JPH11308272A - Packet communication control system and packet communication controller - Google Patents

Abstract

PROBLEM TO BE SOLVED: To generate filtering rules in response to the access authority. SOLUTION: The system is provided with a user database 7 where access rang information of each user is in cross reference with user identification information and an IP address corresponding to one client to two users is in cross reference with the user identification information, a filtering rule generating means 8 that references the user database 7 to generate filtering rule information to control propriety of passing of a packet sent to a network based on a corresponding access range information based on the user identification information on an access request from the user to the network, and a filtering processing means 12 that controls the propriety of passing of the packet sent by the user by using the filtering rule information generated by the filtering rule generating means 8.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a packet communication control system and a packet communication control device suitable for access permission / non-permission control when a user accesses various resources of a network.

[0002]

2. Description of the Related Art In recent years, the network environment has been steadily expanding due to the development of network technology and the reduction in prices of network components. But on the other hand,
Crimes such as unauthorized access to computer resources and vandalism using the network environment are also increasing. Increasing security is becoming an urgent task to protect personal and business resources from this type of crime. Also, depending on the type of service, it is desired to realize functions such as those that allow only a specific user to access or those that are not desirable for children's emotional education, such as parental control.

[0003] As a mechanism for simply filtering a packet conforming to the TCP / IP protocol by an IP address of the packet, several products are already known, and the number of systems using these products is increasing. . By using these products, it is possible to restrict access to the system that provides the service and the external network and prevent the system from being destroyed, and at the same time, to illegally use computer resources such as CPU, memory, and disk. It becomes possible to prevent use.

[0004]

However, these products require that IP addresses included in packets generated by devices constituting a system and a network are unique,
It is assumed that the access authority (range) of these constituent devices does not change. For this reason, the configuration of the system tends to be fixed, and when a configuration device or the configuration itself is changed, it is necessary for a system administrator to change many settings. In addition, during this setting change, the system becomes unavailable, causing a great loss to the service provider.

[0005] No matter how many computers have become popular today, one computer is rarely used exclusively by one user, and one computer is used by a plurality of users both at home and in a company. There are many cases. Also, each user has a respective access right to the system and the network. When the use of a single computer by a plurality of users having various access rights is permitted, whether or not a packet sent by a computer (hereinafter, referred to as a client) used by the user can pass through a system and a network changes every moment. I do.

[0006] Further, with the spread of computers, the advancement of network technology, and the reduction in the price of network equipment, the number of clients connected to the network is increasing, and the scale of the network is increasing. In such a situation, IP addresses, which are identifiers of constituent devices on the network, are being depleted. As a result, an environment has emerged in which IP addresses that have been fixedly allocated to each component device are dynamically allocated. Under this environment, the IP address assigned to a client cannot be unique.

[0007] The packet filtering products currently on the market correspond to the use of one client by a plurality of users, the access authority of each user, the dynamically allocated IP addresses, and the like as described above. It is impossible. Also, it is impossible to dynamically reflect the changes in the configuration of the system and the network and the configuration devices.

SUMMARY OF THE INVENTION The present invention has been made to solve the above-mentioned problems relating to the conventional network management, and has as its object to provide a packet communication control system and a packet communication control device which can solve the following problems. That is. (A) Corresponding to different access authority for each user. (B) Allowing different users to use the same client. (C) Generate a filtering rule according to the access authority. (D) Dynamic filtering is performed according to the generated filtering rule. (E) Monitor and prevent unauthorized access to computer resources by packets without access authority. (F) Dynamically delete unnecessary filtering rules.

[0009]

According to a first aspect of the present invention, there is provided a packet communication control system comprising: a first table in which access range information in a network of each user is associated with user identification information; A second route control address and user identification information used for route control in a network obtained from a terminal
When a user requests access to the network, a route control address and identification information are obtained from a terminal used by the user and written in the second table, and the user is identified. Filtering rule generating means for generating filtering rule information for controlling whether a packet to be transmitted to the network is allowed to pass from the corresponding access range information by referring to the database based on the information,
Filtering means for controlling whether a packet transmitted by the user can pass or not by using the filtering rule information generated by the filtering rule generating means. As a result, filtering rule information for controlling whether a packet transmitted to the network can pass or not is generated from the corresponding access range information based on the identification information of the user, and a packet transmitted by the user is generated using the filtering rule information. Is controlled.

In the packet communication control system according to the second aspect of the present invention, when a user requests access to a network, a route control address and identification information are obtained from a terminal used by the user and a second table is obtained. And a control unit for instructing the generation of filtering rule information by the filtering rule generation unit when there is no registration. As a result, unauthorized access from the second and subsequent users using the same routing control address can be prevented.

[0011] In the packet communication control system according to the third aspect of the present invention, the control means, upon receiving a notification of the end of access to the network from the user, obtains a route control address from a terminal used by the user and executes the first step. The second embodiment is characterized in that the corresponding registration in the second table is deleted, and the control of the packet passage by the filtering processing means is terminated. Thus, when the user notifies the end of the access to the network, the packet passing control by the filtering processing means is terminated and the recovery is performed.

[0012] In the packet communication control system according to the fourth aspect of the present invention, the first table further stores a password corresponding to the user identification information. A user authentication unit that obtains a password and identification information sent from the user, performs user authentication by comparing the registration with the registration in the first table, and shifts to processing by the control unit when the passwords match. It is characterized by. Thereby, the password and the identification information sent from the user are obtained, and the user is authenticated.

[0013] In the packet communication control system according to the fifth aspect of the present invention, there is provided a warning recording means for recording an unauthorized access request. In addition to returning an error notification of the request, information to be recorded in the warning recording means is transmitted. Thus, in the case of unauthorized access from a plurality of users using the same route control address, an error notification of the request is returned to the user, and the warning is recorded in the warning recording means.

In the packet communication control system according to the sixth aspect of the present invention, a warning recording means for recording an unauthorized access request is provided, and the user authentication means requests the user when the passwords do not match. And the information to be recorded in the warning recording means is transmitted. Thus, if there is an access using an incorrect password, an error notification of the request is returned to the user, and the request is recorded in the warning recording means.

According to a seventh aspect of the present invention, there is provided a packet communication control apparatus comprising: a first table in which access range information of each user in a network is associated with user identification information; a network acquired from a terminal used by the user; A database storing a second table in which a path control address used for path control and user identification information are associated with each other, and when a user requests access to a network, a terminal used by the user transmits a path control address from a terminal used by the user. And writing the identification information to the second table, and referring to the database based on the identification information of the user to control whether or not a packet to be transmitted to the network can pass from the corresponding access range information. Filtering rules that generate filtering rule information Filtering means for transmitting the filtering rule information generated by the filtering rule generating means to a terminal used by the user, and controlling whether or not a packet transmitted by the user is allowed to pass to the terminal. It is characterized by providing. As a result, filtering rule information for controlling whether a packet to be transmitted to the network can be passed or not is generated from the corresponding access range information based on the user's identification information, and the filtering rule information is transmitted to the user's terminal. In this terminal, pass / fail control of a packet transmitted by the user is performed.

The packet communication control device according to claim 8 of the present invention acquires a route control address and identification information from a terminal used by a user when a user requests access to the network, and obtains a second table from the terminal. And a control unit for instructing the generation of filtering rule information by the filtering rule generation unit when there is no registration. As a result, unauthorized access from the second and subsequent users using the same routing control address can be prevented.

In the packet communication control device according to the ninth aspect of the present invention, when the control unit receives a notification of the end of the access to the network from the user, the control unit obtains a route control address from a terminal used by the user, and In addition, the corresponding registration in the second table is deleted, and the control of the packet passing by the filtering processing means of the terminal is terminated. Thus, when the user notifies the end of the access to the network, the packet passing control by the filtering processing means is terminated and the recovery is performed.

[0018]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS A packet communication control system and a packet communication control device according to an embodiment of the present invention will be described below with reference to the accompanying drawings. In this embodiment, TC
A packet communication system conforming to the P / IP protocol is taken as an example. FIG. 1 shows a configuration diagram of the packet communication control system. This system includes a packet communication control device 1 and a client (terminal) 2 composed of a computer.

The packet communication control device 1 is constituted by a workstation or office computer having a CPU, etc., and includes input / output means 4 constituted by input devices such as a keyboard input device and a mouse and output devices such as a CRT display device. A data processing unit 3 is provided. The data processing unit 3 further includes a warning recording unit 5 and a data management unit 6.
Is provided.

Further, the packet communication control device 1 is provided with a user database 7. FIG. 2 in which access authority (range) information of each user in the network and user identification information are associated with each other in the user database 7.
Access authority information table (first table) 7 shown in FIG.
1. A path control address (IP) used for path control in a network acquired from a terminal used by a user.
A user access table (second table) 72 shown in FIG. 3 in which an address) and user identification information (user ID) are associated with each other is stored. Access authority table 7
The contents stored in 1 are input from the input / output unit 4 by the system administrator based on the request from the user, and are stored in the user database 7 by the data management unit 6.

The packet communication control device 1 includes a filtering rule generating means 8 for generating filtering rule information, a control means 9 for controlling the filtering rule generating means 8, and a user authenticating means for authenticating a user based on a password. 10 are provided.

On the other hand, the client 2 is provided with communication executing means 11 for performing communication, and filtering processing means 12 for controlling whether or not a packet to be transmitted is allowed to pass based on the filtering rule information generated by the packet communication control device 1. .

The above-described packet communication control system is actually applied, for example, to a communication system as shown in FIG. That is, a plurality (1 to N) of clients 2 are provided, and are connected to the packet communication control device 1 via the network 20-2. The packet communication control device 1 is connected to a network 20-1 other than the network 20-2. One or more servers, one or more databases, and one or more external networks are connected to the network 20-1 via the router 15.

In the system configured as described above, each client 2 is shared by a plurality of users, and the CPU of the packet communication control device 1 executes a program corresponding to the flowchart shown in FIG. Functions as 10. That is, each client 2
When the user inputs, for example, the user ID "User1" and the password "f3j230jk", they are taken in (S1).

The input of the user ID and the password is performed on a log-in screen as shown in FIG. After the user ID and password are input, the "LOGIN" part is designated by using a mouse or the like. Upon receiving the user ID and the password, the CPU of the packet communication control device 1 searches the access authority table 71 in the user database 7 using the user ID "User1" as a key (S2), and determines whether the corresponding registration has been made. It is detected (S3). In this example, the user ID
Since "User1" is registered in the access authority table 71, the flow branches to YES in step S3 to acquire the password registered in the access authority table 71 in the user database 7 corresponding to the user ID "User1". (S4), and compares this with the password sent from the client 2 to detect (S5) whether the password is correct (S6). Here, since both passwords are “f3j230jk” and coincide with each other, the process branches to YES in step 6 to succeed in authentication, and proceeds to the next process. On the other hand, if the user ID is incorrect or the password is incorrect, a warning record is executed (S7). In the warning record, the authentication unit 10 of FIG. 1 passes, for example, the date and time, the identification information of the client, the used user ID, the password, and the like to the warning recording unit 5, and these are stored in a log format.
Processing such as displaying a warning on a CRT display device constituting the input / output means 4 and sending an e-mail to another monitoring terminal (not shown) is performed. Further, the CPU of the packet communication control device 1 returns a notification of the request error to the client 2, and an error is displayed on the CRT display device of the client 2.

When the user authentication is successful, the CPU of the packet communication control device 1 executes a program corresponding to the flowchart shown in FIG. That is, following the user authentication, the CPU acquires the IP address of the client 2 (S11). The acquisition of the IP address is realized by using, for example, a socket. After obtaining the IP address, C
The PU searches the user access table 72 in the user database 7 and detects whether the IP address is already registered (S12). If not already registered, the user ID and the IP address are paired and registered in the user access table 72 as shown in FIG. On the other hand, if the acquired IP address is already registered in the user access table 72, a warning record is executed as an unauthorized login (S14). This process is basically the same as the process described in step S7 in FIG. Further, the CPU of the packet communication control device 1 returns a notification of the login error to the client 2, and an error is displayed on the CRT display device of the client 2.

For example, in the main memory of the packet communication control device 1, a data table for creating filtering rule information as shown in FIG. 8 is prepared. That is, the IP address and the example of the filtering rule are stored corresponding to the access target. The filtering rule can be created by setting the IP address of the client 2 in the “xxxx...” Portion of the filtering rule example.

The CPU of the packet communication control device 1 executes a program corresponding to the flowchart shown in FIG. That is, when the registration in FIG.
The access right information stored corresponding to the first user ID "User1" is obtained (S15). Here, as the access authority, information indicating that “server # 1, database” can be accessed is acquired. Next, CP
U2 acquires the IP address (S16) and generates filtering rule information according to the access authority (S1).
7), end rule generation.

In the above description, as shown on the right side of the flowchart in FIG.
1 "(IP address = 133.145.121.101) is obtained, and (IP address = 13
When 3.113.194.121) is obtained, a filtering rule example (pass xxx.xxx.xxx.xxxto) is obtained from the data table of FIG.
133.145.121.101), the filtering rule for server # 1 (pass 133.113.194.121 to 133.145.12)
1.101) is generated. This filtering rule indicates that access from the client 2 to the server # 1 is permitted. Although not shown here, filtering rule information indicating that the client 2 is permitted to access the database based on the access right is also generated in the same manner.

In this embodiment, the contents permitted are shown as filtering rule information, but access to other resources is prohibited. Further, the prohibited contents may be used as the filtering rule information. For example, it is assumed that filtering rule information indicating that access from the client 2 to the server # 2 is prohibited is generated, and that other rules are permitted.

The filtering rule information generated as described above is sent to the client 2 and the filtering processing means 12 performs processing using the filtering rule information. That is, the CPU of the client 2 functions as the filtering processing unit 12 according to the flowchart shown in FIG. That is,
The client 2 waits for the generation of a packet to be transmitted from the communication execution unit 11 (S21). When the packet arrives, the destination IP address of the packet is extracted (S22). A list of filtering rule information is searched using the destination IP address as a key (S23), and it is detected whether or not there is an IP address corresponding to the destination in the list of filtering rule information (S2).
4). Here, if there is a corresponding rule, it is determined whether or not the access destination of the packet matches the rule (S2).
5) If the packet matches the rule, the packet is passed (S26).

Further, if no corresponding rule is detected in step S24, or if it is detected in step S25 that the rule does not match, a warning record is executed (S27). In the alert log,
For example, date and time, client identification information (IP address), destination address, and the like are passed from the filtering processing unit 12 of FIG. 1 to the warning recording unit 5 via the control unit 9, and these are stored in a log format. , A warning display on the CRT display device constituting the input / output means 4 and a mail transmission to another monitoring terminal (not shown). In the client 2, the packet is discarded, and the process returns to step S21 to be performed.

As described above, the necessary data (packet) is transmitted from the login, and the logout is performed. Then, the CPU of the packet communication control device 1 performs the filtering rule information deletion process as the control unit 9 according to the flowchart of FIG. That is, a logout is received and a logout is detected in the same manner as in the case of login (S31).
An IP address is obtained from the client 2 used by the user using a socket (S32) (S32).
The client 2 uses the IP address as a key.
The rule information related to the IP address is deleted from the filtering rule information list (S33), the user access table 72 in the user database 7 is searched, and the registration related to the IP address is deleted (S34).

The system according to the above-described embodiment makes it possible to effectively use computer resources (prohibit monopoly). That is, conventionally, in the network management method, an access rule for a client is fixedly assigned, and thus the IP address of the client is fixedly assigned. However, according to the present embodiment, since the access rules are dynamically generated, applied, and deleted, the IP address of the client can also be dynamically allocated.
As a result, shared use of computer resources by a plurality of clients becomes possible.

Further, it is possible to enhance security. In short, the most frightening of modern computer systems is unauthorized use and trespassing of the systems. According to the present embodiment, it is possible to exclude use of at least a registered user. Regarding registered users, as long as a protocol conforming to the TCP / IP protocol is used, illegal use of resources can be prevented.

Further, a variety of systems can be realized. That is, according to the present embodiment, it has been described that the IP address of the client can be dynamically allocated. However, this makes it possible to realize a variety of systems. Since it is not necessary to assign a fixed IP address as in the related art, it is possible to realize various systems such as a change in system configuration, a change in a client machine used by a user, and addition of a new service.

Further, realization of parental control can be achieved. That is, parental control, which has become a hot topic in recent years, can be realized by applying the present embodiment. This is because access control is performed for each user. By realizing this function, it is possible to build a more social system, and it is possible to secure more customers.

In the above-described embodiment, the filtering processing means is provided in the client. However, in other embodiments, as apparent from FIG. 4, all the packets from the client pass through the packet communication control device. The packet communication control device is provided with filtering processing means. With this configuration, the same effects as those of the above-described embodiment can be obtained, and the above-described effects can be obtained without changing the client.

[0039]

As described above, according to the packet communication control system of the first aspect, it is possible to control whether or not a packet to be transmitted to the network can pass from the corresponding access range information based on the identification information of the user. Is generated and the pass / fail control of the packet transmitted by the user is performed using the filtering rule information. Therefore, the access range can be limited for each user, and the appropriate access can be guaranteed.

As described above, according to the packet communication control system of the second aspect, the route control address and the identification information are obtained from the terminal used by the user, and the presence or absence of the registration in the second table is determined. However, since the filtering rule information is generated when there is no registration, unauthorized access from the second and subsequent users using the same route control address can be prevented.

As described above, according to the packet communication control system of the third aspect, when the user notifies the end of the access to the network, the filtering processing means terminates the control of the passage of the packet and the recovery is performed. Therefore, the process according to the rule that has become unnecessary can be appropriately terminated.

As described above, according to the packet communication control system of the fourth aspect, the password and identification information sent from the user are acquired and the user is authenticated, so that unauthorized access can be prohibited.

As described above, according to the packet communication control system of the fifth aspect, in the case of unauthorized access from a plurality of users using the same routing address, a request error notification is returned to the users. In addition, since the warning is recorded in the warning recording means, it is possible to investigate the cause of the unauthorized access.

As described above, according to the packet communication control system of the sixth aspect, when there is an access using an invalid password, an error notification of the request is returned to the user, and the warning record is recorded. Since the information is recorded in the means, it is possible to pursue the cause of access using an unauthorized password and the like.

As described above, according to the packet communication control device of the seventh aspect, the filtering for controlling whether or not the packet to be transmitted to the network is allowed to pass from the corresponding access range information based on the identification information of the user. Since the rule information is generated and the pass / fail control of the packet sent by the user is performed using the filtering rule information, the access range can be limited for each user,
Ensure proper access is made.

As described above, according to the packet communication control device of the eighth aspect, the routing control address and the identification information are obtained from the terminal used by the user, and the presence or absence of the registration in the second table is determined. However, since the filtering rule information is generated when there is no registration, unauthorized access from the second and subsequent users using the same route control address can be prevented.

As described above, according to the packet communication control device of the ninth aspect, when a user notifies the end of access to the network, the packet passing control by the filtering processing means is terminated and restoration is performed. Therefore, the process according to the rule that has become unnecessary can be appropriately terminated.

[Brief description of the drawings]

FIG. 1 is a configuration diagram of a packet communication system according to an embodiment of the present invention.

FIG. 2 is a diagram showing contents of an access authority table provided in the packet communication system according to the embodiment of the present invention.

FIG. 3 is a diagram showing contents of a user access table provided in the packet communication system according to the embodiment of the present invention.

FIG. 4 is a configuration diagram of a specific example of a packet communication system according to an embodiment of the present invention.

FIG. 5 is a flowchart illustrating a user authentication operation of the packet communication system according to the embodiment of the present invention.

FIG. 6 is a diagram showing a login screen in a client of the packet communication system according to the embodiment of the present invention.

FIG. 7 is a flowchart illustrating a registration operation to a user access table in the packet communication system according to the embodiment of the present invention.

FIG. 8 is a diagram showing contents of a data table for creating a filtering rule.

FIG. 9 is a flowchart illustrating a filtering rule generation operation of the packet communication system according to the embodiment of the present invention.

FIG. 10 is a flowchart illustrating a filtering operation of the packet communication system according to the embodiment of the present invention.

FIG. 11 is a flowchart for explaining an operation at the time of logout of the packet communication system according to the embodiment of the present invention.

[Explanation of symbols]

REFERENCE SIGNS LIST 1 packet communication control device 2 client 3 data processing unit 4 input / output unit 5 warning recording unit 6 data management unit 7 user database 8 filtering rule generation unit 9 control unit 10 user authentication unit 11 communication execution unit 11 filtering processing unit 20 network

Claims (9)

[Claims] 1. A first table in which access range information and user identification information of each user in a network are associated with each other, a route control address and user identification information used for route control in a network obtained from a terminal used by the user. When a user requests access to a network, a route control address and identification information are obtained from a terminal used by the user, and the second table is stored in the second table. Filtering rule generating means for writing and generating filtering rule information for controlling whether or not a packet to be transmitted to the network can pass from the corresponding access range information by referring to the database based on the identification information of the user; Filtering rule generation means Packet communication control system characterized by using the generated filtering rule information and a filtering means for controlling the passableness of the packet which the user sends Ri. 2. When a user requests access to a network, a route control address and identification information are obtained from a terminal used by the user, and the presence or absence of registration in the second table is determined. 2. The packet communication control system according to claim 1, further comprising control means for instructing the generation of filtering rule information by the filtering rule generation means. 3. The control means, when notified of the end of access to the network from the user, obtains a path control address from a terminal used by the user, deletes the corresponding registration in the second table, and performs a filtering process. 3. The packet communication control system according to claim 2, wherein the control means determines whether or not the packet can be passed. 4. The first table further stores a password corresponding to the user identification information. When a user requests access to the network, the password and identification information transmitted from the user are acquired. 4. The packet according to claim 2, further comprising a user authentication unit for performing user authentication in comparison with registration in the first table, and, when the passwords match, shifting to processing by the control unit. Communication control system. 5. An alarm recording means for recording an unauthorized access request, wherein the control means returns an error notification of the request to the user when detecting the presence of the registration, and further comprises the warning recording means. 4. The packet communication control system according to claim 2, wherein information to be recorded is transmitted. 6. A warning recording means for recording an unauthorized access request, wherein the user authentication means, when the password does not match,
5. The packet communication control system according to claim 4, wherein an error notification of the request is returned to the user, and information to be recorded in the warning recording unit is transmitted. 7. A first table in which access range information of each user in a network and user identification information are associated with each other, a route control address and user identification information used for route control in a network obtained from a terminal used by the user. When a user requests access to a network, a route control address and identification information are obtained from a terminal used by the user, and the second table is stored in the second table. Filtering rule generation means for writing and generating filtering rule information for controlling whether or not a packet to be transmitted to the network can pass from the corresponding access range information by referring to the database based on the identification information of the user. And this filtering rule A packet communication control device for transmitting filtering rule information generated by the means to a terminal used by the user, and having the terminal include filtering processing means for controlling whether a packet transmitted by the user can pass or not. . 8. When a user requests access to a network, a route control address and identification information are obtained from a terminal used by the user, and the presence or absence of registration in the second table is determined. 8. The packet communication control device according to claim 7, further comprising control means for instructing the generation of filtering rule information by the filtering rule generation means. 9. The control means, upon receiving a notification of the end of access to the network from the user, obtains a route control address from a terminal used by the user, deletes the corresponding registration in the second table, and 9. The packet communication control device according to claim 8, wherein the control of the passage of the packet by the filtering processing means of the terminal is terminated.