CN112887324A - Policy configuration management system for network security device of power monitoring system - Google Patents


Info

Publication number: CN112887324A (application CN202110191045.1A; granted version CN112887324B)
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 陆力瑜, 刘媛, 陈文迪, 刘慕娴, 刘桂华
Assignee (original and current): Guangxi Power Grid Co Ltd
Legal status (as listed by Google Patents, not a legal conclusion): granted; currently Expired - Fee Related
Events: application filed by Guangxi Power Grid Co Ltd; publication of CN112887324A; application granted; publication of CN112887324B

Classifications

    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • G06F21/602 Protecting data: providing cryptographic facilities or services
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, where protection concerns the structure of data, e.g. records, types, queries
    • G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files
    • G06Q50/06 ICT specially adapted for business processes of specific sectors: energy or water supply
    • H04L41/0803 Configuration management of networks or network elements: configuration setting
    • H04L63/0428 Network security for providing a confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • Y04S40/20 Smart grids: information technology specific aspects, e.g. CAD, simulation, modelling, system security


Abstract

The invention relates to the technical field of power monitoring systems, in particular to a policy configuration management system for the network security devices of a power monitoring system. The system comprises a user management module, a setting management module, a log management module and a configuration management module. The user management module sets management permissions for users and separates system permissions; the setting management module sets security thresholds and manages IP addresses; the log management module records system login records and user operation records; the configuration management module automatically parses, or backtracks and compares, the policy configuration files of horizontal isolation devices and vertical encryption devices from different manufacturers. The system can automatically parse and compare the policy configuration files of the horizontal isolation devices and vertical encryption devices of a power monitoring system and supports one-click querying of any content that exceeds a security threshold, so that modifications to a policy configuration file are clearly visible, manual checking is no longer needed and configuration efficiency is improved.

Description

Policy configuration management system for network security device of power monitoring system
Technical Field
The invention relates to the technical field of power monitoring systems, in particular to a policy configuration management system of a network security device of a power monitoring system.
Background
In recent years, network security threats to power monitoring systems have grown increasingly severe, and incomplete boundary-protection security policies on the horizontal and vertical network security devices allow a security threat to spread widely. At present the network security devices of a power monitoring system, in particular the horizontal security isolation and vertical encryption devices, provide no analysis, comparison, query or statistics functions for security policy management, and no existing system supports checking of horizontal isolation and vertical encryption security policies. Checking can only be done manually, which carries the risks of inconsistent standards, low efficiency and missed items.
Disclosure of Invention
To solve the above problems, the present invention provides a policy configuration management system for the network security devices of a power monitoring system. The specific technical solution is as follows:
The policy configuration management system for the network security devices of a power monitoring system comprises a user management module, a setting management module, a log management module and a configuration management module;
the user management module is used to set management permissions for logged-in users and to separate system permissions;
the setting management module is used to set security thresholds for the policy configuration items of the network security devices and to manage the IP address usage of the network security devices;
the log management module is used to record user login records and user operation records;
the configuration management module is used to automatically parse, or to backtrack and compare, the policy configuration files of network security devices from different manufacturers. Automatic parsing structures the predefined contents to be parsed into a standard data format, stores them in the Elasticsearch search engine, displays them, and marks configured contents that reach or exceed a security threshold. Backtracking analysis compares a policy configuration file with the previous version of that file and marks and displays the differences;
the network security devices comprise firewalls, horizontal isolation devices and vertical encryption devices.
Preferably, the users defined in the user management module include ordinary users and super users; they differ in permissions in that the number of modules, among the user management module, setting management module, log management module and configuration management module, that each may access is different.
Preferably, automatic parsing by the configuration management module comprises the following steps:
(1) the user selects the policy configuration file to be read and selects which effective configuration contents are to be read;
(2) the configuration management module reads the policy configuration file line by line and matches each line against the contents the user needs to read; when the program finds such content in the policy configuration file it parses the content and looks up the corresponding definition of that content elsewhere in the policy configuration file;
(3) the configuration management module stores the parsed content and its definitions in Elasticsearch using standard data types according to the parsing rules, and displays the parsed data on a page;
(4) the configuration contents that reach or exceed the security threshold are checked in batch according to a user-defined policy checking template and marked.
Preferably, when the configuration management module reads the policy configuration file line by line in step (2), the content the user needs to read is matched by matching keywords.
Preferably, when the policy configuration file is read line by line in step (2), the file is divided into configuration items, each item's string is split into a data array, the data array read is matched position by position to a predefined mapping array, and the result is stored in dictionary format to form the parsed content.
Preferably, backtracking analysis by the configuration management module comprises the following steps:
(1) the user selects, according to the contents of the configuration files, the two policy configuration files to be compared;
(2) the two policy configuration files are compared with difflib, the standard comparison library of the Python language, and their differences are marked and displayed on a page.
Preferably, the management system adopts a B/S (browser/server) architecture.
The beneficial effects of the invention are: the invention can automatically parse and compare the policy configuration files of the horizontal isolation devices and vertical encryption devices of a power monitoring system and display them on a page, supports one-click querying of contents that exceed a security threshold, and manages the policy configuration files, so that modifications to a policy configuration file are clearly visible, manual checking is avoided and configuration efficiency is improved.
The Elasticsearch search engine used by the invention can store structured data of complex types and provides a variety of query structures to satisfy diverse queries on the data. For parsing, displaying and producing statistics on the contents of policy configuration files, the display structure is clear and easy to read at a glance, the security threshold can be configured dynamically by the user, and a checker can adjust the threshold dynamically to check whether hidden security risks exist in different policy configuration files in different production environments.
Drawings
FIG. 1 is a schematic structural view of the present invention;
FIG. 2 is a schematic diagram of a page of the user management module;
FIG. 3 is a diagram illustrating the contents of a policy configuration file in an embodiment;
FIG. 4 is a diagram illustrating the definition of the bastion host in the embodiment;
FIG. 5 is a display page diagram of an embodiment;
FIG. 6 is a schematic diagram of the page on which the setting management module sets a security threshold;
FIG. 7 is a schematic diagram of the page on which the setting management module adds IP address usages;
FIG. 8 is a display page diagram for a Huawei firewall;
FIG. 9 is a schematic diagram of the policy configuration file of a NARI Xintong forward isolation device;
FIG. 10 is a display page diagram of the parsed NARI Xintong policy configuration file;
FIG. 11 is a display page diagram of the parsed Xingtang policy configuration file.
Detailed Description
For a better understanding of the present invention, reference is made to the following detailed description taken in conjunction with the accompanying drawings in which:
As shown in FIG. 1, a policy configuration management system for the network security devices of a power monitoring system comprises a user management module, a setting management module, a log management module and a configuration management module;
the user management module is used to set management permissions for logged-in users and to separate system permissions;
the setting management module is used to set security thresholds for the policy configuration items of the network security devices and to manage the IP address usage of the network security devices;
the log management module is used to record user login records and user operation records;
the configuration management module is used to automatically parse, or to backtrack and compare, the policy configuration files of network security devices from different manufacturers. Automatic parsing structures the predefined contents to be parsed into a standard data format, stores them in the Elasticsearch search engine, displays them, and marks configured contents that reach or exceed a security threshold. Backtracking analysis compares a policy configuration file with the previous version of that file and marks and displays the differences;
the network security devices comprise firewalls, horizontal isolation devices and vertical encryption devices.
The invention adopts a B/S architecture, is implemented in the Python programming language, uses the high-performance Elasticsearch search engine for data storage, and is built on the lightweight Python web framework Flask. Because Elasticsearch runs on the JVM, the operating environment of the system depends on a Java environment, which must be configured. A traditional relational database has difficulty modelling and supporting diverse queries over data with a complex structure, and its query efficiency is low when no index exists; for information presentation, the traditional approach of reading the files with Python can also produce accurate results, but is somewhat lacking in display friendliness and cannot provide diverse queries and storage. The Elasticsearch search engine used by the invention can store structured data of complex types and provides a variety of query structures to satisfy diverse queries on the data. For parsing, displaying and producing statistics on configuration contents, the invention not only has a clear display structure that is easy to read at a glance, but also lets the security threshold be configured dynamically by the user, so that a checker can adjust the threshold dynamically to check whether hidden security risks exist in different configuration files in different production environments.
The users defined in the user management module include ordinary users and super users; they differ in permissions in that the number of modules, among the user management module, setting management module, log management module and configuration management module, that each may access is different. The user management module can register a user and generate a unique user name and password bound to the user's real name, and the user logs in to the system with the user name, password and a dynamic authentication code, as shown in FIG. 2.
A super user has all management permissions by default, but a super user's permissions can be modified by another super user. The system permissions are divided into:
(1) Setting management: this permission allows IP address usages to be imported in bulk. The user must describe the usage of each individual IP address (for example, what 10.100.1.100 is used for), because the configuration file read in may contain no definition of an IP address's usage; in that case the usage must be defined by the user, so this permission grants the user the right to define IP address usages, which can be imported in bulk from an Excel table.
(2) Log management: querying and viewing operation records. While a user operates the system, the system records the user's sensitive operations, such as deleting or modifying a user, defining an IP address usage and logging in to the system.
(3) User management: adding, deleting, querying, modifying and editing users.
(4) Configuration management: defining the thresholds used for policy checking.
A super user holds all four permissions; an ordinary user is assigned permissions by a super user, so an ordinary user cannot enter the user management page and cannot add, delete, query or modify users.
The automatic parsing step of the configuration management module comprises the following steps:
(1) the user selects the policy configuration file to be read and selects which effective configuration contents are to be read;
(2) the configuration management module reads the policy configuration file line by line and matches each line against the contents the user needs to read; when the program finds such content in the policy configuration file it parses the content and looks up the corresponding definition of that content elsewhere in the policy configuration file. While reading line by line, the content the user needs to read is matched by matching keywords. The file is divided into configuration items, each item's string is split into a data array, the data array read is matched position by position to a predefined mapping array, and the result is stored in dictionary format to form the parsed content.
(3) the configuration management module stores the parsed content and its definitions in Elasticsearch using standard data types according to the parsing rules, and displays the parsed data on a page;
(4) the configuration contents that reach or exceed the security threshold are checked in batch according to a user-defined policy checking template and marked.
The backtracking analysis step of the configuration management module comprises the following steps:
(1) the user selects, according to the contents of the configuration files, the two policy configuration files to be compared;
(2) the two policy configuration files are compared with difflib, the standard comparison library of the Python language, and their differences are marked and displayed on a page. From the differences between the two files the user can see how one policy configuration file differs from the other and which places were modified. The system does not know what consequences a modification will have; it only marks the differences and displays them on the page.
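The backtracking step above, as an added example that is not the patent's own code: it uses Python's standard difflib, as the description says, to compare two versions of a policy file and return only the marked lines, plus the side-by-side HTML table that difflib.HtmlDiff can render for a browser page. The two snippets are constructed in the style of a firewall security-policy block; they are not real device exports.

```python
"""Added example, not the patent's code: backtracking analysis of two versions of a
policy configuration file with Python's standard difflib, returning the marked
differences for display.  The two snippets are constructed, not real device exports."""
import difflib

OLD_POLICY = """\
security-policy
 rule name 12
  source-address address-set address12_1
  destination-address address-set address12_6
  service huawei12_1
  action permit
#
"""
NEW_POLICY = """\
security-policy
 rule name 12
  source-address address-set address12_1
  source-address address-set address12_2
  destination-address address-set address12_6
  service huawei12_1
  action deny
#
"""


def policy_diff(old_text, new_text):
    """Return (marker, line) pairs: ' ' unchanged, '-' only in the old version,
    '+' only in the new version.  Trailing whitespace is ignored."""
    old = [line.rstrip() for line in old_text.splitlines()]
    new = [line.rstrip() for line in new_text.splitlines()]
    marked = []
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            marked += [(" ", line) for line in old[i1:i2]]
        else:                                   # replace, delete or insert
            marked += [("-", line) for line in old[i1:i2]]
            marked += [("+", line) for line in new[j1:j2]]
    return marked


def changed_lines(old_text, new_text):
    """Only the differing lines: what the page marks and shows, nothing about their effect."""
    return [(m, line) for m, line in policy_diff(old_text, new_text) if m != " "]


def html_report(old_text, new_text):
    """Side-by-side HTML table for the browser page, via difflib.HtmlDiff."""
    return difflib.HtmlDiff(wrapcolumn=80).make_table(
        old_text.splitlines(), new_text.splitlines(),
        "previous version", "current version", context=True)
```

changed_lines(OLD_POLICY, NEW_POLICY) yields the added source-address line and the permit-to-deny change. As the description notes, the diff says nothing about whether a change is safe; a checker pairs it with the threshold check to judge, for example, whether the newly added address12_2 widens the rule's scope.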
Through the data query language, the configuration management module can count and analyse the hidden security risks of a given policy configuration file, so that a checker can find them accurately and quickly. The setting management module can modify the predefined security thresholds dynamically in real time, allowing flexible adjustment, and marks configured contents that reach or exceed a threshold. As shown in FIG. 6, the corresponding security thresholds are set: a source port threshold of 100 and a destination port threshold of 100 mean that a rule whose source port range or destination port range covers more than 100 ports fails the check, and the configurations that fail the check are exported to an Excel table.
Setting the policy compliance source IP threshold to 100 and the policy compliance destination IP threshold to 100 means that a rule whose source IP range or destination IP range covers more than 100 IP addresses fails the check.
Specifically: while the configuration file is read, the number of IP addresses between the start address and the end address of each address object is calculated (for example, a range from 10.100.1.0 to 10.100.1.100 contains 101 IP addresses, counting both ends) and stored in the database; during checking, the database query language is used to find the entries whose count is larger than the predefined value of 100, and those entries are extracted to generate and export an Excel file.
In addition, IP address usages can be added in the setting management module of the invention, and the usage of an IP address can be added and deleted, as shown in FIG. 7.
The invention can automatically parse, compare, query and produce statistics on the policy configuration files of network security devices such as firewalls, horizontal isolation devices, vertical encryption devices and encrypted tunnels, and specifically supports ten kinds of policy configuration file: Huawei firewall, Topsec (Tianrongxin) firewall, Venustech (Qiming Xingchen) firewall, NARI Xintong forward isolation device, NARI Xintong reverse isolation device, Zhuhai Hongrui forward isolation device, NARI Xintong vertical encryption device, NARI Xintong encrypted tunnel, Xingtang vertical encryption device and Xingtang encrypted tunnel. Reading a firewall's configuration files is relatively complex, but the reading process is similar for all of them: the program reads and matches line by line according to the field descriptions supplied by the customer; when it finds a content segment that needs to be read, it reads each configuration entry and stores it in a predefined array; to obtain the specific configuration content it matches the data rows by object name within the file currently being read; finally the configuration has been read and is stored in the database.
The horizontal isolation devices and vertical encryption devices, such as the NARI Xintong forward isolation device, NARI Xintong reverse isolation device, NARI Xintong vertical encryption device and NARI Xintong encrypted tunnel, are similar: each data line is one specific configuration entry and carries no other, irrelevant information. Each data line is therefore split into an array by its delimiter, a field array is predefined from the field descriptions supplied by the customer, and reading is completed by matching the subscripts of the two arrays one to one.
The configuration contents to be read from the policy configuration files of the Xingtang vertical encryption device, the Xingtang encrypted tunnel and the Zhuhai Hongrui forward isolation device are all in a fixed format, and the data between two fixed markers can be obtained by string interception.
The automatic parsing process is explained below using a Huawei firewall as the example.
Taking a Huawei firewall configuration file as the example, the detailed reading and parsing process is as follows.
The contents of a Huawei firewall configuration file resemble the following:
.....
#
ip address-set address12_1 type object
address 0 range 10.13.8.78 10.13.8.241
#
#
ip service-set huawe10_1 type object 1073
service 0 protocol tcp destination-port 6000 to 6005
#
ip address-set address12_6 type object
address 0 172.16.2.2 mask 255.255.255.255
address 1 172.16.222 mask 29
#
#
security-policy
rule name 10
policy logging
session logging
service huawe10_1
service huawei10_2
service huawei10_3
service huawei10_4
service huawei10_5
action deny
rule name 12
source-address address-set address12_1
source-address address-set address12_2
source-address address-set address12_3
source-address address-set address12_4
source-address address-set address12_5
destination-address address-set address12_6
destination-address address-set address12_7
destination-address address-set address12_8
destination-address address-set address12_9
service huawei12_1
service huawei12_2
service huawei12_3
action permit
...
#
....
According to the effective configuration contents, the content between the keyword "security-policy" and the next "#" needs to be parsed. At the same time, the contents of the specific configuration objects of the configuration items "address-set" and "service-set" need to be recorded.
The program predefines a dictionary object to hold the specific configuration items, with the following structure:
ip_address_set_temp = {}
The program reads line by line; when it finds the keyword "address-set" it reads the IP address object that follows. Taking the configuration file above as the example, the first IP address object is named "address12_1" and its specific IP address entry is "address 0 range 10.13.8.78 10.13.8.241".
Reading code:
if "ip address-set" in line:
    ...  # read the address object that follows
The reading program parses the address entry "address 0 range 10.13.8.78 10.13.8.241": its type is "range" and its address range is 10.13.8.78 to 10.13.8.241. To support queries on the number of IP addresses in a configured range, and because the database cannot count the IP addresses of a range held as a string, the number of IP addresses in each configured range is calculated in advance and stored (164 in this example, counting both ends), and the IP address range is stored in structured form with the two addresses also stored as numbers. The key code flow is:
import ipaddress

if "address" in line and "ip address-set" not in line:
    if "range" in line:
        ip_address_set_type = "range"
        ip_range_temp = line.split("range ", 1)[1].strip()   # "10.13.8.78 10.13.8.241"
        range_arr = ip_range_temp.split(" ")                 # ["10.13.8.78", "10.13.8.241"]
        ip_start = range_arr[0]                              # 10.13.8.78
        ip_end = range_arr[1]                                # 10.13.8.241
        ip_start_int = int(ipaddress.IPv4Address(ip_start))  # convert the IP address to an integer
        ip_end_int = int(ipaddress.IPv4Address(ip_end))
        ...
Following the above process, the entries are finally combined into a complete data object:
{
    "address12_1": {
        "ip_start": "10.13.8.78",
        "ip_end": "10.13.8.241",
        "ip_start_int": 168626254,
        "ip_end_int": 168626417,
        "flag": 164,
        "type": "range"
    },
    ...  # further address objects are stored in sequence
}
Service objects are read and parsed in the same way:
{
    "huawe10_1": {
        "port_start": 6000,
        "port_end": 6005,
        "flag": 6,   # the number of ports
        "type": "range"
    },
    ...  # further service objects are stored in sequence
}
After the specific service and address objects have been read, the program continues; when it finds the keyword "security-policy" it begins recording line by line. The code structure is:
if "security-policy" in line:
    # fixed start marker
    security_policy_flag = True
if security_policy_flag:
    # start reading
    ...
The reading rules and the matched content correspond as follows:
(1) "rule name" is the policy number;
(2) "source-address-set" is the source address object;
(3) "destination-address-set" is the destination address object;
(4) "service" is the service object;
(5) "action" is the action.
The program matches line by line according to these rules and the matched content; if some content is absent, it is marked as 'any'. The program flow is as follows:
if "rule name" in line:
    rule_name = substr(line, "rule name")   # acquire the policy number, e.g. 10
if "source-address address-set" in line:
    ...   # source address object
... the other contents are handled in the same way.
Through the above program flow, the configuration content is stored in the following format:
[
    {
        "rule_name": 12,
        "source_address_arr": [
            "address12_1",
            "address12_2",
            "address12_3",
            "address12_4",
            "address12_5"
        ],
        "destination_address_arr": [
            "address12_6",
            "address12_7",
            "address12_8",
            "address12_9"
        ],
        "service_arr": [
            "huawei12_1",
            "huawei12_2",
            "huawei12_3"
        ],
        "action": "permit"
    },
    ... multiple policy contents are added in sequence.
]
So far the program has completed reading and parsing the configuration file. Next, the contents are put into one-to-one correspondence to generate a complete data structure, explained as follows:
(1) In order to support diversified queries, the program needs to integrate the data it has read. For example, the content of "source_address_arr" needs to store the specific IP information, so "address12_1" needs to correspond to its specific IP configuration item:
{
    "ip_start": "10.13.8.78",
    "ip_end": "10.13.8.241",
    "ip_start_int": 168626254,
    "ip_end_int": 168626417,
    "flag": 164,
    "type": "range"
}
A for loop that looks each name up by its key value is all that is needed for this correspondence:
for rule in configuration_policy_objects:
    ...
(2) Custom content also needs to be added to the finally generated data structure, such as the reading time and the name of the file that was read.
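As an added example (not code from the patent), the following Python puts the whole firewall reading flow together: it parses a constructed Huawei USG-style configuration into the address objects, service objects and policy list described above, converts each IP address to a number and counts the addresses in the range (flag), and then joins each rule's object names with their definitions and the custom fields. The "ip service-set"/"destination-port" service syntax, the sample values and the file name are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in the Huawei USG style the page walks through (not a real device dump).
SAMPLE_CONFIG = """\
ip address-set address12_1 type object
 address 0 range 10.13.8.78 10.13.8.241
ip service-set huawei12_1 type object
 service 0 protocol tcp destination-port 6000 to 6005
security-policy
 rule name 12
  source-address address-set address12_1
  destination-address address-set address12_6
  service huawei12_1
  action permit
"""

def ip_to_int(ip):
    """Dotted-quad IPv4 -> int, so ranges can be queried numerically in Elasticsearch."""
    return int(ipaddress.IPv4Address(ip))

def parse_config(text):
    """Return (address_sets, service_sets, policies): the three objects the page builds."""
    address_sets, service_sets, policies = {}, {}, []
    current = rule = None   # address/service object and policy rule currently being filled in
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ip address-set "):
            current = address_sets.setdefault(line.split()[2], {})
        elif line.startswith("ip service-set "):
            current = service_sets.setdefault(line.split()[2], {})
        elif m := re.fullmatch(r"address \d+ range (\S+) (\S+)", line):
            lo, hi = ip_to_int(m[1]), ip_to_int(m[2])
            current.update(ip_start=m[1], ip_end=m[2], ip_start_int=lo, ip_end_int=hi,
                           flag=hi - lo + 1, type="range")   # flag = number of addresses
        elif m := re.fullmatch(r"service \d+ protocol (\w+) destination-port (\d+)(?: to (\d+))?", line):
            lo, hi = int(m[2]), int(m[3] or m[2])             # a single port gives start == end
            current.update(protocol=m[1], port_start=lo, port_end=hi, flag=hi - lo + 1, type="range")
        elif m := re.fullmatch(r"rule name (\S+)", line):
            rule = {"rule_name": m[1], "source_address_arr": [], "destination_address_arr": [],
                    "service_arr": [], "action": "any"}    # content that never appears stays 'any'
            policies.append(rule)
        elif rule and (m := re.fullmatch(r"(source|destination)-address address-set (\S+)", line)):
            rule[f"{m[1]}_address_arr"].append(m[2])
        elif rule and (m := re.fullmatch(r"service (\S+)", line)):
            rule["service_arr"].append(m[1])
        elif rule and (m := re.fullmatch(r"action (\S+)", line)):
            rule["action"] = m[1]
    return address_sets, service_sets, policies

def integrate(address_sets, service_sets, policies, source_file="constructed.cfg"):
    """Join each rule's object names with their definitions and add the page's custom fields."""
    def lookup(table, names):
        # A name with no definition keeps only its name; an empty list means 'any'.
        return [dict(table.get(n, {}), name=n) for n in names] or [{"name": "any"}]
    return [{"rule_name": r["rule_name"], "action": r["action"],
             "source_ip_address_name": lookup(address_sets, r["source_address_arr"]),
             "destination_address_name": lookup(address_sets, r["destination_address_arr"]),
             "service_name": lookup(service_sets, r["service_arr"]),
             "source_file": source_file,
             "create_time": datetime.now().strftime("%Y-%m-%d %H:%M:%S")} for r in policies]
```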
According to the above description, all the content data of the configuration file will be stored in the database, and the final structure is as follows:
{
    ...
    "sort": 5,
    "service_group": [],
    "brand_path": "Huawei",
    "rule_name": "10",
    "brand_type": "firewall configuration",
    "service_name": [
        {
            "data": [
                {
                    "port_start": 6000,
                    "port_end": 6005,
                    "flag": 6,
                    "name": "huawe10_1",
                    "type": "range"
                }
            ]
        },
        ...
    ],
    "brand_name": "Huawei",
    "inttime": 1607066450.672,
    "action": "permit",
    "create_time": "2020-12-04 15:20:50",
    "destination_address_name": [
        ...
    ],
    "source_file": "",
    "brand_model": "USG",
    "brand_tag": "firewall",
    "source_ip_address_name": [
        {
            "ip_start": "10.13.8.78",
            "ip_end": "10.13.8.241",
            "ip_start_int": 168626254,
            "ip_end_int": 168626417,
            "flag": 164,
            "type": "range",
            "name": "address12_1"
        },
        ...
    ],
    "unique_id": "RkQRbNxcLevsnW9jmc2T",
    ...
}
The complete data format is stored in Elasticsearch in this way, and the parsed data is displayed on a page in the form of key-value pairs, as shown in fig. 5. Other firewall configuration files are read in the same way and are not described again here.
The following describes the reading flow for the encryption device class of configuration file in detail, taking the "south rey communication policy" configuration file as an example. The file contents are as follows:
...
1,1,0,10.66.1.30,10.66.1.31,10.66.1.11,10.66.1.12,2,0,0,65535,2414,2414,
2,1,0,10.66.1.30,10.66.1.33,10.66.45.193,10.66.45.194,2,0,0,65535,2404,2404,
3,55,0,10.66.1.36,10.66.1.37,10.66.102.67,10.66.102.67,2,0,8000,8001,0,65535,
4,299,0,10.66.1.30,10.66.1.33,10.66.63.1,10.66.63.2,2,0,0,65535,2404,2404,
5,299,0,10.66.1.25,10.66.1.26,10.66.63.25,10.66.63.26,2,0,0,65535,2404,2404,
6,300,0,10.66.1.20,10.66.1.21,10.66.15.148,10.66.15.148,2,0,0,65535,2404,2404,
...
These configuration files have a fixed, uniform format: each line is one complete configuration item, and the position of each piece of content within the item is fixed. Each line is therefore read in turn, split into an array with the string split function, and the array elements are mapped one-to-one onto the predefined field data. The key code is as follows:
import io
fh = io.open(file_path + "/" + f, 'r', encoding=encoding)   # open the file read stream
for line in fh:                                            # read row by row
    data_arr = line.split(",")                             # split the configuration row on ","
    ...
Finally, the configuration items of each row are read into a predefined array with the following structure:
["1", "1", "0", ...]
the predefined field mapping array has the following structure:
field_arr=["nrr_num","nrr_tunnel","nrr_en_way","nrr_srcip","nrr_endsrcip","nrr_scrdstip","nrr_endscrdstip","nrr_proto","nrr_undefind1","nrr_srcport","nrr_escrdsport","nrr_srcdstport","nrr_enddstport","nrr_undefind2"]
The read data array and the predefined mapping array are matched one-to-one by position and stored in dictionary format; the key code flow is as follows:
temp = {}
for i, v in enumerate(data_arr):
    temp[field_arr[i]] = v
Finally, the specific configuration items of each line are formatted into the following dictionary:
{
    "nrr_num": 1,
    "nrr_tunnel": 1,
    "nrr_en_way": 0,
    ...
}
Similarly, as when reading the firewall configuration files, all IP addresses need to be converted to number types, the number of addresses in each IP range needs to be counted, and custom fields such as the reading time and file name need to be added. The complete format is as follows:
{
...
"nrr_srcport": 0,
"nrr_escrdsport": 65535,
"nrr_undefind1": "0",
"nrr_undefind2": "\n",
"nrr_num": "7",
"create_time": "2020-12-07 10:58:45",
"nrr_scrdstip": "10.66.39.193",
"nrr_srcip": "10.66.1.30",
"nrr_tunnel": "301",
"unique_id": "fOCGBcakJXeMdCucqAwT"
...
}
This is shown in detail in fig. 10.
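As an added example (not the patent's code), this Python applies the positional mapping above to constructed rows: it converts the port fields to numbers, counts the addresses in each source and destination IP range as the firewall reading does, adds the custom fields, and rejects rows whose field count does not match field_arr, since such a row would otherwise land silently in the wrong keys. The derived field names (src_ip_start_int, src_flag, etc.) and the file name are assumptions.

```python
import ipaddress
from datetime import datetime

# Predefined mapping array exactly as the page lists it (field names kept as-is).
FIELD_ARR = ["nrr_num", "nrr_tunnel", "nrr_en_way", "nrr_srcip", "nrr_endsrcip",
             "nrr_scrdstip", "nrr_endscrdstip", "nrr_proto", "nrr_undefind1", "nrr_srcport",
             "nrr_escrdsport", "nrr_srcdstport", "nrr_enddstport", "nrr_undefind2"]

# Constructed rows in the page's comma-separated layout; the trailing comma yields the empty
# last field that the page stores as nrr_undefind2. The third row is deliberately malformed.
SAMPLE_ROWS = """\
1,1,0,10.66.1.30,10.66.1.31,10.66.1.11,10.66.1.12,2,0,0,65535,2414,2414,
3,55,0,10.66.1.36,10.66.1.37,10.66.102.67,10.66.102.67,2,0,8000,8001,0,65535,
bad,row,with,too,few,fields
"""

PORT_FIELDS = ("nrr_srcport", "nrr_escrdsport", "nrr_srcdstport", "nrr_enddstport")
# (start field, end field, prefix for the derived numeric fields); the prefixes are assumed names
IP_RANGES = (("nrr_srcip", "nrr_endsrcip", "src"), ("nrr_scrdstip", "nrr_endscrdstip", "dst"))

def ip_to_int(ip):
    """Dotted-quad IPv4 -> int, the number type the page stores for range queries."""
    return int(ipaddress.IPv4Address(ip))

def parse_row(line, source_file="constructed.csv"):
    """Map one row onto FIELD_ARR by position, then add the numeric and custom fields."""
    data_arr = line.rstrip("\r\n").split(",")
    if len(data_arr) != len(FIELD_ARR):   # a short or long row would map values to the wrong keys
        raise ValueError(f"expected {len(FIELD_ARR)} fields, got {len(data_arr)}")
    temp = {}
    for i, v in enumerate(data_arr):
        temp[FIELD_ARR[i]] = v
    for key in PORT_FIELDS:
        temp[key] = int(temp[key])
    for start, end, tag in IP_RANGES:
        lo, hi = ip_to_int(temp[start]), ip_to_int(temp[end])
        temp[f"{tag}_ip_start_int"], temp[f"{tag}_ip_end_int"] = lo, hi
        temp[f"{tag}_flag"] = hi - lo + 1   # number of addresses in the range, as for firewalls
    temp["source_file"] = source_file
    temp["create_time"] = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    return temp

def parse_file(text):
    """Parse every non-empty row; malformed rows are reported instead of silently mis-mapped."""
    docs, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            docs.append(parse_row(line))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return docs, errors
```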
Other configuration files with the same structure as the 'south telecom policy' configuration file are read in the same way, and the description is omitted here.
In particular, another reading method is required for configuration files that have neither the firewall structure nor the structure of the 'south telecom policy' configuration file, such as the 'xingtang' configuration file. Taking the 'xingtang' configuration file as an example, it has the following structure:
... independent configuration content.
A strategy configuration ++ +. x + channel [1]
# select policy application channel, please give channel number <1..65535>
CHANNEL 1
And in the case of the [0] arrangement
POLICY 0
SOURCE-IP 172.22.21.81 TO 172.22.21.81
SOURCE-PORT-LOWER 0
SOURCE-PORT-UPPER 65535
DEST-IP 172.22.233.38 TO 172.22.233.40
DEST-PORT-LOWER 389
DEST-PORT-UPPER 389
DIRECTION DUAL
PROTOCOL TCP
PASS-MODE ENCRYPT
NAT-MODE NULL
POLICY-NAME
POLICY-LIMIT 0
POLICY-LEVEL 0
... independent configuration content.
The display effect is shown in fig. 11. This file is read by combining the firewall reading method with the 'south telecom communication policy' configuration file method: the program reads line by line, and when a matching keyword is found, the matched content is stored in an array and then matched against the predefined fields. The method is similar to those above and is not repeated.
The present invention is not limited to the above-described embodiments, which are merely preferred embodiments; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention falls within its scope of protection.

Claims (7)

1. The policy configuration management system of the network security device of the power monitoring system is characterized in that: the system comprises a user management module, a setting management module, a log management module and a configuration management module;
the user management module is used for setting management authority for the login user and separating system authority;
the setting management module is used for setting a security threshold value of a policy configuration item of the network security device and managing the IP address use of the network security device;
the log management module is used for recording login records of a user and operation records of the user;
the configuration management module is used for automatically analyzing or backtracking and analyzing the strategy configuration files of the network security devices of different manufacturers; the automatic analysis is to structure the predefined contents to be analyzed into a standard data format, store the standard data format in the search engine Elasticsearch, display it, and mark the configured contents which reach or exceed a safety threshold; the backtracking analysis is to compare, mark and display the differences between the policy configuration file and the policy configuration file of the previous version;
the network security device comprises a firewall, a transverse isolation device and a longitudinal encryption device.
2. The system according to claim 1, wherein the system comprises: the users set in the user management module comprise ordinary users and super users, and the difference in authority between the ordinary users and the super users is that the number of modules each may use, among the user management module, the setting management module, the log management module and the configuration management module, can be different.
3. The system according to claim 1, wherein the system comprises: the step of automatic analysis of the configuration management module comprises the following steps:
(1) a user selects a strategy configuration file to be read and selects and reads the content of effective configuration;
(2) the configuration management module reads the content of the strategy configuration file line by line and matches the content which needs to be read by a user, when the program finds the content which needs to be read in the strategy configuration file, the content is analyzed, and the corresponding definition of the content is searched in the strategy configuration file;
(3) the configuration management module stores the analyzed content and its definition in Elasticsearch according to the analysis rule, using a standard data type, and displays the analyzed data on a page;
(4) the configuration contents reaching or exceeding the safety threshold are checked in batch according to the self-defined strategy checking template and marked.
4. The policy configuration management system for a network security device of a power monitoring system according to claim 3, characterized in that: when the configuration management module reads the contents of the strategy configuration file line by line in step (2), the contents which the user needs to read are matched by means of matching keywords.
5. The policy configuration management system for a network security device of a power monitoring system according to claim 3, characterized in that: when the policy configuration file is read line by line in step (2), each line is one configuration item; the character string is split into a data array, the read data array is matched one-to-one by position against the predefined mapping array, and the result is stored in dictionary format to form the analyzed content.
6. The system according to claim 1, wherein the system comprises: the configuration management module backtracking analysis step comprises:
(1) the system selects two strategy configuration files to be compared by a user according to the contents of the configuration files;
(2) the two strategy configuration files are compared using the standard comparison library difflib of the python language, and their differences are marked and displayed on a page.
7. The system according to claim 1, wherein the system comprises: the management system adopts a B/S architecture.
CN202110191045.1A 2021-02-20 2021-02-20 Policy configuration management system for network security device of power monitoring system Expired - Fee Related CN112887324B (en)


Publications (2)

Publication Number Publication Date
CN112887324A true CN112887324A (en) 2021-06-01
CN112887324B CN112887324B (en) 2022-07-08

Family

ID=76057592


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113783837A (en) * 2021-08-03 2021-12-10 国网福建省电力有限公司检修分公司 Self-adaptive transformer substation longitudinal encryption host verification method and terminal


Also Published As

Publication number Publication date
CN112887324B (en) 2022-07-08


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20220708