CN104735026B - Security strategy control method and device - Google Patents
Publication number: CN104735026B (application CN201310704252.8A)
Authority: CN (China)
Legal status: Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
Abstract
An embodiment of the present invention provides a security policy control method and device. The method includes: obtaining the filter object data contained in the security policies of a firewall; normalizing the filter object data of each security policy by merging the data of each filter object, to obtain the normalized data of each filter object, so that the normalized data of each filter object contains no duplicate data; comparing, for any two security policies in the same security zone, the two normalized data sets of the same filter object; and, if the two normalized data sets of any filter object contain identical data, determining that the two security policies have a redundancy relationship. The embodiment of the present invention determines quickly and accurately whether security policies in a firewall are redundant.
Description
Technical field
Embodiments of the present invention relate to the technical field of network security, and in particular to a security policy control method and device.
Background technology
A firewall is a network security system that, through preset security policies, decides which data is allowed through and which data is rejected, thereby implementing data filtering and protecting network resources.
A security policy consists of filter objects and a filter action, and the filter action is either allow or deny. A security policy is configured by setting the data corresponding to each filter object, for example the specific addresses, subnets and address ranges of an address object, or the specific port numbers, protocol names and applications of a service object. Transmitted data that matches the filter object data of a security policy is handled according to the filter action of that policy.
Because a firewall contains a large number of security policies, updating them is difficult. The inventors found, in the course of realizing the present invention, that a large number of security policies easily leads to redundancy, which reduces the operation and maintenance (O&M) efficiency of the firewall. How to determine quickly and accurately whether security policies in a firewall are redundant, so that redundancy problems can be resolved quickly, has therefore become a technical problem that those skilled in the art urgently need to solve.
Summary of the invention
In order to determine quickly and accurately whether security policies in a firewall are redundant, an embodiment of the present invention provides a security policy control method and device.
To achieve the above object, the embodiment of the present invention provides the following technical solution:
In a first aspect, a security policy control method is provided, including:
obtaining the filter object data contained in the security policies of a firewall;
normalizing the filter object data of each security policy by merging the data of each filter object, to obtain the normalized data of each filter object, so that the normalized data of each filter object contains no duplicate data;
comparing, for any two security policies in the same security zone, the two normalized data sets of the same filter object;
if the two normalized data sets of any filter object contain identical data, determining that the two security policies have a redundancy relationship.
In a first possible implementation of the first aspect, the two security policies are a first security policy and a second security policy, and the two normalized data sets of the same filter object are the first normalized data of the first security policy and the second normalized data of the second security policy.
After determining that the two security policies have a redundancy relationship, the method further includes:
if, for every filter object, the first normalized data of the two normalized data sets contains all of the second normalized data, determining that the second security policy is a completely redundant security policy, and otherwise a partially redundant security policy.
With reference to the first possible implementation of the first aspect, a second possible implementation of the first aspect is also provided, in which determining that the second security policy of the second normalized data is a completely redundant security policy when the first normalized data of every filter object contains the second normalized data includes:
when, for every filter object, the first normalized data of the two normalized data sets contains all of the second normalized data, determining that the second security policy is a completely redundant security policy if the match priority of the first security policy is higher than the match priority of the second security policy, and otherwise a partially redundant security policy.
With reference to the first aspect or any of the above possible implementations of the first aspect, a third possible implementation of the first aspect is also provided, in which comparing the two normalized data sets of the same filter object in any two security policies of the same security zone includes:
in order of match priority, comparing each security policy with every security policy that has a lower match priority and is not a completely redundant security policy, by comparing the two normalized data sets of the same filter object in the two security policies.
With reference to the first aspect or any of the above possible implementations of the first aspect, a fourth possible implementation of the first aspect is also provided, in which normalizing the filter object data of each security policy by merging the data of each filter object to obtain the normalized data of each filter object includes:
for each security policy, resolving the nesting relationships in filter object data that contains nested data;
merging the data of each filter object and converting it to the same data type, to obtain the normalized data of each filter object, so that the normalized data of each filter object contains no duplicate data.
In a second aspect, a security policy control device is provided, including:
a data acquisition unit, configured to obtain the filter object data contained in the security policies of a firewall;
a normalization unit, configured to normalize the filter object data of each security policy by merging the data of each filter object, to obtain the normalized data of each filter object, so that the normalized data of each filter object contains no duplicate data;
a comparison unit, configured to compare, for any two security policies in the same security zone, the two normalized data sets of the same filter object;
a first redundancy determination unit, configured to determine that the two security policies have a redundancy relationship if the two normalized data sets of any filter object contain identical data.
In a first possible implementation of the second aspect, the device further includes:
a second redundancy determination unit, configured to determine that the second security policy, to which the second normalized data belongs, is a completely redundant security policy if, for every filter object, the first normalized data of the two normalized data sets contains all of the second normalized data, and otherwise a partially redundant security policy.
With reference to the first possible implementation of the second aspect, a second possible implementation of the second aspect is also provided, in which the second redundancy determination unit is specifically configured to determine that the second security policy is a completely redundant security policy if, for every filter object, the first normalized data of the two normalized data sets contains all of the second normalized data and the match priority of the first security policy, to which the first normalized data belongs, is higher than the match priority of the second security policy, to which the second normalized data belongs, and otherwise a partially redundant security policy.
With reference to the second aspect or any of the above possible implementations of the second aspect, a third possible implementation of the second aspect is also provided, in which the comparison unit is specifically configured to compare, in order of match priority, each security policy with every security policy of lower match priority, by comparing the two normalized data sets of the same filter object in the two security policies.
With reference to the second aspect or any of the above possible implementations of the second aspect, a fourth possible implementation of the second aspect is also provided, in which the normalization unit includes:
a flattening subunit, configured to resolve, for each security policy, the nesting relationships in filter object data that contains nested data;
a normalization subunit, configured to merge the data of each filter object and convert it to the same data type, to obtain the normalized data of each filter object, so that the normalized data of each filter object contains no duplicate data.
In summary, an embodiment of the present invention provides a security policy control method and device. The filter object data of each security policy in a firewall is normalized to obtain the normalized data of each filter object; for any two security policies in the same security zone, the two normalized data sets of the same filter object are compared; and if the two normalized data sets of any filter object contain identical data, the two security policies are determined to have a redundancy relationship. This determines quickly and accurately whether security policies in a firewall are redundant. Because the normalized data contains no duplicates, the amount of comparison work is reduced, which further improves the efficiency of judging security policy redundancy.
Description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of one embodiment of a security policy control method provided by an embodiment of the present invention;
Fig. 2 is a flowchart of another embodiment of the security policy control method provided by an embodiment of the present invention;
Fig. 3 is a flowchart of yet another embodiment of the security policy control method provided by an embodiment of the present invention;
Fig. 4 is a structural diagram of one embodiment of a security policy control device provided by an embodiment of the present invention;
Fig. 5 is a structural diagram of another embodiment of the security policy control device provided by an embodiment of the present invention;
Fig. 6 is a structural diagram of yet another embodiment of the security policy control device provided by an embodiment of the present invention;
Fig. 7 is a structural diagram of one embodiment of a control device provided by an embodiment of the present invention;
Fig. 8 is a structural diagram of one embodiment of a firewall provided by an embodiment of the present invention.
Detailed description of embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative work fall within the scope of protection of the present invention.
An embodiment of the present invention may include the following: obtaining the filter object data of the security policies in a firewall; normalizing the filter object data of each security policy to obtain the normalized data of each filter object; and comparing, for any two security policies in the same security zone, the two normalized data sets of the same filter object. If the two normalized data sets of any filter object contain identical data, the two security policies can be determined to have a redundancy relationship. By comparing the normalized filter object data, whether security policies in the firewall are redundant can be determined quickly and accurately. Because the normalized data contains no duplicates, the amount of comparison work is reduced, further improving the efficiency of judging security policy redundancy.
Fig. 1 is a flowchart of one embodiment of a security policy control method provided by an embodiment of the present invention. The method may include the following steps:
101: Obtain the filter object data contained in each security policy of the firewall.
The filter objects include at least an address object and a service object.
A firewall contains a large number of security policies, and each security policy consists of filter objects and a filter action. The filter object data constitutes the filter condition of the security policy; when no filter object data is set, the firewall can deny or allow all transmitted data. For transmitted data that matches the filter condition, the filter action can be specified as deny or allow.
For a traditional firewall, the filter objects mainly include address objects and service objects. An address object is a source address object or a destination address object. A service is an information flow that conforms to a protocol standard; a service has certain characteristics, such as its protocol and port number, so a service object can include a port object and a protocol object, and a port object can in turn be a source port object or a destination port object.
Filter object data can therefore include source address data, destination address data, source port data, destination port data and protocol data. Source address data and destination address data consist of at least one of multiple addresses, multiple subnets and multiple address ranges, and can filter access to addresses or subnets. Source port data and destination port data mainly consist of multiple port numbers, and protocol data mainly consists of protocol names; these can filter access to ports or protocols.
For a next-generation firewall, the filter objects mainly include address objects and service objects, and can additionally include user objects, application objects and time objects. User object data, such as user names, can restrict the access rights of users. Application data, such as application names, for example RDP (Remote Desktop Protocol) or P2P (peer-to-peer) applications, can restrict access by applications. Time object data consists of multiple time periods or recurring time periods, such as 4:00-6:00 or daily 5:00-8:00, and can restrict the time of access.
In a policy data configuration scheme based on object references, filter object data is defined in advance, and the predefined filter object data is referenced directly when a security policy is configured. The predefined filter object data can be referenced by different security policies, and several groups of filter object data may be predefined for the same filter object; for example, an address object can contain multiple address sets, and there can be nesting relationships between the address sets.
102: Normalize the filter object data of each security policy by merging the data of each filter object, to obtain the normalized data of each filter object, so that the normalized data of each filter object contains no duplicate data.
Since each filter object may contain multiple data items, the data of the same filter object may contain duplicates. For example, address object data that contains multiple addresses and multiple address ranges may have an address range that includes at least one of the individual addresses, and different address ranges may include the same individual address. For address object data consisting of 1.1.1.1, 1.1.1.2, 1.1.1.4 and 1.1.1.3-1.1.1.5, the address range 1.1.1.3-1.1.1.5 clearly includes the address 1.1.1.4.
To reduce the amount of data processing, in the embodiment of the present invention the data of every filter object of every security policy is normalized, which includes merging the data of each filter object so that the resulting normalized data contains no duplicate data; that is, the normalized data is the filter object data with the duplicates removed. For the address object data 1.1.1.1, 1.1.1.2, 1.1.1.4, 1.1.1.3-1.1.1.5 above, the normalized data after merging is 1.1.1.1-1.1.1.5.
When the filter objects also include a time object, the time periods of the time object are merged; for example, 4:00-6:00 and 5:00-8:00 can be merged into 4:00-8:00.
During normalization, for a filter object that contains no duplicate data, the normalized data is simply the original data of the filter object.
103: Compare, for any two security policies in the same security zone, the two normalized data sets of the same filter object.
A firewall performs access control based on security zones: what a security policy specifically controls is whether transmitted data from a source security zone to a destination security zone is allowed or denied. Redundancy problems exist only between policies of the same security zone, so in the embodiment of the present invention any two security policies of the same security zone are compared. Every security policy includes a source security zone and a destination security zone; "same security zone" here means that both the source security zone and the destination security zone are the same.
104: If the two normalized data sets of any filter object contain identical data, determine that the two security policies have a redundancy relationship.
If, in two security policies, the two normalized data sets of any filter object intersect, the two security policies can be determined to have a redundancy relationship.
After security policies with a redundancy relationship are identified, a prompt message can also be output to prompt the user to handle the security policies that have a redundancy relationship.
In this embodiment, the filter object data of each security policy in the firewall is normalized to obtain the normalized data of each filter object, and for any two security policies in the same security zone the two normalized data sets of the same filter object are compared. If the two normalized data sets of any filter object contain identical data, the two security policies can be determined to have a redundancy relationship. By comparing the normalized filter object data, whether security policies in the firewall are redundant can be determined quickly and accurately. Because the normalized data contains no duplicates, the amount of comparison work is reduced, further improving the efficiency of judging security policy redundancy.
Fig. 2 is a flowchart of another embodiment of the security policy control method provided by an embodiment of the present invention. The method may include the following steps:
201: Obtain the filter object data contained in the security policies of the firewall; the filter objects include at least an address object and a service object.
202: Normalize the filter object data of each security policy by merging the data of each filter object, to obtain the normalized data of each filter object, so that the normalized data of each filter object contains no duplicate data.
203: Compare, for any two security policies in the same security zone, the two normalized data sets of the same filter object.
204: If the two normalized data sets of any filter object contain identical data, determine that the two security policies have a redundancy relationship.
Steps 201 to 204 are the same as steps 101 to 104 and are not described again here.
205: Judge whether, for every filter object, the first normalized data of the two normalized data sets contains the second normalized data; if so, go to step 206, otherwise go to step 207.
206: Determine that, of the two security policies, the second security policy is a completely redundant security policy.
207: Determine that, of the two security policies, the second security policy is a partially redundant security policy.
The two security policies are a first security policy and a second security policy; for the same filter object, the normalized data of the first security policy is the first normalized data and the normalized data of the second security policy is the second normalized data. If, for every filter object, the first normalized data of the two normalized data sets contains all of the second normalized data, that is, the intersection of the first normalized data and the second normalized data equals the second normalized data, then the second security policy, to which the second normalized data belongs, is a completely redundant security policy.
When the first security policy and the second security policy have a redundancy relationship, if the first normalized data of the filter objects in the two policies contains only part of the second normalized data, that is, the intersection of the first normalized data and the second normalized data is not equal to the second normalized data, the second security policy is a partially redundant security policy. The case in which the first normalized data of each filter object does not contain the second normalized data includes the case in which the first normalized data of at least one filter object does not contain the second normalized data.
The security policies in the firewall have match priorities. Transmitted data is matched against the security policies in order of match priority; once a security policy matching the transmitted data is found, matching ends and the remaining security policies are not matched.
Therefore, to further improve the accuracy of the redundant security policy determination, when it is determined that for every filter object the first normalized data of the two normalized data sets contains the second normalized data, the second security policy is determined to be a completely redundant security policy if the match priority of the first security policy is higher than the match priority of the second security policy, and otherwise a partially redundant security policy.
That is, if for every filter object the first normalized data of the two normalized data sets contains the second normalized data, but the match priority of the first security policy is lower than the match priority of the second security policy, the second security policy is a partially redundant security policy.
Completely redundant security policies and partially redundant security policies can be handled differently. A completely redundant security policy can be deleted from the firewall by the system. For a partially redundant security policy, a redundancy prompt message can be output to inform the user that a partially redundant security policy exists, so that the user is reminded to handle it promptly, reducing the amount of redundancy in the firewall and improving O&M efficiency.
In this embodiment, the filter object data of each security policy in the firewall is normalized to obtain the normalized data of each filter object, and for any two security policies in the same security zone the two normalized data sets of the same filter object are compared. If the two normalized data sets of any filter object contain identical data, the two security policies can be determined to have a redundancy relationship; if the first normalized data of the two normalized data sets contains the second normalized data, the second security policy, to which the second normalized data belongs, can be determined to be a completely redundant security policy, and otherwise a partially redundant security policy, so that security policies of different redundancy types can be handled differently. This embodiment determines quickly and accurately whether security policies in the firewall are redundant. Because the normalized data contains no duplicates, the amount of comparison work is reduced, further improving the efficiency of judging security policy redundancy.
Fig. 3 is a flowchart of yet another embodiment of the security policy control method provided by an embodiment of the present invention. The method may include the following steps:
301: Obtain the filter object data contained in the security policies of the firewall; the filter objects include at least an address object and a service object.
302: For each security policy, resolve the nesting relationships in filter object data that contains nested data.
303: Merge the data of each filter object and convert it to the same data type, to obtain the normalized data of each filter object, so that the normalized data of each filter object contains no duplicate data.
In a policy data configuration scheme based on object references, filter object data is predefined, and the predefined filter object data is referenced directly when a security policy is configured.
The predefined filter object data can be referenced by different security policies, and several groups of filter object data may be defined for the same filter object. Each group can contain multiple data items, and the groups can be nested in one another. For example, an address object can contain multiple address sets with nesting relationships between them: if address set A contains 1.1.1.1, 1.1.1.2, 1.1.1.4 and address set B, and address set B contains 1.1.1.3-1.1.1.5, then address set A nests the data of address set B.
Therefore, during normalization, filter object data with nesting relationships is flattened by resolving the nesting. For address set A above, the flattened result is: 1.1.1.1, 1.1.1.2, 1.1.1.4, 1.1.1.3-1.1.1.5.
The data of each filter object is then merged and converted to the same data type.
For filter object data with nesting relationships, the data whose nesting has been resolved is merged; for address set A above, the merged data can be 1.1.1.1-1.1.1.5.
During merging, if the merged data forms a contiguous sequence, it can be expressed as a data range. For example, address set A with the duplicates removed is 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5; these addresses are contiguous, so the merged data can be expressed as the address range 1.1.1.1-1.1.1.5.
Converting to the same data type means unifying data of different types into one data type, which makes the data easier to compare.
Of course, the data type conversion need not be performed during normalization; it can also be performed when the data is compared.
When the filter object data in the security policies is normalized, the data of all filter objects is extracted first. These filter objects include the source address object and destination address object among the address objects, and the source port object, destination port object and protocol object among the service objects. They can also include user objects, application objects and time objects.
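Steps 102 and 302-303 above (flatten nested sets, convert to one data type, merge so nothing repeats) as an added worked example; this is illustration code written for this page, not code from the patent. The address sets A and B are the page's own example, the time periods are the page's 4:00-6:00 / 5:00-8:00 example, and the choice of an integer interval as the common data type is an assumption.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

Interval = Tuple[int, int]  # inclusive [lo, hi] on a common integer scale

# Address sets as a policy configuration might reference them, constructed to
# mirror the patent's example: set A nests set B. A leaf item may be a single
# address, a range "lo-hi" or a CIDR subnet.
ADDRESS_SETS: Dict[str, List[str]] = {
    "A": ["1.1.1.1", "1.1.1.2", "1.1.1.4", "B"],
    "B": ["1.1.1.3-1.1.1.5"],
}


def flatten(name: str, sets: Dict[str, List[str]], path: Tuple[str, ...] = ()) -> List[str]:
    """Step 302: resolve nesting and return the leaf items of an address set.
    A set that references itself, directly or indirectly, is a configuration error."""
    if name in path:
        raise ValueError(f"cyclic nesting: {' -> '.join(path + (name,))}")
    leaves: List[str] = []
    for item in sets[name]:
        if item in sets:  # a reference to another set rather than an address
            leaves.extend(flatten(item, sets, path + (name,)))
        else:
            leaves.append(item)
    return leaves


def to_interval(item: str) -> Interval:
    """Step 303, same-data-type conversion: address, range or CIDR to an int interval."""
    if "-" in item:
        lo, hi = (ipaddress.IPv4Address(s.strip()) for s in item.split("-", 1))
    else:
        net = ipaddress.IPv4Network(item, strict=False)
        lo, hi = net.network_address, net.broadcast_address
    if hi < lo:
        raise ValueError(f"inverted range: {item}")
    return int(lo), int(hi)


def merge(intervals: Iterable[Interval], gap: int = 1) -> List[Interval]:
    """Merge overlapping intervals. With gap=1, adjacent integers (1.1.1.2 and
    1.1.1.3) also merge, so contiguous runs become one range and no value repeats."""
    merged: List[Interval] = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + gap:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def render_addresses(intervals: List[Interval]) -> List[str]:
    """Present merged intervals the way the page does: single address or lo-hi range."""
    out: List[str] = []
    for lo, hi in intervals:
        a, b = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        out.append(str(a) if lo == hi else f"{a}-{b}")
    return out


def normalize_address_set(name: str, sets: Dict[str, List[str]]) -> List[str]:
    """Steps 302 + 303 for one address object: flatten, convert, merge, render."""
    return render_addresses(merge(to_interval(i) for i in flatten(name, sets)))


def merge_time_periods(periods: List[str]) -> List[str]:
    """Time-object variant: periods such as "4:00-6:00" merge when they overlap or touch."""
    def minutes(t: str) -> int:
        h, m = t.strip().split(":")
        return int(h) * 60 + int(m)

    def clock(m: int) -> str:
        return f"{m // 60}:{m % 60:02d}"

    ivs: List[Interval] = []
    for p in periods:
        start, end = (minutes(s) for s in p.split("-", 1))
        ivs.append((start, end))
    return [f"{clock(lo)}-{clock(hi)}" for lo, hi in merge(ivs, gap=0)]


if __name__ == "__main__":
    print(normalize_address_set("A", ADDRESS_SETS))       # ['1.1.1.1-1.1.1.5']
    print(merge_time_periods(["4:00-6:00", "5:00-8:00"]))  # ['4:00-8:00']
```

A set without duplicates comes back unchanged, as the page requires, and a cyclic reference between sets raises instead of recursing forever.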
304:According to matching priority orders, any security strategy is matched into the low security strategy of priority with than it respectively
It is compared, compares two normalization datas of identical filtering object in two security strategies.
305:If two normalization datas of any filtering object determine two safe plans there are identical data
Slightly there are redundancy relationships.
306;Judge whether the first normalization data in two normalization datas of each filtering object returns including second
One changes data, if so, step 307 is performed, if not, performing step 309.
307:Judge whether the matching priority of the first security strategy of first normalization data is more than described second
The matching priority of second security strategy of normalization data, if so, 308 are entered step, if not, performing step 309.
308:It determines in two security strategies, second security strategy is completely redundant security strategy.
309:It determines in two security strategies, second security strategy is partial redundance security strategy.
When a redundancy relationship exists between the first security policy and the second security policy, if for each filtering object in the two security policies the first normalized data of the two normalized data include the second normalized data, and the matching priority of the first security policy is higher than the matching priority of the second security policy, the second security policy is determined to be a completely redundant security policy; otherwise it is a partially redundant security policy.
That is, if the first normalized data of the two normalized data of the filtering objects include only part of the data of the second normalized data, or if the first normalized data include all of the data of the second normalized data but the matching priority of the first security policy is lower than the matching priority of the second security policy, then the second security policy is a partially redundant security policy.
In this embodiment, when the security policies are compared, the security policies in the same security domain are taken in matching priority order, and each security policy is compared in turn with the security policies whose matching priority is lower. A firewall contains a large number of security policies, and each security policy has a matching priority; when data are filtered, they are matched against the security policies in order from the highest matching priority to the lowest, and as soon as a matching security policy is found the matching process can end and the data are handled according to that security policy. Therefore, in this embodiment each security policy is compared with the security policies of lower matching priority, to determine whether those lower-priority security policies are redundant.
Comparing each security policy with the security policies of lower matching priority, to determine whether those lower-priority security policies are redundant, can specifically be carried out as follows: in matching priority order, the security policy with the highest matching priority is compared with each security policy whose matching priority is lower than its own, to determine the completely redundant security policies and the partially redundant security policies;
when the comparison of the security policy with the highest matching priority is finished, a security policy that has a lower matching priority than the highest and is not a completely redundant security policy is selected according to matching priority, and is compared in turn with each security policy that has a lower matching priority than its own and is not a completely redundant security policy, to determine the completely redundant security policies and the partially redundant security policies, until every security policy has been compared with the security policies of lower matching priority.
Completely redundant security policies and partially redundant security policies can be handled differently. A completely redundant security policy can be deleted from the firewall by the system. For a partially redundant security policy, a redundancy prompt message can be output to inform the user that a partially redundant security policy exists, so that the user is reminded to deal with the partially redundant security policy in time, which reduces the amount of redundancy in the firewall and improves operation and maintenance efficiency.
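As an added worked example (not code from the patent), the following Python implements the normalization and steps 304 to 309 described above, together with the priority-ordered comparison, on constructed sample policies: nested address and service groups are flattened, every filtering object is converted to the same data type (merged integer intervals), and each pair of policies in the same security domain is classified as not redundant, partially redundant or completely redundant. The object names, policy names and the `Policy` fields are assumptions, and the example further assumes that a redundancy relationship requires shared data in every filtering object, the reading under which two policies can actually match the same traffic.

```python
from collections import namedtuple
from ipaddress import ip_network

# Every filtering object kind becomes sorted, merged, inclusive integer intervals,
# i.e. addresses, ports and protocols are converted to the same data type.
KINDS = {"src_addr": "addr", "dst_addr": "addr", "src_port": "port",
         "dst_port": "port", "protocol": "proto"}
ANY_RANGE = {"addr": (0, 2**32 - 1), "port": (0, 65535), "proto": (0, 255)}
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}
# priority: larger value = matched earlier; filters: filtering object -> literals/object names
Policy = namedtuple("Policy", "name priority src_domain dst_domain filters")

def flatten(members, objects, seen=()):
    """Release data nesting: replace references to named objects by their members."""
    out = []
    for m in members:
        if m in objects:
            if m in seen:
                raise ValueError(f"cyclic object reference: {m}")
            out.extend(flatten(objects[m], objects, seen + (m,)))
        else:
            out.append(m)
    return out

def parse_item(item, kind):
    """Convert one address/port/protocol literal into an inclusive integer interval."""
    if item == "any":
        return ANY_RANGE[kind]
    if kind == "addr":
        net = ip_network(item, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    if kind == "proto":
        return PROTO_NUM[item], PROTO_NUM[item]
    lo, _, hi = item.partition("-")          # "80" or "8000-8080"
    return int(lo), int(hi or lo)

def normalize(members, objects, kind):
    """Flatten, convert to intervals and merge overlaps, so no data is repeated."""
    merged = []
    for lo, hi in sorted(parse_item(m, kind) for m in flatten(members, objects)):
        if merged and lo <= merged[-1][1] + 1:   # overlapping or adjacent
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def intersect(a, b):   # data shared by two normalized sets; non-empty = identical data
    return [(max(l1, l2), min(h1, h2)) for l1, h1 in a for l2, h2 in b
            if max(l1, l2) <= min(h1, h2)]

def covers(a, b):      # a includes all of b, i.e. intersect(a, b) equals b
    return all(any(l1 <= l2 and h2 <= h1 for l1, h1 in a) for l2, h2 in b)

def classify(first, second, objects):
    """Steps 305-309 for one pair: None, "partial" or "complete" (verdict on second)."""
    if (first.src_domain, first.dst_domain) != (second.src_domain, second.dst_domain):
        return None   # only policies in the same security domain can be redundant
    n1, n2 = ({fo: normalize(p.filters[fo], objects, k) for fo, k in KINDS.items()}
              for p in (first, second))
    # Assumption: the redundancy relationship needs shared data in every filtering
    # object; if one object is disjoint the policies never match the same traffic.
    if not all(intersect(n1[fo], n2[fo]) for fo in KINDS):
        return None
    if all(covers(n1[fo], n2[fo]) for fo in KINDS) and first.priority > second.priority:
        return "complete"
    return "partial"

def find_redundant(policies, objects):
    """Compare in matching-priority order; completely redundant policies drop out."""
    ordered = sorted(policies, key=lambda p: p.priority, reverse=True)
    verdict = {}
    for i, first in enumerate(ordered):
        if verdict.get(first.name) == "complete":
            continue
        for second in ordered[i + 1:]:
            if verdict.get(second.name) == "complete":
                continue
            r = classify(first, second, objects)
            if r == "complete" or (r == "partial" and second.name not in verdict):
                verdict[second.name] = r
    return verdict

# Constructed sample data (not from the patent): nested and duplicated object groups.
OBJECTS = {
    "office_net": ["10.1.0.0/24", "10.1.1.0/24"],
    "office_all": ["office_net", "10.1.2.0/24"],    # nests office_net
    "web_ports": ["80", "443"],
    "web_ports_dup": ["80", "443", "web_ports"],    # repeats after flattening
}
def pol(name, prio, src_dom, dst_dom, src, dport):   # remaining objects: any / tcp
    return Policy(name, prio, src_dom, dst_dom, {"src_addr": src, "dst_addr": ["any"],
                  "src_port": ["any"], "dst_port": dport, "protocol": ["tcp"]})

POLICIES = [
    pol("P1", 100, "trust", "untrust", ["office_all"], ["web_ports_dup"]),
    pol("P2", 90, "trust", "untrust", ["10.1.1.0/24"], ["443"]),          # inside P1
    pol("P3", 80, "trust", "untrust", ["10.1.0.0/16"], ["80", "8080"]),   # overlaps P1
    pol("P4", 70, "trust", "untrust", ["office_net"], ["22"]),            # disjoint port
    pol("P5", 60, "dmz", "untrust", ["10.1.1.0/24"], ["443"]),            # other domain
]
```

`find_redundant(POLICIES, OBJECTS)` returns `{'P2': 'complete', 'P3': 'partial'}`: P2 is a candidate for deletion, while P3 only warrants a redundancy prompt.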
In this embodiment, the filtering object data of each security policy in the firewall are normalized to obtain the normalized data of the filtering objects, and, according to matching priority, the two normalized data of the same filtering object in two security policies of the same security domain are compared. If the two normalized data of any filtering object contain identical data, it can be determined that a redundancy relationship exists between the two security policies; if the first normalized data of the two normalized data include the second normalized data and the matching priority of the first security policy is higher than that of the second security policy, it can be determined that the second security policy corresponding to the second normalized data is a completely redundant security policy, and otherwise a partially redundant security policy, so that security policies of different redundancy types are handled differently. This embodiment can quickly and accurately determine whether the security policies in the firewall are redundant. Moreover, the normalized data contain no repeated data, which reduces the comparison workload and further improves the efficiency of the security policy redundancy determination.
For the sake of brevity, each of the foregoing method embodiments is expressed as a series of combined actions; those skilled in the art should know, however, that the present invention is not limited by the described order of actions, because according to the embodiments of the present invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are preferred embodiments, and that the actions and modules involved are not necessarily required by the present invention.
Fig. 4 is a structural diagram of an embodiment of a security policy control device provided by an embodiment of the present invention. The device may include:
Data acquisition unit 401, for obtaining the filtering object data included in the security policies in the firewall.
The filtering objects include at least address objects and service objects.
Normalization unit 402, for normalizing the filtering object data of each security policy by merging the data of each filtering object, to obtain normalized data for each filtering object such that the normalized data of each filtering object contain no identical data.
During normalization, for a filtering object that does not contain identical data, the normalized data are still the original data of the filtering object.
Comparing unit 403, for comparing the two normalized data of the same filtering object in any two security policies of the same security domain.
The firewall performs access control on the basis of security domains: what a security policy specifically controls is whether transmitted data from a source security domain to a destination security domain are allowed or rejected. Only policies in the same security domain can have a redundancy problem.
Every security policy includes a source security domain and a destination security domain; "the same security domain" here means that the source security domains are the same and the destination security domains are also the same.
First redundancy determination unit 404, for determining that a redundancy relationship exists between the two security policies if the two normalized data of any filtering object contain identical data.
If, in the two security policies, the two normalized data of any filtering object have an intersection, it can be determined that a redundancy relationship exists between the two security policies.
After the security policies having a redundancy relationship are determined, a prompt message may also be output, to prompt the user to deal with the security policies having the redundancy relationship.
In this embodiment, the filtering object data of each security policy in the firewall are normalized to obtain the normalized data of the filtering objects, and the two normalized data of the same filtering object in any two security policies of the same security domain are compared. If the two normalized data of any filtering object contain identical data, it can be determined that a redundancy relationship exists between the two security policies. By comparing the normalized data of the filtering objects, whether the security policies in the firewall are redundant can be determined quickly and accurately. The normalized data contain no repeated data, which further improves the efficiency of the security policy redundancy determination.
Fig. 5 is a structural diagram of an embodiment of a security policy control device provided by an embodiment of the present invention. The device may include:
Data acquisition unit 501, for obtaining the filtering object data included in the security policies in the firewall.
The filtering objects include at least address objects and service objects.
Normalization unit 502, for normalizing the filtering object data of each security policy by merging the data of each filtering object, to obtain normalized data for each filtering object such that the normalized data of each filtering object contain no identical data.
Comparing unit 503, for comparing the two normalized data of the same filtering object in any two security policies of the same security domain.
First redundancy determination unit 504, for determining that a redundancy relationship exists between the two security policies if the two normalized data of any filtering object contain identical data.
Second redundancy determination unit 505, for determining, if the first normalized data of the two normalized data of each filtering object include all of the data of the second normalized data, that the second security policy of the second normalized data is a completely redundant security policy, and otherwise a partially redundant security policy.
The any two security policies include a first security policy and a second security policy; for the same filtering object, the normalized data of the first security policy are the first normalized data and the normalized data of the second security policy are the second normalized data. If, for each filtering object, the first normalized data of the two normalized data include all of the data of the second normalized data, that is, the intersection of the first normalized data and the second normalized data equals the second normalized data, then the second security policy corresponding to the second normalized data is a completely redundant security policy.
When a redundancy relationship exists between the first security policy and the second security policy, if the first normalized data of the filtering objects in the two security policies include only part of the data of the second normalized data, that is, the intersection of the first normalized data and the second normalized data is not equal to the second normalized data, the second security policy is a partially redundant security policy. The case in which the first normalized data of each filtering object do not include the second normalized data covers the case in which the first normalized data of at least one filtering object do not include the second normalized data.
The security policies in the firewall have matching priorities; transmitted data are matched against the security policies in turn according to matching priority, and once a security policy matching the transmitted data is found the matching operation ends, with no further matching against the remaining security policies.
Therefore, to further improve the accuracy of the redundant security policy determination, when the second redundancy determination unit determines that the first normalized data of the two normalized data of each filtering object include the second normalized data, it determines that the second security policy is a completely redundant security policy if the matching priority of the first security policy is higher than the matching priority of the second security policy, and otherwise that it is a partially redundant security policy.
Completely redundant security policies and partially redundant security policies can be handled differently. A completely redundant security policy can be deleted from the firewall by the system. For a partially redundant security policy, a redundancy prompt message can be output to inform the user that a partially redundant security policy exists, so that the user is reminded to deal with the partially redundant security policy in time, which reduces the amount of redundancy in the firewall and improves operation and maintenance efficiency.
In this embodiment, the filtering object data of each security policy in the firewall are normalized to obtain the normalized data of the filtering objects, and the two normalized data of the same filtering object in any two security policies of the same security domain are compared. If the two normalized data of any filtering object contain identical data, it can be determined that a redundancy relationship exists between the two security policies; if the first normalized data of the two normalized data include the second normalized data, the second security policy corresponding to the second normalized data can be determined to be a completely redundant security policy, and otherwise a partially redundant security policy, so that security policies of different redundancy types are handled differently. This embodiment quickly and accurately determines whether the security policies in the firewall are redundant. Moreover, the normalized data contain no repeated data, which reduces the comparison workload and further improves the efficiency of the security policy redundancy determination.
Fig. 6 is a structural diagram of another embodiment of a security policy control device provided by an embodiment of the present invention. The device may include:
Data acquisition unit 601, for obtaining the filtering object data included in the security policies in the firewall.
The filtering objects include at least address objects and service objects;
Normalization unit 602, for normalizing the filtering object data of each security policy by merging the data of each filtering object, to obtain normalized data for each filtering object such that the normalized data of each filtering object contain no identical data.
In this embodiment, the normalization unit 602 may include:
Flattening unit 6021, for releasing, for each security policy, the data nesting relationships of the filtering object data that have data nesting relationships;
Normalization subunit 6023, for merging the data of each filtering object and converting them into the same data type, to obtain normalized data for each filtering object such that the normalized data of each filtering object contain no identical data.
Comparing unit 603, for comparing, in matching priority order, each security policy with each security policy whose matching priority is lower than its own, comparing the two normalized data of the same filtering object in the two security policies.
As a possible implementation, the comparing unit 603 may include:
First comparing subunit: for comparing, in matching priority order, the security policy with the highest matching priority with each security policy whose matching priority is lower than its own, to determine the completely redundant security policies and the partially redundant security policies, and for triggering the second comparing subunit;
Second comparing subunit: for selecting, according to matching priority, a security policy that has a lower matching priority than the highest and is not a completely redundant security policy, and comparing it in turn with each security policy that has a lower matching priority than its own and is not a completely redundant security policy, to determine the completely redundant security policies and the partially redundant security policies, until every security policy has been compared with the security policies of lower matching priority.
First redundancy determination unit 604, for determining that a redundancy relationship exists between the two security policies if the two normalized data of any filtering object contain identical data.
Second redundancy determination unit 605, for determining, if the first normalized data of the two normalized data of each filtering object include all of the data of the second normalized data and the matching priority of the first security policy of the first normalized data is higher than the matching priority of the second security policy of the second normalized data, that the second security policy is a completely redundant security policy, and otherwise a partially redundant security policy.
Completely redundant security policies and partially redundant security policies can be handled differently. A completely redundant security policy can be deleted from the firewall by the system. For a partially redundant security policy, a redundancy prompt message can be output to inform the user that a partially redundant security policy exists, so that the user is reminded to deal with the partially redundant security policy in time, which reduces the amount of redundancy in the firewall and improves operation and maintenance efficiency.
Therefore the device may also include:
Processing unit, for deleting the second security policy.
Prompt unit, for outputting a redundancy prompt message, to inform the user that a partially redundant security policy exists.
In this embodiment, the filtering object data of each security policy in the firewall are normalized to obtain the normalized data of the filtering objects, and, according to matching priority, the two normalized data of the same filtering object in two security policies of the same security domain are compared. If the two normalized data of any filtering object contain identical data, it can be determined that a redundancy relationship exists between the two security policies; if the first normalized data of the two normalized data include the second normalized data and the matching priority of the first security policy is higher than that of the second security policy, it can be determined that the second security policy corresponding to the second normalized data is a completely redundant security policy, and otherwise a partially redundant security policy, so that security policies of different redundancy types are handled differently. This embodiment can quickly and accurately determine whether the security policies in the firewall are redundant. Moreover, the normalized data contain no repeated data, which reduces the comparison workload and further improves the efficiency of the security policy redundancy determination.
In practical applications, the security policy control device described in the above embodiments may be integrated into a firewall, or may be a third-party device that has established a connection with the firewall. A firewall or device on which the security policy control device of the embodiment of the present invention is deployed can quickly and accurately determine whether security policies are redundant.
As can be seen from the above description, those skilled in the art can clearly understand that the present invention can be implemented by means of software plus the necessary general-purpose hardware platform. Therefore, referring to Fig. 7, an embodiment of the present invention also provides a control device. The control device includes at least a processor 701, and a memory 702 and a receiver 703 each connected to the processor 701 by a bus.
The memory 702 stores a set of program instructions. The memory 702 may be a high-speed RAM memory or a non-volatile memory, for example at least one magnetic disk memory.
The processor 701 is used to call the program instructions stored in the memory 702 and perform the following operations:
triggering the receiver 703 to obtain the filtering object data included in the security policies in the firewall;
normalizing the filtering object data of each security policy by merging the data of each filtering object, to obtain normalized data for each filtering object such that the normalized data of each filtering object contain no identical data;
comparing the two normalized data of the same filtering object in any two security policies of the same security domain;
if the two normalized data of any filtering object contain identical data, determining that a redundancy relationship exists between the two security policies.
The processor 701 may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
Optionally, the processor 701 may be used to perform any of the security policy control methods shown in Fig. 1 to Fig. 3 provided by the embodiments of the present invention.
The control device can perform redundancy determination for the security policies in different firewalls.
Referring to Fig. 8, the present invention also provides a firewall. The firewall includes at least a processor 801 and a memory 802 connected to the processor 801 by a bus.
The processor 701 is used to call the program instructions stored in the memory 702 and perform the following operations:
obtaining the filtering object data included in the security policies;
normalizing the filtering object data of each security policy by merging the data of each filtering object, to obtain normalized data for each filtering object such that the normalized data of each filtering object contain no identical data;
comparing the two normalized data of the same filtering object in any two security policies of the same security domain;
if the two normalized data of any filtering object contain identical data, determining that a redundancy relationship exists between the two security policies.
The processor may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
Optionally, the processor may be used to perform any of the security policy control methods shown in Fig. 1 to Fig. 3 provided by the embodiments of the present invention.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the identical or similar parts the embodiments may be referred to one another. Since the device disclosed in an embodiment corresponds to the method disclosed in an embodiment, its description is fairly brief, and the relevant parts can be found in the description of the method.
Finally, it should be noted that relational terms such as "first" and "second" are used herein merely to distinguish one entity or operation from another entity or operation, without necessarily requiring or implying any actual relationship or order between these entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
For convenience of description, the device above is described as divided into various units by function. Of course, when implementing the present invention the functions of the units may be realized in the same or in multiple pieces of software and/or hardware.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by means of software plus the necessary general-purpose hardware platform. Based on such an understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product; the computer software product can be stored in a storage medium, such as a ROM/RAM, a magnetic disk or an optical disc, and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform the method described in each embodiment, or in some parts of the embodiments, of the present invention.
The foregoing description of the disclosed embodiments enables those skilled in the art to realize or use the present invention. Various modifications of these embodiments will be apparent to those skilled in the art, and the general principles defined herein can be realized in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A security policy control method, characterized in that it comprises:
obtaining the filtering object data included in the security policies in a firewall;
normalizing the filtering object data of each security policy by merging the data of each filtering object, to obtain normalized data for each filtering object such that the normalized data of each filtering object contain no identical data;
comparing the two normalized data of the same filtering object in any two security policies of the same security domain;
if the two normalized data of any filtering object contain identical data, determining that a redundancy relationship exists between the two security policies.
2. The method according to claim 1, characterized in that the any two security policies comprise a first security policy and a second security policy, and the two normalized data of the same filtering object comprise first normalized data of the first security policy and second normalized data of the second security policy;
after it is determined that a redundancy relationship exists between the two policies, the method further comprises:
if the first normalized data of the two normalized data of each filtering object include all of the data of the second normalized data, determining that the second security policy is a completely redundant security policy, and otherwise a partially redundant security policy.
3. The method according to claim 2, characterized in that determining, when the first normalized data of the two normalized data of each filtering object include all of the data of the second normalized data, that the second security policy of the second normalized data is a completely redundant security policy comprises:
when the first normalized data of the two normalized data of each filtering object include all of the data of the second normalized data, if the matching priority of the first security policy is higher than the matching priority of the second security policy, determining that the second security policy is a completely redundant security policy, and otherwise a partially redundant security policy.
4. The method according to any one of claims 1 to 3, characterized in that comparing the two normalized data of the same filtering object in any two security policies of the same security domain comprises:
in matching priority order, comparing each security policy with each security policy whose matching priority is lower than its own, comparing the two normalized data of the same filtering object in the two security policies.
5. The method according to any one of claims 1 to 3, characterized in that normalizing the filtering object data of each security policy by merging the data of each filtering object to obtain the normalized data of each filtering object comprises:
for each security policy, releasing the data nesting relationships of the filtering object data that have data nesting relationships;
merging the data of each filtering object and converting them into the same data type, to obtain normalized data for each filtering object such that the normalized data of each filtering object contain no identical data.
6. A security policy control device, characterized in that it comprises:
a data acquisition unit, for obtaining the filtering object data included in the security policies in a firewall;
a normalization unit, for normalizing the filtering object data of each security policy by merging the data of each filtering object, to obtain normalized data for each filtering object such that the normalized data of each filtering object contain no identical data;
a comparing unit, for comparing the two normalized data of the same filtering object in any two security policies of the same security domain;
a first redundancy determination unit, for determining that a redundancy relationship exists between the two security policies if the two normalized data of any filtering object contain identical data.
7. The device according to claim 6, characterized in that it further comprises:
a second redundancy determination unit, for determining, if the first normalized data of the two normalized data of each filtering object include all of the data of the second normalized data, that the second security policy of the second normalized data is a completely redundant security policy, and otherwise a partially redundant security policy.
8. The device according to claim 7, characterized in that the second redundancy determination unit is specifically for determining, if the first normalized data of the two normalized data of each filtering object include all of the data of the second normalized data and the matching priority of the first security policy of the first normalized data is higher than the matching priority of the second security policy of the second normalized data, that the second security policy is a completely redundant security policy, and otherwise a partially redundant security policy.
9. The device according to any one of claims 6 to 8, characterized in that the comparing unit is specifically for comparing, in matching priority order, each security policy with each security policy whose matching priority is lower than its own, comparing the two normalized data of the same filtering object in the two security policies.
10. The device according to any one of claims 6 to 8, characterized in that the normalization unit comprises:
a flattening unit, for releasing, for each security policy, the data nesting relationships of the filtering object data that have data nesting relationships;
a normalization subunit, for merging the data of each filtering object and converting them into the same data type, to obtain normalized data for each filtering object such that the normalized data of each filtering object contain no identical data.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310704252.8A CN104735026B (en) | 2013-12-19 | 2013-12-19 | Security strategy control method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104735026A CN104735026A (en) | 2015-06-24 |
CN104735026B true CN104735026B (en) | 2018-05-18 |
Family
ID=53458465
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310704252.8A Active CN104735026B (en) | 2013-12-19 | 2013-12-19 | Security strategy control method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104735026B (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106603524A (en) * | 2016-12-09 | 2017-04-26 | 浙江宇视科技有限公司 | Method for combining safety rules and intelligent device |
CN107094143B (en) * | 2017-04-28 | 2020-08-04 | 杭州迪普科技股份有限公司 | Method and device for detecting policy redundancy |
CN108768879B (en) * | 2018-04-26 | 2022-04-22 | 新华三信息安全技术有限公司 | Method and device for adjusting policy priority |
CN113098883B (en) * | 2021-04-13 | 2021-11-26 | 四川玖优创信息科技有限公司 | Block chain and big data based security protection method and block chain service system |
CN114039853B (en) * | 2021-11-15 | 2024-02-09 | 天融信雄安网络安全技术有限公司 | Method and device for detecting security policy, storage medium and electronic equipment |
CN114389897B (en) * | 2022-03-18 | 2022-06-10 | 苏州市卫生计生统计信息中心 | IT infrastructure security policy centralized management and control optimization method |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6826698B1 (en) * | 2000-09-15 | 2004-11-30 | Networks Associates Technology, Inc. | System, method and computer program product for rule based network security policies |
CN101753369A (en) * | 2008-12-03 | 2010-06-23 | 北京天融信网络安全技术有限公司 | Method and device for detecting firewall rule conflict |
CN103259761A (en) * | 2012-02-15 | 2013-08-21 | 深圳市证通电子股份有限公司 | Firewall system based on Android platform and construction method thereof |
- 2013-12-19 CN CN201310704252.8A patent/CN104735026B/en active Active
Non-Patent Citations (3)
Title |
---|
Detecting and Resolving Firewall Policy Anomalies; Hongxin Hu et al.; IEEE Transactions on Dependable and Secure Computing; 20120131; full text * |
Firewall verification and redundancy checking are equivalent; H. B. Acharya et al.; INFOCOM, 2011 Proceedings IEEE; 20110415; full text * |
Lightweight detecting and resolving algorithm for firewall policy conflict; Qi Xiao et al.; Ubiquitous and Future Networks (ICUFN) 2013 Fifth International Conference; 20130705; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN104735026A (en) | 2015-06-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104735026B (en) | Security strategy control method and device | |
CN108123936B (en) | Access control method and system based on block chain technology | |
KR101986081B1 (en) | Method for sharing and verifing a block between specific nodes in a blockchain | |
Li et al. | Blockchain-based security architecture for distributed cloud storage | |
CN107276762A (en) | The method of work and device of a kind of multi-protocols block chain | |
CN108876383A (en) | A kind of data trade method, device and equipment based on block chain | |
CN108829691B (en) | Rural electronic commerce data storage method | |
CN108197138A (en) | The method and system for the matching subscription information that releases news in publish/subscribe system | |
CN108156240A (en) | A kind of method and system of industry adapter access server | |
CN105894159A (en) | Implementation method of cross-domain and cross-platform user unified management system | |
CN104702638A (en) | Event subscribing and dispatching method and device | |
CN109344611A (en) | Access control method, terminal device and the medium of application | |
CN103516763B (en) | Method for processing resource and system and device | |
CN109524065A (en) | Medical data querying method, medical data platform and relevant apparatus | |
CN101958842B (en) | Flow control method based on user | |
CN110197064A (en) | Process handling method and device, storage medium and electronic device | |
CN105306481B (en) | A kind of operating method of access control policy rules | |
CN109345311A (en) | The method and device that credit is mutually known between different financial institution | |
CN105704093B (en) | A kind of firewall access control policy error-checking method, apparatus and system | |
CN108280147A (en) | Data management method and device | |
CN109995759A (en) | A kind of method and relevant apparatus of physical machine access VPC | |
US8201228B2 (en) | System and method for securing a network | |
CN111190959A (en) | Data-based encryption method and system for block chain decentralized storage | |
CN110502474A (en) | Order allocation method, device and storage medium based on distributed memory system | |
CN113239255B (en) | Heterogeneous data resource sharing method and device, computer equipment and medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |