CN113285906A - Security policy configuration method, device, equipment and storage medium - Google Patents


Info

Publication number
CN113285906A
Authority
CN
China
Prior art keywords
configuration
policy
target
unified
strategy
Legal status
Pending
Application number
CN202010102605.7A
Other languages
Chinese (zh)
Inventor
胡杨
陈平平
刘小军
Current Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN202010102605.7A
Publication of CN113285906A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The embodiments of this application disclose a security policy configuration method, device, equipment and storage medium, and relate to the technical field of network security. The specific implementation scheme is as follows: in response to a trigger operation of a user, determining target network devices to be configured from among network devices of heterogeneous models; receiving a unified configuration policy for the target network devices; converting the unified configuration policy according to the model information of the target network devices to obtain target policy data supported by the target network devices; and issuing the target policy data to the target network devices to instruct them to carry out security policy configuration according to the target policy data. By unifying the form in which security policies are issued at the network device layer of heterogeneous models, and performing policy conversion during issuing in combination with the model information of each device, the universality of the issued policy is ensured, and unified configuration of the security policies of network devices in a model-heterogeneous environment is fundamentally realized.

Description

Security policy configuration method, device, equipment and storage medium
Technical Field
The embodiment of the application relates to the technical field of computers, in particular to the technical field of network security, and specifically relates to a security policy configuration method, device, equipment and storage medium.
Background
As network devices are deployed at large scale, the network device environment to be managed may include devices from multiple manufacturers, and operation and maintenance personnel need to configure security policies using the languages and rules supported by each device.
At present, schemes that pursue unified configuration in heterogeneous environments on the basis of a unified device model, a unified device configuration protocol, per-manufacturer configuration models and the like place high additional requirements on manufacturers and have poor universality, so unified configuration of network devices in heterogeneous environments cannot be realized in a real sense.
Disclosure of Invention
The embodiments of this application provide a security policy configuration method, a security policy configuration device and a storage medium, which can fundamentally realize unified configuration of the security policies of network devices in a model-heterogeneous environment.
In a first aspect, an embodiment of the present application provides a security policy configuration method, including:
responding to the trigger operation of a user, and determining target network equipment to be configured from network equipment with heterogeneous models;
receiving a unified configuration policy for the target network device;
converting the unified configuration strategy according to the model information of the target network equipment to obtain target strategy data supported by the target network equipment;
and issuing the target policy data to the target network equipment to indicate the target network equipment to carry out security policy configuration according to the target policy data.
One embodiment in the above application has the following advantages or benefits: by unifying the issuing form of the security policy on the network equipment layer with heterogeneous model, and combining the model information of each equipment to carry out policy conversion in the issuing process, the universality of the issued policy is ensured, and the unified configuration of the security policy of the network equipment in the environment with heterogeneous model is fundamentally realized. The method and the device avoid the additional configuration requirement on equipment manufacturers, reduce the technical requirement on operation and maintenance personnel and the complexity of operation of the operation and maintenance personnel, facilitate the operation and maintenance personnel to carry out security policy configuration according to an integrated and standardized thought, and improve the efficiency and the accuracy of the security policy configuration.
Optionally, the receiving the unified configuration policy for the target network device includes:
receiving a unified configuration policy edited by the user in a unified configuration language according to a unified security policy intent description format; the unified security policy intent description format comprises configuration content and a configuration action, and is used for instructing the target network device to perform security policy configuration on the configuration content by executing the configuration action.
One embodiment in the above application has the following advantages or benefits: the issuing form of the security policy is unified at the network device layer of heterogeneous models, and the security policy is issued in a unified security policy intent description format. Therefore, operation and maintenance personnel only need to master one language and one set of rules to carry out security policy configuration on network devices of different models, the technical requirements on them and the complexity of their operations are reduced, and they can conveniently carry out security policy configuration according to an integrated and standardized approach.
Optionally, the converting the unified configuration policy according to the model information of the target network device includes:
determining a target policy translation template matching the model information of the target network device;
and converting the unified configuration policy according to the translation relationship, recorded in the target policy translation template, from the unified configuration language to the target configuration language supported by the target network device.
One embodiment in the above application has the following advantages or benefits: whether the platform currently supports configuring a given model of network device is judged by detecting whether a target policy translation template matching the model information of the target network device exists on the platform, so that the unified configuration policy is forward-translated on the basis of the existing target policy translation template to obtain target policy data supported by the target network device. Operation and maintenance personnel are spared from performing personalized configuration operations on devices of various models, and the technical requirements on them and the complexity of their operations are reduced.
Optionally, before the converting the unified configuration policy according to the model information of the target network device, the method further includes:
and carrying out legality detection on the unified configuration policy according to the unified security policy intent description format.
One embodiment in the above application has the following advantages or benefits: legality detection of the unified configuration policy fundamentally ensures the accuracy of the policy and facilitates accurate conversion into the data formats supported by network devices of various models.
Optionally, the carrying out legality detection on the unified configuration policy according to the unified security policy intent description format includes:
if the unified configuration policy is detected to conform to the unified security policy intent description format, determining the configuration content and configuration actions in the unified configuration policy;
carrying out legality detection on the syntactic format of the configuration content;
and if the syntactic format is detected to be legal, carrying out de-duplication on the unified configuration policy according to the configuration content and the configuration action.
One embodiment in the above application has the following advantages or benefits: the unified configuration policy is subjected to legality detection in terms of format, syntax, semantics and the like, so that the accuracy of the policy is fundamentally guaranteed.
Optionally, after the issuing the target policy data to the target network device, the method further includes:
and verifying the accuracy of the security policy configuration based on the unified configuration policy.
One embodiment in the above application has the following advantages or benefits: under the condition that the security policy is configured in the network equipment, the accuracy verification can be carried out on the configured security policy in the network equipment, and the later inspection of the network equipment is facilitated.
Optionally, the verifying the accuracy of the security policy configuration based on the unified configuration policy includes:
converting the target policy data configured on the target network device according to the unified configuration policy, using the model information of the target network device, to obtain a conversion result in the unified security policy intent description format;
and performing text comparison on the conversion results of the different target network devices, so as to locate and investigate the device whose configuration failed according to the text comparison result.
One embodiment in the above application has the following advantages or benefits: target policy data on target network devices of different models is reverse-translated into conversion results in the unified security policy intent description format, which provides a basis for text comparison of the conversion results between network devices; whether the policy data of the network devices is consistent is thus verified according to the text comparison result, which facilitates locating the device whose configuration failed and investigating the cause of the failure in order to reconfigure it.
Optionally, the converting the target policy data configured by the target network device according to the model information of the target network device configured by the unified configuration policy includes:
determining a target policy reverse translation template matching the model information of the target network device;
extracting, according to the target policy reverse translation template, the target policy data configured on the target network device on the basis of the unified configuration policy;
and converting the target policy data according to the reverse translation relationship, recorded in the target policy reverse translation template, from the target configuration language supported by the target network device to the unified configuration language.
One embodiment in the above application has the following advantages or benefits: because the forward and reverse translation processes between the unified configuration language and the target configuration language supported by each network device may differ, when later inspection and verification are performed, whether the platform currently supports verification of a given model of network device can be judged by detecting whether a target policy reverse translation template matching the model information of the target network device exists on the platform, so that the target policy data is reverse-translated on the basis of the existing template to obtain a conversion result in the unified security policy intent description format. Operation and maintenance personnel are spared from checking devices of various models one by one, and the technical requirements on them and the complexity of their operations are reduced.
In a second aspect, an embodiment of the present application provides a security policy configuration apparatus, including:
the device configuration determining module is used for responding to the triggering operation of a user and determining target network devices to be configured from the network devices with different models;
a unified policy determination module, configured to receive a unified configuration policy for the target network device;
the unified strategy conversion module is used for converting the unified configuration strategy according to the model information of the target network equipment so as to obtain target strategy data supported by the target network equipment;
and the strategy issuing module is used for issuing the target strategy data to the target network equipment so as to indicate the target network equipment to carry out security strategy configuration according to the target strategy data.
Optionally, the unified policy determining module is specifically configured to:
receiving a unified configuration policy edited by the user in a unified configuration language according to a unified security policy intent description format; the unified security policy intent description format comprises configuration content and a configuration action, and is used for instructing the target network device to perform security policy configuration on the configuration content by executing the configuration action.
Optionally, the unified policy transformation module is specifically configured to:
determining a target policy translation template matching the model information of the target network device;
and converting the unified configuration policy according to the translation relationship, recorded in the target policy translation template, from the unified configuration language to the target configuration language supported by the target network device.
Further, the apparatus further includes a unified policy detection module, specifically configured to:
and, before the unified configuration policy is converted according to the model information of the target network device, carrying out legality detection on the unified configuration policy according to the unified security policy intent description format.
Optionally, the unified policy detection module is specifically configured to:
if the unified configuration policy is detected to conform to the unified security policy intent description format, determining the configuration content and configuration actions in the unified configuration policy;
carrying out legality detection on the syntactic format of the configuration content;
and if the syntactic format is detected to be legal, carrying out de-duplication on the unified configuration policy according to the configuration content and the configuration action.
Further, the apparatus further includes a policy configuration verification module, specifically configured to:
and after the target policy data is issued to the target network equipment, verifying the accuracy of security policy configuration based on the unified configuration policy.
Optionally, the policy configuration verification module is specifically configured to:
converting the target policy data configured on the target network device according to the unified configuration policy, using the model information of the target network device, to obtain a conversion result in the unified security policy intent description format;
and performing text comparison on the conversion results of the different target network devices, so as to locate and investigate the device whose configuration failed according to the text comparison result.
Optionally, the policy configuration verification module is specifically configured to:
determining a target policy reverse translation template matching the model information of the target network device;
extracting, according to the target policy reverse translation template, the target policy data configured on the target network device on the basis of the unified configuration policy;
and converting the target policy data according to the reverse translation relationship, recorded in the target policy reverse translation template, from the target configuration language supported by the target network device to the unified configuration language.
In a third aspect, an embodiment of the present application provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein:
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform a security policy configuration method as described in any of the embodiments of the present application.
In a fourth aspect, embodiments of the present application provide a non-transitory computer-readable storage medium storing computer instructions for causing a computer to perform a security policy configuration method according to any of the embodiments of the present application.
One embodiment in the above application has the following advantages or benefits: in a network equipment environment with heterogeneous models, target network equipment to be configured and a uniform configuration strategy for the target network equipment are determined according to user operation, the uniform configuration strategy is converted into target strategy data supported by the target network equipment according to model information of the target network equipment, and therefore the target strategy data are issued to the corresponding target network equipment to carry out security strategy configuration. According to the method and the device, the issuing form of the security policy is unified on the network device layer with the heterogeneous model, and the policy conversion is carried out by combining the model information of each device in the issuing process, so that the universality of the issued policy is guaranteed, and the unified configuration of the security policy of the network device in the heterogeneous model environment is fundamentally realized. The method and the device avoid the additional configuration requirement on equipment manufacturers, reduce the technical requirement on operation and maintenance personnel and the complexity of operation of the operation and maintenance personnel, facilitate the operation and maintenance personnel to carry out security policy configuration according to an integrated and standardized thought, and improve the efficiency and the accuracy of the security policy configuration.
Other effects of the above-described alternative will be described below with reference to specific embodiments.
Drawings
The drawings are included to provide a better understanding of the present solution and are not intended to limit the present application. Wherein:
FIG. 1 is a flow chart of a security policy configuration method according to a first embodiment of the present application;
FIG. 2 is a flow chart of a security policy configuration method according to a second embodiment of the present application;
FIG. 3 is an exemplary diagram of a security policy configuration improvement according to a second embodiment of the present application;
FIG. 4 is a flow chart of a security policy configuration method according to a third embodiment of the present application;
FIG. 5 is a schematic structural diagram of a security policy configuration apparatus according to a fourth embodiment of the present application;
FIG. 6 is a block diagram of an electronic device for implementing a security policy configuration method according to an embodiment of the present application.
Detailed Description
The following description of the exemplary embodiments of the present application, taken in conjunction with the accompanying drawings, includes various details of the embodiments of the application for the understanding of the same, which are to be considered exemplary only. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present application. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
First embodiment
Fig. 1 is a flowchart of a security policy configuration method according to a first embodiment of the present application, where the present embodiment is applicable to a case where a unified security policy configuration is performed on network devices with heterogeneous models to be managed, and the method may be implemented by a security policy configuration apparatus, which is implemented in software and/or hardware, and is preferably configured in an electronic device, such as a client or a server of a device management platform. As shown in fig. 1, the method specifically includes the following steps:
and S110, responding to the trigger operation of the user, and determining target network equipment to be configured from the network equipment with different models.
In the specific embodiment of the present application, a network device refers to a physical entity connected to a network, and may include devices that support normal operation of the network, such as a switch, a router, a firewall, and the like; and may also include a computer, such as a personal computer or server. Because the variety of network devices is wide and manufacturers are numerous, an environment in which network devices are deployed for an enterprise or an organization generally includes a large number of network devices with different models, and a network device environment with different models is formed. The model heterogeneity includes, but is not limited to, the heterogeneity of manufacturers, the heterogeneity of device types, the heterogeneity of device attributes, and the like.
In this embodiment, the security policy configuration refers to configuring network parameters for the network device, for example, configuring which flows can be forwarded through the network element. The security policy of the network element can be managed in a centralized way through the function of security policy configuration.
Correspondingly, in a network device environment with heterogeneous models, the configuration languages, configuration formats, and configuration instructions of the security policies between different models are very different, and operation and maintenance personnel need to perform personalized security policy configuration in a configuration mode supported by the model of the network device for each model of the network device.
In this embodiment, since security policy configuration plays an important role in the configuration changes of network devices, the risk involved is extremely high, and any misoperation may cause loss of normal traffic; meanwhile, network devices of different models impose certain technical requirements and operational complexity on network operation and maintenance personnel, and the security policy of the whole network is difficult to view from a centralized, unified perspective. As a result, security policy changes consume time and labor and are prone to human error that results in loss of service. Therefore, in this embodiment, at the network device layer of heterogeneous models, a security policy configuration platform is provided on which operation and maintenance personnel edit a unified configuration policy according to the unified security policy intent description format and send it to each network device to be configured without distinguishing the device models.
Specifically, the user refers to a worker who performs security policy configuration on the network device, for example, a network operation and maintenance worker. The user can select at least one network device to be configured with the security policy from a plurality of managed network devices as a target network device through operation on the security policy configuration platform, and correspondingly, the security policy configuration platform responds to the triggering operation of the user. Correspondingly, basic device information of the target network device can be acquired, wherein the basic device information at least comprises the model information of the device. The model information may be the same or different between different target network devices for the selected plurality of target network devices.
In order to improve the efficiency of selecting the target network device by the user, the device grouping can be performed according to the security policy configuration requirements of each network device in advance, the network devices with the same configuration requirements are divided into the same group, so that operation and maintenance personnel can perform batch selection of the devices in a group unit according to the configuration intention, the device selection range can be narrowed according to the configuration intention, and specific devices are selected for configuration through an in-group device list from the group matched with the configuration intention.
S120: receiving a unified configuration policy for the target network devices.
In the specific embodiment of the present application, the unified configuration policy refers to a security policy edited by a user in a unified editing manner on the basis that the device model information does not need to be distinguished. Correspondingly, the security policy configuration platform receives the uniform configuration policy edited by the user for the target network device in response to the editing operation of the user.
Optionally, receiving a uniform configuration policy edited by a user according to a uniform security policy intention description format by using a uniform configuration language; the unified security policy intention description format comprises configuration content and configuration action, and is used for instructing the target network device to perform security policy configuration on the configuration content by executing the configuration action.
In this embodiment, the unified configuration language refers to the same language that the user employs when configuring network devices of multiple models. The security policy platform may provide a single unified configuration language, in which case no user needs to distinguish device models and all of them edit the unified security policy in that language. Alternatively, the security policy platform may offer several configuration languages for the user to choose from; the user then selects the language he or she is proficient in as the unified configuration language, and edits the unified configuration policy in that language alone, again without distinguishing the device model. Unification of the configuration language includes, but is not limited to, unification of the language type, of the grammar, of the instructions, and the like.
In this embodiment, the unified security policy intent description format refers to the security policy editing format that corresponds to the unified configuration language. Analysis of the policy configuration formats of various manufacturers shows that although they differ greatly in configuration syntax, once a policy is decomposed, the key part of its intent can always be expressed as a condition and an action. Therefore, this embodiment abstractly describes the security policy ACLs (Access Control Lists) of all network devices in the form configuration content-configuration action in the unified security policy intent description format. The configuration content includes, but is not limited to, the protocol, source address, source port, destination address, destination port, TCP flags, and the like. The configuration action refers to the action applied to the configuration content, including, but not limited to, dropping, accepting, modifying the priority, placing in a queue, and the like.
Specifically, based on the unified configuration language and the unified security policy intention description format, the user can adopt the unified configuration language to edit the unified configuration policy by himself according to the unified security policy intention description format; or the security policy configuration platform provides configuration templates of various security policies for the user, and the user fills in configuration parameters based on the configuration templates to generate a uniform configuration policy.
For example, assume that the security policy intent is: "only TCP traffic to port 80 is allowed to pass through". The configuration corresponding to the model of network device A is assumed to be: access-list 100 permit tcp any any eq 80; access-list 100 deny ip any any; int interface-name; ip access-group 100 in. The configuration corresponding to the model of network device B is assumed to be: iptables -A INPUT -i interface -p tcp --dport 80 -j ACCEPT; iptables -A INPUT -i interface -j DROP. The unified configuration policy edited on the security policy configuration platform may simply be "port 80-accept", so that the complexity for the user of configuring each network device is greatly reduced and cumbersome personalized configuration is avoided. It should be noted that the above configuration is merely an exemplary illustration and does not limit the specific configuration.
S130, converting the unified configuration policy according to the model information of the target network device to obtain target policy data supported by the target network device.
In this embodiment of the present application, the target policy data refers to the personalized security policy configuration data, supported by the target network device in terms of configuration language, configuration format, configuration instructions and the like, that is obtained according to the model information of the target network device; the target network device is instructed to execute the target policy data to configure the security policy.
In this embodiment, once the security policy configuration platform has determined the target network devices and the unified configuration policy, the user needs to perform no further operation after triggering the issuing operation. Accordingly, before the security policy configuration platform actually issues the security policy, in order for each target network device to support deployment of the security policy, the unified configuration policy may be converted into target policy data supported by each target network device according to the model information of that device. For different target network devices with the same model information, the target policy data corresponding to that model information can be obtained by a single conversion; the conversion does not have to be repeated for each device of the same model. Furthermore, automatic conversion into target policy data avoids manual, device-specific configuration by operation and maintenance personnel, reduces the technical requirements on them and the complexity of their operations, and lets them carry out security policy configuration in an integrated and standardized way.
Because there are many models of network devices, a policy translation template may be constructed in advance for each model, so that whether the platform supports configuration of devices of a given model can be judged by whether a template for that model exists in the platform. If it is supported, the unified configuration policy is converted according to the existing template. If the model is not supported, a "temporarily unsupported" prompt may be generated to inform the user of the specific unsupported device model and fed back to a background developer, so that the developer can develop a template for the unsupported device model.
Specifically, this embodiment may refer to the process of converting the unified configuration policy into target policy data as forward translation. In the forward translation process, a target policy translation template matching the model information may be determined according to the model information of the target network device, and forward translation of the unified configuration policy is performed according to the translation relationship, contained in the target policy translation template, from the unified configuration language to the target configuration language supported by the target network device.
Illustratively, in the above example, assume that the unified configuration policy is "port 80-accept" and the target network devices include network device A and network device B, whose models differ. By converting the unified configuration policy, the target policy data supported by network device A is obtained as: access-list 100 permit tcp any eq 80; access-list 100 deny any; int interface-name; ip access-group 100 in. The target policy data supported by network device B is obtained as: iptables -A INPUT -i interface -p tcp --dport 80 -j ACCEPT; iptables -A INPUT -i interface -j DROP.
In addition, before the unified configuration policy is converted, its validity may be checked against the unified security policy intent description format. This fundamentally guarantees the correctness of the unified configuration policy and avoids failure of the network device's policy configuration caused by an error in the unified configuration policy. Illustratively, if the unified configuration policy is detected to conform to the unified security policy intent description format, the configuration content and configuration action in the unified configuration policy are determined; the syntax format of the configuration content is checked for validity; and if the syntax format is detected to be valid, duplicate removal is performed on the unified configuration policy according to the configuration content and configuration action.
S140, issuing the target policy data to the target network equipment to indicate the target network equipment to carry out security policy configuration according to the target policy data.
In the embodiment of the present application, after the security policy configuration platform converts the unified configuration policy to obtain the personalized target policy data supported by each target network device, it may issue the target policy data to the corresponding target network device, instructing the target network device to perform security policy configuration by executing the configuration action on the configuration content according to the target policy data. The platform may interact with the network device through its device-specific protocol, such as a CLI (Command-Line Interface) or NETCONF (Network Configuration Protocol).
In addition, in this embodiment, the accuracy of the security policy configuration may be verified by reverse translation of the target policy data at the time the unified configuration policy is issued, after it is issued, or based on the security policy already deployed in the network device. The details are explained in the following embodiments.
In the technical scheme of this embodiment, in a network device environment with heterogeneous models, a target network device to be configured and a uniform configuration policy for the target network device are determined according to a user operation, and the uniform configuration policy is converted into target policy data supported by each target network device according to model information of each target network device, so that the target policy data is sent to the corresponding target network device for security policy configuration. According to the method and the device, the issuing form of the security policy is unified on the network device layer with the heterogeneous model, and the policy conversion is carried out by combining the model information of each device in the issuing process, so that the universality of the issued policy is guaranteed, and the unified configuration of the security policy of the network device in the heterogeneous model environment is fundamentally realized. The method and the device avoid the additional configuration requirement on equipment manufacturers, reduce the technical requirement on operation and maintenance personnel and the complexity of operation of the operation and maintenance personnel, facilitate the operation and maintenance personnel to carry out security policy configuration according to an integrated and standardized thought, and improve the efficiency and the accuracy of the security policy configuration.
Second embodiment
Fig. 2 is a flowchart of a security policy configuration method according to a second embodiment of the present application. On the basis of the first embodiment, this embodiment further explains the forward translation of the unified configuration policy: whether the platform currently supports configuration of a given model of network device is determined by detecting whether a target policy translation template matching the model information of the target network device exists in the platform, and forward translation of the unified configuration policy is then performed based on the existing target policy translation template to obtain target policy data supported by the target network device. As shown in fig. 2, the method specifically includes the following steps:
S210, in response to a trigger operation of the user, determining a target network device to be configured from network devices of heterogeneous models.
S220, receiving a unified configuration policy edited by the user in the unified configuration language according to the unified security policy intent description format.
S230, performing validity detection on the unified configuration policy according to the unified security policy intent description format.
In the specific embodiment of the application, validity detection comprises at least detection of format, syntax and semantics; through it, a unified configuration policy whose policy format and syntax format are valid and whose semantics contain no duplicates is obtained, so that failure of the network device's policy configuration due to errors in the unified configuration policy is avoided.
Optionally, if the unified configuration policy is detected to conform to the unified security policy intent description format, the configuration content and configuration action in the unified configuration policy are determined; the syntax format of the configuration content is checked for validity; and if the syntax format is detected to be valid, duplicate removal is performed on the unified configuration policy according to the configuration content and configuration action.
First, since the unified security policy intent description format consists of configuration content and a configuration action, the policy format of the unified configuration policy can be checked to judge whether the unified configuration policy edited by the user contains both configuration content and a configuration action. If the policy format is detected to be invalid, the user may be prompted to re-edit a correct unified configuration policy. If the policy format is detected to be valid, the configuration content and configuration action in the unified configuration policy can be identified, for example by keyword recognition, for subsequent detection.
Secondly, for a unified configuration policy with a valid policy format, the validity of the syntax format of the configuration content can be detected, for example whether an IP address is valid and whether a port format is valid. If configuration content with invalid syntax is detected, the user may be prompted to edit the configuration content into the correct syntax format; alternatively, the configuration content may be recognized and automatically converted into the correct syntax format.
Finally, for a unified configuration policy with a valid syntax format, it can further be detected, according to the semantics of the configuration content and configuration action, whether a duplication or inclusion relationship exists within the same unified configuration policy or between different unified configuration policies, so that duplicated policies are removed and the same policy is not configured twice.
S240, determining a target strategy translation template matched with the model information according to the model information of the target network equipment.
In a specific embodiment of the present application, the policy translation template is used to instruct the security policy configuration platform to forward translate the unified configuration policy into policy data supported by the device model. Specifically, the target policy translation template includes a translation relationship from the unified configuration language to a target configuration language supported by the target network device. Policy translation templates can be constructed for various types of network devices in advance, whether the platform supports the configuration of the type or not is judged according to the existence of the templates in the platform, and the matched policy translation template is used as a target policy translation template. The target network device may include a plurality of target network devices, and the models of the plurality of target network devices may be different, and accordingly, the determined target policy translation template also includes a plurality of target policy translation templates.
S250, converting the unified configuration strategy according to the translation relation from the unified configuration language to the target configuration language supported by the target network equipment in the target strategy translation template.
In a specific embodiment of the present application, the target configuration language refers to the configuration language supported by the target network device. The translation relationship from the unified configuration language to the target configuration language supported by the target network device includes, but is not limited to, translation of format, instructions, syntax and the like. For each model of target network device, forward translation of the unified configuration policy can be performed according to the target policy translation template to obtain target policy data supported by the target network device.
The target configuration language and the unified configuration language may be the same or different. If the target configuration language is the same as the unified configuration language, the unified configuration policy can be used directly as the target policy data of the target network device without conversion. If the target configuration language differs from the unified configuration language, forward translation of the unified configuration policy is performed according to the translation relationship, contained in the target policy translation template, from the unified configuration language to the target configuration language supported by the target network device, to obtain target policy data supported by the target network device.
S260, issuing the target policy data to the target network device to instruct the target network device to perform security policy configuration according to the target policy data.
As an example, fig. 3 is an exemplary diagram of a security policy configuration mode improvement. As shown in the upper diagram of fig. 3, in order to perform personalized configuration on each network device, an operation and maintenance worker must perform personalized configuration on each network device one by one according to the model information of each network device and the configuration flow and configuration format of each network device. The configuration difficulty of operation and maintenance personnel is increased, the configuration time of all network equipment is prolonged, and the configuration efficiency and accuracy are reduced. As shown in the lower diagram of fig. 3, for uniform configuration of all network devices in this embodiment, operation and maintenance personnel only need to adopt a uniform configuration language, edit a uniform configuration policy according to a uniform security policy intention description format, and automatically generate personalized policy data of each network device through conversion of the uniform configuration policy, thereby improving configuration efficiency and accuracy.
In the technical scheme of this embodiment, in a network device environment with heterogeneous models, a target network device to be configured and a uniform configuration policy for the target network device are determined according to a user operation, and whether a platform currently supports configuration of the type of network device is determined by detecting whether a target policy translation template matched with model information of the target network device exists in the platform according to model information of each target network device, so that forward translation conversion is performed on the uniform configuration policy based on the existing target policy translation template to obtain target policy data supported by the target network device, and the target policy data is issued to the corresponding target network device to perform security policy configuration. The embodiment of the application fundamentally realizes the unified configuration of the network equipment security policy in the model number heterogeneous environment, avoids the additional configuration requirement on equipment manufacturers, reduces the technical requirement on operation and maintenance personnel and the operation complexity of the operation and maintenance personnel, is convenient for the operation and maintenance personnel to carry out the security policy configuration in an integrated and standardized thought, and improves the efficiency and the accuracy of the security policy configuration.
Third embodiment
Fig. 4 is a flowchart of a security policy configuration method according to a third embodiment of the present application, where this embodiment further explains a reverse verification process of a security policy configured in a network device on the basis of the first embodiment, and can determine whether a platform currently supports verification of a network device of a type by detecting whether a target policy reverse translation template matching model information of the target network device exists in the platform, so as to perform reverse translation conversion on target policy data based on the existing target policy reverse translation template, obtain a conversion result in a uniform security policy intention description format, and provide a basis for text comparison of conversion results between network devices. As shown in fig. 3, the method specifically includes the following steps:
S410, in response to a trigger operation of the user, determining a target network device to be configured from network devices of different models.
S420, receiving a unified configuration policy for the target network device.
S430, converting the unified configuration strategy according to the model information of the target network equipment to obtain target strategy data supported by the target network equipment.
S440, issuing the target policy data to the target network equipment to indicate the target network equipment to carry out security policy configuration according to the target policy data.
S450, determining a target strategy reverse translation template matched with the model information according to the model information of the target network equipment.
In a specific embodiment of the present application, the policy reverse translation template is used to instruct the security policy configuration platform to extract target policy data and to perform reverse translation on the target policy data, that is, to convert policy data supported by a device model into a unified configuration policy.
In view of the fact that target policy data cannot be extracted from network devices blindly and directly due to differences in languages, formats, instructions and the like of data configured in network devices of different models, the target policy reverse translation template may first include an extraction rule of the target policy data in the device of the corresponding model, so as to instruct the security policy configuration platform to extract the target policy data. Secondly, the target strategy reverse translation template also comprises a reverse translation relation from the target configuration language supported by the target network equipment to the uniform configuration language.
Specifically, a policy reverse translation template may be constructed for each model of network device in advance, so as to determine whether the platform currently supports reverse verification of the model according to the existence of the template in the platform, and use the matched policy reverse translation template as the target policy reverse translation template. The target network device may include a plurality of target network devices, and models of the plurality of target network devices may differ, and accordingly, the determined target policy reverse translation template also includes a plurality of target policy reverse translation templates.
S460, extracting the target policy data that the target network device configured based on the unified configuration policy, according to the target policy reverse translation template.
In the specific embodiment of the application, the target policy data that the target network device configured based on the unified configuration policy is extracted from all configuration data of the target network device according to the extraction rule, contained in the target policy reverse translation template, for target policy data of devices of the corresponding model. The unified configuration policy and the target policy data can be associated through a consistent unique identifier so that the specified target policy data can be extracted.
S470, converting the target strategy data according to the reverse translation relation from the target configuration language supported by the target network equipment to the uniform configuration language in the target strategy reverse translation template.
In a specific embodiment of the present application, the target configuration language refers to the configuration language supported by the target network device. The reverse translation relationship from the target configuration language supported by the target network device to the unified configuration language includes, but is not limited to, translation of format, instructions and syntax. For each model of target network device, reverse translation of the target policy data can be performed according to the target policy reverse translation template to obtain a conversion result in the unified security policy intent description format.
S480, performing text comparison on the conversion results of different target network devices, so as to locate and investigate devices whose configuration failed according to the text comparison result.
In the embodiment of the present application, because the configuration language, configuration format and configuration instructions of the security policy differ greatly between models, the policy data configured in different target network devices cannot be compared directly as text, and so the correctness of the configuration performed from the unified configuration policy cannot be verified that way. Therefore, the target policy data in target network devices of different models is reverse translated into conversion results in the unified security policy intent description format, which provides a basis for text comparison of the conversion results across network devices.
Specifically, in forward translation the target policy data is obtained by conversion from the unified configuration policy, and in reverse translation the conversion result is obtained by conversion from the target policy data. Therefore, provided that the data conversion, transmission, configuration and other links are correct, the conversion result is the unified configuration policy in the unified security policy intent description format, that is, the conversion results of different target network devices are identical in text form. Accordingly, text comparison is performed on the conversion results of different target network devices, and whether the policy data of each network device is consistent is verified according to the text comparison result. A target network device whose verification shows an inconsistency is determined to be a device whose configuration failed; a prompt about it is generated for the user, so that the failed device is located, the cause of the failure is investigated, and the user can reconfigure accordingly.
It is to be noted that the reverse translation verification in this embodiment may verify the accuracy of the security policy configuration at least at the time the unified configuration policy is issued, after it is issued, or based on the security policy already deployed in the network device.
Illustratively, during issuing of the unified configuration policy, before the target policy data is issued to the corresponding target network devices, or after it is issued but before the policy configured in each target network device takes effect, reverse translation and comparison may be performed on the different target policy data to ensure that the target policy data was translated accurately.
For another example, after the unified configuration policy has been issued to each target network device, the policy configured in each target network device takes effect immediately; by then determining the target network devices to which the unified configuration policy was issued and extracting and converting the target policy data in them, after-the-fact verification of the configuration of the unified configuration policy is realized.
For another example, the configuration time of the security policy need not be distinguished at all: the target policy data configured in the network device is directly extracted and converted, which realizes a later inspection of the network.
According to the technical scheme of this embodiment, reverse translation of the target policy data provides a basis for text comparison of the target policy data, and according to the text comparison result the devices whose configuration failed can be quickly located and the cause investigated, so that the user can conveniently reconfigure them. This spares operation and maintenance personnel from checking devices of various models one by one, and reduces the technical requirements on them and the complexity of their operations.
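As an added example, not code from the patent: a toy Python version of the platform described in the second embodiment (validity detection with duplicate removal, S230, and forward translation through per-model templates, S240 to S250) and in the third embodiment (reverse translation of extracted device configuration and text comparison, S450 to S480). The two device models, their template syntax (an ACL-style and an iptables-style dialect), the content keys and the sample device configurations are all constructed assumptions.

```python
"""Added example, not the patent's code: a toy platform for the scheme above, with
unified 'content-action' policies, validity checks, per-model forward and reverse
translation templates and text comparison.  Models and configs are constructed."""
import ipaddress
import re

ACTIONS, PROTOS = {"accept", "drop"}, {"tcp", "udp", "ip"}
KEYS = ("proto", "src", "dst", "port")  # canonical key order of unified content
FLAGS_B = {"-p": "proto", "-s": "src", "-d": "dst", "--dport": "port"}
ACL_RE = re.compile(r"access-list 100 (permit|deny) (\S+) (\S+) (\S+)(?: eq (\d+))?")

def parse_unified(policy):
    """Format check ('content-action') plus syntax check of the content fields."""
    parts = [s.strip() for s in policy.split("-")]
    toks = parts[0].split()
    if len(parts) != 2 or parts[1] not in ACTIONS or len(toks) % 2:
        raise ValueError(f"format: expected 'content-action', got {policy!r}")
    content, action = dict(zip(toks[::2], toks[1::2])), parts[1]
    for key, val in content.items():
        if key in ("src", "dst"):
            ipaddress.ip_network(val)  # raises ValueError on a malformed prefix
        elif key == "port" and not (val.isdigit() and 1 <= int(val) <= 65535):
            raise ValueError(f"syntax: bad port {val!r}")
        elif (key == "proto" and val not in PROTOS) or key not in KEYS:
            raise ValueError(f"syntax: bad {key} {val!r}")
    if "port" in content and content.get("proto", "ip") == "ip":
        raise ValueError("syntax: a port needs proto tcp or udp")
    # 'ip' is the default protocol and is omitted from the canonical content.
    return {k: v for k, v in content.items() if (k, v) != ("proto", "ip")}, action

def validate(policies):
    """Semantic check: drop duplicates and policies included in an earlier one."""
    kept = []
    for policy in policies:
        content, action = parse_unified(policy)
        # A kept policy with the same action and a subset of these conditions covers it.
        if not any(a == action and c.items() <= content.items() for c, a in kept):
            kept.append((content, action))
    return kept

def forward_a(policies):
    """Forward-translation template for constructed model A (ACL style)."""
    lines = []
    for c, a in policies:
        lines.append(f"access-list 100 {'permit' if a == 'accept' else 'deny'} "
                     f"{c.get('proto', 'ip')} {c.get('src', 'any')} {c.get('dst', 'any')}"
                     + (f" eq {c['port']}" if "port" in c else ""))
    return "\n".join(lines)

def forward_b(policies):
    """Forward-translation template for constructed model B (iptables style)."""
    lines = []
    for c, a in policies:
        opts = [f"{flag} {c[key]}" for flag, key in FLAGS_B.items() if key in c]
        lines.append(" ".join(["iptables -A INPUT", *opts, f"-j {a.upper()}"]))
    return "\n".join(lines)

def reverse_a(config):
    """Reverse template for model A: extract ACL 100 lines into unified tuples."""
    out = []
    for m in filter(None, map(ACL_RE.fullmatch, config.splitlines())):
        verb, *vals = m.groups()
        c = {k: v for k, v in zip(KEYS, vals) if v not in (None, "ip", "any")}
        out.append((c, "accept" if verb == "permit" else "drop"))
    return out

def reverse_b(config):
    """Reverse template for model B: extract INPUT-chain rules into unified tuples."""
    out = []
    for ln in filter(lambda s: s.startswith("iptables -A INPUT"), config.splitlines()):
        pairs = dict(zip(ln.split()[3::2], ln.split()[4::2]))
        c = {FLAGS_B[f]: v for f, v in pairs.items() if f in FLAGS_B}
        out.append((c, pairs["-j"].lower()))
    return out

def canonical(policies):
    """Unified-format text of a policy list, used for cross-device comparison."""
    return "\n".join(" ".join(f"{k} {c[k]}" for k in KEYS if k in c) + f"-{a}"
                     for c, a in policies)

MODELS = {"model-a": (forward_a, reverse_a), "model-b": (forward_b, reverse_b)}

def template(model, direction):
    """Template matching a model (0 = forward, 1 = reverse); unsupported is reported."""
    if model not in MODELS:
        raise LookupError(f"no translation template for model {model!r}")
    return MODELS[model][direction]

def verify_devices(unified, devices):
    """Reverse-translate each device config and compare texts; return failed devices."""
    expected = canonical(validate(unified))
    return [name for name, (model, config) in devices.items()
            if canonical(template(model, 1)(config)) != expected]

UNIFIED = ["proto tcp port 80-accept", "proto tcp src 10.0.0.0/8 port 80-accept", "-drop"]
DEVICES = {  # constructed running configs; fw-b1 has drifted to port 8080
    "fw-a1": ("model-a", "hostname fw-a1\naccess-list 100 permit tcp any any eq 80\n"
                         "access-list 100 deny ip any any"),
    "fw-b1": ("model-b", "iptables -A INPUT -p tcp --dport 8080 -j ACCEPT\niptables -A INPUT -j DROP"),
}
```

The second unified policy is included in the first and is removed by validation; `template("model-a", 0)(validate(UNIFIED))` yields the model A text, and `verify_devices(UNIFIED, DEVICES)` names fw-b1 as the drifted device.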
Fourth embodiment
Fig. 5 is a schematic structural diagram of a security policy configuration apparatus according to a fourth embodiment of the present application, where this embodiment is applicable to a case of performing uniform security policy configuration on heterogeneous network devices of different types to be managed, and the apparatus can implement the security policy configuration method according to any embodiment of the present application.
The apparatus 500 specifically includes the following:
a configured device determining module 510, configured to determine, in response to a trigger operation of a user, a target network device to be configured from network devices of different models;
a unified policy determination module 520, configured to receive a unified configuration policy for the target network device;
a unified policy conversion module 530, configured to convert the unified configuration policy according to the model information of the target network device, so as to obtain target policy data supported by the target network device;
a policy issuing module 540, configured to issue the target policy data to the target network device, so as to instruct the target network device to perform security policy configuration according to the target policy data.
Optionally, the unified policy determining module 520 is specifically configured to:
receiving a uniform configuration strategy edited by a user according to a uniform security strategy intention description format by adopting a uniform configuration language; the unified security policy intent description format comprises configuration content and a configuration action, and is used for instructing the target network device to perform security policy configuration on the configuration content by executing the configuration action.
Optionally, the unified policy transformation module 530 is specifically configured to:
determining a target strategy translation template matched with the model information according to the model information of the target network equipment;
and converting the unified configuration policy according to the translation relationship from the unified configuration language to the target configuration language supported by the target network equipment in the target policy translation template.
Further, the apparatus 500 further includes a unified policy detection module 550, specifically configured to:
and before the unified configuration strategy is converted according to the model information of the target network equipment, carrying out validity detection on the unified configuration strategy according to a unified security strategy intention description format.
Optionally, the unified policy detection module 550 is specifically configured to:
if the unified configuration policy is detected to conform to the unified security policy intention description format, determining configuration content and configuration actions in the unified configuration policy;
carrying out legality detection on the syntactic format of the configuration content;
and if the syntax format is detected to be valid, performing duplicate removal on the unified configuration policy according to the configuration content and configuration action.
Further, the apparatus 500 further includes a policy configuration verification module 560, specifically configured to:
after the target policy data is issued to the target network device, verifying the accuracy of the security policy configuration based on the unified configuration policy.
Optionally, the policy configuration verification module 560 is specifically configured to:
converting the target policy data that the target network device configured based on the unified configuration policy, according to the model information of the target network device, to obtain a conversion result in the unified security policy intent description format;
and performing text comparison on the conversion results of different target network devices, so as to locate and investigate devices whose configuration failed according to the text comparison result.
Optionally, the policy configuration verification module 560 is specifically configured to:
determining a target strategy reverse translation template matched with the model information according to the model information of the target network equipment;
extracting target strategy data configured by the target network equipment based on the unified configuration strategy according to the target strategy reverse translation template;
and converting the target policy data according to the reverse translation relationship, contained in the target policy reverse translation template, from the target configuration language supported by the target network device to the unified configuration language.
According to the technical scheme of the embodiment, through the mutual cooperation of the functional modules, the functions of selecting target network equipment, determining and detecting a uniform configuration strategy, performing forward translation on the uniform configuration strategy, determining personalized target strategy data, issuing and deploying a security strategy, performing reverse translation on the target strategy data, comparing texts of reverse translation results, verifying strategy configuration and the like are realized. According to the method and the device, the issuing form of the security policy is unified on the network device layer with the heterogeneous model, and the policy conversion is carried out by combining the model information of each device in the issuing process, so that the universality of the issued policy is guaranteed, and the unified configuration of the security policy of the network device in the heterogeneous model environment is fundamentally realized. The method and the device avoid the additional configuration requirement on equipment manufacturers, reduce the technical requirement on operation and maintenance personnel and the complexity of operation of the operation and maintenance personnel, facilitate the operation and maintenance personnel to carry out security policy configuration according to an integrated and standardized thought, and improve the efficiency and the accuracy of the security policy configuration.
Fifth embodiment
According to an embodiment of the present application, an electronic device and a readable storage medium are also provided.
Fig. 6 is a block diagram of an electronic device for implementing the security policy configuration method according to an embodiment of the present application. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the present application that are described and/or claimed herein.
As shown in fig. 6, the electronic device includes: one or more processors 601, a memory 602, and interfaces for connecting the various components, including a high-speed interface and a low-speed interface. The various components are interconnected using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions for execution within the electronic device, including instructions stored in or on the memory to display graphical information for a graphical user interface (GUI) on an external input/output device, such as a display device coupled to the interface. In other embodiments, multiple processors and/or multiple buses may be used, along with multiple memories, as desired. Also, multiple electronic devices may be connected, with each device providing portions of the necessary operations, e.g., as a server array, a group of blade servers, or a multi-processor system. In fig. 6, one processor 601 is taken as an example.
The memory 602 is a non-transitory computer readable storage medium as provided herein. The memory stores instructions executable by at least one processor to cause the at least one processor to perform the security policy configuration method provided herein. A non-transitory computer readable storage medium of the present application stores computer instructions for causing a computer to perform a security policy configuration method provided by the present application.
The memory 602, as a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as program instructions/modules corresponding to the security policy configuration method in the embodiments of the present application, for example, the configuration device determining module 510, the unified policy determining module 520, the unified policy converting module 530, the policy issuing module 540, the unified policy detecting module 550, and the policy configuration verifying module 560 shown in fig. 5. The processor 601 executes various functional applications and data processing of the server by running non-transitory software programs, instructions and modules stored in the memory 602, that is, implementing the security policy configuration method in the above method embodiment.
The memory 602 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the electronic device of the security policy configuration method, and the like. Further, the memory 602 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory 602 optionally includes memory located remotely from the processor 601, and these remote memories may be connected over a network to the electronic device of the security policy configuration method. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The electronic device of the security policy configuration method may further include: an input device 603 and an output device 604. The processor 601, the memory 602, the input device 603 and the output device 604 may be connected by a bus or other means, and fig. 6 illustrates the connection by a bus as an example.
The input device 603 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the electronic device of the security policy configuration method; examples are a touch screen, keypad, mouse, track pad, touch pad, pointing stick, one or more mouse buttons, track ball, joystick, or other input device. The output device 604 may include a display device, an auxiliary lighting device such as a light emitting diode (LED), a tactile feedback device (for example, a vibration motor), and the like. The display device may include, but is not limited to, a liquid crystal display (LCD), an LED display, and a plasma display. In some implementations, the display device can be a touch screen.
Various implementations of the systems and techniques described here can be realized in digital electronic circuitry, integrated circuitry, application-specific integrated circuits (ASICs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
These computer programs, also known as programs, software applications, or code, include machine instructions for a programmable processor, and may be implemented using high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. As used herein, the terms "machine-readable medium" and "computer-readable medium" refer to any computer program product, apparatus, and/or device for providing machine instructions and/or data to a programmable processor, such as a magnetic disk, optical disk, memory, or programmable logic device (PLD), including a machine-readable medium that receives machine instructions as a machine-readable signal. The term "machine-readable signal" refers to any signal used to provide machine instructions and/or data to a programmable processor.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device for displaying information to a user, for example, a Cathode Ray Tube (CRT) or an LCD monitor; and a keyboard and a pointing device, such as a mouse or a trackball, by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component, e.g., as a data server, or that includes a middleware component, e.g., an application server, or that includes a front-end component, e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here, or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication, e.g., a communication network. Examples of communication networks include: local Area Networks (LANs), Wide Area Networks (WANs), the internet, and blockchain networks.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
In the technical solution of the embodiments of the present application, the form in which security policies are issued is unified across the layer of network devices of heterogeneous models, and policy conversion is carried out during issuing by combining the model information of each device, so that the universality of the issued policy is guaranteed and unified security policy configuration of network devices in a heterogeneous-model environment is fundamentally realized. The method and device avoid imposing additional configuration requirements on device manufacturers, reduce the technical requirements on operation and maintenance personnel and the complexity of their operations, make it convenient for operation and maintenance personnel to carry out security policy configuration following an integrated and standardized approach, and improve the efficiency and accuracy of security policy configuration.
In addition, since the form in which security policies are issued is unified across network devices of heterogeneous models and the security policy is issued in a unified security policy intent description format, operation and maintenance personnel only need to master one language and one set of rules to configure security policies on network devices of different types and in any number, which reduces the technical requirements on them and the complexity of their operations and helps them configure security policies following an integrated and standardized approach.
In addition, whether the platform currently supports configuration of a given type of network device is judged by detecting whether a target policy translation template matching the model information of the target network device exists in the platform, so that the unified configuration policy is forward-translated on the basis of the existing target policy translation template to obtain target policy data supported by the target network device. This spares operation and maintenance personnel from performing personalized configuration operations on each type of device and reduces the technical requirements on them and the complexity of their operations.
In addition, the validity detection of the unified configuration policy fundamentally ensures the accuracy of the policy and facilitates accurate conversion into the data formats supported by the various types of network devices.
In addition, the validity detection is carried out on the unified configuration policy in terms of format, syntax, semantics and the like, so that the accuracy of the policy is fundamentally ensured.
In addition, once the security policy has been configured on the network devices, the accuracy of the configured security policy can be verified on the devices themselves, which facilitates later inspection of the network devices.
In addition, the target policy data on target network devices of different models is reverse-translated into conversion results in the unified security policy intent description format, which provides a basis for text comparison of the conversion results across network devices; whether the policy data on the network devices is consistent is then verified from the text comparison result, which makes it easier to locate a device whose configuration failed and to investigate the cause of the failure so that the device can be reconfigured.
In addition, because the forward and reverse translation processes between the unified configuration language and the target configuration language supported by each network device may differ, when the platform performs later inspection and verification it can judge whether it currently supports verification of a given type of network device by detecting whether a target policy reverse translation template matching the model information of the target network device exists in the platform, so that the target policy data is reverse-translated on the basis of the existing target policy reverse translation template to obtain a conversion result in the unified security policy intent description format. This spares operation and maintenance personnel from inspecting each type of device one by one and reduces the technical requirements on them and the complexity of their operations.
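The flow described in the preceding paragraphs (validity detection, forward translation by a per-model template, issuing, reverse translation and text comparison to locate a device whose configuration failed), as an added example in Python that is not part of the patent; the two device models, their command dialects, the intent-format field names and the sample policies are all constructed for illustration.

```python
"""Unified security-policy configuration flow (validity detection, per-model forward
translation, issuing, reverse translation, text comparison). Added illustrative
example, not the patent's code; models, dialects and sample policies are constructed."""
import ipaddress
import re

# Unified security policy intent description format: a configuration action plus
# configuration content (these field names are assumed for the example).
ACTIONS = ("permit", "deny")
CONTENT_FIELDS = ("src", "dst", "proto", "port")

def check_validity(policies):
    """Format, syntax and semantic validity detection, then de-duplication."""
    seen, valid = set(), []
    for p in policies:
        content = p.get("content", {})
        # Format check: an action and every content field must be present
        if p.get("action") not in ACTIONS or any(f not in content for f in CONTENT_FIELDS):
            raise ValueError(f"policy does not conform to the intent format: {p}")
        # Syntax check: addresses must parse as networks, port must be in range
        ipaddress.ip_network(content["src"])
        ipaddress.ip_network(content["dst"])
        port = int(content["port"])
        if not 0 < port <= 65535:
            raise ValueError(f"illegal port: {content['port']}")
        # Semantic check: only protocols every device template can express
        if content["proto"] not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {content['proto']}")
        # De-duplication on (configuration action, configuration content)
        key = (p["action"], content["src"], content["dst"], content["proto"], port)
        if key not in seen:
            seen.add(key)
            valid.append({"action": p["action"], "content": dict(content, port=port)})
    return valid

# Per-model policy translation templates: "forward" maps the unified language to the
# device's configuration language, "reverse" maps it back. Both dialects are invented.
TEMPLATES = {
    "MODEL_A": {
        "forward": "rule {action} {proto} from {src} to {dst} port {port}",
        "reverse": re.compile(r"rule (?P<action>permit|deny) (?P<proto>\w+) "
                              r"from (?P<src>\S+) to (?P<dst>\S+) port (?P<port>\d+)$"),
    },
    "MODEL_B": {
        "forward": "acl add action={action} src={src} dst={dst} l4={proto}/{port}",
        "reverse": re.compile(r"acl add action=(?P<action>\w+) src=(?P<src>\S+) "
                              r"dst=(?P<dst>\S+) l4=(?P<proto>\w+)/(?P<port>\d+)$"),
    },
}

def forward_translate(model, policies):
    """Convert validated unified policies into the model's configuration language."""
    tpl = TEMPLATES.get(model)
    if tpl is None:  # the platform does not support this model yet
        raise KeyError(f"no policy translation template for model {model}")
    return [tpl["forward"].format(action=p["action"], **p["content"]) for p in policies]

def reverse_translate(model, config_lines):
    """Extract policy lines from a device configuration and convert them back into
    the unified intent description format; lines that are not policies are ignored."""
    tpl = TEMPLATES.get(model)
    if tpl is None:
        raise KeyError(f"no policy reverse translation template for model {model}")
    result = []
    for line in config_lines:
        m = tpl["reverse"].match(line.strip())
        if m:
            g = m.groupdict()
            result.append({"action": g["action"], "content": {
                "src": g["src"], "dst": g["dst"], "proto": g["proto"], "port": int(g["port"])}})
    return result

def canonical_text(policies):
    """Render unified policies as sorted canonical text for textual comparison."""
    lines = [f"{p['action']} {p['content']['proto']} {p['content']['src']} -> "
             f"{p['content']['dst']}:{p['content']['port']}" for p in policies]
    return "\n".join(sorted(lines))

def verify_configuration(unified_policies, device_configs):
    """Reverse-translate each device's configuration and text-compare it with the
    intended unified policy; returns {device: canonical text} for each one that diverges."""
    expected = canonical_text(unified_policies)
    failed = {}
    for name, (model, lines) in device_configs.items():
        actual = canonical_text(reverse_translate(model, lines))
        if actual != expected:
            failed[name] = actual
    return failed

def run_example():
    """Constructed flow: three devices of two models; fw-3 dropped a rule while applying."""
    unified = [
        {"action": "deny", "content": {"src": "10.0.0.0/8", "dst": "192.168.1.10/32", "proto": "tcp", "port": "22"}},
        {"action": "permit", "content": {"src": "0.0.0.0/0", "dst": "192.168.1.10/32", "proto": "tcp", "port": "443"}},
        {"action": "deny", "content": {"src": "10.0.0.0/8", "dst": "192.168.1.10/32", "proto": "tcp", "port": 22}},  # duplicate
    ]
    valid = check_validity(unified)
    devices = {  # issuing is simulated: each device stores the lines translated for its model
        "fw-1": ("MODEL_A", forward_translate("MODEL_A", valid)),
        "fw-2": ("MODEL_B", ["hostname fw-2"] + forward_translate("MODEL_B", valid)),
        "fw-3": ("MODEL_B", forward_translate("MODEL_B", valid)[:1]),
    }
    return valid, devices, verify_configuration(valid, devices)
```

`run_example()` returns the de-duplicated unified policy, the per-device issued lines, and the devices whose reverse-translated configuration does not match the intent (here only fw-3).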
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present application may be executed in parallel, sequentially, or in different orders, as long as the desired results of the technical solutions disclosed in the present application can be achieved, and the present invention is not limited herein.
The above-described embodiments should not be construed as limiting the scope of the present application. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (18)

1. A security policy configuration method, comprising:
in response to a trigger operation of a user, determining a target network device to be configured from among network devices of heterogeneous models;
receiving a unified configuration policy for the target network device;
converting the unified configuration policy according to model information of the target network device to obtain target policy data supported by the target network device;
and issuing the target policy data to the target network device to instruct the target network device to carry out security policy configuration according to the target policy data.
2. The method of claim 1, wherein receiving the unified configuration policy for the target network device comprises:
receiving a unified configuration policy edited by the user in a unified configuration language according to a unified security policy intent description format; the unified security policy intent description format comprises configuration content and a configuration action, and is used for instructing the target network device to perform security policy configuration on the configuration content by executing the configuration action.
3. The method of claim 1, wherein converting the unified configuration policy according to the model information of the target network device comprises:
determining a target policy translation template matching the model information according to the model information of the target network device;
and converting the unified configuration policy according to the translation relation, contained in the target policy translation template, from the unified configuration language to the target configuration language supported by the target network device.
4. The method of claim 1, further comprising, before converting the unified configuration policy according to the model information of the target network device:
carrying out validity detection on the unified configuration policy according to the unified security policy intent description format.
5. The method of claim 4, wherein carrying out validity detection on the unified configuration policy according to the unified security policy intent description format comprises:
if the unified configuration policy is detected to conform to the unified security policy intent description format, determining the configuration content and the configuration action in the unified configuration policy;
carrying out validity detection on the syntactic format of the configuration content;
and if the syntactic format is detected to be valid, carrying out de-duplication processing on the unified configuration policy according to the configuration content and the configuration action.
6. The method of claim 1, further comprising, after issuing the target policy data to the target network device:
verifying the accuracy of the security policy configuration based on the unified configuration policy.
7. The method of claim 6, wherein verifying the accuracy of the security policy configuration based on the unified configuration policy comprises:
converting, according to the model information of the target network device configured with the unified configuration policy, the target policy data configured on the target network device, to obtain a conversion result in the unified security policy intent description format;
and carrying out text comparison of the conversion results of different target network devices, so as to locate and investigate a device whose configuration failed according to the text comparison result.
8. The method of claim 7, wherein converting, according to the model information of the target network device configured with the unified configuration policy, the target policy data configured on the target network device comprises:
determining a target policy reverse translation template matching the model information according to the model information of the target network device;
extracting, according to the target policy reverse translation template, the target policy data that the target network device has configured on the basis of the unified configuration policy;
and converting the target policy data according to the reverse translation relation, contained in the target policy reverse translation template, from the target configuration language supported by the target network device to the unified configuration language.
9. A security policy configuration apparatus, comprising:
a configuration device determining module, configured to determine, in response to a trigger operation of a user, a target network device to be configured from among network devices of heterogeneous models;
a unified policy determining module, configured to receive a unified configuration policy for the target network device;
a unified policy converting module, configured to convert the unified configuration policy according to model information of the target network device to obtain target policy data supported by the target network device;
and a policy issuing module, configured to issue the target policy data to the target network device to instruct the target network device to carry out security policy configuration according to the target policy data.
10. The apparatus of claim 9, wherein the unified policy determining module is specifically configured to:
receive a unified configuration policy edited by the user in a unified configuration language according to a unified security policy intent description format; the unified security policy intent description format comprises configuration content and a configuration action, and is used for instructing the target network device to perform security policy configuration on the configuration content by executing the configuration action.
11. The apparatus of claim 9, wherein the unified policy converting module is specifically configured to:
determine a target policy translation template matching the model information according to the model information of the target network device;
and convert the unified configuration policy according to the translation relation, contained in the target policy translation template, from the unified configuration language to the target configuration language supported by the target network device.
12. The apparatus of claim 9, further comprising a unified policy detecting module, specifically configured to:
before the unified configuration policy is converted according to the model information of the target network device, carry out validity detection on the unified configuration policy according to a unified security policy intent description format.
13. The apparatus of claim 12, wherein the unified policy detecting module is specifically configured to:
if the unified configuration policy is detected to conform to the unified security policy intent description format, determine the configuration content and the configuration action in the unified configuration policy;
carry out validity detection on the syntactic format of the configuration content;
and if the syntactic format is detected to be valid, carry out de-duplication processing on the unified configuration policy according to the configuration content and the configuration action.
14. The apparatus of claim 9, further comprising a policy configuration verifying module, specifically configured to:
after the target policy data is issued to the target network device, verify the accuracy of the security policy configuration based on the unified configuration policy.
15. The apparatus of claim 14, wherein the policy configuration verifying module is specifically configured to:
convert, according to the model information of the target network device configured with the unified configuration policy, the target policy data configured on the target network device, to obtain a conversion result in the unified security policy intent description format;
and carry out text comparison of the conversion results of different target network devices, so as to locate and investigate a device whose configuration failed according to the text comparison result.
16. The apparatus of claim 15, wherein the policy configuration verifying module is specifically configured to:
determine a target policy reverse translation template matching the model information according to the model information of the target network device;
extract, according to the target policy reverse translation template, the target policy data that the target network device has configured on the basis of the unified configuration policy;
and convert the target policy data according to the reverse translation relation, contained in the target policy reverse translation template, from the target configuration language supported by the target network device to the unified configuration language.
17. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the security policy configuration method of any one of claims 1-8.
18. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the security policy configuration method of any one of claims 1-8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010102605.7A CN113285906A (en) 2020-02-19 2020-02-19 Security policy configuration method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010102605.7A CN113285906A (en) 2020-02-19 2020-02-19 Security policy configuration method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN113285906A true CN113285906A (en) 2021-08-20

Family

ID=77275104

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010102605.7A Pending CN113285906A (en) 2020-02-19 2020-02-19 Security policy configuration method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113285906A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1988478A (en) * 2006-12-14 2007-06-27 上海交通大学 Integrated tactic managing system based on expandable label language
US20170187750A1 (en) * 2015-12-29 2017-06-29 Fortinet, Inc. Security configuration file conversion with security policy optimization
CN107872432A (en) * 2016-09-26 2018-04-03 中国电信股份有限公司 Isomery cloud platform security strategy Explore of Unified Management Ideas, device and system
CN110348201A (en) * 2019-05-22 2019-10-18 中国科学院信息工程研究所 A kind of configuration method and device of device security policy

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113726813A (en) * 2021-09-09 2021-11-30 海尔数字科技(青岛)有限公司 Network security configuration method, equipment and storage medium
CN113726813B (en) * 2021-09-09 2023-08-15 海尔数字科技(青岛)有限公司 Network security configuration method, device and storage medium
CN113904939A (en) * 2021-10-27 2022-01-07 中国联合网络通信集团有限公司 Method, device and storage medium for managing target terminal
CN115037587A (en) * 2022-06-23 2022-09-09 未鲲(上海)科技服务有限公司 Method, device, equipment and storage medium for automatically issuing network equipment configuration
CN115037587B (en) * 2022-06-23 2024-03-22 佛山领客易选科技服务有限公司 Automatic issuing method, device, equipment and storage medium for network equipment configuration

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210820