CN106254379A - The processing system of network security policy and processing method - Google Patents


Info

Publication number: CN106254379A
Authority: CN (China)
Prior art keywords: address, module, strategy, flow, network security
Legal status: Granted
Application number: CN201610817357.8A
Other languages: Chinese (zh)
Other versions: CN106254379B (en)
Inventors: 朱志博, 吴善鹏, 张昊峥, 张晓强, 雷兵
Current assignee: Shanghai Ctrip Business Co Ltd
Original assignee: Shanghai Ctrip Business Co Ltd
Priority date: 2016-09-09
Filing date: 2016-09-09
Publication date: 2016-12-21
Application filed by Shanghai Ctrip Business Co Ltd
Priority to CN201610817357.8A (CN106254379B)
Publication of CN106254379A
Application granted
Publication of CN106254379B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a processing system and a processing method for network security policies. The processing system includes: an IP address sending module, which sends the IP address of a server when the server comes online or its network changes; a traffic learning module, which receives the IP address, sets the network security policy corresponding to that address to permit-all, and collects all traffic information for the address; an extraction module, which extracts the source IP address, destination IP address, destination port and protocol from each collected traffic record to generate base security policies; a first merge module, which merges the base security policies by source IP address to generate initial security policies; a second merge module, which merges the initial security policies by destination IP address to generate final security policies; and a processing module, which sends the final security policies to the network security device and deletes all the permit-all policies. The invention generates network security policies automatically by means of traffic learning and thereby achieves fully automatic configuration.

Description

Processing system and processing method for network security policies
Technical field
The present invention relates to the technical field of network security, and in particular to a processing system and a processing method for network security policies.
Background technology
With the development of the Internet, network security protection in data centers has become increasingly complex, the configuration of network security policies has become more and more complicated, and manual configuration is more and more difficult. Existing network security policy management methods cannot meet the practical demand for bringing servers online quickly, and manual maintenance is costly.
Summary of the invention
The technical problem to be solved by the present invention is to overcome the defects of prior-art network security policy management methods, namely that they cannot meet the practical demand for bringing servers online quickly and that manual maintenance is costly, and to provide a processing system and a processing method for network security policies.
The present invention solves the above technical problem by the following technical solutions:
The invention provides a processing system for network security policies, characterised in that it includes:
an IP (Internet Protocol) address sending module, which sends the IP address of a server when the server comes online or its network changes;
a traffic learning module, which receives the IP address, sets the network security policy corresponding to the IP address to a permit-all policy, starts traffic learning, and collects all traffic information for the IP address;
an extraction module, which extracts the source IP address, destination IP address, destination port and protocol from each collected traffic record to generate base security policies;
a first merge module, which merges by source IP address those base security policies whose destination IP address, destination port and protocol are all identical, to generate initial security policies consisting of a source IP group, destination IP address, destination port and protocol;
a second merge module, which merges by destination IP address those initial security policies whose source IP group, destination port and protocol are all identical, to generate final security policies consisting of a source IP group, destination IP group, destination port and protocol;
a processing module, which sends the final security policies to the network security device and deletes all the permit-all policies set by the traffic learning module.
Preferably, the traffic learning module is further used to set a traffic learning time.
Preferably, the IP address sending module is further used to send the IP address of a server that goes offline to the traffic learning module when that server goes offline, and the traffic learning module is further used to call the processing module to delete all network security policies relating to the IP address of the offline server.
The invention also provides a processing method for network security policies, characterised in that it is implemented with the above processing system and comprises the following steps:
S1: when a server comes online or its network changes, the IP address sending module sends the IP address of the server;
S2: the traffic learning module receives the IP address, sets the network security policy corresponding to the IP address to a permit-all policy, starts traffic learning, and collects all traffic information for the IP address;
S3: the extraction module extracts the source IP address, destination IP address, destination port and protocol from each collected traffic record to generate base security policies;
S4: the first merge module merges by source IP address those base security policies whose destination IP address, destination port and protocol are all identical, to generate initial security policies consisting of a source IP group, destination IP address, destination port and protocol;
S5: the second merge module merges by destination IP address those initial security policies whose source IP group, destination port and protocol are all identical, to generate final security policies consisting of a source IP group, destination IP group, destination port and protocol;
S6: the processing module sends the final security policies to the network security device and deletes all the permit-all policies set by the traffic learning module.
Preferably, in step S2 the traffic learning module also sets a traffic learning time.
Preferably, the processing method further includes:
when a server goes offline, the IP address sending module sends the IP address of the offline server to the traffic learning module, and the traffic learning module calls the processing module to delete all network security policies relating to the IP address of the offline server.
The positive and progressive effects of the present invention are: the invention generates network security policies automatically by means of traffic learning, so the whole policy configuration process needs no manual participation; this achieves fully automatic and intelligent security configuration, eliminates the complexity of manual configuration, and improves the efficiency of network security configuration.
Brief description of the drawings
Fig. 1 is a module diagram of the processing system for network security policies of a preferred embodiment of the present invention.
Fig. 2 is a flow chart of the processing method for network security policies of a preferred embodiment of the present invention.
Detailed description of the invention
The present invention is further illustrated below by way of embodiments, but is not thereby limited to the scope of the described embodiments.
As shown in Fig. 1, the processing system for network security policies of the present invention includes an IP address sending module 1, a traffic learning module 2, an extraction module 3, a first merge module 4, a second merge module 5 and a processing module 6.
The IP address sending module 1 sends the IP address of a server (that is, a newly added IP address or an IP address that has changed) to the traffic learning module 2 when the server comes online or its network changes.
After receiving the IP address, the traffic learning module 2 sets the network security policy corresponding to the IP address to a permit-all policy, that is, it opens an allow-all policy for the IP address; it then starts traffic learning, sets a learning time, and collects all traffic information for the IP address during that learning time.
The extraction module 3 extracts the source IP address, destination IP address, destination port and protocol from each traffic record collected by the traffic learning module 2 to generate base security policies; that is, each traffic record yields one base security policy, and every base security policy consists of a source IP address, destination IP address, destination port and protocol.
The first merge module 4 merges by source IP address those base security policies whose destination IP address, destination port and protocol are all identical, to generate initial security policies consisting of a source IP group, destination IP address, destination port and protocol; that is, within one initial security policy the destination IP address, destination port and protocol are identical, and the source IP group represents a set of several different source IP addresses.
The second merge module 5 merges by destination IP address those initial security policies whose source IP group, destination port and protocol are all identical, to generate final security policies consisting of a source IP group, destination IP group, destination port and protocol; that is, within one final security policy the source IP group, destination port and protocol are identical, and the destination IP group represents a set of several different destination IP addresses.
The processing module 6 then sends the final security policies to the network security device and deletes all the permit-all policies set by the traffic learning module 2, that is, it deletes the allow-all policy for the IP address.
In a specific implementation of the present invention, the IP address sending module 1 is further used to send the IP address of a server that goes offline to the traffic learning module 2 when that server goes offline, and the traffic learning module 2 is further used to call the processing module 6 to delete all network security policies relating to the IP address of the offline server.
When a server comes online or a server's network changes, the present invention first sets the network security policy for the changed IP address to permit by default, then learns the traffic within a specified time range and transforms and merges the corresponding traffic, finally forming the corresponding network security policy rule information. By means of learning, the invention makes the generation of network security policies require no manual configuration, so policy configuration is automated from end to end.
The present invention also provides a processing method for network security policies, implemented with the above processing system. As shown in Fig. 2, the processing method for network security policies of the present invention comprises the following steps:
Step 101: when a server comes online or its network changes, the IP address sending module sends the IP address of the server;
Step 102: the traffic learning module receives the IP address, sets the network security policy corresponding to the IP address to a permit-all policy, starts traffic learning, and collects all traffic information for the IP address;
Step 103: the extraction module extracts the source IP address, destination IP address, destination port and protocol from each collected traffic record to generate base security policies;
Step 104: the first merge module merges by source IP address those base security policies whose destination IP address, destination port and protocol are all identical, to generate initial security policies consisting of a source IP group, destination IP address, destination port and protocol;
Step 105: the second merge module merges by destination IP address those initial security policies whose source IP group, destination port and protocol are all identical, to generate final security policies consisting of a source IP group, destination IP group, destination port and protocol;
Step 106: the processing module sends the final security policies to the network security device and deletes all the permit-all policies set by the traffic learning module.
In step S2, the traffic learning module also sets a traffic learning time.
Preferably, the processing method may further include:
when a server goes offline, the IP address sending module sends the IP address of the offline server to the traffic learning module, and the traffic learning module calls the processing module to delete all network security policies relating to the IP address of the offline server.
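The learning-and-merge pipeline of steps 102 to 106 (S2 to S6 in the summary and claims), as an added example that is not the patent's or the assignee's code: the Flow and Policy types, the in-memory stand-in for the network security device and the sample flows are assumptions; the 4-tuple extraction, the two merge passes, the deletion of the temporary permit-all rule and the offline clean-up follow the description above.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One traffic record collected in the learning window (assumed shape)."""
    src: str
    dst: str
    dport: int
    proto: str

@dataclass(frozen=True)
class Policy:
    """Permit rule: each IP in src_group may reach each IP in dst_group on one
    destination port and protocol (assumed representation)."""
    src_group: frozenset
    dst_group: frozenset
    dport: int
    proto: str

def extract_base_policies(flows):
    """Extraction module (S3): one base policy per distinct 4-tuple; repeats collapse."""
    tuples = {(f.src, f.dst, f.dport, f.proto) for f in flows}
    return {Policy(frozenset({s}), frozenset({d}), p, pr) for s, d, p, pr in tuples}

def merge_by_source(base):
    """First merge module (S4): base policies with identical destination IP, port
    and protocol become one initial policy; their sources form its source IP group."""
    groups = defaultdict(set)
    for pol in base:
        (dst,) = pol.dst_group  # a base policy has exactly one destination
        groups[(dst, pol.dport, pol.proto)] |= pol.src_group
    return {Policy(frozenset(srcs), frozenset({dst}), p, pr)
            for (dst, p, pr), srcs in groups.items()}

def merge_by_destination(initial):
    """Second merge module (S5): initial policies with identical source IP group,
    port and protocol become one final policy; their destinations form its group."""
    groups = defaultdict(set)
    for pol in initial:
        groups[(pol.src_group, pol.dport, pol.proto)] |= pol.dst_group
    return {Policy(srcs, frozenset(dsts), p, pr)
            for (srcs, p, pr), dsts in groups.items()}

def learn_policies(flows):
    """Steps S3 to S5 end to end."""
    return merge_by_destination(merge_by_source(extract_base_policies(flows)))

class PolicyProcessor:
    """Traffic learning and processing modules against an in-memory stand-in for
    the network security device (assumption, not the patent's implementation)."""

    def __init__(self):
        self.rules = set()      # learned policies installed on the device
        self.allow_all = set()  # server IPs with a temporary permit-all rule

    def start_learning(self, server_ip):
        """S2: open a permit-all rule for the server for the learning window."""
        self.allow_all.add(server_ip)

    def commit(self, server_ip, flows):
        """S6: push the learned policies, then delete the permit-all rule."""
        self.rules |= learn_policies(flows)
        self.allow_all.discard(server_ip)

    def server_offline(self, server_ip):
        """Preferred embodiment: delete every policy relating to the offline IP.
        Merged groups may span servers, so this also drops rules that still
        covered other servers in the same group."""
        self.allow_all.discard(server_ip)
        self.rules = {r for r in self.rules
                      if server_ip not in r.src_group and server_ip not in r.dst_group}

# Constructed sample: traffic observed while server 10.0.1.10 is under learning.
SAMPLE_FLOWS = [
    Flow("10.0.2.1", "10.0.1.10", 443, "tcp"),
    Flow("10.0.2.2", "10.0.1.10", 443, "tcp"),
    Flow("10.0.2.1", "10.0.1.10", 443, "tcp"),  # repeat of the first flow
    Flow("10.0.2.1", "10.0.1.11", 443, "tcp"),
    Flow("10.0.2.2", "10.0.1.11", 443, "tcp"),
    Flow("10.0.3.9", "10.0.1.10", 22, "tcp"),
]
```

The six sample flows reduce to five base policies, three initial policies and two final policies; everything that crosses the server during the learning window is learned as permitted, so the window is a period of reduced enforcement and the generated rule set warrants review before it is treated as a baseline.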
Although specific embodiments of the present invention have been described above, those skilled in the art will appreciate that these are merely illustrative and that the scope of protection of the present invention is defined by the appended claims. Those skilled in the art may make various changes or modifications to these embodiments without departing from the principle and essence of the present invention, and all such changes and modifications fall within the scope of protection of the present invention.

Claims (6)

1. A processing system for network security policies, characterised in that it includes:
an IP address sending module, which sends the IP address of a server when the server comes online or its network changes;
a traffic learning module, which receives the IP address, sets the network security policy corresponding to the IP address to a permit-all policy, starts traffic learning, and collects all traffic information for the IP address;
an extraction module, which extracts the source IP address, destination IP address, destination port and protocol from each collected traffic record to generate base security policies;
a first merge module, which merges by source IP address those base security policies whose destination IP address, destination port and protocol are all identical, to generate initial security policies consisting of a source IP group, destination IP address, destination port and protocol;
a second merge module, which merges by destination IP address those initial security policies whose source IP group, destination port and protocol are all identical, to generate final security policies consisting of a source IP group, destination IP group, destination port and protocol;
a processing module, which sends the final security policies to the network security device and deletes all the permit-all policies set by the traffic learning module.
2. The processing system for network security policies as claimed in claim 1, characterised in that the traffic learning module is further used to set a traffic learning time.
3. The processing system for network security policies as claimed in claim 1, characterised in that the IP address sending module is further used to send the IP address of a server that goes offline to the traffic learning module when that server goes offline, and the traffic learning module is further used to call the processing module to delete all network security policies relating to the IP address of the offline server.
4. A processing method for network security policies, characterised in that it is implemented with the processing system as claimed in claim 1 and comprises the following steps:
S1: when a server comes online or its network changes, the IP address sending module sends the IP address of the server;
S2: the traffic learning module receives the IP address, sets the network security policy corresponding to the IP address to a permit-all policy, starts traffic learning, and collects all traffic information for the IP address;
S3: the extraction module extracts the source IP address, destination IP address, destination port and protocol from each collected traffic record to generate base security policies;
S4: the first merge module merges by source IP address those base security policies whose destination IP address, destination port and protocol are all identical, to generate initial security policies consisting of a source IP group, destination IP address, destination port and protocol;
S5: the second merge module merges by destination IP address those initial security policies whose source IP group, destination port and protocol are all identical, to generate final security policies consisting of a source IP group, destination IP group, destination port and protocol;
S6: the processing module sends the final security policies to the network security device and deletes all the permit-all policies set by the traffic learning module.
5. The processing method for network security policies as claimed in claim 4, characterised in that in step S2 the traffic learning module also sets a traffic learning time.
6. The processing method for network security policies as claimed in claim 4, characterised in that the processing method further includes:
when a server goes offline, the IP address sending module sends the IP address of the offline server to the traffic learning module, and the traffic learning module calls the processing module to delete all network security policies relating to the IP address of the offline server.

Priority Applications (1)

Application number: CN201610817357.8A (CN106254379B); Priority date: 2016-09-09; Filing date: 2016-09-09; Title: The processing system and processing method of network security policy

Applications Claiming Priority (1)

Application number: CN201610817357.8A (CN106254379B); Priority date: 2016-09-09; Filing date: 2016-09-09; Title: The processing system and processing method of network security policy

Publications (2)

CN106254379A (en), published 2016-12-21
CN106254379B (en), published 2019-03-12

Family

Family ID: 57599623

Family Applications (1)

Application number: CN201610817357.8A (CN106254379B, active); Title: The processing system and processing method of network security policy; Priority date: 2016-09-09; Filing date: 2016-09-09

Country Status (1)

CN: CN106254379B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9154479B1 (en) * 2012-09-14 2015-10-06 Amazon Technologies, Inc. Secure proxy
CN105871930A (en) * 2016-06-21 2016-08-17 上海携程商务有限公司 Self-adaptive firewall security policy configuration method and system based on applications

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110247933A (en) * 2019-07-08 2019-09-17 中国工商银行股份有限公司 The method and apparatus for realizing firewall policy
CN110247933B (en) * 2019-07-08 2022-01-04 中国工商银行股份有限公司 Method and device for realizing firewall policy
CN111131198A (en) * 2019-12-11 2020-05-08 杭州迪普科技股份有限公司 Updating method and device for network security policy configuration
CN111131198B (en) * 2019-12-11 2022-04-26 杭州迪普科技股份有限公司 Updating method and device for network security policy configuration
CN111147528A (en) * 2020-04-03 2020-05-12 四川新网银行股份有限公司 Method for managing network security policy
CN111147528B (en) * 2020-04-03 2020-08-21 四川新网银行股份有限公司 Method for managing network security policy
CN112769814A (en) * 2021-01-04 2021-05-07 中国科学院信息工程研究所 Method and system for comprehensively coordinating network security equipment in linkage manner
CN113691522A (en) * 2021-08-20 2021-11-23 北京天融信网络安全技术有限公司 Data traffic processing method and device, electronic equipment and storage medium
CN115842664A (en) * 2022-11-23 2023-03-24 紫光云技术有限公司 Public cloud network flow security implementation method

Also Published As

CN106254379B (en), published 2019-03-12

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant