CN105071991B - Test method for the IP connectivity of multiple firewalls - Google Patents
Test method for the IP connectivity of multiple firewalls
- Publication number
- CN105071991B
- Authority
- CN
- China
- Prior art keywords
- address information
- firewall
- tested
- destination
- source
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0805—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
- H04L43/0811—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking connectivity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Environmental & Geological Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a test method for the IP connectivity of multiple firewalls. The method comprises: parsing the configuration information of the multiple firewalls to obtain routing information, an address information library and rule information, and storing them in a database; obtaining a source IP and a destination IP; and testing each firewall in turn, which involves matching the source IP and the destination IP respectively against the routing information and, when both match the routing information, obtaining first interface information and second interface information and judging whether the two are identical; judging whether first address information and second address information can be found; and judging whether the source address information includes an arbitrary address or the first address information, and whether the destination address information includes an arbitrary address or the second address information. Compared with the prior art, the present invention tests each firewall in turn through a unified query entrance, realises automated IP connectivity testing, and effectively improves working efficiency and accuracy.
Description
Technical field
The present invention relates to the field of network security, and in particular to a test method for the IP (Internet Protocol) connectivity of multiple firewalls.
Background technology
A firewall is a barrier for network security. It sits between a computer and the network the computer is connected to, and all network communication and data packets flowing into and out of the computer must pass through the firewall. A firewall-centred security scheme can greatly improve the security of the internal network, filter out unsafe services and reduce risk.
In practical applications, since firewalls are diverse, determining whether two IPs can communicate through a firewall generally requires an IP connectivity test to be carried out manually on each firewall. Such cumbersome and complicated test operations mean that the working efficiency and accuracy of security personnel cannot reach an ideal level.
Invention content
The technical problem to be solved by the present invention is to overcome the defect in the prior art that, when determining whether two IPs can communicate through a firewall, each firewall has to be tested manually, which results in low working efficiency, and to provide a test method for the IP connectivity of multiple firewalls that is capable of automatic testing and has high testing efficiency.
The present invention solves the above technical problem by the following technical solution:
A test method for the IP connectivity of multiple firewalls, characterised in that it includes the following steps:
S1, parse the configuration information of the multiple firewalls to obtain the routing information, address information library and rule information of each firewall,
wherein, for each firewall, the routing information includes multiple pieces of interface information, the address information library includes several pieces of address information, and the rule information includes multiple pieces of source address information and multiple pieces of destination address information; the multiple pieces of source address information and the multiple pieces of destination address information form a subset of the several pieces of address information;
S2, store the routing information, address information library and rule information of the multiple firewalls in a database;
S3, obtain a source IP and a destination IP;
S4, test each firewall in turn by executing the following steps:
S41, match the source IP and the destination IP respectively against the routing information of the firewall to be tested in the database; when both the source IP and the destination IP match the routing information of the firewall to be tested, obtain first interface information and second interface information, otherwise end the test of the firewall to be tested,
wherein the first interface information is the interface information in the routing information of the firewall to be tested that corresponds to the source IP, and the second interface information is the interface information in the routing information of the firewall to be tested that corresponds to the destination IP;
S42, judge whether the first interface information and the second interface information are identical; if not, execute step S43; if so, end the test of the firewall to be tested;
S43, judge whether first address information and second address information are found in the database; if so, execute step S44; if not, end the test of the firewall to be tested,
wherein the first address information is the address information in the address information library of the firewall to be tested that corresponds to the source IP, and the second address information is the address information in the address information library of the firewall to be tested that corresponds to the destination IP;
S44, judge whether the multiple pieces of source address information in the rule information of the firewall to be tested include an arbitrary address or the first address information, and whether the multiple pieces of destination address information include an arbitrary address or the second address information; if so, the source IP and the destination IP can pass through the firewall to be tested; if not, the source IP and the destination IP cannot pass through the firewall to be tested.
In this solution, the routing information, address information library and rule information of each firewall are obtained by parsing its configuration information, where the source address information and destination address information represent address information that is located on either side of the firewall and can pass through it.
In step S41, if the source IP and the destination IP both match the routing information of the firewall to be tested, the interface information corresponding to the source IP and the interface information corresponding to the destination IP are obtained from the routing information of that firewall. Those skilled in the art will understand that, when an IP matches the routing information of a firewall, the multiple pieces of interface information included in that routing information necessarily contain interface information corresponding to the IP.
In step S42, if the first interface information is identical with the second interface information, the source IP corresponding to the first interface information and the destination IP corresponding to the second interface information are located on the same side of the firewall to be tested, in which case no connectivity test of the firewall to be tested needs to be carried out for the source IP and the destination IP.
In step S43, the address information library of the firewall to be tested does not necessarily contain address information corresponding to the source IP and to the destination IP; when address information corresponding to the source IP and the destination IP cannot be found, the test of the firewall to be tested is ended.
In step S44, "whether the multiple pieces of source address information in the rule information of the firewall to be tested include an arbitrary address" means the following: if an arbitrary address is allowed to pass through the firewall to be tested, i.e. the multiple pieces of source address information include an arbitrary address, then any source IP can pass through the firewall to be tested; similarly, when the multiple pieces of destination address information include an arbitrary address, any destination IP can pass through the firewall to be tested. It is readily understood that "the source IP and the destination IP can pass through the firewall to be tested" means that the source IP and the destination IP can communicate with each other through the firewall to be tested, and "the source IP and the destination IP cannot pass through the firewall to be tested" means that the source IP and the destination IP cannot communicate with each other through the firewall to be tested.
It should be noted that the source IP and the destination IP both matching the routing information of the firewall to be tested in step S41 does not by itself mean that the source IP and the destination IP can pass through the firewall to be tested. The condition for the source IP and the destination IP to pass through the firewall is: on the premise that the source IP and the destination IP both match the routing information of the firewall to be tested, the address information corresponding to the source IP and the destination IP must match a rule of the firewall to be tested. A rule covers two situations: in the first, the source address information and the destination address information of the firewall to be tested may be an arbitrary address; in the second, the source address information of the firewall to be tested includes the address information corresponding to the source IP, and the destination address information of the firewall to be tested includes the address information corresponding to the destination IP.
In this solution, by parsing the configuration files of the multiple firewalls and storing the parsed routing information, address information library and rule information in a database, each firewall is tested in turn through a unified query entrance, namely the database. This realises automated IP connectivity testing and effectively improves the working efficiency and accuracy of the firewall administrator.
Preferably, step S44 is replaced with the following steps:
S441, judge whether the multiple pieces of source address information in the rule information of the firewall to be tested include an arbitrary address, and whether the multiple pieces of destination address information include an arbitrary address; if so, the source IP and the destination IP can pass through the firewall to be tested, and the test of the firewall to be tested is ended; if not, execute step S442;
S442, judge whether the multiple pieces of source address information in the rule information of the firewall to be tested include an arbitrary address, and whether the multiple pieces of destination address information include the second address information; if so, the source IP and the destination IP can pass through the firewall to be tested, and the test of the firewall to be tested is ended; if not, execute step S443;
S443, judge whether the multiple pieces of source address information in the rule information of the firewall to be tested include the first address information, and whether the multiple pieces of destination address information include an arbitrary address; if so, the source IP and the destination IP can pass through the firewall to be tested, and the test of the firewall to be tested is ended; if not, execute step S444;
S444, judge whether the multiple pieces of source address information in the rule information of the firewall to be tested include the first address information, and whether the multiple pieces of destination address information include the second address information; if so, the source IP and the destination IP can pass through the firewall to be tested; if not, the source IP and the destination IP cannot pass through the firewall to be tested.
In this solution, it is first judged whether the multiple pieces of source address information and the multiple pieces of destination address information include an arbitrary address, that is, whether an arbitrary address can pass through the firewall to be tested. When the multiple pieces of source address information and/or the multiple pieces of destination address information include an arbitrary address, there is no need to further judge whether the multiple pieces of source address information include the first address information and/or whether the multiple pieces of destination address information include the second address information.
Preferably, in step S1 the parsing is performed using an xml (Extensible Markup Language) module of the python programming language.
Preferably, in step S41 the matching judgment is carried out using the longest mask match method.
In this solution, the longest mask match method is an existing method for matching routing information and is not described further here.
On the basis of common knowledge in the art, the above preferred conditions can be combined arbitrarily to obtain the preferred embodiments of the present invention.
The positive effect of the present invention is that, compared with the prior art, the present invention parses the configuration files of multiple firewalls, stores the parsed routing information, address information library and rule information in a database, and tests each firewall in turn through a unified query entrance, thereby realising automated IP connectivity testing and effectively improving the working efficiency and accuracy of the firewall administrator.
Description of the drawings
Fig. 1 is a flow chart of the IP connectivity test method of an embodiment of the present invention.
Fig. 2 is a partial flow chart of the IP connectivity test method of an embodiment of the present invention.
Specific implementation mode
The present invention is further illustrated below by way of an embodiment, but the present invention is not thereby limited to the scope of that embodiment.
A test method for the IP connectivity of multiple firewalls, as shown in Fig. 1, includes the following steps:
Step 101, parse the configuration information of the multiple firewalls to obtain the routing information, address information library and rule information of each firewall;
wherein, for each firewall, the routing information includes multiple pieces of interface information, the address information library includes several pieces of address information, and the rule information includes multiple pieces of source address information and multiple pieces of destination address information; the multiple pieces of source address information and the multiple pieces of destination address information form a subset of the several pieces of address information. In this embodiment, the configuration information of the firewalls is parsed using the xml module of the python language.
Step 102, store the routing information, address information library and rule information of the multiple firewalls in a database;
Step 103, obtain a source IP and a destination IP;
Step 104, test each firewall in turn.
As shown in Fig. 2, testing each firewall in turn specifically includes the following steps:
Step 201, match the source IP and the destination IP respectively against the routing information of the firewall to be tested in the database; when both the source IP and the destination IP match the routing information of the firewall to be tested, obtain Interface_1 and Interface_2, otherwise end the test of the firewall to be tested;
wherein Interface_1 is the interface information in the routing information of the firewall to be tested that corresponds to the source IP, and Interface_2 is the interface information in the routing information of the firewall to be tested that corresponds to the destination IP. In this embodiment, the matching judgment is carried out using the longest mask match method.
Step 202, judge whether Interface_1 and Interface_2 are identical; if not, execute step 203; if so, end the test of the firewall to be tested;
Step 203, judge whether Address_1 and Address_2 are found in the database; if so, execute step 204; if not, end the test of the firewall to be tested;
wherein Address_1 is the address information in the address information library of the firewall to be tested that corresponds to the source IP, and Address_2 is the address information in the address information library of the firewall to be tested that corresponds to the destination IP.
Step 204, judge whether the multiple pieces of source address information in the rule information of the firewall to be tested include an arbitrary address, and whether the multiple pieces of destination address information include an arbitrary address; if so, the source IP and the destination IP can pass through the firewall to be tested, and the test of the firewall to be tested is ended; if not, execute step 205;
Step 205, judge whether the multiple pieces of source address information in the rule information of the firewall to be tested include an arbitrary address, and whether the multiple pieces of destination address information include Address_2; if so, the source IP and the destination IP can pass through the firewall to be tested, and the test of the firewall to be tested is ended; if not, execute step 206;
Step 206, judge whether the multiple pieces of source address information in the rule information of the firewall to be tested include Address_1, and whether the multiple pieces of destination address information include an arbitrary address; if so, the source IP and the destination IP can pass through the firewall to be tested, and the test of the firewall to be tested is ended; if not, execute step 207;
Step 207, judge whether the multiple pieces of source address information in the rule information of the firewall to be tested include Address_1, and whether the multiple pieces of destination address information include Address_2; if so, the source IP and the destination IP can pass through the firewall to be tested; if not, the source IP and the destination IP cannot pass through the firewall to be tested.
The test method for the IP connectivity of multiple firewalls in this embodiment tests each firewall in turn by querying a unified database, realises automated IP connectivity testing, effectively improves the working efficiency and accuracy of the firewall administrator, and has a wide range of applications.
Although specific embodiments of the present invention have been described above, those skilled in the art will appreciate that these are merely illustrative, and the scope of protection of the present invention is defined by the appended claims. Those skilled in the art may make many changes and modifications to these embodiments without departing from the principle and substance of the present invention, but such changes and modifications all fall within the scope of protection of the present invention.
Claims (4)
1. A test method for the IP connectivity of multiple firewalls, characterised in that it includes the following steps:
S1, parse the configuration information of the multiple firewalls to obtain the routing information, address information library and rule information of each firewall,
wherein, for each firewall, the routing information includes multiple pieces of interface information, the address information library includes several pieces of address information, and the rule information includes multiple pieces of source address information and multiple pieces of destination address information; the multiple pieces of source address information and the multiple pieces of destination address information form a subset of the several pieces of address information;
S2, store the routing information, address information library and rule information of the multiple firewalls in a database;
S3, obtain a source IP and a destination IP;
S4, test each firewall in turn by executing the following steps:
S41, match the source IP and the destination IP respectively against the routing information of the firewall to be tested in the database; when both the source IP and the destination IP match the routing information of the firewall to be tested, obtain first interface information and second interface information, otherwise end the test of the firewall to be tested,
wherein the first interface information is the interface information in the routing information of the firewall to be tested that corresponds to the source IP, and the second interface information is the interface information in the routing information of the firewall to be tested that corresponds to the destination IP;
S42, judge whether the first interface information and the second interface information are identical; if not, execute step S43; if so, end the test of the firewall to be tested;
S43, judge whether first address information and second address information are found in the database; if so, execute step S44; if not, end the test of the firewall to be tested,
wherein the first address information is the address information in the address information library of the firewall to be tested that corresponds to the source IP, and the second address information is the address information in the address information library of the firewall to be tested that corresponds to the destination IP;
S44, judge whether the multiple pieces of source address information in the rule information of the firewall to be tested include an arbitrary address or the first address information, and whether the multiple pieces of destination address information include an arbitrary address or the second address information; if so, the source IP and the destination IP can pass through the firewall to be tested; if not, the source IP and the destination IP cannot pass through the firewall to be tested.
2. The test method as claimed in claim 1, characterised in that step S44 is replaced with the following steps:
S441, judge whether the multiple pieces of source address information in the rule information of the firewall to be tested include an arbitrary address, and whether the multiple pieces of destination address information include an arbitrary address; if so, the source IP and the destination IP can pass through the firewall to be tested, and the test of the firewall to be tested is ended; if not, execute step S442;
S442, judge whether the multiple pieces of source address information in the rule information of the firewall to be tested include an arbitrary address, and whether the multiple pieces of destination address information include the second address information; if so, the source IP and the destination IP can pass through the firewall to be tested, and the test of the firewall to be tested is ended; if not, execute step S443;
S443, judge whether the multiple pieces of source address information in the rule information of the firewall to be tested include the first address information, and whether the multiple pieces of destination address information include an arbitrary address; if so, the source IP and the destination IP can pass through the firewall to be tested, and the test of the firewall to be tested is ended; if not, execute step S444;
S444, judge whether the multiple pieces of source address information in the rule information of the firewall to be tested include the first address information, and whether the multiple pieces of destination address information include the second address information; if so, the source IP and the destination IP can pass through the firewall to be tested; if not, the source IP and the destination IP cannot pass through the firewall to be tested.
3. The test method as claimed in claim 1 or 2, characterised in that in step S1 the parsing is performed using the xml module of the python language.
4. The test method as claimed in claim 1 or 2, characterised in that in step S41 the matching judgment is carried out using the longest mask match method.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510489927.0A CN105071991B (en) | 2015-08-11 | 2015-08-11 | Test method for the IP connectivity of multiple firewalls |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105071991A CN105071991A (en) | 2015-11-18 |
CN105071991B true CN105071991B (en) | 2018-11-02 |
Family
ID=54501278
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510489927.0A Active CN105071991B (en) | 2015-08-11 | 2015-08-11 | Test method for the IP connectivity of multiple firewalls |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105071991B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9900229B2 (en) * | 2016-01-29 | 2018-02-20 | Microsoft Technology Licensing, Llc | Network-connectivity detection |
CN105978881B (en) * | 2016-05-13 | 2019-05-31 | 上海携程商务有限公司 | The querying method and system for the firewall that ip is passed through address |
CN108494771B (en) * | 2018-03-23 | 2021-04-23 | 平安科技(深圳)有限公司 | Electronic device, firewall opening verification method and storage medium |
CN115065613B (en) * | 2022-06-08 | 2024-01-12 | 北京启明星辰信息安全技术有限公司 | Network connectivity analysis system and analysis method based on firewall configuration |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101707617A (en) * | 2009-12-04 | 2010-05-12 | 福建星网锐捷网络有限公司 | Message filtering method, device and network device |
CN102413012A (en) * | 2011-11-21 | 2012-04-11 | 上海交通大学 | System for automatically analyzing computer network connectivity |
CN103905406A (en) * | 2012-12-28 | 2014-07-02 | 中国移动通信集团公司 | Failed firewall policy detection method and device |
Also Published As
Publication number | Publication date |
---|---|
CN105071991A (en) | 2015-11-18 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C41 | Transfer of patent application or patent right or utility model | ||
TA01 | Transfer of patent application right | | Effective date of registration: 20160301. Address after: 200335 Shanghai city Changning District Admiralty Road No. 968 Building No. 16 10 floor. Applicant after: SHANGHAI XIECHENG BUSINESS CO., LTD. Address before: 200335 Shanghai City, Changning District Fuquan Road No. 99, Ctrip network technology building. Applicant before: Ctrip computer technology (Shanghai) Co., Ltd. |
GR01 | Patent grant | ||