CN107948205A - Firewall policy generation method, device, equipment and medium - Google Patents

Firewall policy generation method, device, equipment and medium

Publication number: CN107948205A
Authority: CN (China)
Prior art keywords: group, addresses, character string, array, address
Legal status: Granted
Application number: CN201711495427.3A
Other languages: Chinese (zh)
Other versions: CN107948205B
Inventors: 王永智, 刘利明, 陈劼, 郭建波, 匡保国
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Group Jiangsu Co Ltd
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Group Jiangsu Co Ltd
Application filed by China Mobile Communications Group Co Ltd and China Mobile Group Jiangsu Co Ltd; priority to CN201711495427.3A. Published as CN107948205A; application granted and published as CN107948205B. Legal status: Active.

Classifications

    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L61/2503 Mapping addresses of the same type; translation of Internet protocol [IP] addresses
    • H04L63/0236 Filtering policies; filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/101 Controlling access to devices or network resources; access control lists [ACL]
    • H04L63/205 Managing network security; network security policies in general, involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved


Abstract

Embodiments of the invention disclose a firewall policy generation method, device, equipment and medium. The method includes: extracting a first address group from an access control list; extracting a second address group from the configuration file of a firewall device; comparing whether the first character string corresponding to the first address group equals the second character string corresponding to the second address group; when the first character string is unequal to the second character strings corresponding to all second address groups in the configuration file of the firewall device, creating a new address group from the first address group; and when the first character string equals the second character string, outputting the first address group corresponding to the first character string. The invention masks the differences between devices of different vendors and generates firewall policies while guaranteeing accuracy, greatly improving the efficiency of firewall policy generation.

Description

Firewall policy generation method, device, equipment and medium
Technical field
The present invention relates to the technical field of computer network management, and in particular to a firewall policy generation method, device, equipment and medium.
Background
Because of factors such as protection against security risks and IP address expansion, a network generally has to be divided into different security zones, and firewalls have to be deployed between the security zones to provide access control and security isolation and to filter the data packets entering and leaving each port, so as to protect the system. Access control is implemented through firewall policies, so writing firewall policies is an important part of routine firewall maintenance, and writing firewall policies for the devices of different vendors efficiently and accurately is a major problem that maintenance work needs to solve.
Existing firewall policy preparation still relies mainly on manual means: policies are translated and written one by one, and the vendor of each firewall, its command line format and its object groups are judged by hand. This depends on the network engineer's familiarity with the policy syntax and configuration method of each vendor's firewall. In a large network with many firewall vendors and a variety of versions and models, the limitations of this manual approach become especially obvious.
The above prior art has several limitations, leaving a number of problems to be solved. Each vendor's firewall has its own policy specification; without the support of a unified southbound interface, a network engineer must spend a great deal of time becoming familiar with each vendor's syntax rules, which is time-consuming and laborious. A large network contains many firewall brands and models, so routine maintenance of firewall policies is complex and difficult, and operation and maintenance costs are high. Writing command lines by judging each firewall individually (its vendor, command line format, object group contents and so on) is inefficient, has a low recognition rate and a high error rate, and easily produces a large number of redundant command lines. Over time, redundant command lines may degrade the execution efficiency of the firewall device and are more likely to cause erroneous policies, which is a security risk.
Summary of the invention
Embodiments of the present invention provide a firewall policy generation method, device, equipment and medium that can improve the efficiency of writing firewall policies.
In a first aspect, an embodiment of the present invention provides a firewall policy generation method, the method including:
(1) extracting a first address group from an access control list;
(2) converting each address in the extracted first address group into wildcard mask format;
(3) performing format processing on each address of wildcard mask format in the first address group, and sorting the addresses after format processing;
(4) merging the sorted addresses of the first address group into a first character string;
(5) extracting a second address group from the configuration file of a firewall device;
(6) converting each address in the second address group extracted from the configuration file into a second wildcard mask format;
(7) performing format processing on each address of wildcard mask format in the second address group, and sorting the addresses after format processing;
(8) merging the sorted addresses of the second address group into a second character string;
(9) comparing whether the first character string and the second character string are equal;
(10) when the first character string and the second character string are unequal, repeating steps (5)-(9) so that the first address group is compared with all second address groups in the configuration file of the firewall device;
(11) when the first character string is unequal to the second character strings corresponding to all second address groups in the configuration file of the firewall device, creating a new address group from the first address group;
(12) when the first character string equals the second character string, outputting the first address group corresponding to the first character string.
Optionally, the format processing of each wildcard-mask-format address in the first address group retains only the digits of the address.
Optionally, the first character string being identical to the second character string means that the two strings have the same length and that each character of the first string is identical to the corresponding character of the second string.
Optionally, the method further includes:
(1) extracting a first port group from the access control list;
(2) converting the extracted first port group into a first array;
(3) extracting a second port group from the configuration file of the firewall device;
(4) converting the second port group extracted from the configuration file into a second array of the same format as the first array;
(5) judging whether the length of the first array equals the length of the second array;
(6) when the lengths of the first array and the second array are equal, judging whether the elements of the first array are identical to the elements of the second array;
(7) when the lengths of the first array and the second array are unequal and/or the elements of the first array differ from the elements of the second array, repeating steps (3)-(6) so that the first port group is compared with all second port groups in the configuration file of the firewall device;
(8) when the elements of the first array are identical to the elements of the second array, outputting the first port group corresponding to the first array;
(9) when the length of the first array is unequal to the lengths of the second arrays corresponding to all second port groups in the configuration file of the firewall device, or the elements of the first array differ from the elements of the second arrays corresponding to all second port groups in the configuration file of the firewall device, creating a new port group from the first port group.
Optionally, the elements of the first array being identical to the elements of the second array means that each character of the first array is identical to the corresponding character of the second array.
Optionally, the format of the first array and the second array is a tcp or udp address plus a port number or a port number range.
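The port-group comparison of steps (1)-(9) above, as an added Python example that is not part of the patent. Each array element is a protocol plus a port number or port range; both arrays are sorted and de-duplicated before the length test and the element-by-element comparison, so that a different element order in the device configuration does not prevent a match. The device port groups are constructed and already reduced to (protocol, port list) by a vendor-specific reader; the group names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class PortEntry:
    """One array element: protocol plus a port number or port number range."""
    proto: str
    low: int
    high: int


def port_array(proto: str, items) -> list:
    """Steps (2)/(4): turn a parsed port region such as ('udp', ['8105-8888', '1235'])
    into a sorted, de-duplicated array of PortEntry values."""
    proto = proto.lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {proto}")
    entries = set()
    for item in items:
        lo, _, hi = str(item).partition("-")
        low, high = int(lo), int(hi or lo)          # a single port is the range low..low
        if not 0 < low <= high <= 65535:
            raise ValueError(f"bad port or range: {item}")
        entries.add(PortEntry(proto, low, high))
    return sorted(entries)                           # sorted by (proto, low, high)


def is_valid_port_items(proto: str, items) -> bool:
    """True if the region can be turned into an array, False instead of raising."""
    try:
        port_array(proto, items)
        return True
    except ValueError:
        return False


def same_port_group(first: list, second: list) -> bool:
    """Steps (5)-(6): equal length first, then element-by-element identity."""
    if len(first) != len(second):
        return False
    return all(a == b for a, b in zip(first, second))


def match_port_group(proto: str, items, device_groups: dict):
    """Steps (3)-(9): compare the work-order port group with every port group in the
    device configuration; return the name of an identical group, or None so that the
    caller creates a new port group."""
    wanted = port_array(proto, items)
    for name, raw in device_groups.items():
        if same_port_group(wanted, port_array(*raw)):
            return name
    return None


# Constructed device configuration (assumed names), as (protocol, [port items]).
DEVICE_PORT_GROUPS = {
    "svc_web": ("tcp", ["443", "80"]),
    "svc_media": ("udp", ["1235", "8105-8888"]),
    "svc_media_wide": ("udp", ["1235", "5004", "8105-8888"]),
}

if __name__ == "__main__":
    # Work-order destination port region from the page: udp_8105-8888,1235
    print(match_port_group("udp", ["8105-8888", "1235"], DEVICE_PORT_GROUPS))
    print(match_port_group("tcp", ["22"], DEVICE_PORT_GROUPS))
```

The match is an exact match of elements, as in the patent: a group written as 8105-8888 does not match one written as 8105-8500,8501-8888 even though both cover the same ports, and a new port group is created in that case.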
Optionally, the method further includes: invoking the firewall command flow in the firewall device and generating firewall policy execution instructions based on the firewall policy, so as to complete the deployment of the firewall policy on the firewall device.
In a second aspect, the present invention also provides a firewall policy generation device, the device including:
an extraction submodule for extracting a first address group from an access control list;
a conversion submodule for converting each address in the extracted first address group into wildcard mask format;
a sorting submodule for performing format processing on each wildcard-mask-format address in the first address group and sorting the addresses after format processing;
a merging submodule for merging the sorted addresses of the first address group into a first character string;
the extraction submodule being further used to extract a second address group from the configuration file of a firewall device;
the conversion submodule being further used to convert each address in the second address group extracted from the configuration file into a second wildcard mask format;
the sorting submodule being further used to perform format processing on each wildcard-mask-format address in the second address group and to sort the addresses after format processing;
the merging submodule being further used to merge the sorted addresses of the second address group into a second character string;
a judging submodule for comparing whether the first character string and the second character string are equal, and for judging whether the first address group has been compared with all second address groups in the configuration file of the firewall device;
a creation submodule for creating a new address group from the first address group when the first character string is unequal to the second character strings corresponding to all second address groups in the configuration file of the firewall device;
an output submodule for outputting the first address group corresponding to the first character string when the first character string equals the second character string.
In a third aspect, an embodiment of the present invention provides firewall policy generation equipment including at least one processor, at least one memory, and computer program instructions stored in the memory which, when executed by the processor, implement the method of the first aspect of the above embodiment.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium on which computer program instructions are stored which, when executed by a processor, implement the method of the first aspect of the above embodiment.
The firewall policy generation method, device, equipment and medium provided by the embodiments of the present invention use a first general matching algorithm and a second general matching algorithm to implement a standardized southbound interface, mask the differences between the devices of different vendors, and automatically generate firewall policies while guaranteeing accuracy, greatly improving the efficiency of firewall policy generation.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly described below. Those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of the firewall policy generation method of an embodiment of the present invention.
Fig. 2 is a structural diagram of the firewall policy generation device of an embodiment of the present invention.
Fig. 3 is a structural diagram of the comparison module in the firewall policy generation device of an embodiment of the present invention.
Fig. 4 is a structural diagram of firewall policy generation equipment of an embodiment of the present invention.
Fig. 5 is a schematic diagram of the access control list of an embodiment of the present invention.
Fig. 6 is a flow chart of the address group generation method in the firewall policy of an embodiment of the present invention.
Fig. 7 is a simplified flow chart of the address group generation method of one embodiment of Fig. 6.
Fig. 8 is a flow chart of the port group generation method in the firewall policy generation method of an embodiment of the present invention.
Fig. 9 is a simplified flow chart of the port group generation method of one embodiment of Fig. 8.
Embodiments
The features and exemplary embodiments of the various aspects of the invention are described in detail below. To make the objects, technical solutions and advantages of the invention clearer, the invention is further described in detail with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are intended only to explain the invention and not to limit it. To those skilled in the art, the invention can be practiced without some of these details. The description of embodiments below is provided only to give a better understanding of the invention by showing examples of it.
For convenience of explanation, firewall-related terms are defined before the invention is described in detail.
A firewall is a technical measure for protecting network security. It isolates the internal network from the external network by establishing a corresponding network communication monitoring system at the network boundary, in order to block intrusions from the external network. The basic role of a firewall is to protect a particular network from attack by an "untrusted" network while still allowing legitimate communication between the two networks.
A firewall policy is the basic security control mechanism by which a firewall checks, according to certain rules, whether a data flow may pass. A firewall policy is deployed on the firewall by firewall policy execution instructions, and the firewall then checks data flows against it: only legitimate traffic that satisfies the firewall policy may pass through the firewall. Firewall security policies can control the permission of the internal network to access the external network and the access permissions between internal subnets of different security levels, and can also control access to the device itself.
A five-tuple is a communications term that generally refers to the source address, source port, destination address, destination port and transport layer protocol. The source address is the IP address of the originating end of the data flow; the destination address is the IP address the data flow eventually reaches; the source port is the communication port used by the originating end; the destination port is the communication port the data flow accesses; and the transport layer protocol is the TCP or UDP protocol used between the two communicating applications.
An access control list (ACL) is an instruction list applied to a router interface; the list tells the router which data packets may be accepted and which must be rejected.
Address group: composed of several IP addresses or network segments; an address group may be a source address or a destination address. If it is referenced repeatedly it can be defined as an object group, which is convenient to reference and also reduces the number of ACL command lines.
Port group: composed of several ports; if it is referenced repeatedly it can be defined as an object group, which is convenient to reference and also reduces the number of ACL command lines.
Algorithm: an accurate and complete description of a problem-solving scheme, that is, a series of clear instructions for solving a problem; an algorithm describes a systematic strategy for solving the problem and can, for input conforming to a certain specification, obtain the required output in finite time. Different algorithms may complete the same task with different time, space or efficiency. The quality of an algorithm can be measured by its time complexity and space complexity.
Fig. 1 is a schematic diagram of the firewall policy generation method of an embodiment of the present invention.
The method includes the following steps:
Step S10: automatically extract the contents of each parameter region of the access control list. The access control list includes at least, but is not limited to, data such as source address, destination address, network protocol, destination port and custom parameters. In one embodiment of the invention the access control list is a standardized work order. Specifically, as shown in Fig. 4, the access control list is divided into four regions: the source address region (storing source addresses), the destination address region (storing destination addresses), the destination port region (storing ports) and the parameter region (storing user-defined parameters). Regions are separated by a space and no space appears inside a region; the last region, the parameter region, is an additional function used when needed. The access control list may be saved in, but is not limited to, TXT format, WORD format or any other file format.
The access control list satisfies the following five requirements: (1) one line represents one firewall policy, and the access control list supports several firewall policies at the same time; for example, in Fig. 4 the first row contains the source addresses (192.168.76.2, 192.168.77), the destination addresses (10.33.254.103, 10.33.254.1) and the destination ports (udp_8105-8888,1235); (2) the source and destination addresses support IP addresses, network segments and custom special network segments, with multiple addresses separated by commas; (3) the destination port indicates the protocol type and supports ports and port ranges, with commas separating ports from ports and ports from port ranges; (4) the parameter region carries custom information such as the starting sequence number of the rule number (represented by "rule", i.e. the number "200" in Fig. 4) and the firewall policy number (the number "3000" in Fig. 4); (5) when a region contains more than three elements, an object group (an address group and/or a port group) is considered.
Step S20: convert the extracted contents of each parameter region into corresponding data objects. Specifically, the data objects include the data object of the address group, the data object of the network protocol, the data object of the port group and the data object of the custom parameters, where the address group data object includes a source address data object and a destination address data object. That is, the source addresses and destination addresses are converted into address group data objects, the network protocol into a network protocol data object, the destination ports into a port group data object, and the custom parameters into a custom parameter data object.
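As an added illustration of steps S10 and S20 (not code from the patent), the following Python parses the four-region work-order format described above into per-region data objects and applies requirement (5), the more-than-three-elements test that triggers the object group lookup. It validates every address before anything is generated, because a malformed address in the work order would otherwise become a wrong policy. The sample work order is constructed from the values quoted on the page (192.168.77 is completed to 192.168.77.0/24; the second line is invented); the syntax of a custom network segment (a bare name) and of the parameter region (a comma-separated list) are assumptions, since the page does not show them.

```python
import ipaddress
import re
from dataclasses import dataclass

# Requirement (5): a region with more than three elements is treated as an object group.
OBJECT_GROUP_THRESHOLD = 3

# Assumption: a custom special network segment is written as a bare name such as DMZ_SEGMENT.
SEGMENT_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")


@dataclass
class WorkOrderPolicy:
    """One line of the work order, i.e. one firewall policy, split into its regions."""
    src: list
    dst: list
    proto: str
    dst_ports: list
    params: list

    def needs_address_group(self, side: str) -> bool:
        if side not in ("src", "dst"):
            raise ValueError(f"side must be 'src' or 'dst', not {side!r}")
        return len(getattr(self, side)) > OBJECT_GROUP_THRESHOLD

    def needs_port_group(self) -> bool:
        return len(self.dst_ports) > OBJECT_GROUP_THRESHOLD


def _check_address(token: str) -> str:
    """Accept an IPv4 host, an IPv4 network or a named segment; reject anything else."""
    if SEGMENT_NAME.match(token):
        return token
    net = ipaddress.ip_network(token, strict=False)   # raises ValueError on garbage
    if net.version != 4:
        raise ValueError(f"IPv6 is out of scope for this example: {token}")
    return token


def _split_ports(region: str):
    """'udp_8105-8888,1235' -> ('udp', ['8105-8888', '1235'])."""
    proto, sep, rest = region.partition("_")
    if sep != "_" or proto.lower() not in ("tcp", "udp") or not rest:
        raise ValueError(f"destination port region must look like tcp_443 or udp_8105-8888,1235: {region}")
    return proto.lower(), rest.split(",")


def parse_work_order_line(line: str) -> WorkOrderPolicy:
    """Regions are separated by spaces, elements inside a region by commas."""
    regions = line.split()
    if len(regions) not in (3, 4):
        raise ValueError(f"expected 3 or 4 space-separated regions, got {len(regions)}")
    src = [_check_address(t) for t in regions[0].split(",")]
    dst = [_check_address(t) for t in regions[1].split(",")]
    proto, dst_ports = _split_ports(regions[2])
    params = regions[3].split(",") if len(regions) == 4 else []
    return WorkOrderPolicy(src, dst, proto, dst_ports, params)


def parse_work_order(text: str) -> list:
    return [parse_work_order_line(line) for line in text.splitlines() if line.strip()]


def is_valid_line(line: str) -> bool:
    try:
        parse_work_order_line(line)
        return True
    except ValueError:
        return False


# Constructed sample work order (assumed values, modelled on the page's example row).
SAMPLE_WORK_ORDER = """\
192.168.76.2,192.168.77.0/24 10.33.254.103,10.33.254.1 udp_8105-8888,1235 200,3000
DMZ_SEGMENT 10.33.208.0/24,10.33.208.231,10.33.208.232,10.33.208.240 tcp_443 201,3000
"""

if __name__ == "__main__":
    for policy in parse_work_order(SAMPLE_WORK_ORDER):
        print(policy, "-> destination address group:", policy.needs_address_group("dst"))
```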
Step S30: compare the converted data objects with the data in the configuration file of the firewall device and generate the firewall policy. In one embodiment of the invention, the address group data object is compared with the source addresses in the configuration file of the firewall device, the network protocol data object with the network protocol numbers in the configuration file, the port group data object with the port numbers in the configuration file, and the custom parameter data object with the rule numbers and firewall policy numbers in the configuration file. It should be noted that, because the firewall devices of different vendors use different format specifications for address groups (source addresses, destination addresses, etc.) and port groups (port numbers, etc.), a simple direct comparison is inefficient. Therefore, in one embodiment, when the address group data object (or port group data object) is compared with the configuration file of the firewall device, the data object and the corresponding data in the configuration file are both converted into a specific format at the same time.
The way the address group data objects (the source address data object and the destination address data object) are compared with the address group data in the configuration file of the firewall device is described in detail in Fig. 5 to Fig. 6, and the way the port group data object is compared with the port data in the configuration file of the firewall device is described in detail in Fig. 7 to Fig. 8.
Further, since the network protocol, rule number and policy number are relatively fixed and change little, they can be compared directly: the network protocol, rule number and policy number in the access control list are compared directly with the corresponding data in the configuration file of the firewall device.
Further, comparing firewall policy numbers requires reading the configuration file on the firewall device. Because different vendors define policy numbers differently, no unified solution can be found, and the firewall policy number must be handled in a vendor-specific way. For example, Juniper adds the policy number as a sequence number in the form "rule security policies from-zone Trust to-zone DMZ policy XXX match source-address 10.0.0.0/8", Huawei firewall devices add the firewall policy number with "policy XXX", and H3C firewall devices add the firewall policy number with "acl number XXX". Further, when generating firewall policy numbers, care should be taken that the numbers increase monotonically; where necessary the policy number can be fixed in the work order document, to ensure that the generated firewall policy execution instruction lines can be used correctly.
In addition, some vendors' devices require the direction of the firewall policy to be judged, which requires reading the zone definitions in the device configuration. For the devices of these vendors a template must be defined independently, and the user must specify the template number before the judgement can be made. For example, Juniper devices indicate direction with "from-zone XXX to-zone XXX", and the contents of the zones must be customized in advance before the work order can be judged accurately.
Step S40: invoke the firewall command flow in the firewall device. Specifically, each vendor's firewall device provides a corresponding firewall command flow, which can be retrieved from the firewall device in advance.
Step S50: generate the firewall policy execution instructions from the firewall command flow in the firewall device and the firewall policy, so as to complete the deployment of the firewall policy on the firewall device. Specifically, each vendor's firewall device provides a corresponding firewall command flow; executing that command flow with the corresponding firewall policy as input generates the corresponding firewall policy execution instructions, which complete the deployment of the firewall policy. The generated firewall policy execution instructions are the command lines used to execute the firewall policy.
It should be noted that writing firewall policy execution instructions involves many references to five-tuples, address groups and port groups, among which judging address groups and port groups is the most difficult, because different vendors specify address groups and port groups in different formats and patterns, and a simple direct comparison is very inefficient. The present invention matches address groups with a first general matching algorithm and port groups with a second general matching algorithm, which improves matching efficiency while maintaining accuracy, and so improves the efficiency of firewall policy generation.
With reference to Fig. 6 and Fig. 7: Fig. 6 is a flow chart of the address group generation method in the firewall policy of an embodiment of the present invention, and Fig. 7 is a simplified flow chart of the address group generation method of one embodiment of Fig. 6.
Step S100: extract the first address group from the access control list. In one embodiment of the invention this is illustrated with the destination address group. Specifically, the destination address group extracted from the access control list is: 10.33.208.0/24, 10.33.208.231, 10.33.208.232.
Step S101: convert each address in the extracted first address group into wildcard mask format. Specifically, 10.33.208.0/24, 10.33.208.231 and 10.33.208.232 are converted into the three first wildcard masks 10.33.208.0.0.0.0.255, 10.33.208.231.0 and 10.33.208.232.0.
Step S102: perform format processing on each wildcard-mask-format address in the first address group and sort the addresses after format processing. Specifically, only the digits of each first wildcard mask are retained (discarded characters such as periods, commas, spaces and other characters are removed) and the results are then sorted numerically. For example, after retaining the digits the three first wildcard masks become 10332080000255, 10332082310 and 10332082320, and after sorting they become 10332082310, 10332082320 and 10332080000255.
Step S103: merge the sorted addresses of the first address group into a first character string. Specifically, 10332082310, 10332082320 and 10332080000255 are merged into 103320823101033208232010332080000255. In other words, step S103 merges the character strings of several network segments into one character string.
Step S104: extract a second address group from the configuration file of the firewall device.
Step S105: convert each address in the second address group extracted from the configuration file into second wildcard mask format.
Step S106: perform format processing on each wildcard-mask-format address in the second address group and sort the addresses after format processing.
Step S107: merge the sorted second wildcard masks into a second character string.
It should be noted that the technical steps used to generate the second character string are the same as those used to generate the first character string.
Step S108: judge whether the first character string is identical to the second character string. When the first and second character strings differ, the flow proceeds to step S109; when they are equal, the flow proceeds to step S111. The first character string being identical to the second character string means that the two strings have the same length and that each character of the first string is identical to the corresponding character of the second string.
Step S109: when the first and second character strings differ, judge whether the second character strings corresponding to all second address groups in the configuration file have been compared with the first character string. When they have all been compared, the flow proceeds to step S110. Otherwise, when the configuration file still contains a second address group whose second character string has not been compared with the first character string, the flow returns to step S104 and extracts the next second address group from the configuration file.
Step S110: create a new address group from the first address group. The newly created address group is the address group used in the firewall policy.
Step S111: output the address group corresponding to the first character string for use in the firewall policy.
It should be noted that when arrays are compared, the elements in the arrays must be compared one by one, and as the number of array elements increases the computational cost increases exponentially. Specifically, the usual practice when comparing address groups is: (1) calculate the size and scope of the address segment; (2) confirm the address segment information by comparison. However, as the number of address groups or of elements within a group increases, a large amount of computation is incurred, which affects efficiency. The technical solution in Fig. 5 above instead compares single character strings, so the computational complexity and time cost are greatly reduced; at the same time, because the elements are sorted once before the character string comparison, the possibility of a false judgement is also avoided.
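The address-group comparison of steps S100 to S111, written out as an added Python example (not code from the patent). It assumes an address is either a host such as 10.33.208.231 or a prefix such as 10.33.208.0/24, that a host's wildcard mask is written as "0" (as the page's 10.33.208.231.0 shows), and that the sort is by numeric value, which is the order the page gives; the device configuration is a constructed sample.

```python
"""Address-group matching per steps S100-S111 (added illustration, not the patent's code)."""
import ipaddress
import re


def to_wildcard_form(addr: str) -> str:
    """Step S101: '10.33.208.0/24' -> '10.33.208.0.0.0.0.255', '10.33.208.231' -> '10.33.208.231.0'."""
    iface = ipaddress.ip_interface(addr)           # a bare host gets /32
    wildcard = (1 << 32) - 1 - int(iface.netmask)  # wildcard mask = inverse of the subnet mask
    # Assumption: a zero wildcard (single host) is written "0", matching the page's examples.
    wc_text = "0" if wildcard == 0 else str(ipaddress.ip_address(wildcard))
    return f"{iface.ip}.{wc_text}"


def keep_digits(text: str) -> str:
    """Step S102 format processing: drop periods, commas, spaces and every other non-digit."""
    return re.sub(r"\D", "", text)


def group_signature(addresses) -> str:
    """Steps S101-S103: wildcard form, digits only, sort, concatenate into one character string.

    Because the separators are discarded, the concatenated digit string is the only thing
    the later comparison sees; sorting first makes member order irrelevant (step S102).
    """
    digits = [keep_digits(to_wildcard_form(a)) for a in addresses]
    # The page sorts 10332082310, 10332082320 before 10332080000255, i.e. by numeric value.
    digits.sort(key=int)
    return "".join(digits)


def match_address_group(acl_group, config_groups):
    """Steps S104-S111: compare the ACL group's first character string against the second
    character string of every address group in the device configuration.

    Returns ('reuse', name) for the first identical string (S111), else ('create', None) (S110).
    Python string equality checks the length and then every character, exactly as S108 defines.
    """
    first = group_signature(acl_group)
    for name, members in config_groups.items():
        if group_signature(members) == first:
            return ("reuse", name)
    return ("create", None)


# Constructed sample device configuration (not from the page): named address sets.
SAMPLE_CONFIG = {
    "SRV_NET": ["10.33.208.232", "10.33.208.0/24", "10.33.208.231"],  # page's members, other order
    "DMZ_HOSTS": ["10.3.1.2"],
}
# The destination address group used as the worked example on the page.
ACL_DEST_GROUP = ["10.33.208.0/24", "10.33.208.231", "10.33.208.232"]

if __name__ == "__main__":
    print(group_signature(ACL_DEST_GROUP))
    print(match_address_group(ACL_DEST_GROUP, SAMPLE_CONFIG))
```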
Referring to Fig. 8 and Fig. 9, Fig. 8 shows a flowchart of the port group generation method in the firewall policy generation method of the embodiment of the present invention. Fig. 9 shows a simplified flowchart of the port group generation method according to one embodiment in Fig. 8.
Step S200: Extract a first port group from the access control list. Specifically, the first port group tcp_22,23,80-88 is extracted from the port region of the access control list.
Step S201: Convert the extracted first port group into a first array. Specifically, the form of the first array is tcp or udp followed by port numbers or port number ranges. For example, if the first port group is tcp_22,23,80-88, the first array corresponding to this first port group is tcp 22 23 80-88 (the commas are removed and the space-separated elements are retained).
Step S202: Extract one second port group from the configuration file of the firewall device.
Step S203: Convert the second port group extracted from the configuration file into a second array of the same format as the first array.
It should be noted that the technical steps taken to generate the second array are identical to those taken to generate the first array.
Step S204: Judge whether the length of the first array is equal to that of the second array. If the lengths of the first array and the second array are equal, the flow proceeds to step S205. If the lengths of the first array and the second array are unequal, the flow proceeds to step S206.
Step S205: Judge whether the elements in the first array and the second array are identical. If the elements in the first array and the second array differ, the flow proceeds to step S206. If the elements in the first array and the second array are identical, the flow proceeds to step S208. The elements of the first array and the second array being identical means that each character in the first array is identical to the corresponding character in the second array.
Step S206: Judge whether all second port groups in the configuration file have been compared with the first array. If the second arrays corresponding to all second port groups in the configuration file have been compared with the first array, the flow proceeds to step S207. Otherwise, if the configuration file still contains a second port group whose second array has not been compared with the first array, the flow returns to step S202 and the next port group is extracted from the configuration file.
Step S207: Create a new port group according to the first port group. The created new port group is a port group in the firewall policy.
Step S208: Output the first port group corresponding to the first array to form a firewall policy.
It should be noted that because a port group may contain the special notation of a port range, the method used to judge address groups, which converts all elements into digits before comparison, cannot be used. In the existing technology the two arrays are compared directly by computation, but ordinarily, if there is a large number of port groups on a device, comparing them one by one is very time-consuming. To improve efficiency, the technical solution in Fig. 6 first compares the lengths of the two arrays before comparing the arrays themselves, and performs the exact comparison only if the lengths are consistent, which greatly improves operation efficiency.
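The port-group comparison of steps S200 to S208, as an added Python example (not code from the patent). It assumes the ACL port group is written as "<proto>_<port>,<port>,<a-b>" as in tcp_22,23,80-88, and that the device configuration has already been converted into arrays of the same form; the configuration below is a constructed sample.

```python
"""Port-group matching per steps S200-S208 (added illustration, not the patent's code)."""
import re

# One element is a single port or an 'a-b' range; the range stays a single array element.
PORT_ITEM = re.compile(r"^\d{1,5}(-\d{1,5})?$")


def to_port_array(port_group: str) -> list:
    """Step S201: 'tcp_22,23,80-88' -> ['tcp', '22', '23', '80-88'].

    The commas are dropped and each element keeps its own slot, so '80-88' is not
    expanded into digits; that is why the address-group digit method is not reused here.
    """
    proto, _, ports = port_group.partition("_")
    if proto not in ("tcp", "udp") or not ports:
        raise ValueError(f"unsupported port group: {port_group!r}")
    items = [p.strip() for p in ports.split(",")]
    for item in items:
        if not PORT_ITEM.match(item):
            raise ValueError(f"bad port element {item!r} in {port_group!r}")
    return [proto] + items


def arrays_equal(first: list, second: list) -> bool:
    """Steps S204-S205: compare the lengths first, and only then the elements one by one."""
    if len(first) != len(second):                      # S204: different length, no match
        return False
    return all(a == b for a, b in zip(first, second))  # S205: element-wise comparison


def match_port_group(acl_group: str, config_groups: dict):
    """Steps S202-S208: walk every port group in the device configuration.

    Returns ('reuse', name) for the first identical array (S208), else ('create', array) (S207).
    """
    first = to_port_array(acl_group)
    for name, second in config_groups.items():
        if arrays_equal(first, second):
            return ("reuse", name)
    return ("create", first)


# Constructed sample configuration, already converted to array form (not from the page).
SAMPLE_CONFIG = {
    "WEB_MGMT": ["tcp", "22", "23", "80-88"],
    "WEB_ONLY": ["tcp", "80", "443"],
    "DNS": ["udp", "53"],
}

if __name__ == "__main__":
    print(match_port_group("tcp_22,23,80-88", SAMPLE_CONFIG))   # page's first port group
    print(match_port_group("udp_53,123", SAMPLE_CONFIG))
```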
The following illustrates how the corresponding firewall policies are generated for the major vendors based on the technical solution of the present invention.
Firewall policy generation for Juniper devices is illustrated as follows:
(a) Judge whether each element in the ACL exists in the configuration file; if it does, no new object is formed. If it does not and the element is an object group, a corresponding object group is generated using the following commands (NEW_SOURCE_ADDRESS_GROUP, NEW_DESTINATION_ADDRESS_GROUP):
set security zones security-zone Trust address-book address 10.1.1.1/32 10.1.1.1/32
set security zones security-zone Trust address-book address-set NEW_DESTINATION_ADDRESS_GROUP address 10.3.1.2/32
set security policies from-zone DMZ to-zone Trust policy A-access-B match destination-address NEW_DESTINATION_ADDRESS_GROUP
When each element in the ACL is compared with the configuration file in (a), the address groups and port groups are compared using the general matching algorithm of the technical solution of the present invention, which realizes a standardized southbound interface, masks the differences between devices of different vendors, and greatly improves the efficiency of firewall policy generation while ensuring accuracy.
(b) The order of elements in an object does not affect the judgement of the object group;
(c) For a host IP address in the access control list, the generated command line adds a /32 mask;
(d) If the source address contains `10.2.0.0/16-10.4.0.0/16`, or a pre-customized special network segment such as `192.168.7.0/24, 192.168.7.0/24, 192.168.8.0/24, 192.168.9.0/24`, it is judged to be a specific address group: set security policies from-zone DMZ to-zone Trust policy A-access-B match source-address oavpn-group;
(e) A 10 network segment and a 192 network segment do not appear at the same time in the destination address; this affects the judgement of the zone direction, and a warning prompt can be raised;
(f) When generating address objects, if the network segment is 2.1.*.*, the zone is DMZ; otherwise the zone is Trust:
set security zones security-zone Trust address-book address 1.1.1.1/32 1.1.1.1/32
set security zones security-zone DMZ address-book address 2.1.1.1/32 2.1.1.1/32
(g) If the destination address is in the 1.1.1.* network segment, the zone direction is `Trust to-zone DMZ`; if the destination address is in the 2.1.1.* network segment or otherwise, the zone direction is `DMZ to-zone Trust`.
(h) When a new port is detected, a new port object is generated using the following commands:
set applications application tcp_111-1111 protocol tcp
set applications application tcp_111-1111 destination-port 111-1111
(i) The parameter region is used to indicate the firewall policy name; when it has content, the filled-in content is read, and when it is not filled in the default A-access-B is used.
Firewall policy generation for Huawei devices based on HuaWei Policy is illustrated as follows:
(a) Judge whether each element in the ACL exists in the configuration file; if it does, no new object is formed. If it does not and the element is an object group, a corresponding object group is generated using the following commands
(NEW_SOURCE_ADDRESS_GROUP, NEW_DESTINATION_ADDRESS_GROUP, NEW_PORT_GROUP):
ip address-set NEW_DESTINATION_ADDRESS_GROUP type object
policy destination address-set NEW_DESTINATION_ADDRESS_GROUP
When each element in the ACL is compared with the configuration file in (a), the address groups and port groups are compared using the general matching algorithm of the technical solution of the present invention, which realizes a standardized southbound interface, masks the differences between devices of different vendors, and greatly improves the efficiency of firewall policy generation while ensuring accuracy.
(b) The order of elements in an object does not affect the judgement of the object group;
(c) When a new object group is generated, the prompt is preceded by a sequence number, which is the policy number. If it is #276, note that this is an unknown port group, and the port group name must be updated in time when the new port group is generated.
(d) For a host IP address in the ACL, the generated command line is converted into "x.x.x.x 0", and an IP network segment is converted into "network number wildcard mask";
(e) A port is converted into shyA, and a port range A-B needs to be converted into shyAtoB and A to B:
ip service-set shy8106 type object
 service 0 protocol tcp source-port 0 to 65535 destination-port 1111
ip service-set NEW_PORT_GROUP type object
 service 0 protocol tcp source-port 0 to 65535 destination-port 111 to 1111
(f) In an address group, the addresses are shown in the form "address <sequence number> <ip> <wildcard mask>":
ip address-set NEW_SOURCE_ADDRESS_GROUP type object
address 0 10.2.2.3 0
address 1 10.2.2.4 0
address 2 10.2.3.5 0.0.0.3
(g) The fixed beginning of the firewall policy is
policy interzone trust untrust outbound
undo policy 1000
(h) The fixed end of the policy is
policy 1000
action deny
policy logging
* The script reads the policy number from `policy interzone trust untrust outbound`.
Firewall policy generation for Huawei devices based on HuaWei ACL is illustrated as follows:
(a) Huawei devices use different commands when adding policies via an ACL;
(b) All rules are written under acl number ****;
(c) A port range A-B is converted into range A B;
(d) Referencing an address group requires the address-set keyword;
(e) The address group command line "ip address-set <object group name>" has no type object keyword:
ip address-set NEW_SOURCE_ADDRESS_GROUP
ip address-set NEW_DESTINATION_ADDRESS_GROUP
(f) Because there is no policy number, the prompted sequence number corresponds to the line number in acl.txt. In addition, if the sequence number is #1, note that this is an unknown source address group: a new address group is generated, and the object name should be updated in time; if the sequence number is #2, note that this is an unknown destination address group: a new address group is generated, and the object name should be updated in time;
(g) The starting number of a rule is obtained by reading the sequence number of `deny ip` under `acl number ****` to position the rule:
rule 931 permit tcp source address-set NEW_SOURCE_ADDRESS_GROUP destination 10.3.1.1 0 destination-port eq 80
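The per-vendor command shapes listed in the Juniper, HuaWei Policy and HuaWei ACL sections above, rendered from one normalized address group or port group, as an added Python example (not code from the patent). It assumes port elements are given as "22" or "111-1111", that Huawei service and address entries are numbered from 0 in the order given, that a Juniper host address is written with an explicit /32 as item (c) states, and that the Juniper zone defaults to Trust; object names and addresses in the calls are the page's own examples.

```python
"""Vendor rendering of address groups and port objects (added illustration, not the patent's code)."""
import ipaddress
from typing import List


def _address_and_wildcard(addr: str):
    """'10.2.3.5/30' -> ('10.2.3.5', '0.0.0.3'); a host gives wildcard '0' (Huawei 'x.x.x.x 0')."""
    iface = ipaddress.ip_interface(addr)           # keeps the address exactly as written
    wildcard = (1 << 32) - 1 - int(iface.netmask)  # wildcard mask = inverse of the subnet mask
    return str(iface.ip), ("0" if wildcard == 0 else str(ipaddress.ip_address(wildcard)))


def render_address_set(vendor: str, name: str, addresses: List[str], zone: str = "Trust") -> List[str]:
    """Commands that create the address object group on the given vendor."""
    if vendor == "juniper":
        lines = []
        for a in addresses:
            prefix = str(ipaddress.ip_interface(a))  # host IP gains /32, per item (c)
            lines.append(f"set security zones security-zone {zone} address-book address {prefix} {prefix}")
            lines.append(f"set security zones security-zone {zone} address-book address-set {name} address {prefix}")
        return lines
    if vendor == "huawei_policy":
        lines = [f"ip address-set {name} type object"]
        for i, a in enumerate(addresses):            # 'address <seq> <ip> <wildcard>', per item (f)
            ip, wc = _address_and_wildcard(a)
            lines.append(f" address {i} {ip} {wc}")
        return lines
    if vendor == "huawei_acl":
        return [f"ip address-set {name}"]            # no 'type object' keyword, per item (e)
    raise ValueError(f"unsupported vendor: {vendor}")


def render_port_object(vendor: str, name: str, proto: str, ports: List[str]) -> List[str]:
    """Commands that create the port object for Juniper or HuaWei Policy."""
    lines = []
    if vendor == "juniper":
        for p in ports:                                # one application per port or range, item (h)
            obj = f"{proto}_{p}"
            lines.append(f"set applications application {obj} protocol {proto}")
            lines.append(f"set applications application {obj} destination-port {p}")
    elif vendor == "huawei_policy":
        lines.append(f"ip service-set {name} type object")
        for i, p in enumerate(ports):
            dst = p.replace("-", " to ")              # 'A-B' -> 'A to B', per item (e)
            lines.append(f" service {i} protocol {proto} source-port 0 to 65535 destination-port {dst}")
    else:
        raise ValueError(f"unsupported vendor: {vendor}")
    return lines


def render_huawei_acl_rule(rule_no: int, proto: str, src_set: str, dst_addr: str, port: str) -> str:
    """HuaWei ACL rule referencing an address-set; a range becomes 'range A B', per item (c)."""
    ip, wc = _address_and_wildcard(dst_addr)
    dst = "range " + port.replace("-", " ") if "-" in port else "eq " + port
    return f"rule {rule_no} permit {proto} source address-set {src_set} destination {ip} {wc} destination-port {dst}"


if __name__ == "__main__":
    for line in render_address_set("huawei_policy", "NEW_SOURCE_ADDRESS_GROUP",
                                   ["10.2.2.3", "10.2.2.4", "10.2.3.5/30"]):
        print(line)
    print(render_huawei_acl_rule(931, "tcp", "NEW_SOURCE_ADDRESS_GROUP", "10.3.1.1", "80"))
```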
Embodiment 4:
Firewall policy generation for H3C products is illustrated as follows:
1) H3C does not judge address groups or port groups; policies are added via an ACL, and the rule creation is similar to the `HuaWeiACL` implementation;
2) When the source address starts with 1, the work order starts with `acl number 30**`; in other cases `acl number 30**`.
In Embodiments 1 to 4 above, the firewall policy configuration commands can be generated automatically by directly invoking the firewall command flow of the firewall device.
The present invention can be adapted to multiple mainstream brands of firewalls, masking the differences between devices of different vendors and realizing a standardized southbound interface. At the same time, firewall policies can be written automatically in batches, which simplifies the firewall policy configuration flow, improves the efficiency of firewall policy generation, reduces the complexity of network operation, brings large savings in time cost and saves operation and maintenance cost. In addition, the change from the traditional manual mode to automatic batch generation reduces the probability of error from manual intervention, effectively improves the efficiency and accuracy of firewall policy generation, avoids the appearance of invalid and redundant policies, and ensures the safe and stable operation of the system.
In addition, the firewall policy generation method of the embodiment of the present invention described with reference to Fig. 1 can be realized by a firewall policy generation device. Fig. 2 shows a structural diagram of the firewall policy generation device provided by an embodiment of the present invention.
Specifically, the firewall policy generation device includes an acquisition module 301, a conversion module 302, a comparison module 303, a calling module 304 and a generation module 305.
The acquisition module 301 is configured to automatically obtain the content of each parameter region in the access control list. The access control list includes at least, but is not limited to, data such as the source address, destination address, network protocol, destination port and custom parameters. In one embodiment of the present invention, the access control list is a standardized work order. Specifically, as shown in Fig. 4, the access control list is divided into 4 regions: a source address region (storing the source address), a destination address region (storing the destination address), a destination port region (storing the port region) and a parameter region (storing user-defined parameters). Different regions are separated by spaces and no space appears within the same region; the last parameter region is an additional function, used when needed. The access control list can be saved in, but is not limited to, TXT format, WORD format or any other file format.
The conversion module 302 is configured to convert the content of each extracted parameter region into a corresponding data object. Specifically, the content of each parameter region is extracted and converted into a source address data object, a destination address data object, a network protocol data object, a port group data object and a custom parameter data object.
The comparison module 303 is configured to compare the converted data objects with the data in the configuration file of the firewall device and to generate a firewall policy. In one embodiment of the present invention, the source address data object is compared with the source addresses in the configuration file of the firewall device; the destination address data object is compared with the destination addresses in the configuration file; the network protocol data object is compared with the network protocol numbers in the configuration file; the port group data object is compared with the port numbers in the configuration file; and the custom parameter data object is compared with the rule numbers and firewall policy numbers in the configuration file. It should be noted that because firewall devices of different vendors use different format specifications for address groups (i.e. source addresses, destination addresses, etc.) and port groups (i.e. information such as port numbers), a simple computational comparison is inefficient. Therefore, in one embodiment of the present invention, when the address group data object (or the port group data object) is compared with the configuration file of the firewall device, the corresponding data in the address group data object (or the port group data object) and in the configuration file of the firewall device are at the same time subjected to a specific format conversion.
Further, because the network protocol, rule number and policy number are relatively fixed and change little, they can be compared directly, i.e. the network protocol, rule number and policy number in the access control list are compared directly with the corresponding data in the configuration file of the firewall device.
Further, the comparison of firewall policy numbers requires reading the configuration file on the firewall device. Because different vendors define policy numbers differently and no unified solution can be found, the firewall policy numbering of each vendor must be handled in a customized way. For example, the vendor Juniper adds the policy number as a sequence number in a rule of the form set security policies from-zone Trust to-zone DMZ policy XXX match source-address 10.0.0.0/8; Huawei firewall devices add the firewall policy number with policy XXX; and H3C adds the firewall policy number with acl number XXX. Further, when generating the firewall policy number, attention should be paid to counting the number of lines in the work order document; the policy number can be auto-incremented, and in some cases this is necessary to ensure that the generated firewall policy execution instructions are correct and usable for completing the deployment of the firewall policy.
In addition, some vendors' devices require the direction of the firewall policy to be judged, which requires reading the zone definitions in the device configuration for further judgement. For these vendors' devices, a template must be defined independently, and the user must specify the template number before a further judgement can be made. For example, Juniper devices indicate the direction as from-zone XXX to-zone XXX, and here the zone content must be customized in advance before an accurate judgement of the work order can be made.
The calling module 304 is configured to call the firewall command flow in the firewall device. Specifically, a corresponding firewall command flow is provided in the firewall device of each vendor and can be called from the firewall device in advance.
The generation module 305 is configured to generate a firewall policy execution instruction according to the firewall command flow in the firewall device and the firewall policy, so as to complete the deployment of the firewall policy. Specifically, a corresponding firewall command flow is provided in the firewall device of each vendor; by executing the firewall command flow and inputting the corresponding firewall policy, the corresponding firewall policy execution instruction is generated for executing the firewall policy and completing its deployment.
It should be noted that the writing of firewall policy execution instructions involves a large number of calls to five-tuples, address groups and port groups, among which the judgement of address groups and port groups is the most difficult. Because different vendors use different format specifications and patterns for address groups and port groups, comparison by simple computation is very inefficient. The present invention matches address groups and port groups using a general matching algorithm, which not only improves matching efficiency but also takes accuracy into account.
In addition, the comparison module 303 further includes an extraction submodule 3030, a conversion submodule 3031, a sorting submodule 3032, a merging submodule 3033, a judging submodule 3034, a creation submodule 3035 and an output submodule 3036.
For the case in which an address group (or the port group data object) is compared with the configuration file of the firewall device:
The extraction submodule 3030 is configured to extract the first address group from the access control list. In one embodiment of the present invention, the destination address group is taken as the example. Specifically, the destination address group extracted from the access control list is: 10.33.208.0/24, 10.33.208.231, 10.33.208.232.
The conversion submodule 3031 is configured to convert each address in the extracted first address group into wildcard mask form. Specifically, 10.33.208.0/24, 10.33.208.231 and 10.33.208.232 are converted into three first wildcard masks: 10.33.208.0.0.0.0.255, 10.33.208.231.0 and 10.33.208.232.0.
The sorting submodule 3032 is configured to perform format processing on each address of wildcard mask form in the first address group and to sort the addresses after format processing. Specifically, only the digits of each first wildcard mask are retained (the non-digit characters, such as periods, commas, spaces and other characters, are removed) and the results are then sorted. For example, after retaining digits the three first wildcard masks become 10332080000255, 10332082310 and 10332082320; after sorting they become 10332082310, 10332082320 and 10332080000255.
The merging submodule 3033 is configured to merge the sorted addresses in the first address group into a first character string. Specifically, 10332082310, 10332082320 and 10332080000255 are merged into 103320823101033208232010332080000255. In other words, as in step S103, the character strings of multiple network segments are merged into one character string.
The extraction submodule 3030 is further configured to extract a second address group from the configuration file of the firewall device.
The conversion submodule 3031 is further configured to convert each address in the second address group extracted from the configuration file into second wildcard mask form.
The sorting submodule 3032 is further configured to perform format processing on each address of wildcard mask form in the second address group and to sort the addresses after format processing.
The merging submodule 3033 is further configured to merge the sorted second wildcard masks into a second character string.
It should be noted that the technical steps taken to generate the second character string are identical to those taken to generate the first character string.
The judging submodule 3034 is configured to judge whether the first character string is identical to the second character string. When the first character string differs from the second character string, it judges whether the second character strings corresponding to all second address groups in the configuration file have been compared with the first character string. When the first character string is equal to the second character string, the flow proceeds to step S111. The first character string being identical to the second character string means that the two character strings have the same length and that each character of the first character string is identical to the corresponding character of the second character string.
The extraction submodule 3030 is further configured to extract the next second address group from the configuration file when the configuration file still contains a second address group whose second character string has not been compared with the first character string.
The creation submodule 3035 is configured to create a new address group according to the first address group when the second character strings corresponding to all second address groups in the configuration file have been compared with the first character string and all of them differ from the first character string. The created new address group is the address group in the firewall policy.
The output submodule 3036 is configured to output the address group corresponding to the first character string for use in a firewall policy when the first character string is equal to the second character string.
It should be noted that when arrays are compared, the elements in the arrays must be compared one by one, and as the number of array elements increases the computational cost increases exponentially. Specifically, the usual practice when comparing address groups is: (1) calculate the size and scope of the address segment; (2) confirm the address segment information by comparison. However, as the number of address groups or of elements within a group increases, a large amount of computation is incurred, which affects efficiency. The technical solution in Fig. 5 above instead compares single character strings, so the computational complexity and time cost are greatly reduced; at the same time, because the elements are sorted once before the character string comparison, the possibility of a false judgement is also avoided.
For the case in which a port group is compared with the configuration file of the firewall device:
The extraction submodule 3030 is configured to extract the first port group from the access control list. Specifically, the first port group tcp_22,23,80-88 is extracted from the port region of the access control list.
The conversion submodule 3031 is configured to convert the extracted first port group into a first array. Specifically, the form of the first array is tcp or udp followed by port numbers or port number ranges. For example, if the first port group is tcp_22,23,80-88, the first array corresponding to this first port group is tcp 22 23 80-88 (the commas are removed and the space-separated elements are retained).
The extraction submodule 3030 is further configured to extract one second port group from the configuration file of the firewall device.
The conversion submodule 3031 is further configured to convert the second port group extracted from the configuration file into a second array of the same format as the first array.
It should be noted that the technical steps taken to generate the second array are identical to those taken to generate the first array.
The judging submodule 3034 is configured to judge whether the length of the first array is equal to that of the second array, to judge whether the elements in the first array and the second array are identical, and to judge whether the second arrays corresponding to all second port groups in the configuration file have been compared with the first array.
If the lengths of the first array and the second array are unequal and/or the elements in the first array and the second array differ, it judges whether the second arrays corresponding to all second port groups in the configuration file have been compared with the first array.
The creation submodule 3035 is configured to create a new port group according to the first port group when the length of the first array is unequal to that of the second arrays corresponding to all second port groups in the configuration file of the firewall device, and/or the elements in the first array differ from the elements in the second arrays corresponding to all second port groups in the configuration file of the firewall device. The created new port group is a port group in the firewall policy.
The output submodule 3036 is configured to output the first port group corresponding to the first array to form a firewall policy when the elements in the first array are identical to the elements in the second array.
It should be noted that because a port group may contain the special notation of a port range, the method used to judge address groups, which converts all elements into digits before comparison, cannot be used. In the existing technology the two arrays are compared directly by computation, but ordinarily, if there is a large number of port groups on a device, comparing them one by one is very time-consuming. To improve efficiency, the technical solution of the above general matching algorithm first compares the lengths of the two arrays before comparing the arrays themselves, and performs the exact comparison only if the lengths are consistent, which greatly improves operation efficiency.
In addition, the firewall policy generation method of the embodiment of the present invention described with reference to Fig. 1 can be realized by firewall policy generation equipment. Fig. 3 shows a hardware structure diagram of the firewall policy generation equipment provided by an embodiment of the present invention.
The firewall policy generation equipment can include a processor 401 and a memory 402 storing computer program instructions.
Specifically, the above processor 401 can include a central processing unit (CPU), or an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
The memory 402 can include a mass storage for data or instructions. The processor 401 reads and executes the computer program instructions stored in the memory 402 to realize any one of the firewall policy generation methods in the above embodiments. In one example, the firewall policy generation equipment may also include a communication interface 403 and a bus 410. As shown in Fig. 4, the processor 401, the memory 402 and the communication interface 403 are connected by the bus 410 and communicate with each other. The communication interface 403 is mainly used to realize communication between the modules, devices, units and/or equipment in the embodiment of the present invention. The bus 410 includes hardware, software or both, and couples the components of the firewall policy generation equipment to each other.
In addition, in combination with the firewall policy generation method in the above embodiments, the embodiment of the present invention can be realized by providing a computer-readable storage medium. Computer program instructions are stored on the computer-readable storage medium; when executed by a processor, the computer program instructions realize any one of the firewall policy generation methods in the above embodiments.
The above description is merely a specific embodiment. It is apparent to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, modules and units described above may refer to the corresponding processes in the foregoing method embodiments, and details are not repeated here. It should be understood that the protection scope of the present invention is not limited thereto; any person skilled in the art can readily conceive of various equivalent modifications or substitutions within the technical scope disclosed by the present invention, and these modifications or substitutions should be covered by the protection scope of the present invention.

Claims (10)

  1. A firewall policy generation method, characterized in that the method comprises:
    (1) extracting a first address group from an access control list;
    (2) converting each address in the extracted first address group to wildcard mask form;
    (3) performing format processing on each address of the first address group in wildcard mask form, and sorting the addresses after format processing;
    (4) merging the sorted addresses of the first address group into a first character string;
    (5) extracting a second address group from the configuration file of a firewall device;
    (6) converting each address in the second address group extracted from the configuration file to wildcard mask form;
    (7) performing format processing on each address of the second address group in wildcard mask form, and sorting the addresses after format processing;
    (8) merging the sorted addresses of the second address group into a second character string;
    (9) comparing whether the first character string and the second character string are equal;
    (10) when the first character string and the second character string are not equal, performing steps (5)-(9) again, so that the first address group is compared with all second address groups in the configuration file of the firewall device;
    (11) when the first character string is not equal to any of the second character strings corresponding to all the second address groups in the configuration file of the firewall device, creating a new address group according to the first address group;
    (12) when the first character string is equal to the second character string, outputting the first address group corresponding to the first character string.
  2. The method according to claim 1, characterized in that the format processing of each address of the first address group in wildcard mask form is performed by retaining the digits.
  3. The method according to claim 1, characterized in that the first character string being identical to the second character string means that the first character string and the second character string have the same length and that each character of the first character string is identical to the corresponding character of the second character string.
  4. The method according to claim 1, characterized in that the method further comprises:
    (1) extracting a first port group from the access control list;
    (2) converting the extracted first port group into a first array;
    (3) extracting a second port group from the configuration file of the firewall device;
    (4) converting the second port group extracted from the configuration file into a second array of the same format as the first array;
    (5) judging whether the length of the first array is equal to the length of the second array;
    (6) when the length of the first array is equal to the length of the second array, judging whether the elements of the first array are identical to the elements of the second array;
    (7) when the length of the first array is not equal to the length of the second array and/or the elements of the first array differ from the elements of the second array, performing steps (3)-(6) again, so that the first port group is compared with all second port groups in the configuration file of the firewall device;
    (8) when the elements of the first array are identical to the elements of the second array, outputting the first port group corresponding to the first array;
    (9) when the length of the first array is not equal to the length of any of the second arrays corresponding to all the second port groups in the configuration file of the firewall device, or the elements of the first array differ from the elements of every second array corresponding to the second port groups in the configuration file of the firewall device, creating a new port group according to the first port group.
  5. The method according to claim 4, characterized in that the elements of the first array being identical to the elements of the second array means that each character of the first array is identical to the corresponding character of the second array.
  6. The method according to claim 4, characterized in that the format of the first array and of the second array is a tcp or udp address plus a port number or a port number range.
  7. The method according to claim 1, characterized in that the method further comprises:
    invoking the firewall command flow on the firewall device and executing the firewall policy generation instructions on the basis of the firewall policy, so as to complete the deployment of the firewall policy on the firewall device.
  8. A firewall policy generation apparatus, characterized in that the apparatus comprises:
    an extraction submodule, for extracting a first address group from an access control list;
    a conversion submodule, for converting each address in the extracted first address group to wildcard mask form;
    a sorting submodule, for performing format processing on each address of the first address group in wildcard mask form and sorting the addresses after format processing;
    a merging submodule, for merging the sorted addresses of the first address group into a first character string;
    the extraction submodule being further used to extract a second address group from the configuration file of a firewall device;
    the conversion submodule being further used to convert each address in the second address group extracted from the configuration file to wildcard mask form;
    the sorting submodule being further used to perform format processing on each address of the second address group in wildcard mask form and to sort the addresses after format processing;
    the merging submodule being further used to merge the sorted addresses of the second address group into a second character string;
    a judging submodule, for comparing whether the first character string and the second character string are equal, and for judging whether the first address group has been compared with all second address groups in the configuration file of the firewall device;
    a creation submodule, for creating a new address group according to the first address group when the first character string is not equal to any of the second character strings corresponding to all the second address groups in the configuration file of the firewall device;
    an output submodule, for outputting the first address group corresponding to the first character string when the first character string is equal to the second character string.
  9. A firewall policy generation device, characterized in that it comprises at least one processor, at least one memory, and computer program instructions stored in the memory, wherein the computer program instructions, when executed by the processor, implement the method according to any one of claims 1-8.
  10. A computer-readable storage medium on which computer program instructions are stored, characterized in that the computer program instructions, when executed by a processor, implement the method according to any one of claims 1-8.
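The procedure of claims 1-6, written out as an added example in Python; this is not code from the patent or its applicant. The patent does not name a device syntax, so the example assumes Cisco-style entries on both sides (wildcard masks in the ACL, subnet masks and "object-group network|service" blocks in the firewall configuration). It implements the "retain digits" format processing of claim 2 with every octet zero-padded to three places, because a bare digit string would make 10.1.2.0 and 101.2.0 indistinguishable. The group names, the sample configuration and the ACL entries are constructed for the example.

```python
"""Added example (not code from the patent): canonicalise an ACL's address group and
port group as claims 1-6 describe, then match each against the object groups already
defined in a firewall configuration, creating a new group when nothing matches.
Assumed, as the patent states none of it: Cisco-style syntax on both sides, wildcard
masks in the ACL, subnet masks in the configuration, and "retain digits" done with each
octet zero-padded to three places so that 10.1.2.0 and 101.2.0 cannot collide."""
import ipaddress
import re
from typing import Dict, List, Tuple

ALL_ONES = 0xFFFFFFFF

def to_wildcard(entry: str, mask_style: str) -> Tuple[str, str]:
    """Claim 1 step (2): 'any' / 'host A' / 'A MASK' -> (network, wildcard mask)."""
    tokens = entry.split()
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255"
    if tokens[0] == "host":
        return str(ipaddress.ip_address(tokens[1])), "0.0.0.0"
    addr = int(ipaddress.ip_address(tokens[0]))
    mask = int(ipaddress.ip_address(tokens[1]))
    wildcard = mask ^ ALL_ONES if mask_style == "subnet" else mask
    network = addr & (wildcard ^ ALL_ONES)  # clear host bits so 10.1.2.7/24 equals 10.1.2.0/24
    return str(ipaddress.ip_address(network)), str(ipaddress.ip_address(wildcard))

def format_digits(network: str, wildcard: str) -> str:
    """Claim 2: keep only the digits; the 3-place octet padding is this example's choice."""
    return "".join(f"{int(o):03d}" for o in f"{network}.{wildcard}".split("."))

def address_group_string(entries: List[str], mask_style: str) -> str:
    """Claim 1 steps (2)-(4): convert, format, sort, merge into one comparable string."""
    return ",".join(sorted(format_digits(*to_wildcard(e, mask_style)) for e in entries))

def to_port_array(entries: List[str]) -> List[str]:
    """Claim 4 step (2), claim 6: 'tcp eq 80' / 'udp range 50 60' -> sorted 'proto/port' array."""
    out = []
    for e in entries:
        m = re.fullmatch(r"(tcp|udp)\s+(?:eq\s+(\d+)|range\s+(\d+)\s+(\d+))", e.strip())
        if not m:
            raise ValueError(f"unsupported port entry: {e!r}")
        proto, single, lo, hi = m.groups()
        out.append(f"{proto}/{single}" if single else f"{proto}/{lo}-{hi}")
    return sorted(out)

def port_arrays_equal(a: List[str], b: List[str]) -> bool:
    """Claim 4 steps (5)-(6), claim 5: length first, then element by element."""
    return len(a) == len(b) and all(x == y for x, y in zip(a, b))

def parse_object_groups(config: str) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Claim 1 step (5), claim 4 step (3): collect object-group network|service blocks."""
    nets, services, target, proto = {}, {}, None, None
    for line in config.splitlines():
        m = re.match(r"object-group (network|service) (\S+)(?: (tcp|udp))?", line)
        if m:
            kind, name, proto = m.groups()
            target = (nets if kind == "network" else services).setdefault(name, [])
        elif target is not None and line.startswith(" network-object "):
            target.append(line.split(None, 1)[1])
        elif target is not None and line.startswith(" port-object "):
            target.append(f"{proto} {line.split(None, 1)[1]}")
    return nets, services

def match_address_group(acl: List[str], nets: Dict[str, List[str]], new_name="ACL_NET_NEW"):
    """Claim 1 steps (5)-(12): reuse the first group whose string matches, else create one."""
    wanted = address_group_string(acl, "wildcard")
    for name, entries in nets.items():
        if address_group_string(entries, "subnet") == wanted:  # claim 3: plain string equality
            return name, False
    objects = []
    for entry in acl:  # write the new group in the configuration's own subnet-mask style
        net, wc = to_wildcard(entry, "wildcard")
        subnet = ipaddress.ip_address(int(ipaddress.ip_address(wc)) ^ ALL_ONES)
        objects.append(f"host {net}" if wc == "0.0.0.0" else f"{net} {subnet}")
    nets[new_name] = objects
    return new_name, True

def match_port_group(acl: List[str], services: Dict[str, List[str]], new_name="ACL_SVC_NEW"):
    """Claim 4 steps (3)-(9): the same search over service groups, comparing arrays."""
    wanted = to_port_array(acl)
    for name, entries in services.items():
        if port_arrays_equal(wanted, to_port_array(entries)):
            return name, False
    services[new_name] = list(acl)
    return new_name, True

# Constructed sample input: one firewall configuration and three ACL groups.
SAMPLE_CONFIG = """\
object-group network DMZ_WEB
 network-object host 10.1.2.7
 network-object 10.1.0.0 255.255.0.0
object-group service WEB_PORTS tcp
 port-object eq 80
 port-object eq 443
 port-object range 8000 8080
"""
ACL_WEB = ["10.1.0.0 0.0.255.255", "host 10.1.2.7"]    # DMZ_WEB again, other order and mask style
ACL_DB = ["10.9.0.0 0.0.0.255", "10.10.0.0 0.0.0.255"]  # matches nothing: a new group is created
ACL_PORTS = ["tcp range 8000 8080", "tcp eq 443", "tcp eq 80"]
```

Calling `parse_object_groups(SAMPLE_CONFIG)` and then `match_address_group(ACL_WEB, nets)` returns `("DMZ_WEB", False)`, `match_port_group(ACL_PORTS, services)` returns `("WEB_PORTS", False)`, and `match_address_group(ACL_DB, nets)` returns `("ACL_NET_NEW", True)` after adding the new group to `nets`; the name and the created flag are what the deployment step of claim 7 acts on. The comparison is exact set equality after canonicalisation, so a configured group that merely contains the ACL's addresses is not reused; that keeps the generated policy no broader than the ACL, at the cost of a new group for every distinct set.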

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711495427.3A CN107948205B (en) 2017-12-31 2017-12-31 Firewall strategy generation method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN107948205A true CN107948205A (en) 2018-04-20
CN107948205B CN107948205B (en) 2020-10-27

Family

ID=61938258

Country Status (1)

Country Link
CN (1) CN107948205B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012051868A1 (en) * 2010-10-20 2012-04-26 中兴通讯股份有限公司 Firewall policy distribution method, client, access server and system
CN104717182A (en) * 2013-12-12 2015-06-17 华为技术有限公司 Security policy deployment method and device for network firewall
CN105704093A (en) * 2014-11-25 2016-06-22 中国移动通信集团设计院有限公司 Firewall access control strategy debugging method, device and system

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109040089A (en) * 2018-08-15 2018-12-18 深圳前海微众银行股份有限公司 Network strategy auditing method, equipment and computer readable storage medium
CN109040089B (en) * 2018-08-15 2021-06-08 深圳前海微众银行股份有限公司 Network policy auditing method, equipment and computer readable storage medium
CN109088886A (en) * 2018-09-29 2018-12-25 郑州云海信息技术有限公司 The management method and device of monitoring strategies on firewall
CN109361711B (en) * 2018-12-14 2021-10-29 泰康保险集团股份有限公司 Firewall configuration method and device, electronic equipment and computer readable medium
CN109361711A (en) * 2018-12-14 2019-02-19 泰康保险集团股份有限公司 Firewall configuration method, apparatus, electronic equipment and computer-readable medium
CN109547502A (en) * 2019-01-22 2019-03-29 成都亚信网络安全产业技术研究院有限公司 Firewall ACL management method and device
CN111163061A (en) * 2019-12-11 2020-05-15 中盈优创资讯科技有限公司 Method and device for analyzing policy information of gateway equipment
CN111711635A (en) * 2020-06-23 2020-09-25 平安银行股份有限公司 Firewall opening method and device, computer equipment and storage medium
CN111711635B (en) * 2020-06-23 2024-03-26 平安银行股份有限公司 Firewall wall opening method and device, computer equipment and storage medium
CN112383507A (en) * 2020-10-16 2021-02-19 深圳力维智联技术有限公司 Firewall policy management method, device and system and computer readable storage medium
CN112738114A (en) * 2020-12-31 2021-04-30 四川新网银行股份有限公司 Configuration method of network security policy
CN112968896A (en) * 2021-02-24 2021-06-15 深圳天元云科技有限公司 Vector compression-based firewall policy filtering method, system, terminal and storage medium
CN112968896B (en) * 2021-02-24 2022-06-24 深圳天元云科技有限公司 Vector compression-based firewall policy filtering method, system, terminal and storage medium
CN113329022A (en) * 2021-05-31 2021-08-31 北京天融信网络安全技术有限公司 Information processing method of virtual firewall and electronic equipment
CN113329022B (en) * 2021-05-31 2022-08-05 北京天融信网络安全技术有限公司 Information processing method of virtual firewall and electronic equipment

Also Published As

Publication number Publication date
CN107948205B (en) 2020-10-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant