CN103763323A - Method and device for managing firewall rules - Google Patents

Info

Publication number
CN103763323A
Authority
CN
China
Prior art keywords
firewall rule
rule
firewall
match information
reasonable
Prior art date
Legal status
Pending
Application number
CN201410032663.1A
Other languages
Chinese (zh)
Inventor
付胜博
Current Assignee
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date
2014-01-23
Filing date
2014-01-23
Publication date
2014-04-30

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method and device for managing firewall rules. By collecting statistics on, and analysing, the historical match conditions of firewall rules, the rules that need to be optimized and managed can be found quickly among the firewall rules, regardless of changes in user departments, organizations and services, and regardless of turnover among network management personnel.

Description

Firewall rule management method and device
Technical field
The present invention relates to the field of communication technology, and in particular to a firewall rule management method and device.
Background
In existing network architectures, firewall devices are indispensable and are key nodes of network security. A firewall rule, as the name suggests, is a rule that decides an action (allow or deny) according to source zone, destination zone, source IP, destination IP, service type and time period, and is used to control which traffic may pass through the firewall device. Mainstream firewall devices block unknown access traffic by default, so network administrators must open legitimate access paths according to business needs, creating a corresponding firewall rule for each department and each service.
However, as user departments and services change continuously, the number of firewall rules created grows accordingly and may reach a scale of thousands of rules. Combined with the long time span involved and the turnover of network administrators, this inevitably creates firewall rule maintenance problems.
Summary of the invention
In view of this, the invention provides a firewall rule management method and device by which the rules that need optimization can be found quickly among the firewall rules.
To achieve the above object, the invention provides a firewall rule management method comprising the steps of:
obtaining match information of a firewall rule;
determining, according to the match information, whether the firewall rule is reasonable.
Further, the match information of the firewall rule specifically comprises the number of matches within the period of the firewall rule and the last match time.
Further, before obtaining the match information of the firewall rule, the method also comprises:
receiving registration information of a terminal device, creating a firewall rule for the terminal device according to a predetermined policy, and, after the firewall rule has been created, sending the firewall rule to the firewall device.
Further, determining according to the match information whether the firewall rule is reasonable specifically comprises:
determining the average match rate of the firewall rule according to the obtained number of matches in the period;
determining whether the firewall rule is reasonable according to the average match rate.
Further, determining according to the match information whether the firewall rule is reasonable specifically comprises:
determining whether the firewall rule is reasonable according to the average match rate of the firewall rule in the current period and the stored historical average match rates.
Further, after determining according to the match information whether the firewall rule is reasonable, the method also comprises:
when the firewall rule is determined to be unreasonable, sending an alarm message to the network administrator so that the network administrator adjusts the firewall rule according to the alarm message.
Based on the same idea as the above method, the invention also provides a firewall rule management device, the device comprising:
an acquisition module for obtaining the match information of a firewall rule;
a determination module for determining, according to the match information, whether the firewall rule is reasonable.
Further, the match information of the firewall rule specifically comprises the number of matches within the period of the firewall rule and the last match time.
Further, the determination module determining according to the match information whether the firewall rule is reasonable specifically comprises:
the determination module determining the average match rate of the firewall rule according to the obtained number of matches in the period;
the determination module determining whether the firewall rule is reasonable according to the average match rate.
Further, the determination module determining according to the match information whether the firewall rule is reasonable specifically comprises:
the determination module determining whether the firewall rule is reasonable according to the average match rate of the firewall rule in the current period and the stored historical average match rates.
Further, the device also comprises:
a processing module for, before the acquisition module obtains the match information of the firewall rule, receiving registration information of a terminal device, creating a firewall rule for the terminal device according to a predetermined policy, and, after the firewall rule has been created, sending the firewall rule to the firewall device.
Further, the processing module is also for sending, when the firewall rule is determined to be unreasonable, an alarm message to the network administrator so that the network administrator adjusts the firewall rule according to the alarm message.
Compared with the prior art, the invention has the following advantage: by classifying and counting the historical match conditions of firewall rules, the rules that need to be optimized and managed can be found quickly among the firewall rules, regardless of how user departments and services have changed or how network administrators have changed over.
Description of the drawings
Fig. 1 is a schematic flow chart of a firewall rule management method provided by an exemplary embodiment of the invention;
Fig. 2 is a schematic structural diagram of a logical firewall rule management device provided by an exemplary embodiment of the invention.
Embodiments
The technical solution of the invention is described clearly and completely below in conjunction with the drawings. Obviously, the implementations described in this specification are only exemplary embodiments of the invention. All other implementations that a person of ordinary skill in the art can obtain on the basis of the idea of the invention, without creative work, fall within the protection scope of the invention.
Fig. 1 is a schematic flow chart of a firewall rule management method provided by an exemplary embodiment of the invention. The method comprises:
Step 101: the network management (NM) server obtains the match information of the firewall rules.
Specifically, the match information of a firewall rule is the number of matches of the rule within the period and the time of its last match. In a specific implementation, the NM server periodically obtains the firewall rule match information through an interface that the firewall device provides for interaction with it.
To implement the invention, before the NM server obtains the match information of the firewall rules, it also needs to create the firewall rules on the firewall device. Specifically, when the NM server receives the registration information of a terminal device, it creates a firewall rule for that terminal device according to a predetermined policy and then sends the rule to the firewall device. The firewall device can subsequently process packets received from the terminal device according to this rule. For example, in a certain application scenario, firewall rule A is: addresses from the subnet 192.168.1.1-192.168.1.255 are not allowed to access the subnet 192.168.2.1-192.168.2.255. After rule A has been created on the firewall device, suppose the firewall device receives a terminal device packet with source address 192.168.1.1 and destination address 192.168.2.1. It matches the packet against the stored rule A; when it determines that the packet matches rule A, that is, the packet is not allowed through, the firewall device records this match and its match time.
Further, for every terminal device packet it receives, the firewall device matches the packet against the firewall rules stored on it, records the match and its match time, and increments the match count. When the preset period for obtaining match information elapses, the NM server obtains the match information recorded for the firewall rules through the interface with the firewall device.
Step 102: the NM server determines, according to the firewall rule match information, whether the firewall rule is reasonable.
Specifically, the NM server determines the average match rate of the current rule from the match information of the firewall rule, and judges the rule according to the obtained average match rate to determine whether the rule setting is reasonable.
First, the NM server determines the average match rate of the firewall rule in the current period from the obtained match information. Specifically, the NM server subtracts the match count of the rule obtained in the previous period from the match count obtained in this period, giving the number of matches of the rule within this period, and from that calculates the average match rate of the rule within the period. Further, after calculating the average match rate of the firewall rule within this period, the NM server also stores this average match rate as historical data for subsequent query and comparison.
Second, after determining the average match rate of the firewall rule, the NM server judges the rule according to the obtained average match rate and determines whether the rule is reasonable. Specifically, when the NM server determines that the average match rate of the current rule is low, it concludes that the setting of the firewall rule may not be reasonable and the rule needs to be adjusted. Further, so that the NM server can judge more accurately whether the firewall rule setting is reasonable, when processing firewall rules according to the determined average match rate, the invention preferably also uses multiple historical average match rates of the firewall rule as a reference.
Specifically, after querying the historical average match rates of the rule according to the predetermined policy, if the historical average match rate of the firewall rule has always been very low, the service corresponding to the rule is rarely used; the rule may not be reasonable and needs to be optimized. If, however, the query shows that the average match rate of the rule has suddenly become very low from a certain point in time, the service using the rule may have changed, and the rule needs to be adjusted or deleted. If the NM server finds that the time of the last match of the current firewall rule is far from the current time, it determines that the rule has not been in effect for a long time and no related service is using it any more; the rule may not be needed, and the administrator can delete it according to the actual situation without affecting existing services.
Further, when the NM server judges that the setting of a firewall rule may be unreasonable, it preferably also pushes an alarm message to the network administrator so that the administrator can adjust or delete the firewall rule according to the actual situation.
To make the invention clearer to those skilled in the art, it is described below with a concrete example. Specifically:
First, the NM server obtains the match information of the firewall rules.
Referring to Table 1, suppose that in a certain application scenario the NM server obtains, at time T1, the match information of all firewall rules recorded on the firewall device.
Table 1: Match information at time T1

Rule name   Matches   Last match time
Rule A      150       2013-10-4 16:14:22
Rule B      180       2013-5-15 10:14:22

As Table 1 shows, at time T1 the match count of rule A is 150 and its last match time is 2013-10-4 16:14:22; the match count of rule B is 180 and its last match time is 2013-5-15 10:14:22.
Referring further to Table 2, in this application scenario the NM server obtains, at time T2, the match information of all rules recorded on the firewall device.

Table 2: Match information at time T2

Rule name   Matches   Last match time
Rule A      450       2013-10-4 16:19:22
Rule B      180       2013-5-15 10:14:22

As Table 2 shows, at time T2 the match count of rule A is 450 and its last match time is 2013-10-4 16:19:22; the match count of rule B is 180 and its last match time is 2013-5-15 10:14:22.
Second, the NM server determines the average match rate of each firewall rule.
The NM server determines the average match rate of Rule A and Rule B during T1-T2 with the formula: (match count at T2 - match count at T1) / (T2 - T1). Using the parameters in Tables 1 and 2, the average match rates are:
Average match rate of Rule A = (450 - 150) / 300 = 1 match/second.
Because the match information of Rule B is unchanged between T1 and T2, it is determined that Rule B has not matched for a long time. The NM server can then determine that Rule B has not served its purpose on the firewall device for a long time, that is, the firewall device no longer uses Rule B, so the administrator may delete it. Table 3 below shows the average match rates of Rule A and Rule B during T1-T2.

Table 3: Average match rate during T1-T2

Rule name   Match rate       Last match time      Historical rate
Rule A      1 match/second   2013-10-4 16:19:22   Hyperlink
Rule B      0                2013-5-15 10:14:22   Hyperlink

As Table 3 shows, during T1-T2 the match rate of rule A is 1 match/second and its last match time is 2013-10-4 16:19:22; the match rate of rule B is 0 and its last match time is 2013-5-15 10:14:22.
According to the invention, after calculating the average match rates of rule A and rule B, the obtained average match rates also need to be stored for subsequent query. Referring to Table 4, suppose this is the historical average match rate record of Rule A.

Table 4: Historical average match rates of Rule A

Rule name   Time                 Match rate
Rule A      2013-10-4 16:06:22   10
Rule A      2013-10-4 16:11:22   9
Rule A      2013-10-4 16:14:22   5
Rule A      2013-10-4 16:19:22   1

As Table 4 shows, the match rate of Rule A decreases gradually over time without large changes, indicating that the service corresponding to Rule A may rarely be used; it is determined that Rule A may not be reasonable and needs to be optimized.
Of course, to determine more clearly whether Rule A is still applicable to current services, the daily average match rate of Rule A can also be counted. Referring to Table 5, suppose this is the daily average match rate of Rule A.

Table 5: Daily average match rate of Rule A

Rule name   Time        Match rate
Rule A      2013-10-1   100
Rule A      2013-10-2   100
Rule A      2013-10-3   2
Rule A      2013-10-4   2

As Table 5 shows, the match rate of Rule A drops suddenly from 100 to 2 on 2013-10-3, indicating that the service using Rule A has changed, and Rule A needs to be adjusted accordingly or deleted.
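As an added illustration (not part of the patent), the following Python reproduces the analysis of Tables 1 to 5: the average match rate from two counter snapshots, the staleness check on the last match time, and the history comparison that separates a rate that has always been low from a sudden drop. The data classes, the thresholds (90-day idle limit, low-rate floor, 10x drop factor) and the sample data are assumptions constructed from the tables.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Sequence


@dataclass
class Snapshot:
    """Match information the NM server pulls from the firewall at one instant."""
    taken_at: datetime
    match_count: Dict[str, int]                # rule name -> cumulative matches
    last_match: Dict[str, Optional[datetime]]  # rule name -> time of last match


def average_rate(prev: Snapshot, cur: Snapshot, rule: str) -> float:
    """Average match rate over [T1, T2]: (matches at T2 - matches at T1) / (T2 - T1)."""
    seconds = (cur.taken_at - prev.taken_at).total_seconds()
    if seconds <= 0:
        raise ValueError("snapshots must be taken in increasing time order")
    delta = cur.match_count[rule] - prev.match_count.get(rule, 0)
    if delta < 0:
        # Counter went backwards (device reboot or counter reset): the current
        # value is then the best estimate of the matches seen in this period.
        delta = cur.match_count[rule]
    return delta / seconds


def assess_rule(rule: str, rate: float, history: Sequence[float],
                last_match: Optional[datetime], now: datetime,
                stale_after: timedelta = timedelta(days=90),
                low_rate: float = 2.0, drop_factor: float = 10.0) -> str:
    """Classify one rule the way the description does.

    history: earlier stored average rates, oldest first (Table 4 / Table 5 style).
    The verdicts mirror the text: long idle -> deletion candidate; sudden drop
    against the rule's own history -> service changed; always low -> rarely used.
    stale_after, low_rate and drop_factor are constructed defaults, not values
    from the patent; an operator would tune them per environment.
    """
    if last_match is None or now - last_match > stale_after:
        idle = "never matched" if last_match is None else f"idle {(now - last_match).days} days"
        return f"{rule}: stale ({idle}); candidate for deletion"
    series = list(history) + [rate]
    for earlier, later in zip(series, series[1:]):
        if earlier > 0 and earlier / max(later, 1e-9) >= drop_factor:
            return (f"{rule}: sudden drop from {earlier:g} to {later:g}; "
                    "service may have changed, adjust or delete")
    if rate < low_rate:
        shown = ", ".join(f"{h:g}" for h in series)
        return f"{rule}: consistently low ({shown}); service rarely used, review"
    return f"{rule}: reasonable ({rate:g} matches/s)"


def analyse(prev: Snapshot, cur: Snapshot,
            history: Dict[str, List[float]], **thresholds) -> Dict[str, str]:
    """Steps 101 and 102 for every rule present in the current snapshot."""
    verdicts = {}
    for rule in cur.match_count:
        rate = average_rate(prev, cur, rule)
        verdicts[rule] = assess_rule(rule, rate, history.get(rule, []),
                                     cur.last_match.get(rule), cur.taken_at,
                                     **thresholds)
        # Step 102 also stores the new rate as history for the next period.
        history.setdefault(rule, []).append(rate)
    return verdicts


# Constructed sample data reproducing Tables 1, 2, 4 and 5 of the description.
T1 = Snapshot(datetime(2013, 10, 4, 16, 14, 22),
              {"Rule A": 150, "Rule B": 180},
              {"Rule A": datetime(2013, 10, 4, 16, 14, 22),
               "Rule B": datetime(2013, 5, 15, 10, 14, 22)})
T2 = Snapshot(datetime(2013, 10, 4, 16, 19, 22),
              {"Rule A": 450, "Rule B": 180},
              {"Rule A": datetime(2013, 10, 4, 16, 19, 22),
               "Rule B": datetime(2013, 5, 15, 10, 14, 22)})
HISTORY_A = [10.0, 9.0, 5.0]      # Table 4: per-period rates before T1-T2
DAILY_A = [100.0, 100.0, 2.0]     # Table 5: daily rates for 10-1 .. 10-3

if __name__ == "__main__":
    for verdict in analyse(T1, T2, {"Rule A": list(HISTORY_A)}).values():
        print(verdict)
    print(assess_rule("Rule A (daily)", 2.0, DAILY_A,
                      T2.last_match["Rule A"], T2.taken_at))
```

Rule A comes out as "consistently low" on the per-period series and as a "sudden drop" on the daily series, while Rule B is flagged stale from its last match time alone, before any rate comparison.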
Compared with the prior art, the invention classifies and counts the historical match conditions of firewall rules, so that the rules that need to be optimized and managed can be found quickly among the firewall rules, regardless of how user departments and services have changed or how network administrators have changed over.
Based on the same idea as the above method, the invention provides a firewall rule management device. As shown in Fig. 2, the device comprises:
an acquisition module 21 for obtaining the match information corresponding to a firewall rule;
where the match information specifically refers to the number of matches within the period and the time of the last match;
a determination module 22 for determining, according to the match information, whether the firewall rule is reasonable.
The determination module 22 determining according to the match information whether the firewall rule is reasonable is specifically realized as follows:
the determination module 22 determines the average match rate of the firewall rule in the current period according to the obtained match information.
Specifically, the determination module 22 subtracts the match count of the rule obtained in the previous period from the match count obtained in this period, giving the number of matches of the rule within this period, and from that calculates the average match rate of the rule within the period. Further, after calculating the average match rate of the firewall rule within this period, the determination module also stores this average match rate as historical data for subsequent query and comparison.
The determination module 22 judges the rule according to the average match rate of the firewall rule in the current period and determines whether the rule is reasonable.
Specifically, when the determination module 22 determines that the average match rate of the current rule is low, it concludes that the setting of the firewall rule may not be reasonable and the rule needs to be adjusted. So that the determination module can judge more accurately whether the firewall rule setting is reasonable, when processing firewall rules according to the determined average match rate, the invention preferably also uses multiple historical average match rates of the firewall rule as a reference.
Further, the device also comprises:
a processing module 23 for, before the acquisition module 21 obtains the match information of the firewall rule, receiving registration information of a terminal device, creating a firewall rule for the terminal device according to a predetermined policy, and, after the firewall rule has been created, sending the firewall rule to the firewall device.
The processing module 23 is also for sending, when the firewall rule is determined to be unreasonable, an alarm message to the network administrator so that the network administrator adjusts the firewall rule according to the alarm message.
Compared with the prior art, the invention collects statistics on and processes the historical match conditions of firewall rules, so that the rules that need to be optimized and managed can be found quickly among the firewall rules, regardless of how user departments and services have changed or how network administrators have changed over.
What is disclosed above is only an exemplary embodiment of the invention; the invention is not limited thereto, and any changes that a person skilled in the art can think of fall within the protection scope of the invention.

Claims (12)

1. A firewall rule management method, applied on a network management (NM) server, characterized in that it comprises the steps of:
obtaining match information of a firewall rule;
determining, according to the match information, whether the firewall rule is reasonable.
2. The method of claim 1, characterized in that the match information of the firewall rule specifically comprises the number of matches within the period of the firewall rule and the last match time.
3. The method of claim 1, characterized in that, before obtaining the match information of the firewall rule, it also comprises:
receiving registration information of a terminal device, creating a firewall rule for the terminal device according to a predetermined policy, and, after the firewall rule has been created, sending the firewall rule to the firewall device.
4. The method of claim 1, characterized in that determining according to the match information whether the firewall rule is reasonable specifically comprises:
determining the average match rate of the firewall rule according to the obtained number of matches in the period;
determining whether the firewall rule is reasonable according to the average match rate.
5. The method of claim 4, characterized in that determining according to the match information whether the firewall rule is reasonable specifically comprises:
determining whether the firewall rule is reasonable according to the average match rate of the firewall rule in the current period and the stored historical average match rates.
6. The method of claim 1, characterized in that, after determining according to the match information whether the firewall rule is reasonable, it also comprises:
when the firewall rule is determined to be unreasonable, sending an alarm message to the network administrator so that the network administrator adjusts the firewall rule according to the alarm message.
7. A firewall rule management device, applied on an NM server, characterized in that it comprises:
an acquisition module for obtaining the match information of a firewall rule;
a determination module for determining, according to the match information, whether the firewall rule is reasonable.
8. The device of claim 6, characterized in that the match information of the firewall rule specifically comprises the number of matches within the period of the firewall rule and the last match time.
9. The device of claim 6, characterized in that the determination module determining according to the match information whether the firewall rule is reasonable specifically comprises:
the determination module determining the average match rate of the firewall rule according to the obtained number of matches in the period;
the determination module determining whether the firewall rule is reasonable according to the average match rate.
10. The device of claim 9, characterized in that the determination module determining according to the match information whether the firewall rule is reasonable specifically comprises:
the determination module determining whether the firewall rule is reasonable according to the average match rate of the firewall rule in the current period and the stored historical average match rates.
11. The device of claim 6, characterized in that the device also comprises:
a processing module for, before the acquisition module obtains the match information of the firewall rule, receiving registration information of a terminal device, creating a firewall rule for the terminal device according to a predetermined policy, and, after the firewall rule has been created, sending the firewall rule to the firewall device.
12. The device of claim 6, characterized in that
the processing module is also for sending, when the firewall rule is determined to be unreasonable, an alarm message to the network administrator so that the network administrator adjusts the firewall rule according to the alarm message.
CN201410032663.1A 2014-01-23 2014-01-23 Method and device for managing firewall rules Pending CN103763323A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105721188A (en) * 2014-12-04 2016-06-29 北京神州泰岳信息安全技术有限公司 Firewall strategy check method and system
US9900285B2 (en) 2015-08-10 2018-02-20 International Business Machines Corporation Passport-controlled firewall
CN108566382A (en) * 2018-03-21 2018-09-21 北京理工大学 The fire wall adaptive ability method for improving of rule-based life cycle detection
CN108696369A (en) * 2017-04-06 2018-10-23 华为技术有限公司 A kind of warning information processing equipment and method
CN109088886A (en) * 2018-09-29 2018-12-25 郑州云海信息技术有限公司 The management method and device of monitoring strategies on firewall

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105721188A (en) * 2014-12-04 2016-06-29 北京神州泰岳信息安全技术有限公司 Firewall strategy check method and system
US9900285B2 (en) 2015-08-10 2018-02-20 International Business Machines Corporation Passport-controlled firewall
US10069798B2 (en) 2015-08-10 2018-09-04 International Business Machines Corporation Passport-controlled firewall
US10367788B2 (en) 2015-08-10 2019-07-30 International Business Machines Corporation Passport-controlled firewall
US10637829B2 (en) 2015-08-10 2020-04-28 International Business Machines Corporation Passport-controlled firewall
CN108696369A (en) * 2017-04-06 2018-10-23 华为技术有限公司 A kind of warning information processing equipment and method
CN108566382A (en) * 2018-03-21 2018-09-21 北京理工大学 The fire wall adaptive ability method for improving of rule-based life cycle detection
CN108566382B (en) * 2018-03-21 2020-12-08 北京理工大学 Firewall self-adaption capability improving method based on rule life cycle detection
CN109088886A (en) * 2018-09-29 2018-12-25 郑州云海信息技术有限公司 The management method and device of monitoring strategies on firewall
CN109088886B (en) * 2018-09-29 2021-10-01 郑州云海信息技术有限公司 Method and device for managing monitoring strategy on firewall

Similar Documents

Publication Publication Date Title
CN103763323A (en) Method and device for managing firewall rules
CN102340434B (en) Multihoming access-based loop avoidance method and edge devices
TWI640177B (en) Data delivery method and system in software defined network
WO2017218686A3 (en) Fixed line resource management
CN103227756B (en) Online protocol optimization method and device
CN104243237A (en) P2P flow detection method and device
CN103905251A (en) Network topology obtaining method and device
CN108111320A (en) A kind of local service charging method, server and charging gateway
CN105871964A (en) User experience (UE) processing method and device
WO2019030775A3 (en) Systems and methods for managing data related to vehicle(s)
CN109041086A (en) A kind of configuration method and device of OpenFlow example
US9401961B2 (en) Cloud-enhanced traffic controller
CN108494766A (en) WAF regulation managements method and WAF groups
CN105429823B (en) Flux of multicast detection method and device in distributed communication equipment
CN110611591B (en) Network topology establishing method and device
CN102136957A (en) Label switched path monitoring realization method, device and system
US9813159B2 (en) Method for setting maintenance association MA, apparatus, and system
CN103414648B (en) A kind of communication flow rate control method and system
CN106603722A (en) Management device determining method and device
CN103414653B (en) A kind of flow control methods and system
CN109218180A (en) Multicast control method and device based on Local Area Network
CN104780063B (en) node device login method and device
CN101431465A (en) Method, system and apparatus for confirming edge equipment
CN103812782B (en) Method for realizing multicast member management
JP5600626B2 (en) Traffic passing route analysis method, program, and apparatus

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant after: Xinhua three Technology Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Applicant before: Huasan Communication Technology Co., Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20140430