CN105071991B - Method for testing the IP connectivity of multiple firewalls - Google Patents

Info

Publication number
CN105071991B
CN105071991B (application CN201510489927.0A)
Authority
CN
China
Prior art keywords: address information, firewall, under test, destination, source
Prior art date
Legal status: Active
Application number
CN201510489927.0A
Other languages
Chinese (zh)
Other versions: CN105071991A (en)
Inventor
田国华
吴善鹏
楚孝龙
陈宏�
雷兵
Current Assignee: Shanghai Ctrip Business Co Ltd
Original Assignee: Shanghai Ctrip Business Co Ltd
Priority date: 2015-08-11
Filing date: 2015-08-11
Publication date: 2015-11-18 (application CN105071991A), 2018-11-02 (grant CN105071991B)

Classifications

    • H04L 43/0811: Arrangements for monitoring or testing data switching networks; monitoring or testing based on specific metrics by checking availability, by checking connectivity
    • H04L 63/02: Network architectures or network communication protocols for network security, for separating internal from external traffic, e.g. firewalls


Abstract

The invention discloses a method for testing the IP connectivity of multiple firewalls. It comprises: parsing the configuration information of the multiple firewalls to obtain routing information, an address information library and rule information, and storing them in a database; obtaining a source IP and a destination IP; and testing each firewall in turn, in which the source IP and the destination IP are each matched against the routing information, and when both match the routing information at the same time, first interface information and second interface information are obtained and it is judged whether the two are identical; it is then judged whether first address information and second address information are found; and finally it is judged whether the source address information includes the "any" address or the first address information, and whether the destination address information includes the "any" address or the second address information. Compared with the prior art, the present invention tests each firewall in turn through a unified query entry, realises automated IP connectivity testing, and effectively improves working efficiency and accuracy.

Description

Method for testing the IP connectivity of multiple firewalls
Technical field
The present invention relates to the field of network security, and in particular to a method for testing the IP (Internet Protocol) connectivity of multiple firewalls.
Background technology
A firewall is the barrier of network security. It sits between a computer and the network the computer is connected to, and all network communication and data packets flowing in or out must pass through it. A security scheme centred on firewalls can greatly improve the security of an internal network, filter out unsafe services and reduce risk.
In practice, because firewalls are diverse, determining whether two IPs can communicate through the firewalls generally requires a manual IP connectivity test against each firewall. Such cumbersome and complex test operations mean that the working efficiency and accuracy of security staff cannot reach the desired level.
Invention content
The technical problem to be solved by the present invention is to overcome the defect of the prior art that, in order to determine whether two IPs can communicate through the firewalls, each firewall has to be tested manually, resulting in low working efficiency. The invention provides a method for testing the IP connectivity of multiple firewalls that tests automatically and with high test efficiency.
The present invention solves the above technical problem by the following technical solution:
A method for testing the IP connectivity of multiple firewalls, characterised by comprising the following steps:
S1. Parse the configuration information of the multiple firewalls to obtain the routing information, address information library and rule information of each firewall,
wherein, for each firewall, the routing information includes multiple interface entries, the address information library includes several address entries, and the rule information includes multiple source address entries and multiple destination address entries, the multiple source address entries and the multiple destination address entries forming a subset of the several address entries;
S2. Store the routing information, address information library and rule information of the multiple firewalls in a database;
S3. Obtain a source IP and a destination IP;
S4. Test each firewall in turn, performing the following steps:
S41. Match the source IP and the destination IP respectively against the routing information of the firewall under test in the database; when the source IP and the destination IP both match the routing information of the firewall under test, obtain first interface information and second interface information, otherwise end the test of the firewall under test,
wherein the first interface information is the interface entry in the routing information of the firewall under test that corresponds to the source IP, and the second interface information is the interface entry in the routing information of the firewall under test that corresponds to the destination IP;
S42. Judge whether the first interface information and the second interface information are identical; if not, perform step S43; if so, end the test of the firewall under test;
S43. Judge whether first address information and second address information are found in the database; if so, perform step S44; if not, end the test of the firewall under test,
wherein the first address information is the address entry in the address information library of the firewall under test that corresponds to the source IP, and the second address information is the address entry in the address information library of the firewall under test that corresponds to the destination IP;
S44. Judge whether the multiple source address entries in the rule information of the firewall under test include the "any" address or the first address information, and whether the multiple destination address entries include the "any" address or the second address information; if so, the source IP and the destination IP can pass through the firewall under test; if not, the source IP and the destination IP cannot pass through the firewall under test.
In this solution, the routing information, address information library and rule information of each firewall are obtained by parsing its configuration information; the source address information and the destination address information represent address entries located on the two sides of the firewall that may pass through it.
In step S41, if the source IP and the destination IP both match the routing information of the firewall under test, the interface entries corresponding to the source IP and to the destination IP are each obtained from that routing information. Those skilled in the art will understand that when an IP matches the routing information of a firewall, there is necessarily an interface entry corresponding to that IP among the multiple interface entries contained in the routing information.
In step S42, if the first interface information is identical to the second interface information, the source IP corresponding to the first interface information and the destination IP corresponding to the second interface information are located on the same side of the firewall under test, and in that case there is no need to test the connectivity of the source IP and the destination IP through this firewall.
In step S43, the address information library of the firewall under test does not necessarily contain address entries corresponding to the source IP and to the destination IP; when no address entry corresponding to the source IP or the destination IP is found, the test of the firewall under test is ended.
In step S44, whether the multiple source address entries in the rule information of the firewall under test include the "any" address means whether any address is allowed through the firewall under test: when the source address entries include "any", any source IP can pass through the firewall under test, and likewise, when the destination address entries include "any", any destination IP can pass through it. It is readily understood that "the source IP and the destination IP can pass through the firewall under test" means that the source IP and the destination IP can communicate through that firewall, and "cannot pass through" means that they cannot communicate through it.
It should be noted that, in step S41, the source IP and the destination IP both matching the routing information of the firewall under test does not by itself mean that they can pass through the firewall. The condition for the source IP and the destination IP to pass through the firewall is: on the premise that both match the routing information of the firewall under test, the address entries corresponding to the source IP and the destination IP must match a rule of the firewall under test. The rule covers two situations: in the first, the source address information and the destination address information of the firewall under test may both be the "any" address; in the second, the source address information of the firewall under test includes the address entry corresponding to the source IP and the destination address information of the firewall under test includes the address entry corresponding to the destination IP.
In this solution, by parsing the configuration files of the multiple firewalls and storing the parsed routing information, address information library and rule information in a database, each firewall is tested in turn through a unified query entry, namely the database. This realises automated IP connectivity testing and effectively improves the working efficiency and accuracy of firewall administrators.
Preferably, step S44 is replaced by the following steps:
S441. Judge whether the multiple source address entries in the rule information of the firewall under test include the "any" address and whether the multiple destination address entries include the "any" address; if so, the source IP and the destination IP can pass through the firewall under test and the test of the firewall under test is ended; if not, perform step S442;
S442. Judge whether the multiple source address entries in the rule information of the firewall under test include the "any" address and whether the multiple destination address entries include the second address information; if so, the source IP and the destination IP can pass through the firewall under test and the test of the firewall under test is ended; if not, perform step S443;
S443. Judge whether the multiple source address entries in the rule information of the firewall under test include the first address information and whether the multiple destination address entries include the "any" address; if so, the source IP and the destination IP can pass through the firewall under test and the test of the firewall under test is ended; if not, perform step S444;
S444. Judge whether the multiple source address entries in the rule information of the firewall under test include the first address information and whether the multiple destination address entries include the second address information; if so, the source IP and the destination IP can pass through the firewall under test; if not, the source IP and the destination IP cannot pass through the firewall under test.
In this solution, it is first judged whether the multiple source address entries and the multiple destination address entries include the "any" address, which determines whether any address may pass through the firewall under test; when the source address entries and/or the destination address entries include "any", there is no need to go on to judge whether the source address entries include the first address information and/or whether the destination address entries include the second address information.
Preferably, in step S1 the parsing is performed using the xml (Extensible Markup Language) module of the Python programming language.
Preferably, in step S41 the matching is performed by longest-mask matching.
In this solution, longest-mask matching is an existing method for matching routing information and is not described further here.
On the basis of common knowledge in the art, the above preferred conditions can be combined arbitrarily to obtain the preferred embodiments of the present invention.
The positive effect of the present invention is that, compared with the prior art, the present invention parses the configuration files of the multiple firewalls, stores the parsed routing information, address information library and rule information in a database, and tests each firewall in turn through a unified query entry. This realises automated IP connectivity testing and effectively improves the working efficiency and accuracy of firewall administrators.
Description of the drawings
Fig. 1 is a flow chart of the IP connectivity test method of an embodiment of the present invention.
Fig. 2 is a partial flow chart of the IP connectivity test method of an embodiment of the present invention.
Specific implementation mode
The present invention is further illustrated below by way of an embodiment, without thereby limiting the invention to the scope of that embodiment.
A method for testing the IP connectivity of multiple firewalls, as shown in Fig. 1, comprises the following steps:
Step 101: parse the configuration information of the multiple firewalls to obtain the routing information, address information library and rule information of each firewall;
wherein, for each firewall, the routing information includes multiple interface entries, the address information library includes several address entries, and the rule information includes multiple source address entries and multiple destination address entries, the multiple source address entries and the multiple destination address entries forming a subset of the several address entries. In this embodiment, the configuration information of the firewalls is parsed using the xml module of the Python language.
Step 102: store the routing information, address information library and rule information of the multiple firewalls in a database;
Step 103: obtain a source IP and a destination IP;
Step 104: test each firewall in turn.
As shown in Fig. 2, the step of testing each firewall in turn specifically comprises:
Step 201: match the source IP and the destination IP respectively against the routing information of the firewall under test in the database; when the source IP and the destination IP both match the routing information of the firewall under test, obtain Interface_1 and Interface_2, otherwise end the test of the firewall under test;
wherein Interface_1 is the interface entry in the routing information of the firewall under test that corresponds to the source IP, and Interface_2 is the interface entry in the routing information of the firewall under test that corresponds to the destination IP. In this embodiment, the matching is performed by longest-mask matching.
Step 202: judge whether Interface_1 and Interface_2 are identical; if not, perform step 203; if so, end the test of the firewall under test;
Step 203: judge whether Address_1 and Address_2 are found in the database; if so, perform step 204; if not, end the test of the firewall under test;
wherein Address_1 is the address entry in the address information library of the firewall under test that corresponds to the source IP, and Address_2 is the address entry in the address information library of the firewall under test that corresponds to the destination IP.
Step 204: judge whether the multiple source address entries in the rule information of the firewall under test include the "any" address and whether the multiple destination address entries include the "any" address; if so, the source IP and the destination IP can pass through the firewall under test and the test of the firewall under test is ended; if not, perform step 205;
Step 205: judge whether the multiple source address entries in the rule information of the firewall under test include the "any" address and whether the multiple destination address entries include Address_2; if so, the source IP and the destination IP can pass through the firewall under test and the test of the firewall under test is ended; if not, perform step 206;
Step 206: judge whether the multiple source address entries in the rule information of the firewall under test include Address_1 and whether the multiple destination address entries include the "any" address; if so, the source IP and the destination IP can pass through the firewall under test and the test of the firewall under test is ended; if not, perform step 207;
Step 207: judge whether the multiple source address entries in the rule information of the firewall under test include Address_1 and whether the multiple destination address entries include Address_2; if so, the source IP and the destination IP can pass through the firewall under test; if not, the source IP and the destination IP cannot pass through the firewall under test.
The method for testing the IP connectivity of multiple firewalls in this embodiment tests each firewall in turn by querying a unified database, realises automated IP connectivity testing, effectively improves the working efficiency and accuracy of firewall administrators, and has broad application prospects.
Although specific embodiments of the present invention have been described above, those skilled in the art will appreciate that these are merely illustrative and that the scope of protection of the present invention is defined by the appended claims. Those skilled in the art may make many changes and modifications without departing from the principle and substance of the present invention, and such changes and modifications all fall within the scope of protection of the present invention.

Claims (4)

1. A method for testing the IP connectivity of multiple firewalls, characterised by comprising the following steps:
S1. Parse the configuration information of the multiple firewalls to obtain the routing information, address information library and rule information of each firewall,
wherein, for each firewall, the routing information includes multiple interface entries, the address information library includes several address entries, and the rule information includes multiple source address entries and multiple destination address entries, the multiple source address entries and the multiple destination address entries forming a subset of the several address entries;
S2. Store the routing information, address information library and rule information of the multiple firewalls in a database;
S3. Obtain a source IP and a destination IP;
S4. Test each firewall in turn, performing the following steps:
S41. Match the source IP and the destination IP respectively against the routing information of the firewall under test in the database; when the source IP and the destination IP both match the routing information of the firewall under test, obtain first interface information and second interface information, otherwise end the test of the firewall under test,
wherein the first interface information is the interface entry in the routing information of the firewall under test that corresponds to the source IP, and the second interface information is the interface entry in the routing information of the firewall under test that corresponds to the destination IP;
S42. Judge whether the first interface information and the second interface information are identical; if not, perform step S43; if so, end the test of the firewall under test;
S43. Judge whether first address information and second address information are found in the database; if so, perform step S44; if not, end the test of the firewall under test,
wherein the first address information is the address entry in the address information library of the firewall under test that corresponds to the source IP, and the second address information is the address entry in the address information library of the firewall under test that corresponds to the destination IP;
S44. Judge whether the multiple source address entries in the rule information of the firewall under test include the "any" address or the first address information, and whether the multiple destination address entries include the "any" address or the second address information; if so, the source IP and the destination IP can pass through the firewall under test; if not, the source IP and the destination IP cannot pass through the firewall under test.
2. The test method of claim 1, characterised in that step S44 is replaced by the following steps:
S441. Judge whether the multiple source address entries in the rule information of the firewall under test include the "any" address and whether the multiple destination address entries include the "any" address; if so, the source IP and the destination IP can pass through the firewall under test and the test of the firewall under test is ended; if not, perform step S442;
S442. Judge whether the multiple source address entries in the rule information of the firewall under test include the "any" address and whether the multiple destination address entries include the second address information; if so, the source IP and the destination IP can pass through the firewall under test and the test of the firewall under test is ended; if not, perform step S443;
S443. Judge whether the multiple source address entries in the rule information of the firewall under test include the first address information and whether the multiple destination address entries include the "any" address; if so, the source IP and the destination IP can pass through the firewall under test and the test of the firewall under test is ended; if not, perform step S444;
S444. Judge whether the multiple source address entries in the rule information of the firewall under test include the first address information and whether the multiple destination address entries include the second address information; if so, the source IP and the destination IP can pass through the firewall under test; if not, the source IP and the destination IP cannot pass through the firewall under test.
3. The test method of claim 1 or 2, characterised in that in step S1 the parsing is performed using the xml module of the Python language.
4. The test method of claim 1 or 2, characterised in that in step S41 the matching is performed by longest-mask matching.
Priority application: CN201510489927.0A, priority date 2015-08-11, filing date 2015-08-11, "Method for testing the IP connectivity of multiple firewalls", status Active, granted as CN105071991B (en).

Publications (2)

CN105071991A (en), published 2015-11-18
CN105071991B (en), granted 2018-11-02

Family

Family ID: 54501278
Family application: CN201510489927.0A (CN105071991B, Active), priority and filing date 2015-08-11
Country status: CN, CN105071991B (en)

Cited by (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US9900229B2 (en) * 2016-01-29 2018-02-20 Microsoft Technology Licensing, Llc Network-connectivity detection
CN105978881B (en) * 2016-05-13 2019-05-31 上海携程商务有限公司 Method and system for querying the firewall addresses an IP passes through
CN108494771B (en) * 2018-03-23 2021-04-23 平安科技(深圳)有限公司 Electronic device, firewall opening verification method and storage medium
CN115065613B (en) * 2022-06-08 2024-01-12 北京启明星辰信息安全技术有限公司 Network connectivity analysis system and analysis method based on firewall configuration

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101707617A (en) * 2009-12-04 2010-05-12 福建星网锐捷网络有限公司 Message filtering method, device and network device
CN102413012A (en) * 2011-11-21 2012-04-11 上海交通大学 System for automatically analyzing computer network connectivity
CN103905406A (en) * 2012-12-28 2014-07-02 中国移动通信集团公司 Failed firewall policy detection method and device


Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination
C41 / TA01: Transfer of patent application right, effective date of registration 20160301
    Applicant before: Ctrip computer technology (Shanghai) Co., Ltd., 200335 Shanghai City, Changning District, Fuquan Road No. 99, Ctrip network technology building
    Applicant after: SHANGHAI XIECHENG BUSINESS CO., LTD., 200335 Shanghai, Changning District, Admiralty Road No. 968, Building No. 16, 10th floor
GR01: Patent grant