Access server and connection restriction method

US 8,082,579 B2
Filed: 06/25/2008
Issued: 12/20/2011
Est. Priority Date: 09/12/2007
Status: Expired due to Fees

First Claim

Patent Images

1. An access server in a network system including an authentication server, a first server or a first communication apparatus to perform a first access restriction or not to perform the access restriction to an access from a user terminal to a site, a second server or a second communication apparatus to perform a second access restriction which is different from the first access restriction to the access from the user terminal to the site, and the access server, the access server comprising:

a plurality of ports for connection with the user terminal, the authentication server, the first server and/or the first communication apparatus, and the second server and/or the second communication apparatus;

a port conversion unit to change, according to time information which are set in advance in the authentication server and which are received from the authentication server when performing a user authentication with the authentication server, an output destination port of a packet from the user terminal to one of the port to which the first server or the first communication apparatus is connected and the port to which the second server or the second communication apparatus is connected;

a filtering unit to perform filtering on the port to which the user terminal is connected;

an authentication processing unit to perform a process for authentication of the user terminal by communicating with the authentication server; and

a memory to store port change setting information to indicate whether port change is performed for the user terminal, one or plural port change times for changing the output destination port of the packet, filtering setting information to indicate whether filtering is performed for the user terminal, a filtering start time and a filtering end time correspondingly to a user identifier,whereinthe authentication processing unit transmits an authentication request to the authentication server when an access is made from the user terminal, receives an authentication packet including an authentication result, the port change setting information, the port change time for changing the output destination port of the packet, the filtering setting information and a filtering time from the authentication server,the authentication processing unit stores the port change setting information, the port change time for changing the output destination port of the packet, the filtering setting information, the filtering start time and the filtering end time included in the authentication packet into the memory correspondingly to the user identifier,the port conversion unit refers to the memory, and in a case where the port change setting information is set to perform the port change on an arbitrary user identifier, when it becomes the corresponding port change time, the port conversion unit changes an output destination of a packet from the user terminal of the user identifier, andthe filtering unit refers to the memory, and in a case where the filtering setting information for an arbitrary user identifier is set to perform the filtering, when it becomes the corresponding filtering start time, the filtering unit performs the filtering on the port to which the user identifier is connected.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The access server receives an authentication packet including an authentication result, a port change setting information, a port change time, a filtering setting information and a filtering time from the authentication server. The access server stores the respective information in the authentication packet into a memory. The access server refers to the memory, and in the case where the port change setting information on an arbitrary user identifier is set to perform port change, when it becomes the port change time, the access server changes the output destination of a packet from a user terminal to, for example, a proxy server B from a proxy server A. Besides, in the case where the filtering setting information on an arbitrary user identifier is set to perform filtering, when it becomes the filtering start time, the access server performs filtering on the port to which the user terminal is connected.

Citations

16 Claims

1. An access server in a network system including an authentication server, a first server or a first communication apparatus to perform a first access restriction or not to perform the access restriction to an access from a user terminal to a site, a second server or a second communication apparatus to perform a second access restriction which is different from the first access restriction to the access from the user terminal to the site, and the access server, the access server comprising:
- a plurality of ports for connection with the user terminal, the authentication server, the first server and/or the first communication apparatus, and the second server and/or the second communication apparatus;
  
  a port conversion unit to change, according to time information which are set in advance in the authentication server and which are received from the authentication server when performing a user authentication with the authentication server, an output destination port of a packet from the user terminal to one of the port to which the first server or the first communication apparatus is connected and the port to which the second server or the second communication apparatus is connected;
  
  a filtering unit to perform filtering on the port to which the user terminal is connected;
  
  an authentication processing unit to perform a process for authentication of the user terminal by communicating with the authentication server; and
  
  a memory to store port change setting information to indicate whether port change is performed for the user terminal, one or plural port change times for changing the output destination port of the packet, filtering setting information to indicate whether filtering is performed for the user terminal, a filtering start time and a filtering end time correspondingly to a user identifier,whereinthe authentication processing unit transmits an authentication request to the authentication server when an access is made from the user terminal, receives an authentication packet including an authentication result, the port change setting information, the port change time for changing the output destination port of the packet, the filtering setting information and a filtering time from the authentication server,the authentication processing unit stores the port change setting information, the port change time for changing the output destination port of the packet, the filtering setting information, the filtering start time and the filtering end time included in the authentication packet into the memory correspondingly to the user identifier,the port conversion unit refers to the memory, and in a case where the port change setting information is set to perform the port change on an arbitrary user identifier, when it becomes the corresponding port change time, the port conversion unit changes an output destination of a packet from the user terminal of the user identifier, andthe filtering unit refers to the memory, and in a case where the filtering setting information for an arbitrary user identifier is set to perform the filtering, when it becomes the corresponding filtering start time, the filtering unit performs the filtering on the port to which the user identifier is connected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The access server according to claim 1, whereinthe first and the second servers are proxy servers different from each other in a use condition of HTTP, andthe access server changes the output port of the packet from the user terminal to the plurality of proxy servers according to the time period by referring to the memory, and Web browsing of the user terminal can be restricted according to the time period.
  - 3. The access server according to claim 1, whereinthe filtering unit refers to the memory, and starts the filtering on the port to which the user identifier is connected when it becomes the corresponding filtering start time, and ends the filtering when it becomes the filtering end time.
  - 4. The access server according to claim 1, whereinthe filtering unit filters at least a packet on web browsing, and does not filter a mail and/or a music file.
  - 5. The access server according to claim 1, whereinthe first and the second communication apparatuses are a first and a second routers, andthe access server changes the output port of the packet to the router from the user terminal according to the time period by referring to the memory, and distributes, for each time period, the packet to the first router not to perform the filtering and the second router to perform the filtering in cooperation with a DNS server.
  - 6. The access server according to claim 1, wherein the memory includesa user management area in which the port change setting information and the filtering setting information are stored correspondingly to the user identifier, anda time period management area in which the one or plural port change times, the filtering start time and the filtering end time are stored correspondingly to the user identifier.
  - 7. The access server according to claim 1, whereinthe memory further stores, correspondingly to a user identifier, output port number information to indicate a port for outputting the packet from the user terminal indicated by the user identifier,the port conversion unit changes the output port number information of the memory when it becomes the port change time, andthe port conversion unit determines the output destination of the packet received from the user terminal in accordance with the output port number information of the memory.
  - 8. The access server according to claim 1, whereinthe user terminal to perform wired communication and/or the user terminal to perform wireless communication in at least a part is accommodated.
  - 9. The access server according to claim 1, further comprisinga timer circuit to manage present time or, to manage a time till the port change time, a time till the filtering start time or, a time till the filtering end time.

10. A connection restriction method in a network system including an authentication server, a first server or a first communication apparatus to perform a first access restriction or not to perform the access restriction to an access from a user terminal to a site, a second server or a second communication apparatus to perform a second access restriction which is different from the first access restriction to an access from the user terminal to the site, and an access server, the connection restriction method comprising:
- transmitting, by the access server, an authentication request to the authentication server when the access is performed from the user terminal;
  
  receiving, from the authentication server, an authentication packet including an authentication result, a port change setting information to indicate whether port change is performed for the user terminal, one or plural port change times for changing the output destination port of the packet, a filtering setting information to indicate whether filtering is performed for the user terminal, a filtering start time and a filtering end time;
  
  storing, correspondingly to a user identifier, the port change setting information, the port change time for changing the output destination port of the packet, the filtering setting information, the filtering start time and the filtering end time included in the authentication packet into a memory;
  
  referring to the memory to change, in a case where the port change setting information on an arbitrary user identifier is set to perform the port change and when it becomes the corresponding port change time, an output destination of a packet from the user terminal of the user identifier to one of a port to which the first server or the first communication apparatus is connected and a port to which the second server or the second communication apparatus is connected; and
  
  performing, in a case where the filtering setting information on an arbitrary user identifier is set to perform the filtering and when it becomes the corresponding filtering start time, the filtering on the port to which the user identifier is connected.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The connection restriction method according to claim 10, further comprisingchanging the output port of the packet from the user terminal to the first and the second servers which are proxy servers different from each other in a use condition of HTTP according to the time period by referring to the memory, and Web browsing of the user terminal can be restricted according to the time period.
  - 12. The connection restriction method according to claim 10, further comprisingreferring to the memory, and starting the filtering on the port to which the user identifier is connected when it becomes the corresponding filtering start time, and ending the filtering when it becomes the filtering end time.
  - 13. The connection restriction method according to claim 10, further comprisingfiltering at least a packet on web browsing, and not filtering a mail and/or a music file.
  - 14. The connection restriction method according to claim 10, further comprisingchanging the output port of the packet to the first and the second communication apparatuses which are a first and a second routers from the user terminal according to the time period by referring to the memory, and distributes, for each time period, the packet to the first router not to perform the filtering and the second router to perform the filtering in cooperation with a DNS server.
  - 15. The connection restriction method according to claim 10, further comprisingchanging the output port number information of the memory which stores, correspondingly to a user identifier, output port number information to indicate a port for outputting the packet from the user terminal indicated by the user identifier, when it becomes the port change time, anddetermining the output destination of the packet received from the user terminal in accordance with the output port number information of the memory.
  - 16. The connection restriction method according to claim 10, further comprisingmanaging present time or, managing a time till the port change time, a time till the filtering start time or, a time till the filtering end time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Shimizu, Shinsuke, Miyata, Hiroaki, Nozue, Daiki
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Cribbs, Malcolm

Application Number

US12/145,778
Publication Number

US 20090070863A1
Time in Patent Office

1,273 Days
Field of Search

726/1, 726/2, 726 11- 14, 713/154
US Class Current

726/12
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

Access server and connection restriction method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Access server and connection restriction method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links