CN107948205A - Firewall strategy-generating method, device, equipment and medium - Google Patents
- Publication number: CN107948205A (application CN201711495427.3A)
- Authority: CN (China)
- Prior art keywords: group, addresses, character string, array, address
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L61/00—Network arrangements, protocols or services for addressing or naming
        - H04L61/09—Mapping addresses
          - H04L61/25—Mapping addresses of the same type
            - H04L61/2503—Translation of Internet protocol [IP] addresses
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
          - H04L63/0227—Filtering policies
            - H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
        - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
          - H04L63/101—Access control lists [ACL]
        - H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
          - H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
An embodiment of the invention discloses a firewall policy generation method, device, equipment and medium. The method includes: extracting a first address group from an access control list; extracting a second address group from the configuration file of a firewall device; comparing whether the first character string corresponding to the first address group and the second character string corresponding to the second address group are equal; when the first character string is unequal to the second character strings corresponding to all second address groups in the configuration file of the firewall device, creating a new address group according to the first address group; and when the first character string is equal to the second character string, outputting the first address group corresponding to the first character string. The invention shields the differences between the equipment of different vendors and generates firewall policies while ensuring accuracy, greatly improving the efficiency of firewall policy generation.
Description
Technical field
The present invention relates to the technical field of computer network management, and in particular to a firewall policy generation method, device, equipment and medium.
Background technology
Because of factors such as security risk protection and IP address expansion, a network generally needs to be divided into different security zones, and firewalls need to be deployed between the security zones to implement access control and security isolation and to filter the data packets entering and leaving ports, so as to protect the system. Access control is implemented through firewall policies, so writing firewall policies is an important part of day-to-day firewall maintenance, and writing the firewall policies of different vendors efficiently and accurately is a major problem that maintenance work needs to solve.
Existing firewall policy preparation is still mainly done by hand: policies are translated and written one by one, and the vendor of each firewall, the command-line format and the object groups are judged manually. This depends on the network engineers' familiarity with the policy syntax and configuration method of each vendor's firewall. In a large network with many firewall vendors and differing versions and models, the limitations of this manual approach become more pronounced.
The above prior art has limitations and leaves several problems to be solved. Each vendor's firewall has its own policy specification, and without the support of a unified southbound interface, network engineers must spend a great deal of time becoming familiar with the syntax rules of each vendor, which is time-consuming and laborious. A large network has many firewall brands and models, so routine maintenance of firewall policies is complicated and difficult, and the operation and maintenance cost is high. Judging and writing command lines one by one by hand, and manually judging the vendor of each firewall, the command-line format and the object-group contents, is inefficient, has a low recognition rate and a high error rate, and easily produces a large number of redundant command lines; over time, redundant command lines may affect the execution efficiency of the firewall device and may even cause erroneous policies, creating security risks.
The content of the invention
An embodiment of the present invention provides a firewall policy generation method, device, equipment and medium that can improve the efficiency of writing firewall policies.
In a first aspect, an embodiment of the present invention provides a firewall policy generation method, the method including:
(1) extracting a first address group from an access control list;
(2) converting each address in the extracted first address group into wildcard mask form;
(3) performing format processing on each address of wildcard mask form in the first address group, and sorting the addresses after format processing;
(4) merging the sorted addresses in the first address group into a first character string;
(5) extracting a second address group from the configuration file of the firewall device;
(6) converting each address in the second address group extracted from the configuration file into a second wildcard mask form;
(7) performing format processing on each address of wildcard mask form in the second address group, and sorting the addresses after format processing;
(8) merging the sorted addresses in the second address group into a second character string;
(9) comparing whether the first character string and the second character string are equal;
(10) when the first character string and the second character string are unequal, performing steps (5) to (9) again, so that the first address group is compared with all second address groups in the configuration file of the firewall device;
(11) when the first character string is unequal to the second character strings corresponding to all second address groups in the configuration file of the firewall device, creating a new address group according to the first address group;
(12) when the first character string is equal to the second character string, outputting the first address group corresponding to the first character string.
Optionally, the format processing of each address of wildcard mask form in the first address group is performed by retaining digits.
Optionally, the first character string being identical to the second character string means that the first character string and the second character string have the same length and that each character of the first character string is identical to the corresponding character of the second character string.
Optionally, the method further includes:
(1) extracting a first port group from the access control list;
(2) converting the extracted first port group into a first array;
(3) extracting a second port group from the configuration file of the firewall device;
(4) converting the second port group extracted from the configuration file into a second array of the same format as the first array;
(5) judging whether the length of the first array is equal to the length of the second array;
(6) when the lengths of the first array and the second array are equal, judging whether the elements in the first array are identical to the elements in the second array;
(7) when the length of the first array is unequal to the length of the second array and/or the elements in the first array differ from the elements in the second array, performing steps (3) to (6) again, so that the first port group is compared with all second port groups in the configuration file of the firewall device;
(8) when the elements in the first array are identical to the elements in the second array, outputting the first port group corresponding to the first array;
(9) when the length of the first array is unequal to the lengths of the second arrays corresponding to all second port groups in the configuration file of the firewall device, or the elements in the first array differ from the elements in the second arrays corresponding to all second port groups in the configuration file of the firewall device, creating a new port group according to the first port group.
Optionally, the elements in the first array being identical to the elements in the second array means that each character of the first array is identical to the corresponding character of the second array.
Optionally, the format of the first array and the second array is a tcp or udp address plus a port number or a port range.
Optionally, the method further includes:
calling the firewall command flow in the firewall device and generating firewall policy execution instructions based on the firewall command flow and the firewall policy, so as to complete the deployment of the firewall policy on the firewall device.
In a second aspect, the present invention also provides a firewall policy generation device, the device including:
an extraction submodule, for extracting a first address group from an access control list;
a conversion submodule, for converting each address in the extracted first address group into wildcard mask form;
a sorting submodule, for performing format processing on each address of wildcard mask form in the first address group and sorting the addresses after format processing;
a merging submodule, for merging the sorted addresses in the first address group into a first character string;
the extraction submodule being further used for extracting a second address group from the configuration file of the firewall device;
the conversion submodule being further used for converting each address in the second address group extracted from the configuration file into a second wildcard mask form;
the sorting submodule being further used for performing format processing on each address of wildcard mask form in the second address group and sorting the addresses after format processing;
the merging submodule being further used for merging the sorted addresses in the second address group into a second character string;
a judging submodule, for comparing whether the first character string and the second character string are equal, and for judging whether the first address group has been compared with all second address groups in the configuration file of the firewall device;
a creation submodule, for creating a new address group according to the first address group when the first character string is unequal to the second character strings corresponding to all second address groups in the configuration file of the firewall device;
an output submodule, for outputting the first address group corresponding to the first character string when the first character string is equal to the second character string.
In a third aspect, an embodiment of the present invention provides firewall policy generation equipment, including at least one processor, at least one memory, and computer program instructions stored in the memory; when the computer program instructions are executed by the processor, the method of the first aspect in the above embodiment is implemented.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium on which computer program instructions are stored; when the computer program instructions are executed by a processor, the method of the first aspect in the above embodiment is implemented.
The firewall policy generation method, device, equipment and medium provided by the embodiments of the present invention use a first general matching algorithm and a second general matching algorithm to realize a standardized southbound interface, shield the differences between the equipment of different vendors, and automatically generate firewall policies while ensuring accuracy, greatly improving the efficiency of firewall policy generation.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings required in the embodiments are briefly described below. For those of ordinary skill in the art, other drawings can be obtained from these drawings without creative effort.
Fig. 1 shows a schematic diagram of the firewall policy generation method of an embodiment of the present invention.
Fig. 2 shows a structural diagram of the firewall policy generation device of an embodiment of the present invention.
Fig. 3 shows a structural diagram of the comparison module in the firewall policy generation device of an embodiment of the present invention.
Fig. 4 shows a structural diagram of firewall policy generation equipment of an embodiment of the present invention.
Fig. 5 shows a schematic diagram of the access control list of an embodiment of the present invention.
Fig. 6 shows a flow chart of the address group generation method in the firewall policy of an embodiment of the present invention.
Fig. 7 shows a simplified flow chart of the address group generation method based on an embodiment in Fig. 6.
Fig. 8 shows a flow chart of the port group generation method in the firewall policy generation method of an embodiment of the present invention.
Fig. 9 shows a simplified flow chart of the port group generation method based on an embodiment in Fig. 8.
Embodiment
The features and exemplary embodiments of the various aspects of the present invention are described in detail below. In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention is further described in detail with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the present invention, not to limit it. To those skilled in the art, the present invention can be practised without some of these details. The description of the embodiments below is provided only to give a better understanding of the present invention by showing examples of it.
For convenience of explanation, before describing the invention in detail, the terms related to firewalls are defined.
A firewall is a technical measure for protecting network security. It isolates the internal and external networks by establishing a corresponding network communication monitoring system on the network boundary, so as to block intrusions from the external network. The basic role of a firewall is to protect a particular network from attacks by "untrusted" networks, while at the same time allowing legitimate communication between the two networks.
A firewall policy is the basic security control mechanism of a firewall that checks, according to certain rules, whether a data flow may pass. A firewall policy is deployed by means of firewall policy execution instructions, and the deployed policy performs the check on the data flow: by checking the incoming data flow, only legitimate traffic that meets the firewall policy is allowed through the firewall. Through firewall security policies, the permissions of the internal network to access the external network, the access permissions between subnets of different security levels within the internal network, and so on, can be controlled. At the same time, access to the device itself can be controlled.
A five-tuple is a communication term that usually refers to the source address, source port, destination address, destination port and transport-layer protocol. The source address is the IP address of the originating end of the data flow; the destination address is the IP address the data flow finally reaches; the source port is the communication port used by the originating end of the data flow; the destination port is the communication port that the data flow accesses; and the transport-layer protocol, such as TCP or UDP, provides privacy and reliability between two communicating applications.
An access control list (ACL) is a list of instructions applied to a router interface; the list tells the router which data packets may be received and which must be rejected.
Address group: composed of multiple IP addresses or network segments. The address group can be the source addresses or the destination addresses. If it is called repeatedly, it can be defined as an object group, which is convenient to call and also reduces the command lines of the ACL.
Port group: composed of multiple ports. If it is called repeatedly, it can be defined as an object group, which is convenient to call and also reduces the number of command lines of the ACL.
Algorithm: an accurate and complete description of a problem-solving scheme, i.e. a series of clear instructions for solving a problem; an algorithm describes the strategy for solving a problem in a systematic way. In other words, for input of a certain specification, the required output is obtained in finite time. Different algorithms may complete the same task with different time, space or efficiency, and the quality of an algorithm can be measured by its space complexity and time complexity.
Fig. 1 shows a schematic diagram of the firewall policy generation method of an embodiment of the present invention.
The method includes the following steps:
Step S10: automatically extracting the content of each parameter region in the access control list. The access control list includes at least, but is not limited to, data such as the source address, destination address, network protocol, destination port and custom parameters. In one embodiment of the present invention, the access control list is a standardized work order. Specifically, as shown in figure 4, the access control list is divided into four regions: a source address region (the region storing source addresses), a destination address region (the region storing destination addresses), a destination port region (the region storing ports) and a parameter region (storing user-defined parameters). Different regions are separated by spaces and no space appears within a region; the last region, the parameter region, is an additional function used when needed. The access control list can be saved in any file format, for example, but not limited to, TXT or WORD format.
The access control list meets the following five requirements: (1) one line of content represents one firewall policy, and the access control list supports multiple firewall policies at the same time; for example, as shown in figure 4, the first line includes the source addresses (192.168.76.2, 192.168.77), the destination addresses (10.33.254.103, 10.33.254.1) and the destination ports (udp_8105-8888, 1235); (2) the source address and destination address support IP addresses, network segments and customized special network segments, with multiple addresses separated by commas; (3) the destination port indicates the protocol type and supports ports and port ranges, with ports separated from each other, or from port ranges, by commas; (4) the parameter region is used to represent custom information such as the starting sequence number of the rule numbers (the numbers denoted by rule; i.e. the number "200" in Fig. 4) and the firewall policy number (i.e. the number "3000" in Fig. 4); (5) when a region contains more than 3 elements, object-group judgement (i.e. address group and/or port group) is performed.
Step S20: converting the extracted content of each parameter region into a corresponding data object. Specifically, the data objects include the data object of the address group, the data object of the network protocol, the data object of the port group and the data object of the custom parameters, where the data object of the address group includes the data object of the source address and the data object of the destination address. That is, the source address and destination address are converted into the data object of the address group, the network protocol into the data object of the network protocol, the destination port into the data object of the port group, and the custom parameters into the data object of the custom parameters.
Step S30: comparing the converted data objects with the data in the configuration file in the firewall device and generating the firewall policy. In one embodiment of the present invention, the data object of the address group is compared with the source addresses in the configuration file in the firewall device, the data object of the network protocol is compared with the network protocol numbers in the configuration file, the data object of the port group is compared with the port numbers in the configuration file, and the data object of the custom parameters is compared with the rule numbers and firewall policy numbers in the configuration file. It should be noted that, because the firewall devices of different vendors use different format specifications and different formats for address groups (i.e. source address, destination address, etc.) and port groups (i.e. information such as port numbers), a simple computational comparison is inefficient. Therefore, in one embodiment of the present invention, when the data object of the address group (or of the port group) is compared with the configuration file of the firewall device, the data object of the address group (or of the port group) and the corresponding data in the configuration file of the firewall device are both subjected to a specific format conversion.
The manner of comparing the data object of the address group (i.e. the data objects of the source address and destination address) with the address group data in the configuration file of the firewall device is described in detail in Fig. 5 to Fig. 6, and the manner of comparing the data object of the port group with the port data in the configuration file of the firewall device is described in detail in Fig. 7 to Fig. 8.
Further, because the network protocol, the rule number and the policy number are relatively fixed and change little, they can be compared directly, i.e. the network protocol, rule number and policy number in the access control list are compared directly with the corresponding data in the configuration file in the firewall device.
Further, the comparison of firewall policy numbers requires reading the configuration file on the firewall device. Because different vendors define policy numbers differently, no unified solution can be found, and the firewall policy numbers have to be handled in a customized way for each vendor. For example, the vendor Juniper adds the policy number in the form of a rule, security policies from-zone Trust to-zone DMZ policy XXX match source-address 10.0.0.0/8, to which a sequence number is added; Huawei firewall devices add the firewall policy number with policy XXX; and H3C firewall devices add the firewall policy number with acl number XXX. Further, when generating firewall policy numbers, attention should be paid to keeping the number sequence increasing; in some necessary cases the policy number can be determined in the work order document, so as to ensure that the generated firewall policy execution instruction lines can be used correctly.
In addition, some vendors' devices require judging the direction of the firewall policy, which needs the zone definitions in the device configuration to be read and judged further. For these vendors' devices, a template needs to be defined separately, and the user must specify the template number before further judgement can be made. For example, Juniper devices indicate the direction with from-zone XXX to-zone XXX, and here the zone content needs to be customized in advance before an accurate judgement can be made for the work order.
Step S40: calling the firewall command flow in the firewall device. Specifically, the firewall device of each vendor is provided with a corresponding firewall command flow, which can be called from the firewall device in advance.
Step S50: generating firewall policy execution instructions according to the firewall command flow in the firewall device and the firewall policy, so as to complete the deployment of the firewall policy on the firewall device. Specifically, the firewall device of each vendor is provided with a corresponding firewall command flow; executing the firewall command flow and inputting the corresponding firewall policy generates the corresponding firewall policy execution instructions, which complete the deployment of the firewall policy. The generated firewall policy execution instructions are the command lines used to execute the firewall policy.
It should be noted that writing firewall policy execution instructions involves a great many calls to five-tuples, address groups and port groups, and the judgement of address groups and port groups is the most difficult: different vendors have different format specifications and different patterns for address groups and port groups, so comparing them by simple computation is very inefficient. The present invention uses a first general matching algorithm to match address groups and a second general matching algorithm to match port groups, which not only increases matching efficiency but also takes accuracy into account, improving the efficiency of firewall policy generation.
Referring to Fig. 6 and Fig. 7, Fig. 6 shows a flow chart of the address group generation method in the firewall policy of an embodiment of the present invention, and Fig. 7 shows a simplified flow chart of the address group generation method based on an embodiment in Fig. 6.
Step S100: extracting a first address group from the access control list. In one embodiment of the present invention, the destination address group is taken as the example. Specifically, the destination address group extracted from the access control list is: 10.33.208.0/24, 10.33.208.231, 10.33.208.232.
Step S101: converting each address in the extracted first address group into wildcard mask form. Specifically, 10.33.208.0/24, 10.33.208.231 and 10.33.208.232 are converted into the three first wildcard masks 10.33.208.0.0.0.0.255, 10.33.208.231.0 and 10.33.208.232.0.
Step S102: performing format processing on each address of wildcard mask form in the first address group and sorting the addresses after format processing. Specifically, the digits of each first wildcard mask are retained (useless characters such as periods, commas, spaces and other characters are removed) and the results are then sorted. For example, after digit retention the three first wildcard masks become 10332080000255, 10332082310 and 10332082320, and after sorting they become 10332082310, 10332082320 and 10332080000255.
Step S103: merging the sorted addresses in the first address group into a first character string. Specifically, 10332082310, 10332082320 and 10332080000255 are merged into 103320823101033208232010332080000255. In other words, step S103 merges the character strings of multiple network segments into a single character string.
Step S104: extracting a second address group from the configuration file of the firewall device.
Step S105: converting each address in the second address group extracted from the configuration file into a second wildcard mask form.
Step S106: performing format processing on each address of wildcard mask form in the second address group and sorting the addresses after format processing.
Step S107: merging the sorted second wildcard masks into a second character string.
It should be noted that the technical steps used to generate the second character string are the same as those used to generate the first character string.
Step S108: judging whether the first character string is identical to the second character string. When the first character string and the second character string differ, the flow enters step S109; when the first character string is equal to the second character string, the flow enters step S111. The first character string being identical to the second character string means that the first character string and the second character string have the same length and that each character of the first character string is identical to the corresponding character of the second character string.
Step S109: when the first character string and the second character string differ, judging whether the second character strings corresponding to all second address groups in the configuration file have been compared with the first character string. When the second character strings corresponding to all second address groups in the configuration file have been compared with the first character string, the flow enters step S110. Otherwise, when there are still second address groups in the configuration file whose second character strings have not been compared with the first character string, the flow returns to step S104 and extracts the next second address group from the configuration file.
Step S110: creating a new address group according to the first address group. The newly created address group is the address group in the firewall policy.
Step S111: outputting the address group corresponding to the first character string for use in a firewall policy.
It should be noted that when comparing arrays, the elements in the arrays must be compared one by one, and the computational cost grows exponentially with the number of array elements. Specifically, the usual practice when comparing address groups is: (1) calculate the size and range of the address segments; (2) confirm the address segment information by comparison. However, as the number of address groups or the number of elements in a group increases, a large amount of computation arises, which affects working efficiency. The technical solution in Fig. 5 above instead compares single character strings, so the computational complexity and therefore the time cost are greatly reduced; at the same time, the elements are sorted once before the character string comparison, which also avoids the possibility of a false judgement.
With reference to Fig. 8 and Fig. 9: Fig. 8 shows the flow chart of the port group generation method within the firewall policy generation method of the embodiment of the present invention, and Fig. 9 shows the simplified flow chart of the port group generation method based on one embodiment in Fig. 8.
Step S200: extract the first port group from the access control list. Specifically, the first port group tcp_22,23,80-88 is extracted from the port field of the access control list.
Step S201: convert the extracted first port group into the first array. Specifically, the first array has the form of the tcp or udp prefix followed by port numbers or port ranges. For example, if the first port group is tcp_22,23,80-88, the corresponding first array is tcp 22 23 80-88 (commas removed, elements separated by spaces).
Step S202: extract a second port group from the configuration file of the firewall device.
Step S203: convert the second port group extracted from the configuration file into a second array in the same format as the first array.
Note that the second array is produced by exactly the same technical steps as the first array.
Step S204: judge whether the first array and the second array have equal length. If the lengths are equal, the flow proceeds to step S205; if they are unequal, the flow proceeds to step S206.
Step S205: judge whether the elements of the first array and the second array are identical. If they differ, the flow proceeds to step S206; if they are identical, the flow proceeds to step S208. The elements are identical when every element of the first array agrees with the corresponding element of the second array.
Step S206: judge whether all second port groups in the configuration file have been compared with the first array. If the second arrays of all second port groups in the configuration file have been compared with the first array, the flow proceeds to step S207. Otherwise, if some second port group's second array has not yet been compared with the first array, the flow returns to step S202 and extracts the next port group from the configuration file.
Step S207: create a new port group from the first port group. The newly created port group is a port group in the firewall policy.
Step S208: output the first port group corresponding to the first array to form a firewall policy.
Note that because port groups use a special notation for port ranges, the address group approach of turning every element into digits before comparing cannot be used. The existing technique compares the two arrays directly by computation, but when a device holds a large number of port groups, comparing them one by one wastes a great deal of time. To improve efficiency, the technical solution of Fig. 6 first compares the lengths of the two arrays and only performs the exact element comparison when the lengths agree, which greatly improves operating efficiency.
The following illustrates the firewall policy generation for each major vendor based on the technical solution of the present invention.
Example I:
The firewall policy generation for Juniper devices is illustrated as follows:
(a) Judge whether each element in the ACL already exists in the configuration file. If it does, no new object group is formed; if it does not, the corresponding object group (NEW_SOURCE_ADDRESS_GROUP, NEW_DESTINATION_ADDRESS_GROUP) is generated with commands such as:
set security zones security-zone Trust address-book address 10.1.1.1/32 10.1.1.1/32
set security zones security-zone Trust address-book address-set NEW_DESTINATION_ADDRESS_GROUP address 10.3.1.2/32
set security policies from-zone DMZ to-zone Trust policy A-access-B match destination-address NEW_DESTINATION_ADDRESS_GROUP
When each element of the ACL in (a) is compared with the configuration file, the general matching algorithm of the present technical solution is used to compare the address groups and port groups. This realizes a standardized southbound interface, hides the differences between vendors' devices, and greatly improves the efficiency of firewall policy generation while ensuring accuracy.
(b) The order of the elements in an object does not affect the judgement of the object group;
(c) For a host IP address in the access control list, the generated command line adds a /32 mask;
(d) If the source address contains `10.2.0.0/16-10.4.0.0/16`, or a pre-defined special network segment such as `192.168.7.0/24, 192.168.8.0/24, 192.168.9.0/24`, it is judged to be the special address group: set security policies from-zone DMZ to-zone Trust policy A-access-B match source-address oavpn-group;
(e) The 10 network segment and the 192 network segment must not appear in the destination address at the same time, since that affects the judgement of the zone direction; a warning prompt is raised if they do;
(f) When generating address objects, the 2.1.*.* segment belongs to zone DMZ and all others to Trust:
set security zones security-zone Trust address-book address 1.1.1.1/32 1.1.1.1/32
set security zones security-zone DMZ address-book address 2.1.1.1/32 2.1.1.1/32
(g) When the destination address is in the 1.1.1.* segment, the zone direction is **Trust to-zone DMZ**; when the destination address is in the 2.1.1.* segment or any other, the zone direction is **DMZ to-zone Trust**;
(h) When a new port is detected, a new port object is generated with commands such as:
set applications application tcp_111-1111 protocol tcp
set applications application tcp_111-1111 destination-port 111-1111
(i) The parameter field indicates the firewall policy name; when it is filled in, its content is read, otherwise the name defaults to A-access-B.
Example II:
The firewall policy generation for Huawei devices based on HuaWei Policy is illustrated as follows:
(a) Judge whether each element in the ACL already exists in the configuration file. If it does, no new object group is formed; if it does not, the corresponding object group (NEW_SOURCE_ADDRESS_GROUP, NEW_DESTINATION_ADDRESS_GROUP, NEW_PORT_GROUP) is generated with commands such as:
ip address-set NEW_DESTINATION_ADDRESS_GROUP type object
policy destination address-set NEW_DESTINATION_ADDRESS_GROUP
When each element of the ACL in (a) is compared with the configuration file, the general matching algorithm of the present technical solution is used to compare the address groups and port groups. This realizes a standardized southbound interface, hides the differences between vendors' devices, and greatly improves the efficiency of firewall policy generation while ensuring accuracy.
(b) The order of the elements in an object does not affect the judgement of the object group;
(c) When a new object group is generated, the prompt is preceded by a sequence number, which is the policy number. If the number is #276, note that this is an unknown port group: the port group name must be updated afterwards when the new port group is generated.
(d) A host IP address in the ACL is converted in the generated command line into "x.x.x.x 0", and an IP network segment into "network-number wildcard-mask";
(e) A port A is converted into shyA; a port range A-B is converted into shyAtoB, with the ports written as A to B:
ip service-set shy8106 type object
service 0 protocol tcp source-port 0 to 65535 destination-port 1111
ip service-set NEW_PORT_GROUP type object
service 0 protocol tcp source-port 0 to 65535 destination-port 111 to 1111
(f) In an address group, entries are shown in the form "address <sequence-number> <ip> <wildcard-mask>":
ip address-set NEW_SOURCE_ADDRESS_GROUP type object
address 0 10.2.2.3 0
address 1 10.2.2.4 0
address 2 10.2.3.5 0.0.0.3
(g) The fixed beginning of the firewall policy is
policy interzone trust untrust outbound
undo policy 1000
(h) The fixed end of the policy is
policy 1000
action deny
policy logging
* The script reads the policy number from `policy interzone trust untrust outbound`.
Example III:
The firewall policy generation for Huawei devices based on HuaWei ACL is illustrated as follows:
(a) Huawei devices use different commands when policies are added through an ACL;
(b) All rules are written under `acl number ****`;
(c) A port range A-B is converted into `range A B`;
(d) Referencing an address group requires the `address-set` keyword;
(e) The address group command line `ip address-set <object-group-name>` has no `type object` keyword:
ip address-set NEW_SOURCE_ADDRESS_GROUP
ip address-set NEW_DESTINATION_ADDRESS_GROUP
(f) Because there is no policy number, the prompted sequence number corresponds to the line number in acl.txt. In addition, if the sequence number is #1, note that this is an unknown source address group: a new address group is generated and the object name must be updated afterwards; if the sequence number is #2, note that this is an unknown destination address group: a new address group is generated and the object name must be updated afterwards;
(g) The starting rule number is obtained by reading the sequence number of `deny ip` under `acl number ****`, which positions the rule:
931 permit tcp source address-set NEW_SOURCE_ADDRESS_GROUP destination 10.3.1.1 0 destination-port eq 80
Example IV:
The firewall policy generation for H3C products is illustrated as follows:
1) H3C does not judge address groups or port groups; policies are added through an acl, and the rule generation is similar to the `HuaWeiACL` implementation;
2) When the source address starts with 1, the work order starts with `acl number 30**`; in other cases, `acl number 30**`.
In Examples I to IV above, the generated firewall policy configuration commands can be produced automatically by directly invoking the firewall command flow of the firewall device.
The present invention can be adapted to multiple major brands of firewall, hides the differences between vendors' devices and realizes a standardized southbound interface. At the same time, firewall policies can be written automatically in batches, which simplifies the firewall policy configuration process, improves the efficiency of policy generation, reduces the complexity of network operation and brings large savings in time and operating cost. In addition, moving from the traditional manual approach to automatic batch generation reduces the probability of human error, effectively improves the efficiency and accuracy of firewall policy generation, avoids invalid and redundant policies, and ensures the safe and stable operation of the system.
In addition, the firewall policy generation method described with reference to Fig. 1 in the embodiment of the present invention can be implemented by a firewall policy generation device. Fig. 2 shows the structure of the firewall policy generation device provided by an embodiment of the present invention.
Specifically, the firewall policy generation device comprises an acquisition module 301, a conversion module 302, a comparison module 303, a calling module 304 and a generation module 305.
The acquisition module 301 automatically obtains the content of each parameter field in the access control list. The access control list includes, at least but not limited to, data such as the source address, destination address, network protocol, destination port and custom parameters. In one embodiment of the present invention the access control list is a standardized work order. Specifically, as shown in Fig. 4, the access control list is divided into four fields: the source address field (storing the source address), the destination address field (storing the destination address), the destination port field (storing the port) and the parameter field (storing user-defined parameters). Fields are separated by spaces and no space occurs within a field; the last field, the parameter field, is an optional addition used when needed. The access control list may be saved in, but is not limited to, TXT format, WORD format or any other file format.
The conversion module 302 converts the content of each extracted parameter field into the corresponding data object. Specifically, the content of each parameter field is extracted and converted into a source address data object, a destination address data object, a network protocol data object, a port group data object and a custom-parameter data object.
The comparison module 303 compares the converted data objects with the data in the configuration file of the firewall device and generates the firewall policy. In one embodiment of the present invention, the source address data object is compared with the source addresses in the configuration file of the firewall device, the destination address data object with the destination addresses in the configuration file, the network protocol data object with the network protocol numbers in the configuration file, the port group data object with the port numbers in the configuration file, and the custom-parameter data object with the rule numbers and firewall policy numbers in the configuration file. Note that because different vendors' firewall devices use different format specifications and patterns for address groups (source address, destination address, etc.) and port groups (port numbers, etc.), a naive comparison is inefficient. Therefore, in one embodiment of the present invention, when the address group data object (or port group data object) is compared with the configuration file of the firewall device, the corresponding data in both the data object and the configuration file is first converted into a specific format.
Further, since the network protocol, rule number and policy number are relatively fixed and change little, they can be compared directly: the network protocol, rule number and policy number in the access control list are compared directly with the corresponding data in the configuration file of the firewall device.
Further, comparing firewall policy numbers requires reading the configuration file on the firewall device. Because vendors define policy numbers differently, no unified solution exists and the firewall policy number must be handled per vendor. For example, Juniper adds a policy set in the form of a rule, such as set security policies from-zone Trust to-zone DMZ policy XXX match source-address 10.0.0.0/8, with a sequence number; Huawei firewall devices add the firewall policy number with policy XXX; and H3C adds it with acl number XXX. Further, when generating the policy number it should be noted that the number may be determined by auto-increment or, where necessary, by counting line numbers in the work order document, so that the generated firewall policy execution instruction is correct and usable.
In addition, some vendors' devices require the direction of the firewall policy to be judged, which needs the zone definitions to be read from the device configuration for further judgement. For such devices a template must be defined independently, and the user must specify the template number before the judgement can proceed. For example, Juniper devices indicate the direction with from-zone XXX to-zone XXX, and the zone content must be customized in advance before the work order can be judged accurately.
The calling module 304 calls the firewall command flow in the firewall device. Specifically, the firewall device of each vendor is provided with a corresponding firewall command flow, which can be called in advance from the firewall device.
The generation module 305 generates the firewall policy execution instruction according to the firewall command flow in the firewall device and the firewall policy, in order to complete the deployment of the firewall policy. Specifically, the firewall device of each vendor is provided with a corresponding firewall command flow; executing that command flow with the corresponding firewall policy as input generates the corresponding firewall policy execution instruction, which is executed to deploy the firewall policy.
Note that writing the firewall policy execution instruction involves a large number of five-tuples and calls to address groups and port groups, of which the judgement of address groups and port groups is the hardest. Because different vendors specify address groups and port groups in different formats and patterns, a naive comparison is very inefficient. The present invention matches address groups and port groups with a general matching algorithm, which improves matching efficiency while also taking accuracy into account.
In addition, the comparison module 303 further comprises an extraction submodule 3030, a conversion submodule 3031, a sorting submodule 3032, a merging submodule 3033, a judging submodule 3034, a creation submodule 3035 and an output submodule 3036.
For the case where an address group (or the port group data object) is compared with the configuration file of the firewall device:
The extraction submodule 3030 extracts the first address group from the access control list. In one embodiment of the present invention the destination address group is taken as the example. Specifically, the destination address group extracted from the access control list is: 10.33.208.0/24, 10.33.208.231, 10.33.208.232.
The conversion submodule 3031 converts each address in the extracted first address group into wildcard-mask form. Specifically, 10.33.208.0/24, 10.33.208.231 and 10.33.208.232 are converted into the three first wildcard masks 10.33.208.0.0.0.0.255, 10.33.208.231.0 and 10.33.208.232.0.
The sorting submodule 3032 performs format processing on each wildcard-mask address in the first address group and sorts the processed addresses. Specifically, only the digits of each first wildcard mask are retained (periods, commas, spaces and any other characters are dropped) and the results are sorted. For example, the three first wildcard masks become 10332080000255, 10332082310 and 10332082320 after retaining the digits, and 10332082310, 10332082320 and 10332080000255 after sorting.
The merging submodule 3033 concatenates the sorted addresses of the first address group into the first character string. Specifically, 10332082310, 10332082320 and 10332080000255 are concatenated into 103320823101033208232010332080000255. In other words, step S103 concatenates the character strings of several network segments into a single character string.
The extraction submodule 3030 is further used to extract the second address group from the configuration file of the firewall device.
The conversion submodule 3031 is further used to convert each address in the second address group extracted from the configuration file into the second wildcard-mask form.
The sorting submodule 3032 is further used to perform format processing on each wildcard-mask address in the second address group and sort the processed addresses.
The merging submodule 3033 is further used to concatenate the sorted second wildcard masks into the second character string.
Note that the second character string is produced by exactly the same technical steps as the first character string.
The judging submodule 3034 judges whether the first character string is identical with the second character string. When they differ, it judges whether the second character strings of all second address groups in the configuration file have been compared with the first character string. When they are equal, the flow proceeds to step S111. The first character string is identical with the second when the two have the same length and agree character by character.
The extraction submodule 3030 is further used to extract the next second address group from the configuration file when some second address group's second character string has not yet been compared with the first character string.
The creation submodule 3035 creates a new address group from the first address group when the second character strings of all second address groups in the configuration file have been compared with the first character string and none of them equals it. The newly created address group is the address group in the firewall policy.
The output submodule 3036 outputs the address group corresponding to the first character string for use in a firewall policy when the first character string equals the second character string.
Note that comparing arrays requires comparing the elements one by one, and the computing cost rises steeply with the number of elements. Specifically, the usual practice for comparing address groups is to (1) compute the size and range of each address segment and (2) confirm the segment information by comparison. As the number of address groups, or of elements within a group, grows, this produces a large amount of computation and hurts efficiency. The technical solution of Fig. 5 instead compares single character strings, so the time cost is greatly reduced; and because the elements are sorted once before the string comparison, misjudgement caused by element order is also avoided.
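The address group canonicalization and comparison of steps S101 to S111 and of submodules 3030 to 3036 above, as an added example in Python that is not part of the patent. The ACL group and the device address sets (DEVICE_ADDRESS_SETS with the entries DMZ_WEB and MGMT) are constructed here, and the function names are this example's own. It reproduces the patent's digit-only key (10.33.208.0/24 becomes 10332080000255) and its numeric sort order, and adds a lossless option because the digit-only form is ambiguous: two different addresses can strip to the same digit string, which the digit-only comparison then reports as equal.

```python
import ipaddress

# Constructed sample inputs (not taken from the patent): the destination address
# group of an ACL work order, and a hypothetical device configuration holding two
# named address sets. DMZ_WEB lists the same members in a different order on
# purpose, to show that the sort makes the comparison order-insensitive.
ACL_DEST_GROUP = ["10.33.208.0/24", "10.33.208.231", "10.33.208.232"]
DEVICE_ADDRESS_SETS = {
    "DMZ_WEB": ["10.33.208.231", "10.33.208.0/24", "10.33.208.232"],
    "MGMT": ["10.1.1.1", "10.1.1.2"],
}


def to_wildcard_form(entry: str) -> str:
    """Steps S101/S105: rewrite one address as address followed by wildcard mask.

    A prefix becomes '<network>.<wildcard>' (10.33.208.0/24 -> 10.33.208.0.0.0.0.255);
    a bare host gets the single wildcard digit '0' (10.33.208.231 -> 10.33.208.231.0),
    which reproduces the worked values shown in the patent.
    """
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        return f"{net.network_address}.{net.hostmask}"
    return f"{ipaddress.ip_address(entry)}.0"


def digits_only(form: str) -> str:
    """Steps S102/S106 format processing: keep the decimal digits, drop everything else."""
    return "".join(ch for ch in form if ch.isdigit())


def canonical_string(group, lossless: bool = False) -> str:
    """Steps S101-S103 for the ACL side and S105-S107 for the device side.

    Addresses are converted, sorted by the numeric value of their digit string
    (the order the patent shows: 10332082310, 10332082320, 10332080000255) and
    concatenated. lossless=True is an addition of this example: it keeps the
    dots so that no two distinct addresses can collapse to the same key.
    """
    forms = sorted((to_wildcard_form(a) for a in group),
                   key=lambda f: (int(digits_only(f)), f))
    if lossless:
        return ",".join(forms)
    return "".join(digits_only(f) for f in forms)


def match_address_group(acl_group, device_sets, lossless: bool = False):
    """Steps S104-S111: compare the ACL group with every address set in the
    device configuration. Returns the name of the matching set, or None when
    nothing matched and a new group has to be created (step S110)."""
    first = canonical_string(acl_group, lossless)
    for name, members in device_sets.items():
        if canonical_string(members, lossless) == first:
            return name
    return None


if __name__ == "__main__":
    print(canonical_string(ACL_DEST_GROUP))
    print(match_address_group(ACL_DEST_GROUP, DEVICE_ADDRESS_SETS))
```

canonical_string(ACL_DEST_GROUP) yields the patent's 103320823101033208232010332080000255 and the ACL group is matched to DMZ_WEB despite the different member order. The lossless form keeps the dots as separators and is the variant to use in practice: under the digit-only rule, 1.23.4.5 and 12.3.4.5 both reduce to 123450, so a work order could be matched to the wrong existing object and the policy would then reference an address set that does not contain the intended hosts.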
For the case where a port group is compared with the configuration file of the firewall device:
The extraction submodule 3030 extracts the first port group from the access control list. Specifically, the first port group tcp_22,23,80-88 is extracted from the port field of the access control list.
The conversion submodule 3031 converts the extracted first port group into the first array. Specifically, the first array has the form of the tcp or udp prefix followed by port numbers or port ranges. For example, if the first port group is tcp_22,23,80-88, the corresponding first array is tcp 22 23 80-88 (commas removed, elements separated by spaces).
The extraction submodule 3030 is further used to extract a second port group from the configuration file of the firewall device.
The conversion submodule 3031 is further used to convert the second port group extracted from the configuration file into a second array in the same format as the first array.
Note that the second array is produced by exactly the same technical steps as the first array.
The judging submodule 3034 judges whether the first array and the second array have equal length, whether the elements of the first array are identical with those of the second array, and whether the second arrays of all second port groups in the configuration file have been compared with the first array.
If the lengths of the first and second arrays are unequal and/or their elements differ, it judges whether the second arrays of all second port groups in the configuration file have been compared with the first array.
The creation submodule 3035 creates a new port group from the first port group when the length of the first array differs from that of the second arrays of all second port groups in the configuration file of the firewall device, and/or the elements of the first array differ from those of all such second arrays. The newly created port group is a port group in the firewall policy.
The output submodule 3036 outputs the first port group corresponding to the first array to form a firewall policy when the elements of the first array are identical with those of the second array.
Note that because port groups use a special notation for port ranges, the address group approach of turning every element into digits before comparing cannot be used. The existing technique compares the two arrays directly by computation, but when a device holds a large number of port groups, comparing them one by one wastes a great deal of time. To improve efficiency, the general matching algorithm described above first compares the lengths of the two arrays and only performs the exact element comparison when the lengths agree, which greatly improves operating efficiency.
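The port group array comparison of steps S200 to S208 and of the submodule description above, as an added Python example that is not part of the patent. DEVICE_PORT_GROUPS and its entries are constructed, and the example assumes the device-side port groups have already been extracted into the same proto_ports notation as the work order; the function names are this example's own. Sorting the port tokens is an addition, in line with the vendor notes above that element order must not affect the judgement of an object group.

```python
# Constructed sample input (not from the patent): port groups already extracted
# from a hypothetical device configuration, keyed by object name and written in
# the same 'proto_ports' notation as the ACL work order.
DEVICE_PORT_GROUPS = {
    "tcp_111-1111": "tcp_111-1111",
    "WEB_ADMIN": "tcp_80-88,23,22",
    "DNS": "udp_53",
}


def _port_key(token: str) -> int:
    """Sort key for one port token: the first number of '22' or '80-88'.
    Raises ValueError for a token that is not numeric."""
    return int(token.split("-", 1)[0])


def port_group_to_array(spec: str) -> list:
    """Steps S201/S203: 'tcp_22,23,80-88' -> ['tcp', '22', '23', '80-88'].

    The protocol prefix becomes the first element, commas are dropped and a
    range such as 80-88 stays one token, as in the patent's example. Sorting
    the port tokens (an addition) makes element order irrelevant.
    """
    proto, sep, ports = spec.strip().partition("_")
    proto = proto.lower()
    if not sep or proto not in ("tcp", "udp") or not ports:
        raise ValueError(f"unrecognised port group: {spec!r}")
    tokens = [p.strip() for p in ports.split(",") if p.strip()]
    for t in tokens:
        _port_key(t)
    return [proto] + sorted(tokens, key=_port_key)


def arrays_equal(first: list, second: list) -> bool:
    """Steps S204/S205: compare lengths first (cheap), then element by element."""
    if len(first) != len(second):
        return False
    return all(a == b for a, b in zip(first, second))


def match_port_group(acl_spec: str, device_groups: dict):
    """Steps S200-S208: return the name of the device port group whose array
    equals the ACL's, or None when a new port group must be created (S207)."""
    first = port_group_to_array(acl_spec)
    for name, spec in device_groups.items():
        if arrays_equal(first, port_group_to_array(spec)):
            return name
    return None


if __name__ == "__main__":
    print(port_group_to_array("tcp_22,23,80-88"))
    print(match_port_group("tcp_22,23,80-88", DEVICE_PORT_GROUPS))
```

arrays_equal rejects arrays of different length before touching any element, which is the shortcut the patent describes. Because a range stays a single token, tcp_80-81,82-88 is not recognised as equal to tcp_80-88 and a new, redundant object would be created; a practitioner relying on this check should normalise range notation on both sides before comparing.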
In addition, the firewall policy generation method described with reference to Fig. 1 in the embodiment of the present invention can be implemented by a firewall policy generation device. Fig. 3 shows the hardware architecture of the firewall policy generation device provided by an embodiment of the present invention.
The firewall policy generation device may include a processor 401 and a memory 402 storing computer program instructions.
Specifically, the processor 401 may include a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention.
The memory 402 may include mass storage for data or instructions. By reading and executing the computer program instructions stored in the memory 402, the processor 401 implements any of the firewall policy generation methods in the above embodiments. In one example, the firewall policy generation device may also include a communication interface 403 and a bus 410. As shown in Fig. 4, the processor 401, memory 402 and communication interface 403 are connected by the bus 410 and communicate with each other through it. The communication interface 403 is mainly used to realize communication between the modules, apparatuses, units and/or devices in the embodiment of the present invention. The bus 410 includes hardware, software or both, and couples the components of the firewall policy generation device to each other.
In addition, in combination with the firewall policy generation method in the above embodiments, the embodiment of the present invention can be implemented by providing a computer-readable storage medium. Computer program instructions are stored on the computer-readable storage medium; when executed by a processor, these instructions implement any of the firewall policy generation methods in the above embodiments.
The above is only a specific embodiment of the present invention. It is apparent to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, modules and units described above may be referred to the corresponding processes in the foregoing method embodiments and are not repeated here. It should be understood that the protection scope of the present invention is not limited thereto; any equivalent modification or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention.
Claims (10)
- 1. A firewall policy generation method, characterized in that the method comprises:
  (1) extracting a first address group from an access control list;
  (2) converting each address in the extracted first address group to wildcard-mask form;
  (3) applying format processing to each wildcard-mask-form address in the first address group and sorting the formatted addresses;
  (4) merging the sorted addresses of the first address group into a first character string;
  (5) extracting a second address group from the configuration file of the firewall device;
  (6) converting each address in the second address group extracted from the configuration file to a second wildcard-mask form;
  (7) applying format processing to each wildcard-mask-form address in the second address group and sorting the formatted addresses;
  (8) merging the sorted addresses of the second address group into a second character string;
  (9) comparing whether the first character string and the second character string are equal;
  (10) when the first character string and the second character string are not equal, repeating steps (5) to (9) so that the first address group is compared with every second address group in the configuration file of the firewall device;
  (11) when the first character string is unequal to the second character strings corresponding to all second address groups in the configuration file of the firewall device, creating a new address group from the first address group;
  (12) when the first character string is equal to the second character string, outputting the first address group corresponding to the first character string.
- 2. The method according to claim 1, characterized in that the format processing applied to each wildcard-mask-form address in the first address group is performed in a digit-retaining manner.
- 3. The method according to claim 1, characterized in that the first character string being identical to the second character string means that the first character string and the second character string have the same length and that each character of the first character string is identical to the corresponding character of the second character string.
- 4. The method according to claim 1, characterized in that the method further comprises:
  (1) extracting a first port group from the access control list;
  (2) converting the extracted first port group into a first array;
  (3) extracting a second port group from the configuration file of the firewall device;
  (4) converting the second port group extracted from the configuration file into a second array having the same format as the first array;
  (5) judging whether the length of the first array is equal to the length of the second array;
  (6) when the length of the first array and the length of the second array are equal, judging whether the elements of the first array are identical to the elements of the second array;
  (7) when the length of the first array and the length of the second array are unequal and/or the elements of the first array differ from the elements of the second array, repeating steps (3) to (6) so that the first port group is compared with all second port groups in the configuration file of the firewall device;
  (8) when the elements of the first array are identical to the elements of the second array, outputting the first port group corresponding to the first array;
  (9) when the length of the first array is unequal to the lengths of the second arrays corresponding to all second port groups in the configuration file of the firewall device, or the elements of the first array differ from the elements of the second arrays corresponding to all second port groups in the configuration file of the firewall device, creating a new port group from the first port group.
- 5. The method according to claim 4, characterized in that the first array being identical to the elements of the second array means that each character of the first array is identical to the corresponding character of the second array.
- 6. The method according to claim 4, characterized in that the format of the first array and of the second array is a tcp or udp address plus a port number or a port number range.
- 7. The method according to claim 1, characterized in that the method further comprises: invoking the firewall command flow in the firewall device and executing firewall policy generation instructions based on the firewall policy, so as to complete deployment of the firewall policy in the firewall device.
- 8. A firewall policy generation apparatus, characterized in that the apparatus comprises:
  an extraction submodule for extracting a first address group from an access control list;
  a conversion submodule for converting each address in the extracted first address group to wildcard-mask form;
  a sorting submodule for applying format processing to each wildcard-mask-form address in the first address group and sorting the formatted addresses;
  a merging submodule for merging the sorted addresses of the first address group into a first character string;
  the extraction submodule being further configured to extract a second address group from the configuration file of the firewall device;
  the conversion submodule being further configured to convert each address in the second address group extracted from the configuration file to a second wildcard-mask form;
  the sorting submodule being further configured to apply format processing to each wildcard-mask-form address in the second address group and to sort the formatted addresses;
  the merging submodule being further configured to merge the sorted addresses of the second address group into a second character string;
  a judging submodule for comparing whether the first character string and the second character string are equal, and for judging whether the first address group has been compared with all second address groups in the configuration file of the firewall device;
  a creation submodule for creating a new address group from the first address group when the first character string is unequal to the second character strings corresponding to all second address groups in the configuration file of the firewall device;
  an output submodule for outputting, when the first character string is equal to the second character string, the first address group corresponding to the first character string.
- 9. A firewall policy generation device, characterized in that it comprises at least one processor, at least one memory, and computer program instructions stored in the memory, wherein the method according to any one of claims 1 to 8 is implemented when the computer program instructions are executed by the processor.
- 10. A computer-readable storage medium having computer program instructions stored thereon, characterized in that the method according to any one of claims 1 to 8 is implemented when the computer program instructions are executed by a processor.
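The following Python sketch is an added example, not code from the patent, of the matching procedure in claims 1 and 4: an ACL address group is converted to wildcard-mask form, formatted, sorted and merged into one comparison string, then compared against the address groups already present in a firewall configuration, and port groups are compared as sorted arrays. The digit-retaining format processing of claim 2 is taken here to mean zero-padding each octet to three digits (an assumption), and the group names and sample entries are constructed.

```python
import ipaddress

def to_wildcard(entry):
    # Normalize host / CIDR / 'network netmask' to 'network wildcard' form
    if " " in entry:
        network, netmask = entry.split()
        entry = f"{network}/{netmask}"
    net = ipaddress.ip_network(entry, strict=False)
    return f"{net.network_address} {net.hostmask}"  # hostmask == inverted subnet mask

def pad_octets(wildcard_entry):
    # Format processing (assumed reading of claim 2): zero-pad octets to three digits
    return " ".join(".".join(f"{int(o):03d}" for o in part.split("."))
                    for part in wildcard_entry.split())

def address_group_key(addresses):
    # Steps (2)-(4): convert, format, sort, then merge into one comparison string
    return ",".join(sorted(pad_octets(to_wildcard(a)) for a in addresses))

def port_group_key(ports):
    # Claim 4: 'tcp 80' / 'udp 5000-5010' -> sorted array of (protocol, low, high)
    rows = []
    for p in ports:
        proto, rng = p.split()
        low, _, high = rng.partition("-")
        rows.append((proto.lower(), int(low), int(high or low)))
    return tuple(sorted(rows))

def match_or_create(key, existing, prefix):
    # Steps (9)-(12): compare the ACL key with every configured group; create only
    # when none is equal. Returns (group_name, created).
    for name, configured_key in existing.items():
        if configured_key == key:  # exact equality, as in claims 3 and 5
            return name, False
    name = f"{prefix}_{len(existing) + 1}"  # constructed naming scheme
    existing[name] = key
    return name, True

def resolve_acl_groups():
    # Constructed sample of groups already present in the firewall configuration
    addr_groups = {"ADDR_WEB": address_group_key(["192.168.10.5", "10.1.2.0 255.255.255.0"])}
    port_groups = {"PORT_HTTP": port_group_key(["tcp 80", "tcp 443"])}
    # Different notation and order in the ACL still resolve to the existing groups
    a1 = match_or_create(address_group_key(["10.1.2.0/24", "192.168.10.5"]), addr_groups, "ADDR")
    p1 = match_or_create(port_group_key(["tcp 443", "tcp 80"]), port_groups, "PORT")
    # Nothing configured matches these, so new groups are created
    a2 = match_or_create(address_group_key(["172.16.0.0/16"]), addr_groups, "ADDR")
    p2 = match_or_create(port_group_key(["udp 53"]), port_groups, "PORT")
    return a1, p1, a2, p2
```

Because comparison is exact after canonicalization, a reused group is only reported when the ACL group and the configured group cover the same set of entries; a superset or subset is treated as a different group and triggers creation.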
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711495427.3A CN107948205B (en) | 2017-12-31 | 2017-12-31 | Firewall strategy generation method, device, equipment and medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107948205A true CN107948205A (en) | 2018-04-20 |
CN107948205B CN107948205B (en) | 2020-10-27 |
Family
ID=61938258
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711495427.3A Active CN107948205B (en) | 2017-12-31 | 2017-12-31 | Firewall strategy generation method, device, equipment and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107948205B (en) |
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2012051868A1 (en) * | 2010-10-20 | 2012-04-26 | 中兴通讯股份有限公司 | Firewall policy distribution method, client, access server and system |
CN104717182A (en) * | 2013-12-12 | 2015-06-17 | 华为技术有限公司 | Security policy deployment method and device for network firewall |
CN105704093A (en) * | 2014-11-25 | 2016-06-22 | 中国移动通信集团设计院有限公司 | Firewall access control strategy debugging method, device and system |
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109040089A (en) * | 2018-08-15 | 2018-12-18 | 深圳前海微众银行股份有限公司 | Network strategy auditing method, equipment and computer readable storage medium |
CN109040089B (en) * | 2018-08-15 | 2021-06-08 | 深圳前海微众银行股份有限公司 | Network policy auditing method, equipment and computer readable storage medium |
CN109088886A (en) * | 2018-09-29 | 2018-12-25 | 郑州云海信息技术有限公司 | The management method and device of monitoring strategies on firewall |
CN109361711B (en) * | 2018-12-14 | 2021-10-29 | 泰康保险集团股份有限公司 | Firewall configuration method and device, electronic equipment and computer readable medium |
CN109361711A (en) * | 2018-12-14 | 2019-02-19 | 泰康保险集团股份有限公司 | Firewall configuration method, apparatus, electronic equipment and computer-readable medium |
CN109547502A (en) * | 2019-01-22 | 2019-03-29 | 成都亚信网络安全产业技术研究院有限公司 | Firewall ACL management method and device |
CN111163061A (en) * | 2019-12-11 | 2020-05-15 | 中盈优创资讯科技有限公司 | Method and device for analyzing policy information of gateway equipment |
CN111711635A (en) * | 2020-06-23 | 2020-09-25 | 平安银行股份有限公司 | Firewall opening method and device, computer equipment and storage medium |
CN111711635B (en) * | 2020-06-23 | 2024-03-26 | 平安银行股份有限公司 | Firewall wall opening method and device, computer equipment and storage medium |
CN112383507A (en) * | 2020-10-16 | 2021-02-19 | 深圳力维智联技术有限公司 | Firewall policy management method, device and system and computer readable storage medium |
CN112738114A (en) * | 2020-12-31 | 2021-04-30 | 四川新网银行股份有限公司 | Configuration method of network security policy |
CN112968896A (en) * | 2021-02-24 | 2021-06-15 | 深圳天元云科技有限公司 | Vector compression-based firewall policy filtering method, system, terminal and storage medium |
CN112968896B (en) * | 2021-02-24 | 2022-06-24 | 深圳天元云科技有限公司 | Vector compression-based firewall policy filtering method, system, terminal and storage medium |
CN113329022A (en) * | 2021-05-31 | 2021-08-31 | 北京天融信网络安全技术有限公司 | Information processing method of virtual firewall and electronic equipment |
CN113329022B (en) * | 2021-05-31 | 2022-08-05 | 北京天融信网络安全技术有限公司 | Information processing method of virtual firewall and electronic equipment |
Also Published As
Publication number | Publication date |
---|---|
CN107948205B (en) | 2020-10-27 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||