JP2006178894A - Access control system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an access control system capable of efficiently restricting access to a specific Web site when a member of an organization accesses the Internet using a server provided by the organization as a gate.
An access control program used for a gate server in an access control system in which a gate server is provided between a plurality of terminals and the Web and controls access to the Web from the terminals, and is used by members of an organization Receiving an access request for accessing the Web from a terminal other than the premises where the gate server is installed, detecting whether to permit the access request according to the policy of the organization, and controlling access. Do.
[Selection] Figure 1

Description

  The present invention relates to an access control system and an access control program for restricting access to a specific Web server performed through a network.

  Conventionally, various information can be obtained by accessing a server from a terminal device via the Internet. However, there are websites on the Internet that provide useful information for users, but there are websites that are inappropriate for children to browse, such as violent images and pornographic images. In order to deal with this problem, conventionally, a control system for restricting access to harmful websites when the Internet is used by young children is known.

Some of such control systems include an ISP (Internet Service Provider) between an Internet provider and a terminal computer (user). For example, as shown in FIG. 2, this ISP performs filtering, so that harmful information can be blocked out of access information performed between the provider and the user. Such filtering techniques are described in, for example, the following prior art documents 1, 2, 3, and the like. Here, the provider may undertake such a filtering role.
In addition, as shown in FIG. 3, when a company, an organization, a school, etc. installs its own filtering gate server and accesses the Internet from a terminal in the company, the filtering gate server Connected to the Internet after accessing. In this filtering gate server, access from terminals in the company is restricted.
Japanese Patent Application Laid-Open No. 2002-236631 JP 2002-073548 A JP 2000-341362 A

However, for example, when an elementary school student browses content using a terminal in the school, only appropriate content can be browsed, but even when accessing the Internet from a home terminal after returning home, It is desirable to restrict the browsing of appropriate content.
Here, in the prior art, when accessing the Internet from each home terminal, there is a problem that no measures are taken at present in how to limit access to harmful sites. Here, when taking measures, parents and the like must regulate content browsing according to their users (children), but it is necessary to fully consider what kind of content should be regulated and protected Burden the person. Such a problem may occur not only in schools but also in companies and various organizations (regions and religions).

The present invention has been made in view of such circumstances, and an object thereof is to restrict access to a specific Web site when an organization member accesses the Internet using a server provided by the organization as a gate. It is an object of the present invention to provide an access control system and an access control program that can efficiently perform the above.
It is another object of the present invention to provide an access control system that can charge each member efficiently when operating such an access control system.

  In order to solve the above-described problem, the present invention provides an access control system in which a gate server is provided between a plurality of terminals and the Web, and controls access to the Web from the terminal, wherein the gate server includes: , Having an access control unit that permits access to the Web in accordance with a policy of a predetermined group, and the terminal is a terminal used by a member of the group, and from other than the premises where the gate server is installed An access unit that accesses the Web via a gate server is provided.

  In addition, the present invention is an access control system in which a gate server is provided between a plurality of terminals and the Web, and an access control to the Web from the terminal is performed, and is provided between the gate server and the Web. , Having an access control device that permits access to the Web in accordance with a policy of a predetermined group, wherein the terminal is a terminal used by a member of the group, and from other than the premises where the gate server is installed It has an access part which accesses the said Web via a gate server and the said access control apparatus, It is characterized by the above-mentioned.

  The present invention is also an access control system in which a gate server is provided between a plurality of terminals and the Web, and the access control to the Web from the terminal is performed. The gate server conforms to a policy of a predetermined group. And a storage unit for storing information for restricting access to the Web in response, and receiving an access request from the terminal, and detecting whether the access is permitted to the received access destination with reference to the storage unit An access control unit, and the terminal is a terminal used by a member of the organization, and when accessing the Web from outside the premises where the gate server is installed, the gate server is used as a connection destination. And a connecting portion to be connected.

According to the present invention, in the above-described access control system, an authentication unit that performs user authentication in response to a change request related to a connection destination of the connection unit, and the connection destination is changed when authentication is not established by the authentication unit. A connection destination setting unit that is not permitted.
Further, the present invention is characterized in that, in the above-described access control system, the gate server includes a billing processing unit that performs billing processing for a user who is to receive the access control service.

  The present invention also provides an access control program used for a gate server in an access control system in which a gate server is provided between a plurality of terminals and the Web, and controls access to the Web from the terminals. A step of receiving an access request for accessing the Web via the gate server from outside the premises where the gate server is installed, and the access request according to the policy of the organization And detecting whether to permit or not and performing access control.

  As described above, according to the present invention, a terminal used by a member of an organization receives an access request for accessing the Web via the gate server from a site other than the premises where the gate server is installed. Detecting whether access requests are permitted according to policy and performing access control, so even if accessed from a terminal located outside the premises, access control is performed according to the policy of the organization Accordingly, it is possible to unify the policies so as to be the same as that of the group even at home.

  In addition, according to the present invention, since charging processing is performed for users who are subject to access control services, it is possible to efficiently enclose users (members) compared to calling for subscription to an unspecified number of users. It is possible to improve the recovery efficiency of the consideration.

Hereinafter, an access control system according to an embodiment of the present invention will be described with reference to the drawings. FIG. 1 is a schematic configuration diagram showing a configuration of an access control system according to an embodiment of the present invention.
In this figure, in the access control system, a terminal 1 is connected to a filtering gate server 4 via an ISP (Internet service provider) 2 and the Internet 3, and the filtering gate server 4 is connected to the Internet 6 via an ISP 5. The A Web server capable of distributing various contents is connected to the Internet 6.

The filtering gate server 4 is owned by a predetermined group such as a company, a local group, or a school, and the access destination is controlled by permitting access only to a Web site according to the policy of the predetermined group. I do.
The terminal 1 is used by members of a predetermined organization that manages the filtering gate server 4 and is provided outside the premises where the filtering gate server 4 is installed. From the place other than the premises, the filtering gate server is provided. 4 to access websites on the Web. Here, if the organization is a company, the member is an employee of the company or an employee of a group company related to the company. This group company may be, for example, a company that is a business partner of the company. The relationship between the organization and the members may be, for example, a local business association and a member belonging to the business association, a school and its students, or the like.

  Here, when the group is a school, the filtering gate server 4 receives access from a terminal provided in the school premises and controls the access destination. In the present invention, the filtering gate server 4 is provided outside the premises. Accept access from other terminals. The terminal other than the premises is, for example, a terminal provided at the student's home, and accesses the school filtering gate server 4 from the home. As a result, even if a home terminal is used, the access destination can be controlled with the same policy as the school, and the site can be browsed under a policy unified between the school and the home.

As described above, the filtering gate server 4 is provided in the organization, and the members access the terminal from a location other than the premises to realize access control. For example, the following effects can be obtained.
(1) A company owns a server, and lends a terminal to the same group company, such as a business partner, and allows the company to browse the Internet with the same policy by allowing the same company group to access the server once. it can. This makes it possible to restrict browsing to sites that publish information that is not related to the company, so that the company can provide only the necessary information to the members of the company group as a terminal that can be viewed. be able to.
(2) The Dan family can browse the Internet according to the regulation policy of the religious organization to which he belongs.
(3) The guardian can allow the child to browse the Internet with the same content regulation policy as the school, and can match the educational policy between the home and the school. As a result, it is possible to reduce the burden on the parent regarding policy management.

  Here, in the case of an access control system provided in the past, since the policy differs depending on the service provider, the user must select the service as appropriate, and himself (or his child, etc.) ), It is difficult to select which service to enter if you want to view content with the same policy as the organization to which it belongs. In addition, there is a problem that the service content and the target policy do not always match. Furthermore, there are services that allow users to set policies themselves, but setting them is difficult unless they have sufficient computer knowledge. However, by applying the access control system of the present invention, it can be received at home according to the policy desired by itself.

  In addition, by charging users of this access control system, the organizations that own the server are able to make capital investment, cost, By pricing and providing within the balance of business operations, users (members) can be enclosed more efficiently than when calling for subscription to an unspecified number of people, and the collection efficiency of consideration is improved. Can do. In addition, the organization can use the collected consideration for server capital investment. The billing process will be described later.

Next, the above-described access control system will be further described. FIG. 4 is a schematic block diagram for explaining functions of the terminal and the filtering gate server. In this figure, only the terminal 1 and the filtering gate server 4 are shown.
In the terminal 1, the connection destination setting unit 11 sets (stores) connection destination information for designating the filtering gate server 4 as a connection destination in the connection destination information storage unit 13. This connection destination information includes, for example, an IP address and a port number.
In response to the change request for changing the connection destination information stored in the connection destination information storage unit 13, the authentication unit 12 accepts a password input from the user and is registered through an input device such as a keyboard or a mouse. The user authentication is performed in comparison with the password, and when the authentication is established, the change of the connection destination information is permitted, and when the authentication is not established, the process of not permitting the change of the connection destination information is performed. This change of the connection destination information includes rewriting of the connection destination information, deletion of the connection destination information, deletion of the application itself that accesses the filtering gate server 4 based on the connection destination information, and the like.

The access input unit 14 specifies an URL serving as access destination information and makes an access request.
The connection unit 15 uses the filtering gate server 4 specified by the connection destination information stored in the connection destination information storage unit 13 as a connection destination when accessing the Web from outside the premises where the filtering gate server 4 is installed. Connect and transmit the access request input from the access input unit 14.
The content display unit 16 receives and displays content transmitted from a server on the Web.
The user registration unit 17 has a function of registering a user who subscribes to a service provided by the filtering gate server 4 in the filtering gate server 4. Here, the information used for registration is information for identifying the user, and includes, for example, name, address, date of birth, contact information, payment method, ID and password used for login.

Next, the filtering gate server 4 will be described.
In the filtering gate server 4, the access request receiving unit 41 receives an access request transmitted from the connection unit 15 of the terminal 1.
The policy database 42 stores information for restricting access according to the policy of the organization that manages the filtering gate server 4. Here, a list of URLs of sites to which access is permitted may be stored, or a list of URLs of sites to which access is not permitted may be stored.

  The search unit 43 receives an access request from the terminal by the access request receiving unit 41 and detects whether or not access is permitted to the access destination included in the received access request with reference to the policy database 42. When the search unit 43 permits access, it is an access request for a URL registered in the list as a site where access is permitted, or access to a URL other than the list registered as not permitting access. This is the case. The case where access is not permitted is a case where the access request is for a URL registered as one where access is not permitted, or the case where the access is a request other than a URL registered as a site where access is permitted.

  The response unit 44 makes a response to the content browsing request. Specifically, when access is permitted in the search unit 43, a content transmission request unit 45 that requests an access request from the terminal 1 to access a server specified by the URL and to transmit content to the terminal 1; When the access is not permitted in the search unit 43, a non-browsing notification unit 46 that transmits a non-browsing notification that notifies the terminal 1 that the content cannot be browsed is provided.

The user information database 47 stores the user information transmitted from the terminal 1 as information related to the service target user.
Based on the user information registered in the user information database 47, the billing processing unit 48 performs billing processing for a user who is to receive an access control service. Here, settlement processing such as credit settlement processing and bank withdrawal processing is performed based on the registered user information settlement method.

Next, the operation of the access control system described above will be described with reference to the drawings. First, an operation for initial setting of connection destination information and the like in the terminal 1 will be described. The initial setting is preferably performed by a user other than the user who wants to perform access control. For example, when the group is a school and the member is a student, the initial setting is performed by the parent of the student. .
FIG. 5 is a flowchart for explaining the initial setting. First, an application for performing access control in the present invention is installed in the terminal 1, and when the application is activated, a user input screen for connection destination information and a password is displayed on the display screen. An example of this screen is shown in FIG. Then, when the user inputs the IP address of the filtering gate server 4 as the connection destination information, inputs the password, and clicks the OK button, the connection destination information setting unit 11 sets the input IP address to the connection destination. The information is written in the information storage unit 13 (step S11), and the password is written in a predetermined memory area of the authentication unit 12 (step S12).

Next, the operation for changing the connection destination information will be described with reference to the flowchart of FIG.
When an instruction to change connection destination information is input from the user (step S21), the authentication unit 12 displays a screen for requesting password input and requests password input from the user (step S22). When the password is input by the user, it is detected whether or not the input password matches the registered password (step S23). If the password does not match, the change of the connection destination information is not permitted. If they match, the change of the connection destination information is accepted and the setting is changed (step S24).
According to this embodiment, when the passwords match, the connection destination can be changed. For example, only the parent who knows the password can change the connection destination information. It is possible to prevent connection to the Internet via a server other than the above.

Next, the operation for controlling the access destination according to the policy will be described with reference to the flowchart of FIG.
First, after the terminal 1 is activated, a user login input is accepted (step S31). After the login is successfully completed, a URL desired to be browsed is specified and a site access request is input (step S32). The unit 15 transmits an access request together with the URL specified for the filtering gate server 4 based on the connection destination information stored in the connection destination information storage unit 13 (step S33).

  When the access request received from the terminal 1 is received by the access request receiving unit 41 (Step S41), the search unit 43 of the filtering gate server 4 searches the URL of the access request from the list in the policy database 42, and the access is received. Whether it is permitted or not is detected (step S42). Here, when the URL requested for access is detected from the list of URLs that are not permitted to access, it is detected as unauthorized access (step S43), and the terminal 1 is notified that browsing is not possible (step S44). ).

  On the other hand, if the requested URL is not detected from the list of URLs that are not permitted to be accessed, it is detected as permitted access (step S43), and the content corresponding to the requested URL is transmitted to the terminal 1. An access request for requesting to be transmitted is transmitted to the Web server specified by the URL (step S45).

  When receiving the access request from the filtering gate server 4 (step S51), the Web server transmits the content specified by the URL to the terminal 1 (step S52). The terminal 1 receives the content transmitted from the web server, and displays the content by the content display unit 16 (step S34).

  In the above-described embodiment, the functions of the search unit 43 and the response unit 44 provided in the filtering gate server 4 may be provided in the terminal 1, and filtering may be performed on the terminal 1 side. Here, the policy database 42 may be connected via a network, or may be provided in the terminal 1 so that the latest policy data is downloaded and updated from the server at a predetermined timing. Good.

  Further, the processing of the connection destination information setting unit 11, the authentication unit 12, the access input unit 14, the connection unit 15, the content display unit 16, and the user registration unit 17 in FIG. 4, the access request reception unit 41, and the search unit 43 in FIG. , A program for realizing the functions of the response unit 44, the content transmission request unit 45, the browsing impossible notification unit 46, and the charging processing unit 48 is recorded on a computer-readable recording medium, and the program recorded on the recording medium is recorded. Access control may be performed by reading the program into a computer system and executing it. Here, the “computer system” includes an OS and hardware such as peripheral devices.

Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW system is used.
The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. Furthermore, the “computer-readable recording medium” dynamically holds a program for a short time like a communication line when transmitting a program via a network such as the Internet or a communication line such as a telephone line. In this case, a volatile memory in a computer system serving as a server or a client in that case, and a program that holds a program for a certain period of time are also included. The program may be a program for realizing a part of the functions described above, and may be a program capable of realizing the functions described above in combination with a program already recorded in a computer system.

  The embodiment of the present invention has been described in detail with reference to the drawings. However, the specific configuration is not limited to this embodiment, and includes design and the like within a scope not departing from the gist of the present invention.

It is a schematic block diagram which shows the structure of the access control system by one Embodiment of this invention. It is a figure for demonstrating the conventional filtering. It is a figure for demonstrating the conventional filtering. It is a schematic block diagram for demonstrating the function of a terminal and the gate server for filtering. It is a flowchart for demonstrating the initial setting of a terminal. It is drawing which shows an example of the user input screen of connection destination information and a password. It is a flowchart for demonstrating the operation | movement which changes connection destination information. It is a flowchart for demonstrating the operation | movement which performs control of an access destination according to a policy.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Terminal 4 Gate server for filtering 11 Connection destination information setting part 12 Authentication part 13 Connection destination information storage part 14 Access input part 15 Connection part 16 Content display part 17 User registration part 41 Access request reception part 42 Policy database 43 Search part 44 Response Unit 45 content transmission request unit 46 browsing impossible notification unit 47 user information database 48 accounting processing unit

Claims (6)

A gate server is provided between a plurality of terminals and the Web, and is an access control system for controlling access to the Web from the terminal,
The gate server has an access control unit that permits access to the Web according to a policy of a predetermined group,
The terminal is a terminal used by a member of the organization, and has an access unit that accesses the Web via the gate server from outside the premises where the gate server is installed. . A gate server is provided between a plurality of terminals and the Web, and is an access control system for controlling access to the Web from the terminal,
An access control device provided between the gate server and the Web and permitting access to the Web according to a policy of a predetermined group;
The terminal is a terminal used by a member of the organization, and has an access unit that accesses the Web from outside the premises where the gate server is installed via the gate server and the access control device. And access control system. A gate server is provided between a plurality of terminals and the Web, and is an access control system for controlling access to the Web from the terminal,
The gate server includes storage means for storing information for restricting access to the Web according to a policy of a predetermined group;
An access control unit that receives an access request from the terminal and detects whether to permit access to the received access destination with reference to the storage unit;
The terminal is a terminal used by a member of the organization,
A connection unit that connects the gate server as a connection destination when accessing the Web from outside the premises where the gate server is installed;
An access control system comprising: An authentication unit that performs user authentication in response to a change request related to the connection destination of the connection unit;
When authentication is not established by the authentication unit, a connection destination setting unit that does not allow the connection destination to be changed, and
An access control system comprising: The gate server is
5. The access control system according to claim 1, further comprising: a billing processing unit that performs billing processing for a user who is to receive the access control service. An access control program used for a gate server in an access control system in which a gate server is provided between a plurality of terminals and the Web, and controls access to the Web from the terminal,
Receiving an access request for accessing the Web via the gate server from a terminal used by a member of the organization other than the premises where the gate server is installed;
Detecting whether to permit the access request according to the policy of the organization, and performing access control;
An access control program comprising:

Images