CN104717194A - Security policy change method and system - Google Patents

Security policy change method and system

Info

Publication number: CN104717194A
Authority: CN (China)
Prior art keywords: security policy; security; flag information; module; policy module
Legal status: Pending
Application number: CN201310694822.XA
Other languages: Chinese (zh)
Inventors: 马先明, 陈敬毅
Current assignee: EVOC Intelligent Technology Co Ltd
Original assignee: EVOC Intelligent Technology Co Ltd
Application filed by: EVOC Intelligent Technology Co Ltd
Priority date: 2013-12-16
Filing date: 2013-12-16
Publication date: 2015-06-17

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention relates to a security policy change method. The method comprises the following steps: changes to the security policy modules in the security policy module set of a security policy server are monitored; when information indicating that a security policy module has been changed is captured, change flag information is generated; the change flag information is sent to a security policy client over a network; the security policy client queries whether the change flag information has been received; after confirming that the change flag information has been received, the client imports the changed security policy module from the security policy server according to its ID number; and the imported security policy module is enabled according to the change type. The invention further relates to a security policy system. The security policy modules imported by the security policy client are identical to the security policy modules on the security policy server. The operation is completed automatically by the security policy client program without manual intervention, so the degree of automation is increased, manual operation is avoided, efficiency is improved and cost is reduced; the method and system are simple and practical.

Description

Security policy change method and system
Technical field
The present invention relates to communication technology for the transmission of digital information, and in particular to a security policy change method and a security policy change system.
Background technology
At present the Loongson (Godson) processor, as a domestically developed processor, is widely used in the industrial control field. Being domestic and independently developed, not easily infected by viruses, and running a highly customised operating system are the features that make Loongson a safe and reliable technical foundation, and its outstanding security advantages have earned the trust of many industries.
However, in the industrial control field, and especially at industrial sites with high safety requirements, a security policy for a Loongson hardware platform is often effective only for that particular Loongson platform, which is unfavourable for large-scale deployment. That is, according to the needs of the application, it is necessary to deploy a number of Loongson hardware platforms at different locations; these locations are often dispersed, and some are very far apart. Although the security policy of each deployed Loongson platform is effective in this situation, once a security policy needs to be added, deleted or upgraded, the traditional approach is to send an engineer to each site where Loongson equipment is deployed to upgrade the security policy one site at a time. This traditional approach is time-consuming, laborious and inefficient, and every security policy upgrade adds to the company's operating cost. Moreover, after a security policy has been upgraded manually the computer must be restarted before the new security policy can be used, which is inconvenient.
Summary of the invention
On this basis, it is necessary to provide a security policy change method that automatically updates the security policies of clients distributed over dispersed locations.
A security policy change method comprises the following steps: monitoring changes to the security policy modules in the security policy module set of a security policy server; when a modification of a security policy module is captured, generating change flag information, which comprises the ID number and the change type of the modified security policy module; sending the change flag information to a security policy client over a network; the security policy client querying whether the change flag information has been received; after confirming that the change flag information has been received, the security policy client importing the modified security policy module from the security policy server over the network according to the ID number; and enabling the imported security policy module according to the change type.
In one embodiment, the change type comprises addition, deletion and upgrade of a security policy module; in the step of enabling the imported security policy module according to the change type, a newly added security policy module is loaded and run, a deleted security policy module is unloaded, and for an upgraded security policy module the old security policy module is first unloaded and then the upgraded security policy module is loaded and run.
In one embodiment, after the step of sending the change flag information to the security policy client over the network, the method further comprises judging whether all of the change flag information has been sent successfully; if so, the change flag information on the security policy server is cleared and the step of monitoring changes to the security policy modules of the security policy server continues.
In one embodiment, before the step of sending the change flag information to the security policy client over the network, the method further comprises a step of encrypting the change flag information and applying policy authentication processing to it; and after confirming that the change flag information has been received, the security policy client further performs a step of decrypting the change flag information and applying a policy authentication check to it.
In one embodiment, the encryption and policy authentication processing of the change flag information, and the decryption and policy authentication check of the change flag information, are performed by hardware having the corresponding function, without software involvement.
It is also necessary to provide a security policy change system.
A security policy change system comprises a security policy server and a security policy client. The security policy server comprises: a security policy module set, which contains all the security policy modules that the security policy client needs to load and run; a monitoring module for monitoring changes to the security policy modules in the security policy module set; a change flag information generation module for generating change flag information when the monitoring module captures a modification of a security policy module, the change flag information comprising the ID number and the change type of the modified security policy module; and a sending module for sending the change flag information to the security policy client over the network. The security policy client comprises: a query module for querying whether the change flag information has been received; a security policy import module for importing, after receipt of the change flag information has been confirmed, the modified security policy module from the security policy server over the network according to the ID number; and a security policy enable module for enabling the imported security policy module according to the change type.
In one embodiment, the change type comprises addition, deletion and upgrade of a security policy module; the security policy import module is used to load and run a newly added security policy module, to unload a deleted security policy module, and, for an upgraded security policy module, to first unload the old security policy module and then load and run the upgraded one.
In one embodiment, the security policy server comprises an encryption and policy authentication processor for encrypting the change flag information and applying policy authentication processing to it before the sending module sends it; the security policy client comprises a decryption and policy authentication check processor for decrypting the received change flag information and applying a policy authentication check to it.
In one embodiment, the security policy client comprises a timer, and the query module periodically queries, according to the clock signal of the timer, whether the change flag information has been received.
In one embodiment, the security policy change system is built on a Loongson hardware platform.
With the above security policy change method and system, the security policy client performs the corresponding change operation on its security policy modules according to the change flag information; the imported security policy modules all come from the security policy server and are consistent with the security policy modules of the security policy server. The security policy client program completes these operations automatically without manual intervention; the security policy clients are independent of one another and do not affect each other, and all security policy modules originate from the security policy server. Security policy modules are thus changed in a convenient way: the degree of automation is improved, manual operation is avoided, efficiency is improved and cost is reduced, and the method and system are simple and practical.
Brief description of the drawings
Fig. 1 is a block diagram of the security policy change system;
Fig. 2 is a flow chart of the security policy change method in one embodiment;
Fig. 3 is a flow chart of the security policy change method in another embodiment;
Fig. 4 is a schematic structural diagram of the security policy change system in one embodiment;
Fig. 5 is a schematic structural diagram of the security policy change system in another embodiment.
Embodiments
In order to make the objects, features and advantages of the present invention clearer, specific embodiments of the present invention are described in detail below with reference to the accompanying drawings.
In the industrial control field, the needs of the application environment require a Loongson hardware platform to be deployed at each deployment site. For security reasons, security policy modules need to be installed on the Loongson platform to protect the operating system and application programs and to improve the safety and stability of the system.
Fig. 1 is a block diagram of the security policy change system. The security policy change system comprises a security policy server 10 and a security policy client 20, both built on Loongson hardware platforms and connected to each other by a network, over which they communicate. A server program runs on the security policy server 10 and a client program runs on the security policy client 20. One security policy server 10 can serve multiple security policy clients 20.
Fig. 2 is a flow chart of the security policy change method in one embodiment, which comprises the following steps:
S110: monitor changes to the security policy modules of the security policy server.
A security policy module set 12 is established on the security policy server 10. This module set contains the security policy modules that all security policy clients 20 need to load and run, and the security policy server 10 manages and monitors all security policy modules centrally. The security policy module set 12 is maintained by the system administrator; any addition, deletion or upgrade operation performed by the system administrator on a particular security policy module is captured by the server program.
S120: generate change flag information when a modification of a security policy module is captured.
After the system administrator's modification of a security policy module is captured, the system generates change flag information for that security policy module. The change flag information has two parts:
(1) the ID (identification) number of the security policy module, which identifies which security policy module has changed;
(2) the change type, which identifies the category of change made to the security policy module, including addition, deletion and upgrade of the security policy module.
After each security policy module in the security policy module set 12 is changed, corresponding security policy module change flag information is generated. If several security policy modules are changed, several items of security policy module change flag information are generated.
S130: send the change flag information to the security policy client over the network.
The security policy server 10 sends the change flag information to the security policy client 20 over the network, so that the security policy client 20 can add, delete or upgrade the security policy modules it is currently using locally, according to the change flag information.
At this point one processing cycle of the security policy server 10 is complete, and it returns to step S110 to continue monitoring. Meanwhile, the security policy client 20 that receives the change flag information executes its own processing flow according to the change flag information.
S210: the security policy client queries whether change flag information has been received.
In this embodiment a periodic query is used: at regular intervals the client queries whether change flag information has been received.
S220: after confirming that change flag information has been received, import the modified security policy module from the security policy server.
If the security policy client 20 has not received change flag information, the client program does nothing and waits for the next periodic query interval. If the client program confirms that change flag information has been received, it imports the security policy module indicated by the ID number from the security policy server 10 over the network.
S230: enable the imported security policy module according to the change type.
After the client program has imported the changed security policy module from the security policy server 10, it puts the imported security policy module into use so that it takes effect. If the security policy server 10 has added a security policy module, the security policy client 20 immediately loads and runs the new security policy module; if the security policy server 10 has deleted a security policy module, the security policy client 20 immediately unloads that security policy module and deletes the corresponding security policy module; if the security policy server 10 has upgraded a security policy module, the security policy client 20 first unloads the old security policy module and then loads and runs the upgraded security policy module.
With the above security policy change method, the security policy client 20 adds, deletes or upgrades its security policy modules according to the change flag information; the imported security policy modules all come from the security policy server 10 and are consistent with the security policy modules of the security policy server 10. The security policy client program completes these operations automatically without manual intervention; the security policy clients are independent of one another and do not affect each other, and all security policy modules originate from the security policy server 10. Security policy modules are thus added, deleted and upgraded in a convenient way: the degree of automation is improved, manual operation is avoided, efficiency is improved and cost is reduced, and the method is simple and practical. In an industrial environment with large-scale deployment of Loongson hardware platforms, security policy clients are updated and upgraded conveniently and automatically without restarting the computer.
It should be noted that although the above security policy change method was designed for implementation on a Loongson hardware platform, it can equally be used on an x86 hardware platform.
In another embodiment, as shown in Fig. 3, the security policy server 10 further performs step S122 after step S120: encrypt the change flag information and apply policy authentication processing to it. Correspondingly, the security policy client 20 further performs step S212 after step S210: decrypt the change flag information and apply a policy authentication check to it.
Specifically, the encryption and policy authentication processing of step S122 are performed by hardware consisting of a microprocessor with a cryptographic computation function; the encryption and policy authentication processing are carried out automatically by the hardware without software involvement. Likewise, the decryption and policy authentication check of step S212 are also performed by hardware consisting of a microprocessor with the corresponding function.
Further, in the embodiment shown in Fig. 3, step S140 follows step S130: judge whether all of the change flag information has been sent successfully. If so, the security policy server 10 returns to step S110 and continues to monitor changes to the security policy modules, while the security policy client 20 executes its processing flow (steps S210, S220 and so on, in order) according to the change flag information; otherwise the server waits until all of the change flag information has been sent successfully.
It will be understood that other embodiments may include only step S140 without steps S122/S212, or only steps S122 and S212 without step S140.
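The following is an added worked example and is not part of the patent or of EVOC's implementation: a Python simulation of steps S110 to S230 together with the optional authentication step S122/S212 and the send check S140. The patent performs encryption and policy authentication in a cryptographic coprocessor; this simulation substitutes a software HMAC over the change flag information (an assumption made so that the example runs offline), and the module identifiers, version numbers, shared key and site names are constructed for the example. Two points the prose states but does not show are visible in the code: because the client imports the module by ID from the server at step S220, it always receives the version the server currently holds, so a replayed or out-of-order flag cannot downgrade it; and because the server keeps its flags until every client has received them, a site that was unreachable simply receives the flags on the next cycle.

```python
# Added example, not from the patent: a software simulation of steps S110-S230, the
# S122/S212 authentication step and the S140 send check; all values are constructed.
import hashlib
import hmac
import json
from collections import namedtuple

ADD, DELETE, UPGRADE = "add", "delete", "upgrade"  # change types named in the patent

ChangeFlag = namedtuple("ChangeFlag", "module_id change_type")  # ID number + change type

def seal(key: bytes, flag: ChangeFlag) -> bytes:
    """S122 stand-in: HMAC over the flag; the patent does this in a crypto coprocessor."""
    body = json.dumps([flag.module_id, flag.change_type]).encode()
    return body + b"|" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def unseal(key: bytes, msg: bytes):
    """S212 stand-in: verify the tag; returns None when the message must be discarded."""
    body, _, tag = msg.rpartition(b"|")  # JSON body is ASCII and hex has no '|'
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).hexdigest().encode()):
        return None
    return ChangeFlag(*json.loads(body))

class PolicyServer:  # security policy server 10
    def __init__(self, key: bytes):
        self.key = key
        self.modules = {}  # module set 12: module_id -> version
        self.pending = []  # flags not yet delivered to every client

    def admin_edit(self, module_id: str, change_type: str) -> None:
        """S110/S120: an administrator change is captured and its flag generated."""
        if change_type == ADD:
            self.modules[module_id] = 1
        elif change_type == DELETE:
            del self.modules[module_id]
        elif change_type == UPGRADE:
            self.modules[module_id] += 1
        self.pending.append(ChangeFlag(module_id, change_type))

    def send_all(self, clients) -> bool:
        """S130/S140: send pending flags; clear them only once every client has them."""
        for client in (c for c in clients if c.online):
            client.inbox.extend(seal(self.key, f) for f in self.pending)
        if not all(c.online for c in clients):
            return False  # an unreachable site: keep the flags and retry next cycle
        self.pending.clear()  # all sent: back to S110 monitoring
        return True

class PolicyClient:  # security policy client 20
    def __init__(self, server: PolicyServer, key: bytes, online: bool = True):
        self.server, self.key, self.online = server, key, online
        self.inbox, self.loaded, self.log = [], {}, []  # loaded: module_id -> running version

    def poll(self) -> int:
        """S210: one timer tick; returns how many flags passed the check and were applied."""
        applied = 0
        while self.inbox:
            flag = unseal(self.key, self.inbox.pop(0))
            if flag is None:
                self.log.append("rejected: bad authentication tag")
                continue
            self.apply(flag)
            applied += 1
        return applied

    def apply(self, flag: ChangeFlag) -> None:
        """S220/S230: import the module by ID from the server, then enable it per change type."""
        mid = flag.module_id
        if flag.change_type == DELETE:
            if self.loaded.pop(mid, None) is not None:
                self.log.append(f"unloaded {mid}")
            return
        version = self.server.modules[mid]  # S220: import whatever the server holds now
        if flag.change_type == ADD and mid not in self.loaded:
            self.loaded[mid] = version
            self.log.append(f"loaded {mid} v{version}")
        elif flag.change_type == UPGRADE and self.loaded.get(mid) != version:
            if mid in self.loaded:
                self.log.append(f"unloaded {mid} v{self.loaded[mid]}")  # old one first
            self.loaded[mid] = version
            self.log.append(f"loaded {mid} v{version}")

def run_demo():
    key = b"constructed-demo-key"
    server = PolicyServer(key)
    site_a, site_b = PolicyClient(server, key), PolicyClient(server, key, online=False)
    for module_id, change in [("fw-rules", ADD), ("usb-guard", ADD), ("fw-rules", UPGRADE)]:
        server.admin_edit(module_id, change)
    first = server.send_all([site_a, site_b])   # site_b unreachable: flags retained (S140)
    site_a.poll()
    site_b.online = True
    second = server.send_all([site_a, site_b])  # retry: all delivered, flags cleared
    site_a.poll(), site_b.poll()
    server.admin_edit("usb-guard", DELETE)
    server.send_all([site_a, site_b])
    site_a.poll(), site_b.poll()
    site_a.inbox.append(seal(b"wrong-key", ChangeFlag("fw-rules", DELETE)))  # forged: fails S212
    site_a.poll()
    return first, second, dict(site_a.loaded), dict(site_b.loaded), list(site_a.log)
```

Running `run_demo()` shows site A loading `fw-rules` at version 2 directly, because the upgrade had already been applied on the server before the import; the replayed flags on the second send are absorbed without effect; and the message sealed under the wrong key is logged as rejected and never reaches the enable step.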
Fig. 4 is a schematic structural diagram of the security policy change system in one embodiment. In this embodiment the security policy server 10 comprises, in addition to the security policy module set 12, a monitoring module 14, a change flag information generation module 16 and a sending module 18; the security policy client 20 comprises a query module 22, a security policy import module 24 and a security policy enable module 26.
The monitoring module 14 monitors the system administrator's changes to the security policy modules in the security policy module set 12, including the administrator's addition, deletion and upgrade operations on a particular security policy module.
The change flag information generation module 16 generates change flag information when the monitoring module 14 captures a modification of a security policy module. The change flag information has two parts:
(1) the ID (identification) number of the security policy module, which identifies which security policy module has been changed;
(2) the change type, which identifies the category of change made to the security policy module, including addition, deletion and upgrade of the security policy module.
The sending module 18 sends the change flag information to the security policy client 20 over the network.
The query module 22 queries whether the change flag information sent by the sending module 18 has been received.
After receipt of the change flag information is confirmed, the security policy import module 24 imports the modified security policy module from the security policy server 10 over the network according to the ID number in the change flag information.
The security policy enable module 26 enables the imported security policy module according to the change type. If the security policy server 10 has added a security policy module, the security policy client 20 immediately loads and runs the new security policy module; if the security policy server 10 has deleted a security policy module, the security policy client 20 immediately unloads that security policy module and deletes the corresponding security policy module; if the security policy server 10 has upgraded a security policy module, the security policy client 20 first unloads the old security policy module and then loads and runs the upgraded security policy module.
Fig. 5 is a schematic structural diagram of the security policy change system in another embodiment. In this embodiment the security policy server 10 further comprises an encryption and policy authentication processor 17, and the security policy client 20 further comprises a decryption and policy authentication check processor 21 and a timer 23. The encryption and policy authentication processor 17 encrypts the change flag information and applies policy authentication processing to it before the sending module 18 sends it; the decryption and policy authentication check processor 21 decrypts the change flag information received by the security policy client 20 and applies a policy authentication check to it. These processes are carried out automatically by hardware without software involvement. Encrypting and decrypting the transmitted data in hardware strengthens the security of the policy data transmission.
The query module 22 uses periodic querying: according to the clock signal of the timer 23, it queries at regular intervals whether change flag information has been received. If the security policy client 20 has not received change flag information, it does nothing and waits for the next periodic query interval.
The above embodiments express only several implementations of the present invention, and their description is fairly specific and detailed, but this should not be interpreted as limiting the scope of the patent claims of the present invention. It should be pointed out that a person of ordinary skill in the art can also make certain variations and improvements without departing from the inventive concept, and these all fall within the scope of protection of the present invention. The scope of protection of the present patent is therefore defined by the appended claims.

Claims (10)

1. A security policy change method, comprising the following steps:
monitoring changes to the security policy modules in the security policy module set of a security policy server;
when a modification of a security policy module is captured, generating change flag information, said change flag information comprising the ID number and the change type of the modified security policy module;
sending said change flag information to a security policy client over a network;
the security policy client querying whether said change flag information has been received;
after confirming that said change flag information has been received, said security policy client importing the modified security policy module from said security policy server over the network according to said ID number;
enabling the imported security policy module according to said change type.
2. The security policy change method according to claim 1, characterized in that said change type comprises addition, deletion and upgrade of a security policy module; and in said step of enabling the imported security policy module according to the change type, a newly added security policy module is loaded and run, a deleted security policy module is unloaded, and for an upgraded security policy module the old security policy module is first unloaded and then the upgraded security policy module is loaded and run.
3. The security policy change method according to claim 1, characterized in that after the step of sending said change flag information to the security policy client over the network, the method further comprises judging whether all of said change flag information has been sent successfully, and if so, clearing the change flag information on said security policy server and continuing the step of monitoring changes to the security policy modules of the security policy server.
4. The security policy change method according to any one of claims 1 to 3, characterized in that before the step of sending said change flag information to the security policy client over the network, the method further comprises a step of encrypting said change flag information and applying policy authentication processing to it; and after confirming that said change flag information has been received, said security policy client further performs a step of decrypting said change flag information and applying a policy authentication check to it.
5. The security policy change method according to claim 4, characterized in that said encrypting of said change flag information and policy authentication processing, and said decrypting of said change flag information and policy authentication check, are performed by hardware having the corresponding function, without software involvement.
6. A security policy change system, comprising a security policy server and a security policy client, characterized in that
said security policy server comprises:
a security policy module set, comprising all the security policy modules that said security policy client needs to load and run;
a monitoring module for monitoring changes to the security policy modules in said security policy module set;
a change flag information generation module for generating change flag information when the monitoring module captures a modification of a security policy module, said change flag information comprising the ID number and the change type of the modified security policy module;
a sending module for sending said change flag information to the security policy client over a network;
and said security policy client comprises:
a query module for querying whether said change flag information has been received;
a security policy import module for importing, after confirming that said change flag information has been received, the modified security policy module from said security policy server over the network according to said ID number;
a security policy enable module for enabling the imported security policy module according to said change type.
7. The security policy change system according to claim 6, characterized in that said change type comprises addition, deletion and upgrade of a security policy module; and said security policy import module is used to load and run a newly added security policy module, to unload a deleted security policy module, and, for an upgraded security policy module, to first unload the old security policy module and then load and run the upgraded security policy module.
8. The security policy change system according to claim 6, characterized in that said security policy server comprises an encryption and policy authentication processor for encrypting said change flag information and applying policy authentication processing to it before the sending module sends said change flag information; and said security policy client comprises a decryption and policy authentication check processor for decrypting the received change flag information and applying a policy authentication check to it.
9. The security policy change system according to claim 6, characterized in that said security policy client comprises a timer, and said query module periodically queries, according to the clock signal of the timer, whether said change flag information has been received.
10. The security policy change system according to claim 6, characterized in that said security policy change system is built on a Loongson hardware platform.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201310694822.XA (CN104717194A) | 2013-12-16 | 2013-12-16 | Security policy change method and system

Publications (1)

Publication Number | Publication Date
CN104717194A | 2015-06-17

Family ID: 53416163

Country Status (1)

Country | Link
CN | CN104717194A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN106067886A (en) * | 2016-08-03 | 2016-11-02 | 广州唯品会信息科技有限公司 | Security strategy update method and system
CN106067886B (en) * | 2016-08-03 | 2019-06-14 | 广州品唯软件有限公司 | Security strategy update method and system
CN107463852A (en) * | 2017-06-28 | 2017-12-12 | 北京北信源软件股份有限公司 | Based on protection devices of the ApacheRanger to Hadoop company-datas and guard method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20060143179A1 (en) * | 2004-12-29 | 2006-06-29 | Motorola, Inc. | Apparatus and method for managing security policy information using a device management tree
CN101340444A (en) * | 2008-08-26 | 2009-01-07 | 华为技术有限公司 | Fireproof wall and server policy synchronization method, system and apparatus
CN101977217A (en) * | 2010-10-15 | 2011-02-16 | 中兴通讯股份有限公司 | Widget updating method and system as well as Widget client and Widget server


Legal Events

Date | Code | Title
C06 | Publication
PB01 | Publication
SE01 | Entry into force of request for substantive examination
RJ01 | Rejection of invention patent application after publication

Application publication date: 20150617