CN104580078B - Network access control method and system

Info

Publication number
CN104580078B
Authority
CN
China
Prior art keywords
firewall
command script
target
executable
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310481662.0A
Other languages
Chinese (zh)
Other versions
CN104580078A (en)
Inventor
唐鲲鹏
付宗源
李然
张建军
苏砫
王明漪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Shenzhou Taiyue Software Co Ltd
Original Assignee
Beijing Shenzhou Taiyue Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Shenzhou Taiyue Software Co Ltd
Priority to CN201310481662.0A
Publication of CN104580078A
Application granted
Publication of CN104580078B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
        • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L41/08 Configuration management of networks or network elements
                • H04L41/0803 Configuration setting
                    • H04L41/084 Configuration by using pre-existing information, e.g. using templates or copying from other elements
                        • H04L41/0843 Configuration by using pre-existing information based on generic templates
                • H04L41/0876 Aspects of the degree of configuration automation
                    • H04L41/0886 Fully automatic configuration

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Automation & Control Theory (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network access control method and system in the field of computer network information security. An executable firewall command script is generated automatically by an algorithm for firewalls of different brands and models, the executable firewall command script is delivered to the target firewall device, the new policy is configured on the firewall automatically, and network access is then controlled according to the newly configured firewall policy. This provides an efficient and accurate scheme for automatic firewall policy configuration with flexible policy customisation, giving network access control a stronger security guarantee and a more flexible basis for application.

Description

Network access control method and system
Technical field
The present invention relates to the field of computer network information security, and in particular to a network access control method and system.
Background technology
In recent years more and more enterprises and individuals have paid attention to the security of network access and data, and the use of firewalls has grown accordingly.
In the prior art, controlling network access security with a firewall mainly comprises the following steps:
1. The user selects the firewall device that matches the equipment to be protected and locates the required commands;
2. The user manually sets the parameters of the firewall commands so that they fit the real network environment;
3. The adjusted commands are delivered to the firewall by hand and executed there;
4. The returned execution results are checked and analysed by hand;
5. Network access is controlled according to the newly configured firewall policy.
This configuration method has significant limitations. For each managed device and managed network the executable firewall commands must be adjusted by hand a second time: parameters such as the source address, destination address and port in the command script are edited manually for the actual environment, the edited commands are then delivered to the firewall manually, and after execution the returned results have to be collected and analysed. When many commands must be executed this adds a large workload for the security administrator and increases the risk of error, and efficiency is even harder to guarantee, which greatly limits the further development of firewall-based network access security control.
Summary of the invention
In view of the above problems, embodiments of the present invention provide a network access control method and system, to solve the problem that firewall administrators currently compose and deliver firewall commands by hand, which makes configuring policies on multiple firewalls inefficient and inaccurate.
Embodiments of the present invention adopt the following technical solution:
One embodiment of the invention provides a network access control method, the method comprising:
obtaining the firewall policy requirement information to be configured;
matching the source address and destination address in the requirement information to obtain the target firewall device on which the firewall policy is to be opened, and selecting the corresponding firewall command script template according to the brand and/or model of the target firewall device;
automatically filling the policy parameters in the requirement information into the corresponding parameter positions of the firewall command script template to generate an executable firewall command script;
automatically delivering the executable firewall command script to the target firewall device and automatically configuring the firewall with the new policy;
controlling network access according to the newly configured firewall policy.
Matching the source address and destination address in the requirement information to obtain the target firewall device on which the firewall policy is to be opened, and selecting the corresponding firewall command script template according to the brand and/or model of the target firewall device, specifically comprises:
matching the source address and destination address in the requirement information against a predetermined firewall zone relation table to obtain the target firewall device on which the firewall policy is to be opened, where the firewall zone relation table records the source address and destination address information of the zone of each firewall device;
obtaining the brand and/or model of the target firewall from the target firewall device obtained;
matching, among preset firewall command script templates for different brands and/or models, the firewall command script template corresponding to the brand and/or model of the target firewall.
After generating the executable firewall command script, the method further comprises: generating a delivery work order for the executable firewall command script.
Automatically delivering the executable firewall command script to the target firewall device and automatically configuring the firewall with the new policy specifically comprises:
simulating a connection to the target firewall device with terminal emulation;
delivering the executable firewall command script to the target firewall device by executing the delivery work order;
automatically configuring the firewall with the new policy by executing the executable firewall command script.
Automatically filling the policy parameters in the requirement information into the corresponding parameter positions of the firewall command script template is specifically:
filling the policy parameters in the requirement information into the corresponding parameter positions of the firewall command script template with an automatic form-filling algorithm.
The method further comprises:
monitoring the firewall policy configuration process by work order control, and feeding back the monitoring results for firewall policy analysis.
Obtaining the firewall policy requirement information to be configured comprises:
receiving firewall policy requirement information that is entered; or
automatically collecting the firewall policy to be configured and automatically extracting the requirement information from it.
In addition, an embodiment of the present invention provides a network access control system, the system comprising:
an acquisition module for obtaining the firewall policy requirement information to be configured;
a template selection module for matching the source address and destination address in the requirement information to obtain the target firewall device on which the firewall policy is to be opened, and selecting the corresponding firewall command script template according to the brand and/or model of the target firewall device;
an executable script generation module for automatically filling the policy parameters in the requirement information into the corresponding parameter positions of the firewall command script template to generate an executable firewall command script;
a delivery and configuration module for automatically delivering the executable firewall command script to the target firewall device and automatically configuring the firewall with the new policy;
a security control module for controlling network access according to the newly configured firewall policy.
The executable script generation module further comprises:
a work order generation unit for generating a delivery work order for the executable firewall command script.
The delivery and configuration module specifically comprises:
a connection unit for simulating a connection to the target firewall device with terminal emulation;
an automatic delivery unit for delivering the executable firewall command script to the target firewall device by executing the delivery work order;
an automatic configuration unit for automatically configuring the firewall with the new policy by executing the executable firewall command script.
The delivery and configuration module further comprises:
an automatic monitoring unit for monitoring the firewall policy configuration process by work order control and feeding back the monitoring results for firewall policy analysis.
The executable script generation module is specifically for:
filling the policy parameters into the corresponding parameter positions of the firewall command script template with an automatic form-filling algorithm.
The acquisition module specifically comprises:
an input receiving unit for receiving entered firewall policy requirement information; or
an automatic extraction unit for automatically collecting the firewall policy to be configured and automatically extracting the requirement information from it.
It can be seen that embodiments of the present invention provide a network access control method and system in which an executable firewall command script is generated automatically by an algorithm for firewalls of different brands and models, the executable firewall command script is delivered to the target firewall device, the new policy is configured on the firewall automatically, and network access is then controlled according to the newly configured firewall policy. This provides an efficient and accurate scheme for automatic firewall policy configuration with flexible policy customisation, giving network access control a stronger security guarantee and a more flexible basis for application.
Further, embodiments of the present invention also generate a delivery work order for the executable firewall command script, simulate a connection to the target device with terminal emulation, and deliver the executable firewall command script to the target firewall device by executing the delivery work order, which further improves the efficiency and accuracy of automatic firewall policy configuration.
Brief description of the drawings
Fig. 1 is a flow chart of a network access control method provided by an embodiment of the present invention;
Fig. 2 is a structural diagram of a network access control system provided by an embodiment of the present invention.
Detailed description
To make the objects, technical solutions and advantages of the present invention clearer, the embodiments are described in further detail below with reference to the drawings.
Embodiments of the present invention can implement customised automatic execution on firewalls; the main technical difficulty lies in automatically generating an executable firewall command script and automatically delivering and executing it. Overall idea: the scheme mainly consists of a process that automatically generates the firewall policy command script and a process that automatically delivers and executes it, after which network access is controlled according to the newly configured firewall policy. The script generation process specifically comprises: determining the business access requirement information, such as the requested source address, destination address, protocol and port number; obtaining, from the address-to-zone relation table and the zone-to-firewall-device relation table, the firewall device on which the policy must be opened, according to the source and destination addresses in the request; determining the applicable command script template according to the firewall brand and model; and generating the executable firewall command script by a logical operation on the requirement information and the template information (the logical operation means that the system automatically substitutes the parameters determined earlier into the corresponding parameter positions of the script template to produce a complete command script; in one embodiment it is an automatic form-filling algorithm). The delivery and execution process mainly comprises: the system simulates a connection to the destination firewall device with terminal emulation and creates a delivery work order for the executable script; the system executes the delivery work order automatically, which delivers the executable script to the firewall and so achieves automatic delivery of the firewall command script; and the executable commands are executed so that the firewall is automatically configured with the new policy.
Referring to Fig. 1, an embodiment of the present invention provides a network access control method comprising the following steps:
S101: Obtain the firewall policy requirement information to be configured.
The requirement information for a firewall policy to be newly opened or newly configured is the parameter information of the script, mainly the source address, destination address and policy parameters, i.e. business access information such as source address, destination address, protocol and port number.
Determining the requirement information for the policy to be opened is the first precondition for generating the firewall command script.
Specifically, the firewall policy requirement information to be configured may be obtained by:
receiving entered firewall policy requirement information; or automatically collecting the firewall policy to be configured and automatically extracting the requirement information from it.
That is, it is determined by one of two methods: A, manual entry; B, automatic collection.
A, manual entry. The source address, destination address, protocol, port number and other data of the firewall policy are entered into the system by hand.
B, automatic collection. Firewall policy information is collected automatically, and the source/destination addresses, protocol, port numbers and other firewall command script information involved in the policy are extracted from it automatically for subsequent logical generation together with the script template.
S102: Match the source address and destination address in the requirement information to obtain the target firewall device on which the firewall policy is to be opened, and select the corresponding firewall command script template according to the brand and/or model of the target firewall device.
In one embodiment of the invention this step may specifically comprise the following sub-steps:
Sub-step 1: match the source address and destination address in the requirement information against a predetermined firewall zone relation table to obtain the target firewall device on which the firewall policy is to be opened.
The preset firewall zone relation table records the source address and destination address information of the zone in which each firewall device is located.
In practice, the requirement information needed for the firewall script (source address, destination address and so on) is combined with the firewall zone relation table to automatically match the firewall device on which the policy must be opened; this is the second precondition for generating the firewall command script.
The automatic matching method is: compare the script requirement information with the data in the firewall zone relation table; when a firewall entry in the table is identical to, or covers, the requirement information, that firewall is locked in as the firewall device on which the policy must be opened.
Sub-step 2: obtain the brand and/or model of the target firewall from the target firewall device obtained.
Sub-step 3: match the corresponding firewall command script template, among preset firewall command script templates for different brands and/or models, according to the brand and/or model of the target firewall.
Determining the firewall command script template is the third precondition for generating the firewall command script.
The method for determining the firewall script template: according to the brand, model, applicable command set and similar information of the firewall, the template is selected directly from the preset firewall script templates when the executable script is generated logically; the preset templates are firewall command script templates determined in advance.
S103: Automatically fill the policy parameters in the requirement information into the corresponding parameter positions of the firewall command script template to generate an executable firewall command script.
From the requirement information and the script template information, the system automatically matches the requirement data into the corresponding parameter positions of the firewall script template and thereby generates the executable firewall command script automatically; this is the key step and technical point of firewall command script generation.
The policy parameters are the specific parameters that this firewall policy needs to set.
In a concrete implementation, the executable firewall command script is generated by a logical operation on the policy parameters in the requirement information and the template information, where the logical operation means that the system automatically substitutes the parameters obtained earlier (the policy parameters) into the corresponding parameter positions of the script template to form a complete command script. In one embodiment the logical operation is an automatic form-filling algorithm: the policy parameters in the requirement information are filled into the corresponding parameter positions of the firewall command script template by the automatic form-filling algorithm.
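The generation process of S101 to S103, as an added worked example in Python; this is not code from the patent or from its assignee. The zone relation table, device names, brand and model identifiers, and the command syntax inside the templates are assumptions invented for the example and do not correspond to any real vendor's CLI. Because the filled-in template is executed on the device, the example also validates every policy parameter before substitution (addresses must parse, the port must be an integer in range, the policy name is restricted to a safe character set), a check the patent text does not mention but which a practitioner would want in any form-filling step that feeds a command line.

```python
import ipaddress
import re
from string import Template

# Constructed firewall zone relation table: for each firewall device, the
# source and destination address ranges of the zone it protects, plus its
# brand and model. Device names, ranges, brands and models are assumptions.
ZONE_TABLE = [
    {"device": "fw-dmz-01", "brand": "vendorA", "model": "m1",
     "src": ["10.1.0.0/16"], "dst": ["192.168.10.0/24"]},
    {"device": "fw-core-02", "brand": "vendorB", "model": "x9",
     "src": ["10.2.0.0/16", "10.3.0.0/16"], "dst": ["172.16.0.0/12"]},
]

# Preset command script templates keyed by (brand, model). The command syntax
# is illustrative only and does not correspond to any real vendor's CLI.
TEMPLATES = {
    ("vendorA", "m1"): Template(
        "policy add name $name src $src dst $dst proto $proto port $port action permit"),
    ("vendorB", "x9"): Template(
        "rule $name\n  source $src\n  destination $dst\n"
        "  service $proto/$port\n  action permit\n  commit"),
}

_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
_PROTOCOLS = {"tcp", "udp"}


def _covers(ranges, address):
    """True when one of the zone ranges is identical to or covers the address."""
    net = ipaddress.ip_network(address, strict=False)
    for r in ranges:
        r_net = ipaddress.ip_network(r)
        if r_net.version == net.version and net.subnet_of(r_net):
            return True
    return False


def select_firewall(src, dst):
    """Sub-step 1 of S102: the firewall whose zone covers both addresses."""
    for entry in ZONE_TABLE:
        if _covers(entry["src"], src) and _covers(entry["dst"], dst):
            return entry
    raise LookupError(f"no firewall zone covers {src} -> {dst}")


def validate_params(demand):
    """Normalise the policy parameters and reject anything that is not a
    well-formed address, protocol, port or name. The filled-in template is
    executed on the device, so free text must never reach a parameter slot."""
    src = ipaddress.ip_network(demand["src"], strict=False)
    dst = ipaddress.ip_network(demand["dst"], strict=False)
    proto = demand["proto"].lower()
    if proto not in _PROTOCOLS:
        raise ValueError(f"unsupported protocol {demand['proto']!r}")
    port = int(demand["port"])            # e.g. "443; reboot" fails here
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if not _NAME_RE.match(demand["name"]):
        raise ValueError(f"bad policy name {demand['name']!r}")
    return {"name": demand["name"], "src": str(src), "dst": str(dst),
            "proto": proto, "port": str(port)}


def generate_script(demand):
    """S101-S103: match the device, pick its template, fill the parameters.
    Returns (device name, executable command script)."""
    fw = select_firewall(demand["src"], demand["dst"])
    template = TEMPLATES[(fw["brand"], fw["model"])]
    return fw["device"], template.substitute(validate_params(demand))


# Constructed requirement information, as entered by hand (method A of S101).
SAMPLE_DEMAND = {"name": "app-web", "src": "10.1.5.20",
                 "dst": "192.168.10.0/24", "proto": "TCP", "port": "443"}

if __name__ == "__main__":
    device, script = generate_script(SAMPLE_DEMAND)
    print(device)
    print(script)
```

The matching rule follows the text of sub-step 1: an entry matches when its zone range is identical to the requested address or covers it, which is what `subnet_of` tests. A host address such as 10.1.5.20 is normalised to 10.1.5.20/32 so the same check works for hosts and networks. A request that no zone covers raises `LookupError` rather than silently picking a device, and any parameter that does not validate raises `ValueError` before a template is touched.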
S104: Automatically deliver the executable firewall command script to the target firewall device and automatically configure the firewall with the new policy.
The method and process for delivering the firewall script automatically is the key technology of the delivery part. In one embodiment of the invention, delivery of the policy-opening command script may be implemented as follows: a delivery work order is created whose content is the script to be delivered to the firewall and can be adjusted; a connection to the firewall is simulated with terminal emulation; and the executable commands are delivered to the firewall, which achieves delivery of the executable script to the firewall.
Specifically, after the executable firewall command script is generated, the method further comprises: generating a delivery work order for the executable firewall command script.
Correspondingly, automatically delivering the executable firewall command script to the target firewall device and automatically configuring the firewall with the new policy specifically comprises:
simulating a connection to the target firewall device with terminal emulation;
delivering the executable firewall command script to the target firewall device by executing the delivery work order;
and automatically configuring the firewall with the new policy by executing the executable firewall command script.
The system simulates a connection to the destination device with terminal emulation, delivers the executable commands (the executable firewall command script) to the firewall, and has the commands of the executable firewall command script executed one by one, so that the new policy is opened and set on the firewall.
Preferably, the method of the embodiment further comprises: monitoring the firewall policy configuration process by work order control, and feeding back the monitoring results for firewall policy analysis. By creating a delivery work order whose content, the script to be delivered to the firewall, can be adjusted, simulating a connection to the firewall with terminal emulation, delivering the executable commands to the firewall, and analysing the execution feedback returned by the firewall, delivery of the executable script to the firewall is achieved.
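The delivery process of S104 and the work order monitoring described above, as an added example in Python; this is not code from the patent. The `SimulatedFirewall` class is an in-memory stand-in for the terminal-emulation session (a real deployment would drive an SSH or telnet CLI) and it only understands the illustrative command syntax used here, which is an assumption and not any real vendor's CLI. The work order records the device response for every command, and execution stops at the first error so that a `commit` is never sent on top of a command the device rejected; that stop-on-error rule is the example's own design choice, not something the patent specifies.

```python
from dataclasses import dataclass, field


@dataclass
class WorkOrder:
    """Delivery work order: target device, the script as one command per
    line, and the per-command feedback collected while it executes."""
    device: str
    commands: list
    results: list = field(default_factory=list)   # (command, response) pairs
    status: str = "pending"                       # pending | applied | failed


class SimulatedFirewall:
    """Stand-in for a terminal-emulation session to a firewall CLI.
    Commands are staged with 'policy add ...' and activated by 'commit';
    anything else is answered with an error line starting with '%'."""

    def __init__(self):
        self.rules = []       # active rules
        self.pending = []     # staged but not yet committed

    def run(self, command):
        if command.startswith("policy add "):
            self.pending.append(command)
            return "OK"
        if command == "commit":
            self.rules.extend(self.pending)
            self.pending.clear()
            return f"OK: {len(self.rules)} rules active"
        return f"% Unknown command: {command}"


def build_work_order(device, script):
    """Turn a generated script into a work order, one command per line."""
    commands = [line.strip() for line in script.splitlines() if line.strip()]
    return WorkOrder(device=device, commands=commands)


def execute_work_order(order, session):
    """Execute the commands one by one, recording the device response for
    each. Stop at the first error so later commands (in particular the
    commit) are not applied on top of a rejected one."""
    for command in order.commands:
        response = session.run(command)
        order.results.append((command, response))
        if response.startswith("%"):
            order.status = "failed"
            return order
    order.status = "applied"
    return order


def analyze_feedback(order):
    """Summarise a finished work order for firewall policy analysis."""
    failed = [cmd for cmd, resp in order.results if resp.startswith("%")]
    return {
        "device": order.device,
        "status": order.status,
        "executed": len(order.results),
        "total": len(order.commands),
        "failed_command": failed[0] if failed else None,
    }


# Constructed scripts in the illustrative syntax. BAD_SCRIPT contains a typo
# ('polcy') in its second command to show how a failure is reported.
GOOD_SCRIPT = (
    "policy add name app-web src 10.1.5.20/32 dst 192.168.10.0/24 "
    "proto tcp port 443 action permit\ncommit"
)
BAD_SCRIPT = (
    "policy add name app-web src 10.1.5.20/32 dst 192.168.10.0/24 "
    "proto tcp port 443 action permit\n"
    "polcy add name app-db src 10.1.5.21/32 dst 192.168.10.0/24 "
    "proto tcp port 5432 action permit\ncommit"
)

if __name__ == "__main__":
    for script in (GOOD_SCRIPT, BAD_SCRIPT):
        session = SimulatedFirewall()
        order = execute_work_order(build_work_order("fw-dmz-01", script), session)
        print(analyze_feedback(order), "active rules:", len(session.rules))
```

The summary returned by `analyze_feedback` is the monitoring result the text says is fed back for policy analysis: which device, whether the order was applied, how many of its commands ran, and the first command the device rejected. With the faulty script the order stops after two commands and the simulated device has no active rules, because the commit was never sent.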
S105: Control network access according to the newly configured firewall policy.
Where command scripts must be configured on multiple firewalls, the executable command script for each firewall is generated automatically from the configuration requirement information, the firewall command script template and the logical operation, which removes the manual work and improves the efficiency of firewall script configuration; the target device is connected with terminal emulation, the configured executable commands are delivered to the corresponding firewall for execution, and the execution feedback is analysed.
It can be seen that the embodiment of the present invention provides a network access control method in which an executable firewall command script is generated automatically by an algorithm for firewalls of different brands and models, the executable firewall command script is delivered to the target firewall device, the new policy is configured on the firewall automatically, and network access is then controlled according to the newly configured firewall policy. This provides an efficient and accurate scheme for automatic firewall policy configuration with flexible policy customisation, giving network access control a stronger security guarantee and a more flexible basis for application.
Further, the embodiment also generates a delivery work order for the executable firewall command script, simulates a connection to the target device with terminal emulation, and delivers the executable firewall command script to the target firewall device by executing the delivery work order, which further improves the efficiency and accuracy of automatic firewall policy configuration.
Referring to Fig. 2, an embodiment of the present invention provides a network access control system, the system comprising:
An acquisition module 201 for obtaining the firewall policy requirement information to be configured.
A template selection module 202 for matching the source address and destination address in the requirement information to obtain the target firewall device on which the firewall policy is to be opened, and selecting the corresponding firewall command script template according to the brand and/or model of the target firewall device.
An executable script generation module 203 for automatically filling the policy parameters in the requirement information into the corresponding parameter positions of the firewall command script template to generate an executable firewall command script.
A delivery and configuration module 204 for automatically delivering the executable firewall command script to the target firewall device and automatically configuring the firewall with the new policy.
A security control module 205 for controlling network access according to the newly configured firewall policy.
Further, the executable script generation module further comprises:
a work order generation unit for generating a delivery work order for the executable firewall command script.
Correspondingly, the delivery and configuration module specifically comprises:
a connection unit for simulating a connection to the target firewall device with terminal emulation;
an automatic delivery unit for delivering the executable firewall command script to the target firewall device by executing the delivery work order;
and an automatic configuration unit for automatically configuring the firewall with the new policy by executing the executable firewall command script.
Preferably, in the system provided by the embodiment, the delivery and configuration module further comprises:
an automatic monitoring unit for monitoring the firewall policy configuration process by work order control and feeding back the monitoring results for firewall policy analysis.
Specifically, the executable script generation module may be used for:
filling the policy parameters into the corresponding parameter positions of the firewall command script template with an automatic form-filling algorithm.
In one embodiment of the invention, the acquisition module may specifically comprise:
an input receiving unit for receiving entered firewall policy requirement information;
or an automatic extraction unit for automatically collecting the firewall policy to be configured and automatically extracting the requirement information from it.
For the operating principle and processing of each module or unit in this system embodiment, refer to the corresponding description of the method embodiment shown in Fig. 1; it is not repeated here.
It can be seen that the embodiment of the present invention provides a network access control system in which an executable firewall command script is generated automatically by an algorithm for firewalls of different brands and models, the executable firewall command script is delivered to the target firewall device, the new policy is configured on the firewall automatically, and network access is then controlled according to the newly configured firewall policy. This provides an efficient and accurate scheme for automatic firewall policy configuration with flexible policy customisation, giving network access control a stronger security guarantee and a more flexible basis for application.
Further, the embodiment also generates a delivery work order for the executable firewall command script, simulates a connection to the target device with terminal emulation, and delivers the executable firewall command script to the target firewall device by executing the delivery work order, which further improves the efficiency and accuracy of automatic firewall policy configuration.
To describe the technical solutions of the embodiments clearly, the words "first" and "second" are used in the embodiments to distinguish items whose function and effect are essentially the same or similar; those skilled in the art will understand that "first" and "second" do not limit quantity or order of execution.
Those skilled in the art will understand that all or part of the steps of the above method embodiments may be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method; the storage medium is, for example, ROM/RAM, a magnetic disk or an optical disc.
The above are only preferred embodiments of the present invention and are not intended to limit its scope. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention falls within its scope of protection.

Claims (9)

  1. A network access control method, characterised in that the method comprises:
    obtaining the firewall policy demand information to be configured;
    matching the source address and destination address in the demand information to obtain the target firewall device on which the firewall policy is to be opened, and selecting the corresponding firewall command script template according to the brand and/or model of the target firewall device;
    automatically filling the policy parameters in the demand information into the corresponding parameter positions of the firewall command script template, generating an executable firewall command script;
    automatically issuing the executable firewall command script to the target firewall device, and automatically configuring the firewall according to the new policy;
    performing security control over network access according to the newly configured firewall policy;
    wherein matching the source address and destination address in the demand information to obtain the target firewall device on which the firewall policy is to be opened, and selecting the corresponding firewall command script template according to the brand and/or model of the target firewall device, specifically comprises:
    matching the source address and destination address in the demand information against a predetermined firewall zone relation table to obtain the target firewall device on which the firewall policy is to be opened, the firewall zone relation table recording the source address and destination address information of the zone in which each firewall device is located;
    obtaining the target firewall brand and/or model from the obtained target firewall device;
    matching the corresponding firewall command script template, according to the target firewall brand and/or model, among the firewall command script templates preset for different brands and/or models.
  2. The method according to claim 1, characterised in that, after generating the executable firewall command script, the method further comprises: generating a delivery work order for the executable firewall command script;
    and that automatically issuing the executable firewall command script to the target firewall device and automatically configuring the firewall according to the new policy specifically comprises:
    connecting to the target firewall device using terminal emulation;
    issuing the executable firewall command script to the target firewall device by executing the delivery work order;
    automatically configuring the firewall according to the new policy by executing the executable firewall command script.
  3. The method according to claim 1, characterised in that automatically filling the policy parameters in the demand information into the corresponding parameter positions of the firewall command script template is specifically:
    using an automatic form-filling algorithm to fill the policy parameters in the demand information into the corresponding parameter positions of the firewall command script template.
  4. The method according to claim 1, characterised in that the method further comprises:
    using work-order regulation technology to monitor the configuration process of the firewall policy and feed back the monitoring result for use in firewall policy analysis.
  5. The method according to claim 1, characterised in that obtaining the firewall policy demand information to be configured comprises:
    receiving input firewall policy demand information; or
    automatically collecting the firewall policy to be configured and automatically extracting the demand information from it.
  6. A network access control system, characterised in that the system comprises:
    an acquisition module, for obtaining the firewall policy demand information to be configured;
    a template selection module, for matching the source address and destination address in the demand information to obtain the target firewall device on which the firewall policy is to be opened, and selecting the corresponding firewall command script template according to the brand and/or model of the target firewall device;
    an executable script generation module, for automatically filling the policy parameters in the demand information into the corresponding parameter positions of the firewall command script template, generating an executable firewall command script;
    an issuing and configuration module, for automatically issuing the executable firewall command script to the target firewall device and automatically configuring the firewall according to the new policy;
    a security control module, for performing security control over network access according to the newly configured firewall policy;
    the template selection module being specifically for matching the source address and destination address in the demand information against a predetermined firewall zone relation table to obtain the target firewall device on which the firewall policy is to be opened, the firewall zone relation table recording the source address and destination address information of the zone in which each firewall device is located;
    obtaining the target firewall brand and/or model from the obtained target firewall device;
    matching the corresponding firewall command script template, according to the target firewall brand and/or model, among the firewall command script templates preset for different brands and/or models.
  7. The system according to claim 6, characterised in that the executable script generation module further comprises:
    a work order generation unit, for generating a delivery work order for the executable firewall command script;
    the issuing and configuration module specifically comprises:
    a connection unit, for connecting to the target firewall device using terminal emulation;
    an automatic issuing unit, for issuing the executable firewall command script to the target firewall device by executing the delivery work order;
    an automatic configuration unit, for automatically configuring the firewall according to the new policy by executing the executable firewall command script;
    and the issuing and configuration module further comprises:
    an automatic monitoring unit, for monitoring the configuration process of the firewall policy using work-order regulation technology and feeding back the monitoring result for use in firewall policy analysis.
  8. The system according to claim 7, characterised in that the executable script generation module is specifically for:
    using an automatic form-filling algorithm to fill the policy parameters into the corresponding parameter positions of the firewall command script template.
  9. The system according to claim 6, characterised in that the acquisition module specifically comprises:
    an input receiving unit, for receiving input firewall policy demand information; or
    an automatic extraction unit, for automatically collecting the firewall policy to be configured and automatically extracting the demand information from it.
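The pipeline the summary above and claims 1 to 4 describe (zone-table lookup, template selection by brand/model, automatic parameter filling, delivery work order executed over a terminal session, monitoring log) is shown end to end in the following Python. This is an added example, not code from the patent or its assignee: the zone table, the two brand/model entries, the command templates (the patent gives no command syntax; these imitate two well-known CLIs) and the FakeTerminal standing in for the terminal-emulation session are all constructed here. It also type-checks every parameter before the template is filled, a check the claims do not mention but which matters because the rendered script runs as privileged CLI commands on the firewall.

```python
"""Template-driven firewall policy provisioning, following the claimed steps.
Added example, not code from the patent: zone table, brand/model names,
command templates and FakeTerminal are all constructed assumptions."""
import ipaddress
from dataclasses import dataclass, field
from string import Template

# Constructed firewall zone relation table (claim 1): for each firewall, the
# source and destination zones it sits between, plus its brand and model.
ZONE_TABLE = [
    {"device": "fw-dmz-1", "brand": "cisco", "model": "asa",
     "src_net": "10.1.0.0/16", "dst_net": "10.2.0.0/16"},
    {"device": "fw-core-1", "brand": "linux", "model": "iptables",
     "src_net": "10.2.0.0/16", "dst_net": "10.3.0.0/16"},
]

# Constructed command script templates keyed by (brand, model).
TEMPLATES = {
    ("cisco", "asa"): Template(
        "access-list ${acl} extended ${action} ${proto} host ${src} host ${dst} eq ${port}\n"
        "access-group ${acl} in interface outside\n"
        "write memory\n"),
    ("linux", "iptables"): Template(
        "iptables -A FORWARD -p ${proto} -s ${src} -d ${dst} --dport ${port} -j ${target}\n"
        "iptables-save > /etc/iptables/rules.v4\n"),
}
ACTION_WORDS = {  # per-platform spelling of the demand's permit/deny
    ("cisco", "asa"): {"permit": "permit", "deny": "deny"},
    ("linux", "iptables"): {"permit": "ACCEPT", "deny": "DROP"},
}


def match_target_firewalls(demand, table=ZONE_TABLE):
    """Zone-table lookup: rows whose zones contain both demand addresses."""
    src = ipaddress.ip_address(demand["src"])  # ValueError if not an IP address
    dst = ipaddress.ip_address(demand["dst"])
    return [row for row in table
            if src in ipaddress.ip_network(row["src_net"])
            and dst in ipaddress.ip_network(row["dst_net"])]


def validate_params(demand):
    """Normalise and type-check each field before it is spliced into a CLI line.
    Demand information may come from a user form, so anything that is not a
    well-formed address, port, protocol or action is rejected, not rendered."""
    src = str(ipaddress.ip_address(demand["src"]))
    dst = str(ipaddress.ip_address(demand["dst"]))
    port = int(demand["port"])
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    if demand["proto"] not in ("tcp", "udp"):
        raise ValueError("unsupported protocol: %r" % demand["proto"])
    if demand["action"] not in ("permit", "deny"):
        raise ValueError("unsupported action: %r" % demand["action"])
    return {"src": src, "dst": dst, "port": str(port),
            "proto": demand["proto"], "action": demand["action"]}


def generate_script(demand, row):
    """Auto-fill the template selected by the target firewall's brand/model."""
    key = (row["brand"], row["model"])
    params = validate_params(demand)
    word = ACTION_WORDS[key][params["action"]]
    params.update(action=word, target=word,
                  acl="AUTO_" + params["src"].replace(".", "_"))
    return TEMPLATES[key].substitute(params)  # KeyError if a needed field is absent


@dataclass
class WorkOrder:
    """Delivery work order (claim 2) plus the monitoring log it accumulates (claim 4)."""
    device: str
    script: str
    log: list = field(default_factory=list)
    status: str = "pending"


class FakeTerminal:
    """Constructed stand-in for the terminal-emulation session: records each
    line it would send and echoes a prompt the way a real CLI does."""
    def __init__(self, device):
        self.device = device
        self.sent = []

    def send(self, line):
        self.sent.append(line)
        return "%s# %s" % (self.device, line)


def execute_work_order(order, session_factory=FakeTerminal):
    """Connect, push the script line by line, and keep the session for review."""
    session = session_factory(order.device)
    for line in order.script.splitlines():
        order.log.append(session.send(line))
    order.status = "applied"
    return order


def provision(demand):
    """End to end: locate firewalls, render per-platform scripts, deliver them."""
    return [execute_work_order(WorkOrder(row["device"], generate_script(demand, row)))
            for row in match_target_firewalls(demand)]


if __name__ == "__main__":
    for order in provision({"src": "10.1.5.20", "dst": "10.2.8.9",
                            "port": 443, "proto": "tcp", "action": "permit"}):
        print(order.device, order.status)
        print("\n".join(order.log))
```

Because `match_target_firewalls` returns every zone-table row that contains both addresses, a demand that crosses more than one firewall yields one work order per device, each rendered with that device's own template; a demand that matches no row yields no work orders at all, which a real system should surface as a request that needs manual routing rather than silently succeed.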
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310481662.0A CN104580078B (en) 2013-10-15 2013-10-15 A kind of method for network access control and system

Publications (2)

Publication Number Publication Date
CN104580078A CN104580078A (en) 2015-04-29
CN104580078B true CN104580078B (en) 2018-04-17

Family

ID=53095284

Families Citing this family (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105100109B (en) 2015-08-19 2019-05-24 华为技术有限公司 A kind of method and device of deployment secure access control policy
CN105681327B (en) * 2016-02-26 2019-05-31 上海携程商务有限公司 The automatic querying method and system of firewall policy
CN105827649A (en) * 2016-05-19 2016-08-03 上海携程商务有限公司 Method and system for automatically generating firewall policy
CN106060041A (en) * 2016-05-30 2016-10-26 北京琵琶行科技有限公司 Enterprises network access authority control method and device
CN108683632A (en) * 2018-04-04 2018-10-19 山石网科通信技术有限公司 Firewall security policy method of adjustment and device
CN109413017B (en) * 2018-04-28 2020-07-31 武汉思普崚技术有限公司 Method and system for managing heterogeneous firewall
US11677627B2 (en) * 2018-06-29 2023-06-13 Forescout Technologies, Inc. Dynamic segmentation management
CN109361711B (en) * 2018-12-14 2021-10-29 泰康保险集团股份有限公司 Firewall configuration method and device, electronic equipment and computer readable medium
CN109510842B (en) * 2018-12-29 2021-01-29 北京威努特技术有限公司 Method and device for configuring forced access control strategy of industrial control network file
CN110247896B (en) * 2019-05-22 2022-06-14 深圳壹账通智能科技有限公司 Information processing method and device based on firewall opening and computer equipment
CN110213256B (en) * 2019-05-28 2021-09-28 哈尔滨工程大学 Firewall control method based on producer consumer mode
CN110336834A (en) * 2019-07-31 2019-10-15 中国工商银行股份有限公司 Treating method and apparatus for firewall policy
CN110430206B (en) * 2019-08-13 2022-03-01 上海新炬网络技术有限公司 Method for generating and configuring firewall security policy based on script templating
CN110677383B (en) * 2019-08-22 2023-02-24 平安科技(深圳)有限公司 Firewall wall opening method and device, storage medium and computer equipment
CN113079128B (en) * 2020-01-06 2022-10-18 中国移动通信集团安徽有限公司 Information blocking method and device, computing equipment and computer storage medium
CN111262879B (en) * 2020-02-13 2022-05-24 武汉思普崚技术有限公司 Firewall security policy opening method and device based on simulation path analysis
CN111835794B (en) * 2020-09-17 2021-01-05 腾讯科技(深圳)有限公司 Firewall policy control method and device, electronic equipment and storage medium
CN112383507B (en) * 2020-10-16 2023-07-11 深圳力维智联技术有限公司 Firewall policy management method, device, system and computer readable storage medium
CN112636953A (en) * 2020-12-07 2021-04-09 杭州迪普科技股份有限公司 Policy command issuing method and device and electronic equipment
CN113055391B (en) * 2021-03-25 2023-04-18 建信金融科技有限责任公司 Method and device for policy configuration conversion during firewall replacement
CN113810429B (en) * 2021-11-16 2022-02-11 北京安博通科技股份有限公司 Method for opening automatic strategy
CN114640532B (en) * 2022-03-29 2023-03-24 联想(北京)有限公司 Processing method and device and electronic equipment
CN115225307A (en) * 2022-05-12 2022-10-21 马上消费金融股份有限公司 Firewall management method, system, electronic equipment and storage medium
CN116016185A (en) * 2022-12-27 2023-04-25 重庆富民银行股份有限公司 Automatic issuing method for firewall policy

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005120008A1 (en) * 2004-05-25 2005-12-15 Nokia Corporation Extensions to the firewall configuration protocols and features
CN101582900A (en) * 2009-06-24 2009-11-18 成都市华为赛门铁克科技有限公司 Firewall security policy configuration method and management unit
CN101657793A (en) * 2007-04-05 2010-02-24 国际商业机器公司 Method, system and computer program for configuring firewalls
CN103023707A (en) * 2012-12-28 2013-04-03 华为技术有限公司 Method, managing server and network system for strategy configuration

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7966654B2 (en) * 2005-11-22 2011-06-21 Fortinet, Inc. Computerized system and method for policy-based content filtering

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP02 Change in the address of a patent holder
Address after: Room 818, 8/F, 34 Haidian Street, Haidian District, Beijing 100080
Patentee after: BEIJING ULTRAPOWER SOFTWARE Co.,Ltd.
Address before: 100089 Beijing city Haidian District wanquanzhuang Road No. 28 Wanliu new building 6 storey block A Room 601
Patentee before: BEIJING ULTRAPOWER SOFTWARE Co.,Ltd.