CN112039868A - Firewall policy verification method, device, equipment and storage medium - Google Patents


Info

Publication number
CN112039868A
Authority
CN
China
Prior art keywords
information
firewall policy
verification
logic
host
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010877429.4A
Other languages
Chinese (zh)
Inventor
曾斯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Property and Casualty Insurance Company of China Ltd
Original Assignee
Ping An Property and Casualty Insurance Company of China Ltd
Application filed by Ping An Property and Casualty Insurance Company of China Ltd
Priority to CN202010877429.4A
Publication of CN112039868A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of network security, and discloses a firewall policy verification method, a firewall policy verification device, firewall policy verification equipment and a storage medium, wherein the method comprises the following steps: acquiring a system architecture of firewall policy deployment, and extracting logic entities in the system architecture and call relationship information between the logic entities; performing rationality verification between the logic entities based on the call relationship information; if the verification is passed, acquiring host information and port information according to the logic entity and the calling relation information; performing firewall policy verification according to the host information and the port information; if the verification fails, displaying preset webpage links, and adjusting calling relation information between the logic entities based on the webpage links; and redeploying the firewall policy based on the adjusted calling relation information, and verifying the new firewall policy again. By the method, the firewall policy can be automatically applied after the firewall policy verification fails, and the system architecture does not need to be readjusted and reviewed again.

Description

Firewall policy verification method, device, equipment and storage medium
Technical Field
The present invention relates to the field of network security, and in particular, to a firewall policy verification method, apparatus, device, and storage medium.
Background
In the conventional scheme, after an architect designs a system architecture diagram, the system architecture is reviewed by issuing a review task through a video conference, an on-site meeting or a terminal; after the review is passed, the firewall policies of each module in the system architecture are deployed according to the system architecture diagram.
In the prior art, after the firewall policy verification fails, an architect needs to review the system architecture again, adjust it, and redeploy the firewall policy according to the adjusted architecture, so the efficiency of firewall policy redeployment is low.
Disclosure of Invention
The invention mainly aims to solve the technical problem that firewall policy deployment is inefficient because, after the existing firewall policy verification fails, the policy can only be redeployed by reworking the system architecture.
The invention provides a firewall policy verification method in a first aspect, which comprises the following steps:
acquiring a system architecture of firewall policy deployment, and extracting logic entities in the system architecture and call relationship information between the logic entities;
performing rationality verification between the logic entities based on the calling relationship information;
if the rationality verification is passed, acquiring host information and port information according to the logic entity and the calling relation information;
performing firewall policy verification according to the host information and the port information;
if the verification is successful, returning a firewall policy verification result to the front end;
if the verification fails, sending a preset webpage link to the front end;
adjusting the calling relationship information between the logic entities according to the input information of the operation and maintenance personnel in the webpage link;
and redeploying the firewall policy based on the adjusted calling relation information, and verifying the new firewall policy again.
Optionally, in a first implementation manner of the first aspect of the present invention, the performing, based on the call relationship information, rationality verification between the logic entities includes:
acquiring a preset initial system architecture logic specification file, and acquiring an initial logic entity calling specification rule from the initial system architecture logic specification file;
and performing rationality verification between the logic entities according to the calling relationship information between the logic entities in the system architecture and the initial logic entity calling specification rules.
Optionally, in a second implementation manner of the first aspect of the present invention, the performing, according to the call relationship information between the logic entities in the system architecture and the initial logic entity call specification rules, the rationality verification between the logic entities includes:
generating a system architecture review item according to the initial logic entity calling specification rule;
determining whether the calling relationship information is matched with the system architecture review item;
and if so, determining that the system architecture passes the rationality verification.
Optionally, in a third implementation manner of the first aspect of the present invention, the obtaining, according to the logic entity and the call relationship, host information and port information includes:
inquiring a preset background server according to the logic entities to obtain host information and port information corresponding to each logic entity;
and classifying the host information according to the calling relation information to obtain the IP information of the host of the initiator and the IP information of the host of the responder.
Optionally, in a fourth implementation manner of the first aspect of the present invention, the performing firewall policy verification according to the host information and the port information includes:
generating a firewall policy verification request according to the host information and the port information;
according to the IP information of the initiator host, performing remote login operation on the initiator host in the firewall policy verification request;
and if the login is successful, verifying the existing firewall strategy in the system architecture through a preset wall verification script.
Optionally, in a fifth implementation manner of the first aspect of the present invention, the performing a remote login operation on the initiator host in the firewall policy verification request includes:
obtaining login passwords of all initiator hosts in the firewall policy verification request according to the IP information of the initiator hosts;
and sending the login password to the corresponding initiator host to remotely log in each initiator host.
Optionally, in a sixth implementation manner of the first aspect of the present invention, after the redeploying of the firewall policy based on the adjusted calling relationship information and the verifying of the new firewall policy again, the method further includes:
and correspondingly deploying the new firewall policy to the firewall server of the area where the application instance of each logic entity of the system architecture is located.
The second aspect of the present invention provides a firewall policy verification apparatus, including:
an extraction module, used for acquiring a system architecture of firewall policy deployment and extracting logic entities in the system architecture and call relationship information between the logic entities;
the rationality verification module is used for carrying out rationality verification between the logic entities based on the calling relationship information;
the obtaining module is used for obtaining host information and port information according to the logic entity and the calling relation if the rationality verification passes;
the strategy verification module is used for performing firewall strategy verification according to the host information and the port information;
the result returning module is used for returning the firewall policy verification result to the front end when the firewall policy verification is successful;
the link sending module is used for sending a preset webpage link to the front end when the firewall policy verification fails;
the adjusting module is used for adjusting the calling relationship information between the logic entities according to the input information of the operation and maintenance personnel in the webpage link;
and the strategy deployment module is used for redeploying the firewall strategy based on the adjusted calling relation information and verifying the new firewall strategy again.
Optionally, in a first implementation manner of the second aspect of the present invention, the rationality verifying module includes:
a rule obtaining unit, used for obtaining a preset initial system architecture logic specification file and obtaining the initial logic entity calling specification rule from the initial system architecture logic specification file;
and the verification unit is used for performing rationality verification between the logic entities according to the calling relationship information between the logic entities in the system architecture and the initial logic entity calling specification rule.
Optionally, in a second implementation manner of the second aspect of the present invention, the verification unit is specifically configured to:
generating a system architecture review item according to the initial logic entity calling specification rule;
determining whether the calling relationship information is matched with the system architecture review item;
and if so, determining that the system architecture passes the rationality verification.
Optionally, in a third implementation manner of the second aspect of the present invention, the obtaining module is specifically configured to:
inquiring a preset background server according to the logic entities to obtain host information and port information corresponding to each logic entity;
and classifying the host information according to the calling relation information to obtain the IP information of the host of the initiator and the IP information of the host of the responder.
Optionally, in a fourth implementation manner of the second aspect of the present invention, the policy verification module includes:
the generating unit is used for generating a firewall policy verification request according to the host information and the port information;
the login unit is used for performing remote login operation on the initiator host in the firewall policy verification request according to the IP information of the initiator host;
and the wall checking unit is used for verifying the existing firewall strategy in the system architecture through a preset wall checking script if the login is successful.
Optionally, in a fifth implementation manner of the second aspect of the present invention, the login unit is specifically configured to:
obtaining login passwords of all initiator hosts in the firewall policy verification request according to the IP information of the initiator hosts;
and sending the login password to the corresponding initiator host to remotely log in each initiator host.
Optionally, in a sixth implementation manner of the second aspect of the present invention, the firewall policy verification apparatus further includes a server deployment module, where the server deployment module is specifically configured to:
and correspondingly deploying the new firewall policy to the firewall server of the area where the application instance of each logic entity of the system architecture is located.
A third aspect of the present invention provides a firewall policy verification apparatus, including: a memory having instructions stored therein and at least one processor, the memory and the at least one processor interconnected by a line; the at least one processor invokes the instructions in the memory to cause the firewall policy validation device to perform the firewall policy validation method described above.
A fourth aspect of the present invention provides a computer-readable storage medium having stored therein instructions, which, when run on a computer, cause the computer to execute the firewall policy validation method described above.
The technical scheme provided by the invention discloses a firewall policy verification method, which comprises the following steps: acquiring a system architecture of firewall policy deployment, and extracting logic entities in the system architecture and call relationship information between the logic entities; performing rationality verification between the logic entities based on the calling relationship information; if the rationality verification is passed, acquiring host information and port information according to the logic entity and the calling relation information; performing firewall policy verification according to the host information and the port information; if the verification is successful, returning a firewall policy verification result to the front end; if the verification fails, displaying preset webpage links, and adjusting calling relation information between the logic entities based on the webpage links; and redeploying the firewall policy based on the adjusted calling relation information, and verifying the new firewall policy again. By the method, after the firewall policy verification fails, the system architecture does not need to be readjusted and reviewed again, and only the relation between the logic entities needs to be adjusted according to the calling relation information, so that the automatic application and deployment of the firewall policy are realized, the deployment time of the firewall is shortened, and the shared attribute of the architecture is improved.
Drawings
FIG. 1 is a diagram of a firewall policy validation method according to a first embodiment of the present invention;
FIG. 2 is a diagram of a firewall policy validation method according to a second embodiment of the present invention;
FIG. 3 is a diagram of a firewall policy validation method according to a third embodiment of the present invention;
FIG. 4 is a diagram of a firewall policy validation method according to a fourth embodiment of the present invention;
FIG. 5 is a diagram of an embodiment of a firewall policy validation apparatus according to the embodiment of the present invention;
FIG. 6 is a schematic diagram of another embodiment of a firewall policy validation apparatus according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of an embodiment of a firewall policy validation apparatus according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a firewall policy verification method, a firewall policy verification device, equipment and a storage medium, wherein the firewall policy verification method comprises the following steps: acquiring a system architecture of firewall policy deployment, and extracting logic entities in the system architecture and call relationship information between the logic entities; performing rationality verification between the logic entities based on the calling relationship information; if the rationality verification is passed, acquiring host information and port information according to the logic entity and the calling relation information; performing firewall policy verification according to the host information and the port information; if the verification is successful, returning a firewall policy verification result to the front end; if the verification fails, displaying preset webpage links, and adjusting calling relation information between the logic entities based on the webpage links; and redeploying the firewall policy based on the adjusted calling relation information, and verifying the new firewall policy again. By the method, after the firewall policy verification fails, the system architecture does not need to be readjusted and reviewed again, and only the relation between the logic entities needs to be adjusted according to the calling relation information, so that the automatic application and deployment of the firewall policy are realized, the deployment time of the firewall is shortened, and the shared attribute of the architecture is improved.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," or "having," and any variations thereof, are intended to cover non-exclusive inclusions, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For convenience of understanding, a detailed flow of the embodiment of the present invention is described below, and referring to fig. 1, an embodiment of the firewall policy verification method according to the embodiment of the present invention includes:
101. acquiring a system architecture of firewall policy deployment, and extracting logic entities in the system architecture and call relationship information between the logic entities;
In this embodiment, an architecture review is required before firewall policy verification is performed. In practical application, the architecture review proceeds as follows: after designing a system architecture diagram, the architect issues a review task through a video conference, a telephone conference or a terminal, and the system architecture is reviewed; after the review is passed, the firewall policies between each logic entity in the system are deployed according to the system architecture diagram, and after the architecture review the architect adds the logic entities to a background server.
In practical applications, the system architecture diagram includes a plurality of logic entities, that is, the modules of the system architecture designed by the system architect. One example is an isolation area (DMZ) that includes a website server, a domain name server, a mail server, a router, a gateway and a virtual local area network, where the virtual local area network includes a personal server and a file server; the intranet can also contain a private service area, and so on.
In practical application, the call relationship information is a call relationship between logic entities in the system, and the operation and maintenance personnel and the development personnel can read the logic entities and the call relationship according to the system architecture diagram, but in this embodiment, the logic entities and the call relationship can be obtained by directly reading from background data.
102. Performing rationality verification between the logic entities based on the call relationship information;
In practical application, the architecture review means that, after an architect designs a system architecture diagram, the system architecture is reviewed by issuing a review task through a video conference, a telephone conference or a terminal. In this embodiment, the system architecture, that is, whether the logic calling relationship between the logic entities is reasonable, can be reviewed automatically according to the logic entities represented in the system architecture diagram and the calling relationship information between them.
103. If the rationality verification is passed, acquiring host information and port information according to the logic entity and the calling relation information;
In this step, the host information includes, but is not limited to, an initiator host IP, a responder host IP and port information. Each logic entity corresponds to an instance IP and port information, where the instance IP includes one or more IPs, and the IP information corresponding to a logic entity can be queried in the system. The invocation relationship is the relationship between different logic entities, that is, between modules in the system; from it, whether the IP corresponding to a logic entity is the initiator IP or the responder IP can be determined, and the corresponding host information can be obtained automatically from the logic entity and the invocation relationship. This avoids production problems caused by IPs being missed when IPs are collected for firewall policy verification and application.
In this step, a plurality of logic entities may be obtained, each logic entity corresponds to one IP or a plurality of IPs, the backend server may perform verification of the firewall policy after obtaining the IPs, and each IP needs to be verified by a regular expression before verifying the firewall policy.
104. Performing firewall policy verification according to the host information and the port information;
In practical application, a common firewall policy verification method is that, after a verifier acquires the host information, the verifier inputs the initiator IP and the responder IP from the host information into a verification tool. This may lead to situations where many hosts need their policy verified and the verifier has to log in to each server manually, or the same server has to verify access to multiple hosts one by one. In this embodiment, after the system acquires the host information, such as the initiator IP, the responder IP and the port information, a firewall policy verification request carrying the host information is triggered; the background server performs a remote login operation after receiving the request, and, when the remote login succeeds, sends the firewall policy contained in the request to the corresponding initiator host for verification.
105. If the verification is successful, returning a firewall policy verification result to the front end;
In this step, after the firewall policy verification is performed according to the host information, a firewall policy verification result is obtained, namely whether the initiator host and the responder host can communicate. The result includes, but is not limited to, connected and not connected; when the initiator host and the responder host are connected, the verification is successful. The initiator host sends the verification result to the background server, which receives the results returned by each initiator host and sends them to the front end; the front end displays the verification results, including whether a telnet from the related initiator server to the responder IP and port is connected.
106. If the verification fails, sending a preset webpage link to the front end;
107. adjusting the calling relation information between the logic entities according to the input information of the operation and maintenance personnel in the webpage link;
In this step, when the connection state of the initiator host and the responder host shows that the two hosts are not connected, the firewall policy verification has failed, and the firewall policy has to be applied for again. When the background server receives a firewall policy verification result showing failure, it sends a webpage link to the front end; the webpage link provides a page on which operation and maintenance personnel and developers adjust the calling relationship between the logic entities. Because the system architecture has already been reviewed before the firewall policy verification, the logic entities in the system architecture do not need to be adjusted, only the logic calling relationship between them. At the same time, since the logic entities are not adjusted, the host information does not need to be re-acquired through the logic entities, which facilitates the subsequent configuration application of the firewall policy.
108. And redeploying the firewall policy based on the adjusted calling relation information, and verifying the new firewall policy again.
In this step, after the firewall policy validation fails, the front end obtains a web link, which operation and maintenance staff and developers use to adjust the call relationship between the logical entities. After the front end obtains the adjusted call relationship information between the logical entities, it outputs it to the background server and then triggers a firewall policy application request that includes the adjusted call relationship information; the background server sends the host information, according to the logical entities, to the system that processes firewall policies in order to apply for the firewall policies, and once the firewall policy application has passed, the front end performs firewall policy validation again.
In practical application, the firewall policy application request contains the calling relationship between the logic entities. For example, the system comprises an isolation zone (DMZ) that includes a website server, a domain name server, a mail server, a router, a gateway, and virtual local area networks 1, 2 and 3; virtual local area networks 1 and 2 each contain a personal computer, and virtual local area network 3 contains a file server, etc.; the intranet can also be provided with an SF zone (private server) and a PTR (pointer record) zone. The call relation is the logic call relation between the logic entities designed by the architects, and once the call relation information of the system architecture is obtained, the logic calling relationship among all the logic entities of the system architecture can be determined from it.
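The flow of steps 103 to 107 above, as an added example that is not part of the patent: a Python script expands the call relationships into (initiator IP, responder IP, port) checks, validates each IP with a regular expression, probes each pair and classifies the overall result. The entity table, its IPs and the reachability table that stands in for the telnet probe are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the background server the description queries for each
# logic entity's instance IPs and port. "bad-ip" is deliberately malformed.
LOGIC_ENTITIES: Dict[str, dict] = {
    "web-server":  {"zone": "DMZ", "ips": ["10.1.0.10", "10.1.0.11"], "port": 443},
    "gateway":     {"zone": "DMZ", "ips": ["10.1.0.20"], "port": 8443},
    "file-server": {"zone": "SF",  "ips": ["10.2.0.5"], "port": 445},
    "mail-server": {"zone": "DMZ", "ips": ["10.1.0.30", "bad-ip"], "port": 25},
}

# Call relationship information as (caller, callee): the caller is the initiator,
# the callee the responder, as in step 103.
CALL_RELATIONS: List[Tuple[str, str]] = [
    ("web-server", "gateway"),
    ("gateway", "file-server"),
    ("web-server", "mail-server"),
]

# Dotted-quad IPv4 with each octet 0-255: the regular expression check step 103 asks for.
IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$")


@dataclass(frozen=True)
class PolicyCheck:
    """One firewall policy to verify: initiator IP -> responder IP:port."""
    initiator: str
    initiator_ip: str
    responder: str
    responder_ip: str
    port: int


def valid_ipv4(ip: str) -> bool:
    return IPV4_RE.match(ip) is not None


def build_policy_checks(entities, relations):
    """Step 103: expand each call relationship into (initiator IP, responder IP, port)
    checks, validating every IP first. Malformed IPs are reported, not dropped
    silently, so a missing IP cannot slip unnoticed into the policy application."""
    checks: List[PolicyCheck] = []
    invalid = set()
    for caller, callee in relations:
        src, dst = entities[caller], entities[callee]
        for sip in src["ips"]:
            if not valid_ipv4(sip):
                invalid.add((caller, sip))
                continue
            for dip in dst["ips"]:
                if not valid_ipv4(dip):
                    invalid.add((callee, dip))
                    continue
                checks.append(PolicyCheck(caller, sip, callee, dip, dst["port"]))
    return checks, sorted(invalid)


# Constructed reachability table standing in for the telnet probe that the
# description runs on each initiator host after remote login.
REACHABLE = {
    ("10.1.0.10", "10.1.0.20", 8443), ("10.1.0.11", "10.1.0.20", 8443),
    ("10.1.0.10", "10.1.0.30", 25), ("10.1.0.11", "10.1.0.30", 25),
    # gateway -> file-server on 445 is absent: that policy has not been opened
}


def table_probe(check: PolicyCheck) -> bool:
    return (check.initiator_ip, check.responder_ip, check.port) in REACHABLE


def verify_policies(checks, probe: Callable[[PolicyCheck], bool] = table_probe):
    """Steps 104-107: probe every check and summarise. The failed checks are exactly
    the call relationships that have to be adjusted and applied for again."""
    results = {c: ("connected" if probe(c) else "not connected") for c in checks}
    failed = [c for c, r in results.items() if r == "not connected"]
    return ("success" if not failed else "failed"), results, failed


if __name__ == "__main__":
    checks, invalid = build_policy_checks(LOGIC_ENTITIES, CALL_RELATIONS)
    for entity, ip in invalid:
        print(f"invalid IP for {entity}: {ip!r}")
    verdict, results, failed = verify_policies(checks)
    for c, r in results.items():
        print(f"{c.initiator}({c.initiator_ip}) -> {c.responder}({c.responder_ip}):{c.port} {r}")
    print("firewall policy verification:", verdict)
```

A real deployment would replace `table_probe` with a probe executed on the initiator host; the classification logic stays the same.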
The embodiment of the invention provides a firewall policy verification method, which comprises the following steps: acquiring a system architecture of firewall policy deployment, and extracting logic entities in the system architecture and call relationship information between the logic entities; performing rationality verification between the logic entities based on the calling relationship information; if the rationality verification is passed, acquiring host information and port information according to the logic entity and the calling relation information; performing firewall policy verification according to the host information and the port information; if the verification is successful, returning a firewall policy verification result to the front end; if the verification fails, displaying preset webpage links, and adjusting calling relation information between the logic entities based on the webpage links; and redeploying the firewall policy based on the adjusted calling relation information, and verifying the new firewall policy again. By the method, after the firewall policy verification fails, the system architecture does not need to be readjusted and reviewed again, and only the relation between the logic entities needs to be adjusted according to the calling relation information, so that the automatic application and deployment of the firewall policy are realized, the deployment time of the firewall is shortened, and the shared attribute of the architecture is improved.
Referring to fig. 2, another embodiment of the firewall policy verification method according to the embodiment of the present invention includes:
201. acquiring a system architecture of firewall policy deployment, and extracting logic entities in the system architecture and call relationship information between the logic entities;
202. acquiring a preset initial system architecture logic specification file, and acquiring an initial logic entity calling specification rule from the initial system architecture logic specification file;
In this step, the initial system architecture logic specification file is a preset specification file that sets out in detail the rules a designed system architecture must comply with. For example, the system architecture design is divided into a DMZ zone, a PTR zone and an intranet SF zone, and the specification file stipulates that external systems may not call applications in the intranet SF zone directly but must go through a unified docking gateway, that the DMZ zone and the PTR zone may not call each other, and so on. There are many such rules, which are not enumerated here.
203. Generating a system architecture review item according to the initial logic entity calling specification rule;
In this step, the system architecture review items are generated by configuring the initial logic entity call specification rules into a configuration management database. The configuration management database stores and manages the configuration information of the various devices in the enterprise architecture; configuring the specification rules into it means that the rules are managed and maintained as configuration data. In this embodiment, the matching of the following step is performed automatically by the configuration management database, and if the calling relationship information matches the review items, the system architecture is determined to pass the rationality detection.
204. Determining whether the calling relation information is matched with a system architecture review item;
205. if so, determining that the system architecture passes the rationality verification;
In this embodiment, the configuration management database manages the initial logic entity call specification rules from the initial system architecture logic specification file. Configuring those rules into the database generates the system architecture review items, so that the database can perform the matching automatically: it determines whether the logical calling relationships between the logic entities match what the review items specify. Performing the rationality detection of the system architecture in the configuration management database reduces manual review, improves review efficiency and keeps the review duration under control.
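The matching of steps 203 to 205 can be made concrete as a small rule check. The following is an added example, not code from the patent: the zone names (external, DMZ, PTR, SF) and the two rules follow the specification file quoted above, while the review-item format, the first-match semantics, the entity names and the sample architecture are assumptions. An entity that is not assigned to any zone is reported as a violation rather than silently allowed, since it cannot be reviewed.

```python
"""Rationality verification of call relationships against review items.

Added example, not code from the patent. Zone names (external, DMZ, PTR, SF)
follow the patent's description; the rule format, the first-match semantics,
the entity names and the sample architecture are assumptions."""
from dataclasses import dataclass

ANY = "*"


@dataclass(frozen=True)
class ReviewItem:
    src_zone: str
    dst_zone: str
    allow: bool
    reason: str


# Review items generated from the specification rules quoted in the patent:
# external systems may not call the SF zone directly, DMZ and PTR may not call
# each other. A final catch-all item makes the default explicit.
REVIEW_ITEMS = [
    ReviewItem("external", "SF", False, "external systems may not call the intranet SF zone directly"),
    ReviewItem("DMZ", "PTR", False, "the DMZ zone and the PTR zone may not call each other"),
    ReviewItem("PTR", "DMZ", False, "the DMZ zone and the PTR zone may not call each other"),
    ReviewItem(ANY, ANY, True, "no specification rule forbids this call"),
]


def match_item(src_zone, dst_zone, items=REVIEW_ITEMS):
    """Return the first review item whose zone pattern covers the call."""
    for item in items:
        if item.src_zone in (ANY, src_zone) and item.dst_zone in (ANY, dst_zone):
            return item
    raise LookupError(f"no review item covers {src_zone} -> {dst_zone}")


def rationality_check(calls, entity_zones, items=REVIEW_ITEMS):
    """Match every (caller, callee) pair against the review items.

    Returns a list of violations as (caller, callee, reason); an empty list
    means the architecture passes. A caller or callee that is not assigned
    to any zone is itself a violation, since it cannot be reviewed.
    """
    violations = []
    for caller, callee in calls:
        missing = [e for e in (caller, callee) if e not in entity_zones]
        if missing:
            violations.append((caller, callee, f"entity not assigned to a zone: {', '.join(missing)}"))
            continue
        item = match_item(entity_zones[caller], entity_zones[callee], items)
        if not item.allow:
            violations.append((caller, callee, item.reason))
    return violations


# Constructed sample architecture (assumed names): a gateway and a web server
# in the DMZ, a file server in the SF zone, an application in the PTR zone,
# and an external partner system.
SAMPLE_ZONES = {
    "partner_system": "external",
    "gateway": "DMZ",
    "web_server": "DMZ",
    "file_server": "SF",
    "ptr_app": "PTR",
}
SAMPLE_CALLS = [
    ("partner_system", "gateway"),      # external -> DMZ: allowed
    ("gateway", "file_server"),         # DMZ -> SF: allowed
    ("partner_system", "file_server"),  # external -> SF: violation
    ("ptr_app", "web_server"),          # PTR -> DMZ: violation
    ("ptr_app", "file_server"),         # PTR -> SF: allowed
]

if __name__ == "__main__":
    for caller, callee, reason in rationality_check(SAMPLE_CALLS, SAMPLE_ZONES):
        print(f"REJECT {caller} -> {callee}: {reason}")
```

Running the module lists the two rejected calls of the sample architecture; an empty result is what step 205 treats as "passes the rationality verification". The catch-all item is deliberately the last entry so that a missing pattern raises instead of being silently treated as allowed.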
206. If the rationality verification is passed, acquiring host information and port information according to the logic entity and the calling relation information;
In this step, the purpose of the rationality verification is to determine whether the system architecture conforms to the rules in the initial system architecture logic specification file. Passing the verification indicates that the logic entities selected by the architect and the system architecture are rational, that is, the architecture conforms to the rules in the specification file, and the calling links between the logic entities in the system architecture can then be determined from the calling relationships.
207. Performing firewall policy verification according to the host information and the port information;
208. if the verification is successful, returning a firewall policy verification result to the front end;
209. if the verification fails, sending a preset webpage link to the front end;
210. adjusting the calling relation information between the logic entities according to the input information of the operation and maintenance personnel in the webpage link;
211. and redeploying the firewall policy based on the adjusted calling relation information, and verifying the new firewall policy again.
On the basis of the above embodiment, the process of automatically reviewing the system architecture after it has been constructed is described in detail. After the automatic review is completed, the firewall policy can be deployed according to the logic entities in the system architecture and the calling relationships between them. When the firewall policy verification fails, the reviewed system architecture, that is, the set of logic entities, does not need to be adjusted; only the logical calling relationships between the logic entities are adjusted. Automatic application and deployment of firewall policies are thereby realized, the firewall deployment time is shortened, and the reusability of the architecture is improved.
Referring to fig. 3, a third embodiment of the firewall policy verification method according to the embodiment of the present invention includes:
301. acquiring a system architecture of firewall policy deployment, and extracting logic entities in the system architecture and call relationship information between the logic entities;
302. performing rationality verification between the logic entities based on the call relationship information;
303. if the rationality verification is passed, inquiring a preset background server according to the logic entities to obtain host information and port information corresponding to each logic entity;
304. classifying the host information according to the calling relation information to obtain the IP information of the host of the initiator and the IP information of the host of the responder;
In this step, the background server stores the logic entities, the host IP information, and the correspondence between each logic entity and its host IP information and port information, so the host IP information of a logic entity can be obtained from this correspondence. The host IP information falls into two types, initiator host IP information and responder host IP information, which are told apart by the calling relationship between the logic entities. For example, two logic entities correspond to two pieces of host IP information; if the calling relationship shows that the first logic entity calls the second, the host IP information of the first logic entity is the initiator host IP information and that of the second logic entity is the responder host IP information.
305. Generating a firewall policy verification request according to the host information and the port information;
306. obtaining login passwords of all initiator hosts in the firewall policy verification request according to the IP information of the initiator hosts;
307. sending the login password to the corresponding initiator host to remotely log in each initiator host;
In this step, after the system has obtained the host information (initiator IP, responder IP, port information and so on), a firewall policy verification request carrying that host information is triggered. The request is first checked; when the check passes, the background server performs a remote login to each initiator host named in the request, and when a login fails, the front end displays a prompt message.
In practical application, the firewall policy verification request is checked by checking the host information: the host information is classified, and each class is checked against the rule for that class. For example, the initiator host IP and the responder host IP are checked with a regular expression to confirm that the input actually is an IP address; if it is, the check passes, and if it is not, the check fails and the front end displays a reminder.
In this step, the remote login may be password-free remote login or remote login with a retrieved password; this embodiment uses password-free remote login. Password-free login is performed from a service host: the key information of the service host is obtained, a cloud interface is called to push a preset script together with the key information to each initiator host, and each initiator host executes the preset script. The script detects whether the key information already exists in the host's configuration file; if it does, the script deletes itself, and if it does not, the script writes the key information into the configuration file, so that the service host is present in the trust list of every initiator host. The service host can then log in without a password using its login information list and key information, so that different servers need not be logged into manually, which effectively improves the convenience of firewall policy verification.
In practical application, remote login with a retrieved password may also be used. Each initiator host is assigned a login user password (the login password) when it is registered; when the background server receives a firewall policy verification request, it calls an interface, assembled by URL splicing, to obtain the login password of each initiator host, and then logs in remotely in the specified-password mode, that is, an instruction carrying the IP and the login password is sent to the corresponding initiator host and each initiator host is logged into remotely. Again, different servers need not be logged into manually, and the convenience of firewall policy verification is effectively improved.
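The presence check and write that the pushed script performs on each initiator host is the part worth getting right, because a script that blindly appends will duplicate the key on every run and one that rewrites the file carelessly can lock the service host out. The following is an added example, not the patent's script; it assumes the "configuration file" is an OpenSSH authorized_keys file and that "key information" is a public key line. The key line used is constructed and is not a real key. The same key is recognised regardless of its comment label or an options prefix, the rewrite is atomic, and the file mode is forced to 0600. Deleting the script after a successful check is left to the pushing side.

```python
"""Idempotent installation of the service host's public key on an initiator host.

Added example, not the patent's script. The patent describes pushing the service
host's key and a preset script to each initiator host, where the script writes
the key into a configuration file only if it is not already present. This
example assumes the configuration file is an OpenSSH authorized_keys file."""
import os
import tempfile

# Constructed sample key line; the blob is a placeholder, not a real key.
SERVICE_HOST_KEY = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAM "
    "service-host"
)


def key_identity(line):
    """Return (key type, base64 blob) for an authorized_keys line, or None for
    blank lines, comments and malformed entries. The comment field and any
    options prefix (e.g. from="...") are ignored so the same key is recognised
    whatever label it carries."""
    parts = line.strip().split()
    if not parts or parts[0].startswith("#"):
        return None
    for i in range(len(parts) - 1):
        if parts[i].startswith(("ssh-", "ecdsa-", "sk-")):
            return (parts[i], parts[i + 1])
    return None


def ensure_authorized_key(path, key_line):
    """Append key_line to the file at path unless an equal key is present.

    Returns True if the key was written, False if it was already there.
    The file is rewritten atomically (temp file + rename) with mode 0600."""
    wanted = key_identity(key_line)
    if wanted is None:
        raise ValueError("key line is not a valid public key entry")
    existing = ""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as f:
            existing = f.read()
    for line in existing.splitlines():
        if key_identity(line) == wanted:
            return False
    content = existing
    if content and not content.endswith("\n"):
        content += "\n"
    content += key_line.strip() + "\n"
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".authorized_keys.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(content)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return True


def demo():
    """Push the key twice against a fresh file and report what happened:
    (written first time, written second time, line count, file mode)."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "authorized_keys")
    first = ensure_authorized_key(path, SERVICE_HOST_KEY)
    # Same key with a different comment must be recognised as already present.
    second = ensure_authorized_key(path, SERVICE_HOST_KEY.replace("service-host", "relabelled"))
    with open(path, encoding="utf-8") as f:
        lines = f.read().splitlines()
    mode = oct(os.stat(path).st_mode & 0o777)
    return first, second, len(lines), mode


if __name__ == "__main__":
    print(demo())
```

The second call returns False because the key is matched on its type and blob, not on the whole line, so relabelling the key on the service host does not cause it to be installed twice.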
308. If the login is successful, verifying the existing firewall strategy in the system architecture through a preset wall verification script;
When the login succeeds, before the firewall policy is verified through the preset wall-checking script, the method further comprises receiving the wall-checking script, written by a developer for verifying the firewall policy, and configuring it so that it can be called.
In this embodiment, after the remote login succeeds, the firewall policy is verified, mainly through a preset wall-checking script. The wall-checking script is written by development or operation and maintenance personnel to check on each host whether the firewall policy is open; they enter the script into a transfer machine, which configures and stores it so that it can be called. After the remote login succeeds, the transfer machine runs a wall-checking task and obtains the result. Specifically, when the task runs, a telnet command connecting to the responder's target domain name and port is generated; if connection-success information is received for the responder's domain name and port, the firewall between the initiator host and the responder host is determined to be open, and if connection-timeout or connection-refused information is returned for the responder's domain name plus port, the firewall between the initiator host and the responder host is determined to be closed, that is, the policy has not been opened or the opening has failed.
309. If the verification is successful, returning a firewall policy verification result to the front end;
310. if the verification fails, sending a preset webpage link to the front end;
311. adjusting the calling relation information between the logic entities according to the input information of the operation and maintenance personnel in the webpage link;
312. and redeploying the firewall policy based on the adjusted calling relation information, and verifying the new firewall policy again.
This embodiment describes the firewall policy verification process in detail on the basis of the previous embodiment: the initiator hosts are logged into remotely with the host passwords in the firewall policy verification request, and after the login succeeds the firewall policy is verified with a telnet instruction, which improves verification efficiency and reduces the verification error rate.
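Steps 303 to 308 together form one procedure: look up each logic entity's host, split the hosts into initiator and responder by the calling relationship, check the request, then probe each responder from the initiator. The following is an added example, not the patent's scripts. It assumes the background server's lookup returns, per logic entity, its host IP and listening port (a constructed table stands in for it), and it replaces the telnet command with a TCP connect from Python, which distinguishes the same three outcomes the wall-checking task reads off telnet: the handshake completes (open), the peer answers with a reset (refused), or nothing answers before the timeout (the usual signature of a firewall drop). The IP check uses the standard library parser rather than a regular expression; it rejects the same malformed inputs and also rejects out-of-range octets that a loose pattern would pass. The probe is shown against a loopback listener so the example runs offline.

```python
"""Building the firewall policy verification request and running the wall check.

Added example, not the patent's scripts. It assumes the background server's
lookup returns, per logic entity, its host IP and listening port, and it
replaces the telnet command the patent describes with a TCP connect from
Python; the sample entities and addresses are constructed."""
import ipaddress
import socket

# Constructed stand-in for the background server: entity -> (host IP, port).
BACKGROUND_SERVER = {
    "gateway": ("10.1.0.10", 8443),
    "web_server": ("10.1.0.20", 443),
    "file_server": ("10.2.0.30", 445),
    "ptr_app": ("10.3.0.40", 8080),
}


def classify_hosts(calls, lookup=BACKGROUND_SERVER):
    """Turn (caller, callee) pairs into request entries.

    The caller's host becomes the initiator, the callee's host and port the
    responder; the initiator's own listening port plays no part in the check."""
    request = []
    for caller, callee in calls:
        initiator_ip, _ = lookup[caller]
        responder_ip, responder_port = lookup[callee]
        request.append({"initiator": initiator_ip, "responder": responder_ip, "port": responder_port})
    return request


def validate_request(request):
    """Check each entry before any login is attempted; return the problems found."""
    problems = []
    for entry in request:
        for role in ("initiator", "responder"):
            try:
                ipaddress.ip_address(entry[role])
            except ValueError:
                problems.append(f"{role} {entry[role]!r} is not an IP address")
        if not isinstance(entry["port"], int) or not 0 < entry["port"] < 65536:
            problems.append(f"port {entry['port']!r} is out of range")
    return problems


def probe(host, port, timeout=3.0):
    """Equivalent of 'telnet host port' run on the initiator: 'open' when the
    TCP handshake completes, 'refused' on a reset, 'timeout' when nothing
    answers (typically a firewall drop), otherwise the OS error class name."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:
        return f"error:{exc.__class__.__name__}"


def wall_check(request, timeout=3.0):
    """Probe every responder; 'open' means the policy between initiator and
    responder is in effect, anything else means it is not (or failed)."""
    results = []
    for entry in request:
        state = probe(entry["responder"], entry["port"], timeout)
        results.append({**entry, "state": state, "passed": state == "open"})
    return results


def local_listener():
    """Offline demonstration helper: a listening socket on loopback."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def unused_port():
    """Offline demonstration helper: a loopback port nobody listens on."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_port = local_listener()
    demo = [{"initiator": "127.0.0.1", "responder": "127.0.0.1", "port": open_port},
            {"initiator": "127.0.0.1", "responder": "127.0.0.1", "port": unused_port()}]
    assert not validate_request(demo)
    for r in wall_check(demo, timeout=1.0):
        print(f"{r['initiator']} -> {r['responder']}:{r['port']} {r['state']}")
    srv.close()
```

In the real flow the probe runs on the initiator host after the remote login, since the firewall in question sits between initiator and responder; running it from the transfer machine would test a different path. The timeout is kept short and explicit because a dropped SYN never produces an error on its own.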
Referring to fig. 4, a fourth embodiment of the firewall policy validation method according to the embodiment of the present invention includes:
401. acquiring a system architecture of firewall policy deployment, and extracting logic entities in the system architecture and call relationship information between the logic entities;
402. performing rationality verification between the logic entities based on the call relationship information;
403. if the rationality verification is passed, acquiring host information and port information according to the logic entity and the calling relation information;
404. performing firewall policy verification according to the host information and the port information;
405. if the verification is successful, returning a firewall policy verification result to the front end;
406. if the verification fails, sending a preset webpage link to the front end;
407. adjusting the calling relation information between the logic entities according to the input information of the operation and maintenance personnel in the webpage link;
408. redeploying the firewall policy based on the adjusted calling relationship information, and verifying the new firewall policy again;
409. and correspondingly deploying the new firewall policy to the firewall server of the area where the application instance of each logic entity of the system architecture is located.
In this step, the firewall policy corresponding to each logic entity may be generated once the calling link is confirmed. For example, the calling links between the logic entities of the system architecture may be, but are not limited to: the external system calls the DMZ zone; the DMZ zone calls the intranet SF zone; the PTR zone calls the intranet SF zone; and the intranet SF zone calls the DMZ zone. The firewall policy of each logic entity is generated from the calling relationships of the calling link; for example, the firewall policy of the DMZ zone allows the external system to call it.
After the system architecture passes the rationality verification, the calling link of the logic entities, that is, which logic entities in the system architecture may call each other and which may not, is determined from the logical calling relationships between the logic entities. The firewall policies corresponding to the respective logic entities can therefore be generated from the calling link and deployed to the corresponding modules, implementing the calling policies of the modules in the system architecture.
On the basis of the previous embodiment, this embodiment describes in detail the process of re-applying for and re-verifying the firewall policy after the firewall policy verification fails. Re-applying for and redeploying the firewall policy after a failed verification avoids leaving security gaps, and verifying it again ensures that the re-applied firewall policy is actually usable.
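The generation described above, from confirmed calling links to a per-zone policy for each zone's firewall server, can be shown end to end. The following is an added example, not the patent's generator. The four calling links are the ones the text quotes (external to DMZ, DMZ to SF, PTR to SF, SF to DMZ); the entity names, addresses, ports and rule format are assumptions. Each link produces an ingress rule on the responder's zone firewall and, where the link crosses two managed zones, an egress rule on the initiator's zone firewall; every zone's policy ends with an explicit default deny so that the generated policy records what is not permitted as well as what is. An entity with no listening port cannot appear as a responder, which catches a reversed calling relationship before it becomes a rule.

```python
"""Generating per-zone firewall policies from the confirmed calling links.

Added example, not the patent's generator. The zone layout and the four
calling links quoted in the patent are used as the sample; the entity names,
hosts, ports and the rule format are assumptions."""
from collections import defaultdict

# Constructed inventory: entity -> (zone, host IP, listening port or None).
ENTITIES = {
    "partner_system": ("external", "203.0.113.10", None),
    "gateway": ("DMZ", "10.1.0.10", 8443),
    "file_server": ("SF", "10.2.0.30", 445),
    "ptr_app": ("PTR", "10.3.0.40", 8080),
    "report_job": ("SF", "10.2.0.31", None),
}

# Confirmed calling links, matching the patent's four examples:
# external -> DMZ, DMZ -> SF, PTR -> SF, SF -> DMZ.
CALL_LINKS = [
    ("partner_system", "gateway"),
    ("gateway", "file_server"),
    ("ptr_app", "file_server"),
    ("report_job", "gateway"),
]

DEFAULT_DENY = {"src": "any", "dst": "any", "port": "any", "proto": "any",
                "action": "deny", "direction": "both", "link": "default"}


def generate_policies(call_links, entities=ENTITIES):
    """Return {zone: [rule, ...]}; each rule is a dict with src, dst, port,
    proto, action, direction and the zone-level link it came from.

    A rule is attached to the firewall of the responder's zone (ingress) and,
    when the call crosses two managed zones, to the initiator's zone (egress).
    The external zone has no firewall of ours, so it never receives rules.
    Every zone ends with an explicit default deny."""
    policies = defaultdict(list)
    for caller, callee in call_links:
        src_zone, src_ip, _ = entities[caller]
        dst_zone, dst_ip, dst_port = entities[callee]
        if dst_port is None:
            raise ValueError(f"{callee} has no listening port; it cannot be a responder")
        rule = {"src": src_ip, "dst": dst_ip, "port": dst_port, "proto": "tcp",
                "action": "allow", "link": f"{src_zone} -> {dst_zone}"}
        policies[dst_zone].append({**rule, "direction": "ingress"})
        if src_zone != dst_zone and src_zone != "external":
            policies[src_zone].append({**rule, "direction": "egress"})
    for zone in policies:
        policies[zone].append(dict(DEFAULT_DENY))
    return dict(policies)


def render(policies):
    """Human-readable listing, one line per rule, for the review record."""
    lines = []
    for zone, rules in sorted(policies.items()):
        lines.append(f"[{zone}]")
        for r in rules:
            lines.append(f"  {r['action']:5} {r['direction']:7} "
                         f"{r['src']} -> {r['dst']} {r['proto']}/{r['port']}  ({r['link']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(generate_policies(CALL_LINKS)))
```

The output groups rules by the zone whose firewall server receives them, which is the deployment unit of step 409; re-running the generator after the calling relationships are adjusted (steps 406 to 408) yields the replacement policy for the same zones.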
With reference to fig. 5, the firewall policy verification method in the embodiment of the present invention is described above, and a firewall policy verification apparatus in the embodiment of the present invention is described below, where an embodiment of the firewall policy verification apparatus in the embodiment of the present invention includes:
an extracting module 501, configured to obtain a system architecture for firewall policy deployment, and extract a logic entity in the system architecture and call relationship information between the logic entities;
a rationality verifying module 502, configured to perform rationality verification between the logic entities based on the call relationship information;
an obtaining module 503, configured to obtain host information and port information according to the logic entity and the call relationship if the rationality verification passes;
a policy validation module 504, configured to perform firewall policy validation according to the host information and the port information;
a result returning module 505, configured to return a firewall policy verification result to the front end when the firewall policy verification is successful;
a link sending module 506, configured to send a preset web link to the front end when the firewall policy verification fails;
the adjusting module 507 is used for adjusting the calling relationship information between the logic entities according to the input information of the operation and maintenance personnel in the webpage link;
and the policy deployment module 508 is configured to perform firewall policy redeployment based on the adjusted call relation information, and verify the new firewall policy again.
In this embodiment, the present invention provides a firewall policy verification apparatus capable of performing the firewall policy verification method, which comprises: acquiring a system architecture of firewall policy deployment, and extracting logic entities in the system architecture and call relationship information between the logic entities; performing rationality verification between the logic entities based on the calling relationship information; if the rationality verification is passed, acquiring host information and port information according to the logic entity and the calling relation information; performing firewall policy verification according to the host information and the port information; if the verification is successful, returning a firewall policy verification result to the front end; if the verification fails, displaying a preset webpage link, and adjusting the calling relation information between the logic entities based on the webpage link; and redeploying the firewall policy based on the adjusted calling relation information, and verifying the new firewall policy again. With this method, after a firewall policy verification fails the system architecture does not need to be readjusted and reviewed again; only the relationships between the logic entities are adjusted according to the calling relation information. Automatic application and deployment of the firewall policy are thereby realized, the firewall deployment time is shortened, and the reusability of the architecture is improved.
Referring to fig. 6, another embodiment of the firewall policy verification apparatus according to the embodiment of the present invention includes:
an extracting module 501, configured to obtain a system architecture for firewall policy deployment, and extract a logic entity in the system architecture and call relationship information between the logic entities;
a rationality verifying module 502, configured to perform rationality verification between the logic entities based on the call relationship information;
an obtaining module 503, configured to obtain host information and port information according to the logic entity and the call relationship if the rationality verification passes;
a policy validation module 504, configured to perform firewall policy validation according to the host information and the port information;
a result returning module 505, configured to return a firewall policy verification result to the front end when the firewall policy verification is successful;
a link sending module 506, configured to send a preset web link to the front end when the firewall policy verification fails;
the adjusting module 507 is used for adjusting the calling relationship information between the logic entities according to the input information of the operation and maintenance personnel in the webpage link;
and the policy deployment module 508 is configured to perform firewall policy redeployment based on the adjusted call relation information, and verify the new firewall policy again.
Wherein the rationality verification module 502 comprises:
a rule obtaining unit 5021, configured to obtain a preset initial system architecture logic specification file, and obtain an initial logic entity invocation specification rule from the initial system architecture logic specification file;
a verifying unit 5022, configured to perform rationality verification between the logic entities according to the information of the call relationship between the logic entities in the system architecture and the call specification rule of the initial logic entity.
Optionally, the verification unit 5022 is specifically configured to:
generating a system architecture review item according to the initial logic entity calling specification rule;
determining whether the calling relationship information is matched with the system architecture review item;
and if so, determining that the system architecture passes the rationality verification.
Optionally, in a third implementation manner of the second aspect of the present invention, the obtaining module 503 is specifically configured to:
inquiring a preset background server according to the logic entities to obtain host information and port information corresponding to each logic entity;
and classifying the host information according to the calling relation information to obtain the IP information of the host of the initiator and the IP information of the host of the responder.
Wherein the policy validation module 504 comprises:
a generating unit 5041, configured to generate a firewall policy validation request according to the host information and the port information;
a login unit 5042, configured to perform a remote login operation on the initiator host in the firewall policy validation request according to the initiator host IP information;
the wall checking unit 5043 is configured to verify an existing firewall policy in the system architecture through a preset wall checking script if the login is successful.
Optionally, the login unit 5042 is specifically configured to:
obtaining login passwords of all initiator hosts in the firewall policy verification request according to the IP information of the initiator hosts;
and sending the login password to the corresponding initiator host to remotely log in each initiator host.
Optionally, the firewall policy verification apparatus further includes a server deployment module 509, where the server deployment module is specifically configured to:
and correspondingly deploying the new firewall policy to the firewall server of the area where the application instance of each logic entity of the system architecture is located.
In this embodiment, the present invention provides a firewall policy validation device, where a server deployment module is added to the firewall policy validation device based on the previous embodiment, and units in each module are described in detail.
Fig. 5 and fig. 6 describe the firewall policy validation apparatus in the embodiment of the present invention in detail from the perspective of the modular functional entity, and the firewall policy validation apparatus in the embodiment of the present invention is described in detail from the perspective of hardware processing.
Fig. 7 is a schematic structural diagram of a firewall policy verification apparatus according to an embodiment of the present invention. The firewall policy verification apparatus 700 may vary considerably in configuration or performance, and may include one or more processors (CPUs) 710 and a memory 720, and one or more storage media 730 (e.g., one or more mass storage devices) storing applications 733 or data 732. The memory 720 and the storage medium 730 may be transient storage or persistent storage. The program stored on the storage medium 730 may include one or more modules (not shown), each of which may include a series of instructions operating on the firewall policy verification apparatus 700. Further, the processor 710 may be configured to communicate with the storage medium 730 and execute the series of instruction operations in the storage medium 730 on the firewall policy verification apparatus 700 to implement the steps of the firewall policy verification method described above.
The firewall policy verification apparatus 700 may also include one or more power supplies 740, one or more wired or wireless network interfaces 750, one or more input-output interfaces 760, and/or one or more operating systems 731, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, and the like. Those skilled in the art will appreciate that the structure shown in fig. 7 does not limit the firewall policy verification apparatus, which may include more or fewer components than shown, combine some components, or arrange the components differently.
The present invention also provides a computer readable storage medium, which may be a non-volatile computer readable storage medium, or a volatile computer readable storage medium, having stored therein instructions, which, when run on a computer, cause the computer to perform the steps of the firewall policy validation method.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A firewall policy verification method is characterized by comprising the following steps:
acquiring a system architecture of firewall policy deployment, and extracting logic entities in the system architecture and call relationship information between the logic entities;
performing rationality verification between the logic entities based on the calling relationship information;
if the rationality verification is passed, acquiring host information and port information according to the logic entity and the calling relation information;
performing firewall policy verification according to the host information and the port information;
if the verification is successful, returning a firewall policy verification result to the front end;
if the verification fails, sending a preset webpage link to the front end;
adjusting the calling relationship information between the logic entities according to the input information of the operation and maintenance personnel in the webpage link;
and redeploying the firewall policy based on the adjusted calling relation information, and verifying the new firewall policy again.
2. The firewall policy validation method according to claim 1, wherein the performing rationality validation between the logical entities based on the invocation relationship information comprises:
acquiring a preset initial system architecture logic specification file, and acquiring an initial logic entity calling specification rule from the initial system architecture logic specification file;
and performing rationality verification between the logic entities according to the calling relationship information between the logic entities in the system architecture and the initial logic entity calling specification rules.
3. The firewall policy validation method according to claim 2, wherein performing the rationality validation between the logic entities according to the invocation relationship information between the logic entities in the system architecture and the initial logic entity invocation specification rules comprises:
generating a system architecture review item according to the initial logic entity calling specification rule;
determining whether the calling relationship information is matched with the system architecture review item;
and if so, determining that the system architecture passes the rationality verification.
4. The firewall policy validation method of claim 1, wherein the obtaining host information and port information according to the logical entity and the call relationship comprises:
inquiring a preset background server according to the logic entities to obtain host information and port information corresponding to each logic entity;
and classifying the host information according to the calling relation information to obtain the IP information of the host of the initiator and the IP information of the host of the responder.
5. The firewall policy validation method according to claim 4, wherein the performing firewall policy validation according to the host information and the port information comprises:
generating a firewall policy verification request according to the host information and the port information;
according to the IP information of the initiator host, performing remote login operation on the initiator host in the firewall policy verification request;
and if the login is successful, verifying the existing firewall strategy in the system architecture through a preset wall verification script.
6. The firewall policy validation method of claim 5, wherein the remote login operation on the initiator host in the firewall policy validation request comprises:
obtaining login passwords of all initiator hosts in the firewall policy verification request according to the IP information of the initiator hosts;
and sending the login password to the corresponding initiator host to remotely log in each initiator host.
7. The firewall policy validation method according to claim 1, wherein after the firewall policy is redeployed based on the adjusted invocation relationship information and the new firewall policy is validated again, the method further comprises:
and correspondingly deploying the new firewall policy to the firewall server of the area where the application instance of each logic entity of the system architecture is located.
8. A firewall policy verification apparatus, comprising:
an extraction module, configured to acquire a system architecture on which a firewall policy is deployed and to extract the logic entities in the system architecture and the calling relationship information between the logic entities;
a rationality verification module, configured to perform rationality verification between the logic entities based on the calling relationship information;
an obtaining module, configured to obtain host information and port information according to the logic entities and the calling relationship if the rationality verification passes;
a policy verification module, configured to perform firewall policy verification according to the host information and the port information;
a link sending module, configured to send a preset web page link to the front end when the firewall policy verification fails;
an adjusting module, configured to adjust the calling relationship information between the logic entities according to the information entered by operation and maintenance personnel in the web page link;
the adjusting module, further configured to display the preset web page link when the firewall policy verification fails and to adjust the calling relationship information between the logic entities based on the web page link;
and a policy deployment module, configured to redeploy the firewall policy based on the adjusted calling relationship information and to verify the new firewall policy again.
9. A firewall policy verification device, comprising: a memory having instructions stored therein and at least one processor, the memory and the at least one processor being interconnected by a line;
the at least one processor invoking the instructions in the memory to cause the firewall policy verification device to perform the firewall policy verification method of any one of claims 1-7.
10. A computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the firewall policy verification method of any one of claims 1-7.
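The procedure of claims 1 to 5 and the modules of claim 8, as an added example that is not part of the patent: a Python model that runs the rationality review, the host/port lookup and the policy check over constructed sample data (the tiers, IPs, ports and rule set are all assumptions), with the remote login and verification script of claims 5 and 6 replaced by an offline evaluation of the existing rule set.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data (hypothetical, not from the patent): each logic
# entity's architecture tier, and the directed calling relationships
# extracted from the system architecture.
TIER = {"web": "front", "api": "app", "db": "data"}
CALLS = [("web", "api"), ("api", "db"), ("web", "db")]

# Initial logic-entity calling specification rules, expressed as the review
# items of claim 3: the (caller tier, callee tier) pairs that are permitted.
REVIEW_ITEMS = {("front", "app"), ("app", "data")}

# Stand-in for the preset background server of claim 4: entity -> (IP, port).
BACKEND = {"web": ("10.0.1.10", 443), "api": ("10.0.2.10", 8080),
           "db": ("10.0.3.10", 3306)}

# Existing firewall policy, first match wins: (src CIDR, dst CIDR, port, action).
# The api -> db flow is missing, which the policy verification must detect.
FIREWALL = [
    ("10.0.1.0/24", "10.0.2.0/24", 8080, "allow"),
    ("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

def rationality_check(calls, tier, review_items):
    """Return the calls whose (caller tier, callee tier) matches no review item."""
    return [(a, b) for a, b in calls if (tier[a], tier[b]) not in review_items]

def build_requests(calls, backend):
    """Classify hosts into initiator/responder and form verification requests."""
    return [(backend[a][0], backend[b][0], backend[b][1]) for a, b in calls]

def policy_allows(rule_set, src, dst, port):
    """Evaluate one request against the rule set with first-match semantics."""
    for src_net, dst_net, rule_port, action in rule_set:
        if (ip_address(src) in ip_network(src_net)
                and ip_address(dst) in ip_network(dst_net)
                and rule_port in (None, port)):
            return action == "allow"
    return False  # no rule matched: treat as implicit deny

def verify_policy(calls, tier, review_items, backend, rule_set):
    """Claims 1-5 end to end: rationality check, then policy check of each call."""
    bad = rationality_check(calls, tier, review_items)
    if bad:  # architecture fails review; do not proceed to host lookup
        return {"stage": "rationality", "failed": bad}
    failed = [r for r in build_requests(calls, backend)
              if not policy_allows(rule_set, *r)]
    return {"stage": "policy", "failed": failed}
```

With the full CALLS list the web -> db call fails the rationality review before any host lookup; with that call removed, the policy check reports the api -> db request that the existing rule set denies, which is the case in which the patent hands the calling relationship back to operations staff for adjustment.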
CN202010877429.4A 2020-08-27 2020-08-27 Firewall policy verification method, device, equipment and storage medium Pending CN112039868A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010877429.4A CN112039868A (en) 2020-08-27 2020-08-27 Firewall policy verification method, device, equipment and storage medium
Publications (1)

Publication Number Publication Date
CN112039868A true CN112039868A (en) 2020-12-04

Family

ID=73580194
Country Status (1)

Country Link
CN (1) CN112039868A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination