CN105704093A - Firewall access control strategy debugging method, device and system - Google Patents


Info

Publication number: CN105704093A
Authority: CN (China)
Prior art keywords: firewall, policy, access control, article, fire wall
Legal status: Granted
Application number: CN201410690385.9A
Other languages: Chinese (zh)
Other versions: CN105704093B (en)
Inventors: 马力鹏, 杜雪涛, 赵蓓, 吴日切夫, 张高山, 洪东, 常玲, 薛姗, 刘佳, 张艋, 张琳, 杜刚
Current assignee: China Mobile Group Design Institute Co Ltd
Original assignee: China Mobile Group Design Institute Co Ltd
Application filed by China Mobile Group Design Institute Co Ltd
Priority to CN201410690385.9A (granted as CN105704093B)
Publication of CN105704093A
Application granted; publication of CN105704093B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
Abstract

The invention discloses a firewall access control policy debugging method, apparatus and system. The method comprises the following steps: the firewall access control policies sent by a collection terminal are received, each firewall access control policy containing at least one firewall policy (rule); the access control policy of the X-th firewall is obtained and the policy anomaly weight of the X-th firewall itself is determined; the access control policy of a firewall adjacent to the X-th firewall is obtained, and the policy anomaly weight between the two firewalls is determined from the policy of the X-th firewall and the policy of the adjacent firewall; and the anomaly degree of the X-th firewall's access control policy is determined from the X-th firewall's own policy anomaly weight and the inter-firewall policy anomaly weight, so that debugging can be performed. With the technical scheme of the invention, the efficiency of analysing firewall access control policies is effectively improved, and the firewall device that should be fixed first can be pointed out to the administrator.

Description

A firewall access control policy error-checking method, apparatus and system
Technical field
The present invention relates to the field of internet information processing, and in particular to a firewall access control policy error-checking method, apparatus and system.
Background technology
Telecom operators run very large networks. To better protect the data on different devices, equipment at different security levels is generally divided into different security domains and sub-security domains, and firewalls are deployed between these domains to isolate them and control access between them, which forms a multi-level distributed firewall architecture.
A multi-level distributed firewall architecture greatly increases the workload and difficulty of configuring enterprise security policy. As business grows, the enterprise network keeps expanding and services keep changing, which leads to more firewall devices and continuous modification of the firewall access control policies. When many firewalls are managed, administrators increasingly overlook erroneous or contradictory policy configurations, both within one firewall's policy and between different firewalls.
In summary, as network size and the number of network interfaces keep growing in the prior art, the access policies held by firewalls become more and more numerous; if processing servers at several levels have to be built, or the access control lists of the related network devices have to be changed so that the firewall devices to be checked can be reached remotely over the wired network, the implementation is very difficult.
Summary of the invention
Embodiments of the present invention provide a firewall access control policy error-checking method and apparatus, which can effectively improve the efficiency of analysing firewall access control policies and point the administrator to the firewall device that should be fixed first.
An embodiment of the present invention provides a firewall access control policy error-checking method, comprising:
receiving the firewall access control policies sent by a collection terminal, where each firewall access control policy includes at least one firewall policy;
obtaining the access control policy of the X-th firewall and determining the policy anomaly weight of the X-th firewall itself;
obtaining the access control policy of the firewall immediately adjacent to the X-th firewall and, from the policy of the X-th firewall and the policy of the adjacent firewall, determining the inter-firewall policy anomaly weight, where the adjacent firewall is a firewall that has a direct parent-child relationship with the X-th firewall;
determining, from the X-th firewall's own policy anomaly weight and the inter-firewall policy anomaly weight, the anomaly degree of the X-th firewall's access control policy, for debugging.
Preferably, determining the policy anomaly weight of the X-th firewall itself comprises computing it by the following equation:
$W_X = \sum_{i=1}^{N} M_i$
where $W_X$ is the policy anomaly weight of the X-th firewall itself, $M_i$ is the anomaly degree of the i-th firewall policy in the X-th firewall's access control policy, and $N$ is the total number of firewall policies in the X-th firewall's access control policy.
Preferably, the anomaly degree of the i-th firewall policy in the X-th firewall's access control policy is determined by the following equation:
$M_i = \sum_{r=1}^{N-1} W_{ir}$
where $M_i$ is the anomaly degree of the i-th firewall policy in the X-th firewall's access control policy, $N$ is the total number of firewall policies in that access control policy, and $W_{ir}$ is the anomaly weight between the i-th firewall policy and each of the other $N-1$ firewall policies $r$ of the X-th firewall's access control policy.
Preferably, the anomaly weight between the i-th firewall policy and any of the other $N-1$ firewall policies of the X-th firewall's access control policy is one of the following:
If $R_A[\text{order}] < R_B[\text{order}]$ and $R_A[\text{action}] \neq R_B[\text{action}]$, the anomaly weight between policy A and policy B of the X-th firewall's access control policy is W1; or
If $R_A[\text{order}] < R_B[\text{order}]$ and $R_A[\text{action}] = R_B[\text{action}]$, the anomaly weight between policy A and policy B of the X-th firewall's access control policy is W2; or
If $\{R_B[\text{filter}]\} \not\subset \{R_A[\text{filter}]\}$, $\{R_A[\text{filter}]\} \not\subset \{R_B[\text{filter}]\}$ and $R_A[\text{action}] \neq R_B[\text{action}]$, the anomaly weight between policy A and policy B of the X-th firewall's access control policy is W3; or
If $\{R_B[\text{filter}]\} \not\subset \{R_A[\text{filter}]\}$, $\{R_A[\text{filter}]\} \not\subset \{R_B[\text{filter}]\}$ and $R_A[\text{action}] = R_B[\text{action}]$, the anomaly weight between policy A and policy B of the X-th firewall's access control policy is W4;
where $R[\text{order}]$ is the rule number of a firewall policy within the access control policy, $R[\text{action}]$ is the action part of that policy, and $\{R[\text{filter}]\}$ is the Cartesian product of all sub-items of the filter domain of rule $R$ in the access control policy.
Preferably, determining the inter-firewall policy anomaly weight for the X-th firewall comprises computing it by the following equation:
$W'_X = \sum_{i=1}^{N_X} M'_{Xi}$
where $W'_X$ is the inter-firewall policy anomaly weight of the X-th firewall, $M'_{Xi}$ is the anomaly degree of the i-th firewall policy of the X-th firewall's access control policy with respect to all firewall policies of the access control policy of the Y-th firewall adjacent to the X-th firewall, and $N_X$ is the total number of firewall policies in the X-th firewall's access control policy.
Preferably, the anomaly degree of the i-th firewall policy of the X-th firewall's access control policy with respect to all firewall policies of the adjacent Y-th firewall's access control policy is determined by the following equation:
$M'_{Xi} = \sum_{r=1}^{N_Y} W'_{ir}$
where $M'_{Xi}$ is the anomaly degree of the i-th firewall policy of the X-th firewall's access control policy with respect to all firewall policies of the adjacent Y-th firewall's access control policy, $N_Y$ is the total number of firewall policies in the access control policy of the Y-th firewall adjacent to the X-th firewall, and $W'_{ir}$ is the anomaly weight between the i-th firewall policy of the X-th firewall's access control policy and any firewall policy $r$ of the adjacent Y-th firewall's access control policy.
Preferably, the anomaly weight between the i-th firewall policy of the X-th firewall's access control policy and any firewall policy of the adjacent Y-th firewall's access control policy is one of the following:
If $F_x, F_y \in \text{Domain}_1$, $F_y$ is the parent of $F_x$, $F_xR_A[\text{filter}] = F_yR_B[\text{filter}]$ and $F_xR_A[\text{action}] \neq F_yR_B[\text{action}]$, then rule $R_A$ of firewall $F_x$ is covered by rule $R_B$ of $F_y$, and the anomaly weight between policy A of the X-th firewall's access control policy and policy B of the adjacent Y-th firewall's access control policy is W1; or
If $F_x, F_y \in \text{Domain}_1$, $F_y$ is the parent of $F_x$, and $F_xR_A[\text{action}] \neq F_yR_B[\text{action}]$, then rule $R_A$ of firewall $F_x$ is covered by rule $R_B$ of $F_y$, and the anomaly weight between policy A of the X-th firewall's access control policy and policy B of the adjacent Y-th firewall's access control policy is W1; or
If $F_x, F_y \in \text{Domain}_1$, $F_y$ is the parent of $F_x$, $F_xR_A[\text{filter}] = F_yR_B[\text{filter}]$ and $F_xR_A[\text{action}] = F_yR_B[\text{action}]$, then rule $R_A$ of firewall $F_x$ is redundant with rule $R_B$ of $F_y$, and the anomaly weight between policy A of the X-th firewall's access control policy and policy B of the adjacent Y-th firewall's access control policy is W2; or
If $F_x, F_y \in \text{Domain}_1$, $F_y$ is the parent of $F_x$, and $F_xR_A[\text{action}] = F_yR_B[\text{action}]$, then rule $R_A$ of firewall $F_x$ is redundant with rule $R_B$ of $F_y$, and the anomaly weight between policy A of the X-th firewall's access control policy and policy B of the adjacent Y-th firewall's access control policy is W2; or
If $F_x, F_y \in \text{Domain}_1$, $F_y$ is the parent of $F_x$, and $F_xR_A[\text{action}] \neq F_yR_B[\text{action}]$, then $F_xR_A$ and $F_yR_B$ are said to be in a correlation anomaly, and the anomaly weight between policy A of the X-th firewall's access control policy and policy B of the adjacent Y-th firewall's access control policy is W3;
where $R[\text{filter}]$ is the filter part of the i-th firewall policy in the firewall control policy, and $R[\text{action}]$ is the action part of the i-th firewall policy in the firewall control policy.
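The two weight computations described above, the intra-firewall weight $W_X$ and the inter-firewall weight $W'_X$, worked through as an added example; the script below is mine and is not the applicant's code. It represents a rule by R[order], R[action] and a filter domain whose {R[filter]} is the Cartesian product of its fields, assigns the pair weights W1..W4 with the conditions stated above, and sums them into $W_X$, $W'_X$ and a per-firewall anomaly degree. Everything the text does not fix is an assumption here: the numeric values of W1..W4 are placeholders; a pair of rules is only weighted when their filters overlap; the inter-firewall cases whose filter relation is elided in the source are read as "the child's filter lies inside the parent's" (W1/W2) and "the filters partially overlap" (W3); and the anomaly degree is taken as the plain sum $W_X + W'_X$, which the text leaves open.

```python
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, List, Tuple

# Placeholder values for the penalty weights W1..W4 (the patent text leaves them open).
W1, W2, W3, W4 = 4.0, 2.0, 3.0, 1.0


@dataclass(frozen=True)
class Rule:
    """One firewall policy R: R[order], R[action] and the sub-items of its filter domain."""
    order: int
    action: str            # "permit" or "deny"
    src: FrozenSet[str]
    dst: FrozenSet[str]
    proto: FrozenSet[str]
    dport: FrozenSet[int]

    def filter_set(self) -> FrozenSet[Tuple[str, str, str, int]]:
        """{R[filter]}: the Cartesian product of all sub-items of the filter domain."""
        return frozenset(product(self.src, self.dst, self.proto, self.dport))


def intra_pair_weight(ra: Rule, rb: Rule) -> float:
    """W_ir between rules A and B of the same firewall, following cases 1-4 above.

    Assumption: a weight is only assigned when the two filters overlap; the
    summary states the order/action/subset tests but not this precondition.
    """
    fa, fb = ra.filter_set(), rb.filter_set()
    if not (fa & fb):
        return 0.0
    if not fb <= fa and not fa <= fb:          # cases 3/4: neither filter contains the other
        return W3 if ra.action != rb.action else W4
    if ra.order < rb.order:                    # cases 1/2: one contains the other, A evaluated first
        return W1 if ra.action != rb.action else W2
    return 0.0


def intra_weight(policy: List[Rule]) -> float:
    """W_X = sum over i of M_i, with M_i = sum over the other N-1 rules r of W_ir."""
    total = 0.0
    for i, ri in enumerate(policy):
        m_i = sum(intra_pair_weight(ri, rr) for r, rr in enumerate(policy) if r != i)
        total += m_i
    return total


def inter_pair_weight(child: Rule, parent: Rule) -> float:
    """W'_ir between rule A of firewall Fx and rule B of its parent Fy.

    Assumption: the elided filter relations of the source are read as
    'child filter inside parent filter' (covered/redundant) and 'partial overlap'.
    """
    fa, fb = child.filter_set(), parent.filter_set()
    if not (fa & fb):
        return 0.0
    if fa == fb or fa < fb:                    # Fx rule fully inside the Fy rule
        return W1 if child.action != parent.action else W2   # covered / redundant
    if not fa <= fb and not fb <= fa:          # partial overlap: correlation anomaly
        return W3 if child.action != parent.action else 0.0
    return 0.0                                 # parent filter inside child's: not a listed case


def inter_weight(child_policy: List[Rule], parent_policy: List[Rule]) -> float:
    """W'_X = sum over rules i of Fx of M'_Xi, with M'_Xi = sum over all rules of Fy of W'_ir."""
    return sum(inter_pair_weight(a, b) for a in child_policy for b in parent_policy)


def anomaly_degree(child_policy: List[Rule], parent_policy: List[Rule]) -> float:
    """Anomaly degree of one firewall from W_X and W'_X (assumed here to be their sum)."""
    return intra_weight(child_policy) + inter_weight(child_policy, parent_policy)


def _r(order: int, action: str, src, dst, dport: int = 80) -> Rule:
    return Rule(order, action, frozenset(src), frozenset(dst), frozenset({"tcp"}), frozenset({dport}))


# Constructed sample policies (not taken from the patent).
FX = [  # child firewall Fx
    _r(1, "permit", {"10.0.0.1"}, {"10.1.0.1"}),
    _r(2, "deny", {"10.0.0.1", "10.0.0.2"}, {"10.1.0.1"}),
    _r(3, "permit", {"10.0.0.2"}, {"10.1.0.1", "10.1.0.2"}),
]
FY = [  # parent firewall Fy, one level up in the security-domain tree
    _r(1, "deny", {"10.0.0.1"}, {"10.1.0.1"}),
    _r(2, "permit", {"10.0.0.2"}, {"10.1.0.1", "10.1.0.2", "10.1.0.3"}),
]

if __name__ == "__main__":
    print("W_X  =", intra_weight(FX))           # 10.0 with the placeholder weights
    print("W'_X =", inter_weight(FX, FY))       # 9.0
    print("anomaly degree =", anomaly_degree(FX, FY))
```

On the sample, rule 1 of Fx is shadowed by rule 2 (W1), rules 2 and 3 partially overlap with different actions (W3, counted once from each side because $M_i$ is summed per rule), rule 1 of Fx is exactly contradicted by rule 1 of Fy (W1), and rule 3 of Fx is redundant with rule 2 of Fy (W2). Ranking firewalls by the resulting degree is what lets an operator pick the device to fix first.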
An embodiment of the present invention provides a firewall access control policy debugging apparatus, comprising:
a receiving unit, for receiving the firewall access control policies sent by the collection terminal, where each firewall access control policy includes at least one firewall policy;
a first determining unit, for obtaining the access control policy of the X-th firewall and determining the policy anomaly weight of the X-th firewall itself;
a second determining unit, for obtaining the access control policy of the firewall immediately adjacent to the X-th firewall and, from the access control policies of the X-th firewall and the adjacent firewall, determining the inter-firewall policy anomaly weight, where the adjacent firewall is a firewall that has a direct parent-child relationship with the X-th firewall;
a debugging unit, for determining, from the X-th firewall's own policy anomaly weight and the inter-firewall policy anomaly weight, the anomaly degree of the X-th firewall's access control policy for debugging.
Preferably, the first determining unit is specifically configured to determine the policy anomaly weight of the X-th firewall itself by the following equation:
$W_X = \sum_{i=1}^{N} M_i$
where $W_X$ is the policy anomaly weight of the X-th firewall itself, $M_i$ is the anomaly degree of the i-th firewall policy in the X-th firewall's access control policy, and $N$ is the total number of firewall policies in the X-th firewall's access control policy.
Preferably, the first determining unit is further configured to determine the anomaly degree of each firewall policy in the access control policy by the following equation:
$M_i = \sum_{r=1}^{N-1} W_{ir}$
where $M_i$ is the anomaly degree of the i-th firewall policy in the X-th firewall's access control policy, $N$ is the total number of firewall policies in that access control policy, and $W_{ir}$ is the anomaly weight between the i-th firewall policy and each of the other $N-1$ firewall policies $r$ of the X-th firewall's access control policy.
Preferably, the first determining unit is further configured to apply the following:
If $R_A[\text{order}] < R_B[\text{order}]$ and $R_A[\text{action}] \neq R_B[\text{action}]$, the anomaly weight between policy A and policy B of the X-th firewall's access control policy is W1; or
If $R_A[\text{order}] < R_B[\text{order}]$ and $R_A[\text{action}] = R_B[\text{action}]$, the anomaly weight between policy A and policy B of the X-th firewall's access control policy is W2; or
If $\{R_B[\text{filter}]\} \not\subset \{R_A[\text{filter}]\}$, $\{R_A[\text{filter}]\} \not\subset \{R_B[\text{filter}]\}$ and $R_A[\text{action}] \neq R_B[\text{action}]$, the anomaly weight between policy A and policy B of the X-th firewall's access control policy is W3; or
If $\{R_B[\text{filter}]\} \not\subset \{R_A[\text{filter}]\}$, $\{R_A[\text{filter}]\} \not\subset \{R_B[\text{filter}]\}$ and $R_A[\text{action}] = R_B[\text{action}]$, the anomaly weight between policy A and policy B of the X-th firewall's access control policy is W4;
where $R[\text{order}]$ is the rule number of a firewall policy within the access control policy, $R[\text{action}]$ is the action part of that policy, and $\{R[\text{filter}]\}$ is the Cartesian product of all sub-items of the filter domain of rule $R$ in the access control policy.
Preferably, the second determining unit is specifically configured to determine the inter-firewall policy anomaly weight of the X-th firewall by the following equation:
$W'_X = \sum_{i=1}^{N_X} M'_{Xi}$
where $W'_X$ is the inter-firewall policy anomaly weight of the X-th firewall, $M'_{Xi}$ is the anomaly degree of the i-th firewall policy of the X-th firewall's access control policy with respect to all firewall policies of the access control policy of the Y-th firewall adjacent to the X-th firewall, and $N_X$ is the total number of firewall policies in the X-th firewall's access control policy.
Preferably, the second determining unit is further configured to determine the anomaly degree of any firewall policy of the X-th firewall's access control policy with respect to all firewall policies of the adjacent Y-th firewall's access control policy by the following equation:
$M'_{Xi} = \sum_{r=1}^{N_Y} W'_{ir}$
where $M'_{Xi}$ is the anomaly degree of the i-th firewall policy of the X-th firewall's access control policy with respect to all firewall policies of the adjacent Y-th firewall's access control policy, $N_Y$ is the total number of firewall policies in the access control policy of the Y-th firewall adjacent to the X-th firewall, and $W'_{ir}$ is the anomaly weight between the i-th firewall policy of the X-th firewall's access control policy and any firewall policy $r$ of the adjacent Y-th firewall's access control policy.
Preferably, the second determining unit is further configured to apply the following:
If $F_x, F_y \in \text{Domain}_1$, $F_y$ is the immediately superior neighbour of $F_x$, $F_xR_A[\text{filter}] = F_yR_B[\text{filter}]$ and $F_xR_A[\text{action}] \neq F_yR_B[\text{action}]$, then rule $R_A$ of firewall $F_x$ is covered by rule $R_B$ of $F_y$, and the anomaly weight between policy A of the X-th firewall's access control policy and policy B of the adjacent Y-th firewall's access control policy is W1; or
If $F_x, F_y \in \text{Domain}_1$, $F_y$ is the immediately superior neighbour of $F_x$, and $F_xR_A[\text{action}] \neq F_yR_B[\text{action}]$, then rule $R_A$ of firewall $F_x$ is covered by rule $R_B$ of $F_y$, and the anomaly weight between policy A of the X-th firewall's access control policy and policy B of the adjacent Y-th firewall's access control policy is W1; or
If $F_x, F_y \in \text{Domain}_1$, $F_y$ is the immediately superior neighbour of $F_x$, $F_xR_A[\text{filter}] = F_yR_B[\text{filter}]$ and $F_xR_A[\text{action}] = F_yR_B[\text{action}]$, then rule $R_A$ of firewall $F_x$ is redundant with rule $R_B$ of $F_y$, and the anomaly weight between policy A of the X-th firewall's access control policy and policy B of the adjacent Y-th firewall's access control policy is W2; or
If $F_x, F_y \in \text{Domain}_1$, $F_y$ is the immediately superior neighbour of $F_x$, and $F_xR_A[\text{action}] = F_yR_B[\text{action}]$, then rule $R_A$ of firewall $F_x$ is redundant with rule $R_B$ of $F_y$, and the anomaly weight between policy A of the X-th firewall's access control policy and policy B of the adjacent Y-th firewall's access control policy is W2; or
If $F_x, F_y \in \text{Domain}_1$, $F_y$ is the immediately superior neighbour of $F_x$, and $F_xR_A[\text{action}] \neq F_yR_B[\text{action}]$, then $F_xR_A$ and $F_yR_B$ are said to be in a correlation anomaly, and the anomaly weight between policy A of the X-th firewall's access control policy and policy B of the adjacent Y-th firewall's access control policy is W3;
where $R[\text{filter}]$ is the filter part of a firewall policy in the firewall control policy, and $R[\text{action}]$ is the action part of a firewall policy in the firewall control policy.
An embodiment of the present invention provides a firewall access control policy error-checking system, comprising a central processing server;
a collection terminal, for collecting firewall access control policies, obtaining the access control policy of the X-th firewall and of the firewall immediately adjacent to the X-th firewall, and sending them to the central processing server;
an access control policy baseline database, for providing the central processing server with the algorithm for the firewall policy anomaly weight and the algorithm for the inter-firewall policy anomaly weight, and for storing the X-th firewall's policy anomaly weight and the inter-firewall policy anomaly weight of the X-th firewall as determined by the central processing server.
The embodiment of the present invention receives the firewall access control policies sent by the collection terminal, each including at least one firewall policy; obtains the access control policy of the X-th firewall and determines the policy anomaly weight of the X-th firewall itself; obtains the access control policy of the firewall immediately adjacent to the X-th firewall and, from the policies of the X-th firewall and the adjacent firewall, determines the inter-firewall policy anomaly weight, the adjacent firewall being a firewall with a direct parent-child relationship to the X-th firewall; and determines, from the X-th firewall's own policy anomaly weight and the inter-firewall policy anomaly weight, the anomaly degree of the X-th firewall's access control policy for debugging. With this method, the weight of a single firewall can be determined from its own policy anomaly weight, the inter-firewall policy anomaly weight can be determined from the policies of adjacent firewalls, and from the anomalies found in both, the administrator can be told in time which faulty firewall device should be resolved first.
Brief description of the drawings
Fig. 1 is a schematic diagram of the firewall access control policy error-checking system provided by embodiment one of the present invention;
Fig. 2 is a schematic diagram of the firewall access control policy error-checking method provided by embodiment two of the present invention;
Fig. 3 is a schematic diagram of the interaction between the collection terminal and the firewall device provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of the interaction between the collection terminal and the central processing server provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of the interaction between the central processing server and the access control policy baseline database provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram of the relevant information of the firewall device provided by an embodiment of the present invention;
Fig. 7 is a schematic diagram of the tree structure built from multiple firewall devices in the same network, provided by an embodiment of the present invention;
Fig. 8 is a schematic diagram of the method of determining the firewall policy anomaly weight provided by an embodiment of the present invention;
Fig. 9 is a schematic diagram of the method of determining the policy anomaly weight between a firewall and its immediately adjacent firewall, provided by an embodiment of the present invention;
Fig. 10 is a schematic diagram of the central processing server sending the debugging result to the e-mail server, provided by an embodiment of the present invention;
Fig. 11 is a schematic diagram of the firewall access control policy debugging apparatus provided by embodiment three of the present invention.
Detailed description of the invention
The embodiment of the present invention receives the firewall access control policies sent by the collection terminal, each including at least one firewall policy; obtains the access control policy of the X-th firewall and determines the policy anomaly weight of the X-th firewall itself; obtains the access control policy of the firewall immediately adjacent to the X-th firewall and, from the policies of the X-th firewall and the adjacent firewall, determines the inter-firewall policy anomaly weight, the adjacent firewall being a firewall with a direct parent-child relationship to the X-th firewall; and uses the X-th firewall's own policy anomaly weight together with the inter-firewall policy anomaly weight for debugging. The X-th firewall's access control policy includes i (i > 1) firewall policies. With this method, the weight of a single firewall can be determined from its own policy anomaly weight, the inter-firewall policy anomaly weight can be determined from the policies of adjacent firewalls, and from the anomalies found in both, the administrator can be told in time which faulty firewall device should be resolved first.
To make the technical problem solved by the invention, its technical solution and its beneficial effects clearer, the preferred embodiments of the present invention are described below with reference to the drawings. It should be understood that the preferred embodiments described here only serve to describe and explain the invention and do not limit it; where there is no conflict, the embodiments of the invention and the features in the embodiments can be combined with each other.
Embodiment one
A firewall access control policy error-checking system according to embodiment one of the present invention, as shown in Fig. 1, mainly comprises a collection terminal, a central processing server, an access control policy baseline database and an e-mail server.
The collection terminal device is mainly a computer, chiefly a notebook computer, which needs to include a management port and a 3G (3rd Generation) / 4G (4th Generation mobile communication) internet access card.
The collection terminal comprises a collection adaptation interface, an authentication module, a device data acquisition module, a device information editing module, a data encryption module, a data transmission module and a mobile network interface. Its main functions are to collect the distributed firewall access control policies, edit the firewall device identifier, the associated security domain information and the adjacent-firewall information, structure the device information, encrypt the firewall device data, connect to the 3G/4G mobile internet and upload the data to the central processing server.
The central processing server comprises an authentication module, a decryption module, a computing module, a storage module, an alarm notification module and a database interface. Its main functions are to decrypt the collected firewall access control policy data, classify the firewall device information and access control policies and store them in the database, and check the firewall control policies.
The main function of the access control policy baseline database is to store the access control policy checking rules, the access control policy checking algorithms, the firewall device identification information, the security domain level information, the firewall policy data and the device administrator authentication information.
In the embodiment of the present invention, for the firewall access control policies of a large network comprising multi-level security domains, a firewall access control policy error-checking system is built as a centralised security policy error-checking architecture based on a high-speed mobile network (3G/4G). The adaptive collection terminal connects directly to the firewall device, encrypts the firewall information it obtains, and uploads the encrypted data to the central processing server over the 3G or 4G mobile network. The central processing server distinguishes the security domain relationships of the different firewalls, automatically builds the firewall relation tree, computes the policy anomaly weight of each firewall on its own and the policy anomaly weight between firewalls, sends the results to the administrator in time, and points out to the administrator the firewall devices that should be resolved first.
Embodiment two
As shown in Fig. 2, embodiment two of the present invention provides a firewall access control policy error-checking method comprising the following steps:
Step 101: receive the firewall access control policies sent by the collection terminal; each firewall access control policy includes at least one firewall policy;
Step 102: obtain the access control policy of the X-th firewall and determine the policy anomaly weight of the X-th firewall itself;
Step 103: obtain the access control policy of the firewall immediately adjacent to the X-th firewall and, from the policies of the X-th firewall and the adjacent firewall, determine the inter-firewall policy anomaly weight; the adjacent firewall is a firewall that has a direct parent-child relationship with the X-th firewall;
Step 104: from the X-th firewall's own policy anomaly weight and the inter-firewall policy anomaly weight, determine the anomaly degree of the X-th firewall's access control policy for debugging.
In step 101, the firewall access control policy sent by the collection end is received.
In the embodiments, the collection end connects to the firewall device through the device's management port, as shown in Figure 3.
The connection between the firewall device and the collection end is established over the management port. The collection end's adaptation interface identifies the firewall device model automatically and selects the matching connection method; the authentication service of the collection end's authentication module is then triggered and the firewall device's account is entered at the collection end. If the authentication module accepts the entered account, the collection end's device data acquisition module automatically collects the firewall's identity code and obtains its access control policy; in the embodiments, the firewall access control policy contains at least one firewall policy (rule).
If the authentication module rejects the entered firewall device account, it returns to the account entry screen.
After the device data acquisition module of the collection end has collected the data, the collected identity code and access control policy information of the firewall device are edited. In the embodiments, the collection end's device information editing module is responsible for editing what the acquisition module has collected: the identity code and access control policy information are passed into the editing module, which records the device's basic information: home location, device model and number of ports.
If the firewall device has an adjacent superior security domain, then for each adjacent superior domain the following are entered into the editing module: the domain's identifier, the port IP address (Internet Protocol address) of that domain's perimeter firewall, and the IP address of the local port used to reach the domain. If the device has an adjacent subordinate security domain, then for each adjacent subordinate domain its identifier and the IP address of the local port used to reach it are entered.
If there is no adjacent superior security domain, no superior-domain information is entered; likewise, if there is no adjacent subordinate security domain, no subordinate-domain information is entered. A firewall device may have several adjacent superior security domains or none, and several adjacent subordinate security domains or none; the embodiments place no limit on either number.
The entered firewall device information may be structured using Extensible Markup Language (XML).
Once the device information editing module of the collection end has completed entry, the collection end's data encryption module encrypts the entered information to protect it. The embodiments use asymmetric encryption: the collected firewall device data is encrypted with the public key of the central processing server, so the encrypted file can only be decrypted with the server's private key. The embodiments do not restrict which encryption method the data encryption module uses. Note that encrypting to the server's public key protects the confidentiality of the data in transit but by itself does not establish who produced it; the sender is established separately by the account check the server performs on receipt.
After the data encryption module has encrypted the collected device data, the encrypted data is passed to the collection end's data transmission module, which sends it to the central processing server over the collection end's mobile network interface. Before transmitting, the operator must enter the account and password and configure the service address of the central processing server.
Figure 4 shows how the collection end transmits the encrypted device data to the central processing server. The collection end's mobile network interface first requests a connection to the central processing server over the 3G/4G mobile network; the authentication module of the central processing service is invoked first and decides whether the collection end is a trusted user. If it is, the server receives the firewall device data and returns a success acknowledgement to the collection end; if not, the server refuses the request and returns an account-or-password error to the collection end.
After the central processing server has received the firewall device data from the collection end, it exchanges data with the access control policy baseline database, as shown in Figure 5.
Because the collection end's data encryption module encrypted the device data before sending it to the central processing server, the server must first decrypt the received firewall data.
The decryption module of the central processing server decrypts the device data with the private key corresponding to the key used by the collection end's data encryption module, then parses the decrypted data to obtain the device information shown in Figure 6: 1. firewall device identity code; 2. home location; 3. device model; 4. number of ports; 5. adjacent superior security domain identifier; 6. port IP address of the adjacent superior domain's perimeter firewall; 7. IP address of the port used to reach the adjacent superior domain; 8. adjacent subordinate security domain identifier; 9. IP address of the port used to reach the adjacent subordinate domain; 10. firewall access control policy data.
From the adjacent superior and subordinate security domain identifiers of a firewall device and the corresponding port IP addresses, the central processing server determines which firewall devices are associated with it, and stores the associated device data in the server's storage module.
In step 102, the X-th firewall access control policy is obtained and the firewall policy anomaly weight of the X-th firewall itself is determined.
In the embodiments, the firewall devices of one network can be arranged in the tree structure shown in Figure 7. The tree captures the superior/subordinate interconnection between firewalls and makes the policies easy to store, search, analyse and debug by computer. The control policies of all firewall devices in a network are derived from a single security policy, so whether the firewall system achieves the intended protection depends on two things: whether each device's policy is configured correctly on its own, and whether the policies of associated firewall devices work together without conflicting.
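The record parsing (fields 1 to 10 above) and the association step, as an added example that is not part of the patent. It assumes an XML layout of its own, since the patent only says the records are XML-structured: the element names firewall, superior and subordinate and the attributes peer_ip (the superior domain's perimeter firewall port IP, field 6) and port_ip (the local port IP, fields 7 and 9) are invented for illustration, and the sample records are constructed. A child is linked to the parent that owns the port IP named in its superior entry, and the result is checked against the tree conditions stated later under step 103.

```python
"""Rebuild the firewall tree from structured device records (added example, not the patent's code).
Assumed: the XML element and attribute names below; the patent says the records
are structured as XML but gives no schema."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: four devices as the collection end might report them.
SAMPLE_XML = """<firewalls>
  <firewall id="FW-ROOT" location="Beijing DC" model="NGFW-1000" ports="8">
    <subordinate domain="D2" port_ip="10.0.2.1"/>
    <subordinate domain="D3" port_ip="10.0.3.1"/>
  </firewall>
  <firewall id="FW-A" location="Beijing DC" model="NGFW-500" ports="4">
    <superior domain="D1" peer_ip="10.0.2.1" port_ip="10.0.2.2"/>
  </firewall>
  <firewall id="FW-B" location="Tianjin DC" model="NGFW-500" ports="4">
    <superior domain="D1" peer_ip="10.0.3.1" port_ip="10.0.3.2"/>
    <subordinate domain="D4" port_ip="10.0.4.1"/>
  </firewall>
  <firewall id="FW-C" location="Tianjin DC" model="NGFW-200" ports="2">
    <superior domain="D3" peer_ip="10.0.4.1" port_ip="10.0.4.2"/>
  </firewall>
</firewalls>"""


@dataclass
class Device:
    ident: str
    location: str
    model: str
    ports: int
    superiors: list = field(default_factory=list)     # (domain, peer_ip, own_port_ip)
    subordinates: list = field(default_factory=list)  # (domain, own_port_ip)


def parse_devices(xml_text):
    """Fields 1-4 and 5-9 of a parsed record: identity code, location, model,
    port count, and the adjacent superior/subordinate domains with port IPs."""
    devices = []
    for el in ET.fromstring(xml_text).findall("firewall"):
        dev = Device(el.get("id"), el.get("location"), el.get("model"), int(el.get("ports")))
        for s in el.findall("superior"):
            dev.superiors.append((s.get("domain"), s.get("peer_ip"), s.get("port_ip")))
        for s in el.findall("subordinate"):
            dev.subordinates.append((s.get("domain"), s.get("port_ip")))
        devices.append(dev)
    return devices


def associate(devices):
    """Map each device id to the ids of its adjacent superior firewalls. A superior
    entry names the port IP of the superior domain's perimeter firewall, so the
    parent is the device that owns that IP on one of its subordinate-facing ports."""
    owner = {}
    for dev in devices:
        for _domain, port_ip in dev.subordinates:
            if port_ip in owner:
                raise ValueError(f"port IP {port_ip} claimed by {owner[port_ip]} and {dev.ident}")
            owner[port_ip] = dev.ident
    parents = {dev.ident: [] for dev in devices}
    for dev in devices:
        for _domain, peer_ip, _own_ip in dev.superiors:
            if peer_ip not in owner:
                raise ValueError(f"{dev.ident}: no device owns superior port IP {peer_ip}")
            parents[dev.ident].append(owner[peer_ip])
    return parents


def check_tree(parents):
    """Tree conditions from step 103: exactly one firewall without a superior
    (the root) and no device that is its own ancestor. Returns the root id."""
    roots = [fw for fw, ps in parents.items() if not ps]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root, found {roots}")
    for fw in parents:
        seen, stack = set(), list(parents[fw])
        while stack:
            p = stack.pop()
            if p == fw:
                raise ValueError(f"cycle through {fw}")
            if p not in seen:
                seen.add(p)
                stack.extend(parents[p])
    return roots[0]


def children_of(parents):
    """Invert the parent map so step 103 can walk from a firewall to its children."""
    kids = {fw: [] for fw in parents}
    for child, ps in parents.items():
        for p in ps:
            kids[p].append(child)
    return kids


def is_standalone(device):
    """No superior and no subordinate domain: no associated firewall, step 103 skipped."""
    return not device.superiors and not device.subordinates
```

With the sample records, associate() yields FW-ROOT as the parent of FW-A and FW-B, and FW-B as the parent of FW-C; check_tree() returns "FW-ROOT". A port IP claimed by two devices, or a superior entry pointing at an IP nobody owns, is reported instead of being silently dropped, because either would make the later inter-firewall analysis run against the wrong neighbour.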
After the central processing server has parsed the collected device data into device-related data, the server's checking module checks that data. It first calls the firewall security baseline table in the access control policy baseline database and checks the firewall access control policy against the baseline: a policy that meets the firewall security baseline is considered safe, and one that does not is considered unsafe.
A firewall access control policy that does not meet the firewall security baseline is then analysed algorithmically, both on its own and against the data of the firewall devices associated with it.
In the embodiments, the security domain of a firewall is defined as:
F[domain], domain ∈ {1, 2, 3, 4, ..., +∞}.
A rule in a firewall access control policy is defined as follows:
Rule number: R[order] ∈ {1, 2, 3, 4, ..., +∞}.
Filter part: R[filter], made up of the fields {protocol type, source IP address, source port, destination IP address, destination port}.
Action part: R[action].
In the embodiments, a single firewall access control policy is checked on the basis of firewall policy anomaly weights.
The anomaly weight of a single firewall's policy is computed in the following steps, shown in Figure 8:
Step 1021: determine whether each pair of firewall rules is related.
In the embodiments, the Cartesian product of all sub-fields of the filter part R[filter] is called the set of packets matched by rule R, written {R[filter]}. Rule A and rule B of a firewall access control policy are called related when their matched packet sets intersect (one overlaps, covers or equals the other); otherwise rule A and rule B are unrelated.
When the matched packet sets {RA[filter]} and {RB[filter]} overlap, one covers the other, or they are equal, rule RA or rule RB may fail to take effect, violating the security policy set in advance.
Step 1022: determine the anomaly degree of each rule.
In the embodiments, the anomaly degree of each rule of a firewall access control policy is determined by formula (1):
$M_i = \sum_{r=1}^{N-1} W_{ir}$   (1)
where $M_i$ is the anomaly degree of the i-th rule of the X-th firewall access control policy, N is the number of rules the policy contains, and $W_{ir}$ is the anomaly weight between the i-th rule and each of the other N-1 rules of the X-th policy.
The anomaly weight between the i-th rule of the X-th firewall access control policy and another rule of the same policy takes one of the following values:
If RA[order] < RB[order] and RA[action] ≠ RB[action], the anomaly weight between rule A and rule B of the X-th firewall access control policy is W1; or
If RA[order] < RB[order] and RA[action] = RB[action], the anomaly weight between rule A and rule B of the X-th policy is W2; or
If {RB[filter]} ⊄ {RA[filter]}, {RA[filter]} ⊄ {RB[filter]} and RA[action] ≠ RB[action], the anomaly weight between rule A and rule B of the X-th policy is W3; or
If {RB[filter]} ⊄ {RA[filter]}, {RA[filter]} ⊄ {RB[filter]} and RA[action] = RB[action], the anomaly weight between rule A and rule B of the X-th policy is W4;
where R[order] is the number of a rule in the firewall access control policy, R[action] is the rule's action part, and {R[filter]} is the Cartesian product of all sub-fields of the rule's filter part.
For example, suppose a single firewall access control policy contains four rules. The anomaly weight of rule 1 relative to each of the other three rules falls into the following three cases:
Case 1: the anomaly weight of rule 1 relative to rule 2 is one of the following:
1) If R1[order] < R2[order] and R1[action] ≠ R2[action], rule R2 is shadowed and never takes effect; the anomaly weight of rule 1 relative to rule 2 is W1.
2) If R1[order] < R2[order] and R1[action] = R2[action], rule R2 is redundant; the anomaly weight of rule 1 relative to rule 2 is W2.
3) If rule R1 is related to rule R2, {R2[filter]} ⊄ {R1[filter]}, {R1[filter]} ⊄ {R2[filter]} and R1[action] ≠ R2[action], rule R1 conflicts with rule R2; the anomaly weight of rule 1 relative to rule 2 is W3.
4) If rule R1 is related to rule R2, {R2[filter]} ⊄ {R1[filter]}, {R1[filter]} ⊄ {R2[filter]} and R1[action] = R2[action], rule R1 overlaps rule R2; the anomaly weight of rule 1 relative to rule 2 is W4.
Case 2: the anomaly weight of rule 1 relative to rule 3 is one of the following:
1) If R1[order] < R3[order] and R1[action] ≠ R3[action], rule R3 is shadowed and never takes effect; the anomaly weight of rule 1 relative to rule 3 is W1.
2) If R1[order] < R3[order] and R1[action] = R3[action], rule R3 is redundant; the anomaly weight of rule 1 relative to rule 3 is W2.
3) If rule R1 is related to rule R3, {R3[filter]} ⊄ {R1[filter]}, {R1[filter]} ⊄ {R3[filter]} and R1[action] ≠ R3[action], rule R1 conflicts with rule R3; the anomaly weight of rule 1 relative to rule 3 is W3.
4) If rule R1 is related to rule R3, {R3[filter]} ⊄ {R1[filter]}, {R1[filter]} ⊄ {R3[filter]} and R1[action] = R3[action], rule R1 overlaps rule R3; the anomaly weight of rule 1 relative to rule 3 is W4.
Case 3: the anomaly weight of rule 1 relative to rule 4 is one of the following:
1) If R1[order] < R4[order] and R1[action] ≠ R4[action], rule R4 is shadowed and never takes effect; the anomaly weight of rule 1 relative to rule 4 is W1.
2) If R1[order] < R4[order] and R1[action] = R4[action], rule R4 is redundant; the anomaly weight of rule 1 relative to rule 4 is W2.
3) If rule R1 is related to rule R4, {R4[filter]} ⊄ {R1[filter]}, {R1[filter]} ⊄ {R4[filter]} and R1[action] ≠ R4[action], rule R1 conflicts with rule R4; the anomaly weight of rule 1 relative to rule 4 is W3.
4) If rule R1 is related to rule R4, {R4[filter]} ⊄ {R1[filter]}, {R1[filter]} ⊄ {R4[filter]} and R1[action] = R4[action], rule R1 overlaps rule R4; the anomaly weight of rule 1 relative to rule 4 is W4.
From this analysis the anomaly degree of rule 1 of the single firewall access control policy can be determined. Since the anomaly weight of rule 1 relative to each of the other three rules can take any of the four values, the anomaly degree of rule 1 covers, among others, the following cases:
1) If the anomaly weight of rule 1 relative to rule 2 is W1, relative to rule 3 is W1 and relative to rule 4 is W1, then by formula (1) the anomaly degree of rule 1 is:
$M_1 = \sum_{r=1}^{3} W_{1r} = W_1 + W_1 + W_1 = 3\,W_1$
2) If the anomaly weight of rule 1 relative to rule 2 is W1, relative to rule 3 is W1 and relative to rule 4 is W2, then by formula (1) the anomaly degree of rule 1 is:
$M_1 = \sum_{r=1}^{3} W_{1r} = W_1 + W_1 + W_2 = 2\,W_1 + W_2$
In the embodiments only these two cases are shown for the anomaly degree of rule 1; the other, similar cases are not listed one by one. In short, the anomaly degree of rule 1 is the sum of the anomaly weights between rule 1 and each of the other rules of the same single firewall.
Step 1023: determine the policy anomaly weight of the whole firewall.
In the embodiments, after the anomaly degree of rule 1 of a single firewall has been determined, the anomaly degrees of rule 2, rule 3 and so on are determined in turn, up to the last rule, until the anomaly degree of every rule of the firewall is known.
Once the anomaly degree of every rule of the single firewall has been determined, the firewall policy anomaly weight is given by formula (2):
$W_X = \sum_{i=1}^{N} M_i$   (2)
where $W_X$ is the firewall policy anomaly weight of the X-th firewall itself, $M_i$ is the anomaly degree of the i-th rule of the X-th firewall access control policy, and N is the number of rules the policy contains.
For example, if a single firewall access control policy contains four rules and the anomaly degrees of rule 1, rule 2 and rule 3 are $M_1$, $M_2$ and $M_3$ (the fourth rule contributing nothing further when each rule is compared only with the rules after it, as described below), then the anomaly degree of the single policy is $M_1 + M_2 + M_3$, that is, the single firewall's policy anomaly weight is $W = M_1 + M_2 + M_3$.
In the embodiments, suppose a firewall access control policy contains four rules. When determining the anomaly degree of each rule in step 1022, one may compute the anomaly degree of rule 1 first, from rule 1 relative to rules 2, 3 and 4; equally, one may compute the anomaly degree of rule 4 last, from rule 4 relative to rules 3, 2 and 1. The embodiments do not restrict the order in which the rules' anomaly degrees are computed.
Further, if the anomaly degree of rule 1 was computed from rule 1 relative to rules 2, 3 and 4, then the anomaly degree of rule 2 may be computed either from rule 2 relative to rules 3 and 4 only, or from rule 2 relative to rules 1, 3 and 4.
If the anomaly degree of rule 2 was computed relative to rules 3 and 4 only, then the anomaly degree of rule 3 is computed relative to rule 4 only, and the anomaly degree of rule 4 need not be computed at all: for a four-rule policy, only the anomaly degrees of the first three rules are computed.
If the anomaly degree of rule 2 was computed relative to rules 1, 3 and 4, then the anomaly degree of rule 3 is computed relative to rules 1, 2 and 4, and that of rule 4 relative to rules 1, 2 and 3: for a four-rule policy, the anomaly degree of every rule is computed relative to all the other rules.
The embodiments do not restrict the specific algorithm used to determine the anomaly degree of each rule.
Step 103: obtain the firewall access control policy of the firewall adjacent to the X-th firewall and, from the firewall policies of the X-th firewall and of the adjacent firewall, determine the inter-firewall policy anomaly weight; an adjacent firewall is one that has a direct parent-child relationship with the X-th firewall.
In the embodiments, if the device data collected by the collection end shows that a firewall device has neither an adjacent superior security domain nor an adjacent subordinate security domain, the device stands alone and has no associated firewall device, and step 103 is not performed for it.
If the collected device data shows that the firewall device has an adjacent superior security domain, an adjacent subordinate security domain, or both, then the device has associated firewall devices.
In the embodiments, an associated firewall tree T is defined over a finite set F of n firewalls (n > 0). The parent-child relation on F satisfies the following conditions:
There is exactly one firewall f0 ∈ F with no adjacent superior firewall; f0 is the root of the firewall tree.
Each firewall in F belongs to a security domain Domain, Domain > 0.
Several firewalls fx (x ≥ 2) may lie in the same Domain, adjacent to one another.
If fx is the parent of fy, then fy is a child of fx.
If fy is a child of fx, then fx is the parent of fy.
Apart from the firewall f0, every firewall in F has at least one adjacent superior firewall.
Every firewall in F has zero or more adjacent subordinate firewalls.
In the embodiments, the computation of the inter-firewall policy anomaly weight is described for a child firewall Fx whose parent is Fy, as shown in Figure 9:
Step 1031: determine, for each rule of the X-th firewall access control policy and each rule of the Y-th firewall access control policy, whether the two rules are related.
In the associated firewall tree T, rule A of the X-th firewall access control policy and rule B of the Y-th firewall access control policy are related or unrelated by the same matched-set criterion as in step 1021: they are related when {FxRA[filter]} and {FyRB[filter]} share at least one packet, and unrelated otherwise.
In the embodiments, when rule A of the X-th policy and rule B of the Y-th policy are related, they may give rise to an anomaly.
Step 1032: determine the anomaly degree of each rule of the X-th firewall access control policy.
In the embodiments, the anomaly degree of each rule of the X-th firewall access control policy is determined by formula (3):
$M_X = \sum_{r=1}^{N_Y} W'_{ir}$   (3)
where $M_X$ is the anomaly degree of the i-th rule of the X-th firewall access control policy against all rules of the Y-th firewall access control policy of the firewall adjacent to the X-th firewall, $N_Y$ is the number of rules in that Y-th policy, and $W'_{ir}$ is the anomaly weight between the i-th rule of the X-th policy and a rule of the Y-th policy of the adjacent firewall.
The anomaly weight between the i-th rule of the X-th firewall access control policy and a rule of the Y-th firewall access control policy of the adjacent firewall takes one of the following values:
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, FxRA[filter] = FyRB[filter] and FxRA[action] ≠ FyRB[action], then rule RA of firewall Fx is covered by rule RB of Fy; the anomaly weight between rule A of the X-th policy and rule B of the Y-th policy of the adjacent firewall is W1; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx and FxRA[action] ≠ FyRB[action], then rule RA of firewall Fx is covered by rule RB of Fy; the anomaly weight between rule A of the X-th policy and rule B of the Y-th policy is W1; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, FxRA[filter] = FyRB[filter] and FxRA[action] = FyRB[action], then rule RA of Fx and rule RB of Fy are redundant; the anomaly weight between rule A of the X-th policy and rule B of the Y-th policy is W2; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx and FxRA[action] = FyRB[action], then rule RA of Fx and rule RB of Fy are redundant; the anomaly weight between rule A of the X-th policy and rule B of the Y-th policy is W2; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx and FxRA[action] ≠ FyRB[action], then FxRA and FyRB are said to have an association anomaly; the anomaly weight between rule A of the X-th policy and rule B of the Y-th policy is W3;
where R[filter] is the filter part of the i-th rule of a firewall control policy and R[action] is the action part of the i-th rule.
Further, FxRA[filter] is the filter part of rule RA of the X-th firewall access control policy and FyRB[filter] is the filter part of rule RB of the Y-th policy; FxRA[action] is the action part of rule RA of the X-th policy and FyRB[action] is the action part of rule RB of the Y-th policy.
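The weight calculation of steps 1021 to 1023 (formulas (1) and (2)) and of steps 1031 and 1032 (formula (3)), as one added example in Python; it is not the patent's code. Its assumptions, none of which the page states: W1 to W4 are given the illustrative values 4, 3, 2, 1 (the patent keeps them symbolic); the matched-set conditions that the page does not reproduce for the W1 and W2 cases are taken to be that the later rule (within one policy) or the child's rule (across firewalls) matches a subset of the other rule's packet set; the cases the page lists no weight for contribute 0; filters are IPv4 networks and inclusive port ranges; and the two sample policies are constructed. The function names (related, contained, pair_weight, policy_weight, cross_weight, cross_degrees) are this example's own.

```python
"""Firewall policy anomaly weights: one policy (formulas 1 and 2) and child vs
parent policy (formula 3). Added example, not the patent's code. Assumed: the
numeric values of W1..W4; that the W1/W2 cases apply when the later rule (one
policy) or the child's rule (across firewalls) matches a subset of the other
rule's packets; cases the page leaves unweighted score 0; IPv4 only."""
import ipaddress
from dataclasses import dataclass

W1, W2, W3, W4 = 4, 3, 2, 1   # assumed illustrative values; the patent keeps them symbolic
ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    order: int          # R[order]
    proto: frozenset    # R[filter] field: protocol type
    src: str            # R[filter] field: source network (CIDR)
    sport: tuple        # R[filter] field: source port range (lo, hi), inclusive
    dst: str            # R[filter] field: destination network (CIDR)
    dport: tuple        # R[filter] field: destination port range (lo, hi), inclusive
    action: str         # R[action]: "permit" or "deny"


def rule(order, proto, src, sport, dst, dport, action):
    rng = lambda p: (p, p) if isinstance(p, int) else tuple(p)
    return Rule(order, frozenset([proto]), src, rng(sport), dst, rng(dport), action)


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def related(a, b):
    """{a[filter]} ∩ {b[filter]} ≠ ∅: two Cartesian products share a packet iff every field overlaps."""
    return (bool(a.proto & b.proto)
            and _net(a.src).overlaps(_net(b.src)) and _net(a.dst).overlaps(_net(b.dst))
            and a.sport[0] <= b.sport[1] and b.sport[0] <= a.sport[1]
            and a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1])


def contained(a, b):
    """{a[filter]} ⊆ {b[filter]}: every field of a lies within the same field of b."""
    return (a.proto <= b.proto
            and _net(a.src).subnet_of(_net(b.src)) and _net(a.dst).subnet_of(_net(b.dst))
            and b.sport[0] <= a.sport[0] <= a.sport[1] <= b.sport[1]
            and b.dport[0] <= a.dport[0] <= a.dport[1] <= b.dport[1])


def pair_weight(ra, rb):
    """W_ir for two rules of one policy (step 1022); R[order] decides which is earlier."""
    if ra.order > rb.order:
        ra, rb = rb, ra
    if not related(ra, rb):
        return 0                                   # unrelated rules cause no anomaly
    if contained(rb, ra):                          # later rule matched entirely by the earlier one
        return W1 if ra.action != rb.action else W2   # shadowed / redundant
    if not contained(ra, rb):                      # partial overlap, neither contains the other
        return W3 if ra.action != rb.action else W4   # conflict / overlap
    return 0   # earlier rule strictly inside the later one: no weight given on the page


def policy_weight(rules, forward_only=False):
    """Formulas (1) and (2): M_i = sum of W_ir over the other rules, W_X = sum of M_i.
    forward_only compares rule i only with the rules after it (the last rule gets 0)."""
    degrees = []
    for i, ri in enumerate(rules):
        others = rules[i + 1:] if forward_only else rules[:i] + rules[i + 1:]
        degrees.append(sum(pair_weight(ri, rr) for rr in others))
    return sum(degrees), degrees


def cross_weight(child_rule, parent_rule):
    """W'_ir between rule RA of child Fx and rule RB of its parent Fy (step 1032)."""
    if not related(child_rule, parent_rule):
        return 0
    same = child_rule.action == parent_rule.action
    if contained(child_rule, parent_rule):         # equal, or child's packets inside parent's
        return W2 if same else W1                  # redundant / covered by the parent
    if not contained(parent_rule, child_rule):     # partial overlap
        return 0 if same else W3                   # association anomaly; same action unweighted on the page
    return 0   # parent's rule strictly inside the child's: no weight given on the page


def cross_degrees(child_rules, parent_rules):
    """Formula (3): M_X for each rule i of the child, summed over all N_Y parent rules."""
    return [sum(cross_weight(ra, rb) for rb in parent_rules) for ra in child_rules]


# Constructed sample policies. In CHILD, rule 2 is shadowed by rule 1, rule 3 is
# redundant to rule 1, and rule 4 partially overlaps rules 1 and 3 with the same action.
CHILD = [
    rule(1, "tcp", "10.1.0.0/16", ANY_PORT, "192.168.1.0/24", 443, "permit"),
    rule(2, "tcp", "10.1.2.0/24", ANY_PORT, "192.168.1.200/32", 443, "deny"),
    rule(3, "tcp", "10.1.3.0/24", ANY_PORT, "192.168.1.0/24", 443, "permit"),
    rule(4, "tcp", "10.1.0.0/17", ANY_PORT, "192.168.1.0/25", (443, 8443), "permit"),
]
PARENT = [
    rule(1, "tcp", "10.1.0.0/16", ANY_PORT, "192.168.1.0/24", 443, "deny"),
    rule(2, "udp", "10.1.0.0/16", ANY_PORT, "192.168.1.53/32", 53, "permit"),
    rule(3, "tcp", "10.1.3.0/24", ANY_PORT, "192.168.1.0/24", 443, "permit"),
]
```

With these weights, policy_weight(CHILD) gives W_X = 18 with per-rule degrees [8, 4, 4, 2] when every rule is compared with all others, and 9 with [8, 0, 1, 0] under forward_only=True, which is the "first N-1 rules only" ordering the text describes; both orderings rank rule 1 as the most anomalous. cross_degrees(CHILD, PARENT) gives [4, 3, 7, 2]: the child's rule 3 scores highest because it is both covered by the parent's deny (W1) and duplicated by the parent's permit (W2), which is the kind of device an administrator would want pointed out first.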
For example, suppose the X-th firewall access control policy contains four rules and the Y-th firewall access control policy contains three. The anomaly weight of rule 1 of the X-th policy relative to the rules of the Y-th policy of the adjacent firewall falls into the following three cases:
Case 1: the anomaly weight of rule 1 of the X-th policy relative to rule 1 of the Y-th policy of the adjacent firewall is one of the following:
1) If Fx, Fy ∈ Domain1, Fy is the adjacent superior of Fx, FxR1[filter] = FyR1[filter] and FxR1[action] ≠ FyR1[action], then rule R1 of firewall Fx is covered by rule R1 of Fy; the anomaly weight of rule 1 of the X-th policy relative to rule 1 of the Y-th policy is W1.
2) If Fx, Fy ∈ Domain1, Fy is the adjacent superior of Fx and FxR1[action] ≠ FyR1[action], then rule R1 of firewall Fx is covered by rule R1 of Fy; the anomaly weight of rule 1 of the X-th policy relative to rule 1 of the Y-th policy is W1.
3) If Fx, Fy ∈ Domain1, Fy is the adjacent superior of Fx, FxR1[filter] = FyR1[filter] and FxR1[action] = FyR1[action], then rule R1 of Fx and rule R1 of Fy are redundant; the anomaly weight of rule 1 of the X-th policy relative to rule 1 of the Y-th policy is W2.
4) If Fx, Fy ∈ Domain1, Fy is the adjacent superior of Fx and FxR1[action] = FyR1[action], then rule R1 of Fx and rule R1 of Fy are redundant; the anomaly weight of rule 1 of the X-th policy relative to rule 1 of the Y-th policy is W2.
5) If Fx, Fy ∈ Domain1, Fy is the adjacent superior of Fx and FxR1[action] ≠ FyR1[action], then FxR1 and FyR1 are said to have an association anomaly; the anomaly weight of rule 1 of the X-th policy relative to rule 1 of the Y-th policy is W3.
The second: the anomaly-degree weight between the 1st firewall policy in the X-th firewall access control policy and the 2nd firewall policy in the Y-th firewall access control policy adjacent to the X-th firewall is any one of the following:
1) If Fx, Fy ∈ Domain1, Fy is the upper-level adjacent firewall of Fx, FxR1[filter] = FyR2[filter], and FxR1[action] ≠ FyR2[action], then R1 of firewall Fx is covered by R2 of Fy, and the anomaly-degree weight between the 1st firewall policy in the X-th firewall access control policy and the 2nd firewall policy in the adjacent Y-th firewall access control policy is determined to be W1.
2) If Fx, Fy ∈ Domain1, Fy is the upper-level adjacent firewall of Fx, and FxR1[action] ≠ FyR2[action], then R1 of firewall Fx is covered by R2 of Fy, and the anomaly-degree weight between the 1st firewall policy in the X-th firewall access control policy and the 2nd firewall policy in the adjacent Y-th firewall access control policy is determined to be W1.
3) If Fx, Fy ∈ Domain1, Fy is the upper-level adjacent firewall of Fx, FxR1[filter] = FyR2[filter], and FxR1[action] = FyR2[action], then R1 of firewall Fx and R2 of Fy are redundant, and the anomaly-degree weight between the 1st firewall policy in the X-th firewall access control policy and the 2nd firewall policy in the adjacent Y-th firewall access control policy is determined to be W2.
4) If Fx, Fy ∈ Domain1, Fy is the upper-level adjacent firewall of Fx, and FxR1[action] = FyR2[action], then R1 of firewall Fx and R2 of Fy are redundant, and the anomaly-degree weight between the 1st firewall policy in the X-th firewall access control policy and the 2nd firewall policy in the adjacent Y-th firewall access control policy is determined to be W2.
5) If Fx, Fy ∈ Domain1, Fy is the upper-level adjacent firewall of Fx, and FxR1[action] ≠ FyR2[action], then FxR1 and FyR2 are said to have a correlation anomaly, and the anomaly-degree weight between the 1st firewall policy in the X-th firewall access control policy and the 2nd firewall policy in the adjacent Y-th firewall access control policy is determined to be W3.
The third: the anomaly-degree weight between the 1st firewall policy in the X-th firewall access control policy and the 3rd firewall policy in the Y-th firewall access control policy adjacent to the X-th firewall is any one of the following:
1) If Fx, Fy ∈ Domain1, Fy is the upper-level adjacent firewall of Fx, FxR1[filter] = FyR3[filter], and FxR1[action] ≠ FyR3[action], then R1 of firewall Fx is covered by R3 of Fy, and the anomaly-degree weight between the 1st firewall policy in the X-th firewall access control policy and the 3rd firewall policy in the adjacent Y-th firewall access control policy is determined to be W1.
2) If Fx, Fy ∈ Domain1, Fy is the upper-level adjacent firewall of Fx, and FxR1[action] ≠ FyR3[action], then R1 of firewall Fx is covered by R3 of Fy, and the anomaly-degree weight between the 1st firewall policy in the X-th firewall access control policy and the 3rd firewall policy in the adjacent Y-th firewall access control policy is determined to be W1.
3) If Fx, Fy ∈ Domain1, Fy is the upper-level adjacent firewall of Fx, FxR1[filter] = FyR3[filter], and FxR1[action] = FyR3[action], then R1 of firewall Fx and R3 of Fy are redundant, and the anomaly-degree weight between the 1st firewall policy in the X-th firewall access control policy and the 3rd firewall policy in the adjacent Y-th firewall access control policy is determined to be W2.
4) If Fx, Fy ∈ Domain1, Fy is the upper-level adjacent firewall of Fx, and FxR1[action] = FyR3[action], then R1 of firewall Fx and R3 of Fy are redundant, and the anomaly-degree weight between the 1st firewall policy in the X-th firewall access control policy and the 3rd firewall policy in the adjacent Y-th firewall access control policy is determined to be W2.
5) If Fx, Fy ∈ Domain1, Fy is the upper-level adjacent firewall of Fx, and FxR1[action] ≠ FyR3[action], then FxR1 and FyR3 are said to have a correlation anomaly, and the anomaly-degree weight between the 1st firewall policy in the X-th firewall access control policy and the 3rd firewall policy in the adjacent Y-th firewall access control policy is determined to be W3.
From the above analysis, the anomaly degree of the 1st firewall policy in the X-th firewall access control policy can be determined. Since the anomaly-degree weight between the 1st firewall policy in the X-th firewall access control policy and any one firewall policy in the adjacent Y-th firewall access control policy can each take at least four cases, the anomaly degree of the 1st firewall policy in the X-th firewall access control policy mainly includes the following cases:
1) If the anomaly-degree weight between the 1st firewall policy in the X-th firewall access control policy and the 1st firewall policy in the adjacent Y-th firewall access control policy is W1, the weight with the 2nd firewall policy in the Y-th firewall access control policy is W1, and the weight with the 3rd firewall policy in the Y-th firewall access control policy is W1, then the anomaly degree of the 1st firewall policy in the X-th firewall access control policy is determined according to formula (3) as:
$M_{X1} = \sum_{i=1}^{3} W'_{1r} = W_{11} + W_{11} + W_{11} = 3W_{11}$
2) If the anomaly-degree weight between the 1st firewall policy in the X-th firewall access control policy and the 1st firewall policy in the adjacent Y-th firewall access control policy is W1, the weight with the 2nd firewall policy in the Y-th firewall access control policy is W1, and the weight with the 3rd firewall policy in the Y-th firewall access control policy is W2, then the anomaly degree of the 1st firewall policy in the X-th firewall access control policy is determined according to formula (3) as:
$M_{X1} = \sum_{i=1}^{3} W'_{1r} = W_{11} + W_{11} + W_{12} = 2W_{11} + W_{12}$
In this embodiment of the present invention, only the two cases above are illustrated for the anomaly degree of the 1st firewall policy in the X-th firewall access control policy; other similar cases are not explained one by one. In short, the sum of the anomaly-degree weights between the 1st firewall policy in the X-th firewall access control policy and every firewall policy in the adjacent Y-th firewall access control policy is the anomaly degree of the 1st firewall policy in the X-th firewall access control policy.
Step 1033: determine the firewall policy anomaly weight between the firewall and its adjacent firewall.
In this embodiment of the present invention, after the anomaly-degree weights between the 1st firewall policy in the X-th firewall access control policy and each firewall policy in the adjacent Y-th firewall access control policy have been determined, it is also necessary to determine the anomaly-degree weights between the 2nd firewall policy in the X-th firewall access control policy and each firewall policy in the adjacent Y-th firewall access control policy, between the 3rd firewall policy in the X-th firewall access control policy and each firewall policy in the Y-th firewall access control policy, and between the 4th firewall policy in the X-th firewall access control policy and each firewall policy in the Y-th firewall access control policy. Once the anomaly-degree weights between all 4 firewall policies in the X-th firewall access control policy and each firewall policy in the adjacent Y-th firewall access control policy have been determined, the firewall policy anomaly weight between the X-th firewall and its adjacent Y-th firewall can be determined.
After the anomaly-degree weights between every firewall policy in the X-th firewall access control policy and each firewall policy in the adjacent Y-th firewall access control policy have been determined, the firewall policy anomaly weight between the X-th firewall and its adjacent Y-th firewall can be determined according to formula (4):
$W'_X = \sum_{i=1}^{N_X} M'_{Xi}$ Formula (4)
where W'_X is the firewall policy anomaly weight between the X-th firewall and its adjacent firewall, M'_Xi is the anomaly degree between the i-th firewall policy in the X-th firewall access control policy and all firewall policies in the adjacent Y-th firewall access control policy, and N_X is the total number of firewall policies in the X-th firewall access control policy.
For example, suppose the X-th firewall access control policy contains 4 firewall policies and the adjacent Y-th firewall access control policy contains 3. Let the anomaly degree of the 1st firewall policy in the X-th firewall access control policy relative to the firewall policies in the adjacent Y-th firewall access control policy be M_X1, that of the 2nd firewall policy be M_X2, that of the 3rd firewall policy be M_X3, and that of the 4th firewall policy be M_X4.
Then, according to formula (4), the firewall policy anomaly weight between the X-th firewall and its adjacent Y-th firewall is:
$W' = \sum_{i=1}^{4} M'_{Xi} = M_{X1} + M_{X2} + M_{X3} + M_{X4}$
In this embodiment of the present invention, assuming the X-th firewall access control policy contains 4 firewall policies and the adjacent Y-th firewall access control policy contains 3, in step 1032 the anomaly degree of each firewall policy in the X-th firewall access control policy may be computed starting with the 1st firewall policy in the X-th firewall access control policy against the 1st, 2nd and 3rd firewall policies in the Y-th firewall access control policy, or starting with the 4th firewall policy in the X-th firewall access control policy against the 1st, 2nd and 3rd firewall policies in the Y-th firewall access control policy. The order in which the anomaly degrees of the firewall policies in the X-th firewall access control policy are computed is not specifically limited in this embodiment.
Further, if the anomaly degree of the 1st firewall policy in the X-th firewall access control policy is computed first, against the 1st, 2nd and 3rd firewall policies in the Y-th firewall access control policy, then the error degrees of the 2nd, 3rd and 4th firewall policy rules in the X-th firewall access control policy can be computed in that order. If the computation starts from the 4th firewall policy in the X-th firewall access control policy, against the 1st, 2nd and 3rd firewall policies in the Y-th firewall access control policy, then the error degrees of the 3rd, 2nd and 1st firewall policy rules in the X-th firewall access control policy are computed in that order.
After the error-checking module in the central processing server has performed error-checking detection on the firewall device data, the individual firewall with the larger firewall policy anomaly weight value can be determined from the firewall policy anomaly weight of each firewall and the firewall policy anomaly weight between each firewall and its adjacent firewall, and the firewall devices associated with that firewall can be determined at the same time.
In step 104, the anomaly degree of the X-th firewall access control policy is determined for error checking according to the firewall policy anomaly weight of the X-th firewall itself and the firewall policy anomaly weight between the firewalls.
As shown in Figure 10, the central processing server sends each finally determined individual firewall policy anomaly weight, and the firewall policy anomaly weight value between each firewall and its adjacent firewall, to the access control policy baseline database through the storage module and the database interface of the central processing unit; the access control policy baseline database stores all received data together with a log.
Further, the central processing server sends each determined individual firewall policy anomaly weight, and the firewall policy anomaly weight value between each firewall and its adjacent firewall, to the e-mail server through the alarm module. In this embodiment of the present invention, from the individual firewall policy anomaly weights and the inter-firewall policy anomaly weight values received through the e-mail server, the administrator can relatively easily determine which firewall device should be dealt with first.
In this embodiment of the present invention, the firewall access control policy sent by the collection terminal is received; the firewall policy anomaly weight is determined from the firewall access control policy; and the firewall policy anomaly weight between the firewall and its adjacent firewall is determined from the adjacent firewall, where the adjacent firewall of a firewall is a firewall that has a parent-child relationship with it. With this method, the weight of a single firewall can be determined from its firewall policy anomaly weight, the inter-firewall policy anomaly weight can be determined from the policy anomaly weight between firewalls, and, from the anomalies indicated by the determined firewall policy anomaly weight and the inter-firewall policy anomaly weight, the administrator can be told in time which problematic firewall device should be dealt with first.
For the above method flow, the embodiment of the present invention also provides a firewall access control policy error-checking device; the specific content of this device may be implemented with reference to the above method and is not repeated here.
Embodiment three
This embodiment of the present invention provides a firewall access control policy error-checking device, as shown in Figure 11, comprising: a receiving unit 21, a first determining unit 22, a second determining unit 23 and an error-checking unit 24.
Receiving unit 21: receives the firewall access control policy sent by the collection terminal; the firewall access control policy includes at least one firewall policy.
First determining unit 22: used to obtain the X-th firewall access control policy and determine the firewall policy anomaly weight of the X-th firewall itself.
Second determining unit 23: used to obtain the firewall access control policy of the adjacent firewall of the X-th firewall and determine the inter-firewall policy anomaly weight from the X-th firewall access control policy and the access control policy of the adjacent firewall; the adjacent firewall is a firewall that has a direct parent-child relationship with the X-th firewall.
Error-checking unit 24: determines the anomaly degree of the X-th firewall access control policy for error checking according to the firewall policy anomaly weight of the X-th firewall itself and the inter-firewall policy anomaly weight.
Further, the first determining unit 22 is specifically configured to:
determine the firewall policy anomaly weight of the X-th firewall itself according to the following formula:
$W_X = \sum_{i=1}^{N} M_i$
where W_X is the firewall policy anomaly weight of the X-th firewall itself, M_i is the anomaly degree of the i-th firewall policy in the X-th firewall access control policy, and N is the total number of firewall policies in the X-th firewall access control policy.
Further, the first determining unit 22 is also configured to:
determine the anomaly degree of each firewall policy in the firewall access control policy according to the following formula:
$M_i = \sum_{i=1}^{N-1} W_{ir}$
where M_i is the anomaly degree of the i-th firewall policy in the X-th firewall access control policy, N is the total number of firewall policies in the X-th firewall access control policy, and W_ir is the anomaly-degree weight between the i-th firewall policy and the (N-i)-th firewall policy in the X-th firewall access control policy.
Further, the first determining unit 22 is also configured to:
If RA[order] < RB[order] and RA[action] ≠ RB[action], determine that the anomaly-degree weight between the A-th firewall policy and the B-th firewall policy in the X-th firewall access control policy is W1; or
If RA[order] < RB[order] and RA[action] = RB[action], determine that the anomaly-degree weight between the A-th firewall policy and the B-th firewall policy in the X-th firewall access control policy is W2; or
If $\{R_B[filter]\} \not\subset \{R_A[filter]\}$, $\{R_A[filter]\} \not\subset \{R_B[filter]\}$ and RA[action] ≠ RB[action], determine that the anomaly-degree weight between the A-th firewall policy and the B-th firewall policy in the X-th firewall access control policy is W3; or
If $\{R_B[filter]\} \not\subset \{R_A[filter]\}$, $\{R_A[filter]\} \not\subset \{R_B[filter]\}$ and RA[action] = RB[action], determine that the anomaly-degree weight between the A-th firewall policy and the B-th firewall policy in the X-th firewall access control policy is W4;
where R[order] is the rule number of a firewall policy in the firewall access control policy, R[action] is the action part of a firewall policy in the firewall access control policy, and {R[filter]} is the Cartesian product of all sub-items in the filter domain of rule R in the firewall access control policy.
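The rule-pair classification of unit 22 (W1..W4 between two rules of the same policy), the per-rule anomaly degree M_i and the firewall's own weight W_X, written out as a runnable added example. This is not the patent's code. It assumes constructed numeric values for the symbolic weights W1..W4 (the page gives none), represents each R[filter] as one enumerated value set per sub-item so that {R[filter]} is their Cartesian product and inclusion can be tested component-wise, treats rules whose domains do not intersect as carrying no weight (the page does not say this), and reads the page's truncated W1/W2 condition as "one filter domain contains the other"; the helper names (`pair_weight`, `rule_anomaly`, `policy_anomaly`) and the sample policy `POLICY_X` are hypothetical.

```python
"""Intra-firewall anomaly weights W1..W4, per-rule degree M_i and own weight W_X.
Added example; not the patent's code."""
from dataclasses import dataclass

# Constructed numeric values for the symbolic weights W1..W4 (assumption: the page gives none).
W1, W2, W3, W4 = 4, 3, 2, 1

# Sub-items of the filter domain; {R[filter]} is their Cartesian product.
FIELDS = ("src", "dst", "proto", "dport")


@dataclass(frozen=True)
class Rule:
    order: int      # R[order]: position of the rule in the policy
    action: str     # R[action]: "permit" or "deny"
    filter: dict    # R[filter]: sub-item -> frozenset of enumerated values


def rule(order, action, **fields):
    """Build a Rule from keyword value sets, e.g. rule(1, "deny", src={"h1"}, ...)."""
    return Rule(order, action, {f: frozenset(fields[f]) for f in FIELDS})


def domain_subset(a, b):
    """{a} ⊆ {b}: for Cartesian products of non-empty sets this is component-wise inclusion."""
    return all(a[f] <= b[f] for f in FIELDS)


def domains_overlap(a, b):
    """{a} ∩ {b} ≠ ∅: every sub-item intersects."""
    return all(a[f] & b[f] for f in FIELDS)


def pair_weight(ra, rb):
    """Anomaly-degree weight between rules RA and RB of one policy, RA[order] < RB[order]."""
    if ra.order >= rb.order:
        raise ValueError("RA must precede RB in the policy")
    a, b = ra.filter, rb.filter
    # Assumption (not stated on the page): non-intersecting rules cannot interact.
    if not domains_overlap(a, b):
        return 0
    # Assumption: the page's W1/W2 condition is truncated; taken here as
    # "one filter domain contains the other" (shadowing or redundancy).
    if domain_subset(a, b) or domain_subset(b, a):
        return W1 if ra.action != rb.action else W2
    # Neither domain contains the other: the page's W3 / W4 cases.
    return W3 if ra.action != rb.action else W4


def rule_anomaly(policy, i):
    """M_i: sum of the pair weights between rule i and every other rule of the policy."""
    ri = policy[i]
    total = 0
    for r in policy:
        if r is ri:
            continue
        first, second = (ri, r) if ri.order < r.order else (r, ri)
        total += pair_weight(first, second)
    return total


def policy_anomaly(policy):
    """W_X: sum of M_i over all N rules of the X-th firewall's policy."""
    return sum(rule_anomaly(policy, i) for i in range(len(policy)))


# Constructed sample policy: enumerated hosts, not CIDR prefixes.
POLICY_X = [
    rule(1, "deny",   src={"h1"},       dst={"srv"}, proto={"tcp"}, dport={80}),
    rule(2, "permit", src={"h1", "h2"}, dst={"srv"}, proto={"tcp"}, dport={80}),
    rule(3, "deny",   src={"h1"},       dst={"srv"}, proto={"tcp"}, dport={80}),
    rule(4, "deny",   src={"h2", "h3"}, dst={"srv"}, proto={"tcp"}, dport={80, 443}),
]

if __name__ == "__main__":
    for i in range(len(POLICY_X)):
        print(f"M_{i + 1} = {rule_anomaly(POLICY_X, i)}")
    print("W_X =", policy_anomaly(POLICY_X))
```

Rule 1 is a deny rule whose domain lies inside the later permit rule 2 (W1), rule 3 exactly repeats rule 1 (W2), and rule 4 partially overlaps rule 2 with a different action (W3); rule 1 and rule 4 never match the same packet and contribute nothing to each other. Under the constructed weights this gives M_1 = 7, M_2 = 10, M_3 = 7, M_4 = 2 and W_X = 26, so rule 2 is the rule an operator would look at first.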
Further, the second determining unit 23 is specifically configured to:
determine the firewall policy anomaly weight between the X-th firewall and its adjacent firewall according to the following formula:
$W'_X = \sum_{i=1}^{N_X} M'_{Xi}$
where W'_X is the firewall policy anomaly weight between the X-th firewall and its adjacent firewall, M'_Xi is the anomaly degree between the i-th firewall policy in the X-th firewall access control policy and all firewall policies in the adjacent Y-th firewall access control policy, and N_X is the total number of firewall policies in the X-th firewall access control policy.
Further, the second determining unit 23 is also configured to:
determine the anomaly degree between any one firewall policy in the X-th firewall access control policy and all firewall policies in the adjacent Y-th firewall access control policy according to the following formula:
$M_X = \sum_{i=1}^{N_Y} W'_{ir}$
where M_X is the anomaly degree between any one firewall policy in the X-th firewall access control policy and all firewall policies in the adjacent Y-th firewall access control policy, N_Y is the total number of firewall policies in the Y-th firewall access control policy adjacent to the X-th firewall, and W'_ir is the anomaly-degree weight between the i-th firewall policy in the X-th firewall access control policy and any one firewall policy in the adjacent Y-th firewall access control policy.
Further, the second determining unit 23 is also configured to:
If Fx, Fy ∈ Domain1, Fy is the upper-level adjacent firewall of Fx, FxRA[filter] = FyRB[filter], and FxRA[action] ≠ FyRB[action], then RA of firewall Fx is covered by RB of Fy, and the anomaly-degree weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the adjacent Y-th firewall access control policy is determined to be W1; or
If Fx, Fy ∈ Domain1, Fy is the upper-level adjacent firewall of Fx, and FxRA[action] ≠ FyRB[action], then RA of firewall Fx is covered by RB of Fy, and the anomaly-degree weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the adjacent Y-th firewall access control policy is determined to be W1; or
If Fx, Fy ∈ Domain1, Fy is the upper-level adjacent firewall of Fx, FxRA[filter] = FyRB[filter], and FxRA[action] = FyRB[action], then RA of firewall Fx and RB of Fy are redundant, and the anomaly-degree weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the adjacent Y-th firewall access control policy is determined to be W2; or
If Fx, Fy ∈ Domain1, Fy is the upper-level adjacent firewall of Fx, and FxRA[action] = FyRB[action], then RA of firewall Fx and RB of Fy are redundant, and the anomaly-degree weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the adjacent Y-th firewall access control policy is determined to be W2; or
If Fx, Fy ∈ Domain1, Fy is the upper-level adjacent firewall of Fx, and FxRA[action] ≠ FyRB[action], then FxRA and FyRB are said to have a correlation anomaly, and the anomaly-degree weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the adjacent Y-th firewall access control policy is determined to be W3;
where R[filter] is the filter part of a firewall policy in the firewall control policy, and R[action] is the action part of a firewall policy in the firewall control policy.
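The inter-firewall classification described for step 1033 (the covered / redundant / correlated cases between a rule of firewall Fx and a rule of its upper-level adjacent firewall Fy, the per-rule degree M'_Xi and formula (4) for W'_X) and restated for unit 23 just above, as one runnable added example. This is not the patent's code. It assumes constructed numeric values for W1..W3, enumerated value sets per filter sub-item, that a pair of rules whose domains do not intersect carries no weight, that the page's truncated second and fourth conditions mean "one filter domain contains the other", and that a partial overlap with equal actions carries no weight (the page lists none); the names `cross_weight`, `rule_cross_anomaly`, `inter_firewall_anomaly` and the sample policies `POLICY_Y` (parent, 3 rules) and `POLICY_X` (child, 4 rules) are hypothetical and mirror the page's 4-rule / 3-rule example.

```python
"""Inter-firewall anomaly weights between child firewall Fx and parent Fy,
per-rule degree M'_Xi and W'_X (formula (4)). Added example; not the patent's code."""
from dataclasses import dataclass

# Constructed numeric values for the symbolic weights (assumption: the page gives none).
W1, W2, W3 = 4, 3, 2
FIELDS = ("src", "dst", "proto", "dport")


@dataclass(frozen=True)
class Rule:
    order: int
    action: str
    filter: dict    # sub-item -> frozenset of enumerated values


def rule(order, action, **fields):
    return Rule(order, action, {f: frozenset(fields[f]) for f in FIELDS})


def domain_subset(a, b):
    """{a} ⊆ {b} for Cartesian-product domains: component-wise inclusion."""
    return all(a[f] <= b[f] for f in FIELDS)


def domains_overlap(a, b):
    return all(a[f] & b[f] for f in FIELDS)


def cross_weight(rx, ry):
    """W'_ir: weight between rule RA of child Fx and rule RB of its parent Fy."""
    a, b = rx.filter, ry.filter
    if a == b:  # FxRA[filter] = FyRB[filter]: covered (W1) or redundant (W2)
        return W1 if rx.action != ry.action else W2
    # Assumption: non-intersecting rules cannot interact (page silent).
    if not domains_overlap(a, b):
        return 0
    # Assumption: the page's truncated condition means one domain contains the other.
    if domain_subset(a, b) or domain_subset(b, a):
        return W1 if rx.action != ry.action else W2
    # Partial overlap, neither contains the other: correlation anomaly (W3) only
    # when the actions differ; the page lists no weight for equal actions.
    return W3 if rx.action != ry.action else 0


def rule_cross_anomaly(policy_x, i, policy_y):
    """M'_Xi: sum of W'_ir over all N_Y rules of the adjacent firewall."""
    return sum(cross_weight(policy_x[i], ry) for ry in policy_y)


def inter_firewall_anomaly(policy_x, policy_y):
    """W'_X of formula (4): sum of M'_Xi over the N_X rules of Fx."""
    return sum(rule_cross_anomaly(policy_x, i, policy_y) for i in range(len(policy_x)))


# Constructed sample: Fy is the upper-level (parent) firewall with 3 rules,
# Fx the child with 4 rules, as in the page's worked example.
POLICY_Y = [
    rule(1, "permit", src={"h1"},       dst={"srv"}, proto={"tcp"}, dport={80}),
    rule(2, "permit", src={"h1", "h2"}, dst={"srv"}, proto={"tcp"}, dport={80}),
    rule(3, "deny",   src={"h1"},       dst={"srv"}, proto={"tcp"}, dport={80}),
]
POLICY_X = [
    rule(1, "deny",   src={"h1"},       dst={"srv"}, proto={"tcp"}, dport={80}),
    rule(2, "permit", src={"h2"},       dst={"srv"}, proto={"tcp"}, dport={80}),
    rule(3, "deny",   src={"h1", "h3"}, dst={"srv"}, proto={"tcp"}, dport={80, 443}),
    rule(4, "deny",   src={"h9"},       dst={"srv"}, proto={"tcp"}, dport={22}),
]

if __name__ == "__main__":
    for i in range(len(POLICY_X)):
        print(f"M'_X{i + 1} = {rule_cross_anomaly(POLICY_X, i, POLICY_Y)}")
    print("W'_X =", inter_firewall_anomaly(POLICY_X, POLICY_Y))
```

The first child rule reproduces the page's second case: against the parent's three rules it collects W1, W1 and W2, so M'_X1 = 2W1 + W2 (11 under the constructed weights); the remaining rules give 3, 9 and 0, and W'_X = 23. Traversing the child's rules from the 4th down to the 1st instead of 1st to 4th changes nothing in the totals, which is the order-independence the description states.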
It should be understood that the units of the above firewall access control policy error-checking device are only a logical partition according to the functions the device implements; in practical application, the units may be combined or split. The functions implemented by the firewall access control policy error-checking device provided in this embodiment correspond one-to-one with the firewall access control policy error-checking method provided in the above embodiment; the specific processing flow implemented by the device has been described in detail in method embodiment one and is not described in detail here.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.

Claims (15)

1. A firewall access control policy error-checking method, characterized by comprising:
receiving the firewall access control policy sent by a collection terminal, the firewall access control policy including at least one firewall policy;
obtaining the X-th firewall access control policy and determining the firewall policy anomaly weight of the X-th firewall itself;
obtaining the firewall access control policy of the adjacent firewall of the X-th firewall and determining the inter-firewall policy anomaly weight from the firewall policy of the X-th firewall and the firewall policy of the adjacent firewall, where the adjacent firewall is a firewall that has a direct parent-child relationship with the X-th firewall; and
determining the anomaly degree of the X-th firewall access control policy for error checking according to the firewall policy anomaly weight of the X-th firewall itself and the inter-firewall policy anomaly weight.
2. The method of claim 1, characterized in that determining the firewall policy anomaly weight of the X-th firewall itself comprises:
determining the firewall policy anomaly weight of the X-th firewall itself according to the following formula:
where W_X is the firewall policy anomaly weight of the X-th firewall itself, M_i is the anomaly degree of the i-th firewall policy in the X-th firewall access control policy, and N is the total number of firewall policies in the X-th firewall access control policy.
3. The method of claim 2, characterized in that the anomaly degree of the i-th firewall policy in the X-th firewall access control policy is determined according to the following formula:
where M_i is the anomaly degree of the i-th firewall policy in the X-th firewall access control policy, N is the total number of firewall policies in the X-th firewall access control policy, and W_ir is the anomaly-degree weight between the i-th firewall policy and the other N-1 firewall policies in the X-th firewall access control policy.
4. The method of claim 3, characterized in that the anomaly-degree weight between the i-th firewall policy and the other N-1 firewall policies in the X-th firewall access control policy is any one of the following:
If RA[order] < RB[order] and RA[action] ≠ RB[action], the anomaly-degree weight between the A-th firewall policy and the B-th firewall policy in the X-th firewall access control policy is determined to be W1; or
If RA[order] < RB[order] and RA[action] = RB[action], the anomaly-degree weight between the A-th firewall policy and the B-th firewall policy in the X-th firewall access control policy is determined to be W2; or
If RA[action] ≠ RB[action], the anomaly-degree weight between the A-th firewall policy and the B-th firewall policy in the X-th firewall access control policy is determined to be W3; or
If RA[action] = RB[action], the anomaly-degree weight between the A-th firewall policy and the B-th firewall policy in the X-th firewall access control policy is determined to be W4;
where R[order] is the rule number of a firewall policy in the firewall access control policy, R[action] is the action part of a firewall policy in the firewall access control policy, and {R[filter]} is the Cartesian product of all sub-items in the filter domain of rule R in the firewall access control policy.
5. The method of claim 1, characterized in that determining the inter-firewall policy anomaly weight of the X-th firewall comprises:
determining the inter-firewall policy anomaly weight of the X-th firewall according to the following formula:
where W'_X is the firewall policy anomaly weight between the X-th firewall and its adjacent firewall, M'_Xi is the anomaly degree between the i-th firewall policy in the X-th firewall access control policy and all firewall policies in the adjacent Y-th firewall access control policy, and N_X is the total number of firewall policies in the X-th firewall access control policy.
6. The method of claim 5, characterized in that the anomaly degree between the i-th firewall policy in the X-th firewall access control policy and all firewall policies in the adjacent Y-th firewall access control policy is determined according to the following formula:
where M_X is the anomaly degree between the i-th firewall policy in the X-th firewall access control policy and all firewall policies in the adjacent Y-th firewall access control policy, N_Y is the total number of firewall policies in the Y-th firewall access control policy adjacent to the X-th firewall, and W'_ir is the anomaly-degree weight between the i-th firewall policy in the X-th firewall access control policy and any one firewall policy in the adjacent Y-th firewall access control policy.
7. The method of claim 6, characterized in that the anomaly-degree weight between the i-th firewall policy in the X-th firewall access control policy and any one firewall policy in the adjacent Y-th firewall access control policy is any one of the following:
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, FxRA[filter] = FyRB[filter], and FxRA[action] ≠ FyRB[action], then RA of firewall Fx is covered by RB of Fy, and the anomaly-degree weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the adjacent Y-th firewall access control policy is determined to be W1; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, and FxRA[action] ≠ FyRB[action], then RA of firewall Fx is covered by RB of Fy, and the anomaly-degree weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the adjacent Y-th firewall access control policy is determined to be W1; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, FxRA[filter] = FyRB[filter], and FxRA[action] = FyRB[action], then RA of firewall Fx and RB of Fy are redundant, and the anomaly-degree weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the adjacent Y-th firewall access control policy is determined to be W2; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, and FxRA[action] = FyRB[action], then RA of firewall Fx and RB of Fy are redundant, and the anomaly-degree weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the adjacent Y-th firewall access control policy is determined to be W2; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, and FxRA[action] ≠ FyRB[action], then FxRA and FyRB are said to have a correlation anomaly, and the anomaly-degree weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the adjacent Y-th firewall access control policy is determined to be W3;
where R[filter] is the filter part of the i-th firewall policy in the firewall control policy, and R[action] is the action part of the i-th firewall policy in the firewall control policy.
8. A firewall access control policy debugging device, characterized by comprising:
a receiving unit, for receiving the firewall access control policy sent by a collection terminal, the firewall access control policy including at least one firewall policy;
a first determining unit, for obtaining the X-th firewall access control policy and determining the firewall policy anomaly weight of the X-th firewall itself;
a second determining unit, for obtaining the firewall access control policy of the firewall adjacent to the X-th firewall and determining the firewall policy anomaly weight between firewalls according to the X-th firewall access control policy and the access control policy of the adjacent firewall, wherein the adjacent firewall is a firewall having a direct parent-child relationship with the X-th firewall;
a debugging unit, for determining the anomaly degree of the X-th firewall access control policy, for debugging, according to the firewall policy anomaly weight of the X-th firewall itself and the firewall policy anomaly weight between firewalls.
9. The device as claimed in claim 8, characterized in that the first determining unit is specifically configured to:
determine the firewall policy anomaly weight of the X-th firewall itself according to the following equation:
wherein W_X is the firewall policy anomaly weight of the X-th firewall itself, M_i is the anomaly degree of the i-th firewall policy in the X-th firewall access control policy, and N is the total number of firewall policies included in the X-th firewall access control policy.
10. The device as claimed in claim 8, characterized in that the first determining unit is further configured to:
determine the anomaly degree of each firewall policy in the firewall access control policy according to the following equation:
wherein M_i is the anomaly degree of the i-th firewall policy in the X-th firewall access control policy, N is the total number of firewall policies included in the X-th firewall access control policy, and W_ir is the anomaly weight between the i-th firewall policy in the X-th firewall access control policy and the (N-i)-th firewall policy in the X-th firewall access control policy.
11. The device as claimed in claim 10, characterized in that the first determining unit is further configured to:
if [filter condition not reproduced on this page], RA[order] < RB[order] and RA[action] ≠ RB[action], determine that the anomaly weight between the A-th firewall policy and the B-th firewall policy in the X-th firewall access control policy is W1; or
if [filter condition not reproduced on this page], RA[order] < RB[order] and RA[action] = RB[action], determine that the anomaly weight between the A-th firewall policy and the B-th firewall policy in the X-th firewall access control policy is W2; or
if [filter condition not reproduced on this page] and RA[action] ≠ RB[action], determine that the anomaly weight between the A-th firewall policy and the B-th firewall policy in the X-th firewall access control policy is W3; or
if [filter condition not reproduced on this page] and RA[action] = RB[action], determine that the anomaly weight between the A-th firewall policy and the B-th firewall policy in the X-th firewall access control policy is W4;
wherein R[order] is the rule number of a firewall policy in the firewall access control policy, R[action] is the action part of a firewall policy in the firewall access control policy, and {R[filter]} is the cartesian product of all sub-items of the filter domain of rule R in the firewall access control policy.
12. The device as claimed in claim 8, characterized in that the second determining unit is specifically configured to:
determine the firewall policy anomaly weight between the X-th firewall and its adjacent firewall according to the following equation:
wherein W'_X is the firewall policy anomaly weight between the X-th firewall and its adjacent firewall, M'_Xi is the anomaly degree of the i-th firewall policy in the X-th firewall access control policy with respect to all firewall policies in the Y-th firewall access control policy of the firewall adjacent to the X-th firewall, and N_X is the total number of firewall policies included in the X-th firewall access control policy.
13. The device as claimed in claim 12, characterized in that the second determining unit is further configured to:
determine the anomaly degree of any one firewall policy in the X-th firewall access control policy with respect to all firewall policies in the Y-th firewall access control policy of the firewall adjacent to the X-th firewall according to the following equation:
wherein M_X is the anomaly degree of any one firewall policy in the X-th firewall access control policy with respect to all firewall policies in the Y-th firewall access control policy of the adjacent firewall, N_Y is the total number of firewall policies included in the Y-th firewall access control policy of the firewall adjacent to the X-th firewall, and W'_ir is the anomaly weight between the i-th firewall policy in the X-th firewall access control policy and any one firewall policy in the Y-th firewall access control policy of the adjacent firewall.
14. The device as claimed in claim 13, characterized in that the second determining unit is further configured to:
if Fx, Fy ∈ Domain1, Fy is the immediately superior (upstream) neighbour of Fx, Fx.RA[filter] = Fy.RB[filter], and Fx.RA[action] ≠ Fy.RB[action], then rule RA of firewall Fx is covered (shadowed) by rule RB of Fy, and the anomaly weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the Y-th firewall access control policy of the adjacent firewall is determined to be W1; or
if Fx, Fy ∈ Domain1, Fy is the immediately superior (upstream) neighbour of Fx, [filter condition not reproduced on this page], and Fx.RA[action] ≠ Fy.RB[action], then rule RA of firewall Fx is covered (shadowed) by rule RB of Fy, and the anomaly weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the Y-th firewall access control policy of the adjacent firewall is determined to be W1; or
if Fx, Fy ∈ Domain1, Fy is the immediately superior (upstream) neighbour of Fx, Fx.RA[filter] = Fy.RB[filter], and Fx.RA[action] = Fy.RB[action], then rule RA of firewall Fx is redundant with rule RB of Fy, and the anomaly weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the Y-th firewall access control policy of the adjacent firewall is determined to be W2; or
if Fx, Fy ∈ Domain1, Fy is the immediately superior (upstream) neighbour of Fx, [filter condition not reproduced on this page], and Fx.RA[action] = Fy.RB[action], then rule RA of firewall Fx is redundant with rule RB of Fy, and the anomaly weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the Y-th firewall access control policy of the adjacent firewall is determined to be W2; or
if Fx, Fy ∈ Domain1, Fy is the immediately superior (upstream) neighbour of Fx, [filter condition not reproduced on this page], and Fx.RA[action] ≠ Fy.RB[action], then Fx.RA and Fy.RB are said to be correlated (a correlation anomaly), and the anomaly weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the Y-th firewall access control policy of the adjacent firewall is determined to be W3;
wherein R[filter] is the filter part of a firewall policy in the firewall access control policy, and R[action] is the action part of a firewall policy in the firewall access control policy.
15. A firewall access control policy error-checking system, characterized by comprising the central processing server as claimed in any one of claims 8 to 14;
a collection terminal, for collecting firewall access control policies, obtaining the X-th firewall access control policy and the firewall access control policy of the firewall adjacent to the X-th firewall, and sending them to the central processing server; and
an access control policy baseline database, for providing the central processing server with the algorithm for the firewall policy anomaly weight of a firewall itself and the algorithm for the firewall policy anomaly weight between firewalls, and for storing the firewall policy anomaly weight of the X-th firewall and the firewall policy anomaly weight between the X-th firewall and its adjacent firewall as determined by the central processing server.
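As an added worked example (not the patent's or the applicant's code), the following Python scores a constructed two-firewall hierarchy the way claims 8 to 15 describe: pairwise anomaly weights within one firewall (claims 10 and 11), against the parent firewall (claims 13 and 14), and then an anomaly degree per firewall that ranks which device to debug first. This page does not reproduce the equations, the filter-relation conditions, or the values of W1 to W4, so the Al-Shaer-style rule relations, the numeric weights, the mean-based aggregation and the W_X + W'_X total used here are all assumptions; the packet universe, rules and topology are constructed.

```python
from itertools import product
from statistics import mean
# Constructed packet universe: {R[filter]} expands to the cartesian product of its sub-items.
UNIVERSE = {"proto": {"tcp", "udp"}, "src": {"10.0.0.1", "10.0.0.2"},
            "dst": {"10.1.0.5", "10.1.0.6"}, "dport": {22, 80}}
FIELDS = ("proto", "src", "dst", "dport")
# Assumed values for the page's W1..W4 (the page names them but gives no values).
WEIGHT = {"shadow": 1.0, "redundancy": 0.5, "correlation": 0.8, "generalization": 0.3}

def rule(order, action, **spec):
    """Constructed rule with R[order], R[action], R[filter]; unspecified fields match all."""
    return {"order": order, "action": action,
            "filter": {f: frozenset(spec.get(f, UNIVERSE[f])) for f in FIELDS}}

def flows(r):
    """{R[filter]}: every concrete (proto, src, dst, dport) tuple the rule matches."""
    return set(product(*(r["filter"][f] for f in FIELDS)))

def anomaly(first, later):
    """Anomaly between an earlier and a later rule (Al-Shaer-style taxonomy; an assumption)."""
    fa, fb, differ = flows(first), flows(later), first["action"] != later["action"]
    if not fa & fb:
        return None                                  # disjoint: no anomaly
    if fb <= fa:                                     # later rule is never reached
        return "shadow" if differ else "redundancy"
    if fa <= fb:                                     # later rule is the general one
        return "generalization" if differ else "redundancy"
    return "correlation" if differ else None         # partial overlap

def weight(first, later):
    return WEIGHT.get(anomaly(first, later), 0.0)    # assumed W1..W4 mapping, 0 if none

def avg(xs):
    xs = list(xs)
    return mean(xs) if xs else 0.0                   # a single-rule policy scores 0

def self_weight(policy):
    """W_X (claims 9-11): mean of M_i, assumed as rule i's mean weight against the others."""
    return avg(avg(weight(*sorted((a, b), key=lambda r: r["order"]))
                   for b in policy if b is not a) for a in policy)

def neighbour_weight(policy, parent_policy):
    """W'_X (claims 12-14): mean of M'_Xi, rule i's mean weight against the parent's rules."""
    return avg(avg(weight(p, a) for p in parent_policy) for a in policy)

def rank(firewalls, parent_of):
    """Anomaly degree per firewall (assumed W_X + W'_X), worst first: debug that device first."""
    degree = {}
    for name, policy in firewalls.items():
        parent = parent_of.get(name)
        degree[name] = self_weight(policy) + (
            neighbour_weight(policy, firewalls[parent]) if parent else 0.0)
    return sorted(degree.items(), key=lambda kv: -kv[1])

# Constructed topology: 'edge' (one rule) is the direct parent of 'dmz'.
FIREWALLS = {
    "edge": [rule(1, "accept", proto={"tcp"}, dport={80})],
    "dmz": [rule(1, "accept", proto={"tcp"}, src={"10.0.0.1"}, dst={"10.1.0.5"}, dport={80}),
            rule(2, "deny", proto={"tcp"}, dst={"10.1.0.5"}, dport={80}),
            rule(3, "accept", proto={"tcp"}, src={"10.0.0.1"}, dst={"10.1.0.5"}, dport={80})]}
PARENT = {"dmz": "edge"}
```

In the constructed topology, `rank(FIREWALLS, PARENT)` places `dmz` first: its third rule is shadowed by its second, its first and third are redundant, and its deny rule contradicts the upstream accept on the same traffic.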
CN201410690385.9A 2014-11-25 2014-11-25 A kind of firewall access control policy error-checking method, apparatus and system Active CN105704093B (en)
Publications (2)

Publication Number Publication Date
CN105704093A true CN105704093A (en) 2016-06-22
CN105704093B CN105704093B (en) 2018-06-12