CN105704093B - Firewall access control policy error-checking method, apparatus and system - Google Patents
- Publication number: CN105704093B (application CN201410690385.9A, published as CN201410690385A)
- Authority: CN (China)
- Prior art keywords: firewall, policy, access control, action
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Abstract
The invention discloses a firewall access control policy error-checking method, apparatus and system. The firewall access control policy sent by a collection terminal is received, the policy comprising at least one firewall rule. The access control policy of the X-th firewall is obtained and the policy-anomaly weight of the X-th firewall itself is determined. The access control policies of the firewalls adjacent to the X-th firewall are obtained and, from the rules of the X-th firewall and the rules of the adjacent firewalls, the inter-firewall policy-anomaly weight is determined. From the X-th firewall's own policy-anomaly weight and the inter-firewall policy-anomaly weight, the degree of anomaly of the X-th firewall's access control policy is determined for error checking. This technical solution effectively improves the analysis efficiency of firewall access control policies and points out to the administrator the firewall device that should be resolved first.
Description
Technical field
The present invention relates to the field of internet information processing technology, and in particular to a firewall access control policy error-checking method, apparatus and system.
Background technology
The networks of telecom operators are huge. To better protect the data on the various devices, devices of different security levels are usually divided into different security domains and sub-domains, and firewalls are deployed between security domains and sub-domains to isolate them and control access between them. This forms a multi-level distributed firewall architecture.
A multi-level distributed firewall architecture greatly increases the workload and difficulty of configuring enterprise security policy. As the company's business grows, the corporate network keeps expanding and the business keeps changing, leading to more firewall devices and to continual modification of firewall access control policies. When managing multiple firewalls, administrators make mistakes in firewall rules more and more easily, and erroneous or contradictory rule configurations appear between different firewalls.
In summary, in the prior art, as network size and the number of network interfaces keep growing, the access rules in firewalls keep increasing. Checking them would require building multiple tiers of processing servers, or modifying the access control lists of the related network devices so that the firewall devices to be checked can be reached remotely over the wired network, which is very difficult to implement.
Invention content
Embodiments of the present invention provide a firewall access control policy error-checking method and apparatus, which can effectively improve the analysis efficiency of firewall access control policies and point out to the administrator the firewall device that should be resolved first.
An embodiment of the present invention provides a firewall access control policy error-checking method, comprising:
receiving the firewall access control policy sent by the collection terminal, the firewall access control policy comprising at least one firewall rule;
obtaining the access control policy of the X-th firewall and determining the policy-anomaly weight of the X-th firewall itself;
obtaining the access control policies of the firewalls adjacent to the X-th firewall and, from the rules of the X-th firewall and the rules of the adjacent firewalls, determining the inter-firewall policy-anomaly weight, where an adjacent firewall is a firewall that has a direct parent-child relationship with the X-th firewall;
determining, from the X-th firewall's own policy-anomaly weight and the inter-firewall policy-anomaly weight, the degree of anomaly of the X-th firewall's access control policy, for error checking.
Preferably, determining the policy-anomaly weight of the X-th firewall itself comprises:
determining the policy-anomaly weight of the X-th firewall itself according to the following equation:
where W_X is the policy-anomaly weight of the X-th firewall itself, M_i is the degree of anomaly of the i-th rule in the X-th firewall's access control policy, and N_X is the total number of rules in the X-th firewall's access control policy.
Preferably, the degree of anomaly of the i-th rule in the X-th firewall's access control policy is determined according to the following equation:
where M_i is the degree of anomaly of the i-th rule in the X-th firewall's access control policy, N_X is the total number of rules in the X-th firewall's access control policy, and W_ir is the anomaly-degree weight between the i-th rule and the r-th of the other N_X - 1 rules in the X-th firewall's access control policy.
Preferably, the anomaly-degree weight between the i-th rule and each of the other N_X - 1 rules in the X-th firewall's access control policy is one of the following:
if …, RA[order] < RB[order] and RA[action] ≠ RB[action], the anomaly-degree weight between the A-th rule and the B-th rule in the X-th firewall's access control policy is determined to be W1; or
if …, RA[order] < RB[order] and RA[action] = RB[action], the anomaly-degree weight between the A-th rule and the B-th rule in the X-th firewall's access control policy is determined to be W2; or
if … and RA[action] ≠ RB[action], the anomaly-degree weight between the A-th rule and the B-th rule in the X-th firewall's access control policy is determined to be W3; or
if … and RA[action] = RB[action], the anomaly-degree weight between the A-th rule and the B-th rule in the X-th firewall's access control policy is determined to be W4;
where R[order] is the rule number of a rule in the firewall access control policy, R[action] is the action part of a rule in the firewall access control policy, and {R[filter]} is the cartesian product of all sub-items of the filter domain of rule R in the firewall access control policy.
Preferably, determining the inter-firewall policy-anomaly weight of the X-th firewall comprises:
determining the inter-firewall policy-anomaly weight of the X-th firewall according to the following equation:
where W'_X is the inter-firewall policy-anomaly weight of the X-th firewall, M'_Xi is the degree of anomaly between the i-th rule in the X-th firewall's access control policy and all rules in the access control policy of the Y-th firewall adjacent to the X-th firewall, and N_X is the total number of rules in the X-th firewall's access control policy.
Preferably, the degree of anomaly between the i-th rule in the X-th firewall's access control policy and all rules in the access control policy of the Y-th firewall adjacent to the X-th firewall is determined according to the following equation:
where M'_Xi is the degree of anomaly between the i-th rule in the X-th firewall's access control policy and all rules in the access control policy of the adjacent Y-th firewall, N_Y is the total number of rules in the access control policy of the Y-th firewall adjacent to the X-th firewall, and W'_ir is the anomaly-degree weight between the i-th rule in the X-th firewall's access control policy and the r-th rule in the access control policy of the adjacent Y-th firewall.
Preferably, the anomaly-degree weight between the i-th rule in the X-th firewall's access control policy and any one rule in the access control policy of the adjacent Y-th firewall is one of the following:
if Fx, Fy ∈ Domain1, Fy is the parent of Fx, FxRA[filter] = FyRB[filter] and FxRA[action] ≠ FyRB[action], then rule RA of firewall Fx is covered (shadowed) by rule RB of Fy, and the anomaly-degree weight between the A-th rule in the X-th firewall's access control policy and the B-th rule in the access control policy of the adjacent Y-th firewall is determined to be W1; or
if Fx, Fy ∈ Domain1, Fy is the parent of Fx, … and FxRA[action] ≠ FyRB[action], then rule RA of firewall Fx is covered by rule RB of Fy, and the anomaly-degree weight between the A-th rule in the X-th firewall's access control policy and the B-th rule in the access control policy of the adjacent Y-th firewall is determined to be W1; or
if Fx, Fy ∈ Domain1, Fy is the parent of Fx, FxRA[filter] = FyRB[filter] and FxRA[action] = FyRB[action], then rule RA of firewall Fx and rule RB of Fy are redundant, and the anomaly-degree weight between the A-th rule in the X-th firewall's access control policy and the B-th rule in the access control policy of the adjacent Y-th firewall is determined to be W2; or
if Fx, Fy ∈ Domain1, Fy is the parent of Fx, … and FxRA[action] = FyRB[action], then rule RA of firewall Fx and rule RB of Fy are redundant, and the anomaly-degree weight between the A-th rule in the X-th firewall's access control policy and the B-th rule in the access control policy of the adjacent Y-th firewall is determined to be W2; or
if Fx, Fy ∈ Domain1, Fy is the parent of Fx, … and FxRA[action] ≠ FyRB[action], then FxRA is said to be irregularly associated with FyRB, and the anomaly-degree weight between the A-th rule in the X-th firewall's access control policy and the B-th rule in the access control policy of the adjacent Y-th firewall is determined to be W3;
where R[filter] is the filter part of the i-th rule in the firewall access control policy and R[action] is the action part of the i-th rule in the firewall access control policy.
An embodiment of the present invention provides a firewall access control policy error-checking apparatus, comprising:
a receiving unit, for receiving the firewall access control policy sent by the collection terminal, the firewall access control policy comprising at least one firewall rule;
a first determination unit, for obtaining the access control policy of the X-th firewall and determining the policy-anomaly weight of the X-th firewall itself;
a second determination unit, for obtaining the access control policies of the firewalls adjacent to the X-th firewall and, from the access control policy of the X-th firewall and those of the adjacent firewalls, determining the inter-firewall policy-anomaly weight, where an adjacent firewall is a firewall that has a direct parent-child relationship with the X-th firewall;
an error-checking unit, for determining, from the X-th firewall's own policy-anomaly weight and the inter-firewall policy-anomaly weight, the degree of anomaly of the X-th firewall's access control policy, for error checking.
Preferably, the first determination unit is specifically configured to:
determine the policy-anomaly weight of the X-th firewall itself according to the following equation:
where W_X is the policy-anomaly weight of the X-th firewall itself, M_i is the degree of anomaly of the i-th rule in the X-th firewall's access control policy, and N_X is the total number of rules in the X-th firewall's access control policy.
Preferably, the first determination unit is further configured to:
determine the degree of anomaly of each rule in the firewall access control policy according to the following equation:
where M_i is the degree of anomaly of the i-th rule in the X-th firewall's access control policy, N_X is the total number of rules in the X-th firewall's access control policy, and W_ir is the anomaly-degree weight between the i-th rule and the r-th of the other N_X - 1 rules in the X-th firewall's access control policy.
Preferably, the first determination unit is further configured to:
if …, RA[order] < RB[order] and RA[action] ≠ RB[action], determine the anomaly-degree weight between the A-th rule and the B-th rule in the X-th firewall's access control policy to be W1; or
if …, RA[order] < RB[order] and RA[action] = RB[action], determine the anomaly-degree weight between the A-th rule and the B-th rule in the X-th firewall's access control policy to be W2; or
if … and RA[action] ≠ RB[action], determine the anomaly-degree weight between the A-th rule and the B-th rule in the X-th firewall's access control policy to be W3; or
if … and RA[action] = RB[action], determine the anomaly-degree weight between the A-th rule and the B-th rule in the X-th firewall's access control policy to be W4;
where R[order] is the rule number of a rule in the firewall access control policy, R[action] is the action part of a rule in the firewall access control policy, and {R[filter]} is the cartesian product of all sub-items of the filter domain of rule R in the firewall access control policy.
Preferably, the second determination unit is specifically configured to:
determine the inter-firewall policy-anomaly weight of the X-th firewall according to the following equation:
where W'_X is the inter-firewall policy-anomaly weight of the X-th firewall, M'_Xi is the degree of anomaly between the i-th rule in the X-th firewall's access control policy and all rules in the access control policy of the Y-th firewall adjacent to the X-th firewall, and N_X is the total number of rules in the X-th firewall's access control policy.
Preferably, the second determination unit is further configured to:
determine the degree of anomaly between any one rule in the X-th firewall's access control policy and all rules in the access control policy of the Y-th firewall adjacent to the X-th firewall according to the following equation:
where M'_Xi is the degree of anomaly between the i-th rule in the X-th firewall's access control policy and all rules in the access control policy of the adjacent Y-th firewall, N_Y is the total number of rules in the access control policy of the Y-th firewall adjacent to the X-th firewall, and W'_ir is the anomaly-degree weight between the i-th rule in the X-th firewall's access control policy and the r-th rule in the access control policy of the adjacent Y-th firewall.
Preferably, the second determination unit is further configured to:
if Fx, Fy ∈ Domain1, Fy is the superior firewall adjacent to Fx, FxRA[filter] = FyRB[filter] and FxRA[action] ≠ FyRB[action], then rule RA of firewall Fx is covered (shadowed) by rule RB of Fy, and the anomaly-degree weight between the A-th rule in the X-th firewall's access control policy and the B-th rule in the access control policy of the adjacent Y-th firewall is determined to be W1; or
if Fx, Fy ∈ Domain1, Fy is the superior firewall adjacent to Fx, … and FxRA[action] ≠ FyRB[action], then rule RA of firewall Fx is covered by rule RB of Fy, and the anomaly-degree weight between the A-th rule in the X-th firewall's access control policy and the B-th rule in the access control policy of the adjacent Y-th firewall is determined to be W1; or
if Fx, Fy ∈ Domain1, Fy is the superior firewall adjacent to Fx, FxRA[filter] = FyRB[filter] and FxRA[action] = FyRB[action], then rule RA of firewall Fx and rule RB of Fy are redundant, and the anomaly-degree weight between the A-th rule in the X-th firewall's access control policy and the B-th rule in the access control policy of the adjacent Y-th firewall is determined to be W2; or
if Fx, Fy ∈ Domain1, Fy is the superior firewall adjacent to Fx, … and FxRA[action] = FyRB[action], then rule RA of firewall Fx and rule RB of Fy are redundant, and the anomaly-degree weight between the A-th rule in the X-th firewall's access control policy and the B-th rule in the access control policy of the adjacent Y-th firewall is determined to be W2; or
if Fx, Fy ∈ Domain1, Fy is the superior firewall adjacent to Fx, … and FxRA[action] ≠ FyRB[action], then FxRA is said to be irregularly associated with FyRB, and the anomaly-degree weight between the A-th rule in the X-th firewall's access control policy and the B-th rule in the access control policy of the adjacent Y-th firewall is determined to be W3;
where R[filter] is the filter part of a rule in the firewall access control policy and R[action] is the action part of a rule in the firewall access control policy.
An embodiment of the present invention provides a firewall access control policy error-checking system, comprising: a central processing server;
a collection terminal, for collecting firewall access control policies, obtaining the access control policy of the X-th firewall and the access control policies of the firewalls adjacent to the X-th firewall, and sending them to the central processing server; and
an access control policy baseline database, for providing the central processing server with the algorithm for a firewall's own policy-anomaly weight and the algorithm for the inter-firewall policy-anomaly weight, and for storing the X-th firewall's own policy-anomaly weight and the inter-firewall policy-anomaly weight of the X-th firewall as determined by the central processing server.
In embodiments of the present invention, the firewall access control policy sent by the collection terminal is received, the policy comprising at least one firewall rule; the access control policy of the X-th firewall is obtained and the policy-anomaly weight of the X-th firewall itself is determined; the access control policies of the firewalls adjacent to the X-th firewall are obtained and, from the rules of the X-th firewall and the rules of the adjacent firewalls, the inter-firewall policy-anomaly weight is determined, an adjacent firewall being a firewall that has a direct parent-child relationship with the X-th firewall; and from the X-th firewall's own policy-anomaly weight and the inter-firewall policy-anomaly weight, the degree of anomaly of the X-th firewall's access control policy is determined for error checking. With this method, the weight of a single firewall can be determined from its own policy-anomaly weight, the inter-firewall policy-anomaly weight can be determined from the anomalies between firewalls, and from the anomalies indicated by the determined own and inter-firewall policy-anomaly weights the firewall device whose problems should be resolved first can be pointed out to the administrator in time.
Description of the drawings
Fig. 1 is a schematic diagram of the firewall access control policy error-checking system provided by embodiment one of the present invention;
Fig. 2 is a schematic diagram of the firewall access control policy error-checking method provided by embodiment two of the present invention;
Fig. 3 is a schematic diagram of the interaction between the collection terminal and the firewall device provided in an embodiment of the present invention;
Fig. 4 is a schematic diagram of the interaction between the collection terminal and the central processing server provided in an embodiment of the present invention;
Fig. 5 is a schematic diagram of the interaction between the central processing server and the access control policy baseline database provided in an embodiment of the present invention;
Fig. 6 is a schematic diagram of the related information of a firewall device provided in an embodiment of the present invention;
Fig. 7 is a schematic diagram of the tree structure formed by multiple firewall devices in the same network provided in an embodiment of the present invention;
Fig. 8 is a schematic diagram of the method for determining a firewall's own policy-anomaly weight provided in an embodiment of the present invention;
Fig. 9 is a schematic diagram of the method for determining the policy-anomaly weight between a firewall and its adjacent firewalls provided in an embodiment of the present invention;
Fig. 10 is a schematic diagram of the central processing server sending the error-checking result to the e-mail server provided in an embodiment of the present invention;
Fig. 11 is a schematic diagram of the firewall access control policy error-checking apparatus provided by embodiment three of the present invention.
Specific embodiment
In embodiments of the present invention, the firewall access control policy sent by the collection terminal is received, the policy comprising at least one firewall rule; the access control policy of the X-th firewall is obtained and the policy-anomaly weight of the X-th firewall itself is determined; the access control policies of the firewalls adjacent to the X-th firewall are obtained and, from the rules of the X-th firewall and the rules of the adjacent firewalls, the inter-firewall policy-anomaly weight is determined, an adjacent firewall being a firewall that has a direct parent-child relationship with the X-th firewall; and the X-th firewall's own policy-anomaly weight and the inter-firewall policy-anomaly weight are determined for error checking. The X-th firewall's access control policy comprises i (i > 1) firewall rules. With this method, the weight of a single firewall can be determined from its own policy-anomaly weight, the inter-firewall policy-anomaly weight can be determined from the anomalies between firewalls, and from the anomalies indicated by the determined own and inter-firewall policy-anomaly weights the firewall device whose problems should be resolved first can be pointed out to the administrator in time.
In order to make the technical problem solved by the present invention, its technical solution and its advantageous effects clearer, preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described here only serve to describe and explain the present invention and are not intended to limit it, and that, in the absence of conflict, the embodiments of the present invention and the features in the embodiments can be combined with each other.
Embodiment one
The firewall access control policy error-checking system of embodiment one of the present invention, as shown in Fig. 1, mainly comprises a collection terminal, a central processing server, an access control policy baseline database and an e-mail server.
The collection terminal device is mainly a computer, chiefly a notebook computer, which needs to have a management port and a 3G (3rd Generation) / 4G (4th Generation) mobile communication internet access card.
The collection terminal comprises a collection adaptation interface, an authentication module, a device data collection module, a device information editing module, a data encryption module, a data transmission module and a mobile network interface. Its main functions are: collecting the access control policies of the distributed firewalls, editing the firewall device identifier, marking the associated security domain information and the adjacent firewall information, structuring the device information, encrypting the firewall device data, connecting to the 3G/4G mobile internet, and uploading the data to the central processing server.
The central processing server comprises an authentication module, a decryption module, a computing module, a storage module, an alarm notification module and a database interface. Its main functions are: decrypting the collected firewall access control policy data, classifying the firewall device information and access control policies and storing them in the database, and checking the firewall control policies.
The main functions of the access control policy baseline database are storing the access control policy checking rules, the access control policy checking algorithms, the firewall device identification information, the security domain level information, the firewall rule data and the device administrator authentication information.
In this embodiment, for the firewall access control policies in a large network with multi-level security domains, a firewall access control policy error-checking system is constructed. The system is a centralized security policy error-checking framework based on high-speed mobile networks (3G/4G). The adaptive collection terminal connects directly to the firewall device, encrypts the collected firewall information, and uploads the encrypted data to the central processing server over the 3G or 4G mobile network. The central processing server distinguishes the security domain relationships in which the different firewalls sit, automatically builds the firewall relation tree, performs the per-firewall policy-anomaly weight calculation and the inter-firewall policy-anomaly weight calculation, sends the results to the administrator in time, and points out to the administrator the firewall device that should be resolved first.
Embodiment two
As shown in Fig. 2, embodiment two of the present invention provides a firewall access control policy error-checking method, comprising the following steps:
Step 101: receive the firewall access control policy sent by the collection terminal, the firewall access control policy comprising at least one firewall rule;
Step 102: obtain the access control policy of the X-th firewall and determine the policy-anomaly weight of the X-th firewall itself;
Step 103: obtain the access control policies of the firewalls adjacent to the X-th firewall and, from the rules of the X-th firewall and the rules of the adjacent firewalls, determine the inter-firewall policy-anomaly weight, where an adjacent firewall is a firewall that has a direct parent-child relationship with the X-th firewall;
Step 104: from the X-th firewall's own policy-anomaly weight and the inter-firewall policy-anomaly weight, determine the degree of anomaly of the X-th firewall's access control policy for error checking.
In step 101, the firewall access control policy sent by the collection terminal is received.
In this embodiment, the collection terminal is connected to the firewall device through the management port of the firewall device, as shown in Fig. 3.
After the connection between the firewall device and the collection terminal has been established through the management port, the collection adaptation interface of the collection terminal automatically identifies the firewall device model and performs a matching connection. It then triggers the authentication service in the authentication module of the collection terminal, and the account of the firewall device is entered into the collection terminal. If the authentication module accepts the entered firewall device account, the collection terminal automatically collects the firewall's identity code and obtains the firewall access control policy through the device data collection module; in this embodiment, the firewall access control policy comprises at least one firewall rule.
If the authentication module does not accept the entered firewall device account, it returns to the account entry interface.
After the device data collection module of the collection terminal has collected the data, the identity code and access control policy information of the collected firewall device are edited. In this embodiment, the device information editing module of the collection terminal is responsible for editing the information collected by the device data collection module: the identity code and access control policy information of the firewall device collected by the collection module are entered into the information editing module, which mainly obtains the basic information of the firewall device: home location information, device model and number of ports.
Further, if the firewall device has adjacent superior security domains, the identifier of each adjacent superior security domain, the port IP (Internet Protocol) address of the perimeter firewall of each adjacent superior security domain, and the IP address of the port that accesses each adjacent superior security domain are entered into the information editing module. If the firewall device has adjacent subordinate security domains, the identifier of each adjacent subordinate security domain and the IP address of the port that accesses each adjacent subordinate security domain are entered into the information editing module.
Further, if there is no adjacent superior security domain, no adjacent superior security domain information is entered into the information editing module; if there is no adjacent subordinate security domain, no adjacent subordinate security domain information is entered. In this embodiment, a firewall device may have several adjacent superior security domains or none, and correspondingly may have several adjacent subordinate security domains or none; the embodiment does not limit the number of adjacent superior security domains of a firewall device, nor the number of its adjacent subordinate security domains.
Further, this embodiment may structure the entered information of the firewall device using Extensible Markup Language (XML).
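As an added example (not the patent's code), the following Python shows one way the entered device information could be structured in XML at the collection terminal and turned into the firewall relation tree at the central processing server, the tree from which the "adjacent firewall" (direct parent-child) relation used throughout the method is read. The element and attribute names, the rule that a superior security domain is resolved to the firewall that reports that domain as its own, and the cross-check of both sides' port IP addresses are assumptions; the records, device identifiers and addresses are constructed.

```python
"""Collection-terminal XML record and server-side firewall relation tree
(added example, not the patent's code).  Element and attribute names are
ASSUMED: the page only says the entered information is structured with XML."""
import xml.etree.ElementTree as ET


def record_to_xml(rec):
    """Collection terminal side: serialise one edited firewall record."""
    fw = ET.Element("firewall", id=rec["id"], model=rec["model"], ports=str(rec["ports"]))
    ET.SubElement(fw, "location").text = rec["location"]
    ET.SubElement(fw, "domain", id=rec["domain"])        # security domain this firewall guards
    for s in rec.get("superiors", []):                    # adjacent superior security domains
        ET.SubElement(fw, "superior", domain=s["domain"],
                      peer_ip=s["peer_ip"], local_ip=s["local_ip"])
    for s in rec.get("subordinates", []):                 # adjacent subordinate security domains
        ET.SubElement(fw, "subordinate", domain=s["domain"], local_ip=s["local_ip"])
    return ET.tostring(fw, encoding="unicode")


def parse_record(xml_text):
    """Central processing server side: parse one decrypted record back into a dict."""
    fw = ET.fromstring(xml_text)
    return {
        "id": fw.get("id"), "model": fw.get("model"), "ports": int(fw.get("ports")),
        "location": fw.findtext("location"), "domain": fw.find("domain").get("id"),
        "superiors": [dict(e.attrib) for e in fw.findall("superior")],
        "subordinates": [dict(e.attrib) for e in fw.findall("subordinate")],
    }


def build_tree(records):
    """Derive the direct parent/child relations between firewalls.
    ASSUMED resolution rule: a superior domain maps to the firewall that reports that
    domain as its own; the link is accepted only if the parent lists the child's domain
    as a subordinate on a port whose IP matches the peer IP the child recorded."""
    by_domain = {r["domain"]: r["id"] for r in records}
    by_id = {r["id"]: r for r in records}
    parents = {r["id"]: [] for r in records}
    children = {r["id"]: [] for r in records}
    problems = []
    for r in records:
        for s in r.get("superiors", []):
            parent = by_domain.get(s["domain"])
            if parent is None:
                problems.append(f'{r["id"]}: superior domain {s["domain"]} has no collected firewall')
                continue
            link = [t for t in by_id[parent].get("subordinates", []) if t["domain"] == r["domain"]]
            if not link or link[0]["local_ip"] != s["peer_ip"]:
                problems.append(f'{r["id"]}: link to {parent} not confirmed by the parent record')
                continue
            parents[r["id"]].append(parent)
            children[parent].append(r["id"])
    return parents, children, problems


def adjacent(fw_id, parents, children):
    """Firewalls in a direct parent-child relation with fw_id (the page's 'adjacent firewalls')."""
    return sorted(set(parents.get(fw_id, [])) | set(children.get(fw_id, [])))


# Constructed sample records: D1 is the top-level domain; FW-OSS-01 records a peer IP
# that does not match the port on FW-CORE-01, so that link is reported, not accepted.
RECORDS = [
    {"id": "FW-CORE-01", "model": "ModelA", "ports": 8, "location": "DC-1", "domain": "D1",
     "subordinates": [{"domain": "D2", "local_ip": "10.0.1.1"}, {"domain": "D3", "local_ip": "10.0.2.1"}]},
    {"id": "FW-DMZ-01", "model": "ModelB", "ports": 4, "location": "DC-1", "domain": "D2",
     "superiors": [{"domain": "D1", "peer_ip": "10.0.1.1", "local_ip": "10.0.1.2"}],
     "subordinates": [{"domain": "D4", "local_ip": "10.0.3.1"}]},
    {"id": "FW-OSS-01", "model": "ModelB", "ports": 4, "location": "DC-2", "domain": "D3",
     "superiors": [{"domain": "D1", "peer_ip": "10.0.2.9", "local_ip": "10.0.2.2"}]},
    {"id": "FW-APP-01", "model": "ModelC", "ports": 2, "location": "DC-1", "domain": "D4",
     "superiors": [{"domain": "D2", "peer_ip": "10.0.3.1", "local_ip": "10.0.3.2"}]},
]


def demo():
    """Round-trip the sample records through XML and build the tree as the server would."""
    wire = [record_to_xml(r) for r in RECORDS]      # what the terminal would encrypt and upload
    return build_tree([parse_record(x) for x in wire])


if __name__ == "__main__":
    parents, children, problems = demo()
    print("parents:", parents)
    print("problems:", problems)
```

Requiring both records to agree on the link before accepting it means a typo entered at one terminal produces a reported problem rather than a silently wrong tree, which matters because the inter-firewall weight is computed only against the firewalls the tree marks as adjacent.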
After the device information editing module of the collection terminal has completed the entry of information, to ensure the security of the firewall device information, the data encryption module of the collection terminal needs to encrypt the entered information. In this embodiment, an asymmetric encryption method is used for the collected firewall device data: the collected firewall device data is encrypted with a public key and can only be decrypted with the private key of the central processing server. This encryption provides confidentiality of the uploaded data only; the origin of the data is established separately by the account and password check the central processing server performs before accepting a transmission. The embodiment does not limit the encryption method used for the data entering the data encryption module.
After the data encryption module of the collection terminal has encrypted the collected firewall device data, the encrypted firewall device data are passed to the data transmission module of the collection terminal, and the data transmission module transmits the firewall device data to the central processing server through the mobile network interface of the collection terminal. Before transmitting, the data transmission module requires the account and password to be entered and the service address of the central processing server to be set.
The process by which the data transmission module of the collection terminal transmits the encrypted firewall device data to the central processing server is shown in Fig. 4. The mobile network interface of the collection terminal first requests a connection to the central processing server over a 3G/4G mobile network; the authentication module of the central processing server is called first and must determine whether the collection terminal is a trusted user. If the collection terminal is a trusted user, the firewall device data sent by the collection terminal are accepted, and after the central processing server has received the firewall device data sent by the collection terminal it returns a successful-receipt response to the collection terminal. If the collection terminal is not a trusted user, the central processing server rejects the request sent by the collection terminal and returns a collection-terminal account or password error message to the collection terminal.
After the central processing server has received the firewall device data sent by the collection terminal, the central processing server exchanges data with the access control policy baseline database, as shown in Fig. 5.
Because the data encryption module of the collection terminal encrypted the collected firewall device data before the collection terminal sent them to the central processing server, the central processing server must first decrypt the encrypted firewall data after it receives the firewall device data sent by the collection terminal.
The decryption module in the central processing server decrypts the encrypted firewall device data with the private key corresponding to the data encryption module of the collection terminal. After the decrypted firewall device data have been obtained, the firewall device data must be further parsed to obtain the relevant information of the firewall device, as shown in Fig. 6. The relevant information of the firewall device obtained includes: 1. the firewall device identity code; 2. the home location information; 3. the device model; 4. the number of ports; 5. the adjacent upper-level security domain identifier; 6. the port IP address of the boundary firewall of the adjacent upper-level security domain; 7. the port IP address through which the adjacent upper-level security domain is accessed; 8. the adjacent lower-level security domain identifier; 9. the port IP address through which the adjacent lower-level security domain is accessed; 10. the firewall access control policy data.
Further, from the adjacent upper-level and lower-level security domain identifiers of the firewall device and the port IP addresses corresponding to the adjacent upper-level and lower-level security domains, the central processing server can determine the firewall devices associated with the firewall device, and it stores the data of the associated firewall devices in the storage module of the central processing server.
In step 102, the firewall access control policy of firewall X is obtained, and the firewall policy anomaly weight of firewall X itself is determined.
In the embodiment of the present invention, the multiple firewall devices in the same network can be organised into a tree structure as shown in Fig. 7. With this structure the upper-level/lower-level interconnection relationship between firewalls can be exploited, which facilitates storage, lookup, analysis and error-checking computation in a computer. Because the control policies of the firewall devices in the same network are all formulated according to one security policy, whether the firewall system of the same network can achieve the expected security protection effect depends, on the one hand, on whether the policy of each firewall device is configured correctly and, on the other hand, on whether the policies of associated firewall devices cooperate with each other and do not conflict.
After the central processing server has parsed the collected firewall device data and obtained the firewall device related data, the error-checking module in the central processing server needs to perform error-checking detection on the firewall device related data. When error checking is performed, the firewall security baseline detection table in the access control policy baseline database is called first, and security baseline detection is performed on the firewall access control policy. If the detection finds that the firewall access control policy meets the firewall security baseline, the firewall access control policy is considered safe; if the detection finds that the firewall access control policy does not meet the firewall security baseline, the firewall access control policy is considered unsafe.
When the firewall access control policy does not meet the firewall security baseline, algorithmic detection needs to be performed on the firewall access control policy and on the data of the firewall devices associated with the firewall device.
In the embodiment of the present invention, the security domain of a firewall can be defined as follows:
F[domain], domain ∈ {1, 2, 3, 4, …, +∞}.
The definition of a rule in a firewall access control policy includes the following:
Firewall access control policy rule number: R[order] ∈ {1, 2, 3, 4, …, +∞}.
Firewall access control policy filter part: R[filter] ∈ {protocol type, source IP address, source port, destination IP address, destination port}.
Firewall access control policy action part:
In the embodiment of the present invention, an independent firewall access control policy is detected on the basis of the firewall policy anomaly weight.
The method of computing the anomaly weight of an independent firewall policy mainly includes the following steps, as shown in Fig. 8:
Step 1021: determine whether each pair of firewall policies is related.
In the embodiment of the present invention, the Cartesian product of all sub-items of the filter domain of the filter part R[filter] of a firewall access control policy is called the packet-filter set matched by rule R and is denoted {R[filter]}. When [condition not reproduced], the A-th firewall policy and the B-th firewall policy in the firewall access control policy are said to be related; if [condition not reproduced], the A-th firewall policy and the B-th firewall policy in the firewall access control policy are said to be unrelated.
In the embodiment of the present invention, when the packet-filter sets matched by RA[filter] and RB[filter] overlap, one covers the other, or they are equal, rule RA of the A-th firewall policy or rule RB of the B-th firewall policy in the firewall access control policy may fail to take effect, which runs counter to the preset security policy.
Step 1022: determine the anomaly degree of each firewall policy.
In the embodiment of the present invention, the anomaly degree of each firewall policy in the firewall access control policy is determined according to formula (1):
In the formula, M_i is the anomaly degree of the i-th firewall policy in the firewall access control policy of firewall X, N_X is the total number of firewall policies contained in the firewall access control policy of firewall X, and W_ir is the anomaly-degree weight between the i-th firewall policy and the other N_X − 1 firewall policies in the firewall access control policy of firewall X.
Further, the anomaly-degree weight between the i-th firewall policy in the firewall access control policy of firewall X and the other N_X − 1 firewall policies in the firewall access control policy of firewall X is any one of the following:
If [condition not reproduced], RA[order] < RB[order] and RA[action] ≠ RB[action], the anomaly-degree weight between the A-th firewall policy and the B-th firewall policy in the firewall access control policy of firewall X is determined to be W1; or
If [condition not reproduced], RA[order] < RB[order] and RA[action] = RB[action], the anomaly-degree weight between the A-th firewall policy and the B-th firewall policy in the firewall access control policy of firewall X is determined to be W2; or
If [condition not reproduced] and RA[action] ≠ RB[action], the anomaly-degree weight between the A-th firewall policy and the B-th firewall policy in the firewall access control policy of firewall X is determined to be W3; or
If [condition not reproduced] and RA[action] = RB[action], the anomaly-degree weight between the A-th firewall policy and the B-th firewall policy in the firewall access control policy of firewall X is determined to be W4;
where R[order] is the rule number of a firewall policy in the firewall access control policy, R[action] is the action part of a firewall policy in the firewall access control policy, and {R[filter]} is the Cartesian product of all sub-items of the filter domain of rule R in the firewall access control policy.
For example, an independent firewall access control policy contains 4 firewall policies, and the anomaly-degree weights of the first firewall policy relative to the other three firewall policies cover the following three cases:
First case: the anomaly-degree weight of the first firewall policy relative to the second firewall policy can be any one of the following:
1) If [condition not reproduced], R1[order] < R2[order] and R1[action] ≠ R2[action], rule R2 cannot take effect; the anomaly-degree weight of the first firewall policy relative to the second firewall policy is determined to be W1.
2) If [condition not reproduced] and R1[action] = R2[action], rule R2 is redundant; the anomaly-degree weight of the first firewall policy relative to the second firewall policy is determined to be W2.
3) If rule R1 is related to rule R2, [condition not reproduced] and R1[action] ≠ R2[action], rule R1 conflicts with rule R2; the anomaly-degree weight of the first firewall policy relative to the second firewall policy is determined to be W3.
4) If rule R1 is related to rule R2, [condition not reproduced] and R1[action] = R2[action], rule R1 overlaps with rule R2; the anomaly-degree weight of the first firewall policy relative to the second firewall policy is determined to be W4.
Second case: the anomaly-degree weight of the first firewall policy relative to the third firewall policy can be any one of the following:
1) If [condition not reproduced], R1[order] < R3[order] and R1[action] ≠ R3[action], rule R3 cannot take effect; the anomaly-degree weight of the first firewall policy relative to the third firewall policy is determined to be W1.
2) If [condition not reproduced], R1[order] < R3[order] and R1[action] = R3[action], rule R3 is redundant; the anomaly-degree weight of the first firewall policy relative to the third firewall policy is determined to be W2.
3) If rule R1 is related to rule R3, [condition not reproduced] and R1[action] ≠ R3[action], rule R1 conflicts with rule R3; the anomaly-degree weight of the first firewall policy relative to the third firewall policy is determined to be W3.
4) If rule R1 is related to rule R3, [condition not reproduced] and R1[action] = R3[action], rule R1 overlaps with rule R3; the anomaly-degree weight of the first firewall policy relative to the third firewall policy is determined to be W4.
Third case: the anomaly-degree weight of the first firewall policy relative to the fourth firewall policy can be any one of the following:
1) If [condition not reproduced] and R1[action] ≠ R4[action], rule R4 cannot take effect; the anomaly-degree weight of the first firewall policy relative to the fourth firewall policy is determined to be W1.
2) If [condition not reproduced] and R1[action] = R4[action], rule R4 is redundant; the anomaly-degree weight of the first firewall policy relative to the fourth firewall policy is determined to be W2.
3) If rule R1 is related to rule R4, [condition not reproduced] and R1[action] ≠ R4[action], rule R1 conflicts with rule R4; the anomaly-degree weight of the first firewall policy relative to the fourth firewall policy is determined to be W3.
4) If rule R1 is related to rule R4, [condition not reproduced] and R1[action] = R4[action], rule R1 overlaps with rule R4; the anomaly-degree weight of the first firewall policy relative to the fourth firewall policy is determined to be W4.
From the above analysis, the anomaly degree of the first firewall policy in the independent firewall access control policy can be determined. Since the anomaly-degree weight of the first firewall policy relative to each of the other three firewall policies can take at least four values, the anomaly degree of the first firewall policy mainly includes the following cases:
1) If the anomaly-degree weight of the first firewall policy relative to the second firewall policy is W1, the anomaly-degree weight of the first firewall policy relative to the third firewall policy is W1, and the anomaly-degree weight of the first firewall policy relative to the fourth firewall policy is W1, the anomaly degree of the first firewall policy can be determined according to formula (1):
2) If the anomaly-degree weight of the first firewall policy relative to the second firewall policy is W1, the anomaly-degree weight of the first firewall policy relative to the third firewall policy is W1, and the anomaly-degree weight of the first firewall policy relative to the fourth firewall policy is W2, the anomaly degree of the first firewall policy can be determined according to formula (1):
In the embodiment of the present invention, the above two cases merely illustrate the anomaly degree of the first firewall policy; other similar cases are not explained one by one. In short, the anomaly degree of the first firewall policy within the same independent firewall is the sum of the anomaly-degree weights between the first firewall policy and each of the other firewall policies.
Step 1023: determine the anomaly weight of the same firewall policy.
In the embodiment of the present invention, after the anomaly degree of the first firewall policy in the same independent firewall has been determined, the anomaly degree of the second firewall policy, the anomaly degree of the third firewall policy, and so on must also be determined, until the anomaly degree of the second-to-last firewall policy in the same independent firewall has been determined; the anomaly degree of every firewall policy in the same independent firewall is then completely determined.
After the anomaly degree of every firewall policy in the same independent firewall has been determined, the firewall policy anomaly weight can be determined according to formula (2):
where W_X is the firewall policy anomaly weight of firewall X itself, M_i is the anomaly degree of the i-th firewall policy in the firewall access control policy of firewall X, and N_X is the total number of firewall policies contained in the firewall access control policy of firewall X.
For example, if the same firewall access control policy contains 4 firewall policies, and the anomaly degree of the first firewall policy is M_1r, the anomaly degree of the second firewall policy is M_2r and the anomaly degree of the third firewall policy is M_3r, then the anomaly degree of the independent firewall access control policy is M_1r + M_2r + M_3r, that is, the anomaly weight of the independent firewall policy is W = M_1r + M_2r + M_3r.
In the embodiment of the present invention, suppose that the same firewall access control policy contains 4 firewall policies. In step 1022, when the anomaly degree of each firewall policy is determined, the anomaly degree of the first firewall policy can be computed from the first firewall policy relative to the second, third and fourth firewall policies; alternatively, the anomaly degree of the last, fourth firewall policy can be computed from the fourth firewall policy relative to the third, second and first firewall policies. The embodiment of the present invention does not specifically limit the order in which the anomaly degrees of the firewall policies are computed.
Further, if the anomaly degree of the first firewall policy is computed from the first firewall policy relative to the second, third and fourth firewall policies, then the anomaly degree of the second firewall policy can be computed either from the second firewall policy relative to the third and fourth firewall policies, or from the second firewall policy relative to the first, third and fourth firewall policies.
If the anomaly degree of the second firewall policy is computed from the second firewall policy relative to the third and fourth firewall policies, then the anomaly degree of the third firewall policy must be computed relative to the fourth firewall policy, and the anomaly degree of the fourth firewall policy need not be computed; that is, if the same firewall access control policy contains 4 firewall policies, only the anomaly degrees of the first 3 firewall policies in the firewall access control policy are computed.
If the anomaly degree of the second firewall policy is computed from the second firewall policy relative to the first, third and fourth firewall policies, then the anomaly degree of the third firewall policy must be computed relative to the first, second and fourth firewall policies, and the anomaly degree of the fourth firewall policy is computed relative to the first, second and third firewall policies; that is, if the same firewall access control policy contains 4 firewall policies, the anomaly degree of every firewall policy relative to all the other firewall policies must be computed.
The embodiment of the present invention does not limit the specific algorithm for determining the anomaly degree of each firewall policy.
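The following is an added, runnable reading of steps 1021 to 1023 (it is not code from the patent). Because the patent does not reproduce its filter-set conditions or formulas (1) and (2), the relations used here are assumptions: two rules are related when their packet-filter sets intersect in every dimension of the Cartesian product; when the earlier rule's set contains the later rule's set, the later rule is shadowed (W1) or redundant (W2); otherwise a partial overlap is a conflict (W3) or an overlap (W4). The numeric values of W1 to W4 and the sample rules are also constructed. The block goes beyond the text in that it also computes the inter-firewall weights of steps 1031 and 1032 under the same assumptions, so that one set of helpers serves both passages.

```python
"""Added example (mine, not the patent's code): a runnable reading of steps
1021-1023 and 1031-1032.  The patent does not reproduce its filter-set
conditions or formulas (1)-(3); the relations used here (one filter set
inside the other = cover/shadow/redundancy, partial overlap = conflict/
overlap), the numeric values of W1..W4 and the sample rules are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

W1, W2, W3, W4 = 4, 1, 3, 2        # assumed weight values; the patent leaves them unspecified
ANY_PORT = (0, 65535)              # inclusive port range


@dataclass(frozen=True)
class Rule:
    order: int                     # R[order]
    proto: frozenset               # protocol types
    src: ipaddress.IPv4Network     # source IP address range
    sport: Tuple[int, int]         # source port range
    dst: ipaddress.IPv4Network     # destination IP address range
    dport: Tuple[int, int]         # destination port range
    action: str                    # R[action]: "permit" or "deny"


def rule(order, proto, src, sport, dst, dport, action):
    return Rule(order, frozenset(proto), ipaddress.ip_network(src), sport,
                ipaddress.ip_network(dst), dport, action)


def _ports_intersect(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def _ports_subset(a, b):
    return b[0] <= a[0] and a[1] <= b[1]


def related(a: Rule, b: Rule) -> bool:
    """{a[filter]} and {b[filter]} share a packet: every dimension of the Cartesian product intersects."""
    return (bool(a.proto & b.proto) and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and _ports_intersect(a.sport, b.sport) and _ports_intersect(a.dport, b.dport))


def covered(a: Rule, b: Rule) -> bool:
    """Every packet matched by a is also matched by b ({a[filter]} is a subset of {b[filter]})."""
    return (a.proto <= b.proto and a.src.subnet_of(b.src) and a.dst.subnet_of(b.dst)
            and _ports_subset(a.sport, b.sport) and _ports_subset(a.dport, b.dport))


def intra_weight(ra: Rule, rb: Rule) -> int:
    """Step 1022: W_ir between two rules of the same firewall (symmetric by construction)."""
    if not related(ra, rb):
        return 0
    earlier, later = (ra, rb) if ra.order < rb.order else (rb, ra)
    if covered(later, earlier):                       # earlier rule already matches all of the later one
        return W1 if ra.action != rb.action else W2   # later rule cannot take effect / is redundant
    return W3 if ra.action != rb.action else W4       # partial overlap: conflict / overlap


def policy_anomaly_degrees(policy: List[Rule]) -> List[int]:
    """Formula (1) as the text describes it: M_i = sum of W_ir over the other N_X - 1 rules."""
    return [sum(intra_weight(r, o) for j, o in enumerate(policy) if j != i)
            for i, r in enumerate(policy)]


def firewall_anomaly_weight(policy: List[Rule]) -> int:
    """Formula (2) as the text describes it: W_X = sum of M_i."""
    return sum(policy_anomaly_degrees(policy))


def inter_weight(fx_rule: Rule, fy_rule: Rule) -> int:
    """Step 1032: W'_ir between a rule of child firewall Fx and a rule of parent firewall Fy."""
    if not related(fx_rule, fy_rule):
        return 0
    if covered(fx_rule, fy_rule):                     # equal filters or Fx's set inside Fy's
        return W1 if fx_rule.action != fy_rule.action else W2   # covered by Fy / redundant with Fy
    if fx_rule.action != fy_rule.action:
        return W3                                     # irregular association
    return 0   # partial overlap with the same action: the patent lists no weight for it (assumed 0)


def inter_anomaly_degrees(policy_x: List[Rule], policy_y: List[Rule]) -> List[int]:
    """Formula (3) as the text describes it: for each rule of X, the sum of W'_ir over the N_Y rules of Y."""
    return [sum(inter_weight(rx, ry) for ry in policy_y) for rx in policy_x]


# Constructed sample policies (not from the patent).
POLICY_X = [
    rule(1, {"tcp"}, "10.1.0.0/16", ANY_PORT, "192.168.1.0/24", (80, 80), "permit"),
    rule(2, {"tcp"}, "10.1.2.0/24", ANY_PORT, "192.168.1.10/32", (80, 80), "deny"),    # shadowed by rule 1
    rule(3, {"tcp"}, "10.1.3.0/24", ANY_PORT, "192.168.1.0/24", (80, 80), "permit"),   # redundant with rule 1
    rule(4, {"tcp"}, "10.0.0.0/8", ANY_PORT, "192.168.1.0/25", (1, 1024), "deny"),     # partial overlap with 1-3
]
POLICY_Y = [   # adjacent upper-level firewall
    rule(1, {"tcp"}, "10.1.0.0/16", ANY_PORT, "192.168.1.0/24", (80, 80), "permit"),
    rule(2, {"udp"}, "0.0.0.0/0", ANY_PORT, "192.168.1.0/24", (53, 53), "deny"),
    rule(3, {"tcp"}, "10.0.0.0/8", ANY_PORT, "192.168.1.0/24", (22, 22), "deny"),
]


def run_sample():
    return (policy_anomaly_degrees(POLICY_X), firewall_anomaly_weight(POLICY_X),
            inter_anomaly_degrees(POLICY_X, POLICY_Y))


if __name__ == "__main__":
    m, wx, m_inter = run_sample()
    print("M_i per rule of X:", m, " W_X:", wx, " M'_X per rule vs Y:", m_inter)
```

With the sample above, rule 2 of X is shadowed by rule 1 (it can never take effect, so a deny that the administrator believes is enforced is not), rule 3 is redundant with rule 1, and rule 4 partially overlaps the others with the opposite action; the per-rule degrees M_i come out as [8, 6, 4, 8] and W_X as 26 under the assumed weights. Against the adjacent upper-level firewall Y, rule 2 of X is covered by rule 1 of Y with the opposite action, which is the inter-firewall case the patent weights highest.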
Step 103: obtain the firewall access control policies of the firewalls adjacent to firewall X, and determine the firewall policy anomaly weight between firewalls according to the firewall policy of firewall X and the firewall policies of the adjacent firewalls; here an adjacent firewall is a firewall that has a direct parent-child relationship with firewall X.
In the embodiment of the present invention, if the firewall device data collected by the collection terminal show that the firewall device has neither an adjacent upper-level security domain nor an adjacent lower-level security domain, the firewall device can be determined to exist in isolation, and accordingly the firewall device has no associated firewall devices; step 103 then need not be performed.
If the firewall device data collected by the collection terminal show that the firewall device has an adjacent upper-level security domain, or an adjacent lower-level security domain, or both an adjacent upper-level security domain and an adjacent lower-level security domain, the firewall device can be determined to have associated firewall devices.
In the embodiment of the present invention, the association firewall tree T is defined over F, a finite set containing n firewalls (n > 0). The relation [not reproduced] satisfies the following conditions:
There is one and only one firewall f0 ∈ F that has no adjacent upper-level firewall; f0 is the root of the firewall tree;
Each firewall in F belongs to a security domain Domain, Domain > 0;
Multiple firewalls fx in the same Domain are adjacent to each other, x ≥ 2;
If fx is the parent of fy, fy is a child of fx;
If fy is a child of fx, fx is the parent of fy;
Except for firewall f0, each firewall in F has at least one adjacent upper-level firewall;
Each firewall in F has zero or more adjacent lower-level firewalls.
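The following added example (mine, not the patent's code) ties the record parsing of Fig. 6 to the tree just defined: it structures the ten device fields as XML, parses them back, links parents and children, and checks the root condition of the tree. The matching rule it uses, namely that a device is the parent of another when the child's "port IP address of the boundary firewall of the adjacent upper-level security domain" equals one of the parent's "port IP address through which the adjacent lower-level security domain is accessed", is an assumption, as are all the sample values.

```python
"""Added example (mine, not the patent's code): serialise the ten device
fields as XML, parse them back, and build the association firewall tree of
step 103 from the adjacent-security-domain fields.  The matching rule
(a device is the parent of another when the child's "boundary firewall
port IP of the adjacent upper-level security domain" equals one of the
parent's "port IP accessing the adjacent lower-level security domain")
and all sample values are assumptions."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Adjacent:
    domain_id: str          # adjacent security domain identifier
    boundary_ip: str = ""   # upper-level only: port IP of that domain's boundary firewall
    access_ip: str = ""     # this device's port IP that reaches the adjacent domain


@dataclass
class Device:
    identity_code: str
    location: str
    model: str
    port_count: int
    uppers: List[Adjacent] = field(default_factory=list)   # zero or more upper-level domains
    lowers: List[Adjacent] = field(default_factory=list)   # zero or more lower-level domains
    acl_policy: str = ""
    parents: List[str] = field(default_factory=list)       # filled in by build_tree
    children: List[str] = field(default_factory=list)


def device_to_xml(d: Device) -> str:
    """Structure one collected record as XML (what the collection terminal would encrypt and send)."""
    root = ET.Element("firewall", identity_code=d.identity_code)
    ET.SubElement(root, "location").text = d.location
    ET.SubElement(root, "model").text = d.model
    ET.SubElement(root, "port_count").text = str(d.port_count)
    for u in d.uppers:
        ET.SubElement(root, "upper", domain_id=u.domain_id,
                      boundary_ip=u.boundary_ip, access_ip=u.access_ip)
    for lo in d.lowers:
        ET.SubElement(root, "lower", domain_id=lo.domain_id, access_ip=lo.access_ip)
    ET.SubElement(root, "acl_policy").text = d.acl_policy
    return ET.tostring(root, encoding="unicode")


def device_from_xml(xml_text: str) -> Device:
    """Parse one record back into the ten fields (what the server does after decryption)."""
    e = ET.fromstring(xml_text)
    d = Device(e.get("identity_code"), e.findtext("location"), e.findtext("model"),
               int(e.findtext("port_count")), acl_policy=e.findtext("acl_policy") or "")
    for u in e.findall("upper"):
        d.uppers.append(Adjacent(u.get("domain_id"), u.get("boundary_ip"), u.get("access_ip")))
    for lo in e.findall("lower"):
        d.lowers.append(Adjacent(lo.get("domain_id"), access_ip=lo.get("access_ip")))
    return d


def build_tree(devices: List[Device]) -> Dict[str, Device]:
    """Link parents and children using the assumed IP matching rule."""
    by_id = {d.identity_code: d for d in devices}
    owner_of_lower_ip = {lo.access_ip: d.identity_code for d in devices for lo in d.lowers}
    for d in devices:
        for u in d.uppers:
            parent_id = owner_of_lower_ip.get(u.boundary_ip)
            if parent_id is not None and parent_id != d.identity_code:
                d.parents.append(parent_id)
                by_id[parent_id].children.append(d.identity_code)
    return by_id


def check_tree(tree: Dict[str, Device]) -> List[str]:
    """Return the violated tree conditions; an empty list means a valid association tree."""
    problems = []
    roots = [i for i, d in tree.items() if not d.uppers]
    if len(roots) != 1:
        problems.append(f"expected exactly one root firewall f0, found {roots}")
    for i, d in tree.items():
        if d.uppers and not d.parents:
            problems.append(f"{i} declares an upper-level domain but no parent device matched")
    return problems


# Constructed sample: root FW-00 over two devices in domain 2, one of which fronts domain 3.
SAMPLE_RECORDS = [
    Device("FW-00", "HQ core", "Model-A", 8, lowers=[Adjacent("2", access_ip="10.0.2.1")]),
    Device("FW-01", "Branch 1", "Model-B", 4,
           uppers=[Adjacent("1", "10.0.2.1", "10.0.2.11")],
           lowers=[Adjacent("3", access_ip="10.0.3.1")]),
    Device("FW-02", "Branch 2", "Model-B", 4, uppers=[Adjacent("1", "10.0.2.1", "10.0.2.12")]),
    Device("FW-03", "Site 3", "Model-C", 2, uppers=[Adjacent("2", "10.0.3.1", "10.0.3.7")]),
]


def run_sample():
    parsed = [device_from_xml(device_to_xml(d)) for d in SAMPLE_RECORDS]  # round trip through XML
    tree = build_tree(parsed)
    return tree, check_tree(tree)


if __name__ == "__main__":
    tree, problems = run_sample()
    for i, d in tree.items():
        print(i, "parents:", d.parents, "children:", d.children)
    print("problems:", problems or "none")
```

The check in check_tree is what makes step 103 safe to run: a record that claims an upper-level domain but matches no parent would otherwise be analysed as an isolated firewall and its inter-firewall anomalies silently skipped.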
In the embodiment of the present invention, taking the case where fy is a child of fx (fx is the parent of fy) as an example, the method of computing the policy anomaly weight between firewalls is described specifically, as shown in Fig. 9:
Step 1031: determine whether each firewall policy in the firewall access control policy of firewall X is related to each firewall policy in the firewall access control policy of firewall Y.
In the association firewall tree T, if [condition not reproduced], the A-th firewall policy in the firewall access control policy of firewall X is said to be related to the B-th firewall policy in the firewall access control policy of firewall Y; if [condition not reproduced], the A-th firewall policy in the firewall access control policy of firewall X is said to be unrelated to the B-th firewall policy in the firewall access control policy of firewall Y.
In the embodiment of the present invention, when [condition not reproduced], the A-th firewall policy in the firewall access control policy of firewall X and the B-th firewall policy in the firewall access control policy of firewall Y may give rise to an irregularity.
Step 1032: determine the anomaly degree of each firewall policy in the firewall access control policy of firewall X.
In the embodiment of the present invention, the anomaly degree of each firewall policy in the firewall access control policy of firewall X is determined according to formula (3):
where M_X is the anomaly degree of the i-th firewall policy in the firewall access control policy of firewall X with respect to all firewall policies in the firewall access control policy of firewall Y adjacent to firewall X, N_Y is the total number of firewall policies contained in the firewall access control policy of firewall Y adjacent to firewall X, and W'_ir is the anomaly-degree weight between the i-th firewall policy in the firewall access control policy of firewall X and any one firewall policy in the firewall access control policy of firewall Y adjacent to firewall X.
Further, the anomaly-degree weight between the i-th firewall policy in the firewall access control policy of firewall X and any one firewall policy in the firewall access control policy of firewall Y adjacent to firewall X is any one of the following:
If Fx, Fy ∈ Domain1, Fy is the parent of Fx and FxRA[filter] = FyRB[filter], then if FxRA[action] ≠ FyRB[action], RA of firewall Fx is covered by RB of Fy, and the anomaly-degree weight between the A-th firewall policy in the firewall access control policy of firewall X and the B-th firewall policy in the firewall access control policy of firewall Y adjacent to firewall X is determined to be W1; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx and [condition not reproduced], then if FxRA[action] ≠ FyRB[action], RA of firewall Fx is covered by RB of Fy, and the anomaly-degree weight between the A-th firewall policy in the firewall access control policy of firewall X and the B-th firewall policy in the firewall access control policy of firewall Y adjacent to firewall X is determined to be W1; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx and FxRA[filter] = FyRB[filter], then if FxRA[action] = FyRB[action], RA of firewall Fx and RB of Fy are redundant, and the anomaly-degree weight between the A-th firewall policy in the firewall access control policy of firewall X and the B-th firewall policy in the firewall access control policy of firewall Y adjacent to firewall X is determined to be W2; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx and [condition not reproduced], then if FxRA[action] = FyRB[action], RA of firewall Fx and RB of Fy are redundant, and the anomaly-degree weight between the A-th firewall policy in the firewall access control policy of firewall X and the B-th firewall policy in the firewall access control policy of firewall Y adjacent to firewall X is determined to be W2; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, [condition not reproduced] and FxRA[action] ≠ FyRB[action], FxRA is said to be irregularly associated with FyRB, and the anomaly-degree weight between the A-th firewall policy in the firewall access control policy of firewall X and the B-th firewall policy in the firewall access control policy of firewall Y adjacent to firewall X is determined to be W3;
where R[filter] is the filter part of the i-th firewall policy in the firewall control policy, and R[action] is the action part of the i-th firewall policy in the firewall control policy.
Further, FxRA[filter] is the filter part of the RA-th firewall policy in the firewall access control policy of firewall X, and FyRB[filter] is the filter part of the RB-th firewall policy in the firewall access control policy of firewall Y; FxRA[action] is the action part of firewall policy RA in the firewall access control policy of firewall X, and FyRB[action] is the action part of firewall policy RB in the firewall access control policy of firewall Y.
For example, the firewall access control policy of firewall X contains 4 firewall policies and the firewall access control policy of firewall Y contains 3 firewall policies. The anomaly-degree weights between the first firewall policy in the firewall access control policy of firewall X and the firewall policies in the firewall access control policy of firewall Y adjacent to firewall X then cover the following three cases:
First case: the anomaly-degree weight between the first firewall policy in the firewall access control policy of firewall X and the first firewall policy in the firewall access control policy of firewall Y adjacent to firewall X is any one of the following:
1) If Fx, Fy ∈ Domain1, Fy is the adjacent upper-level firewall of Fx and FxR1[filter] = FyR1[filter], then if FxR1[action] ≠ FyR1[action], R1 of firewall Fx is covered by R1 of Fy, and the anomaly-degree weight between the first firewall policy in the firewall access control policy of firewall X and the first firewall policy in the firewall access control policy of firewall Y adjacent to firewall X is determined to be W1.
2) If Fx, Fy ∈ Domain1, Fy is the adjacent upper-level firewall of Fx and [condition not reproduced], then if FxR1[action] ≠ FyR1[action], R1 of firewall Fx is covered by R1 of Fy, and the anomaly-degree weight between the first firewall policy of firewall X and the first firewall policy of adjacent firewall Y is determined to be W1.
3) If Fx, Fy ∈ Domain1, Fy is the adjacent upper-level firewall of Fx and FxR1[filter] = FyR1[filter], then if FxR1[action] = FyR1[action], R1 of firewall Fx and R1 of Fy are redundant, and the anomaly-degree weight between the first firewall policy of firewall X and the first firewall policy of adjacent firewall Y is determined to be W2.
4) If Fx, Fy ∈ Domain1, Fy is the adjacent upper-level firewall of Fx and [condition not reproduced], then if FxR1[action] = FyR1[action], R1 of firewall Fx and R1 of Fy are redundant, and the anomaly-degree weight between the first firewall policy of firewall X and the first firewall policy of adjacent firewall Y is determined to be W2.
5) If Fx, Fy ∈ Domain1, Fy is the adjacent upper-level firewall of Fx, [condition not reproduced] and FxR1[action] ≠ FyR1[action], FxR1 is said to be irregularly associated with FyR1, and the anomaly-degree weight between the first firewall policy of firewall X and the first firewall policy of adjacent firewall Y is determined to be W3.
Second case: the anomaly-degree weight between the first firewall policy in the firewall access control policy of firewall X and the second firewall policy in the firewall access control policy of firewall Y adjacent to firewall X is any one of the following:
1) If Fx, Fy ∈ Domain1, Fy is the adjacent upper-level firewall of Fx and FxR1[filter] = FyR2[filter], then if FxR1[action] ≠ FyR2[action], R1 of firewall Fx is covered by R2 of Fy, and the anomaly-degree weight between the first firewall policy of firewall X and the second firewall policy of adjacent firewall Y is determined to be W1.
2) If Fx, Fy ∈ Domain1, Fy is the adjacent upper-level firewall of Fx and [condition not reproduced], then if FxR1[action] ≠ FyR2[action], R1 of firewall Fx is covered by R2 of Fy, and the anomaly-degree weight between the first firewall policy of firewall X and the second firewall policy of adjacent firewall Y is determined to be W1.
3) If Fx, Fy ∈ Domain1, Fy is the adjacent upper-level firewall of Fx and FxR1[filter] = FyR2[filter], then if FxR1[action] = FyR2[action], R1 of firewall Fx and R2 of Fy are redundant, and the anomaly-degree weight between the first firewall policy of firewall X and the second firewall policy of adjacent firewall Y is determined to be W2.
4) If Fx, Fy ∈ Domain1, Fy is the adjacent upper-level firewall of Fx and [condition not reproduced], then if FxR1[action] = FyR2[action], R1 of firewall Fx and R2 of Fy are redundant, and the anomaly-degree weight between the first firewall policy of firewall X and the second firewall policy of adjacent firewall Y is determined to be W2.
5) If Fx, Fy ∈ Domain1, Fy is the adjacent upper-level firewall of Fx, [condition not reproduced] and FxR1[action] ≠ FyR2[action], FxR1 is said to be irregularly associated with FyR2, and the anomaly-degree weight between the first firewall policy of firewall X and the second firewall policy of adjacent firewall Y is determined to be W3.
Third case: the anomaly-degree weight between the first firewall policy in the firewall access control policy of firewall X and the third firewall policy in the firewall access control policy of firewall Y adjacent to firewall X is any one of the following:
1) If Fx, Fy ∈ Domain1, Fy is the adjacent upper-level firewall of Fx and FxR1[filter] = FyR3[filter], then if FxR1[action] ≠ FyR3[action], R1 of firewall Fx is covered by R3 of Fy, and the anomaly-degree weight between the first firewall policy of firewall X and the third firewall policy of adjacent firewall Y is determined to be W1.
2) If Fx, Fy ∈ Domain1, Fy is the adjacent upper-level firewall of Fx and [condition not reproduced], then if FxR1[action] ≠ FyR3[action], R1 of firewall Fx is covered by R3 of Fy, and the anomaly-degree weight between the first firewall policy of firewall X and the third firewall policy of adjacent firewall Y is determined to be W1.
3) If Fx, Fy ∈ Domain1, Fy is the adjacent upper-level firewall of Fx and FxR1[filter] = FyR3[filter], then if FxR1[action] = FyR3[action], R1 of firewall Fx and R3 of Fy are redundant, and the anomaly-degree weight between the first firewall policy of firewall X and the third firewall policy of adjacent firewall Y is determined to be W2.
4) If Fx, Fy ∈ Domain1, Fy is the adjacent upper-level firewall of Fx and [condition not reproduced], then if FxR1[action] = FyR3[action], R1 of firewall Fx and R3 of Fy are redundant, and the anomaly-degree weight between the first firewall policy of firewall X and the third firewall policy of adjacent firewall Y is determined to be W2.
5) If Fx, Fy ∈ Domain1, Fy is the adjacent upper-level firewall of Fx, [condition not reproduced] and FxR1[action] ≠ FyR3[action], FxR1 is said to be irregularly associated with FyR3, and the anomaly-degree weight between the first firewall policy of firewall X and the third firewall policy of adjacent firewall Y is determined to be W3.
From the above analysis the anomaly degree of the first firewall policy in the access control policy of firewall X can be determined. Since the anomaly degree weight of the first firewall policy of firewall X relative to each firewall policy of the adjacent firewall Y can take at least four values, the anomaly degree of the first firewall policy of firewall X mainly covers the following cases:
1) If the anomaly degree weight of the first firewall policy of firewall X relative to the first firewall policy of the adjacent firewall Y is W1, relative to the second firewall policy of Y is W1, and relative to the third firewall policy of Y is W1, then by formula (3) the anomaly degree of the first firewall policy of firewall X is:
2) If the anomaly degree weight of the first firewall policy of firewall X relative to the first firewall policy of the adjacent firewall Y is W1, relative to the second firewall policy of Y is W1, and relative to the third firewall policy of Y is W2, then by formula (3) the anomaly degree of the first firewall policy of firewall X is:
In this embodiment only the two cases above are described for the anomaly degree of the first firewall policy of firewall X; the other similar cases are not explained one by one. In short, the sum of the anomaly degree weights of the first firewall policy of firewall X relative to every firewall policy in the access control policy of the adjacent firewall Y is the anomaly degree of the first firewall policy in the access control policy of firewall X.
Step 1033: determine the firewall policy anomaly weight between the firewall and its adjacent firewall.
In this embodiment, after the anomaly degree weight of the first firewall policy of firewall X relative to each firewall policy of the adjacent firewall Y has been determined, the anomaly degree weight of the second firewall policy of firewall X relative to each firewall policy of Y, of the third firewall policy of firewall X relative to each firewall policy of Y, and of the fourth firewall policy of firewall X relative to each firewall policy of Y must also be determined. Once the anomaly degree weights of all four firewall policies of firewall X relative to each firewall policy of the adjacent firewall Y are known, the firewall policy anomaly weight between firewall X and its adjacent firewall Y can be determined.
After the anomaly degree weight of every firewall policy of firewall X relative to each firewall policy of the adjacent firewall Y has been determined, the firewall policy anomaly weight between firewall X and its adjacent firewall Y is obtained from formula (4):
where W'_X is the inter-firewall policy anomaly weight of firewall X, M'_Xi is the anomaly degree of the i-th firewall policy of firewall X relative to all firewall policies of the adjacent firewall Y, and N_X is the total number of firewall policies in the access control policy of firewall X.
For example, the access control policy of firewall X contains 4 firewall policies and the access control policy of the adjacent firewall Y contains 3. The anomaly degree of the first firewall policy of firewall X relative to the firewall policies of the adjacent firewall Y is M_X1; that of the second firewall policy of firewall X is M_X2; that of the third firewall policy of firewall X is M_X3; and that of the fourth firewall policy of firewall X is M_X4.
Then by formula (4) the firewall policy anomaly weight between firewall X and its adjacent firewall Y is:
In this embodiment it is assumed that the access control policy of firewall X contains 4 firewall policies and that of the adjacent firewall Y contains 3. In step 1032 the anomaly degree of each firewall policy of firewall X may be computed starting from the first firewall policy of X, relative to the first, second and third firewall policies of Y, or starting from the fourth firewall policy of X, relative to the first, second and third firewall policies of Y, and computing its anomaly degree; the order in which the anomaly degrees of the firewall policies of firewall X are computed is not restricted in this embodiment.
Further, if the computation starts with the first firewall policy of firewall X relative to the first, second and third firewall policies of Y, the error degrees of the second, third and fourth firewall policy rules of firewall X can then be computed in that order. If it starts with the fourth firewall policy of firewall X relative to the first, second and third firewall policies of Y, the error degrees of the third, second and first firewall policy rules of firewall X can then be computed in that order.
After the error-checking facility in the central processing server has performed error-check detection on the firewall device data, it can identify, from the firewall policy anomaly weights and the inter-firewall policy anomaly weights between each firewall and its adjacent firewall, the individual firewalls whose firewall policy anomaly weight is large, and also the firewall devices associated with those firewalls.
In step 104, the anomaly degree of the access control policy of firewall X is determined for error checking from the firewall policy anomaly weight of firewall X itself and the inter-firewall policy anomaly weight.
As shown in Figure 10, the central processing server sends the finally determined policy anomaly weight of each individual firewall and the inter-firewall policy anomaly weight between each firewall and its adjacent firewall, through the storage module and database interface of the central processing unit, to the access control policy baseline database, which stores all received data together with its logs.
Further, the central processing server sends the determined policy anomaly weight of each individual firewall and the inter-firewall policy anomaly weight between each firewall and its adjacent firewall to the e-mail server through the alarm module. In this embodiment the administrator, using the per-firewall policy anomaly weights and the inter-firewall policy anomaly weights received from the mail server, can relatively easily determine which firewall device should be fixed first.
In this embodiment, the firewall access control policy sent by the collection terminal is received; the firewall policy anomaly weight is determined from that firewall access control policy; the inter-firewall policy anomaly weight between the firewall and its adjacent firewall is determined from the adjacent firewall, where the adjacent firewall is a firewall that has a parent-child relationship with the firewall. With this method the weight of a single firewall is determined from its firewall policy anomaly weight, the inter-firewall policy anomaly weight is determined from the policy anomalies between firewalls, and from the anomalies indicated by both weights the administrator can be told promptly which problematic firewall device should be fixed first.
For the above method flow, the embodiment of the present invention also provides a firewall access control policy error-checking device; the details of the device follow the method embodiment and are not repeated here.
Embodiment three
The embodiment of the present invention provides a firewall access control policy error-checking device which, as shown in Figure 11, comprises a receiving unit 21, a first determination unit 22, a second determination unit 23 and an error-checking unit 24.
Receiving unit 21: receives the firewall access control policy sent by the collection terminal; the firewall access control policy comprises at least one firewall policy.
First determination unit 22: obtains the access control policy of firewall X and determines the firewall policy anomaly weight of firewall X itself.
Second determination unit 23: obtains the access control policy of the firewall adjacent to firewall X and determines the inter-firewall policy anomaly weight from the access control policy of firewall X and the access control policy of the adjacent firewall, where the adjacent firewall is a firewall that has a direct parent-child relationship with firewall X.
Error-checking unit 24: determines the anomaly degree of the access control policy of firewall X for error checking from the firewall policy anomaly weight of firewall X itself and the inter-firewall policy anomaly weight.
Further, the first determination unit 22 is specifically configured to:
determine the firewall policy anomaly weight of firewall X itself by the following formula:
where W_X is the firewall policy anomaly weight of firewall X itself, M_i is the anomaly degree of the i-th firewall policy in the access control policy of firewall X, and N_X is the total number of firewall policies in the access control policy of firewall X.
Further, the first determination unit 22 is also configured to:
determine the anomaly degree of each firewall policy in the firewall access control policy by the following formula:
where M_i is the anomaly degree of the i-th firewall policy in the access control policy of firewall X, N_X is the total number of firewall policies in the access control policy of firewall X, and W_ir is the anomaly degree weight of the i-th firewall policy relative to the N_X - i other firewall policies in the access control policy of firewall X.
Further, the first determination unit 22 is also configured to:
if [formula], RA[order] < RB[order] and RA[action] ≠ RB[action], determine that the anomaly degree weight of the A-th firewall policy relative to the B-th firewall policy in the access control policy of firewall X is W1; or
if [formula], RA[order] < RB[order] and RA[action] = RB[action], determine that the anomaly degree weight of the A-th firewall policy relative to the B-th firewall policy in the access control policy of firewall X is W2; or
if [formula] and RA[action] ≠ RB[action], determine that the anomaly degree weight of the A-th firewall policy relative to the B-th firewall policy in the access control policy of firewall X is W3; or
if [formula] and RA[action] = RB[action], determine that the anomaly degree weight of the A-th firewall policy relative to the B-th firewall policy in the access control policy of firewall X is W4;
where R[order] is the rule number of a firewall policy in the firewall access control policy, R[action] is the action part of a firewall policy in the firewall access control policy, and {R[filter]} is the cartesian product of all sub-items of the filter domain of rule R in the firewall access control policy.
Further, the second determination unit 23 is specifically configured to:
determine the inter-firewall policy anomaly weight of firewall X by the following formula:
where W'_X is the inter-firewall policy anomaly weight of firewall X, M'_Xi is the anomaly degree of the i-th firewall policy of firewall X relative to all firewall policies of the adjacent firewall Y, and N_X is the total number of firewall policies in the access control policy of firewall X.
Further, the second determination unit 23 is also configured to:
determine the anomaly degree of any firewall policy in the access control policy of firewall X relative to all firewall policies in the access control policy of the adjacent firewall Y by the following formula:
where M_X is the anomaly degree of any firewall policy of firewall X relative to all firewall policies of the adjacent firewall Y, N_Y is the total number of firewall policies in the access control policy of the firewall Y adjacent to firewall X, and W'_ir is the anomaly degree weight of the i-th firewall policy of firewall X relative to any firewall policy of the adjacent firewall Y.
Further, the second determination unit 23 is also configured to:
if Fx, Fy ∈ Domain1, Fy is the higher-level firewall adjacent to Fx, FxRA[filter] = FyRB[filter], and FxRA[action] ≠ FyRB[action], then RA of firewall Fx is covered by RB of Fy, and the anomaly degree weight of the A-th firewall policy of firewall X relative to the B-th firewall policy of the adjacent firewall Y is determined to be W1; or
if Fx, Fy ∈ Domain1, Fy is the higher-level firewall adjacent to Fx, [formula], and FxRA[action] ≠ FyRB[action], then RA of firewall Fx is covered by RB of Fy, and the anomaly degree weight of the A-th firewall policy of firewall X relative to the B-th firewall policy of the adjacent firewall Y is determined to be W1; or
if Fx, Fy ∈ Domain1, Fy is the higher-level firewall adjacent to Fx, FxRA[filter] = FyRB[filter], and FxRA[action] = FyRB[action], then RA of firewall Fx and RB of Fy are redundant, and the anomaly degree weight of the A-th firewall policy of firewall X relative to the B-th firewall policy of the adjacent firewall Y is determined to be W2; or
if Fx, Fy ∈ Domain1, Fy is the higher-level firewall adjacent to Fx, [formula], and FxRA[action] = FyRB[action], then RA of firewall Fx and RB of Fy are redundant, and the anomaly degree weight of the A-th firewall policy of firewall X relative to the B-th firewall policy of the adjacent firewall Y is determined to be W2; or
if Fx, Fy ∈ Domain1, Fy is the higher-level firewall adjacent to Fx, [formula], and FxRA[action] ≠ FyRB[action], then FxRA is said to be irregularly associated with FyRB, and the anomaly degree weight of the A-th firewall policy of firewall X relative to the B-th firewall policy of the adjacent firewall Y is determined to be W3;
where R[filter] is the filter part of a firewall policy in the firewall control policy and R[action] is the action part of a firewall policy in the firewall control policy.
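As an added example, not code from the patent or from any implementation of it, the following Python sketch applies the intra-firewall rules of the first determination unit (weights W1 to W4) and the inter-firewall rules of the second determination unit (weights W1 to W3) to a constructed pair of firewalls: a child X with four policies and its parent Y with three, the same sizes as the worked example in the description. Everything not on the page is an assumption: the filter relation that the page's formulas omit is read as set containment for the W1/W2 cases and as overlap without containment for the W3/W4 cases, the values of W1 to W4 are placeholders, the per-rule aggregation (formula (3)) and the per-firewall aggregations (the W_X formula and formula (4)) are taken to be sums, and all rule data are constructed.

```python
"""Added example (not the patent's code): the anomaly-weight rules of the
first and second determination units on a constructed two-firewall case."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# The patent names W1..W4 but gives no values; these are constructed
# placeholders ordered from most to least severe.
W1, W2, W3, W4 = 4, 3, 2, 1

Filter = Dict[str, FrozenSet[str]]  # sub-item name -> set of matched values


@dataclass(frozen=True)
class Rule:
    order: int      # R[order]: position of the rule in the policy
    filter: Filter  # R[filter]: one value set per sub-item (src, dst, port)
    action: str     # R[action]: "allow" or "deny"


@dataclass
class Firewall:
    name: str
    domain: int     # rules are only compared inside one domain
    rules: List[Rule]


def is_subset(a: Filter, b: Filter) -> bool:
    """{A[filter]} is contained in {B[filter]}. The cartesian product of A's
    sub-items lies inside B's exactly when every sub-item set of A lies
    inside B's (all rules here use the same sub-item names)."""
    return all(a[k] <= b[k] for k in a)


def intersects(a: Filter, b: Filter) -> bool:
    """{A[filter]} and {B[filter]} share a point: every sub-item pair overlaps."""
    return all(a[k] & b[k] for k in a)


def correlated(a: Filter, b: Filter) -> bool:
    """ASSUMPTION: the relation missing from the page for the W3/W4 cases
    is read as 'the filters overlap but neither contains the other'."""
    return intersects(a, b) and not is_subset(a, b) and not is_subset(b, a)


def intra_weight(ra: Rule, rb: Rule) -> int:
    """Weight of rule A against rule B of the same firewall (first
    determination unit). ASSUMPTION: the W1/W2 relation is A inside B."""
    if ra.order < rb.order and is_subset(ra.filter, rb.filter):
        return W1 if ra.action != rb.action else W2
    if correlated(ra.filter, rb.filter):
        return W3 if ra.action != rb.action else W4
    return 0


def inter_weight(ra: Rule, rb: Rule) -> int:
    """Weight of rule RA of firewall Fx against rule RB of its parent Fy
    (second determination unit): RA covered by RB (W1), RA and RB redundant
    (W2), or RA irregularly associated with RB (W3). ASSUMPTION: the
    missing relation is RA inside RB; equal filters are included."""
    if is_subset(ra.filter, rb.filter):
        return W1 if ra.action != rb.action else W2
    if correlated(ra.filter, rb.filter) and ra.action != rb.action:
        return W3
    return 0


def rule_degrees(fx: Firewall) -> List[int]:
    """M_i: anomaly degree of each rule against the firewall's other rules.
    Formula (3) is not reproduced on the page; summing is an assumption."""
    return [sum(intra_weight(ra, rb) for rb in fx.rules if rb is not ra)
            for ra in fx.rules]


def own_weight(fx: Firewall) -> int:
    """W_X: the firewall's own policy anomaly weight (sum of M_i, assumed)."""
    return sum(rule_degrees(fx))


def cross_degrees(fx: Firewall, fy: Firewall) -> List[int]:
    """M'_Xi: degree of each rule of Fx against every rule of its parent Fy."""
    if fx.domain != fy.domain:
        raise ValueError("Fx and Fy must belong to the same domain")
    return [sum(inter_weight(ra, rb) for rb in fy.rules) for ra in fx.rules]


def cross_weight(fx: Firewall, fy: Firewall) -> int:
    """W'_X: inter-firewall policy anomaly weight (formula (4) is not on the
    page; the sum of M'_Xi is assumed)."""
    return sum(cross_degrees(fx, fy))


def flt(src, dst, port) -> Filter:
    return {"src": frozenset(src), "dst": frozenset(dst), "port": frozenset(port)}


# Constructed sample: child firewall X with 4 rules, parent Y with 3 rules.
FX = Firewall("Fx", 1, [
    Rule(1, flt({"10.0.0.1"}, {"192.168.1.10"}, {"80"}), "allow"),
    Rule(2, flt({"10.0.0.1", "10.0.0.2"}, {"192.168.1.10"}, {"80", "443"}), "deny"),
    Rule(3, flt({"10.0.0.3"}, {"192.168.1.20"}, {"22"}), "allow"),
    Rule(4, flt({"10.0.0.2", "10.0.0.3"}, {"192.168.1.10"}, {"443"}), "deny"),
])
FY = Firewall("Fy", 1, [
    Rule(1, flt({"10.0.0.1"}, {"192.168.1.10"}, {"80"}), "deny"),   # covers X.R1
    Rule(2, flt({"10.0.0.3"}, {"192.168.1.20"}, {"22"}), "allow"),  # redundant with X.R3
    Rule(3, flt({"10.0.0.2"}, {"192.168.1.10", "192.168.1.11"}, {"443"}), "allow"),
])

if __name__ == "__main__":
    print("M_i   =", rule_degrees(FX), " W_X  =", own_weight(FX))
    print("M'_Xi =", cross_degrees(FX, FY), " W'_X =", cross_weight(FX, FY))
```

On the constructed data, X.R1 is covered by Y.R1 (same filter, opposite action), X.R3 is redundant with Y.R2, and X.R2 and X.R4 each overlap Y.R3 with a different action, so the inter-firewall degrees come out as [4, 2, 3, 2]; inside X, R1 is contained in the later R2 with a different action and R2/R4 overlap with the same action. Note that the page's intra-firewall rule is asymmetric (the order test only fires for the earlier rule), so a rule pair contributes to one rule's M_i but not necessarily the other's.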
It should be understood that the units of the above firewall access control policy error-checking device are only a logical partition by the functions the device implements; in practical application these units may be merged or split. The functions implemented by the firewall access control policy error-checking device of this embodiment correspond one-to-one to the firewall access control policy error-checking method of the above embodiment; the more detailed process flow implemented by the device has been described in detail in method embodiment one above and is not repeated here.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. If these modifications and variations of the invention fall within the scope of the claims of the invention and their equivalent technologies, the invention is intended to include them as well.
Claims (15)
1. A firewall access control policy error-checking method, characterized in that it comprises:
receiving the firewall access control policy sent by a collection terminal, the firewall access control policy comprising at least one firewall policy;
obtaining the access control policy of firewall X and determining the firewall policy anomaly weight of firewall X itself;
obtaining the access control policy of the firewall adjacent to firewall X and determining the inter-firewall policy anomaly weight from the firewall policy of firewall X and the firewall policy of the adjacent firewall, where the adjacent firewall is a firewall that has a direct parent-child relationship with firewall X;
determining the anomaly degree of the access control policy of firewall X for error checking from the firewall policy anomaly weight of firewall X itself and the inter-firewall policy anomaly weight.
2. The method of claim 1, characterized in that determining the firewall policy anomaly weight of firewall X itself comprises:
determining the firewall policy anomaly weight of firewall X itself by the following formula:
where W_X is the firewall policy anomaly weight of firewall X itself, M_i is the anomaly degree of the i-th firewall policy in the access control policy of firewall X, and N_X is the total number of firewall policies in the access control policy of firewall X.
3. The method of claim 2, characterized in that the anomaly degree of the i-th firewall policy in the access control policy of firewall X is determined by the following formula:
where M_i is the anomaly degree of the i-th firewall policy in the access control policy of firewall X, N_X is the total number of firewall policies in the access control policy of firewall X, and W_ir is the anomaly degree weight of the i-th firewall policy relative to the other N_X - 1 firewall policies in the access control policy of firewall X.
4. The method of claim 3, characterized in that the anomaly degree weight of the i-th firewall policy relative to the other N_X - 1 firewall policies in the access control policy of firewall X is any one of the following:
if [formula], RA[order] < RB[order] and RA[action] ≠ RB[action], the anomaly degree weight of the A-th firewall policy relative to the B-th firewall policy in the access control policy of firewall X is determined to be W1; or
if [formula], RA[order] < RB[order] and RA[action] = RB[action], the anomaly degree weight of the A-th firewall policy relative to the B-th firewall policy in the access control policy of firewall X is determined to be W2; or
if [formula] and RA[action] ≠ RB[action], the anomaly degree weight of the A-th firewall policy relative to the B-th firewall policy in the access control policy of firewall X is determined to be W3; or
if [formula] and RA[action] = RB[action], the anomaly degree weight of the A-th firewall policy relative to the B-th firewall policy in the access control policy of firewall X is determined to be W4;
where R[order] is the rule number of a firewall policy in the firewall access control policy, R[action] is the action part of a firewall policy in the firewall access control policy, and {R[filter]} is the cartesian product of all sub-items of the filter domain of rule R in the firewall access control policy.
5. The method of claim 1, characterized in that determining the inter-firewall policy anomaly weight of firewall X comprises:
determining the inter-firewall policy anomaly weight of firewall X by the following formula:
where W'_X is the inter-firewall policy anomaly weight of firewall X, M'_Xi is the anomaly degree of the i-th firewall policy of firewall X relative to all firewall policies in the access control policy of the adjacent firewall Y, and N_X is the total number of firewall policies in the access control policy of firewall X.
6. The method of claim 5, characterized in that the anomaly degree of the i-th firewall policy of firewall X relative to all firewall policies in the access control policy of the adjacent firewall Y is determined by the following formula:
where M_X is the anomaly degree of the i-th firewall policy of firewall X relative to all firewall policies in the access control policy of the adjacent firewall Y, N_Y is the total number of firewall policies in the access control policy of the firewall Y adjacent to firewall X, and W'_ir is the anomaly degree weight of the i-th firewall policy of firewall X relative to any firewall policy in the access control policy of the adjacent firewall Y.
7. The method of claim 6, characterized in that the anomaly degree weight of the i-th firewall policy of firewall X relative to any firewall policy in the access control policy of the adjacent firewall Y is any one of the following:
if Fx, Fy ∈ Domain1, Fy is the parent of Fx, FxRA[filter] = FyRB[filter], and FxRA[action] ≠ FyRB[action], then RA of firewall Fx is covered by RB of Fy, and the anomaly degree weight of the A-th firewall policy of firewall X relative to the B-th firewall policy of the adjacent firewall Y is determined to be W1; or
if Fx, Fy ∈ Domain1, Fy is the parent of Fx, [formula], and FxRA[action] ≠ FyRB[action], then RA of firewall Fx is covered by RB of Fy, and the anomaly degree weight of the A-th firewall policy of firewall X relative to the B-th firewall policy of the adjacent firewall Y is determined to be W1; or
if Fx, Fy ∈ Domain1, Fy is the parent of Fx, FxRA[filter] = FyRB[filter], and FxRA[action] = FyRB[action], then RA of firewall Fx and RB of Fy are redundant, and the anomaly degree weight of the A-th firewall policy of firewall X relative to the B-th firewall policy of the adjacent firewall Y is determined to be W2; or
if Fx, Fy ∈ Domain1, Fy is the parent of Fx, [formula], and FxRA[action] = FyRB[action], then RA of firewall Fx and RB of Fy are redundant, and the anomaly degree weight of the A-th firewall policy of firewall X relative to the B-th firewall policy of the adjacent firewall Y is determined to be W2; or
if Fx, Fy ∈ Domain1, Fy is the parent of Fx, [formula], and FxRA[action] ≠ FyRB[action], then FxRA is said to be irregularly associated with FyRB, and the anomaly degree weight of the A-th firewall policy of firewall X relative to the B-th firewall policy of the adjacent firewall Y is determined to be W3;
where R[filter] is the filter part of the i-th firewall policy in the firewall control policy, R[action] is the action part of the i-th firewall policy in the firewall control policy, and Domain ∈ {1, 2, 3, 4, ..., +∞}.
8. A firewall access control policy error-checking device, characterized in that it comprises:
a receiving unit for receiving the firewall access control policy sent by a collection terminal, the firewall access control policy comprising at least one firewall policy;
a first determination unit for obtaining the access control policy of firewall X and determining the firewall policy anomaly weight of firewall X itself;
a second determination unit for obtaining the access control policy of the firewall adjacent to firewall X and determining the inter-firewall policy anomaly weight from the access control policy of firewall X and the access control policy of the adjacent firewall, where the adjacent firewall is a firewall that has a direct parent-child relationship with firewall X;
an error-checking unit for determining the anomaly degree of the access control policy of firewall X for error checking from the firewall policy anomaly weight of firewall X itself and the inter-firewall policy anomaly weight.
9. The device of claim 8, characterized in that the first determination unit is specifically configured to:
determine the firewall policy anomaly weight of firewall X itself by the following formula:
where W_X is the firewall policy anomaly weight of firewall X itself, M_i is the anomaly degree of the i-th firewall policy in the access control policy of firewall X, and N_X is the total number of firewall policies in the access control policy of firewall X.
10. The device of claim 8, characterized in that the first determination unit is also configured to:
determine the anomaly degree of each firewall policy in the firewall access control policy by the following formula:
where M_i is the anomaly degree of the i-th firewall policy in the access control policy of firewall X, N_X is the total number of firewall policies in the access control policy of firewall X, and W_ir is the anomaly degree weight of the i-th firewall policy relative to the N_X - i other firewall policies in the access control policy of firewall X.
11. The device of claim 10, characterized in that the first determination unit is also configured to:
if [formula], RA[order] < RB[order] and RA[action] ≠ RB[action], determine that the anomaly degree weight of the A-th firewall policy relative to the B-th firewall policy in the access control policy of firewall X is W1; or
if [formula], RA[order] < RB[order] and RA[action] = RB[action], determine that the anomaly degree weight of the A-th firewall policy relative to the B-th firewall policy in the access control policy of firewall X is W2; or
if [formula] and RA[action] ≠ RB[action], determine that the anomaly degree weight of the A-th firewall policy relative to the B-th firewall policy in the access control policy of firewall X is W3; or
if [formula] and RA[action] = RB[action], determine that the anomaly degree weight of the A-th firewall policy relative to the B-th firewall policy in the access control policy of firewall X is W4;
where R[order] is the rule number of a firewall policy in the firewall access control policy, R[action] is the action part of a firewall policy in the firewall access control policy, and {R[filter]} is the cartesian product of all sub-items of the filter domain of rule R in the firewall access control policy.
12. The device of claim 8, characterized in that the second determination unit is specifically configured to:
determine the inter-firewall policy anomaly weight of firewall X by the following formula:
where W'_X is the inter-firewall policy anomaly weight of firewall X, M'_Xi is the anomaly degree of the i-th firewall policy of firewall X relative to all firewall policies in the access control policy of the adjacent firewall Y, and N_X is the total number of firewall policies in the access control policy of firewall X.
13. The device of claim 12, characterized in that the second determination unit is also configured to:
determine the anomaly degree of any firewall policy in the access control policy of firewall X relative to all firewall policies in the access control policy of the adjacent firewall Y by the following formula:
where M_X is the anomaly degree of any firewall policy of firewall X relative to all firewall policies in the access control policy of the adjacent firewall Y, N_Y is the total number of firewall policies in the access control policy of the firewall Y adjacent to firewall X, and W'_ir is the anomaly degree weight of the i-th firewall policy of firewall X relative to any firewall policy in the access control policy of the adjacent firewall Y.
14. The device as claimed in claim 13, characterized in that the second determination unit is further configured to:
if Fx, Fy ∈ Domain1, Fy is the parent of Fx, FxRA[filter] = FyRB[filter] and FxRA[action] ≠ FyRB[action], then RA of firewall Fx is covered by RB of Fy, and it is determined that the anomaly-degree weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall is W1; or
if Fx, Fy ∈ Domain1, Fy is the parent of Fx, … and FxRA[action] ≠ FyRB[action], then RA of firewall Fx is covered by RB of Fy, and it is determined that the anomaly-degree weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall is W1; or
if Fx, Fy ∈ Domain1, Fy is the parent of Fx, FxRA[filter] = FyRB[filter] and FxRA[action] = FyRB[action], then RA of firewall Fx and RB of Fy are redundant, and it is determined that the anomaly-degree weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall is W2; or
if Fx, Fy ∈ Domain1, Fy is the parent of Fx, … and FxRA[action] = FyRB[action], then RA of firewall Fx and RB of Fy are redundant, and it is determined that the anomaly-degree weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall is W2; or
if Fx, Fy ∈ Domain1, Fy is the parent of Fx, … and FxRA[action] ≠ FyRB[action], then FxRA is said to be irregularly associated with FyRB, and it is determined that the anomaly-degree weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall is W3;
where R[filter] is the filter part of a firewall policy in a firewall control policy, R[action] is the action part of a firewall policy in a firewall control policy, and Domain ∈ {1, 2, 3, 4, …, +∞}.
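As an added worked example, not code from the patent or its applicant, the following Python implements the rule relations that claims 11 to 14 build on and the three inter-firewall anomaly kinds of claim 14: RA on firewall Fx covered by RB on its parent Fy with a conflicting action (W1), covered with the same action (W2), and irregularly associated with a conflicting action (W3). Each filter is treated as the Cartesian product of its fields, as claim 11 defines {R[filter]}, so one rule's filter lies inside another's only when every field does. Several points are assumptions rather than the page's text: the parent Fy is taken to be the firewall upstream of Fx; the filter relations the page does not reproduce in the second, fourth and fifth branches of claim 14 are taken to be containment ({FxRA[filter]} ⊂ {FyRB[filter]}) and partial overlap; the field set (protocol, source, destination, destination port), the weight values and the sample policies are constructed; and the aggregation into M_X and W'_X is a plain mean standing in for the patent's equations, which the page does not reproduce.

```python
# Added example, not the patent's code: rule relations and claim 14's inter-firewall anomalies.
import ipaddress
from dataclasses import dataclass
from enum import Enum

class Rel(Enum):
    EQUAL = "equal"
    SUBSET = "subset"      # first filter lies strictly inside the second
    SUPERSET = "superset"
    PARTIAL = "partial"    # filters overlap but neither contains the other
    DISJOINT = "disjoint"

# W1, W2, W3 are tunable weights in the patent; these values are constructed.
W1_SHADOWED, W2_REDUNDANT, W3_CORRELATED = 3, 1, 2

@dataclass(frozen=True)
class Rule:
    name: str
    proto: frozenset      # protocol names; "any" expands to tcp/udp/icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: tuple          # inclusive (low, high) destination-port range
    action: str           # "allow" or "deny"

    @classmethod
    def parse(cls, name: str, proto: str, src: str, dst: str, dport: str, action: str) -> "Rule":
        protos = frozenset({"tcp", "udp", "icmp"}) if proto == "any" else frozenset({proto})
        first, _, last = ("0-65535" if dport == "any" else dport).partition("-")
        return cls(name, protos, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                   (int(first), int(last or first)), action)

def _rel(a_in_b: bool, b_in_a: bool, overlap: bool) -> Rel:
    if a_in_b and b_in_a:
        return Rel.EQUAL
    if a_in_b:
        return Rel.SUBSET
    if b_in_a:
        return Rel.SUPERSET
    return Rel.PARTIAL if overlap else Rel.DISJOINT

def filter_relation(a: Rule, b: Rule) -> Rel:
    """Relation of {a.filter} to {b.filter}. A filter is the Cartesian product of its
    fields: a lies inside b only if every field does; one disjoint field makes them disjoint."""
    (alo, ahi), (blo, bhi) = a.dport, b.dport
    rels = {
        _rel(a.proto <= b.proto, b.proto <= a.proto, bool(a.proto & b.proto)),
        _rel(a.src.subnet_of(b.src), b.src.subnet_of(a.src), a.src.overlaps(b.src)),
        _rel(a.dst.subnet_of(b.dst), b.dst.subnet_of(a.dst), a.dst.overlaps(b.dst)),
        _rel(blo <= alo and ahi <= bhi, alo <= blo and bhi <= ahi, alo <= bhi and blo <= ahi),
    }
    if Rel.DISJOINT in rels:
        return Rel.DISJOINT
    if rels == {Rel.EQUAL}:
        return Rel.EQUAL
    if rels <= {Rel.EQUAL, Rel.SUBSET}:
        return Rel.SUBSET
    if rels <= {Rel.EQUAL, Rel.SUPERSET}:
        return Rel.SUPERSET
    return Rel.PARTIAL

def inter_firewall_anomaly(ra: Rule, rb: Rule) -> tuple:
    """Classify RA on Fx against RB on Fx's parent Fy. Traffic reaches Fx only after Fy
    has applied RB, so when RB covers RA's filter its fate is decided upstream."""
    rel = filter_relation(ra, rb)
    if rel in (Rel.EQUAL, Rel.SUBSET):          # RA covered by RB
        if ra.action != rb.action:
            return ("shadowed", W1_SHADOWED)    # conflicting action -> W1
        return ("redundant", W2_REDUNDANT)      # same action -> W2
    if rel == Rel.PARTIAL and ra.action != rb.action:
        return ("correlated", W3_CORRELATED)    # irregular association -> W3
    return ("none", 0)

def policy_anomaly_degrees(fx_rules: list, fy_rules: list) -> list:
    """M_X per rule of Fx as the mean pairwise weight over Fy's N_Y rules. This is a
    stand-in aggregation; the patent's own equation is not reproduced on the page."""
    return [sum(inter_firewall_anomaly(ra, rb)[1] for rb in fy_rules) / len(fy_rules)
            for ra in fx_rules]

def firewall_anomaly_weight(fx_rules: list, fy_rules: list) -> float:
    """W'_X as the mean of M_X over Fx's N_X rules (same stand-in aggregation)."""
    degrees = policy_anomaly_degrees(fx_rules, fy_rules)
    return sum(degrees) / len(degrees)

# Constructed sample policies: Fy sits upstream of Fx on the path into 10.1.0.0/16.
FY_RULES = [
    Rule.parse("Y1", "tcp", "0.0.0.0/0", "10.1.0.0/16", "22", "deny"),
    Rule.parse("Y2", "tcp", "0.0.0.0/0", "10.1.0.0/16", "443", "allow"),
    Rule.parse("Y3", "any", "192.168.0.0/16", "10.1.0.0/16", "any", "allow"),
]
FX_RULES = [
    Rule.parse("X1", "tcp", "10.0.0.0/8", "10.1.0.0/16", "22", "allow"),       # shadowed by Y1
    Rule.parse("X2", "tcp", "192.168.1.0/24", "10.1.0.0/16", "443", "allow"),  # redundant to Y2, Y3
    Rule.parse("X3", "tcp", "192.168.0.0/16", "10.0.0.0/8", "8080", "deny"),   # correlated with Y3
]

if __name__ == "__main__":
    for ra in FX_RULES:
        print(ra.name, [inter_firewall_anomaly(ra, rb) for rb in FY_RULES])
    print("W'_X =", round(firewall_anomaly_weight(FX_RULES, FY_RULES), 4))
```

Running the module lists the class of every rule pair: X1 is shadowed by Y1 because the upstream deny on tcp/22 decides before X1's allow is ever consulted; X2 is redundant to Y2 and to Y3; X3 is irregularly associated with Y3 because its destination is wider than Y3's while its protocol and port are narrower, so neither filter contains the other. Only the filter relation and the pair of actions decide the class; rule order within a firewall (R[order]) matters for the intra-firewall cases of claim 11 and is not used here.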
15. A firewall access control policy error-checking system, characterized in that it comprises:
a collection terminal, configured to collect firewall access control policies, obtain the X-th firewall access control policy and the access control policies of the firewalls adjacent to the X-th firewall, and send them to a central processing server; and
an access control policy baseline database, configured to provide the central processing server with the firewall policy anomaly weight algorithm and the inter-firewall policy anomaly weight algorithm, and to store the policy anomaly weight of the X-th firewall itself and the inter-firewall policy anomaly weight of the X-th firewall as determined by the central processing server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410690385.9A CN105704093B (en) | 2014-11-25 | 2014-11-25 | A kind of firewall access control policy error-checking method, apparatus and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105704093A CN105704093A (en) | 2016-06-22 |
CN105704093B true CN105704093B (en) | 2018-06-12 |
Family
ID=56942213
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410690385.9A Active CN105704093B (en) | 2014-11-25 | 2014-11-25 | A kind of firewall access control policy error-checking method, apparatus and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105704093B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105704093B (en) * | 2014-11-25 | 2018-06-12 | China Mobile Group Design Institute Co., Ltd. | A kind of firewall access control policy error-checking method, apparatus and system |
CN107948205B (en) * | 2017-12-31 | 2020-10-27 | China Mobile Group Jiangsu Co., Ltd. | Firewall strategy generation method, device, equipment and medium |
CN109120448B (en) * | 2018-08-24 | 2020-05-05 | Wuhan Sipuleng Technology Co., Ltd. | Alarm method and system |
CN111698199A (en) * | 2020-04-13 | 2020-09-22 | State Grid Zhejiang Electric Power Co., Ltd. Hangzhou Power Supply Company | Firewall monitoring method and device |
CN112351014B (en) * | 2020-10-28 | 2022-06-07 | Wuhan Sipuleng Technology Co., Ltd. | Firewall security policy compliance baseline management method and device between security domains |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103368976A (en) * | 2013-07-31 | 2013-10-23 | University of Electronic Science and Technology of China | Network security evaluation device based on attack graph adjacent matrix |
CN103825876A (en) * | 2013-11-07 | 2014-05-28 | Beijing Anma Technology Co., Ltd. | Firewall policy auditing system in complex network environment |
CN103905407A (en) * | 2012-12-28 | 2014-07-02 | China Mobile Communications Corporation | Method and device for firewall access control strategy analysis |
CN104092676A (en) * | 2014-06-30 | 2014-10-08 | Fudan University | Parallel firewall rule anomaly detection method for cloud data center environment firewall as service |
CN105704093A (en) * | 2014-11-25 | 2016-06-22 | China Mobile Group Design Institute Co., Ltd. | Firewall access control strategy debugging method, device and system |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
AU2005328336B2 (en) * | 2004-12-22 | 2011-09-15 | Wake Forest University | Method, systems, and computer program products for implementing function-parallel network firewall |
US8042167B2 (en) * | 2005-03-28 | 2011-10-18 | Wake Forest University | Methods, systems, and computer program products for network firewall policy optimization |
US20090300748A1 (en) * | 2008-06-02 | 2009-12-03 | Secure Computing Corporation | Rule combination in a firewall |
Non-Patent Citations (3)
Title |
---|
Discovery of policy anomalies in distributed firewalls; Al-Shaer, Ehab S. et al.; IEEE INFOCOM 2004; 2004-12-31; Vol. 4; full text * |
Research on anomaly detection algorithms for distributed firewall policies; Zhang Li; China Master's Theses Full-text Database, Information Science and Technology; 2007-12-15 (No. 06); full text * |
Distributed firewall policy anomaly detection and analysis based on DFSQL; Deng Baolong et al.; Computer & Digital Engineering; 2012-10-20; Vol. 40 (No. 10); full text * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||