6).

  When the switch port to which the SCC terminal 1 is connected can be specified, in FIG. 7, the VLAN control server 3 adds the IP address and MAC address of the SCC terminal 1 to the terminal information held as the network configuration information, and the SCC terminal. The switch ID and switch port information of the VLAN-compatible switch 2 of the connection destination of 1 are registered (FIG. 6: Step S156). The MAC address and IP address of the SCC terminal 1 are obtained from the VLAN setting change message received from the DHCP server 4 in step S140 (FIG. 2). The switch ID is the switch ID of the VLAN-compatible switch 2 that is the transmission source of the SNMP Response that can acquire the switch port number corresponding to the MAC address of the SCC terminal 1 in step S155. The switch port is the switch port number acquired from SNMP Response in step S155.

In FIG. 8, the VLAN control server 3 receives the VLAN setting change message received in step S140 (FIG. 2) for the VLAN corresponding to the VLAN compatible switch 2 to which the SCC terminal 1 is connected. An SNMP message for changing to the VLAN described in (1) is transmitted.
The VLAN control server 3 holds VLAN information in which VLAN NAME and VLAN ID are associated as network configuration information. The VLAN control server 3 acquires a VLAN ID corresponding to the VLAN NAME “for OS authentication” set in the VLAN information in the VLAN setting change message from the VLAN information. Then, an SNMP set that is an SNMP message for changing the VLAN setting of the switch port to “for OS authentication” is generated (FIG. 8: step S157) and transmitted to the VLAN compatible switch 2 to which the SCC terminal 1 is connected. (FIG. 8: Step S158). The SNMP set includes an IP address (switch IP address) of the VLAN switch 2, an OID whose VLAN setting is to be changed, a switch port identified in step S 155 (FIG. 6), and a VLAN corresponding to the “OS authentication” VLAN. An ID is set. The VLAN-compatible switch 2 that has received the SNMP set changes the VLAN setting of the switch port of the SCC terminal 1 to the “OS authentication” VLAN, and returns an SNMP Response (step S159).

Next, the detailed procedure in step S260 will be described.
12 and 13, in step S260, the VLAN control server 3 specifies the connection destination switch and the switch port of the SCC terminal 1 using SNMP based on the description of the VLAN setting change message. A detailed procedure for setting the VLAN setting of the port to the business VLAN will be described.

  In FIG. 12, the VLAN control server 3 receives the IP address information described in the terminal information in the VLAN setting change message received in step S250 (FIG. 2), the network configuration information stored therein, Based on the above, the network to which the SCC terminal 1 is connected is specified. That is, the VLAN control server 3 searches the terminal information of the network configuration information held by itself using the IP address set in the terminal information in the VLAN setting change message as a key, and the SCC terminal 1 is connected. The connection destination switch ID and switch port of the VLAN switch 2 are specified (FIG. 12: Step S261).

  Subsequently, in FIG. 13, the VLAN control server 3 uses the VLAN information set in the VLAN setting change message received in step S250 (FIG. 2) from the VLAN information of the network configuration information held therein. The VLAN ID corresponding to the NAME “business use” is acquired. The VLAN control server 3 generates an SNMP set that is an SNMP message for changing the VLAN of the connection destination switch port of the SCC terminal 1 to the business VLAN (FIG. 13: step S262), and the SCC terminal 1 is connected. Is transmitted to the VLAN-compatible switch 2 (FIG. 13: step S263). The SNMP set includes the IP address (switch IP address) of the VLAN switch 2, the OID whose VLAN setting is to be changed, the switch port to which the SCC terminal 1 is connected, and the VLNA ID corresponding to the “business” VLAN. Is set. The VLAN switch 2 that has received the SNMP set returns an SNMP Response when the VLAN setting of the switch port of the SCC terminal 1 is changed to the “business use” VLAN (FIG. 13: step S264).

According to the above-described embodiment, when a terminal that is a thin client is connected to the network, it is determined that the connection source terminal is an SCC terminal by a DHCP request message even before the OS is started in the terminal. It is possible to realize network access control according to the type.
In addition, after starting the OS, authentication is performed based on whether or not the use of local storage such as a USB memory is restricted, the session with the network storage is confirmed, and access to the network is controlled again, thereby restricting the use of local storage. Only authorized regular SCC terminals can be connected to the intranet.
In addition, unlike the screen transfer type thin client in which the calculation is performed by the server CPU, in the SCC terminal in the network boot type thin client environment, the OS authentication processing is performed in the CPU of the client PC, so the OS authentication is performed. However, there is a threat that a key used for OS authentication is eavesdropped or a service is copied due to memory eavesdropping or application analysis. However, in this embodiment, this threat can also be avoided by performing network connectivity verification together.

  The VLAN-compatible switch 2, the VLAN control server 3, the DHCP server 4, the SCC server 5, the NW storage 6, and the file sharing server 7 have a computer system inside. The operation processes of the VLAN-compatible switch 2, the VLAN control server 3, the DHCP server 4, the SCC server 5, the NW storage 6, and the file sharing server 7 are stored in a computer-readable recording medium in the form of a program. The computer system reads out and executes this program, and the above processing is performed. The computer system here includes a CPU, various memories, an OS, and hardware such as peripheral devices.

Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW system is used.
The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. Furthermore, the “computer-readable recording medium” dynamically holds a program for a short time like a communication line when transmitting a program via a network such as the Internet or a communication line such as a telephone line. In this case, a volatile memory in a computer system serving as a server or a client in that case, and a program that holds a program for a certain period of time are also included. The program may be a program for realizing a part of the functions described above, and may be a program capable of realizing the functions described above in combination with a program already recorded in a computer system.

1 is a system configuration diagram of a network access control system according to an embodiment of the present invention. It is a figure which shows the operation | movement procedure of the network access control system shown in FIG. It is a figure which shows the detailed operation | movement procedure of FIG. It is a figure which shows the detailed operation | movement procedure of FIG. It is a figure which shows the detailed operation | movement procedure of FIG. It is a figure which shows the detailed operation | movement procedure of FIG. It is a figure which shows the detailed operation | movement procedure of FIG. It is a figure which shows the detailed operation | movement procedure of FIG. It is a figure which shows the detailed operation | movement procedure of FIG. It is a figure which shows the detailed operation | movement procedure of FIG. It is a figure which shows the detailed operation | movement procedure of FIG. It is a figure which shows the detailed operation | movement procedure of FIG. It is a figure which shows the detailed operation | movement procedure of FIG. It is a figure which shows the transition conditions of VLAN. It is a figure for demonstrating the conventional SCC technique. It is a figure which shows the OS starting procedure of the conventional SCC terminal.

Explanation of symbols

1 ... SCC terminal (terminal)
2 ... VLAN-compatible switch 3 ... VLAN control server (connection control device)
4 ... DHCP server (address assignment device)
5 ... SCC server (terminal system authentication device)
6 ... NW (network) storage 7 ... File sharing server

Claims (8)

A connection control device that is connected to the end of the network, can form a connection group that is a logical network different from the physical configuration, and controls data transfer between nodes belonging to the same connection group; and the network A network access control system comprising an address assignment device belonging to the first connection group, a terminal system authentication device belonging to the second connection group of the network, and a network storage.
The terminal connected to the network is
An address request unit configured to transmit an address request in which its own physical address and terminal type are set to the address assigning device, and in response to the address request, receive address information assigned to itself in the network;
Network boot program acquisition means for accessing the terminal system authentication device and acquiring a program necessary for network boot;
A connection establishment unit that executes the program acquired by the network boot program acquisition unit and establishes a connection with the network using the address information received by the address request unit;
An operation system image acquisition unit that establishes a session with the network storage using the connection established by the connection establishment unit and acquires an image file of an operation system including a check function of a local storage;
The operation system is activated by the image file acquired by the operation system image acquisition means, and includes a notification means for checking whether the local storage is restricted in use and notifying the terminal system authentication device of information on the check result,
The address assigning device is:
An address request is received from the terminal belonging to the first connection group, the physical address set in the received address request is a physical address that is permitted in advance, and the terminal type set in the address request is Terminal authentication means for performing authentication depending on whether the client is a thin client without local storage,
When authentication by the terminal authentication means is successful, an address in the network is allocated and notified to the terminal, and a connection group setting change message for changing the connection group to which the terminal belongs to a second connection group An address assignment means for transmitting to the connection control device,
The terminal system authentication device is
A network boot program transmitting means for receiving access from the terminal changed to the second connection group and transmitting a program necessary for network boot;
System authentication means for receiving information on the result of checking whether or not the local storage is restricted from the terminal, and performing authentication depending on whether or not the local storage is restricted.
A connection group changing unit for transmitting a connection group setting change message for changing the connection group to which the terminal belongs to a third connection group in the network to the connection control device when the authentication by the system authentication unit is successful; With
The connection control device includes:
A connection control unit configured to receive a connection group setting change message from the address assignment device or the terminal system authentication device, and to control to change the connection group to which the terminal belongs to a connection group to be changed indicated by the connection group setting change message; ,
A network access control system characterized by the above. The system authentication means further performs authentication depending on whether a session is established between the terminal that is a transmission source of the information on the check result and the network storage.
The network access control system according to claim 1. A connection control device that is connected to the end of the network, can form a connection group that is a logical network different from the physical configuration, and controls data transfer between nodes belonging to the same connection group; and the network A terminal for connecting to the network of a network access control system comprising an address assignment device belonging to the first connection group, a terminal system authentication device belonging to the second connection group of the network, and a network storage,
The physical address of itself, and transmits an address request sets the terminal type indicating the thin client that does not have local storage to the address allocation device, the terminal authentication unit of the address assignment unit, to the address request Authentication by the set physical address and the terminal type succeeds, and the address assignment unit of the address assigning device transmits a connection group setting change message to the connection control device, and the connection group to which the terminal belongs is set to the second the assigned to the terminal when changing to the connection group, the address request means for receiving the information you Keru address to the network,
Network boot program acquisition means for accessing the terminal system authentication device and acquiring a program necessary for network boot;
A connection establishment unit that executes the program acquired by the network boot program acquisition unit and establishes a connection with the network using the address information received by the address request unit;
An operation system image acquisition unit that establishes a session with the network storage using the connection established by the connection establishment unit and acquires an image file of an operation system including a check function of a local storage;
A notification means for starting the operation system with the image file acquired by the operation system image acquisition means, checking whether the local storage is restricted in use, and notifying the terminal system authentication device of information on the check result;
A terminal comprising: A connection control device that is connected to the end of the network, can form a connection group that is a logical network different from the physical configuration, and controls data transfer between nodes belonging to the same connection group; and the network The address assignment device in a network access control system comprising an address assignment device belonging to the first connection group, a terminal system authentication device and a network storage belonging to the second connection group of the network,
An address request is received from a terminal that belongs to the first connection group and is connected to the network, and the physical address of the terminal set in the received address request is a previously permitted physical address, and the address request A terminal authentication means for performing authentication based on whether the terminal type set in FIG. 4 indicates that the terminal type is a thin client having no local storage;
When authentication by the terminal authentication means is successful, an address in the network is allocated and notified to the terminal, and a connection group setting change message for changing the connection group to which the terminal belongs to a second connection group Address allocation means for transmitting to the connection control device;
