CN113407983A - Security policy issuing method and device - Google Patents
Security policy issuing method and device Download PDFInfo
- Publication number
- CN113407983A CN113407983A CN202010182620.7A CN202010182620A CN113407983A CN 113407983 A CN113407983 A CN 113407983A CN 202010182620 A CN202010182620 A CN 202010182620A CN 113407983 A CN113407983 A CN 113407983A
- Authority
- CN
- China
- Prior art keywords
- user
- network address
- account information
- security policy
- source network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 47
- 230000009471 action Effects 0.000 claims abstract description 50
- 238000012545 processing Methods 0.000 claims abstract description 50
- 238000004891 communication Methods 0.000 claims description 34
- 238000004590 computer program Methods 0.000 claims description 12
- 230000008569 process Effects 0.000 description 11
- 238000010586 diagram Methods 0.000 description 4
- 230000006870 function Effects 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 2
- 239000000284 extract Substances 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004044 response Effects 0.000 description 2
- 238000003491 array Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000010219 correlation analysis Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 239000000835 fiber Substances 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The application provides a method and a device for issuing a security policy, and belongs to the technical field of network security. The method comprises the following steps: acquiring a network log of each user and a pre-stored user permission list, wherein the user permission list comprises a first corresponding relation between account information and permission information of each user, and the permission information comprises a destination network address and a processing action; acquiring a second corresponding relation between the account information of each user and a source network address according to the network log of each user; generating a security policy based on the source network address and the authority information corresponding to the same account information in the first corresponding relationship and the second corresponding relationship; and sending the generated security policy to access control equipment so that the access control equipment performs access control on each user according to the security policy. By the method and the device, the efficiency of configuring the security policy can be improved.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for issuing a security policy.
Background
With the development of internet technology, people pay more and more attention to network security. In order to secure data in a local area network, people usually set an access control device (such as a firewall) in the local area network to control access rights of users.
In the related art, when a user accesses a local area network through a user terminal, a DHCP server allocates an IP address to the user terminal. And the user terminal takes the distributed IP address as a source IP address and sends a communication message to the access control equipment. The Access Control device stores security policies, such as an Access Control List (ACL), pre-configured by a technician. The security policy contains at least a source IP address, a destination IP address, and a processing action. The access control equipment extracts the source IP address and the destination IP address from the communication message, determines the security strategy hit by the extracted source IP address and destination IP address, and further processes the communication message according to the processing action in the security strategy. For example, if the processing action in the security policy is "allow", the communication packet is allowed to pass through, so that the user accesses the network resource corresponding to the destination IP address; if the processing action in the security policy is "drop," the communication packet is dropped to prevent the user from accessing the network resource.
However, the technician needs to configure the security policy separately for each access control device in the local area network, and the efficiency of configuring the security policy is low.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method and an apparatus for issuing a security policy, so as to solve the problem of low efficiency of configuring a security policy. The specific technical scheme is as follows:
in a first aspect, a method for issuing a security policy is provided, where the method includes:
acquiring a network log of each user and a pre-stored user permission list, wherein the user permission list comprises a first corresponding relation between account information and permission information of each user, and the permission information comprises a destination network address and a processing action;
acquiring a second corresponding relation between the account information of each user and a source network address according to the network log of each user;
generating a security policy based on the source network address and the authority information corresponding to the same account information in the first corresponding relationship and the second corresponding relationship;
and sending the generated security policy to access control equipment so that the access control equipment performs access control on each user according to the security policy.
Optionally, the generating a security policy based on the source network address and the authority information corresponding to the same account information in the first corresponding relationship and the second corresponding relationship includes:
for each account information, acquiring a first destination network address and a first processing action corresponding to the account information from the first corresponding relation, and acquiring a first source network address corresponding to the account information from the second corresponding relation;
generating a security policy comprising the first source network address, the first destination network address, and the first processing action.
Optionally, the weblog is a system login log;
the obtaining of the second corresponding relationship between the account information of each user and the source network address according to the network log of each user includes:
and extracting account information and a source network address of a login account from the system login logs corresponding to the users, and correspondingly storing the extracted account information and the source network address to obtain a second corresponding relation.
Optionally, the weblog is a dynamic host configuration protocol DHCP log;
the obtaining of the second corresponding relationship between the account information of each user and the source network address according to the network log of each user includes:
acquiring a third corresponding relation between the user terminal identification and the source network address from the DHCP log;
for each user terminal identification, determining second account information and a second source network address corresponding to the user terminal identification in the corresponding relation and the third corresponding relation of the pre-stored user terminal identification and account information;
and correspondingly storing the second account information and the second source network address to obtain a second corresponding relation.
Optionally, the sending the generated security policy to the access control device includes:
sending the generated security policy to the access control device through an Application Program Interface (API) interface corresponding to the access control device; alternatively, the first and second electrodes may be,
and sending the generated security policy to the access control device in a remote command mode.
In a second aspect, a device for issuing a security policy is provided, where the device includes:
the system comprises a first acquisition module, a second acquisition module and a third acquisition module, wherein the first acquisition module is used for acquiring a weblog of each user and a pre-stored user permission list, the user permission list comprises a first corresponding relation between account information and permission information of each user, and the permission information comprises a destination network address and a processing action;
a second obtaining module, configured to obtain, according to the weblog of each user, a second correspondence between the account information of each user and the source network address;
a generating module, configured to generate a security policy based on a source network address and permission information corresponding to the same account information in the first corresponding relationship and the second corresponding relationship;
and the sending module is used for sending the generated security policy to the access control equipment so that the access control equipment can carry out access control on each user according to the security policy.
Optionally, the generating module is specifically configured to:
for each account information, acquiring a first destination network address and a first processing action corresponding to the account information from the first corresponding relation, and acquiring a first source network address corresponding to the account information from the second corresponding relation;
generating a security policy comprising the first source network address, the first destination network address, and the first processing action.
Optionally, the weblog is a system login log;
the second obtaining module is specifically configured to:
and extracting account information and a source network address of a login account from the system login logs corresponding to the users, and correspondingly storing the extracted account information and the source network address to obtain a second corresponding relation.
Optionally, the weblog is a dynamic host configuration protocol DHCP log;
the second obtaining module is specifically configured to:
acquiring a third corresponding relation between the user terminal identification and the source network address from the DHCP log;
for each user terminal identification, determining second account information and a second source network address corresponding to the user terminal identification in the corresponding relation and the third corresponding relation of the pre-stored user terminal identification and account information;
and correspondingly storing the second account information and the second source network address to obtain a second corresponding relation.
Optionally, the sending module is specifically configured to:
sending the generated security policy to the access control device through an Application Program Interface (API) interface corresponding to the access control device; alternatively, the first and second electrodes may be,
and sending the generated security policy to the access control device in a remote command mode.
In a third aspect, a network device is provided, which includes a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete communication with each other through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any of the first aspect when executing a program stored in the memory.
In a fourth aspect, a computer-readable storage medium is provided, having stored thereon a computer program which, when being executed by a processor, carries out the method steps of any of the first aspects.
In a fifth aspect, there is provided a computer program product containing instructions which, when run on a computer, cause the computer to perform any of the above-described methods of issuing security policies.
The embodiment of the application has the following beneficial effects:
the embodiment of the application provides a method and a device for issuing a security policy, which can acquire a weblog of each user and a pre-stored user permission list, wherein the user permission list comprises account information of each user and a first corresponding relation of permission information, and the permission information comprises a destination network address and a processing action. And then, acquiring a second corresponding relation between the account information of each user and the source network address according to the network log of each user, further generating a security policy based on the source network address and the authority information corresponding to the same account information in the first corresponding relation and the second corresponding relation, and sending the generated security policy to the access control equipment so that the access control equipment can perform access control on each user according to the security policy. According to the scheme, the network equipment can automatically generate the security policy according to the actual authority of the user and issue the security policy to the access control equipment, technical personnel do not need to manually configure the security policy in each access control equipment, and the efficiency of configuring the security policy is improved. According to the scheme, the source network address is not simply associated with the right, but is associated with the right by means of the account information of the user, and even if the source network address changes dynamically, the changed situation can be adapted only by updating the security policy.
Of course, not all of the above advantages need be achieved in the practice of any one product or method of the present application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, and it is obvious for those skilled in the art to obtain other drawings without inventive exercise.
Fig. 1 is a schematic diagram of a network system according to an embodiment of the present application;
fig. 2 is a flowchart of a security policy issuing method according to an embodiment of the present application;
fig. 3 is a flowchart of an example of a method for issuing a security policy according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a security policy issuing apparatus according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a network device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the application provides a method for issuing a security policy, which can be applied to network equipment in a local area network. The local area network may further include an access control device (such as a firewall), a DHCP (dynamic host configuration protocol) server, a log storage server, and a user terminal. Fig. 1 is a schematic diagram of a network system according to an embodiment of the present application. The network equipment can be respectively connected with the access control equipment, the DHCP server and the log storage server, and the access control equipment can be connected with the user terminal through the access equipment so that the user terminal can access the Internet through the access control equipment.
The method for issuing the security policy provided in the embodiment of the present application will be described in detail below with reference to specific embodiments, and as shown in fig. 2, the specific steps are as follows:
step 201, obtaining the weblog of each user and the pre-stored user authority list.
In the embodiment of the present application, a technician may pre-configure a user permission list, where the user permission list may include a correspondence (i.e., a first correspondence) between account information and permission information of each user. The entitlement information may include a destination network address and a processing action. The destination network address may be an IP (Internet Protocol) address, a Media Access Control (MAC) address, or the like. The processing action may be a processing action of the access control device on the communication packet. And if the processing action in the security policy is 'release', the access control equipment releases the communication message hitting the security policy so as to enable the user to access the network resource corresponding to the destination network address. If the processing action in the security policy is "discard", the access control device discards the communication packet hitting the security policy to prevent the user from accessing the network resource. In one example, the user authority list may contain content of < user-destination IP address-process action >.
In one implementation, the technician may store the user permission list in a database, and the network device may retrieve the user permission list from the database. In addition, the network device can also obtain the network logs of each user in the network. The weblog may be a system login log or a DHCP log. When the weblog is a system login log, the network device may obtain the weblog from the log storage server. When the blog is a DHCP log, the network device may obtain the blog from a DHCP server.
It should be noted that, for coarse-grained access control, the security policy may only include the source network address, the destination network address, and the processing action, and at this time, the user authority list only needs to include < user-destination network address-processing action >. For fine-grained access control, the security policy may further include one or more of a source port, a destination port, and a communication protocol, and accordingly, the user authority list also needs to include one or more of the above information. In one example, the user authority list may contain content of < user-source port-destination IP address-destination port-processing action >.
Step 202, obtaining a second corresponding relationship between the account information of each user and the source network address according to the network log of each user.
In the embodiment of the application, after the network device acquires the weblog of each user, the network log can be analyzed, so that the account information of each user and the source network address corresponding to each account information can be acquired according to the weblog. The network device may store the account information and the source network address correspondingly to establish a corresponding relationship (i.e., a second corresponding relationship) between the account information and the source network address, and the second corresponding relationship may be referred to as a user network list. The source network address may be a source IP address.
Optionally, for different types of weblogs, the process of obtaining the corresponding relationship between the account information and the source network address is different, and several examples are provided in the present application, which are specifically as follows.
Example one, the weblog is a system log. Correspondingly, the processing procedure for acquiring the second corresponding relationship between the account information of each user and the source network address comprises the following steps.
Step one, extracting account information and a source network address of a login account from a system login log corresponding to each user.
In the embodiment of the application, when a user accesses a local area network through a user terminal, the user can log in through an access system of the local area network or a remote VPN system by using a personal account, and meanwhile, the user terminal can send a DHCP discovery message. The DHCP discover message carries the user terminal identifier. The user terminal identifier may be a MAC address or a host identifier of the user terminal. If the user logs in successfully, the DHCP server allocates an IP address for the user terminal according to a pre-stored address allocation strategy, and returns a DHCP response message to the user terminal, wherein the DHCP response message carries the IP address allocated to the terminal by the DHCP server and the IP address of the DHCP server. The user terminal will access the local area network by using the IP address as the source IP address, and the above process may be referred to as an online process of the user. The log storage server in the local area network can record logs according to the online process of the user to obtain a system login log. The system login log includes account information (such as an account number or a user ID) of the user login and an IP address allocated by the DHCP server to the user terminal.
The network device may obtain system login logs for each user. For each user, the system login log of the user can be analyzed, and account information of an account logged in by the user and a source network address are acquired.
And step two, correspondingly storing the extracted account information and the source network address to obtain a second corresponding relation.
In the embodiment of the application, for each user, after acquiring the account information and the source network address corresponding to the user, the network device may correspondingly store the extracted account information and source network address to establish a corresponding relationship (i.e., a second corresponding relationship) between the account information and the source network address.
Example two, the network log is a DHCP log, and accordingly, the processing procedure of obtaining the second corresponding relationship between the account information of each user and the source network address includes the following steps.
Step one, acquiring a third corresponding relation between the user terminal identification and the source network address from the DHCP log.
In this embodiment, the DHCP server may also record a log (i.e., a DHCP log) of the device. Based on the user online process in the first example, the DHCP log may record the correspondence between the user terminal identifier and the source network address. The network device may obtain a DHCP log from the DHCP server, further extract the user terminal identifier and the source network address from the DHCP log, and then correspondingly store the user terminal identifier and the source network address to establish a corresponding relationship (i.e., a third corresponding relationship) between the user terminal identifier and the source network address.
And secondly, determining second account information and a second source network address corresponding to the user terminal identification in the pre-stored corresponding relation and the third corresponding relation between the user terminal identification and the account information aiming at each user terminal identification.
In the embodiment of the present application, since the user terminal used by each user is usually fixed, for example, in an enterprise network, each employee may use a fixed computer. Therefore, the corresponding relationship between the user terminal identification and the account information can be configured in advance and stored in the network device. For each user terminal identifier, the network device may determine, in a pre-stored correspondence between the user terminal identifier and the account information, account information corresponding to the user terminal identifier (which may be referred to as second account information for convenience of distinction), and may determine, from the third correspondence, a source network address corresponding to the user terminal identifier (which may be referred to as a second source network address for convenience of distinction).
And step three, correspondingly storing the second account information and the second source network address to obtain a second corresponding relation.
In the embodiment of the present application, for each user terminal identifier, after acquiring the second account information and the second source network address corresponding to the user terminal identifier, the network device may correspondingly store the second account information and the second source network address, so as to establish a corresponding relationship (i.e., a second corresponding relationship) between the account information and the source network address.
Step 203, generating a security policy based on the source network address and the authority information corresponding to the same account information in the first corresponding relationship and the second corresponding relationship.
In the embodiment of the application, the network device can perform correlation analysis on the user permission list and the user network list so as to obtain the security policy. In one implementation, the network device may determine a source network address and authority information corresponding to the same account information in the first corresponding relationship and the second corresponding relationship, and then generate a security policy including the source network address and the authority information.
Optionally, the specific processing procedure of step 203 may be: for each account information, acquiring a first destination network address and a first processing action corresponding to the account information from a first corresponding relation, and acquiring a first source network address corresponding to the account information from a second corresponding relation; a security policy is generated that includes a first source network address, a first destination network address, and a first processing action.
In this embodiment of the present application, for each account information included in the user permission list, the network device may obtain first permission information (i.e., a first destination network address and a first processing action) corresponding to the account information in the user permission list, and may search, in the user network list, whether a source network address (i.e., a first source network address) corresponding to the account information exists. If so, a security policy is generated that includes the first source network address, the first destination network address, and the first processing action. And if the first source network address corresponding to the account information is not found, the security policy is not generated. Optionally, the network device may also determine account information that is commonly included in the user permission list and the user network list, and then generate a security policy corresponding to the account information.
In one example, the contents of the user rights list are shown in Table one and the user networks list is shown in Table two.
Watch 1
Watch two
| Account information | Source network address |
| Account 1 | Source network address E |
| Account 2 | Source network address F |
| Account 3 | Source network address G |
The security policies generated from table one and table two are as shown in table three.
Watch III
| Source network address | Destination network address | Processing actions |
| Source network address E | Target network address A | Release |
| Source network address F | Target network address B | Discard the |
| Source network address G | Target network address A | Release |
And 204, sending the generated security policy to the access control equipment so that the access control equipment performs access control on each user according to the security policy.
In the embodiment of the application, after the network device generates the security policy, the corresponding relationship between the security policy and the account information may be stored, and the generated security policy may be sent to the access control device. The access control device may then receive and store the security policy. Subsequently, after the access control device receives the communication message, the source network address and the destination network address can be extracted from the communication message, the extracted network addresses are matched with each security policy to determine the security policy hit by the communication message, and the communication message is processed according to the processing action in the hit security policy, so that the access control of the user is realized. For example, if the processing action in the security policy is "release", the access control device releases the communication packet hitting the security policy, so that the user accesses the network resource corresponding to the destination network address; if the processing action in the security policy is "discard", the access control device discards the communication packet hitting the security policy to prevent the user from accessing the network resource.
Optionally, the issuing manner of the security policy may be various, and this embodiment provides two feasible implementation manners, which are specifically described as follows.
And in the first mode, the generated security policy is sent to the access control equipment through an Application Program Interface (API) interface corresponding to the access control equipment.
In this embodiment, an Application Programming Interface (API) may be provided between the network device and the access control device, and the network device and the access control device may communicate with each other through the API. Based on this, the network device may send the generated security policy to the access control device through the API interface.
And secondly, sending the generated security policy to the access control equipment in a remote command mode.
In the embodiment of the application, if no API is set between the network device and the access control device, the network device may simulate a technician to log in the access control device remotely, and then send the generated security policy to the access control device in a remote command manner.
Optionally, when the network device detects that the user permission list or the user network list is updated, the security policy may be updated in real time, and the specific process is as follows: and when detecting that the authority information corresponding to the target account information is updated, modifying the source network address in the security policy corresponding to the target account information into the updated authority information, and issuing the security policy again. And when detecting that the source network address corresponding to the target account information is updated, modifying the source network address in the security policy corresponding to the target account information into the updated source network address, and issuing the security policy again.
In the embodiment of the present application, a technician may modify authority information (destination network address or processing action) corresponding to certain account information (which may be referred to as target account information) in the database. For example, after the authority of a user is upgraded, the authority of the resource of the destination address a is changed from being inaccessible to being accessible, and then the technical staff may modify the security policy < target account information-destination address a-discard > in the database to < target account information-destination address a-release >. When the modification is completed, the database may send the target account information and the modified rights information to the network device. The network device may search a security policy (which may be referred to as a target security policy) corresponding to the target account information from the locally stored security policies, modify the authority information in the target security policy into updated authority information, and re-issue the updated security policy to the access control policy. Optionally, in another implementation, the network device may also actively query whether the database is modified, and if so, update the security policy according to the modified data.
Similarly, the IP address of the ue is dynamically allocated, so that the ue has a preset validity duration. When the IP address is over, the DHCP server will re-assign the IP address for the user terminal. At this time, the log storage server updates the system log, and the updated system log includes the destination account information and the newly allocated IP address (i.e., the source network address). The log storage server may send the target account information and the newly assigned source network address to the network device. The network device modifies the source network address in the security policy corresponding to the target account information into the updated source network address, and re-issues the updated security policy to the access control policy. Optionally, in another implementation manner, the network device may also actively query whether the system login log corresponding to the target account information is updated, and if so, update the security policy according to the updated source network address.
In the embodiment of the application, the network device can obtain the network logs of the users and a pre-stored user authority list, the user authority list comprises the account information of the users and the first corresponding relation of the authority information, and the authority information comprises the destination network address and the processing action. And then, acquiring a second corresponding relation between the account information of each user and the source network address according to the network log of each user, further generating a security policy based on the source network address and the authority information corresponding to the same account information in the first corresponding relation and the second corresponding relation, and sending the generated security policy to the access control equipment so that the access control equipment can perform access control on each user according to the security policy. According to the scheme, the network equipment can automatically generate the security policy and issue the security policy to the access control equipment, technical personnel do not need to manually configure the security policy in each access control equipment, and the efficiency of configuring the security policy is improved. In addition, in the scheme, the security policy is generated based on the user authority list and the user network list, so that the method and the device can be applied to the firewall equipment which is used at present and identified based on the security policy, and a next-generation firewall with more functions (such as an application layer identification function and a gateway function) is not required to be deployed, so that the network deployment cost is reduced. In addition, the network equipment can also detect whether the IP address or the authority information of the user changes, and if the IP address or the authority information of the user changes, the security policy can be regenerated and issued without being reconfigured by technical personnel, so that the labor cost is saved.
Fig. 3 is a flowchart of an example of a method for issuing a security policy according to an embodiment of the present application, as shown in fig. 3,
step 301, obtaining the weblog of each user.
Step 302, a pre-stored user authority list is obtained.
The user authority list comprises account information of each user and a first corresponding relation of authority information, and the authority information comprises a destination IP address and a processing action.
Step 303, analyzing the weblog of each user to obtain a second corresponding relationship between the account information of each user and the source IP address.
Step 304, for each account information, a first destination IP address and a first processing action corresponding to the account information are obtained from the first corresponding relationship, and a first source IP address corresponding to the account information is obtained from the second corresponding relationship.
Step 305, a security policy is generated that includes the first source IP address, the first destination IP address, and the first processing action.
And step 306, sending the security policy to the access control device, so that the access control device performs access control on each user according to the security policy.
Based on the same technical concept, an embodiment of the present application further provides a device for issuing a security policy, as shown in fig. 4, the device includes:
a first obtaining module 410, configured to obtain a weblog of each user and a pre-stored user permission list, where the user permission list includes a first corresponding relationship between account information and permission information of each user, and the permission information includes a destination network address and a processing action;
a second obtaining module 420, configured to obtain, according to the weblog of each user, a second correspondence between the account information of each user and the source network address;
a generating module 430, configured to generate a security policy based on the source network address and the authority information corresponding to the same account information in the first corresponding relationship and the second corresponding relationship;
a sending module 440, configured to send the generated security policy to the access control device, so that the access control device performs access control on each user according to the security policy.
Optionally, the generating module 430 is specifically configured to:
for each account information, acquiring a first destination network address and a first processing action corresponding to the account information from a first corresponding relation, and acquiring a first source network address corresponding to the account information from a second corresponding relation;
a security policy is generated that includes a first source network address, a first destination network address, and a first processing action.
Optionally, the weblog is a system login log;
the second obtaining module 420 is specifically configured to:
and extracting the account information and the source network address of the login account from the system login log corresponding to each user, and correspondingly storing the extracted account information and the source network address to obtain a second corresponding relation.
Optionally, the weblog is a dynamic host configuration protocol DHCP log;
the second obtaining module 420 is specifically configured to:
acquiring a third corresponding relation between the user terminal identification and the source network address from the DHCP log;
for each user terminal identification, determining second account information and a second source network address corresponding to the user terminal identification in a pre-stored corresponding relationship and a third corresponding relationship between the user terminal identification and the account information;
and correspondingly storing the second account information and the second source network address to obtain a second corresponding relation.
Optionally, the sending module 440 is specifically configured to:
sending the generated security policy to the access control device through an Application Program Interface (API) interface corresponding to the access control device; alternatively, the first and second electrodes may be,
and sending the generated security policy to the access control device in a remote command mode.
In the embodiment of the application, the network device can obtain the network logs of the users and a pre-stored user authority list, the user authority list comprises the account information of the users and the first corresponding relation of the authority information, and the authority information comprises the destination network address and the processing action. And then, acquiring a second corresponding relation between the account information of each user and the source network address according to the network log of each user, further generating a security policy based on the source network address and the authority information corresponding to the same account information in the first corresponding relation and the second corresponding relation, and sending the generated security policy to the access control equipment so that the access control equipment can perform access control on each user according to the security policy. According to the scheme, the network equipment can automatically generate the security policy and issue the security policy to the access control equipment, technical personnel do not need to manually configure the security policy in each access control equipment, and the efficiency of configuring the security policy is improved.
Based on the same technical concept, the embodiment of the present invention further provides a network device, as shown in fig. 5, including a processor 501, a communication interface 502, a memory 503 and a communication bus 504, where the processor 501, the communication interface 502 and the memory 503 complete mutual communication through the communication bus 504,
a memory 503 for storing a computer program;
the processor 501, when executing the program stored in the memory 503, implements the following steps:
acquiring a network log of each user and a pre-stored user permission list, wherein the user permission list comprises a first corresponding relation between account information and permission information of each user, and the permission information comprises a destination network address and a processing action;
acquiring a second corresponding relation between the account information of each user and a source network address according to the network log of each user;
generating a security policy based on the source network address and the authority information corresponding to the same account information in the first corresponding relationship and the second corresponding relationship;
and sending the generated security policy to access control equipment so that the access control equipment performs access control on each user according to the security policy.
Optionally, the generating a security policy based on the source network address and the authority information corresponding to the same account information in the first corresponding relationship and the second corresponding relationship includes:
for each account information, acquiring a first destination network address and a first processing action corresponding to the account information from the first corresponding relation, and acquiring a first source network address corresponding to the account information from the second corresponding relation;
generating a security policy comprising the first source network address, the first destination network address, and the first processing action.
Optionally, the weblog is a system login log;
the obtaining of the second corresponding relationship between the account information of each user and the source network address according to the network log of each user includes:
and extracting account information and a source network address of a login account from the system login logs corresponding to the users, and correspondingly storing the extracted account information and the source network address to obtain a second corresponding relation.
Optionally, the weblog is a dynamic host configuration protocol DHCP log;
the obtaining of the second corresponding relationship between the account information of each user and the source network address according to the network log of each user includes:
acquiring a third corresponding relation between the user terminal identification and the source network address from the DHCP log;
for each user terminal identification, determining second account information and a second source network address corresponding to the user terminal identification in the corresponding relation and the third corresponding relation of the pre-stored user terminal identification and account information;
and correspondingly storing the second account information and the second source network address to obtain a second corresponding relation.
Optionally, the sending the generated security policy to the access control device includes:
sending the generated security policy to the access control device through an Application Program Interface (API) interface corresponding to the access control device; alternatively, the first and second electrodes may be,
and sending the generated security policy to the access control device in a remote command mode.
The communication bus mentioned in the network device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the network device and other devices.
The Memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The Processor may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but also Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components.
In another embodiment of the present invention, a computer-readable storage medium is further provided, in which a computer program is stored, and when executed by a processor, the computer program implements the steps of any one of the above-mentioned security policy issuing methods.
In another embodiment of the present invention, a computer program product containing instructions is further provided, which when run on a computer, causes the computer to execute the method for issuing any one of the security policies in the above embodiments.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website site, computer, server, or data center to another website site, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is merely exemplary of the present application and is presented to enable those skilled in the art to understand and practice the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A method for issuing a security policy is characterized by comprising the following steps:
acquiring a network log of each user and a pre-stored user permission list, wherein the user permission list comprises a first corresponding relation between account information and permission information of each user, and the permission information comprises a destination network address and a processing action;
acquiring a second corresponding relation between the account information of each user and a source network address according to the network log of each user;
generating a security policy based on the source network address and the authority information corresponding to the same account information in the first corresponding relationship and the second corresponding relationship;
and sending the generated security policy to access control equipment so that the access control equipment performs access control on each user according to the security policy.
2. The method according to claim 1, wherein generating a security policy based on a source network address and authority information corresponding to the same account information in the first corresponding relationship and the second corresponding relationship comprises:
for each account information, acquiring a first destination network address and a first processing action corresponding to the account information from the first corresponding relation, and acquiring a first source network address corresponding to the account information from the second corresponding relation;
generating a security policy comprising the first source network address, the first destination network address, and the first processing action.
3. The method of claim 1, wherein the weblog is a system log;
the obtaining of the second corresponding relationship between the account information of each user and the source network address according to the network log of each user includes:
and extracting account information and a source network address of a login account from the system login logs corresponding to the users, and correspondingly storing the extracted account information and the source network address to obtain a second corresponding relation.
4. The method of claim 1, wherein the weblog is a Dynamic Host Configuration Protocol (DHCP) log;
the obtaining of the second corresponding relationship between the account information of each user and the source network address according to the network log of each user includes:
acquiring a third corresponding relation between the user terminal identification and the source network address from the DHCP log;
for each user terminal identification, determining second account information and a second source network address corresponding to the user terminal identification in the corresponding relation and the third corresponding relation of the pre-stored user terminal identification and account information;
and correspondingly storing the second account information and the second source network address to obtain a second corresponding relation.
5. The method of claim 1, wherein sending the generated security policy to an access control device comprises:
sending the generated security policy to the access control device through an Application Program Interface (API) interface corresponding to the access control device; alternatively, the first and second electrodes may be,
and sending the generated security policy to the access control device in a remote command mode.
6. An issuing device of a security policy, characterized in that the device comprises:
the system comprises a first acquisition module, a second acquisition module and a third acquisition module, wherein the first acquisition module is used for acquiring a weblog of each user and a pre-stored user permission list, the user permission list comprises a first corresponding relation between account information and permission information of each user, and the permission information comprises a destination network address and a processing action;
a second obtaining module, configured to obtain, according to the weblog of each user, a second correspondence between the account information of each user and the source network address;
a generating module, configured to generate a security policy based on a source network address and permission information corresponding to the same account information in the first corresponding relationship and the second corresponding relationship;
and the sending module is used for sending the generated security policy to the access control equipment so that the access control equipment can carry out access control on each user according to the security policy.
7. The apparatus of claim 6, wherein the generating module is specifically configured to:
for each account information, acquiring a first destination network address and a first processing action corresponding to the account information from the first corresponding relation, and acquiring a first source network address corresponding to the account information from the second corresponding relation;
generating a security policy comprising the first source network address, the first destination network address, and the first processing action.
8. The apparatus of claim 6, wherein the weblog is a system log;
the second obtaining module is specifically configured to:
and extracting account information and a source network address of a login account from the system login logs corresponding to the users, and correspondingly storing the extracted account information and the source network address to obtain a second corresponding relation.
9. The network equipment is characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor and the communication interface are used for realizing the communication between the processor and the memory through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any one of claims 1 to 5 when executing a program stored in the memory.
10. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any one of the claims 1-5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010182620.7A CN113407983A (en) | 2020-03-16 | 2020-03-16 | Security policy issuing method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010182620.7A CN113407983A (en) | 2020-03-16 | 2020-03-16 | Security policy issuing method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113407983A true CN113407983A (en) | 2021-09-17 |
Family
ID=77676663
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010182620.7A Pending CN113407983A (en) | 2020-03-16 | 2020-03-16 | Security policy issuing method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113407983A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115150170A (en) * | 2022-06-30 | 2022-10-04 | 北京天融信网络安全技术有限公司 | Security policy configuration method and device, electronic equipment and storage medium |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060098900A1 (en) * | 2004-09-27 | 2006-05-11 | King Martin T | Secure data gathering from rendered documents |
| CN101764742A (en) * | 2009-12-30 | 2010-06-30 | 福建星网锐捷网络有限公司 | Network resource visit control system and method |
| CN103458003A (en) * | 2013-08-15 | 2013-12-18 | 中电长城网际系统应用有限公司 | Access control method and system of self-adaptation cloud computing environment virtual security domain |
| CN106302371A (en) * | 2015-06-12 | 2017-01-04 | 北京网御星云信息技术有限公司 | A kind of firewall control method based on subscriber service system and system |
| CN106375318A (en) * | 2016-09-01 | 2017-02-01 | 北京神州绿盟信息安全科技股份有限公司 | Network access control system and method |
| CN109460653A (en) * | 2018-10-22 | 2019-03-12 | 武汉极意网络科技有限公司 | Verification method, verifying equipment, storage medium and the device of rule-based engine |
| CN110110510A (en) * | 2019-04-17 | 2019-08-09 | 中国石油化工股份有限公司 | A kind of engineering calculation model management method based on cloud computing |
| CN110620782A (en) * | 2019-09-29 | 2019-12-27 | 深圳市珍爱云信息技术有限公司 | Account authentication method and device, computer equipment and storage medium |
| CN110650065A (en) * | 2019-09-24 | 2020-01-03 | 中国人民解放军战略支援部队信息工程大学 | Internet-oriented network equipment public testing system and testing method |
| US10560478B1 (en) * | 2011-05-23 | 2020-02-11 | Palo Alto Networks, Inc. | Using log event messages to identify a user and enforce policies |
-
2020
- 2020-03-16 CN CN202010182620.7A patent/CN113407983A/en active Pending
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060098900A1 (en) * | 2004-09-27 | 2006-05-11 | King Martin T | Secure data gathering from rendered documents |
| CN101764742A (en) * | 2009-12-30 | 2010-06-30 | 福建星网锐捷网络有限公司 | Network resource visit control system and method |
| US10560478B1 (en) * | 2011-05-23 | 2020-02-11 | Palo Alto Networks, Inc. | Using log event messages to identify a user and enforce policies |
| CN103458003A (en) * | 2013-08-15 | 2013-12-18 | 中电长城网际系统应用有限公司 | Access control method and system of self-adaptation cloud computing environment virtual security domain |
| CN106302371A (en) * | 2015-06-12 | 2017-01-04 | 北京网御星云信息技术有限公司 | A kind of firewall control method based on subscriber service system and system |
| CN106375318A (en) * | 2016-09-01 | 2017-02-01 | 北京神州绿盟信息安全科技股份有限公司 | Network access control system and method |
| CN109460653A (en) * | 2018-10-22 | 2019-03-12 | 武汉极意网络科技有限公司 | Verification method, verifying equipment, storage medium and the device of rule-based engine |
| CN110110510A (en) * | 2019-04-17 | 2019-08-09 | 中国石油化工股份有限公司 | A kind of engineering calculation model management method based on cloud computing |
| CN110650065A (en) * | 2019-09-24 | 2020-01-03 | 中国人民解放军战略支援部队信息工程大学 | Internet-oriented network equipment public testing system and testing method |
| CN110620782A (en) * | 2019-09-29 | 2019-12-27 | 深圳市珍爱云信息技术有限公司 | Account authentication method and device, computer equipment and storage medium |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115150170A (en) * | 2022-06-30 | 2022-10-04 | 北京天融信网络安全技术有限公司 | Security policy configuration method and device, electronic equipment and storage medium |
| CN115150170B (en) * | 2022-06-30 | 2024-03-12 | 北京天融信网络安全技术有限公司 | Security policy configuration method, device, electronic equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11652793B2 (en) | Dynamic firewall configuration | |
| US20200084097A1 (en) | Blockchain-based configuration profile provisioning system | |
| CN111460460B (en) | Task access method, device, proxy server and machine-readable storage medium | |
| CN107547565B (en) | Network access authentication method and device | |
| WO2018113730A1 (en) | Method and apparatus for detecting network security | |
| CN110971569A (en) | Network access authority management method and device and computing equipment | |
| US8102860B2 (en) | System and method of changing a network designation in response to data received from a device | |
| CN112597472A (en) | Single sign-on method, device and storage medium | |
| JP4753953B2 (en) | Software execution management apparatus, method and program thereof | |
| CN110968848B (en) | User-based rights management method and device and computing equipment | |
| CN112995166B (en) | Authentication method and device for resource access, storage medium and electronic equipment | |
| CN110855709A (en) | Access control method, device, equipment and medium for security access gateway | |
| CN106254319B (en) | Light application login control method and device | |
| CN112738100A (en) | Authentication method, device, authentication equipment and authentication system for data access | |
| CN107948979B (en) | Information processing method and device and auditing equipment | |
| CN112995164B (en) | Resource access authentication method and device, storage medium and electronic equipment | |
| CN108076500B (en) | Method and device for managing local area network and computer readable storage medium | |
| CN113407983A (en) | Security policy issuing method and device | |
| CN111147625B (en) | Method, device and storage medium for acquiring local external network IP address | |
| US20150067766A1 (en) | Application service management device and application service management method | |
| CN112688899A (en) | In-cloud security threat detection method and device, computing equipment and storage medium | |
| CN110971570A (en) | Network access authority control method and device and computing equipment | |
| CN114866247A (en) | Communication method, device, system, terminal and server | |
| WO2016179960A1 (en) | Domain name system (dns) resolution processing method and device | |
| JP2022070222A (en) | Computer-implemented methods, device provisioning systems and computer programs (internet-of-things device provisioning) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |