KR100904557B1 - Unification management system for different types of firewalls and method therof - Google Patents

Abstract

A heterogeneous firewall unified management system and a method thereof for using the grouped policy of heterogeneous firewalls are provided to manage heterogeneous firewalls through a common command by grouping the policy of heterogeneous firewalls. A firewall(10) has a different OS(Operating System) and a policy. The policies of firewalls are registered by an integration management member(20). Each policy command groups common command language. The integration management member manages each policy instruction grouped in the common command language and executes to the common command language. A management terminal(30) outputs the acknowledgement signal of the policy which is registration requested in the integration management member.

Description

Unification Management System for Different Types of Firewalls and Method therof}

The present invention relates to an integrated management system and method for integrated management of different types of firewalls, and more specifically, to integrated management of different types of firewalls by applying a command line interface (CLI) between an operating system or an application program and a user. The present invention relates to a heterogeneous integrated firewall management system and method.

The openness of the Internet leads to various attacks on Internet access devices. This attack is effected by sending packet sequences that cause the target device to no longer function properly. These attacks can be categorized into categories such as stopping the target device, Denial of Service (DoS), and Distributed Denial of Service (DDoS), which can cause the device to no longer be used, compromised, or otherwise compromised. Change the files or software on the target device to act as a DoS clone attack source.

Most attacks occur on devices connected to the public Internet and enter the workplace through the company's Internet connection. Some businesses have more than one connection point to the Internet. As such, network devices located at the interface between the two networks, also called firewalls, are used to defend against these attacks. For example, a firewall may be used between a public and private network, between two Internet Service Provider (ISP) networks, between two Local Area Networks,

Or between any other two networks. If a firewall device is located at all connection points to the Internet, a perimeter firewall is created around the internal network and devices.

The firewall is responsible for keeping unauthorized attacks out of the private network and, if possible, eliminating unauthorized transmissions that can occur from within the private network. Other uses of the firewall may include modifying information inside the packet. For example, a firewall can be used as a network address translator (NAT) for converting (translating) between public and private Internet protocol (IP) addresses.

In addition, a firewall is a gateway type device that connects communication between different networks, and a policy is a packet that registers a security program and receives packets between different networks as a destination. In order to prevent internal and external information from being transmitted and received, the internal network is secured.

Here, the components for determining the rule include a source IP, a source port, a source IP, a destination port, a protocol, a packet, or a packet. Action to decide prohibition, expressed as packet allowance time slot. That is, the policy sets data that can make a decision to allow or deny a packet according to IPs, ports, and protocols of a registered source and destination, and determines packet allowance or packet prohibition based on the data registered in the policy. do.

However, since the conventional firewalls have been installed with different operating systems and functions for various companies all over the world, it is possible to build firewalls having different operating systems and commands made by different companies when constructing a company's internal communication network. However, since each firewall has a different operating system and commands, it is difficult to integrate them.

SUMMARY OF THE INVENTION The present invention has been made to solve the above-described problems, and is classified as an object according to the rules of different firewalls having different commands and policies, thereby grouping and grouping at least one or more different types of firewalls by a common command. It is to provide a heterogeneous firewall integrated management system and method that can be integrated management.

Another object of the present invention is a heterogeneous firewall integrated management system that can be integrated management through a user interface (Command Line Interface) that can receive a response when the operating system or application type a specific command to the firewall of different models and To provide a method.

Another object of the present invention is to provide a heterogeneous firewall integrated management system and method that can be integrated and manage at least one or more firewall, easy to register and change the firewall policy for the expansion of the firewall, and can check the occurrence of errors therein Is in.

The present invention includes the following examples in order to achieve the above object.

According to a first embodiment of the present invention, a heterogeneous firewall integrated management system of the present invention comprises: at least one firewall having different operating systems and policies; Registering different policies of the at least one firewall, grouping each policy command into a common command, and executing the common command so that the firewall self command grouped into the common command is executed; Integrated management member for integrated management of the above firewall; And a management terminal for outputting an approval signal of a policy newly registered to the integrated management member.

According to a second embodiment of the present invention, in the first embodiment, the integrated management member comprises: an information setting unit for setting the policy information of the at least one firewall and the authority for the approval process of the firewall policy; A policy application unit for requesting approval of registration by transmitting the new registration request policy information to the management terminal when a registration request signal is applied for a policy of a new firewall; A policy determination unit which, upon receiving the policy signal of the policy applied for registration in the policy application unit, determines registration of the approved policy; An information storage unit for storing policy history information of the policy request unit and the management terminal; And a command execution unit for grouping the newly registered policy information as a common command word registered in the information setting unit, and outputting the presence or absence of an error by executing the common command word.

According to a third embodiment of the present invention, in the second embodiment, the information setting unit classifies and registers the firewall policy information of at least one or more different types for each object, and registers commands of each registered policy with a common command word. An information configuration module for registering by grouping; And an authority setting module for registering IPs or accounts of respective management terminals for reviewing and approving new policies applied for registration through the policy application unit, and setting respective rights in the new registration approval process of the policy.

According to the fourth embodiment of the present invention, in the third embodiment, the information configuration module includes general information including operating system version information of the firewall that can be supported by the integrated management member, application method of each policy, and inquiry method. Policy information including a modification method, a deletion method, an execution method, and a release method, and a method of registering, querying, modifying, and deleting an object classified in the policy. Argument) to register at least one of the configuration method.

According to a fifth embodiment of the present invention, in the fourth embodiment, the policy information includes a common command for applying new policy information, a common command input when the registered policy is inquired, and a registered policy. Common commands to be inputted for execution, and common commands inputted for executing and undoing a registered policy.

According to a sixth embodiment of the present invention, in the fifth embodiment, the integrated management system of the heterogeneous firewall is characterized by applying a command line interface.

According to the seventh embodiment of the present invention, in the sixth embodiment, the management terminal is a policy review terminal for outputting a review result signal for reviewing the policy applied by the policy application unit, and the policy review terminal And a policy approval terminal for outputting a result signal for approval of the policy.

According to an eighth embodiment of the present invention, in the seventh embodiment, the information configuration module examines, reviews and approves, approves, approves, approves the work order and applies the policy the policy approval process in the management terminal. Characterized in that it is set to proceed to include at least one or more of the steps.

According to a ninth embodiment of the present invention, in the eighth embodiment, the authority setting module registers respective terminal IPs or accounts for each of the policy review, review payment, policy approval, and approval payment. Characterized in that to proceed.

According to a tenth embodiment of the present invention, in the second embodiment, the command execution unit is a common command included in the firewall policy registered in the information setting unit when the approval decision signal of the policy for newly registering is applied. A command configuration module for grouping commands of a newly registered policy; An instruction execution module for executing the common instruction; It includes a result analysis module for analyzing the execution result of the command execution module to analyze the success or error and output a result message.

According to an eleventh embodiment of the present invention, in the heterogeneous firewall integrated management method of the present invention, if a request for approval of a new policy is approved, a policy request step of requesting approval of a new registration request policy according to a set approval process; An approval confirmation step of determining whether to confirm the approval by proceeding with the approval of the newly registered request policy through the steps of reviewing, payment, approval, and approval approval of the new registration request policy applied in the policy application step; A common command constructing step of reconfiguring the commands included in the policy of the firewall into the common commands by grouping the commands included in the new policy approved in the approval step and the registered common commands; A command execution step of receiving a response from a firewall including a corresponding policy by executing a common command grouped in the common command configuration step; An error determination step of checking the response signal received in the command execution step to determine a result of the command execution to determine whether an error occurs; An error cause checking step of checking, analyzing, and transmitting an error cause if an error occurs in the error judging step; A result list registration step of outputting a result list if an error has not occurred, if the error has not occurred in the error determination step, and registering the error occurrence cause identified in the error cause checking step in a result list; And a result output step of outputting a result after executing the command including the presence or absence of an error in the command execution result registered in the result list.

According to a twelfth embodiment of the present invention, in the eleventh embodiment of the heterogeneous firewall integrated management method of the present invention, the policy application step includes registering a newly registered policy in an application list and registering a newly registered registered policy. A policy review step of reviewing the information; A review settlement step of checking the review result information of the policy review step and paying the review result of the policy; A policy approval step of approving the policy by confirming the policy information of the newly registered application registered in the review and payment step; An approval settlement step of paying approval of the new registration application policy approved at the policy approval step; A work instruction and execution step of registering a policy approved in the approval settlement step in a work list and setting a new work order policy information to be reconstructed as a common command through the common command step; Include.

According to a thirteenth embodiment of the present invention, in the twelfth embodiment of the heterogeneous firewall integrated management method of the present invention, the reviewing step is outputted from the policy review terminal in which a request list stored in the information storage unit is set for review. The review result output from the policy review terminal is registered in the payment list.

According to a fourteenth embodiment of the present invention, in the thirteenth embodiment of the heterogeneous firewall integrated management method of the present invention, the payment step is outputted from a review payment terminal in which a payment list stored in the information storage unit is granted review payment authority. And, it characterized in that to register the payment result output from the review payment terminal to the approval list.

According to a fifteenth embodiment of the present invention, in the fourteenth embodiment of the heterogeneous firewall integrated management method of the present invention, in the approval step, an approval list stored in the information storage unit is output to a policy approval terminal, and the policy approval terminal It is characterized by registering the approval result output from the work list.

According to a sixteenth embodiment of the present invention, in at least one of the eleventh to fifteenth embodiments of the heterogeneous firewall integrated management method of the present invention, the common command is a command of an interface between users in the common command configuration step. It is characterized by.

According to the present invention, each policy information set in different firewalls is registered and classified as the same object, and each object command is grouped with a common command so that each common command is executed. Responsive signals can be received from heterogeneous firewalls run by different operating systems and applications, allowing integrated management of different firewalls.

In addition, the present invention is reconfigurable and applied as a user interface (Command Line Interface) that can receive a response when the operating system or application inputs a specific command in the firewall of different models by different operating systems or applications Integrated firewall can be managed.

In addition, the present invention registers the policy information of the firewall, reconfigures the registered policy with a common command and newly registers it, so that it is easy to add new firewalls of different types or to change the policy information of the existing firewall. As it can be confirmed, there is an effect of increasing the convenience of the worker when registering and changing new policy information for the expansion of the firewall.

Hereinafter, exemplary embodiments of a heterogeneous firewall integrated management system and a method thereof according to the present invention will be described in detail with reference to the accompanying drawings.

1 is a schematic diagram showing a heterogeneous firewall integrated management system according to the present invention.

Referring to FIG. 1, the heterogeneous firewall integrated management system according to the present invention includes at least one firewall 10 having different operating systems and policies, and each of the at least one firewall 10 so as to collectively manage the at least one firewall 10. Register the policy (Rule) of the firewall 10, classify the object (Object) of each policy and group the command as a common command, so that the integrated management member 20 for integrated management of different types of firewall 10, and It includes a management terminal 30 for approving the new registration policy through the integrated management member (20).

The at least one firewall 10 is driven with different operating systems and applications, and has a policy for each operation. Here, the policy includes information such as source IP and port, destination IP and port, and basic components such as packet reception amount according to time slots, and can determine whether to allow or prohibit the packet. Accordingly, the firewall 10 protects an internal server or a network system from unauthorized external intrusion by making a decision to allow or prohibit a packet through each information included in the policy.

The management terminal 30 reviews the policy applied for registration from the integrated management member 20, approves and transmits a decision signal for applying the newly registered policy to the integrated management member 20.

The integrated management member 20 groups the policies of each of the one or more firewalls 10, classifies them into respective objects, and reconfigures and groups the commands of the firewall itself for execution of each object as common commands. Even with different operating systems or policies, it is possible to receive the response from the common command from the firewall. For this purpose, it is preferable to apply a command of a command line interface as a common command. The configuration of the integrated management member 20 as described above is as shown in FIG.

2 is a block diagram illustrating an integrated management member in a heterogeneous firewall integrated management system according to the present invention.

Referring to FIG. 2, the information setting unit 21 classifies general information and firewall 10 policy information including versions of at least one or more firewalls 10 of different types for each object and sets common commands for each object. And a policy application unit 22 for registering a new policy, an input unit 23 to which a policy review signal and a policy approval signal of the management terminal 30 and an input signal of an administrator are applied, and a policy of the input unit 23. The policy decision unit 24 and the policy application unit 22 and the management terminal 30 which determine the policy applied by the policy application unit 22 according to the approval signal and apply it to the command execution unit 26 below. Information storage unit 25 for storing the policy history of the information, and a command execution unit 26 for analyzing the execution and the results of the execution by grouping the new policy by classifying and classifying the instructions of the classified policy for each object.

The information setting unit 21 forms an information configuration module 211 for grouping commands by configuring information such as a policy, a version, and an application method of the firewall 10, and during the approval process of a new registration policy of the firewall 10 policy. And an authority setting module 212 for setting authority for review, payment, approval, approval settlement, work order, and work execution.

The information configuration module 211 includes general information including a supported version of each firewall 10 capable of reconfiguring the firewall 10 policy as a common command, an application method, an inquiry method, a correction method, a deletion method, Policy information including an execution method and an execution method, and a method of registering, inquiring, modifying, and deleting a classified object are registered, and a method of configuring a common command and an argument of the common command is specified accordingly. The information configuration table of the information configuration module 211 as described above is as follows.

Information composition Classification Contents General Information Firewall version Register firewall version supported by system Policy Information How to apply How to configure common command and argument specification How to Inquire How to configure common command and argument specification How to fix How to configure common command and argument specification How to delete How to configure common command and argument specification Instruction on how to implement the policy How to configure common command and argument specification Instruction on how to disable the policy How to configure common command and argument specification Object Information (Network, Service, Time Object) Specify object registration method How to configure common command and argument specification Specify object search method How to configure common command and argument specification How to modify object How to configure common command and argument specification How to delete object How to configure common command and argument specification

The general information specifies the operating system and version of the application program of the firewall 10 supported by the integrated management member 20, the operating system that can be integrated management as a common command by the integrated management member 20 as described above. And supported versions of the application.

The policy information specifies the application method, the policy inquiry method, the modification method, the deletion method, the policy execution method, and the policy execution cancellation method for each registered firewall-specific policy, and can execute each method. The common commands and arguments are listed. The common command includes a common command for applying new policy information in the policy information, a common command input when a registered policy is searched, a common command input for modifying a registered policy, and a registered policy. Contains common commands entered for execution and undo. And the arguments specify each of the arguments constituting the function of the common instruction.

That is, the policy information is a firewall response to the policy (Rule) of each firewall 10 registered in the integrated management member 20 to give a command for the policy application, inquiry, modification, execution, undo and the response to the firewall It is grouped with its own instructions that are applied to each firewall 10 so that they can be received from 10. Accordingly, the at least one firewall 10 has the same function or effect but is configured as different operating systems and applications, and thus has different commands. However, in the present invention, by setting a common command for the policy information of each firewall 10 as described above, and grouping the command corresponding to the execution command of the same object as the common command, the common command of the integrated management member 20. It executes a command of the firewall 10 itself grouped in. Therefore, the firewall 10 having different commands, respectively, can respond to the common command of the integrated management member 20. In this case, the common command may be a command line interface.

The object information classifies the policy information as a network, a service, and a time object, and includes a method of registering, inquiring, modifying, and deleting each classified object. The object information includes a common command and a common command for executing each method. Contains the arguments included in.

Here, the object is classified as a basic component of the rule of the firewall 10, and includes a network object, a service object, and a time object. This is as shown in FIG.

 3 is a block diagram illustrating an example of object classification of a heterogeneous firewall integrated management system according to the present invention.

Referring to FIG. 3, the firewall 10 classifies a self registration policy as a network object, a service object, and a time object. Among them, the network object includes an IP list of a source and a destination connected to a network, a service object includes a source port, a destination port and a protocol, and a time object includes an IP list indicating a policy application time according to time zones. do.

Such an object is a basic element included in the policy of the firewall 10, and the classification of the object is classified according to the basic element. In FIG. 3, whether or not an object for packet acceptance is included is not included, but preferably, the object for packet determination is included.

Accordingly, the information configuration module 211 classifies the basic elements of the policies configured in the different firewalls 10 as the above objects and groups common commands for the corresponding objects. Accordingly, the command execution unit 26 may receive a response signal to at least one or more firewalls 10 having different operating systems and applications through the common command set in the information configuration module 211 as described above.

In addition, the information configuration module 211 sets the approval process of the policy for new registration, and sets the process for each step. For example, a policy review terminal 31 for reviewing a policy applied by the policy application unit 22 and a procedure for approving a policy reviewed by the policy review terminal 31 are set and registered. .

The authority setting module 212 is the IP or account of each management terminal 30 to apply for registration of the new policy through the policy request unit 22, the policy review terminal 31 and the policy approval terminal 33 The IP or account is registered, and each authority is set in the approval process of the new registration application policy for each IP or account, as shown in Table 2 below.

Policy approval stage Set permissions in the policy approval process Policy Application Policy Listening Authorization Terminal IP Address or Account Setting Policy Review Policy Review Authorization Terminal IP Address or Account Setting Review payment Authorize review payment terminal IP address or account setup Policy approval Policy Approval Authorization Terminal IP Address or Account Setting Approved Payment Authorization payment terminal IP address or account setting Work order Work Order and Execution Authority Terminal IP Address or Account Setup Policy application Policy application Authorization terminal IP address or account setting

 The policy approval process is divided into policy application, policy review, review settlement, policy approval, approval settlement, work order, and policy application as described above. Therefore, the authority setting module 212 registers the IP address of the terminal performing each step or the account of the person in charge to set the authority of the terminal or person in charge in each step in the policy approval process.

For example, the authority setting module 212 is an IP of an employee's terminal set as a reviewer in the operation team, if the principal department reviewing a newly registered policy through the policy application unit 22 is an operation team. Register the account as a policy review terminal 31, and register as a payment terminal 32 of the terminal IP or account of the billing right of the operation team that pays the result of the review of the policy reviewed by the employee terminal and the policy application unit 22 Through set the terminal (31, 32) involved in the review process of the policy applied for registration.

In addition, the authority setting module 212 receives an approval result including whether to approve the policy approval terminal 33 and the policy approval terminal 33 that review the approval of the policy in the policy approval process of the policy approval terminal 33. Each IP address or account of the approval payment terminal 34 to pay is registered and assigned to each terminal 33 and 34 having the authority for the policy approval process.

Here, the common command is set as a command line interface command, and the user interface belongs to an operating system that receives a response from the system when a command is transmitted in each firewall 10. Therefore, in the present invention, in order to collectively manage different types of firewalls 10, group commands of user interfaces included in the operating system of each firewall 10 to set common commands, and common management member 20 is common. It is characterized by the response by command.

The policy application unit 22 is a request for registration of a new policy, the basic components of the new policy, the port and IP of the origin, the port and IP of the destination, the packet acceptance and rejection criteria, the IP list of the origin and destination Request for registration of a new policy that includes. At this time, the new registration policy input from the policy application unit 22 is transmitted to the policy review terminal 31 of the management terminal 30 and registered in the review list of the policy review terminal 31, and the corresponding file is stored in the policy. It is stored in the review terminal 31 and output to the display.

The input unit 23 receives an input signal of the management terminal 30 or an input signal of the manager in charge and transmits it to the policy decision unit 24. In addition, the input unit 23 receives the policy review list and the policy approval list of the management terminal 30 received from the policy review terminal 31 and the policy approval terminal 33 and applies it to the policy decision unit 24. .

The policy decision unit 24 receives a policy review list and review result data of the policy review terminal 31 input through the input unit 23, a policy approval result of the policy approval terminal 33, and an approval policy. The data is sent to the information setting unit 21 for storage.

The information storage unit 25 stores the registered new policy applied in the policy application unit 22 and history information on the registration process of the new policy. For example, the information storage unit 25 may be one of an IP address or an account of the policy review terminal 31, a date, a review list, and a review result, and an IP of the review settlement terminal 32. Address) or account, date and review result, and stores newly applied policy (including origin and destination IP and packet acceptance criteria).

The command execution unit 26 and the common command language included in the information configuration of the firewall 10 is set in the information configuration module 211, if the policy that the user has applied for a new registration is determined in the policy decision unit 24, The command of the newly registered policy is grouped as an argument to enable a response by the common command. To this end, the command execution unit 26 includes a command configuration module 261 for grouping a registration policy into a set common command, a command execution module 262 for executing the common command to control the firewall 10, and the And a result analysis module 263 for analyzing success and error by analyzing the execution result of the command execution module 262.

The command constructing module 261 groups the command per object of the newly registered policy as a common command for each object and an argument set in the information constructing module 211. That is, the command configuration module 261 registers commands for each object of the firewall 10 itself, for example, commands such as "lookup", "registration", and "delete" in the information configuration module 211. Grouping with a common command causes the common command to be executed when the common command is executed (for example, del policy) and its own command (for example, del) that is grouped with the common command (del policy).

The command execution module 262 executes the common command set in the information configuration module 211 to the firewall 10 having the newly registered policy and receives a response from the firewall 10.

The result analysis module 263 checks the result from the firewall 10 when the command execution module 262 is driven, and examines and outputs an error. At this time, the result analysis module 263 checks the result through the execution of the common command in the firewall 10, and outputs the result to the display when an error occurs.

As described above, the integrated management system of the heterogeneous firewall 10 according to the present invention classifies basic components of each policy as objects, sets commands of each object as common commands, executes commands of newly registered policy-specific objects, and Group common commands. Here, the integrated management member 20 receives the response of the firewall by driving the common command because the integrated management group 20 groups the registered policy as a policy of a newly registered firewall. Hereinafter, the integrated management method of the heterogeneous firewall including the above configuration will be described in detail using the flowchart of FIG. 4.

4 is a flowchart illustrating a heterogeneous firewall integrated management method according to the present invention.

Referring to Figure 4, heterogeneous firewall integrated management method according to the present invention is a policy application step (S11) for the user to apply for registration of a new policy, and approval to confirm whether the policy applied in the policy application step (S11) A confirmation step (S12), and if the policy applied for registration in the approval confirmation step (S12) is approved, a common command configuration step (S13) for each firewall 10 grouping the set common command and its own command word of the firewall 10, and An error determination step for checking whether an error occurs in the firewall 10 as the command execution step S14 for executing the common command configured in the common command configuration step S13 and the common command is executed in the command execution step S14. If an error has occurred in step S15, the error judging step S15, an error cause checking step S17 for checking the cause of the error, and if no error has occurred in the error judging step S15, A result list registration step (S16) for registering and a result output step (S18) for outputting an execution result of the common command including the presence or absence of an error are included.

The policy application step (S11) is a step for requesting approval of the new policy in the policy application unit 22. Here, if the policy filer 22 receives a policy file of the new firewall 10 through a user terminal (not shown), the policy request unit 22 transmits the policy file to the policy review terminal 31 to review the new policy. Herein, the policy approval process includes a terminal 31 having an IP address or an account to which each information and a result signal are reviewed, approved, reviewed, and approved for approval according to the policy approved process set in the information configuration module 211. 34) proceeds sequentially. To this end, the policy application unit 22 registers a newly registered policy in a review list according to a policy approval process included in the policy information configured in the information configuration module 211, and registers the corresponding information in the policy review terminal 31. To send).

The approval confirmation step (S12) is a step of determining whether the approval signal is received from the policy approval terminal 33 through the input unit 23 in the policy determination unit 24. Herein, the policy review and approval processes of the policy review terminal 31 and the policy approval terminal 33 are as shown in FIG. 5 below.

5 is a flowchart illustrating an example of a policy approval step in the heterogeneous firewall integrated management method according to the present invention.

Referring to Figure 5, the approval confirmation step (S12) is the application list registration step (S22) for registering the information of the policy newly applied in the policy application step (S11, S21) of the policy application unit 22 to the application list ), A policy review step (S23) for reviewing the application list, a payment list registration step (S24) for registering the review result of the review step (S23) in the payment list, and the payment list for the review result. The payment registration step (S25) for approving the payment signal, the approval application list registration step (S26) for registering the review result paid in the payment step (S25) in the approval application list, and the new registration policy by checking the approval application list. The approval review step (S27) for reviewing the approval for the approval, the approval payment list registration step (S28) for registering the approval review result as the approval payment list, and the approval payment list at the approval payment terminal (34) to confirm the policy approval Determination The approval payment step (S29) for transmitting a signal, the work list registration step (S30) for registering the new policy approved in the approval payment step (S29), and outputs a work instruction for the new policy included in the work list. A work order step (S31) to perform, a register list performing step (S32) for registering in a to-do list to perform registration of the new policy information indicated in the work order step (S31), and the new policy information registered to the to-do list The policy application step (S33) for driving the information configuration module 211 to register in the policy information, and the result list step (S34) for registering the information according to the results of each of the above steps (S21 ~ S33) Include.

The application list registration step (S22) is a step of registering the policy information of the newly applied firewall 10 through the user terminal (not shown) in the policy application unit 22. Here, the policy application unit 22 registers the newly registered policy information in the application list and stores it in the information storage unit 25.

Here, the application list, review list, payment list, approval application list, approval payment list and the result list is a terminal (IP policy review and payment terminal (Political Review and Payment Terminal) having the authority granted the policy review set in the authority setting module 212) 31, 32), or outputted from the policy approval terminal 33 and the approval settlement terminal 34, or automatically updated when information in the list is added. Preferably, the application to result list and the policy information are stored through the information storage unit 25 under the control of the policy determination unit 24.

In the policy review step S23, the policy review terminal 31 confirms the policy information newly registered through the application list, and applies the newly registered policy information stored in the information storage unit 25 through the application list. Review and confirm. In this case, the policy review terminal 31 checks the supportable firewall 10 version information set in the information configuration module 211 and reviews the policy of the newly registered firewall 10 based on whether or not it matches. Do.

In the payment list registration step (S24), the application list is transmitted to the policy review terminal 31 under the control of the policy decision unit 24, and the person in charge of the policy review terminal 31 confirming this request for new registration. When the review result of the policy is input through the policy review terminal 31, the policy decision unit 24 registers the review result of the policy review terminal 31 in the payment list and the information storage unit 25. ). The payment list is linked with the respective policy review information input by the policy review terminal 31.

The payment step (S25) is a step of receiving and confirming a policy review result included in the payment list transmitted by the policy decision unit 24 at the review payment terminal 32 and inputting a payment signal thereto. Here, the review payment terminal 32 confirms through the policy request unit 22 through the payment list including the review result information stored in the information storage unit 25, and checks the review result information in the policy request unit. By requesting through (22), the result of the review is confirmed and stored in the information storage unit 25.

Here, the review result and the settlement result in the review step (S23) and the payment step (S25) are stored in the information storage unit 25 through the policy decision unit 24, and the approval review and approval settlement step described below. The results of (S27, S29) are also stored in the information storage unit 25, which is created as a result list (S34) and can output the history to each terminal.

The approval application list registration step (S26) is the policy of the newly registered application in the approval application list according to the payment result of the review payment terminal 32 stored in the information storage unit 25 in the policy application unit 22 Register it.

In the approval review step S27, the registered approval application list is output from the policy approval terminal 33 under the control of the policy decision unit 24, and the person in charge of the policy approval is output to his terminal. It is a step to review whether the new registration policy included in the application list is approved. Accordingly, the policy approval terminal 33 outputs a review result signal to the policy decision unit 24 for approval.

In the approval settlement list registration step (S28), the policy decision unit 24 registers the newly registered policy information in the approval settlement list according to the review result reviewed by the policy approval terminal 33, and the information. In the storage unit 25, the approval review result is stored.

The approval settlement step (S29) is a step of outputting a result signal for approval approval or not to the policy determination unit 24 by checking the corresponding new policy information in the approval settlement list received from the approval settlement terminal 34. .

The work list registration step (S30) is a step in which the policy decision unit 24 registers the approved new policy in the work list according to the approval payment signal received from the approval payment terminal 34.

The work ordering step S31 is a step of outputting a work order for a new policy included in the work list by the policy decision unit 24. At this time, the policy determination unit 24 checks the authority information set in the authority setting module 212, searches for an IP address or an account set as work authority, and transmits a work instruction signal to a terminal having the corresponding IP or account.

The performing list registration step S32 is a step of registering in the performing list so that the policy determination unit 24 registers the new policy information indicated in the work instruction step S31.

The policy application step (S33) is a step of grouping the newly applied registration policy with the command of the firewall 10 itself by checking common commands and arguments according to the policy information set by the information configuration module 211. Corresponds to the common command configuration (S13) and execution step (S14) of.

As described above, the approval confirmation step (S12) is a step of confirming whether or not to approve the registration of the newly applied policy through the above process. Therefore, when the policy decision unit 24 receives the policy decision signal of the policy applied by the management terminal 30, the policy execution unit 26 drives the command execution unit 26 to apply the newly registered policy information to the information configuration module 211. Group common commands and commands of the new policy to be grouped in) will be described in the following common command configuration step (S13).

The common command constructing step (S13) is performed by grouping the commands included in the policy of the newly registered firewall 10 and the common commands registered in the information constructing module 211 in the command constructing module 261. The command included in the policy of (10) is reconfigured into the common command. This shows a display screen as an example in FIG.

6 is a diagram illustrating an actual display output screen of the heterogeneous firewall integrated management method according to the present invention.

Referring to FIG. 6, the command configuration module 261 confirms a command of a command line interface between users in the policy information of the newly registered firewall 10, for example, the new registration request. The command of the policy information is searched for through the command "show policy" in the policy information. Then, the searched commands are classified as respective objects, which are described as an example in Table 3 below.

designation Firewall (10) own command Lookup show policy Enrollment ad policy [priority #] [interface] [srcnet] [dstnet] [service group] [timeobject] [user] [vpngateway / none] [log / grag / bidir] [allow / deny / encrypt / token] [enable / disable ] [comment] delete del policy [policy number] Policy enforcement do policy enable [policy number I all] Undo policy do policy disable [policy number Iall]

Accordingly, the command configuration module 261 classifies the commands of the firewall 10 for each object, and sets the common command and the firewall 10 itself to be grouped in common with respect to commands belonging to each object. .

In the command execution step S14, when the command configuration module 261 completes grouping the common command and the firewall 10 itself command, the policy decision unit 24 drives the command execution module 262 to perform the grouping. A step of receiving a response from the firewall 10 by driving a common command. When the command execution module 262 executes a common command, the command grouped with the common command in the policy information of the firewall 10 grouped in the common command is transmitted to the firewall 10. That is, the present invention registers its own command of each firewall 10, grouping the registered self command and the common command, the driving signal according to the grouped command is transmitted to the firewall 10 when the common command is executed. To receive a response.

In the error determination step S15, the policy decision unit 24 drives the result analysis module 263 after the command execution step S14 to analyze the result of the command execution to determine whether an error has occurred. Step.

The error cause checking step (S17) is a step of checking the error cause, if an error occurs as a result of the determination of the error determination step (S15) in the result analysis module 263. Here, if an error occurs, the result analysis module 263 analyzes the cause of the error and transmits a result to the policy decision unit 24.

The result list registration step (S16) is a step of registering the result list in the result analysis module 263 if an error has not occurred as a result of the determination of the error determination step.

The result output step (S18) is a step of outputting the result of command execution in the result analysis module 263 in the policy determination unit 24. If this is described as an example, the policy decision unit 24 outputs a result not including an error message as shown in the following example if no error occurs in the analysis result of the result analysis module 263.

Example 1

"SWOS> add policy 2 etho INTERNAL MANAGER ALL anytime none log deny enable 'test1 rule'

NOTICE: ADD FILTER SRC = INTERNAL DST = MANAGER ACTION = 2 "

As such, the execution of the command that does not generate an error does not include an error message. Alternatively, if an error occurs as confirmed in the error determination step, an error message including the cause of the error is included and output to the display.

Example result 2

"SWOS> add policy 2 etho INTERNAL MANAGER ALL anytime none none log deny enable 'test1 rule'

ERROR: Rule Error: The same rule exists. "

Here, it is confirmed that an error has occurred because the sentence of Example 2 includes a repetitive sentence as "none none".

In addition, the policy decision unit 24 preferably stores the result list and the error message as described above in the information storage unit 25.

 Therefore, in the present invention, the firewall 10 having at least one or more different models may be registered through a single integrated management member 20, or a new policy may be added, or the firewall 10 may be integrated and managed by a common command.

The present invention described above is not limited to the above-described embodiments and drawings, and various modifications and changes can be made without departing from the technical spirit of the present invention. It will be obvious to you.

1 is a schematic diagram showing a heterogeneous firewall integrated management system according to the present invention,

2 is a block diagram illustrating an integrated management member in a heterogeneous firewall integrated management system according to the present invention;

3 is a block diagram showing an example of object classification in the heterogeneous firewall integrated management method according to the present invention;

4 is a flowchart illustrating a heterogeneous firewall integrated management method according to the present invention;

5 is a flowchart illustrating an example of a policy application step in the heterogeneous firewall integrated management method according to the present invention;

6 is a diagram illustrating an actual display output screen of the heterogeneous firewall integrated management method according to the present invention.

* Description of the major symbols shown in the drawings *

10: firewall 20: integrated management member

21: Information setting department 22: Policy application department

23: input unit 24: policy decision unit

25: information storage unit 26: command execution unit

30: management terminal 31: policy review terminal

32: Review and payment terminal 33: Policy approval terminal

34: approval payment terminal 211: information configuration module

212: authority setting module 261: command configuration module

262: command execution module 263: result analysis module

Claims (16)

delete delete At least one firewall with different operating systems and rules; Registering different policies of the at least one firewall, grouping each policy command into a common command, and executing the common command so that each policy command grouped in the common command is executed so that the at least one Integrated management member for integrated management of the above firewall; A management terminal for outputting an approval signal of a policy newly registered to the integrated management member; Include, The integrated management member includes an information setting unit for setting the policy information of the at least one firewall and the authority for the approval process of the firewall policy; A policy application unit for requesting approval of a registration by transmitting policy information of a new firewall requested to be registered to the management terminal when a registration request signal for a policy of a new firewall is authorized; A policy determination unit which, upon receiving the approval signal of the management terminal for the policy applied for registration from the policy application unit, determines registration of the approved policy; An information storage unit for storing policy history information of the policy request unit and the management terminal; A command execution unit for grouping the newly registered policy information as a common command word registered in the information setting unit and executing the common command word to output an error presence; Including, The information setting unit classifies and registers the firewall policy information of at least one or more different types for each object, and registers and registers commands of each registered policy with a common command word; An authority setting module for registering an IP or an account of each management terminal for reviewing and approving a new policy applied for registration through the policy application unit, and setting respective rights in a new registration approval process of the policy; Integrated management system of heterogeneous firewall, characterized in that it comprises. The method of claim 3, wherein the information configuration module General information including operating system version information of the firewall supported by the integrated management member; Policy information including how to apply each policy, how to search, how to modify, how to delete, how to execute, how to cancel, Heterogeneous firewall, characterized in that for registering a method of registering, querying, modifying, deleting the object classified in the policy, including at least one of the common command and the configuration method of the argument of the common command accordingly Integrated management system. The method of claim 4, wherein the policy information is Common commands for applying new policy information, common commands input when querying a registered policy, common commands for modifying a registered policy, and common commands for executing and undoing a registered policy. Integrated management system of heterogeneous firewall, characterized in that it comprises a command. The method of claim 5, wherein the common command Integrated management system of the heterogeneous firewall, characterized in that the group of commands between the policies of the at least one different type of firewall registered in the integrated management member as a command of a command line interface. The method of claim 6, wherein the management terminal And a policy review terminal for outputting a review result signal for reviewing the policy applied by the policy application unit, and a policy approval terminal for outputting a result signal for approval of the policy reviewed at the policy review terminal. Integrated management system of heterogeneous firewall. The method of claim 7, wherein the information configuration module Integrated management system of heterogeneous firewall, characterized in that the management terminal is set to include at least one or more of the process of reviewing, reviewing, approving, approving, approving the work, and applying the policy. . The method of claim 8, wherein the authority setting module Integrated management system of heterogeneous firewall, characterized in that to register each terminal IP or account for each of the policy review, review payment, policy approval, authorization payment to proceed with each step. The method of claim 3, wherein the command execution unit A command configuration module for grouping the commands of the newly registered policy as a common command included in the firewall policy registered by the information setting unit when the approval decision signal of the newly registered policy is applied; An instruction execution module for executing the common instruction, And a result analysis module for analyzing the execution result of the command execution module and analyzing a success and an error and outputting a result message. delete A policy application step of requesting approval of a new registration request policy according to a set approval process when an approval request signal of a new policy is authorized; An approval confirmation step of determining whether to confirm the approval by proceeding with the approval of the newly registered request policy through the steps of reviewing, payment, approval, and approval approval of the new registration request policy applied in the policy application step; A common command constructing step of reconfiguring the commands included in the new policy into the common commands by grouping the commands included in the new policy approved in the approval step and the registered common commands; A command execution step of receiving a response from a firewall including a corresponding policy by executing a common command grouped in the common command configuration step; An error determination step of checking the response signal received in the command execution step to determine the result of the command execution to determine whether an error has occurred; An error cause checking step of checking, analyzing, and transmitting an error cause if an error occurs in the error judging step; A result list registration step of outputting a result list if an error has not occurred in the error determination step, and registering the error occurrence cause identified in the error cause checking step in a result list; A result output step of outputting a result after executing the command including the presence or absence of an error in the command execution result registered in the result list; Include, The policy application step includes: a policy review step of registering a new registration request policy in an application list and reviewing the registered new registration request policy information; A review settlement step of checking the review result information of the policy review step and paying the review result of the policy; A policy approval step of approving the policy by confirming the policy information of the newly registered application registered in the review and payment step; An approval settlement step of paying approval of the new registration application policy approved at the policy approval step; The work order and execution step of registering the policy approved and approved in the approval settlement step and executing the work order and work to reconfigure the newly registered policy information as a common command through the common command configuration step. To; Integrated management method of heterogeneous firewall comprising a. The method of claim 12, wherein the reviewing step The application list stored in the information storage unit is output from the policy review terminal, the authority of the review is set, the integrated management method of the heterogeneous firewall, characterized in that to register the review results output from the policy review terminal to the payment list. The method of claim 13, wherein the payment step The payment list stored in the information storage unit is output from the review payment terminal granted the review payment authority, the integrated management method of heterogeneous firewall, characterized in that to register the payment result output from the review payment terminal to the approval list. The method of claim 14, wherein the approval step The approval list stored in the information storage unit is output to the policy approval terminal, the integrated management method of heterogeneous firewall, characterized in that to register the approval result output from the policy approval terminal to the work list. 16. The method of claim 12, wherein the common command is a command of an interface between users in the common command configuration step.

Images