CN101340444A - Fireproof wall and server policy synchronization method, system and apparatus - Google Patents


Publication number: CN101340444A
Authority: CN (China)
Application number: CNA200810146862XA
Other languages: Chinese (zh)
Other versions: CN101340444B (en)
Inventor: 李方展
Current assignee: Huawei Digital Technologies Chengdu Co Ltd
Original assignee (applicant): Huawei Technologies Co Ltd
Legal status: granted; active

Abstract

Embodiments of the invention disclose a policy synchronization method, system and device. The method comprises: a firewall receives an update policy message sent by a server; the firewall updates its local policy according to the update policy message, thereby achieving policy synchronization with the server. By adopting the embodiments of the invention, the firewall and the ACL rules on the server are synchronized dynamically, the role rules bound to a user terminal can be updated rapidly, more policies can be synchronized, and the permissions of the user terminal can be switched rapidly, all without manual configuration on the firewall.

Description

Firewall and server policy synchronization method, system and equipment
Technical field
The present invention relates to the field of network technology, and in particular to a firewall and server policy synchronization method, system and equipment.
Background art
With the rapid development of computer network technology and the continuous improvement of Internet/Intranet technology, information technology and network technology have brought convenience, speed and efficiency to enterprises, but have also brought various potential security hazards. Traditional network security products such as firewalls and anti-virus software are powerless against attacks and threat events that originate from internal users. To address these hidden dangers, an access control technique for user terminals based on ACLs (Access Control Lists) has been proposed.
In the prior-art ACL approach, each ACL rule is made up of a number of permit/deny statements, and together these statements form the specific rule that serves as the criterion for distinguishing packets. The permissions of different terminals can therefore be controlled by configuring different ACLs.
In the course of implementing the present invention, the inventor found that the prior art has at least the following shortcomings:
Although the prior art can distinguish the permissions of user terminals, this is basically all done by manual configuration, which is inflexible and inefficient. When there are many terminals on the internal network, a very large number of ACLs has to be configured, and configuration is rather troublesome. If a user terminal changes, the configured rules must be changed manually, so updating the permissions of user terminals is slow and very inefficient.
Summary of the invention
Embodiments of the invention provide a policy synchronization method, system and equipment, to achieve fast synchronization of firewall and server policy and fast updating of user terminal permissions, and to control the network access permissions of terminals more flexibly.
Embodiments of the invention provide a policy synchronization method, applied to a system comprising a firewall and a server, comprising:
the firewall receives an update policy message sent by the server;
the firewall updates its local policy according to the update policy message, achieving policy synchronization with the server.
Embodiments of the invention also provide a policy synchronization method, applied to a system comprising a firewall and a server, comprising:
the server receives a request-policy-synchronization message sent by the firewall;
the server generates an update policy message according to the request-policy-synchronization message;
the server sends the update policy message to the firewall.
Embodiments of the invention also provide a firewall device, comprising:
an update policy message receiving unit, for receiving the update policy message sent by the server;
a policy update unit, for updating the local policy according to the update policy message received by the update policy message receiving unit, achieving policy synchronization with the server.
Embodiments of the invention also provide a server, comprising:
a synchronization policy receiving unit, for receiving the request-policy-synchronization message sent by the firewall;
an update policy message generation unit, for generating the update policy message according to the request-policy-synchronization message;
an update policy message sending unit, for sending the update policy message to the firewall.
In embodiments of the invention, through the exchange of update policy messages between the firewall and the server, the role rules bound to a terminal user can be updated quickly and more policies can be synchronized, and policy synchronization requires no manual configuration on the firewall, so the permissions of user terminals can be updated faster and the network access permissions of terminals controlled more flexibly. In addition, external users can be prevented from accessing the intranet, and internal users who are legitimate but unsafe can be prevented from connecting to the enterprise network and further infecting the company network.
Description of drawings
In order to explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are introduced briefly below. Obviously, the drawings described below show only some embodiments of the invention, and persons of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a policy synchronization method in an embodiment of the invention;
Fig. 1-A is another flow chart of a policy synchronization method in an embodiment of the invention;
Fig. 2 is a schematic diagram of the relationship between users, roles and role rules in the policy of an embodiment of the invention;
Fig. 3 is the flow in which the firewall actively requests policy synchronization from the server in an embodiment of the invention;
Fig. 4 is a schematic diagram of the firewall and server policy synchronization system in an embodiment of the invention;
Fig. 5 is a schematic diagram of the firewall device in an embodiment of the invention;
Fig. 6 is a schematic diagram of the firewall device in another embodiment of the invention;
Fig. 7 is a schematic diagram of the server in an embodiment of the invention;
Fig. 8 is a schematic diagram of the server in another embodiment of the invention.
Embodiment
The technical solutions of the embodiments of the invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the embodiments described are only some of the embodiments of the invention, not all of them. All other embodiments that persons of ordinary skill in the art obtain from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Specific embodiments of the invention are described in further detail below with reference to the drawings and embodiments:
Embodiments of the invention provide a policy synchronization method which, on top of the existing manual configuration of ACLs on the firewall, adds a method by which the server issues ACLs to the firewall, so that the policy of the firewall and the server is synchronized quickly. The permissions of a user terminal are updated quickly by changing the role (permission set) bound to the user and by changes to the role rules themselves. The network access permissions of terminals are thus controlled more flexibly, and different permissions are opened to different users and to users in different security states. After the server has authenticated and security-checked a terminal, it notifies the firewall of the result, and the firewall decides the terminal's access permissions according to the server's information: external users are prevented from accessing the intranet, internal users who are legitimate but unsafe are prevented from connecting to the enterprise network and further infecting the company network, users who are connected to the network but not yet verified are isolated, various attacks can be guarded against, and user access to resources can be audited.
Embodiments of the invention provide a policy synchronization method, applied to a system comprising a firewall and a server, which, as shown in Fig. 1, comprises the following steps:
Step s101: the firewall receives an update policy message sent by the server.
Step s102: the firewall updates its local policy according to the update policy message, achieving policy synchronization with the server.
Embodiments of the invention also provide a policy synchronization method, applied to a system comprising a firewall and a server, which, as shown in Fig. 1-A, comprises the following steps:
S101-A: the server receives a request-policy-synchronization message sent by the firewall.
S102-A: the server generates an update policy message according to the request-policy-synchronization message.
S103-A: the server sends the update policy message to the firewall.
Specifically, the policy involved in embodiments of the invention comprises: at least one role for use by a user terminal and the role rules corresponding to that role, where the different role rules are implemented by the access control list (ACL) function.
Given that configuration with the existing manual technique is inefficient, that the ACLs cannot be updated in real time, and that changing a user's permission set is also rather troublesome, embodiments of the invention achieve synchronization of firewall and server policy. The policy synchronization method comprises three approaches: the firewall actively requests policy from the server; the server actively notifies the firewall of policy changes; and manual policy synchronization. Together these three methods achieve synchronization of firewall and server policy.
In embodiments of the invention, the policy specifically comprises user terminals, roles and role rules (which may also be called permissions). The relationship between roles and role rules is shown schematically in Fig. 2: each role can be regarded as a permission set, and each permission set is in turn composed of rules comprising different ACLs. By binding an ACL group containing different ACL rules to each role, each role obtains the permissions corresponding to that ACL group. Suppose a user terminal has roles A and B at the same time; the terminal then has the role rules corresponding to roles A and B, and cannot access resources outside the role rules of A and B. By binding different roles to different user terminals, different terminals have different role rules. To modify the permissions of a user terminal, a new role can be bound to the user on the server, or the role rules bound to the terminal can be modified. Only the corresponding change on the server is needed to change a user's permissions easily.
In embodiments of the invention, the flow in which the firewall actively requests policy synchronization from the server is shown in Fig. 3 and consists of the following steps:
Step s301: after the firewall starts, it actively requests a connection to the server, and begins policy synchronization once the connection succeeds.
The policy synchronization between the firewall and the server is carried out by a timestamp-based mechanism. A timestamp is a counter of a specified byte length; timestamps comprise role timestamps and role rule timestamps, each role having its own role timestamp and each role rule its own role rule timestamp. Every time the server modifies a role (including changing the role's own attributes and adding, modifying or deleting a role rule), the role timestamp increases, and the role rule timestamp of the affected role rule is changed at the same time according to the operation performed on it.
After the firewall starts and connects to the server, or re-establishes the connection, it sends a request-policy-synchronization message to the server carrying all of its local role information, comprising the role IDs and role timestamps.
Step s302: the server determines which policy has changed according to the message sent by the firewall.
Specifically, the server uses the following timestamp-based mechanism to determine what has changed.
Since role IDs are generally sequential, the server can compare its local role information with the role information sent by the firewall one by one according to role ID. If a role ID exists on the server but not on the firewall, the role has been newly added on the server and must be added on the firewall. If a role ID exists on both the server and the firewall, the timestamps can be compared as described in Table 1 below, taking role A as the example role ID.
Table 1: method of comparing a role ID on the server and the firewall
Timestamp of role A on the firewall | Timestamp of role A on the server | Comparison result
5 | 5 | The server role has not changed; no synchronization needed
6 | 8 | The server role has changed; synchronization needed
7 | 0 | The server has deleted this role; the firewall must delete it too
8 | 7 | The firewall cannot modify issued policy, so this case does not occur
Step s303: the server sends an update policy message to the firewall.
The server sends the update policy message to the firewall according to the comparison result. It can first send the messages for all roles that need to be modified or deleted, and then send the role information that needs to be added.
Step s304: the firewall updates its local policy according to the update policy message issued by the server, keeping it consistent with the server.
After the firewall receives the update policy message issued by the server, it compares the role information to be updated against the local roles by ID: if the timestamp is 0, it deletes the role together with all role rules under that role; if the timestamp is larger than the local one, it modifies the role and sends a message requesting synchronization of the role rules corresponding to that role; if new role information needs to be added, it adds the role according to the role ID and sends a message requesting synchronization of the role rules corresponding to the new role.
Besides the role synchronization flow above, the firewall can also synchronize other policy, such as role rules, using the same timestamp mechanism, which reduces the amount of data exchanged between the server and the firewall as much as possible. If the server instead notified the firewall of all of its policy, the amount of data exchanged would be excessive. In embodiments of the invention, the policy that needs updating is determined by comparing timestamps, so the server can determine exactly the policy that has changed or been newly added.
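The role comparison of Table 1 and the exchange of steps s301 to s304, as an added example that is not part of the patent: the Role object, the function names and the sample role tables are constructed here, and the firewall's rule requests are modelled as a returned list rather than as actual messages.

```python
"""Role synchronization between a firewall and its policy server, driven by
per-role timestamps.

Added example, not code from the patent. It models the Table 1 comparison
and the step s301-s304 exchange: the firewall reports its local roles
(role ID and role timestamp), the server diffs that report against its own
roles and answers with an update message listing modified and deleted roles
first and newly added roles last, and the firewall applies the message and
requests the role rules of every role it modified or added. The Role class,
field names and the sample data are constructed for this example.
"""
from dataclasses import dataclass, field

DELETED = 0  # a server-side role timestamp of 0 means "this role was deleted"


@dataclass
class Role:
    role_id: int
    timestamp: int
    rules: list = field(default_factory=list)  # ACL rules bound to the role


def compare_role(fw_ts, srv_ts):
    """Classify one role ID exactly as Table 1 does.

    fw_ts is None when the firewall has no such role (new on the server).
    """
    if fw_ts is None:
        return "add" if srv_ts != DELETED else "unchanged"
    if srv_ts == DELETED:
        return "delete"        # server deleted it; firewall must delete too
    if srv_ts > fw_ts:
        return "update"        # server role changed; sync needed
    if srv_ts == fw_ts:
        return "unchanged"     # nothing to send
    return "invalid"           # firewall may not modify issued policy


def server_build_update(server_roles, fw_report):
    """Server side (s302/s303): diff the firewall's report, role ID by role ID.

    server_roles: role_id -> Role on the server (deleted roles keep ts 0)
    fw_report:    role_id -> role timestamp as reported by the firewall
    Returns (action, role_id, server_ts) tuples; modifications and deletions
    come before additions, the sending order the text prescribes.
    """
    changes, additions = [], []
    for rid in sorted(server_roles):          # role IDs are sequential
        srv_ts = server_roles[rid].timestamp
        verdict = compare_role(fw_report.get(rid), srv_ts)
        if verdict == "invalid":
            raise ValueError(f"role {rid}: firewall timestamp newer than server's")
        if verdict == "add":
            additions.append((verdict, rid, srv_ts))
        elif verdict in ("update", "delete"):
            changes.append((verdict, rid, srv_ts))
    return changes + additions


def firewall_apply_update(fw_roles, update):
    """Firewall side (s304): apply the update message to the local role table.

    Returns the role IDs whose rules must now be requested from the server.
    Deleting a role drops all of its rules locally.
    """
    rule_requests = []
    for action, rid, srv_ts in update:
        if action == "delete":
            fw_roles.pop(rid, None)
        elif action == "update":
            fw_roles[rid].timestamp = srv_ts
            fw_roles[rid].rules = []          # stale; refetched by rule sync
            rule_requests.append(rid)
        elif action == "add":
            fw_roles[rid] = Role(rid, srv_ts)
            rule_requests.append(rid)
    return rule_requests


def sync_roles(fw_roles, server_roles):
    """One full round (s301-s304). Returns (update message, rule requests)."""
    report = {rid: r.timestamp for rid, r in fw_roles.items()}
    update = server_build_update(server_roles, report)
    return update, firewall_apply_update(fw_roles, update)


def sample_tables():
    """Constructed sample: the firewall's and the server's role tables."""
    fw = {1: Role(1, 5), 2: Role(2, 6, ["permit 10.1.0.0/16"]), 3: Role(3, 7)}
    srv = {1: Role(1, 5), 2: Role(2, 8), 3: Role(3, DELETED), 4: Role(4, 3)}
    return fw, srv


if __name__ == "__main__":
    fw, srv = sample_tables()
    update, requests = sync_roles(fw, srv)
    print("update message:", update)
    print("rules to request:", requests, "local roles:", sorted(fw))
```

A second sync round against the same server tables produces an empty update message, which is the data saving the text describes: only changed, deleted or added roles ever travel.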
After all policy has been synchronized, the firewall enters the ready state; it can then wait for policy change notifications from the server or for user online/offline information. Access control of user terminals is performed according to the synchronized policy.
Embodiments of the invention also provide a method in which the server actively notifies the firewall of policy changes. After the firewall has entered the ready state, the policy on the server may change; policy consistency can then be achieved by having the server actively notify the firewall. After the server modifies a role or a role rule, it can actively notify the firewall to update its policy in real time. For example: if, after receiving a notification sent actively by the server, the firewall finds that the timestamp of a role or role rule is 0, the server has deleted that policy and the firewall must delete it as well; if the firewall finds that the timestamp of a role or role rule sent by the server is larger than the one on the firewall side, the server has modified that policy and the role or role rule must be updated; if the firewall finds that the server has added a policy, it adds that policy. Through these operations, the policy on the firewall and the server is kept consistent.
Embodiments of the invention also provide a method of manual policy synchronization on the firewall: policy synchronization is forced by entering a command manually on the firewall. The policy synchronization flow in this case is similar to the flow in which the firewall actively requests policy synchronization, and is not repeated here.
The control communication between the firewall and the server can be implemented on the basis of the COPS (Common Open Policy Service) protocol. This protocol uses TCP (Transmission Control Protocol) as its transport protocol, so that messages are transmitted reliably between the firewall and the server. The protocol provides a bidirectional, dynamic policy distribution mechanism: the firewall can actively request policy from the server, and the server can also initiate policy synchronization on its own when the firewall's policy changes.
Specifically, a number of SOCKET functions can first be registered with the COPS component. The COPS component is provided in the form of a LIB library; through an adaptation layer the firewall registers with this component general processing functions for memory, debug output, strings, TCP, timers and so on, as well as system functions: the functions of the connection management part (comprising state changes and the processing of service packets), the processing functions that initialize the connection configuration entries (command line processing), and the service-part functions that are called to send and receive service data.
The firewall first completes the connection configuration entries by command. After the start switch is enabled, the registered system function calls the registered SOCKET interface to initiate a connection request to the server; the server decides whether to allow the connection according to the connection configuration entries. If the connection is allowed, the server responds with a connection success message, the firewall replies with a connection acknowledgement, and the connection is established; otherwise the connection fails.
If a user terminal wants to access resources, it must first pass authentication; a user terminal can access a network resource only if it holds the access permission for that resource. During server authentication: if the identity of the user terminal is illegitimate, the terminal can only access the pre-authentication domain preset by the enterprise; if the identity is legitimate but the terminal does not satisfy the enterprise security policy, the server warns the user and guides the user to perform security remediation; if the identity is legitimate and the security status meets the enterprise requirements, the server actively notifies the firewall that the user is online, and the user terminal obtains permission to access the corresponding network resources. The user-online message from the server to the firewall contains information such as the source IP, the role ID(s) the user belongs to, and the user name.
After the firewall receives a packet from a user accessing network resources:
First: look up the source IP monitoring table (containing source IP and role ID). If the entry is found, the user has passed authentication and processing continues with the next step; otherwise the user has not passed authentication, is notified of the authentication failure, and must authenticate again.
Second: traverse all roles in the source IP monitoring entry, checking the resource groups starting from the largest. If the packet is permitted, let it through; if it is denied, discard it; otherwise continue with the next step.
Third: look up the inter-domain packet filter. If the packet is permitted, let it through; if it is denied, discard it; otherwise continue with the next step.
Fourth: look up the default packet filter. If the packet is permitted, let it through; otherwise discard it.
(3) management of the connection state between the firewall and the server, and the escape channel function;
The escape channel exists mainly to open all user permissions when the link between the firewall and the server fails, or when the server itself fails, and so on. When such a fault occurs, user authentication messages cannot reach the firewall normally, so users cannot obtain permissions and access the network resources they are entitled to; therefore a state detection mechanism is added. If state monitoring is enabled and a disconnection of the critical server connection is detected (the application layer registers a connection state change processing function with the component, and the component notifies the application layer of connection state changes after the COPS connection has been established successfully or after the COPS connection is interrupted), all permissions of all user terminals are opened; when the critical server connection recovers, the original access control is restored.
State detection mechanism: the firewall and the server have a keepalive mechanism. The firewall sends a message to the server at regular intervals; if it receives the server's response, the connection is considered normal. If three keepalive messages in a row receive no response, the connection is considered disconnected. The firewall then requests the connection to the server again until the connection succeeds, and then restarts policy synchronization.
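The four-step packet decision described above, together with the keepalive count and the escape channel, as an added example not taken from the patent: the Rule format, the reading of the second step as "largest resource group checked first", the Firewall class, its method names and the sample tables are all constructed here.

```python
"""Firewall-side access decision for a packet from a user terminal, plus the
keepalive / escape-channel state that can override it.

Added example, not code from the patent. It follows the four lookup steps
given for a user's packet (source IP monitoring table, role rules checked
from the largest resource group down, inter-domain packet filter, default
packet filter) and the state detection rule (three unanswered keepalives
mean the server link is down, the escape channel opens all permissions,
and the original control is restored when the link recovers). The Rule
format, the "largest resource group first" reading of step two, the class
and method names and the sample tables are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

PERMIT, DENY, NO_MATCH = "permit", "deny", None


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    resources: ipaddress.IPv4Network   # destination resource group the rule covers


def first_match(rules, dst):
    """Verdict of the first rule whose resource group contains dst, or NO_MATCH."""
    for rule in rules:
        if dst in rule.resources:
            return rule.action
    return NO_MATCH


class Firewall:
    def __init__(self, role_rules, interdomain, default, keepalive_limit=3):
        self.role_rules = role_rules    # role ID -> list[Rule] (the role's ACL group)
        self.interdomain = interdomain  # inter-domain packet filter
        self.default = default          # default packet filter
        self.monitor = {}               # source IP -> role IDs, from user-online messages
        self.keepalive_limit = keepalive_limit
        self.missed = 0
        self.escape_open = False

    # Server -> firewall user online/offline notifications fill the step-1 table.
    def user_online(self, src_ip, role_ids):
        self.monitor[src_ip] = list(role_ids)

    def user_offline(self, src_ip):
        self.monitor.pop(src_ip, None)

    # State detection: keepalive bookkeeping and the escape channel.
    def keepalive_answered(self):
        self.missed = 0
        self.escape_open = False        # link up again: original control restored

    def keepalive_unanswered(self):
        self.missed += 1
        if self.missed >= self.keepalive_limit:
            self.escape_open = True     # link considered down: open all permissions

    def decide(self, src_ip, dst_ip):
        """Return "permit", "deny" or "auth-required" for one packet."""
        if self.escape_open:
            return PERMIT
        roles = self.monitor.get(src_ip)
        if roles is None:               # step 1: not in the monitoring table
            return "auth-required"
        dst = ipaddress.ip_address(dst_ip)
        for rid in roles:               # step 2: role rules, largest group first
            ordered = sorted(self.role_rules.get(rid, []),
                             key=lambda r: r.resources.num_addresses, reverse=True)
            verdict = first_match(ordered, dst)
            if verdict is not NO_MATCH:
                return verdict
        verdict = first_match(self.interdomain, dst)   # step 3
        if verdict is not NO_MATCH:
            return verdict
        verdict = first_match(self.default, dst)       # step 4: no match = drop
        return verdict if verdict is not NO_MATCH else DENY


def sample_firewall():
    """Constructed sample: one role, one inter-domain rule, a default deny."""
    net = ipaddress.ip_network
    fw = Firewall(
        role_rules={1: [Rule(DENY, net("10.2.0.0/24")), Rule(PERMIT, net("10.1.0.0/16"))]},
        interdomain=[Rule(PERMIT, net("192.168.0.0/24"))],
        default=[Rule(DENY, net("0.0.0.0/0"))],
    )
    fw.user_online("10.0.0.5", [1])     # server reported this user online with role 1
    return fw
```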
With the policy synchronization method provided by the embodiments of the invention, the policy on the firewall and the server is synchronized dynamically, the role rules bound to a terminal user can be updated quickly, and policy synchronization requires no manual configuration on the firewall, so the permissions of user terminals can be updated faster and the network access permissions of terminals controlled more flexibly. In addition, external users can be prevented from accessing the intranet, and internal users who are legitimate but unsafe can be prevented from connecting to the enterprise network and further infecting the company network.
Embodiments of the invention also provide a policy synchronization system, shown in Fig. 4, comprising a firewall device 10 and a server 20. The firewall device 10 receives the update policy message sent by the server 20 and updates its local policy according to that update policy message, achieving policy synchronization with the server 20.
In embodiments of the invention, as shown in Fig. 5, the firewall device 10 comprises:
an update policy message receiving unit 11, for receiving the update policy message sent by the server;
a policy update unit 12, for updating the local policy according to the update policy message received by the update policy message receiving unit 11, achieving policy synchronization with the server 20.
As shown in Fig. 6, in embodiments of the invention the firewall device 10 also comprises:
a request message sending unit 13, for sending the request-policy-synchronization message to the server 20, so that the server 20 can generate the update policy message according to the request-policy-synchronization message;
a control unit 14, for controlling the access of user terminals according to the policy updated by the policy update unit 12;
an escape function unit 15, for opening the escape channel function when the link between the firewall 10 and the server 20 fails, or when the server 20 fails, so as to open all permissions of the user terminals, and for restoring the original control after the connection state with the server 20 recovers.
In addition, the above policy update unit 12 may further comprise:
an obtaining subunit 121, for obtaining the policy identifier and the corresponding timestamp carried in the update policy message;
a comparison subunit 122, for comparing, according to the policy identifier obtained by the obtaining subunit 121, the corresponding local timestamp with the timestamp carried in the update policy message;
an update subunit 123, for updating the local policy according to the timestamp comparison result of the comparison subunit 122. The update subunit 123 may further comprise: a first update subunit 1231, for sending, for a given policy identifier, a message to the server 20 to obtain the policy with that identifier when the timestamp comparison result indicates that the server-side policy is newer than the firewall-side policy; or a second update subunit 1232, for deleting, for a given policy identifier, the locally stored policy corresponding to that identifier when the timestamp comparison result indicates that the server-side policy no longer exists; or a third update subunit 1233, for sending, for a given policy identifier, a message to the server 20 to obtain the policy with that identifier when the timestamp comparison result indicates that the policy does not exist on the firewall side.
In embodiments of the invention, as shown in Fig. 7, the server 20 comprises:
a synchronization policy receiving unit 21, for receiving the request-policy-synchronization message sent by the firewall device 10;
an update policy message generation unit 22, for generating the update policy message according to the message received by the synchronization policy receiving unit 21;
an update policy message sending unit 23, for sending the update policy message to the firewall device 10.
In embodiments of the invention, as shown in Fig. 8, in the server 20:
the update policy message sending unit 23 may also comprise:
a first sending subunit 231, for sending the update policy message to the firewall device 10 when the request-policy-synchronization message sent by the firewall device 10 is received; or
a second sending subunit 232, for sending the update policy message to the firewall device 10 when a change in the local policy is detected.
The update policy message generation unit 22 may also comprise:
a first obtaining subunit 221, for obtaining the identifier of the policy to be synchronized and the timestamp carried in the request-policy-synchronization message received by the first sending subunit 231;
a first comparison subunit 222, for comparing, according to the identifier of the policy to be synchronized, the timestamp sent by the firewall device 10 with the timestamp of the corresponding locally stored policy;
a first generation subunit 223, for adding, according to the comparison result of the first comparison subunit 222, the identifier of the policy to be synchronized and the corresponding locally stored timestamp to the update policy message.
The update policy message generation unit 22 may also comprise:
a second generation subunit 224, for adding the identifier of the changed policy and the corresponding locally stored timestamp to the update policy message when a change in the local policy is detected.
With the policy synchronization system and equipment provided by the embodiments of the invention, the ACL rules on the firewall and the server are synchronized dynamically, the role rules bound to a terminal user can be updated quickly and more policies synchronized, and policy synchronization requires no manual configuration on the firewall, so the permissions of user terminals can be updated faster and the network access permissions of terminals controlled more flexibly. In addition, external users can be prevented from accessing the intranet, and internal users who are legitimate but unsafe can be prevented from connecting to the enterprise network and further infecting the company network.
Through the above description of the embodiments, those skilled in the art can be well understood to the present invention and can realize by the mode that software adds essential general hardware platform, can certainly pass through hardware, but the former is better execution mode under a lot of situation.Based on such understanding, the part that technical scheme of the present invention contributes to prior art in essence in other words can embody with the form of software product, this computer software product is stored in the storage medium, comprises that some instructions are used so that a station terminal equipment (as mobile phone, PDA etc.) is carried out the described method of each embodiment of the present invention.
One of ordinary skill in the art will appreciate that all or part of flow process that realizes in the foregoing description method, be to instruct relevant hardware to finish by computer program, described program can be stored in the computer read/write memory medium, this program can comprise the flow process as the embodiment of above-mentioned each side method when carrying out.Wherein, described storage medium can be magnetic disc, CD, read-only storage memory body (Read-OnlyMemory, ROM) or at random store memory body (Random Access Memory, RAM) etc.
More than disclosed only be several specific embodiment of the present invention, still, the present invention is not limited thereto, any those skilled in the art can think variation all should fall into protection scope of the present invention.
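The timestamp-driven exchange sketched above (sub-units 222 to 224) and claimed in claims 2-3 and 8-11, as an added Python example that is not part of the patent or of any Huawei code. It models the server keeping one timestamp per policy, the firewall sending the identifiers and timestamps it holds, the server replying only with the policies whose timestamps differ, and the firewall fetching newer or unknown policies and deleting the ones the server dropped, plus the server-initiated push of claims 9-10. The message layout (a dict of identifier to timestamp), the tombstone value 0 for a deleted policy, the logical clock and the ACL line format are assumptions made for illustration; the patent does not specify them.

```python
# Added example: per-policy timestamp synchronisation between a policy server and a firewall.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DELETED = 0  # assumed convention: timestamp 0 in an update message means "removed on server"


@dataclass
class Policy:
    role: str
    acl: List[str]  # constructed sample ACL lines, e.g. "permit tcp any 10.0.0.0/8 443"


class PolicyServer:
    """Claim 11: one timestamp per policy, changed on every modification of that policy."""

    def __init__(self) -> None:
        self.policies: Dict[str, Policy] = {}
        self.timestamps: Dict[str, int] = {}
        self.clock = 0  # logical clock (assumed); a wall clock also works but must never move backwards
        self.firewalls: List["Firewall"] = []  # firewalls that receive pushed updates (claim 9)

    def modify(self, pid: str, policy: Policy) -> None:
        self.clock += 1
        self.policies[pid] = policy
        self.timestamps[pid] = self.clock
        self._push(pid)

    def delete(self, pid: str) -> None:
        self.clock += 1
        self.policies.pop(pid, None)
        self.timestamps[pid] = DELETED  # tombstone, so the next sync tells the firewall to drop it
        self._push(pid)

    def build_update(self, request: Dict[str, int]) -> Dict[str, int]:
        """Claim 8: compare the firewall's timestamps with the local ones; report only differences."""
        update: Dict[str, int] = {}
        for pid, ts in self.timestamps.items():
            if ts == DELETED and pid not in request:
                continue  # firewall already dropped it, nothing to report
            if request.get(pid) != ts:
                update[pid] = ts
        return update

    def fetch(self, pid: str) -> Optional[Policy]:
        return self.policies.get(pid)

    def _push(self, pid: str) -> None:
        """Claims 9-10: actively send the changed identifier and its timestamp to every firewall."""
        for fw in self.firewalls:
            fw.apply_update({pid: self.timestamps[pid]})


class Firewall:
    def __init__(self, server: PolicyServer) -> None:
        self.server = server
        self.policies: Dict[str, Policy] = {}
        self.timestamps: Dict[str, int] = {}

    def request_sync(self) -> List[Tuple[str, str]]:
        """Claim 7: send the identifiers/timestamps held locally and apply what the server reports."""
        return self.apply_update(self.server.build_update(dict(self.timestamps)))

    def apply_update(self, update: Dict[str, int]) -> List[Tuple[str, str]]:
        """Claims 2-3: fetch when the server copy is newer or unknown locally, delete when the
        server no longer has it, otherwise keep the local copy."""
        actions: List[Tuple[str, str]] = []
        for pid, server_ts in update.items():
            local_ts = self.timestamps.get(pid)
            if server_ts == DELETED:
                if pid in self.policies:
                    del self.policies[pid]
                    del self.timestamps[pid]
                    actions.append(("delete", pid))
            elif local_ts is None or server_ts > local_ts:
                policy = self.server.fetch(pid)
                if policy is not None:  # server may have changed again since the message was built
                    self.policies[pid] = policy
                    self.timestamps[pid] = server_ts
                    actions.append(("fetch", pid))
        return actions


def demo():
    """Constructed scenario: pull sync, server-side changes, a pushed change, second pull."""
    server = PolicyServer()
    server.modify("role-guest", Policy("guest", ["permit tcp any any 80", "deny ip any any"]))
    server.modify("role-staff", Policy("staff", ["permit ip any 10.0.0.0/8", "deny ip any any"]))
    fw = Firewall(server)
    first = fw.request_sync()  # both unknown locally -> fetched
    server.modify("role-guest", Policy("guest", ["deny ip any any"]))
    server.delete("role-staff")
    second = fw.request_sync()  # guest newer on server -> fetched; staff gone -> deleted
    server.firewalls.append(fw)
    server.modify("role-vpn", Policy("vpn", ["permit udp any any 500"]))  # pushed at once
    third = fw.request_sync()  # nothing differs any more -> empty
    return first, second, third, sorted(fw.policies)
```

Two points a practitioner would check before deploying a scheme like this: the comparison only works if the server's timestamps never move backwards for a given policy (a logical counter is safer than a wall clock that NTP may step), and a deleted policy needs some tombstone or explicit "deleted" marker in the update message, because a policy that simply disappears from the server's list would otherwise never be removed from the firewall.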

Claims (24)

1. A policy synchronisation method, applied to a system comprising a firewall and a server, characterised in that it comprises:
the firewall receiving an update policy message sent by the server;
the firewall updating its local policies according to the update policy message, thereby achieving synchronisation with the policies on the server.
2. The method of claim 1, characterised in that the firewall updating its local policies according to the update policy message comprises:
the firewall obtaining the policy identifiers and the corresponding timestamps carried in the update policy message;
the firewall comparing, for each policy identifier, the corresponding local timestamp with the timestamp carried in the update policy message;
the firewall updating its local policies according to the result of the timestamp comparison.
3. The method of claim 2, characterised in that the firewall updating its local policies according to the result of the timestamp comparison comprises:
for a policy identifier, when the timestamp comparison indicates that the policy on the server side is newer than the policy on the firewall side, the firewall sending to the server a message to obtain the policy with that identifier; or
for a policy identifier, when the timestamp comparison indicates that the policy on the server side no longer exists, the firewall deleting the locally stored policy corresponding to that identifier; or
for a policy identifier, when the timestamp comparison indicates that the policy does not exist on the firewall side, the firewall sending to the server a message to obtain the policy with that identifier.
4. The method of any one of claims 1 to 3, characterised in that the policy specifically comprises: at least one role used by a user terminal and/or the role rules corresponding to that role, the role rules being implemented by access control lists (ACLs), each role corresponding to a plurality of role rules.
5. The method of claim 1, characterised in that, after the firewall updates its local policies according to the update policy message, the method further comprises:
the firewall controlling the access of user terminals according to the policies.
6. The method of claim 1, characterised in that it further comprises:
when the link between the firewall and the server fails, or the server is a critical server and fails, or all connections fail, enabling the escape channel function so as to open all permissions to user terminals; restoring the original control once the connection state with the critical server has recovered; and, if there is no critical server, restoring the original control as soon as any server connection is normal.
7. A policy synchronisation method, applied to a system comprising a firewall and a server, characterised in that it comprises:
the server receiving a message requesting policy synchronisation sent by the firewall;
the server generating an update policy message according to the message requesting policy synchronisation;
sending the update policy message to the firewall.
8. The method of claim 7, characterised in that the step of the server generating the update policy message specifically comprises:
the server obtaining the identifiers of the policies to be synchronised and the timestamps carried in the message requesting policy synchronisation;
the server comparing, for each identifier of a policy to be synchronised, the timestamp sent by the firewall with the timestamp of the corresponding locally stored policy;
when the comparison result is that they differ, the server adding the identifier of the policy to be synchronised and the corresponding locally stored timestamp to the update policy message.
9. The method of claim 7, characterised in that, before the server receives the message requesting policy synchronisation sent by the firewall, the method further comprises:
when the server detects a change in its local policies, generating an update policy message according to the changed policies and actively sending it to the firewall.
10. The method of claim 9, characterised in that the server generating the update policy message comprises:
the server adding the identifier of the changed policy and the corresponding locally stored timestamp to the update policy message.
11. The method of claim 8 or 10, characterised in that the timestamp stored locally by the server is specifically:
the server maintaining one timestamp for each locally stored policy, and changing the timestamp corresponding to a policy accordingly each time that policy is modified.
12. A policy synchronisation system comprising a firewall and a server, characterised in that
the firewall is configured to receive the update policy message sent by the server, and to update its local policies according to the update policy message, achieving synchronisation with the policies on the server.
13. The policy synchronisation system of claim 12, characterised in that the firewall further comprises:
an update policy message receiving unit, configured to receive the update policy message sent by the server;
a policy update unit, configured to update the local policies according to the update policy message received by the update policy message receiving unit, achieving synchronisation with the policies on the server.
14. The policy synchronisation system of claim 12, characterised in that the server further comprises:
an update policy message generation unit, configured to generate the update policy message to be sent to the firewall device;
an update policy message sending unit, configured to send the update policy message generated by the update policy message generation unit to the firewall device.
15. A firewall device, characterised in that it comprises:
an update policy message receiving unit, configured to receive the update policy message sent by a server;
a policy update unit, configured to update the local policies according to the update policy message received by the update policy message receiving unit, achieving synchronisation with the policies on the server.
16. The firewall device of claim 15, characterised in that it further comprises:
a request message sending unit, configured to send a message requesting policy synchronisation to the server, so that the server generates the update policy message according to the message requesting policy synchronisation.
17. The firewall device of claim 15, characterised in that the policy update unit comprises:
an obtaining sub-unit, configured to obtain the policy identifiers and the corresponding timestamps carried in the update policy message;
a comparison sub-unit, configured to compare, for each policy identifier obtained by the obtaining sub-unit, the corresponding local timestamp with the timestamp carried in the update policy message;
an update sub-unit, configured to update the local policies according to the timestamp comparison result of the comparison sub-unit.
18. The firewall device of claim 17, characterised in that the update sub-unit comprises:
a first update sub-unit, configured, for a policy identifier, when the timestamp comparison indicates that the policy on the server side is newer than the policy on the firewall side, to send to the server a message to obtain the policy with that identifier; or
a second update sub-unit, configured, for a policy identifier, when the timestamp comparison indicates that the policy on the server side no longer exists, to delete the locally stored policy corresponding to that identifier; or
a third update sub-unit, configured, for a policy identifier, when the timestamp comparison indicates that the policy does not exist on the firewall side, to send to the server a message to obtain the policy with that identifier.
19. The firewall device of claim 15, characterised in that it further comprises:
a control unit, configured to control the access of user terminals according to the policies updated by the policy update unit.
20. The firewall device of claim 15, characterised in that it further comprises:
an escape function unit, configured, when the link between the firewall and the server fails, or the server is a critical server and fails, or all connections fail, to enable the escape channel function so as to open all permissions to user terminals; to restore the original control once the connection state with the critical server has recovered; and, if there is no critical server, to restore the original control as soon as any server connection is normal.
21. A server, characterised in that it comprises:
a synchronisation policy receiving unit, configured to receive the message requesting policy synchronisation sent by a firewall;
an update policy message generation unit, configured to generate an update policy message according to the message requesting policy synchronisation;
an update policy message sending unit, configured to send the update policy message to the firewall.
22. The server of claim 21, characterised in that the update policy message sending unit comprises:
a first sending sub-unit, configured to send the update policy message to the firewall device upon receiving the message requesting policy synchronisation sent by the firewall device; or
a second sending sub-unit, configured to send the update policy message to the firewall device when a change in the local policies is detected.
23. The server of claim 21 or 22, characterised in that the update policy message generation unit comprises:
a first obtaining sub-unit, configured to obtain the identifiers of the policies to be synchronised and the timestamps carried in the message requesting policy synchronisation received by the first sending sub-unit;
a first comparison sub-unit, configured to compare, for each identifier of a policy to be synchronised, the timestamp sent by the firewall with the timestamp of the corresponding locally stored policy;
a first generation sub-unit, configured to add, according to the comparison result of the first comparison sub-unit, the identifier of the policy to be synchronised and the corresponding locally stored timestamp to the update policy message.
24. The server of claim 21 or 22, characterised in that the update policy message generation unit comprises:
a second generation sub-unit, configured to add, when a change in the local policies is detected, the identifier of the changed policy and the corresponding locally stored timestamp to the update policy message.
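The escape-channel behaviour of claims 6 and 20, as an added Python example that is not part of the patent or of any Huawei code. The claims say only when escape mode starts and when normal control resumes; how link failure is detected is not specified, so this example assumes heartbeat-based detection with a 30-second timeout, a server list with a per-server "critical" flag, a first-match ACL with an implicit deny, and a destination-only match. The server names, ACL entries and timeline are constructed for illustration.

```python
# Added example: escape-channel (fail-open) decision driven by policy-server link health.
import ipaddress
from typing import Dict, List, Optional, Tuple

HEARTBEAT_TIMEOUT = 30.0  # assumed: seconds without a heartbeat before a link counts as failed


class EscapeController:
    def __init__(self, servers: Dict[str, bool]) -> None:
        self.is_critical = dict(servers)  # server name -> flagged critical?
        self.last_seen: Dict[str, float] = {name: float("-inf") for name in servers}

    def heartbeat(self, name: str, now: float) -> None:
        self.last_seen[name] = now

    def link_up(self, name: str, now: float) -> bool:
        return now - self.last_seen[name] <= HEARTBEAT_TIMEOUT

    def escape_mode(self, now: float) -> bool:
        """Claim 6: escape when a critical server is unreachable or every server is unreachable.
        Control resumes once all critical servers are back, or, with no critical server, once any is."""
        up = {name: self.link_up(name, now) for name in self.is_critical}
        critical_down = any(self.is_critical[n] and not up[n] for n in up)
        all_down = not any(up.values())
        return critical_down or all_down


ACL = List[Tuple[str, str, Optional[int]]]  # (action, destination network, port or None for any)


def acl_permits(acl: ACL, dst_ip: str, dst_port: int) -> bool:
    """First matching entry decides; no match means deny (assumed ACL semantics)."""
    ip = ipaddress.ip_address(dst_ip)
    for action, net, port in acl:
        if ip in ipaddress.ip_network(net) and (port is None or port == dst_port):
            return action == "permit"
    return False


def decide(ctrl: EscapeController, now: float, acl: ACL, dst_ip: str, dst_port: int) -> Tuple[bool, str]:
    """Returns (allowed, reason). In escape mode the role's ACL is bypassed entirely."""
    if ctrl.escape_mode(now):
        return True, "escape"
    return acl_permits(acl, dst_ip, dst_port), "policy"


def demo() -> List[Tuple[bool, str]]:
    """Constructed timeline: one critical and one ordinary server, a guest ACL, a blocked destination."""
    ctrl = EscapeController({"policy-a": True, "policy-b": False})
    guest_acl: ACL = [("permit", "10.0.0.0/8", 443), ("deny", "0.0.0.0/0", None)]
    ctrl.heartbeat("policy-a", 0.0)
    ctrl.heartbeat("policy-b", 0.0)
    results = [decide(ctrl, 10.0, guest_acl, "8.8.8.8", 53)]  # both links up: ACL applies, denied
    ctrl.heartbeat("policy-b", 40.0)
    results.append(decide(ctrl, 50.0, guest_acl, "8.8.8.8", 53))  # critical server silent 50 s: escape
    ctrl.heartbeat("policy-a", 95.0)
    results.append(decide(ctrl, 100.0, guest_acl, "8.8.8.8", 53))  # critical back, b down: ACL again
    return results
```

The security-relevant point is that escape mode is fail-open: every terminal gets full access for as long as the firewall cannot reach its policy source. Anyone deploying this should log and alert on every transition into escape mode, and treat the firewall-to-server path itself as an asset to protect, since whoever can disrupt that path (or the heartbeat it carries) can switch the access control off.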
Application CN200810146862XA, priority date 2008-08-26, filing date 2008-08-26: Fireproof wall and server policy synchronization method, system and apparatus. Status: Active. Granted as CN101340444B (en). This application is its own priority application and the only member of its family.

Publications (2)

Publication Number Publication Date
CN101340444A true CN101340444A (en) 2009-01-07
CN101340444B CN101340444B (en) 2011-08-24

Family

ID=40214397

Country Status (1)

Country Link
CN (1) CN101340444B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107783772A (en) * 2017-09-29 2018-03-09 北京金山安全管理系统技术有限公司 A kind of tactful treating method and apparatus

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7624434B2 (en) * 2002-03-01 2009-11-24 3Com Corporation System for providing firewall capabilities to a communication device
KR20060100004A (en) * 2005-03-15 2006-09-20 엘지전자 주식회사 Virus vaccine providing system and method for mobile communication terminal

Cited By (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101582900B (en) * 2009-06-24 2012-06-27 成都市华为赛门铁克科技有限公司 Firewall security policy configuration method and management unit
CN101977187B (en) * 2010-10-20 2015-10-28 中兴通讯股份有限公司 Firewall policy distribution method, client, access server and system
WO2012051868A1 (en) * 2010-10-20 2012-04-26 中兴通讯股份有限公司 Firewall policy distribution method, client, access server and system
CN101977187A (en) * 2010-10-20 2011-02-16 中兴通讯股份有限公司 Firewall policy distribution method, client, access server and system
CN102761432A (en) * 2011-04-29 2012-10-31 腾讯科技(深圳)有限公司 CGI (Common Gateway Interface) monitoring method, device and system thereof
CN102761432B (en) * 2011-04-29 2016-03-30 腾讯科技(深圳)有限公司 CGI method for supervising and device thereof and system
CN102611699A (en) * 2012-02-22 2012-07-25 浪潮(北京)电子信息产业有限公司 Method and system for access control in cloud operation system
CN103379140B (en) * 2012-04-17 2016-07-27 中国移动通信集团公司 A kind of log processing rule synchronization method and relevant device and system
CN103379140A (en) * 2012-04-17 2013-10-30 中国移动通信集团公司 Log processing rule synchronization method and relative device and system
CN104717182A (en) * 2013-12-12 2015-06-17 华为技术有限公司 Security policy deployment method and device for network firewall
CN104717182B (en) * 2013-12-12 2018-03-09 华为技术有限公司 The security strategy dispositions method and device of network firewall
CN104717194A (en) * 2013-12-16 2015-06-17 研祥智能科技股份有限公司 Security policy change method and system
CN104883368A (en) * 2015-05-28 2015-09-02 上海斐讯数据通信技术有限公司 Core firewall management method
CN104883368B (en) * 2015-05-28 2020-06-05 上海斐讯数据通信技术有限公司 Management method of kernel firewall
CN106506569A (en) * 2015-09-06 2017-03-15 北京国双科技有限公司 The update method of authority and device
WO2017067216A1 (en) * 2015-10-19 2017-04-27 中兴通讯股份有限公司 Method and apparatus for updating traffic flow template, computer storage medium
CN105592086A (en) * 2015-12-22 2016-05-18 Tcl集团股份有限公司 Method and apparatus of managing firewall specific to Android platform
CN105592086B (en) * 2015-12-22 2019-09-17 Tcl集团股份有限公司 A kind of method and device for Android platform managing firewall
CN109120577B (en) * 2017-06-23 2020-10-27 华为技术有限公司 Firewall deployment method and device
CN109120577A (en) * 2017-06-23 2019-01-01 华为技术有限公司 A kind of firewall dispositions method and device
CN109495435A (en) * 2017-09-13 2019-03-19 北京国双科技有限公司 The firewall update method and device of server
CN109981540A (en) * 2017-12-28 2019-07-05 中国移动通信集团辽宁有限公司 Firewall data optimization methods, device, computer equipment and readable storage medium storing program for executing
CN108429743A (en) * 2018-02-28 2018-08-21 新华三信息安全技术有限公司 A kind of security policy configuration method, system, domain control server and firewall box
US11750565B2 (en) 2019-06-26 2023-09-05 Blackberry Limited Method and system for updating of an application layer for a third-party telematics provider
CN112152989A (en) * 2019-06-26 2020-12-29 黑莓有限公司 Method and system for updating application layers for third party telecommunications providers
CN112152989B (en) * 2019-06-26 2024-03-26 黑莓有限公司 Method and system for updating an application layer for a third party telecommunications provider
CN110377661A (en) * 2019-06-27 2019-10-25 浪潮思科网络科技有限公司 A kind of method of OpenDaylight automatic synchronization Firewall device data
CN111245785A (en) * 2019-12-30 2020-06-05 中国建设银行股份有限公司 Method, system, device and medium for firewall to block and unblock IP
CN113225296A (en) * 2020-01-21 2021-08-06 华为技术有限公司 Authority management method and device
CN112217902A (en) * 2020-10-22 2021-01-12 新华三信息安全技术有限公司 Firewall data synchronization method and device
CN112217902B (en) * 2020-10-22 2022-03-22 新华三信息安全技术有限公司 Firewall data synchronization method and device
CN113709099A (en) * 2021-07-12 2021-11-26 新华三大数据技术有限公司 Method, device, equipment and storage medium for issuing mixed cloud firewall rules
CN113709099B (en) * 2021-07-12 2023-11-07 新华三大数据技术有限公司 Mixed cloud firewall rule issuing method, device, equipment and storage medium
CN114978678A (en) * 2022-05-20 2022-08-30 中国工商银行股份有限公司 Firewall policy changing method and device, computer equipment and storage medium
CN114978678B (en) * 2022-05-20 2024-02-20 中国工商银行股份有限公司 Firewall policy changing method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: CHENGDU CITY HUAWEI SAIMENTEKE SCIENCE CO., LTD.

Free format text: FORMER OWNER: HUAWEI TECHNOLOGY CO., LTD.

Effective date: 20090424

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20090424

Address after: Qingshui River District, Chengdu high tech Zone, Sichuan Province, China: 611731

Applicant after: Chengdu Huawei Symantec Technologies Co., Ltd.

Address before: Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen Province, China: 518129

Applicant before: Huawei Technologies Co., Ltd.

C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee after: Huawei Symantec Technologies Co., Ltd.

Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee before: Chengdu Huawei Symantec Technologies Co., Ltd.