CN107094143A - Method and device for detecting policy redundancy - Google Patents
Method and device for detecting policy redundancy
- Publication number: CN107094143A (application CN201710296150.5A)
- Authority: CN (China)
- Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Classifications
- H: ELECTRICITY
- H04: ELECTRIC COMMUNICATION TECHNIQUE
- H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227: Filtering policies
- H04L63/0263: Rule management
- H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The application provides a method and device for detecting policy redundancy. The method includes: expanding the pre-configured object groups of each preset field in a target security policy group separately, and merging the redundant objects obtained after expansion; after the redundant objects have been merged, splitting the target security policy group into a number of security policies based on the number of object groups corresponding to each preset field in the target security policy group, where each preset field of each of those security policies corresponds to exactly one object group; and then traversing the split-out security policies and detecting the redundant security policies among them based on a preset strategy. The technical scheme can effectively detect redundant security policies so that the user can deal with them, and it improves both the maintainability of the security device and the efficiency of detecting policy redundancy relations.
Description
Technical field
The application relates to the field of information security, and in particular to a method and device for detecting policy redundancy.
Background technology
A security device processes received packets according to the security policies configured by the user. The number of user-configured security policies is large, often reaching tens of thousands. When the security device matches a packet against its security policies, it does so in order of policy priority, so the security policy with the higher priority is matched first.
However, because security policies accumulate over a long period and are numerous, the user often cannot remember whether they contain redundancy. For example, policy 1, which has the higher priority, has source IP 192.168.0.0/16, destination IP unrestricted, and the action drop; a newly added policy 2 has source IP 192.168.1.0/24, destination IP unrestricted, and the action permit. If policy 2 has lower priority than policy 1, policy 2 can never take effect.
Real rules are far more complex than this example, so when the user maintains the security device and checks for security policy redundancy, the workload is huge and detection efficiency is low.
Summary of the invention
In view of this, the application provides a method and device for detecting policy redundancy, for quickly and effectively detecting redundant security policies among the configured security policies, which improves the maintainability of the security device and the efficiency of policy redundancy detection.
Specifically, the application is achieved by the following technical solution:
A method for detecting policy redundancy, applied to a security device on which a number of security policy groups are pre-configured, where each security policy group is made up of a number of preset fields and each preset field corresponds to a number of object groups to be matched, the method including:
expanding the pre-configured object groups of each preset field in a target security policy group separately, and merging the redundant objects obtained after expansion;
after the redundant objects have been merged, splitting the target security policy group into a number of security policies based on the number of object groups corresponding to each preset field in the target security policy group, where each preset field of each of those security policies corresponds to exactly one object group;
traversing the split-out security policies and detecting the redundant security policies among them based on a preset strategy.
In the method for detecting policy redundancy, the method further includes:
after the redundant objects have been merged, converting the IP object groups in the target security policy group into a standard representation format.
In the method for detecting policy redundancy, the standard representation format is the IP + wildcard representation format.
In the method for detecting policy redundancy, detecting the redundant security policies among the split-out security policies based on a preset strategy includes:
selecting each of the security policies in turn as the target security policy;
matching the target security policy against the other security policies;
if the target security policy contains any other security policy, recording the redundancy relation between the target security policy and that other security policy.
In the method for detecting policy redundancy, the method further includes:
before detecting the redundant security policies based on the preset strategy, sorting the security policies based on the priority of each security policy.
A device for detecting policy redundancy, applied to a security device on which a number of security policy groups are pre-configured, where each security policy group is made up of a number of preset fields and each preset field corresponds to a number of object groups to be matched, the device including:
a merging unit, for expanding the pre-configured object groups of each preset field in a target security policy group separately, and merging the redundant objects obtained after expansion;
a splitting unit, for splitting, after the redundant objects have been merged, the target security policy group into a number of security policies based on the number of object groups corresponding to each preset field in the target security policy group, where each preset field of each of those security policies corresponds to exactly one object group;
a detection unit, for traversing the split-out security policies and detecting the redundant security policies among them based on a preset strategy.
In the device for detecting policy redundancy, the device further includes:
a converting unit, for converting, after the redundant objects have been merged, the IP object groups in the target security policy group into a standard representation format.
In the device for detecting policy redundancy, the standard representation format is the IP + wildcard representation format.
In the device for detecting policy redundancy, the detection unit is further used for:
selecting each of the security policies in turn as the target security policy;
matching the target security policy against the other security policies;
if the target security policy contains any other security policy, recording the redundancy relation between the target security policy and that other security policy.
In the device for detecting policy redundancy, the device further includes:
a sorting unit, for sorting the security policies based on the priority of each security policy before the redundant security policies are detected based on the preset strategy.
In the embodiments of the application, the security device expands the pre-configured object groups of each preset field in the target security policy group separately and merges the redundant objects obtained after expansion; after the redundant objects have been merged, it splits the target security policy group into a number of security policies based on the number of object groups corresponding to each preset field, where each preset field of each of those security policies corresponds to exactly one object group; it then traverses the split-out security policies and detects the redundant security policies among them based on a preset strategy.
Because, in the embodiments of the application, a target security policy group that may contain a number of object groups to be matched is first de-duplicated internally, its internal structure reorganized, and the group split into a number of security policies in which each preset field corresponds to exactly one object group, after which policy redundancy detection is carried out for each split-out security policy, policy redundancy detection is simplified, and the maintainability of the security device and the efficiency of policy redundancy detection are improved.
Brief description of the drawings
Fig. 1 is a flow chart of a policy redundancy detection method shown in the application;
Fig. 2 is a schematic structural diagram of a security policy group shown in the application;
Fig. 3 is a schematic structural diagram of another security policy group shown in the application;
Fig. 4 is a schematic structural diagram of a security policy shown in the application;
Fig. 5 is a block diagram of an embodiment of a policy redundancy detection device shown in the application;
Fig. 6 is a hardware structure diagram of a policy redundancy detection device shown in the application.
Embodiment
In order that those skilled in the art may better understand the technical scheme in the embodiments of the invention, and that the purposes, features and advantages of the embodiments described above may be more apparent and understandable, the prior art and the technical scheme in the embodiments of the invention are described in further detail below with reference to the accompanying drawings.
A user generally configures security policies on a security device according to the attack sources and attack patterns observed in the network. The security device processes received packets based on the user-configured security policies. As attack sources and attack patterns change, the number of security policies added to the security device keeps growing, often reaching tens of thousands.
When the security device applies its security policies, it first selects the security policy with the highest priority to match against the received packet. The user often cannot fully know all the security policies configured before, so when a new security policy is added later it may be impossible for it ever to be matched because of its priority, which causes policy redundancy.
Because security policies accumulate over a long time and the number of entries is large, policy redundancy is hard to avoid. For example, policy 1, which has the higher priority, has source IP 192.168.0.0/16, destination IP unrestricted, and the action drop; a newly added policy 2 has source IP 192.168.1.0/24, destination IP unrestricted, and the action permit. If policy 2 has lower priority than policy 1, policy 2 can never take effect.
In practice, policy redundancy is more complex. For example, the source IP of a security policy may reference more than one IP object or IP object group, where an IP object group may be expressed in representation formats such as IP + mask, IP range or IP + wildcard, and the IP objects contained in different IP object groups may repeat or intersect. Other preset fields of a security policy, such as destination IP, protocol and port number, may show similar situations. When each preset field of a security policy corresponds to a number of object groups to be matched, the security policy can be regarded as a security policy group.
Therefore, when the user maintains the security device and checks for security policy redundancy, many repeated checks occur, the workload is huge and detection efficiency is low.
To solve these problems, in the embodiments of the application, redundancy is first removed from the object groups of each preset field inside each security policy group; the de-duplicated security policy group is then split into a plurality of security policies, and all split-out security policies are traversed to determine the policy redundancy relations.
Referring to Fig. 1, a flow chart of a policy redundancy detection method shown in the application: the subject executing this embodiment is a security device on which a number of security policy groups are pre-configured, where each security policy group consists of several preset fields and each preset field corresponds to a number of object groups to be matched. The method includes the following steps:
Step 101: expanding the pre-configured object groups of each preset field in the target security policy group separately, and merging the redundant objects obtained after expansion.
Step 102: after the redundant objects have been merged, splitting the target security policy group into a number of security policies based on the number of object groups corresponding to each preset field in the target security policy group, where each preset field of each of those security policies corresponds to exactly one object group.
Step 103: traversing the split-out security policies and detecting the redundant security policies among them based on a preset strategy.
As described above, because one preset field inside the same security policy group corresponds to multiple object groups, and the representation formats of those object groups may differ, the objects in the object groups may repeat. Therefore, when detecting security policy redundancy, the redundancy inside the same security policy group is removed first.
Specifically, in the embodiments of the application, when removing redundancy inside a target security policy group, the security device first expands the pre-configured object groups of each preset field in the target security policy group separately, obtaining the multiple objects in each object group.
In one embodiment shown, the security device expands the multiple IP object groups pre-configured in each IP field of the target security policy group separately, thereby obtaining the multiple IP objects in each IP object group.
Referring to Fig. 2, a schematic structural diagram of a security policy group shown in the application: as shown in Fig. 2, the preset fields of a security policy group can include source IP, destination IP, service, action and other information, where service includes the protocol number, the source port and the destination port.
The source IP field can contain multiple IP object groups, and each IP object group can contain multiple IP objects. The security device expands the IP object groups in the source IP field separately to obtain the IP objects. As shown in Fig. 2, expanding IP object group 1-1 gives IP objects 1-1-1, 1-1-2, 1-1-3 ... 1-1-m; expanding IP object group 1-n gives IP objects 1-n-1, 1-n-2, 1-n-3 ... 1-n-m. There can be further IP object groups between IP object group 1-1 and IP object group 1-n, which are expanded in the same way into multiple IP objects.
Note that the IP object groups and IP objects in Fig. 2 only illustrate the expansion process of IP object groups; they are not the actual representation of IP object groups and IP objects. Taking an actual IP object group as an example, expanding the IP object group 192.168.1.1-192.168.1.10 gives the IP objects 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5, 192.168.1.6, 192.168.1.7, 192.168.1.8, 192.168.1.9 and 192.168.1.10.
Besides expanding the multiple IP object groups in the source IP field of the target security policy group into multiple IP objects, the security device can expand the multiple IP object groups in the destination IP field in the same way to obtain multiple IP objects.
In addition, the security device can expand the object groups in the other preset fields to obtain multiple objects. Still taking Fig. 2 as an example, the security device expands the object group Service Object 1 in the service field into multiple service objects, including (Protocol 1-1; Sport 1-1; Dport 1-1).
In the embodiments of the application, after the security device has expanded the object groups to be matched of each preset field in the target security policy group separately and obtained the multiple objects, it can merge the redundant objects in each preset field, achieving the removal of redundancy inside the security policy group; the security device then has a de-duplicated target security policy group.
In one embodiment shown, the security device merges identical IP objects among the multiple IP objects obtained by expanding each IP field of the target security policy group, thereby removing redundancy in the IP fields.
For example: the source IP field contains IP object group 192.168.1.1-192.168.1.10 and IP object group 192.168.1.8-192.168.1.20. Expanding IP object group 192.168.1.1-192.168.1.10 gives the IP objects 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5, 192.168.1.6, 192.168.1.7, 192.168.1.8, 192.168.1.9 and 192.168.1.10;
expanding IP object group 192.168.1.8-192.168.1.20 gives the IP objects 192.168.1.8, 192.168.1.9, 192.168.1.10, 192.168.1.11, 192.168.1.12, 192.168.1.13, 192.168.1.14, 192.168.1.15, 192.168.1.16, 192.168.1.17, 192.168.1.18, 192.168.1.19 and 192.168.1.20;
the security device merges the redundant IP objects 192.168.1.8, 192.168.1.9 and 192.168.1.10 that appear in both IP object groups.
Referring to Fig. 3, a schematic structural diagram of another security policy group shown in the application: as shown in Fig. 3, after redundancy inside the security policy group has been removed, every object corresponding to each preset field is unique.
After merging the redundant objects in each preset field of the target security policy group, the security device obtains new object groups, and the number of new object groups is reduced compared with the number of object groups before redundancy removal.
For example, merging the IP object groups 192.168.1.1-192.168.1.10 and 192.168.1.8-192.168.1.20 in the source IP field yields a new IP object group 192.168.1.1-192.168.1.20 in the source IP field of the target security policy group.
In one embodiment shown, after merging identical IP objects in each IP field of the target security policy group and obtaining new IP object groups, the security device can convert the new IP object groups into a standard representation format, so that the IP object groups in each IP field can later be compared more easily between different security policies.
Among the representation formats of IP object groups, on the one hand, converting an IP object group in IP + wildcard format into IP range format generally produces multiple IP object groups in IP range format from a single IP object group in IP + wildcard format.
Therefore, converting the IP + wildcard IP object groups in the source IP field or destination IP field into IP range format increases the number of IP object groups in the field. As the number of IP object groups in the IP fields increases, the IP policy entries inside the target security policy group expand. If the number of IP policy entries inside the target security policy group becomes too large, the subsequent comparison of the IP object groups of each IP field between security policies involves an excessive workload.
On the other hand, converting the IP range IP object groups inside the target security policy group into IP + wildcard format expands the IP policy entries inside the target security policy group less.
Therefore, the security device can uniformly convert the IP object groups in each IP field of the target security policy group into the IP + wildcard representation format. With this measure, the security device can subsequently compare the IP object groups inside each security policy more easily.
In the embodiments of the application, after removing redundancy inside the target security policy group and converting the IP object groups in each IP field into the IP + wildcard representation format, the security device can, in order to detect the redundancy relations between security policies more easily later, split the target security policy group into a number of security policies based on the number of object groups corresponding to each preset field in the target security policy group.
The security device can add to each split-out security policy a policy identifier together with the policy group identifier of the target security policy group, so that the policy redundancy relations can later be recorded based on the policy identifier and the policy group identifier of the target security policy group.
Note that each preset field of each split-out security policy corresponds to exactly one object group. Still taking Fig. 3 as an example, if the source IP field of the de-duplicated target security policy group contains x IP object groups, the destination IP field contains y IP object groups, and the service field contains z service object groups (protocol object groups), then when the security device splits the target security policy group according to the number of object groups corresponding to each preset field, the total number of resulting security policies is m = x*y*z.
In the embodiments of the application, after the security device has removed redundancy inside all locally pre-configured security policy groups in the manner above and split them into a number of security policies, it can traverse all split-out security policies and detect the redundant security policies among them based on a preset strategy.
In one embodiment shown, before detecting the redundant security policies, the security device can first sort all security policies based on the default priority of their corresponding security policy groups.
In addition, to make the object groups of each preset field easier to compare between security policies later, the security device can expand any multi-level structure in the security policies. For example, the service field can be expanded into a protocol number field, a source port field and a destination port field.
Referring to Fig. 4, a schematic structural diagram of a security policy shown in the application: as shown in Fig. 4, the security device expands all pre-configured security policy groups into n security policies in total. The security policies split from a security policy group inherit the priority of that security policy group, so the security policies with a high priority can be placed first. The relative order of the security policies split from the same security policy group has no effect on the subsequent redundancy detection and can be arbitrary.
The security device can write the policy identifier added to each security policy, and the policy group identifier of the security policy group it belongs to, into the Other Information field; as shown in Fig. 4, INFO1 records the policy identifier of the security policy placed first and the policy group identifier of its corresponding security policy group.
After all pre-configured security policy groups have been split into security policies and all security policies have been sorted by their corresponding priority, the security device can select each security policy in turn as the target security policy, starting from the first, and match the target security policy against the other security policies.
For example, still taking Fig. 4, after the first security policy has been selected as the target security policy, the security device compares each preset field of the first security policy (except the action field) with the corresponding preset field of the second security policy, checking whether the object group in each preset field of the first security policy completely covers the object group in the corresponding preset field of the second security policy, that is, whether SIP1, DIP1, PROTOCOL1, SPORT1 and DPORT1 respectively cover SIP2, DIP2, PROTOCOL2, SPORT2 and DPORT2;
if the object group of any preset field of the first security policy does not cover the object group of that preset field of the second security policy, the first security policy does not contain the second security policy, and no action is taken;
if the object group of each preset field of the first security policy covers the object group of the corresponding preset field of the second security policy, the first security policy contains the second security policy; because the priority of the security policy group corresponding to the first security policy is higher than the priority of the security policy group corresponding to the second security policy, the second security policy can never be matched, and the policy redundancy relation between the first security policy and the second security policy can be recorded;
after comparing the object groups of each preset field of the first security policy with those of the second security policy, the security device continues to match the first security policy against the third security policy, and so on until the first security policy has been matched against the nth security policy; it then selects the second security policy as the target security policy and matches it against the other security policies in the same way, until the process of matching with the nth security policy as the target security policy is complete.
After completing the comparisons between all security policies, the security device can determine the policy redundancy relations between all security policies, and thereby obtain the policy redundancy relations between all pre-configured security policy groups.
The policy redundancy relation can be recorded as an association between the policy identifier and policy group identifier of the higher-priority security policy and the policy identifier and policy group identifier of the lower-priority security policy.
For example, suppose the policy group identifier of one security policy group is A and that group splits into two security policies with policy identifiers 1 and 2, and the policy group identifier of another security policy group is B and that group splits into three security policies with policy identifiers 1, 2 and 3. If the security device detects that the object group of each preset field of the first security policy of group A covers the object group of each preset field of the second security policy of group B, the policy redundancy relation can be recorded as (A-1; B-2), with the higher-priority security policy group written first, meaning that the first security policy of group A and the second security policy of group B are redundant with each other: the second security policy of group B is a redundant security policy and cannot be matched.
After the security device has detected the policy redundancy relations among the security policies, the user can handle the redundant security policies based on the policy redundancy relations recorded by the security device.
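As a second added example (again not the patent's code), the following Python implements Steps 102 and 103 as described above: each de-duplicated policy group is split into the Cartesian product of its per-field object groups (m = x*y*z policies, each tagged with its policy and group identifiers), the policies are sorted by group priority, and every policy is checked field by field (action excluded) for covering a lower-priority one, with hits recorded in the page's (A-1; B-2) form. The group dicts, the cidr helper, object groups modelled as address sets, and the rule that a lower priority number is matched first are my assumptions.

```python
import itertools
import ipaddress

# Preset fields compared during detection; the action field is deliberately excluded.
FIELDS = ("sip", "dip", "protocol", "sport", "dport")
ANY = None  # an "unrestricted" field, as in "destination IP unrestricted"


def cidr(prefix):
    """Constructed helper: an IP object group as the frozenset of its addresses."""
    return frozenset(int(a) for a in ipaddress.IPv4Network(prefix))


def covers(a, b):
    """True when object group a covers object group b (ANY covers everything,
    and only ANY covers ANY)."""
    if a is ANY:
        return True
    if b is ANY:
        return False
    return a >= b  # superset test on the expanded objects


def split_group(group):
    """Step 102: split one de-duplicated policy group into single-object policies.

    Each split policy carries a 1-based policy id plus the group id and the
    group's priority, i.e. the "other information" of Fig. 4."""
    per_field = [group["fields"].get(f) or [ANY] for f in FIELDS]
    policies = []
    for pid, combo in enumerate(itertools.product(*per_field), start=1):
        policy = dict(zip(FIELDS, combo))
        policy.update(gid=group["gid"], pid=pid,
                      priority=group["priority"], action=group["action"])
        policies.append(policy)
    return policies


def detect_redundancy(groups):
    """Step 103: return redundancy relations as (higher-priority id, shadowed id)."""
    # Lower priority number = matched first (assumption); sorted() is stable, so
    # policies split from the same group keep their arbitrary relative order.
    policies = sorted((p for g in groups for p in split_group(g)),
                      key=lambda p: p["priority"])
    relations = []
    for i, target in enumerate(policies):
        for other in policies[i + 1:]:
            # Policies split from one group share a priority, so neither can
            # shadow the other; only a strictly higher-priority policy can.
            if other["priority"] <= target["priority"]:
                continue
            if all(covers(target[f], other[f]) for f in FIELDS):
                relations.append((f"{target['gid']}-{target['pid']}",
                                  f"{other['gid']}-{other['pid']}"))
    return relations


# Constructed sample groups mirroring the A/B example in the description:
# group A splits into two policies, group B into three (x=2 and x=3, y=z=1).
GROUP_A = {"gid": "A", "priority": 1, "action": "drop",
           "fields": {"sip": [cidr("192.168.0.0/16"), cidr("172.16.0.0/16")]}}
GROUP_B = {"gid": "B", "priority": 2, "action": "permit",
           "fields": {"sip": [cidr("10.0.0.0/24"), cidr("192.168.1.0/24"),
                              cidr("172.16.5.0/24")]}}

if __name__ == "__main__":
    for hi, lo in detect_redundancy([GROUP_A, GROUP_B]):
        print(f"({hi}; {lo}): {lo} can never be matched")  # (A-1; B-2), (A-2; B-3)
```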
In summary, in the embodiments of this application, the security device can expand the pre-configured object groups of each preset field in a target security policy group and merge the redundant objects obtained after expansion. Once the redundant objects have been merged, the device can split the target security policy group into a number of security policies based on the number of object groups corresponding to each preset field in the target security policy group, such that each preset field of each resulting security policy corresponds to a unique object group. It then traverses the security policies obtained by the split and detects the redundant security policies among them based on a preset strategy.
Because, in this application, a target security policy group may contain several object groups to be matched, the internal structure of the target security policy group is reorganized by de-duplicating it internally and splitting it into security policies in which each preset field corresponds to a unique object group, after which policy redundancy detection is performed on each security policy produced by the split. This simplifies policy redundancy detection, improves the maintainability of the security device, and improves the efficiency of policy redundancy detection.
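The procedure summarized above (expand and merge the object groups of each field, split the group into policies with one object per field, sort by priority, then record which higher-priority policy contains which lower-priority one), as an added example in Python that is not part of the patent. The group names, object values and the use of CIDR prefixes in place of the patent's IP-plus-wildcard standard format are constructed assumptions.

```python
import ipaddress
from itertools import product

FIELDS = ("src", "dst", "service")   # the "preset fields" of a policy group
# Constructed sample object groups (hypothetical names); groups may nest.
GROUPS = {
    "g_branch": ["10.1.0.0/16", "g_lab"],  # g_lab lies inside 10.1.0.0/16
    "g_lab": ["10.1.2.0/24"],
    "g_dmz": ["192.168.1.0/24"],
    "g_web": ["192.168.1.10/32"],
    "svc_web": ["tcp/80", "tcp/443"],
    "svc_http": ["tcp/80"],
}

def covers(a, b):
    """True if object a matches everything that object b matches."""
    if a == "any" or a == b:
        return True
    try:   # IP objects: b must be a sub-prefix of a (CIDR stands in for IP+wildcard)
        return ipaddress.ip_network(b, strict=False).subnet_of(
            ipaddress.ip_network(a, strict=False))
    except (ValueError, TypeError):   # not comparable IP objects (service, ...)
        return False

def expand(names):
    """Expand nested groups to leaf objects and merge the redundant ones."""
    leaves = []
    for m in names:
        leaves.extend(expand(GROUPS[m]) if m in GROUPS else [m])
    uniq = list(dict.fromkeys(leaves))       # drop exact duplicates, keep order
    # drop an object covered by another one; on mutual coverage keep the first
    return [o for i, o in enumerate(uniq)
            if not any(covers(p, o) and (j < i or not covers(o, p))
                       for j, p in enumerate(uniq) if j != i)]

def split(gid, group):
    """Split a policy group into policies with exactly one object per field."""
    combos = product(*(expand(group[f]) for f in FIELDS))
    return [(f"{gid}-{n}", combo) for n, combo in enumerate(combos, 1)]

def detect(groups):
    """Sort groups by priority, split them, and record (shadowing, redundant) ids."""
    policies = []
    for gid, _prio, group in sorted(groups, key=lambda g: g[1]):
        policies.extend(split(gid, group))
    found = []
    for i, (pid, p) in enumerate(policies):
        for qid, q in policies[i + 1:]:          # only lower-priority policies
            if all(covers(a, b) for a, b in zip(p, q)):
                found.append((pid, qid))         # q can never be matched
    return found

# Constructed sample: group A (priority 1) and group B (priority 2)
SAMPLE = [
    ("A", 1, {"src": ["g_branch"], "dst": ["g_dmz"], "service": ["svc_web"]}),
    ("B", 2, {"src": ["g_lab"], "dst": ["g_web"], "service": ["svc_http"]}),
]
# detect(SAMPLE) -> [('A-1', 'B-1')]
```

Group A splits into two policies (tcp/80 and tcp/443) and group B into one; only A-1 covers B-1 on every field, so B-1 is the redundant policy.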
Corresponding to the foregoing embodiments of the method for detecting policy redundancy, this application also provides embodiments of an apparatus for detecting policy redundancy.
Fig. 5 is a block diagram of an embodiment of the apparatus for detecting policy redundancy shown in this application.
As shown in Fig. 5, the apparatus 50 for detecting policy redundancy includes:
A merging unit 510, configured to expand the pre-configured object groups of each preset field in the target security policy group and to merge the redundant objects obtained after expansion.
A splitting unit 520, configured to, after the redundant objects have been merged, split the target security policy group into a number of security policies based on the number of object groups corresponding to each preset field in the target security policy group, where each preset field of each of these security policies corresponds to a unique object group.
A detection unit 530, configured to traverse the security policies obtained by the split and to detect the redundant security policies among them based on a preset strategy.
In this example, the apparatus further includes:
A conversion unit 540, configured to convert the IP object groups in the target security policy group to a standard presentation format after the redundant objects have been merged.
In this example, the standard presentation format is an IP-plus-wildcard presentation format.
In this example, the detection unit 530 is further configured to:
select each of the security policies in turn as the target security policy;
match the target security policy against the other security policies; and
if the target security policy contains any other security policy, record the redundancy relationship between the target security policy and that other security policy.
In this example, the apparatus further includes:
A sorting unit 550, configured to sort the security policies by the priority of each security policy before the redundant security policies among them are detected based on the preset strategy.
The embodiments of the apparatus for detecting policy redundancy of this application can be applied on a security device. The apparatus embodiments can be implemented in software, or in hardware, or in a combination of hardware and software. Taking software implementation as an example, the apparatus, as a logical apparatus, is formed by the processor of the security device on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. From a hardware perspective, Fig. 6 shows a hardware structure diagram of the security device on which the apparatus for detecting policy redundancy of this application resides; in addition to the processor, memory, network interface and non-volatile memory shown in Fig. 6, the security device on which the apparatus resides in the embodiments may generally also include other hardware according to the actual function of the apparatus for detecting policy redundancy, which is not described further here.
For details of the functions and effects of each unit in the above apparatus, refer to the implementation of the corresponding steps in the above method; they are not repeated here.
Since the apparatus embodiments substantially correspond to the method embodiments, the relevant parts may be understood by reference to the description of the method embodiments. The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed across multiple network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this application. Those of ordinary skill in the art can understand and implement them without creative effort.
The foregoing are merely preferred embodiments of this application and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of this application shall fall within the scope of protection of this application.
Claims (10)
1. A method for detecting policy redundancy, applied to a security device on which a number of security policy groups are pre-configured, wherein each security policy group is made up of a number of preset fields and each preset field corresponds to a number of object groups to be matched, the method comprising:
expanding the pre-configured object groups of each preset field in a target security policy group and merging the redundant objects obtained after expansion;
after the redundant objects have been merged, splitting the target security policy group into a number of security policies based on the number of object groups corresponding to each preset field in the target security policy group, wherein each preset field of each of the security policies corresponds to a unique object group; and
traversing the security policies obtained by the split and detecting the redundant security policies among them based on a preset strategy.
2. The method according to claim 1, further comprising:
after the redundant objects have been merged, converting the IP object groups in the target security policy group to a standard presentation format.
3. The method according to claim 2, wherein the standard presentation format is an IP-plus-wildcard presentation format.
4. The method according to claim 1, wherein detecting the redundant security policies among the security policies based on the preset strategy comprises:
selecting each of the security policies in turn as a target security policy;
matching the target security policy against the other security policies; and
if the target security policy contains any other security policy, recording the redundancy relationship between the target security policy and that other security policy.
5. The method according to claim 4, further comprising:
before detecting the redundant security policies among the security policies based on the preset strategy, sorting the security policies by the priority of each security policy.
6. An apparatus for detecting policy redundancy, applied to a security device on which a number of security policy groups are pre-configured, wherein each security policy group is made up of a number of preset fields and each preset field corresponds to a number of object groups to be matched, the apparatus comprising:
a merging unit, configured to expand the pre-configured object groups of each preset field in a target security policy group and to merge the redundant objects obtained after expansion;
a splitting unit, configured to, after the redundant objects have been merged, split the target security policy group into a number of security policies based on the number of object groups corresponding to each preset field in the target security policy group, wherein each preset field of each of the security policies corresponds to a unique object group; and
a detection unit, configured to traverse the security policies obtained by the split and to detect the redundant security policies among them based on a preset strategy.
7. The apparatus according to claim 6, further comprising:
a conversion unit, configured to convert the IP object groups in the target security policy group to a standard presentation format after the redundant objects have been merged.
8. The apparatus according to claim 7, wherein the standard presentation format is an IP-plus-wildcard presentation format.
9. The apparatus according to claim 6, wherein the detection unit is further configured to:
select each of the security policies in turn as a target security policy;
match the target security policy against the other security policies; and
if the target security policy contains any other security policy, record the redundancy relationship between the target security policy and that other security policy.
10. The apparatus according to claim 9, further comprising:
a sorting unit, configured to sort the security policies by the priority of each security policy before the redundant security policies among them are detected based on the preset strategy.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710296150.5A CN107094143B (en) | 2017-04-28 | 2017-04-28 | Method and device for detecting policy redundancy |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107094143A true CN107094143A (en) | 2017-08-25 |
CN107094143B CN107094143B (en) | 2020-08-04 |
Family
ID=59638663
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710296150.5A Active CN107094143B (en) | 2017-04-28 | 2017-04-28 | Method and device for detecting policy redundancy |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107094143B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6826698B1 (en) * | 2000-09-15 | 2004-11-30 | Networks Associates Technology, Inc. | System, method and computer program product for rule based network security policies |
CN101753369A (en) * | 2008-12-03 | 2010-06-23 | 北京天融信网络安全技术有限公司 | Method and device for detecting firewall rule conflict |
CN104270384A (en) * | 2014-10-20 | 2015-01-07 | 山石网科通信技术有限公司 | Fire wall policy redundancy detection method and device |
CN104735026A (en) * | 2013-12-19 | 2015-06-24 | 华为技术有限公司 | Security strategy control method and device |
CN106230736A (en) * | 2016-07-19 | 2016-12-14 | 东软集团股份有限公司 | A kind of merging method and device of network access policies |
- 2017-04-28 CN CN201710296150.5A patent/CN107094143B/en active Active
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108768879A (en) * | 2018-04-26 | 2018-11-06 | 新华三信息安全技术有限公司 | A kind of policy priority grade method of adjustment and device |
CN108768879B (en) * | 2018-04-26 | 2022-04-22 | 新华三信息安全技术有限公司 | Method and device for adjusting policy priority |
CN109413019A (en) * | 2018-04-28 | 2019-03-01 | 武汉思普崚技术有限公司 | A kind of firewall policy optimizing check method and device |
CN110113356A (en) * | 2019-05-22 | 2019-08-09 | 北京明朝万达科技股份有限公司 | A kind of data monitoring method and device |
CN111708733A (en) * | 2020-05-28 | 2020-09-25 | 浪潮电子信息产业股份有限公司 | Policy detection method, system, equipment and computer readable storage medium |
CN113691522A (en) * | 2021-08-20 | 2021-11-23 | 北京天融信网络安全技术有限公司 | Data traffic processing method and device, electronic equipment and storage medium |
CN114039853A (en) * | 2021-11-15 | 2022-02-11 | 北京天融信网络安全技术有限公司 | Method, device, storage medium and electronic equipment for detecting security policy |
CN114039853B (en) * | 2021-11-15 | 2024-02-09 | 天融信雄安网络安全技术有限公司 | Method and device for detecting security policy, storage medium and electronic equipment |
CN114389897A (en) * | 2022-03-18 | 2022-04-22 | 苏州市卫生计生统计信息中心 | IT infrastructure security policy centralized management and control optimization method |
CN114389897B (en) * | 2022-03-18 | 2022-06-10 | 苏州市卫生计生统计信息中心 | IT infrastructure security policy centralized management and control optimization method |
Also Published As
Publication number | Publication date |
---|---|
CN107094143B (en) | 2020-08-04 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||