CN105704093B - A kind of firewall access control policy error-checking method, apparatus and system - Google Patents


Info

Publication number
CN105704093B
CN105704093B (application CN201410690385.9A; pre-grant publication CN105704093A)
Authority
CN
China
Prior art keywords
firewall
policy
access control
fire wall
action
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201410690385.9A
Other languages
Chinese (zh)
Other versions
CN105704093A (en)
Inventor
马力鹏
杜雪涛
赵蓓
吴日切夫
张高山
洪东
常玲
薛姗
刘佳
张艋
张琳
杜刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Group Design Institute Co Ltd
Original Assignee
China Mobile Group Design Institute Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Group Design Institute Co Ltd
Priority to CN201410690385.9A
Publication of CN105704093A
Application granted
Publication of CN105704093B
Legal status: Active (current)
Anticipated expiration

Abstract

The invention discloses a firewall access control policy error-checking method, apparatus and system. The method receives the firewall access control policy sent by an acquisition terminal, where the firewall access control policy includes at least one firewall policy; obtains the access control policy of the X-th firewall and determines the firewall policy anomaly weight of the X-th firewall itself; obtains the access control policy of the firewall adjacent to the X-th firewall and, from the firewall policy of the X-th firewall and the firewall policy of the adjacent firewall, determines the inter-firewall policy anomaly weight; and determines the anomaly degree of the X-th firewall's access control policy for error checking from the firewall policy anomaly weight of the X-th firewall itself and the inter-firewall policy anomaly weight. With this technical solution, the analysis efficiency of firewall access control policies can be improved effectively, and the firewall device that should be resolved with priority can be pointed out to the administrator.

Description

A kind of firewall access control policy error-checking method, apparatus and system
Technical field
The present invention relates to the field of Internet information processing technology, and more particularly to a firewall access control policy error-checking method, apparatus and system.
Background technology
Telecom operators run networks of enormous size. To better protect the data on different devices, different security domains and sub-security domains are usually divided according to the security levels of the devices, and firewalls are deployed between different security domains and sub-security domains to isolate them and control access between them; this forms a multi-level distributed firewall architecture.
A multi-level distributed firewall architecture greatly increases the workload and difficulty of configuring enterprise security policy. As the company's business grows, the corporate network keeps expanding and the business keeps changing, which leads to more firewall devices and continual modification of firewall access control policies. When managing many firewalls, administrators increasingly make mistakes in firewall policies, and erroneous or contradictory policy configurations appear between different firewalls.
In summary, in the prior art, as the network scale keeps expanding and the number of network interfaces keeps increasing, the access policies in firewalls become more and more numerous; if one has to build processing servers at multiple levels, or modify the access control lists of the relevant network devices so that the firewall devices to be checked can be accessed remotely over the wired network, the implementation difficulty is very high.
Invention content
Embodiments of the present invention provide a firewall access control policy error-checking method and apparatus, which can effectively improve the analysis efficiency of firewall access control policies and point out to the administrator the firewall device that should be resolved with priority.
An embodiment of the present invention provides a firewall access control policy error-checking method, including:
receiving the firewall access control policy sent by the acquisition terminal, where the firewall access control policy includes at least one firewall policy;
obtaining the access control policy of the X-th firewall and determining the firewall policy anomaly weight of the X-th firewall itself;
obtaining the access control policy of the firewall adjacent to the X-th firewall and, from the firewall policy of the X-th firewall and the firewall policy of the adjacent firewall, determining the inter-firewall policy anomaly weight, where the adjacent firewall is a firewall that has a direct parent-child relationship with the X-th firewall;
determining, from the firewall policy anomaly weight of the X-th firewall itself and the inter-firewall policy anomaly weight, the anomaly degree of the X-th firewall's access control policy for error checking.
Preferably, determining the firewall policy anomaly weight of the X-th firewall itself includes:
determining the firewall policy anomaly weight of the X-th firewall itself according to the following equation:
where W_X is the firewall policy anomaly weight of the X-th firewall itself, M_i is the anomaly degree of the i-th firewall policy in the X-th firewall's access control policy, and N_X is the total number of firewall policies in the X-th firewall's access control policy.
Preferably, the anomaly degree of the i-th firewall policy in the X-th firewall's access control policy is determined according to the following formula:
where M_i is the anomaly degree of the i-th firewall policy in the X-th firewall's access control policy, N_X is the total number of firewall policies in the X-th firewall's access control policy, and W_ir is the anomaly degree weight between the i-th firewall policy and the other N_X − 1 firewall policies in the X-th firewall's access control policy.
Preferably, the anomaly degree weight between the i-th firewall policy and the other N_X − 1 firewall policies in the X-th firewall's access control policy is any one of the following:
If …, RA[order] < RB[order] and RA[action] ≠ RB[action], then the anomaly degree weight between the A-th firewall policy and the B-th firewall policy in the X-th firewall's access control policy is determined to be W1; or
If …, RA[order] < RB[order] and RA[action] = RB[action], then the anomaly degree weight between the A-th firewall policy and the B-th firewall policy in the X-th firewall's access control policy is determined to be W2; or
If … and RA[action] ≠ RB[action], then the anomaly degree weight between the A-th firewall policy and the B-th firewall policy in the X-th firewall's access control policy is determined to be W3; or
If … and RA[action] = RB[action], then the anomaly degree weight between the A-th firewall policy and the B-th firewall policy in the X-th firewall's access control policy is determined to be W4;
where R[order] is the rule number of a firewall policy in the firewall access control policy, R[action] is the action part of a firewall policy in the firewall access control policy, and {R[filter]} is the cartesian product of all sub-items of the filter domain of rule R in the firewall access control policy.
Preferably, determining the inter-firewall policy anomaly weight of the X-th firewall includes:
determining the inter-firewall policy anomaly weight of the X-th firewall according to the following equation:
where W'_X is the inter-firewall policy anomaly weight of the X-th firewall, M'_Xi is the anomaly degree between the i-th firewall policy in the X-th firewall's access control policy and all firewall policies in the access control policy of the Y-th firewall adjacent to the X-th firewall, and N_X is the total number of firewall policies in the X-th firewall's access control policy.
Preferably, the anomaly degree between the i-th firewall policy in the X-th firewall's access control policy and all firewall policies in the access control policy of the Y-th firewall adjacent to the X-th firewall is determined according to the following formula:
where M'_Xi is the anomaly degree between the i-th firewall policy in the X-th firewall's access control policy and all firewall policies in the access control policy of the Y-th firewall adjacent to the X-th firewall, N_Y is the total number of firewall policies in the access control policy of the Y-th firewall adjacent to the X-th firewall, and W'_ir is the anomaly degree weight between the i-th firewall policy in the X-th firewall's access control policy and any one firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall.
Preferably, the anomaly degree weight between the i-th firewall policy in the X-th firewall's access control policy and any one firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall is any one of the following:
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, and FxRA[filter] = FyRB[filter]: if FxRA[action] ≠ FyRB[action], then RA of firewall Fx is covered by RB of Fy, and the anomaly degree weight between the A-th firewall policy in the X-th firewall's access control policy and the B-th firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall is determined to be W1; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, and …: if FxRA[action] ≠ FyRB[action], then RA of firewall Fx is covered by RB of Fy, and the anomaly degree weight between the A-th firewall policy in the X-th firewall's access control policy and the B-th firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall is determined to be W1; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, and FxRA[filter] = FyRB[filter]: if FxRA[action] = FyRB[action], then RA of firewall Fx is redundant with RB of Fy, and the anomaly degree weight between the A-th firewall policy in the X-th firewall's access control policy and the B-th firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall is determined to be W2; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, and …: if FxRA[action] = FyRB[action], then RA of firewall Fx is redundant with RB of Fy, and the anomaly degree weight between the A-th firewall policy in the X-th firewall's access control policy and the B-th firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall is determined to be W2; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, …, and FxRA[action] ≠ FyRB[action], then FxRA is said to be irregularly associated with FyRB, and the anomaly degree weight between the A-th firewall policy in the X-th firewall's access control policy and the B-th firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall is determined to be W3;
where R[filter] is the filter part of the i-th firewall policy in the firewall control policy, and R[action] is the action part of the i-th firewall policy in the firewall control policy.
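The rule relations and weights defined above, implemented as an added worked example (this is not the patent's own code; the patent publishes none). The filter-domain conditions and the equations for M_i, W_X, M'_Xi and W'_X are images that did not survive extraction, so the containment tests used for W1..W4, the plain averaging used to aggregate per-rule weights, the sum used to combine the two firewall-level weights, the numeric values of W1..W4 and the sample rules are all assumptions or constructed values, labelled as such in the code. Each filter sub-item is a tuple of the values it matches, so {R[filter]} is literally the cartesian product the text defines.

```python
# Added example, not the patent's code. Assumed: containment tests, averaging,
# summation of W_X and W'_X, and the numeric W1..W4 values below.
from dataclasses import dataclass
from itertools import product

# Constructed weight values; the patent names W1..W4 but states no numbers.
W1, W2, W3, W4 = 4, 1, 3, 2


@dataclass(frozen=True)
class Rule:
    order: int      # R[order]: rule number within the policy
    src: tuple      # each filter sub-item is the tuple of values it matches
    dst: tuple
    proto: tuple
    dport: tuple
    action: str     # R[action]: "permit" or "deny"

    def filter_domain(self) -> frozenset:
        """{R[filter]}: cartesian product of all filter sub-items."""
        return frozenset(product(self.src, self.dst, self.proto, self.dport))


def relation(a: frozenset, b: frozenset) -> str:
    """Set relation between two filter domains."""
    if a == b:
        return "equal"
    if a < b:
        return "a_in_b"
    if b < a:
        return "b_in_a"
    return "overlap" if a & b else "disjoint"


def intra_weight(ra: Rule, rb: Rule) -> int:
    """W_ir between two rules of one firewall, RA ordered before RB.
    Assumed: W1/W2 when the later rule is covered by the earlier one,
    W3/W4 for any other non-disjoint relation."""
    if ra.order > rb.order:
        ra, rb = rb, ra
    rel = relation(ra.filter_domain(), rb.filter_domain())
    differs = ra.action != rb.action
    if rel in ("equal", "b_in_a"):
        return W1 if differs else W2
    if rel in ("a_in_b", "overlap"):
        return W3 if differs else W4
    return 0


def inter_weight(ra: Rule, rb: Rule) -> int:
    """W'_ir between rule RA of firewall Fx and rule RB of its parent Fy.
    Equal or contained domain: RA covered by RB (W1 if actions differ, else
    redundant, W2). Assumed: overlap without containment plus differing
    actions is the 'irregular association' case, W3."""
    rel = relation(ra.filter_domain(), rb.filter_domain())
    differs = ra.action != rb.action
    if rel in ("equal", "a_in_b"):
        return W1 if differs else W2
    return W3 if (rel == "overlap" and differs) else 0


def mean(values):
    return sum(values) / len(values) if values else 0.0


def own_weight(policy_x):
    """M_i per rule and W_X for the firewall (assumed aggregation: averages)."""
    n = len(policy_x)
    m = [mean([intra_weight(policy_x[i], policy_x[r]) for r in range(n) if r != i])
         for i in range(n)]
    return m, mean(m)


def parent_weight(policy_x, policy_y):
    """M'_Xi per rule of X against all N_Y rules of parent Y, and W'_X."""
    m = [mean([inter_weight(ra, rb) for rb in policy_y]) for ra in policy_x]
    return m, mean(m)


def anomaly_degree(policy_x, policy_y):
    """(W_X, W'_X, combined degree for error checking); the sum is assumed."""
    _, wx = own_weight(policy_x)
    _, wxp = parent_weight(policy_x, policy_y)
    return wx, wxp, wx + wxp


# Constructed sample: firewall X with four rules and its parent Y with two.
TCP, DB = ("tcp",), ("db",)
POLICY_X = [
    Rule(1, ("h1", "h2"), DB, TCP, (3306,), "deny"),
    Rule(2, ("h1",), DB, TCP, (3306,), "permit"),      # shadowed by rule 1 (W1)
    Rule(3, ("h2",), DB, TCP, (3306,), "deny"),        # redundant with rule 1 (W2)
    Rule(4, ("h1", "h3"), DB, TCP, (3306,), "permit"), # overlaps rule 1, actions differ (W3)
]
POLICY_Y = [
    Rule(1, ("h1", "h2", "h3"), DB, TCP, (3306,), "permit"),
    Rule(2, ("h1",), DB, TCP, (22,), "permit"),
]

if __name__ == "__main__":
    wx, wxp, total = anomaly_degree(POLICY_X, POLICY_Y)
    print(f"W_X={wx:.3f}  W'_X={wxp:.3f}  degree={total:.3f}")
```

On the sample, rule 2 of X is shadowed by rule 1 (covered, different action), rule 3 is redundant with rule 1, and rule 4 overlaps rule 1 with a different action; against the parent, rules 1 and 3 of X deny traffic that the parent's first rule permits, which is the kind of contradiction between firewalls the text describes. Because the page's formulas are missing, the absolute numbers only illustrate the aggregation shape; the pairwise classification is the part a practitioner would reuse.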
An embodiment of the present invention provides a firewall access control policy error-checking apparatus, including:
a receiving unit, for receiving the firewall access control policy sent by the acquisition terminal, where the firewall access control policy includes at least one firewall policy;
a first determination unit, for obtaining the access control policy of the X-th firewall and determining the firewall policy anomaly weight of the X-th firewall itself;
a second determination unit, for obtaining the access control policy of the firewall adjacent to the X-th firewall and, from the access control policy of the X-th firewall and that of the adjacent firewall, determining the inter-firewall policy anomaly weight, where the adjacent firewall is a firewall that has a direct parent-child relationship with the X-th firewall;
an error-checking unit, for determining, from the firewall policy anomaly weight of the X-th firewall itself and the inter-firewall policy anomaly weight, the anomaly degree of the X-th firewall's access control policy for error checking.
Preferably, the first determination unit is specifically configured to:
determine the firewall policy anomaly weight of the X-th firewall itself according to the following equation:
where W_X is the firewall policy anomaly weight of the X-th firewall itself, M_i is the anomaly degree of the i-th firewall policy in the X-th firewall's access control policy, and N_X is the total number of firewall policies in the X-th firewall's access control policy.
Preferably, the first determination unit is further configured to:
determine the anomaly degree of each firewall policy in the firewall access control policy according to the following formula:
where M_i is the anomaly degree of the i-th firewall policy in the X-th firewall's access control policy, N_X is the total number of firewall policies in the X-th firewall's access control policy, and W_ir is the anomaly degree weight between the i-th firewall policy and the N_X − i firewall policies in the X-th firewall's access control policy.
Preferably, the first determination unit is further configured to:
If …, RA[order] < RB[order] and RA[action] ≠ RB[action], determine that the anomaly degree weight between the A-th firewall policy and the B-th firewall policy in the X-th firewall's access control policy is W1; or
If …, RA[order] < RB[order] and RA[action] = RB[action], determine that the anomaly degree weight between the A-th firewall policy and the B-th firewall policy in the X-th firewall's access control policy is W2; or
If … and RA[action] ≠ RB[action], determine that the anomaly degree weight between the A-th firewall policy and the B-th firewall policy in the X-th firewall's access control policy is W3; or
If … and RA[action] = RB[action], determine that the anomaly degree weight between the A-th firewall policy and the B-th firewall policy in the X-th firewall's access control policy is W4;
where R[order] is the rule number of a firewall policy in the firewall access control policy, R[action] is the action part of a firewall policy in the firewall access control policy, and {R[filter]} is the cartesian product of all sub-items of the filter domain of rule R in the firewall access control policy.
Preferably, the second determination unit is specifically configured to:
determine the inter-firewall policy anomaly weight of the X-th firewall according to the following equation:
where W'_X is the inter-firewall policy anomaly weight of the X-th firewall, M'_Xi is the anomaly degree between the i-th firewall policy in the X-th firewall's access control policy and all firewall policies in the access control policy of the Y-th firewall adjacent to the X-th firewall, and N_X is the total number of firewall policies in the X-th firewall's access control policy.
Preferably, the second determination unit is further configured to:
determine the anomaly degree between any one firewall policy in the X-th firewall's access control policy and all firewall policies in the access control policy of the Y-th firewall adjacent to the X-th firewall according to the following formula:
where M'_Xi is the anomaly degree between any one firewall policy in the X-th firewall's access control policy and all firewall policies in the access control policy of the Y-th firewall adjacent to the X-th firewall, N_Y is the total number of firewall policies in the access control policy of the Y-th firewall adjacent to the X-th firewall, and W'_ir is the anomaly degree weight between the i-th firewall policy in the X-th firewall's access control policy and any one firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall.
Preferably, the second determination unit is further configured to:
If Fx, Fy ∈ Domain1, the upper-level neighbour of Fx is Fy, and FxRA[filter] = FyRB[filter]: if FxRA[action] ≠ FyRB[action], then RA of firewall Fx is covered by RB of Fy, and the anomaly degree weight between the A-th firewall policy in the X-th firewall's access control policy and the B-th firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall is determined to be W1; or
If Fx, Fy ∈ Domain1, the upper-level neighbour of Fx is Fy, and …: if FxRA[action] ≠ FyRB[action], then RA of firewall Fx is covered by RB of Fy, and the anomaly degree weight between the A-th firewall policy in the X-th firewall's access control policy and the B-th firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall is determined to be W1; or
If Fx, Fy ∈ Domain1, the upper-level neighbour of Fx is Fy, and FxRA[filter] = FyRB[filter]: if FxRA[action] = FyRB[action], then RA of firewall Fx is redundant with RB of Fy, and the anomaly degree weight between the A-th firewall policy in the X-th firewall's access control policy and the B-th firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall is determined to be W2; or
If Fx, Fy ∈ Domain1, the upper-level neighbour of Fx is Fy, and …: if FxRA[action] = FyRB[action], then RA of firewall Fx is redundant with RB of Fy, and the anomaly degree weight between the A-th firewall policy in the X-th firewall's access control policy and the B-th firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall is determined to be W2; or
If Fx, Fy ∈ Domain1, the upper-level neighbour of Fx is Fy, …, and FxRA[action] ≠ FyRB[action], then FxRA is said to be irregularly associated with FyRB, and the anomaly degree weight between the A-th firewall policy in the X-th firewall's access control policy and the B-th firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall is determined to be W3;
where R[filter] is the filter part of a firewall policy in the firewall control policy, and R[action] is the action part of a firewall policy in the firewall control policy.
An embodiment of the present invention provides a firewall access control policy error-checking system, including a central processing server;
an acquisition terminal, for acquiring firewall access control policies, obtaining the access control policy of the X-th firewall and the access control policy of the firewall adjacent to the X-th firewall, and sending them to the central processing server; and
an access control policy baseline database, for providing the central processing server with the firewall policy anomaly weight algorithm and the inter-firewall policy anomaly weight algorithm, and for storing the firewall policy anomaly weight of the X-th firewall and the inter-firewall policy anomaly weight of the X-th firewall determined by the central processing server.

In the embodiment of the present invention, the firewall access control policy sent by the acquisition terminal is received, where the firewall access control policy includes at least one firewall policy; the access control policy of the X-th firewall is obtained and the firewall policy anomaly weight of the X-th firewall itself is determined; the access control policy of the firewall adjacent to the X-th firewall is obtained and, from the firewall policy of the X-th firewall and the firewall policy of the adjacent firewall, the inter-firewall policy anomaly weight is determined, where the adjacent firewall is a firewall that has a direct parent-child relationship with the X-th firewall; and from the firewall policy anomaly weight of the X-th firewall itself and the inter-firewall policy anomaly weight, the anomaly degree of the X-th firewall's access control policy is determined for error checking. With this method, the weight of a single firewall can be determined from its firewall policy anomaly weight, the inter-firewall policy anomaly weight can be determined from the policy anomaly weight between firewalls, and from the anomaly conditions shown by the determined firewall policy anomaly weight and inter-firewall policy anomaly weight, the administrator can be told promptly which problematic firewall device should be resolved first.
Description of the drawings
Fig. 1 is a schematic diagram of the firewall access control policy error-checking system provided by embodiment one of the present invention;
Fig. 2 is a schematic diagram of the firewall access control policy error-checking method provided by embodiment two of the present invention;
Fig. 3 is a schematic diagram of the interaction method between the acquisition terminal and the firewall device provided in an embodiment of the present invention;
Fig. 4 is a schematic diagram of the interaction method between the acquisition terminal and the central processing server provided in an embodiment of the present invention;
Fig. 5 is a schematic diagram of the interaction method between the central processing server and the access control policy baseline database provided in an embodiment of the present invention;
Fig. 6 is a schematic diagram of the relevant information of a firewall device provided in an embodiment of the present invention;
Fig. 7 is a schematic diagram of the tree structure formed by multiple firewall devices in the same network provided in an embodiment of the present invention;
Fig. 8 is a schematic diagram of the method for determining the firewall policy anomaly weight provided in an embodiment of the present invention;
Fig. 9 is a schematic diagram of the method for determining the firewall policy anomaly weight between a firewall and its adjacent firewall provided in an embodiment of the present invention;
Fig. 10 is a schematic diagram of the central processing server sending the error-checking result to the e-mail server provided in an embodiment of the present invention;
Fig. 11 is a schematic diagram of the firewall access control policy error-checking apparatus provided by embodiment three of the present invention.
Specific embodiment
In the embodiment of the present invention, the firewall access control policy sent by the acquisition terminal is received, where the firewall access control policy includes at least one firewall policy; the access control policy of the X-th firewall is obtained and the firewall policy anomaly weight of the X-th firewall itself is determined; the access control policy of the firewall adjacent to the X-th firewall is obtained and, from the firewall policy of the X-th firewall and the firewall policy of the adjacent firewall, the inter-firewall policy anomaly weight is determined, where the adjacent firewall is a firewall that has a direct parent-child relationship with the X-th firewall; and the firewall policy anomaly weight of the X-th firewall itself and the inter-firewall policy anomaly weight are determined for error checking. The access control policy of the X-th firewall includes i (i > 1) firewall policies. With this method, the weight of a single firewall can be determined from its firewall policy anomaly weight, the inter-firewall policy anomaly weight can be determined from the policy anomaly weight between firewalls, and from the anomaly conditions shown by the determined firewall policy anomaly weight and inter-firewall policy anomaly weight, the administrator can be told promptly which problematic firewall device should be resolved first.
In order to make the technical problem solved by the present invention, the technical solution and the advantageous effects more clearly understood, preferred embodiments of the present invention are described below with reference to the accompanying drawings and embodiments. It should be understood that the preferred embodiments described here serve only to describe and explain the present invention, not to limit it, and that, where there is no conflict, the embodiments of the present invention and the features in the embodiments may be combined with each other.
Embodiment one
The firewall access control policy error-checking system in embodiment one of the present invention, as shown in Fig. 1, mainly includes an acquisition terminal, a central processing server, an access control policy baseline database and an e-mail server.
The acquisition terminal device is mainly a computer, chiefly a notebook computer, and the computer needs to include a management port and a 3G (3rd Generation)/4G (4th Generation mobile communication) Internet access card.
The acquisition terminal includes an acquisition adaptation interface, an authentication module, a device data acquisition module, a device information editing module, a data encryption module, a data transmission module and a mobile network interface. The main functions of the acquisition terminal are: acquiring distributed firewall access control policies; editing firewall device identifiers, associated security domain information and adjacent firewall information; structuring the device information; encrypting the firewall device data; connecting to the 3G/4G mobile Internet; and uploading the data to the central processing server.
The central processing server includes an authentication module, a decryption module, a computation module, a storage module, an alarm notification module and a database interface. Its main functions are decrypting the collected firewall access control policy data, classifying firewall device information and access control policies and storing them in the database, and checking the firewall control policies.
The main function of the access control policy baseline database is storing the access control policy checking rules, the access control policy checking algorithms, firewall device identification information, security domain level information, firewall policy data and device administrator authentication information.
In the embodiment of the present invention, for the firewall access control policies contained in a large network with multi-level security domains, a firewall access control policy error-checking system is constructed; the system is a centralized security policy error-checking framework based on a high-speed mobile network (3G/4G). An adaptive acquisition terminal connects directly to the firewall device, encrypts the firewall-related information after obtaining it, and uploads the encrypted data to the central processing server over the 3G or 4G mobile network. The central processing server distinguishes the security domain relationships of the different firewalls, automatically builds the firewall relation tree, performs the independent firewall policy anomaly weight calculation and the inter-firewall policy anomaly weight calculation, and can promptly send the calculation results to the administrator and point out the firewall device that should be resolved first.
Embodiment two
As shown in Fig. 2, embodiment two of the present invention provides a firewall access control policy error-checking method, including the following steps:
Step 101: receive the firewall access control policy sent by the acquisition terminal; the firewall access control policy includes at least one firewall policy;
Step 102: obtain the access control policy of the X-th firewall and determine the firewall policy anomaly weight of the X-th firewall itself;
Step 103: obtain the access control policy of the firewall adjacent to the X-th firewall and, from the firewall policy of the X-th firewall and the firewall policy of the adjacent firewall, determine the inter-firewall policy anomaly weight; the adjacent firewall is a firewall that has a direct parent-child relationship with the X-th firewall;
Step 104: determine, from the firewall policy anomaly weight of the X-th firewall itself and the inter-firewall policy anomaly weight, the anomaly degree of the X-th firewall's access control policy for error checking.
In a step 101, the firewall access control policy that collection terminal is sent is received;
In embodiments of the present invention, collection terminal connects firewall box and acquisition eventually by the management mouth of firewall box End, it is specific as shown in Figure 3.
Connection is established between the firewall box and the collection terminal by managing mouth, the acquisition adaptation of collection terminal connects Mouth automatic identification firewall box model, carries out matching connection, then the authentication service in the authentication module of triggering collection end, will be anti- The account of wall with flues equipment is input in collection terminal, if the account for the firewall box that authentication module passes through input, collection terminal Automatic collection fire wall identity code is obtained firewall access control policy by device data acquisition module;The present invention In embodiment, the firewall access control policy includes at least one firewall policy.
If authentication module is not over the account of the firewall box of input, the interface inputted back to account.
It, will be to the identity of collected firewall box after the device data acquisition module data acquisition of collection terminal Identification code and firewall access control policy information into edlin, wherein, in the embodiment of the present invention, the facility information of collection terminal is compiled It collects module to be responsible for the collected information of device data acquisition module into edlin, by the collected firewall box of acquisition module Identity code and firewall access control policy information be input in information editing's module, wherein information editing's module is main Obtain the essential information of firewall box:Information of home location, unit type, port number.
It further, will be each close to higher level's security domain if there are adjacent higher level's security domains for the firewall box Identification information, each close to the perimeter firewall port IP address of higher level's security domain (Internet Protocol Address) It is input in information editing's module with the port IP address of each access close to higher level's security domain.If the firewall box exists The adjacent safe domain identifier of subordinate is then accessed by each identification information close to subordinate's security domain and each close to lower level security The port IP address in domain is input in information editing's module.
Further, it if there is no close to higher level's security domain, is not inputted in information coding module close to upper level security Domain information;If there is no close to subordinate's security domain, do not inputted in information coding module close to subordinate's security domain information.This hair In bright embodiment, firewall box may have multiple close to higher level's security domain, can not also exist close to higher level's security domain, phase It answers, firewall box may have multiple close to subordinate's security domain, can not also exist close to subordinate's security domain.It is of the invention real It applies example not limit the quantity of higher level's security domain of firewall box, to the quantity close to subordinate's security domain of firewall box Also it does not limit.
Further, the embodiment of the present invention may apply structured processing to the entered firewall device information using Extensible Markup Language (XML).
After the device information editing module of the collection terminal has completed information entry, the data encryption module of the collection terminal needs to encrypt the entered information in order to ensure the security of the firewall device information. In the embodiment of the present invention, an asymmetric encryption method is applied to the collected firewall device data: the collected firewall device data is encrypted with a public key, and the data can only be decrypted with the private key of the central processing server. The embodiment of the present invention does not limit the encryption method applied to the data entering the data encryption module.
After the data encryption module of the collection terminal has encrypted the collected firewall device data, the encrypted firewall device data is passed to the data transmission module of the collection terminal, and the data transmission module transmits the firewall device data to the central processing server through the mobile network interface of the collection terminal. Before transmitting, the data transmission module requires the account and password to be entered first and the service address of the central processing server to be set.
The process by which the data transmission module of the collection terminal transmits the encrypted firewall device data to the central processing server is shown in Fig. 4. The mobile network interface of the collection terminal first requests a connection to the central processing server over a 3G/4G mobile network; the authentication module of the central processing service is called first and must determine whether the collection terminal is a trusted user. If the collection terminal is a trusted user, the firewall device data sent by the collection terminal is received, and after receiving it the central processing server returns a successfully-received response to the collection terminal; if the collection terminal is not a trusted user, the central processing server refuses the request sent by the collection terminal and returns an account or password error message to the collection terminal.
After the central processing server has received the firewall device data sent by the collection terminal, the central processing server exchanges data with the access control policy baseline database, as shown in Fig. 5.
Since the data encryption module of the collection terminal encrypted the collected firewall device data before the collection terminal sent it to the central processing server, the central processing server must first decrypt the encrypted firewall data after receiving it.
The decryption module in the central processing server decrypts the encrypted firewall device data with the private key corresponding to the public key used by the data encryption module of the collection terminal. After the decrypted firewall device data has been obtained, the firewall device data must be parsed further to obtain the relevant information of the firewall device, as shown in Fig. 6. The relevant information obtained for a firewall device includes: 1. the firewall device identity code; 2. home location information; 3. device model; 4. number of ports; 5. adjacent upper-level security domain identifiers; 6. the perimeter firewall port IP address of each adjacent upper-level security domain; 7. the port IP address through which each adjacent upper-level security domain is accessed; 8. adjacent lower-level security domain identifiers; 9. the port IP address through which each adjacent lower-level security domain is accessed; 10. firewall access control policy data.
Further, from the adjacent upper- and lower-level security domain identifiers of the firewall device and information such as the port IP addresses corresponding to those adjacent security domains, the central processing server can determine the firewall devices associated with the firewall device, and stores the data of the associated firewall devices in the storage module of the central processing server.
In step 102, the access control policy of firewall X is obtained, and the firewall policy anomaly weight of firewall X itself is determined;
In the embodiment of the present invention, the firewall devices in the same network can be arranged into a tree structure as shown in Fig. 7. The structure makes use of the upper/lower-level interconnection relationships between firewalls and is convenient for storing, searching, analyzing and error-check calculation in a computer. The control policies of the firewall devices in the same network are all formulated according to a single security strategy, so whether the firewall system of a network can achieve the expected protection effect depends, on the one hand, on whether the policy of each firewall device is configured correctly and, on the other hand, on whether the policies of associated firewall devices cooperate with one another without conflict.
After the central processing server has finished parsing the collected firewall device data and obtained the firewall device related data, the error-checking module of the central processing server performs error-check detection on that data. When the check is performed, the firewall security baseline detection table in the access control policy baseline database is called first, and security baseline detection is carried out on the firewall access control policy: if the firewall access control policy is found to meet the firewall security baseline, the firewall access control policy is considered safe; if it is found not to meet the firewall security baseline, the firewall access control policy is considered unsafe.
When the firewall access control policy does not meet the firewall security baseline, algorithmic detection needs to be performed on the firewall access control policy and on the data of the firewall devices associated with that firewall device.
In the embodiment of the present invention, the security domain of a firewall may be defined as follows:
F[domain], domain ∈ {1, 2, 3, 4, ..., +∞}.
The definition of a rule in a firewall access control policy includes the following:
Firewall access control policy rule number: R[order] ∈ {1, 2, 3, 4, ..., +∞}.
Firewall access control policy filter part: R[filter] ∈ {protocol type, source IP address, source port, destination IP address, destination port}.
Firewall access control policy action part:
In the embodiment of the present invention, an independent firewall access control policy is checked on the basis of the firewall policy anomaly weight.
The method of calculating the anomaly weight of an independent firewall policy mainly includes the following steps, as shown in Fig. 8:
Step 1021: determine whether each pair of firewall policies is related;
In the embodiment of the present invention, the Cartesian product of all sub-items of the filter domain of the filter part R of a firewall access control policy is called the packet filtering set matched by rule R, denoted {R[filter]}. When (filter-set relation) holds, the A-th firewall policy and the B-th firewall policy of the firewall access control policy are said to be related; if (the opposite relation) holds, the A-th firewall policy and the B-th firewall policy of the firewall access control policy are said to be unrelated.
In the embodiment of the present invention, when the packet filtering sets matched by RA[filter] and RB[filter] overlap, cover one another or are equal, rule RA (the A-th firewall policy) or rule RB (the B-th firewall policy) of the firewall access control policy may fail to take effect, which runs counter to the preset security strategy.
Step 1022: determine the anomaly degree of each firewall policy;
In the embodiment of the present invention, the anomaly degree of each firewall policy in the firewall access control policy is determined according to formula (1):
In the formula, M_i is the anomaly degree of the i-th firewall policy in the access control policy of firewall X, N_X is the total number of firewall policies included in the access control policy of firewall X, and W_ir is the anomaly degree weight between the i-th firewall policy and the other N_X - 1 firewall policies in the access control policy of firewall X.
Further, the anomaly degree weight between the i-th firewall policy in the access control policy of firewall X and the other N_X - 1 firewall policies in that policy includes any one of the following:
If (filter-set relation), RA[order] < RB[order] and RA[action] ≠ RB[action], it is determined that the anomaly degree weight of the A-th firewall policy relative to the B-th firewall policy in the access control policy of firewall X is W1; or
If (filter-set relation), RA[order] < RB[order] and RA[action] = RB[action], it is determined that the anomaly degree weight of the A-th firewall policy relative to the B-th firewall policy in the access control policy of firewall X is W2; or
If (filter-set relation) and RA[action] ≠ RB[action], it is determined that the anomaly degree weight of the A-th firewall policy relative to the B-th firewall policy in the access control policy of firewall X is W3; or
If (filter-set relation) and RA[action] = RB[action], it is determined that the anomaly degree weight of the A-th firewall policy relative to the B-th firewall policy in the access control policy of firewall X is W4;
Here, R[order] is the rule number of a firewall policy in the firewall access control policy; R[action] is the action part of a firewall policy in the firewall access control policy; {R[filter]} is the Cartesian product of all sub-items of the filter domain of rule R in the firewall access control policy.
For example, an independent firewall access control policy includes 4 firewall policies; the anomaly degree weight of the first firewall policy relative to each of the other three firewall policies covers the following three cases:
First case: the anomaly degree weight of the first firewall policy relative to the second firewall policy may be any one of the following:
1) If (filter-set relation), R1[order] < R2[order] and R1[action] ≠ R2[action], then rule R2 cannot take effect; the anomaly degree weight of the first firewall policy relative to the second firewall policy is determined to be W1.
2) If (filter-set relation) and R1[action] = R2[action], then rule R2 is redundant; the anomaly degree weight of the first firewall policy relative to the second firewall policy is determined to be W2.
3) If rule R1 is related to rule R2, (filter-set relation) and R1[action] ≠ R2[action], then rule R1 conflicts with rule R2; the anomaly degree weight of the first firewall policy relative to the second firewall policy is determined to be W3.
4) If rule R1 is related to rule R2, (filter-set relation) and R1[action] = R2[action], then rule R1 overlaps rule R2; the anomaly degree weight of the first firewall policy relative to the second firewall policy is determined to be W4.
Second case: the anomaly degree weight of the first firewall policy relative to the third firewall policy may be any one of the following:
1) If (filter-set relation), R1[order] < R3[order] and R1[action] ≠ R3[action], then rule R3 cannot take effect; the anomaly degree weight of the first firewall policy relative to the third firewall policy is determined to be W1.
2) If (filter-set relation), R1[order] < R3[order] and R1[action] = R3[action], then rule R3 is redundant; the anomaly degree weight of the first firewall policy relative to the third firewall policy is determined to be W2.
3) If rule R1 is related to rule R3, (filter-set relation) and R1[action] ≠ R3[action], then rule R1 conflicts with rule R3; the anomaly degree weight of the first firewall policy relative to the third firewall policy is determined to be W3.
4) If rule R1 is related to rule R3, (filter-set relation) and R1[action] = R3[action], then rule R1 overlaps rule R3; the anomaly degree weight of the first firewall policy relative to the third firewall policy is determined to be W4.
Third case: the anomaly degree weight of the first firewall policy relative to the fourth firewall policy may be any one of the following:
1) If (filter-set relation) and R1[action] ≠ R4[action], then rule R4 cannot take effect; the anomaly degree weight of the first firewall policy relative to the fourth firewall policy is determined to be W1.
2) If (filter-set relation) and R1[action] = R4[action], then rule R4 is redundant; the anomaly degree weight of the first firewall policy relative to the fourth firewall policy is determined to be W2.
3) If rule R1 is related to rule R4, (filter-set relation) and R1[action] ≠ R4[action], then rule R1 conflicts with rule R4; the anomaly degree weight of the first firewall policy relative to the fourth firewall policy is determined to be W3.
4) If rule R1 is related to rule R4, (filter-set relation) and R1[action] = R4[action], then rule R1 overlaps rule R4; the anomaly degree weight of the first firewall policy relative to the fourth firewall policy is determined to be W4.
From the above analysis, the anomaly degree of the first firewall policy in the independent firewall access control policy can be determined. Since the anomaly degree weight of the first firewall policy relative to each of the other three firewall policies can take at least four values, the anomaly degree of the first firewall policy mainly covers the following cases:
1) If the anomaly degree weight of the first firewall policy relative to the second firewall policy is W1, the anomaly degree weight of the first firewall policy relative to the third firewall policy is W1, and the anomaly degree weight of the first firewall policy relative to the fourth firewall policy is W1, the anomaly degree of the first firewall policy can be determined according to formula (1):
2) If the anomaly degree weight of the first firewall policy relative to the second firewall policy is W1, the anomaly degree weight of the first firewall policy relative to the third firewall policy is W1, and the anomaly degree weight of the first firewall policy relative to the fourth firewall policy is W2, the anomaly degree of the first firewall policy can be determined according to formula (1):
In the embodiment of the present invention, only the above two cases of the anomaly degree of the first firewall policy are illustrated; the other similar cases are not explained one by one. In short, the anomaly degree of the first firewall policy of an independent firewall is the sum of the anomaly degree weights between the first firewall policy and each of the other firewall policies of that firewall.
Step 1023: determine the firewall policy anomaly weight of the firewall itself;
In the embodiment of the present invention, after the anomaly degree of the first firewall policy of an independent firewall has been determined, the anomaly degree of the second firewall policy, the anomaly degree of the third firewall policy and so on also need to be determined; once the anomaly degree of the second-to-last firewall policy of the same independent firewall has been determined, the anomaly degrees of all firewall policies of that independent firewall are complete.
After the anomaly degree of every firewall policy of the same independent firewall has been determined, the firewall policy anomaly weight can be determined according to formula (2):
Here, W_X is the firewall policy anomaly weight of firewall X itself, M_i is the anomaly degree of the i-th firewall policy in the access control policy of firewall X, and N_X is the total number of firewall policies included in the access control policy of firewall X.
For example, if the same firewall access control policy includes 4 firewall policies, where the anomaly degree of the first firewall policy is M_1r, the anomaly degree of the second firewall policy is M_2r and the anomaly degree of the third firewall policy is M_3r, then the anomaly degree of the independent firewall access control policy is M_1r + M_2r + M_3r, i.e. the anomaly weight of the independent firewall policy is W = M_1r + M_2r + M_3r.
In the embodiment of the present invention, assuming that the same firewall access control policy includes 4 firewall policies, the anomaly degree of each firewall policy in step 1022 may be determined by starting from the first firewall policy and calculating its anomaly degree relative to the second, third and fourth firewall policies; it may equally be determined by starting from the fourth firewall policy and calculating the anomaly degree of the last, fourth firewall policy relative to the third, second and first firewall policies. The embodiment of the present invention does not specifically limit the order in which the anomaly degrees of the firewall policies are calculated.
Further, if the anomaly degree of the first firewall policy is calculated from the first firewall policy relative to the second, third and fourth firewall policies, then when the anomaly degree of the second firewall policy is calculated it may be calculated from the second firewall policy relative to the third and fourth firewall policies, or it may be calculated from the second firewall policy relative to the first, third and fourth firewall policies.
If the anomaly degree of the second firewall policy is calculated from the second firewall policy relative to the third and fourth firewall policies, then the anomaly degree of the third firewall policy must be calculated relative to the fourth firewall policy only, and the anomaly degree of the fourth firewall policy need not be calculated at all; that is, if the same firewall access control policy includes 4 firewall policies, only the anomaly degrees of the first 3 firewall policies in that access control policy are calculated.
If the anomaly degree of the second firewall policy is calculated from the second firewall policy relative to the first, third and fourth firewall policies, then the anomaly degree of the third firewall policy must be calculated relative to the first, second and fourth firewall policies, and the anomaly degree of the fourth firewall policy is calculated relative to the first, second and third firewall policies; that is, if the same firewall access control policy includes 4 firewall policies, the anomaly degree of every firewall policy relative to all the other firewall policies must be calculated.
The embodiment of the present invention does not limit the specific algorithm by which the anomaly degree of each firewall policy is determined.
Step 103: obtain the access control policy of the firewall adjacent to firewall X, and determine the inter-firewall policy anomaly weight from the firewall policy of firewall X and the firewall policy of the adjacent firewall; here the adjacent firewall is a firewall that stands in a direct parent-child relationship with firewall X;
In the embodiment of the present invention, if, in the firewall device data collected by the collection terminal, the firewall device has neither an adjacent upper-level security domain nor an adjacent lower-level security domain, the firewall device is determined to exist in isolation and correspondingly has no associated firewall device. Step 103 then need not be performed.
If, in the firewall device data collected by the collection terminal, the firewall device has an adjacent upper-level security domain, an adjacent lower-level security domain, or both an adjacent upper-level and an adjacent lower-level security domain, it is determined that the firewall device has associated firewall devices.
In the embodiment of the present invention, an associated firewall tree F is a finite set containing n firewalls (n > 0). The relation on F satisfies the following conditions:
There is one and only one firewall f0 ∈ F that has no adjacent upper-level firewall; f0 is the root of the firewall tree;
Each firewall in F belongs to a security domain Domain, Domain > 0;
The several firewalls fx in the same Domain are adjacent to one another, x ≥ 2;
If fx is the parent of fy, then fy is a child of fx;
If fy is a child of fx, then fx is the parent of fy;
Except for firewall f0, each firewall in F has at least one adjacent upper-level firewall;
Each firewall in F has zero or more adjacent lower-level firewalls.
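The tree conditions above and the isolation rule of step 103 turned into a check over parsed device records, as an added example that is not part of the patent; the device records, their identity codes, and the assumption that adjacent upper-level firewalls have already been resolved from the security domain identifiers and port IP addresses are constructed here.

```python
from typing import Dict, List, Set, Tuple

# Constructed records (not from the page): firewall identity code -> (security
# domain, identity codes of adjacent upper-level firewalls). An earlier step is
# assumed to have resolved the upper-level firewalls from the adjacent
# upper-level security domain identifiers and their port IP addresses.
DEVICES: Dict[str, Tuple[int, Set[str]]] = {
    "FW-CORE": (1, set()),
    "FW-DMZ-A": (2, {"FW-CORE"}),
    "FW-DMZ-B": (2, {"FW-CORE"}),
    "FW-APP": (3, {"FW-DMZ-A", "FW-DMZ-B"}),
    "FW-ISO": (4, set()),  # no upper- and no lower-level neighbour: isolated
}


def isolated_firewalls(devices: Dict[str, Tuple[int, Set[str]]]) -> List[str]:
    """Firewalls with neither an adjacent upper- nor lower-level firewall.
    They exist in isolation, have no associated firewall, and skip step 103."""
    referenced = {up for _, ups in devices.values() for up in ups}
    return sorted(f for f, (_, ups) in devices.items()
                  if not ups and f not in referenced)


def build_tree(devices: Dict[str, Tuple[int, Set[str]]]):
    """Check the associated-firewall-tree conditions and return
    (root f0, parent -> sorted children). Raises ValueError on a violation."""
    tree = {f: d for f, d in devices.items() if f not in isolated_firewalls(devices)}
    for f, (_, ups) in tree.items():
        missing = ups - tree.keys()
        if missing:
            raise ValueError(f"{f}: unknown upper-level firewall(s) {sorted(missing)}")
    roots = [f for f, (_, ups) in tree.items() if not ups]
    if len(roots) != 1:  # exactly one firewall without an upper-level neighbour
        raise ValueError(f"tree must have exactly one root, found {roots}")
    children: Dict[str, List[str]] = {f: [] for f in tree}
    for f, (_, ups) in tree.items():
        for up in ups:  # fy is a child of fx iff fx is a parent of fy
            children[up].append(f)
    seen, stack = set(), [roots[0]]  # every firewall must hang off the root
    while stack:
        f = stack.pop()
        if f not in seen:
            seen.add(f)
            stack.extend(children[f])
    if seen != tree.keys():
        raise ValueError(f"not reachable from root: {sorted(tree.keys() - seen)}")
    return roots[0], {p: sorted(c) for p, c in children.items()}


def pairs_to_check(devices: Dict[str, Tuple[int, Set[str]]]) -> List[Tuple[str, str]]:
    """(parent, child) pairs whose policies step 103 compares against each other."""
    _, children = build_tree(devices)
    return sorted((p, c) for p, cs in children.items() for c in cs)


def domain_peers(devices: Dict[str, Tuple[int, Set[str]]]) -> Dict[int, List[str]]:
    """Firewalls that share a security domain are adjacent to one another (x >= 2)."""
    groups: Dict[int, List[str]] = {}
    for f, (dom, _) in devices.items():
        groups.setdefault(dom, []).append(f)
    return {d: sorted(fs) for d, fs in groups.items() if len(fs) >= 2}
```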
In the embodiment of the present invention, taking the case where fy is a child of fx (fx is the parent of fy) as an example, the method of calculating the inter-firewall policy anomaly weight is described with reference to Fig. 9:
Step 1031: determine whether each firewall policy in the access control policy of firewall X is related to each firewall policy in the access control policy of firewall Y;
In the associated firewall tree T, if (filter-set relation) holds, the A-th firewall policy in the access control policy of firewall X is said to be related to the B-th firewall policy in the access control policy of firewall Y; if (the opposite relation) holds, the A-th firewall policy in the access control policy of firewall X is said to be unrelated to the B-th firewall policy in the access control policy of firewall Y.
In the embodiment of the present invention, when (filter-set relation) holds, the A-th firewall policy in the access control policy of firewall X and the B-th firewall policy in the access control policy of firewall Y may produce an irregular phenomenon.
Step 1032: determine the anomaly degree of each firewall policy in the access control policy of firewall X;
In the embodiment of the present invention, the anomaly degree of each firewall policy in the access control policy of firewall X is determined according to formula (3):
Here, M_X is the anomaly degree of the i-th firewall policy in the access control policy of firewall X with respect to all firewall policies in the access control policy of firewall Y adjacent to firewall X, N_Y is the total number of firewall policies included in the access control policy of firewall Y adjacent to firewall X, and W'_ir is the anomaly degree weight between the i-th firewall policy in the access control policy of firewall X and any one firewall policy in the access control policy of firewall Y adjacent to firewall X.
Further, the anomaly degree weight between the i-th firewall policy in the access control policy of firewall X and any one firewall policy in the access control policy of the adjacent firewall Y includes any one of the following:
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, FxRA[filter] = FyRB[filter] and FxRA[action] ≠ FyRB[action], then rule RA of firewall Fx is covered by rule RB of Fy, and it is determined that the anomaly degree weight between the A-th firewall policy in the access control policy of firewall X and the B-th firewall policy in the access control policy of the adjacent firewall Y is W1; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, (filter-set relation) and FxRA[action] ≠ FyRB[action], then rule RA of firewall Fx is covered by rule RB of Fy, and it is determined that the anomaly degree weight between the A-th firewall policy in the access control policy of firewall X and the B-th firewall policy in the access control policy of the adjacent firewall Y is W1; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, FxRA[filter] = FyRB[filter] and FxRA[action] = FyRB[action], then rule RA of firewall Fx is redundant with rule RB of Fy, and it is determined that the anomaly degree weight between the A-th firewall policy in the access control policy of firewall X and the B-th firewall policy in the access control policy of the adjacent firewall Y is W2; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, (filter-set relation) and FxRA[action] = FyRB[action], then rule RA of firewall Fx is redundant with rule RB of Fy, and it is determined that the anomaly degree weight between the A-th firewall policy in the access control policy of firewall X and the B-th firewall policy in the access control policy of the adjacent firewall Y is W2; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, (filter-set relation) and FxRA[action] ≠ FyRB[action], then FxRA is said to be irregularly associated with FyRB, and it is determined that the anomaly degree weight between the A-th firewall policy in the access control policy of firewall X and the B-th firewall policy in the access control policy of the adjacent firewall Y is W3;
Here, R[filter] is the filter part of the i-th firewall policy in the firewall control policy; R[action] is the action part of the i-th firewall policy in the firewall control policy.
Further, FxRA[filter] is the filter part of rule RA in the access control policy of firewall X, and FyRB[filter] is the filter part of rule RB in the access control policy of firewall Y; FxRA[action] is the action part of rule RA in the access control policy of firewall X, and FyRB[action] is the action part of rule RB in the access control policy of firewall Y.
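Steps 1021 to 1023 (relatedness over the Cartesian-product packet set, the W1 to W4 weights, formulas (1) and (2)) and step 1032 (the inter-firewall weights and formula (3)) carried through in working code, as an added example that is not the patent's own implementation. The sample policies, the numeric values of W1 to W4, and the reading of the relations the page leaves unstated (W1/W2 when the later, or the child firewall's, rule lies inside the other rule's packet set; W3/W4 for any other related pair) are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple

# A filter sub-item is an inclusive integer interval [lo, hi]; the packet set
# {R[filter]} is the Cartesian product of the five sub-items.
Interval = Tuple[int, int]
Filter = Tuple[Interval, Interval, Interval, Interval, Interval]  # proto, src ip, src port, dst ip, dst port
TCP, UDP = (6, 6), (17, 17)
ANY_IP, ANY_PORT = (0, 2 ** 32 - 1), (0, 65535)


def net(cidr: str) -> Interval:
    """IPv4 CIDR block as an inclusive integer interval."""
    n = ip_network(cidr)
    return (int(n.network_address), int(n.broadcast_address))


@dataclass(frozen=True)
class Rule:
    order: int      # R[order]
    filter: Filter  # R[filter]
    action: str     # R[action]: "permit" or "deny"


def _inside(a: Interval, b: Interval) -> bool:
    return b[0] <= a[0] and a[1] <= b[1]


def _meets(a: Interval, b: Interval) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def relation(a: Rule, b: Rule) -> str:
    """Relation between {A[filter]} and {B[filter]}: for a Cartesian product the
    sets meet iff every sub-item pair meets, and A lies inside B iff every
    sub-item of A lies inside the matching sub-item of B."""
    pairs = list(zip(a.filter, b.filter))
    if not all(_meets(x, y) for x, y in pairs):
        return "unrelated"
    a_in_b = all(_inside(x, y) for x, y in pairs)
    b_in_a = all(_inside(y, x) for x, y in pairs)
    if a_in_b and b_in_a:
        return "equal"
    return "subset" if a_in_b else "superset" if b_in_a else "overlap"


# Constructed weight values: the page names W1..W4 but leaves their values open.
W1, W2, W3, W4 = 4, 3, 2, 1


def intra_weight(ra: Rule, rb: Rule) -> int:
    """Step 1022: anomaly degree weight between two rules of one firewall.
    Assumption: W1 (later rule cannot take effect) and W2 (later rule redundant)
    apply when the later rule's packet set lies inside the earlier rule's; any
    other related pair is a conflict (W3) if the actions differ, else an overlap (W4)."""
    if relation(ra, rb) == "unrelated":
        return 0
    earlier, later = sorted((ra, rb), key=lambda r: r.order)
    if relation(later, earlier) in ("equal", "subset"):
        return W1 if ra.action != rb.action else W2
    return W3 if ra.action != rb.action else W4


def policy_anomaly(rules: List[Rule]) -> Tuple[List[int], int]:
    """Formulas (1) and (2): M_i is the sum of W_ir over the rules that follow
    rule i (each pair counted once, the first ordering the text describes);
    W_X is the sum of all M_i."""
    ordered = sorted(rules, key=lambda r: r.order)
    m = [sum(intra_weight(ri, rr) for rr in ordered[k + 1:])
         for k, ri in enumerate(ordered)]
    return m, sum(m)


def inter_weight(fx_rule: Rule, fy_rule: Rule) -> int:
    """Step 1032: weight between rule RA of firewall Fx and rule RB of the
    adjacent firewall Fy. W1: RA covered by RB (equal or, assumed, inside) with
    a different action; W2: the same with the same action (redundant); W3:
    otherwise related with a different action (irregular association). The
    page assigns no weight to the remaining case, so it counts 0."""
    rel = relation(fx_rule, fy_rule)
    if rel == "unrelated":
        return 0
    if rel in ("equal", "subset"):
        return W1 if fx_rule.action != fy_rule.action else W2
    return W3 if fx_rule.action != fy_rule.action else 0


def inter_anomaly(x_rules: List[Rule], y_rules: List[Rule]) -> List[int]:
    """Formula (3): for each rule of X, the sum of W'_ir over every rule of Y."""
    return [sum(inter_weight(rx, ry) for ry in y_rules)
            for rx in sorted(x_rules, key=lambda r: r.order)]


# Constructed sample policies (not from the page): X is the firewall under
# check, Y its adjacent firewall in the associated firewall tree.
X_RULES = [
    Rule(1, (TCP, ANY_IP, ANY_PORT, net("10.0.0.0/24"), (80, 80)), "permit"),
    Rule(2, (TCP, net("192.168.1.0/24"), ANY_PORT, net("10.0.0.0/24"), (80, 80)), "deny"),
    Rule(3, (TCP, net("192.168.1.0/24"), ANY_PORT, net("10.0.0.10/32"), (80, 80)), "permit"),
    Rule(4, (TCP, net("192.168.0.0/16"), ANY_PORT, net("10.0.0.0/16"), (80, 443)), "deny"),
]
Y_RULES = [
    Rule(1, (TCP, ANY_IP, ANY_PORT, net("10.0.0.0/24"), (80, 80)), "permit"),
    Rule(2, (TCP, net("192.168.1.0/24"), ANY_PORT, net("10.0.0.0/24"), (80, 80)), "permit"),
    Rule(3, (UDP, ANY_IP, ANY_PORT, ANY_IP, (53, 53)), "deny"),
]
```

With the sample, rule 2 of X is shadowed by rule 1 (W1), rule 3 is redundant with rule 1 and shadowed by rule 2, and rule 4 conflicts with rules 1 and 3, so `policy_anomaly(X_RULES)` yields the per-rule degrees and W_X, while `inter_anomaly(X_RULES, Y_RULES)` gives each X rule's degree against the parent Y.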
For example, X firewall access control policy includes 4 firewall policies, Y fire wall wall access control policies Include 3 firewall policies, then in X firewall access control policy first firewall policy relative to X fire wall The intensity of anomaly weight of first article of firewall policy includes following three situation in adjacent Y firewall access control policies:
The first:First article of firewall policy is relative to X fire wall adjacent in X firewall access control policy The intensity of anomaly weight of first firewall policy includes following any one in Y firewall access control policies:
If 1), Fx, Fy ∈ Domain1, Fx higher level is close to Fy, FxR1 [filter]=FyR1 [filter], if FxR1 [action] ≠ FyR1 [action], then the R1 of fire wall Fx covered by the R1 of Fy, determine X firewall access control plan First article of firewall policy and first article of fire wall in the adjacent Y firewall access control policies of X fire wall in slightly The intensity of anomaly weight of strategy is W1.
If 2), Fx, Fy ∈ Domain1, Fx higher level close to Fy,If FxR1 [action] ≠ FyR1 [action], then the R1 of fire wall Fx covered by the R1 of Fy, determine X firewall access control plan First article of firewall policy and first article of fire wall in the adjacent Y firewall access control policies of X fire wall in slightly The intensity of anomaly weight of strategy is W1.
If 3), Fx, Fy ∈ Domain1, Fx higher level is close to Fy, FxR1 [filter]=FyR1 [filter], if FxR1 The R1 redundancies of [action]=FyR1 [action], the then R1 and Fy of fire wall Fx determine the X firewall access control plan First article of firewall policy and first article of fire wall in the adjacent Y firewall access control policies of X fire wall in slightly The intensity of anomaly weight of strategy is W2.
If 4), Fx, Fy ∈ Domain1, Fx higher level close to Fy,If FxR1 The R1 redundancies of [action]=FyR1 [action], the then R1 and Fy of fire wall Fx determine the X firewall access control plan First article of firewall policy and first article of fire wall in the adjacent Y firewall access control policies of X fire wall in slightly The intensity of anomaly weight of strategy is W2.
If 5), Fx, Fy ∈ Domain1, Fx higher level close to Fy, FxR1 [action] ≠ FyR1 [action] then claims FxR1 to be associated with FyR1 irregularly, determines the X firewall access control policy In first article of firewall policy and first article of fire wall plan in the adjacent Y firewall access control policies of X fire wall Intensity of anomaly weight slightly is W3.
Second:First article of firewall policy is relative to X fire wall adjacent in X firewall access control policy The intensity of anomaly weight of Article 2 firewall policy includes following any one in Y firewall access control policies:
If 1), Fx, Fy ∈ Domain1, Fx higher level is close to Fy, FxR1 [filter]=FyR2 [filter], if FxR1 [action] ≠ FyR2 [action], then the R1 of fire wall Fx covered by the R2 of Fy, determine X firewall access control plan First article of firewall policy and Article 2 fire wall in the adjacent Y firewall access control policies of X fire wall in slightly The intensity of anomaly weight of strategy is W1.
If 2), Fx, Fy ∈ Domain1, Fx higher level close to Fy,If FxR1 [action] ≠ FyR2 [action], then the R1 of fire wall Fx covered by the R2 of Fy, determine X firewall access control plan First article of firewall policy and Article 2 fire wall in the adjacent Y firewall access control policies of X fire wall in slightly The intensity of anomaly weight of strategy is W1.
If 3), Fx, Fy ∈ Domain1, Fx higher level is close to Fy, FxR1 [filter]=FyR2 [filter], if FxR1 The R2 redundancies of [action]=FyR2 [action], the then R1 and Fy of fire wall Fx determine the X firewall access control plan First article of firewall policy and Article 2 fire wall in the adjacent Y firewall access control policies of X fire wall in slightly The intensity of anomaly weight of strategy is W2.
4) If Fx, Fy ∈ Domain1, Fy is the immediate parent of Fx, … and FxR1[action] = FyR2[action], then R1 of firewall Fx is redundant with R2 of Fy, and the anomaly weight between the first firewall policy in the access control policy of the X-th firewall and the second firewall policy in the access control policy of the adjacent Y-th firewall is W2.
5) If Fx, Fy ∈ Domain1, Fy is the immediate parent of Fx, … and FxR1[action] ≠ FyR2[action], then FxR1 is said to be irregularly correlated with FyR2, and the anomaly weight between the first firewall policy in the access control policy of the X-th firewall and the second firewall policy in the access control policy of the adjacent Y-th firewall is W3.
Third: the anomaly weight of the first firewall policy in the access control policy of the X-th firewall relative to the third firewall policy in the access control policy of the adjacent Y-th firewall is one of the following:
1) If Fx, Fy ∈ Domain1, Fy is the immediate parent of Fx, FxR1[filter] = FyR3[filter] and FxR1[action] ≠ FyR3[action], then R1 of firewall Fx is covered (shadowed) by R3 of Fy, and the anomaly weight between the first firewall policy in the access control policy of the X-th firewall and the third firewall policy in the access control policy of the adjacent Y-th firewall is W1.
2) If Fx, Fy ∈ Domain1, Fy is the immediate parent of Fx, … and FxR1[action] ≠ FyR3[action], then R1 of firewall Fx is covered by R3 of Fy, and the anomaly weight between the first firewall policy in the access control policy of the X-th firewall and the third firewall policy in the access control policy of the adjacent Y-th firewall is W1.
3) If Fx, Fy ∈ Domain1, Fy is the immediate parent of Fx, FxR1[filter] = FyR3[filter] and FxR1[action] = FyR3[action], then R1 of firewall Fx is redundant with R3 of Fy, and the anomaly weight between the first firewall policy in the access control policy of the X-th firewall and the third firewall policy in the access control policy of the adjacent Y-th firewall is W2.
4) If Fx, Fy ∈ Domain1, Fy is the immediate parent of Fx, … and FxR1[action] = FyR3[action], then R1 of firewall Fx is redundant with R3 of Fy, and the anomaly weight between the first firewall policy in the access control policy of the X-th firewall and the third firewall policy in the access control policy of the adjacent Y-th firewall is W2.
5) If Fx, Fy ∈ Domain1, Fy is the immediate parent of Fx, … and FxR1[action] ≠ FyR3[action], then FxR1 is said to be irregularly correlated with FyR3, and the anomaly weight between the first firewall policy in the access control policy of the X-th firewall and the third firewall policy in the access control policy of the adjacent Y-th firewall is W3.
From the analysis above, the anomaly degree of the first firewall policy in the access control policy of the X-th firewall can be determined. Because the anomaly weight between that first policy and any one policy in the access control policy of the adjacent Y-th firewall can each take at least four different values, the anomaly degree of the first policy in the access control policy of the X-th firewall mainly covers the following cases:
1) If the anomaly weight between the first policy of the X-th firewall and the first policy of the adjacent Y-th firewall is W1, the anomaly weight between the first policy of the X-th firewall and the second policy of the adjacent Y-th firewall is W1, and the anomaly weight between the first policy of the X-th firewall and the third policy of the adjacent Y-th firewall is W1, then according to formula (3) the anomaly degree of the first policy in the access control policy of the X-th firewall is:
2) If the anomaly weight between the first policy of the X-th firewall and the first policy of the adjacent Y-th firewall is W1, the anomaly weight between the first policy of the X-th firewall and the second policy of the adjacent Y-th firewall is W1, and the anomaly weight between the first policy of the X-th firewall and the third policy of the adjacent Y-th firewall is W2, then according to formula (3) the anomaly degree of the first policy in the access control policy of the X-th firewall is:
In this embodiment, only the two cases above are described for the anomaly degree of the first policy in the access control policy of the X-th firewall; the other, similar cases are not listed one by one. In short, the sum of the anomaly weights between the first policy in the access control policy of the X-th firewall and every policy in the access control policy of the adjacent Y-th firewall is the anomaly degree of that first policy.
Step 1033: determine the firewall policy anomaly weight between the firewall and its adjacent firewall;
In this embodiment, after the anomaly weight of the first firewall policy in the access control policy of the X-th firewall relative to any one policy in the access control policy of the adjacent Y-th firewall has been determined, the anomaly weights of the second, third and fourth firewall policies of the X-th firewall relative to any one policy in the access control policy of the adjacent Y-th firewall must be determined in the same way. Once the anomaly weights of all four policies contained in the access control policy of the X-th firewall relative to any one policy of the adjacent Y-th firewall are known, the firewall policy anomaly weight between the X-th firewall and its adjacent Y-th firewall can be determined.
After the anomaly weight of every policy contained in the access control policy of the X-th firewall relative to any policy in the access control policy of the adjacent Y-th firewall has been determined, the firewall policy anomaly weight between the X-th firewall and its adjacent Y-th firewall is determined according to formula (4):
Where W'_X is the inter-firewall policy anomaly weight of the X-th firewall, M'_Xi is the anomaly degree of the i-th policy in the access control policy of the X-th firewall with respect to all policies in the access control policy of the adjacent Y-th firewall, and N_X is the total number of policies in the access control policy of the X-th firewall.
For example, suppose the access control policy of the X-th firewall contains 4 firewall policies and the access control policy of the adjacent Y-th firewall contains 3. Let the anomaly weight of the first policy of the X-th firewall relative to the policies of the adjacent Y-th firewall be M_X1; that of the second policy, M_X2; that of the third policy, M_X3; and that of the fourth policy, M_X4.
Then, according to formula (4), the firewall policy anomaly weight between the X-th firewall and its adjacent Y-th firewall is:
In this embodiment, assuming the access control policy of the X-th firewall contains 4 policies and that of the adjacent Y-th firewall contains 3, the anomaly degree of each policy of the X-th firewall in step 1032 can be computed in any order: one may start with the first policy of the X-th firewall, computing its anomaly degree relative to the first, second and third policies of the Y-th firewall, or start with the fourth policy of the X-th firewall relative to the first, second and third policies of the Y-th firewall. The order in which the anomaly degrees of the policies of the X-th firewall are computed is not limited in this embodiment.
Further, if the anomaly degree of the first policy of the X-th firewall is computed first (relative to the first, second and third policies of the Y-th firewall), the anomaly degrees of the second, third and fourth policies of the X-th firewall can then be computed in sequence. If the anomaly degree of the fourth policy is computed first, the anomaly degrees of the third, second and first policies can then be computed in sequence.
After the error-checking device on the central processing server has run the check over the firewall device data, it can identify, from the per-firewall policy anomaly weights and the inter-firewall policy anomaly weights, the individual firewalls whose policy anomaly weight is large, as well as the firewall devices associated with those firewalls.
In step 104, the anomaly degree of the access control policy of the X-th firewall is determined for error checking from the X-th firewall's own policy anomaly weight and the inter-firewall policy anomaly weight.
As shown in Figure 10, the central processing server sends the finally determined policy anomaly weight of each individual firewall and the inter-firewall policy anomaly weight between each firewall and its adjacent firewall, through the storage module and the database interface of the central processing unit, to the access control policy baseline database, which stores all received data together with a log.
Further, the central processing server sends the policy anomaly weight of each individual firewall and the inter-firewall policy anomaly weight between each firewall and its adjacent firewall to the e-mail server through the alarm module. In this embodiment the administrator, from the per-firewall policy anomaly weights and the inter-firewall policy anomaly weight values received via the mail server, can fairly easily determine which firewall device should be dealt with first.
In this embodiment, the firewall access control policy sent by the collection terminal is received; the firewall policy anomaly weight is determined from that access control policy; and the inter-firewall policy anomaly weight between the firewall and its adjacent firewall is determined from the adjacent firewall, where the adjacent firewall is a firewall that is in a parent-child relationship with the firewall. With this method, the weight of a single firewall is determined from its policy anomaly weight, the inter-firewall policy anomaly weight is determined from the policy anomalies between firewalls, and from these two weights the administrator can be promptly told which firewall device's problems should be solved first.
For the method flow above, the embodiment also provides a firewall access control policy error-checking apparatus; the details of the apparatus can be found in the method embodiment and are not repeated here.
Embodiment three
The embodiment provides a firewall access control policy error-checking apparatus which, as shown in Figure 11, comprises a receiving unit 21, a first determination unit 22, a second determination unit 23 and an error-checking unit 24.
Receiving unit 21: receives the firewall access control policy sent by the collection terminal; the firewall access control policy includes at least one firewall policy;
First determination unit 22: for obtaining the access control policy of the X-th firewall and determining the X-th firewall's own firewall policy anomaly weight;
Second determination unit 23: for obtaining the access control policy of the firewall adjacent to the X-th firewall, and determining the inter-firewall policy anomaly weight from the access control policy of the X-th firewall and the access control policy of the adjacent firewall; where the adjacent firewall is a firewall that is in a direct parent-child relationship with the X-th firewall;
Error-checking unit 24: determines the anomaly degree of the access control policy of the X-th firewall for error checking from the X-th firewall's own policy anomaly weight and the inter-firewall policy anomaly weight.
Further, the first determination unit 22 is specifically configured to:
determine the X-th firewall's own firewall policy anomaly weight according to the following formula:
Where W_X is the X-th firewall's own policy anomaly weight, M_i is the anomaly degree of the i-th firewall policy in the access control policy of the X-th firewall, and N_X is the total number of firewall policies in the access control policy of the X-th firewall.
Further, the first determination unit 22 is also configured to:
determine the anomaly degree of each firewall policy in the firewall access control policy according to the following formula:
Where M_i is the anomaly degree of the i-th firewall policy in the access control policy of the X-th firewall, N_X is the total number of firewall policies in the access control policy of the X-th firewall, and W_ir is the anomaly weight between the i-th firewall policy and the N_X − i firewall policies in the access control policy of the X-th firewall.
Further, the first determination unit 22 is also configured to:
If …, RA[order] < RB[order] and RA[action] ≠ RB[action], determine that the anomaly weight between the A-th firewall policy and the B-th firewall policy in the access control policy of the X-th firewall is W1; or
If …, RA[order] < RB[order] and RA[action] = RB[action], determine that the anomaly weight between the A-th firewall policy and the B-th firewall policy in the access control policy of the X-th firewall is W2; or
If … and RA[action] ≠ RB[action], determine that the anomaly weight between the A-th firewall policy and the B-th firewall policy in the access control policy of the X-th firewall is W3; or
If … and RA[action] = RB[action], determine that the anomaly weight between the A-th firewall policy and the B-th firewall policy in the access control policy of the X-th firewall is W4;
Where R[order] is the rule number of a firewall policy in the firewall access control policy; R[action] is the action part of a firewall policy in the firewall access control policy; and {R[filter]} is the cartesian product of all sub-items of the filter domain of rule R in the firewall access control policy.
Further, the second determination unit 23 is specifically configured to:
determine the inter-firewall policy anomaly weight of the X-th firewall according to the following formula:
Where W'_X is the inter-firewall policy anomaly weight of the X-th firewall, M'_Xi is the anomaly degree of the i-th firewall policy in the access control policy of the X-th firewall with respect to all firewall policies in the access control policy of the adjacent Y-th firewall, and N_X is the total number of firewall policies in the access control policy of the X-th firewall.
Further, the second determination unit 23 is also configured to:
determine the anomaly degree of any one firewall policy in the access control policy of the X-th firewall with respect to all firewall policies in the access control policy of the adjacent Y-th firewall according to the following formula:
Where M_X is the anomaly degree of any one firewall policy in the access control policy of the X-th firewall with respect to all firewall policies in the access control policy of the adjacent Y-th firewall, N_Y is the total number of firewall policies in the access control policy of the adjacent Y-th firewall, and W'_ir is the anomaly weight between the i-th firewall policy of the X-th firewall and any one firewall policy in the access control policy of the adjacent Y-th firewall.
Further, the second determination unit 23 is also configured to:
If Fx, Fy ∈ Domain1, Fy is the immediate parent of Fx, FxRA[filter] = FyRB[filter] and FxRA[action] ≠ FyRB[action], then RA of firewall Fx is covered (shadowed) by RB of Fy, and the anomaly weight between the A-th firewall policy in the access control policy of the X-th firewall and the B-th firewall policy in the access control policy of the adjacent Y-th firewall is determined to be W1; or
If Fx, Fy ∈ Domain1, Fy is the immediate parent of Fx, … and FxRA[action] ≠ FyRB[action], then RA of firewall Fx is covered by RB of Fy, and the anomaly weight between the A-th firewall policy in the access control policy of the X-th firewall and the B-th firewall policy in the access control policy of the adjacent Y-th firewall is determined to be W1; or
If Fx, Fy ∈ Domain1, Fy is the immediate parent of Fx, FxRA[filter] = FyRB[filter] and FxRA[action] = FyRB[action], then RA of firewall Fx is redundant with RB of Fy, and the anomaly weight between the A-th firewall policy in the access control policy of the X-th firewall and the B-th firewall policy in the access control policy of the adjacent Y-th firewall is determined to be W2; or
If Fx, Fy ∈ Domain1, Fy is the immediate parent of Fx, … and FxRA[action] = FyRB[action], then RA of firewall Fx is redundant with RB of Fy, and the anomaly weight between the A-th firewall policy in the access control policy of the X-th firewall and the B-th firewall policy in the access control policy of the adjacent Y-th firewall is determined to be W2; or
If Fx, Fy ∈ Domain1, Fy is the immediate parent of Fx, … and FxRA[action] ≠ FyRB[action], then FxRA is said to be irregularly correlated with FyRB, and the anomaly weight between the A-th firewall policy in the access control policy of the X-th firewall and the B-th firewall policy in the access control policy of the adjacent Y-th firewall is determined to be W3;
Where R[filter] is the filter part of a firewall policy in the firewall control policy, and R[action] is the action part of a firewall policy in the firewall control policy.
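The rule-pair conditions of the first determination unit (two rules of the same firewall, weights W1 to W4) and of the second determination unit (a rule of Fx against a rule of its parent Fy, weights W1 to W3), together with the summation of steps 1032 and 1033 that turns pair weights into per-rule anomaly degrees and per-firewall weights, as an added Python example. This is not code from the patent or from any implementation of it: the names (Rule, filter_relation, intra_weight, inter_weight, rule_degrees, cross_degrees, firewall_weight), the filter sub-items, the sample rules and the numeric values of W1 to W4 are constructed, and two points the page leaves unstated are assumptions labelled in the code: the containment and partial-overlap filter relations behind the W1/W2 and W3/W4 cases, and the use of a mean over the N_X rules where the page's formulas (1) and (4) are not reproduced.

```python
# Added example (not the patent's own code): classify pairs of firewall rules into the
# W1..W4 anomaly classes described on the page and aggregate them into per-rule anomaly
# degrees (M_i, M'_Xi) and per-firewall weights (W_X, W'_X).
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

W1, W2, W3, W4 = 4.0, 3.0, 2.0, 1.0       # constructed values; the page names them symbolically
FIELDS = ("proto", "src", "dst", "dport")  # sub-items of the filter domain (constructed layout)

@dataclass
class Rule:
    order: int                         # R[order]: position of the rule in the policy
    action: str                        # R[action]: "permit" or "deny"
    filter: Dict[str, FrozenSet[str]]  # R[filter]: one value set per sub-item

def mk(order, action, proto, src, dst, dport) -> Rule:
    """Helper for the constructed sample data."""
    return Rule(order, action, {"proto": frozenset(proto), "src": frozenset(src),
                                "dst": frozenset(dst), "dport": frozenset(dport)})

def filter_relation(a: Rule, b: Rule) -> str:
    """Relation between the cartesian products {a[filter]} and {b[filter]}: since each
    is a product of sub-item sets, A lies inside B iff every sub-item set of A is a
    subset of B's, and they intersect iff every pair of sub-item sets intersects."""
    fa, fb = a.filter, b.filter
    if all(fa[k] == fb[k] for k in FIELDS):
        return "equal"
    if all(fa[k] <= fb[k] for k in FIELDS):
        return "a_in_b"
    if all(fb[k] <= fa[k] for k in FIELDS):
        return "b_in_a"
    if all(fa[k] & fb[k] for k in FIELDS):
        return "overlap"
    return "disjoint"

def intra_weight(ra: Rule, rb: Rule) -> float:
    """Weight of two rules of one firewall (first determination unit). Page: W1 when
    RA[order] < RB[order] and the actions differ, W2 when they match; W3 / W4 for a
    second filter relation with differing / matching actions. Assumption, since the
    filter conditions are missing from the page text: the first relation is "RB's
    domain inside RA's" (RA fires first, so RB is covered or redundant), the second
    is a partial overlap (correlation)."""
    if ra.order > rb.order:
        ra, rb = rb, ra                    # make RA the earlier rule
    rel = filter_relation(ra, rb)
    if rel in ("equal", "b_in_a"):
        return W1 if ra.action != rb.action else W2
    if rel == "overlap":
        return W3 if ra.action != rb.action else W4
    return 0.0                             # disjoint, or RA inside RB: not weighted on the page

def inter_weight(child_rule: Rule, parent_rule: Rule) -> float:
    """Weight of a rule of Fx against a rule of its parent Fy (second determination
    unit). Page: equal filters give W1 (covered) when the actions differ and W2
    (redundant) when they match, likewise for the elided containment relation; W3
    (irregular correlation) for the elided partial relation with differing actions.
    Assumption: containment = child's domain inside the parent's; partial = overlap."""
    rel = filter_relation(child_rule, parent_rule)
    same = child_rule.action == parent_rule.action
    if rel in ("equal", "a_in_b"):
        return W2 if same else W1
    if rel == "overlap" and not same:
        return W3
    return 0.0

def rule_degrees(policy: List[Rule]) -> List[float]:
    """M_i: sum of rule i's weights against the other rules of the same firewall."""
    return [sum(intra_weight(r, o) for o in policy if o is not r) for r in policy]

def cross_degrees(child: List[Rule], parent: List[Rule]) -> List[float]:
    """M'_Xi: sum of rule i's weights against every rule of the adjacent parent."""
    return [sum(inter_weight(r, p) for p in parent) for r in child]

def firewall_weight(degrees: List[float]) -> float:
    """W_X / W'_X. Assumption: the page's formula is not reproduced, so the mean over
    the N_X rules is used as a size-independent aggregate."""
    return sum(degrees) / len(degrees) if degrees else 0.0

# Constructed sample: X-th firewall with 4 rules and its parent Y with 3 rules,
# the same 4 / 3 layout as the page's worked example.
FX = [
    mk(1, "permit", {"tcp"}, {"10.0.0.1", "10.0.0.2"}, {"192.0.2.10"}, {"80", "443"}),
    mk(2, "deny",   {"tcp"}, {"10.0.0.1"},             {"192.0.2.10"}, {"80"}),           # inside rule 1, other action: W1
    mk(3, "permit", {"tcp"}, {"10.0.0.2"},             {"192.0.2.10"}, {"443"}),          # inside rule 1, same action: W2
    mk(4, "deny",   {"tcp"}, {"10.0.0.2", "10.0.0.3"}, {"192.0.2.10"}, {"443", "8443"}),  # overlaps rule 1, other action: W3
]
FY = [
    mk(1, "deny",   {"tcp"}, {"10.0.0.1"},             {"192.0.2.10"}, {"80"}),   # equals FX rule 2, same action: W2
    mk(2, "deny",   {"tcp"}, {"10.0.0.1", "10.0.0.2"}, {"192.0.2.10"}, {"443"}),  # contains FX rule 3, other action: W1
    mk(3, "permit", {"udp"}, {"10.0.0.9"},             {"192.0.2.53"}, {"53"}),   # disjoint from every FX rule
]

if __name__ == "__main__":
    m, mx = rule_degrees(FX), cross_degrees(FX, FY)
    print("M_i   =", m, "W_X  =", firewall_weight(m))    # [9.0, 4.0, 3.0, 2.0] W_X = 4.5
    print("M'_Xi =", mx, "W'_X =", firewall_weight(mx))  # [0.0, 3.0, 4.0, 0.0] W'_X = 1.75
```

Run stand-alone, the sample shows the two aggregates the page describes: rule 1 of the X-th firewall collects the largest M_i because it covers rule 2, duplicates rule 3 and partially overlaps rule 4, so it is the rule an administrator should review first, while the inter-firewall degrees M'_Xi single out rules 2 and 3 as the ones whose effect is already fixed by the parent. Working on cartesian products of sub-item sets keeps the containment and intersection tests exact; a production checker would replace the string sets with address and port ranges, but the per-field subset / intersection logic is the same.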
It should be understood that the units of the firewall access control policy error-checking apparatus above are only a logical division according to the functions the apparatus implements; in practice these units may be combined or split. The functions implemented by the firewall access control policy error-checking apparatus of this embodiment correspond one-to-one with the firewall access control policy error-checking method of the embodiment above; the more detailed processing flow of the apparatus has already been described in method embodiment one and is not described in detail here.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. If these modifications and variations fall within the scope of the claims of the invention and their equivalents, the invention is intended to include them as well.

Claims (15)

1. A firewall access control policy error-checking method, characterized in that it comprises:
receiving the firewall access control policy sent by a collection terminal, the firewall access control policy including at least one firewall policy;
obtaining the access control policy of an X-th firewall and determining the X-th firewall's own firewall policy anomaly weight;
obtaining the access control policy of the firewall adjacent to the X-th firewall, and determining the inter-firewall policy anomaly weight from the firewall policy of the X-th firewall and the firewall policy of the adjacent firewall, where the adjacent firewall is a firewall that is in a direct parent-child relationship with the X-th firewall;
determining, from the X-th firewall's own firewall policy anomaly weight and the inter-firewall policy anomaly weight, the anomaly degree of the access control policy of the X-th firewall for error checking.
2. The method of claim 1, characterized in that determining the X-th firewall's own firewall policy anomaly weight comprises:
determining the X-th firewall's own firewall policy anomaly weight according to the following formula:
Where W_X is the X-th firewall's own policy anomaly weight, M_i is the anomaly degree of the i-th firewall policy in the access control policy of the X-th firewall, and N_X is the total number of firewall policies in the access control policy of the X-th firewall.
3. The method of claim 2, characterized in that the anomaly degree of the i-th firewall policy in the access control policy of the X-th firewall is determined according to the following formula:
Where M_i is the anomaly degree of the i-th firewall policy in the access control policy of the X-th firewall, N_X is the total number of firewall policies in the access control policy of the X-th firewall, and W_ir is the anomaly weight between the i-th firewall policy and the other N_X − 1 firewall policies in the access control policy of the X-th firewall.
4. The method of claim 3, characterized in that the anomaly weight between the i-th firewall policy and the other N_X − 1 firewall policies in the access control policy of the X-th firewall is any one of the following:
If …, RA[order] < RB[order] and RA[action] ≠ RB[action], determine that the anomaly weight between the A-th firewall policy and the B-th firewall policy in the access control policy of the X-th firewall is W1; or
If …, RA[order] < RB[order] and RA[action] = RB[action], determine that the anomaly weight between the A-th firewall policy and the B-th firewall policy in the access control policy of the X-th firewall is W2; or
If … and RA[action] ≠ RB[action], determine that the anomaly weight between the A-th firewall policy and the B-th firewall policy in the access control policy of the X-th firewall is W3; or
If … and RA[action] = RB[action], determine that the anomaly weight between the A-th firewall policy and the B-th firewall policy in the access control policy of the X-th firewall is W4;
Where R[order] is the rule number of a firewall policy in the firewall access control policy; R[action] is the action part of a firewall policy in the firewall access control policy; and {R[filter]} is the cartesian product of all sub-items of the filter domain of rule R in the firewall access control policy.
5. The method of claim 1, characterized in that determining the inter-firewall policy anomaly weight of the X-th firewall comprises:
determining the inter-firewall policy anomaly weight of the X-th firewall according to the following formula:
Where W'_X is the inter-firewall policy anomaly weight of the X-th firewall, M'_Xi is the anomaly degree of the i-th firewall policy in the access control policy of the X-th firewall with respect to all firewall policies in the access control policy of the adjacent Y-th firewall, and N_X is the total number of firewall policies in the access control policy of the X-th firewall.
6. The method of claim 5, characterized in that the anomaly degree of the i-th firewall policy in the access control policy of the X-th firewall with respect to all firewall policies in the access control policy of the adjacent Y-th firewall is determined according to the following formula:
Where M_X is the anomaly degree of the i-th firewall policy in the access control policy of the X-th firewall with respect to all firewall policies in the access control policy of the adjacent Y-th firewall, N_Y is the total number of firewall policies in the access control policy of the adjacent Y-th firewall, and W'_ir is the anomaly weight between the i-th firewall policy of the X-th firewall and any one firewall policy in the access control policy of the adjacent Y-th firewall.
7. The method of claim 6, characterized in that the anomaly weight between the i-th firewall policy in the access control policy of the X-th firewall and any one firewall policy in the access control policy of the adjacent Y-th firewall is any one of the following:
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, FxRA[filter] = FyRB[filter] and FxRA[action] ≠ FyRB[action], then RA of firewall Fx is covered by RB of Fy, and the anomaly weight between the A-th firewall policy in the access control policy of the X-th firewall and the B-th firewall policy in the access control policy of the adjacent Y-th firewall is determined to be W1; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, … and FxRA[action] ≠ FyRB[action], then RA of firewall Fx is covered by RB of Fy, and the anomaly weight between the A-th firewall policy in the access control policy of the X-th firewall and the B-th firewall policy in the access control policy of the adjacent Y-th firewall is determined to be W1; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, FxRA[filter] = FyRB[filter] and FxRA[action] = FyRB[action], then RA of firewall Fx is redundant with RB of Fy, and the anomaly weight between the A-th firewall policy in the access control policy of the X-th firewall and the B-th firewall policy in the access control policy of the adjacent Y-th firewall is determined to be W2; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, … and FxRA[action] = FyRB[action], then RA of firewall Fx is redundant with RB of Fy, and the anomaly weight between the A-th firewall policy in the access control policy of the X-th firewall and the B-th firewall policy in the access control policy of the adjacent Y-th firewall is determined to be W2; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, … and FxRA[action] ≠ FyRB[action], then FxRA is said to be irregularly correlated with FyRB, and the anomaly weight between the A-th firewall policy in the access control policy of the X-th firewall and the B-th firewall policy in the access control policy of the adjacent Y-th firewall is determined to be W3;
Where R[filter] is the filter part of the i-th firewall policy in the firewall control policy; R[action] is the action part of the i-th firewall policy in the firewall control policy; and Domain ∈ {1, 2, 3, 4, …, +∞}.
8. A firewall access control policy error-checking apparatus, characterized in that it comprises:
a receiving unit, for receiving the firewall access control policy sent by a collection terminal, the firewall access control policy including at least one firewall policy;
a first determination unit, for obtaining the access control policy of an X-th firewall and determining the X-th firewall's own firewall policy anomaly weight;
a second determination unit, for obtaining the access control policy of the firewall adjacent to the X-th firewall, and determining the inter-firewall policy anomaly weight from the access control policy of the X-th firewall and the access control policy of the adjacent firewall, where the adjacent firewall is a firewall that is in a direct parent-child relationship with the X-th firewall;
an error-checking unit, for determining, from the X-th firewall's own firewall policy anomaly weight and the inter-firewall policy anomaly weight, the anomaly degree of the access control policy of the X-th firewall for error checking.
9. The apparatus of claim 8, characterized in that the first determination unit is specifically configured to:
determine the X-th firewall's own firewall policy anomaly weight according to the following formula:
Where W_X is the X-th firewall's own policy anomaly weight, M_i is the anomaly degree of the i-th firewall policy in the access control policy of the X-th firewall, and N_X is the total number of firewall policies in the access control policy of the X-th firewall.
10. The apparatus of claim 8, characterized in that the first determination unit is also configured to:
determine the anomaly degree of each firewall policy in the firewall access control policy according to the following formula:
Where M_i is the anomaly degree of the i-th firewall policy in the access control policy of the X-th firewall, N_X is the total number of firewall policies in the access control policy of the X-th firewall, and W_ir is the anomaly weight between the i-th firewall policy and the N_X − i firewall policies in the access control policy of the X-th firewall.
11. The apparatus of claim 10, characterized in that the first determination unit is also configured to:
If …, RA[order] < RB[order] and RA[action] ≠ RB[action], determine that the anomaly weight between the A-th firewall policy and the B-th firewall policy in the access control policy of the X-th firewall is W1; or
If …, RA[order] < RB[order] and RA[action] = RB[action], determine that the anomaly weight between the A-th firewall policy and the B-th firewall policy in the access control policy of the X-th firewall is W2; or
If … and RA[action] ≠ RB[action], determine that the anomaly weight between the A-th firewall policy and the B-th firewall policy in the access control policy of the X-th firewall is W3; or
If … and RA[action] = RB[action], determine that the anomaly weight between the A-th firewall policy and the B-th firewall policy in the access control policy of the X-th firewall is W4;
Where R[order] is the rule number of a firewall policy in the firewall access control policy; R[action] is the action part of a firewall policy in the firewall access control policy; and {R[filter]} is the cartesian product of all sub-items of the filter domain of rule R in the firewall access control policy.
12. device as claimed in claim 8, which is characterized in that second determination unit is specifically used for:
The firewall policy exception weight between the X fire wall is determined according to the following equation:
Wherein, W 'XFirewall policy exception weight between X fire wall, M'XiIt is in X firewall access control policy i-th The exception of article firewall policy and all firewall policies in the adjacent Y firewall access control policies of X fire wall Degree, NXThe firewall policy sum included for X firewall access control policy.
13. The device as claimed in claim 12, characterized in that the second determination unit is further used for:
determining the anomaly degree between any one firewall policy in the X-th firewall access control policy and all firewall policies in the access control policy of the Y-th firewall adjacent to the X-th firewall according to the following equation:
Wherein MX is the anomaly degree between any one firewall policy in the X-th firewall access control policy and all firewall policies in the access control policy of the Y-th firewall adjacent to the X-th firewall, NY is the total number of firewall policies contained in the access control policy of the Y-th firewall adjacent to the X-th firewall, and W'ir is the anomaly degree weight between the i-th firewall policy in the X-th firewall access control policy and any one firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall.
14. The device as claimed in claim 13, characterized in that the second determination unit is further used for:
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, and FxRA[filter] = FyRB[filter]: if FxRA[action] ≠ FyRB[action], then RA of firewall Fx is covered by RB of Fy, and the anomaly degree weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall is determined to be W1; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, and [formula omitted in the source]: if FxRA[action] ≠ FyRB[action], then RA of firewall Fx is covered by RB of Fy, and the anomaly degree weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall is determined to be W1; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, and FxRA[filter] = FyRB[filter]: if FxRA[action] = FyRB[action], then RA of firewall Fx is redundant with RB of Fy, and the anomaly degree weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall is determined to be W2; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, and [formula omitted in the source]: if FxRA[action] = FyRB[action], then RA of firewall Fx is redundant with RB of Fy, and the anomaly degree weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall is determined to be W2; or
If Fx, Fy ∈ Domain1, Fy is the parent of Fx, [formula omitted in the source], and FxRA[action] ≠ FyRB[action], then FxRA is said to be irregularly associated with FyRB, and the anomaly degree weight between the A-th firewall policy in the X-th firewall access control policy and the B-th firewall policy in the access control policy of the Y-th firewall adjacent to the X-th firewall is determined to be W3;
Wherein R[filter] is the filter part of a firewall policy in the firewall control policy; R[action] is the action part of a firewall policy in the firewall control policy; and Domain ∈ {1, 2, 3, 4, ..., +∞}.
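The pairwise anomaly weights of claim 11 (rules of one firewall) and claim 14 (a rule of Fx against a rule of its parent Fy), as an added worked example in Python that is not part of the patent. The numeric values of W1..W4, the filter-space conditions that the page omits (taken from the Al-Shaer anomaly taxonomy the patent cites), the `flagged_pairs` reporting helper and the sample rules are all assumptions; {R[filter]} is built as the cartesian product the claim defines.

```python
from itertools import product

# Assumed weights: the claims name W1..W4 but this page gives no values; W0 marks "no anomaly".
W1, W2, W3, W4, W0 = 4, 3, 2, 1, 0

def rule(order, action, src, dst, proto, port):
    """Constructed policy entry: R[order], R[action], and R[filter] as one set per sub-item."""
    return {"order": order, "action": action, "filter": (set(src), set(dst), set(proto), set(port))}

def filter_space(r):
    """{R[filter]}: cartesian product of all sub-items of the rule's filter domain (claim 11)."""
    return set(product(*r["filter"]))

def intra_weight(ra, rb):
    """Claim 11, rules RA and RB of the same firewall. Assumption: the filter conditions omitted
    on the page follow the cited Al-Shaer taxonomy: RB is shadowed (W1) or redundant (W2) when
    RA precedes it and {RB} lies inside {RA}; correlated (W3/W4) when they overlap without containment."""
    a, b = filter_space(ra), filter_space(rb)
    if ra["order"] < rb["order"] and b <= a:
        return W1 if ra["action"] != rb["action"] else W2
    if a & b and not (a <= b or b <= a):
        return W3 if ra["action"] != rb["action"] else W4
    return W0

def inter_weight(fx_ra, fy_rb):
    """Claim 14, rule RA of firewall Fx against rule RB of its parent Fy. Assumption: the page
    states the equal-filter case; containment and plain overlap stand in for the omitted ones."""
    a, b = filter_space(fx_ra), filter_space(fy_rb)
    if a <= b:                                          # equal or contained: covered / redundant
        return W1 if fx_ra["action"] != fy_rb["action"] else W2
    if a & b and fx_ra["action"] != fy_rb["action"]:
        return W3                                       # irregular association
    return W0

def flagged_pairs(policy, parent=None):
    """(RA.order, RB.order, weight) for each anomalous pair: within `policy` when parent is
    None, otherwise each rule of `policy` (Fx) against each rule of `parent` (Fy)."""
    if parent is None:
        pairs = [(ra, rb, intra_weight(ra, rb)) for i, ra in enumerate(policy) for rb in policy[i + 1:]]
    else:
        pairs = [(ra, rb, inter_weight(ra, rb)) for ra in policy for rb in parent]
    return [(ra["order"], rb["order"], w) for ra, rb, w in pairs if w != W0]

FX = [  # constructed sample policy of firewall Fx (not from the patent)
    rule(1, "accept", ["10.0.0.0/24"], ["any"], ["tcp"], [80, 443]),
    rule(2, "deny", ["10.0.0.0/24"], ["any"], ["tcp"], [443]),                       # covered by 1
    rule(3, "accept", ["10.0.0.0/24"], ["any"], ["tcp"], [80]),                      # redundant to 1
    rule(4, "deny", ["10.0.0.0/24", "10.0.1.0/24"], ["any"], ["tcp"], [443, 8443]),  # correlated with 1
]
FY = [rule(1, "deny", ["10.0.0.0/24"], ["any"], ["tcp"], [443])]  # constructed parent (upstream) Fy
```

`flagged_pairs(FX)` returns `[(1, 2, 4), (1, 3, 3), (1, 4, 2)]` and `flagged_pairs(FX, FY)` returns `[(1, 1, 2), (2, 1, 3)]`; a pair that matches none of the claimed cases scores W0 and is not reported.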
15. A firewall access control policy error-checking system, characterized in that it comprises:
a collection terminal, for acquiring firewall access control policies, obtaining the X-th firewall access control policy and the access control policy of the firewall adjacent to the X-th firewall, and sending them to a central processing server;
an access control policy baseline database, for providing the central processing server with the algorithm for the firewall's own policy anomaly weight and the algorithm for the inter-firewall policy anomaly weight, and for storing the X-th firewall's own policy anomaly weight and the inter-firewall policy anomaly weight of the X-th firewall determined by the central processing server.
CN201410690385.9A 2014-11-25 2014-11-25 A kind of firewall access control policy error-checking method, apparatus and system Active CN105704093B (en)

Publications (2)

Publication Number Publication Date
CN105704093A CN105704093A (en) 2016-06-22
CN105704093B true CN105704093B (en) 2018-06-12

Family

ID=56942213

Country Status (1)

Country Link
CN (1) CN105704093B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105704093B (en) * 2014-11-25 2018-06-12 China Mobile Group Design Institute Co., Ltd. A kind of firewall access control policy error-checking method, apparatus and system
CN107948205B (en) * 2017-12-31 2020-10-27 China Mobile Group Jiangsu Co., Ltd. Firewall strategy generation method, device, equipment and medium
CN109120448B (en) * 2018-08-24 2020-05-05 Wuhan Sipuling Technology Co., Ltd. Alarm method and system
CN111698199A (en) * 2020-04-13 2020-09-22 State Grid Zhejiang Electric Power Co., Ltd. Hangzhou Power Supply Company Firewall monitoring method and device
CN112351014B (en) * 2020-10-28 2022-06-07 Wuhan Sipuling Technology Co., Ltd. Firewall security policy compliance baseline management method and device between security domains

Citations (5)

Publication number Priority date Publication date Assignee Title
CN103368976A (en) * 2013-07-31 2013-10-23 University of Electronic Science and Technology of China Network security evaluation device based on attack graph adjacent matrix
CN103825876A (en) * 2013-11-07 2014-05-28 Beijing Anma Technology Co., Ltd. Firewall policy auditing system in complex network environment
CN103905407A (en) * 2012-12-28 2014-07-02 China Mobile Communications Group Co. Method and device for firewall access control strategy analysis
CN104092676A (en) * 2014-06-30 2014-10-08 Fudan University Parallel firewall rule anomaly detection method for cloud data center environment firewall as service
CN105704093A (en) * 2014-11-25 2016-06-22 China Mobile Group Design Institute Co., Ltd. Firewall access control strategy debugging method, device and system

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
AU2005328336B2 (en) * 2004-12-22 2011-09-15 Wake Forest University Method, systems, and computer program products for implementing function-parallel network firewall
US8042167B2 (en) * 2005-03-28 2011-10-18 Wake Forest University Methods, systems, and computer program products for network firewall policy optimization
US20090300748A1 (en) * 2008-06-02 2009-12-03 Secure Computing Corporation Rule combination in a firewall

Non-Patent Citations (3)

Title
Discovery of policy anomalies in distributed firewalls; Al-Shaer Ehab S et al.; IEEE INFOCOM 2004; 2004-12-31; Vol. 4; full text *
Research on distributed firewall policy anomaly detection algorithms; Zhang Li; China Master's Theses Full-text Database, Information Science and Technology; 2007-12-15 (No. 06); full text *
Distributed firewall policy anomaly detection and analysis based on DFSQL; Deng Baolong et al.; Computer & Digital Engineering; 2012-10-20; Vol. 40 (No. 10); full text *

Also Published As

Publication number Publication date
CN105704093A (en) 2016-06-22

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant