Summary of the invention
Embodiments of the invention provide a policy synchronization method, system and device that synchronize the policies of a firewall and a server quickly, update the permissions of user terminals quickly, and control the network access permissions of terminals more flexibly.
Embodiments of the invention provide a policy synchronization method, applied to a system comprising a firewall and a server, comprising:
The firewall receives a policy update message sent by the server, where the policy specifically comprises: at least one role for use by a user terminal and/or the role rules corresponding to the role; the role rules are implemented by access control lists (ACLs), and each role corresponds to a plurality of role rules;
The firewall updates its local policy according to the policy update message, comprising:
The firewall obtains the policy identifier and the corresponding timestamp carried in the policy update message, where the timestamp comprises a role timestamp and a role rule timestamp;
The firewall compares, according to the policy identifier, the corresponding local timestamp with the timestamp carried in the policy update message;
The firewall updates the local policy according to the result of the timestamp comparison, so that it is synchronized with the policy on the server.
Embodiments of the invention also provide a policy synchronization method, applied to a system comprising a firewall and a server, comprising:
The server receives a policy synchronization request message sent by the firewall, where the policy specifically comprises: at least one role for use by a user terminal and/or the role rules corresponding to the role; the role rules are implemented by access control lists (ACLs), and each role corresponds to a plurality of role rules;
The server generates a policy update message according to the policy synchronization request message; the policy update message carries a policy identifier and the corresponding timestamp, where the timestamp comprises a role timestamp and a role rule timestamp;
The server sends the policy update message to the firewall.
Embodiments of the invention also provide a firewall device, comprising:
A policy update message receiving unit, configured to receive the policy update message sent by the server, where the policy specifically comprises: at least one role for use by a user terminal and/or the role rules corresponding to the role; the role rules are implemented by access control lists (ACLs), and each role corresponds to a plurality of role rules. The policy update message carries a policy identifier and the corresponding timestamp, where the timestamp comprises a role timestamp and a role rule timestamp;
A policy update unit, configured to update the local policy according to the policy update message received by the policy update message receiving unit, so that it is synchronized with the policy on the server.
Embodiments of the invention also provide a server, comprising:
A synchronization request receiving unit, configured to receive the policy synchronization request message sent by the firewall, where the policy specifically comprises: at least one role for use by a user terminal and/or the role rules corresponding to the role; the role rules are implemented by access control lists (ACLs), and each role corresponds to a plurality of role rules;
A policy update message generation unit, configured to generate a policy update message according to the policy synchronization request message, the policy update message carrying a policy identifier and the corresponding timestamp, where the timestamp comprises a role timestamp and a role rule timestamp;
A policy update message sending unit, configured to send the policy update message to the firewall.
In the embodiments of the invention, the firewall and the server exchange policy update messages, so the role rules bound to a terminal user can be updated, and more policies synchronized, quickly, and the synchronized policy does not need to be configured manually on the firewall. The permissions of a user terminal can therefore be updated faster and the network access permissions of terminals controlled more flexibly. In addition, external users can be prevented from accessing the intranet, and legitimate but unsafe internal users can be prevented from connecting to the enterprise network and further infecting the company network.
Embodiment
The technical solutions in the embodiments of the invention are described below clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the protection scope of the invention.
The specific embodiments of the invention are described in further detail below with reference to the drawings and examples:
Embodiments of the invention provide a policy synchronization method which, on the basis of the existing manual configuration of ACLs on a firewall, adds a method by which the server issues ACLs to the firewall, so that the policies of the firewall and the server are synchronized quickly. The permissions of a user terminal are updated quickly by changing the role (permission set) bound to the user and by changing the role rules themselves. The network access permissions of terminals are controlled more flexibly, and different permissions are opened to different users and to users in different security states. After the server has authenticated and security-checked a terminal, it notifies the firewall of the result, and the firewall decides the terminal's access rights according to the server's information: external users are prevented from accessing the intranet, legitimate but unsafe internal users are prevented from connecting to the enterprise network and further infecting the company network, users connected to the network without verification are isolated, various attacks can be guarded against, and user access to resources can be audited.
Embodiments of the invention provide a policy synchronization method, applied to a system comprising a firewall and a server, which, as shown in Figure 1, comprises the following steps:
Step s101: the firewall receives the policy update message sent by the server.
Step s102: the firewall updates its local policy according to the policy update message, so that it is synchronized with the policy on the server.
Embodiments of the invention also provide a policy synchronization method, applied to a system comprising a firewall and a server, which, as shown in Figure 1-A, comprises the following steps:
Step s101-A: the server receives the policy synchronization request message sent by the firewall.
Step s102-A: the server generates a policy update message according to the policy synchronization request message.
Step s103-A: the server sends the policy update message to the firewall.
Specifically, the policy involved in the embodiments of the invention comprises: at least one role for use by a user terminal and the role rules corresponding to that role, where the different role rules are implemented by the access control list (ACL) function.
Existing manual configuration is inefficient, ACLs cannot be updated in real time, and changing a user's permission set is cumbersome. The embodiments of the invention synchronize the policies of the firewall and the server by three policy synchronization methods: the firewall actively requests the policy from the server; the server actively notifies the firewall of policy changes; and manual policy synchronization. Using these three methods, the policies of the firewall and the server are kept synchronized.
In the embodiments of the invention, the policy comprises user terminals, roles and role rules (also called permissions). The relationship between roles and role rules is shown schematically in Figure 2: each role can be regarded as a permission set, and each permission set is in turn a combination of rules comprising different ACLs. By binding to each role an ACL group comprising different ACL rules, each role is given the permissions corresponding to that ACL group. Suppose a user terminal has roles A and B at the same time; the terminal then has the role rules corresponding to roles A and B, and cannot access resources outside those role rules. By binding different roles to different user terminals, different user terminals are given different role rules. To modify the permissions of a user terminal, a new role can be bound to the user on the server, or the role rules bound to the terminal can be modified. Only the corresponding change on the server is needed to change the user's permissions easily.
In the embodiments of the invention, the flow in which the firewall actively requests policy synchronization from the server is shown in Figure 3 and comprises the following steps:
Step s301: after the firewall starts, it actively requests a connection to the server, and begins policy synchronization once the connection succeeds.
The policy synchronization operation between the firewall and the server is carried out by a timestamp-based mechanism. A timestamp is a counter of a specified byte length and may comprise a role timestamp and a role rule timestamp; each role has its own role timestamp, and each role rule also has its own role rule timestamp. Each time the server modifies a role (including changing the role's own attributes, adding a role rule, modifying a role rule or deleting a role rule), the role timestamp increases, and the role rule timestamp of the affected role rule is changed at the same time according to the operation on that rule.
After the firewall starts and connects to the server, or re-establishes the connection, the firewall sends a policy synchronization request message to the server carrying all local role information, comprising role IDs and role timestamps.
Step s302: the server obtains the policies that have changed according to the message sent by the firewall.
Specifically, the server determines the policy changes that have occurred by the following timestamp-based mechanism.
Since role IDs are generally arranged in order, the server can compare the local role information with the role information sent by the firewall one by one according to role ID. If a role ID exists on the server but not on the firewall, the role is newly added on the server and needs to be added on the firewall. If a role ID exists on both the server and the firewall, the timestamps can be compared as described in Table 1 below, taking role A as an example.
Table 1: Comparison method for a role ID on the server and on the firewall

Timestamp of role A on the firewall | Timestamp of role A on the server | Comparison result
5 | 5 | Role unchanged on the server; no synchronization needed
6 | 8 | Role changed on the server; synchronization needed
7 | 0 | Role deleted on the server; the firewall must also delete it
8 | 7 | Cannot occur: the firewall does not modify issued policy
Step s303: the server sends a policy update message to the firewall.
The server sends the policy update message to the firewall according to this comparison result. It may first send the messages for all roles that need to be modified or deleted, and then send the role information that needs to be added.
Step s304: the firewall updates the local policy according to the policy update message issued by the server, ensuring consistency with the server.
After the firewall receives the policy update message issued by the server, it compares the role information to be updated with the local roles by ID: if the timestamp is 0, it deletes the role and all the role rules under it; if the timestamp is larger than the local one, it modifies the role and sends a message requesting synchronization of the role rules corresponding to that role; if role information needs to be added, it adds the role according to the role ID and sends a message requesting synchronization of the role rules corresponding to the new role.
Besides the role synchronization flow above, the firewall can also synchronize other policies, such as role rules, using the same timestamp mechanism, which reduces the amount of data exchanged between the server and the firewall as far as possible. If instead the server notified the firewall of all policies, the amount of exchanged data would be excessive. In the embodiments of the invention, the policies that need updating are determined by comparing timestamps, and the server determines only the changed or newly added policies by comparing timestamps.
After all policies are synchronized, the firewall enters the ready state, in which it can wait for policy change notifications or user online/offline notifications from the server. The user terminals are then subjected to access control according to the synchronized policy.
Embodiments of the invention also provide a method by which the server actively notifies the firewall of policy changes. After the firewall enters the ready state, the server's policy may change, and policy consistency can then be achieved by active notification from the server. After the server modifies a role or a role rule, it can actively notify the firewall to update the policy in real time. For example: if, after receiving a notification actively sent by the server, the firewall finds that the timestamp of a role or role rule is 0, the server has deleted the policy and the firewall must also delete it; if the firewall finds that the timestamp of a role or role rule sent by the server is larger than the one on the firewall side, the server has modified the policy and the role or role rule must be updated; if the firewall finds that the server has newly added a policy, it adds that policy. These operations ensure that the policies on the firewall and the server are consistent.
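The pull flow of steps s301 to s304 (with the Table 1 comparison) and the server-initiated notification flow just described rest on the same timestamp comparison, so one model serves both. The following Python code is an added example, not code from the patent or from any vendor's firewall: a server keeps roles and role rules with counter timestamps, answers a firewall's synchronization request with modifications and deletions first and additions last, and the firewall applies the reply, then fetches only the changed rules of each changed role. A server-pushed notification would be applied through the same `apply_role_update` handler. The class and function names, the ACL strings and the scenario in `demo()` are constructed for illustration; as in the text, a timestamp of 0 marks a deletion.

```python
from dataclasses import dataclass, field

DELETED = 0  # timestamp 0 in an update message: the item was deleted on the server

@dataclass
class RoleRule:
    rule_id: int
    ts: int
    acl: str  # constructed ACL text standing in for a real ACL entry

@dataclass
class Role:
    role_id: int
    ts: int
    rules: dict = field(default_factory=dict)  # rule_id -> RoleRule

def diff_by_timestamp(local, remote_ts):
    """Table 1 applied to any id -> object-with-.ts map; `remote_ts` is the
    id -> timestamp map the firewall reported. Returns (changed, deleted, added)."""
    changed, deleted = [], []
    for item_id, fw_ts in remote_ts.items():
        item = local.get(item_id)
        if item is None:
            deleted.append(item_id)   # row 3: the server no longer has it
        elif item.ts > fw_ts:
            changed.append(item_id)   # row 2: the server copy is newer
        elif item.ts < fw_ts:         # row 4: firewall never edits issued policy
            raise ValueError(f"firewall ahead of server for id {item_id}")
        # equal timestamps (row 1): unchanged, nothing to send
    added = [item_id for item_id in local if item_id not in remote_ts]
    return changed, deleted, added

class PolicyServer:
    def __init__(self):
        self.roles = {}
    def set_rule(self, role_id, rule_id, acl):
        """Adding or modifying a rule bumps the role timestamp and the rule timestamp."""
        role = self.roles.setdefault(role_id, Role(role_id, 0))
        role.ts += 1
        rule = role.rules.get(rule_id)
        if rule is None:
            role.rules[rule_id] = RoleRule(rule_id, 1, acl)
        else:
            rule.ts, rule.acl = rule.ts + 1, acl
    def delete_role(self, role_id):
        del self.roles[role_id]
    def role_update(self, fw_roles):
        """Steps s302/s303: modifications and deletions first, then additions."""
        changed, deleted, added = diff_by_timestamp(self.roles, fw_roles)
        msg = [(rid, self.roles[rid].ts) for rid in changed] + [(rid, DELETED) for rid in deleted]
        return msg + [(rid, self.roles[rid].ts) for rid in added]
    def rule_update(self, role_id, fw_rules):
        """The same comparison one level down, answering a rule-sync request."""
        rules = self.roles[role_id].rules
        changed, deleted, added = diff_by_timestamp(rules, fw_rules)
        msg = [(r, rules[r].ts, rules[r].acl) for r in changed + added]
        return msg + [(r, DELETED, None) for r in deleted]

class Firewall:
    def __init__(self, server):
        self.server, self.roles = server, {}
    def request_sync(self):
        """Steps s301/s304: report every local (role_id, ts) and apply the reply."""
        reported = {rid: role.ts for rid, role in self.roles.items()}
        self.apply_role_update(self.server.role_update(reported))
    def apply_role_update(self, msg):
        """Applies a pulled reply or a server-pushed change notification alike."""
        for role_id, ts in msg:
            local = self.roles.get(role_id)
            if ts == DELETED:
                self.roles.pop(role_id, None)  # drops all of its rules too
            elif local is None or ts > local.ts:
                role = self.roles.setdefault(role_id, Role(role_id, ts))
                role.ts = ts
                self._sync_rules(role)         # then fetch only the changed rules
    def _sync_rules(self, role):
        reported = {rid: rule.ts for rid, rule in role.rules.items()}
        for rule_id, ts, acl in self.server.rule_update(role.role_id, reported):
            if ts == DELETED:
                role.rules.pop(rule_id, None)
            else:
                role.rules[rule_id] = RoleRule(rule_id, ts, acl)
    def snapshot(self):
        return {rid: (r.ts, {x: (y.ts, y.acl) for x, y in r.rules.items()})
                for rid, r in self.roles.items()}

def demo():
    """Constructed scenario: first sync, server-side changes, then a re-sync."""
    server = PolicyServer()
    server.set_rule(1, 10, "permit 10.1.0.0/16 tcp 443")
    server.set_rule(1, 11, "deny any")
    server.set_rule(2, 20, "permit 10.2.0.0/16 tcp 22")
    fw = Firewall(server)
    fw.request_sync()
    first = fw.snapshot()
    server.set_rule(1, 10, "permit 10.1.0.0/16 tcp 8443")  # modify a rule of role 1
    server.delete_role(2)                                   # role 2 removed
    server.set_rule(3, 30, "permit 10.3.0.0/16 udp 53")     # role 3 newly added
    fw.request_sync()
    return first, fw.snapshot()
```

The second `request_sync()` in `demo()` sends only one role update (role 1), one deletion (role 2) and one addition (role 3), and the rule-level request for role 1 returns only rule 10, which is the data reduction the text claims for the timestamp mechanism. The fourth row of Table 1 is treated as an integrity error rather than silently ignored, since a firewall timestamp ahead of the server's indicates policy that was modified outside the synchronization path.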
Embodiments of the invention also provide a method of manually synchronizing policy on the firewall, where policy synchronization is forced by manually entering a command on the firewall. The policy synchronization flow in this case is similar to the flow in which the firewall actively requests policy synchronization, and is not described again here.
The control communication between the firewall and the server can be implemented using the COPS (Common Open Policy Service) protocol. This protocol uses TCP (Transmission Control Protocol) as the transport protocol so that messages are transmitted reliably between the firewall and the server. The protocol provides a bidirectional dynamic policy distribution mechanism: the firewall can actively request policy from the server, and the server can also actively initiate policy synchronization when the policy changes.
Specifically, the SOCKET functions are first registered with the COPS component. The COPS component is provided in the form of a LIB library; through an adaptation layer the firewall registers with this component general handling functions for memory, debug output, strings, TCP, timers and the like, as well as system functions, the handling functions of the connection management part (including state changes and the processing of received service packets), the initialization of the connection configuration entries (command line processing), and the send and receive functions for service data invoked by the service part.
The firewall first completes the connection configuration entries by command. After the enable switch is turned on, the registered system function begins to call the registered SOCKET interface to initiate a connection request to the server. The server judges whether to allow the connection according to the connection configuration entries; if the connection is allowed, it responds with a connection success message, the firewall replies with a connection confirmation, and the connection is then established; otherwise the connection fails.
If a user terminal wants to access resources, it must first pass authentication. A user terminal can access a network resource only if it has access rights to that resource. During server authentication, if the identity of the user terminal is illegitimate, the user terminal can only access the pre-authentication domain preset by the enterprise; if the identity is legitimate but the enterprise security policy is not satisfied, the server warns the user and at the same time assists and guides the user in performing security remediation; if the identity is legitimate and the security policy meets the enterprise requirements, the server actively notifies the firewall that the user is online, and the user terminal then obtains the right to access the corresponding network resources. The message in which the server notifies the firewall that the user is online comprises the source IP, the role IDs the user belongs to, the user name and similar information.
After the firewall receives a packet from a user accessing a network resource:
First: look up the source IP monitoring table (comprising source IP and role IDs); if an entry is found, the user has passed authentication and processing continues with the next step; otherwise authentication has not passed, and the user is notified of the authentication failure and asked to authenticate again.
Second: traverse all the roles in the entry of the source IP monitoring table, starting from the largest resource group; if a rule permits the packet, forward it; if a rule denies it, drop it; otherwise continue with the next step.
Third: look up the inter-zone packet filtering rules; forward the packet if permitted, drop it if denied, otherwise continue with the next step.
Fourth: look up the default packet filtering rules; forward the packet if permitted, otherwise drop it.
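The four-stage packet decision above, together with the "user online" notification (source IP, role IDs, user name) described before it, can be modelled as follows. This is an added example, not code from the patent or any vendor: the names `Rule`, `AccessController` and `packet`, the ACL entries and the traffic in `demo()` are all constructed. The text's "starting from the largest resource group" is taken here to mean that a user's roles are checked in descending role ID order, which is an assumption of this example.

```python
import ipaddress

PERMIT, DENY = "permit", "deny"

class Rule:
    """One ACL entry: `action` applies when destination, protocol and port match."""
    def __init__(self, action, prefix, proto="any", dport=None):
        self.action = action
        self.net = ipaddress.ip_network(prefix)
        self.proto, self.dport = proto, dport
    def matches(self, pkt):
        return (pkt["dst"] in self.net
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))

def first_match(rules, pkt):
    """Action of the first matching rule, or None to fall through to the next stage."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None

def packet(src, dst, proto, dport):
    """Constructed packet summary: only the fields the decision needs."""
    return {"src": src, "dst": ipaddress.ip_address(dst), "proto": proto, "dport": dport}

class AccessController:
    def __init__(self, role_acls, interzone, default):
        self.role_acls = role_acls   # role_id -> [Rule]: the synchronized role rules
        self.interzone = interzone   # inter-zone packet filtering rules
        self.default = default       # default packet filtering rules
        self.ip_table = {}           # source IP monitoring table: src -> (role IDs, user)
    def user_online(self, src, role_ids, user):
        """Handler for the server's 'user online' notification."""
        self.ip_table[src] = (list(role_ids), user)
    def user_offline(self, src):
        self.ip_table.pop(src, None)
    def decide(self, pkt):
        entry = self.ip_table.get(pkt["src"])
        if entry is None:
            return "auth_required"                      # stage 1: not authenticated
        for role_id in sorted(entry[0], reverse=True):  # stage 2: role rules (assumed order)
            action = first_match(self.role_acls.get(role_id, []), pkt)
            if action:
                return action
        action = first_match(self.interzone, pkt)       # stage 3: inter-zone filtering
        if action:
            return action
        return first_match(self.default, pkt) or DENY   # stage 4: default filtering, else drop

def demo():
    """Constructed policy and traffic; returns the decision for each packet in order."""
    ac = AccessController(
        role_acls={1: [Rule(PERMIT, "10.1.0.0/16", "tcp", 443)],
                   2: [Rule(DENY, "10.9.0.0/16")]},
        interzone=[Rule(PERMIT, "10.5.0.0/16", "tcp", 80)],
        default=[Rule(DENY, "0.0.0.0/0")])
    results = [ac.decide(packet("192.168.1.20", "10.1.2.3", "tcp", 443))]  # not yet online
    ac.user_online("192.168.1.20", [1, 2], "alice")  # server reports alice authenticated
    results += [
        ac.decide(packet("192.168.1.20", "10.1.2.3", "tcp", 443)),  # role 1 permits
        ac.decide(packet("192.168.1.20", "10.9.0.7", "tcp", 80)),   # role 2 denies
        ac.decide(packet("192.168.1.20", "10.5.0.9", "tcp", 80)),   # inter-zone permits
        ac.decide(packet("192.168.1.20", "10.7.0.1", "tcp", 22)),   # default denies
    ]
    ac.user_offline("192.168.1.20")
    results.append(ac.decide(packet("192.168.1.20", "10.1.2.3", "tcp", 443)))
    return results
```

Because the role ACLs are consulted before the inter-zone and default filters, a deny in any of the user's roles takes precedence over a permit in the zone policy, and a terminal whose source IP has no monitoring entry never reaches the ACL stages at all; the explicit default deny rule makes the final drop visible in the policy rather than implicit.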
(3) Management of the connection state between the firewall and the server, and the escape channel function;
The escape channel is mainly intended, when the link between the firewall and the server fails, or the server itself fails, to open all permissions to users. When such a fault occurs, user authentication messages cannot reach the firewall normally, so users cannot obtain permissions to access the network resources they are entitled to; a state detection mechanism is therefore added. If state monitoring is enabled and disconnection of the critical server connection is detected (connection state changes: the application layer registers a connection state change handling function with the component, and the component notifies the application layer of the change once the COPS connection has been established or after it is interrupted), all permissions of all user terminals are opened; once the critical server connection recovers, the original permission control is restored.
State detection mechanism: the firewall and the server have a keepalive mechanism. The firewall sends a message to the server at regular intervals; if it receives a response from the server, the connection is considered normal; if three keepalive messages are sent without any response, the connection is considered disconnected. The firewall then requests a connection to the server again until the connection succeeds, and then restarts policy synchronization.
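The keepalive detection and escape channel behaviour of the two paragraphs above can be modelled as a small state machine. This is an added example, not the patent's or any vendor's code: `ServerLink`, its method names and the event list are constructed for illustration; the three-miss threshold is the one the text states, and the escape channel is only armed when state monitoring is enabled, as the text requires.

```python
PERMIT = "permit"

class ServerLink:
    """Firewall-side view of the connection to the policy server."""
    MISSED_LIMIT = 3  # three unanswered keepalives mean the connection is down

    def __init__(self, state_monitoring=True):
        self.state_monitoring = state_monitoring  # escape channel needs monitoring enabled
        self.connected = True
        self.missed = 0
        self.escape_open = False
        self.events = []  # constructed audit trail of state changes

    def keepalive(self, answered):
        """Called once per keepalive interval with whether the server replied."""
        if answered:
            self.missed = 0
            return self.connected
        self.missed += 1
        if self.connected and self.missed >= self.MISSED_LIMIT:
            self.connected = False
            self._connection_changed()
        return self.connected

    def reconnect(self, succeeded):
        """Retried until the server accepts; success restarts policy synchronization."""
        if succeeded and not self.connected:
            self.connected, self.missed = True, 0
            self._connection_changed()
            self.events.append("resync_policy")
        return self.connected

    def _connection_changed(self):
        """Registered state-change callback: open or close the escape channel."""
        if not self.state_monitoring:
            return
        self.escape_open = not self.connected
        self.events.append("escape_open" if self.escape_open else "escape_closed")

    def decide(self, normal_decision):
        """While the escape channel is open every terminal gets all permissions."""
        return PERMIT if self.escape_open else normal_decision

def demo():
    """Constructed timeline: one miss that recovers, then three misses, then reconnect."""
    link = ServerLink()
    link.keepalive(True)
    link.keepalive(False)   # a single miss does not change state
    link.keepalive(True)    # and a reply resets the miss counter
    before = link.decide("deny")
    for _ in range(3):
        link.keepalive(False)   # three consecutive misses: link declared down
    during = link.decide("deny")
    link.reconnect(False)
    link.reconnect(True)
    after = link.decide("deny")
    return before, during, after, list(link.events)
```

Opening all permissions on link loss is an availability-over-confidentiality choice that the text makes explicitly; the `events` list exists so that each escape open and close, and the policy re-synchronization that follows recovery, is recorded and can be audited afterwards.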
By the policy synchronization method provided by the embodiments of the invention, the policies on the firewall and the server are synchronized dynamically, the role rules bound to a terminal user can be updated quickly, and the synchronized policy does not need to be configured manually on the firewall. The permissions of a user terminal can therefore be updated faster and the network access permissions of terminals controlled more flexibly. In addition, external users can be prevented from accessing the intranet, and legitimate but unsafe internal users can be prevented from connecting to the enterprise network and further infecting the company network.
Embodiments of the invention also provide a policy synchronization system, as shown in Figure 4, comprising a firewall device 10 and a server 20. The firewall device 10 is configured to receive the policy update message sent by the server 20, and to update its local policy according to the policy update message so that it is synchronized with the policy on the server 20.
In the embodiments of the invention, as shown in Figure 5, the firewall device 10 comprises:
A policy update message receiving unit 11, configured to receive the policy update message sent by the server;
A policy update unit 12, configured to update the local policy according to the policy update message received by the policy update message receiving unit 11, so that it is synchronized with the policy on the server 20.
As shown in Figure 6, in the embodiments of the invention the firewall device 10 further comprises:
A request message sending unit 13, configured to send a policy synchronization request message to the server 20, so that the server 20 generates a policy update message according to the request.
A control unit 14, configured to control the access of user terminals according to the policy updated by the policy update unit 12.
An escape function unit 15, configured to open the escape channel function when the link between the firewall 10 and the server 20 fails, or when the server 20 fails, so as to open all permissions of the user terminals, and to restore the original control after the connection state with the server 20 recovers.
In addition, the policy update unit 12 may further comprise:
An obtaining subunit 121, configured to obtain the policy identifier and the corresponding timestamp carried in the policy update message;
A comparison subunit 122, configured to compare, according to the policy identifier obtained by the obtaining subunit 121, the corresponding local timestamp with the timestamp carried in the policy update message;
An update subunit 123, configured to update the local policy according to the timestamp comparison result of the comparison subunit 122. The update subunit 123 may further comprise: a first update subunit 1231, configured, for a policy identifier, to send the server 20 a message obtaining the policy with that policy identifier when the timestamp comparison result indicates that the server-side policy is newer than the firewall-side policy; or a second update subunit 1232, configured, for a policy identifier, to delete the locally stored policy corresponding to that policy identifier when the timestamp comparison result indicates that the server-side policy no longer exists; or a third update subunit 1233, configured, for a policy identifier, to send the server 20 a message obtaining the policy with that policy identifier when the timestamp comparison result indicates that the policy does not exist on the firewall side.
In the embodiments of the invention, as shown in Figure 7, the server 20 comprises:
A synchronization request receiving unit 21, configured to receive the policy synchronization request message sent by the firewall device 10.
A policy update message generation unit 22, configured to generate a policy update message according to the message received by the synchronization request receiving unit 21.
A policy update message sending unit 23, configured to send the policy update message to the firewall device 10.
In the embodiments of the invention, as shown in Figure 8, in the server 20:
The policy update message sending unit 23 may further comprise:
A first sending subunit 231, configured to send the policy update message to the firewall device 10 upon receiving the policy synchronization request message sent by the firewall device 10; or
A second sending subunit 232, configured to send the policy update message to the firewall device 10 upon detecting that the local policy has changed.
The policy update message generation unit 22 may further comprise:
A first obtaining subunit 221, configured to obtain the identifier of the policy to be synchronized and the timestamp carried in the policy synchronization request message received by the first sending subunit 231;
A first comparison subunit 222, configured to compare, according to the identifier of the policy to be synchronized, the timestamp sent by the firewall device 10 with the timestamp of the corresponding locally stored policy;
A first generation subunit 223, configured to add, according to the comparison result of the first comparison subunit 222, the identifier of the policy to be synchronized and the corresponding locally stored timestamp to the policy update message.
The policy update message generation unit 22 may further comprise:
A second generation subunit 224, configured, upon detecting that the local policy has changed, to add the identifier of the changed policy and the corresponding locally stored timestamp to the policy update message.
By the policy synchronization system and device provided by the embodiments of the invention, the ACL rules on the firewall and the server are synchronized dynamically, the role rules bound to a terminal user can be updated, and more policies synchronized, quickly, and the synchronized policy does not need to be configured manually on the firewall. The permissions of a user terminal can therefore be updated faster and the network access permissions of terminals controlled more flexibly. In addition, external users can be prevented from accessing the intranet, and legitimate but unsafe internal users can be prevented from connecting to the enterprise network and further infecting the company network.
From the description of the embodiments above, a person skilled in the art can clearly understand that the invention can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. On this understanding, the technical solution of the invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium and comprising instructions that cause a terminal device (such as a mobile phone or PDA) to perform the method described in each embodiment of the invention.
A person of ordinary skill in the art will appreciate that all or part of the flows in the methods of the embodiments above can be implemented by a computer program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, and when executed can comprise the flows of the method embodiments above. The storage medium can be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM) or the like.
What is disclosed above is only several specific embodiments of the invention, but the invention is not limited thereto; any variation that a person skilled in the art can conceive of falls within the protection scope of the invention.