JP5178871B2 - Client equipment and system - Google Patents

Description

The present invention relates to a client device and a system for controlling access to the web by a user.

  In recent years, it has become possible for anyone to easily acquire and send all kinds of information through the Internet using an information processing apparatus such as a computer. On the other hand, in addition to private Internet use within the company, for example, browsing private websites during work, computer virus infections due to malicious website browsing, leaking confidential information, etc. It has become.

  In order to solve such a problem, for example, the following method may be used.

  First, a server device (filtering server) that performs filtering, such as a proxy server, is installed on a network to which a client device used by a user is connected, and the client device communicates with the Internet via this filtering server. By configuring, it is a method of restricting access from the client device to the Internet.

  The second is a method of restricting access from the client device to the Internet by introducing an application for restricting access to the client device used by the user.

JP 2002-073548 A JP 2004-110806 A

  However, in the first method, the range in which access can be restricted is limited to only client devices connected to the same network where the filtering server is installed, and can be connected to another network. Access cannot be restricted for existing client devices.

  Here, the same network refers to a network within the same subnet mask.

In the second method, since the application for restricting access operates on the OS (operating system) of the client device, the user himself can intentionally stop the application of the client device, and the access is not always necessary. There is no guarantee that restrictions will be enforced.

The present invention has been made in view of the above circumstances, and an object thereof is to provide a client device and a system that realizes access control independent of a network environment, an OS, an application, and the like.

A client device according to an aspect of the present invention is a client device on which a virtual machine monitor (VMM) is mounted. The virtual machine monitor includes a predetermined value via the Internet when communication is established after the virtual machine monitor is activated. An IP address for accessing the server device, and at least a URI in the HTTP packet subject to access restriction or access permission from the server device, whether or not there is a GET request restriction on the URI, and the URI A filtering rule acquisition function unit that acquires information on a filtering rule indicating whether or not there is a restriction on a POST request for the virtual machine monitor, and stores the information in a predetermined storage medium in the virtual machine monitor; and a temporary storage unit that temporarily stores the acquired filtering rule; , Said Claire A first discrimination function unit for discriminating whether or not a packet issued from a virtual machine of the second node corresponds to an HTTP request packet, and the HTTP request when the discrimination result of the first discrimination function unit indicates A host name, a request URI, and a request method for the URI are acquired from the HTTP command of the packet, and a character string obtained by combining the acquired host name and the request URI is subject to access restriction or access permission according to the filtering rule. A second determination function unit for determining whether or not the corresponding URI is present, and when the determination result of the second determination function unit indicates that the acquired request method indicates that the filtering rule accesses the URI Third to determine whether the request method is subject to restriction A discrimination function unit including a discrimination function unit; and if the filtering rule sets an access restriction, discarding the HTTP request packet when the discrimination result of the third discrimination function unit indicates appropriate; A packet discard function unit that discards the HTTP request packet when the determination result of the third determination function unit indicates non-applicability when the filtering rule sets access permission; .

A system according to another aspect of the present invention includes a filtering rule management server for managing filtering rules and a client device incorporating a virtual machine monitor, wherein the filtering management server is configured to restrict access or access by the client device. Information on the HTTP URI to be permitted, whether there is a restriction on the GET request for the URI, and filtering rule information indicating whether there is a restriction on the POST request for the URI are stored, and the virtual machine monitor of the client device After starting, when establishing communication, the IP address for accessing the filtering management server via the Internet is stored, and the filtering rule stored in the filtering management server A filtering rule acquisition function unit that acquires information, a temporary storage unit that temporarily stores the acquired filtering rule in a storage medium in the virtual machine monitor, and a packet issued from the virtual machine of the client device is an HTTP request packet A first discriminating function unit for discriminating whether or not it corresponds, and when the discrimination result of the first discriminating function unit indicates that the host name, the request URI, and the URI from the HTTP command of the HTTP request packet A second method for determining whether or not a character string obtained by combining the acquired host name and request URI corresponds to a URI that is subject to access restriction or access permission according to the filtering rule. The discrimination function unit and the discrimination result of the second discrimination function unit indicate that A determination function unit including a third determination function unit that determines whether the acquired request method corresponds to a request method for which the filtering rule is subject to access restriction or access permission for the URI; And a packet discard function unit for discarding the HTTP request packet when the determination result of the third determination function unit indicates that it corresponds .

ADVANTAGE OF THE INVENTION According to this invention, the client apparatus and system which implement | achieve access control independent of a network environment, OS, an application, etc. can be provided.

1 is a schematic diagram illustrating an example of a communication system to which an access control method according to an embodiment of the present invention is applied. The figure which shows an example of a structure of the information of a filtering rule. The block diagram which shows an example of a function structure of a client. The block diagram which shows an example of a function structure of a server. The flowchart which shows an example of the operation | movement by the program for access control incorporated in VMM of the client.

  Embodiments of the present invention will be described below with reference to the drawings.

  In this embodiment, for convenience, the server device is referred to as a “server” and the client device is referred to as a “client”.

  FIG. 1 is a schematic diagram illustrating an example of a communication system to which an access control method according to an embodiment of the present invention is applied.

  In the communication system shown in FIG. 1, a filtering management server (computer) 1, a client (computer) 10, a server (computer) 101 subject to access restriction, and a server not subject to access restriction, which can be connected through the Internet N. (Computer) 102 exists. In FIG. 1, only one server 101 that is an access restriction target and one server 102 that is not an access restriction target are illustrated, but actually there are a plurality of each. Although only one client 10 is shown, there are actually a plurality of clients 10.

  The filtering management server 1 stores a URI (Uniform Resource Identifier) and a request method in an HTTP (Hypertext Transfer Protocol) packet, which is an access restriction target when the client 10 accesses a Web site, which is a resource on the Web. The filtering rule information (hereinafter referred to as “filtering rule FR”) is stored. The filtering rule FR indicates at least a URI subject to access restriction, whether or not there is a GET request restriction on the URI, and whether or not there is a POST request restriction on the URI.

  More specifically, the filtering rule FR has information as shown in FIG.

  That is, as a setting item, there is “URI” subject to access restriction, and “http: //...” Or the like is registered as the setting content of “URI”. Here, for example, the URI of the server 101 subject to access restriction is registered, while the URI of the server 102 not subject to access restriction is not registered.

  In addition, “GET request restriction” and “POST request restriction” are prepared as setting items so that it is possible to set whether to allow or prohibit a request for each request method for the “URI” subject to the access restriction. ing. Although an example in which only two types of request methods can be set is shown here, there may be setting items other than the request method. As a setting content of “GET request restriction”, a true / false value indicating “True” (true) or “False” (false) is registered in order to designate permission or prohibition of the request method “GET”. Similarly, in the setting contents of “POST request restriction”, a true / false value indicating “True” (true) or “False” (false) is registered in order to specify permission or prohibition of the request method “POST”. . This makes it possible to prohibit both GET requests and POST requests, or to prohibit only one of GET requests and POST requests.

  The client 10 includes a network interface card (NIC) 20, a virtual machine monitor (VMM) 30, a guest OS 40, and an application 50.

  The NIC 20 is a card that implements a communication interface for the client 10 to connect to the Internet N.

  The VMM 30 is a virtual machine monitor, and is software for virtualizing a computer so that a plurality of different virtual machines can be executed in parallel. The operation does not depend on the network environment of the client, the OS, the application, or the like. The VMM 30 includes a temporary storage unit 31, a filtering rule acquisition function 32, a determination function 33, and a packet discard function 34, which will be described in detail later.

  The filtering rule acquisition function 32, the determination function 33, and the packet discard function 34 constitute an access control function module 60. The access control function module 60 is a program incorporated in the VMM 30 in order to realize an access control function. That is, the access control function module 60 is an access control program for causing the VMM 30 to implement the filtering rule acquisition function 32, the determination function 33, and the packet discard function 34 in the computer.

  The temporary storage unit 31 stores a filtering rule FR acquired from the filtering rule management server 1 via the Internet N when the client 10 is activated, and is realized using a RAM or the like.

  The guest OS 40 controls the operation of the client 10 in an integrated manner, is monitored by the VMM 30, and makes various requests to the VMM 30, including requests for accessing resources on the Web.

  The application 50 is software such as Internet browsing software used by the user.

  FIG. 3 is a block diagram illustrating an example of a functional configuration of the client 10. In addition, the same code | symbol is attached | subjected to the element which is common in FIG.

  As described above, the client 10 includes the NIC 20, the VMM 30, and the guest OS 40. The VMM 30 includes the temporary storage unit 31, the filtering rule acquisition function 32, the determination function 33, and the packet discard function 34, and filtering. The rule acquisition function 32, the discrimination function 33, and the packet discard function 34 constitute an access control function module 60.

  The temporary storage unit 31 temporarily stores the filtering rule FR acquired from the filtering rule management server 1 via the Internet 20 via the NIC 20 by the filtering rule acquisition function 32 when the client 10 is activated, and is stored here. The filtering rule FR is used to realize an access control function during the operation of the client 10. This filtering rule FR is deleted when the client 10 is shut down.

  Further, the IP address of the management server is set in advance in the filtering rule acquisition function 32 of the client 10.

  When the client 10 is activated, the filtering rule acquisition function 32 accesses the filtering management server 1 via the Internet N. From the filtering management server 1, a filtering rule FR indicating a URI and a request method subject to access restriction is obtained. This is a function for acquiring and storing the temporary storage unit 31 in the client 10.

  The discrimination function 33 monitors a packet issued from the guest OS 40. When the packet is an HTTP request packet, the URI and the request method indicated by the HTTP command of the packet are determined according to the filtering rule FR on the temporary storage unit 31. This is a function for determining whether or not the URI and the request method are subject to access restriction.

  More specifically, the determination function 33 determines whether the packet issued from the guest OS corresponds to the HTTP request packet and the determination result of the first determination function. The host name, the request URI, and the request method for the URI are obtained from the HTTP command of the HTTP request packet, and the character string obtained by combining the acquired host name and the request URI is subjected to access restriction by the filtering rule FR. When the second determination function for determining whether or not the corresponding URI is applicable, and the determination result of the second determination function indicates the corresponding, the acquired request method indicates that the filtering rule FR is the URI To determine whether the request method is subject to access restriction And a discrimination function.

  The packet discard function 34 is a function for discarding a packet having a URI and a request method that are subject to access restriction by the filtering rule FR on the temporary storage unit 31.

  FIG. 4 is a block diagram illustrating an example of a functional configuration of the filtering rule management server 1. In addition, the same code | symbol is attached | subjected to the element which is common in FIG.

  The filtering rule management server 1 includes a NIC 11, an OS 12, a web server 13, and a storage unit 14.

  The NIC 11 is a card that implements a communication interface for the filtering rule management server 1 to connect to the Internet N.

  The OS 12 is a normal operating system installed in the filtering rule management server 1.

  The Web server 13 manages the filtering rule FR stored in the storage unit 14, receives a filtering rule acquisition request from the client 10 via the OS 12, and stores the filtering rule FR stored in the storage unit 14 as the client 10. Send to.

  The storage unit 14 stores the filtering rule FR. This filtering rule FR can be updated only by a specific administrator.

  Next, an example of the operation by the access control function module 60 will be described with reference to the flowchart of FIG.

  When the client 10 is activated, after the communication is established, the filtering rule acquisition function 32 connects to the Internet N through the NIC 20, accesses the filtering management server 1 (step S11), and acquires the filtering rule FR from the filtering management server 1. This is temporarily stored in the temporary storage unit 31 (step S12).

  Next, the determination function 33 monitors a packet issued from the guest OS 40 and waits until a packet is received from the guest OS 40 (step S13).

  When receiving a packet from the guest OS 40, the determination function 33 determines whether the packet is an HTTP request packet (step S14). If the packet is not an HTTP request packet (NO in step S14), the packet discard function 34 passes the packet (step S21).

  On the other hand, if the packet is an HTTP request packet (YES in step S14), the determination function 33 acquires the host name, request URI, and request method from the HTTP command of the packet (step S15), and acquires the acquired host name. And whether the character string obtained by combining the request URI matches one of the URIs indicated in the filtering rule FR on the temporary storage unit 31 (step S16). If the character string does not match any URI (NO in step S16), the packet discard function 34 passes the packet (step S21).

  On the other hand, if the character string matches any URI indicated in the filtering rule FR (YES in step S16), the determination function 33 determines whether the acquired request method is “GET” or “POST”. It is determined whether there is any (steps S17 and S18). When the request method is neither “GET” nor “POST” (NO in step S17, NO in step S18), the packet discard function 34 passes the packet (step S21).

  On the other hand, when the acquired request method is “GET” (YES in step S17), the determination function 33 determines whether or not the GET request restriction corresponding to the URI on the filtering rule FR indicates “true”. (Step S19). Here, when “false” is indicated instead of “true” (NO in step S19), the packet discard function 34 passes the packet (step S21). On the other hand, if “true” is indicated (YES in step S19), the packet discard function 34 discards the packet (step S22). Thereafter, the processing from step S14 is repeated.

  When the acquired request method is “POST” (YES in step S18), the determination function 33 determines whether the POST request restriction corresponding to the URI on the filtering rule FR indicates “true”. (Step S20). If “false” is indicated instead of “true” (NO in step S20), the packet discard function 34 passes the packet (step S21). On the other hand, when “true” is indicated (YES in step S20), the packet discard function 34 discards the packet (step S22). Thereafter, the processing from step S14 is repeated.

  As described above, according to the above-described embodiment, the VMM in which the access control function module is incorporated and the IP address of the management server is set is installed in each client device. By implementing access control using, you can easily realize a robust and robust access control function that does not depend on the network environment, OS, applications, etc., and prevent users from accessing inappropriate resources be able to. In addition to this, it is possible to prevent private use of the Internet within the company, such as browsing private sites, computer virus infections due to malicious site browsing, and leakage of confidential information. It becomes.

  The effects of the above embodiment are classified as follows.

(1) Reduces the burden on the administrator Since the access control function is incorporated as a function (module) of the VMM of the client device, the user is not aware of the application or system and is necessary for access restriction. Since the access control function module communicates with the filtering rule management server and acquires the filtering rules, it is not necessary to perform individual settings for each client, and the burden on the administrator can be reduced.

(2) Network-independent There is no need to install a filtering server that restricts access on the network, and the access control function is incorporated as a function (module) of the VMM in the client, so it does not depend on the network. Access restrictions can be realized.

(3) There is no need to introduce an application that restricts access and does not depend on the OS or application, and the access control function is incorporated as a function (module) of the VMM in the client, so it does not depend on the OS or application. Access restrictions can be realized.

(4) Not operated by the user As described above, it is not necessary to introduce an application or the like that restricts access, and the access control function is incorporated as a function (module) of the VMM in the client. Operation such as stopping the access control function is not performed, and high security can be maintained.

  In the above embodiment, the filtering rule FR has been described as indicating the URI and request method subject to “access restriction”, but instead, this filtering rule FR is designated as the URI and request subject to “access permission”. It may be configured to indicate a method.

  In this case, the discrimination function 33 monitors a packet issued from the guest OS 40. If the packet is an HTTP request packet, the URI and the request method indicated by the HTTP command of the packet are filtered on the temporary storage unit 31. It is determined whether or not the rule FR corresponds to the URI and request method that are the targets of “access permission”. In addition, when a packet having a URI and a request method whose filtering rule FR on the temporary storage unit 31 is the target of “access permission” is detected, the packet discard function 34 allows the packet to pass, and the other packets Shall be discarded.

  The present invention is not limited to the above-described embodiments as they are, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. In addition, various inventions can be formed by appropriately combining a plurality of components disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, constituent elements over different embodiments may be appropriately combined.

DESCRIPTION OF SYMBOLS 1 ... Filtering management server, 10 ... Client, 11 ... NIC, 12 ... OS, 13 ... Web server, 14 ... Storage part, 20 ... NIC, 30 ... VMM, 31 ... Temporary storage part, 32 ... Filtering rule acquisition function, 33 ... Discrimination function 34 ... Packet discard function 40 ... Guest OS 50 ... Application 60 ... Access control function module 101 ... Access restriction target server 102 ... Access restriction target server
FR: Filtering rules, N: Internet.

Claims (2)

A client device equipped with a virtual machine monitor (VMM) ,
The virtual machine monitor stores an IP address for accessing a predetermined server device via the Internet when communication is established after the virtual machine monitor is started , and at least access restriction or access permission from the server device. of the gET request to URI and the URI in the subject to the HTTP packet limits presence, and the URI of filtering rules indicating the presence or absence of restriction of the POST request for information to the virtual machine monitor of a given in obtaining A filtering rule acquisition function unit to be stored in a storage medium;
A temporary storage unit for temporarily storing the acquired filtering rules;
A first determination function unit for determining whether or not a packet issued from the virtual machine of the client corresponds to an HTTP request packet; and when the determination result of the first determination function unit indicates corresponding, the HTTP The host name, request URI, and request method for the URI are acquired from the HTTP command of the request packet, and the character string obtained by combining the acquired host name and request URI is subject to access restriction or access permission according to the filtering rule. A second discriminating function unit that discriminates whether or not the corresponding URI is applicable, and the determination result of the second discriminating function unit indicates that the acquired request method indicates that the filtering rule is related to the URI whether or not corresponding to the request method that is the subject of access restrictions A discrimination unit that includes a third discrimination unit to another,
When the filtering rule sets access restriction, when the determination result of the third determination function unit indicates that it is applicable, the HTTP request packet is discarded, and the filtering rule sets access permission client device, wherein the determination result of the third discrimination unit is to indicate not applicable, and a packet discarding function unit that discards the HTTP request packet. A system comprising a filtering rule management server for managing filtering rules and a client device incorporating a virtual machine monitor,
The filtering management server stores the URI on the HTTP subject to the access restriction or access permission by the client device, the presence or absence of the GET request restriction on the URI, and the filtering rule information indicating the presence or absence of the POST request restriction on the URI. And
The virtual machine monitor of the client device stores an IP address for accessing the filtering management server via the Internet when the communication is established after the activation, and information on the filtering rule stored in the filtering management server A filtering rule acquisition function unit that acquires the temporary filtering unit that temporarily stores the acquired filtering rule in a storage medium in the virtual machine monitor, and a packet issued from the virtual machine of the client device corresponds to an HTTP request packet A first discrimination function unit for discriminating whether or not to perform, and when the discrimination result of the first discrimination function unit indicates that the host name, the request URI, and the URI from the HTTP command of the HTTP request packet Get request method A second determination function unit for determining whether a character string obtained by combining the acquired host name and the request URI corresponds to a URI that is subject to access restriction or access permission according to the filtering rule; When the determination result of the second determination function unit indicates that the request method is acquired, it is determined whether the acquired request method corresponds to a request method for which the filtering rule is subject to access restriction or access permission for the URI. A discriminating function unit comprising three discriminating function units;
A system comprising: a packet discard function unit that discards the HTTP request packet when the determination result of the third determination function unit indicates that it corresponds.

Images