CN104135461A - Firewall policy processing method and device - Google Patents

Firewall policy processing method and device

Info

Publication number
CN104135461A
Authority
CN
China
Prior art keywords
firewall policy
policy
firewall
baseline
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201310163682.3A
Other languages
Chinese (zh)
Inventor
王立川
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Group Hebei Co Ltd
Original Assignee
China Mobile Group Hebei Co Ltd
Priority date: 2013-05-02
Filing date: 2013-05-02
Publication date: 2014-11-05
Application filed by China Mobile Group Hebei Co Ltd
Priority to CN201310163682.3A
Publication of CN104135461A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a firewall policy processing method and device. The method comprises the following steps: acquiring firewall policies, and standardizing the firewall policies to generate a firewall policy access control list; acquiring network flow of an internal network as well as between internal and external networks of a firewall to obtain network flow proportion statistics; quantifying the firewall policy access control list according to the network flow proportion statistics; and performing policy optimization processing on the quantified firewall policy access control list according to a preset policy optimizing rule. With the firewall policy processing method and device, the defect of waste of time and labor in manual auditing of firewall policies can be overcome, the management of firewall change policies is reinforced, the establishment of policies with safety risks is avoided, and the security of the firewall is enhanced.

Description

Firewall policy processing method and device
Technical field
The present invention relates to the field of network security technology, and in particular to a firewall policy processing method and device.
Background technology
A firewall, as the protective barrier between an internal network and external networks, and between a private network and a public network, plays an important role in preventing outside intrusion. A firewall policy refers to the regulations, rules, requirements and filtering clauses that the firewall enforces. The firewall permits or blocks the data flows passing through it according to the firewall policy, so the firewall policy plays a crucial part in access control between the internal and external networks. As the network grows and the business is continually adjusted, a large number of security policies accumulate on the firewall. These policies may include ones that are no longer used, redundant, conflicting, or even in violation of security rules; this not only increases management and maintenance cost but may also become a hidden security hazard, so auditing firewall policies is very necessary.
Firewall policy auditing comprises two aspects: optimization auditing and security auditing. The purpose of optimization auditing is to find existing or potential duplicate or conflicting policies and to provide a policy optimization solution, so that the firewall administrator can manage the policies, reduce redundant policies and improve the matching efficiency of the firewall policy. The purpose of security auditing is to find policies that grant excessive authorization or violate security rules, thereby reducing the probability of the high-risk events they would bring about.
Policy auditing can be performed manually or automatically. When the number of policies is very small, manual auditing can still cope; once the number of policies reaches a certain scale, the efficiency of manual auditing is very low. At the same time, in routine firewall maintenance, policies that violate specifications and security rules are often added without authorization, and there is no timely and effective mechanism to supervise and control firewall policy changes. The lack of records and audits of firewall policy changes causes considerable difficulty and hidden security hazards for firewall management. Methods and systems for distributing, executing and configuring firewall policies are common, but no mature automatic method for auditing the content of the firewall policies themselves is yet available on the market.
The main problems with manual firewall policy auditing are the following. First, the number of firewall policies is huge, and manual auditing is very labor intensive. With network expansion and business reorganization, a large number of security policies accumulate on the firewall over time, and it is very common for a single firewall to hold hundreds or thousands of policies. Analyzing and auditing the firewall policies manually consumes a great deal of manpower. Second, manual auditing is poorly timed and cannot discover abnormal or erroneous policies in time. Policies that violate safety regulations and contain security risks are often created on the firewall. Because the firewall rule set is large and tedious, newly added firewall policies are difficult to examine in a timely and effective manner.
Summary of the invention
To solve the technical problem in the prior art, the present invention proposes a firewall policy processing method and device. They perform policy auditing according to the policy audit rules described below, can efficiently and promptly find redundant, conflicting and security-rule-violating policies in the firewall, and at the same time handle firewall policy changes by distributing work orders to the relevant personnel for review. The present invention can make up for the defect that manual examination of firewall policies is time-consuming and laborious, strengthens the management of firewall change policies, avoids the establishment of policies with security risks, and improves the security of the firewall.
In one aspect, the present invention proposes a firewall policy processing method, comprising: collecting firewall policies, and standardizing the firewall policies to generate a firewall policy access control list (ACL); collecting the network traffic within the firewall's internal network and between the internal and external networks, and obtaining network traffic proportion statistics; quantifying the firewall policy ACL according to the network traffic proportion statistics; and performing policy optimization processing on the quantified firewall policy ACL according to a preset policy optimization rule.
Preferably, after the step of performing policy optimization processing on the quantified firewall policy ACL according to the preset policy optimization rule, the method also comprises: performing security audit processing on the quantified firewall policy ACL according to a preset security audit rule.
Preferably, the step of collecting firewall policies and standardizing them to generate a firewall policy ACL further comprises: issuing a firewall policy collection command to the Probe collector; obtaining the firewall policy baseline results and standardizing the baseline results using standard parsing statements; and taking the standardized firewall policies as the policy baseline of the Probe collector.
Preferably, after the step of taking the standardized firewall policies as the policy baseline of the Probe collector, the method also comprises: repeating the above steps at a preset time interval to update the policy baseline.
Preferably, the step of collecting the network traffic within the firewall's internal network and between the internal and external networks and obtaining network traffic proportion statistics further comprises: collecting, according to a predetermined period, the network traffic within the firewall's internal network and between the internal and external networks; and computing statistics on the proportions of the network traffic to obtain the network traffic proportion statistics.
In another aspect, the present invention proposes a firewall policy processing device comprising an acquisition module, a statistics module, a quantization module and an optimization module, wherein: the acquisition module collects firewall policies and standardizes them to generate a firewall policy ACL; the statistics module collects the network traffic within the firewall's internal network and between the internal and external networks and obtains network traffic proportion statistics; the quantization module quantifies the firewall policy ACL according to the network traffic proportion statistics; and the optimization module performs policy optimization processing on the quantified firewall policy ACL according to a preset policy optimization rule.
Preferably, the device also comprises an audit module that performs security audit processing on the quantified firewall policy ACL according to a preset security audit rule.
Preferably, the acquisition module further comprises a command issuing unit, a standardization unit and a policy baseline generation unit, wherein: the command issuing unit issues a firewall policy collection command to the Probe collector; the standardization unit obtains the firewall policy baseline results and standardizes them using standard parsing statements; and the policy baseline generation unit takes the standardized firewall policies as the policy baseline of the Probe collector.
Preferably, the acquisition module also comprises an update unit that repeats, at a preset time interval, the actions performed by the command issuing unit, the standardization unit and the policy baseline generation unit so as to update the policy baseline.
Preferably, the statistics module is further used to: collect, according to a predetermined period, the network traffic within the firewall's internal network and between the internal and external networks; and compute statistics on the proportions of the network traffic to obtain the network traffic proportion statistics.
The firewall policy processing method and device of the present invention audit firewall policies automatically according to the policy audit rules and can effectively improve firewall auditing efficiency. At the same time, by establishing a firewall policy baseline and an interconnection relationship baseline, periodically collecting the current firewall policies and interconnection relationships and comparing them with the baselines, and generating an alarm and a work order for handling when a policy or interconnection relationship change is found, a good firewall policy management method is provided: effective management of firewall policies and of changes to the firewall's internal and external interconnection relationships is achieved, the possibility of being attacked because of improperly set firewall policies is reduced, and the security of the firewall is improved.
Description of the drawings
Fig. 1 is a flow chart of a firewall policy processing method in an embodiment of the present invention;
Fig. 2 is a structural diagram of a firewall policy processing device in an embodiment of the present invention.
Embodiment
Fig. 1 is a flow chart of a firewall policy processing method in an embodiment of the present invention. As shown in Fig. 1, the method comprises the following steps:
Step 100: collect firewall policies, and standardize the firewall policies to generate a firewall policy access control list (ACL);
Step 102: collect the network traffic within the firewall's internal network and between the internal and external networks, and obtain network traffic proportion statistics;
Step 104: quantify the firewall policy ACL according to the network traffic proportion statistics;
Step 106: perform policy optimization processing on the quantified firewall policy ACL according to a preset policy optimization rule.
Preferably, after step 106 the method may also comprise: performing security audit processing on the quantified firewall policy ACL according to a preset security audit rule.
In step 100 above, generating the firewall policy ACL, that is, the process of establishing the policy baseline, specifically comprises the following steps:
Issuing policy collection: the WebServer calls the program interface of the Server, and the Server sends a policy collection message to the Probe collector.
Obtaining and standardizing the baseline results: the Probe collector connects to the target device, performs policy collection, obtains the policy baseline results and standardizes them using standard parsing statements.
Establishing the policy baseline: after the Probe collector has obtained the standardized policy data, it takes the standardized firewall policies as the policy baseline.
Discovering policy changes: the Probe collector periodically collects and standardizes the current firewall policies, compares them with the policy baseline, discovers policy changes, and distributes a work order to the relevant personnel for review.
Updating the policy baseline: the Probe collector collects and standardizes the current firewall policies and updates the policy baseline.
WebServer: the web server that provides graphical display and management of firewall policies. Server: the server that generates and distributes policy collection messages and stores firewall policy data. Probe: the collection server that performs policy collection, obtains the policy baseline results and standardizes them. Policy baseline: the initial baseline value for policy comparison, used to find changes in the current policies.
In step 102 above, collecting the interconnection relationships of devices inside and outside the local area network and establishing the interconnection relationship baseline further comprises the following steps:
collecting, according to a predetermined period, the network traffic within the firewall's internal network and between the internal and external networks;
computing statistics on the proportions of the network traffic to obtain the network traffic proportion statistics.
A network sniffer is deployed on the switch inside the firewall to collect the traffic within the internal network and between the internal and external networks over a fairly long period (for example, a month), and statistics are compiled on the pairings that occur in the traffic (source port, source IP, destination port, destination IP, outbound traffic, inbound traffic, start time, end time). The statistics of these pairings represent the business system interconnection relationships of the period; the importance of each interconnection relationship is determined according to the traffic volume, the connection frequency and similar factors, and the result is submitted for manual confirmation to arrive at the legitimate interconnection relationship baseline.
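As an added example (not part of the patent), the following Python aggregates constructed flow records of the kind step 102 describes into per-pair statistics, ranks the pairs by connection frequency and traffic volume, and separates the pairs proposed as legitimate from those that need manual confirmation. It groups by (source IP, destination IP, destination port) rather than by the page's full tuple, because the source port changes with every connection and the number of distinct flows per pair is what yields the connection frequency; the two-connection threshold, the sample addresses and all byte counts are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed pairing, with the fields the page lists."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    out_bytes: int
    in_bytes: int
    start: str   # ISO-8601 timestamp (constructed)
    end: str


@dataclass
class PairStats:
    connections: int = 0
    out_bytes: int = 0
    in_bytes: int = 0
    first_seen: str = ""
    last_seen: str = ""


# Constructed sample flows; addresses and volumes are invented for the example.
SAMPLE_FLOWS = [
    Flow("10.1.1.10", 51000, "10.2.2.20", 3306, 5_000, 200_000, "2013-05-01T08:00", "2013-05-01T08:05"),
    Flow("10.1.1.10", 51001, "10.2.2.20", 3306, 4_000, 180_000, "2013-05-02T08:00", "2013-05-02T08:04"),
    Flow("10.1.1.11", 52000, "10.2.2.20", 3306, 6_000, 150_000, "2013-05-03T09:00", "2013-05-03T09:02"),
    Flow("10.1.1.10", 51002, "203.0.113.5", 443, 2_000, 30_000, "2013-05-02T10:00", "2013-05-02T10:01"),
    Flow("10.1.1.12", 53000, "10.2.2.21", 22, 300, 1_000, "2013-05-04T23:00", "2013-05-04T23:00"),
]


def pair_key(flow):
    # Source port is ephemeral, so it is dropped from the key; each distinct
    # flow per key counts as one connection.
    return (flow.src_ip, flow.dst_ip, flow.dst_port)


def aggregate(flows):
    """Compile the pairing statistics for the collection period."""
    stats = defaultdict(PairStats)
    for f in flows:
        s = stats[pair_key(f)]
        s.connections += 1
        s.out_bytes += f.out_bytes
        s.in_bytes += f.in_bytes
        s.first_seen = min(s.first_seen or f.start, f.start)
        s.last_seen = max(s.last_seen, f.end)
    return dict(stats)


def rank_relationships(stats):
    """Order pairs by importance: connection frequency first, then total bytes."""
    return sorted(stats.items(),
                  key=lambda kv: (kv[1].connections, kv[1].out_bytes + kv[1].in_bytes),
                  reverse=True)


def candidates_for_confirmation(stats, min_connections=2):
    """Split pairs into those proposed as legitimate and those held for manual review.
    The threshold is an assumption; the page only says importance is judged from
    volume and frequency and then confirmed manually."""
    proposed, review = [], []
    for key, s in rank_relationships(stats):
        (proposed if s.connections >= min_connections else review).append(key)
    return proposed, review


def build_baseline(stats, confirmed):
    """The interconnection relationship baseline is the operator-confirmed subset."""
    return frozenset(k for k in confirmed if k in stats)


if __name__ == "__main__":
    st = aggregate(SAMPLE_FLOWS)
    proposed, review = candidates_for_confirmation(st)
    print("proposed:", proposed)
    print("needs manual confirmation:", review)
    print("baseline:", sorted(build_baseline(st, proposed)))
```

In practice the confirmed set would be persisted and later compared against the next collection period, which is the comparison step 106 describes.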
In step 104 above, the firewall policy quantification specifically comprises:
After the firewall policies have been collected and standardized to generate the policy ACL, the destination port content, the number of destination ports, the destination IP content and the number of destination IPs involved in the ACL are quantified; then, taking each ACL entry as the unit, all combinations of entries are compared to determine whether the firewall policy ACL has policy redundancy problems such as policy coverage and interception (shadowing), and security problems such as an excessively large opened destination IP range or an excessively large destination port range.
Policy auditing should perform policy optimization and security auditing according to the following rules:
(1) Finding redundant and useless policies, in order to achieve firewall policy optimization, should follow these rules:
1) Policy duplication
Policy duplication judgment: two or more policies in the configuration file have identical five-tuples and the same action; they are judged to be duplicate policies.
2) Full policy coverage
Full policy coverage judgment: in the configuration file, the five-tuple of the current policy is completely contained by a higher-priority policy with the same action; the current policy is judged to be fully covered. The whole policy is ineffective.
3) Partial policy coverage
Partial policy coverage judgment: in the configuration file, the five-tuple of the current policy is partially contained by a higher-priority policy with the same action; the current policy is judged to be partially covered. That part of the policy is ineffective.
4) Full policy interception
Full policy interception judgment: in the configuration file, the five-tuple of the current policy is completely contained by a higher-priority policy with the opposite action; the current policy is judged to be fully intercepted. The whole policy is ineffective.
5) Partial policy interception
Partial policy interception judgment: in the configuration file, the five-tuple of the current policy is partially contained by a higher-priority policy with the opposite action; the current policy is judged to be partially intercepted. That part of the policy is ineffective.
6) Invalid policy group
Invalid policy group judgment: a policy group that does not contain any policy is judged to be an invalid policy group.
For example, the policy group "acl number 2100" is defined, but policy group 2100 does not contain any policy.
7) Policy normal
Policy normal judgment: a policy in which none of the above firewall policy configuration problems is found is judged to be normal.
Policy security auditing should follow these rules:
1) Destination IP is any
Judgment: the configuration file contains a policy whose destination IP is any.
2) Destination IP range too large
Judgment: the configuration file contains a policy whose destination IP range exceeds the maximum permitted value of the policy audit. The maximum permitted destination IP value can be set according to the actual network conditions.
3) Destination port is any
Judgment: the configuration file contains a policy whose destination port is any.
4) Destination port range too large
Judgment: the configuration file contains a policy whose destination port range exceeds the maximum permitted value of the policy audit.
The maximum permitted destination port value can be set according to the actual network conditions.
5) Management port opened
Judgment: the destination ports of the policy include commonly used management and maintenance ports such as 22, 23, 80, 443 and 3389.
Following the above policy optimization and policy security audit rules, the system program automatically finds the redundant, useless and expired policies and the policies that violate security rules on the firewall, thereby achieving firewall policy optimization and policy security auditing. Here, the five-tuple is the attribute set of a firewall policy, used to represent the access requirement defined by the firewall; it comprises the five key elements of a firewall policy, namely the source IP address, source port, destination IP address, destination port and communication protocol (for example TCP). Action: the traffic policy action of a firewall policy, which can be permit or deny. Policy ACL: the policy access control list.
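To make the quantification of step 104 and the optimization and security audit rules above concrete, here is an added Python example that is not the patent's own code. It models each policy as a five-tuple plus an action, computes the destination IP and destination port counts, compares every policy with all higher-priority ones to classify it as duplicate, fully or partially covered, fully or partially intercepted, or normal, flags empty policy groups, and applies the five security rules. The sample rule set, the policy-group names, the choice to apply the security rules to permit policies only, and the thresholds MAX_DST_IPS and MAX_DST_PORTS are assumptions; the page says those thresholds are set according to actual network conditions.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORT = (1, 65535)
MGMT_PORTS = {22, 23, 80, 443, 3389}          # management ports named on the page
MAX_DST_IPS, MAX_DST_PORTS = 256, 100         # assumed thresholds (page: set per network)


@dataclass(frozen=True)
class Policy:
    name: str
    src_ip: str       # CIDR or "any"
    src_port: tuple   # inclusive (low, high)
    dst_ip: str
    dst_port: tuple
    proto: str        # "tcp", "udp" or "any"
    action: str       # "permit" or "deny"


def five_tuple(p):
    return (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)


def net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def port_contains(outer, inner):
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def port_overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def contains(hi, lo):
    """True when the five-tuple of `lo` lies completely inside that of `hi`."""
    return (net(lo.src_ip).subnet_of(net(hi.src_ip))
            and net(lo.dst_ip).subnet_of(net(hi.dst_ip))
            and port_contains(hi.src_port, lo.src_port)
            and port_contains(hi.dst_port, lo.dst_port)
            and hi.proto in ("any", lo.proto))


def overlaps(a, b):
    """True when the two five-tuples share at least one possible packet."""
    return (net(a.src_ip).overlaps(net(b.src_ip))
            and net(a.dst_ip).overlaps(net(b.dst_ip))
            and port_overlaps(a.src_port, b.src_port)
            and port_overlaps(a.dst_port, b.dst_port)
            and (a.proto == b.proto or "any" in (a.proto, b.proto)))


def quantify(p):
    """Step 104: number of destination IPs and destination ports the policy covers."""
    return net(p.dst_ip).num_addresses, p.dst_port[1] - p.dst_port[0] + 1


def optimization_audit(policies):
    """Optimization rules 1)-5) and 7); `policies` is in priority order, first = highest."""
    report = {}
    for i, cur in enumerate(policies):
        findings = []
        for hi in policies[:i]:
            same = hi.action == cur.action
            if same and five_tuple(hi) == five_tuple(cur):
                findings.append(f"duplicate of {hi.name}")
            elif contains(hi, cur):
                findings.append(f"fully {'covered' if same else 'intercepted'} by {hi.name}")
            elif overlaps(hi, cur):
                findings.append(f"partially {'covered' if same else 'intercepted'} by {hi.name}")
        report[cur.name] = findings or ["normal"]
    return report


def audit_policy_groups(groups):
    """Optimization rule 6): a group that contains no policy is invalid."""
    return [name for name, members in groups.items() if not members]


def security_audit(policies):
    """Security rules 1)-5), applied to permit policies only (an assumption)."""
    report = {}
    for p in policies:
        if p.action != "permit":
            continue
        findings = []
        n_ips, n_ports = quantify(p)
        if p.dst_ip == "any":
            findings.append("destination IP is any")
        elif n_ips > MAX_DST_IPS:
            findings.append("destination IP range too large")
        if p.dst_port == ANY_PORT:
            findings.append("destination port is any")
        elif n_ports > MAX_DST_PORTS:
            findings.append("destination port range too large")
        opened = sorted(m for m in MGMT_PORTS if p.dst_port[0] <= m <= p.dst_port[1])
        if opened:
            findings.append(f"management port opened: {opened}")
        report[p.name] = findings
    return report


# Constructed sample rule set (not from the page), highest priority first.
SAMPLE_POLICIES = [
    Policy("r1", "10.0.0.0/8", ANY_PORT, "10.2.2.0/24", (8080, 8080), "tcp", "permit"),
    Policy("r2", "10.1.0.0/16", ANY_PORT, "10.2.2.0/24", (8080, 8080), "tcp", "permit"),
    Policy("r3", "10.1.0.0/16", ANY_PORT, "10.2.2.0/24", (8080, 8080), "tcp", "permit"),
    Policy("r4", "192.168.0.0/16", ANY_PORT, "10.3.0.0/16", (22, 22), "tcp", "deny"),
    Policy("r5", "192.168.1.0/24", ANY_PORT, "10.3.3.0/24", (22, 22), "tcp", "permit"),
    Policy("r6", "10.1.0.0/16", ANY_PORT, "10.2.0.0/16", (80, 8080), "tcp", "permit"),
    Policy("r7", "any", ANY_PORT, "any", (3389, 3389), "tcp", "permit"),
]
SAMPLE_GROUPS = {"acl number 2100": [], "acl number 3000": ["r1", "r2"]}

if __name__ == "__main__":
    print(optimization_audit(SAMPLE_POLICIES))
    print(security_audit(SAMPLE_POLICIES))
    print("invalid groups:", audit_policy_groups(SAMPLE_GROUPS))
```

Comparing each entry only with the entries ahead of it is what makes "higher priority" meaningful: r3 is reported both as a duplicate of r2 and as fully covered by r1, and r5 is a permit that never matches because the deny r4 above it already catches everything it describes.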
In step 106 above, changes to firewall policies and interconnection relationships are monitored by carrying out the following flow, and optimization processing is performed:
Select the firewall devices whose policy and interconnection relationship changes need periodic re-examination, and establish a periodic re-examination plan;
The WebServer obtains the current policies and interconnection relationships on the selected devices through the Probe collector and the sniffer;
Compare the current policies and interconnection relationships with the policy baseline and the interconnection relationship baseline, discover policy and interconnection relationship changes, and generate the corresponding alarms; start the work order flow and distribute work orders to the relevant personnel for review;
Collect the changed firewall policies and interconnection relationships, and update the policy baseline and the interconnection relationship baseline.
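The baseline workflow of step 100 (collect, standardize, establish the baseline, discover changes, update) and the re-examination flow of step 106 are illustrated by the following added Python example, which is not the patent's own code. It standardizes constructed configuration lines written in an invented, vendor-neutral rule syntax into canonical five-tuples (wildcard masks become CIDR prefixes), diffs the current policies against the baseline, emits one pending-review work order per change, and writes only approved changes back into the baseline. The rule syntax, the device name fw-01, the sample rules and the approval gating are assumptions.

```python
import ipaddress
import re

# Invented rule syntax for the example: "rule <id> <action> <proto> source <addr> <wildcard>
# destination <addr> <wildcard> [destination-port eq <port>]". Not any real vendor's format.
RULE_RE = re.compile(
    r"rule (?P<id>\d+) (?P<action>permit|deny) (?P<proto>\w+) "
    r"source (?P<sip>\S+) (?P<smask>\S+) destination (?P<dip>\S+) (?P<dmask>\S+)"
    r"(?: destination-port eq (?P<dport>\d+))?$")

# Constructed baseline and current configurations (not from the page).
RAW_BASELINE = """
rule 10 permit tcp source 10.1.0.0 0.0.255.255 destination 10.2.2.0 0.0.0.255 destination-port eq 8080
rule 20 deny tcp source 192.168.0.0 0.0.255.255 destination 10.3.0.0 0.0.255.255 destination-port eq 22
rule 30 permit udp source 10.1.0.0 0.0.255.255 destination 10.2.2.53 0.0.0.0 destination-port eq 53
"""
RAW_CURRENT = """
rule 10 permit tcp source 10.1.0.0 0.0.255.255 destination 10.2.2.0 0.0.0.255 destination-port eq 8080
rule 20 deny tcp source 192.168.0.0 0.0.255.255 destination 10.3.3.0 0.0.0.255 destination-port eq 22
rule 40 permit tcp source 0.0.0.0 255.255.255.255 destination 10.2.0.0 0.0.255.255 destination-port eq 3389
"""


def wildcard_to_cidr(ip, wildcard):
    """A wildcard mask is the inverted netmask; emit the canonical CIDR form."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


def normalize(raw):
    """Standardization step: rule id -> (proto, src, dst, dst_port, action)."""
    policies = {}
    for line in raw.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue                      # non-policy configuration lines are ignored
        policies[m["id"]] = (m["proto"],
                             wildcard_to_cidr(m["sip"], m["smask"]),
                             wildcard_to_cidr(m["dip"], m["dmask"]),
                             m["dport"] or "any",
                             m["action"])
    return policies


def diff_policies(baseline, current):
    """Discover changes by comparing the standardized current set with the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k]),
    }


def generate_work_orders(device, changes, current):
    """One alarm/work order per changed rule, handed to the reviewers."""
    return [{"device": device, "rule": rid, "change": kind,
             "policy": current.get(rid), "status": "pending-review"}
            for kind, ids in changes.items() for rid in ids]


def update_baseline(baseline, current, approved_ids):
    """Only approved changes enter the baseline; anything unapproved keeps alarming next cycle."""
    new = dict(baseline)
    for rid in approved_ids:
        if rid in current:
            new[rid] = current[rid]
        else:
            new.pop(rid, None)
    return new


if __name__ == "__main__":
    base, cur = normalize(RAW_BASELINE), normalize(RAW_CURRENT)
    changes = diff_policies(base, cur)
    for order in generate_work_orders("fw-01", changes, cur):
        print(order)
    print(update_baseline(base, cur, ["20", "30"]))
```

Normalizing before comparison is what keeps the diff meaningful: the same rule written once with a wildcard mask and once as a prefix must compare equal, otherwise every re-collection would raise a false change alarm.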
Fig. 2 is a structural diagram of a firewall policy processing device in an embodiment of the present invention. As shown in Fig. 2, the device comprises an acquisition module 200, a statistics module 202, a quantization module 204 and an optimization module 206, wherein: the acquisition module collects firewall policies and standardizes them to generate a firewall policy ACL; the statistics module collects the network traffic within the firewall's internal network and between the internal and external networks and obtains network traffic proportion statistics; the quantization module quantifies the firewall policy ACL according to the network traffic proportion statistics; and the optimization module performs policy optimization processing on the quantified firewall policy ACL according to a preset policy optimization rule.
Preferably, the device also comprises an audit module that performs security audit processing on the quantified firewall policy ACL according to a preset security audit rule.
The acquisition module further comprises a command issuing unit, a standardization unit and a policy baseline generation unit, wherein: the command issuing unit issues a firewall policy collection command to the Probe collector; the standardization unit obtains the firewall policy baseline results and standardizes them using standard parsing statements; and the policy baseline generation unit takes the standardized firewall policies as the policy baseline of the Probe collector.
The acquisition module also comprises an update unit that repeats, at a preset time interval, the actions performed by the command issuing unit, the standardization unit and the policy baseline generation unit so as to update the policy baseline.
The statistics module is further used to: collect, according to a predetermined period, the network traffic within the firewall's internal network and between the internal and external networks; and compute statistics on the proportions of the network traffic to obtain the network traffic proportion statistics.
The firewall policy auditing method can be combined with the policy change management method to form an integrated firewall policy management system that provides firewall policy auditing, policy change monitoring and interconnection relationship change monitoring and management functions.
The embodiments of the present invention audit firewall policies automatically according to the policy audit rules and can effectively improve firewall auditing efficiency. At the same time, by establishing a firewall policy baseline and an interconnection relationship baseline, periodically collecting the current firewall policies and interconnection relationships and comparing them with the baselines, and generating an alarm and a work order for handling when a policy or interconnection relationship change is found, a good firewall policy management method is provided. Effective management of changes to firewall policies and to the firewall's internal and external interconnection relationships is achieved, the possibility of being attacked because of improperly set firewall policies is reduced, and the security of the firewall is improved.
It should be noted that the above embodiments are only intended to illustrate the present invention and not to limit it; the present invention is not limited to the above examples, and all technical solutions and improvements thereof that do not depart from the spirit and scope of the present invention should be covered by the scope of the claims of the present invention.

Claims (10)

1. A firewall policy processing method, characterized in that it comprises:
collecting firewall policies, and standardizing the firewall policies to generate a firewall policy access control list (ACL);
collecting the network traffic within the firewall's internal network and between the internal and external networks, and obtaining network traffic proportion statistics;
quantifying the firewall policy ACL according to the network traffic proportion statistics;
performing policy optimization processing on the quantified firewall policy ACL according to a preset policy optimization rule.
2. The method according to claim 1, characterized in that, after the step of performing policy optimization processing on the quantified firewall policy ACL according to the preset policy optimization rule, the method also comprises:
performing security audit processing on the quantified firewall policy ACL according to a preset security audit rule.
3. The method according to claim 1 or 2, characterized in that the step of collecting firewall policies and standardizing the firewall policies to generate a firewall policy ACL further comprises:
issuing a firewall policy collection command to the Probe collector;
obtaining the firewall policy baseline results and standardizing the baseline results using standard parsing statements;
taking the standardized firewall policies as the policy baseline of the Probe collector.
4. The method according to claim 3, characterized in that, after the step of taking the standardized firewall policies as the policy baseline of the Probe collector, the method also comprises:
repeating the above steps at a preset time interval to update the policy baseline.
5. The method according to claim 1 or 2, characterized in that the step of collecting the network traffic within the firewall's internal network and between the internal and external networks and obtaining network traffic proportion statistics further comprises:
collecting, according to a predetermined period, the network traffic within the firewall's internal network and between the internal and external networks;
computing statistics on the proportions of the network traffic to obtain the network traffic proportion statistics.
6. A firewall policy processing device, characterized in that it comprises an acquisition module, a statistics module, a quantization module and an optimization module, wherein:
the acquisition module is used to collect firewall policies and standardize the firewall policies to generate a firewall policy ACL;
the statistics module is used to collect the network traffic within the firewall's internal network and between the internal and external networks and obtain network traffic proportion statistics;
the quantization module is used to quantify the firewall policy ACL according to the network traffic proportion statistics;
the optimization module is used to perform policy optimization processing on the quantified firewall policy ACL according to a preset policy optimization rule.
7. The device according to claim 6, characterized in that it also comprises an audit module used to perform security audit processing on the quantified firewall policy ACL according to a preset security audit rule.
8. The device according to claim 6 or 7, characterized in that the acquisition module further comprises a command issuing unit, a standardization unit and a policy baseline generation unit, wherein:
the command issuing unit is used to issue a firewall policy collection command to the Probe collector;
the standardization unit is used to obtain the firewall policy baseline results and standardize the baseline results using standard parsing statements;
the policy baseline generation unit is used to take the standardized firewall policies as the policy baseline of the Probe collector.
9. The device according to claim 8, characterized in that the acquisition module also comprises an update unit used to repeat, at a preset time interval, the actions performed by the command issuing unit, the standardization unit and the policy baseline generation unit so as to update the policy baseline.
10. The device according to claim 6 or 7, characterized in that the statistics module is further used to:
collect, according to a predetermined period, the network traffic within the firewall's internal network and between the internal and external networks;
compute statistics on the proportions of the network traffic to obtain the network traffic proportion statistics.
CN201310163682.3A 2013-05-02 2013-05-02 Firewall policy processing method and device Pending CN104135461A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310163682.3A CN104135461A (en) 2013-05-02 2013-05-02 Firewall policy processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310163682.3A CN104135461A (en) 2013-05-02 2013-05-02 Firewall policy processing method and device

Publications (1)

Publication Number Publication Date
CN104135461A true CN104135461A (en) 2014-11-05

Family

ID=51807985

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310163682.3A Pending CN104135461A (en) 2013-05-02 2013-05-02 Firewall policy processing method and device

Country Status (1)

Country Link
CN (1) CN104135461A (en)

Cited By (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104735084A (en) * 2015-04-13 2015-06-24 国家电网公司 Firewall baseline strategy auditing method
CN105721188A (en) * 2014-12-04 2016-06-29 北京神州泰岳信息安全技术有限公司 Firewall strategy check method and system
CN105791213A (en) * 2014-12-18 2016-07-20 华为技术有限公司 Strategy optimization device and method
CN105847258A (en) * 2016-03-25 2016-08-10 国家电网公司 Firewall-based method for analyzing ACL company internal resource opening scope
CN106034116A (en) * 2015-03-13 2016-10-19 国家计算机网络与信息安全管理中心 Method and system for reducing malicious network flow
CN106657047A (en) * 2016-12-14 2017-05-10 北京启明星辰信息安全技术有限公司 Network access relationship generation method and apparatus
CN107566359A (en) * 2017-08-25 2018-01-09 郑州云海信息技术有限公司 A kind of intelligent fire-proofing wall system and means of defence
CN108462676A (en) * 2017-02-20 2018-08-28 中兴通讯股份有限公司 The management method and device of Network Security Device
CN109040089A (en) * 2018-08-15 2018-12-18 深圳前海微众银行股份有限公司 Network strategy auditing method, equipment and computer readable storage medium
CN109040037A (en) * 2018-07-20 2018-12-18 南京方恒信息技术有限公司 A kind of safety auditing system based on strategy and rule
CN109639743A (en) * 2018-12-13 2019-04-16 成都亚信网络安全产业技术研究院有限公司 A kind of firewall policy detection method and equipment
CN109768962A (en) * 2018-12-13 2019-05-17 平安科技(深圳)有限公司 Firewall strategy-generating method, device, computer equipment and storage medium
CN109802960A (en) * 2019-01-08 2019-05-24 深圳中兴网信科技有限公司 Firewall policy processing method and processing device, computer equipment and storage medium
CN110324826A (en) * 2019-06-10 2019-10-11 平安科技(深圳)有限公司 A kind of Intranet access method and relevant apparatus
CN110661811A (en) * 2019-10-10 2020-01-07 国网山东省电力公司信息通信公司 Firewall policy management method and device
CN110677383A (en) * 2019-08-22 2020-01-10 平安科技(深圳)有限公司 Firewall opening method and device, storage medium and computer equipment
CN110768934A (en) * 2018-07-27 2020-02-07 阿里巴巴集团控股有限公司 Method and device for checking network access rule
CN111988273A (en) * 2020-07-07 2020-11-24 国网思极网安科技(北京)有限公司 Firewall policy management method and device
CN112019361A (en) * 2019-05-30 2020-12-01 阿里巴巴集团控股有限公司 Migration method and device of access control list, storage medium and electronic equipment
CN112565287A (en) * 2020-12-18 2021-03-26 深信服科技股份有限公司 Asset exposure surface determining method and device, firewall and storage medium
CN113162782A (en) * 2020-01-22 2021-07-23 中国移动通信集团山东有限公司 Data center network configuration method and device
CN113452715A (en) * 2021-06-29 2021-09-28 中国工商银行股份有限公司 Management method, system, equipment and readable storage medium of firewall policy
CN114050908A (en) * 2020-07-24 2022-02-15 中国移动通信集团浙江有限公司 Method and device for automatically auditing firewall policy and computer storage medium of computing equipment
CN115987628A (en) * 2022-12-22 2023-04-18 北京云澈科技有限公司 Method, device, processor and storage medium for monitoring and accessing violation policies based on network flow and firewall configuration
CN116132200A (en) * 2023-04-18 2023-05-16 北京云澈科技有限公司 Processing method, device, processor and computer storage medium for monitoring firewall policy quality based on network space dynamic data

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1864226A2 (en) * 2005-03-28 2007-12-12 Wake Forest University Methods, systems, and computer program products for network firewall policy optimization
CN101582900A (en) * 2009-06-24 2009-11-18 成都市华为赛门铁克科技有限公司 Firewall security policy configuration method and management unit
CN101753369A (en) * 2008-12-03 2010-06-23 北京天融信网络安全技术有限公司 Method and device for detecting firewall rule conflict
CN102594770A (en) * 2011-01-07 2012-07-18 张咏 Adaptive optimizing method based on cloud storage firewall

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1864226A2 (en) * 2005-03-28 2007-12-12 Wake Forest University Methods, systems, and computer program products for network firewall policy optimization
CN101753369A (en) * 2008-12-03 2010-06-23 北京天融信网络安全技术有限公司 Method and device for detecting firewall rule conflict
CN101582900A (en) * 2009-06-24 2009-11-18 成都市华为赛门铁克科技有限公司 Firewall security policy configuration method and management unit
CN102594770A (en) * 2011-01-07 2012-07-18 张咏 Adaptive optimizing method based on cloud storage firewall

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
张李: "基于统计分析方法的防火墙优化研究", 《中国学术期刊》 *
范光远,辛阳: ""防火墙审计方案的分析与设计"", 《信息网络安全》 *

Cited By (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105721188A (en) * 2014-12-04 2016-06-29 北京神州泰岳信息安全技术有限公司 Firewall strategy check method and system
CN105791213A (en) * 2014-12-18 2016-07-20 华为技术有限公司 Strategy optimization device and method
CN105791213B (en) * 2014-12-18 2020-01-10 华为技术有限公司 Policy optimization device and method
CN106034116A (en) * 2015-03-13 2016-10-19 国家计算机网络与信息安全管理中心 Method and system for reducing malicious network flow
CN104735084A (en) * 2015-04-13 2015-06-24 国家电网公司 Firewall baseline strategy auditing method
CN105847258A (en) * 2016-03-25 2016-08-10 国家电网公司 Firewall-based method for analyzing ACL company internal resource opening scope
CN105847258B (en) * 2016-03-25 2019-01-29 国家电网公司 Internal enterprise resources range of opening analysis method based on firewall ACL
CN106657047A (en) * 2016-12-14 2017-05-10 北京启明星辰信息安全技术有限公司 Network access relationship generation method and apparatus
CN108462676A (en) * 2017-02-20 2018-08-28 中兴通讯股份有限公司 The management method and device of Network Security Device
CN107566359A (en) * 2017-08-25 2018-01-09 郑州云海信息技术有限公司 A kind of intelligent fire-proofing wall system and means of defence
CN109040037A (en) * 2018-07-20 2018-12-18 南京方恒信息技术有限公司 A kind of safety auditing system based on strategy and rule
CN110768934A (en) * 2018-07-27 2020-02-07 阿里巴巴集团控股有限公司 Method and device for checking network access rule
CN109040089A (en) * 2018-08-15 2018-12-18 深圳前海微众银行股份有限公司 Network strategy auditing method, equipment and computer readable storage medium
CN109768962A (en) * 2018-12-13 2019-05-17 平安科技(深圳)有限公司 Firewall strategy-generating method, device, computer equipment and storage medium
CN109768962B (en) * 2018-12-13 2022-04-12 平安科技(深圳)有限公司 Firewall strategy generation method and device, computer equipment and storage medium
CN109639743A (en) * 2018-12-13 2019-04-16 成都亚信网络安全产业技术研究院有限公司 A kind of firewall policy detection method and equipment
CN109802960A (en) * 2019-01-08 2019-05-24 深圳中兴网信科技有限公司 Firewall policy processing method and processing device, computer equipment and storage medium
CN112019361A (en) * 2019-05-30 2020-12-01 阿里巴巴集团控股有限公司 Migration method and device of access control list, storage medium and electronic equipment
CN110324826A (en) * 2019-06-10 2019-10-11 平安科技(深圳)有限公司 A kind of Intranet access method and relevant apparatus
CN110677383A (en) * 2019-08-22 2020-01-10 平安科技(深圳)有限公司 Firewall opening method and device, storage medium and computer equipment
CN110661811A (en) * 2019-10-10 2020-01-07 国网山东省电力公司信息通信公司 Firewall policy management method and device
CN113162782A (en) * 2020-01-22 2021-07-23 中国移动通信集团山东有限公司 Data center network configuration method and device
CN113162782B (en) * 2020-01-22 2022-12-09 中国移动通信集团山东有限公司 Data center network configuration method and device
CN111988273A (en) * 2020-07-07 2020-11-24 国网思极网安科技(北京)有限公司 Firewall policy management method and device
CN114050908A (en) * 2020-07-24 2022-02-15 中国移动通信集团浙江有限公司 Method and device for automatically auditing firewall policy and computer storage medium of computing equipment
CN114050908B (en) * 2020-07-24 2023-07-21 中国移动通信集团浙江有限公司 Method, device, computing equipment and computer storage medium for automatically auditing firewall policy
CN112565287A (en) * 2020-12-18 2021-03-26 深信服科技股份有限公司 Asset exposure surface determining method and device, firewall and storage medium
CN113452715A (en) * 2021-06-29 2021-09-28 中国工商银行股份有限公司 Management method, system, equipment and readable storage medium of firewall policy
CN115987628A (en) * 2022-12-22 2023-04-18 北京云澈科技有限公司 Method, device, processor and storage medium for monitoring and accessing violation policies based on network flow and firewall configuration
CN116132200A (en) * 2023-04-18 2023-05-16 北京云澈科技有限公司 Processing method, device, processor and computer storage medium for monitoring firewall policy quality based on network space dynamic data

Similar Documents

Publication Publication Date Title
CN104135461A (en) Firewall policy processing method and device
EP2721801B1 (en) Security measures for the smart grid
CN108063753A (en) A kind of information safety monitoring method and system
CN105634998B (en) Method and system for unified monitoring of physical machine and virtual machine in multi-tenant environment
DE102016103521A1 (en) Detection of anomalies in industrial communication networks
US20150281176A1 (en) Method And Technique for Automated Collection, Analysis, and Distribution of Network Security Threat Information
DE102016109358A1 (en) Configurable robustness agent in a plant safety system
CN107819633B (en) Method for rapidly discovering and processing network fault
CN110752951A (en) Industrial network flow monitoring and auditing method, device and system
CN109150869B (en) Switch information acquisition and analysis system and method
CN103607299A (en) Network management system
CN112506167B (en) Method and system for processing abnormity of industrial network equipment
CN112468592B (en) Terminal online state detection method and system based on electric power information acquisition
CN102184473A (en) Comprehensive supervisory system for secondary power system
CN107704359A (en) A kind of monitoring system of big data platform
CN206962850U (en) The security protection system and power information system of Electricity Information Network
CN106534110B (en) Trinity transformer substation secondary system safety protection system framework system
CN105045100A (en) Intelligent operation monitoring platform for management by use of mass data
CN110971467A (en) Network centralized management system
CN110049015B (en) Network security situation awareness system
Ciancamerla et al. An electrical grid and its SCADA under cyber attacks: Modelling versus a Hybrid Test Bed
CN116743804A (en) Visual supervisory systems of computer lab
CN207070054U (en) A kind of cable broadband hfc plant backhaul lines monitoring system
KR102145421B1 (en) Digital substation with smart gateway
CN112615744A (en) Computer lab asset cloud safety management platform

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20141105)