CN104735026B - Security strategy control method and device - Google Patents


Info

Publication number: CN104735026B
Authority: CN (China)
Prior art keywords: data; security strategy; normalization; filtering object; security
Legal status: Active
Application number: CN201310704252.8A
Other languages: Chinese (zh)
Other versions: CN104735026A (en)
Inventor: 刘剑波
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies

Abstract

An embodiment of the present invention provides a security policy ("security strategy" in the title) control method and device. The method comprises: obtaining the filter object data contained in the security policies of a firewall; normalizing the filter object data of each security policy by merging the data of each filter object, so that the normalized data of each filter object contains no duplicate values; comparing, for any two security policies whose security domains are identical, the two normalized data sets of each identical filter object; and, if the two normalized data sets of any filter object share identical data, determining that the two security policies have a redundancy relationship. The embodiment determines quickly and accurately whether the security policies in a firewall are redundant.

Description

Security strategy control method and device
Technical field
The embodiments of the present invention relate to the field of network security, and in particular to a security policy ("security strategy" in the title) control method and device.
Background
A firewall is a network security system that, according to preset security policies, decides which data is allowed through and which is rejected. It filters data in this way and so protects network resources.
A security policy is made up of filter objects and a filter action, where the filter action is either permit or deny. A policy is configured by setting the data of its filter objects, for example specific addresses, subnets or address ranges for an address object, and specific port numbers or application protocol names for a service object. Transmitted data that matches the filter object data of a policy is handled according to that policy's filter action.
Because a firewall contains a large number of security policies and updating them is difficult, the inventor found while working on the present invention that the large number of policies easily leads to redundancy, which lowers the operation and maintenance efficiency of the firewall. How to determine quickly and accurately whether the security policies in a firewall are redundant, so that redundancy problems can be resolved promptly, has therefore become an urgent technical problem for those skilled in the art.
Summary
To determine quickly and accurately whether the security policies in a firewall are redundant, an embodiment of the present invention provides a security policy control method and device.
To achieve this, the embodiments provide the following technical solution:
In a first aspect, a security policy control method is provided, comprising:
obtaining the filter object data contained in the security policies of the firewall;
normalizing the filter object data of each security policy by merging the data of each filter object, so as to obtain normalized data for each filter object that contains no duplicate values;
comparing, for any two security policies whose security domains are identical, the two normalized data sets of each identical filter object;
if the two normalized data sets of any filter object share identical data, determining that the two security policies have a redundancy relationship.
In a first possible implementation of the first aspect, the two arbitrary security policies comprise a first security policy and a second security policy, and the two normalized data sets of an identical filter object comprise first normalized data belonging to the first security policy and second normalized data belonging to the second security policy;
after determining that the two policies have a redundancy relationship, the method further comprises:
if, for each filter object, the first normalized data includes all of the second normalized data, determining that the second security policy is a completely redundant security policy, and otherwise a partially redundant security policy.
With reference to the first possible implementation of the first aspect, a second possible implementation of the first aspect is also provided, in which determining that the second security policy is completely redundant when the first normalized data of each filter object includes the second normalized data comprises:
when, for each filter object, the first normalized data includes all of the second normalized data, determining that the second security policy is completely redundant if the match priority of the first security policy is higher than the match priority of the second security policy, and otherwise partially redundant.
With reference to the first aspect or any of its possible implementations above, a third possible implementation of the first aspect is also provided, in which comparing the two normalized data sets of each identical filter object in any two security policies whose security domains are identical comprises:
in match-priority order, comparing each security policy with every security policy whose match priority is lower than its own and that is not a completely redundant security policy, by comparing the two normalized data sets of each identical filter object in the two policies.
With reference to the first aspect or any of its possible implementations above, a fourth possible implementation of the first aspect is also provided, in which normalizing the filter object data of each security policy, merging the data of each filter object and obtaining the normalized data of each filter object comprises:
for each security policy, resolving the nesting relationships of any filter object data that is nested;
merging the data of each filter object and converting it to a single data type, so as to obtain normalized data for each filter object that contains no duplicate values.
In a second aspect, a security policy control device is provided, comprising:
a data acquisition unit, for obtaining the filter object data contained in the security policies of the firewall;
a normalization unit, for normalizing the filter object data of each security policy by merging the data of each filter object, so as to obtain normalized data for each filter object that contains no duplicate values;
a comparison unit, for comparing, for any two security policies whose security domains are identical, the two normalized data sets of each identical filter object;
a first redundancy determination unit, for determining that the two security policies have a redundancy relationship if the two normalized data sets of any filter object share identical data.
In a first possible implementation of the second aspect, the device further comprises:
a second redundancy determination unit, for determining that the second security policy, to which the second normalized data belongs, is a completely redundant security policy if, for each filter object, the first normalized data includes all of the second normalized data, and otherwise a partially redundant security policy.
With reference to the first possible implementation of the second aspect, a second possible implementation of the second aspect is also provided, in which the second redundancy determination unit is specifically configured to determine that the second security policy is completely redundant if, for each filter object, the first normalized data includes all of the second normalized data and the match priority of the first security policy (to which the first normalized data belongs) is higher than the match priority of the second security policy (to which the second normalized data belongs), and otherwise that it is partially redundant.
With reference to the second aspect or any of its possible implementations above, a third possible implementation of the second aspect is also provided, in which the comparison unit is specifically configured to compare, in match-priority order, each security policy with every security policy whose match priority is lower than its own, comparing the two normalized data sets of each identical filter object in the two policies.
With reference to the second aspect or any of its possible implementations above, a fourth possible implementation of the second aspect is also provided, in which the normalization unit comprises:
a flattening subunit, for resolving, for each security policy, the nesting relationships of any filter object data that is nested;
a normalization subunit, for merging the data of each filter object and converting it to a single data type, so as to obtain normalized data for each filter object that contains no duplicate values.
In summary, the embodiments of the present invention provide a security policy control method and device. The filter object data of each security policy in the firewall is normalized to obtain normalized data for each filter object; for any two security policies whose security domains are identical, the two normalized data sets of each identical filter object are compared, and if the two normalized data sets of any filter object share identical data, the two policies are determined to have a redundancy relationship. This determines quickly and accurately whether the security policies in a firewall are redundant. Because the normalized data contains no duplicate values, the amount of comparison work is reduced, which further improves the efficiency of the redundancy determination.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are introduced briefly below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art may derive other drawings from them without creative effort.
Fig. 1 is a flowchart of one embodiment of a security policy control method provided by an embodiment of the present invention;
Fig. 2 is a flowchart of another embodiment of the security policy control method;
Fig. 3 is a flowchart of yet another embodiment of the security policy control method;
Fig. 4 is a structural diagram of one embodiment of a security policy control device provided by an embodiment of the present invention;
Fig. 5 is a structural diagram of another embodiment of the security policy control device;
Fig. 6 is a structural diagram of yet another embodiment of the security policy control device;
Fig. 7 is a structural diagram of one embodiment of a control device provided by an embodiment of the present invention;
Fig. 8 is a structural diagram of one embodiment of a firewall provided by an embodiment of the present invention.
Detailed description
The technical solutions of the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
An embodiment of the present invention may comprise the following:
The filter object data of the security policies in the firewall is obtained, the filter object data of each security policy is normalized to obtain normalized data for each filter object, and for any two security policies whose security domains are identical the two normalized data sets of each identical filter object are compared. If the two normalized data sets of any filter object share identical data, the two security policies are determined to have a redundancy relationship. Comparing the normalized filter object data determines quickly and accurately whether the security policies in a firewall are redundant, and because the normalized data contains no duplicate values, the amount of comparison work is reduced, which further improves the efficiency of the redundancy determination.
Fig. 1 is a flowchart of one embodiment of a security policy control method provided by an embodiment of the present invention. The method may comprise the following steps:
101: Obtain the filter object data contained in each security policy of the firewall.
The filter objects include at least an address object and a service object.
A firewall contains a large number of security policies, and each security policy consists of filter objects and a filter action. The filter object data forms the filter condition of the policy; when no filter object data is set, the firewall denies or permits all transmitted data. The filter action applied to transmitted data that matches the filter condition is either deny or permit.
In a traditional firewall the filter objects are mainly the address object and the service object. The address object is a source address object or a destination address object. A service is an information flow that follows a protocol standard and has particular characteristics, such as a protocol and a port number, so a service object may comprise a port object and a protocol object, and the port object may in turn be a source port object or a destination port object.
The filter object data may therefore comprise source address data, destination address data, source port data, destination port data and protocol data. Source and destination address data consist of at least one of multiple addresses, multiple subnets and multiple address ranges, and filter access to addresses or subnets. Source and destination port data mainly comprise multiple port numbers, and protocol data mainly comprises protocol names; these filter access to ports or protocols.
In a next-generation firewall the filter objects are again mainly the address object and the service object, and may additionally include a user object, an application object and a time object. User object data, such as user names, can restrict the access rights of users; application data, such as application names, for example RDP (Remote Desktop Protocol) or P2P (peer-to-peer) applications, can restrict access by application; and time object data, consisting of multiple time periods or recurring time periods such as 4:00-6:00 or 5:00-8:00 daily, can restrict access by time.
In policy configuration schemes based on objects, the filter object data is set in advance, and a security policy references the preset filter object data directly when it is configured. The preset filter object data may be referenced by different security policies, and several groups of filter object data may be preset for the same filter object; for example, an address object may contain multiple address sets, and the address sets may be nested in one another.
102: Normalize the filter object data of each security policy by merging the data of each filter object, so that the normalized data of each filter object contains no duplicate values.
Since a filter object may contain multiple data items, the data of one filter object may contain identical values. For example, address object data containing multiple addresses and multiple address ranges may have an address range that includes at least one of the individual addresses, or different address ranges that include the same individual address. If address object data contains 1.1.1.1, 1.1.1.2, 1.1.1.4 and 1.1.1.3-1.1.1.5, the address range 1.1.1.3-1.1.1.5 clearly includes the address 1.1.1.4.
To reduce the amount of data to be processed, the embodiment normalizes the data of every filter object of every security policy, which includes merging the data of each filter object so that the resulting normalized data contains no identical values; that is, the duplicate data in the filter object data is removed. For the address object data above, 1.1.1.1, 1.1.1.2, 1.1.1.4 and 1.1.1.3-1.1.1.5, the merged normalized data is 1.1.1.1-1.1.1.5.
When the filter objects also include a time object, the time periods of the time object are merged in the same way; for example, 4:00-6:00 and 5:00-8:00 can be merged into 4:00-8:00.
For a filter object whose data contains no identical values, the normalized data is simply the original data of the filter object.
103: For any two security policies whose security domains are identical, compare the two normalized data sets of each identical filter object.
A firewall controls access on the basis of security domains: a security policy specifically controls whether transmitted data from a source security domain to a destination security domain is permitted or denied. Only policies within the same security domains can be redundant with respect to each other.
The embodiment therefore compares any two security policies whose security domains are identical.
Every security policy contains a source security domain and a destination security domain; "identical security domains" here means that both the source security domains and the destination security domains are the same.
104: If the two normalized data sets of any filter object share identical data, determine that the two security policies have a redundancy relationship.
If, in the two security policies, the two normalized data sets of any filter object have an intersection, the two policies can be determined to have a redundancy relationship.
After the security policies with a redundancy relationship have been identified, a prompt can also be output to ask the user to deal with them.
In this embodiment, the filter object data of each security policy in the firewall is normalized to obtain normalized data for each filter object, and for any two security policies whose security domains are identical the two normalized data sets of each identical filter object are compared. If the two normalized data sets of any filter object share identical data, the two policies can be determined to have a redundancy relationship. Comparing the normalized filter object data determines quickly and accurately whether the security policies in a firewall are redundant, and because the normalized data contains no duplicate values, the amount of comparison work is reduced, which further improves the efficiency of the redundancy determination.
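The normalization and comparison of steps 101 to 104, as an added Python example that is not part of the patent or of Huawei's code. It maps address, port and time object data to integer intervals so that the address merge and the time-period merge described above use one routine, flattens nested address sets as step 302 later describes, and reports a redundancy relationship only when every filter object of two policies overlaps, which is the condition under which one packet could match both; the page's own wording says "any filter object". The security domain names, the address sets A and B and the sample policies are constructed.

```python
"""Normalization of filter object data and redundancy detection (steps 101-104).
Added illustration; not the patent's or Huawei's own code."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from itertools import combinations

Interval = tuple[int, int]            # closed integer interval [lo, hi]


def parse_address(item: str, address_sets: dict[str, list[str]]) -> list[Interval]:
    """One address item: a host, a range 'a-b' or the name of a nested address
    set; a set is flattened recursively (step 302 of the page)."""
    if item in address_sets:
        return [iv for sub in address_sets[item] for iv in parse_address(sub, address_sets)]
    lo, _, hi = item.partition("-")
    return [(int(IPv4Address(lo)), int(IPv4Address(hi or lo)))]


def parse_port(item: str) -> list[Interval]:
    lo, _, hi = item.partition("-")          # '443' or '8000-8080'
    return [(int(lo), int(hi or lo))]


def parse_time(item: str) -> list[Interval]:
    """'4:00-6:00' -> minutes since midnight, so periods merge like addresses."""
    def minutes(t: str) -> int:
        h, m = t.split(":")
        return int(h) * 60 + int(m)
    lo, hi = item.split("-", 1)
    return [(minutes(lo), minutes(hi))]


def merge(intervals: list[Interval]) -> list[Interval]:
    """Coalesce overlapping or consecutive intervals (step 303): the result is a
    sorted list of disjoint ranges that contains no value twice."""
    merged: list[Interval] = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


@dataclass
class Policy:
    name: str
    src_zone: str                     # source security domain
    dst_zone: str                     # destination security domain
    src: list[str]                    # source address data: hosts, ranges, set names
    dst: list[str]                    # destination address data
    ports: list[str]                  # service object: destination ports
    times: list[str] = field(default_factory=list)   # time object; empty = not set


def normalize(p: Policy, address_sets: dict[str, list[str]]) -> dict[str, list[Interval]]:
    """Step 102: one merged interval list per filter object."""
    return {
        "src": merge([iv for i in p.src for iv in parse_address(i, address_sets)]),
        "dst": merge([iv for i in p.dst for iv in parse_address(i, address_sets)]),
        "ports": merge([iv for i in p.ports for iv in parse_port(i)]),
        "times": merge([iv for i in p.times for iv in parse_time(i)]),
    }


def intersects(a: list[Interval], b: list[Interval]) -> bool:
    """True if the two normalized data sets share a value.  An empty list means the
    object is not set, which the page says matches all data, so it overlaps everything."""
    if not a or not b:
        return True
    i = j = 0
    while i < len(a) and j < len(b):
        if a[i][1] < b[j][0]:
            i += 1
        elif b[j][1] < a[i][0]:
            j += 1
        else:
            return True
    return False


def find_redundant(policies: list[Policy], address_sets: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Steps 103-104: compare every pair of policies with identical security domains
    object by object; report a redundancy relationship when every object overlaps."""
    norm = {p.name: normalize(p, address_sets) for p in policies}
    found = []
    for a, b in combinations(policies, 2):
        if (a.src_zone, a.dst_zone) != (b.src_zone, b.dst_zone):
            continue                                    # different security domains
        if all(intersects(norm[a.name][k], norm[b.name][k]) for k in norm[a.name]):
            found.append((a.name, b.name))
    return found


# Constructed sample: address sets A and B from the page (A nests B), four policies.
ADDRESS_SETS = {"A": ["1.1.1.1", "1.1.1.2", "1.1.1.4", "B"], "B": ["1.1.1.3-1.1.1.5"]}
POLICIES = [
    Policy("P1", "trust", "untrust", ["A"], ["10.0.0.0-10.0.0.255"], ["80", "443"]),
    Policy("P2", "trust", "untrust", ["1.1.1.4"], ["10.0.0.7"], ["443"]),
    Policy("P3", "trust", "untrust", ["1.1.1.4"], ["10.0.0.7"], ["22"]),
    Policy("P4", "dmz", "untrust", ["1.1.1.4"], ["10.0.0.7"], ["443"]),   # other domains
]

if __name__ == "__main__":
    print(normalize(POLICIES[0], ADDRESS_SETS)["src"])   # one range covering 1.1.1.1-1.1.1.5
    print(find_redundant(POLICIES, ADDRESS_SETS))        # [('P1', 'P2')]
```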
Fig. 2 is a flowchart of another embodiment of a security policy control method provided by an embodiment of the present invention. The method may comprise the following steps:
201: Obtain the filter object data contained in the security policies of the firewall, the filter objects including at least an address object and a service object.
202: Normalize the filter object data of each security policy by merging the data of each filter object, so that the normalized data of each filter object contains no duplicate values.
203: For any two security policies whose security domains are identical, compare the two normalized data sets of each identical filter object.
204: If the two normalized data sets of any filter object share identical data, determine that the two security policies have a redundancy relationship.
Steps 201 to 204 are the same as steps 101 to 104 and are not described again here.
205: Judge whether, for each filter object, the first normalized data of the two normalized data sets includes the second normalized data; if so, go to step 206, otherwise go to step 207.
206: Determine that, of the two security policies, the second security policy is a completely redundant security policy.
207: Determine that, of the two security policies, the second security policy is a partially redundant security policy.
The two arbitrary security policies comprise a first security policy and a second security policy; for the same filter object, the normalized data of the first policy is the first normalized data and the normalized data of the second policy is the second normalized data. If, for each filter object, the first normalized data includes all of the second normalized data, that is, the intersection of the first and second normalized data equals the second normalized data, then the second security policy, to which the second normalized data belongs, is a completely redundant security policy.
When the first and second security policies have a redundancy relationship but, for each filter object, the first normalized data includes only part of the second normalized data, that is, the intersection of the first and second normalized data is not equal to the second normalized data, the second security policy is a partially redundant security policy. The case in which the first normalized data of each filter object does not include the second normalized data covers the case in which the first normalized data of at least one filter object does not include the second normalized data.
The security policies in a firewall have match priorities. Transmitted data is matched against the policies in order of match priority; once a policy matches the data, matching stops and the remaining policies are not examined.
To improve the accuracy of the redundant-policy determination further, therefore, when it has been determined that for each filter object the first normalized data includes the second normalized data, the second security policy is determined to be completely redundant if the match priority of the first security policy is higher than that of the second, and partially redundant otherwise.
That is, if for each filter object the first normalized data includes the second normalized data, but the match priority of the first security policy is lower than that of the second, the second security policy is a partially redundant security policy.
Completely redundant and partially redundant security policies can be handled differently. A completely redundant policy can be deleted from the firewall by the system. For a partially redundant policy, a redundancy prompt can be output to inform the user that the policy exists, so that the user is reminded to deal with it promptly, which reduces the amount of redundancy in the firewall and improves operation and maintenance efficiency.
In this embodiment, the filter object data of each security policy in the firewall is normalized to obtain normalized data for each filter object, and for any two security policies whose security domains are identical the two normalized data sets of each identical filter object are compared. If the two normalized data sets of any filter object share identical data, the two policies can be determined to have a redundancy relationship; if the first normalized data of the two normalized data sets includes the second normalized data, the second security policy, to which the second normalized data belongs, can be determined to be completely redundant, and otherwise partially redundant, so that policies of different redundancy types can be handled differently. The embodiment determines quickly and accurately whether the security policies in a firewall are redundant, and because the normalized data contains no duplicate values, the amount of comparison work is reduced, which further improves the efficiency of the redundancy determination.
Fig. 3 be another embodiment of a kind of security strategy control method provided in an embodiment of the present invention flow chart, the party Method can include following steps:
301:The filtering object data that the security strategy in fire wall includes are obtained, the filtering object includes at least address Object and service object.
302:For each security strategy, by the filtering object data with data nest relation, it is embedding to release the data Set relation.
303:Each filtering object data are merged, and are converted into same data type, obtain each filtering object Normalization data so that in the normalization data of each filtering object not include identical data.
Based on object approach realize policy data allocation plan in, pre-set filtering object data, with When putting security strategy, pre-set filtering object data are directly quoted.
The pre-set filtering object data can be quoted by different security strategies, and same filtering object may be set Multigroup filtering object data, every group can include multiple data, can be nested against one another between multigroup filtering object data, such as right In address object, multiple address sets can be included, there can be nest relation between each address set, as address set A is included Data are:1.1.1.1,1.1.1.2,1.1.1.4 and address set B, the data that address set B is included are:1.1.1.3- 1.1.1.5, it is known that address set A is nested with the data of address set B.
Therefore when being normalized, by the filtering object data with data nest relation, the data are released Nest relation carries out flaky process.Such as address above mentioned collection A, the result of flattening is:1.1.1.1 1.1.1.2, 1.1.1.4,1.1.1.3-1.1.1.5.
Each filtering object data are merged, and are converted into same data type.
For the filtering object data with data nest relation, will release the filtering object data of data nest relation into Row merges, such as address above mentioned collection A, the data after merging can be:1.1.1.1-1.1.1.5.
In merging process, if the data after merging have serial relation, table can be carried out in a manner of data area Show, such as be after address above mentioned collection A removal repeated datas:1.1.1.1,1.1.1.2,1.1.1.3,1.1.1.4,1.1.1.5, respectively A address has serial relation, then the data after merging can be expressed as address field 1.1.1.1-1.1.1.5.
It is that different types of data data are unified for same data type to be converted to same data type, and data is facilitated to carry out Compare.
Certain data type conversion can not also carry out during renormalization processing, can when carrying out data and comparing again into Row conversion.
When filtering object data are normalized in security strategy, the number of all filtering objects is extracted first Include source address object, the destination address object in address object according to, these filtering objects, source port object in service object, Destination interface object and protocol object.
It can also include user object, application and time object etc..
304: In matching-priority order, compare each security policy with every security policy whose matching priority is lower than its own, comparing the two normalized data of the same filter object in the two security policies.
305: If the two normalized data of any filter object contain identical data, determine that the two security policies have a redundancy relation.
306: Determine whether, for each filter object, the first normalized data of the two normalized data include the second normalized data; if so, perform step 307; if not, perform step 309.
307: Determine whether the matching priority of the first security policy, to which the first normalized data belong, is higher than the matching priority of the second security policy, to which the second normalized data belong; if so, perform step 308; if not, perform step 309.
308: Determine that, of the two security policies, the second security policy is a fully redundant security policy.
309: Determine that, of the two security policies, the second security policy is a partially redundant security policy.
When the first security policy and the second security policy have a redundancy relation, if for each filter object in the two security policies the first normalized data include the second normalized data, and the matching priority of the first security policy is higher than that of the second security policy, the second security policy is determined to be a fully redundant security policy; otherwise it is a partially redundant security policy.
That is, the second security policy is a partially redundant security policy in either of two cases: the first normalized data of some filter object include only part of the second normalized data; or the first normalized data include all of the second normalized data for every filter object, but the matching priority of the first security policy is lower than that of the second security policy.
When security policies are compared in this embodiment, the security policies of the same security domain pair are taken in order of matching priority, and each security policy is compared in turn with the security policies whose matching priority is lower than its own. A firewall contains a large number of security policies, each with a matching priority; when data are filtered, they are matched against the security policies in order from the highest matching priority to the lowest, and as soon as a matching security policy is found the matching process ends and the data are handled according to that policy. Therefore, in this embodiment each security policy is compared with the security policies of lower matching priority, to determine whether those lower-priority policies are redundant.
Comparing each security policy with the security policies of lower matching priority, to determine whether those policies are redundant, can specifically be done as follows: in matching-priority order, the security policy with the highest matching priority is compared with each security policy whose matching priority is lower, to determine fully redundant security policies and partially redundant security policies.
When the comparison for the security policy with the highest matching priority is finished, the next security policy in matching-priority order that is not a fully redundant security policy is selected and compared in turn with each security policy that has a lower matching priority and is not a fully redundant security policy, again determining fully redundant and partially redundant security policies, until every security policy has been compared with all security policies of lower matching priority.
Fully redundant security policies and partially redundant security policies can be handled differently. A fully redundant security policy is never reached by the matching process, so the system can delete it from the firewall without changing the firewall's behaviour. A partially redundant security policy still matches some data, so for it redundancy prompt information is output to notify the user that a partially redundant security policy exists, reminding the user to handle it promptly; this reduces the amount of redundancy in the firewall and improves operation and maintenance efficiency.
In this embodiment, the filter object data of each security policy in the firewall are normalized to obtain the normalized data of each filter object, and, in matching-priority order, the two normalized data of the same filter object in two security policies with the same security domains are compared. If the two normalized data of any filter object contain identical data, the two security policies are determined to have a redundancy relation; if, for each filter object, the first normalized data include the second normalized data and the matching priority of the first security policy is higher than that of the second security policy, the second security policy to which the second normalized data belong is determined to be a fully redundant security policy, and otherwise a partially redundant security policy, so that security policies of different redundancy types are handled differently. This embodiment can quickly and accurately determine whether the security policies in a firewall are redundant. Because the normalized data contain no repeated data, the comparison workload is reduced, which further improves the efficiency of the redundancy determination.
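Steps 304 to 309, together with the comparison order of one security policy against all lower-priority policies that are not already fully redundant, as an added example that is not the patent's own code (the comparing unit 603 and the redundancy determination units 604 and 605 of Fig. 6 below describe the same logic). The Policy class, the field names, the zone names and the five-rule sample rule base are assumptions made for illustration; each filter object is expected to hold normalized data of the kind the previous section produces. The patent phrases the redundancy trigger as identical data in the normalized data of any filter object; the example requires every filter object to have data in common before it reports a redundancy relation, because only then can a single packet match both policies, which is the condition under which the earlier policy actually shadows the later one.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not code from the patent. Assumed representation: each security
# policy carries its zone pair and, for every filter object, normalized data as a
# sorted list of non-overlapping, non-adjacent closed integer intervals. Matching
# priority is the position in the list passed to classify(): index 0 matches first.

ANY_ADDR = [(0, 0xFFFFFFFF)]   # "any" IPv4 address (single address family assumed)
ANY_PORT = [(0, 65535)]
FIELDS = ("src_addr", "dst_addr", "src_port", "dst_port", "protocol")


@dataclass
class Policy:
    name: str
    src_zone: str
    dst_zone: str
    filters: dict          # field name -> normalized interval list


def cidr(text):
    net = ipaddress.ip_network(text, strict=False)
    return [(int(net.network_address), int(net.broadcast_address))]


def intersects(a, b):
    """True if some value lies in both interval lists (data in common)."""
    i = j = 0
    while i < len(a) and j < len(b):
        if a[i][1] < b[j][0]:
            i += 1
        elif b[j][1] < a[i][0]:
            j += 1
        else:
            return True
    return False


def covers(outer, inner):
    """True if every value of inner lies in outer, i.e. outer ∩ inner == inner.
    Relies on outer being merged: a covered inner interval then sits inside one
    outer interval, which is why normalization precedes comparison."""
    return all(any(olo <= lo and hi <= ohi for olo, ohi in outer) for lo, hi in inner)


def redundancy(first, second):
    """Classify `second` against `first`, where `first` has the higher matching
    priority. Returns None (nothing in common), 'full' or 'partial'."""
    if (first.src_zone, first.dst_zone) != (second.src_zone, second.dst_zone):
        return None                      # redundancy exists only within one zone pair
    if not all(intersects(first.filters[f], second.filters[f]) for f in FIELDS):
        return None                      # no packet can match both policies
    if all(covers(first.filters[f], second.filters[f]) for f in FIELDS):
        return "full"                    # steps 306-308: first includes second
    return "partial"                     # step 309


def classify(policies):
    """Steps 304-309 over a whole rule base. Returns {name: None|'partial'|'full'}."""
    result = {p.name: None for p in policies}
    for i, high in enumerate(policies):
        if result[high.name] == "full":
            continue                     # never matched, so it shadows nothing
        for low in policies[i + 1:]:
            if result[low.name] == "full":
                continue
            rel = redundancy(high, low)
            if rel == "full":
                result[low.name] = "full"
            elif rel == "partial" and result[low.name] is None:
                result[low.name] = "partial"
    return result


def tcp(src, dst, dport):
    """Constructed helper: filters of a TCP policy with any source port."""
    return {"src_addr": src, "dst_addr": dst, "src_port": ANY_PORT,
            "dst_port": dport, "protocol": [(6, 6)]}


# Constructed rule base (not from the patent), in matching-priority order.
RULES = [
    Policy("P1", "trust", "untrust", tcp(cidr("10.0.0.0/24"), ANY_ADDR, [(80, 80)])),
    Policy("P2", "trust", "untrust", tcp(cidr("10.0.0.10/32"), ANY_ADDR, [(80, 80)])),     # inside P1
    Policy("P3", "trust", "untrust", tcp(cidr("10.0.0.0/23"), ANY_ADDR, [(80, 443)])),    # overlaps P1
    Policy("P4", "dmz", "untrust", tcp(cidr("10.0.0.10/32"), ANY_ADDR, [(80, 80)])),       # other zone pair
    Policy("P5", "trust", "untrust", tcp(cidr("192.168.1.1/32"), ANY_ADDR, [(22, 22)])),  # disjoint

]

if __name__ == "__main__":
    for name, kind in classify(RULES).items():
        print(name, kind or "no redundancy")
```

Run on the sample, P2 is reported as fully redundant (its data lie inside P1 and it is evaluated after P1, so it is never reached), P3 as partially redundant (it overlaps P1 but also matches traffic P1 does not), and P4 and P5 as not redundant, P4 because its zone pair differs and P5 because it has no data in common with any earlier policy. Deleting a fully redundant policy leaves the firewall's behaviour unchanged whatever its action is, since first-match evaluation never reaches it; a partially redundant policy still matches some traffic, which is why it is only reported. Note that this pairwise check, like the patent's, does not detect a policy that is shadowed only by the union of several earlier policies; such a policy is reported as partially redundant at most.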
For the sake of brevity, each of the foregoing method embodiments is described as a series of combined actions; those skilled in the art should understand, however, that the present invention is not limited by the described order of actions, since according to the embodiments of the present invention some steps may be performed in another order or simultaneously. Secondly, those skilled in the art should also understand that the embodiments described in the specification are preferred embodiments, and that the actions and modules involved are not necessarily required by the present invention.
Fig. 4 is a structural diagram of an embodiment of a security policy control device provided by an embodiment of the present invention. The device can include:
A data acquisition unit 401, for obtaining the filter object data included in the security policies in a firewall.
The filter objects include at least an address object and a service object.
A normalization unit 402, for normalizing the filter object data of each security policy by merging the data of each filter object, obtaining normalized data for each filter object such that the normalized data of each filter object contain no identical data.
During normalization, for a filter object whose data contain no identical data, the normalized data are simply the original data of the filter object.
A comparing unit 403, for comparing the two normalized data of the same filter object in any two security policies with the same security domains.
The firewall performs access control based on security domains; what a security policy controls is whether data transmitted from a source security domain to a destination security domain are permitted or rejected. Only policies within the same security domain pair can have a redundancy problem.
Each security policy includes a source security domain and a destination security domain; here, "the same security domains" means that the source security domains are the same and the destination security domains are also the same.
A first redundancy determination unit 404, for determining that the two security policies have a redundancy relation if the two normalized data of any filter object contain identical data.
That is, if in the two security policies the two normalized data of any filter object have a non-empty intersection, it can be determined that the two security policies have a redundancy relation.
After the security policies with a redundancy relation have been determined, prompt information can also be output to prompt the user to handle the security policies with the redundancy relation.
In this embodiment, the filter object data of each security policy in the firewall are normalized to obtain the normalized data of each filter object, and the two normalized data of the same filter object in any two security policies with the same security domains are compared. If the two normalized data of any filter object contain identical data, the two security policies can be determined to have a redundancy relation. Because the comparison is made on the normalized filter object data, it can quickly and accurately determine whether the security policies in the firewall are redundant, and because the normalized data contain no repeated data, the efficiency of the redundancy determination is further improved.
Fig. 5 is a structural diagram of another embodiment of a security policy control device provided by an embodiment of the present invention. The device can include:
A data acquisition unit 501, for obtaining the filter object data included in the security policies in a firewall.
The filter objects include at least an address object and a service object.
A normalization unit 502, for normalizing the filter object data of each security policy by merging the data of each filter object, obtaining normalized data for each filter object such that the normalized data of each filter object contain no identical data.
A comparing unit 503, for comparing the two normalized data of the same filter object in any two security policies with the same security domains.
A first redundancy determination unit 504, for determining that the two security policies have a redundancy relation if the two normalized data of any filter object contain identical data.
A second redundancy determination unit 505, for determining, when for each filter object the first normalized data of the two normalized data include all of the second normalized data, that the second security policy to which the second normalized data belong is a fully redundant security policy, and otherwise a partially redundant security policy.
The two arbitrary security policies include a first security policy and a second security policy; for the same filter object, the normalized data of the first security policy are the first normalized data and the normalized data of the second security policy are the second normalized data. If, for each filter object, the first normalized data include all of the second normalized data, i.e. the intersection of the first normalized data and the second normalized data equals the second normalized data, then the second security policy to which the second normalized data belong is a fully redundant security policy.
When the first security policy and the second security policy have a redundancy relation, if for the filter objects in the two security policies the first normalized data include only part of the second normalized data, i.e. the intersection of the first normalized data and the second normalized data is not equal to the second normalized data, the second security policy is a partially redundant security policy. The case in which the first normalized data do not include the second normalized data for each filter object covers the case in which the first normalized data of at least one filter object do not include the second normalized data.
The security policies in the firewall have matching priorities; transmitted data are matched against the security policies in order of matching priority, and once a security policy matching the transmitted data is found, the matching operation ends and the remaining security policies are not matched.
Therefore, to further improve the accuracy of the redundant security policy determination, when the second redundancy determination unit determines that for each filter object the first normalized data of the two normalized data include the second normalized data, it determines that the second security policy is a fully redundant security policy if the matching priority of the first security policy is higher than that of the second security policy, and otherwise a partially redundant security policy.
Fully redundant security policies and partially redundant security policies can be handled differently. A fully redundant security policy can be deleted from the firewall by the system. For a partially redundant security policy, redundancy prompt information can be output to notify the user that a partially redundant security policy exists, reminding the user to handle it promptly; this reduces the amount of redundancy in the firewall and improves operation and maintenance efficiency.
In this embodiment, the filter object data of each security policy in the firewall are normalized to obtain the normalized data of each filter object, and the two normalized data of the same filter object in any two security policies with the same security domains are compared. If the two normalized data of any filter object contain identical data, the two security policies can be determined to have a redundancy relation; if the first normalized data of the two normalized data include the second normalized data, the second security policy to which the second normalized data belong can be determined to be a fully redundant security policy, and otherwise a partially redundant security policy, so that security policies of different redundancy types are handled differently. This embodiment quickly and accurately determines whether the security policies in a firewall are redundant, and because the normalized data contain no repeated data, the comparison workload is reduced and the efficiency of the redundancy determination is further improved.
Fig. 6 is a structural diagram of another embodiment of a security policy control device provided by an embodiment of the present invention. The device can include:
A data acquisition unit 601, for obtaining the filter object data included in the security policies in a firewall.
The filter objects include at least an address object and a service object.
A normalization unit 602, for normalizing the filter object data of each security policy by merging the data of each filter object, obtaining normalized data for each filter object such that the normalized data of each filter object contain no identical data.
In this embodiment, the normalization unit 602 can include:
A flattening subunit 6021, for releasing, for each security policy, the nesting relations in filter object data that have nesting relations;
A normalization subunit 6023, for merging the data of each filter object and converting them into the same data type, obtaining normalized data for each filter object such that the normalized data of each filter object contain no identical data.
A comparing unit 603, for comparing, in matching-priority order, each security policy with the security policies whose matching priority is lower than its own, comparing the two normalized data of the same filter object in the two security policies.
As one possible implementation, the comparing unit 603 can include:
A first comparing subunit, for comparing, in matching-priority order, the security policy with the highest matching priority with each security policy of lower matching priority, to determine fully redundant security policies and partially redundant security policies, and for triggering the second comparing subunit;
A second comparing subunit, for selecting, in matching-priority order, each security policy that has a lower matching priority than the highest and is not a fully redundant security policy, and comparing it in turn with each security policy that has a lower matching priority than it and is not a fully redundant security policy, to determine fully redundant security policies and partially redundant security policies, until every security policy has been compared with all security policies of lower matching priority.
A first redundancy determination unit 604, for determining that the two security policies have a redundancy relation if the two normalized data of any filter object contain identical data.
A second redundancy determination unit 605, for determining that the second security policy is a fully redundant security policy if, for each filter object, the first normalized data of the two normalized data include all of the second normalized data and the matching priority of the first security policy to which the first normalized data belong is higher than the matching priority of the second security policy to which the second normalized data belong, and otherwise a partially redundant security policy.
Fully redundant security policies and partially redundant security policies can be handled differently. A fully redundant security policy can be deleted from the firewall by the system. For a partially redundant security policy, redundancy prompt information can be output to notify the user that a partially redundant security policy exists, reminding the user to handle it promptly; this reduces the amount of redundancy in the firewall and improves operation and maintenance efficiency.
Therefore the device can also include:
A processing unit, for deleting the second security policy when it is a fully redundant security policy.
A prompt unit, for outputting redundancy prompt information to notify the user that a partially redundant security policy exists.
In this embodiment, the filter object data of each security policy in the firewall are normalized to obtain the normalized data of each filter object, and, in matching-priority order, the two normalized data of the same filter object in two security policies with the same security domains are compared. If the two normalized data of any filter object contain identical data, the two security policies can be determined to have a redundancy relation; if the first normalized data of the two normalized data include the second normalized data and the matching priority of the first security policy is higher than that of the second security policy, the second security policy to which the second normalized data belong can be determined to be a fully redundant security policy, and otherwise a partially redundant security policy, so that security policies of different redundancy types are handled differently. This embodiment can quickly and accurately determine whether the security policies in a firewall are redundant, and because the normalized data contain no repeated data, the comparison workload is reduced and the efficiency of the redundancy determination is further improved.
In practical applications, the security policy control device described in the above embodiments can be integrated into a firewall, or can be a third-party device connected to the firewall. A firewall or device on which the security policy control device of the embodiments of the present invention is deployed can quickly and accurately determine whether security policies are redundant.
From the above description, those skilled in the art can clearly understand that the present invention can be implemented by software plus a necessary general-purpose hardware platform. Accordingly, referring to Fig. 7, an embodiment of the present invention further provides a control device, which includes at least a processor 701, and a memory 702 and a receiver 703 each connected to the processor 701 by a bus.
The memory 702 stores a set of program instructions; the memory may be high-speed RAM, or non-volatile memory, for example at least one disk memory.
The processor 701 is used to call the program instructions stored in the memory 702 and perform the following operations:
triggering the receiver 703 to obtain the filter object data included in the security policies in a firewall;
normalizing the filter object data of each security policy by merging the data of each filter object, obtaining normalized data for each filter object such that the normalized data of each filter object contain no identical data;
comparing the two normalized data of the same filter object in any two security policies with the same security domains;
if the two normalized data of any filter object contain identical data, determining that the two security policies have a redundancy relation.
The processor 701 may be a central processing unit (CPU) or an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
Optionally, the processor 701 can be used to perform any of the security policy control methods shown in Fig. 1 to Fig. 3 provided by the embodiments of the present invention.
The control device can perform redundancy determination for the security policies in different firewalls.
Referring to Fig. 8, the present invention also provides a firewall, which includes at least a processor 801 and a memory 802 connected to the processor 801 by a bus.
The processor 801 is used to call the program instructions stored in the memory 802 and perform the following operations:
obtaining the filter object data included in the security policies;
normalizing the filter object data of each security policy by merging the data of each filter object, obtaining normalized data for each filter object such that the normalized data of each filter object contain no identical data;
comparing the two normalized data of the same filter object in any two security policies with the same security domains;
if the two normalized data of any filter object contain identical data, determining that the two security policies have a redundancy relation.
The processor 801 may be a central processing unit (CPU) or an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
Optionally, the processor 801 can be used to perform any of the security policy control methods shown in Fig. 1 to Fig. 3 provided by the embodiments of the present invention.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the same or similar parts the embodiments may be referred to each other. Since the device disclosed in an embodiment corresponds to the method disclosed in an embodiment, its description is relatively simple, and for the relevant parts reference may be made to the description of the method.
Finally, it should be noted that relational terms such as "first" and "second" are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
For convenience of description, the above device is described as divided into various units by function. Of course, when implementing the present invention, the functions of the units can be implemented in one or more pieces of software and/or hardware.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software plus a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored on a storage medium such as ROM/RAM, magnetic disk or optical disc, including instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the methods described in the embodiments of the present invention, or parts of them.
The above description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein can be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A security policy control method, characterized in that it comprises:
obtaining the filter object data included in the security policies in a firewall;
normalizing the filter object data of each security policy by merging the data of each filter object, obtaining normalized data for each filter object such that the normalized data of each filter object contain no identical data;
comparing the two normalized data of the same filter object in any two security policies with the same security domains;
if the two normalized data of any filter object contain identical data, determining that the two security policies have a redundancy relation.
2. The method according to claim 1, characterized in that the two arbitrary security policies comprise a first security policy and a second security policy, and the two normalized data of the same filter object comprise first normalized data of the first security policy and second normalized data of the second security policy;
after determining that the two security policies have a redundancy relation, the method further comprises:
if, for each filter object, the first normalized data of the two normalized data include all of the second normalized data, determining that the second security policy is a fully redundant security policy, and otherwise a partially redundant security policy.
3. The method according to claim 2, characterized in that, when for each filter object the first normalized data of the two normalized data include all of the second normalized data, determining that the second security policy to which the second normalized data belong is a fully redundant security policy comprises:
when for each filter object the first normalized data of the two normalized data include all of the second normalized data, if the matching priority of the first security policy is higher than the matching priority of the second security policy, determining that the second security policy is a fully redundant security policy, and otherwise a partially redundant security policy.
4. The method according to any one of claims 1 to 3, characterized in that comparing the two normalized data of the same filter object in any two security policies with the same security domains comprises:
in matching-priority order, comparing each security policy with each security policy whose matching priority is lower than its own, comparing the two normalized data of the same filter object in the two security policies.
5. The method according to any one of claims 1 to 3, characterized in that normalizing the filter object data of each security policy by merging the data of each filter object and obtaining the normalized data of each filter object comprises:
for each security policy, releasing the nesting relations in filter object data that have nesting relations;
merging the data of each filter object and converting them into the same data type, obtaining normalized data for each filter object such that the normalized data of each filter object contain no identical data.
6. A security policy control device, characterized in that it comprises:
a data acquisition unit, for obtaining the filter object data included in the security policies in a firewall;
a normalization unit, for normalizing the filter object data of each security policy by merging the data of each filter object, obtaining normalized data for each filter object such that the normalized data of each filter object contain no identical data;
a comparing unit, for comparing the two normalized data of the same filter object in any two security policies with the same security domains;
a first redundancy determination unit, for determining that the two security policies have a redundancy relation if the two normalized data of any filter object contain identical data.
7. The device according to claim 6, characterized in that it further comprises:
a second redundancy determination unit, for determining, when for each filter object the first normalized data of the two normalized data include all of the second normalized data, that the second security policy to which the second normalized data belong is a fully redundant security policy, and otherwise a partially redundant security policy.
8. The device according to claim 7, characterized in that the second redundancy determination unit is specifically for determining, when for each filter object the first normalized data of the two normalized data include all of the second normalized data and the matching priority of the first security policy to which the first normalized data belong is higher than the matching priority of the second security policy to which the second normalized data belong, that the second security policy is a fully redundant security policy, and otherwise a partially redundant security policy.
9. The device according to any one of claims 6 to 8, characterized in that the comparing unit is specifically for comparing, in matching-priority order, each security policy with each security policy whose matching priority is lower than its own, comparing the two normalized data of the same filter object in the two security policies.
10. The device according to any one of claims 6 to 8, characterized in that the normalization unit comprises:
a flattening subunit, for releasing, for each security policy, the nesting relations in filter object data that have nesting relations;
a normalization subunit, for merging the data of each filter object and converting them into the same data type, obtaining normalized data for each filter object such that the normalized data of each filter object contain no identical data.
CN201310704252.8A 2013-12-19 2013-12-19 Security strategy control method and device Active CN104735026B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310704252.8A CN104735026B (en) 2013-12-19 2013-12-19 Security strategy control method and device

Publications (2)

Publication Number Publication Date
CN104735026A CN104735026A (en) 2015-06-24
CN104735026B true CN104735026B (en) 2018-05-18

Family

ID=53458465

Country Status (1)

Country Link
CN (1) CN104735026B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106603524A (en) * 2016-12-09 2017-04-26 浙江宇视科技有限公司 Method for combining safety rules and intelligent device
CN107094143B (en) * 2017-04-28 2020-08-04 杭州迪普科技股份有限公司 Method and device for detecting policy redundancy
CN108768879B (en) * 2018-04-26 2022-04-22 新华三信息安全技术有限公司 Method and device for adjusting policy priority
CN113098883B (en) * 2021-04-13 2021-11-26 四川玖优创信息科技有限公司 Block chain and big data based security protection method and block chain service system
CN114039853B (en) * 2021-11-15 2024-02-09 天融信雄安网络安全技术有限公司 Method and device for detecting security policy, storage medium and electronic equipment
CN114389897B (en) * 2022-03-18 2022-06-10 苏州市卫生计生统计信息中心 IT infrastructure security policy centralized management and control optimization method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6826698B1 (en) * 2000-09-15 2004-11-30 Networks Associates Technology, Inc. System, method and computer program product for rule based network security policies
CN101753369A (en) * 2008-12-03 2010-06-23 北京天融信网络安全技术有限公司 Method and device for detecting firewall rule conflict
CN103259761A (en) * 2012-02-15 2013-08-21 深圳市证通电子股份有限公司 Firewall system based on Android platform and construction method thereof

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Detecting and Resolving Firewall Policy Anomalies; Hongxin Hu et al.; IEEE Transactions on Dependable and Secure Computing; 2012-01-31; full text *
Firewall verification and redundancy checking are equivalent; H. B. Acharya et al.; INFOCOM, 2011 Proceedings IEEE; 2011-04-15; full text *
Lightweight detecting and resolving algorithm for firewall policy conflict; Qi Xiao et al.; Ubiquitous and Future Networks (ICUFN) 2013 Fifth International Conference; 2013-07-05; full text *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant