CN117353958A - Processing method of security policy and related device - Google Patents


Info

Publication number: CN117353958A
Authority: CN (China)
Prior art keywords: security; address; security policy; intention; access behavior
Legal status: Pending
Application number: CN202210752166.3A
Other languages: Chinese (zh)
Inventors: 吴朱亮, 谢于明, 王仲宇, 张亮, 韩涛
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN202210752166.3A
Priority to PCT/CN2023/102352 (WO2024001998A1)
Publication of CN117353958A
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/0263 Rule management
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a processing method of a security policy, and relates to the technical field of network security. The first communication device obtains a first security policy configured on the first security device, and generates a first security intention according to the first security policy. The first security policy indicates a first access behavior of the first address to the second address, the first access behavior being either permission or prohibition of access; the first security intent indicates the first access behavior of the first object to the second object, where the first object or the second object comprises any one of: the type of user, the name of the service, or the name of the network area. Because it is expressed in an easily understood form, the security intent directly represents the access requirements between services, between networks, between users, or among users, services, and networks. The security policy represented by IP information is converted into an easy-to-understand security intention, so that a network administrator can more easily understand and maintain the security policy.

Description

Processing method of security policy and related device
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method and an apparatus for processing a security policy.
Background
In recent years, network security issues have become increasingly prominent. To secure the network, a security device (e.g., a firewall) is deployed to deter external attacks.
Network administrators typically configure security policies one at a time based on the Internet Protocol (IP) 5-tuple (the IP quintuple) so that firewalls can identify messages that need to be blocked or messages that are allowed to pass, but 5-tuple based security policies are inconvenient to understand and maintain.
Disclosure of Invention
The application provides a processing method and a related device of a security policy, so that the security policy is easier to understand and maintain.
The first aspect of the present application provides a method for processing a security policy, which may be applied to a first communication device. The first communication device is, for example, a network management device or other devices deployed in an internal network or an external network. The first communication device obtains a first security policy configured on the first security device and generates a first security intention according to the first security policy.
The first security policy indicates a first access behavior of the first address to the second address, the first access behavior being either allowing or prohibiting access. For example, the first address is a source address and the second address is a destination address. The source address is, for example, a source media access control (MAC) address, a source IP address, a source port, or a combination of these. The destination address is, for example, a destination MAC address, a destination IP address, a destination port, or a combination of these.
The first security intent indicates the first access behavior of the first object to the second object, where the first object or the second object comprises any one of: the type of user, the name of the service, or the name of the network area. The first security intent is expressed, for example, in natural language, stating that an access behavior is allowed or prohibited. The first object is the initiator of the first access behavior, e.g. the first object may be the type of user initiating the first access behavior, the name of a service initiating the first access behavior, or the name of a network area initiating the first access behavior. The second object is the recipient of the first access behavior, e.g. the second object is the type of user that the first object is allowed or prohibited to access, the name of a service that the first object is allowed or prohibited to access, or the name of a network area that the first object is allowed or prohibited to access.
In this scheme, the security intention is expressed in an easy-to-understand form and directly represents the access requirements between services, between networks, between users, or among users, services, and networks. The security policy represented by IP information is therefore converted into an easy-to-understand security intention, so that the security policy is easier to understand and maintain.
Optionally, the first communication device determines the first object from the first address and the second object from the second address. For example, a source IP address, a source port, a protocol type, or a combination of the above are used to determine the first object. For example, the destination IP address, the destination port, the protocol type, or a combination of the above information is used to determine the second object.
The corresponding relation between the first address and the second address in the security policy and the first object and the second object in the security intention is clarified, and the accuracy of the conversion process from the security intention to the security policy is improved.
Optionally, the first communication device determines the first object according to the first address and an object information base, and determines the second object according to the second address and the object information base. That is, the first object corresponding to the first address and the second object corresponding to the second address are looked up in the object information base. The object information base includes each object of at least one object and the address information of each object; the at least one object includes the first object and the second object, and each object is any one of the following: a type of user, a name of a service, or a name of a network area.
In the scheme, the first object corresponding to the first address and the second object corresponding to the second address are determined according to the object description information, so that the efficiency of converting the security policy into the security intention is improved.
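The conversion described above, written out as an added Python example (this is not code from the patent or from Huawei; the object information base layout, the names such as "finance users" and "Web service", and all addresses are constructed sample values). Each entry of the base names an object, its kind (user type, service, or network area) and the address information it points to; a 5-tuple policy is converted by looking up the most specific object covering its source address and its destination address, port and protocol. An address that no entry covers raises an error instead of guessing, which is the situation in which the administrator extends the base (the dynamic update of the object information base described further below); `add_object` shows that step.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ObjectEntry:
    """One row of the object information base (hypothetical layout)."""
    name: str                    # e.g. "finance users", "Web service", "data center"
    kind: str                    # "user type", "service" or "network area"
    network: str                 # CIDR range the object points to
    port: Optional[int] = None   # service port; only set for service objects
    proto: Optional[str] = None  # "tcp" / "udp"; only set for service objects


# Constructed sample object information base (all values are made up).
OBJECT_INFO_BASE: List[ObjectEntry] = [
    ObjectEntry("office park", "network area", "10.1.0.0/16"),
    ObjectEntry("finance users", "user type", "10.1.20.0/24"),
    ObjectEntry("data center", "network area", "10.2.0.0/16"),
    ObjectEntry("Web service", "service", "10.2.1.10/32", 443, "tcp"),
    ObjectEntry("database service", "service", "10.2.1.20/32", 3306, "tcp"),
]


@dataclass(frozen=True)
class SecurityPolicy:
    """A 5-tuple style rule as configured on a security device."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    action: str  # "allow" or "deny"


@dataclass(frozen=True)
class SecurityIntent:
    first_object: str   # initiator of the access behavior
    second_object: str  # recipient of the access behavior
    action: str

    def text(self) -> str:
        """Natural-language form of the intent."""
        verb = "allowed" if self.action == "allow" else "prohibited"
        return f"{self.first_object} is {verb} to access {self.second_object}"


def lookup_object(ip: str, port: Optional[int] = None, proto: Optional[str] = None,
                  base: List[ObjectEntry] = OBJECT_INFO_BASE) -> Optional[ObjectEntry]:
    """Most specific object covering the address (and port/protocol, if given)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for entry in base:
        net = ipaddress.ip_network(entry.network)
        if addr not in net:
            continue
        if entry.port is not None and (entry.port != port or entry.proto != proto):
            continue  # service object, but the port/protocol does not match
        # Rank: a port-qualified service beats a plain range; longer prefix wins.
        rank = (entry.port is not None, net.prefixlen)
        if best is None or rank > best[0]:
            best = (rank, entry)
    return None if best is None else best[1]


def policy_to_intent(policy: SecurityPolicy,
                     base: List[ObjectEntry] = OBJECT_INFO_BASE) -> SecurityIntent:
    """Generate the security intent for one security policy."""
    first = lookup_object(policy.src_ip, base=base)
    second = lookup_object(policy.dst_ip, policy.dst_port, policy.proto, base=base)
    if first is None or second is None:
        # Address not yet in the base: the administrator has to name the object
        # and add it (see add_object) before this policy can be converted.
        missing = policy.src_ip if first is None else policy.dst_ip
        raise LookupError(f"no object in the information base covers {missing}")
    return SecurityIntent(first.name, second.name, policy.action)


def add_object(entry: ObjectEntry,
               base: List[ObjectEntry] = OBJECT_INFO_BASE) -> List[ObjectEntry]:
    """Return a new object information base extended with one more object."""
    return base + [entry]
```

With this base, the policy "10.1.20.7 to 10.2.1.10:443/tcp, allow" becomes "finance users is allowed to access Web service", while a policy towards 10.2.1.10 on a port that is not a known service falls back to the enclosing network area "data center". Ranking the port-qualified service entry above the plain address range is the choice that keeps the generated intent as specific as the base allows.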
Optionally, the first security intention is used to check whether the first security policy matches the security policy deployment intention. The security policy deployment intention indicates that the access behavior of one object to another object is allowed or forbidden, and each of these objects is specifically: a user type, a name of a service, or a name of a network area. That is, by comparing the first security intent with the security policy deployment intent, the first security policy is verified to be reasonable.
Optionally, the security policy deployment intent indicates a second access behavior of the third object to the fourth object. When the third object and the first object each include a first sub-address, the fourth object and the second object each include a second sub-address, and the first access behavior and the second access behavior are the same, the first communication device determines that the first security policy matches the security policy deployment intent.
For example, "the third object and the first object each include the first sub-address" may include any of the following cases: the third object comprises the first object, the first object comprises the third object, or the first sub-address is part of an address to which the third object points, and the first sub-address is part of an address to which the first object points. It should be noted that, the concepts of the first sub-address and the second sub-address are used to explain the relationship between the third object and the first object, and the first communication device may determine the relationship between the third object and the first object directly according to the first object and the second object. For example, the third object is network area 1, the first object is service 1 in network area 1, and then the third object includes the first object, where the address pointed to by the first object is part of the address pointed to by the third object. For another example, the third object is service C, and service C is provided in each of the network area 1, the network area 2, and the network area 3, and the first object is network area 1, and then the address to which the third object points and the address to which the first object points each include an address (i.e., one example of the first sub-address) of the device that provides service C in network area 1, and so on.
Optionally, the first security intention is used to check whether the newly added security policy deployment intention conflicts with the first security intention. The newly added security policy deployment intention is, for example, a deployment intention of a security policy determined based on a service to be opened, and one newly added security policy deployment intention is used to indicate that an access behavior of one object to another object is allowed or prohibited. After the newly added security policy deployment intention appears, before the security policy corresponding to the newly added security policy deployment intention is configured, whether the newly added security policy deployment intention conflicts with the plurality of first security intents is checked, so that the possibility that the newly added security policy conflicts with the existing security policy is reduced, the stability of the network operation process is improved, and the network can be guaranteed to provide services for users smoothly.
Optionally, the additional security policy deployment intent indicates a third access behavior of the fifth object to the sixth object. When the first object and the fifth object each include a third sub-address, the second object and the sixth object each include a fourth sub-address, and the first access behavior and the third access behavior are different, the first communication device determines that the newly added security policy deployment intent conflicts with the first security intent.
Optionally, the first communication device obtains a second security policy configured on the second security device, and generates the second security intention according to the second security policy. The second security policy indicates a fourth access behavior of the first address to the second address. The second security intent indicates that the first object performs a fourth access behavior on the second object. The first security device is located on an access path of the first address to the second address, the second security device being any other security device on the access path. The acquisition of the information is beneficial to subsequent maintenance of security policies on other security devices on the access path of the first address to the second address.
Optionally, the first security intention and the second security intention are used to verify whether the first security policy and the second security policy match the security policy deployment intention. That is, by comparing the first security intention and the second security intention, and the security policy deployment intention, verification of the rationality of the first security policy and the second security policy is achieved.
Optionally, the security policy deployment intent indicates a second access behavior of the third object to the fourth object. When the third object and the first object each comprise a first sub-address, the fourth object and the second object each comprise a second sub-address, and the first access behavior and the fourth access behavior are the same as the second access behavior, the first communication device determines that the first security policy and the second security policy match the security policy configuration intent.
Optionally, if the first access behavior is prohibited access, the first security intent and the second security intent may be used to check whether configuration redundancy exists. Determining from the first security intention and the second security intention whether redundant security policies are configured on several security devices allows the redundant security policies to be found in time, improving the resource utilization of the security devices.
Optionally, the first communication device determines that there is configuration redundancy when both the first security intention and the second security intention indicate that the first object is prohibited from accessing the second object. When the access behavior of the first address to the second address is to be prohibited, only a security policy for prohibiting the access behavior of the first address to the second address is configured on any security device on the access path from the first address to the second address, so that when both the first security intention and the second security intention indicate that the first object is prohibited from accessing the second object, it is determined that there is a configuration redundancy between the first security policy and the second security policy, and a specific implementation scheme for determining the configuration redundancy is provided, which enhances the feasibility of the scheme.
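The four checks described in this section, as an added Python example that is not code from the patent or from Huawei. Objects carry the address ranges they point to, so "the third object and the first object each include a first sub-address" becomes an overlap test between ranges, which covers all three cases listed earlier (one object contains the other, or they partly overlap, as with a service provided in several network areas). All object names, ranges and device names are constructed sample values; the "deny" action stands for the patent's "prohibit access".

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Obj:
    """An object of a security intent and the address ranges it points to."""
    name: str
    networks: Tuple[str, ...]  # CIDR ranges (constructed sample values)


@dataclass(frozen=True)
class Intent:
    first: Obj        # initiator of the access behavior
    second: Obj       # recipient of the access behavior
    action: str       # "allow" or "deny"
    device: str = ""  # security device the intent was derived from, if any


def share_sub_address(a: Obj, b: Obj) -> bool:
    """True when some address lies in both objects' ranges (a shared sub-address).
    Covers a containing b, b containing a, and partial overlap alike."""
    return any(ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y))
               for x in a.networks for y in b.networks)


def same_pair(p: Intent, q: Intent) -> bool:
    """Both intents speak about (some of) the same initiator and recipient."""
    return share_sub_address(p.first, q.first) and share_sub_address(p.second, q.second)


def matches_deployment_intent(policy_intent: Intent, deploy_intent: Intent) -> bool:
    """First check: the policy on one device matches the deployment intent."""
    return same_pair(policy_intent, deploy_intent) and policy_intent.action == deploy_intent.action


def conflicts_with_existing(new_intent: Intent, existing: List[Intent]) -> List[Intent]:
    """Second check: existing intents that contradict a newly added deployment intent."""
    return [e for e in existing if same_pair(new_intent, e) and e.action != new_intent.action]


def path_matches_deployment_intent(path_intents: List[Intent], deploy_intent: Intent) -> bool:
    """Third check: every device on the access path matches the deployment intent."""
    return bool(path_intents) and all(matches_deployment_intent(i, deploy_intent)
                                      for i in path_intents)


def redundant_denies(path_intents: List[Intent]) -> List[str]:
    """Fourth check: devices on one access path that all deny the same pair.
    One deny on the path already blocks the traffic, so the others are redundant."""
    denies = [i for i in path_intents if i.action == "deny"]
    if len(denies) < 2 or not all(same_pair(denies[0], d) for d in denies[1:]):
        return []
    return [d.device for d in denies]


# Constructed sample objects.
OFFICE = Obj("office park", ("10.1.0.0/16",))
FINANCE = Obj("finance users", ("10.1.20.0/24",))
WEB = Obj("Web service", ("10.2.1.10/32",))
DB = Obj("database service", ("10.2.1.20/32",))
TEST_SERVER = Obj("test server", ("10.2.3.5/32",))
# A service offered in several network areas, as in the "service C" example above.
SERVICE_C = Obj("service C", ("10.1.0.9/32", "10.2.0.9/32", "10.3.0.9/32"))
```

With these objects, a deployment intent "office park may access Web service" is matched by a firewall intent "finance users may access Web service" (finance users sit inside the office park range), a newly added "finance users may not access Web service" conflicts with that existing allow, and two firewalls on the same path that both deny "test server to database service" are reported as redundant.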
Optionally, the first communication device may display the first security policy and the first security intention to the user through a graphical user interface (GUI) or through the second communication device. Displaying the security policy together with the security intention obtained from it, that is, associating the security intention with the security policy, lets the user understand the meaning of the security policy more easily and reduces the difficulty of the maintenance stage of the security policy.
Optionally, the first communication device may display the first content, the second content, and the third content to the user through the GUI or the second communication device. The first content comprises the first object, the first address and the correspondence between the first object and the first address; the second content comprises the second object, the second address and the correspondence between the second object and the second address; and the third content comprises the first access behavior.
Optionally, the first communication device may display one or more of the following to the user via the GUI or the second communication device: the first check result, the second check result, the third check result, or the fourth check result. The first verification result indicates whether the first security policy matches the security policy deployment intent. The second check result indicates whether the newly added security policy deployment intention conflicts with the first security intention. The third verification result indicates whether the first security policy and the second security policy match the security policy deployment intent. The fourth check result indicates whether there is configuration redundancy. The verification result is displayed, so that a user can be prompted to timely find out the deployed security policy in the security device or the problems existing in the security policy to be deployed, and the stability of network operation can be improved.
Optionally, the first communication device obtains a third security policy from the third security device, where the third security policy indicates that the access behavior of the third address to the fourth address is allowed or prohibited, obtains a seventh object corresponding to the third address, obtains an eighth object corresponding to the fourth address, and adds the correspondence between the seventh object and the third address and the correspondence between the eighth object and the fourth address to the object information base, to obtain a new object information base. The seventh object or the eighth object includes any one of the following: the type of user, the name of the service, or the name of the network area. When an address does not exist in the object information base, the user can determine the object corresponding to the address, and the address and the object are added to the object information base; that is, the object information base can be updated dynamically while security intentions are generated from security policies, so that the object information base is continuously improved and the difficulty of future conversions from security policy to security intention is reduced.
A second aspect of the present application provides a security policy processing apparatus. The processing device of the security policy comprises an acquisition module and a generation module. The acquisition module is used for acquiring a first security policy configured on the first security device. And the generation module is used for generating a first security intention according to the first security policy. The first security policy indicates a first access behavior of the first address to the second address. The first access behavior is to allow or prohibit access. The first security intent indicates a first access behavior of the first object to the second object. The first object or the second object includes any one of the following: the type of user, the name of the service, or the name of the network area.
Optionally, the generating module is specifically configured to: the first object is determined from the first address and the second object is determined from the second address.
Optionally, the processing device of the security policy further includes a determining module. The determining module is used for determining a first object according to the first address and object information base and determining a second object according to the second address and object information base. The object information base includes each object of the at least one object and address information of each object. The at least one object includes a first object and a second object. Each object is any one of the following: a type of user, a name of a service, or a name of a network area.
Optionally, the first security intention is used to check whether the first security policy matches the security policy deployment intention.
Optionally, the security policy deployment intent indicates a second access behavior of the third object to the fourth object. The determining module is further configured to determine that the first security policy matches the security policy deployment intention when the third object and the first object each include a first sub-address, the fourth object and the second object each include a second sub-address, and the first access behavior and the second access behavior are the same.
Optionally, the first security intention is used to check whether the newly added security policy deployment intention conflicts with the first security intention.
Optionally, the additional security policy deployment intent indicates a third access behavior of the fifth object to the sixth object. The determining module is further configured to determine that the deployment intention of the added security policy conflicts with the first security intention when the first object and the fifth object each include a third sub-address, the second object and the sixth object each include a fourth sub-address, and the first access behavior and the third access behavior are different.
Optionally, the obtaining module is further configured to obtain a second security policy configured on the second security device, and the generating module is further configured to generate the second security intention according to the second security policy. The second security policy indicates a fourth access behavior of the first address to the second address, and the second security intent indicates that the first object performs the fourth access behavior to the second object. The first security device is located on an access path of the first address to the second address, the second security device being any other security device on the access path. Optionally, the first security intention and the second security intention are used to verify whether the first security policy and the second security policy match the security policy deployment intention.
Optionally, the security policy deployment intent indicates a second access behavior of the third object to the fourth object. The determining module is further configured to determine that the first security policy and the second security policy match the security policy configuration intent when the third object includes the first object, the fourth object includes the second object, and the first access behavior and the fourth access behavior are the same as the second access behavior.
Optionally, the first security intention and the second security intention are used to check configuration redundancy.
Optionally, the determining module is further configured to determine that there is a configuration redundancy when the first security intention and the second security intention both indicate that the first object is prohibited from accessing the second object.
Optionally, the processing device of the security policy further includes a display module. The display module is used for displaying the first security policy and the first security intention.
Optionally, the display module is further configured to display one or more of the following: the first check result, the second check result, the third check result, or the fourth check result. The first verification result indicates whether the first security policy matches the security policy deployment intent. The second check result indicates whether the newly added security policy deployment intention conflicts with the first security intention. The third verification result indicates whether the first security policy and the second security policy match the security policy deployment intent. The fourth check result indicates whether there is configuration redundancy.
Optionally, the processing device of the security policy further includes an acquisition module. The acquisition module is further configured to acquire a third security policy from the third security device, the third security policy indicating that the access behavior of the third address to the fourth address is allowed or prohibited. The obtaining module is further configured to obtain a seventh object corresponding to the third address, obtain an eighth object corresponding to the fourth address, and add the correspondence between the seventh object and the third address and the correspondence between the eighth object and the fourth address to the object information base, so as to obtain a new object information base. The seventh object or the eighth object includes any one of the following: the type of user, the name of the service, or the name of the network area.
A third aspect of the present application provides a network device comprising a processor and a memory. The memory is for storing program code and the processor is for invoking the program code in the memory to cause the network device to perform the method as in the first aspect or any of the embodiments of the first aspect.
A fourth aspect of the present application provides a computer readable storage medium storing instructions that when run on a computer cause the computer to perform a method as in the first aspect or any one of the embodiments of the first aspect.
A fifth aspect of the present application provides a computer program product which, when run on a computer, causes the computer to perform the method as the first aspect or any of the embodiments of the first aspect.
A sixth aspect of the present application provides a chip comprising one or more processors. Some or all of the processors are configured to read and execute computer instructions stored in the memory to perform the method of any of the possible implementations of any of the aspects described above. Optionally, the chip further comprises a memory. Optionally, the chip further comprises a communication interface, and the processor is connected with the communication interface. The communication interface is used for receiving data and/or information to be processed; the processor acquires the data and/or information from the communication interface, processes it, and outputs the processing result through the communication interface. Optionally, the communication interface is an input-output interface or a bus interface. The method provided by the application is implemented by one chip or by a plurality of chips cooperatively.
The solutions provided in the second aspect to the sixth aspect are used to implement or cooperate to implement the method provided in the first aspect, so that the same or corresponding beneficial effects as those in the first aspect can be achieved, which are not described herein.
Drawings
Fig. 1 is a schematic diagram of a network deployment scenario provided in an embodiment of the present application;
Fig. 2 is a flow chart of a method for processing a security policy according to an embodiment of the present application;
Fig. 3 is a flow chart of a method for acquiring a first object corresponding to a first address according to an embodiment of the present application;
Fig. 4 is a schematic illustration showing a security policy and a security intent provided in an embodiment of the present application;
Fig. 5 is a flow chart of another method for processing a security policy according to an embodiment of the present application;
Fig. 6 is a flow chart of another method for processing a security policy according to an embodiment of the present application;
Fig. 7 is a schematic network topology diagram of a service already opened in a network according to an embodiment of the present application;
Fig. 8 is a flow chart of another method for processing a security policy according to an embodiment of the present application;
Fig. 9 is a flow chart of another method for processing a security policy according to an embodiment of the present application;
Fig. 10 is a network topology diagram of a method for processing a security policy according to an embodiment of the present application;
Fig. 11 is another network topology diagram of a method for processing a security policy according to an embodiment of the present application;
Fig. 12 is a flow chart of another method for processing a security policy according to an embodiment of the present application;
Fig. 13 is a schematic structural diagram of a network device according to an embodiment of the present application;
Fig. 14 is a schematic structural diagram of a processing device of a security policy according to an embodiment of the present application;
Fig. 15 is a schematic structural diagram of another processing device of a security policy according to an embodiment of the present application;
Fig. 16 is a schematic structural diagram of a network device according to an embodiment of the present application.
Detailed Description
Embodiments of the present application will now be described with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some, but not all embodiments of the present application. As a person of ordinary skill in the art can know, with the development of technology and the appearance of new scenes, the technical solutions provided in the embodiments of the present application are applicable to similar technical problems.
The terms first, second and the like in the description and in the claims of the present application and in the above-described figures, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order.
The word "exemplary" is used herein to mean "serving as an example, embodiment, or illustration." Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
The embodiment of the application provides a processing method of a security policy, which is used for reducing difficulty in understanding the security policy. The embodiment of the application also provides a processing device, communication equipment, a computer readable storage medium and the like of the corresponding security policy. For the purpose of making the objects, technical solutions and advantages of the present application more apparent, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
Referring to fig. 1, fig. 1 is a schematic diagram of a network deployment scenario provided in an embodiment of the present application. As shown in fig. 1, the network architecture includes an internal network, an external network, and a first communication device. The internal network comprises a firewall, network equipment for forwarding messages, and terminal equipment. A security device in the internal network is a communication device in the internal network on which security policies are deployed; the security device may comprise any one or more of the following: a firewall, a network device for forwarding messages, a terminal device, etc.
When a message is received by the security device, the deployed security policy may be matched with the information of the message (e.g., the source address of the message, the destination address of the message, etc.) to determine whether to allow or prohibit the message to pass. It should be appreciated that, while the first communication device is shown in fig. 1 as being deployed outside of the internal network (e.g., the first communication device is a cloud device), fig. 1 is merely one example of a network deployment scenario, and in other scenarios, the first communication device may be deployed in the internal network, which is not limited herein. For ease of understanding, the various devices in the network architecture will be described in detail below.
The internal network may be divided into a plurality of network areas, such as the data center network and office parks in fig. 1. Each network area may have different security requirements so that each network area may deploy security devices, such as an office-park network deployment firewall 1 shown in fig. 1 and a data center network deployment firewall 2 shown in fig. 1. Security devices at different locations may be configured with different security policies.
The terminal devices in the internal network may include terminal devices used by users in the internal network (e.g., terminal device 1 and terminal device 2 in fig. 1), terminal devices for providing services (e.g., database server and Web server in fig. 1), or terminal devices for other purposes (e.g., report server and test server in fig. 1), etc., without limitation.
The terminal device includes a server, a personal computer, a notebook computer, a smart phone, a tablet computer, an internet of things device, and other physical devices. Optionally, the terminal device includes a virtualization device disposed on the physical device, for example, the terminal device includes a Virtual Machine (VM) disposed on the server and used for providing the business service.
The network equipment deployed between the firewall and the terminal equipment is message forwarding equipment used for forwarding traffic between the external network and the terminal equipment in the internal network and traffic between different terminal equipment in the internal network. Illustratively, the network devices include packet forwarding devices such as switches, gateways, routers, and the like. Optionally, the network device is implemented as a virtualized device deployed on a hardware device. For example, the network device includes a VM, virtual router or virtual switch running a program for sending messages.
The first communication device is an execution subject of the security policy acquisition method provided in the embodiment of the present application. Illustratively, the first communication device comprises a server or a VM disposed on a server. The server may be deployed in a public cloud, a private cloud, or a hybrid cloud. It should be understood that the execution body of the security policy obtaining method provided in the embodiment of the present application may also be other devices, for example, a network management device or a certain network device (for example, a packet forwarding device or a firewall) in an internal network, which may be specifically and flexibly determined in combination with an actual application scenario, and is not limited herein.
Specifically, the first communication device is configured to obtain a first security policy configured on the first security device, and generate a first security intention according to the obtained first security policy. Wherein the first security policy indicates a first access behavior of the first address to the second address and the first security intent indicates a first access behavior of the first object to the second object.
The security policy includes a first address and a second address, and instructs the security device to permit or prohibit the first address from accessing the second address. The first object or the second object includes any one of the following: the type of user, the name of the service, or the name of the network area. For example, the security intent is to allow internet users to access web services. At this time, the first object includes a type of user (i.e., internet user), and the second object includes the name of a service (i.e., web service). As another example, the security intent is to prohibit internet users from accessing database services. At this time, the first object includes a type of user (i.e., internet user), and the second object includes the name of a service (i.e., database service). As another example, the security intent is to allow web services to access database services. At this time, the first object includes the name of one service (i.e., web service), and the second object includes the name of another service (i.e., database service). For another example, the security intent is to prohibit the office campus from accessing the data center. At this time, the first object includes the name of one network area (i.e., office campus), and the second object includes the name of another network area (i.e., data center). For another example, the security intent is to prohibit a production plant from accessing database services. At this time, the first object includes the name of one network area (i.e., production plant), and the second object includes the name of a service (i.e., database service).
That is, the security intent directly expresses, in an easy-to-understand form, the access requirement between services, network areas and user types; generating the security intent from the security policy therefore makes it easier for the network administrator to understand and maintain the security policy.
It should be noted that, in the network deployment scenario where the embodiments of the present application are located, there may be more or fewer devices, and fig. 1 is only an example for facilitating understanding of the present solution, and is not limited to the present solution.
The scenario of application of the security policy processing method provided by the embodiment of the present application is described above, and a specific implementation procedure of the security policy processing method provided by the embodiment of the present application will be described in detail below.
Referring to fig. 2, fig. 2 is a flow chart illustrating a method for processing a security policy according to an embodiment of the present application. As shown in fig. 2, the method for processing a security policy provided in the embodiment of the present application includes the following steps 201 to 202:
step 201, a first security policy configured on a first security device is obtained, where the first security policy indicates a first access behavior of a first address to a second address, and the first access behavior is to allow or prohibit access.
In this embodiment, the first communication device obtains a first security policy configured on the first security device. The first security policy includes at least one security policy. The first security policy indicates a first access behavior of the first address to the second address, the first access behavior being either allowing or prohibiting access. When the first security device receives a message, the source address and destination address of the message may be matched with at least one first security policy deployed to determine whether to allow or prohibit the message from passing through.
The first communication device may obtain a first address and a second address from each of the first security policies, e.g., the first address is a source address and the second address is a destination address. The source address is, for example, a media access control (Media Access Control, MAC) address, a source IP address, a source port (port), or a combination of the above. The destination address is, for example, a destination MAC address, a destination IP address, a destination port, or a combination of the above. The first security policy indicates that the first address is allowed or forbidden to access the second address. Optionally, the first security policy may further include a protocol type employed by the first access behavior.
The source IP address obtained from the first security policy may be any of the following: at least one IP address, at least one IP address segment, or any. When the source IP address is not set in the first security policy, the source IP address is determined to be any. The concept of the destination IP address obtained from the first security policy is similar to that of the source IP address and will not be described here.
The source port obtained from the first security policy may be at least one port number or any; when the source port is not set in the first security policy, the source port is determined to be any. A port of any is understood to mean ports 0 to 65535. The concept of the destination port obtained from the first security policy is similar to that of the source port and will not be described here.
The types of protocols employed include, but are not limited to, transmission control protocol (Transmission Control Protocol, TCP), user datagram protocol (User Datagram Protocol, UDP), or other types of protocols, etc., and are not intended to be exhaustive.
The code forms of the security policies deployed on the different types of security devices may be different, for example, one example of the first security policy configured in the switch and one example of the first security policy configured in the terminal device are disclosed below, respectively. One example of a first security policy deployed in a switch is as follows:
ip access-list AA
10 deny tcp 172.20.201.0/24 192.168.10.1 eq 12345
20 deny tcp 172.20.201.0/24 192.168.10.2 eq 12345
In the first security policy in the switch shown above, the source IP address includes 172.20.201.0/24; the source port is not specified; the destination IP address includes 192.168.10.1 and 192.168.10.2; the destination port is 12345; the protocol type is TCP; and the first access behavior is prohibited (deny).
One example of a first security policy deployed in a terminal device is as follows:
iptables -I INPUT -p tcp --dport 12345 -j ACCEPT   # allows messages with destination port 12345 to flow in
The source IP address and the source port are not specified in the first security policy shown above, so both are determined to be any; the destination IP address is determined to be the IP address of the terminal device, the destination port number includes 12345, and the first access behavior in the first security policy is allowed (ACCEPT). It should be understood that the above two examples are merely for convenience in understanding security policies in different code forms deployed on different types of security devices, and are not intended to limit the present solution.
The first communication device may obtain the first security policy in a number of ways. In one implementation, the first security device transmits the deployed at least one first security policy to the first communication device, and accordingly the first communication device receives the at least one first security policy transmitted by the first security device. In another implementation, the first communication device remotely logs in to the first security device using Secure Shell (SSH), Telnet, or another technique to obtain the at least one first security policy deployed on the first security device.
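The two policy forms shown above express the same fields differently, so the first step in practice is to normalise them. As an added example, not code from the patent, the following Python parses the switch ACL and the iptables rule shown above into one common (source address, source port, destination address, destination port, protocol, action) form, treating unset fields as any, and then evaluates a message against the resulting list in first-match order, as the security device does on receipt of a message. The ACL regular expression, the treatment of the INPUT chain (the destination is the host's own address, here assumed to be 192.168.10.1) and the default action applied when no entry matches are assumptions of this example.

```python
import ipaddress
import re
import shlex
from dataclasses import dataclass

ANY = "any"  # an unset address or port; an "any" port means ports 0 to 65535


@dataclass(frozen=True)
class Policy:
    src_ip: str    # IP address, CIDR segment or "any"
    src_port: str  # port, "lo:hi" range or "any"
    dst_ip: str
    dst_port: str
    proto: str     # "tcp", "udp", "ip", ...
    action: str    # "permit" or "deny"


# <seq> <permit|deny> <proto> [host] <src> [host] <dst> [eq <port>], as in the switch example
ACL_RE = re.compile(
    r"^\s*\d+\s+(permit|deny)\s+(\S+)\s+(?:host\s+)?(\S+)\s+(?:host\s+)?(\S+)(?:\s+eq\s+(\d+))?\s*$")


def parse_acl(text):
    """Normalise the entries of an 'ip access-list'; the header and unknown lines are skipped."""
    policies = []
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            action, proto, src, dst, dport = m.groups()
            policies.append(Policy(src, ANY, dst, dport or ANY, proto, action))
    return policies


def parse_iptables(cmd, host_ip):
    """Normalise one iptables INPUT rule. Matches the rule does not set become 'any';
    the destination of the INPUT chain is the host's own address (assumed caller-supplied)."""
    args = shlex.split(cmd.split("#", 1)[0])  # drop a trailing shell comment
    proto = src = sport = dport = ANY
    action = "deny"
    i = 0
    while i < len(args):
        a, val = args[i], (args[i + 1] if i + 1 < len(args) else None)
        if a in ("-p", "--protocol"):
            proto = val
        elif a in ("-s", "--source"):
            src = val
        elif a in ("--sport", "--source-port"):
            sport = val
        elif a in ("--dport", "--destination-port"):
            dport = val
        elif a in ("-j", "--jump"):
            action = "permit" if val == "ACCEPT" else "deny"
        else:
            i += 1  # "iptables", "-I INPUT" and other tokens carry no match field
            continue
        i += 2
    return Policy(src, sport, host_ip, dport, proto, action)


def _ip_matches(field, ip):
    return field == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(field, strict=False)


def _port_matches(field, port):
    if field == ANY:
        return True
    lo, _, hi = field.partition(":")
    return int(lo) <= port <= int(hi or lo)


def decide(policies, src_ip, dst_ip, proto, dst_port, src_port=0, default="deny"):
    """First-match evaluation of a received message, as the security device performs it;
    'default' is the action when no policy matches (the ACL's implicit deny)."""
    for p in policies:
        if (p.proto in (ANY, "ip", proto)
                and _ip_matches(p.src_ip, src_ip) and _ip_matches(p.dst_ip, dst_ip)
                and _port_matches(p.src_port, src_port) and _port_matches(p.dst_port, dst_port)):
            return p.action
    return default
```

The same normalised form is what a converter needs before it can look addresses up in an object information base; keeping the default action explicit matters because the switch ACL denies anything it does not list, while the iptables rule says nothing about traffic that does not match it.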
Step 202, generating a first security intention according to a first security policy, the first security intention indicating a first access behavior of a first object to a second object, the first object or the second object comprising any one of the following: the type of user, the name of the service, or the name of the network area.
In this embodiment, after the first communication device obtains the first address, the second address, and the first access behavior from the first security policy, the first communication device may generate a first security intention corresponding to the first security policy.
Wherein the first security intention is a security intention, and the security intention is expressed in the form of natural language to allow or prohibit an access behavior. The first object is an initiator of a first access behavior, the first object comprising any one of: the type of user, the name of the service, or the name of the network area. That is, the first object may be a type of a user initiating the first access behavior, or a name of a service initiating the first access behavior, or a name of a network area initiating the first access behavior. The second object is a recipient of the first access behavior, the second object comprising any one of: the type of user, the name of the service or the name of the network area. That is, the second object is a type of a user that allows or prohibits the access of the first object, or a name of a service that allows or prohibits the access of the first object, or a name of a network area that allows or prohibits the access of the first object.
Optionally, step 202 may include: the first communication device determines a first object from the first address and a second object from the second address. For example, the first address comprises a source IP address, a source port, a protocol type, or a combination of the above, i.e. a source IP address, a source port, a protocol type, or a combination of the above, for determining the first object. For example, the second address comprises a destination IP address, a destination port, a protocol type, or a combination of the above, i.e. a destination IP address, a destination port, a protocol type, or a combination of the above, for determining the second object.
In the embodiment of the application, the corresponding relation between the first address and the second address in the security policy and the first object and the second object in the security intention is defined, so that the accuracy of the conversion process from the security policy to the security intention is improved.
The first communication device, after acquiring the first object and the second object, may generate a first security intent corresponding to the first security policy. Wherein the first security intent indicates a first access behavior of the first object to the second object. The first security intention may in particular represent that the first object is allowed to access the second object or that the first object is prohibited from accessing the second object. The presentation of the first security intention is described below by way of example in connection with the types of the first object and the second object. The content in "[ ]" in the following examples is optional content.
Case 1: the first object is any, and the second object is the name of a service
First security intention: allow/prohibit any network area to access YY service [of XX network area]
Case 2: the first object is any, and the second object is the name of a network area
First security intention: allow/prohibit any network area to access XX network area
Case 3: the first object is a type of user, and the second object is any
First security intention: allow/prohibit ZZ users [of BB network area] to access any network area
Case 4: the first object is a type of user, and the second object is the name of a service
First security intention: allow/prohibit ZZ users [of BB network area] to access YY service [of XX network area]
Case 5: the first object is a type of user, and the second object is the name of a network area
First security intention: allow/prohibit ZZ users [of BB network area] to access XX network area
Case 6: the first object is the name of a service, and the second object is any
First security intention: allow/prohibit CC service [of BB network area] to access any network area
Case 7: the first object is the name of a service, and the second object is the name of a service
First security intention: allow/prohibit CC service [of BB network area] to access YY service [of XX network area]
Case 8: the first object is the name of a service, and the second object is the name of a network area
First security intention: allow/prohibit CC service [of BB network area] to access XX network area
Case 9: the first object is the name of a network area, and the second object is any
First security intention: allow/prohibit BB network area to access any network area
Case 10: the first object is the name of a network area, and the second object is the name of a service
First security intention: allow/prohibit BB network area to access YY service [of XX network area]
Case 11: the first object is the name of a network area, and the second object is the name of a network area
First security intention: allow/prohibit BB network area to access XX network area
For example, the first security policy deployed on the switch may be converted into the first security intention "student users are prohibited from accessing the online learning service": the first object corresponding to 172.20.201.0/24 is the student user type, and the second object corresponding to 192.168.10.1:12345 and 192.168.10.2:12345 is the online learning service. As another example, the first security policy deployed on the terminal device may be converted into the first security intention "any network area is allowed to access the online learning service". It should be understood that these examples are given merely for convenience of understanding and are not intended to be limiting. In the embodiment of the application, it is made clear that the first address in the first security policy is used to determine the first object and the second address is used to determine the second object, so the difficulty of converting the security policy into the security intention is reduced.
In the embodiment of the application, the security intention directly expresses, in an easy-to-understand form, the access requirement between services, network areas and user types. Thus the security policy expressed in IP addresses is converted into a security intention expressed in natural language, so that the administrator can more easily understand and maintain the security policy.
Optionally, the first communication device may further obtain, from the first security policy, the name of the network area in which the device at the first address is located and the name of the network area in which the device at the second address is located; that is, the network area of the first address is the source network area and the network area of the second address is the destination network area. If this information does not exist in the first security policy, the first communication device determines that the information obtained from the first security policy is null.
For further understanding of the present solution, the following is taken as an example in connection with the above first security policy deployed on the switch and the terminal device, and the information that the first communication device may further obtain from the first security policy may be presented in the form of a code, where it should be noted that the content following "//" represents the information obtained based on the code content.
1. The information obtained from the first security policy deployed in the switch may be as follows: (the listing is an image in the original and is not reproduced here)
2. The information obtained from the first security policy deployed in the terminal device may be as follows: (the listing is an image in the original and is not reproduced here)
it should be understood that the foregoing examples are merely for convenience in understanding the present solution and are not intended to limit the present solution.
Wherein the first communication device may employ forms, plain text, a combination of graphics and text, or other forms to store information obtained from the first security policy.
The first object and the second object may each include one of: the type of user, the name of the service, or the name of the network area. The type of user is used to distinguish between different users, and different types of users correspond to different addresses or address segments. For example, the user types may be intranet users, partner users, internet users, and the like. Intranet users are users that access from the internal network. An internal network is a network governed by one party (e.g., an enterprise), such as the campus network of an enterprise; users accessing through that network may be referred to as intranet users of the enterprise. The enterprise's internal network has a specified address segment, and when the first address or the second address in the security policy falls within that segment, the first communication device determines that the first object or the second object is an intranet user. Partner users are users that access from a partner's network. For example, where enterprise 1 and enterprise 2 cooperate and enterprise 1 grants enterprise 2 access to service 1 of enterprise 1, the first communication device determines that the first object is an enterprise 2 user (a partner user) when the first address in the security policy falls within the address or address segment corresponding to enterprise 2. Internet users are users accessing from any location, and their address corresponds to any. Alternatively, internet users may be defined as all users other than specific users (for example, intranet users and/or partner users), in which case the address range of internet users excludes the addresses of those specific users. A type of user may also be subdivided into several types; for example, when the internal network is a campus network, intranet users may be subdivided into staff users and student users, which correspond to different addresses or address segments.
For another example, when the internal network is the campus network of a vehicle manufacturing enterprise, intranet users may be subdivided into administrative office users and production shop users, and production shop users may be further subdivided into engine shop users, tire shop users, and so on; the different types of users correspond to different addresses or address segments.
The service is deployed in the internal network, provides services to the outside or the inside, and the names of the services are used for distinguishing different services. For example, the names of the services may be personal mobile banking services, personal client information services, online learning services, internet services or other services, etc., and the specific situations may be combined, which are not limited herein. Each service provides a service to the outside based on the service address. The service address is, for example, a combination of an IP address, a port, and a protocol. For example, web services provide services based on the TCP protocol at IP1:80, and domain name resolution services provide services based on the TCP protocol or UDP protocol at IP 2:53. The first communication device may determine, based on the first address or the second address included in the security policy, to which service address of the service the first address or the second address belongs, to determine the first object or the second object included in the security intention. Wherein the first address or the second address may be an IP address, a port, a protocol, or a combination thereof in the service address.
The name of the network area is used to distinguish between different network areas. Different network areas correspond to different addresses or address segments, and the first communication device may determine the name of the network area in which the first address or the second address is located based on the first address or the second address included in the security policy. For example, the names of the network areas may be the internal network area, the partner network area, the internet area, and the like. An internal network area is a network area governed by one party (e.g., an enterprise), such as the campus network of an enterprise. A partner network area is a network area governed by a partner; for example, when enterprise 1 and enterprise 2 have a partnership, the campus network of enterprise 1 and the campus network of enterprise 2 are each a partner network area to the other. The internet area may refer broadly to all network areas, or to all network areas other than particular networks such as the internal network area and/or the partner network area. A network area may also be subdivided into different network areas; for example, the internal network area may be subdivided into "production area 1", "test area 1", "office area", "XX data center", "XX campus, building XX" or other names, all of which are determined by the actual application scenario.
Different network areas may correspond to different security devices, respectively. For example, enterprises deploy firewalls in "production zone 1" and "test zone 1", respectively, each firewall managing network access behavior of a corresponding network zone, respectively.
The first communication device may determine whether the first address obtained from the first security policy is any, for example whether the source IP address and the source port obtained from the first security policy are both any. If so, the first communication device determines that the first object is any network area. If not, the first communication device determines the first object according to the first address and the object information base. The object information base stores each object of at least one object together with the address information of each object, where each object is any one of the following: a type of user, the name of a service, or the name of a network area. For example, the address of each type of user may include the IP addresses of that user type, which may be an IP address segment corresponding to the user type or one or more individual IP addresses. The address of each service may include the IP address and port corresponding to the service, and may further include the supported protocol type; the IP addresses corresponding to a service may be one or more IP addresses or an IP address segment that provides the service, and the ports may be one or more ports that provide the service. The address of each network area may include an IP address segment corresponding to the network area, or one or more IP addresses corresponding to the network area.
Optionally, the object information base may further include description information of each object. If the object is a type of user, the description information of the object may include any one or more of the following: the type of role of the user, the type of network environment in which the device is used by the user, or other information of the user. If the object is a service, the description information of the object may further include any one or more of the following: the type of role of the service, the network environment in which the device providing the service is located, the physical location of the device providing the service, the type of device providing the service, or other descriptive information, etc.
Wherein the role type of the user is a finer granularity description of the same type of user. For example, the type of user is a user of a third party enterprise, and the role type of user may include an administrator or a general user. As another example, the user's type is an internet user, and the user's role type may include Application (APP) and browser. For another example, the user may be a teacher in a campus network, and the role type of the user may include a teacher in administrative position, a teacher in teaching position, etc., which are illustrated herein for convenience in understanding the present solution, and are not limited to the present solution.
The type of network environment in which the device used by the user is located may be determined based on the functionality of the network environment in which the device used by the user is located. For example, if the network environment in which the device used by the user is located is a production shop, the type of network environment in which the device used by the user is located may be production. For another example, if the network environment in which the device used by the user is located is a test shop, the type of network environment in which the device used by the user is located may be a test. For another example, if the network environment in which the device used by the user is located is an office campus, the type of network environment in which the device used by the user is located may be an office, and the like, which is not limited herein.
The role type of a service is a finer-grained division of the devices that provide the same service. The role types may be divided according to the function of the device providing the service or on another basis. For example, for the online learning service the role types may include database, cache and web server: the database role stores the learning materials used in online learning, and the web server role retrieves learning materials from the database in response to a request for them, manages the learning materials in the database, and so on. It should be understood that the examples here are merely for convenience in understanding the concept of "role type of a service" and are not intended to limit the present solution.
The type of the network environment in which the service-providing device is located may be determined based on the function of that network environment; the concept is similar to the "type of network environment in which the device used by the user is located" described above and is not repeated here. For example, the physical location of a service-providing device may be an XX server in an XX room of an XX data center, or an XX room of an XX campus, and so on, which is not exhaustive. The types of service-providing device include, but are not limited to, physical devices, virtual machines, containers, and the like.
Illustratively, table 1 gives an illustration of the information of one object in the object information base.
TABLE 1
Specifically, the first communication device may determine whether the first address exists in the object information base. The first address includes one or more of the following: source IP address, source port, or protocol type.
If the first address exists in the object information base, the first object corresponding to the first address is acquired from the object information base. If the first address does not exist in the object information base, the first communication device may display first indication information to the user in order to acquire the first object corresponding to the first address. The first communication device may further add the first object and the first address to the object information base, i.e. obtain an updated object information base.
The first indication information comprises at least the first address. Optionally, the first indication information presented to the user may further include any one or more of the following: the name of the network area associated with the first address, the name of the first security policy, the type of the first object, or other information. The type of the first object is user, service, or network area.
For example, the first communication device may obtain a name of a network area associated with the first address, and the first indication information presented to the user includes the first address and the name of the source network area.
If the first communication device does not acquire the first object corresponding to the first address from the object information base, that is, if the first address does not exist in the object information base, the first communication device may acquire the name of the network area associated with the first address from the object information base.
Specifically, the first communication device may perform fuzzy matching between the first address and address information of a plurality of objects in the object information base; at least one target object associated with the first address is determined from the object information base, and the name of the network area to which the target object belongs is determined as the name of the network area associated with the first address.
Optionally, the first communication device may perform the fuzzy matching between the first address and the address information of the objects in the object information base based on the similarity between the first address and the address information of each object, and determine at least one target object associated with the first address from the object information base. For example, the similarity between the address information of each target object and the first address may be greater than or equal to a similarity threshold, or the at least one target object may be the object(s) in the object information base with the highest similarity to the first address, and so on, which is not exhaustive. For example, if address A is 192.168.10.1, address B is 192.168.10.2, and address C is 172.20.201.0, the similarity between address A and address B is higher than the similarity between address A and address C. For another example, the first address is 192.168.10.6:80 and no object in the object information base exactly matches it, but the object information base includes a first network area whose addresses are 192.168.10.1-192.168.10.100; the first communication device can determine that the IP address in the first address belongs to that network area, so the name of the first network area is taken as the name of the network area associated with the first address. It should be understood that the examples here are only for ease of understanding the present solution and are not intended to limit it.
In this embodiment, when the first address does not exist in the object information base, the user may determine the first object corresponding to the first address, and add the first address and the first object to the object information base, that is, in the process of generating the security intention based on the security policy, the object information base may be dynamically updated, so as to continuously perfect the object information base, which is beneficial to reducing the difficulty of executing the conversion operation from the security policy to the security intention in the future.
Optionally, when the first communication device presents the first indication information to the user, any one or more of the following fields may also be presented, with their content shown as null: a role type, a type of network environment, a physical location of the device providing a service, a type of the device providing a service, or other fields. The purpose of presenting these fields is to instruct the user to enter the corresponding information, such as any one or more of the following: the role type of the object, the type of network environment in which the object is located, the physical location of the device providing the service, the type of the device providing the service, or other description information of the object.
The first communication device adding the first address and the first object to the object information store may comprise: the first communication device may add the first address, the first object, and description information of the first object to the object information base.
The following describes how the first communication device acquires the first object corresponding to the first address. In one implementation, the first communication device may present the first indication information to the user through a first graphical user interface (graphical user interface, GUI). The first communication device may then acquire the first object corresponding to the first address based on a feedback operation input by the user for the first indication information.
If the first indication information includes a name corresponding to the first address, where the name corresponding to the first address includes the name of the source IP address and/or the name of the source port, the feedback operation may include: the user selects one of the source IP address name and/or the source port name, or the user inputs the first object.
If the first indication information does not include a name corresponding to the first address, the feedback operation may include: an operation in which the user inputs the first object.
In another implementation, the first communication device may send the first indication information to a second communication device, and the second communication device presents the first indication information to the user through a second GUI, where the first communication device and the second communication device are two different devices. The second communication device may acquire the first object corresponding to the first address based on a feedback operation input by the user for the first indication information, and send the first object to the first communication device.
For a more intuitive understanding of the present solution, refer to fig. 3, and fig. 3 is a schematic flow chart of acquiring a first object corresponding to a first address according to an embodiment of the present application. The method for acquiring the first object corresponding to the first address provided by the embodiment of the application comprises the following steps A1-A6.
Step A1: the first communication device determines whether the source IP address and the source port are both arbitrary. If so, step A2 is performed; if not, step A3 is performed.
Step A2: the first communication device determines that the first object includes any user of any network area and any service of any network area. The subsequent steps A3 to A6 are not performed.
Step A3: the first communication device determines whether the first address exists in the object information base. If so, step A4 is performed; if not, step A5 is performed.
Step A4: the first communication device acquires the first object corresponding to the first address from the object information base. The subsequent steps A5 and A6 are not performed.
Step A5: the first communication device displays the first indication information to the user in order to acquire the first object corresponding to the first address, where the first indication information indicates that the first object comprises the first address.
Step A6: the first communication device adds the first address and the first object to the object information base to obtain an updated object information base. It should be understood that the example in fig. 3 is merely for facilitating understanding of the present solution and is not intended to limit it.
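As an added example that is not part of the patent, the following Python sketch implements steps A1-A6 over a constructed object information base, and uses the fuzzy match described earlier (an IP falling inside a network area's address range, with address-prefix similarity as a fallback) to fill the network-area name shown in the first indication information. All class and function names, the `ask_user` callback standing in for the GUI, and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

ANY = "any"
ANY_OBJECT = "any user of any network area and any service of any network area"


def ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def prefix_similarity(ip_a: str, ip_b: str) -> int:
    """Leading bits shared by two IPv4 addresses: the similarity notion of the
    text (192.168.10.1 is closer to 192.168.10.2 than to 172.20.201.0)."""
    return 32 - (ip_int(ip_a) ^ ip_int(ip_b)).bit_length()


@dataclass
class NetworkArea:
    name: str
    first_ip: str          # inclusive address range of the area
    last_ip: str

    def contains(self, ip: str) -> bool:
        return ip_int(self.first_ip) <= ip_int(ip) <= ip_int(self.last_ip)


@dataclass
class ObjectInfoBase:
    """Constructed object information base: exact address -> object record."""
    objects: dict = field(default_factory=dict)   # "ip" or "ip:port" -> record
    areas: list = field(default_factory=list)

    def add(self, address, name, kind, area, description=None):
        self.objects[address] = {"name": name, "type": kind, "area": area,
                                 "description": description or {}}

    def area_name_for(self, address: str):
        """Fuzzy match for an address with no exact entry: first an area whose
        range holds the IP, otherwise the area of the most similar known address."""
        ip = address.split(":")[0]
        for area in self.areas:
            if area.contains(ip):
                return area.name
        best = max(self.objects.items(), default=None,
                   key=lambda kv: prefix_similarity(ip, kv[0].split(":")[0]))
        return best[1]["area"] if best else None


def resolve_first_object(base: ObjectInfoBase, src_ip: str, src_port: str,
                         ask_user) -> str:
    """Steps A1-A6. `ask_user` stands in for the GUI: it receives the first
    indication information and returns (name, type, area, description)."""
    if src_ip == ANY and src_port == ANY:                       # A1 -> A2
        return ANY_OBJECT
    address = src_ip if src_port == ANY else f"{src_ip}:{src_port}"
    record = base.objects.get(address)                          # A3
    if record is not None:                                      # A4
        return record["name"]
    indication = {                                              # A5
        "first address": address,
        "network area": base.area_name_for(address),
        "object type": None,
        # description fields shown empty for the user to fill in
        "role type": None, "network environment type": None,
        "physical location": None, "device type": None,
    }
    name, kind, area, description = ask_user(indication)
    base.add(address, name, kind, area, description)            # A6
    return name


def build_sample_base() -> ObjectInfoBase:
    """Constructed sample data loosely mirroring the text's examples."""
    base = ObjectInfoBase()
    base.areas.append(NetworkArea("data center", "192.168.10.1", "192.168.10.100"))
    base.add("192.168.10.1:12345", "online learning service", "service", "data center")
    base.add("10.0.0.5", "office staff", "user", "office campus")
    return base
```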
The following describes determining the second object from the second address. The first communication device may determine whether the destination IP address and the destination port obtained from the second security policy are both arbitrary, that is, whether the second address obtained from the second security policy by the second communication device is arbitrary. If so, the second communication device can determine that the second object comprises any user of any network area and any service of any network area.
If not, the second communication device can determine the second object according to the second address and the object information base. Specifically, the first communication device may determine whether the second address exists in the object information base, where the second address includes one or more of the following: destination IP address, destination port, or protocol type. If the second address exists in the object information base, the second object corresponding to the second address is acquired from the object information base.
If the second address does not exist in the object information base, the first communication device can display second indication information to the user so as to acquire a second object corresponding to the second address. The first communication device may further add a second object and a second address to the object information base to update the object information base, i.e. obtain an updated object information base.
It should be noted that, the specific implementation manner of the first communication device for obtaining the second object corresponding to the second address is similar to the specific implementation manner of obtaining the first object corresponding to the first address, and the concept of the second indication information is similar to the concept of the first indication information, which is not described herein.
The first communication device may perform the step of acquiring the first object corresponding to the first address and the step of acquiring the second object corresponding to the second address separately or simultaneously; accordingly, the first communication device may display the first indication information and the second indication information to the user separately or simultaneously, which may be flexibly determined according to the actual application scenario.
For further understanding of the present solution, the following example uses the three first security policies shown above; the information carried by the first indication information and the second indication information is shown in table 2.
TABLE 2
The rightmost column in table 2 may be edited by the user to input the first object corresponding to the first address. For example, the user may drag the content of the column "name acquired from the security policy" to the column of the first object to input the first object; alternatively, the user may directly input the first object in text form. These examples are only to facilitate understanding of the present embodiment, and the manner in which the user inputs the first object is not limited.
It should be noted that the fields shown in table 2 are only for convenience of understanding the present solution; more or fewer fields may be shown in an actual product. For example, fields related to the description information of the first object may also be shown, or fields such as the network area may be omitted. Which information is shown may be flexibly determined according to the actual application scenario and is not limited herein.
In the embodiment of the application, the object information base is obtained by summarizing at least one object in the network and the address information of each object, so that after the first address and the second address included in the security policy are obtained, the first object corresponding to the first address and the second object corresponding to the second address can be determined according to the object information base, and the efficiency of converting the security policy into the security intention is greatly improved.
Optionally, after generating the first security intention corresponding to the first security policy, the first communication device may further display the first security policy and the first security intention to the user, so as to show a correspondence between the first security intention and the first security policy to the user.
Specifically, the first communication device may display the first security intention and the first security policy to the user through the GUI. Alternatively, the first communication device may send the first security intention and the first security policy to the second communication device, which displays the first security intention and the first security policy to the user through the GUI.
For the display form of "first security intent and first security policy," in one implementation, the first security intent and first security policy may be presented in a form, plain text, text in combination with graphics, or other means, or the like.
Alternatively, the first communication device may display the first content, the second content, and the third content to the user through the GUI or the second communication device; the first content comprises a first object, a first address and a corresponding relation between the first object and the first address, the second content comprises a second object, a second address and a corresponding relation between the second object and the second address, and the third content comprises a first access behavior.
Optionally, the first communication device may further display the description information of the first object and/or the description information of the second object to the user through the GUI or the second communication device, and the meaning of "the description information of the first object and/or the description information of the second object" may refer to the description of the meaning of "the description information of the object" above, which is not repeated herein.
For a more intuitive understanding of the present solution, please refer to fig. 4, which is a schematic diagram showing the first security policy and the first security intention provided in the embodiment of the present application. The first security policy shown in fig. 4 is an example of a first security policy deployed on a firewall. The first security policy and the first security intention include the source network area in which the first object is located (i.e. any area in fig. 4), the first object (i.e. any in fig. 4), and the source IP address and source port corresponding to the first object (i.e. any IP address in fig. 4); they further include the destination network area in which the second object is located (i.e. data center in fig. 4), the second object (i.e. online learning service in fig. 4), the protocol type, and the destination IP address and destination port corresponding to the second object; and they further include the first access behavior (i.e. permission in fig. 4). It should be understood that the example in fig. 4 is merely for facilitating understanding of the present scheme and is not used to limit it.
In the embodiment of the application, the security policy and the security intention obtained based on the security policy are displayed to the user, namely, the security intention and the security policy are associated, so that the user can understand the meaning of the security policy more easily, and the maintenance difficulty of the security policy is reduced.
For further understanding of the present solution, the following describes, by way of a specific example, the method for processing a security policy provided in the present application with reference to the application scenario diagram shown in fig. 1. Referring to fig. 1, two different network areas, an office park and a data center, exist in the internal network; a firewall 1 is disposed between the office park and the internet area, and a firewall 2 is disposed between the office park and the data center. In fig. 5, a first security policy in the form of code deployed in the firewall 1 is obtained by the first communication device. It should be noted that the embodiment shown in fig. 5 below is merely for convenience of understanding the present solution and does not limit it. As shown in fig. 5, the method for processing a security policy provided in the embodiment of the present application includes the following steps 501 to 504.
Step 501, a first security policy in the form of a code in the firewall 1 is obtained.
In this embodiment, the specific implementation of step 501 may refer to the description of step 201 in the corresponding embodiment of fig. 2, which is not repeated here. One first security policy in the form of code deployed on the firewall 1 is as follows:
In the first security policy, the source address (src-addr) is arbitrary (Any), the destination IP address (dst-addr) is 192.168.1.1/32, the destination port includes 12345, the protocol type (protocol) is TCP, and the first access behavior (action) is permission (permission).
Step 502, a first address and a second address are obtained from a first security policy in the form of a code.
In this embodiment, the specific implementation of step 502 may refer to the description of step 201 in the corresponding embodiment of fig. 2, which is not repeated here. As an example, the information obtained by the first communication device from the first security policies on the firewall 1 and the firewall 2 is shown below in the form of code; the information obtained from the first security policy on the firewall 1 is as follows:
The source network area (src_zone) corresponding to the first address is arbitrary (any), the source address (src_addrgrp) included in the first address is arbitrary, the destination network area (dst_zone) corresponding to the second address is arbitrary, the destination IP address included in the second address is 192.168.10.1/32, the destination port included in the second address is 12345, the protocol type is TCP, and the first access behavior (action) is allowed.
Step 503, obtaining a first object corresponding to the first address and a second object corresponding to the second address.
In this embodiment, the specific implementation of step 503 may refer to the description of step 202 in the corresponding embodiment of fig. 2, which is not repeated here. As an example, taking the case where the second address does not exist in the object information base to describe the acquisition of the second object corresponding to the second address, the second indication information presented to the user by the first communication device may be as shown in table 3 below.
TABLE 3
The rightmost column in table 3 may be edited by the user to input a first object corresponding to the first address. It should be noted that the fields shown in table 3 are only for convenience of understanding the present solution; more or fewer fields may be shown in an actual product, which is not limited herein.
At step 504, a first security intent corresponding to the first security policy is generated.
In this embodiment, the specific implementation of step 504 may refer to the description of step 202 in the corresponding embodiment of fig. 2, which is not repeated here. For example, if the user entered "online learning service" as the second object in table 3, the first security intention may be as shown in table 4 below:
TABLE 4
On the basis of the embodiments shown in fig. 2 to 5, after the first communication device acquires the first security intention corresponding to the first security policy, the first security intention may optionally be used, in one application scenario, to check whether the first security policy matches an existing security policy deployment intention.
The security policy deployment intention is also expressed in natural language and is used to indicate that the access behavior of one object to another object is allowed or prohibited, where the object may specifically be: a user type, the name of a service, or the name of a network area.
The security policy deployment intent may include any one or more of the following: at least one security rule specified by the user as required by the security specification, a security policy deployment intent determined in order to implement an already-opened service, or other types of security policy deployment intent.
For example, the security rules may be prohibiting the internet area from accessing the data center area, prohibiting the internet area from accessing the personnel information management service in the data center area, or other security rules. The security policy deployment intent determined in order to implement an already-opened service may include, for example, allowing a user in the internet to access service 1, allowing service 1 to access service 2, and so on, which is not exhaustive.
In another application scenario, the first security intent may be used to check whether the newly added security policy deployment intent conflicts with the first security intent. The newly added security policy deployment intention is, for example, a deployment intention of a security policy determined based on a service to be opened, and one newly added security policy deployment intention is used to indicate that an access behavior of one object to another object is allowed or prohibited. For example, if the service to be opened is an online learning service that opens a data center to an internet user, the newly added security policy deployment intention may include allowing the internet user to access the online learning service, which is illustrated herein for convenience only and is not intended to limit the present solution.
Since the specific implementation schemes of the two application scenarios are different, the specific implementation schemes of the two scenarios are described below.
Scenario 1: the first security intention is used to verify whether the first security policy matches an existing security policy deployment intention
Referring to fig. 6, fig. 6 is a flowchart illustrating a method for processing a security policy according to an embodiment of the present application. As shown in fig. 6, the method for processing a security policy provided in the embodiment of the present application includes the following steps 601 to 605.
In step 601, a first security policy configured on a first security device is obtained, where the first security policy indicates a first access behavior of a first address to a second address, and the first access behavior is permission or prohibition of access.
Step 602, generating a first security intention according to a first security policy, the first security intention indicating a first access behavior of a first object to a second object, the first object or the second object comprising any one of: the type of user, the name of the service, or the name of the network area.
In this embodiment, the specific implementation manner of steps 601 and 602 is similar to the specific implementation manner of steps 201 and 202 in the corresponding embodiment of fig. 2, and will not be described herein.
Step 603, determining whether the first security policy matches the security policy deployment intent according to the first security intent.
In this embodiment, the first communication device may acquire at least one security policy deployment intention already stored on the first security device, and for any one of the at least one security policy deployment intention (hereinafter referred to as "target security policy deployment intention" for convenience of description), the first communication device may determine whether the first security policy matches the target security policy deployment intention according to the first security intention.
The target security policy deployment intent indicates a second access behavior of a third object to a fourth object. The third object or the fourth object comprises any one of the following: the type of user, the name of the service, or the name of the network area; the second access behavior is to allow or prohibit access.
Specifically, in one case, if the third object and the first object each include a first sub-address, and the fourth object and the second object each include a second sub-address, and the first access behavior and the second access behavior are the same, it is determined that the first security policy matches the target security policy deployment intention.
For example, "the third object and the first object each include the first sub-address" may include any of the following cases: the third object comprises the first object, the first object comprises the third object, or the first sub-address is part of an address to which the third object points, and the first sub-address is part of an address to which the first object points.
The "third object includes the first object" includes that the address pointed to by the third object is the same as the address pointed to by the first object, that is, the third object and the first object are the same object; alternatively, the address pointed to by the first object is part of the address pointed to by the third object. The concept of "the first object includes the third object" is similar to the concept of "the third object includes the first object", and a description thereof will be omitted herein.
It should be noted that, in the embodiment of the present application, the concept of the address pointed to by the third object, the address pointed to by the first object, the first sub-address, and the second sub-address are used to explain the relationship between the third object and the first object, and the first communication device may determine the relationship between the third object and the first object directly according to the first object and the second object. For example, the third object is network area 1, the first object is service 1 in network area 1, and then the third object includes the first object, where the address pointed to by the first object is part of the address pointed to by the third object. For another example, the third object is network area 2, the first object is user Z in network area 2, and the third object comprises the first object, in this example the address to which the first object points is part of the address to which the third object points. For another example, the third object is the network area 3, and the first object is the network area 3, then the third object includes the first object, and in this example, the address pointed to by the first object is the same as the address pointed to by the third object. For another example, the third object is service C, and service C is provided in each of the network area 1, the network area 2, and the network area 3, and the first object is network area 1, where the address pointed to by the third object and the address pointed to by the first object each include an address (i.e., an example of the first sub-address) of a device that provides service C in network area 1, and so on, which is not exhaustive herein.
Optionally, if the first object is a user type, the address pointed by the first object includes an IP address adopted by a type of user; if the first object is a service name, the address pointed by the first object comprises an IP address, a port and a protocol type for the service; if the first object is a name of a network area, the address pointed to by the first object includes an IP address adopted by the network area. The meaning of the "address pointed to by the third object" is similar to the "address pointed to by the first object", and will not be described here.
Correspondingly, the "fourth object includes the second object" includes that the address pointed to by the fourth object is the same as the address pointed to by the second object, or that the address pointed to by the second object is a part of the address pointed to by the fourth object.
If the second object is the name of a service, the address pointed by the second object comprises an IP address, a port and a protocol type for the service; if the second object is a name of a network area, the address pointed to by the second object includes the IP address adopted by the network area. The meaning of the "address pointed to by the fourth object" is similar to the "address pointed to by the second object", and will not be described here.
The "the first access behavior and the second access behavior are the same" includes: when the first access behavior is allowed, the second access behavior is also allowed; when the first access behavior is prohibited, the second access behavior is also prohibited.
In another case, if the third object and the first object do not intersect, or the fourth object and the second object do not intersect, it is determined that the first security policy matches the target security policy deployment intent.
In a further case, if the third object and the first object each include a first sub-address, the fourth object and the second object each include a second sub-address, and the first access behavior and the second access behavior are different, then it is determined that the first security policy does not match (i.e., conflicts with) the target security policy deployment intent.
The first communication device may repeatedly perform the above operations to determine whether the first security policy matches each of the at least one security policy deployment intent, and if the first security policy matches each of the at least one security policy deployment intent, determine that the first security policy matches an existing security policy deployment intent; if the first security policy does not match any of the at least one security policy deployment intention, determining that the first security policy does not match a security policy deployment intention already existing on the first security device.
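As an added example that is not part of the patent, the following Python code models the matching rules of step 603: each object is represented by the address it points to (IP range, port range, protocol set), two objects share a sub-address when those addresses intersect, and a security intention conflicts with a deployment intention only when the sources overlap, the destinations overlap, and the access behaviors differ. The loop over all stored deployment intentions then yields the verification result used in step 605. Class and function names, the sample addresses (203.0.113.0/24 standing in for the internet area) and the PERMIT/DENY labels are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

PERMIT, DENY = "permit", "deny"


def ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


@dataclass(frozen=True)
class AddressBlock:
    """One contiguous piece of the address an object points to: an IP range,
    a port range and a protocol set (None means any protocol)."""
    first_ip: str
    last_ip: str
    first_port: int = 0
    last_port: int = 65535
    protocols: Optional[FrozenSet[str]] = None

    def intersects(self, other: "AddressBlock") -> bool:
        ips = (max(ip_int(self.first_ip), ip_int(other.first_ip))
               <= min(ip_int(self.last_ip), ip_int(other.last_ip)))
        ports = (max(self.first_port, other.first_port)
                 <= min(self.last_port, other.last_port))
        protos = (self.protocols is None or other.protocols is None
                  or bool(self.protocols & other.protocols))
        return ips and ports and protos


@dataclass(frozen=True)
class Obj:
    name: str        # a user type, a service name or a network area name
    blocks: tuple    # AddressBlocks making up the address the object points to


def share_sub_address(a: Obj, b: Obj) -> bool:
    """True when some sub-address is part of both objects' addresses; this
    covers 'a includes b', 'b includes a' and partial overlap alike."""
    return any(x.intersects(y) for x in a.blocks for y in b.blocks)


@dataclass(frozen=True)
class Intent:
    src: Obj
    dst: Obj
    action: str      # PERMIT or DENY


def compare(security_intent: Intent, deployment_intent: Intent) -> str:
    """Disjoint sources or disjoint destinations -> match; overlap with the
    same access behavior -> match; overlap with different behaviors -> conflict."""
    if not share_sub_address(security_intent.src, deployment_intent.src):
        return "match"
    if not share_sub_address(security_intent.dst, deployment_intent.dst):
        return "match"
    if security_intent.action == deployment_intent.action:
        return "match"
    return "conflict"


def verify_policy(security_intent: Intent, deployment_intents: List[Intent]) -> dict:
    """Step 603 over every stored deployment intention: the policy matches only
    if it matches all of them; the conflicting ones feed the alert of step 605."""
    conflicts = [d for d in deployment_intents
                 if compare(security_intent, d) == "conflict"]
    return {"matches": not conflicts, "conflicts": conflicts}


def sample_network():
    """Constructed objects loosely following the text's examples."""
    internet = Obj("internet area", (AddressBlock("203.0.113.0", "203.0.113.255"),))
    data_center = Obj("data center", (AddressBlock("192.168.10.1", "192.168.10.100"),))
    learning = Obj("online learning service", (AddressBlock(
        "192.168.10.1", "192.168.10.1", 12345, 12345, frozenset({"TCP"})),))
    anywhere = Obj("any", (AddressBlock("0.0.0.0", "255.255.255.255"),))
    return internet, data_center, learning, anywhere
```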
In the embodiment of the application, a specific method for determining whether the first security policy matches the security policy deployment intention according to the first security intention is defined, which reduces the difficulty of determining whether the security policy matches the security policy deployment intention.
Step 604, a first security policy and a first security intent are displayed.
In this embodiment, the specific implementation of step 604 may refer to the description of step 202 in the corresponding embodiment of fig. 2, which is not described herein.
Step 605, displaying a first verification result, wherein the first verification result indicates whether the first security policy and the security policy deployment intention are matched.
In this embodiment, the first communication device may further display a first verification result to the user through the GUI or through the second communication device, where the first verification result indicates whether the first security policy and the security policy deployment intention match.
Optionally, if the first security policy is not matched with the first security policy deployment intention, the first communication device may further display alert information to the user to alert the user to process a conflict situation between the first security policy and the first security policy deployment intention; the first security policy deployment intention is one of the at least one first security policy deployment intention that has been stored.
It should be noted that, the embodiment of the present application does not limit the execution sequence of steps 604 and 605, and steps 604 and 605 may be executed simultaneously, that is, the first communication device may display the first security policy, the first security intention, and the first verification result to the user through the GUI or through the second communication device. Alternatively, step 604 may be performed before step 605 is performed; alternatively, step 605 may be performed before step 604.
For a more intuitive understanding of this solution, the process of determining the first verification result is described below by way of a specific example; the embodiment shown in fig. 7 is provided only for ease of understanding and does not limit the solution. Referring to fig. 7, fig. 7 is a network topology diagram of a service already opened in a network according to an embodiment of the present application.
As shown in fig. 7, for example, Client-A has the IP address 101.10.1.1, the personal client information service has the IP address 182.101.1.1, the internet area has a public network address, the office area uses the IP addresses 192.168.1.0/24, and the data center uses the IP addresses 182.101.1.0/24. A service provided by the personal client information service to internet users has been opened in the network.
To implement the above service, the same first security policy is deployed on both firewall FW-A and firewall FW-B, for example as follows:
rule name Permit-A
source-address 101.10.1.1 mask 255.255.255.255
destination-address 182.101.1.1 mask 255.255.255.255
service HTTP
action permit
where the first security policy indicates that the access behavior of IP address 101.10.1.1 mask 255.255.255.255 to IP address 182.101.1.1 mask 255.255.255.255 is allowed.
After the first communication device obtains the above first security policy from firewall FW-A and from firewall FW-B respectively, it may generate a first security intention corresponding to the first security policy. That first security intention may indicate: Client-A, an internet user, performs a first access behavior on the personal client information service, the first access behavior being permission of access.
The first communication device obtains, from the at least one existing security policy deployment intention, the following security policy deployment intention: the internet performs a second access behavior on the data center, the second access behavior being prohibition of access. Because the internet (an example of the name of a network area) includes Client-A among its internet users, the data center (another example of the name of a network area) includes the personal client information service, and the first access behavior differs from the second access behavior, it is determined that the first security intention conflicts with (i.e., does not match) the existing security policy deployment intention; therefore the first security policies deployed on firewall FW-A and firewall FW-B both conflict with the security policy deployment intention.
The first communication device displays a first verification result and a first security policy corresponding to the first security intention to the user. The first verification result is shown in table 5, for example, and the first security policy corresponding to the first security intention is shown in table 6, for example.
TABLE 5
TABLE 6
It should be understood that the foregoing examples are merely for convenience in understanding the present solution and are not intended to limit the present solution.
In this embodiment, once the first security intention has been obtained, whether the first security policy matches an existing security policy deployment intention can be checked using the first security intention: whether the first security policy matches the security policy deployment intention is determined by judging whether the first security intention matches the security policy deployment intention, which makes checking the rationality of the first security policy possible.
Scene 2: the first security intent is used to verify whether the newly added security policy deployment intent conflicts with the first security intent
Referring to fig. 8, fig. 8 is a flowchart illustrating a method for processing a security policy according to an embodiment of the present application. As shown in fig. 8, the method for processing a security policy provided in the embodiment of the present application includes the following steps 801 to 805.
Step 801, a first security policy configured on a first security device is obtained, where the first security policy indicates a first access behavior of a first address to a second address, and the first access behavior is to allow or prohibit access.
Step 802, generating a first security intention according to a first security policy, the first security intention indicating that a first object performs a first access behavior on a second object, the first object or the second object comprising any one of: the type of user, the name of the service, or the name of the network area.
In this embodiment, the specific implementation manner of steps 801 and 802 is similar to the specific implementation manner of steps 201 and 202 in the corresponding embodiment of fig. 2, and will not be described herein.
Step 803, determining whether the deployment intention of the newly added security policy conflicts with the first security intention according to the first security intention.
In this embodiment, when the first communication device receives a newly added security policy deployment intention, it may obtain a security intention set corresponding to the at least one first security policy deployed on the first security device, where the set includes at least one first security intention. The first communication device judges whether the newly added security policy deployment intention conflicts with each first security intention in the set; if it conflicts with none of them, it is determined that the newly added security policy deployment intention does not conflict with the security intention set, and if it conflicts with any one of them, it is determined that the newly added security policy deployment intention conflicts with the security intention set.
The newly added security policy deployment intention indicates a third access behavior of the fifth object to the sixth object, wherein the third access behavior is access permission or access prohibition; the fifth object or the sixth object includes any one of the following: the user type, the name of the service, or the name of the network area.
For any one of the at least one first security intention, specifically, step 803 may include: when the first object and the fifth object both comprise a third sub-address, the second object and the sixth object both comprise a fourth sub-address, and the first access behavior and the third access behavior are different, determining that the newly added security policy deployment intention conflicts with the first security intention.
The meaning of "the first object and the fifth object each include a third sub-address" (i.e., the address pointed to by the first object and the address pointed to by the fifth object each include a third sub-address) and of "the second object and the sixth object each include a fourth sub-address" (i.e., the address pointed to by the second object and the address pointed to by the sixth object each include a fourth sub-address) follows the description of "the third object and the first object each include a first sub-address" above and is not repeated here.
When the first object and the fifth object both comprise a third sub-address, the second object and the sixth object both comprise a fourth sub-address, and the first access behavior and the third access behavior are the same, determining that the deployment intention of the newly added security policy does not conflict with the first security intention. When the address pointed by the first object and the address pointed by the fifth object do not intersect, or the address pointed by the second object and the address pointed by the sixth object do not intersect, the newly added security policy deployment intention is determined not to conflict with the first security intention.
This embodiment defines a specific method for judging whether the newly added security policy deployment intention conflicts with the first security intention, which reduces the difficulty of that judgment.
Step 804, a first security policy and a first security intent are displayed.
Step 805, displaying a second verification result, where the second verification result indicates whether the newly added security policy deployment intention conflicts with the first security intention.
In this embodiment, the specific implementation manner of steps 804 and 805 is similar to that of steps 604 and 605 in the corresponding embodiment of fig. 6, and will not be described herein.
Optionally, if it is verified that the newly added security policy deployment intention conflicts with a first security intention (for convenience of description, hereinafter referred to as the "target first security intention"), the first communication device may further display alert information to the user to prompt the user to handle the conflict between the first security policy and the target first security intention.
It should be noted that this embodiment does not limit the execution sequence of steps 804 and 805: they may be executed simultaneously, that is, the first communication device may display the first security policy, the first security intention and the second verification result to the user through the GUI or through the second communication device; alternatively, step 804 may be performed first and then step 805, or step 805 first and then step 804.
In this embodiment, once a newly added security policy deployment intention appears, whether it conflicts with the plurality of first security intentions is checked before the security policy corresponding to it is configured; this reduces the likelihood that the newly added security policy conflicts with existing security policies, improves the stability of network operation and helps guarantee that the network keeps providing services to users. It also provides another way of applying the first security intention, broadening the application scenarios of the solution and improving its flexibility.
Based on the embodiments shown in fig. 2 to 8, optionally, the first communication device may further determine each second security device according to the access path of the first address to the second address, where a second security device is any security device on the access path other than the first security device. The first communication device obtains the security policy configured on the second security device and generates a security intention corresponding to that security policy.
It then determines a second security intention corresponding to a second security policy, where the second security policy indicates a fourth access behavior of the first address to the second address and the second security intention indicates that the first object performs the fourth access behavior on the second object.
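The pairwise check that steps 603 and 803 both rely on, as an added Python example that is not part of the patent's text: each object (user type, service name or network area) is resolved to the address set it points to, two intents conflict exactly when both address sets overlap and the access behaviors differ, and the same function is used once to verify a first security policy against the stored deployment intents (step 603) and once to verify a newly added deployment intent against the set of first security intents (step 803). The fig. 7 addresses are taken from the page; the internet area's 101.10.0.0/16 range, the office deployment intent, the service port 80/tcp and all class and function names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

PERMIT = "permit"
DENY = "deny"


@dataclass(frozen=True)
class AddrObject:
    """A user type, service name or network area together with the address it
    points to (CIDR strings). port/proto are set only for a service (the page's
    "IP address, port and protocol type") and are compared only when both
    sides carry them. Constructed model, not the patent's data structure."""
    name: str
    networks: Tuple[str, ...]
    port: Optional[int] = None
    proto: Optional[str] = None

    def overlaps(self, other: "AddrObject") -> bool:
        """True when the two objects share at least one sub-address."""
        if not any(ip_network(a).overlaps(ip_network(b))
                   for a in self.networks for b in other.networks):
            return False
        if None not in (self.port, other.port) and self.port != other.port:
            return False
        if None not in (self.proto, other.proto) and self.proto != other.proto:
            return False
        return True


@dataclass(frozen=True)
class Intent:
    """'subject performs action on target': a first security intent or a
    security policy deployment intent."""
    subject: AddrObject
    action: str
    target: AddrObject


def intents_conflict(a: Intent, b: Intent) -> bool:
    """Conflict iff both subjects and both targets overlap and the access
    behaviors differ. Disjoint subjects or disjoint targets never conflict."""
    if not (a.subject.overlaps(b.subject) and a.target.overlaps(b.target)):
        return False
    return a.action != b.action


def policy_matches_deployment_intents(first_intent: Intent,
                                      deployment_intents: List[Intent]):
    """Step 603: the first security policy matches only when its intent conflicts
    with none of the stored deployment intents. Returns (matches, conflicts)."""
    conflicts = [d for d in deployment_intents if intents_conflict(first_intent, d)]
    return (not conflicts, conflicts)


def new_deployment_intent_conflicts(new_intent: Intent, intent_set: List[Intent]):
    """Step 803: the same pairwise test, run for a newly added deployment intent
    against the security intent set of the policies already deployed."""
    return [i for i in intent_set if intents_conflict(new_intent, i)]


def fig7_example() -> dict:
    """Worked example with the fig. 7 addresses. The internet area is only
    described as 'public' on the page; 101.10.0.0/16 (which contains Client-A)
    and the office -> data center intent are constructed for this example."""
    client_a = AddrObject("Client-A", ("101.10.1.1/32",))
    pcis = AddrObject("personal client information service",
                      ("182.101.1.1/32",), port=80, proto="tcp")
    internet = AddrObject("internet", ("101.10.0.0/16",))
    office = AddrObject("office area", ("192.168.1.0/24",))
    datacenter = AddrObject("data center", ("182.101.1.0/24",))

    # first security intent generated from rule Permit-A on FW-A / FW-B
    first_intent = Intent(client_a, PERMIT, pcis)
    # existing deployment intents: internet -> data center is prohibited
    deployment = [Intent(internet, DENY, datacenter),
                  Intent(office, PERMIT, datacenter)]
    matches, conflicts = policy_matches_deployment_intents(first_intent, deployment)

    # step 803 view: newly added deployment intents checked against the intent set
    office_deny = new_deployment_intent_conflicts(
        Intent(office, DENY, datacenter), [first_intent])      # disjoint subjects
    internet_deny = new_deployment_intent_conflicts(
        Intent(internet, DENY, datacenter), [first_intent])    # overlapping, differs
    return {
        "first_policy_matches": matches,
        "conflicting_deployment_intents": [d.subject.name for d in conflicts],
        "new_office_intent_conflicts": len(office_deny),
        "new_internet_intent_conflicts": len(internet_deny),
    }
```

The fig. 7 run reports that Permit-A does not match the stored intents because of the internet → data center prohibition, while the office → data center intent is untouched because its address set never overlaps Client-A; the same `intents_conflict` call answers both the step 603 and the step 803 question.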
Optionally, in an application scenario, the first security intention and the second security intention may be used to verify whether the first security policy and the second security policy match an existing security policy deployment intention.
In another application scenario, the first security intention and the second security intention are used to check configuration redundancy when the first access behavior is prohibition of access. In this embodiment, the second security device located on the access path of the first address to the second address can be obtained, together with the second security intention corresponding to the second security policy on that device, which facilitates the subsequent maintenance of the security policies on the other security devices along that access path.
Since the specific implementation schemes of the two application scenarios are different, the specific implementation schemes of the two scenarios are described below.
Scene 1: the first security intention and the second security intention are used to verify whether the first security policy and the second security policy match an existing security policy deployment intention.
Referring to fig. 9, fig. 9 is a flowchart illustrating a method for processing a security policy according to an embodiment of the present application. As shown in fig. 9, the method for processing a security policy provided in the embodiment of the present application includes the following steps 901-907.
Step 901, a first security policy configured on a first security device is obtained, where the first security policy indicates a first access behavior of a first address to a second address, and the first access behavior is permission or prohibition of access.
Step 902, generating a first security intention according to a first security policy, the first security intention indicating a first access behavior of a first object to a second object, the first object or the second object comprising any one of: the type of user, the name of the service, or the name of the network area.
In this embodiment, the specific implementation manner of steps 901 and 902 is similar to the specific implementation manner of steps 201 and 202 in the corresponding embodiment of fig. 2, and will not be described herein.
Step 903, obtaining a security policy configured on the second security device, where the first security device and the second security device are both located on a target access path of the first address to the second address, and the first security device and the second security device are different security devices.
Step 904, generating a security intent corresponding to a security policy configured on the second security device.
In this embodiment, the specific implementation manner of steps 903 and 904 is similar to the specific implementation manner of steps 201 and 202 in the corresponding embodiment of fig. 2, and will not be described herein.
It should be noted that, the embodiment of the present application does not limit the execution sequence of steps 901 to 902 and steps 903 to 904, and steps 901 and 902 may be executed first, and then steps 903 and 904 may be executed; steps 903 and 904 may be performed before steps 901 and 902 are performed.
Step 905, determining whether the first security policy and the second security policy match the security policy deployment intent according to the first security intent and the second security intent.
In this embodiment, after determining, according to the first address and the second address, the at least one security device included in the target access path of the first address to the second address, the first communication device may determine the at least one second security device included in the target access path if the target access path includes at least two security devices.
For any one of the at least one second security device (hereinafter referred to as a "target second security device" for convenience of description), there may be a plurality of security intents corresponding to a plurality of security policies in the target second security device.
The first communication device may determine whether a second security intention corresponding to a second security policy exists among a plurality of security intents corresponding to a target second security device, where the second security policy indicates a fourth access behavior of the first address to the second address, the fourth access behavior being permission or prohibition of access, and the second security intention indicates a fourth access behavior of the first object to the second object.
If a second security intention corresponding to a second security policy exists in the target second security device, the first communication device may determine, according to the first security intention and the second security intention corresponding to the target second security device, whether the first security policy and the second security policy on the target second security device match the target security policy deployment intention, where the target security policy deployment intention is any one of the at least one security policy deployment intention.
Specifically, in one case, if it is determined that the first security policy matches the security policy deployment intent based on the first security intent, and the second security intent does not conflict with the first security intent, it is determined that both the first security policy and the second security policy in the target second security device match the security policy deployment intent. For a specific implementation of "determining whether the first security policy matches the security policy deployment intention based on the first security intention" refer to the description in step 603 in the corresponding embodiment of fig. 6, which is not described herein.
If the first access behavior and the fourth access behavior are the same, the first communication device determines that the second security intention and the first security intention do not conflict, that is, the first security policy on the first security device and the second security policy on the target second security device do not conflict.
That is, when the third object includes the first object, the fourth object includes the second object, and the first access behavior and the fourth access behavior are both identical to the second access behavior, it is determined that both the first security policy and the second security policy match the security policy deployment intention.
In another case, if it is determined based on the first security intention that the first security policy matches the security policy deployment intention, but the second security intention conflicts with the first security intention, then it is determined that the first security policy matches the security policy deployment intention and that the second security policy in the target second security device does not match the security policy deployment intention.
If the first access behavior and the fourth access behavior are different, the first communication device determines that the second security intention conflicts with the first security intention, that is, the first security policy on the first security device conflicts with the second security policy on the target second security device.
In another case, if it is determined based on the first security intent that the first security policy does not match the security policy deployment intent, then step 905 need not be performed.
In the embodiment of the application, a specific implementation manner for checking whether the first security policy and the second security policy match the security policy deployment intention according to the first security intention and the second security intention is provided, so that the implementation difficulty of the scheme is reduced.
If the second security intention corresponding to the second security policy does not exist in the target second security device, the first communication device may determine that the second security policy is missing on the target second security device. Optionally, the first communication device may further display, through a GUI or through the second communication device, alert information to the user, where the alert information is used to inform the user that the second security policy is missing on the target second security device.
For a more intuitive understanding of this solution, the process of determining the first verification result is described below using a specific example; fig. 10 is a network topology diagram for the security policy processing method provided in the embodiment of the present application. Fig. 10 includes upper and lower sub-diagrams: the upper sub-diagram shows a network topology and the lower sub-diagram shows the alert information informing the user that the second security policy is missing. As shown in fig. 10, Client-A has the IP address 192.168.1.1 and the personal client information service has the IP address 172.101.1.1.
The firewalls FW-A and FW-C each have the same security policy deployed thereon, examples of which are as follows:
rule name Permit-A
source-address 192.168.1.1 mask 255.255.255.255
destination-address 172.101.1.1 mask 255.255.255.255
service HTTP
action permit
where the security policy indicates that the access behavior of IP address 192.168.1.1 mask 255.255.255.255 to IP address 172.101.1.1 mask 255.255.255.255 is allowed.
After obtaining the above first security policy from firewall FW-A, the first communication device may generate a first security intention corresponding to it. That first security intention may indicate: Client-A, an internet user, performs a first access behavior on the personal client information service, the first access behavior being permission of access.
After determining, according to the first security intention, that the first security policy matches the security policy deployment intention, the first communication device determines that the target access path between Client-A and the personal client information service includes three security devices, firewall FW-A, firewall FW-B and firewall FW-C, and determines that firewall FW-A and firewall FW-C are two second security devices on that target access path.
When the first access behavior is permission of access, the first communication device judges whether a second security intention exists among the security intentions corresponding to the at least one security policy on firewall FW-B; because the result is negative, it determines that the second security policy is missing on firewall FW-B, that is, alert information needs to be output to the user.
The first communication device judges whether a second security intention exists among the security intentions corresponding to the at least one security policy on firewall FW-C; because the result is positive and the fourth access behavior in the second security intention corresponding to firewall FW-C does not conflict with the first access behavior, it determines that the first security policy on firewall FW-A and the second security policy on firewall FW-C both match the security policy deployment intention.
As shown in the lower sub-diagram of fig. 10, the second security intention on FW-A and the second security intention on FW-C match the security policy deployment intention, while the second security policy is missing on FW-B. In fig. 10, the √ indicates that the security intention on the corresponding firewall prohibits access of Client-A to the personal client information service, and the circle indicates that a security policy is missing on the corresponding firewall.
It should be understood that the example in fig. 10 is merely for facilitating understanding of the present solution, and is not intended to limit the present solution.
Step 906, a first security policy and a first security intent are displayed.
Step 907, displaying a third verification result indicating whether the first security policy and the second security policy match the security policy deployment intent.
In this embodiment, the third verification result includes that both the first security policy and the second security policy on the target second security device match the security policy deployment intention; alternatively, the first security intention determines that the first security policy matches the security policy deployment intention, and that the second security policy in the target second security device does not match the security policy deployment intention. The specific implementation of steps 906 and 907 is similar to steps 604 and 605 in the corresponding embodiment of fig. 6, and will not be described here.
For a more intuitive understanding of this solution, the process of determining the third verification result is described below using a specific example; fig. 11 is a network topology diagram for the security policy processing method provided in the embodiment of the present application. Fig. 11 includes upper and lower sub-diagrams: the upper sub-diagram shows a network topology and the lower sub-diagram shows the third verification result. As shown in fig. 11, Client-A has the IP address 192.168.1.1 and the personal client information service has the IP address 172.101.1.1.
The following security policy is deployed on firewall FW-B:
rule name Deny-A-Web
source-address 192.168.1.1 mask 255.255.255.255
destination-address 172.101.1.1 mask 255.255.255.255
service HTTP
action deny
where the security policy indicates that access of IP address 192.168.1.1 mask 255.255.255.255 to IP address 172.101.1.1 mask 255.255.255.255 is prohibited.
The same security policy is deployed on firewalls FW-A and FW-C, for example as follows:
rule name Permit-A
source-address 192.168.1.1 mask 255.255.255.255
destination-address 172.101.1.1 mask 255.255.255.255
service HTTP
action permit
where the security policy indicates that the access behavior of IP address 192.168.1.1 mask 255.255.255.255 to IP address 172.101.1.1 mask 255.255.255.255 is allowed.
After the first communication device obtains the above first security policy from firewall FW-B, it may generate a first security intention corresponding to the first security policy, which may indicate: Client-A performs a first access behavior on the personal client information service, the first access behavior being prohibition of access.
The first communication device determines that the target access path between Client-A and the personal client information service includes three security devices, firewall FW-A, firewall FW-B and firewall FW-C, and determines that firewall FW-A and firewall FW-C are the two second security devices on that target access path.
After obtaining the above security policies from firewall FW-A and firewall FW-C, the first communication device may generate the security intentions corresponding to the security policies on firewall FW-A and firewall FW-C, and determine a second security intention from the at least one security intention corresponding to each of them. The second security intention corresponding to firewall FW-A and to firewall FW-C may indicate: Client-A performs a fourth access behavior on the personal client information service, the fourth access behavior being permission of access. The √ shown in fig. 11 indicates that the security intention on the corresponding firewall prohibits access of Client-A to the personal client information service, and the × indicates that the security intention on the corresponding firewall permits access of Client-A to the personal client information service.
After determining that the first security policy matches the security policy deployment intention, the first communication device may determine whether the second security intentions corresponding to firewall FW-A and firewall FW-C conflict with the first security intention. Because they do conflict with the first security intention, the third verification result is that the first security policy on firewall FW-B matches the security policy deployment intention and the second security policies on firewall FW-A and firewall FW-C do not match the security policy deployment intention.
The third verification result displayed to the user by the first communication device may be as shown in the following table 7 and table 8:
TABLE 7
TABLE 8
Security intention | Source IP address | Access behavior | Destination IP address
First security intention on FW-B | 192.168.1.1 | Prohibiting access | 172.101.1.1
Second security intention on FW-A | 192.168.1.1 | Allowing access | 172.101.1.1
Second security intention on FW-C | 192.168.1.1 | Allowing access | 172.101.1.1
As shown in the lower sub-diagram of fig. 11, the second security intention on FW-A and the second security intention on FW-C conflict with the security policy deployment intention, while the first security intention on FW-B matches it. It should be understood that the example in fig. 11 is merely to facilitate understanding of the present solution and is not intended to limit it.
In this embodiment, whether the first security policy and the second security policy match the security policy deployment intention can be checked according to the first security intention and the second security intention, which provides another way of applying the first security intention, broadens the application scenarios of the solution and further improves its flexibility. In addition, not only can the security policy on a single security device be checked against the security policy deployment intention, but also the security policies on all security devices along the access path of the first address to the second address; that is, by comparing the first security intention and the second security intention with the security policy deployment intention, checking the rationality of both the first security policy and the second security policy is realized.
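The path check of steps 903 to 907, as an added Python example that is not the patent's own code: for each second security device on the target access path, the rule covering the first address → second address pair is looked up (its intent is the second security intention); if none exists the device is reported as missing the second security policy (the fig. 10 alert), if its action equals the first access behavior the device matches, and if it differs it conflicts with the deployment intention (the fig. 11 result). The rules, addresses and firewall names are the ones on the page; the `Rule` class, the path list and the function names are constructed assumptions, and the example assumes step 603 already found the first security policy to match the deployment intent.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional

PERMIT = "permit"
DENY = "deny"


@dataclass(frozen=True)
class Rule:
    """A firewall rule in the form the page lists it (source-address,
    destination-address, service, action); addresses as CIDR strings."""
    name: str
    source: str
    destination: str
    service: str
    action: str

    def covers(self, src: str, dst: str, service: str) -> bool:
        """True when this rule decides traffic from src to dst for the service."""
        return (ip_network(src).subnet_of(ip_network(self.source))
                and ip_network(dst).subnet_of(ip_network(self.destination))
                and self.service == service)


def find_policy(rules: List[Rule], src: str, dst: str, service: str) -> Optional[Rule]:
    """The first rule on a device covering the first address -> second address
    pair, i.e. the policy whose intent is the device's 'second security intent'."""
    for r in rules:
        if r.covers(src, dst, service):
            return r
    return None


def check_path(first_device: str, path: List[str],
               rules_by_device: Dict[str, List[Rule]],
               src: str, dst: str, service: str) -> Dict[str, str]:
    """Steps 903-907 for one access path. Every device other than first_device
    is classified as 'match' (fourth access behavior equals the first access
    behavior), 'conflict' (it differs, so that second security policy does not
    match the deployment intent) or 'missing' (no second security policy, the
    case the page reports to the user with alert information)."""
    first = find_policy(rules_by_device.get(first_device, []), src, dst, service)
    if first is None:
        raise ValueError(f"no first security policy on {first_device} for {src} -> {dst}")
    verdict = {first_device: "match"}
    for dev in path:
        if dev == first_device:
            continue
        second = find_policy(rules_by_device.get(dev, []), src, dst, service)
        if second is None:
            verdict[dev] = "missing"
        elif second.action == first.action:
            verdict[dev] = "match"
        else:
            verdict[dev] = "conflict"
    return verdict


# Page data: Client-A, the personal client information service, and the two rules.
CLIENT_A = "192.168.1.1/32"
PCIS = "172.101.1.1/32"
PERMIT_A = Rule("Permit-A", CLIENT_A, PCIS, "HTTP", PERMIT)
DENY_A_WEB = Rule("Deny-A-Web", CLIENT_A, PCIS, "HTTP", DENY)
# Constructed ordering of the three firewalls on the target access path.
PATH = ["FW-A", "FW-B", "FW-C"]


def fig10_example() -> Dict[str, str]:
    """Fig. 10: Permit-A on FW-A and FW-C, no rule on FW-B; first policy from FW-A."""
    rules = {"FW-A": [PERMIT_A], "FW-B": [], "FW-C": [PERMIT_A]}
    return check_path("FW-A", PATH, rules, CLIENT_A, PCIS, "HTTP")


def fig11_example() -> Dict[str, str]:
    """Fig. 11: Deny-A-Web on FW-B, Permit-A on FW-A and FW-C; first policy from FW-B."""
    rules = {"FW-A": [PERMIT_A], "FW-B": [DENY_A_WEB], "FW-C": [PERMIT_A]}
    return check_path("FW-B", PATH, rules, CLIENT_A, PCIS, "HTTP")
```

`fig10_example()` yields FW-B as missing and FW-A and FW-C as matching, which is the alert case of fig. 10; `fig11_example()` yields FW-B matching and FW-A and FW-C in conflict, which is the third verification result of table 8.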
Scene 2: the first security intention and the second security intention are used to check configuration redundancy.
Referring to fig. 12, fig. 12 is a flowchart of a method for obtaining a security policy according to an embodiment of the present application.
As shown in fig. 12, the method for obtaining a security policy provided in the embodiment of the present application includes the following steps 1201-1207:
step 1201, a first security policy configured on a first security device is obtained, where the first security policy indicates a first access behavior of a first address to a second address, and the first access behavior is to allow or prohibit access.
Step 1202, generating a first security intention according to a first security policy, the first security intention indicating a first access behavior of a first object to a second object, the first object or the second object comprising any one of: the type of user, the name of the service, or the name of the network area.
In this embodiment, the specific implementation manner of steps 1201 and 1202 is similar to that of steps 201 and 202 in the corresponding embodiment of fig. 2, and will not be described here.
Step 1203, obtaining a security policy configured on a second security device, where the first security device and the second security device are both located on a target access path of the first address to the second address, and the first security device and the second security device are different security devices.
Step 1204, generating a security intent corresponding to the security policy configured on the second security device.
In this embodiment, the specific implementation manner of steps 1203 and 1204 is similar to the specific implementation manner of steps 201 and 202 in the corresponding embodiment of fig. 2, and will not be described here again.
It should be noted that, the embodiment of the present application does not limit the execution sequence of steps 1201 to 1202 and steps 1203 to 1204, and steps 1201 and 1202 may be executed first, and then steps 1203 and 1204 may be executed; steps 1203 and 1204 may also be performed before steps 1201 and 1202.
Step 1205, determining whether the first security policy and the second security policy are configuration redundancy according to the first security intention and the second security intention.
In this embodiment, after determining, according to the first address and the second address, the at least one security device included in the target access path from the first address to the second address, if the target access path includes at least two security devices, the first communication device may determine at least one second security device included in the target access path.
For any one of the at least one second security device (hereinafter referred to as a "target second security device" for convenience of description), in the case where the first access behavior is prohibited access, there may be a plurality of security intents corresponding to the plurality of security policies in the target second security device, and the first communication device may acquire a second security intention corresponding to the second security policy from the plurality of security intents corresponding to the target second security device, wherein the second security policy indicates a fourth access behavior of the first address to the second address, the fourth access behavior being an allowed or prohibited access behavior, the second security intention indicating that the first object performs the fourth access behavior to the second object.
If the second security intention exists among the plurality of security intents corresponding to the target second security device and the fourth access behavior is prohibited access, that is, at least one second security intention among the plurality of security intents corresponding to the target second security device indicates that the first object is prohibited from accessing the second object, it is determined that the first security policy and the second security policy on the target second security device have configuration redundancy. If no second security intention among the at least one second security intention indicates that the first object is prohibited from accessing the second object, it is determined that the first security policy does not have configuration redundancy with the second security policy on the target second security device.
The first communication device performs the above-described operations on each of the at least one second security device to determine whether the first security policy has configuration redundancy with the second security policy on each second security device. If the first security policy has configuration redundancy with the second security policy on at least one second security device on the target access path, it is determined that the first security policy and the second security policy have configuration redundancy.
If the first security policy and the second security policy on each second security device on the target access path have no configuration redundancy, it is determined that the first security policy and the second security policy have no configuration redundancy.
In the embodiment of the present application, when the access behavior of the first address to the second address is to be prohibited, only a security policy for prohibiting the access behavior of the first address to the second address is configured on any security device on an access path from the first address to the second address, so when both the first security intention and the second security intention indicate that the first object is prohibited from accessing the second object, it may be determined that there is a configuration redundancy between the first security policy and the second security policy, which is favorable for timely finding out the redundant security policy and improving the resource utilization rate of the security device.
Step 1206 displays the first security policy and the first security intent.
Step 1207, displaying a fourth checking result, where the fourth checking result indicates whether the first security policy and the second security policy have configuration redundancy.
In this embodiment, the implementation manner of steps 1206 and 1207 is similar to steps 604 and 605 in the corresponding embodiment of fig. 6, and will not be described here again.
Optionally, when it is determined that the first security policy and the second security policy have configuration redundancy, a disposition suggestion may also be displayed to the user through the GUI or the second communication device according to the deployment policy of the security policies. The disposition suggestion is used to indicate which security policy on which security device on the target access path is retained; deployment policies for the security policies include one or more of the following: the near-first-object policy, the near-second-object policy, the resource comparison policy, the random policy, or other policies, which are not exhaustively listed herein.
The near-first-object policy selects and retains the security policy on the security device closest to the first object among the at least one security device on the target access path; the near-second-object policy selects and retains the security policy on the security device closest to the second object among the at least one security device on the target access path; the resource comparison policy selects and retains the security policy on the security device with the most security resources among the at least one security device on the target access path, where the security resources are the free storage space used for storing security policies in the security device.
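The following is an added worked example, not code from the patent or from Huawei: it lifts address-level firewall rules in the layout quoted later in this description into object-level security intents, then runs the two path-wide checks described above, namely the third verification result of scene 1 (every device on the access path must match the security policy deployment intention) and the configuration-redundancy check of scene 2 together with the near-first-object / near-second-object disposition suggestion. The object information base, the "permit" rule used for scene 1, the path ordering, and matching objects by name rather than by sub-address inclusion are all constructed simplifications for illustration.

```python
# Added example (not the patent's code): intent generation from firewall rules
# and the two path-level checks described in the text. The object information
# base, the constructed rule texts and the path order are assumptions.
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed object information base: object name -> address ranges it owns.
OBJECT_INFO_BASE = {
    "Client-A": [ip_network("192.168.1.1/32")],
    "personal client information service": [ip_network("172.101.1.1/32")],
}


@dataclass(frozen=True)
class Policy:
    device: str
    name: str
    src: object     # ip_network
    dst: object     # ip_network
    service: str
    action: str     # "permit" or "deny"


@dataclass(frozen=True)
class Intent:
    device: str
    src_obj: str
    dst_obj: str
    action: str


def parse_rule(device, text):
    """Parse the rule layout quoted in the description:
    rule name X / source-address A mask M / destination-address A mask M / service S / action X."""
    fields = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "rule":
            fields["name"] = tok[2]
        elif tok[0] in ("source-address", "destination-address"):
            fields[tok[0]] = ip_network(f"{tok[1]}/{tok[3]}")   # "addr mask m"
        else:
            fields[tok[0]] = tok[1]
    return Policy(device, fields["name"], fields["source-address"],
                  fields["destination-address"], fields["service"], fields["action"])


def address_to_object(net):
    """Map an address range to the object that owns it in the object information base."""
    for name, owned in OBJECT_INFO_BASE.items():
        if any(net.subnet_of(o) for o in owned):
            return name
    return None


def generate_intent(policy):
    """Steps 1201/1202: lift an address-level policy to an object-level intent."""
    return Intent(policy.device, address_to_object(policy.src),
                  address_to_object(policy.dst), policy.action)


def check_deployment_intent(intents, deployment):
    """Third verification result (scene 1): each device on the path matches only if
    its intent names the same objects and the same access behaviour as the deployment
    intent. Returns {device: matches}."""
    return {i.device: (i.src_obj, i.dst_obj, i.action)
            == (deployment.src_obj, deployment.dst_obj, deployment.action)
            for i in intents}


def check_redundancy(first, others):
    """Fourth verification result (scene 2): a 'deny' on the first device is redundant
    with every other device on the path that also denies the same object pair."""
    if first.action != "deny":
        return []
    return [o.device for o in others
            if (o.src_obj, o.dst_obj, o.action) == (first.src_obj, first.dst_obj, "deny")]


def disposition(path, devices_with_policy, strategy):
    """Disposition suggestion: path is ordered from first object to second object."""
    ordered = [d for d in path if d in devices_with_policy]
    return ordered[0] if strategy == "near_first_object" else ordered[-1]


# Rule text from the description, plus a constructed 'permit' variant for scene 1.
DENY_A_WEB = """rule name Deny-A-Web
source-address 192.168.1.1 mask 255.255.255.255
destination-address 172.101.1.1 mask 255.255.255.255
service HTTP
action deny"""
PERMIT_A_WEB = DENY_A_WEB.replace("Deny-A-Web", "Permit-A-Web").replace("action deny", "action permit")


def scene1():
    """FW-A and FW-C permit, FW-B denies; deployment intent is 'deny'."""
    intents = [generate_intent(parse_rule(d, r)) for d, r in
               (("FW-A", PERMIT_A_WEB), ("FW-B", DENY_A_WEB), ("FW-C", PERMIT_A_WEB))]
    deployment = Intent("", "Client-A", "personal client information service", "deny")
    return check_deployment_intent(intents, deployment)


def scene2():
    """FW-A and FW-B both deny Client-A -> service: redundant; keep the one near the service."""
    first = generate_intent(parse_rule("FW-A", DENY_A_WEB))
    second = generate_intent(parse_rule("FW-B", DENY_A_WEB))
    redundant = check_redundancy(first, [second])
    keep = disposition(["FW-A", "FW-B"], [first.device] + redundant, "near_second_object")
    return redundant, keep


if __name__ == "__main__":
    print("scene 1 match per device:", scene1())
    print("scene 2 redundant devices, device to keep:", scene2())
```

In scene 1 only FW-B reports a match, reproducing the third verification result in tables 7 and 8; in scene 2 FW-B is reported as redundant with FW-A and the near-second-object policy retains the rule on FW-B, the device adjacent to the service.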
For a more intuitive understanding of the present solution, the process of determining the fourth verification result will be described below by way of a specific example, and it should be noted that the embodiment shown in fig. 13 below is merely for convenience of understanding the present solution, and is not limited to this solution. Referring to fig. 13, fig. 13 is a network topology diagram of a method for processing a security policy according to an embodiment of the present application. Fig. 13 includes upper and lower sub-graphs, the upper sub-graph of fig. 13 shows a network topology, and the lower sub-graph of fig. 13 shows a fourth verification result. The IP address of Client-A is 192.168.1.1 and the IP address of personal Client information service is 172.101.1.1.
The security policies deployed on both the firewall FW-A and the firewall FW-B are as follows:
rule name Deny-A-Web
source-address 192.168.1.1 mask 255.255.255.255
destination-address 172.101.1.1 mask 255.255.255.255
service HTTP
action deny
wherein the security policy indicates that access to the IP address 172.101.1.1 mask 255.255.255.255 by the IP address 192.168.1.1 mask 255.255.255.255 is prohibited.
After the first communication device obtains the above-mentioned first security policy from the firewall FW-A, a first security intention corresponding to the first security policy may be generated. The first security intent corresponding to the first security policy may indicate: Client-A performs a first access behavior on the personal Client information service, the first access behavior being prohibited access.
The first communication device determines that the target access path between Client-A and the personal Client information service includes two security devices, firewall FW-A and firewall FW-B, and determines that firewall FW-B is a second security device on the target access path between Client-A and the personal Client information service.
After the first communication device obtains the second security policy from the firewall FW-B, a second security intention corresponding to the second security policy may be generated. The second security intent corresponding to the second security policy on the firewall FW-B may indicate: Client-A performs a fourth access behavior on the personal Client information service, the fourth access behavior being prohibited access.
The first communication device determines that the second security intention corresponding to firewall FW-B indicates that Client-A is prohibited from accessing the personal Client information service, and therefore determines that the first security policy in firewall FW-A has configuration redundancy with the second security policy in firewall FW-B.
The fourth verification result displayed to the user by the first communication device may be as shown in the following table 9 and table 10:
TABLE 9
Security policies corresponding to security intent:
TABLE 10
                                Source IP address   Access behavior      Destination IP address
First security policy on FW-A   192.168.1.1         Prohibiting access   172.101.1.1
Second security policy on FW-B  192.168.1.1         Prohibiting access   172.101.1.1
As shown in the lower sub-schematic of fig. 13, there is configuration redundancy between the security policies on FW-A and FW-B. An X in the lower sub-diagram indicates that the security intent of the corresponding firewall specifies that Client-A is prohibited from accessing the personal Client information service. It should be understood that the example in fig. 13 is merely for facilitating understanding of the present solution, and is not intended to limit the present solution.
In the embodiment of the application, whether configuration redundancy of security policies exists across the plurality of security devices can be determined according to the first security intention and the second security intention, so that redundant security policies can be found in time and the utilization rate of resources on the security devices is improved. In addition, another application mode of the first security intention is provided, the application scenarios of the scheme are expanded, and the flexibility of the scheme is further improved.
One or more verification results can be displayed to the user, prompting the user to find in time the problems existing in the security policies deployed in the security devices or in the security policies to be deployed, which helps the user find existing or potential risks in time and improves the stability of network operation.
Referring to fig. 14, fig. 14 is a schematic structural diagram of a security policy processing device according to an embodiment of the present application. As shown in fig. 14, the processing apparatus 1400 of the security policy includes an acquisition module 1401 and a generation module 1402. An obtaining module 1401 is configured to obtain a first security policy configured on the first security device, where the first security policy indicates a first access behavior of the first address to the second address, and the first access behavior is to allow or prohibit access. A generating module 1402 is configured to generate a first security intention according to a first security policy, the first security intention indicating a first access behavior of a first object to a second object. The first object or the second object includes any one of the following: the type of user, the name of the service, or the name of the network area.
Optionally, referring to fig. 15, fig. 15 is a schematic structural diagram of a processing device for security policy according to an embodiment of the present application. The processing means 1400 of the security policy further comprises a determination module 1403.
Optionally, the determining module 1403 is configured to determine the first object according to the first address and determine the second object according to the second address.
Optionally, the determining module 1403 is further configured to determine a first object according to the first address and object information base, and determine a second object according to the second address and object information base. The object information base includes each object of the at least one object and address information of each object. The at least one object includes a first object and a second object. Each object is any one of the following: a type of user, a name of a service, or a name of a network area.
Optionally, the first security intention is used to check whether the first security policy matches the security policy deployment intention.
Optionally, the security policy deployment intent indicates a second access behavior of the third object to the fourth object. Optionally, the determining module 1403 is further configured to determine that the first security policy matches the security policy deployment intention when the third object and the first object each include a first sub-address, the fourth object and the second object each include a second sub-address, and the first access behavior and the second access behavior are the same.
Optionally, the first security intention is used to check whether the newly added security policy deployment intention conflicts with the first security intention.
Optionally, the additional security policy deployment intent indicates a third access behavior of the fifth object to the sixth object. Optionally, the determining module 1403 is further configured to determine that the newly added security policy deployment intention conflicts with the first security intention when the first object and the fifth object each include a third sub-address, the second object and the sixth object each include a fourth sub-address, and the first access behavior and the third access behavior are different.
Optionally, the obtaining module 1401 is further configured to obtain a second security policy configured on the second security device, and the generating module 1402 is further configured to generate a second security intention according to the second security policy. The second security policy indicates a fourth access behavior of the first address to the second address, and the second security intent indicates that the first object performs the fourth access behavior to the second object. The first security device is located on an access path of the first address to the second address, the second security device being any other security device on the access path.
Optionally, the first security intention and the second security intention are used to verify whether the first security policy and the second security policy match the security policy deployment intention.
Optionally, the security policy deployment intent indicates a second access behavior of the third object to the fourth object. Optionally, the determining module 1403 is further configured to determine that the first security policy and the second security policy match the security policy configuration intent when the third object includes the first object, the fourth object includes the second object, and the first access behavior and the fourth access behavior are the same as the second access behavior.
Optionally, the first security intention and the second security intention are used to check configuration redundancy.
Optionally, the determining module 1403 is further configured to determine that there is a configuration redundancy when the first security intention and the second security intention both indicate that the first object is prohibited from accessing the second object.
Optionally, referring to fig. 15, the processing device 1400 of the security policy further includes a display module 1404. A display module 1404 for displaying the first security policy and the first security intention.
Optionally, the display module 1404 is further configured to display one or more of the following: the first check result, the second check result, the third check result, or the fourth check result. The first verification result indicates whether the first security policy matches the security policy deployment intent. The second check result indicates whether the newly added security policy deployment intention conflicts with the first security intention. The third verification result indicates whether the first security policy and the second security policy match the security policy deployment intent. The fourth check result indicates whether there is configuration redundancy.
Optionally, the obtaining module 1401 is further configured to obtain a third security policy from the third security device, where the third security policy indicates that the access behavior of the third address to the fourth address is allowed or forbidden. Optionally, the obtaining module 1401 is further configured to obtain a seventh object corresponding to the third address, obtain an eighth object corresponding to the fourth address, and add a correspondence between the seventh object and the third address and a correspondence between the eighth object and the fourth address to the object information base, so as to obtain a new object information base. The seventh object or the eighth object includes any one of the following: the type of user, the name of the service, or the name of the network area.
Fig. 16 is a schematic structural diagram of a network device 1600 according to an embodiment of the application. The network device 1600 is equipped with the processing means of the security policy described above. Network device 1600 is implemented by a general bus architecture.
The network device 1600 includes at least one processor 1601, a communication bus 1602, a memory 1603, and at least one communication interface 1604.
Optionally, the processor 1601 is a general purpose processor (central processing unit, CPU), network processor (network processor, NP), microprocessor, or one or more integrated circuits for implementing aspects of the present application, e.g., application-specific integrated circuits (ASIC), programmable logic devices (programmable logic device, PLD), or a combination thereof. The PLD is a complex programmable logic device (complex programmable logic device, CPLD), a field-programmable gate array (field-programmable gate array, FPGA), a general-purpose array logic (generic array logic, GAL), or any combination thereof.
A communication bus 1602 is used to communicate information between the components described above. The communication bus 1602 may be classified into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one bold line is shown in the figure, but this does not mean that there is only one bus or only one type of bus.
Optionally, memory 1603 is a read-only memory (ROM) or other type of static storage device that can store static information and instructions. Alternatively, memory 1603 is a random access memory (random access memory, RAM) or other type of dynamic storage device that can store information and instructions. Alternatively, memory 1603 is an electrically erasable programmable read-only Memory (EEPROM), a compact disk read-only Memory (CD-ROM) or other optical disk storage (including compact disk, laser disk, optical disk, digital versatile disk, blu-ray disk, etc.), magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to such. Optionally, the memory 1603 is separate and coupled to the processor 1601 by way of a communication bus 1602. Optionally, the memory 1603 and the processor 1601 are integrated.
The communication interface 1604 uses any transceiver-like device for communicating with other devices or communication networks. Communication interface 1604 includes a wired communication interface. Optionally, the communication interface 1604 further comprises a wireless communication interface. The wired communication interface is, for example, an ethernet interface. The ethernet interface is an optical interface, an electrical interface, or a combination thereof. The wireless communication interface is a wireless local area network (wireless local area networks, WLAN) interface, a cellular network communication interface, a combination thereof, or the like.
In a specific implementation, as one embodiment, processor 1601 includes one or more CPUs, such as CPU0 and CPU1 shown in fig. 16.
In a particular implementation, as one embodiment, network device 1600 includes multiple processors, such as processor 1601 and processor 1605 shown in fig. 16. Each of these processors is a single-core processor (single-CPU) or a multi-core processor (multi-CPU). A processor herein refers to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
In some embodiments, memory 1603 is used to store program code 1616 that performs aspects of the present application, and processor 1601 executes program code 1616 stored in memory 1603. That is, the network device 1600 implements the method embodiments described above through the processor 1601 and the program code 1616 in the memory 1603.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are referred to each other, and each embodiment is mainly described as a difference from other embodiments.
"A refers to B" means that A is the same as B, or that A is a simple variation of B.
The terms "first" and "second" and the like in the description and in the claims of embodiments of the present application are used for distinguishing between different objects and not necessarily for describing a particular sequential or chronological order of the objects, and should not be interpreted to indicate or imply relative importance. For example, a first speed limiting channel and a second speed limiting channel are used to distinguish between different speed limiting channels, rather than to describe a particular order of speed limiting channels, nor should the first speed limiting channel be understood to be more important than the second speed limiting channel.
In the examples herein, unless otherwise indicated, the meaning of "at least one" means one or more and the meaning of "a plurality" means two or more.
The above-described embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the procedures or functions described in accordance with embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (e.g., coaxial cable, fiber optic, digital subscriber line (Digital Subscriber Line, DSL)) or wireless means (e.g., infrared, radio, microwave, etc.). The computer readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), a semiconductor medium (e.g., a solid state disk (Solid State Disk, SSD)), or the like.
The above embodiments are only intended to illustrate the technical solution of the present application, and are not limiting thereof; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features can be replaced by equivalents, and that such modifications and substitutions do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present application.

Claims (33)

1. A method of processing a security policy, the method comprising:
acquiring a first security policy configured on first security equipment, wherein the first security policy indicates a first access behavior of a first address to a second address, and the first access behavior is permission or prohibition of access;
generating a first security intention according to the first security policy, wherein the first security intention indicates the first access behavior of a first object to a second object, and the first object or the second object comprises any one of the following: the type of user, the name of the service, or the name of the network area.
2. The method of claim 1, wherein the generating a first security intent according to the first security policy comprises:
determining the first object according to the first address;
and determining the second object according to the second address.
3. The method according to claim 2, wherein the method further comprises:
determining the first object according to the first address and an object information base;
determining the second object according to the second address and the object information base;
wherein the object information base includes each object of at least one object and address information of each object, the at least one object includes the first object and the second object, and each object is any one of the following: a type of user, a name of a service, or a name of a network area.
4. A method according to any of claims 1 to 3, wherein the first security intention is used to verify whether the first security policy matches a security policy deployment intention.
5. The method of claim 4, wherein the security policy deployment intent indicates a second access behavior of a third object to a fourth object, the method further comprising:
and when the third object and the first object both comprise a first sub-address, the fourth object and the second object both comprise a second sub-address, and the first access behavior and the second access behavior are the same, determining that the first security policy matches the security policy deployment intention.
6. A method according to any one of claims 1 to 3, wherein the first security intention is used to check whether a newly added security policy deployment intention conflicts with the first security intention.
7. The method of claim 6, wherein the added security policy deployment intent indicates a third access behavior of a fifth object to a sixth object, the method further comprising:
and when the first object and the fifth object both comprise a third sub-address, the second object and the sixth object both comprise a fourth sub-address, and the first access behavior and the third access behavior are different, determining that the newly added security policy deployment intention conflicts with the first security intention.
8. The method according to any one of claims 1 to 7, further comprising:
acquiring a second security policy configured on a second security device, wherein the second security policy indicates a fourth access behavior of the first address to the second address, the first security device is located on an access path of the first address to the second address, and the second security device is any other security device on the access path;
generating a second security intention according to the second security policy, wherein the second security intention indicates the fourth access behavior of the first object to the second object.
9. The method of claim 8, wherein the first security intent and the second security intent are used to verify whether the first security policy and the second security policy match the security policy deployment intent.
10. The method according to claim 9, wherein the method further comprises:
when the third object and the first object each include a first sub-address, the fourth object and the second object each include a second sub-address, and the first access behavior and the fourth access behavior are the same as the second access behavior, determining that the first security policy and the second security policy match the security policy deployment intent.
11. The method of claim 8, wherein the first security intent and the second security intent are used to check configuration redundancy.
12. The method of claim 11, wherein the method further comprises:
when the first security intent and the second security intent both indicate that the first object is prohibited from accessing the second object, it is determined that a configuration redundancy exists.
13. The method according to any one of claims 1 to 12, further comprising:
displaying the first security policy and the first security intent.
14. The method of claim 13, wherein the method further comprises:
displaying one or more of the following: a first check result, a second check result, a third check result, or a fourth check result;
the first verification result indicates whether the first security policy matches a security policy deployment intention, the second verification result indicates whether a newly added security policy deployment intention conflicts with the first security intention, the third verification result indicates whether the first security policy and the second security policy match the security policy deployment intention, and the fourth verification result indicates whether configuration redundancy exists.
15. The method according to any one of claims 1 to 14, further comprising:
obtaining a third security policy from a third security device, wherein the third security policy indicates that a fifth access behavior of a third address to a fourth address is allowed or prohibited;
obtaining a seventh object corresponding to the third address and an eighth object corresponding to the fourth address, wherein the seventh object or the eighth object includes any one of the following: a type of user, a name of a service, or a name of a network area; and
adding, to the object information base, the correspondence between the seventh object and the third address and the correspondence between the eighth object and the fourth address, to obtain a new object information base.
16. A security policy processing apparatus, the apparatus comprising:
an obtaining module, configured to obtain a first security policy configured on a first security device, wherein the first security policy indicates a first access behavior of a first address to a second address, and the first access behavior is access permitted or access prohibited; and
a generating module, configured to generate a first security intention according to the first security policy, wherein the first security intention indicates the first access behavior of a first object to a second object, and the first object or the second object includes any one of the following: a type of user, a name of a service, or a name of a network area.
17. The apparatus according to claim 16, further comprising a determining module, wherein:
the determining module is configured to determine the first object according to the first address; and
the determining module is further configured to determine the second object according to the second address.
18. The apparatus according to claim 17, wherein:
the determining module is configured to determine the first object according to the first address and an object information base;
the determining module is further configured to determine the second object according to the second address and the object information base; and
the object information base includes at least one object and address information of each of the at least one object, the at least one object includes the first object and the second object, and each object is any one of the following: a type of user, a name of a service, or a name of a network area.
19. The apparatus according to any one of claims 16 to 18, wherein the first security intention is used to check whether the first security policy matches a security policy deployment intention.
20. The apparatus according to claim 19, wherein the security policy deployment intention indicates a second access behavior of a third object to a fourth object; and
the determining module is further configured to determine that the first security policy matches the security policy deployment intention when the third object and the first object each include a first sub-address, the fourth object and the second object each include a second sub-address, and the first access behavior and the second access behavior are the same.
21. The apparatus according to any one of claims 16 to 18, wherein the first security intention is used to check whether a newly added security policy deployment intention conflicts with the first security intention.
22. The apparatus according to claim 21, wherein the newly added security policy deployment intention indicates a third access behavior of a fifth object to a sixth object; and
the determining module is further configured to determine that the newly added security policy deployment intention conflicts with the first security intention when the first object and the fifth object each include a third sub-address, the second object and the sixth object each include a fourth sub-address, and the first access behavior and the third access behavior are different.
23. The apparatus according to any one of claims 16 to 22, wherein:
the obtaining module is further configured to obtain a second security policy configured on a second security device, wherein the second security policy indicates a fourth access behavior of the first address to the second address, the first security device is located on an access path from the first address to the second address, and the second security device is any other security device on the access path; and
the generating module is further configured to generate a second security intention according to the second security policy, wherein the second security intention indicates the fourth access behavior of the first object to the second object.
24. The apparatus according to claim 23, wherein the first security intention and the second security intention are used to check whether the first security policy and the second security policy match the security policy deployment intention.
25. The apparatus according to claim 24, wherein:
the determining module is further configured to determine that the first security policy and the second security policy match the security policy deployment intention when the third object and the first object each include a first sub-address, the fourth object and the second object each include a second sub-address, and the first access behavior and the fourth access behavior are both the same as the second access behavior.
26. The apparatus according to claim 23, wherein the first security intention and the second security intention are used to check for configuration redundancy.
27. The apparatus according to claim 26, wherein:
the determining module is further configured to determine that configuration redundancy exists when the first security intention and the second security intention both indicate that the first object is prohibited from accessing the second object.
28. The apparatus according to any one of claims 16 to 27, further comprising:
a display module, configured to display the first security policy and the first security intention.
29. The apparatus according to claim 28, wherein:
the display module is further configured to display one or more of the following: a first check result, a second check result, a third check result, or a fourth check result;
wherein the first check result indicates whether the first security policy matches a security policy deployment intention, the second check result indicates whether a newly added security policy deployment intention conflicts with the first security intention, the third check result indicates whether the first security policy and the second security policy match the security policy deployment intention, and the fourth check result indicates whether configuration redundancy exists.
30. The apparatus according to any one of claims 16 to 29, wherein:
the obtaining module is further configured to obtain a third security policy from a third security device, wherein the third security policy indicates that a fifth access behavior of a third address to a fourth address is allowed or prohibited;
the obtaining module is further configured to obtain a seventh object corresponding to the third address and an eighth object corresponding to the fourth address, wherein the seventh object or the eighth object includes any one of the following: a type of user, a name of a service, or a name of a network area; and
the correspondence between the seventh object and the third address and the correspondence between the eighth object and the fourth address are added to the object information base to obtain a new object information base.
31. A communication device comprising a processor and a memory, wherein the memory is configured to store program code, and the processor is configured to invoke the program code in the memory to cause the communication device to perform the method according to any one of claims 1 to 15.
32. A computer readable storage medium storing instructions which, when run on a computer, cause the computer to perform the method of any one of claims 1-15.
33. A computer program product comprising program code which, when run on a computer, causes the computer to perform the method of any of claims 1-15.
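The claims above describe a pipeline: look the two addresses of a device rule up in an object information base, restate the rule as a security intention on objects (user type, service name, network area), and then compare intentions to a deployment intention (claim 5), to a newly added deployment intention (claim 7), across every device on an access path (claim 10), and against each other for redundancy (claim 12), with new object/address correspondences added to the base as needed (claim 15). The following Python is an added worked example of that pipeline; it is not code from the patent or from Huawei. Representing addresses as CIDR blocks, treating "each include a common sub-address" as any overlap between two objects' address blocks, and all object, device and address values in the sample data are assumptions made for the example.

```python
"""Added example (not the patent's own code): a minimal model of the claimed
policy-to-intention translation and the checks of claims 5, 7, 10, 12 and 15."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Set

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Policy:
    """A rule configured on a security device (hypothetical representation)."""
    device: str   # security device the rule is configured on
    src: str      # first address, as a CIDR string (assumption)
    dst: str      # second address, as a CIDR string (assumption)
    action: str   # ALLOW (access permitted) or DENY (access prohibited)


@dataclass(frozen=True)
class Intent:
    """A security intention: the same behaviour restated on objects."""
    src_obj: str  # type of user, name of a service or name of a network area
    dst_obj: str
    action: str


class ObjectInfoBase:
    """Object information base: object name -> set of address blocks."""

    def __init__(self, entries: Dict[str, List[str]]) -> None:
        self.entries: Dict[str, Set] = {
            name: {ip_network(a) for a in addrs} for name, addrs in entries.items()}

    def add(self, obj: str, addr: str) -> None:
        """Claim 15: record a new object/address correspondence."""
        self.entries.setdefault(obj, set()).add(ip_network(addr))

    def objects_for(self, addr: str) -> List[str]:
        """Objects that include the address (assumption: any overlap counts)."""
        net = ip_network(addr)
        return sorted(o for o, nets in self.entries.items()
                      if any(net.overlaps(n) for n in nets))

    def share_subaddress(self, a: str, b: str) -> bool:
        """True when objects a and b both include some common sub-address."""
        return any(x.overlaps(y) for x in self.entries.get(a, ())
                   for y in self.entries.get(b, ()))


def policy_to_intents(policy: Policy, base: ObjectInfoBase) -> List[Intent]:
    """Claims 1-3: look both addresses up and restate the behaviour on objects."""
    return [Intent(s, d, policy.action) for s in base.objects_for(policy.src)
            for d in base.objects_for(policy.dst)]


def matches_deployment(intent: Intent, deploy: Intent, base: ObjectInfoBase) -> bool:
    """Claim 5: objects overlap on both ends and the behaviour is the same."""
    return (base.share_subaddress(intent.src_obj, deploy.src_obj)
            and base.share_subaddress(intent.dst_obj, deploy.dst_obj)
            and intent.action == deploy.action)


def conflicts_with(intent: Intent, new_deploy: Intent, base: ObjectInfoBase) -> bool:
    """Claim 7: objects overlap on both ends but the behaviour differs."""
    return (base.share_subaddress(intent.src_obj, new_deploy.src_obj)
            and base.share_subaddress(intent.dst_obj, new_deploy.dst_obj)
            and intent.action != new_deploy.action)


def path_matches(on_path: List[Intent], deploy: Intent, base: ObjectInfoBase) -> bool:
    """Claim 10: every device on the access path must restate the deployment intention."""
    return bool(on_path) and all(matches_deployment(i, deploy, base) for i in on_path)


def is_redundant(first: Intent, second: Intent) -> bool:
    """Claim 12: two devices on one path both prohibit the same object pair."""
    return (first.src_obj == second.src_obj and first.dst_obj == second.dst_obj
            and first.action == DENY and second.action == DENY)


# Constructed sample data (not from the patent).
BASE = ObjectInfoBase({
    "employee": ["10.1.0.0/16"],          # type of user
    "guest": ["10.2.0.0/16"],             # type of user
    "erp-service": ["192.168.10.0/24"],   # name of a service
    "dmz-zone": ["172.16.0.0/16"],        # name of a network area
})
# Two security devices on the employee -> ERP access path (claim 8).
FW1_ALLOW = Policy("fw1", "10.1.0.0/24", "192.168.10.0/24", ALLOW)
FW2_ALLOW = Policy("fw2", "10.1.0.0/24", "192.168.10.0/24", ALLOW)
# Two devices on the guest -> DMZ path that both deny the same traffic.
FW1_DENY = Policy("fw1", "10.2.0.0/24", "172.16.1.0/24", DENY)
FW2_DENY = Policy("fw2", "10.2.0.0/24", "172.16.1.0/24", DENY)
DEPLOY = Intent("employee", "erp-service", ALLOW)     # existing deployment intention
NEW_DEPLOY = Intent("employee", "erp-service", DENY)  # newly added, contradicting one


def run_checks() -> Dict[str, bool]:
    """The check results of claim 14, computed on the constructed data."""
    i1 = policy_to_intents(FW1_ALLOW, BASE)[0]
    i2 = policy_to_intents(FW2_ALLOW, BASE)[0]
    d1 = policy_to_intents(FW1_DENY, BASE)[0]
    d2 = policy_to_intents(FW2_DENY, BASE)[0]
    return {
        "first_policy_matches_deployment": matches_deployment(i1, DEPLOY, BASE),
        "new_deployment_conflicts": conflicts_with(i1, NEW_DEPLOY, BASE),
        "path_matches_deployment": path_matches([i1, i2], DEPLOY, BASE),
        "allow_pair_redundant": is_redundant(i1, i2),
        "deny_pair_redundant": is_redundant(d1, d2),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The redundancy check is deliberately narrow, following claim 12: it only reports two devices that both prohibit the same object pair, so two permit rules on one path are not flagged. A deployment intention whose objects do not overlap the rule's objects on both ends is neither a match nor a conflict, which is what keeps an unrelated rule from being reported against a newly added intention.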
CN202210752166.3A 2022-06-29 2022-06-29 Processing method of security policy and related device Pending CN117353958A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210752166.3A CN117353958A (en) 2022-06-29 2022-06-29 Processing method of security policy and related device
PCT/CN2023/102352 WO2024001998A1 (en) 2022-06-29 2023-06-26 Security policy processing method and related apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210752166.3A CN117353958A (en) 2022-06-29 2022-06-29 Processing method of security policy and related device

Publications (1)

Publication Number Publication Date
CN117353958A true CN117353958A (en) 2024-01-05

Family

ID=89354486

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210752166.3A Pending CN117353958A (en) 2022-06-29 2022-06-29 Processing method of security policy and related device

Country Status (2)

Country Link
CN (1) CN117353958A (en)
WO (1) WO2024001998A1 (en)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1863193B (en) * 2005-05-10 2010-10-13 联想网御科技(北京)有限公司 Method for implementing safety tactics of network safety apparatus
CN101364877B (en) * 2008-09-28 2010-10-27 福建星网锐捷网络有限公司 Security policy configuring method and apparatus thereof
US10944793B2 (en) * 2017-06-29 2021-03-09 Juniper Networks, Inc. Rules-based network security policy modification
US11606301B2 (en) * 2019-04-23 2023-03-14 Hewlett Packard Enterprise Development Lp Verifying intents in stateful networks using atomic address objects
CN114640590B (en) * 2022-01-26 2023-02-10 北京邮电大学 Method for detecting conflict of policy set in intention network and related equipment

Also Published As

Publication number Publication date
WO2024001998A1 (en) 2024-01-04

Similar Documents

Publication Publication Date Title
US20230421590A1 (en) Rule-Based Network-Threat Detection
US10504025B2 (en) Parallel processing of data by multiple semantic reasoning engines
CN110521170B (en) Static network policy analysis of a network
US9531757B2 (en) Management of security policies across multiple security products
US10051007B2 (en) Network traffic control device, and security policy configuration method and apparatus thereof
JP2018088686A (en) Automated generation of label-based access control rule
EP3788755B1 (en) Accessing cloud resources using private network addresses
EP3493472B1 (en) Network function (nf) management method and nf management device
US20150052575A1 (en) Steering Traffic Among Multiple Network Services Using a Centralized Dispatcher
US9521167B2 (en) Generalized security policy user interface
Zhang et al. A survey of computational offloading in mobile cloud computing
CN110785963A (en) Collecting network model and node information from a network
US11552953B1 (en) Identity-based authentication and access control mechanism
CN110741602A (en) Event generation in response to network intent form peering failure
CN113056895B (en) Systems and methods for migrating existing access control list policies to intent-based policies and vice versa
CN108667776B (en) Network service diagnosis method
CN110800259B (en) Distributed fault code aggregation across application-centric dimensions
CN105939267A (en) Out-of-band management method and device
US11665241B1 (en) Systems and methods for dynamic federated API generation
CN105791073A (en) Service deployment method and device in virtual network
KR20220018041A (en) Intent-Based Application Fabric
CN105683943B (en) Use the distributed network security of the Policy model of logic-based multidimensional label
CN110995489B (en) Large data platform server management method, device, server and storage medium
CN117353958A (en) Processing method of security policy and related device
US20230319115A1 (en) Systems and methods for validating, maintaining, and visualizing security policies

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication