CN107094143A - Detection method and device for policy redundancy - Google Patents


Info

Publication number: CN107094143A
Authority: CN (China)
Prior art keywords: strategy, group, security, security strategy, redundancy
Legal status: Granted; Active
Application number: CN201710296150.5A
Other languages: Chinese (zh)
Other versions: CN107094143B (en)
Inventor: 袁野
Current Assignee: Hangzhou DPTech Technologies Co Ltd
Original Assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by: Hangzhou DPTech Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The present application provides a detection method and device for policy redundancy. The method includes: expanding each pre-configured object group of each preset field in a target security policy group, and merging the redundant objects obtained after expansion; after the merging of redundant objects is complete, splitting the target security policy group into several security policies based on the number of object groups corresponding to each preset field in the target security policy group, where each preset field of each of the several security policies corresponds to exactly one object group; then traversing the several split-out security policies and detecting the redundant security policies among them based on a preset strategy. The technical solution can effectively detect redundant security policies among the security policies so that the user can handle them, improving the maintainability of the security device and the efficiency of detecting policy redundancy relationships.

Description

Detection method and device for policy redundancy
Technical field
The present application relates to the field of information security, and in particular to a detection method and device for policy redundancy.
Background technology
A security device processes received packets according to the security policies configured by the user. The number of user-configured security policies is large, commonly reaching tens of thousands. When the security device matches packets against security policies, it does so in priority order: the security policy with the higher priority is matched first.
However, because security policies accumulate over a long time and are numerous, the user often cannot remember whether redundancy exists among them. For example, the higher-priority policy 1 has source IP 192.168.0.0/16, unrestricted destination IP, and action drop; a newly added policy 2 has source IP 192.168.1.0/24, unrestricted destination IP, and action pass. If policy 2 has lower priority than policy 1, policy 2 can never take effect.
Real rules are more complex than the example above, so when the user maintains the security device and checks for security policy redundancy, the workload is huge and detection efficiency is low.
Summary of the invention
In view of this, the present application provides a detection method and device for policy redundancy, for quickly and effectively detecting redundant security policies among security policies, improving the maintainability of the security device and the efficiency of policy redundancy detection.
Specifically, the present application is achieved through the following technical solution:
A detection method for policy redundancy, applied to a security device on which several security policy groups are pre-configured, where each security policy group consists of several preset fields and each preset field corresponds to several object groups to be matched; the method includes:
expanding each pre-configured object group of each preset field in a target security policy group, and merging the redundant objects obtained after expansion;
after the merging of redundant objects is complete, splitting the target security policy group into several security policies based on the number of object groups corresponding to each preset field in the target security policy group, where each preset field of each of the several security policies corresponds to exactly one object group;
traversing the several split-out security policies, and detecting the redundant security policies among them based on a preset strategy.
In the detection method for policy redundancy, the method further includes:
after the merging of redundant objects is complete, converting the IP object groups in the target security policy group into a standard representation format.
In the detection method for policy redundancy, the standard representation format is the IP+wildcard representation format.
In the detection method for policy redundancy, detecting the redundant security policies among the several security policies based on the preset strategy includes:
selecting each of the several security policies in turn as the target security policy;
matching the target security policy against the other security policies;
if the target security policy contains any other security policy, recording the redundancy relationship between the target security policy and that other security policy.
In the detection method for policy redundancy, the method further includes:
before detecting the redundant security policies among the several security policies based on the preset strategy, sorting the several security policies based on the priority of each security policy.
A detection device for policy redundancy, applied to a security device on which several security policy groups are pre-configured, where each security policy group consists of several preset fields and each preset field corresponds to several object groups to be matched; the device includes:
a merging unit, configured to expand each pre-configured object group of each preset field in a target security policy group and to merge the redundant objects obtained after expansion;
a splitting unit, configured to, after the merging of redundant objects is complete, split the target security policy group into several security policies based on the number of object groups corresponding to each preset field in the target security policy group, where each preset field of each of the several security policies corresponds to exactly one object group;
a detection unit, configured to traverse the several split-out security policies and to detect the redundant security policies among them based on a preset strategy.
In the detection device for policy redundancy, the device further includes:
a converting unit, configured to convert the IP object groups in the target security policy group into a standard representation format after the merging of redundant objects is complete.
In the detection device for policy redundancy, the standard representation format is the IP+wildcard representation format.
In the detection device for policy redundancy, the detection unit is further configured to:
select each of the several security policies in turn as the target security policy;
match the target security policy against the other security policies;
if the target security policy contains any other security policy, record the redundancy relationship between the target security policy and that other security policy.
In the detection device for policy redundancy, the device further includes:
a sorting unit, configured to sort the several security policies based on the priority of each security policy before the redundant security policies among them are detected based on the preset strategy.
In the embodiments of the present application, the security device expands each pre-configured object group of each preset field in a target security policy group and merges the redundant objects obtained after expansion; after the merging of redundant objects is complete, it splits the target security policy group into several security policies based on the number of object groups corresponding to each preset field in the target security policy group, where each preset field of each of the several security policies corresponds to exactly one object group; it then traverses the several split-out security policies and detects the redundant security policies among them based on a preset strategy.
Because, in the embodiments of the present application, when a target security policy group may contain several object groups to be matched, the security device reorganizes the internal structure of the target security policy group by removing redundancy inside it and splits the target security policy group into several security policies in which each preset field corresponds to exactly one object group, and then performs policy redundancy detection on each split-out security policy, policy redundancy detection is simplified, and the maintainability of the security device and the efficiency of policy redundancy detection are improved.
Brief description of the drawings
Fig. 1 is a flowchart of a detection method for policy redundancy shown in the present application;
Fig. 2 is a schematic structural diagram of a security policy group shown in the present application;
Fig. 3 is a schematic structural diagram of another security policy group shown in the present application;
Fig. 4 is a schematic structural diagram of a security policy shown in the present application;
Fig. 5 is a block diagram of an embodiment of a detection device for policy redundancy shown in the present application;
Fig. 6 is a hardware structure diagram of a detection device for policy redundancy shown in the present application.
Embodiments
In order that those skilled in the art may better understand the technical solution in the embodiments of the present invention, and that the above purposes, features and advantages of the embodiments may be more clearly understood, the prior art and the technical solution in the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
A user generally configures security policies on a security device according to the attack sources and attack patterns occurring in the network. The security device processes received packets based on the user-configured security policies. As attack sources and attack patterns change, the number of security policies added to the security device keeps growing, often reaching tens of thousands.
When the security device applies security policies, it first selects the security policy with the highest priority to match the received packet. The user often cannot fully recall all the security policies configured earlier, so a security policy added later may be impossible to match because of its priority, which causes policy redundancy.
Because security policies accumulate over a long time and are numerous, policy redundancy is unavoidable. For example, the higher-priority policy 1 has source IP 192.168.0.0/16, unrestricted destination IP, and action drop; a newly added policy 2 has source IP 192.168.1.0/24, unrestricted destination IP, and action pass. If policy 2 has lower priority than policy 1, policy 2 can never take effect.
In practical applications, policy redundancy is more complex. For example, the source IP of a security policy may reference more than one IP object or IP object group, where an IP object group may be represented in formats such as IP+mask, IP range or IP+wildcard, and the IP objects contained in different IP object groups may repeat or intersect. Other preset fields of a security policy, such as destination IP, protocol and port number, may show similar situations. When each preset field of a security policy corresponds to several object groups to be matched, the security policy can be regarded as a security policy group.
Therefore, when the user maintains the security device and checks for security policy redundancy, many repeated checks arise, the workload is huge, and detection efficiency is low.
To solve the above problems, in the embodiments of the present application, the object groups of each preset field inside each security policy group are first de-duplicated, the de-duplicated security policy group is then split into a plurality of security policies, all split-out security policies are traversed, and the policy redundancy relationships are determined.
Referring to Fig. 1, a flowchart of a detection method for policy redundancy shown in the present application, the executing body of this embodiment is a security device on which several security policy groups are pre-configured; each security policy group consists of several preset fields, and each preset field corresponds to several object groups to be matched. The method includes the following steps:
Step 101: expand each pre-configured object group of each preset field in the target security policy group, and merge the redundant objects obtained after expansion.
Step 102: after the merging of redundant objects is complete, split the target security policy group into several security policies based on the number of object groups corresponding to each preset field in the target security policy group, where each preset field of each of the several security policies corresponds to exactly one object group.
Step 103: traverse the several split-out security policies, and detect the redundant security policies among them based on a preset strategy.
As described above, because a preset field inside the same security policy group corresponds to multiple object groups, and the representation formats of the object groups may differ, the objects in the object groups may repeat. Therefore, when detecting security policy redundancy, the redundancy inside the same security policy group can be removed first.
Specifically, in the embodiments of the present application, when performing internal de-duplication on a target security policy group, the security device may first expand each pre-configured object group of each preset field in the target security policy group to obtain the multiple objects in each object group.
In one embodiment shown, the security device may expand each pre-configured IP object group in each IP field of the target security policy group, thereby obtaining the multiple IP objects in each IP object group.
Referring to Fig. 2, a schematic structural diagram of a security policy group shown in the present application, the preset fields of a security policy group may include source IP, destination IP, service, action and other information, where service includes protocol number, source port and destination port.
The source IP field may include multiple IP object groups, and each IP object group may include multiple IP objects. The security device can expand each IP object group in the source IP field to obtain multiple IP objects. As shown in Fig. 2, expanding IP object group 1-1 yields IP objects 1-1-1, 1-1-2, 1-1-3 ... 1-1-m; expanding IP object group 1-n yields IP objects 1-n-1, 1-n-2, 1-n-3 ... 1-n-m. There may be further IP object groups between IP object group 1-1 and IP object group 1-n, which are expanded in the same way into multiple IP objects.
Note that the IP object groups and IP objects in Fig. 2 only illustrate the expansion process; actual IP object groups and IP objects are not represented in the way shown in the figure. Taking an actual IP object group expansion as an example, expanding the IP object group 192.168.1.1-192.168.1.10 yields the IP objects 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5, 192.168.1.6, 192.168.1.7, 192.168.1.8, 192.168.1.9 and 192.168.1.10.
Besides expanding the multiple IP object groups in the source IP field of the target security policy group into multiple IP objects, the security device can expand the multiple IP object groups in the destination IP field in the same way to obtain multiple IP objects.
In addition, the security device can also expand the object groups in the other preset fields to obtain multiple objects. Still taking Fig. 2 as an example, the security device expands the object group "service object group 1" in the service field into multiple service objects, including (Protocol 1-1; Sport 1-1; Dport 1-1).
In the embodiments of the present application, after the security device has expanded the several pre-configured object groups to be matched of each preset field in the target security policy group and obtained multiple objects, it can merge the redundant objects in each preset field, achieving internal de-duplication of the security policy group; at this point the security device obtains the target security policy group with redundancy removed.
In one embodiment shown, the security device may merge identical IP objects among the multiple IP objects obtained after expansion in each IP field of the target security policy group, thereby removing redundancy within the IP field.
For example, suppose the source IP field contains the IP object group 192.168.1.1-192.168.1.10 and the IP object group 192.168.1.8-192.168.1.20. Expanding IP object group 192.168.1.1-192.168.1.10 yields the IP objects 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5, 192.168.1.6, 192.168.1.7, 192.168.1.8, 192.168.1.9 and 192.168.1.10;
expanding IP object group 192.168.1.8-192.168.1.20 yields the IP objects 192.168.1.8, 192.168.1.9, 192.168.1.10, 192.168.1.11, 192.168.1.12, 192.168.1.13, 192.168.1.14, 192.168.1.15, 192.168.1.16, 192.168.1.17, 192.168.1.18, 192.168.1.19 and 192.168.1.20;
the security device merges the redundant IP objects 192.168.1.8, 192.168.1.9 and 192.168.1.10 that appear in both IP object groups.
Referring to Fig. 3, a schematic structural diagram of another security policy group shown in the present application, after redundancy inside the security policy group has been removed, every object corresponding to each preset field is unique.
After merging the redundant objects in each preset field of the target security policy group, the security device obtains new object groups, whose number is reduced relative to the number of object groups before de-duplication.
For example, merging the IP object group 192.168.1.1-192.168.1.10 and the IP object group 192.168.1.8-192.168.1.20 in the source IP field produces a new IP object group 192.168.1.1-192.168.1.20 in the source IP field of the target security policy group.
In one embodiment shown, after the security device has merged the identical IP objects in each IP field of the target security policy group and obtained new IP object groups, it can convert the new IP object groups into a standard representation format, so that the IP object groups in each IP field can subsequently be compared more easily between different security policies.
Among the several representation formats of IP object groups, on the one hand, if an IP object group in IP+wildcard format is converted to IP range format, one IP object group in IP+wildcard format generally yields multiple IP object groups in IP range format.
Therefore, converting the IP object groups in IP+wildcard format in the source IP or destination IP field into IP object groups in IP range format increases the number of IP object groups in the field. As the number of IP object groups in the IP fields grows, the IP policy entries inside the target security policy group expand. If the number of IP policy entries inside the target security policy group becomes excessive, the subsequent comparison of the IP object groups of each IP field between security policies involves an excessive workload.
On the other hand, if the IP object groups in IP range format inside the target security policy group are converted to IP+wildcard format, the expansion of the IP policy entries inside the target security policy group is smaller.
Therefore, the security device can uniformly convert the IP object groups in each IP field of the target security policy group into the IP+wildcard representation format. With this measure, the security device can subsequently compare the IP object groups inside each security policy more easily.
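The expand-merge-convert pipeline for one IP field (Steps 101 and the format conversion above), as an added worked example in Python; this is not code from the patent or from the assignee's product. It assumes IP range object groups are given as inclusive (first, last) string pairs and takes "IP+wildcard" to mean a network address plus an inverted subnet mask, so a range that is not block-aligned (such as 192.168.1.1-192.168.1.20) converts to several wildcard entries. The sample object groups are the two overlapping source-IP groups from the text.

```python
import ipaddress
from typing import Iterable, List, Set, Tuple

# An IP object group in "IP range" format: (first address, last address), inclusive.
IPRange = Tuple[str, str]


def expand_range(group: IPRange) -> List[str]:
    """Expand one IP-range object group into its individual IP objects
    (192.168.1.1-192.168.1.10 -> 192.168.1.1, 192.168.1.2, ..., 192.168.1.10)."""
    first, last = (ipaddress.IPv4Address(a) for a in group)
    if last < first:
        raise ValueError(f"range end {last} precedes range start {first}")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(first), int(last) + 1)]


def merge_ip_objects(groups: Iterable[IPRange]) -> List[IPRange]:
    """Expand every object group of one field, drop repeated IP objects, and
    rebuild the minimal list of contiguous ranges (the new object groups).
    Addresses that appear in overlapping groups collapse into a single entry."""
    seen: Set[int] = set()
    for group in groups:
        seen.update(int(ipaddress.IPv4Address(ip)) for ip in expand_range(group))
    merged: List[List[int]] = []
    for n in sorted(seen):
        if merged and merged[-1][1] + 1 == n:
            merged[-1][1] = n          # extends the current contiguous run
        else:
            merged.append([n, n])      # starts a new run
    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)))
            for a, b in merged]


def range_to_wildcards(group: IPRange) -> List[Tuple[str, str]]:
    """Convert one IP-range object group to IP+wildcard entries.
    Each entry is (network address, wildcard mask); the wildcard is the inverted
    subnet mask, so 192.168.1.8-192.168.1.15 becomes (192.168.1.8, 0.0.0.7)."""
    first, last = (ipaddress.IPv4Address(a) for a in group)
    return [(str(net.network_address), str(net.hostmask))
            for net in ipaddress.summarize_address_range(first, last)]


def normalize_field(groups: Iterable[IPRange]) -> List[Tuple[str, str]]:
    """Whole pipeline for one IP field: expand, merge, convert to IP+wildcard."""
    entries = []
    for merged in merge_ip_objects(groups):
        entries.extend(range_to_wildcards(merged))
    return entries


if __name__ == "__main__":
    # Constructed sample: the two overlapping source-IP object groups from the text.
    source_ip = [("192.168.1.1", "192.168.1.10"), ("192.168.1.8", "192.168.1.20")]
    print(merge_ip_objects(source_ip))   # one merged range, .1 through .20
    print(normalize_field(source_ip))    # that range as six IP+wildcard entries
```

The expansion into individual addresses mirrors the text literally; for large blocks an interval union over the (first, last) bounds gives the same merged groups without materializing every address.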
In the embodiments of the present application, after the security device has removed redundancy inside the target security policy group and converted the IP object groups in each IP field into the IP+wildcard representation format, in order to subsequently detect the redundancy relationships between security policies more easily, it can split the target security policy group into several security policies based on the number of object groups corresponding to each preset field in the target security policy group.
The security device can add to each split-out security policy a policy identifier together with the policy group identifier of the target security policy group, so that policy redundancy relationships can subsequently be recorded and detected based on the policy identifier and the policy group identifier.
Note that each preset field of each split-out security policy corresponds to exactly one object group. Still taking Fig. 3 as an example, if the source IP field of the target security policy group after de-duplication includes x IP object groups, the destination IP field includes y IP object groups, and the service field includes z service object groups (protocol object groups), then splitting the target security policy group based on the number of object groups corresponding to each preset field yields a total of m = x*y*z security policies.
In the embodiments of the present application, after the security device has applied the above measures to all locally pre-configured security policy groups, removing internal redundancy and splitting out several security policies, it can traverse all split-out security policies and then detect the redundant security policies among them based on a preset strategy.
In one embodiment shown, before detecting redundant security policies, the security device may first sort all security policies based on the priority of their corresponding security policy groups.
In addition, to ease the subsequent comparison of the object groups of each preset field between security policies, the security device may expand the multi-level structure in a security policy. For example, the service field may be expanded into a protocol number field, a source port field and a destination port field.
Referring to Fig. 4, a schematic structural diagram of a security policy shown in the present application, the security device expands all pre-configured security policy groups into a total of n security policies. The priority of a security policy split from a security policy group follows the priority of that group, so the higher-priority security policies can be placed first. The relative order of the security policies split from the same security policy group has no effect on the subsequent redundancy detection and can be arbitrary.
The security device can write the policy identifier added for each security policy and the policy group identifier of its security policy group into the other-information field; as shown in Fig. 4, INFO1 records the policy identifier of the security policy placed in the first position and the policy group identifier of its security policy group.
After all pre-configured security policy groups have been split into security policies and all security policies have been sorted by their priority, the security device can select each security policy in turn as the target security policy, starting from the first one, and match it against the other security policies.
For example, still taking Fig. 4, after the first security policy is selected as the target security policy, the security device compares each preset field of the first security policy (except the action field) with each preset field of the second security policy, checking whether the object group in each preset field of the first security policy completely covers the object group in the corresponding preset field of the second security policy, that is, whether SIP1, DIP1, PROTOCOL1, SPORT1 and DPORT1 respectively cover SIP2, DIP2, PROTOCOL2, SPORT2 and DPORT2;
if the object group of any preset field of the first security policy cannot cover the object group of that preset field of the second security policy, the first security policy does not contain the second security policy, and nothing is done;
if the object group of each preset field of the first security policy covers the object group of the corresponding preset field of the second security policy, the first security policy contains the second security policy. Because the priority of the security policy group corresponding to the first security policy is higher than that of the security policy group corresponding to the second security policy, the second security policy can never be matched, and the policy redundancy relationship between the first and second security policies can be recorded;
after comparing the object groups of each preset field of the first security policy with those of the second, the security device continues to match the first security policy against the third security policy, and so on until the first security policy has been matched against the n-th security policy; it then selects the second security policy as the target security policy and matches it against the other security policies in the same way, until the process with the n-th security policy as the target security policy has been completed.
After completing the comparisons between all security policies, the security device can determine the policy redundancy relationships between all security policies, and thus the policy redundancy relationships between all pre-configured security policy groups.
The policy redundancy relationship can be recorded as an association between the policy identifier and policy group identifier of the higher-priority security policy and the policy identifier and policy group identifier of the lower-priority security policy.
For example, suppose the policy group identifier of one security policy group is A and it is split into two security policies with policy identifiers 1 and 2, and the policy group identifier of another security policy group is B and it is split into three security policies with policy identifiers 1, 2 and 3. If the security device detects that the object group of each preset field of the first security policy of group A covers the object group of the corresponding preset field of the second security policy of group B, the policy redundancy relationship can be recorded as (A-1;B-2), with the higher-priority security policy group written first. This indicates that the first security policy of group A and the second security policy of group B are redundant: the second security policy of group B is a redundant security policy and can never be matched.
After the security device has detected the policy redundancy relationships among the security policies, the user can handle the redundant security policies based on the relationships recorded by the security device.
In summary, in the embodiment of the present application, safety means can be pre- by each preset field in targeted security strategy group The object group of configuration is deployed respectively, and merges the redundancy object obtained after expansion, after the completion of the redundancy object merging, Can the quantity based on the corresponding object group of each preset field in the targeted security strategy group, by the targeted security strategy group Some security strategies are split as, wherein, each preset field of some security strategies corresponds to unique object group respectively; Then some security strategies split out are traveled through, and detect superfluous in some security strategies based on preset strategy Remaining security strategy;
Due in this application, in the case of some object groups to be matched can be included in targeted security strategy group, By way of carrying out internal de-redundancy for the targeted security strategy group, to the internal structure of the targeted security strategy group Tissue is re-started, and targeted security strategy fractionation is turned into some that each preset field corresponds to unique object group respectively Security strategy, then carries out tactful redundancy detection for each security strategy after fractionation;So as to simplified strategy redundancy detection, Improve the maintainability of safety means and the detection efficiency of tactful redundancy detection.
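The procedure described above and in the claims (expand the object groups of each preset field and merge the redundant objects, convert IP objects to the IP + wildcard representation, split the group into policies with one object per field, sort by priority, then match every policy against every lower-priority policy and record the shadowing pairs as (A-1; B-2)) is carried through below as an added Python example. It is not code from the patent or from the assignee; the field set (`src`, `dst`, `service`), the object syntax, the coverage rules for services and the sample groups are assumptions made for this example.

```python
"""Added example: policy-group redundancy detection in the style the patent
describes. Not the patent's or the assignee's code; field names, object
syntax and the sample groups are assumptions made for this example."""
from dataclasses import dataclass
from itertools import product
import ipaddress

# Assumed preset fields of a security policy group.
FIELDS = ("src", "dst", "service")


def expand_ip(obj):
    """Expand one IP object (host, CIDR or 'a-b' range) into the IP + wildcard
    representation: tuples (address_int, wildcard_int). A range that is not
    CIDR-aligned becomes several tuples."""
    if "-" in obj:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in obj.split("-"))
        nets = ipaddress.summarize_address_range(lo, hi)
    else:
        nets = [ipaddress.IPv4Network(obj, strict=False)]
    return [(int(n.network_address), int(n.hostmask)) for n in nets]


def expand_service(obj):
    """Expand a service object 'proto/port', 'proto/lo-hi' or 'any' into
    tuples (proto, low_port, high_port)."""
    if obj == "any":
        return [("any", 0, 65535)]
    proto, ports = obj.split("/")
    lo, _, hi = ports.partition("-")
    return [(proto, int(lo), int(hi or lo))]


def ip_covers(a, b):
    """True if IP + wildcard object a contains object b: every bit that b
    leaves free must also be free in a, and the fixed bits must agree."""
    addr_a, wc_a = a
    addr_b, wc_b = b
    fixed_a = ~wc_a & 0xFFFFFFFF
    return (wc_b & fixed_a) == 0 and ((addr_a ^ addr_b) & fixed_a) == 0


def service_covers(a, b):
    """True if service object a contains service object b."""
    proto_a, lo_a, hi_a = a
    proto_b, lo_b, hi_b = b
    return proto_a in ("any", proto_b) and lo_a <= lo_b and hi_b <= hi_a


EXPAND = {"src": expand_ip, "dst": expand_ip, "service": expand_service}
COVERS = {"src": ip_covers, "dst": ip_covers, "service": service_covers}


def merge_redundant(field, objs):
    """Internal de-redundancy of one field: drop exact duplicates and every
    object that is already covered by another object of the same field."""
    objs = list(dict.fromkeys(objs))
    return [o for o in objs if not any(o != p and COVERS[field](p, o) for p in objs)]


@dataclass(frozen=True)
class Policy:
    group: str      # policy group identifier, e.g. "A"
    index: int      # 1-based policy identifier inside the group
    fields: tuple   # ((field, atomic_object), ...), one object per field


def split_group(group_id, raw):
    """Expand and merge each field, then split the group into one policy per
    combination of atomic objects (Cartesian product over the fields)."""
    expanded = {f: merge_redundant(f, [x for o in raw[f] for x in EXPAND[f](o)])
                for f in FIELDS}
    combos = product(*(expanded[f] for f in FIELDS))
    return [Policy(group_id, i, tuple(zip(FIELDS, c))) for i, c in enumerate(combos, 1)]


def policy_covers(hi, lo):
    """hi shadows lo when hi covers lo in every preset field."""
    return all(COVERS[f](a, b) for (f, a), (_, b) in zip(hi.fields, lo.fields))


def detect_redundancy(groups):
    """groups: [(group_id, raw_fields), ...] already sorted by priority, highest
    first; policies inside a group keep their split order. Returns records of
    the form 'A-1;B-2', higher-priority policy first."""
    policies = [p for gid, raw in groups for p in split_group(gid, raw)]
    found = []
    for i, hi in enumerate(policies):
        for lo in policies[i + 1:]:
            if policy_covers(hi, lo):
                found.append(f"{hi.group}-{hi.index};{lo.group}-{lo.index}")
    return found


# Constructed sample: group A (higher priority) and group B.
SAMPLE_GROUPS = [
    ("A", {"src": ["10.0.0.0/8", "172.16.0.0/12"],
           "dst": ["192.168.1.0/24"], "service": ["tcp/80"]}),
    ("B", {"src": ["10.1.2.0/24", "10.1.2.3"],   # 10.1.2.3 merges into the /24
           "dst": ["192.168.1.10"], "service": ["tcp/443", "tcp/80", "udp/53"]}),
]

if __name__ == "__main__":
    for rec in detect_redundancy(SAMPLE_GROUPS):
        print(rec)  # A-1;B-2: B's second policy is shadowed and never matched
```

Two caveats a practitioner will want. First, like the procedure on this page, the check only reports a lower-priority policy that is covered by a single higher-priority policy; a policy that is covered only by the union of several higher-priority policies is not reported, and the policy action is not considered because the page does not describe one. Second, the number of split policies is the product of the per-field object counts and the comparison is pairwise, so the internal merge step is what keeps the detection tractable on large groups.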
Corresponding to the foregoing embodiments of the method for detecting policy redundancy, the present application also provides embodiments of a device for detecting policy redundancy.
Fig. 5 is a block diagram of an embodiment of a device for detecting policy redundancy according to the present application.
As shown in Fig. 5, the device 50 for detecting policy redundancy includes:
a merging unit 510, configured to expand the pre-configured object group of each preset field in the target security policy group separately and to merge the redundant objects obtained after expansion;
a splitting unit 520, configured to split, once the redundant objects have been merged, the target security policy group into several security policies according to the number of object groups corresponding to each preset field in the target security policy group, where each preset field of each of the several security policies corresponds to a unique object group;
a detection unit 530, configured to traverse the several security policies obtained by splitting and to detect the redundant security policies among them according to a preset policy.
In this example, the device further includes:
a conversion unit 540, configured to convert, once the redundant objects have been merged, the IP object groups in the target security policy group into a standard representation format.
In this example, the standard representation format is the IP + wildcard representation format.
In this example, the detection unit 530 is further configured to:
select each of the several security policies in turn as the target security policy;
match the target security policy against the other security policies; and
if the target security policy contains any other security policy, record the redundancy relationship between the target security policy and that other security policy.
In this example, the device further includes:
a sorting unit 550, configured to sort the several security policies by the priority of each security policy before the redundant security policies among them are detected according to the preset policy.
The embodiments of the device for detecting policy redundancy of the present application can be applied on a security device. The device embodiments may be implemented by software, by hardware, or by a combination of hardware and software. Taking software implementation as an example, the device, as a logical device, is formed by the processor of the security device on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, Fig. 6 is a hardware structure diagram of a security device on which the device for detecting policy redundancy of the present application resides. Besides the processor, memory, network interface and non-volatile memory shown in Fig. 6, the security device on which the device resides in an embodiment may generally include other hardware according to the actual functions of the device for detecting policy redundancy, which is not described further here.
For the implementation of the functions and roles of the units in the above device, refer to the implementation of the corresponding steps in the above method; it is not repeated here.
Since the device embodiments essentially correspond to the method embodiments, the relevant parts may refer to the description of the method embodiments. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network elements. Some or all of the modules may be selected according to actual need to achieve the purpose of the solution of the present application. Those of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is merely a preferred embodiment of the present application and is not intended to limit the present application; any modification, equivalent replacement or improvement made within the spirit and principles of the present application shall fall within its scope of protection.

Claims (10)

1. A method for detecting policy redundancy, applied to a security device on which several security policy groups are pre-configured, wherein a security policy group is made up of several preset fields and each preset field corresponds to several object groups to be matched, the method comprising:
expanding the pre-configured object group of each preset field in a target security policy group separately, and merging the redundant objects obtained after expansion;
once the redundant objects have been merged, splitting the target security policy group into several security policies according to the number of object groups corresponding to each preset field in the target security policy group, wherein each preset field of each of the several security policies corresponds to a unique object group; and
traversing the several security policies obtained by splitting, and detecting the redundant security policies among the several security policies according to a preset policy.
2. The method according to claim 1, further comprising:
once the redundant objects have been merged, converting the IP object groups in the target security policy group into a standard representation format.
3. The method according to claim 2, wherein the standard representation format is the IP + wildcard representation format.
4. The method according to claim 1, wherein detecting the redundant security policies among the several security policies according to a preset policy comprises:
selecting each of the several security policies in turn as a target security policy;
matching the target security policy against the other security policies; and
if the target security policy contains any other security policy, recording the redundancy relationship between the target security policy and that other security policy.
5. The method according to claim 4, further comprising:
before detecting the redundant security policies among the several security policies according to the preset policy, sorting the several security policies by the priority of each security policy.
6. A device for detecting policy redundancy, applied to a security device on which several security policy groups are pre-configured, wherein a security policy group is made up of several preset fields and each preset field corresponds to several object groups to be matched, the device comprising:
a merging unit, configured to expand the pre-configured object group of each preset field in a target security policy group separately and to merge the redundant objects obtained after expansion;
a splitting unit, configured to split, once the redundant objects have been merged, the target security policy group into several security policies according to the number of object groups corresponding to each preset field in the target security policy group, wherein each preset field of each of the several security policies corresponds to a unique object group; and
a detection unit, configured to traverse the several security policies obtained by splitting and to detect the redundant security policies among the several security policies according to a preset policy.
7. The device according to claim 6, further comprising:
a conversion unit, configured to convert, once the redundant objects have been merged, the IP object groups in the target security policy group into a standard representation format.
8. The device according to claim 7, wherein the standard representation format is the IP + wildcard representation format.
9. The device according to claim 6, wherein the detection unit is further configured to:
select each of the several security policies in turn as a target security policy;
match the target security policy against the other security policies; and
if the target security policy contains any other security policy, record the redundancy relationship between the target security policy and that other security policy.
10. The device according to claim 9, further comprising:
a sorting unit, configured to sort the several security policies by the priority of each security policy before the redundant security policies among the several security policies are detected according to the preset policy.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710296150.5A CN107094143B (en) 2017-04-28 2017-04-28 Method and device for detecting policy redundancy

Publications (2)

Publication Number Publication Date
CN107094143A true CN107094143A (en) 2017-08-25
CN107094143B CN107094143B (en) 2020-08-04

Family

ID=59638663

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710296150.5A Active CN107094143B (en) 2017-04-28 2017-04-28 Method and device for detecting policy redundancy

Country Status (1)

Country Link
CN (1) CN107094143B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108768879A (en) * 2018-04-26 2018-11-06 新华三信息安全技术有限公司 Method and device for adjusting policy priority
CN109413019A (en) * 2018-04-28 2019-03-01 武汉思普崚技术有限公司 Firewall policy optimization check method and device
CN110113356A (en) * 2019-05-22 2019-08-09 北京明朝万达科技股份有限公司 Data monitoring method and device
CN111708733A (en) * 2020-05-28 2020-09-25 浪潮电子信息产业股份有限公司 Policy detection method, system, equipment and computer readable storage medium
CN113691522A (en) * 2021-08-20 2021-11-23 北京天融信网络安全技术有限公司 Data traffic processing method and device, electronic equipment and storage medium
CN114039853A (en) * 2021-11-15 2022-02-11 北京天融信网络安全技术有限公司 Method, device, storage medium and electronic equipment for detecting security policy
CN114389897A (en) * 2022-03-18 2022-04-22 苏州市卫生计生统计信息中心 IT infrastructure security policy centralized management and control optimization method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6826698B1 (en) * 2000-09-15 2004-11-30 Networks Associates Technology, Inc. System, method and computer program product for rule based network security policies
CN101753369A (en) * 2008-12-03 2010-06-23 北京天融信网络安全技术有限公司 Method and device for detecting firewall rule conflict
CN104270384A (en) * 2014-10-20 2015-01-07 山石网科通信技术有限公司 Firewall policy redundancy detection method and device
CN104735026A (en) * 2013-12-19 2015-06-24 华为技术有限公司 Security policy control method and device
CN106230736A (en) * 2016-07-19 2016-12-14 东软集团股份有限公司 Merging method and device for network access policies

Also Published As

Publication number Publication date
CN107094143B (en) 2020-08-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant