WO2006067951A1 - Access control device and access control method - Google Patents
- Publication number
- WO2006067951A1 (PCT/JP2005/022306)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- host
- packet
- address
- network
- destination
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
Definitions
- Access control apparatus and access control method are provided.
- the present invention relates to an access control device and an access control method, and more particularly to an access control device and an access control method for a network in which access from a terminal in an internal network is restricted according to the type of host in the external network.
- a DNS (Domain Name System) server that performs name resolution of an IP address and a host name may be installed.
- a connection request from a terminal of an internal network such as a LAN (Local Area Network) to a host of an external network including the Internet, for example is designated by the terminal.
- the host name of the connection destination is sent to the DNS server.
- the DNS server searches for the IP address corresponding to the received host name, and returns the result to the terminal as a response.
- the terminal in the internal network can know the IP address of the host in the external network trying to connect and can access this host.
- A technique for searching for an IP address by DNS in this way is disclosed in Patent Document 1, for example.
- a router is installed at the boundary between the internal network and the external network, and this router has a HOSTS table that records host names and IP addresses and an update processing unit that manages and updates the HOSTS table.
- client 1 transmits a DNS request for requesting name resolution to a DNS server in order to connect to a host.
- the DNS server is capable of sending a DNS response to the DNS request to the client 1.
- the router stores the host name and IP address included in the DNS response in the HOSTS table by the update processing unit and forwards them to the client 1. As a result, client 1 can access the host via the router.
- the client 2 transmits a DNS request to the DNS server in the same manner as the client 1.
- the router installed at the boundary between the internal network and the external network receives this DNS request and refers to the HOSTS table.
- the router does not forward the DNS request to the DNS server, but directly sends the corresponding IP address in the HOSTS table to the client 2.
- Patent Document 1: Japanese Patent Laid-Open No. 11-340984
- the router installed at the boundary between the internal network and the external network may be able to perform access control. In order to distinguish access to general hosts from access to secure hosts, the router needs to maintain a list of all secure hosts.
- An object of the present invention is to provide an access control apparatus and an access control method capable of reducing the consumption of resources such as memory and efficiently controlling access to a secure host.
- the access control apparatus adopts a configuration having: storage means for storing a host list indicating, among the hosts in the first network, hosts to which access from terminals in the second network is restricted or hosts to which access is not restricted; receiving means for receiving, from a terminal in the second network, a packet whose destination is set to a host in the first network; control means for controlling, when the destination host of the received packet is registered in the host list, whether to send the packet to the host or to discard the packet; and updating means for updating the host list, when the destination host of the received packet is not registered in the host list, by obtaining from outside information on whether or not access from the terminal to the host is permitted.
- the access control method is an access control method in an access control apparatus that stores a host list indicating, among the hosts in the first network, hosts to which access from terminals in the second network is restricted or hosts to which access is not restricted, the method having: a step of receiving, from a terminal in the second network, a packet whose destination is set to a host in the first network; a step of controlling, when the destination host of the received packet is registered in the host list, whether the packet is transmitted to the host or the packet is discarded; and a step of updating the host list, when the destination host of the received packet is not registered in the host list, by acquiring from outside information on whether or not access from the terminal to the host is permitted.
- FIG. 1 is a diagram showing an example of a conventional network configuration
- FIG. 2 is a conceptual diagram showing an example of a network configuration according to an embodiment of the present invention.
- FIG. 3 is a block diagram showing a main configuration of the gateway device according to the embodiment.
- FIG. 4 is a diagram showing an example of a terminal list according to an embodiment.
- FIG. 5A is a diagram showing an example of a host list of general hosts according to the embodiment.
- FIG. 5B is a diagram showing an example of a host list of a secure host according to the embodiment.
- FIG. 6 is a flow diagram showing operation of access control according to the embodiment.
- FIG. 7 is a sequence diagram showing a specific example of access control according to the embodiment.
- FIG. 8 is a sequence diagram showing another specific example of access control according to the embodiment.
- FIG. 9 is a sequence diagram showing still another specific example of access control according to the embodiment.
- FIG. 10 is a flow diagram showing other access control operations according to the embodiment.
- FIG. 11 is a conceptual diagram showing another example of the network configuration according to the embodiment.
- FIG. 2 is a conceptual diagram showing an example of a network configuration in an embodiment of the present invention.
- the network shown in FIG. 1 mainly includes an internal network 100 such as a LAN, an external network 200 including a public network such as the Internet, and a gateway device 300 installed at the boundary between the internal network 100 and the external network 200.
- the internal network 100 has a secure terminal 100a (IP address “192.168.1.aaa”) that is authenticated in advance and can access all hosts in the external network 200, and a general terminal 100b (IP address “192.168.1.bbb”) and a general terminal 100c (IP address “192.168.1.ccc”) that can access only general hosts in the external network 200 that are not subject to access restrictions.
- the external network 200 includes an authentication server 200a (IP address “xxx.xxx.xxx.100”) that authenticates terminals in the internal network 100 and a dedicated DNS server 200b (IP address “xxx.xxx.xxx.l”) that performs name resolution for secure hosts that can be accessed only by secure terminals in the internal network 100
- a domain name “www.xxl.ne.jp” that can be accessed only from a secure terminal in the internal network 100
- DNS server 200d IP address ⁇ ⁇ . ⁇ .2. ⁇ .3 ''
- general host 200e IP address xxx.xxx.xxx.4 with domain name ⁇ www.yy2.ne.jp '' that can be accessed by both secure terminals and general terminals in the internal network 100
- a IP address “xxx.xxx.x.l”
- the terminals 100a to 100c in the internal network 100 and the servers / hosts 200a to 200e in the external network 200 are connected via the gateway device 300.
- FIG. 3 is a block diagram showing a main configuration of gateway apparatus 300 according to the present embodiment.
- the gateway device 300 includes a transmission / reception unit 301, an access control unit 302, a terminal information storage unit 303, a host information storage unit 304, a host list update unit 305, and a transmission / reception unit 306.
- the host list update unit 305 includes a DNS reverse lookup request transmission unit 3051, a DNS reverse lookup response reception unit 3052, and a write control unit 3053.
- the transmission / reception unit 301 is connected to the internal network 100, transmits and receives packets to and from the terminals 100a to 100c in the internal network 100, and performs predetermined packet processing such as frame check and frame assembly of packets.
- Access control unit 302 controls access from internal network 100 to external network 200. At this time, the access control unit 302 performs access control according to whether the destination IP address and the source IP address of the packet are the IP addresses of secure terminals or hosts, or the IP addresses of general terminals or hosts. The access control by the access control unit 302 will be described in detail later.
- the terminal information storage unit 303 holds a terminal list as shown in FIG. 4, for example. That is, the terminal information storage unit 303 stores whether each terminal in the internal network 100 is a secure terminal or a general terminal.
- the host information storage unit 304 stores a host list as shown in FIG. 5A, which is updated by the host list update unit 305, for example. That is, the host information storage unit 304 stores the domain name and IP address of a general host in the external network 200.
- the host information storage unit 304 may store the domain name and IP address of the secure host in the external network 200 as shown in FIG. 5B, for example. In the following description, unless otherwise specified, the host information storage unit 304 stores a host list of general hosts.
- the host list update unit 305 inquires whether a host that is not registered in the host list of the host information storage unit 304 is a secure host or a general host, and updates the host list.
- the reverse DNS request transmission unit 3051 performs access control when the destination IP address of the packet transmitted from the internal network 100 is not registered in the host list of the host information storage unit 304.
- a DNS reverse lookup request for inquiring whether or not the host of the destination IP address is a secure host is transmitted via the transmission / reception unit 306.
- the DNS reverse lookup response receiving unit 3052 receives a DNS reverse lookup response, which is a response to the DNS reverse lookup request, via the transmission / reception unit 306, and notifies the write control unit 3053 whether the inquired destination IP address is that of a secure host or a general host.
- when the inquired destination IP address is the IP address of a general host, the write control unit 3053 writes this destination IP address and the corresponding domain name in the host list of the host information storage unit 304.
- the transmission / reception unit 306 is connected to the external network 200, transmits / receives packets to / from the servers / hosts 200a to 200e in the external network 200, and performs predetermined packet processing such as frame check and frame assembly of packets.
- the terminal power in the internal network 100 is also external network 2
- a packet in which the terminal power within the internal network 100 is also transmitted is the gateway device 30.
- the packet is held by the transmission / reception unit 301, and the access control unit 302 is notified of the destination IP address and the transmission source IP address of the packet.
- the access control unit 302 searches the terminal list of the terminal information storage unit 303 for the packet source IP address, and determines whether or not the packet source terminal is a secure terminal (ST1000).
- if, as a result of the determination in ST1000, the source of the packet is a secure terminal, access to both secure hosts and general hosts in the external network 200 is permitted, so access does not need to be restricted, and the packet is transmitted to the host of the destination IP address via the transmission / reception unit 306 (ST1700).
- the destination IP address of the packet is checked against the host list in the host information storage unit 304 to determine whether the destination of the packet is a general host (ST1100). In other words, if the destination IP address of the packet is already registered in the host list, it is determined that the destination of this packet is a general host. In this case, access from a general terminal in the internal network 100 to a general host in the external network 200 is permitted, so access is not restricted, and the packet is transmitted to the general host at the destination IP address via the transmission / reception unit 306 (ST1700).
- if the destination IP address of the packet is not registered in the host list, it is unknown whether the host of this destination IP address is a secure host or a general host.
- An instruction to send a DNS reverse lookup request is sent to the DNS reverse lookup request transmission unit 3051.
- the DNS reverse lookup request transmission unit 3051 sends a DNS reverse lookup request, inquiring whether or not the destination IP address of the packet is registered as a secure host, to the dedicated DNS server 200b (ST1200). Also, the DNS reverse lookup request transmission unit 3051 notifies the inquired IP address to the write control unit 3053.
- the transmitted DNS reverse lookup request is received by the dedicated DNS server 200b, and a DNS reverse lookup response indicating whether or not the host of the IP address included in the DNS reverse lookup request is registered in the dedicated DNS server 200b is sent.
- the dedicated DNS server 200b performs name resolution related to the secure host. Therefore, if the IP address of the reverse DNS request is registered in the dedicated DNS server 200b, the host of this IP address is determined to be a secure host. Further, if the IP address of the reverse DNS request is not registered in the dedicated DNS server 200b, it is determined that the host of this IP address is a general host.
- the dedicated DNS server 200b and the DNS server 200d are provided in the external network 200.
- a server that combines the functions of the dedicated DNS server and the DNS server may be provided.
- information indicating whether each host in the external network 200 registered in the server is a secure host or a general host is held.
- the host type is mapped to, for example, a VLAN (Virtual LAN) tag ID or a TOS (Type Of Service) field of the Internet protocol.
- the layer used for identifying the type of host may be an arbitrary layer.
- a hit is sent as the DNS reverse lookup response, and if the IP address is not registered in the dedicated DNS server (i.e., if it is the IP address of a general host), an error is sent as the DNS reverse lookup response.
- the DNS reverse lookup response is transmitted to gateway apparatus 300 and received by DNS reverse lookup response reception unit 3052 via transmission / reception unit 306 (ST1300).
- reverse DNS response reception section 3052 determines whether or not the reverse DNS response is an error (ST1400). In other words, it is determined whether or not the inquired IP address is a secure host. As a result of this determination, if the reverse DNS response is a hit, it means that the inquired IP address is the IP address of the secure host, and access from a general terminal is not permitted.
- the packet held in the transmission / reception unit 301 is discarded, and access denial information indicating that access is denied is transmitted to the transmission source of the packet via the transmission / reception unit 301 (ST1500).
- if the result of the determination in ST1400 is that the reverse DNS response is an error, it means that the inquired IP address is the IP address of a general host, and that fact is notified to the write control unit 3053. Then, the IP address notified from the DNS reverse lookup request transmission unit 3051 is newly added by the write control unit 3053 to the general host list stored in the host information storage unit 304. As a result, the host list in the host information storage unit 304 is updated (ST1600). Further, since the transmission destination of the packet is a general host, access from the general terminal is permitted, and the packet is transmitted from transmission / reception section 301 via transmission / reception section 306 (ST1700).
- when a packet is transmitted from a terminal in the internal network 100 to a host in the external network 200, if the gateway device 300 does not know the type of the destination host of the packet, it performs a reverse DNS lookup on the dedicated DNS server 200b in the external network 200, updates the host list as necessary, and controls packet transmission. As a result, the gateway device 300 does not need to store all secure hosts (or general hosts), can obtain only the necessary host information, and can reduce the consumption of resources such as memory.
- a packet is transmitted from the general terminal 100b to the transmission / reception unit 301 of the gateway device 300 (400). Then, the authentication information including the destination IP address and the source IP address of this packet is notified from the transmission / reception unit 301 to the access control unit 302 (401).
- the access control unit 302 that has received the authentication propriety information refers to the terminal list stored in the terminal information storage unit 303 and determines that the source IP address of the packet is the IP address of the general terminal. It is determined whether or not the destination IP address of the packet is registered in the host list stored in the host information storage unit 304. Here, the destination IP address of the packet is not registered in the host list, and it is unknown whether this destination IP address is a secure host IP address or a general host IP address.
- the access control unit 302 outputs a DNS reverse lookup request notification to the DNS reverse lookup request transmission unit 3051 in the host list update unit 305 (402). Then, a DNS reverse lookup request for the destination IP address is output from the DNS reverse lookup request transmission unit 3051 to the transmission / reception unit 306 (403), and a DNS reverse lookup request is sent to the dedicated DNS server 200b (404).
- The dedicated DNS server 200b can determine whether or not the IP address included in the reverse DNS request is registered. Here, since this IP address is the IP address of the secure host, it is registered in the dedicated DNS server 200b, and a hit is returned to the transmission / reception unit 306 as the DNS reverse lookup response (405).
- the DNS reverse lookup response is transferred from the transmission / reception unit 306 to the DNS reverse lookup response reception unit 3052 in the host list update unit 305 (406), and the DNS reverse lookup response reception unit 3052 sends the DNS reverse lookup response.
- this is notified to the access control unit 302 (407). Since the reverse DNS lookup response is a hit, it can be seen that the destination IP address of the packet is the IP address of the secure host, and packet transmission from general terminals is not permitted. Therefore, a packet discard instruction is issued from the access control unit 302 to the transmission / reception unit 301 (408). When the packet is discarded by the transmission / reception unit 301 in accordance with this instruction, access denial information indicating that access to the destination IP address of the packet is denied is transmitted to the general terminal 100b (409).
- a DNS reverse lookup request is transmitted to the dedicated DNS server 200b (400 to 404). In the dedicated DNS server 200b, it is possible to determine whether or not the IP address included in the DNS reverse lookup request is registered.
- here, since this IP address is the IP address of a general host, it is not registered in the dedicated DNS server 200b, and an error is returned to the transmission / reception unit 306 as the DNS reverse lookup response (500).
- the DNS reverse lookup response is transferred from the transmission / reception unit 306 to the DNS reverse lookup response reception unit 3052 in the host list update unit 305 (501), and the DNS reverse lookup response reception unit 3052
- the fact is notified to the access control unit 302 (502).
- the IP address included in the DNS reverse lookup request is the IP address of the general host, so this is notified from the DNS reverse lookup response reception unit 3052 to the write control unit 3053, and the write control unit 3053 registers the above IP address in the host list stored in the host information storage unit 304.
- the destination IP address of the packet is the IP address of the general host, and that transmission of the packet from the general terminal is permitted. Therefore, a packet transmission instruction is issued from the access control unit 302 to the transmission / reception unit 301 (503). In accordance with this instruction, the packet is transferred from the transmitting / receiving unit 301 to the transmitting / receiving unit 306 (504), and the packet is transmitted from the transmitting / receiving unit 306 to the host of the destination IP address in the external network 200 (505).
- the destination IP address of the packet from the general terminal 100b is not stored in the host information storage unit 304 of the gateway device 300, and the host of this destination IP address is a general host, the packet from the general terminal 100b is sent to the general host with the destination IP address.
- the access control unit 302 judges whether the destination IP address of the packet is registered in the host list stored in the host information storage unit 304. Here, the destination IP address of the packet is registered in the host list, and it is found that this destination IP address is the IP address of the general host. Therefore, it can be seen that packets from general terminals are allowed to the host with this destination IP address, and a packet transmission instruction is issued from the access control unit 302 to the transmission / reception unit 301 (503). In accordance with this instruction, the packet is transferred from the transmission / reception unit 301 to the transmission / reception unit 306 (504), and the packet is transmitted from the transmission / reception unit 306 to the host of the destination IP address in the external network 200 (505).
- the packet from the general terminal 100b is sent to the general host having the destination IP address.
- since the host information storage unit 304 stores the host list of general hosts, the access to the general host from the general terminal 100b is performed as shown in FIG. Access speed can be improved.
- the terminal is a secure terminal.
- access is permitted regardless of the host list by referring to the terminal list in the terminal information storage unit 303 by the access control unit 302.
- the host information storage unit 304 holds the host list of secure hosts, the destination IP address is not registered in the host list.
- a reverse DNS lookup request is sent to the dedicated DNS server 200b.
- if the destination general host has been accessed in the past, its IP address is registered in the host list, so access is permitted without reverse DNS lookup.
- when the host type is not registered in the gateway device, the gateway device performs a reverse DNS lookup of the destination IP address of the packet and asks the DNS server of the external network whether the host with the destination IP address is registered as a secure host.
- the gateway device updates the host list only for hosts that are packet transmission targets, so it can reduce the consumption of resources such as memory and efficiently control access to secure hosts.
- the host information storage unit 304 may store the host list of secure hosts.
- in the external network 200, it is considered that more general hosts are installed than secure hosts, so storing the host list of secure hosts can reduce the amount of information in the host list. In addition, the consumption of resources such as memory can be further reduced.
- the access control unit 302 searches the packet source IP address in the terminal list of the terminal information storage unit 303 and determines whether or not the packet transmission source terminal is a secure terminal (ST1000). As a result, when the transmission source of the packet is a secure terminal, the packet is transmitted to the host having the destination IP address via transmission / reception section 306 (ST1700).
- the packet destination IP address is checked against the host list in the host information storage unit 304 to determine whether the packet destination is a secure host (ST2000). In other words, if the destination IP address of the packet is already registered in the host list, it is determined that the destination of this packet is a secure host. In this case, since access from a general terminal in the internal network 100 to a secure host in the external network 200 is not permitted, the packet held in the transmission / reception unit 301 is discarded by the access control unit 302, and access denial information indicating that access has been denied is transmitted to the packet transmission source via the transmission / reception unit 301 (ST1500).
- an instruction to transmit a DNS reverse lookup request is issued to the DNS reverse lookup request transmission unit 3051. In response to this instruction, a DNS reverse lookup request is sent from the DNS reverse lookup request transmission unit 3051, and a DNS reverse lookup response to this DNS reverse lookup request is sent back to the DNS reverse lookup response receiving unit 3052 (ST1200, ST1300).
- the DNS reverse lookup response reception unit 3052 determines whether the reverse DNS response is an error (ST1400). If the reverse DNS response is a hit, this means that the inquired IP address is the IP address of a secure host, and that is notified to the write control unit 3053. Then, the IP address notified from the DNS reverse lookup request transmission unit 3051 is newly added to the host list of the secure host stored in the host information storage unit 304 by the write control unit 3053. As a result, the host list in the host information storage unit 304 is updated (ST2100).
- the access control unit 302 discards the packet held in the transmission / reception unit 301, and access denial information indicating that access is denied is sent to the packet transmission source via the transmission / reception unit 301 (ST1500).
- the packet is transmitted from the transmission / reception unit 301 via the transmission / reception unit 306 (ST1700).
- the gateway device 300 can obtain only necessary host information without having to store all the secure hosts, and can reduce the consumption of resources such as memory.
- the present invention can be applied to a network configuration assuming the network configuration shown in FIG. 2, for example, the network configuration shown in FIG. That is, as shown in FIG. 11, the present invention can also be applied when a dedicated network 620 is further formed in the external network 600 and the dedicated network 620 is connected to the IP network 610 via the network device 630.
- a DNS reverse lookup request is transmitted from the gateway device 300 to the dedicated DNS server 620b in the dedicated network 620, and access to the secure host 620c is controlled.
- a DNS reverse lookup request is transmitted from the gateway device 300 to the DNS server 640, whereby access control is performed. That is, in the present invention, access control to a secure host installed on an arbitrary network is possible.
- the host list stored in the host information storage unit 304 may be periodically deleted. In this way, even if the network configuration in the external network 200 is changed and the IP addresses of the secure host and general host change, an accurate host list can be maintained at all times and memory consumption can be reliably reduced.
- the host list stored in the host information storage unit 304 may be periodically checked against the list of secure hosts registered in the dedicated DNS server 200b to confirm whether the host list is accurately maintained.
- the access control device has: storage means for storing a host list indicating, among the hosts in the first network, hosts to which access from terminals in the second network is restricted or hosts to which access is not restricted; receiving means for receiving, from a terminal in the second network, a packet whose destination is set to a host in the first network; control means for controlling, when the destination host of the received packet is registered in the host list, whether to send the packet to the host or to discard the packet; and updating means for updating the host list, when the destination host of the received packet is not registered in the host list, by acquiring from outside information on whether or not access from the terminal to the host is permitted.
- the update means includes: a DNS reverse lookup request transmission unit that inquires of a server in the first network whether or not the destination address of the packet is registered as the address of a host to which access is restricted; a DNS reverse lookup response reception unit that receives a DNS reverse lookup response indicating whether the destination address is registered in the server; and a write control unit that controls writing of the destination address to the host list in response to the DNS reverse lookup response.
- DNS reverse lookup of the destination address is performed on the server in the first network, and writing of the destination address to the host list is controlled according to this result. It is possible to confirm whether the host is a secure host or a general host and to update the host list accurately.
- the access control device is the access control device according to the first aspect, wherein, when the destination host of the received packet is not registered in the host list, the control means determines, according to the information acquired from the outside by the updating means, whether to transmit the packet to the host or to discard the packet.
- a terminal in the second network is permitted to access all hosts in the first network.
- the storage means adopts a configuration that periodically deletes the host list.
- the access control method is an access control method in an access control apparatus storing a host list indicating whether each host in the first network is a host to which access from a terminal in the second network is restricted or a host to which access is not restricted, the method comprising: a step of receiving, from a terminal in the second network, a packet whose destination is set to a host in the first network; a step of controlling, when the destination host of the received packet is registered in the host list, whether to send the packet to the host or to discard the packet; and a step of updating the host list, when the destination host of the received packet is not registered in the host list, by acquiring from outside information on whether access from the terminal to the host is permitted.
- the access control device and the access control method according to the present invention can reduce the consumption of resources such as memory, and can efficiently control access to a secure host.
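Added example (not taken from the patent): a Python model of the host list, its update by DNS reverse lookup when the destination is not yet registered, and its periodic deletion. The PTR zone, the addresses, the `privileged` terminal set, the purge interval and the fail-closed handling of an unanswered lookup are assumptions made for illustration.

```python
import ipaddress
import time

# Constructed stand-in for the DNS server in the first network: it holds PTR
# records only for restricted ("secure") hosts. Addresses are documentation ranges.
SECURE_PTR_ZONE = {"10.2.0.192.in-addr.arpa.": "db.secure.example."}

def reverse_lookup(addr):
    """Return True if the server has a PTR record for addr (host is restricted)."""
    return ipaddress.ip_address(addr).reverse_pointer + "." in SECURE_PTR_ZONE

class AccessController:
    def __init__(self, lookup, privileged, max_age=300.0, clock=time.monotonic):
        self.lookup = lookup               # DNS reverse request/response path
        self.privileged = set(privileged)  # assumption: terminals allowed to reach all hosts
        self.max_age = max_age             # assumption: purge interval in seconds
        self.clock = clock
        self.host_list = {}                # destination address -> True if restricted
        self.purged_at = clock()
        self.lookups = 0                   # number of reverse lookups sent

    def handle(self, src, dst):
        """Return 'forward' or 'discard' for a packet from terminal src to host dst."""
        if self.clock() - self.purged_at >= self.max_age:
            self.host_list.clear()         # periodic deletion bounds memory use
            self.purged_at = self.clock()
        if dst not in self.host_list:      # miss: ask the server, then write the result
            self.lookups += 1
            try:
                self.host_list[dst] = self.lookup(dst)
            except OSError:                # assumption: no answer means discard, nothing cached
                return "discard"
        restricted = self.host_list[dst]
        return "discard" if restricted and src not in self.privileged else "forward"
```

Because each entry is written only after a lookup, the list holds just the destinations that terminals have actually contacted since the last deletion.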
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2006548769A JPWO2006067951A1 (ja) | 2004-12-22 | 2005-12-05 | アクセス制御装置およびアクセス制御方法 |
EP05811793A EP1816812A1 (en) | 2004-12-22 | 2005-12-05 | Access control device, and access control method |
US11/721,784 US20090254658A1 (en) | 2004-12-22 | 2005-12-05 | Access control device, and access control method |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2004-372230 | 2004-12-22 | ||
JP2004372230 | 2004-12-22 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006067951A1 (ja) | 2006-06-29 |
Family
ID=36601555
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2005/022306 WO2006067951A1 (ja) | 2004-12-22 | 2005-12-05 | アクセス制御装置およびアクセス制御方法 |
Country Status (4)
Country | Link |
---|---|
US (1) | US20090254658A1 (ja) |
EP (1) | EP1816812A1 (ja) |
JP (1) | JPWO2006067951A1 (ja) |
WO (1) | WO2006067951A1 (ja) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2013035310A1 (ja) * | 2011-09-06 | 2013-03-14 | 日本電気株式会社 | 通信装置、通信システム及び通信方法 |
JP2017005604A (ja) * | 2015-06-15 | 2017-01-05 | 株式会社エヌ・ティ・ティ ピー・シー コミュニケーションズ | 中継装置および中継装置の制御方法 |
Families Citing this family (34)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007050244A2 (en) | 2005-10-27 | 2007-05-03 | Georgia Tech Research Corporation | Method and system for detecting and responding to attacking networks |
EP2036291B1 (en) * | 2006-06-30 | 2015-07-22 | Network Box Corporation Limited | A system for classifying an internet protocol address |
GB2459216B (en) * | 2006-12-18 | 2011-06-22 | Ericsson Telefon Ab L M | Method and apparatus for establishing a session |
US8782278B2 (en) * | 2008-03-21 | 2014-07-15 | Qualcomm Incorporated | Address redirection for nodes with multiple internet protocol addresses in a wireless network |
US10027688B2 (en) | 2008-08-11 | 2018-07-17 | Damballa, Inc. | Method and system for detecting malicious and/or botnet-related domain names |
US20100191834A1 (en) * | 2009-01-27 | 2010-07-29 | Geoffrey Zampiello | Method and system for containing routes |
US9009293B2 (en) | 2009-11-18 | 2015-04-14 | Cisco Technology, Inc. | System and method for reporting packet characteristics in a network environment |
US9015318B1 (en) * | 2009-11-18 | 2015-04-21 | Cisco Technology, Inc. | System and method for inspecting domain name system flows in a network environment |
US9148380B2 (en) | 2009-11-23 | 2015-09-29 | Cisco Technology, Inc. | System and method for providing a sequence numbering mechanism in a network environment |
US8792495B1 (en) | 2009-12-19 | 2014-07-29 | Cisco Technology, Inc. | System and method for managing out of order packets in a network environment |
US8578497B2 (en) | 2010-01-06 | 2013-11-05 | Damballa, Inc. | Method and system for detecting malware |
US8826438B2 (en) | 2010-01-19 | 2014-09-02 | Damballa, Inc. | Method and system for network-based detecting of malware from behavioral clustering |
WO2011123812A1 (en) | 2010-04-03 | 2011-10-06 | Openwave Systems Inc. | Reverse dns lookup with modified reverse mappings |
US9516058B2 (en) | 2010-08-10 | 2016-12-06 | Damballa, Inc. | Method and system for determining whether domain names are legitimate or malicious |
US8787303B2 (en) | 2010-10-05 | 2014-07-22 | Cisco Technology, Inc. | Methods and apparatus for data traffic offloading at a router |
US9003057B2 (en) | 2011-01-04 | 2015-04-07 | Cisco Technology, Inc. | System and method for exchanging information in a mobile wireless network environment |
US8631489B2 (en) | 2011-02-01 | 2014-01-14 | Damballa, Inc. | Method and system for detecting malicious domain names at an upper DNS hierarchy |
US8948013B1 (en) | 2011-06-14 | 2015-02-03 | Cisco Technology, Inc. | Selective packet sequence acceleration in a network environment |
US8792353B1 (en) | 2011-06-14 | 2014-07-29 | Cisco Technology, Inc. | Preserving sequencing during selective packet acceleration in a network environment |
US8743690B1 (en) | 2011-06-14 | 2014-06-03 | Cisco Technology, Inc. | Selective packet sequence acceleration in a network environment |
US8737221B1 (en) | 2011-06-14 | 2014-05-27 | Cisco Technology, Inc. | Accelerated processing of aggregate data flows in a network environment |
CN102833782A (zh) | 2012-08-23 | 2012-12-19 | 中兴通讯股份有限公司 | 一种错误码信息获取方法、装置及系统 |
US10547674B2 (en) | 2012-08-27 | 2020-01-28 | Help/Systems, Llc | Methods and systems for network flow analysis |
US9680861B2 (en) | 2012-08-31 | 2017-06-13 | Damballa, Inc. | Historical analysis to identify malicious activity |
US10084806B2 (en) | 2012-08-31 | 2018-09-25 | Damballa, Inc. | Traffic simulation to identify malicious activity |
US9166994B2 (en) | 2012-08-31 | 2015-10-20 | Damballa, Inc. | Automation discovery to identify malicious activity |
US9894088B2 (en) | 2012-08-31 | 2018-02-13 | Damballa, Inc. | Data mining to identify malicious activity |
JP6039352B2 (ja) * | 2012-10-12 | 2016-12-07 | キヤノン株式会社 | デバイス管理システム、デバイス管理システムの制御方法、及びプログラム |
US9571511B2 (en) | 2013-06-14 | 2017-02-14 | Damballa, Inc. | Systems and methods for traffic classification |
US10395226B2 (en) * | 2014-01-31 | 2019-08-27 | Ncr Corporation | Maintaining secure access to a self-service terminal (SST) |
EP2991281B1 (en) * | 2014-06-30 | 2019-08-07 | Huawei Technologies Co., Ltd. | Webpage pushing method, device and terminal |
US9449187B2 (en) * | 2014-08-11 | 2016-09-20 | Document Dynamics, Llc | Environment-aware security tokens |
US9930065B2 (en) | 2015-03-25 | 2018-03-27 | University Of Georgia Research Foundation, Inc. | Measuring, categorizing, and/or mitigating malware distribution paths |
CN114385067B (zh) * | 2020-10-19 | 2023-07-18 | 澜起科技股份有限公司 | 用于存储器系统的数据更新方法和存储器控制器 |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2002252626A (ja) * | 2001-02-26 | 2002-09-06 | Yaskawa Electric Corp | Dnsサーバ |
JP2003008662A (ja) * | 2001-06-22 | 2003-01-10 | Furukawa Electric Co Ltd:The | ネットワークアクセス制御方法、その装置およびその装置を用いたネットワークアクセス制御システム |
JP2004193694A (ja) * | 2002-12-09 | 2004-07-08 | Hitachi Ltd | ゲートウェイ装置、情報機器装置及び通信制御方法 |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5898830A (en) * | 1996-10-17 | 1999-04-27 | Network Engineering Software | Firewall providing enhanced network security and user transparency |
US20030154306A1 (en) * | 2002-02-11 | 2003-08-14 | Perry Stephen Hastings | System and method to proxy inbound connections to privately addressed hosts |
US7567510B2 (en) * | 2003-02-13 | 2009-07-28 | Cisco Technology, Inc. | Security groups |
-
2005
- 2005-12-05 EP EP05811793A patent/EP1816812A1/en not_active Withdrawn
- 2005-12-05 WO PCT/JP2005/022306 patent/WO2006067951A1/ja not_active Application Discontinuation
- 2005-12-05 US US11/721,784 patent/US20090254658A1/en not_active Abandoned
- 2005-12-05 JP JP2006548769A patent/JPWO2006067951A1/ja active Pending
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2013035310A1 (ja) * | 2011-09-06 | 2013-03-14 | 日本電気株式会社 | 通信装置、通信システム及び通信方法 |
JPWO2013035310A1 (ja) * | 2011-09-06 | 2015-03-23 | 日本電気株式会社 | 通信装置、通信システム及び通信方法 |
US9306900B2 (en) | 2011-09-06 | 2016-04-05 | Nec Corporation | Communication device, communication system, and communication method |
JP2017005604A (ja) * | 2015-06-15 | 2017-01-05 | 株式会社エヌ・ティ・ティ ピー・シー コミュニケーションズ | 中継装置および中継装置の制御方法 |
Also Published As
Publication number | Publication date |
---|---|
JPWO2006067951A1 (ja) | 2008-06-12 |
US20090254658A1 (en) | 2009-10-08 |
EP1816812A1 (en) | 2007-08-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2006067951A1 (ja) | アクセス制御装置およびアクセス制御方法 | |
US11115500B2 (en) | Request routing utilizing client location information | |
US7415536B2 (en) | Address query response method, program, and apparatus, and address notification method, program, and apparatus | |
Laganier et al. | Host identity protocol (HIP) rendezvous extension | |
JP5551247B2 (ja) | マルチnat64環境のための方法及びホストノード | |
US7437479B2 (en) | Position identifier management apparatus and method, mobile computer, and position identifier processing method | |
EP2266064B1 (en) | Request routing | |
US7685288B2 (en) | Ad-hoc service discovery protocol | |
US8837483B2 (en) | Mapping private and public addresses | |
US8397073B1 (en) | Managing secure content in a content delivery network | |
KR100714111B1 (ko) | IPv6 애니캐스트 서비스 지원을 위한 애니캐스트라우팅 장치 및 방법 | |
US7573903B2 (en) | IPv6/IPv4 translator | |
US10554551B2 (en) | Method to optimize mapping for multiple locations of a device in mobility | |
KR100811890B1 (ko) | 인터넷 시스템에서 서비스 플로우를 보장하는 애니캐스트라우팅 방법 및 장치 | |
US20060056420A1 (en) | Communication apparatus selecting a source address | |
JP2004266568A (ja) | 名前解決サーバおよびパケット転送装置 | |
US20020199015A1 (en) | Communications system managing server, routing server, mobile unit managing server, and area managing server | |
JP2845208B2 (ja) | アドレス解決装置 | |
US20100023620A1 (en) | Access controller | |
JP6014068B2 (ja) | 中継装置及び中継方法、並びにコンピュータ・プログラム | |
JP4352645B2 (ja) | 端末装置、中継装置、通信方法及びその通信プログラムを記録した記録媒体 | |
JP2007166659A (ja) | 名前解決サーバおよびパケット転送装置 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | AK | Designated states | Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KN KP KR KZ LC LK LR LS LT LU LV LY MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| | AL | Designated countries for regional patents | Kind code of ref document: A1 Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| | WWE | Wipo information: entry into national phase | Ref document number: 2006548769 Country of ref document: JP |
| | WWE | Wipo information: entry into national phase | Ref document number: 2005811793 Country of ref document: EP |
| | WWE | Wipo information: entry into national phase | Ref document number: 11721784 Country of ref document: US |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | WWP | Wipo information: published in national office | Ref document number: 2005811793 Country of ref document: EP |
| | WWW | Wipo information: withdrawn in national office | Ref document number: 2005811793 Country of ref document: EP |