CN107094143B - Method and device for detecting policy redundancy - Google Patents


Info

Publication number: CN107094143B
Application number: CN201710296150.5A
Authority: CN (China)
Prior art keywords: security, policy, security policy, group, redundant
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN107094143A (en)
Inventor: 袁野
Current Assignee: Hangzhou DPTech Technologies Co Ltd
Original Assignee: Hangzhou DPTech Technologies Co Ltd
Events: application filed by Hangzhou DPTech Technologies Co Ltd; priority to CN201710296150.5A; publication of CN107094143A; application granted; publication of CN107094143B; legal status Active; anticipated expiration

Classifications

    • H04L63/0263 Rule management (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L63/0227 Filtering policies)
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a method and a device for detecting policy redundancy. The method comprises the following steps: expanding, for each preset field of a target security policy group, the object groups preconfigured for that field, and merging the redundant objects revealed by the expansion; after the redundant objects are merged, splitting the target security policy group into a plurality of security policies based on the number of object groups corresponding to each preset field of the target security policy group, so that each preset field of each resulting security policy corresponds to exactly one object group; and traversing the split security policies and detecting redundant security policies among them according to a preset rule. With this technical scheme, redundant security policies can be detected effectively, so that the user can deal with them, and both the maintainability of the security device and the efficiency of policy redundancy detection are improved.

Description

Method and device for detecting policy redundancy
Technical Field
The present application relates to the field of information security, and in particular, to a method and an apparatus for detecting policy redundancy.
Background
A security device processes received packets according to the security policies configured by the user. The configured security policies are numerous, often tens of thousands of entries. When the security device matches a packet against the security policies, the policy placed earlier in the list is matched first, according to the priority of the security policies.
However, because the security policies accumulate over a long time and are numerous, users often cannot tell whether they contain redundancy. For example, policy 1, which has the highest priority, is source IP 192.168.0.0/16, destination IP unrestricted, action drop; a newly added policy 2 is source IP 192.168.1.0/24, destination IP unrestricted, action pass. If policy 2 is ordered after policy 1, policy 2 can never take effect, because every packet it would match has already been dropped by policy 1.
Real rules are more complex than this example, so when a user maintains the security device and checks the security policies for redundancy, the workload is huge and the detection efficiency is low.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for detecting policy redundancy, which quickly and effectively detect redundant security policies among the configured security policies and improve the maintainability of the security device and the efficiency of policy redundancy detection.
Specifically, this is achieved by the following technical scheme:
A policy redundancy detection method, applied to a security device, wherein the security device is preconfigured with a plurality of security policy groups, each security policy group consists of a plurality of preset fields, and each preset field corresponds to a plurality of object groups to be matched; the method comprises the following steps:
expanding, for each preset field in a target security policy group, the object groups preconfigured for that field, and merging the redundant objects obtained by the expansion;
after the redundant objects are merged, splitting the target security policy group into a plurality of security policies based on the number of object groups corresponding to each preset field in the target security policy group, each preset field of each of the plurality of security policies corresponding to exactly one object group; and
traversing the split security policies and detecting redundant security policies among them according to a preset rule.
In the policy redundancy detection method, the method further comprises:
after the redundant objects are merged, converting the IP object groups in the target security policy group into a standard representation format.
In the policy redundancy detection method, the standard representation format is the IP + wildcard representation format.
In the policy redundancy detection method, detecting redundant security policies among the plurality of security policies according to a preset rule comprises:
selecting each of the plurality of security policies in turn as the target security policy;
matching the target security policy against the other security policies; and
if the target security policy contains any other security policy, recording the redundancy relation between the target security policy and that other security policy.
In the policy redundancy detection method, the method further comprises:
before detecting redundant security policies among the plurality of security policies according to the preset rule, sorting the plurality of security policies based on the priority of each security policy.
A policy redundancy detection device, applied to a security device, wherein the security device is preconfigured with a plurality of security policy groups, each security policy group consists of a plurality of preset fields, and each preset field corresponds to a plurality of object groups to be matched; the device comprises:
a merging unit, configured to expand, for each preset field in a target security policy group, the object groups preconfigured for that field, and to merge the redundant objects obtained by the expansion;
a splitting unit, configured to split, after the redundant objects are merged, the target security policy group into a plurality of security policies based on the number of object groups corresponding to each preset field in the target security policy group, each preset field of each of the plurality of security policies corresponding to exactly one object group; and
a detection unit, configured to traverse the split security policies and detect redundant security policies among them according to a preset rule.
In the policy redundancy detection device, the device further comprises:
a conversion unit, configured to convert the IP object groups in the target security policy group into a standard representation format after the redundant objects are merged.
In the policy redundancy detection device, the standard representation format is the IP + wildcard representation format.
In the policy redundancy detection device, the detection unit is further configured to:
select each of the plurality of security policies in turn as the target security policy;
match the target security policy against the other security policies; and
if the target security policy contains any other security policy, record the redundancy relation between the target security policy and that other security policy.
In the policy redundancy detection device, the device further comprises:
a sorting unit, configured to sort the plurality of security policies based on the priority of each security policy before redundant security policies among them are detected according to the preset rule.
In the embodiments of the application, the security device expands, for each preset field in a target security policy group, the object groups preconfigured for that field, and merges the redundant objects revealed by the expansion; once the redundant objects are merged, it splits the target security policy group into a plurality of security policies based on the number of object groups corresponding to each preset field in the target security policy group, each preset field of each of these security policies corresponding to exactly one object group; it then traverses the split security policies and detects redundant security policies among them according to a preset rule.
In other words, when a target security policy group contains a plurality of object groups to be matched, the security device reorganises the internal structure of the target security policy group by removing the redundancy inside it, splits the target security policy group into a plurality of security policies each of whose preset fields corresponds to exactly one object group, and then performs policy redundancy detection on each split security policy. Policy redundancy detection is thereby simplified, and the maintainability of the security device and the efficiency of policy redundancy detection are improved.
Drawings
FIG. 1 is a flow chart of a method of detecting policy redundancy shown in the present application;
FIG. 2 is a schematic diagram of a security policy group structure shown in the present application;
FIG. 3 is a schematic diagram of another security policy group configuration shown in the present application;
FIG. 4 is a schematic diagram illustrating the structure of a security policy shown in the present application;
FIG. 5 is a block diagram of an embodiment of a policy redundancy detection apparatus shown in the present application;
FIG. 6 is a hardware configuration diagram of a policy redundancy detection apparatus according to the present application.
Detailed Description
In order to make the technical solutions in the embodiments of the present invention better understood and to make the above objects, features and advantages of the embodiments more comprehensible, the prior art and the technical solutions in the embodiments of the present invention are described below with reference to the accompanying drawings.
A user generally configures security policies on the security device according to the attack sources and attack methods observed in the network, and the security device processes received packets based on those security policies. As attack sources and attack methods change, the number of security policies added to the security device keeps growing and often reaches tens of thousands.
When the security device applies the security policies, the security policy with the higher priority is chosen to match a received packet. A user often does not fully know all the security policies configured earlier, so a newly added security policy may never be matched because of its priority, which results in policy redundancy.
Since the security policies accumulate over a long time and the number of entries is large, policy redundancy is inevitable. For example, policy 1, which has the highest priority, is source IP 192.168.0.0/16, destination IP unrestricted, action drop; a newly added policy 2 is source IP 192.168.1.0/24, destination IP unrestricted, action pass. If policy 2 is ordered after policy 1, policy 2 can never take effect.
In practice policy redundancy is more complicated. For example, when a security policy is configured, the source IP may refer to more than one IP object or IP object group; an IP object group may be written in a representation format such as IP + mask, IP range or IP + wildcard; and the IP objects contained in different IP object groups may duplicate or intersect one another. The same applies to the other preset fields of a security policy, such as destination IP, protocol and port number. When each preset field of one security policy corresponds to a plurality of object groups to be matched, that security policy can be regarded as a security policy group.
Therefore, when a user maintains the security device and checks the security policies for redundancy, many repeated checks occur, the workload is huge and the detection efficiency is low.
To solve this problem, in the embodiments of the present application the redundancy among the object groups of each preset field inside each security policy group is removed first, the de-duplicated security policy group is split into a plurality of security policies, and then all the split security policies are traversed to determine the policy redundancy relations.
Referring to FIG. 1, which is a flowchart of the policy redundancy detection method shown in the present application, the execution subject of this embodiment is a security device. The security device is preconfigured with a plurality of security policy groups, each security policy group consists of a plurality of preset fields, and each preset field corresponds to a plurality of object groups to be matched. The method comprises the following steps:
Step 101: expand, for each preset field in the target security policy group, the object groups preconfigured for that field, and merge the redundant objects obtained by the expansion.
Step 102: after the redundant objects are merged, split the target security policy group into a plurality of security policies based on the number of object groups corresponding to each preset field in the target security policy group, so that each preset field of each of the plurality of security policies corresponds to exactly one object group.
Step 103: traverse the split security policies and detect redundant security policies among them according to a preset rule.
As described above, one preset field in the same security policy group corresponds to a plurality of object groups, and those object groups may be written in different representation formats, so the objects in the object groups may duplicate one another. Therefore, before redundancy between security policies is detected, the redundancy inside the same security policy group may first be removed.
Specifically, in this embodiment, when the security device removes the internal redundancy of a target security policy group, it first expands the object groups preconfigured for each preset field in the target security policy group, obtaining the individual objects of each object group.
In one embodiment, the security device expands each of the IP object groups preconfigured for each IP field of the target security policy group, obtaining the IP objects of each IP object group.
Referring to FIG. 2, which is a schematic structural diagram of a security policy group shown in the present application, the preset fields of the security policy group may include source IP, destination IP, service, action and other information, where the service consists of a protocol number, a source port and a destination port.
The source IP field may contain a plurality of IP object groups, and each IP object group may contain a plurality of IP objects. The security device expands each IP object group in the source IP field into its IP objects. As shown in FIG. 2, IP object group 1-1 is expanded into IP objects 1-1-1, 1-1-2, 1-1-3 ... 1-1-m, and IP object group 1-n is expanded into IP objects 1-n-1, 1-n-2, 1-n-3 ... 1-n-m. Further IP object groups may exist between IP object group 1-1 and IP object group 1-n, and they are expanded in the same way.
It should be noted that the IP object groups and IP objects in FIG. 2 only illustrate the expansion process; actual IP object groups and IP objects are not shown in the figure. Taking an actual IP object group as an example, the IP object group 192.168.1.1-192.168.1.10 is expanded into the IP objects 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5, 192.168.1.6, 192.168.1.7, 192.168.1.8, 192.168.1.9 and 192.168.1.10.
Besides expanding the IP object groups in the source IP field of the target security policy group, the security device expands the IP object groups in the destination IP field in the same way to obtain their IP objects.
The security device may also expand the object groups of the other preset fields into their objects. Still taking FIG. 2 as an example, the security device expands the object group Service Object 1 in the service field into a plurality of service objects, including (Protocol 1-1; Sport 1-1; Dport 1-1).
In this embodiment, after the security device has expanded the object groups to be matched that are preconfigured for each preset field of the target security policy group and obtained their objects, it merges the redundant objects of each preset field so as to remove the redundancy inside the security policy group. At this point the security device holds the de-duplicated target security policy group.
In one embodiment, the security device merges identical IP objects among the expanded IP objects of each IP field of the target security policy group, thereby removing the redundancy in that IP field.
For example, the source IP field contains the IP object group 192.168.1.1-192.168.1.10 and the IP object group 192.168.1.8-192.168.1.20. Expanding the IP object group 192.168.1.1-192.168.1.10 gives the IP objects 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5, 192.168.1.6, 192.168.1.7, 192.168.1.8, 192.168.1.9 and 192.168.1.10;
expanding the IP object group 192.168.1.8-192.168.1.20 gives the IP objects 192.168.1.8, 192.168.1.9, 192.168.1.10, 192.168.1.11, 192.168.1.12, 192.168.1.13, 192.168.1.14, 192.168.1.15, 192.168.1.16, 192.168.1.17, 192.168.1.18, 192.168.1.19 and 192.168.1.20;
the security device merges the IP objects 192.168.1.8, 192.168.1.9 and 192.168.1.10, which occur in both IP object groups, keeping a single copy of each.
Referring to FIG. 3, which is a schematic structural diagram of another security policy group shown in the present application, after the redundancy inside the security policy group has been removed, every object of every preset field is unique.
After the security device has merged the redundant objects in each preset field of the target security policy group, new object groups are obtained, and the number of new object groups is smaller than the number of object groups before the redundancy was removed.
For example, after the IP object groups 192.168.1.1-192.168.1.10 and 192.168.1.8-192.168.1.20 in the source IP field are merged, a single new IP object group 192.168.1.1-192.168.1.20 appears in the source IP field of the target security policy group.
In one embodiment, after the security device has merged the identical IP objects in each IP field of the target security policy group and obtained the new IP object groups, it converts the new IP object groups into a standard representation format, so that the IP object groups in the IP fields of different security policies can be compared more conveniently.
Among the representation formats of IP object groups, on the one hand, converting an IP object group written as IP + wildcard into the IP range format generally yields a plurality of IP object groups in IP range format, because the address bits selected by a wildcard need not be contiguous.
Therefore, converting the IP object groups written as IP + wildcard in the source IP field or the destination IP field into IP ranges may increase the number of IP object groups in that field. As the number of IP object groups in an IP field grows, the number of IP policy entries in the target security policy group also grows, and if it becomes too large, the subsequent comparison of the IP object groups of the IP fields between security policies involves too much work.
On the other hand, converting the IP object groups written as IP ranges inside the target security policy group into the IP + wildcard format expands the IP policy entries inside the target security policy group less.
Therefore, the security device converts the IP object groups of every IP field of the target security policy group uniformly into the IP + wildcard representation format. With this measure, the security device can compare the IP object groups of different security policies more conveniently later.
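The expansion and merging of Step 101 and the conversion to the standard representation format, as an added example in Python that is not part of the patent or of any DPTech product. It parses the three IP object group formats the description names (IP + mask, IP range, IP + wildcard), merges their objects and renders the result as IP + wildcard. Two assumptions are made: only contiguous wildcard masks are handled, and the merge is done with aligned address blocks rather than by listing every address, which gives the same result as expanding to individual IP objects and deleting the repeats but also works for groups such as a /8 that cannot sensibly be materialised address by address.

```python
import ipaddress
from typing import Iterable, List

Net = ipaddress.IPv4Network


def parse_ip_object_group(text: str) -> List[Net]:
    """Parse one IP object group written as IP + mask ('192.168.1.0/24' or
    '192.168.1.0/255.255.255.0'), IP range ('192.168.1.1-192.168.1.10') or
    IP + wildcard ('192.168.1.0 0.0.0.255'). Assumption of this example: the
    wildcard has contiguous bits, so one group is one aligned block. A range is
    returned as the list of aligned blocks that cover it exactly."""
    text = text.strip()
    if "-" in text:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    if " " in text:
        ip, wildcard = text.split()
        # ipaddress reads a mask whose first field is zero as a host mask (wildcard).
        return [ipaddress.IPv4Network(f"{ip}/{wildcard}", strict=False)]
    return [ipaddress.IPv4Network(text, strict=False)]


def expand_and_merge(groups: Iterable[str]) -> List[Net]:
    """Step 101 for one IP field: expand every object group, then merge the
    redundant objects. collapse_addresses() drops duplicate blocks, absorbs
    blocks contained in other blocks and joins adjacent sibling blocks, so the
    result covers exactly the addresses of the union without repeats."""
    blocks = [n for g in groups for n in parse_ip_object_group(g)]
    return list(ipaddress.collapse_addresses(blocks))


def to_ip_wildcard(blocks: Iterable[Net]) -> List[str]:
    """Render the merged blocks in the IP + wildcard standard representation."""
    return [f"{n.network_address} {n.hostmask}" for n in blocks]


def address_count(blocks: Iterable[Net]) -> int:
    """Number of distinct IP objects the merged field matches."""
    return sum(n.num_addresses for n in blocks)


if __name__ == "__main__":
    # Constructed sample: the two overlapping ranges used in the description.
    src = expand_and_merge(["192.168.1.1-192.168.1.10", "192.168.1.8-192.168.1.20"])
    print(address_count(src), to_ip_wildcard(src))
```

The second range example is worth running: the merged source field covers the 20 addresses 192.168.1.1-192.168.1.20 as the description says, but because that range is not aligned it becomes six IP + wildcard entries, not one. The description's point that the IP + wildcard format expands less than the IP range format relies on wildcards with non-contiguous bits, which this example deliberately does not implement; a tool that only emits contiguous masks should expect some growth here.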
In this embodiment, after the security device has removed the redundancy inside the target security policy group and converted the IP object groups of each IP field into the IP + wildcard format, it splits the target security policy group into a plurality of security policies based on the number of object groups corresponding to each preset field, so that the redundancy relations between security policies can be detected more conveniently afterwards.
The security device may add a policy identifier, together with the policy group identifier of the target security policy group, to each split security policy, so that the policy redundancy relations can later be recorded in terms of the policy identifier and the policy group identifier.
It should be noted that each preset field of each split security policy corresponds to exactly one object group. Still referring to FIG. 3, if the source IP field of the de-duplicated target security policy group contains x IP object groups, the destination IP field contains y IP object groups and the service field contains z service object groups (protocol object groups), then the total number m of security policies obtained when the security device splits the target security policy group by the number of object groups of each preset field is m = x × y × z.
In this embodiment, after the security device has removed the internal redundancy of all locally preconfigured security policy groups by the above measures and split them into security policies, it traverses all the split security policies and detects redundant security policies among them according to the preset rule.
In one embodiment, before detecting redundant security policies, the security device first sorts all the security policies according to the preset priorities of the security policy groups they belong to.
In addition, to make the subsequent comparison of the object groups of the preset fields easier, the security device may flatten any multi-level structure in the security policies. For example, the service field may be expanded into a protocol number field, a source port field and a destination port field.
Referring to FIG. 4, which is a schematic structural diagram of a security policy shown in the present application, the security device expands all preconfigured security policy groups and obtains n security policies in total. The priority of a security policy split from a security policy group is that of the security policy group, so security policies with higher priority are placed earlier. The relative order of security policies split from the same security policy group has no influence on the subsequent redundancy detection, and they may be arranged arbitrarily.
The security device may write the policy identifier added to each security policy, and the policy group identifier of the security policy group it came from, into the "other information" field; as shown in FIG. 4, INFO1 records the policy identifier of the first security policy and the policy group identifier of its security policy group.
After all preconfigured security policy groups have been split into security policies and all security policies have been sorted by priority, the security device takes each security policy in turn, starting from the first, as the target security policy and matches it against the other security policies.
For example, still referring to FIG. 4, after the first security policy is selected as the target security policy, the security device compares the preset fields of the first security policy (except the action field) with the preset fields of the second security policy and checks whether the object group of each preset field of the first security policy completely covers the object group of the corresponding preset field of the second security policy, that is, whether SIP1, DIP1, PROTOCOL1, SPORT1 and DPORT1 cover SIP2, DIP2, PROTOCOL2, SPORT2 and DPORT2 respectively;
if for any preset field the object group of the first security policy does not cover the object group of the second security policy, the first security policy does not contain the second security policy and nothing is done;
if the object group of every preset field of the first security policy covers the object group of the corresponding preset field of the second security policy, the first security policy contains the second security policy. Because the priority of the security policy group of the first security policy is higher than that of the security policy group of the second security policy, the second security policy can never be matched, and the policy redundancy relation between the first and second security policies is recorded;
after the object groups of all preset fields of the first security policy have been compared with those of the second security policy, the security device goes on to match the first security policy against the third security policy, and so on until the nth security policy. It then selects the second security policy as the target security policy and matches it against the other security policies in the same way, continuing until the matching with the nth security policy as the target security policy is complete.
When the comparisons between the security policies are finished, the security device has determined the policy redundancy relations between all the security policies, and hence the policy redundancy relations between all the preconfigured security policy groups.
A policy redundancy relation may be recorded as an association between the policy identifier and policy group identifier of the higher-priority security policy and the policy identifier and policy group identifier of the lower-priority security policy.
For example, suppose one security policy group has policy group identifier A and is split into two security policies with policy identifiers 1 and 2, and another security policy group has policy group identifier B and is split into three security policies with policy identifiers 1, 2 and 3. When the security device finds that the object group of every preset field of the first security policy of security policy group A covers the object group of the corresponding preset field of the second security policy of security policy group B, it records the policy redundancy relation as (A-1; B-2), with the higher-priority security policy written first. This means that the first security policy of security policy group A makes the second security policy of security policy group B redundant: the second security policy of security policy group B is a redundant security policy and can never be matched.
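Steps 102 and 103 end to end, as an added example in Python that is not part of the patent or of any DPTech product: a security policy group is split into x × y × z security policies carrying (policy group identifier, policy identifier), the split policies of all groups are sorted by the priority of their group, and each target policy is compared, action field excluded, with every policy ranked after it; a fully covered lower-priority policy is recorded as (higher; lower). Assumptions of this example: each IP object group has already been expanded and merged as in Step 101 and is given as a list of aligned address blocks; a service object is a (protocol, source port range, destination port range) triple, with the protocol "any" covering every protocol; and the sample groups and their priorities are constructed for the demonstration, modelled on the two policies of the background section.

```python
import ipaddress
from itertools import product
from typing import List, NamedTuple, Tuple

Net = ipaddress.IPv4Network
PortRange = Tuple[int, int]
Service = Tuple[str, PortRange, PortRange]   # (protocol, sport range, dport range)
ANY_PORT: PortRange = (0, 65535)


class PolicyGroup(NamedTuple):
    group_id: str
    priority: int             # smaller value = matched earlier
    src: List[List[Net]]      # x source IP object groups, each already merged (Step 101)
    dst: List[List[Net]]      # y destination IP object groups
    svc: List[Service]        # z service object groups
    action: str


class Policy(NamedTuple):
    group_id: str             # policy group identifier, as written to INFO
    policy_id: int            # policy identifier within the group, as written to INFO
    priority: int
    src: List[Net]
    dst: List[Net]
    svc: Service
    action: str


def split(group: PolicyGroup) -> List[Policy]:
    """Step 102: one security policy per combination of object groups,
    x * y * z policies in total, numbered 1..m inside the group."""
    combos = product(group.src, group.dst, group.svc)
    return [Policy(group.group_id, i, group.priority, s, d, v, group.action)
            for i, (s, d, v) in enumerate(combos, start=1)]


def ip_covers(a: List[Net], b: List[Net]) -> bool:
    """True when every address of b is in a. a is collapsed first, so a single
    subnet_of test per block of b suffices: an aligned block that lies inside
    the union of collapsed blocks lies inside one of them."""
    merged = list(ipaddress.collapse_addresses(a))
    return all(any(nb.subnet_of(na) for na in merged) for nb in b)


def svc_covers(a: Service, b: Service) -> bool:
    """Protocol 'any' covers every protocol; both port ranges must contain b's."""
    (pa, spa, dpa), (pb, spb, dpb) = a, b
    return ((pa == "any" or pa == pb)
            and spa[0] <= spb[0] and spb[1] <= spa[1]
            and dpa[0] <= dpb[0] and dpb[1] <= dpa[1])


def detect_redundancy(groups: List[PolicyGroup]) -> List[Tuple[str, str]]:
    """Step 103: sort split policies by group priority, take each as the target
    in turn and compare it (action excluded) with every policy ranked after it.
    A lower-priority policy whose source, destination and service are all
    covered can never be matched; record it as ('group-policy', 'group-policy')."""
    policies = sorted((p for g in groups for p in split(g)), key=lambda p: p.priority)
    relations = []
    for i, hi in enumerate(policies):
        for lo in policies[i + 1:]:
            if lo.group_id == hi.group_id:
                # After Step 101 the object groups of one field are pairwise
                # disjoint, so policies split from the same group cannot cover
                # each other and their relative order does not matter.
                continue
            if (ip_covers(hi.src, lo.src) and ip_covers(hi.dst, lo.dst)
                    and svc_covers(hi.svc, lo.svc)):
                relations.append((f"{hi.group_id}-{hi.policy_id}",
                                  f"{lo.group_id}-{lo.policy_id}"))
    return relations


def net(s: str) -> Net:
    return ipaddress.IPv4Network(s)


# Constructed sample: group A drops everything from 192.168.0.0/16; group B,
# ranked after it, permits HTTP and HTTPS from 192.168.1.0/24 and from 10.0.0.0/8.
SAMPLE_GROUPS = [
    PolicyGroup("A", 1, [[net("192.168.0.0/16")]], [[net("0.0.0.0/0")]],
                [("any", ANY_PORT, ANY_PORT)], "drop"),
    PolicyGroup("B", 2, [[net("192.168.1.0/24")], [net("10.0.0.0/8")]], [[net("0.0.0.0/0")]],
                [("tcp", ANY_PORT, (80, 80)), ("tcp", ANY_PORT, (443, 443))], "pass"),
]

if __name__ == "__main__":
    for hi, lo in detect_redundancy(SAMPLE_GROUPS):
        print(f"({hi}; {lo})")   # B-1 and B-2 are shadowed by A-1; B-3 and B-4 are not
```

Two practical remarks on what this pairwise test does and does not find. Leaving the action field out of the comparison is right: a lower-priority policy whose fields are fully covered is unreachable whatever its action, and the dangerous case for an operator is a deny that is shadowed by an earlier permit rather than the reverse. Pairwise containment does not, however, detect a policy that is shadowed only by the combination of several higher-priority policies, each covering part of it; that needs a set-difference over the accumulated higher-priority space rather than a one-to-one containment check, and the number of comparisons grows with the square of the number of split policies, so the x × y × z expansion of large groups should be watched.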
After the security device detects the policy redundancy relationship in the security policy, the user may process the redundant security policy based on the policy redundancy relationship recorded by the security device.
In summary, in the embodiments of the present application, the security device expands the object groups preconfigured in each preset field of the target security policy group and merges the redundant objects obtained by the expansion; after the redundant objects have been merged, the target security policy group is split into a plurality of security policies based on the number of object groups corresponding to each preset field, so that each preset field of each split security policy corresponds to exactly one object group; the split security policies are then traversed, and redundant security policies among them are detected based on a preset policy.
Thus, when a target security policy group contains a plurality of object groups to be matched, its internal structure is first reorganized by removing internal redundancy, the group is divided into security policies whose preset fields each correspond to a unique object group, and policy redundancy detection is then performed on each of the split security policies. This simplifies policy redundancy detection and improves both the maintainability of the security device and the efficiency of the detection.
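The following is an added example written for this page, not code from the patent or its applicant. It implements the pipeline summarized above for three assumed preset fields (source, destination, service): expand each object group and merge redundant objects, drop an object group that another object group of the same field already covers (the internal redundancy removal), split each group into policies with one object group per field, sort by group priority, and record (covering policy; redundant policy) pairs. IP object groups are compared in the IP + wildcard form of the converting unit, IPv4 only. The object syntax and the two sample groups A and B are constructed for the example.

```python
"""Added example: expand / merge / split / detect for security policy groups.
Written for this page, not taken from the patent. Field names, object syntax,
IPv4-only wildcard handling and the sample groups are assumptions."""
import ipaddress
import itertools
from collections import namedtuple

FIELDS = ("src", "dst", "service")  # assumed preset fields of a policy group


def expand_ip_group(objects):
    """Expand one IP object group (CIDRs or 'lo-hi' ranges) into networks and
    merge duplicate, overlapping and adjacent networks."""
    nets = []
    for obj in objects:
        if "-" in obj:
            lo, hi = (ipaddress.ip_address(x) for x in obj.split("-"))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(obj, strict=False))
    return frozenset(ipaddress.collapse_addresses(nets))


def to_ip_wildcard(net):
    """Standard representation: (address, wildcard); set wildcard bits are don't-care."""
    return int(net.network_address), int(net.hostmask)


def ip_covers(a, b):
    """a covers b iff b fixes every bit that a fixes and those bits agree (IPv4)."""
    (aa, aw), (ba, bw) = a, b
    fixed = 0xFFFFFFFF ^ aw
    return (bw & fixed) == 0 and (aa & fixed) == (ba & fixed)


def ip_group_covers(a, b):
    """Every network of b must lie inside some network of a."""
    return all(any(ip_covers(to_ip_wildcard(x), to_ip_wildcard(y)) for x in a) for y in b)


def expand_service_group(objects):
    """Expand 'tcp/80', 'udp/53-60' or 'any' into a frozenset of (proto, port);
    'any' is kept as the single wildcard tuple ('any', 0)."""
    ports = set()
    for obj in objects:
        if obj == "any":
            return frozenset({("any", 0)})
        proto, _, rng = obj.partition("/")
        lo, _, hi = rng.partition("-")
        ports.update((proto, p) for p in range(int(lo), int(hi or lo) + 1))
    return frozenset(ports)


def service_covers(a, b):
    return ("any", 0) in a or a >= b


EXPAND = {"src": expand_ip_group, "dst": expand_ip_group, "service": expand_service_group}
COVERS = {"src": ip_group_covers, "dst": ip_group_covers, "service": service_covers}

# ident is "<group id>-<index within group>" (e.g. "A-1"); fields holds one
# merged object group per preset field, in FIELDS order.
Policy = namedtuple("Policy", "ident fields")


def split_group(group_id, group):
    """Merging unit + splitting unit: merge redundant objects inside every field,
    drop an object group already covered by another object group of the same
    field (it matches nothing new), then emit one policy per combination."""
    per_field = []
    for f in FIELDS:
        merged = list(dict.fromkeys(EXPAND[f](objs) for objs in group[f]))
        per_field.append([og for i, og in enumerate(merged)
                          if not any(j != i and COVERS[f](other, og)
                                     for j, other in enumerate(merged))])
    return [Policy(f"{group_id}-{n}", combo)
            for n, combo in enumerate(itertools.product(*per_field), start=1)]


def policy_covers(p, q):
    return all(COVERS[f](a, b) for f, a, b in zip(FIELDS, p.fields, q.fields))


def detect_redundancy(groups):
    """Ranking unit + detecting unit. groups: [(group id, priority, {field: [object group, ...]})];
    a lower priority number is matched first. Returns [(covering ident, redundant ident)]."""
    policies = []
    for gid, _, group in sorted(groups, key=lambda g: g[1]):
        policies.extend(split_group(gid, group))
    found = []
    for i, target in enumerate(policies):
        for other in policies[i + 1:]:  # only lower-priority policies can be shadowed
            if policy_covers(target, other):
                found.append((target.ident, other.ident))
    return found


# Constructed sample: group A (priority 1) has three source object groups, the
# second contained in the first; group B (priority 2) has three destination
# object groups, the second of which lies inside A's destination object group.
SAMPLE_GROUPS = [
    ("A", 1, {"src": [["10.0.0.0/24", "10.0.1.0-10.0.1.255"], ["10.0.0.0/25"], ["10.9.0.0/16"]],
              "dst": [["192.168.1.0/24"]],
              "service": [["any"]]}),
    ("B", 2, {"src": [["10.0.1.16/28"]],
              "dst": [["172.16.0.0/16"], ["192.168.1.0/25"], ["192.168.2.0/24"]],
              "service": [["tcp/80", "tcp/443"]]}),
]

if __name__ == "__main__":
    print(detect_redundancy(SAMPLE_GROUPS))  # [('A-1', 'B-2')]
```

Running the block on the sample data yields the single relationship (A-1; B-2): group A collapses to two policies (its second source object group is swallowed by the first), group B splits into three, and only B-2 is covered in every field by the higher-priority A-1. Coverage is checked per field with the wildcard form, so a practitioner can swap in a different field set or matcher without touching the split or detection logic.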
Corresponding to the embodiments of the policy redundancy detection method, the present application also provides embodiments of a policy redundancy detection apparatus.
Referring to fig. 5, which is a block diagram of an embodiment of the policy redundancy detection apparatus of the present application:
As shown in fig. 5, the policy redundancy detection apparatus 50 includes:
a merging unit 510, configured to expand the object groups preconfigured in each preset field of the target security policy group and to merge the redundant objects obtained by the expansion;
a splitting unit 520, configured to split the target security policy group, after the redundant objects have been merged, into a plurality of security policies based on the number of object groups corresponding to each preset field of the target security policy group, each preset field of each of the plurality of security policies corresponding to a unique object group;
a detecting unit 530, configured to traverse the plurality of split security policies and detect redundant security policies among them based on a preset policy.
In this example, the apparatus further comprises:
a converting unit 540, configured to convert the IP object groups in the target security policy group into a standard representation format after the merging of redundant objects is completed.
In this example, the standard representation format is the IP + wildcard representation format.
In this example, the detecting unit 530 is further configured to:
sequentially select each of the plurality of security policies as the target security policy;
match the target security policy against the other security policies;
and, if the target security policy covers any other security policy, record the redundancy relationship between the target security policy and that other security policy.
In this example, the apparatus further comprises:
a ranking unit 550, configured to sort the plurality of security policies by the priority of each security policy before the redundant security policies among them are detected based on the preset policy.
The embodiments of the policy redundancy detection apparatus can be applied to a security device. The apparatus embodiments may be implemented by software, by hardware, or by a combination of the two. Taking a software implementation as an example, the apparatus is formed, as a logical means, by the processor of the security device on which it is located reading the corresponding computer program instructions from nonvolatile memory into memory and executing them. In terms of hardware, fig. 6 is a hardware structure diagram of the security device on which the policy redundancy detection apparatus is located; besides the processor, memory, network interface and nonvolatile memory shown in fig. 6, the security device may also include other hardware according to the actual function of the apparatus, which is not described again here.
The implementation of the functions and actions of each unit of the above apparatus is described in detail under the corresponding steps of the above method and is not repeated here.
Since the apparatus embodiments substantially correspond to the method embodiments, reference may be made to the description of the method embodiments for the relevant points. The apparatus embodiments described above are merely illustrative: the units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present application, and one of ordinary skill in the art can understand and implement them without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting it; any modification, equivalent replacement or improvement made within the spirit and principle of the present application shall be included in its scope of protection.

Claims (10)

1. A policy redundancy detection method, applied to a security device, wherein the security device is preconfigured with a plurality of security policy groups, each security policy group consists of a plurality of preset fields, and each preset field corresponds to a plurality of object groups to be matched; characterized in that the method comprises:
for each security policy group preconfigured on the security device, respectively expanding the object groups preconfigured in the preset fields of the security policy group, and merging the redundant objects obtained by the expansion;
after the redundant objects have been merged, splitting the security policy group into a plurality of security policies based on the number of object groups corresponding to each preset field of the security policy group, each preset field of each of the plurality of security policies corresponding to a unique object group;
traversing all the security policies split from all the security policy groups, and detecting redundant security policies among all the security policies based on a preset policy;
wherein the object group of each preset field of each redundant security policy is covered by the object group of the corresponding preset field of a non-redundant security policy.
2. The method of claim 1, further comprising:
converting the IP object groups in the security policy group into a standard representation format after the redundant objects have been merged.
3. The method of claim 2, wherein the standard representation format is an IP + wildcard representation format.
4. The method according to claim 1, wherein detecting redundant security policies among all the security policies based on a preset policy comprises:
sequentially selecting each of the security policies as a target security policy;
matching the target security policy against the other security policies;
and, if the target security policy covers any other security policy, recording the redundancy relationship between the target security policy and that other security policy.
5. The method of claim 4, further comprising:
sorting all the security policies by the priority of each security policy before detecting redundant security policies among all the security policies based on the preset policy.
6. A policy redundancy detection apparatus, applied to a security device, wherein the security device is preconfigured with a plurality of security policy groups, each security policy group consists of a plurality of preset fields, and each preset field corresponds to a plurality of object groups to be matched; characterized in that the apparatus comprises:
a merging unit, configured to, for each security policy group preconfigured on the security device, respectively expand the object groups preconfigured in the preset fields of the security policy group and merge the redundant objects obtained by the expansion;
a splitting unit, configured to split the security policy group, after the redundant objects have been merged, into a plurality of security policies based on the number of object groups corresponding to each preset field of the security policy group, each preset field of each of the plurality of security policies corresponding to a unique object group;
a detecting unit, configured to traverse all the security policies split from all the security policy groups and detect redundant security policies among all the security policies based on a preset policy;
wherein the object group of each preset field of each redundant security policy is covered by the object group of the corresponding preset field of a non-redundant security policy.
7. The apparatus of claim 6, further comprising:
a converting unit, configured to convert the IP object groups in the security policy group into a standard representation format after the redundant objects have been merged.
8. The apparatus of claim 7, wherein the standard representation format is an IP + wildcard representation format.
9. The apparatus of claim 6, wherein the detecting unit is further configured to:
sequentially select each of the security policies as a target security policy;
match the target security policy against the other security policies;
and, if the target security policy covers any other security policy, record the redundancy relationship between the target security policy and that other security policy.
10. The apparatus of claim 9, further comprising:
a ranking unit, configured to sort all the security policies by the priority of each security policy before the redundant security policies among all the security policies are detected based on the preset policy.
CN201710296150.5A 2017-04-28 2017-04-28 Method and device for detecting policy redundancy Active CN107094143B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710296150.5A CN107094143B (en) 2017-04-28 2017-04-28 Method and device for detecting policy redundancy

Publications (2)

Publication Number Publication Date
CN107094143A CN107094143A (en) 2017-08-25
CN107094143B true CN107094143B (en) 2020-08-04

Family

ID=59638663

Country Status (1)

Country Link
CN (1) CN107094143B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant