CN103905407A - Method and device for firewall access control strategy analysis - Google Patents


Info

Publication number
CN103905407A
Authority
CN
China
Prior art keywords
access control
control policy
address set
source
inclusion
Legal status
Pending
Application number
CN201210585072.8A
Other languages
Chinese (zh)
Inventor
付俊
张峰
冯运波
李友国
莫晓斌
卢楠
Current Assignee
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd

Abstract

The invention discloses a method and a device for analysing firewall access control policies. The method comprises the following steps: the analysis device acquires all access control policies of a firewall; among these, every access control policy whose action flag is "not allowed" is a safe access control policy; when the action flag of an access control policy is "allowed", the policy is a safe access control policy if its source IP address set is contained in the pre-configured untrusted IP address set, its destination IP address set is contained in the pre-configured access-permitted IP address set and its destination port number set is contained in the pre-configured access-permitted destination port number set, and otherwise it is an unsafe access control policy; and when the number of safe access control policies is greater than or equal to two, the analysis device performs an optimization analysis on every pair of safe access control policies. The efficiency of firewall access control policy analysis is thereby effectively improved, and the correctness of the analysis is guaranteed.

Description

Method and device for analysing firewall access control policies
Technical field
The present application relates to mobile communication technology, and in particular to a method and a device for analysing firewall access control policies.
Background
With the spread of enterprise IT, the information security of networks has attracted growing attention. To protect the information security of network devices, each network device is normally placed under the strict access control of a firewall. A firewall is an information security device combining software and hardware; it controls the data flowing through it according to access control policies and thereby protects the information security of the network. Each firewall usually holds a large number of access control policies, where each access control policy comprises a source IP address set, a destination IP address set, a destination port number set and an action flag, and the action flag is one of allow and deny (not allowed). When a packet passes through the firewall, the firewall matches the packet against every access control policy in turn and thereby decides whether to let the packet pass.
A typical access control policy is shown in Table 1 (the original table image is not reproduced; its contents are given in the description below):

Source IP address set      : 211.32.22.24, 211.32.22.25
Destination IP address set : 172.22.11.42, 172.22.11.43
Destination port number set: FTP (21), SSH (22)
Action flag                : allow

Table 1
At present, the operation and maintenance of a firewall is entirely the responsibility of the network administrator, and all of the firewall's access control policies are likewise analysed and handled by the network administrator. The purpose of analysing firewall access control policies is to find the policies that are unsafe or insufficiently optimized, so that they can subsequently be removed or optimized, which in turn safeguards the information security and the efficient operation of the network.
In the course of realizing the present invention, the inventors found that the prior art has at least the following problems:
As networks grow in scale and the number of network interfaces keeps increasing, the number of access control policies in a firewall keeps growing. If the analysis of firewall access control policies is carried out by the network administrator, the analysis becomes less and less efficient, and when the administrator lacks analysis experience the correctness of the analysis cannot be guaranteed either.
Summary of the invention
In view of this, the main object of the present invention is to provide a method for analysing firewall access control policies that not only effectively improves the efficiency of the analysis but also guarantees its correctness.
Another object of the present invention is to provide a device for analysing firewall access control policies that likewise effectively improves the efficiency of the analysis and guarantees its correctness.
To achieve the above objects, the technical solution of the present invention is realized as follows:
A method for analysing firewall access control policies, the method comprising:
an analysis device obtains all access control policies of a firewall, where each access control policy comprises a source IP address set, a destination IP address set, a destination port number set and an action flag, and the action flag is one of allow and deny;
for each access control policy, when the action flag is deny, the access control policy is a safe access control policy;
when the action flag is allow, and the source IP address set is contained in a pre-configured untrusted IP address set, and the destination IP address set is contained in a pre-configured access-permitted IP address set, and the destination port number set is contained in a pre-configured access-permitted destination port number set, the access control policy is a safe access control policy; otherwise the access control policy is an unsafe access control policy;
when the number of safe access control policies is greater than or equal to two, the analysis device performs an optimization analysis on every pair of safe access control policies according to the inclusion relations between their source IP address sets, their destination IP address sets and their destination port number sets, obtaining an optimization analysis result for every pair of safe access control policies.
A device for analysing firewall access control policies, comprising an acquiring unit and an analysis unit;
the acquiring unit is configured to obtain all access control policies of a firewall, where each access control policy comprises a source IP address set, a destination IP address set, a destination port number set and an action flag, and the action flag is one of allow and deny, and to send all of the access control policies to the analysis unit;
the analysis unit is configured to judge, for each access control policy, whether the action flag is deny; if so, the access control policy is a safe access control policy; otherwise it judges whether the source IP address set is contained in the pre-configured untrusted IP address set, whether the destination IP address set is contained in the pre-configured access-permitted IP address set, and whether the destination port number set is contained in the pre-configured access-permitted destination port number set; if all three hold, the access control policy is a safe access control policy, otherwise it is an unsafe access control policy; and, when the number of safe access control policies is greater than or equal to two, it performs an optimization analysis on every pair of safe access control policies according to the inclusion relations between their source IP address sets, destination IP address sets and destination port number sets, obtaining an optimization analysis result for every pair of safe access control policies.
Thus, in the technical solution of the present invention, the analysis device obtains all access control policies of the firewall; for each access control policy, when the action flag is deny the policy is a safe access control policy; when the action flag is allow, and the source IP address set is contained in the pre-configured untrusted IP address set, and the destination IP address set is contained in the pre-configured access-permitted IP address set, and the destination port number set is contained in the pre-configured access-permitted destination port number set, the policy is a safe access control policy, otherwise it is an unsafe access control policy; and when the number of safe access control policies is greater than or equal to two, the analysis device performs an optimization analysis on every pair of safe access control policies according to the inclusion relations between their source IP address sets, destination IP address sets and destination port number sets, obtaining an optimization analysis result for every pair. Because in the present invention each access control policy is analysed by the analysis device, which can judge the security of each policy efficiently and correctly, rather than by the network administrator, the method and device for analysing firewall access control policies proposed by the present invention, compared with the prior art, not only effectively improve the efficiency of the analysis but also guarantee its correctness.
Brief description of the drawings
Fig. 1 is a flow chart of the method for analysing firewall access control policies according to the present invention.
Fig. 2 is a flow chart of one implementation of step 101 in the present invention.
Fig. 3 is a flow chart of one implementation of step 107 in the present invention.
Fig. 4 is a schematic structural diagram of the device for analysing firewall access control policies in the present invention.
Detailed description
To address the problems of the prior art, the present invention proposes an improved scheme for analysing firewall access control policies that not only effectively improves the efficiency of the analysis but also guarantees its correctness.
To make the technical solution of the present invention clearer and easier to understand, the solution is described in further detail below with reference to the accompanying drawings and embodiments.
Fig. 1 is a flow chart of the method for analysing firewall access control policies according to the present invention. As shown in Fig. 1, the method comprises the following steps:
Step 101: the analysis device obtains all access control policies of the firewall, where each access control policy comprises a source IP address set, a destination IP address set, a destination port number set and an action flag, and the action flag is one of allow and deny.
In specific embodiments of the present invention, step 101 can be implemented in several ways. For example, Fig. 2 is a flow chart of one implementation of step 101. As shown in Fig. 2, it comprises the following steps:
Step 201: the analysis device connects to the login page for the firewall's access control policies, using the IP address of the firewall obtained in advance.
In specific embodiments of the present invention, the analysis device needs to obtain the IP address of the firewall in advance. In this step, it uses that IP address to connect to the login page for the firewall's access control policies.
Step 202: the analysis device obtains all access control policies of the firewall, using the user name and password obtained in advance.
In specific embodiments of the present invention, the analysis device also needs to obtain the user name and password for the login page in advance. In this step, it uses them to obtain all access control policies of the firewall. A firewall usually holds a large number of access control policies, each of which comprises a source IP address set, a destination IP address set, a destination port number set and an action flag, where the action flag is one of allow and deny. For example, as shown in Table 1, allow means that packets whose source IP address is 211.32.22.24 or 211.32.22.25, whose destination IP address is 172.22.11.42 or 172.22.11.43, and whose destination port number is FTP (21) or SSH (22) are allowed to pass through the firewall.
As the above description shows, through steps 201 to 202 the analysis device obtains all access control policies of the firewall; in the subsequent steps it analyses each access control policy and can thus judge the security of each one.
Step 102: for each access control policy, the analysis device judges whether the action flag is deny; if so, step 103 is performed; otherwise step 104 is performed.
In this step, for each access control policy, step 103 is performed when the action flag is deny, and step 104 is performed when the action flag is allow.
Step 103: the analysis device judges the access control policy to be a safe access control policy, and step 106 is performed.
In this step, for each access control policy whose action flag is deny, the analysis device judges the policy to be a safe access control policy, and step 106 is performed.
Alternatively, when the action flag is allow, and the source IP address set is contained in the pre-configured untrusted IP address set, and the destination IP address set is contained in the pre-configured access-permitted IP address set, and the destination port number set is contained in the pre-configured access-permitted destination port number set, the analysis device judges the policy to be a safe access control policy. For example, in specific embodiments of the present invention, suppose the pre-configured untrusted IP address set is {211.32.22.24, 211.32.22.25, 211.32.22.26, 211.32.22.27, 211.32.22.28}, the pre-configured access-permitted IP address set is {172.22.11.42, 172.22.11.43, 172.22.11.44}, and the pre-configured access-permitted destination port number set is {FTP (21), FTP (22), SSH (21), SSH (22)}. Suppose further that the access control policy is the one in Table 1. Because its action flag is allow, its source IP address set is contained in the pre-configured untrusted IP address set, its destination IP address set is contained in the pre-configured access-permitted IP address set, and its destination port number set is contained in the pre-configured access-permitted destination port number set, this access control policy is a safe access control policy, and step 106 is performed.
Step 104: the analysis device judges whether the source IP address set is contained in the pre-configured untrusted IP address set, whether the destination IP address set is contained in the pre-configured access-permitted IP address set, and whether the destination port number set is contained in the pre-configured access-permitted destination port number set; if all three hold, the flow returns to step 103; otherwise step 105 is performed.
In specific embodiments of the present invention, when the source IP address set is contained in the pre-configured untrusted IP address set, and the destination IP address set is contained in the pre-configured access-permitted IP address set, and the destination port number set is contained in the pre-configured access-permitted destination port number set, the flow returns to step 103; when the source IP address set is not contained in the pre-configured untrusted IP address set, or the destination IP address set is not contained in the pre-configured access-permitted IP address set, or the destination port number set is not contained in the pre-configured access-permitted destination port number set, step 105 is performed.
Step 105: the analysis device judges the access control policy to be an unsafe access control policy.
In this step, when the source IP address set is not contained in the pre-configured untrusted IP address set, or the destination IP address set is not contained in the pre-configured access-permitted IP address set, or the destination port number set is not contained in the pre-configured access-permitted destination port number set, the analysis device judges the policy to be an unsafe access control policy.
Step 106: the analysis device judges whether the number of safe access control policies is greater than or equal to two; if so, step 107 is performed; otherwise step 108 is performed.
Through steps 101 to 105 the analysis device judges the security of each access control policy, that is, whether each one is a safe or an unsafe access control policy. In this step, the analysis device judges whether the number of safe access control policies is greater than or equal to two; if so, step 107 is performed; otherwise step 108 is performed.
Step 107: the analysis device performs an optimization analysis on every pair of safe access control policies according to the inclusion relations between their source IP address sets, destination IP address sets and destination port number sets, obtaining an optimization analysis result for every pair of safe access control policies.
In this step, the analysis device performs the optimization analysis pairwise over all safe access control policies. In specific embodiments of the present invention, suppose the firewall has 4 safe access control policies: access control policy A, access control policy B, access control policy C and access control policy D. The analysis device analyses the pairs A and B, A and C, A and D, B and C, B and D, and C and D respectively, obtaining an optimization analysis result for each pair of safe access control policies.
Step 108: the analysis device ends the analysis of the firewall access control policies.
In this step, when the number of safe access control policies is less than two, the analysis device ends the analysis of the firewall access control policies.
As the above description shows, through steps 101 to 108 the analysis device obtains all access control policies of the firewall; for each access control policy, when the action flag is deny the policy is a safe access control policy; when the action flag is allow, and the source IP address set is contained in the pre-configured untrusted IP address set, and the destination IP address set is contained in the pre-configured access-permitted IP address set, and the destination port number set is contained in the pre-configured access-permitted destination port number set, the policy is a safe access control policy, otherwise it is an unsafe access control policy; and when the number of safe access control policies is greater than or equal to two, the analysis device performs an optimization analysis on every pair of safe access control policies according to the inclusion relations between their source IP address sets, destination IP address sets and destination port number sets, obtaining an optimization analysis result for every pair. Because in the present invention each access control policy is analysed by the analysis device rather than by the network administrator, and the analysis device judges the security of each policy efficiently and correctly, the method for analysing firewall access control policies proposed by the present invention, compared with the prior art, not only effectively improves the efficiency of the analysis but also guarantees its correctness.
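As an added illustration, not code from the patent, the classification of steps 101 to 108 in Python, using the pre-configured sets and the Table 1 policy from the description. Rule names, rules B, C and D, the port numbers 21 and 22 standing in for FTP (21) and SSH (22), and the treatment of IP sets as enumerated addresses rather than CIDR ranges are assumptions made here.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple

ALLOW = "allow"
DENY = "deny"


@dataclass(frozen=True)
class Rule:
    """One access control policy as the description defines it: source IP set,
    destination IP set, destination port number set and an action flag."""
    name: str
    src: FrozenSet[str]
    dst: FrozenSet[str]
    dports: FrozenSet[int]
    action: str


@dataclass(frozen=True)
class Baseline:
    """The three pre-configured reference sets used by steps 103 and 104."""
    untrusted_src: FrozenSet[str]
    allowed_dst: FrozenSet[str]
    allowed_dports: FrozenSet[int]


def failed_checks(rule: Rule, base: Baseline) -> List[str]:
    """Return the containment checks of step 104 that fail for this rule.
    A deny rule (steps 102/103) never fails a check; an allow rule is safe
    only when the returned list is empty (step 103), unsafe otherwise (105)."""
    if rule.action == DENY:
        return []
    failed = []
    if not rule.src <= base.untrusted_src:
        failed.append("source IP set not within untrusted set")
    if not rule.dst <= base.allowed_dst:
        failed.append("destination IP set not within access-permitted set")
    if not rule.dports <= base.allowed_dports:
        failed.append("destination port set not within access-permitted ports")
    return failed


def is_safe(rule: Rule, base: Baseline) -> bool:
    return not failed_checks(rule, base)


def classify(rules: List[Rule], base: Baseline) -> Tuple[List[Rule], List[Rule]]:
    """Split the firewall's rules into (safe, unsafe), preserving rule order."""
    safe = [r for r in rules if is_safe(r, base)]
    unsafe = [r for r in rules if not is_safe(r, base)]
    return safe, unsafe


def pairs_for_optimisation(safe: List[Rule]) -> List[Tuple[str, str]]:
    """Steps 106 to 108: only when two or more safe rules exist is every
    unordered pair handed to the optimisation analysis of step 107."""
    if len(safe) < 2:
        return []
    return [(a.name, b.name) for a, b in combinations(safe, 2)]


# Pre-configured sets taken from the example under step 103.
BASELINE = Baseline(
    untrusted_src=frozenset({"211.32.22.24", "211.32.22.25", "211.32.22.26",
                             "211.32.22.27", "211.32.22.28"}),
    allowed_dst=frozenset({"172.22.11.42", "172.22.11.43", "172.22.11.44"}),
    allowed_dports=frozenset({21, 22}),  # FTP (21) and SSH (22) as plain ports
)

# Constructed sample rule base: A is the Table 1 policy; B, C and D are
# invented here to exercise the deny branch and the failure modes of step 104.
RULES = [
    Rule("A", frozenset({"211.32.22.24", "211.32.22.25"}),
         frozenset({"172.22.11.42", "172.22.11.43"}), frozenset({21, 22}), ALLOW),
    Rule("B", frozenset({"10.0.0.5"}), frozenset({"172.22.11.42"}),
         frozenset({23}), DENY),
    Rule("C", frozenset({"211.32.22.26"}), frozenset({"172.22.11.44"}),
         frozenset({22}), ALLOW),
    Rule("D", frozenset({"211.32.22.99"}), frozenset({"172.22.11.42"}),
         frozenset({21, 3389}), ALLOW),
]


def run_analysis(rules: List[Rule] = RULES, base: Baseline = BASELINE) -> Dict:
    """Steps 101 to 108 end to end: safe names, unsafe names with the reasons,
    and the pairs that step 107 would analyse."""
    safe, unsafe = classify(rules, base)
    return {
        "safe": [r.name for r in safe],
        "unsafe": {r.name: failed_checks(r, base) for r in unsafe},
        "pairs": pairs_for_optimisation(safe),
    }


if __name__ == "__main__":
    for key, value in run_analysis().items():
        print(key, value)
```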
In specific embodiments of the present invention, step 107 can be implemented in several ways. For example, Fig. 3 is a flow chart of one implementation of step 107. As shown in Fig. 3, it comprises the following steps:
Step 301: the analysis device sets one of the two safe access control policies as the first access control policy and the other as the second access control policy.
In this step, the analysis device may set either of the two safe access control policies as the first access control policy and the other as the second. In specific embodiments of the present invention, suppose the analysis device is to analyse access control policy A and access control policy B; it may set A as the first access control policy and B as the second, or equally B as the first and A as the second.
Step 302: the analysis device judges whether an inclusion relation exists between the source IP address set of the first access control policy and that of the second, between the destination IP address set of the first and that of the second, and between the destination port number set of the first and that of the second; if all three relations exist, step 303 is performed; otherwise step 304 is performed.
In specific embodiments of the present invention, an inclusion relation means: contains, or is contained in.
In this step, the analysis device judges whether all three pairs of sets (source IP address sets, destination IP address sets and destination port number sets of the first and second access control policies) have an inclusion relation. For example, suppose the first access control policy has source IP address set {211.32.22.24}, destination IP address set {172.22.11.42} and destination port number set {FTP (21), SSH (22)}, and the second access control policy has source IP address set {211.32.22.24, 211.32.22.25}, destination IP address set {172.22.11.42, 172.22.11.43} and destination port number set {FTP (21)}. Because the source IP address set of the first is contained in that of the second, the destination IP address set of the first is contained in that of the second, and the destination port number set of the first contains that of the second, all three pairs of sets have an inclusion relation.
Step 303: the first access control policy and the second access control policy are access control policies that are not optimized with respect to each other.
In this step, when the source IP address sets, the destination IP address sets and the destination port number sets of the first and second access control policies all have an inclusion relation, the first and second access control policies are not optimized with respect to each other.
In preferred embodiment of the present invention, the described access control policy of not optimizing can be further divided into: the access control policy of non-intersection and the access control policy of intersection.Particularly, when the inclusion relation of the source IP address set in source IP address set and the second access control policy in the first access control policy, the inclusion relation of the object IP address set in object IP address set and the second access control policy in the first access control policy, and the inclusion relation homogeneous phase of first the destination slogan set in access control policy and the destination slogan set in the second access control policy simultaneously, the first access control policy and the second access control policy non-access control policy intersecting each other, otherwise, the access control policy that the first access control policy and the second access control policy intersect each other.
For example, suppose that the source IP address set in the first access control policy is: 211.32.22.24}, object IP address set is: 172.22.11.42}, the set of destination slogan is: and FTP(21), SSH(22), source IP address set in the second access control policy is: { 211.32.22.24, 211.32.22.25}, object IP address set is: { 172.22.11.42, 172.22.11.43}, the set of destination slogan is: FTP(21) }, due to the source IP address set of the source IP address set-inclusion in the first access control policy in the second access control policy, object IP address set in the first access control policy is contained in the object IP address set in the second access control policy, and the destination slogan set in destination slogan set-inclusion the second access control policy in the first access control policy, as can be seen here, the inclusion relation of the source IP address set in source IP address set and the second access control policy in the first access control policy, the inclusion relation of the object IP address set in object IP address set and the second access control policy in the first access control policy, and first destination slogan set in access control policy not identical with the inclusion relation of the destination slogan set in the second access control policy, therefore, the access control policy that the first access control policy and the second access control policy intersect each other.
Particularly, described the first access control policy and described the second access control policy each other non-access control policy intersecting comprise: the source IP address set described in the source IP address set-inclusion in described the first access control policy in the second access control policy, and the object IP address set in described the first access control policy comprises the object IP address set in described the second access control policy, and the destination slogan set in the second access control policy described in destination slogan set-inclusion in described the first access control policy; Or, the source IP address set of source IP address set-inclusion in described the first access control policy in described the second access control policy, and the object IP address set in described the first access control policy is contained in the object IP address set in described the second access control policy, and the destination slogan set in described the second access control policy of destination slogan set-inclusion in described the first access control policy.
Specifically, the first access control policy and the second access control policy are mutually intersecting access control policies when: the source IP address set in the first access control policy contains the source IP address set in the second access control policy, the destination IP address set in the first access control policy contains the destination IP address set in the second access control policy, and the destination port number set in the first access control policy is contained in the destination port number set in the second access control policy;
Or, the source IP address set in the first access control policy contains the source IP address set in the second access control policy, the destination IP address set in the first access control policy is contained in the destination IP address set in the second access control policy, and the destination port number set in the first access control policy contains the destination port number set in the second access control policy;
Or, the source IP address set in the first access control policy contains the source IP address set in the second access control policy, the destination IP address set in the first access control policy is contained in the destination IP address set in the second access control policy, and the destination port number set in the first access control policy is contained in the destination port number set in the second access control policy;
Or, the source IP address set in the first access control policy is contained in the source IP address set in the second access control policy, the destination IP address set in the first access control policy contains the destination IP address set in the second access control policy, and the destination port number set in the first access control policy contains the destination port number set in the second access control policy;
Or, the source IP address set in the first access control policy is contained in the source IP address set in the second access control policy, the destination IP address set in the first access control policy contains the destination IP address set in the second access control policy, and the destination port number set in the first access control policy is contained in the destination port number set in the second access control policy;
Or, the source IP address set in the first access control policy is contained in the source IP address set in the second access control policy, the destination IP address set in the first access control policy is contained in the destination IP address set in the second access control policy, and the destination port number set in the first access control policy contains the destination port number set in the second access control policy.
Preferably, the non-intersecting access control policies can be further divided into non-intersecting overlapping access control policies and non-intersecting conflicting access control policies; the intersecting access control policies can be further divided into intersecting overlapping access control policies and intersecting conflicting access control policies.
Specifically, when the first access control policy and the second access control policy are mutually non-intersecting access control policies and the action identifier in the first access control policy is identical to the action identifier in the second access control policy, the first access control policy and the second access control policy are mutually non-intersecting overlapping access control policies; otherwise, they are mutually non-intersecting conflicting access control policies. For example, when the first access control policy and the second access control policy are mutually non-intersecting access control policies and the action identifiers in both are 'allow', the first access control policy and the second access control policy are mutually non-intersecting overlapping access control policies.
When the first access control policy and the second access control policy are mutually intersecting access control policies and the action identifier in the first access control policy is identical to the action identifier in the second access control policy, the first access control policy and the second access control policy are mutually intersecting overlapping access control policies; otherwise, they are mutually intersecting conflicting access control policies. For example, when the first access control policy and the second access control policy are mutually intersecting access control policies and the action identifiers in both are 'allow', the first access control policy and the second access control policy are mutually intersecting overlapping access control policies.
Step 304: the first access control policy and the second access control policy are mutually optimized access control policies.
In this step, when no inclusion relation exists between the source IP address set in the first access control policy and the source IP address set in the second access control policy, or between the destination IP address set in the first access control policy and the destination IP address set in the second access control policy, or between the destination port number set in the first access control policy and the destination port number set in the second access control policy, the first access control policy and the second access control policy are mutually optimized access control policies.
As can be seen from the above description, through steps 301 to 304 the analysis device can perform optimization analysis on every two safe access control policies and obtain an optimization analysis result for each pair; the access control policies found to be insufficiently optimized can subsequently be optimized, thereby ensuring efficient operation of the network.
In the analysis method for firewall access control policies proposed by the present invention, the analysis device obtains all access control policies of the firewall. In each access control policy, when the action identifier is 'not allow', the access control policy is a safe access control policy; when the action identifier is 'allow', the source IP address set is contained in the pre-set untrusted IP address set, the destination IP address set is contained in the pre-set access-allowed IP address set, and the destination port number set is contained in the pre-set access-allowed destination port number set, the access control policy is a safe access control policy; otherwise, the access control policy is an unsafe access control policy. When the number of safe access control policies is greater than or equal to two, the analysis device performs optimization analysis on every two safe access control policies according to the inclusion relations between their source IP address sets, destination IP address sets and destination port number sets, and obtains an optimization analysis result for each pair. Because in the present invention each access control policy is analyzed by the analysis device, which can judge the safety of each access control policy efficiently and correctly, rather than by a network administrator analyzing each access control policy, the analysis method for firewall access control policies proposed by the present invention, compared with the prior art, not only effectively improves the efficiency of firewall access control policy analysis but also guarantees the correctness of that analysis.
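To make the method concrete, the following is an added example in Python; it is not part of the patent and not the applicant's code. It models an access control policy as three sets (source addresses, destination addresses, destination ports), each stored as a list of closed integer intervals so that a single inclusion test serves every dimension, applies the safety test described above against constructed untrusted, access-allowed address and access-allowed port sets, and then classifies every pair of safe policies in the patent's own terms (mutually optimized; non-intersecting or intersecting; overlapping or conflicting). The rule names R1 to R6, the reference sets, and the treatment of two equal sets as satisfying the inclusion relation in both directions are assumptions of this example, not statements of the patent.

```python
"""Added example (not the patent's own code): a Python model of the
firewall access control policy analysis method described above.
IP address sets and port sets are both lists of closed [lo, hi]
integer intervals. All rules and reference sets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations


def cidr(prefix):
    """Turn a CIDR string into one closed [first, last] integer interval."""
    n = ip_network(prefix, strict=False)
    return (int(n.network_address), int(n.broadcast_address))


def merge(intervals):
    """Merge overlapping or adjacent intervals into a sorted canonical list."""
    out = []
    for lo, hi in sorted(intervals):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out


def includes(a, b):
    """True if the integer set a contains every element of the integer set b."""
    a = merge(a)
    return all(any(alo <= lo and hi <= ahi for alo, ahi in a)
               for lo, hi in merge(b))


def directions(a, b):
    """Inclusion relation between a and b as a set of directions: '>=' if a
    contains b, '<=' if b contains a, both if the sets are equal, empty if
    neither holds. Counting equality as both directions is this example's
    assumption; the patent text does not address equal sets."""
    d = set()
    if includes(a, b):
        d.add(">=")
    if includes(b, a):
        d.add("<=")
    return d


@dataclass(frozen=True)
class Policy:
    name: str
    src: tuple      # source IP address set as intervals
    dst: tuple      # destination IP address set as intervals
    dports: tuple   # destination port number set as intervals
    action: str     # "allow" or "deny" (the patent's 'allow' / 'not allow')


def is_safe(p, untrusted, allowed_dst, allowed_ports):
    """Safety test: a 'not allow' rule is always safe; an 'allow' rule is safe
    only if all three of its sets lie inside the pre-set reference sets."""
    if p.action == "deny":
        return True
    return (includes(untrusted, p.src) and includes(allowed_dst, p.dst)
            and includes(allowed_ports, p.dports))


def classify_pair(p1, p2):
    """Steps 302-304: relation of two safe policies in the patent's terms."""
    dirs = [directions(getattr(p1, f), getattr(p2, f))
            for f in ("src", "dst", "dports")]
    if not all(dirs):
        return "optimized"  # some dimension has no inclusion relation at all
    shape = "non-intersecting" if dirs[0] & dirs[1] & dirs[2] else "intersecting"
    kind = "overlapping" if p1.action == p2.action else "conflicting"
    return f"{shape} {kind}"


def analyze(policies, untrusted, allowed_dst, allowed_ports):
    """Whole method: keep the safe policies, then classify every pair of them."""
    safe = [p for p in policies if is_safe(p, untrusted, allowed_dst, allowed_ports)]
    unsafe = [p.name for p in policies if p not in safe]
    pairs = {(a.name, b.name): classify_pair(a, b) for a, b in combinations(safe, 2)}
    return unsafe, pairs


# Constructed reference sets (assumed, not from the patent).
UNTRUSTED = (cidr("203.0.113.0/24"),)
ALLOWED_DST = (cidr("192.0.2.0/24"),)
ALLOWED_PORTS = ((80, 80), (443, 443))

# Constructed rule base (assumed, not from the patent).
RULES = [
    Policy("R1", (cidr("203.0.113.0/24"),), (cidr("192.0.2.0/24"),), ((80, 80), (443, 443)), "allow"),
    Policy("R2", (cidr("203.0.113.0/25"),), (cidr("192.0.2.10/32"),), ((443, 443),), "allow"),
    Policy("R3", (cidr("203.0.113.0/25"),), (cidr("192.0.2.0/24"),), ((80, 80),), "deny"),
    Policy("R4", (cidr("198.51.100.0/24"),), (cidr("192.0.2.0/24"),), ((22, 22),), "allow"),
    Policy("R5", (cidr("203.0.113.128/25"),), (cidr("192.0.2.0/24"),), ((80, 80),), "allow"),
    Policy("R6", (cidr("203.0.113.0/26"),), (cidr("192.0.2.0/24"),), ((443, 443),), "allow"),
]

if __name__ == "__main__":
    unsafe_names, verdicts = analyze(RULES, UNTRUSTED, ALLOWED_DST, ALLOWED_PORTS)
    print("unsafe:", unsafe_names)
    for names, verdict in verdicts.items():
        print(names, "->", verdict)
```

Running the block reports R4 as unsafe (its source range lies outside the untrusted set and port 22 outside the allowed ports, so it is excluded from the pairwise step), R1 and R2 as non-intersecting overlapping (R2 is subsumed by R1 in all three dimensions with the same action), R1 and R3 as non-intersecting conflicting (R3 is subsumed by R1 but prescribes the opposite action for that traffic), and R2 and R6 as intersecting overlapping (R2 contains R6's sources while R6 contains R2's destinations). One caveat follows directly from the definition in step 304: a pair whose sets partially overlap in some dimension without either containing the other is reported as optimized even though traffic can still match both rules, so a rule base is best checked with an intersection test as well.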
Fig. 4 is a schematic structural diagram of the analysis device for firewall access control policies in the present invention. As shown in Fig. 4, the device comprises an acquisition unit 401 and an analysis unit 402;
The acquisition unit 401 is configured to obtain all access control policies of the firewall, wherein each access control policy comprises a source IP address set, a destination IP address set, a destination port number set and an action identifier, and the action identifier comprises 'allow' and 'not allow'; and to send all the access control policies to the analysis unit 402;
The analysis unit 402 is configured, for each access control policy, to judge whether the action identifier is 'not allow'; if so, the access control policy is a safe access control policy; otherwise, to judge whether the source IP address set is contained in the pre-set untrusted IP address set, whether the destination IP address set is contained in the pre-set access-allowed IP address set, and whether the destination port number set is contained in the pre-set access-allowed destination port number set; if all three hold, the access control policy is a safe access control policy, otherwise it is an unsafe access control policy. The analysis unit 402 is further configured, when the number of safe access control policies is greater than or equal to two, to perform optimization analysis on every two safe access control policies according to the inclusion relations between their source IP address sets, destination IP address sets and destination port number sets, obtaining an optimization analysis result for each pair.
Further, the analysis unit 402 is also configured to set one of the two safe access control policies as the first access control policy and the other as the second access control policy; when an inclusion relation exists between the source IP address set in the first access control policy and the source IP address set in the second access control policy, between the destination IP address set in the first access control policy and the destination IP address set in the second access control policy, and between the destination port number set in the first access control policy and the destination port number set in the second access control policy, the first access control policy and the second access control policy are mutually non-optimized access control policies; otherwise, the first access control policy and the second access control policy are mutually optimized access control policies.
Further, the non-optimized access control policies comprise: non-intersecting access control policies and intersecting access control policies;
The analysis unit 402 is also configured to judge whether the inclusion relation between the source IP address set in the first access control policy and the source IP address set in the second access control policy, the inclusion relation between the destination IP address set in the first access control policy and the destination IP address set in the second access control policy, and the inclusion relation between the destination port number set in the first access control policy and the destination port number set in the second access control policy are all identical; if so, the first access control policy and the second access control policy are mutually non-intersecting access control policies; otherwise, the first access control policy and the second access control policy are mutually intersecting access control policies.
Further, the first access control policy and the second access control policy being mutually non-intersecting access control policies comprises:
the source IP address set in the first access control policy contains the source IP address set in the second access control policy, the destination IP address set in the first access control policy contains the destination IP address set in the second access control policy, and the destination port number set in the first access control policy contains the destination port number set in the second access control policy;
Or, the source IP address set in the first access control policy is contained in the source IP address set in the second access control policy, the destination IP address set in the first access control policy is contained in the destination IP address set in the second access control policy, and the destination port number set in the first access control policy is contained in the destination port number set in the second access control policy.
Further, the first access control policy and the second access control policy being mutually intersecting access control policies comprises:
the source IP address set in the first access control policy contains the source IP address set in the second access control policy, the destination IP address set in the first access control policy contains the destination IP address set in the second access control policy, and the destination port number set in the first access control policy is contained in the destination port number set in the second access control policy;
Or, the source IP address set in the first access control policy contains the source IP address set in the second access control policy, the destination IP address set in the first access control policy is contained in the destination IP address set in the second access control policy, and the destination port number set in the first access control policy contains the destination port number set in the second access control policy;
Or, the source IP address set in the first access control policy contains the source IP address set in the second access control policy, the destination IP address set in the first access control policy is contained in the destination IP address set in the second access control policy, and the destination port number set in the first access control policy is contained in the destination port number set in the second access control policy;
Or, the source IP address set in the first access control policy is contained in the source IP address set in the second access control policy, the destination IP address set in the first access control policy contains the destination IP address set in the second access control policy, and the destination port number set in the first access control policy contains the destination port number set in the second access control policy;
Or, the source IP address set in the first access control policy is contained in the source IP address set in the second access control policy, the destination IP address set in the first access control policy contains the destination IP address set in the second access control policy, and the destination port number set in the first access control policy is contained in the destination port number set in the second access control policy;
Or, the source IP address set in the first access control policy is contained in the source IP address set in the second access control policy, the destination IP address set in the first access control policy is contained in the destination IP address set in the second access control policy, and the destination port number set in the first access control policy contains the destination port number set in the second access control policy.
Further, the non-intersecting access control policies comprise: non-intersecting overlapping access control policies and non-intersecting conflicting access control policies;
The analysis unit 402 is also configured to judge whether the first access control policy and the second access control policy are mutually non-intersecting access control policies and whether the action identifier in the first access control policy is identical to the action identifier in the second access control policy; if both hold, the first access control policy and the second access control policy are mutually non-intersecting overlapping access control policies; otherwise, the first access control policy and the second access control policy are mutually non-intersecting conflicting access control policies.
Further, the intersecting access control policies comprise: intersecting overlapping access control policies and intersecting conflicting access control policies;
The analysis unit 402 is also configured to judge whether the first access control policy and the second access control policy are mutually intersecting access control policies and whether the action identifier in the first access control policy is identical to the action identifier in the second access control policy; if both hold, the first access control policy and the second access control policy are mutually intersecting overlapping access control policies; otherwise, the first access control policy and the second access control policy are mutually intersecting conflicting access control policies.
In the analysis device for firewall access control policies proposed by the present invention, the acquisition unit obtains all access control policies of the firewall, and the analysis unit, for each access control policy, judges whether the action identifier is 'not allow'; if so, the access control policy is a safe access control policy; otherwise, it judges whether the source IP address set is contained in the pre-set untrusted IP address set, whether the destination IP address set is contained in the pre-set access-allowed IP address set, and whether the destination port number set is contained in the pre-set access-allowed destination port number set; if all three hold, the access control policy is a safe access control policy, otherwise it is an unsafe access control policy. When the number of safe access control policies is greater than or equal to two, the analysis device performs optimization analysis on every two safe access control policies according to the inclusion relations between their source IP address sets, destination IP address sets and destination port number sets, and obtains an optimization analysis result for each pair. Because in the present invention each access control policy is analyzed by the analysis device, which can judge the safety of each access control policy efficiently and correctly, rather than by a network administrator analyzing each access control policy, the analysis device for firewall access control policies proposed by the present invention, compared with the prior art, not only effectively improves the efficiency of firewall access control policy analysis but also guarantees the correctness of that analysis.
For the specific workflow of the device embodiment shown in Fig. 4, refer to the corresponding description of the method embodiment shown in Fig. 1; it is not repeated here.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the present invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.

Claims (14)

1. An analysis method for firewall access control policies, characterized in that it comprises:
an analysis device obtains all access control policies of a firewall, wherein each access control policy comprises: a source IP address set, a destination IP address set, a destination port number set and an action identifier, and wherein the action identifier comprises: 'allow' and 'not allow';
in each access control policy, when the action identifier is 'not allow', the access control policy is a safe access control policy;
when the action identifier is 'allow', and the source IP address set is contained in a pre-set untrusted IP address set, the destination IP address set is contained in a pre-set access-allowed IP address set, and the destination port number set is contained in a pre-set access-allowed destination port number set, the access control policy is a safe access control policy; otherwise, the access control policy is an unsafe access control policy;
when the number of safe access control policies is greater than or equal to two, the analysis device performs optimization analysis on every two safe access control policies according to the inclusion relations between their source IP address sets, destination IP address sets and destination port number sets, and obtains an optimization analysis result for every two safe access control policies.
2. The method according to claim 1, characterized in that performing optimization analysis on every two safe access control policies comprises:
the analysis device sets one of the two safe access control policies as a first access control policy and the other safe access control policy as a second access control policy;
when an inclusion relation exists between the source IP address set in the first access control policy and the source IP address set in the second access control policy, between the destination IP address set in the first access control policy and the destination IP address set in the second access control policy, and between the destination port number set in the first access control policy and the destination port number set in the second access control policy, the first access control policy and the second access control policy are mutually non-optimized access control policies; otherwise, the first access control policy and the second access control policy are mutually optimized access control policies.
3. The method according to claim 2, characterized in that the non-optimized access control policies comprise: non-intersecting access control policies and intersecting access control policies;
when the inclusion relation between the source IP address set in the first access control policy and the source IP address set in the second access control policy, the inclusion relation between the destination IP address set in the first access control policy and the destination IP address set in the second access control policy, and the inclusion relation between the destination port number set in the first access control policy and the destination port number set in the second access control policy are all identical, the first access control policy and the second access control policy are mutually non-intersecting access control policies; otherwise, the first access control policy and the second access control policy are mutually intersecting access control policies.
4. The method according to claim 3, characterized in that the first access control policy and the second access control policy being mutually non-intersecting access control policies comprises:
the source IP address set in the first access control policy contains the source IP address set in the second access control policy, the destination IP address set in the first access control policy contains the destination IP address set in the second access control policy, and the destination port number set in the first access control policy contains the destination port number set in the second access control policy;
Or, the source IP address set in the first access control policy is contained in the source IP address set in the second access control policy, the destination IP address set in the first access control policy is contained in the destination IP address set in the second access control policy, and the destination port number set in the first access control policy is contained in the destination port number set in the second access control policy.
5. The method according to claim 3, characterized in that the first access control policy and the second access control policy being mutually intersecting access control policies comprises:
the source IP address set in the first access control policy contains the source IP address set in the second access control policy, the destination IP address set in the first access control policy contains the destination IP address set in the second access control policy, and the destination port number set in the first access control policy is contained in the destination port number set in the second access control policy;
Or, the source IP address set in the first access control policy contains the source IP address set in the second access control policy, the destination IP address set in the first access control policy is contained in the destination IP address set in the second access control policy, and the destination port number set in the first access control policy contains the destination port number set in the second access control policy;
Or, the source IP address set in the first access control policy contains the source IP address set in the second access control policy, the destination IP address set in the first access control policy is contained in the destination IP address set in the second access control policy, and the destination port number set in the first access control policy is contained in the destination port number set in the second access control policy;
Or, the source IP address set in the first access control policy is contained in the source IP address set in the second access control policy, the destination IP address set in the first access control policy contains the destination IP address set in the second access control policy, and the destination port number set in the first access control policy contains the destination port number set in the second access control policy;
Or, the source IP address set in the first access control policy is contained in the source IP address set in the second access control policy, the destination IP address set in the first access control policy contains the destination IP address set in the second access control policy, and the destination port number set in the first access control policy is contained in the destination port number set in the second access control policy;
Or, the source IP address set in the first access control policy is contained in the source IP address set in the second access control policy, the destination IP address set in the first access control policy is contained in the destination IP address set in the second access control policy, and the destination port number set in the first access control policy contains the destination port number set in the second access control policy.
6. The method according to claim 3, characterized in that the non-intersecting access control policies comprise: non-intersecting overlapping access control policies and non-intersecting conflicting access control policies;
when the first access control policy and the second access control policy are mutually non-intersecting access control policies, and the action identifier in the first access control policy is identical to the action identifier in the second access control policy, the first access control policy and the second access control policy are mutually non-intersecting overlapping access control policies; otherwise, the first access control policy and the second access control policy are mutually non-intersecting conflicting access control policies.
7. The method according to claim 3, characterized in that the intersecting access control policies comprise: intersecting overlapping access control policies and intersecting conflicting access control policies;
when the first access control policy and the second access control policy are mutually intersecting access control policies, and the action identifier in the first access control policy is identical to the action identifier in the second access control policy, the first access control policy and the second access control policy are mutually intersecting overlapping access control policies; otherwise, the first access control policy and the second access control policy are mutually intersecting conflicting access control policies.
8. An analysis device for firewall access control policies, characterized in that it comprises: an acquisition unit and an analysis unit;
the acquisition unit is configured to obtain all access control policies of a firewall, wherein each access control policy comprises: a source IP address set, a destination IP address set, a destination port number set and an action identifier, and wherein the action identifier comprises: 'allow' and 'not allow'; and to send all the access control policies to the analysis unit;
the analysis unit is configured, for each access control policy, to judge whether the action identifier is 'not allow'; if so, the access control policy is a safe access control policy; otherwise, to judge whether the source IP address set is contained in a pre-set untrusted IP address set, whether the destination IP address set is contained in a pre-set access-allowed IP address set, and whether the destination port number set is contained in a pre-set access-allowed destination port number set; if all three hold, the access control policy is a safe access control policy, otherwise the access control policy is an unsafe access control policy; and, when the number of safe access control policies is greater than or equal to two, to perform optimization analysis on every two safe access control policies according to the inclusion relations between their source IP address sets, destination IP address sets and destination port number sets, obtaining an optimization analysis result for every two safe access control policies.
9. The device according to claim 8, characterized in that the analysis unit is further configured to set one of the two safe access control policies as a first access control policy and the other safe access control policy as a second access control policy; when an inclusion relation exists between the source IP address set in the first access control policy and the source IP address set in the second access control policy, between the destination IP address set in the first access control policy and the destination IP address set in the second access control policy, and between the destination port number set in the first access control policy and the destination port number set in the second access control policy, the first access control policy and the second access control policy are mutually non-optimized access control policies; otherwise, the first access control policy and the second access control policy are mutually optimized access control policies.
10. The device according to claim 9, characterized in that the non-optimized access control policies comprise: non-intersecting access control policies and intersecting access control policies;
the analysis unit is further configured to judge whether the inclusion relation between the source IP address set in the first access control policy and the source IP address set in the second access control policy, the inclusion relation between the destination IP address set in the first access control policy and the destination IP address set in the second access control policy, and the inclusion relation between the destination port number set in the first access control policy and the destination port number set in the second access control policy are all identical; if so, the first access control policy and the second access control policy are mutually non-intersecting access control policies; otherwise, the first access control policy and the second access control policy are mutually intersecting access control policies.
11. The device according to claim 10, characterized in that the first access control policy and the second access control policy being mutually non-intersecting access control policies comprises:
the source IP address set in the first access control policy contains the source IP address set in the second access control policy, the destination IP address set in the first access control policy contains the destination IP address set in the second access control policy, and the destination port number set in the first access control policy contains the destination port number set in the second access control policy;
Or, the source IP address set in the first access control policy is contained in the source IP address set in the second access control policy, the destination IP address set in the first access control policy is contained in the destination IP address set in the second access control policy, and the destination port number set in the first access control policy is contained in the destination port number set in the second access control policy.
12. devices according to claim 10, is characterized in that, described the first access control policy comprises with the access control policy that described the second access control policy intersects each other:
Source IP address described in source IP address set-inclusion in described the first access control policy in the second access control policy, and the object IP address set in described the first access control policy comprises the object IP address set in described the second access control policy, and the destination slogan set in described the second access control policy of destination slogan set-inclusion in described the first access control policy;
Or, source IP address set described in source IP address set-inclusion in described the first access control policy in the second access control policy, and when the object IP address set in described the first access control policy is contained in the object IP address set in described the second access control policy, and the destination slogan set in the second access control policy described in destination slogan set-inclusion in described the first access control policy;
Or, source IP address set described in source IP address set-inclusion in described the first access control policy in the second access control policy, and the object IP address set in described the first access control policy is contained in the object IP address set in described the second access control policy, and the destination slogan set in described the second access control policy of destination slogan set-inclusion in described the first access control policy;
Or, the source IP address set of source IP address set-inclusion in described the first access control policy in described the second access control policy, and the object IP address set in described the first access control policy comprises the object IP address set in described the second access control policy, and the destination slogan set in the second access control policy described in destination slogan set-inclusion in described the first access control policy;
Or, the source IP address set of source IP address set-inclusion in described the first access control policy in described the second access control policy, and the object IP address set in described the first access control policy comprises the object IP address set in described the second access control policy, and the port numbers set in described the second access control policy of destination slogan set-inclusion in described the first access control policy;
Or, the source IP address set of source IP address set-inclusion in described the first access control policy in described the second access control policy, and the object IP address set in described the first access control policy is contained in the object IP address set in described the second access control policy, and the port numbers set in the second access control policy described in destination slogan set-inclusion in described the first access control policy.
13. devices according to claim 10, is characterized in that, the access control policy of described non-intersection comprises: the access control policy of non-overlapping access control policy and the conflict of non-intersection;
Described analytic unit, also for judging described the first access control policy and the whether each other non-access control policy intersecting of described the second access control policy, and whether the action identification in described the first access control policy is identical with the action identification in described the second access control policy, if, described the first access control policy and described the second access control policy non-overlapping access control policy each other, otherwise, described the first access control policy and described the second access control policy non-access control policy conflicting that intersects each other.
14. devices according to claim 10, is characterized in that, the access control policy of described intersection comprises: overlapping access control policy and the access control policy conflicting that intersects;
Described analytic unit, the also access control policy for judging whether described the first access control policy and described the second access control policy intersect each other, and whether the action identification in described the first access control policy is identical with the action identification in described the second access control policy, if, described the first access control policy and described the second access control policy overlapping access control policy each other, otherwise described the first access control policy is the mutual access control policy conflicting that intersects with described the second access control policy.
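The pairwise classification of claims 9 to 14, as an added worked example that is not the patent's own code: each policy's source IP set, destination IP set and destination port set is a constructed Python frozenset, inclusion is tested in all three dimensions, identical inclusion directions give the "non-intersecting" class and mixed directions the "intersecting" class, and the action mark then splits each into its redundant or conflicting variant. The treatment of two equal sets as compatible with either direction, and the host-string representation of addresses, are assumptions of this example.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Policy:
    name: str
    src: frozenset      # source IP address set (constructed host strings)
    dst: frozenset      # destination IP address set
    dports: frozenset   # destination port number set
    action: str         # action mark: "allow" or "deny"

def inclusion(a, b):
    """'sup' if a contains b, 'sub' if a is contained in b, 'eq' if equal, None if neither."""
    if a == b:
        return "eq"
    if a >= b:
        return "sup"
    if a <= b:
        return "sub"
    return None

def classify(p1, p2):
    rels = [inclusion(p1.src, p2.src), inclusion(p1.dst, p2.dst), inclusion(p1.dports, p2.dports)]
    # Claim 9: without an inclusion relation in all three dimensions the pair is "optimized".
    if None in rels:
        return "optimized"
    # Claim 10: all directions identical -> non-intersecting (nested); otherwise intersecting.
    # Assumption: an equal set ('eq') is compatible with either direction.
    directions = {r for r in rels if r != "eq"}
    nested = len(directions) <= 1
    same_action = p1.action == p2.action
    if nested:  # claims 11 and 13
        return "non-overlapping" if same_action else "non-intersecting conflict"
    return "overlapping" if same_action else "intersecting conflict"  # claims 12 and 14

def analyze(policies):
    """Optimization analysis over every pair of safe policies (abstract: two or more safe policies)."""
    return {(a.name, b.name): classify(a, b) for a, b in combinations(policies, 2)}

# Constructed sample policies, all assumed to have already passed the safety check.
A = Policy("A", frozenset({"10.0.0.1", "10.0.0.2"}), frozenset({"192.0.2.10"}), frozenset({80, 443}), "allow")
B = Policy("B", frozenset({"10.0.0.1"}), frozenset({"192.0.2.10"}), frozenset({80}), "allow")
C = Policy("C", frozenset({"10.0.0.1"}), frozenset({"192.0.2.10", "192.0.2.11"}), frozenset({80}), "deny")
D = Policy("D", frozenset({"172.16.0.5"}), frozenset({"192.0.2.10"}), frozenset({22}), "allow")

if __name__ == "__main__":
    for pair, verdict in analyze([A, B, C, D]).items():
        print(pair, "->", verdict)
```

B sits wholly inside A with the same action (redundant, "non-overlapping"), A and C have mixed inclusion directions and different actions ("intersecting conflict"), and D shares no source address with the others, so the analysis leaves those pairs as "optimized".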
CN201210585072.8A 2012-12-28 2012-12-28 Method and device for firewall access control strategy analysis Pending CN103905407A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210585072.8A CN103905407A (en) 2012-12-28 2012-12-28 Method and device for firewall access control strategy analysis

Publications (1)

Publication Number Publication Date
CN103905407A true CN103905407A (en) 2014-07-02

Family

ID=50996562

Country Status (1)

Country Link
CN (1) CN103905407A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105704093A (en) * 2014-11-25 2016-06-22 中国移动通信集团设计院有限公司 Firewall access control strategy debugging method, device and system
CN105871908A (en) * 2016-05-30 2016-08-17 北京琵琶行科技有限公司 Control method and device of access control strategies of enterprise network boundary equipment
CN108494771A (en) * 2018-03-23 2018-09-04 平安科技(深圳)有限公司 Electronic device, fire wall open verification method and storage medium
CN109302409A (en) * 2018-10-31 2019-02-01 锐捷网络股份有限公司 Analysis method, device, equipment and the storage medium of ACL access control policy
CN113596033A (en) * 2021-07-30 2021-11-02 深信服科技股份有限公司 Access control method and device, equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140702