CN117879870A - IP-free firewall management and control method and device, electronic equipment and storage medium - Google Patents

Info

Publication number: CN117879870A
Application number: CN202311670004.6A
Authority: CN (China)
Prior art keywords: strategy, management center, firewall, free, mode
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 邓越, 陈光明, 杨辰钟, 麦思文
Current assignee: Saian Technology Guangdong Co ltd
Original assignee: Saian Technology Guangdong Co ltd

Abstract

The embodiment of the application provides an IP-free firewall management and control method, an IP-free firewall management and control device, electronic equipment and a storage medium, and belongs to the technical field of network security. The method comprises the following steps: when a plurality of IP-free firewalls communicate with a management center, the management center limits the flow in a queue or polling mode; a strategy synchronization mode is acquired; if the strategy synchronization mode is an uploading and issuing mode, a pre-stored strategy is acquired through the IP-free firewall, a current unique identification code is generated according to the strategy and sent to the management center, the management center acquires strategy data from a database, and if the unique identification code of the strategy data differs from the current unique identification code, the management center sends the strategy data to the IP-free firewall, which applies it. The method and the device keep strategy information consistent, prevent overload of the system and improve the stability and reliability of the system.

Description

IP-free firewall management and control method and device, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method and apparatus for controlling an IP-free firewall, an electronic device, and a storage medium.
Background
At present, when a large number of IP-free firewalls communicate simultaneously with a management center during management and control, the system can become overloaded by too many communication requests, and in particular the bandwidth occupied on the field network has to be considered. The strategy configuration of IP-free firewalls is generally complicated and requires professional IT personnel to complete, while the configuration and management of IP-free firewalls also have to be adjusted frequently. Because the field network and environment are complex, not all IP-free firewalls can communicate in every time period, and the center itself may experience equipment going offline, network jitter, faults and the like, so the policy information in an IP-free firewall easily becomes inconsistent with the policy information in the management center.
Therefore, the above technical problems are to be solved in industry.
Disclosure of Invention
The main purpose of the embodiments of the present application is to provide a method, an apparatus, an electronic device, and a storage medium for controlling an IP-free firewall, so as to overcome the defects in the prior art.
The embodiment of the application discloses the following technical scheme:
in one aspect, an embodiment of the present application provides a method for controlling an IP-free firewall, where the method includes:
Acquiring a strategy synchronization mode, wherein the strategy synchronization mode comprises an uploading and issuing mode;
if the strategy synchronization mode is the uploading and issuing mode, acquiring a pre-stored strategy through an IP-free firewall, generating a current unique identification code according to the strategy, sending the current unique identification code to a management center, acquiring strategy data in a database through the management center, and if the unique identification code of the strategy data is different from the current unique identification code, sending the strategy data to the IP-free firewall through the management center, and applying the strategy data through the IP-free firewall;
when a plurality of IP-free firewalls are communicated with the management center, the management center adopts a queue or polling mode to limit the flow.
In some embodiments, the policy synchronization mode further includes a downlink mode and an uplink mode, and the method further includes:
if the strategy synchronization mode is the uplink mode, acquiring a pre-stored strategy through the IP-free firewall, generating a current unique identification code according to the strategy, sending the current unique identification code to the management center, acquiring strategy data of a database through the management center, and if the unique identification code of the strategy data is different from the current unique identification code, updating the strategy data of the database of the management center according to the current unique identification code, returning confirmation information through the management center, receiving the confirmation information through the IP-free firewall, wherein the confirmation information is used for confirming that the data is correctly received;
If the policy synchronization mode is the downlink mode, policy data in a database is acquired through the management center, the policy data is sent to the IP-free firewall, the policy data is applied through the IP-free firewall, confirmation information is returned, and the confirmation information is received through the management center.
In some embodiments, the limiting of the flow by the management center in a queue manner includes:
if the strategy synchronization mode is the uplink mode, receiving a request through the management center, and adding the request to an uplink queue; dynamically adjusting the length of the uplink queue by monitoring load conditions, wherein the load conditions comprise request quantity, response time, CPU utilization rate, memory utilization rate, hard disk utilization rate and CPU temperature;
if the strategy synchronization mode is the downlink mode, creating a request through the management center, and adding the request to a downlink queue; and dynamically adjusting the length of the downlink queue by monitoring the load condition.
In some embodiments, the limiting of the flow by the management center in a queue or polling mode includes:
if the strategy synchronization mode is the uplink mode or the uploading and issuing mode, and the management center goes offline, adding a request into an IP-free firewall uploading queue through the IP-free firewall, optimizing the IP-free firewall uploading queue by polling every preset time, and continuing to operate through the IP-free firewall according to the stored last communicable configuration until the management center goes online, and then uploading the requests in the IP-free firewall uploading queue;
if the strategy synchronization mode is the downlink mode and the IP-free firewall is offline, adding the request into a downlink queue through the management center, and optimizing the downlink queue by polling every preset time until the IP-free firewall goes online, and then issuing the requests in the downlink queue.
In some embodiments, the limiting of the flow by the management center in a queue manner further includes:
predicting whether the request will time out before the request is submitted from the uplink queue or the downlink queue;
if the predicted result is that the request will time out, the request is abandoned.
In some embodiments, the management center includes a center status page including a center running status area, a terminal status page including a terminal running status area, and a history policy page including a policy list area, a list template area, and a blacklist area, the method further comprising:
responding to a first instruction, and displaying the CPU utilization rate, the memory utilization rate, the hard disk utilization rate and the CPU temperature of the management center through the center running state area;
Responding to a second instruction, and displaying the CPU utilization rate, the memory utilization rate, the effective strategy number and the current strategy interception of the IP-free firewall through the terminal running state area;
responding to a third instruction, and displaying a history strategy of the IP-free firewall in the strategy list area, wherein the history strategy comprises a strategy size, a creation user and creation time;
and responding to a fourth instruction, displaying a list name, a list IP address and a list starting condition of the current history strategy in the list template area, and displaying a blacklist name, a list name, an asset access condition and a blacklist starting condition in the blacklist area.
In some embodiments, the method further comprises:
establishing connection with a management center through an IP-free firewall by using the IP of the protected equipment;
generating and processing log data through the IP-free firewall, and sending the log data to the management center.
In another aspect, an embodiment of the present application provides a distributed management and control apparatus, where the apparatus includes:
the strategy synchronization module is used for acquiring a strategy synchronization mode, wherein the strategy synchronization mode comprises an uploading and issuing mode;
the uploading and issuing module is used for acquiring a pre-stored strategy through an IP-free firewall and generating a current unique identification code according to the strategy if the strategy synchronization mode is an uploading and issuing mode, sending the current unique identification code to the management center, acquiring strategy data in a database through the management center, and sending the strategy data to the IP-free firewall through the management center and applying the strategy data through the IP-free firewall if the unique identification code of the strategy data is different from the current unique identification code;
and the flow limiting module is used for limiting the flow through the management center in a queue or polling mode when a plurality of IP-free firewalls communicate with the management center.
On the other hand, the embodiment of the application provides electronic equipment, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the IP-free firewall management and control method when executing the computer program.
In another aspect, embodiments of the present application provide a computer readable storage medium storing a computer program that when executed by a processor implements the IP-free firewall management and control method described above.
According to the IP-free firewall management and control method and device, the electronic equipment and the storage medium, when a plurality of IP-free firewalls communicate with the management center, the management center limits the flow in a queue or polling mode, so that resources are used reasonably and stably; a strategy synchronization mode is acquired; if the strategy synchronization mode is the uploading and issuing mode, a pre-stored strategy is obtained through the IP-free firewall, a current unique identification code is generated from the strategy and sent to the management center, the management center obtains the strategy data from the database, and if the unique identification code of the strategy data differs from the current unique identification code, the management center sends the strategy data to the IP-free firewall, which applies it, so that strategy data is applied automatically and the efficiency and accuracy of network security management are improved. The method and the device keep strategy information consistent, prevent overload of the system and improve the stability and reliability of the system.
Drawings
Fig. 1 is a flowchart of a method for controlling an IP-free firewall according to an embodiment of the present application;
Fig. 2 is a further flowchart of a method for controlling an IP-free firewall according to an embodiment of the present application;
Fig. 3 is a further flowchart of a method for controlling an IP-free firewall according to an embodiment of the present application;
Fig. 4 is a flowchart of step S103 in Fig. 1;
Fig. 5 is a flowchart of step S103 in Fig. 1;
Fig. 6 is a schematic application scenario diagram of an IP-free firewall management and control method according to an embodiment of the present application;
Fig. 7 is a schematic diagram of a policy synchronization mode provided in an embodiment of the present application;
Fig. 8 is a schematic diagram of a central status page provided by an embodiment of the present application;
Fig. 9 is a schematic diagram of a terminal status page provided in an embodiment of the present application;
Fig. 10 is a schematic diagram of another terminal status page provided in an embodiment of the present application;
Fig. 11 is a schematic diagram of a history policy page provided by an embodiment of the present application;
Fig. 12 is a schematic structural diagram of an IP-free firewall control device according to an embodiment of the present disclosure;
Fig. 13 is a schematic hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
It should be noted that although functional block division is performed in a device diagram and a logic sequence is shown in a flowchart, in some cases, the steps shown or described may be performed in a different order than the block division in the device, or in the flowchart. The terms first, second and the like in the description and in the claims and in the above-described figures, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the present application only and is not intended to be limiting of the present application.
First, several nouns referred to in this application are parsed:
CPU utilization: refers to the ratio between the workload of a computer central processing unit and its available processing capacity, representing the situation of the machine running a program at a certain point in time.
Memory utilization: refers to the proportion of physical memory currently being used by the system to the total available memory. It is one of the indexes for measuring the utilization of the system memory resources.
Hard disk utilization rate: refers to the degree to which the hard disk space stored in a computer system is occupied. It is an important parameter that measures the extent of capacity utilization of a file system.
Strategy (policy): a strategy by which the equipment controls how flows are forwarded and performs integrated content security detection on them. The policy verifies that a data flow passing through the firewall is valid, and only data flows conforming to the security policy are allowed through the firewall.
At present, when a large number of IP-free firewalls communicate simultaneously with a management center during management and control, the system can become overloaded by too many communication requests, and in particular the bandwidth occupied on the field network has to be considered. The strategy configuration of IP-free firewalls is generally complicated and requires professional IT personnel to complete, while the configuration and management of IP-free firewalls also have to be adjusted frequently. Because the field network and environment are complex, not all IP-free firewalls can communicate in every time period, and the center itself may experience equipment going offline, network jitter, faults and the like, so the policy information in an IP-free firewall easily becomes inconsistent with the policy information in the management center.
Therefore, the above technical problems are to be solved in industry.
Based on this, the embodiment of the application provides a method, a device, an electronic device and a storage medium for managing and controlling an IP-free firewall, which aim to keep consistency of policy information, prevent overload of a system and improve stability and reliability of the system.
The method, the device, the electronic equipment and the storage medium for controlling the firewall without the IP are specifically described through the following embodiments, and the method for controlling the firewall without the IP in the embodiment of the application is described first.
The embodiment of the application provides a method for controlling an IP-free firewall, which relates to the technical field of equipment control. The IP-free firewall management and control method provided by the embodiment of the application can be applied to a terminal, a server and software running in the terminal or the server. In some embodiments, the terminal may be a smart phone, tablet, notebook, desktop, etc.; the server side can be configured as an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, and basic cloud computing services such as big data and artificial intelligence platforms; the software may be an application or the like implementing the IP-free firewall management and control method, but is not limited to the above form.
The subject application is operational with numerous general purpose or special purpose computer system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like. The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
It should be noted that, in each specific embodiment of the present application, when related processing is required according to user information, user behavior data, user history data, user location information, and other data related to user identity or characteristics, permission or consent of the user is obtained first, and the collection, use, processing, and the like of these data comply with related laws and regulations and standards. In addition, when the embodiment of the application needs to acquire the sensitive personal information of the user, the independent permission or independent consent of the user is acquired through a popup window or a jump to a confirmation page or the like, and after the independent permission or independent consent of the user is explicitly acquired, necessary user related data for enabling the embodiment of the application to normally operate is acquired.
Fig. 1 is an optional flowchart of an IP-free firewall management and control method according to an embodiment of the present application, where the method in Fig. 1 may include, but is not limited to, steps S101 to S103.
Step S101, a strategy synchronization mode is obtained;
Specifically, the policy synchronization mode includes an uploading and issuing mode, a downlink mode and an uplink mode.
In some embodiments, the policy synchronization mode is configured by a policy synchronization configuration page of the management center.
In some embodiments, the policy synchronization mode is stored in a database of the management center.
In step S101, the policy synchronization mode may be obtained from the database of the management center.
In some embodiments, the policy synchronization mode may be obtained through the IP-free firewall.
In step S101, the policy synchronization mode may be obtained from a database of the IP-free firewall.
It can be understood that the control range of the policy synchronization mode is not specifically limited, and can be flexibly selected in combination with actual control requirements. Illustratively, the policy synchronization mode may govern all online IP-free firewalls, or only some of the online IP-free firewalls.
It is understood that different IP-free firewalls may employ different policy synchronization modes. Illustratively, the IP-free firewall at a school adopts the downlink mode and the IP-free firewall at a hospital adopts the uploading and issuing mode.
In some embodiments, different policy synchronization modes may be configured for different IP-free firewalls through a policy synchronization configuration page of the management center.
In this embodiment, a policy synchronization mode is acquired, and preparation is made for subsequent policy synchronization and current limiting.
Step S102, if the strategy synchronization mode is the uploading and issuing mode, acquiring a pre-stored strategy through the IP-free firewall, generating a current unique identification code according to the strategy, sending the current unique identification code to the management center, acquiring strategy data in a database through the management center, and if the unique identification code of the strategy data is different from the current unique identification code, sending the strategy data to the IP-free firewall through the management center, and applying the strategy data through the IP-free firewall;
Specifically, the unique identification code uniquely identifies the policy of the IP-free firewall.
In some embodiments, the generation of the unique identification code is not specifically limited and can be flexibly selected in combination with actual control requirements. The unique identifier may be generated by matching a predetermined (policy, unique identifier) table, or by a predetermined generation algorithm.
It can be understood that the policy storage is not specifically limited in the present application, and can be flexibly selected in combination with actual control requirements. The policies may be stored in a database or in a local file system, for example.
In some embodiments, the unique identification code may be generated from the policy data, or may be obtained together with the policy data when the management center reads the policy data from the database.
Optionally, the present application also compares the current unique identification code of the IP-free firewall with the unique identification code held by the management center.
In some embodiments, if the current unique identification code of the IP-free firewall is the same as the unique identification code of the management center, the policy data of the IP-free firewall is the same as the policy data of the management center, and no policy synchronization is required.
In some embodiments, if the current unique identification code of the IP-free firewall is different from the unique identification code of the management center, the policy data is sent to the IP-free firewall by the management center and applied by the IP-free firewall.
It can be understood that the policy data is not specifically limited and can be flexibly selected in combination with actual control requirements. Illustratively, the policy data sent may be only a unique identification code, or may be the complete policy data.
Optionally, the unique identifier is sent to the IP-free firewall by the management center, and the IP-free firewall obtains and applies the policy data by matching the unique identifier against the (policy, unique identifier) table.
In this embodiment, if the policy synchronization mode is the uploading and issuing mode, a pre-stored policy is obtained through the IP-free firewall, a current unique identification code is generated from the policy and sent to the management center, the management center obtains the policy data from the database, and if the unique identification code of the policy data differs from the current unique identification code, the management center sends the policy data to the IP-free firewall, which applies it. In this way the IP-free firewall always applies the latest policy data, the policy data is updated synchronously, threats and attacks can be responded to in time with corresponding protective measures, network security is improved, the workload of manual configuration and management is reduced, deployment and maintenance of policies are simplified, management efficiency is improved, and the expandability and flexibility of the system are improved.
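A worked implementation of the three synchronization modes (uploading-and-issuing as in step S102, plus the uplink and downlink variants from the Disclosure), added here as an example and not part of the patent's own text. The unique identification code is realised as a SHA-256 fingerprint over a canonicalised policy; the class names, policy layout and confirmation format are assumptions.

```python
import hashlib
import json
from typing import Any, Optional

# Added example, not the patent's own code. Models one management center
# holding a policy database and IP-free firewalls that each store a policy.


def policy_fingerprint(policy: dict[str, Any]) -> str:
    """Unique identification code for a policy. The policy is serialised
    canonically (sorted keys, fixed separators) before hashing, so two
    semantically identical policies always yield the same code; without
    canonicalisation, key order alone would trigger needless resyncs."""
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class IpFreeFirewall:
    """A firewall that holds a pre-stored policy locally (assumed layout)."""

    def __init__(self, device_id: str, policy: dict[str, Any]) -> None:
        self.device_id = device_id
        self.policy = policy
        self.apply_count = 0  # how many times policy data was applied

    def current_uid(self) -> str:
        return policy_fingerprint(self.policy)

    def apply(self, policy_data: dict[str, Any]) -> str:
        """Apply issued policy data; the confirmation is the new code."""
        self.policy = policy_data
        self.apply_count += 1
        return self.current_uid()


class ManagementCenter:
    """Holds the policy database keyed by firewall device id (assumed)."""

    def __init__(self) -> None:
        self.db: dict[str, dict[str, Any]] = {}

    def db_uid(self, device_id: str) -> Optional[str]:
        policy = self.db.get(device_id)
        return None if policy is None else policy_fingerprint(policy)

    def sync_upload_issue(self, fw: IpFreeFirewall) -> bool:
        """Uploading-and-issuing mode: the firewall uploads only its code;
        the center issues full policy data only when the codes differ.
        Returns True when policy data was issued and confirmed applied."""
        stored = self.db.get(fw.device_id)
        if stored is None or policy_fingerprint(stored) == fw.current_uid():
            return False  # nothing to issue, or already consistent
        confirmed = fw.apply(dict(stored))
        # The confirmation must carry the code the center expects;
        # otherwise the firewall is still out of sync.
        return confirmed == policy_fingerprint(stored)

    def sync_uplink(self, fw: IpFreeFirewall) -> dict[str, str]:
        """Uplink mode: the firewall's policy is authoritative; the center
        updates its database when the codes differ and returns confirmation."""
        if self.db_uid(fw.device_id) != fw.current_uid():
            self.db[fw.device_id] = dict(fw.policy)
        return {"status": "ok", "uid": fw.current_uid()}

    def sync_downlink(self, fw: IpFreeFirewall) -> dict[str, str]:
        """Downlink mode: the center pushes its policy data; the firewall
        applies it and returns confirmation."""
        confirmed = fw.apply(dict(self.db[fw.device_id]))
        return {"status": "ok", "uid": confirmed}
```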
Step S103, when a plurality of IP-free firewalls communicate with the management center, the management center adopts a queue or polling mode to limit the flow.
In some embodiments, if an IP-free firewall sends too many requests in a short time, it is determined to be an abnormal request and corresponding processing actions are taken, such as rejecting or delaying processing the requests.
In some embodiments, deduplication is performed using a request ID or unique identifier, each request being assigned a unique request ID or identifier, and the management center first checks whether the request ID already exists when a new request is received. If there is a duplicate request ID, then the indication is a duplicate request and results that have been previously processed can be ignored or returned directly.
In some embodiments, the characteristics of the request are analyzed and judged according to predefined rules and algorithms to identify abnormal requests. For example, illegal parameters, abnormal access behavior, abnormal data traffic, etc. in the request may be detected and corresponding measures taken to intercept.
In some embodiments, when the requests from an IP-free firewall exceed a set limit, the requests may be queued for delayed processing.
In some embodiments, when the plurality of IP-free firewalls communicate with the management center, if the policy synchronization mode is the uplink mode, the request is received by the management center and added to the uplink queue, and the length of the uplink queue is dynamically adjusted by monitoring the load condition. The load condition comprises the request quantity, response time, CPU utilization, memory utilization, hard disk utilization and CPU temperature.
In some embodiments, the uplink queue may be located at the IP-free firewall end or at the management center end.
Optionally, after the queue length is adjusted, requests may be fetched from the uplink queue according to a certain policy (e.g., polling, random, etc.) and then submitted.
Further, when the request is submitted, the management center synchronously updates its own policy data to the policy data of the IP-free firewall.
If the policy synchronization mode is the uplink mode and the management center is offline, the IP-free firewall adds the request into the IP-free firewall uploading queue, optimizes the uploading queue by polling every preset time, and continues to operate according to the stored last communicable configuration until the management center is online, and then uploads the requests in the IP-free firewall uploading queue.
In some embodiments, the preset time is not limited specifically, and may be flexibly selected in combination with actual control requirements. The preset time may be set by a user, or may be automatically calculated by the system.
The preset time may be estimated according to factors such as system load, network bandwidth, and size of an upload queue. A shorter preset time may provide faster request processing speed, but may increase system load and network pressure, while a longer preset time may reduce system load, but may cause delays.
In some embodiments, when the plurality of IP-free firewalls communicate with the management center, if the policy synchronization mode is the downlink mode, the management center creates a request and adds it to the downlink queue, and the length of the downlink queue is dynamically adjusted by monitoring the load condition.
In some embodiments, the downlink queue may be located at the IP-free firewall end or at the management center end.
Optionally, after the queue length is adjusted, requests may be fetched from the downlink queue according to a certain policy (e.g., polling, random, etc.) and then submitted.
Further, when the request is submitted, the IP-free firewall synchronously updates its own policy data to the policy data of the management center.
If the policy synchronization mode is the downlink mode and the IP-free firewall is offline, the management center adds the request into the downlink queue and optimizes the downlink queue by polling every preset time until the IP-free firewall is online, and then issues the requests in the downlink queue.
In some embodiments, before a request is submitted from either the uplink queue or the downlink queue, a prediction is made as to whether the request will time out.
It will be appreciated that submission from the uplink queue means uploading the requests in the uplink queue, and submission from the downlink queue means issuing the requests in the downlink queue.
It should be noted that, the prediction mode is not specifically limited in the present application, and the prediction mode can be flexibly selected in combination with the actual control requirement. For example, statistical analysis based on historical data may be used for prediction, machine learning models may be used for prediction, and real-time monitoring and feedback mechanisms may be used for prediction.
The statistical analysis based on the historical data can calculate indexes such as average response time, longest response time and the like according to the previous request record and response time. Then, according to the current request characteristics (such as the type of the request, parameters, target resources and the like), the response time of the current request is presumed according to the statistical analysis result of the historical data, and compared with a set timeout threshold value to determine whether timeout is possible.
The machine learning model is adopted for prediction, and a machine learning algorithm can be used for training various characteristics and context information of the request to construct a prediction model. The predictive model may be trained based on existing data sets, learn relationships between different request characteristics and timeout conditions, and predict whether a current request is likely to timeout based on the characteristics of the current request.
For example, a real-time monitoring system may be provided to detect factors such as load conditions, network delays, etc. of the current system and other factors that may cause a request timeout before the request is submitted to the queue using a real-time monitoring and feedback mechanism for prediction. Based on these monitoring metrics, the prediction results may be adjusted in real time or warnings provided to assist in deciding whether to submit the request.
Further, if the predicted result is that the request will timeout, the request is discarded.
In this embodiment, when a plurality of IP-free firewalls communicate with the management center, the management center uses a queue or polling method to limit the flow, balance the load of the management center, avoid excessive requests of some IP-free firewalls or excessive resources of the management center being occupied, so that other IP-free firewalls cannot communicate or respond in time, avoid system breakdown or performance degradation caused by excessive requests being sent to the management center at the same time, improve the stability and reliability of the whole system, enable the requests to be properly scheduled and processed, improve the performance and response speed of the system, reduce the delay and waiting time caused by excessive requests, and filter out abnormal requests, repeated requests and the like by setting a flow limiting policy, thereby improving the security of the management center.
In the steps S101 to S103 illustrated in the embodiments of the present application, when a plurality of IP-free firewalls communicate with a management center, the management center uses a queue or polling method to limit the flow, so as to ensure reasonable utilization and stability of resources; acquiring a strategy synchronization mode; if the strategy synchronization mode is an uploading and issuing mode, a pre-stored strategy is obtained through the IP-free firewall, a current unique identification code is generated according to the strategy, the current unique identification code is sent to the management center, strategy data in a database is obtained through the management center, if the unique identification code of the strategy data is different from the current unique identification code, the strategy data is sent to the IP-free firewall through the management center, the strategy data is applied through the IP-free firewall, automatic strategy data application is achieved, and the efficiency and accuracy of network security management are improved. The method and the device can keep consistency of strategy information, prevent overload of the system and improve stability and reliability of the system.
Referring to fig. 2, in some embodiments, the method may include, but is not limited to, steps S201 to S204:
Step S201, if the policy synchronization mode is the uplink mode, acquiring a pre-stored policy through the IP-free firewall, generating a current unique identification code according to the policy, and transmitting the current unique identification code to the management center;
In some embodiments, the way the unique identification code is generated is not specifically limited and can be flexibly selected in combination with actual control requirements.
In some embodiments, the unique identifier may be generated based on a predetermined (policy-unique identifier) form match, or may be generated by a predetermined generation algorithm.
Illustratively, the policy-unique identification form is shown in Table 1.
TABLE 1
Optionally, key parameters in the policy are encoded, such as policy type, target resource, validation time, etc. The parameters may be processed using a hash function or encryption algorithm to generate a digest or hash of a fixed length, and the generated unique identification code is stored in association with the policy.
Further, the corresponding unique identification code, the policy and the current unique identification code are stored to obtain policy data corresponding to the current unique identification code.
Step S202, acquiring policy data of a database through the management center;
in some embodiments, policy data for the management center is stored in a database.
In some embodiments, the policy data storage is not specifically limited and can be flexibly selected in combination with actual management and control requirements. Policy data may be stored, for example, in a database, in a local file system or a network shared file system, or in a memory cache (e.g., Redis, Memcached).
It can be understood that the policy data is not specifically limited, and can be flexibly selected in combination with actual control requirements. The policy data may be a unique identifier, complete policy data, or both.
Illustratively, when the policy data employs complete policy data, the unique identification code is derived from the policy data.
Optionally, the management center sends the unique identification code to the IP-free firewall, and the IP-free firewall obtains and applies the policy data according to the unique identification code and the (policy-unique identification code) form matching.
Step S203, if the unique identification code of the policy data is different from the current unique identification code, updating the policy data of the management center database according to the current unique identification code;
in some embodiments, the unique identifier of the policy data is compared with the current unique identifier, and if the unique identifier of the policy data is different from the current unique identifier, the policy data of the management center database is updated according to the current unique identifier.
Illustratively, when the policy data of the management center database includes complete policy data, the complete policy data is obtained according to the current unique identification code, and the policy data of the management center database is updated according to the complete policy data and the current unique identification code.
Step S204, returning confirmation information through the management center, and receiving the confirmation information through the IP-free firewall.
Specifically, the acknowledgement information is used to confirm that the data has been received correctly.
In some embodiments, the management center returns confirmation information when updating the policy data of the management center database according to the current unique identification code is completed, and the IP-free firewall receives the confirmation information.
In steps S201 to S204 illustrated in the embodiment of the present application, if the policy synchronization mode is an uplink mode, a pre-stored policy is obtained through the IP-free firewall, a current unique identification code is generated according to the policy and sent to the management center, policy data of the database is obtained through the management center, and if the unique identification code of the policy data is different from the current unique identification code, the policy data of the management center database is updated according to the current unique identification code; confirmation information is returned through the management center and received through the IP-free firewall. Because the unique identification code is generated automatically and exchanged with the management center, the configuration management process of the IP-free firewall is simplified, no manual configuration change is required on each device, the policy data can be uniformly managed and issued through the management center, policy updates are applied in real time, and the consistency of the policy data is maintained.
Referring to fig. 3, in some embodiments, the method may include, but is not limited to, steps S301 to S303:
Step S301, if the policy synchronization mode is the downlink mode, acquiring policy data in a database through the management center and transmitting the policy data to the IP-free firewall;
it can be understood that the policy data is not specifically limited, and can be flexibly selected in combination with actual control requirements. The policy data may be a unique identifier, complete policy data, or both.
Step S302, applying the policy data through the IP-free firewall and returning confirmation information;
in some embodiments, if the policy data in the database does not include complete policy data, the complete policy data is obtained according to the unique identification code in the policy data.
In some embodiments, the policy data is applied and confirmation information is returned through the IP-free firewall.
Step S303, receiving the confirmation information through the management center.
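The three policy synchronization modes (the upload-and-issue mode of step S103, the uplink mode of steps S201 to S204 and the downlink mode of steps S301 to S303), as an added Python example that is not part of the patent: the policy is reduced to a fixed-length unique identification code by hashing its key parameters, the management center compares that code with its database, and the side holding the differing data updates the other and returns confirmation information. The class names, the SHA-256-over-canonical-JSON derivation, the in-memory database and the sample policies are assumptions of this example.

```python
import hashlib
import json
from typing import Optional

# Key parameters that feed the unique identification code (an assumed choice;
# the patent names policy type, target resource and validation time as examples)
KEY_FIELDS = ("policy_type", "target", "valid_from")


def unique_id(policy: dict) -> str:
    """Fixed-length unique identification code: SHA-256 over the key parameters
    serialised canonically, so an identical policy always yields the same code."""
    canon = json.dumps({k: policy.get(k) for k in KEY_FIELDS},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class ManagementCenter:
    """Holds the policy database: firewall id -> {"uid": ..., "policy": ...}."""

    def __init__(self, db: dict) -> None:
        self.db = db

    def upload_and_issue(self, fw_id: str, current_uid: str) -> Optional[dict]:
        """Upload-and-issue mode (step S103): if the firewall's current code
        differs from the database code, return the database policy data for the
        firewall to apply; None means the firewall is already in sync."""
        stored = self.db.get(fw_id)
        if stored is None or stored["uid"] == current_uid:
            return None
        return stored

    def uplink(self, fw_id: str, current_uid: str, policy: dict) -> bool:
        """Uplink mode (steps S201 to S204): update the database from the
        firewall when the codes differ, then return confirmation information."""
        stored = self.db.get(fw_id)
        if stored is None or stored["uid"] != current_uid:
            # Defensive check added here: the uploaded policy must hash to the
            # code the firewall claims, otherwise no confirmation is returned.
            if unique_id(policy) != current_uid:
                return False
            self.db[fw_id] = {"uid": current_uid, "policy": dict(policy)}
        return True

    def downlink(self, fw_id: str, firewall: "IpFreeFirewall") -> bool:
        """Downlink mode (steps S301 to S303): send the database policy data to
        the firewall and receive its confirmation information."""
        stored = self.db.get(fw_id)
        return stored is not None and firewall.apply(stored)


class IpFreeFirewall:
    """Firewall holding a pre-stored policy (it borrows the protected device's IP)."""

    def __init__(self, fw_id: str, policy: dict) -> None:
        self.fw_id = fw_id
        self.policy = dict(policy)

    @property
    def current_uid(self) -> str:
        return unique_id(self.policy)

    def apply(self, policy_data: dict) -> bool:
        """Apply policy data from the center; refuse data whose code does not
        match its policy content, and return confirmation information."""
        if unique_id(policy_data["policy"]) != policy_data["uid"]:
            return False
        self.policy = dict(policy_data["policy"])
        return True

    def sync(self, center: ManagementCenter, mode: str) -> bool:
        """One synchronization round in the given policy synchronization mode."""
        if mode == "upload_and_issue":
            data = center.upload_and_issue(self.fw_id, self.current_uid)
            return True if data is None else self.apply(data)
        if mode == "uplink":
            return center.uplink(self.fw_id, self.current_uid, self.policy)
        if mode == "downlink":
            return center.downlink(self.fw_id, self)
        raise ValueError(f"unknown policy synchronization mode: {mode}")


# Constructed sample policies (not from the patent)
OLD_POLICY = {"policy_type": "deny", "target": "plc-01", "valid_from": "2023-01-01"}
NEW_POLICY = {"policy_type": "allow", "target": "plc-01", "valid_from": "2024-01-01"}


def demo() -> dict:
    """Run the three modes once and report which side ended up with which policy."""
    center = ManagementCenter({"fw-1": {"uid": unique_id(OLD_POLICY),
                                        "policy": dict(OLD_POLICY)}})
    fw = IpFreeFirewall("fw-1", NEW_POLICY)
    results = {"upload_and_issue": fw.sync(center, "upload_and_issue")}
    results["fw_after_upload_and_issue"] = fw.policy["policy_type"]  # center wins
    fw.policy = dict(NEW_POLICY)
    results["uplink"] = fw.sync(center, "uplink")
    results["db_after_uplink"] = center.db["fw-1"]["policy"]["policy_type"]
    stale = IpFreeFirewall("fw-1", OLD_POLICY)
    results["downlink"] = stale.sync(center, "downlink")
    results["fw_after_downlink"] = stale.policy["policy_type"]
    return results
```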
Referring to fig. 4, in some embodiments, step S103 may include, but is not limited to, steps S401 to S404:
Step S401, if the policy synchronization mode is an uplink mode or an upload and issue mode, and the management center goes offline, adding the request to the IP-free firewall upload queue through the IP-free firewall;
Specifically, the IP-free firewall upload queue is a queue located in the IP-free firewall and used for storing upload requests.
In some embodiments, if the policy synchronization mode is an uplink mode or an upload and issue mode and the management center is offline, the request cannot be sent to the management center, so the IP-free firewall adds the request to the IP-free firewall upload queue.
Step S402, optimizing the IP-free firewall upload queue by polling once every preset time;
in some embodiments, the preset time is not limited specifically, and may be flexibly selected in combination with actual control requirements. The preset time may be set by a user, or may be automatically calculated by the system.
The preset time may be estimated according to factors such as system load, network bandwidth, and size of an upload queue. A shorter preset time may provide faster request processing speed, but may increase system load and network pressure, while a longer preset time may reduce system load, but may cause delays.
In some embodiments, the polling operation is triggered every preset time by a timer or scheduler, which may be a system-level timer or a separate timer dedicated to the IP-free firewall upload queue.
In some embodiments, the IP-free firewall upload queue may be optimized by setting priorities, assigning different processing priorities to different types of requests so that important requests are processed as soon as possible.
In some embodiments, the IP-free firewall upload queue may be optimized by dynamically adjusting the length of the queue.
In this embodiment, the utilization of network resources may be optimized by adding requests to the upload queue and utilizing a polling mechanism. When the management center is offline, the IP-free firewall does not frequently attempt to connect with the management center, so that unnecessary network communication overhead is reduced.
Step S403, continuing to operate through the IP-free firewall according to the stored configuration from the last communication;
In some embodiments, the IP-free firewall continues to operate according to the stored policy data.
Step S404, until the management center is online, uploading the requests in the IP-free firewall upload queue.
In some embodiments, when the management center comes online, the requests in the IP-free firewall upload queue are uploaded to the management center.
In some embodiments, if the confirmation returned by the management center is not received, the request is resent.
In steps S401 to S404 illustrated in the embodiment of the present application, if the policy synchronization mode is an uplink mode or an upload and issue mode and the management center goes offline, the IP-free firewall adds the request to the IP-free firewall upload queue; the upload queue is optimized by polling once every preset time; the IP-free firewall continues to operate according to the stored configuration from the last communication; and when the management center is online, the requests in the upload queue are uploaded. Thus the IP-free firewall still works normally while the management center is offline, so continuous operation of the network is guaranteed and the equipment remains protected; optimizing the upload queue improves network transmission efficiency, reduces transmission delay, improves network performance and guarantees the integrity and accuracy of the requests; and synchronization between the management center and the IP-free firewall is restored in time, which guarantees network safety and normal operation.
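Steps S401 to S404 together with the timeout prediction described earlier (statistical analysis of historical response times), as an added Python example that is not part of the patent: requests accumulate in a priority-ordered upload queue while the management center is offline, each polling round skips requests predicted to time out, and once the center is online the remaining requests are uploaded and resent when no confirmation arrives. The class names, the priority scheme, the bounded queue length used as flow limiting, the response-time estimate and the sample scenario are assumptions of this example.

```python
import heapq
import itertools
import statistics
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(order=True)
class Request:
    priority: int                                   # lower value is processed first
    seq: int                                        # tie-breaker: FIFO inside a priority
    kind: str = field(compare=False)
    payload: dict = field(compare=False, default_factory=dict)
    attempts: int = field(compare=False, default=0)


class TimeoutPredictor:
    """Statistical prediction from historical response times, per request kind."""

    def __init__(self, timeout_threshold_ms: float) -> None:
        self.threshold = timeout_threshold_ms
        self.history: Dict[str, List[float]] = {}

    def record(self, kind: str, response_ms: float) -> None:
        self.history.setdefault(kind, []).append(response_ms)

    def will_timeout(self, kind: str) -> bool:
        samples = self.history.get(kind)
        if not samples:
            return False  # no history yet: let the request through
        mean, longest = statistics.fmean(samples), max(samples)
        estimate = mean + (longest - mean) / 2  # assumed estimate: mean plus half the spread
        return estimate > self.threshold


class UploadQueue:
    """Upload queue kept on the IP-free firewall side (step S401)."""

    def __init__(self, predictor: TimeoutPredictor, max_len: int = 100,
                 max_attempts: int = 3) -> None:
        self._heap: List[Request] = []
        self._seq = itertools.count()
        self.predictor = predictor
        self.max_len = max_len            # bounded length acts as flow limiting
        self.max_attempts = max_attempts
        self.discarded: List[Request] = []

    def add(self, kind: str, payload: dict, priority: int = 5) -> bool:
        """Queue a request; refuse it when the queue is full."""
        if len(self._heap) >= self.max_len:
            return False
        heapq.heappush(self._heap, Request(priority, next(self._seq), kind, payload))
        return True

    def poll(self, center_online: bool,
             send: Callable[[Request], Optional[float]]) -> int:
        """One polling round (step S402). `send` returns the response time in ms, or
        None when no confirmation arrived. Returns the number of confirmed requests."""
        if not center_online:
            return 0  # keep operating on the last configuration; do not retry the center
        confirmed = 0
        retry: List[Request] = []
        while self._heap:
            req = heapq.heappop(self._heap)
            if self.predictor.will_timeout(req.kind):
                self.discarded.append(req)  # predicted timeout: discard
                continue
            req.attempts += 1
            response_ms = send(req)
            if response_ms is None:
                if req.attempts < self.max_attempts:
                    retry.append(req)       # no confirmation: resend later
                else:
                    self.discarded.append(req)
                continue
            self.predictor.record(req.kind, response_ms)
            confirmed += 1
        for req in retry:
            heapq.heappush(self._heap, req)
        return confirmed


def demo() -> Tuple[int, int, int, int]:
    """Constructed scenario: one slow request kind, one fast kind, one lost confirmation."""
    predictor = TimeoutPredictor(timeout_threshold_ms=500)
    for ms in (900.0, 1100.0, 800.0):      # bulk log uploads have been slow
        predictor.record("bulk_log", ms)
    for ms in (40.0, 60.0):                # unique-code uploads have been fast
        predictor.record("policy_uid", ms)
    queue = UploadQueue(predictor, max_len=4)
    queue.add("policy_uid", {"uid": "uid-A"}, priority=1)
    queue.add("bulk_log", {"lines": 5000}, priority=9)
    queue.add("policy_uid", {"uid": "uid-B"}, priority=1)
    offline = queue.poll(False, lambda req: 50.0)   # center offline: nothing sent
    calls = itertools.count(1)

    def send(req: Request) -> Optional[float]:
        return None if next(calls) == 1 else 50.0   # first upload loses its confirmation

    first = queue.poll(True, send)
    second = queue.poll(True, send)
    return offline, first, second, len(queue.discarded)
```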
Referring to fig. 5, in some embodiments, step S103 may further include, but is not limited to, steps S501 to S503:
Step S501, if the policy synchronization mode is the downlink mode and the IP-free firewall is offline, adding the request to a downlink queue through the management center;
Specifically, the downlink queue is a queue located in the management center and used for storing downlink (issue) requests.
Step S502, through polling every preset time, the downlink queue is optimized;
in some embodiments, the preset time is not limited specifically, and may be flexibly selected in combination with actual control requirements. The preset time may be set by a user, or may be automatically calculated by the system.
Step S503, until the IP-free firewall is online, issuing the requests in the downlink queue.
In some embodiments, when the IP-free firewall comes online, the requests in the downlink queue are issued to the IP-free firewall.
In some embodiments, if no confirmation is received from the IP-free firewall, the request is resent.
In steps S501 to S503 illustrated in the embodiment of the present application, if the policy synchronization mode is a downlink mode and the IP-free firewall is offline, the management center adds the request to a downlink queue; the downlink queue is optimized by polling once every preset time; and when the IP-free firewall is online, the requests in the downlink queue are issued. This ensures continuous operation of the network; optimizing the downlink queue improves network transmission efficiency, reduces transmission delay, improves network performance and ensures the integrity and accuracy of the requests; and synchronization between the management center and the IP-free firewall is restored in time, which ensures network safety and normal operation.
Referring to fig. 6, in some embodiments, the method of the present application is applied to an IP-free firewall 602 and a management center 601, and includes the following steps:
establishing a connection with the management center 601 through the IP-free firewall 602, which borrows the IP of the protected device;
acquiring a policy synchronization mode;
the policy synchronization mode comprises an upload and issue mode, a downlink mode and an uplink mode. An exemplary policy synchronization mode is schematically illustrated in fig. 7.
If the policy synchronization mode is an uploading and issuing mode, generating a current unique identification code according to a policy through the IP-free firewall 602, sending the current unique identification code to the management center 601, acquiring policy data in a database through the management center 601, and if the unique identification code of the policy data is different from the current unique identification code, sending the policy data to the IP-free firewall 602 through the management center 601, and applying the policy data through the IP-free firewall 602;
if the policy synchronization mode is an uplink mode, generating a current unique identification code according to a policy through the IP-free firewall 602, sending the current unique identification code to the management center 601, acquiring policy data of a database through the management center 601, if the unique identification code of the policy data is different from the current unique identification code, updating the policy data of the database of the management center 601 according to the current unique identification code, returning confirmation information through the management center 601, receiving the confirmation information through the IP-free firewall 602, wherein the confirmation information is used for confirming that the data has been correctly received;
If the policy synchronization mode is the downlink mode, acquiring policy data in a database through the management center 601, sending the policy data to the IP-free firewall 602, applying the policy data through the IP-free firewall 602 and returning confirmation information, and receiving the confirmation information through the management center 601;
if the policy synchronization mode is the uplink mode, receiving a request through the management center 601, and adding the request to an uplink queue; the length of the uplink queue is dynamically adjusted by monitoring load conditions, wherein the load conditions comprise request quantity, response time, CPU utilization rate, memory utilization rate, hard disk utilization rate and CPU temperature;
if the policy synchronization mode is the downlink mode, creating a request through the management center 601, and adding the request to a downlink queue; dynamically adjusting the length of the downlink queue by monitoring the load condition;
when a plurality of IP-free firewalls 602 communicate with the management center 601, if the policy synchronization mode is an uplink mode or an upload and issue mode, and the management center 601 is offline, adding a request to the upload queue of the IP-free firewall 602 through the IP-free firewall 602, optimizing the upload queue of the IP-free firewall 602 by polling once every preset time, and continuing to operate through the IP-free firewall 602 according to the stored last communicable configuration until the management center 601 is online, and then uploading the requests in the upload queue of the IP-free firewall 602;
When a plurality of IP-free firewalls 602 communicate with the management center 601, if the policy synchronization mode is a downlink mode and the IP-free firewalls 602 are offline, adding a request into a downlink queue through the management center 601, polling once every preset time, optimizing the downlink queue until the IP-free firewalls 602 are online, and issuing the request in the downlink queue;
predicting whether the request will timeout before the request is submitted by the uplink queue or the downlink queue;
if the predicted result is that the request will time out, discarding the request;
responding to the first instruction, and displaying the CPU utilization rate, the memory utilization rate, the hard disk utilization rate and the CPU temperature of the management center 601 through the center running state area;
the management center 601 includes a central status page, a terminal status page and a history policy page, the central status page includes a central running status area, the terminal status page includes a terminal running status area, the history policy page includes a policy list area, a list template area and a blacklist area, and the first instruction includes an opening instruction of the central status page.
Illustratively, a central status page schematic is shown in FIG. 8.
Responding to the second instruction, and displaying the CPU utilization rate, the memory utilization rate, the effective strategy number and the current day strategy interception of the IP-free firewall 602 through the terminal running state area;
Wherein the second instruction comprises an open instruction of a terminal status page, and an exemplary terminal status page schematic diagram is shown in fig. 9.
In response to the third instruction, displaying a history policy of the IP-free firewall 602 in a policy list area, the history policy including a policy size, a creation user, and a creation time;
the policy size is the size of the policy, and represents the size of the storage actually occupied by the policy. The third instruction includes an open instruction for a history policy page, an exemplary history policy page schematic is shown in FIG. 10.
And responding to the fourth instruction, and displaying the list name, the list referencing object, the list IP address, the list port address and the list starting condition of the current history strategy in a list template area.
Specifically, displaying a white list name, a list name, an asset access condition, a corresponding IP-free firewall name and a white list starting condition in a white list area; displaying a gray list name, a list name, an asset access condition, a corresponding IP-free firewall name and a gray list starting condition in a gray list area; and displaying the blacklist name, the list name, the asset access condition, the corresponding IP-free firewall name and the blacklist starting condition in the blacklist area.
The fourth instruction comprises a selection instruction for a history policy in the history policy page. The list name column displays the name of the list used by the history policy; the list name may be a user-defined identifier for distinguishing different lists. The list IP address column displays the IP addresses in the list; an IP address may be a specific address to be intercepted or allowed to pass. The list port address column displays the port addresses in the list; a port address may be a specific port to be intercepted or allowed to pass. The list enablement status column shows whether the list has been enabled or disabled: if the list is enabled, the policy is using the list for access control; if the list is disabled, the policy no longer uses the list and the corresponding access control rules are no longer effective. The asset access condition column displays the condition of the entities or resources listed in the list accessing the protected device, and the SA-NAC column displays the name of the IP-free firewall. An exemplary history policy page diagram is shown in FIG. 11.
Log data is generated and processed through the IP-free firewall 602 and sent to the management center 601.
The IP-free firewall 602 determines the log information to be recorded, such as the running state of the system, user operations, error information, etc.; configures a logging policy (such as the recording time range, log level and filtering conditions) according to the log information to be recorded; and stores the generated log data in a designated storage device and transmits it to the management center 601.
According to the IP-free firewall management and control method, when a plurality of IP-free firewalls are communicated with a management center, the management center adopts a queue or polling mode to limit the flow, so that reasonable utilization and stability of resources are ensured; acquiring a strategy synchronization mode; if the strategy synchronization mode is an uploading and issuing mode, a pre-stored strategy is obtained through the IP-free firewall, a current unique identification code is generated according to the strategy, the current unique identification code is sent to the management center, strategy data in a database is obtained through the management center, if the unique identification code of the strategy data is different from the current unique identification code, the strategy data is sent to the IP-free firewall through the management center, the strategy data is applied through the IP-free firewall, automatic strategy data application is achieved, and the efficiency and accuracy of network security management are improved. The method and the device can keep consistency of strategy information, prevent overload of the system and improve stability and reliability of the system.
Referring to fig. 12, an embodiment of the present application further provides an IP-free firewall control device, which may implement the IP-free firewall control method, where the device includes:
the policy synchronization module 1201 is configured to obtain a policy synchronization mode, where the policy synchronization mode includes an upload and issue mode;
the uploading and issuing module 1202 is configured to obtain a pre-stored policy through the IP-free firewall and generate a current unique identifier according to the policy if the policy synchronization mode is an uploading and issuing mode, send the current unique identifier to the management center, obtain policy data in the database through the management center, and send the policy data to the IP-free firewall through the management center and apply the policy data through the IP-free firewall if the unique identifier of the policy data is different from the current unique identifier;
the flow limiting module 1203 is configured to limit the flow through the management center in a queue or polling manner when the plurality of IP-free firewalls communicate with the management center.
The specific implementation of the IP-free firewall control device is substantially the same as the specific embodiment of the IP-free firewall control method, and will not be described herein.
The content of the method embodiment of the invention is suitable for the device embodiment, the specific function of the device embodiment is the same as that of the method embodiment, and the achieved beneficial effects are the same as those of the method.
The embodiment of the application also provides electronic equipment, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the IP-free firewall management and control method when executing the computer program. The electronic equipment can be any intelligent terminal including a tablet personal computer, a vehicle-mounted computer and the like.
The content of the method embodiment of the invention is suitable for the electronic equipment embodiment, the functions of the electronic equipment embodiment are the same as those of the method embodiment, and the achieved beneficial effects are the same as those of the method.
Referring to fig. 13, fig. 13 illustrates a hardware structure of an electronic device according to another embodiment, the electronic device includes:
the processor 1301 may be implemented by a general purpose CPU (central processing unit), a microprocessor, an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), or one or more integrated circuits, etc., for executing related programs to implement the technical solutions provided by the embodiments of the present application;
the memory 1302 may be implemented in the form of read-only memory (Read Only Memory, ROM), static storage, dynamic storage, or random access memory (Random Access Memory, RAM). The memory 1302 may store an operating system and other application programs; when the technical solutions provided in the embodiments of the present application are implemented by software or firmware, the relevant program code is stored in the memory 1302, and the processor 1301 invokes it to execute the IP-free firewall management and control method of the embodiments of the present application;
An input/output interface 1303 for implementing information input and output;
the communication interface 1304 is configured to implement communication interaction between the device and other devices, and may implement communication in a wired manner (e.g. USB, network cable, etc.) or in a wireless manner (e.g. mobile network, Wi-Fi, Bluetooth, etc.);
a bus 1305 to transfer information between the various components of the device (e.g., the processor 1301, memory 1302, input/output interfaces 1303, and communication interfaces 1304);
wherein the processor 1301, the memory 1302, the input/output interface 1303 and the communication interface 1304 enable a communication connection between each other inside the device via a bus 1305.
The embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium stores a computer program, and the computer program realizes the IP-free firewall management and control method when being executed by a processor.
The content of the method embodiment of the invention is applicable to the storage medium embodiment, the specific function of the storage medium embodiment is the same as that of the method embodiment, and the achieved beneficial effects are the same as those of the method.
The memory, as a non-transitory computer readable storage medium, may be used to store non-transitory software programs as well as non-transitory computer executable programs. In addition, the memory may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory remotely located relative to the processor, the remote memory being connectable to the processor through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
According to the IP-free firewall management and control method, the IP-free firewall management and control device, the electronic equipment and the storage medium, when a plurality of IP-free firewalls communicate with the management center, the management center limits the flow (rate-limits the requests) in a queue or polling mode, so that reasonable use of resources and stability are ensured. A strategy synchronization mode is acquired. If the strategy synchronization mode is the uploading and issuing mode, the IP-free firewall obtains its pre-stored strategy, generates a current unique identification code from that strategy and sends the code to the management center; the management center obtains the strategy data in its database, and if the unique identification code of that strategy data differs from the current unique identification code, the management center sends the strategy data to the IP-free firewall, which applies it. Strategy data is thus applied automatically, and the efficiency and accuracy of network security management are improved. The method and the device can keep strategy information consistent, prevent overload of the system and improve the stability and reliability of the system.
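The three synchronization modes described above (uploading and issuing, uplink, downlink) compare a unique identification code computed from the stored strategy with the code of the strategy data held in the management center's database. The following is an added illustration, not code from the patent or its applicant; it assumes the unique identification code is a SHA-256 over a canonical JSON encoding of the strategy, that in uplink mode the strategy travels together with its code, and that the receiving side recomputes the code over the received strategy data before applying it (a check the claims do not spell out but that a defender would want, since a strategy applied with a wrong code is a silent policy change).

```python
import hashlib
import json
from dataclasses import dataclass


def policy_uid(policy: dict) -> str:
    """Unique identification code of a strategy: SHA-256 over a canonical JSON
    encoding, so key order or whitespace never causes a false mismatch
    (canonical hashing is an assumption of this example, not the patent's)."""
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class IpFreeFirewall:
    """Enforcement point without an IP of its own; keeps a pre-stored strategy
    and applies whatever the management center issues."""
    stored_policy: dict

    def current_uid(self) -> str:
        return policy_uid(self.stored_policy)

    def apply(self, policy: dict, expected_uid: str) -> dict:
        # Integrity check before applying: recompute the code over the received
        # strategy data and refuse anything whose code does not match.
        if policy_uid(policy) != expected_uid:
            return {"ack": False, "reason": "uid mismatch"}
        self.stored_policy = policy
        return {"ack": True, "uid": expected_uid}


@dataclass
class ManagementCenter:
    """Holds the authoritative strategy data in its database."""
    db_policy: dict

    def db_uid(self) -> str:
        return policy_uid(self.db_policy)

    def update(self, policy: dict, uid: str) -> dict:
        # Same check in the other direction before the database is overwritten.
        if policy_uid(policy) != uid:
            return {"ack": False, "reason": "uid mismatch"}
        self.db_policy = policy
        return {"ack": True, "uid": uid}


def synchronize(mode: str, fw: IpFreeFirewall, mc: ManagementCenter) -> dict:
    """Run one synchronization round in the given mode and report the result."""
    if mode == "upload_issue":
        # Firewall sends only its current code; the center compares it with the
        # code of the database strategy and issues that strategy if they differ.
        fw_uid = fw.current_uid()
        if mc.db_uid() == fw_uid:
            return {"mode": mode, "changed": False, "uid": fw_uid}
        ack = fw.apply(mc.db_policy, mc.db_uid())
        return {"mode": mode, "changed": ack["ack"], "uid": ack.get("uid", fw_uid)}
    if mode == "uplink":
        # Firewall sends code plus strategy (assumption); the center updates its
        # database when the codes differ and returns confirmation.
        fw_uid = fw.current_uid()
        if mc.db_uid() == fw_uid:
            return {"mode": mode, "changed": False, "uid": fw_uid}
        ack = mc.update(fw.stored_policy, fw_uid)
        return {"mode": mode, "changed": ack["ack"], "uid": fw_uid}
    if mode == "downlink":
        # Center pushes its strategy; the firewall applies it and confirms.
        ack = fw.apply(mc.db_policy, mc.db_uid())
        return {"mode": mode, "changed": ack["ack"], "uid": mc.db_uid()}
    raise ValueError(f"unknown policy synchronization mode: {mode!r}")
```

A second round in uploading and issuing mode reports `changed: False`, which is the steady state the method relies on: only a differing code triggers a transfer, so identical strategies never generate traffic.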
The embodiments described in the embodiments of the present application are for more clearly describing the technical solutions of the embodiments of the present application, and do not constitute a limitation on the technical solutions provided by the embodiments of the present application, and as those skilled in the art can know that, with the evolution of technology and the appearance of new application scenarios, the technical solutions provided by the embodiments of the present application are equally applicable to similar technical problems.
It will be appreciated by those skilled in the art that the technical solutions shown in the figures do not constitute limitations of the embodiments of the present application, and may include more or fewer steps than shown, or may combine certain steps, or different steps.
The above described apparatus embodiments are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Those of ordinary skill in the art will appreciate that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof.
The terms "first," "second," "third," "fourth," and the like in the description of the present application and in the above-described figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be understood that in this application, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes the association relationship of associated objects and may represent three relationships; for example, "A and/or B" may represent: only A, only B, or both A and B, where A and B may be singular or plural. The character "/" generally indicates that the associated objects are in an "or" relationship. "At least one of" or the like means any combination of these items, including any combination of single items or plural items. For example, at least one of a, b or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b and c may be single or plural.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the above-described division of units is merely a logical function division, and there may be another division manner in actual implementation, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, in essence, in its entirety or in part, may be embodied in the form of a software product stored in a storage medium, including multiple instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods of the various embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing a program.
Preferred embodiments of the present application are described above with reference to the accompanying drawings, and thus do not limit the scope of the claims of the embodiments of the present application. Any modifications, equivalent substitutions and improvements made by those skilled in the art without departing from the scope and spirit of the embodiments of the present application shall fall within the scope of the claims of the embodiments of the present application.

Claims (10)

1. An IP-free firewall management and control method, the method comprising:
acquiring a strategy synchronization mode, wherein the strategy synchronization mode comprises an uploading and issuing mode;
if the strategy synchronization mode is the uploading and issuing mode, acquiring a pre-stored strategy through an IP-free firewall, generating a current unique identification code according to the strategy, sending the current unique identification code to a management center, acquiring strategy data in a database through the management center, and if the unique identification code of the strategy data is different from the current unique identification code, sending the strategy data to the IP-free firewall through the management center, and applying the strategy data through the IP-free firewall;
when a plurality of IP-free firewalls are communicated with the management center, the management center adopts a queue or polling mode to limit the flow.
2. The method of claim 1, wherein the policy synchronization mode further comprises a downlink mode and an uplink mode, the method further comprising:
if the strategy synchronization mode is the uplink mode, acquiring a pre-stored strategy through the IP-free firewall, generating a current unique identification code according to the strategy, sending the current unique identification code to the management center, acquiring strategy data of a database through the management center, and if the unique identification code of the strategy data is different from the current unique identification code, updating the strategy data of the database of the management center according to the current unique identification code, returning confirmation information through the management center, receiving the confirmation information through the IP-free firewall, wherein the confirmation information is used for confirming that the data is correctly received;
if the policy synchronization mode is the downlink mode, policy data in a database is acquired through the management center, the policy data is sent to the IP-free firewall, the policy data is applied through the IP-free firewall, confirmation information is returned, and the confirmation information is received through the management center.
3. The method according to claim 2, wherein the management center limiting the flow in a queue or polling mode comprises:
if the strategy synchronization mode is the uplink mode, receiving a request through the management center, and adding the request to an uplink queue; dynamically adjusting the length of the uplink queue by monitoring load conditions, wherein the load conditions comprise request quantity, response time, CPU utilization rate, memory utilization rate, hard disk utilization rate and CPU temperature;
if the strategy synchronous mode is the downlink mode, creating a request through the management center, and adding the request to a downlink queue; and dynamically adjusting the length of the downlink queue by monitoring the load condition.
4. The method according to claim 2, wherein the management center limiting the flow in a queue or polling mode comprises:
if the policy synchronization mode is the uplink mode or the uploading and issuing mode, and the management center goes offline, adding a request into an IP-free firewall uploading queue through the IP-free firewall, optimizing the IP-free firewall uploading queue by polling at preset time intervals, and uploading the requests in the IP-free firewall uploading queue through the IP-free firewall according to the stored last communication configuration until the management center goes online;
if the strategy synchronization mode is the downlink mode and the IP-free firewall is offline, adding the request into a downlink queue through the management center, and optimizing the downlink queue by polling at preset time intervals until the IP-free firewall is offline, and issuing the requests in the downlink queue.
5. The method according to claim 3, wherein the management center limiting the flow in a queue or polling mode further comprises:
predicting whether the request will timeout before the request is submitted by the uplink queue or the downlink queue;
if the predicted result is that the request will timeout, the request is abandoned.
6. The method of claim 3, wherein the management center includes a center status page, a terminal status page, and a history policy page, the center status page including a center operational status region, the terminal status page including a terminal operational status region, the history policy page including a policy list region, a list template region, and a blacklist region, the method further comprising:
responding to a first instruction, and displaying the CPU utilization rate, the memory utilization rate, the hard disk utilization rate and the CPU temperature of the management center through the center running state area;
responding to a second instruction, and displaying the CPU utilization rate, the memory utilization rate, the effective strategy number and the current strategy interception of the IP-free firewall through the terminal running state area;
responding to a third instruction, displaying a historical policy of the IP-free firewall in the policy list area, the historical policy including a policy size, a creation user, and a creation time;
and responding to a fourth instruction, displaying a list name, a list IP address and a list enabling condition of the current history strategy in the list template area, and displaying a blacklist name, a list name, an asset access condition and a blacklist enabling condition in the blacklist area.
7. The method according to claim 1, wherein the method further comprises:
establishing connection with a management center through an IP-free firewall by using the IP of the protected equipment;
generating and processing log data through the IP-free firewall, and sending the log data to the management center.
8. A distributed management and control apparatus, the apparatus comprising:
the strategy synchronization module is used for acquiring a strategy synchronization mode, wherein the strategy synchronization mode comprises an uploading and issuing mode;
the uploading and issuing module is used for, if the strategy synchronization mode is the uploading and issuing mode, acquiring a pre-stored strategy through an IP-free firewall, generating a current unique identification code according to the strategy, sending the current unique identification code to a management center, acquiring strategy data in a database through the management center, and, if the unique identification code of the strategy data is different from the current unique identification code, sending the strategy data to the IP-free firewall through the management center and applying the strategy data through the IP-free firewall;
and the flow limiting module is used for limiting the flow through the management center in a queue or polling mode when a plurality of IP-free firewalls communicate with the management center.
9. An electronic device comprising a memory storing a computer program and a processor that when executing the computer program implements the IP-free firewall management method of any one of claims 1-7.
10. A computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the IP-free firewall management method of any one of claims 1 to 7.
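Claims 3 to 5 describe the flow limiting side of the method: uplink and downlink queues on the management center whose length is adjusted from monitored load (request quantity, response time, CPU, memory, disk utilization and CPU temperature), a timeout prediction that abandons a request before it is submitted, and an upload queue on the IP-free firewall that is optimized and flushed by periodic polling while the management center is offline. The block below is an added example, not code from the patent or its applicant. It assumes a specific mapping from load to queue length (the most saturated resource sets the pressure; a CPU at or above 85 °C counts as at least 90% pressure), predicts the wait as queued requests times average response time, and reads "optimizing" the firewall's upload queue as keeping only the newest request per strategy code; the endpoint in the stored communication configuration is a placeholder.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class LoadSnapshot:
    """Load condition sampled on the management center (values constructed)."""
    request_count: int
    avg_response_s: float
    cpu_pct: int
    mem_pct: int
    disk_pct: int
    cpu_temp_c: int


def queue_capacity(load: LoadSnapshot, base: int = 1000, minimum: int = 10) -> int:
    """Map load to a queue length. The mapping is an assumption of this example:
    the queue shrinks as the most saturated resource approaches 100%, and a hot
    CPU is treated as at least 90% pressure. Integer arithmetic keeps it exact."""
    pressure_pct = max(load.cpu_pct, load.mem_pct, load.disk_pct)
    if load.cpu_temp_c >= 85:
        pressure_pct = max(pressure_pct, 90)
    return max(minimum, base * (100 - pressure_pct) // 100)


class AdmissionQueue:
    """Uplink or downlink queue on the management center."""

    def __init__(self, name: str, deadline_s: float):
        self.name = name
        self.deadline_s = deadline_s
        self.items: deque = deque()
        self.capacity = 1000
        self.avg_service_s = 0.0
        self.dropped = 0

    def resize(self, load: LoadSnapshot) -> int:
        # Dynamic queue length: re-derive the capacity from the latest sample.
        self.capacity = queue_capacity(load)
        self.avg_service_s = load.avg_response_s
        return self.capacity

    def predicted_wait_s(self) -> float:
        # Prediction used before submission: requests ahead times service time.
        return len(self.items) * self.avg_service_s

    def submit(self, request: dict) -> bool:
        """Admit a request, or abandon it when the queue is full or the request
        is predicted to time out before it would be served (claim 5)."""
        if len(self.items) >= self.capacity or self.predicted_wait_s() > self.deadline_s:
            self.dropped += 1
            return False
        self.items.append(request)
        return True

    def drain(self, batch: int) -> list:
        # Polling mode: serve at most `batch` requests per tick.
        out = []
        while self.items and len(out) < batch:
            out.append(self.items.popleft())
        return out


class FirewallUploadQueue:
    """Upload queue kept on the IP-free firewall while the management center is
    offline; flushed by periodic polling using the last stored communication
    configuration (the endpoint value is a placeholder)."""

    def __init__(self, last_config: dict):
        self.last_config = last_config
        self.items: deque = deque()

    def add(self, request: dict) -> None:
        self.items.append(request)

    def poll(self, center_online: bool, send) -> int:
        # "Optimizing" the queue is taken here (assumption) to mean keeping only
        # the newest request per strategy code, so stale updates are not replayed.
        newest = {}
        for req in self.items:
            newest[req["uid"]] = req
        self.items = deque(newest.values())
        sent = 0
        if center_online:
            while self.items:
                send(self.last_config, self.items.popleft())
                sent += 1
        return sent
```

Dropping a request that is predicted to time out is only safe because the synchronization is idempotent: the next round recomputes the unique identification code and resends whatever still differs, so an abandoned request costs a delay, not a lost strategy.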
CN202311670004.6A 2023-12-06 2023-12-06 IP-free firewall management and control method and device, electronic equipment and storage medium Pending CN117879870A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311670004.6A CN117879870A (en) 2023-12-06 2023-12-06 IP-free firewall management and control method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311670004.6A CN117879870A (en) 2023-12-06 2023-12-06 IP-free firewall management and control method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117879870A true CN117879870A (en) 2024-04-12

Family

ID=90578048

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311670004.6A Pending CN117879870A (en) 2023-12-06 2023-12-06 IP-free firewall management and control method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN117879870A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination