CN108092979A - A kind of firewall policy processing method and processing device - Google Patents
- Publication number
- CN108092979A CN201711382103.9A
- Authority
- CN
- China
- Prior art keywords
- security domain
- target
- information
- firewall policy
- operational order
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a firewall policy processing method and device in which the correspondence between the network security domain topology and the corresponding firewall policies is created in advance. After the operation instruction for a firewall policy entered by the user and the corresponding target policy information are obtained, the security domain related information associated with the target policy information is looked up in that correspondence. Then, according to the security domain related information corresponding to the target policy information, it is determined whether to execute the operation instruction; if so, the operation instruction and the target firewall policy corresponding to the target policy information are sent to the target firewall, which executes the operation instruction. With this method, the security domain path and security domain asset information associated with the target policy information can be determined precisely, without manually inspecting the network topology to find the security domains involved in a firewall policy. This improves the efficiency of firewall policy management and reduces the error rate when configuring firewall policies.
Description
Technical field
The invention belongs to the field of network security, and in particular relates to a firewall policy processing method and device.
Background
A firewall is a protective barrier, built from a combination of software and hardware devices, on the interface between an internal network and an external network, or between a private network and a public network, that protects the internal network from intrusion by unauthorized users. A firewall is a combination of software and hardware placed between a computer and the network it is connected to; all network traffic packets flowing into and out of the computer must pass through the firewall's filtering.
Firewall policy management means adding, changing, viewing and deleting firewall policies. Traditional firewall policy management is mostly manual: operations and maintenance personnel (or security administrators) formulate firewall policies according to actual network requirements, inspect the network topology based on personal experience, and look up the security domains involved in a firewall policy (where one set of firewall policies corresponds to one security domain). They then process the firewall policy accordingly, and the effect of the policy once it takes effect is difficult to predict. In this approach, reviewing and maintaining firewall policies relies on manual operation, which makes configuring and managing firewall policies inefficient and error-prone.
Summary of the invention
In view of this, an object of the invention is to provide a firewall policy processing method and device to solve the technical problems of low efficiency and high error rate when configuring and managing firewall policies. To solve these problems, the application provides the following technical solutions:
In a first aspect, the application provides a firewall policy processing method, including:
obtaining an operation instruction for the current network and the corresponding target policy information;
looking up, in the pre-created matching result between the security domain related information of the current network and the corresponding firewall policies, the security domain related information associated with the target policy information, where the security domain related information includes the security domain path corresponding to the target policy information, or the security domain path and the corresponding security domain asset information;
determining, according to the security domain related information corresponding to the target policy information, whether to execute the operation instruction;
when it is determined to execute the operation instruction, sending the operation instruction and the target firewall policy corresponding to the target policy information to the target firewall, so that the target firewall executes the operation instruction.
Optionally, the method further includes:
obtaining the security domain topology, security domain asset information and firewall policies corresponding to each security domain in the current network;
converting the firewall policies into firewall policies in a preset format, and storing the firewall policies in the preset format;
determining, according to the security domain topology, the firewall policies in the preset format corresponding to each security domain, to obtain the matching result between the security domain topology and the firewall policies in the preset format.
Optionally, obtaining the operation instruction for the current network and the corresponding target policy information includes:
receiving an operation instruction that operates on the firewall policies of the current network;
when the operation type of the operation instruction is view, delete or change, obtaining a source IP address and a destination IP address, and finding, among the pre-stored firewall policies in the preset format for the current network, the target policy information in the preset format corresponding to the source IP address and the destination IP address;
when the operation type of the operation instruction is add, obtaining the entered firewall policy in the preset format as the target policy information.
Optionally, if the operation type of the operation instruction is delete, determining whether to execute the operation instruction according to the security domain related information corresponding to the target policy information includes:
determining, according to the security domain path and security domain asset information corresponding to the target policy information, the security domains and corresponding security domain asset information affected by deleting the target policy information;
displaying the security domains and security domain asset information affected by deleting the target policy information, so that the operator can confirm whether to execute the operation instruction;
receiving the instruction execution result entered by the operator, where the instruction execution result is either to execute the operation instruction or not to execute the operation instruction.
Optionally, if the operation type of the operation instruction is add or change, determining whether to execute the operation instruction according to the security domain related information corresponding to the target policy information includes:
obtaining, according to the security domain related information associated with the target policy information, the target security domain associated with the target policy information;
obtaining all firewall policies corresponding to the target security domain;
determining, according to all firewall policies corresponding to the target security domain, whether the target policy information is a redundant policy or a conflicting policy;
when the target policy information is neither a redundant policy nor a conflicting policy, determining that the target policy information can be executed.
Optionally, sending the operation instruction and the target firewall policy corresponding to the target policy information to the target firewall includes:
obtaining, according to the security domain related information associated with the target policy information, the firewall policy template corresponding to the target policy information;
converting the target policy information into a target firewall policy that matches the firewall policy template;
sending the target firewall policy and the operation instruction to the target firewall corresponding to the current network.
In a second aspect, the application provides a firewall policy processing device, including:
a first acquisition module, for obtaining an operation instruction for the current network and the corresponding target policy information;
a lookup module, for looking up, in the pre-created matching result between the security domain related information of the current network and the corresponding firewall policies, the security domain related information associated with the target policy information, where the security domain related information includes the security domain path corresponding to the target policy information, or the security domain path and the corresponding security domain asset information;
a determining module, for determining, according to the security domain related information corresponding to the target policy information, whether to execute the operation instruction;
a sending module, for sending, when it is determined to execute the operation instruction, the operation instruction and the target firewall policy corresponding to the target policy information to the target firewall, so that the target firewall executes the operation instruction.
Optionally, the device further includes:
a second acquisition module, for obtaining the security domain topology, security domain asset information and firewall policies corresponding to each security domain in the current network;
a format conversion module, for converting the firewall policies into firewall policies in a preset format, and storing the firewall policies in the preset format;
a security domain and policy matching module, for determining, according to the security domain topology, the firewall policies in the preset format corresponding to each security domain, to obtain the matching result between the security domain topology and the firewall policies in the preset format.
Optionally, the sending module includes:
a first acquisition submodule, for obtaining, according to the security domain related information associated with the target policy information, the firewall policy template corresponding to the target policy information;
a format conversion submodule, for converting the target policy information into a target firewall policy that matches the firewall policy template;
a sending submodule, for sending the target firewall policy and the operation instruction to the target firewall corresponding to the current network.
Optionally, if the operation type of the operation instruction is add or change, the determining module includes:
a second acquisition submodule, for obtaining, according to the security domain related information associated with the target policy information, the target security domain associated with the target policy information;
a third acquisition submodule, for obtaining all firewall policies corresponding to the target security domain;
a judging submodule, for determining, according to all firewall policies corresponding to the target security domain, whether the target policy information is a redundant policy or a conflicting policy;
a determination submodule, for determining that the target policy information can be executed when the target policy information is not a redundant policy or a conflicting policy.
The firewall policy processing method provided in this embodiment creates in advance the correspondence between the network security domain topology and the corresponding firewall policies. After the operation instruction for a firewall policy entered by the user and the corresponding target policy information are obtained, the security domain related information associated with the target policy information is looked up in that correspondence. Then, according to the security domain related information corresponding to the target policy information, it is determined whether to execute the operation instruction; if so, the operation instruction and the target firewall policy corresponding to the target policy information are sent to the target firewall, which executes the operation instruction. With this method, the security domain path and security domain asset information associated with the target policy information can be determined precisely, without manually inspecting the network topology to find the security domains involved in a firewall policy, which improves the efficiency of firewall policy management and reduces the error rate when configuring firewall policies. Moreover, auditing the firewall policies further improves the accuracy of firewall configuration and management.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a functional block diagram of a firewall processing system according to an embodiment of the application;
Fig. 2 is a flowchart of a firewall policy processing method according to an embodiment of the application;
Fig. 3 is a flowchart of another firewall policy processing method according to an embodiment of the application;
Fig. 4 is a block diagram of a firewall policy processing device according to an embodiment of the application.
Detailed description
Before the embodiments of the present invention are described in detail, the terms used in the invention are introduced:
Firewall policy: the filtering rules of a firewall, which determine the security and usability of the protected network. Each firewall policy usually consists of a five-tuple and an action. The five-tuple comprises protocol, source IP address, source port, destination IP address and destination port. The action takes the value accept or deny: accept means that packets matching the policy are allowed through, and deny means that packets matching the policy are blocked.
Security domain: a network or system within the same environment whose members have the same security protection requirements, trust each other, and share the same security access control policy.
Redundant policy: for any firewall policy, if a policy with exactly the same five-tuple and action exists before it, the firewall policy is a redundant policy.
Conflicting policy: for any two firewall policies, if their five-tuples are identical but their actions are opposite, the two policies conflict and are called conflicting policies.
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the invention.
Referring to Fig. 1, which shows a functional block diagram of a firewall processing system according to an embodiment of the application, the firewall processing system includes: policy formatting module 11, security domain and policy matching module 12, security domain storage module 13, policy storage module 14, policy editing module 15, security domain association analysis module 16, policy audit decision module 17, policy restoration module 18 and policy issuing module 19.
Policy formatting module 11, for converting the firewall policies in the current network, which use different firewall policy templates, into firewall policies in a preset format, and storing the firewall policies in the preset format in policy storage module 14.
In practice, different firewall vendors may use different firewall policy templates, that is, the format of their firewall policies may differ. To manage firewall policies centrally, firewall policies in different formats must therefore be converted into a unified format.
In addition to the firewall policies in the preset format for the current network, policy storage module 14 also stores the firewall policies as they were before format conversion and the firewall policy templates involved in the current network.
Security domain storage module 13, for storing the security domain related information of the current network. The security domain related information includes the security domain topology, security domain asset information and so on, where the security domain asset information includes information on the firewalls, switches, servers and other assets in the security domain.
Security domain and policy matching module 12, for determining, according to the security domain topology, the firewall policies in the preset format corresponding to each security domain, obtaining the matching result between the security domain topology and the firewall policies in the preset format, and storing the matching result in the security domain storage module.
Policy editing module 15, for receiving the policy related information and the corresponding operation instruction entered by the user, and obtaining the target policy information from the policy related information.
Security domain association analysis module 16, for looking up in the security domain storage module, according to the target policy information and operation instruction output by the policy editing module, the security domain path and security domain asset information associated with the target policy information, and passing them to policy audit decision module 17.
Policy audit decision module 17, for auditing the target policy information according to the security domain path and security domain asset information associated with it, so that the user can make the final decision based on the audit result.
Policy restoration module 18, for determining, according to the security domains and security domain path associated with the target policy information, the firewall policy template associated with the target policy information, and then converting the firewall policy in the preset format into the format that matches the corresponding firewall policy template.
Earlier, the policy formatting module unified the format of the firewall policies. Therefore, before a firewall policy is issued to a firewall, the policy in the unified format must be restored to a format that the firewall can recognize.
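The round trip between vendor formats and the unified format, as an added example that is not from the patent: the two vendor templates and their action words are hypothetical, invented for illustration, and are not real product syntax. It also re-parses each restored rule before issuing, so a policy that would not survive restoration unchanged is rejected.

```python
import re

FIELDS = ("protocol", "src_ip", "src_port", "dst_ip", "dst_port", "action")

# Hypothetical vendor templates (constructed, not real product syntax). Each
# has a rule layout and its own words for the unified actions accept/deny.
TEMPLATES = {
    "vendor_a": {
        "layout": "rule {action} {protocol} src {src_ip} sport {src_port} "
                  "dst {dst_ip} dport {dst_port}",
        "actions": {"accept": "permit", "deny": "drop"},
    },
    "vendor_b": {
        "layout": "{protocol}:{src_ip}/{src_port}->{dst_ip}/{dst_port}={action}",
        "actions": {"accept": "ALLOW", "deny": "BLOCK"},
    },
}


def _layout_regex(layout):
    """Turn a layout into an anchored regex with one named group per field."""
    pattern = re.escape(layout)
    for field in FIELDS:
        pattern = pattern.replace(re.escape("{" + field + "}"),
                                  f"(?P<{field}>\\S+?)")
    return re.compile("^" + pattern + "$")


def normalize(vendor, line):
    """Vendor rule text -> unified policy dict (the 'preset format')."""
    tpl = TEMPLATES[vendor]
    match = _layout_regex(tpl["layout"]).match(line.strip())
    if not match:
        raise ValueError(f"line does not fit the {vendor} template: {line!r}")
    policy = match.groupdict()
    unified = {word: action for action, word in tpl["actions"].items()}
    if policy["action"] not in unified:
        raise ValueError(f"unknown {vendor} action: {policy['action']!r}")
    policy["action"] = unified[policy["action"]]
    return policy


def restore(vendor, policy):
    """Unified policy dict -> rule text in the target firewall's template."""
    tpl = TEMPLATES[vendor]
    fields = dict(policy, action=tpl["actions"][policy["action"]])
    return tpl["layout"].format(**fields)


def round_trips(vendor, policy):
    """True if the restored rule parses back to exactly the same policy."""
    try:
        return normalize(vendor, restore(vendor, policy)) == policy
    except (KeyError, ValueError):
        return False


def restore_checked(vendor, policy):
    """Restore for issuing, refusing any policy that does not round-trip."""
    if not round_trips(vendor, policy):
        raise ValueError(f"policy does not round-trip through {vendor}")
    return restore(vendor, policy)


if __name__ == "__main__":
    # Constructed sample rule in the hypothetical vendor_a syntax.
    rule = "rule permit tcp src 10.1.0.15 sport any dst 10.3.0.20 dport 3306"
    unified = normalize("vendor_a", rule)
    print(unified)
    print(restore_checked("vendor_b", unified))
```

A CIDR source such as `10.1.0.0/16` round-trips through the hypothetical `vendor_a` layout but not through `vendor_b`, whose `/` separator makes the restored text ambiguous; the check catches this before anything is issued.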
Policy issuing module 19, for sending the firewall policy and the operation instruction to the corresponding firewall according to the user's operation instruction.
Security domain storage module 13, policy storage module 14 and policy formatting module 11 are the modules involved in data preprocessing.
Referring to Fig. 2, which shows a flowchart of a firewall policy processing method according to an embodiment of the application, the method is applied to the firewall policy processing device shown in Fig. 1. As shown in Fig. 2, the method may include the following steps:
S110: obtain an operation instruction for the current network and the corresponding target policy information.
Policy editing module 15 is used to obtain the user's operation instruction for the firewall policies of the current network, where the operation instructions include: view policy, delete policy, change policy and add policy.
1) If the operation instruction is view policy, the user is prompted to enter a source IP address and a destination IP address. According to the source IP address and destination IP address entered by the user, the target policy information matching them is looked up in the policy storage module, and the target policy information and the "view policy" operation instruction are output and displayed to the user;
For example, an employee of a company needs to access a server on the company's internal network. The address of the terminal used by the employee is the source IP address (assume address A) and the address of the server is the destination IP address (assume address B); the firewall policies corresponding to the security domains traversed from address A to address B are looked up in the policy storage module.
2) If the operation instruction is delete policy, the source IP address and destination IP address entered by the user are obtained, the policy information in the preset format corresponding to the path from the source IP address to the destination IP address is found in the policy storage module, and it is sent as the target policy information, together with the "delete policy" operation instruction, to the security domain association analysis module;
3) If the operation instruction is change policy, the source IP address and destination IP address entered by the user are obtained, the policy information in the preset format corresponding to the path from the source IP address to the destination IP address is found in the policy storage module, and the user's changes to that policy information are received to obtain the target policy information; the target policy information and the "change policy" operation instruction are sent to the security domain association analysis module;
4) If the operation instruction is add policy, the user is prompted to enter policy information according to the preset format template; the policy information in the preset format entered by the user is taken as the target policy information, and the target policy information and the "add policy" operation instruction are sent to the security domain association analysis module.
S120: in the pre-created matching result between the security domain related information of the current network and the corresponding firewall policies, look up the security domain related information associated with the target policy information.
This step is performed by the security domain association analysis module, which receives the target policy information and operation instruction sent by the policy editing module and looks up the security domain related information associated with the target policy information in the security domain storage module.
The security domain related information includes the security domain path and security domain asset information; for example, the security domain asset information includes information on the firewalls, switches, servers and other assets in the security domain.
1) If the operation instruction is delete policy, the security domain storage module is searched according to the target policy information the user wants to delete, the security domain path and security domain asset information corresponding to the target policy information are determined, and the security domains and security domain asset information that would be affected by deleting the target policy information are displayed to the user, so that the user can confirm whether to delete the target policy information. If an operation by which the user confirms the deletion is detected, the flow goes directly to the policy restoration module; otherwise it returns to the policy editing module.
2) If the operation instruction is change policy or add policy, then according to the policy as changed by the user or the added policy (that is, the target policy information), the security domain path associated with the target policy information is found in the security domain storage module. The security domain path and the target policy information changed or added by the user are then input to the policy audit decision module.
S130: according to the security domain related information corresponding to the target policy information, determine whether to execute the operation instruction.
1) If the operation instruction is delete policy, the security domain association analysis module determines the security domain path and security domain asset information corresponding to the target policy information and displays them to the user, prompting the user to confirm whether to delete the target policy information. If the user confirms the deletion, the flow goes directly to the policy restoration module; if the user does not delete the target policy information, the flow returns to the policy editing module.
2) If the operation instruction is change policy or add policy, the target policy information and all firewall policies of the associated security domains on the corresponding security domain path are input to the policy audit module for auditing. The audit algorithm may be a decision-tree-based audit algorithm, which judges whether the target policy information is a redundant policy or a conflicting policy. If it is not a redundant policy or a conflicting policy, it is determined that the target policy information can be executed, and the flow enters the policy restoration module; if the user modifies the policy again, the flow returns to the policy editing module.
S140: when it is determined to execute the operation instruction, send the operation instruction and the target firewall policy corresponding to the target policy information to the target firewall, so that the target firewall executes the operation instruction.
If it is determined that the operation instruction can be executed, the firewall policy templates involved in the security domain path are called according to the security domain path corresponding to the target policy information, and the target policy information in the preset format is converted into a target firewall policy that conforms to the corresponding policy template; that is, the target policy information in the preset format is converted into a target firewall policy that conforms to the policy template provided by the corresponding firewall vendor.
The target firewall policy is then sent to the target firewall, so that the target firewall executes the target firewall policy.
The firewall policy processing method provided in this embodiment creates in advance the correspondence between the network security domain topology and the corresponding firewall policies. After the operation instruction for a firewall policy entered by the user and the corresponding target policy information are obtained, the security domain related information associated with the target policy information is looked up in that correspondence. Then, according to the security domain related information corresponding to the target policy information, it is determined whether to execute the operation instruction; if so, the operation instruction and the target firewall policy corresponding to the target policy information are sent to the target firewall, which executes the operation instruction. With this method, the security domain path and security domain asset information associated with the target policy information can be determined precisely, without manually inspecting the network topology to find the security domains involved in a firewall policy, which improves the efficiency of firewall policy management and reduces the error rate when configuring firewall policies. Moreover, auditing the firewall policies further improves the accuracy of firewall configuration and management.
Fig. 3 is referred to, shows the flow chart of the embodiment of the present application another kind firewall policy processing method, this method should
For in firewall policy processing unit shown in FIG. 1, as shown in figure 3, this method comprises the following steps:
S210, obtain the corresponding security domain topology of each security domain in current network, security domain assets information and store to
It and, obtains the corresponding firewall policy of each security domain in security domain memory module and stores to policy store module.
The firewall policy, is converted to the firewall policy of preset format by S220, and is stored to policy store module.
S230 according to security domain topology, determines the firewall policy of the preset format corresponding to each security domain, obtains
Matching result between security domain topology and the firewall policy of preset format, and store to security domain memory module.
S240 receives operational order input by user and corresponding target strategy information.
S250, determines the instruction type of the operational order, and described instruction type includes Review Policies, deletion strategy, more
Change strategy and newly-increased strategy;If instruction type is to look at strategy, S260 is performed;If instruction type is deletion strategy, perform
S270;If instruction type is newly-increased strategy, S2110 is performed;If instruction type is change strategy, S2120 is performed.
S260: From the preset-format firewall policies stored in the policy storage module, find the target policy information corresponding to the source IP address and destination IP address input by the user, and display the target policy information to the user.
S270: According to the source IP address and destination IP address input by the user, search the preset-format firewall policies stored in the policy storage module for the target policy information corresponding to the source IP address and destination IP address.
S280: Search the security domain module for the security domain path and security domain asset information corresponding to the target policy information.
S290: Display to the user the security domain path and the security domain asset information that will be affected by deleting the target policy information.
S2100: Judge whether to execute the operation instruction; if so, perform S2170; otherwise, end the current flow.
S2110: Receive the preset-format firewall policy input by the user as the target policy information. After S2110 has been performed, continue with S2140.
S2120: From the preset-format firewall policies stored in the policy storage module, find the firewall policy corresponding to the source IP address and destination IP address input by the user.
S2130: Change the found firewall policy according to the operation instruction to obtain the target policy information.
S2140: Search the security domain module to obtain the security domain path associated with the target policy information.
S2150: Query the policy storage module to obtain all firewall policies on the security domain path.
S2160: According to all firewall policies on the security domain path, judge whether the target policy information is a redundant policy or a conflicting policy. If not, perform S2170; if so, end the current flow.
S2170: According to the security domain related information associated with the target policy information, obtain the firewall policy template corresponding to the target policy information.
S2180: Convert the target policy information into a target firewall policy that matches the firewall policy template.
S2190: Send the target firewall policy and the operation instruction to the corresponding target firewall in the current network, so that the target firewall executes the operation instruction.
If the operation instruction is delete policy, each corresponding target firewall performs the operation of deleting the target firewall policy.
If the operation instruction is change policy or add policy, each corresponding target firewall performs the operation of changing or adding the firewall policy.
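The decision part of this flow (S2140 to S2160 for add and change, S280 to S2100 for delete) can be sketched as follows. This is an added example, not code from the patent: the `Policy` fields, the sample domains and assets, and the definitions of "redundant" (same action, fully covered by an existing rule) and "conflicting" (opposite action, overlapping flows) are assumptions, since the text does not define them.

```python
from collections import deque
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Policy:
    """Assumed preset format: one normalized rule (single TCP port for brevity)."""
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int
    action: str   # "permit" or "deny"


# Constructed sample data standing in for the security domain storage module.
DOMAINS = {"office": "10.1.0.0/16", "dmz": "10.2.0.0/16", "db": "10.3.0.0/16"}
TOPOLOGY = {"office": ["dmz"], "dmz": ["office", "db"], "db": ["dmz"]}
ASSETS = {"office": ["workstations"], "dmz": ["web-01"], "db": ["orders-db"]}
# Constructed S230 matching result: preset-format policies per security domain.
DOMAIN_POLICIES = {
    "office": [Policy("10.1.0.0/16", "10.3.0.0/16", 3306, "deny")],
    "dmz": [Policy("10.2.0.0/16", "10.3.0.0/16", 3306, "permit")],
    "db": [],
}


def domain_of(cidr):
    """Return the security domain whose address range contains cidr."""
    net = ip_network(cidr)
    for name, rng in DOMAINS.items():
        if net.subnet_of(ip_network(rng)):
            return name
    raise LookupError(f"{cidr} is not inside any known security domain")


def domain_path(policy):
    """S2140/S280: shortest security domain path from source to destination."""
    start, goal = domain_of(policy.src), domain_of(policy.dst)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in TOPOLOGY[path[-1]]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    raise LookupError(f"no security domain path from {start} to {goal}")


def _overlaps(a, b):
    """True when at least one flow is matched by both rules."""
    return (a.port == b.port
            and ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst)))


def _covered_by(a, b):
    """True when every flow matched by a is also matched by b."""
    return (a.port == b.port
            and ip_network(a.src).subnet_of(ip_network(b.src))
            and ip_network(a.dst).subnet_of(ip_network(b.dst)))


def audit(target, replacing=None):
    """S2150-S2160: classify target against every policy on its domain path."""
    path = domain_path(target)
    # For a change, the rule being replaced must not be compared with itself.
    existing = [p for d in path for p in DOMAIN_POLICIES[d] if p != replacing]
    for p in existing:   # assumed definition: same action, fully covered
        if p.action == target.action and _covered_by(target, p):
            return "redundant", path, p
    for p in existing:   # assumed definition: opposite action, shared flows
        if p.action != target.action and _overlaps(target, p):
            return "conflict", path, p
    return "ok", path, None


def decide(op, target, replacing=None, confirm=lambda impact: False):
    """Return (execute?, detail) for one operation instruction (S250 dispatch)."""
    if op == "delete":   # S280-S2100: show the impact, operator confirms
        path = domain_path(target)
        impact = {"path": path, "assets": [a for d in path for a in ASSETS[d]]}
        return bool(confirm(impact)), impact
    if op in ("add", "change"):
        verdict, path, clash = audit(target, replacing)
        return verdict == "ok", {"verdict": verdict, "path": path, "clash": clash}
    raise ValueError(f"unsupported operation: {op}")


if __name__ == "__main__":
    new_rule = Policy("10.1.5.0/24", "10.3.0.0/16", 3306, "permit")
    print(decide("add", new_rule))
    print(decide("delete", DOMAIN_POLICIES["dmz"][0], confirm=lambda i: True))
```

A delete is not executed unless the confirmation callback returns true, so an unattended caller fails closed.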
The firewall policy processing method provided in this embodiment creates in advance the correspondence between the network security domain topology and the corresponding firewall policies. After the operation instruction for a firewall policy input by the user and the corresponding target policy information are obtained, the security domain related information associated with the target policy information is looked up in that correspondence. Then, according to the security domain related information corresponding to the target policy information, it is determined whether to execute the operation instruction; if so, the operation instruction and the target firewall policy corresponding to the target policy information are sent to the target firewall, which executes the operation instruction. With this method, the security domain path and security domain asset information associated with the target policy information can be determined precisely, without manually inspecting the network topology to find the security domains involved in a firewall policy. This improves the management efficiency of firewall policies and reduces the error rate when configuring them. Moreover, firewall policies are audited, which further improves the accuracy of firewall configuration and management.
For brevity, each of the foregoing method embodiments is described as a series of combined actions. However, those skilled in the art should understand that the present invention is not limited by the described order of actions, because according to the present invention some steps may be performed in another order or simultaneously. Those skilled in the art should also understand that the embodiments described in the specification are preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
Corresponding to the above firewall policy processing method embodiments, the present application also provides an embodiment of a firewall policy processing device.
Referring to Fig. 4, which shows a block diagram of a firewall policy processing device according to an embodiment of the present application, the device includes: a first acquisition module 110, a security domain association analysis module 120, a determining module 130, a sending module 140, a second acquisition module 150, a format conversion module 160, and a security domain and policy matching module 170.
The second acquisition module 150 is configured to obtain the security domain topology, security domain asset information and firewall policy corresponding to each security domain in the current network.
The security domain topology and security domain asset information corresponding to each security domain are stored in the security domain storage module shown in Fig. 1.
The firewall policy corresponding to each security domain is stored in the policy storage module shown in Fig. 1.
The format conversion module 160 is configured to convert the firewall policy into a firewall policy in a preset format, and to store the preset-format firewall policy.
In practice, the firewall policy templates used by different firewall vendors may differ, that is, the format of the firewall policies may differ. Therefore, to manage firewall policies centrally, firewall policies in different formats need to be converted into a unified format.
The format conversion module 160 runs in the policy formatting module shown in Fig. 1, which is not described again here.
The security domain and policy matching module 170 is configured to determine, according to the security domain topology, the preset-format firewall policy corresponding to each security domain, and to obtain the matching result between the security domain topology and the preset-format firewall policies.
The security domain and policy matching module 170 runs in the security domain and policy matching module shown in Fig. 1, which is not described again here.
The first acquisition module 110 is configured to obtain the operation instruction for the current network and the corresponding target policy information.
The first acquisition module runs in the policy editing module shown in Fig. 1.
The searching module 120 is configured to search, in the matching result created in advance between the security domain related information of the current network and the corresponding firewall policies, for the security domain related information associated with the target policy information.
The security domain related information includes the security domain path corresponding to the target policy information, or the security domain path and the corresponding security domain asset information.
The security domain storage module in Fig. 1 stores the matching result between the security domain related information of each security domain in the current network and the firewall policies. The security domain association analysis module in Fig. 1 searches the matching result stored in the security domain storage module to obtain the security domain related information associated with the target policy information.
The determining module 130 is configured to determine, according to the security domain related information corresponding to the target policy information, whether to execute the operation instruction.
For a delete-policy operation instruction, the searching module and the determining module run in the security domain association analysis module in Fig. 1, which is not described again here.
For a change-policy or add-policy operation instruction, the determining module runs in the policy audit and decision module shown in Fig. 1. In this case the determining module includes a second acquisition submodule, a third acquisition submodule, a judging submodule and a determination submodule.
The second acquisition submodule is configured to obtain, according to the security domain related information associated with the target policy information, the target security domain associated with the target policy information;
the third acquisition submodule is configured to obtain all firewall policies corresponding to the target security domain;
the judging submodule is configured to determine, according to all firewall policies corresponding to the target security domain, whether the target policy information is a redundant policy or a conflicting policy;
the determination submodule is configured to determine that the target policy information can be executed when the target policy information is not the redundant policy or the conflicting policy.
The sending module 140 is configured to, when it is determined to execute the operation instruction, send the operation instruction and the target firewall policy corresponding to the target policy information to the target firewall, so that the target firewall executes the operation instruction.
Since the target policy information is in the preset format, the target firewall may be unable to recognize it. Therefore, before the target policy information is issued to the target firewall, the preset-format target policy information needs to be converted into a format that the target firewall can recognize.
The sending module 140 may include a first acquisition submodule, a format conversion submodule and a sending submodule.
The first acquisition submodule is configured to obtain, according to the security domain related information associated with the target policy information, the firewall policy template corresponding to the target policy information.
The format conversion submodule is configured to convert the target policy information into a target firewall policy that matches the firewall policy template.
The sending submodule is configured to send the target firewall policy and the operation instruction to the corresponding target firewall in the current network.
It should be noted that the embodiments in this specification are described in a progressive manner. Each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar the embodiments may be referred to one another. Since the device embodiments are basically similar to the method embodiments, they are described relatively briefly; for relevant details, see the corresponding description of the method embodiments.
Finally, it should also be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The above is only the preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art may make various improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.
Claims (10)
1. A firewall policy processing method, characterized by comprising:
obtaining an operation instruction for the current network and corresponding target policy information;
searching, in the matching result created in advance between the security domain related information of the current network and the corresponding firewall policies, for the security domain related information associated with the target policy information, the security domain related information including the security domain path corresponding to the target policy information, or the security domain path and the corresponding security domain asset information;
determining, according to the security domain related information corresponding to the target policy information, whether to execute the operation instruction;
when it is determined to execute the operation instruction, sending the operation instruction and the target firewall policy corresponding to the target policy information to the target firewall, so that the target firewall executes the operation instruction.
2. The method according to claim 1, characterized in that the method further comprises:
obtaining the security domain topology, security domain asset information and firewall policy corresponding to each security domain in the current network;
converting the firewall policy into a firewall policy in a preset format, and storing the preset-format firewall policy;
determining, according to the security domain topology, the preset-format firewall policy corresponding to each security domain, and obtaining the matching result between the security domain topology and the preset-format firewall policies.
3. The method according to claim 1, characterized in that obtaining the operation instruction for the current network and the corresponding target policy information comprises:
receiving an operation instruction that operates on the firewall policy of the current network;
when the operation type of the operation instruction is view, delete or change, obtaining a source IP address and a destination IP address, and finding, from the pre-stored preset-format firewall policies corresponding to the current network, the preset-format target policy information corresponding to the source IP address and the destination IP address;
when the operation type of the operation instruction is add, obtaining the input preset-format firewall policy as the target policy information.
4. The method according to claim 1, characterized in that, if the operation type of the operation instruction is delete, determining, according to the security domain related information corresponding to the target policy information, whether to execute the operation instruction comprises:
determining, according to the security domain path and security domain asset information corresponding to the target policy information, the security domain and corresponding security domain asset information affected by deleting the target policy information;
displaying the security domain and the security domain asset information affected by deleting the target policy information, so that the operator confirms whether to execute the operation instruction;
receiving the instruction execution result input by the operator, the instruction execution result including executing the operation instruction and not executing the operation instruction.
5. The method according to claim 1, characterized in that, if the operation type of the operation instruction is add or change, determining, according to the security domain related information corresponding to the target policy information, whether to execute the operation instruction comprises:
obtaining, according to the security domain related information associated with the target policy information, the target security domain associated with the target policy information;
obtaining all firewall policies corresponding to the target security domain;
determining, according to all firewall policies corresponding to the target security domain, whether the target policy information is a redundant policy or a conflicting policy;
when the target policy information is not the redundant policy and the conflicting policy, determining that the target policy information can be executed.
6. The method according to claim 1, characterized in that sending the operation instruction and the target firewall policy corresponding to the target policy information to the target firewall comprises:
obtaining, according to the security domain related information associated with the target policy information, the firewall policy template corresponding to the target policy information;
converting the target policy information into a target firewall policy that matches the firewall policy template;
sending the target firewall policy and the operation instruction to the corresponding target firewall in the current network.
7. A firewall policy processing device, characterized by comprising:
a first acquisition module, configured to obtain an operation instruction for the current network and corresponding target policy information;
a searching module, configured to search, in the matching result created in advance between the security domain related information of the current network and the corresponding firewall policies, for the security domain related information associated with the target policy information, wherein the security domain related information includes the security domain path corresponding to the target policy information, or the security domain path and the corresponding security domain asset information;
a determining module, configured to determine, according to the security domain related information corresponding to the target policy information, whether to execute the operation instruction;
a sending module, configured to, when it is determined to execute the operation instruction, send the operation instruction and the target firewall policy corresponding to the target policy information to the target firewall, so that the target firewall executes the operation instruction.
8. The device according to claim 7, characterized in that the device further comprises:
a second acquisition module, configured to obtain the security domain topology, security domain asset information and firewall policy corresponding to each security domain in the current network;
a format conversion module, configured to convert the firewall policy into a firewall policy in a preset format, and to store the preset-format firewall policy;
a security domain and policy matching module, configured to determine, according to the security domain topology, the preset-format firewall policy corresponding to each security domain, and to obtain the matching result between the security domain topology and the preset-format firewall policies.
9. The device according to claim 7, characterized in that the sending module comprises:
a first acquisition submodule, configured to obtain, according to the security domain related information associated with the target policy information, the firewall policy template corresponding to the target policy information;
a format conversion submodule, configured to convert the target policy information into a target firewall policy that matches the firewall policy template;
a sending submodule, configured to send the target firewall policy and the operation instruction to the corresponding target firewall in the current network.
10. The device according to claim 7, characterized in that, if the operation type of the operation instruction is add or change, the determining module comprises:
a second acquisition submodule, configured to obtain, according to the security domain related information associated with the target policy information, the target security domain associated with the target policy information;
a third acquisition submodule, configured to obtain all firewall policies corresponding to the target security domain;
a judging submodule, configured to determine, according to all firewall policies corresponding to the target security domain, whether the target policy information is a redundant policy or a conflicting policy;
a determination submodule, configured to determine that the target policy information can be executed when the target policy information is not the redundant policy or the conflicting policy.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711382103.9A CN108092979B (en) | 2017-12-20 | 2017-12-20 | Firewall policy processing method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711382103.9A CN108092979B (en) | 2017-12-20 | 2017-12-20 | Firewall policy processing method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108092979A (en) | 2018-05-29 |
CN108092979B (en) | 2021-05-28 |
Family
ID=62177346
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711382103.9A Active CN108092979B (en) | 2017-12-20 | 2017-12-20 | Firewall policy processing method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108092979B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN108092979B (en) | 2021-05-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108092979A (en) | A kind of firewall policy processing method and processing device | |
CN111935192B (en) | Network attack event tracing processing method, device, equipment and storage medium | |
EP3449597B1 (en) | A data driven orchestrated network using a voice activated light weight distributed sdn controller | |
JP4020912B2 (en) | Unauthorized access detection device, unauthorized access detection program, and unauthorized access detection method | |
CN104113433B (en) | Management and the network operating system of protection network | |
US9507944B2 (en) | Method for simulation aided security event management | |
US7710900B2 (en) | Method and system for providing network management based on defining and applying network administrative intents | |
EP3797503B1 (en) | Cyber defence system | |
US7543045B1 (en) | System and method for estimating the geographical location and proximity of network devices and their directly connected neighbors | |
US9313175B2 (en) | Method and system for mapping between connectivity requests and a security rule set | |
CN104753857B (en) | Control of network flow quantity equipment and its security policy configuration method and device | |
WO2017108790A1 (en) | A data driven orchestrated network using a light weight distributed sdn controller | |
Chkirbene et al. | A combined decision for secure cloud computing based on machine learning and past information | |
CN108040055A (en) | A kind of fire wall combined strategy and safety of cloud service protection | |
CN110138788A (en) | A kind of fragile sexual assault cost quantitative evaluating method based on depth index | |
CN110287392A (en) | A kind of safe space network inquiry method based on safe partition tree | |
CN114422224B (en) | Threat information intelligent analysis method and system for attack tracing | |
CN106878343B (en) | It is the system serviced that network security is provided under a kind of cloud computing environment | |
Rahman et al. | A formal framework for network security design synthesis | |
CN107360115A (en) | A kind of SDN means of defence and device | |
CN108270677A (en) | A kind of fast route convergence method and device | |
US20230344755A1 (en) | Determining flow paths of packets through nodes of a network | |
CN106685813B (en) | Suitable for accessing the output service response device and method of net gateway security | |
CN114915536A (en) | Network architecture based on SDP component and terminal equipment safety protection method facing novel network | |
CN101820394B (en) | Statistical method and equipment of access flow |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||