Patents by Inventor Yoichiro Morita

Yoichiro Morita has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20140341219
    Abstract: A communication terminal comprises: first unit that communicates with a network system that includes a forwarding apparatus forwarding a packet and a control apparatus informing the forwarding apparatus of a processing rule prescribing a packet processing method; second unit that determines a processing operation to be executed by the network system from among packet processing operations to be executed by the communication terminal; and third unit that requests the control apparatus to inform the forwarding apparatus of a processing rule corresponding to the determined packet processing operation.
    Type: Application
    Filed: September 14, 2012
    Publication date: November 20, 2014
    Applicant: NEC CORPORATION
    Inventors: Kentaro Sonoda, Yasuhiro Mizukoshi, Hideyuki Shimonishi, Yoichi Hatano, Masayuki Nakae, Masaya Yamagata, Yoichiro Morita, Takayuki Sasaki
  • Publication number: 20140341019
    Abstract: A communication system includes: a forwarding node(s) in which a first packet handling operation(s) for processing incoming packets is set and which processes packets in accordance with the packet handling operation(s); a first control apparatus setting the first packet handling operation(s) in the forwarding node(s); a flow control node(s) arranged upstream of the forwarding node(s); and a second control apparatus setting a second packet handling operation(s) in the flow control node(s). The flow control node(s) intercepts forwarding of packets that do not satisfy a predetermined condition(s) to the forwarding node(s) in accordance with the second packet handling operation(s).
    Type: Application
    Filed: September 12, 2012
    Publication date: November 20, 2014
    Applicant: NEC CORPORATION
    Inventors: Masaya Yamagata, Hideyuki Shimonishi, Kentaro Sonoda, Yoichi Hatano, Masayuki Nakae, Yoichiro Morita, Takayuki Sasaki
  • Publication number: 20140247714
    Abstract: A terminal communicating with a network including a forwarding device(s) for forwarding a packet and a control device for controlling the forwarding device(s) in accordance with a request from the forwarding device, includes: a communication unit that receives a processing rule indicating that a packet for communicating with a first destination is changed so as to communicate with a second destination, from the control device; a storage unit that stores the received processing rule, and a processing unit that in a case of communicating with the network, changes a destination of a packet in accordance with a processing rule that corresponds to the packet by referring to the processing rule stored in the storage unit.
    Type: Application
    Filed: April 18, 2012
    Publication date: September 4, 2014
    Applicant: NEC Corporation
    Inventors: Kentaro Sonoda, Hideyuki Shimonishi, Masayuki Nakae, Masaya Yamagata, Yoichiro Morita
  • Patent number: 8813250
    Abstract: Authority permission grants/denials associated with each of a plurality of roles (R1, R2, . . . , Rm) assigned to one subject are derived by inheritance based on a subject assignment associating a role and a subject, an authority permission assignment associating a role, an authority permission, and a grant/denial, and a role hierarchy indicating an inheritance relation between roles. Among the derived authority permission grants/denials, grants/denials of authority permissions (A1, A2, . . . , An) which are each derived from two or more different roles (R1, R2, . . . , Rm) and which are each granted to one of the plurality of roles R1, R2 . . . Rm but denied to another one of the plurality of roles R1, R2 . . . Rm are determined in accordance with an input. As exceptional authority permission assignment for a virtual exceptional role constituted of a combination of roles (R1, R2, . . . , Rm), authority permission grants/denials associated with each role (R1, R2, . . .
    Type: Grant
    Filed: March 11, 2011
    Date of Patent: August 19, 2014
    Assignee: NEC Corporation
    Inventor: Yoichiro Morita
  • Publication number: 20140123215
    Abstract: A communication control apparatus controls communication between a first apparatus and a second apparatus connected to the first apparatus via a plurality of relay apparatuses. The communication control apparatus comprises: a communication path generation unit that refers to a control policy including access control and supplementary control that is other than the access control from the first apparatus to the second apparatus and refers to network configuration information about a network configuration among the first apparatus, the second apparatus, and the plurality of relay apparatuses and generates a communication path that matches the control policy from the first apparatus to the second apparatus and goes through at least one of the plurality of relay apparatuses; and a communication path control unit that instructs a relay apparatus(es) on the communication path among the plurality of relay apparatuses to execute the access control and the supplementary control included in the control policy.
    Type: Application
    Filed: June 15, 2012
    Publication date: May 1, 2014
    Applicant: NEC Corporation
    Inventors: Masayuki Nakae, Masaya Yamagata, Yoichiro Morita, Hideyuki Shimonishi, Kentaro Sonoda
  • Publication number: 20140098674
    Abstract: A communication system includes: a plurality of forwarding nodes that process a packet transmitted from a user terminal, in accordance with a processing rule that has been set, and a control device that selects a forwarding node in which a processing rule is to be set, from among the plurality of forwarding nodes, such that processing rules are set so as not to be concentrated in a specific forwarding node, based on the number of processing rules that are set in each of the forwarding nodes.
    Type: Application
    Filed: June 1, 2012
    Publication date: April 10, 2014
    Applicant: NEC Corporation
    Inventors: Kentaro Sonoda, Hideyuki Shimonishi, Masayuki Nakae, Masaya Yamagata, Yoichiro Morita
  • Patent number: 8681803
    Abstract: Authentication apparatus authenticates user using host connected to forwarding node. Policy management apparatus holds access control policy for identifying host under access control using identifier of forwarding node or identifier of user, and links identifier of host under access control and identifier of forwarding node to which host is connected, or identifier of host under access control and identifier of user using host. Forwarding node transmits to policy management apparatus identifier of host connected to own forwarding node and identifier of own forwarding node. Authentication apparatus transmits to policy management apparatus identifier of host connected to forwarding node and identifier of user. Policy management apparatus refers to access control policy and, if host connected to forwarding node is under access control, notifies content of access control to control apparatus as access control list.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: March 25, 2014
    Assignee: NEC Corporation
    Inventors: Yoichiro Morita, Masayuki Nakae, Masaya Yamagata, Takayuki Sasaki, Hideyuki Shimonishi, Kentaro Sonoda, Yoichi Hatano
  • Publication number: 20140079070
    Abstract: A terminal communicating with a network including a forwarding device for forwarding a packet and a control device for controlling the forwarding device in accordance with a request from the forwarding device, includes: a communication unit that receives a processing rule specifying a method of processing the packet, which is determined by the control device, from the control device, a storage unit that stores the received processing rule, and a processing unit that in a case of communicating with the network, processes the packet in accordance with the processing rule that corresponds to the packet by referring to the processing rule stored in the storage unit.
    Type: Application
    Filed: April 17, 2012
    Publication date: March 20, 2014
    Applicant: NEC Corporation
    Inventors: Kentaro Sonoda, Hideyuki Shimonishi, Masayuki Nakae, Masaya Yamagata, Yoichiro Morita
  • Publication number: 20140075510
    Abstract: A communication system includes an information acquisition unit that acquires information for determining an isolation level to which a user terminal belongs, from the user terminal; an isolation level determination unit that determines an isolation level to which the user terminal belongs, based on the acquired information; an isolation level information storage unit that defines whether or not access is possible to respective access destinations for each isolation level; an access control unit that causes a forwarding node(s) to implement forwarding or dropping of a packet, in accordance with whether or not access is possible to the respective access destinations; and a forwarding node(s) that forwards a packet in accordance with control of the access control unit. Stepwise access control is realized using isolation levels.
    Type: Application
    Filed: May 22, 2012
    Publication date: March 13, 2014
    Applicant: NEC Corporation
    Inventors: Kentaro Sonoda, Hideyuki Shimonishi, Masayuki Nakae, Masaya Yamagata, Yoichiro Morita
  • Publication number: 20130329738
    Abstract: A communication system comprises: a plurality of forwarding nodes each of which processes an incoming packet in accordance with a packet handling operation; a data base which stores a first table for determining a role of a user of a source node from information about the source node and a second table for defining an accessible or inaccessible resource for each role and which transmits a response about a resource accessible or inaccessible by the user of the source node in response to a request from a control apparatus; and a control apparatus which uses, when receiving a request for setting the processing rule from any one of the forwarding nodes, information about the source node included in the request for setting the processing rule, querying the data base for a resource accessible or inaccessible by the user of the source node, creating the processing rule based on the response from the data base, and setting the processing rule in the forwarding node.
    Type: Application
    Filed: February 20, 2012
    Publication date: December 12, 2013
    Applicant: NEC CORPORATION
    Inventors: Masaya Yamagata, Masayuki Nakae, Yoichiro Morita, Hideyuki Shimonishi, Kentaro Sonoda
  • Publication number: 20130322257
    Abstract: A communication system includes a control device; a forwarding node that processes, in accordance with a processing rule set by control device, a packet transmitted from a user terminal; and a policy management device that manages communication policy and notifies the control device of communication policy that corresponds to a user for whom authentication has succeeded; a setting request transmission permitting unit that, based on notification from the policy management device, sets to a forwarding node that receives a packet from the user terminal a first processing rule causing the forwarding node to make a setting request of processing rule with regard to a packet transmitted from the user terminal; and a path control unit that determines path from user terminal to access destination and sets to forwarding node along the path the second processing rule that corresponds to the path.
    Type: Application
    Filed: August 30, 2011
    Publication date: December 5, 2013
    Applicant: NEC Corporation
    Inventors: Hideyuki Shimonishi, Kentaro Sonoda, Masayuki Nakae, Masaya Yamagata, Yoichiro Morita
  • Publication number: 20130275620
    Abstract: A communication system comprises: a plurality of forwarding nodes processing an incoming packet in accordance with a processing rule (packet handling operation) in which a matching rule for determining a packet to be processed and a processing content applied to a packet matching the matching rule are associated with each other; an address management apparatus giving an address to a host; and a control apparatus first setting a first processing rule for realizing communication between the host and the address management apparatus in a forwarding node between the host and the address management apparatus and thereafter setting a second processing rule for realizing communication between a host given an address by the address management apparatus and a predetermined network resource.
    Type: Application
    Filed: April 20, 2012
    Publication date: October 17, 2013
    Applicant: NEC CORPORATION
    Inventors: Yoichiro Morita, Masayuki Nakae, Masaya Yamagata, Hideyuki Shimonishi, Kentaro Sonoda
  • Publication number: 20130263214
    Abstract: The present invention implements detailed access control according to access rights granted to users, by a simple configuration.
    Type: Application
    Filed: December 22, 2011
    Publication date: October 3, 2013
    Applicant: NEC CORPORATION
    Inventors: Masaya Yamagata, Masayuki Nakae, Yoichiro Morita, Hideyuki Shimonishi, Kentaro Sonoda
  • Publication number: 20130195112
    Abstract: Authentication apparatus authenticates user using host connected to forwarding node. Policy management apparatus holds access control policy for identifying host under access control using identifier of forwarding node or identifier of user, and links identifier of host under access control and identifier of forwarding node to which host is connected, or identifier of host under access control and identifier of user using host. Forwarding node transmits to policy management apparatus identifier of host connected to own forwarding node and identifier of own forwarding node. Authentication apparatus transmits to policy management apparatus identifier of host connected to forwarding node and identifier of user. Policy management apparatus refers to access control policy and, if host connected to forwarding node is under access control, notifies content of access control to control apparatus as access control list.
    Type: Application
    Filed: September 14, 2012
    Publication date: August 1, 2013
    Applicant: NEC CORPORATION
    Inventors: Yoichiro Morita, Masayuki Nakae, Masaya Yamagata, Takayuki Sasaki, Hideyuki Shimonishi, Kentaro Sonoda, Yoichi Hatano
  • Publication number: 20130160076
    Abstract: A precedence constraint solving means generates a set of authorities without a precedence constraint into a temporary storing means from a set of authorities having a precedence constraint extracted for a role. At this moment, the precedence constraint solving means derives an authority in accordance with an order satisfying the precedence constraint from the set of authorities having the precedence constraint and, when an object of the derived authority includes an object of an authority having the same action already generated in the temporary storing means and permission/denial identifiers of both the authorities are different from each other, divides the derived authority into a plurality of authorities having objects of the same granularity as that of the included object, and stores only an authority having a different object from the included object into the temporary storing means.
    Type: Application
    Filed: June 10, 2011
    Publication date: June 20, 2013
    Applicant: NEC CORPORATION
    Inventor: Yoichiro Morita
  • Publication number: 20130148500
    Abstract: A terminal communicating via a network including a forwarding device(s) for forwarding a packet and a control device for controlling the forwarding device(s) in accordance with a request from the forwarding device, includes: a communication unit that receives a processing rule specifying a process of adding, to a packet, quality information related to communication quality with respect to the terminal, from the control device, a memory unit that stores the received processing rule, and a processing unit that in a case of communicating via the network, adds quality information to a packet in accordance with a processing rule that corresponds to the packet by referring to the processing rule stored in the memory unit.
    Type: Application
    Filed: April 16, 2012
    Publication date: June 13, 2013
    Inventors: Kentaro Sonoda, Hideyuki Shimonishi, Masayuki Nakae, Masaya Yamagata, Yoichiro Morita
  • Publication number: 20130024909
    Abstract: Authority permission grants/denials associated with each of a plurality of roles (R1, R2, . . . , Rm) assigned to one subject are derived by inheritance based on a subject assignment associating a role and a subject, an authority permission assignment associating a role, an authority permission, and a grant/denial, and a role hierarchy indicating an inheritance relation between roles. Among the derived authority permission grants/denials, grants/denials of authority permissions (A1, A2, . . . , An) which are each derived from two or more different roles (R1, R2, . . . , Rm) and which are each granted to one of the plurality of roles R1, R2 . . . Rm but denied to another one of the plurality of roles R1, R2 . . . Rm are determined in accordance with an input. As exceptional authority permission assignment for a virtual exceptional role constituted of a combination of roles (R1, R2, . . . , Rm), authority permission grants/denials associated with each role (R1, R2, . . .
    Type: Application
    Filed: March 11, 2011
    Publication date: January 24, 2013
    Applicant: NEC CORPORATION
    Inventor: Yoichiro Morita
  • Publication number: 20110010754
    Abstract: When access control implementing sections of many types different depending on an object are connected simultaneously, an access control list applied to each of the access control implementing sections is generated in a format corresponding to each access control implementing section, and a process of transferring to each access control implementing section is collectively executed based on an access control policy. Specifically, the access control lists different every access control implementing section are generated from a same access control policy based on a relation between an object and an access control implementing section for the access control implementing sections.
    Type: Application
    Filed: March 9, 2009
    Publication date: January 13, 2011
    Inventor: Yoichiro Morita
  • Patent number: 7624424
    Abstract: A policy storage stores an access control policy as a set of setting information items to make resources (access destinations) shared by an ad hoc group. When a part of the access control policy is edited, a policy analyzer updates a rule generated from the edited access control policy. At this time, the rule is updated with use of object knowledge having a data configuration capable of expressing a user as belonging to plural user groups. An access control list setting means updates a part of an access control list, based on the updated rule. Accordingly, an access control list can be generated with respect to a user group including a user who belongs to plural organizations, and the access control list can be updated efficiently.
    Type: Grant
    Filed: May 20, 2005
    Date of Patent: November 24, 2009
    Assignee: NEC Corporation
    Inventors: Yoichiro Morita, Masayuki Nakae
  • Publication number: 20050262132
    Abstract: A policy storage stores an access control policy as a set of setting information items to make resources (access destinations) shared by an ad hoc group. When a part of the access control policy is edited, a policy analyzer updates a rule generated from the edited access control policy. At this time, the rule is updated with use of object knowledge having a data configuration capable of expressing a user as belonging to plural user groups. An access control list setting means updates a part of an access control list, based on the updated rule. Accordingly, an access control list can be generated with respect to a user group including a user who belongs to plural organizations, and the access control list can be updated efficiently.
    Type: Application
    Filed: May 20, 2005
    Publication date: November 24, 2005
    Inventors: Yoichiro Morita, Masayuki Nakae