An address assigning device comprising: A connection control device that is connected to the end of the network, can form a connection group that is a logical network different from the physical configuration, and controls data transfer between nodes belonging to the same connection group; and the network The terminal system authentication device in a network access control system comprising an address assignment device belonging to the first connection group, a terminal system authentication device belonging to the second connection group of the network, and a network storage,
A network boot program transmitting means for receiving access from a terminal connected to the network, changed from the first connection group to the second connection group, and transmitting a program necessary for network boot;
Receives information on the result of checking whether the local storage is restricted from use from the terminal, authenticates whether the local storage is restricted, and performs a session between the terminal and the network storage. System authentication means for performing authentication depending on whether or not is established;
A connection group changing unit for transmitting a connection group setting change message for changing the connection group to which the terminal belongs to a third connection group in the network to the connection control device when the authentication by the system authentication unit is successful; ,
A terminal system authentication device comprising: A connection control device that is connected to the end of the network, can form a connection group that is a logical network different from the physical configuration, and controls data transfer between nodes belonging to the same connection group; and the network A network access control method in a network access control system comprising an address assignment device belonging to the first connection group, a terminal system authentication device belonging to the second connection group of the network, and a network storage,
A terminal belonging to the first connection group and connected to the network is
Transmitting an address request that sets its own physical address and terminal type to the address assigning device;
The addressing device is
A thin client that receives an address request from the terminal, the physical address set in the received address request is a physical address that has been previously permitted, and the terminal type set in the address request has no local storage Authenticating depending on whether or not
When authentication is successful, an address in the network is assigned and notified to the terminal, and a connection group setting change message for changing the connection group to which the terminal belongs to the second connection group is transmitted to the connection control apparatus. And steps to
The connection control device
Receiving a connection group setting change message from the address assignment device, and changing the connection group to which the terminal belongs to a second connection group;
The terminal is
Receiving information on addresses assigned to the network in the network;
The terminal system authentication device is
Receiving access from the terminal and transmitting a program necessary for network boot;
The terminal is
Executing the program received from the terminal system authenticating device and establishing a connection with the network using the address information received from the address assigning device;
Establishing a session with the network storage using the established connection and obtaining an image file of the operation system including a local storage check function;
Starting the operation system with the acquired image file, checking whether the local storage is restricted in use, and notifying the terminal system authentication device of the information of the check result;
The terminal system authentication device is
Receives information on the result of checking whether the local storage is restricted from use from the terminal, authenticates whether the local storage is restricted, and performs a session between the terminal and the network storage. Authenticating depending on whether or not
Transmitting a connection group setting change message for changing the connection group to which the terminal belongs to a third connection group in the network to the connection control device when the authentication is successful;
The connection control device
Receiving a connection group setting change message from the terminal system authentication device, and controlling to change the connection group to which the terminal belongs to a third connection group;
A network access control method comprising: A connection control device that is connected to the end of the network, can form a connection group that is a logical network different from the physical configuration, and controls data transfer between nodes belonging to the same connection group; and the network A computer used for the address assignment device in a network access control system comprising: an address assignment device belonging to the first connection group; a terminal system authentication device belonging to the second connection group of the network; and a network storage.
An address request is received from a terminal that belongs to the first connection group and is connected to the network, and the physical address of the terminal set in the received address request is a previously permitted physical address, and the address request A terminal authentication means for performing authentication depending on whether the terminal type set in is a thin client having no local storage,
When authentication by the terminal authentication means is successful, an address in the network is allocated and notified to the terminal, and a connection group setting change message for changing the connection group to which the terminal belongs to a second connection group Address allocation means for transmitting to the connection control device;
A computer program that functions as a computer program. A connection control device that is connected to the end of the network, can form a connection group that is a logical network different from the physical configuration, and controls data transfer between nodes belonging to the same connection group; and the network A computer used as the terminal system authentication device in a network access control system comprising: an address assignment device belonging to the first connection group; a terminal system authentication device belonging to the second connection group of the network; and a network storage.
A network boot program transmitting means for receiving access from a terminal connected to the network, changed from the first connection group to the second connection group, and transmitting a program necessary for network boot;
Receives information on the result of checking whether the local storage is restricted from use from the terminal, authenticates whether the local storage is restricted, and performs a session between the terminal and the network storage. System authentication means for performing authentication based on whether or not
A connection group changing means for transmitting a connection group setting change message for changing the connection group to which the terminal belongs to a third connection group in the network to the connection control device when authentication by the system authentication means is successful;
A computer program that functions as a computer program.

Images