CN104468161A - Configuration method and apparatus of firewall rule set, and firewall - Google Patents

Abstract

The embodiments of the invention provide a configuration method and apparatus of a firewall rule set, and a firewall. The method comprises the following steps: obtaining a matching sequence adjusting parameter value corresponding to each rule in a first rule set during a process when a firewall carries out rule matching on a network flow according to the configured first rule set within a set time interval, wherein the first rule set is the firewall rule set subjected to elimination processing of an inter-rule restriction relation; according to all the matching sequence adjusting parameter values corresponding to the rules, adjusting the rule matching sequence of the first rule set to obtain an adjusted first rule set; and loading the adjusted first rule set to the configuration of the firewall to enable the firewall to be capable of performing filtering processing on a data packet according to the adjusted first rule set. According to the embodiments of the invention, reconfiguration of the firewall rule set is realized.

Description

A kind of collocation method of firewall rule sets under discrimination, device and fire compartment wall

Technical field

The present invention relates to network security and service quality field, particularly relate to a kind of collocation method of firewall rule sets under discrimination, device and fire compartment wall.

Background technology

One of conventional means that fire compartment wall is defendd as Intranet, according to its rule set, detects the packet that it passes through according to the order of sequence, prevents invalid data from invading the internal network (Intranet) of mechanism.Along with the development of Information technology, network service quality (QoS) more and more receives much attention, although high-performance routing and swiching technology, Consumer's Experience can be promoted, but fire compartment wall is as first network security barrier, usual employing series connection or other mode of hanging are deployed in the boundary position of organization network, flow major part in whole network system all needs through fire compartment wall (according to the mode of series connection, all flows all need through fire compartment wall), therefore its handling property will play vital effect to the QoS of whole network system.Shown in fire compartment wall deployment diagram 1 and Fig. 2, wherein, Fig. 1 is the mode of series connection, and Fig. 2 is other mode of hanging.

Summary of the invention

In view of this, the object of the embodiment of the present invention is to provide a kind of collocation method of firewall rule sets under discrimination, device and fire compartment wall, to realize reconfiguring of firewall rule sets under discrimination.

For solving the problems of the technologies described above, the embodiment of the present invention provides scheme as follows:

The embodiment of the present invention provides a kind of collocation method of firewall rule sets under discrimination, comprising:

Obtain fire compartment wall carries out in the process of rule match according to the first rule set of configuration to network traffics in setting-up time interval, the matching order adjusting parameter values that in described first rule set, every rule is corresponding, wherein, described first rule set is the firewall rule sets under discrimination of the Processing for removing of restricting relation through between rule;

The matching order adjusting parameter values corresponding according to all described every rules, carries out the adjustment of rule match order, described first rule set after being adjusted to described first rule set;

The first rule set after described adjustment is loaded into the configuration of described fire compartment wall, makes described fire compartment wall according to the first rule set after described adjustment, filtration treatment can be carried out to packet.

Preferably, in the first rule set after described adjustment between two between rule, the matching order adjusting parameter values of rule correspondence before sequence is comparatively greater than the matching order adjusting parameter values of the rule correspondence after sequence comparatively.

Preferably, the matching order adjusting parameter values that described every rule is corresponding is the matching frequency that described every rule is corresponding;

Described acquisition fire compartment wall carries out in the process of rule match according to the first rule set of configuration to network traffics in setting-up time interval, and the matching order adjusting parameter values that in described first rule set, every rule is corresponding comprises:

Gather described fire compartment wall carries out in the process of rule match according to described first rule set to network traffics in described setting-up time interval, the matching times that in described first rule set, every rule is corresponding;

The matching times corresponding with all described every rules by matching times corresponding for described every rule and ratio, as the matching frequency that described every rule is corresponding.

Preferably, described acquisition fire compartment wall carries out in the process of rule match according to the first rule set of configuration to network traffics in setting-up time interval, and the matching order adjusting parameter values that in described first rule set, every rule is corresponding comprises:

Gather described fire compartment wall carries out in the process of rule match according to described first rule set to network traffics in described setting-up time interval, the matching times that in described first rule set, every rule is corresponding and a up-to-date match time;

The matching times corresponding with all described every rules by matching times corresponding for described every rule and ratio, as the matching frequency that described every rule is corresponding;

By the ratio at a up-to-date match time corresponding for described every rule and described setting-up time interval, as the coupling immediate cause that described every rule is corresponding;

The matching frequency corresponding to described every rule and coupling immediate cause ask weighted sum, obtain the matching order adjusting parameter values that described every rule is corresponding.

Preferably, also comprise:

The matching frequency corresponding according to all described every rules and the function preset, determine that a rule match order adjustment judges parameter value;

Judge parameter value and a threshold value preset according to the adjustment of described rule match order, judge whether the adjustment needing described first rule set to be carried out to rule match order, obtain a judged result;

When described judged result is for being, enter the described step the first rule set after described adjustment being loaded into the configuration of described fire compartment wall;

When described judged result is no, do not enter the described step the first rule set after described adjustment being loaded into the configuration of described fire compartment wall.

Preferably, if the fuzzy rules in described first rule set is n, the matching frequency that the i-th rule in described first rule set is corresponding is f _i, the adjustment of described rule match order judges that parameter value is S, then described function is $S=1-\frac{\underset{i=1}{\overset{n}{\mathrm{\Σ}}}{f}_{i}1g{f}_i}{1\mathrm{gn}};$

Described adjustment according to described rule match order judges parameter value and a threshold value preset, and judges whether the adjustment needing described first rule set to be carried out to rule match order, obtains a judged result and comprise:

Judge that the adjustment of described rule match order judges whether parameter value is greater than described threshold value, if so, described judged result is yes, otherwise described judged result is no.

Preferably, if the fuzzy rules in described first rule set is n, the matching frequency that the i-th rule in described first rule set is corresponding is f _i, the adjustment of described rule match order judges that parameter value is S, then described function is $S=\frac{\underset{i=1}{\overset{n}{\mathrm{\Σ}}}{f}_{i}1g{f}_i}{1\mathrm{gn}};$

Described adjustment according to described rule match order judges parameter value and a threshold value preset, and judges whether the adjustment needing described first rule set to be carried out to rule match order, obtains a judged result and comprise:

Judge that the adjustment of described rule match order judges whether parameter value is less than described threshold value, if so, described judged result is yes, otherwise described judged result is no.

The embodiment of the present invention also provides a kind of inking device of firewall rule sets under discrimination, comprising:

Acquisition module, carry out in the process of rule match according to the first rule set of configuration to network traffics for obtaining fire compartment wall in setting-up time interval, the matching order adjusting parameter values that in described first rule set, every rule is corresponding, wherein, described first rule set is the firewall rule sets under discrimination of the Processing for removing of restricting relation through between rule;

Adjusting module, for the matching order adjusting parameter values corresponding according to all described every rules, carries out the adjustment of rule match order, described first rule set after being adjusted to described first rule set;

Insmoding, for the first rule set after described adjustment being loaded into the configuration of described fire compartment wall, making described fire compartment wall according to the first rule set after described adjustment, filtration treatment can be carried out to packet.

Preferably, in the first rule set after described adjustment between two between rule, the matching order adjusting parameter values of rule correspondence before sequence is comparatively greater than the matching order adjusting parameter values of the rule correspondence after sequence comparatively.

Preferably, the matching order adjusting parameter values that described every rule is corresponding is the matching frequency that described every rule is corresponding;

Described acquisition module comprises:

First collecting unit, carries out in the process of rule match according to described first rule set to network traffics for gathering described fire compartment wall in described setting-up time interval, the matching times that in described first rule set, every rule is corresponding;

First determining unit, for by matching times corresponding with all described every rules for matching times corresponding for described every rule and ratio, as the matching frequency that described every rule is corresponding.

Preferably, described acquisition module comprises:

Second collecting unit, carries out in the process of rule match according to described first rule set to network traffics for gathering described fire compartment wall in described setting-up time interval, the matching times that in described first rule set, every rule is corresponding and a up-to-date match time;

Second determining unit, for by matching times corresponding with all described every rules for matching times corresponding for described every rule and ratio, as the matching frequency that described every rule is corresponding;

3rd determining unit, for the ratio by a up-to-date match time corresponding for described every rule and described setting-up time interval, as the coupling immediate cause that described every rule is corresponding;

Ask weighted sum unit, ask weighted sum for the matching frequency corresponding to described every rule with coupling immediate cause, obtain the matching order adjusting parameter values that described every rule is corresponding.

Preferably, also comprise:

Determination module, for according to matching frequency corresponding to all described every rules and the function preset, determines that a rule match order adjustment judges parameter value;

Judge module, for judging parameter value and a threshold value preset according to the adjustment of described rule match order, judging whether the adjustment needing described first rule set to be carried out to rule match order, obtaining a judged result; When described judged result is for being, insmod described in entering; When described judged result is no, insmod described in not entering.

Preferably, if the fuzzy rules in described first rule set is n, the matching frequency that the i-th rule in described first rule set is corresponding is f _i, the adjustment of described rule match order judges that parameter value is S, then described function is $S=1-\frac{\underset{i=1}{\overset{n}{\mathrm{\Σ}}}{f}_{i}1g{f}_i}{1\mathrm{gn}};$

Described judge module comprises:

First judging unit, for judging that the adjustment of described rule match order judges whether parameter value is greater than described threshold value, if so, described judged result is yes, otherwise described judged result is no.

Preferably, if the fuzzy rules in described first rule set is n, the matching frequency that the i-th rule in described first rule set is corresponding is f _i, the adjustment of described rule match order judges that parameter value is S, then described function is $S=\frac{\underset{i=1}{\overset{n}{\mathrm{\Σ}}}{f}_{i}1g{f}_i}{1\mathrm{gn}};$

Described judge module comprises:

Second judging unit, for judging that the adjustment of described rule match order judges whether parameter value is less than described threshold value, if so, described judged result is yes, otherwise described judged result is no.

The embodiment of the present invention also provides a kind of fire compartment wall comprising the inking device of above-described firewall rule sets under discrimination.

As can be seen from the above, the embodiment of the present invention at least has following beneficial effect:

Make the rule match of firewall rule sets under discrimination order can flow Network Based actual rule matching state and be adjusted, thus achieve reconfiguring of firewall rule sets under discrimination.

Accompanying drawing explanation

Fig. 1 represents that schematic diagram disposed by the fire compartment wall adopting series system;

Fig. 2 represents the fire compartment wall deployment schematic diagram adopting other extension mode;

Fig. 3 represents the flow chart of steps of the collocation method of a kind of firewall rule sets under discrimination that the embodiment of the present invention provides;

Fig. 4 represents the network element Organization Chart of the better embodiment of the embodiment of the present invention;

Fig. 5 represents the flow chart of the time interval T inner model treatment step of the better embodiment of the embodiment of the present invention;

Fig. 6 represents the rule decision tree construction algorithm schematic diagram of the better embodiment of the embodiment of the present invention;

Fig. 7 represents the structure chart of the inking device of a kind of firewall rule sets under discrimination that the embodiment of the present invention provides.

Embodiment

For making the object of the embodiment of the present invention, technical scheme and advantage clearly, below in conjunction with the accompanying drawings and the specific embodiments the embodiment of the present invention is described in detail.

Fig. 3 represents the flow chart of steps of the collocation method of a kind of firewall rule sets under discrimination that the embodiment of the present invention provides, and with reference to Fig. 3, the embodiment of the present invention provides a kind of collocation method of firewall rule sets under discrimination, comprises the steps:

Step 301, obtain fire compartment wall carries out in the process of rule match according to the first rule set of configuration to network traffics in setting-up time interval, the matching order adjusting parameter values that in described first rule set, every rule is corresponding, wherein, described first rule set is the firewall rule sets under discrimination of the Processing for removing of restricting relation through between rule;

Step 302, the matching order adjusting parameter values corresponding according to all described every rules, carries out the adjustment of rule match order, described first rule set after being adjusted to described first rule set;

Step 303, is loaded into the configuration of described fire compartment wall by the first rule set after described adjustment, make described fire compartment wall according to the first rule set after described adjustment, can carry out filtration treatment to packet.

Visible, by the way, make the rule match of firewall rule sets under discrimination order can flow Network Based actual rule matching state and be adjusted, thus achieve reconfiguring of firewall rule sets under discrimination.

Wherein, between rule, restricting relation refers to that fire compartment wall may exist Different matching rule to same packet, if will adjust wherein certain rule, just inevitably together with adjusting the rule be positioned at before this rule.Between rule, the Processing for removing of restricting relation is exactly by certain process, eliminate this restricting relation between rule, thus the rule ordering that firewall rule is concentrated can not be impacted by the packet filtering function basic to fire compartment wall by adjusting arbitrarily.

In embodiments of the present invention, Ke Yiyou:

In the first rule set after described adjustment between two between rule, the matching order adjusting parameter values of rule correspondence before sequence is comparatively greater than the matching order adjusting parameter values of the rule correspondence after sequence comparatively.

Matching order adjustment parameter can be relevant to matching times, or also can be relevant to matching times and match time.

For the situation that matching order adjustment parameter is relevant to matching times, Ke Yiyou:

The matching order adjusting parameter values that described every rule is corresponding is the matching frequency that described every rule is corresponding;

Described acquisition fire compartment wall carries out in the process of rule match according to the first rule set of configuration to network traffics in setting-up time interval, and the matching order adjusting parameter values that in described first rule set, every rule is corresponding comprises:

Gather described fire compartment wall carries out in the process of rule match according to described first rule set to network traffics in described setting-up time interval, the matching times that in described first rule set, every rule is corresponding;

The matching times corresponding with all described every rules by matching times corresponding for described every rule and ratio, as the matching frequency that described every rule is corresponding.

For the situation that matching order adjustment parameter is relevant to matching times and match time, Ke Yiyou:

Described acquisition fire compartment wall carries out in the process of rule match according to the first rule set of configuration to network traffics in setting-up time interval, and the matching order adjusting parameter values that in described first rule set, every rule is corresponding comprises:

Gather described fire compartment wall carries out in the process of rule match according to described first rule set to network traffics in described setting-up time interval, the matching times that in described first rule set, every rule is corresponding and a up-to-date match time;

The matching times corresponding with all described every rules by matching times corresponding for described every rule and ratio, as the matching frequency that described every rule is corresponding;

By the ratio at a up-to-date match time corresponding for described every rule and described setting-up time interval, as the coupling immediate cause that described every rule is corresponding;

The matching frequency corresponding to described every rule and coupling immediate cause ask weighted sum, obtain the matching order adjusting parameter values that described every rule is corresponding.

Consider that, when the coupling of each rule is comparatively even, adjust rule and also can not bring too significantly effect, even may add on the contrary and assess the cost, in view of this, no matter for which kind of situation above-mentioned, described method can also comprise:

The matching frequency corresponding according to all described every rules and the function preset, determine that a rule match order adjustment judges parameter value;

Judge parameter value and a threshold value preset according to the adjustment of described rule match order, judge whether the adjustment needing described first rule set to be carried out to rule match order, obtain a judged result;

When described judged result is for being, enter the described step the first rule set after described adjustment being loaded into the configuration of described fire compartment wall;

When described judged result is no, do not enter the described step the first rule set after described adjustment being loaded into the configuration of described fire compartment wall.

Particularly, the design of function and the design of concrete judgment mode can be carried out, so can have from the matching frequency of each rule close to the angle of obeying equally distributed degree:

If the fuzzy rules in described first rule set is n, the matching frequency that the i-th rule in described first rule set is corresponding is f _i, the adjustment of described rule match order judges that parameter value is S, then described function is $S=1-\frac{\underset{i=1}{\overset{n}{\mathrm{\Σ}}}{f}_{i}1g{f}_i}{1\mathrm{gn}};$

Described adjustment according to described rule match order judges parameter value and a threshold value preset, and judges whether the adjustment needing described first rule set to be carried out to rule match order, obtains a judged result and comprise:

Judge that the adjustment of described rule match order judges whether parameter value is greater than described threshold value, if so, described judged result is yes, otherwise described judged result is no.

Here, when S is 0, the matching frequency service of rule is uniformly distributed, if adopt regulation rule order to optimize fire wall performance, effect is little, increases on the contrary and assesses the cost.When S is tending towards 1, the coupling of rule embodies a concentrated reflection of the rule of smaller scale, adopts regulation rule order to optimize fire wall performance obvious.

Or, Ke Yiyou:

If the fuzzy rules in described first rule set is n, the matching frequency that the i-th rule in described first rule set is corresponding is f _i, the adjustment of described rule match order judges that parameter value is S, then described function is $S=\frac{\underset{i=1}{\overset{n}{\mathrm{\Σ}}}{f}_{i}1g{f}_i}{1\mathrm{gn}};$

Described adjustment according to described rule match order judges parameter value and a threshold value preset, and judges whether the adjustment needing described first rule set to be carried out to rule match order, obtains a judged result and comprise:

Judge that the adjustment of described rule match order judges whether parameter value is less than described threshold value, if so, described judged result is yes, otherwise described judged result is no.

Here, when S is 1, the matching frequency service of rule is uniformly distributed, if adopt regulation rule order to optimize fire wall performance, effect is little, increases on the contrary and assesses the cost.When S is tending towards 0, the coupling of rule embodies a concentrated reflection of the rule of smaller scale, adopts regulation rule order to optimize fire wall performance obvious.

For the embodiment of the present invention being set forth clearly clear, provide the better embodiment of the embodiment of the present invention below.

The network element framework model that this better embodiment proposes, comprises pretreatment module, acquisition module, tune sequence module and heavily loaded module 4 nucleus modules, realizes the on-line performance optimization of fire compartment wall according to traffic characteristic by the interaction of 4 modules.Shown in network element Organization Chart 4.

1, pretreatment module: this module is anticipated firewall rule sets under discrimination, for eliminating the correlation between rule, specifically for the Processing for removing of restricting relation between above described rule.Due to same packet, fire compartment wall may have many matched rules, and the principle of Match in sequence taked by fire compartment wall for this reason, and the rule according to priority match takes corresponding behavior as abandoned or receiving packet.Because this restriction, to adjustment, wherein a rule inevitably will together with adjusting the rule before being positioned at it.

Consider the existence due to restricting relation between rule, make the rule ordering of fire compartment wall adjust problem and become a np problem, the also suboptimization often of the rule set after its adjustment.For this reason, the restricting relation that pretreatment module will be eliminated between rule, makes the rule set obtained after toning sequence resume module be optimized, thus makes fire wall performance optimum.In view of this, between rule, the Processing for removing of restricting relation can carry out in the following way:

Packet P has d item, is respectively (F ₁..., F _d), then packet P can be defined as the tuple (P of a d dimension ₁..., P _d), wherein p _i∈ D (F _i), D (F _i) be territory F _icodomain, be a nonnegative integer section or set.Setting tool has d decision space (F ₁..., F _d) fire compartment wall f contain n rule r ₁, r ₂..., r _n, be expressed as f=< r ₁, r ₂..., r _n>, regular r _i(1≤i≤n) may be defined as: < i > ^ (F ₁∈ S ₁) ^...^ (F _d∈ S _d) → < action > wherein S _j(1≤j≤d) is D (F _j) nonvoid subset, action(takes action) be the behavior that defines of rule, as: deny(refuses) and accept(acceptance).

For regular r _ifollowing 2 set of definition:

Set of matches (Matching Set) R _i, represent regular r _ithe packet set defined.

Judge collection (Evaluating Set) E _i, represent the principle according to fire compartment wall Match in sequence, regular r _ithe packet set mated, then here the mode by rule-based decision tree is obtained the judgement collection of rule and the judgement collection got is replaced regular set of matches.To arbitrary data bag P, only, there is not the judgement collection mating many rules in the judgement collection of coupling one rule, judges that collection is for eliminating the dependence between rule.

Rule decision tree (Rule Decision Tree, RDT) definition: there is d and judge item F ₁..., F _dfire compartment wall f, its decision tree t is directed acyclic tree, and t need meet following 5 features:

1) t has and only has a root node (root) not entering limit, and the node wherein not going out limit is called as leaf node (leaf).

2) arbitrary node v in t, has a label F (v), and $F\left(v\right)\&Element;\left\{\begin{array}{ccccc}\{F_{1,}...,F_d\}& \mathrm{if}& v& \mathrm{is}& \mathrm{nonleaf}\\ \{\mathrm{accept},\mathrm{deny}\}& \mathrm{if}& v& \mathrm{is}& \mathrm{leaf}\end{array}\right.,$ Wherein, if v is nonleaf refers to if v is non-leaf nodes; If v is leaf refers to if v is leaf node.

3) any limit e:u in t, has label I (e).Wherein, I (e) is a nonvoid subset of the codomain of the label of node u.

4) rule (rule) is formed from root node (root) to the path of leaf node (leaf) in t.

5) in t, set E (v) going out limit of arbitrary node v satisfies condition any 2 different limit e and e' in E (v), has I (e) ∩ I (e').

The construction algorithm of rule decision tree as shown in Figure 6, first judgement item of current rule, this rule and root node (first of Article 1 rule judges item) as input, are realized the judgement collection that the rule decision of structure corresponding to current rule is set and solved corresponding to current rule by this algorithm.

2, acquisition module: this module is used in the time interval T of system configuration (as 30 seconds) and gathers fire compartment wall relevant statistics, this statistics provides tune order parameter for adjusting sequence module.The data of statistics comprise: the matching times f of every rule _isum fanction up-to-date one time match time t _i.

3, sequence module is adjusted: this module is by obtaining the related data of acquisition module, and adjustment firewall rule order, generates optimum rule set.

4, heavily loaded module: the optimum rule set adjusting sequence module to obtain is loaded in firewall configuration by this module, and fire compartment wall does filtration treatment according to optimum rule set to packet.

With reference to Fig. 5, in a time interval T, a given preference rule collection, comprises n rule 1,2 after pretreatment module process ... i, i+1 ..., n.The matching times f of n rule is obtained through acquisition module statistics _isum fanction up-to-date one time match time t _i.Be defined as follows parameter:

Matching frequency (Matching Frequency) F _i, the matching frequency of this parameter characterization rule i,

Coupling immediate cause (Matching Recency) T _i, this parameter characterization rule i mates ratio recently, wherein t _lastit is the termination time of time interval T, if rely on the 0th moment statistics, then the t in first time interval _last=T;

After acquisition module process, obtain matching frequency and the coupling immediate cause of rule.Define even Summing Factor adjustment thresholding to judge whether to select regulation rule order to optimize fire wall performance.

Even factor S, the uniformity coefficient of n rule matching frequency in this parameter characterization rule set, 0≤S≤1. when S is 0, the matching frequency of rule is obeyed and is uniformly distributed, and adopt regulation rule order to optimize fire wall performance in this situation, its effect is little, increases on the contrary and assesses the cost.When S is tending towards 1, the coupling of rule embodies a concentrated reflection of the rule of smaller scale, adopts regulation rule order to optimize fire wall performance obvious;

Adjustment thresholding Ts, this parameter characterization selects the threshold value of adjustment, and Ts can be set to 0.4 by acquiescence.

Work as S>Ts, call sequence module, optimize firewall rule order; Otherwise, then do not add fire compartment wall when rule changes and do packet filtering process.

Here, whether thresholding is mainly used in selecting to adopt adjusting the method for sequence to obtain optimum rule set, mainly sees the coupling uniformity coefficient of current rule.If coupling is comparatively, then adopt the method adjusting sequence, optimum results is not obvious.Only have coupling uneven, adopt and adjust sequence optimization, result is obvious.

Selected by thresholding, adjusting sequence module for obtaining optimum rule set, defining fire compartment wall optimization problem for minimizing regular Mean match number of times, namely weight w _i, i is in time interval T for this parameter characterization rule, weight shared under present flow rate feature.w _i=ρF _i+(1-ρ)T _i，0<ρ≤1。When ρ is tending towards 1, represent that flow surrounding time does not have similitude, its setting is relevant to present flow rate feature.The value of ρ trends towards 1, is applicable to sudden network characterization.The value of ρ trends towards 0, is applicable to large discharge network characterization.Can by the value of adjustment ρ, realize performance optimization under multiple network environment, the empirical value of ρ is 0.8.

Fire compartment wall optimization problem its optimal solution is for regular by weight descending, and the rule set after arrangement is optimization rule collection.

Heavy duty module, optimum rule set be loaded in firewall configuration, fire compartment wall does filtration treatment according to optimum set pair packet.

The technical scheme of raising fire wall performance mainly improved the matching algorithm of fire compartment wall by the mode (as adopted binary tree etc.) of hardware (as adopted three-state content addressable memory TCAM s etc.) or software in the past, can response data packet fast, thus improve the performance of fire compartment wall.But this has certain restriction:

According to hard-wired mode, cost is higher; Adopt the mode of software simulating, its effect is obvious not;

Can not embody the flow feature in network, the matching frequency through adding up firewall rule is obeyed Zipf and is distributed, and wherein less rule (being about about 20%) has higher matching times, and the matching times of major part rule is lower.For these most of rules, need traversal most rule (being about about 80%) nearly, cause its hydraulic performance decline.

This better embodiment is obeyed Zipf based on the matching frequency of firewall rule and is distributed that this is true, proposes a kind of network element framework model based on dynamic conditioning firewall rule order.Current network flow feature monitored in real time by this model, rule (active rule and the higher rule of matching times) will be enlivened shift to an earlier date, after dull rule (the dull rule rule that namely matching times is lower) being moved, thus reduce regular Mean match number of times, thus the performance of raising fire compartment wall.

This better embodiment realizes relatively simple, and cost is low; The various flow rate environment such as sudden, large discharge can be adapted to; Can according to rule match feature corresponding to current network flow, realize fire wall performance in real time, dynamic optimization.

Fig. 7 represents the structure chart of the inking device of a kind of firewall rule sets under discrimination that the embodiment of the present invention provides, and with reference to Fig. 7, the embodiment of the present invention also provides a kind of inking device of firewall rule sets under discrimination, comprising:

Acquisition module 701, carry out in the process of rule match according to the first rule set of configuration to network traffics for obtaining fire compartment wall in setting-up time interval, the matching order adjusting parameter values that in described first rule set, every rule is corresponding, wherein, described first rule set is the firewall rule sets under discrimination of the Processing for removing of restricting relation through between rule;

Adjusting module 702, for the matching order adjusting parameter values corresponding according to all described every rules, carries out the adjustment of rule match order, described first rule set after being adjusted to described first rule set;

Insmoding 703, for the first rule set after described adjustment being loaded into the configuration of described fire compartment wall, making described fire compartment wall according to the first rule set after described adjustment, filtration treatment can be carried out to packet.

Visible, by the way, make the rule match of firewall rule sets under discrimination order can flow Network Based actual rule matching state and be adjusted, thus achieve reconfiguring of firewall rule sets under discrimination.

Wherein, specifically can have:

In the first rule set after described adjustment between two between rule, the matching order adjusting parameter values of rule correspondence before sequence is comparatively greater than the matching order adjusting parameter values of the rule correspondence after sequence comparatively.

Further, Ke Yiyou:

The matching order adjusting parameter values that described every rule is corresponding is the matching frequency that described every rule is corresponding;

Described acquisition module comprises:

First collecting unit, carries out in the process of rule match according to described first rule set to network traffics for gathering described fire compartment wall in described setting-up time interval, the matching times that in described first rule set, every rule is corresponding;

First determining unit, for by matching times corresponding with all described every rules for matching times corresponding for described every rule and ratio, as the matching frequency that described every rule is corresponding.

Or, Ke Yiyou:

Described acquisition module comprises:

Second collecting unit, carries out in the process of rule match according to described first rule set to network traffics for gathering described fire compartment wall in described setting-up time interval, the matching times that in described first rule set, every rule is corresponding and a up-to-date match time;

Second determining unit, for by matching times corresponding with all described every rules for matching times corresponding for described every rule and ratio, as the matching frequency that described every rule is corresponding;

3rd determining unit, for the ratio by a up-to-date match time corresponding for described every rule and described setting-up time interval, as the coupling immediate cause that described every rule is corresponding;

Ask weighted sum unit, ask weighted sum for the matching frequency corresponding to described every rule with coupling immediate cause, obtain the matching order adjusting parameter values that described every rule is corresponding.

Further, described device can also comprise:

Determination module, for according to matching frequency corresponding to all described every rules and the function preset, determines that a rule match order adjustment judges parameter value;

Judge module, for judging parameter value and a threshold value preset according to the adjustment of described rule match order, judging whether the adjustment needing described first rule set to be carried out to rule match order, obtaining a judged result; When described judged result is for being, insmod described in entering; When described judged result is no, insmod described in not entering.

Specifically can have:

If the fuzzy rules in described first rule set is n, the matching frequency that the i-th rule in described first rule set is corresponding is f _i, the adjustment of described rule match order judges that parameter value is S, then described function is $S=1-\frac{\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}{f}_{i}1g{f}_i}{1\mathrm{gn}};$

Described judge module comprises:

First judging unit, for judging that the adjustment of described rule match order judges whether parameter value is greater than described threshold value, if so, described judged result is yes, otherwise described judged result is no.

Or, specifically can have:

If the fuzzy rules in described first rule set is n, the matching frequency that the i-th rule in described first rule set is corresponding is f _i, the adjustment of described rule match order judges that parameter value is S, then described function is $S=\frac{\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}{f}_{i}1g{f}_i}{1\mathrm{gn}};$

Described judge module comprises:

Second judging unit, for judging that the adjustment of described rule match order judges whether parameter value is less than described threshold value, if so, described judged result is yes, otherwise described judged result is no.

The embodiment of the present invention also provides a kind of fire compartment wall, and described fire compartment wall comprises the inking device of above-described firewall rule sets under discrimination.

The above is only the execution mode of the embodiment of the present invention; should be understood that; for those skilled in the art; under the prerequisite not departing from embodiment of the present invention principle; can also make some improvements and modifications, these improvements and modifications also should be considered as the protection range of the embodiment of the present invention.

Claims (15)

1. a collocation method for firewall rule sets under discrimination, is characterized in that, comprising:

Obtain fire compartment wall carries out in the process of rule match according to the first rule set of configuration to network traffics in setting-up time interval, the matching order adjusting parameter values that in described first rule set, every rule is corresponding, wherein, described first rule set is the firewall rule sets under discrimination of the Processing for removing of restricting relation through between rule;

The matching order adjusting parameter values corresponding according to all described every rules, carries out the adjustment of rule match order, described first rule set after being adjusted to described first rule set;

The first rule set after described adjustment is loaded into the configuration of described fire compartment wall, makes described fire compartment wall according to the first rule set after described adjustment, filtration treatment can be carried out to packet.

2. the method for claim 1, is characterized in that, in the first rule set after described adjustment between two between rule, the matching order adjusting parameter values of rule correspondence before sequence is comparatively greater than the matching order adjusting parameter values of the rule correspondence after sequence comparatively.

3. method as claimed in claim 2, it is characterized in that, the matching order adjusting parameter values that described every rule is corresponding is the matching frequency that described every rule is corresponding;

Described acquisition fire compartment wall carries out in the process of rule match according to the first rule set of configuration to network traffics in setting-up time interval, and the matching order adjusting parameter values that in described first rule set, every rule is corresponding comprises:

Gather described fire compartment wall carries out in the process of rule match according to described first rule set to network traffics in described setting-up time interval, the matching times that in described first rule set, every rule is corresponding;

The matching times corresponding with all described every rules by matching times corresponding for described every rule and ratio, as the matching frequency that described every rule is corresponding.

4. method as claimed in claim 2, it is characterized in that, described acquisition fire compartment wall carries out in the process of rule match according to the first rule set of configuration to network traffics in setting-up time interval, and the matching order adjusting parameter values that in described first rule set, every rule is corresponding comprises:

Gather described fire compartment wall carries out in the process of rule match according to described first rule set to network traffics in described setting-up time interval, the matching times that in described first rule set, every rule is corresponding and a up-to-date match time;

The matching times corresponding with all described every rules by matching times corresponding for described every rule and ratio, as the matching frequency that described every rule is corresponding;

By the ratio at a up-to-date match time corresponding for described every rule and described setting-up time interval, as the coupling immediate cause that described every rule is corresponding;

The matching frequency corresponding to described every rule and coupling immediate cause ask weighted sum, obtain the matching order adjusting parameter values that described every rule is corresponding.

5. the method as described in claim 3 or 4, is characterized in that, also comprises:

The matching frequency corresponding according to all described every rules and the function preset, determine that a rule match order adjustment judges parameter value;

Judge parameter value and a threshold value preset according to the adjustment of described rule match order, judge whether the adjustment needing described first rule set to be carried out to rule match order, obtain a judged result;

When described judged result is for being, enter the described step the first rule set after described adjustment being loaded into the configuration of described fire compartment wall;

When described judged result is no, do not enter the described step the first rule set after described adjustment being loaded into the configuration of described fire compartment wall.

6. method as claimed in claim 5, is characterized in that, if the fuzzy rules in described first rule set is n, the matching frequency that the i-th rule in described first rule set is corresponding is f _i, the adjustment of described rule match order judges that parameter value is S, then described function is

Described adjustment according to described rule match order judges parameter value and a threshold value preset, and judges whether the adjustment needing described first rule set to be carried out to rule match order, obtains a judged result and comprise:

Judge that the adjustment of described rule match order judges whether parameter value is greater than described threshold value, if so, described judged result is yes, otherwise described judged result is no.

7. method as claimed in claim 5, is characterized in that, if the fuzzy rules in described first rule set is n, the matching frequency that the i-th rule in described first rule set is corresponding is f _i, the adjustment of described rule match order judges that parameter value is S, then described function is

Described adjustment according to described rule match order judges parameter value and a threshold value preset, and judges whether the adjustment needing described first rule set to be carried out to rule match order, obtains a judged result and comprise:

Judge that the adjustment of described rule match order judges whether parameter value is less than described threshold value, if so, described judged result is yes, otherwise described judged result is no.

8. an inking device for firewall rule sets under discrimination, is characterized in that, comprising:

Acquisition module, carry out in the process of rule match according to the first rule set of configuration to network traffics for obtaining fire compartment wall in setting-up time interval, the matching order adjusting parameter values that in described first rule set, every rule is corresponding, wherein, described first rule set is the firewall rule sets under discrimination of the Processing for removing of restricting relation through between rule;

Adjusting module, for the matching order adjusting parameter values corresponding according to all described every rules, carries out the adjustment of rule match order, described first rule set after being adjusted to described first rule set;

Insmoding, for the first rule set after described adjustment being loaded into the configuration of described fire compartment wall, making described fire compartment wall according to the first rule set after described adjustment, filtration treatment can be carried out to packet.

9. device as claimed in claim 8, is characterized in that, in the first rule set after described adjustment between two between rule, the matching order adjusting parameter values of the rule correspondence before sequence is comparatively greater than the matching order adjusting parameter values of the rule correspondence after sequence comparatively.

10. device as claimed in claim 9, it is characterized in that, the matching order adjusting parameter values that described every rule is corresponding is the matching frequency that described every rule is corresponding;

Described acquisition module comprises:

First collecting unit, carries out in the process of rule match according to described first rule set to network traffics for gathering described fire compartment wall in described setting-up time interval, the matching times that in described first rule set, every rule is corresponding;

First determining unit, for by matching times corresponding with all described every rules for matching times corresponding for described every rule and ratio, as the matching frequency that described every rule is corresponding.

11. devices as claimed in claim 9, it is characterized in that, described acquisition module comprises:

Second collecting unit, carries out in the process of rule match according to described first rule set to network traffics for gathering described fire compartment wall in described setting-up time interval, the matching times that in described first rule set, every rule is corresponding and a up-to-date match time;

Second determining unit, for by matching times corresponding with all described every rules for matching times corresponding for described every rule and ratio, as the matching frequency that described every rule is corresponding;

3rd determining unit, for the ratio by a up-to-date match time corresponding for described every rule and described setting-up time interval, as the coupling immediate cause that described every rule is corresponding;

Ask weighted sum unit, ask weighted sum for the matching frequency corresponding to described every rule with coupling immediate cause, obtain the matching order adjusting parameter values that described every rule is corresponding.

12. devices as described in claim 10 or 11, is characterized in that, also comprise:

Determination module, for according to matching frequency corresponding to all described every rules and the function preset, determines that a rule match order adjustment judges parameter value;

Judge module, for judging parameter value and a threshold value preset according to the adjustment of described rule match order, judging whether the adjustment needing described first rule set to be carried out to rule match order, obtaining a judged result; When described judged result is for being, insmod described in entering; When described judged result is no, insmod described in not entering.

13. devices as claimed in claim 12, is characterized in that, if the fuzzy rules in described first rule set is n, the matching frequency that the i-th rule in described first rule set is corresponding is f _i, the adjustment of described rule match order judges that parameter value is S, then described function is

Described judge module comprises:

First judging unit, for judging that the adjustment of described rule match order judges whether parameter value is greater than described threshold value, if so, described judged result is yes, otherwise described judged result is no.

14. devices as claimed in claim 12, is characterized in that, if the fuzzy rules in described first rule set is n, the matching frequency that the i-th rule in described first rule set is corresponding is f _i, the adjustment of described rule match order judges that parameter value is S, then described function is

Described judge module comprises:

Second judging unit, for judging that the adjustment of described rule match order judges whether parameter value is less than described threshold value, if so, described judged result is yes, otherwise described judged result is no.

15. 1 kinds of fire compartment walls, is characterized in that, comprise the inking device of the firewall rule sets under discrimination according to any one of claim 8 to 14.