CN108092979A - Firewall policy processing method and device


Info

Publication number: CN108092979A
Authority: CN (China)
Prior art keywords: security domain, target, information, firewall policy, operational order
Legal status: Granted
Current legal status: Active
Application number: CN201711382103.9A
Other languages: Chinese (zh)
Other versions: CN108092979B (en)
Inventors: 卢晓梅, 刘安, 王婵, 郭永和, 程杰, 李静
Current Assignee: State Grid Corp of China SGCC; State Grid Information and Telecommunication Co Ltd
Original Assignee: State Grid Corp of China SGCC; State Grid Information and Telecommunication Co Ltd
Application filed by: State Grid Corp of China SGCC, State Grid Information and Telecommunication Co Ltd
Priority to: CN201711382103.9A
Publications: CN108092979A (application), CN108092979B (granted)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The invention discloses a firewall policy processing method and device. A correspondence between the network security domain topology and the corresponding firewall policies is created in advance. After the operation instruction for a firewall policy entered by the user and the corresponding target policy information are obtained, the security-domain-related information associated with the target policy information is looked up in that correspondence. Then, based on the security-domain-related information corresponding to the target policy information, it is determined whether to execute the operation instruction; if so, the operation instruction and the target firewall policy corresponding to the target policy information are sent to the target firewall, which executes the operation instruction. With this method, the security domain path and security domain asset information associated with the target policy information can be determined precisely, without manually inspecting the network topology to find the security domains a firewall policy involves. This improves the efficiency of firewall policy management and reduces the error rate of firewall policy configuration.

Description

Firewall policy processing method and device
Technical Field
The invention belongs to the field of network security, and in particular relates to a firewall policy processing method and device.
Background
A firewall is a combination of software and hardware devices that forms a protective barrier at the interface between an internal network and an external network, or between a private network and a public network, so as to protect the internal network from intrusion by unauthorized users. A firewall is a combination of software and hardware placed between a computer and the network it is connected to; all network packets flowing into and out of the computer must pass through the firewall's filtering.
Firewall policy management consists of operations such as adding, modifying, viewing and deleting firewall policies. Traditional firewall policy management is mostly manual: operations and maintenance staff (or security administrators) formulate firewall policies according to actual network requirements, inspect the network topology based on personal experience, and look up the security domains that a firewall policy involves (each set of firewall policies corresponds to one security domain). They then process the firewall policy accordingly, and the effect of the policy once it takes effect is difficult to predict. This approach relies on manual operation to sort out and maintain firewall policies, which makes firewall policy configuration and management inefficient and error-prone.
Summary of the Invention
In view of this, the object of the invention is to provide a firewall policy processing method and device, to solve the technical problem of low efficiency and a high error rate when configuring and managing firewall policies. To solve the above problem, this application provides the following technical solutions:
In a first aspect, this application provides a firewall policy processing method, including:
Obtaining an operation instruction for the current network and the corresponding target policy information;
Looking up, in the pre-created matching result between the security-domain-related information of the current network and the corresponding firewall policies, the security-domain-related information associated with the target policy information, where the security-domain-related information includes the security domain path corresponding to the target policy information, or the security domain path and the corresponding security domain asset information;
Determining, according to the security-domain-related information corresponding to the target policy information, whether to execute the operation instruction;
When it is determined that the operation instruction is to be executed, sending the operation instruction and the target firewall policy corresponding to the target policy information to the target firewall, so that the target firewall executes the operation instruction.
Optionally, the method further includes:
Obtaining the security domain topology, security domain asset information and firewall policies corresponding to each security domain in the current network;
Converting the firewall policies into firewall policies in a preset format, and storing the preset-format firewall policies;
Determining, according to the security domain topology, the preset-format firewall policies corresponding to each security domain, and obtaining the matching result between the security domain topology and the preset-format firewall policies.
Optionally, obtaining the operation instruction for the current network and the corresponding target policy information includes:
Receiving an operation instruction that operates on a firewall policy of the current network;
When the operation type of the operation instruction is view, delete or modify, obtaining a source IP address and a destination IP address, and finding, among the pre-stored preset-format firewall policies of the current network, the preset-format target policy information corresponding to the source IP address and the destination IP address;
When the operation type of the operation instruction is add, obtaining the entered preset-format firewall policy as the target policy information.
Optionally, if the operation type of the operation instruction is delete, determining whether to execute the operation instruction according to the security-domain-related information corresponding to the target policy information includes:
Determining, according to the security domain path and security domain asset information corresponding to the target policy information, the security domains and corresponding security domain asset information affected by deleting the target policy information;
Displaying the security domains and the security domain asset information affected by deleting the target policy information, so that the operator can confirm whether to execute the operation instruction;
Receiving the instruction execution result entered by the operator, where the instruction execution result is either to execute the operation instruction or not to execute the operation instruction.
Optionally, if the operation type of the operation instruction is add or modify, determining whether to execute the operation instruction according to the security-domain-related information corresponding to the target policy information includes:
Obtaining, according to the security-domain-related information associated with the target policy information, the target security domain associated with the target policy information;
Obtaining all firewall policies corresponding to the target security domain;
Determining, according to all firewall policies corresponding to the target security domain, whether the target policy information is a redundant policy or a conflicting policy;
When the target policy information is neither a redundant policy nor a conflicting policy, determining that the target policy information can be executed.
Optionally, sending the operation instruction and the target firewall policy corresponding to the target policy information to the target firewall includes:
Obtaining, according to the security-domain-related information associated with the target policy information, the firewall policy template corresponding to the target policy information;
Converting the target policy information into a target firewall policy that matches the firewall policy template;
Sending the target firewall policy and the operation instruction to the target firewall corresponding to the current network.
In a second aspect, this application provides a firewall policy processing device, including:
A first acquisition module, configured to obtain an operation instruction for the current network and the corresponding target policy information;
A lookup module, configured to look up, in the pre-created matching result between the security-domain-related information of the current network and the corresponding firewall policies, the security-domain-related information associated with the target policy information, where the security-domain-related information includes the security domain path corresponding to the target policy information, or the security domain path and the corresponding security domain asset information;
A determining module, configured to determine, according to the security-domain-related information corresponding to the target policy information, whether to execute the operation instruction;
A sending module, configured to, when it is determined that the operation instruction is to be executed, send the operation instruction and the target firewall policy corresponding to the target policy information to the target firewall, so that the target firewall executes the operation instruction.
Optionally, the device further includes:
A second acquisition module, configured to obtain the security domain topology, security domain asset information and firewall policies corresponding to each security domain in the current network;
A format conversion module, configured to convert the firewall policies into firewall policies in a preset format and store the preset-format firewall policies;
A security domain and policy matching module, configured to determine, according to the security domain topology, the preset-format firewall policies corresponding to each security domain, and obtain the matching result between the security domain topology and the preset-format firewall policies.
Optionally, the sending module includes:
A first acquisition submodule, configured to obtain, according to the security-domain-related information associated with the target policy information, the firewall policy template corresponding to the target policy information;
A format conversion submodule, configured to convert the target policy information into a target firewall policy that matches the firewall policy template;
A sending submodule, configured to send the target firewall policy and the operation instruction to the target firewall corresponding to the current network.
Optionally, if the operation type of the operation instruction is add or modify, the determining module includes:
A second acquisition submodule, configured to obtain, according to the security-domain-related information associated with the target policy information, the target security domain associated with the target policy information;
A third acquisition submodule, configured to obtain all firewall policies corresponding to the target security domain;
A judging submodule, configured to determine, according to all firewall policies corresponding to the target security domain, whether the target policy information is a redundant policy or a conflicting policy;
A determination submodule, configured to determine that the target policy information can be executed when the target policy information is neither a redundant policy nor a conflicting policy.
The firewall policy processing method provided in this embodiment creates in advance the correspondence between the network security domain topology and the corresponding firewall policies. After the operation instruction for a firewall policy entered by the user and the corresponding target policy information are obtained, the security-domain-related information associated with the target policy information is looked up in that correspondence. Then, based on the security-domain-related information corresponding to the target policy information, it is determined whether to execute the operation instruction; if so, the operation instruction and the target firewall policy corresponding to the target policy information are sent to the target firewall, which executes the operation instruction. With this method, the security domain path and security domain asset information associated with the target policy information can be determined precisely, without manually inspecting the network topology to find the security domains a firewall policy involves. This improves the efficiency of firewall policy management and reduces the error rate of firewall policy configuration. Moreover, auditing the firewall policies further improves the accuracy of firewall configuration and management.
Brief Description of the Drawings
To illustrate the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a functional block diagram of a firewall processing system according to an embodiment of this application;
Fig. 2 is a flowchart of a firewall policy processing method according to an embodiment of this application;
Fig. 3 is a flowchart of another firewall policy processing method according to an embodiment of this application;
Fig. 4 is a block diagram of a firewall policy processing device according to an embodiment of this application.
Detailed Description
Before the embodiments of the invention are described in detail, the terms used in the invention are introduced:
Firewall policy: the filtering rules of a firewall, which determine the security and usability of the protected network. Each firewall policy usually consists of a five-tuple and an action. The five-tuple comprises the protocol, source IP address, source port, destination IP address and destination port. The action takes the value accept or deny: accept means that packets matching the policy are allowed through, and deny means that packets matching the policy are intercepted.
Security domain: a network or system within the same environment whose members have the same security protection requirements, trust one another, and share the same security access control policy.
Redundant policy: for any firewall policy, if there is a policy before it whose five-tuple and action are exactly identical to its own, that firewall policy is a redundant policy.
Conflicting policies: for any two firewall policies, if their five-tuples are identical but their actions are opposite, the two policies conflict and are called conflicting policies.
To make the purpose, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the invention.
Refer to Fig. 1, which shows a functional block diagram of a firewall processing system according to an embodiment of this application. The firewall processing system includes: a policy formatting module 11, a security domain and policy matching module 12, a security domain storage module 13, a policy storage module 14, a policy editing module 15, a security domain association analysis module 16, a policy audit decision module 17, a policy restoration module 18 and a policy issuing module 19.
The policy formatting module 11 is configured to convert the firewall policies in the current network, which use different firewall policy templates, into firewall policies in a preset format, and to store the preset-format firewall policies in the policy storage module 14.
In practice, different firewall vendors may use different firewall policy templates, so the format of firewall policies may differ. To manage firewall policies centrally, firewall policies in different formats therefore need to be converted into a unified format.
In addition to the preset-format firewall policies of the current network, the policy storage module 14 also stores the firewall policies before format conversion and the firewall policy templates involved in the current network.
The security domain storage module 13 is configured to store the security-domain-related information of the current network. The security-domain-related information includes the security domain topology, security domain asset information and so on; the security domain asset information includes information about the firewalls, switches, servers and other assets in a security domain.
The security domain and policy matching module 12 is configured to determine, according to the security domain topology, the preset-format firewall policies corresponding to each security domain, obtain the matching result between the security domain topology and the preset-format firewall policies, and store the matching result in the security domain storage module.
The policy editing module 15 is configured to receive the policy-related information and the corresponding operation instruction entered by the user, and to obtain the target policy information from the policy-related information.
The security domain association analysis module 16 is configured to look up in the security domain storage module, according to the target policy information and operation instruction output by the policy editing module, the security domain path and security domain asset information associated with the target policy information, and to pass them to the policy audit decision module 17.
The policy audit decision module 17 is configured to audit the target policy information according to the security domain path and security domain asset information associated with it, so that the user can make the final decision based on the audit result.
The policy restoration module 18 is configured to determine, according to the security domain and security domain path associated with the target policy information, the firewall policy template associated with the target policy information, and then to convert the preset-format firewall policy into the format that matches that firewall policy template.
Because the policy formatting module has earlier unified the format of the firewall policies, a unified-format firewall policy must be restored to a format the firewall can recognize before it is issued to the firewall.
The policy issuing module 19 is configured to send the firewall policy and the operation instruction to the corresponding firewall according to the user's operation instruction.
The security domain storage module 13, the policy storage module 14 and the policy formatting module 11 are the modules involved in data preprocessing.
Refer to Fig. 2, which shows a flowchart of a firewall policy processing method according to an embodiment of this application. The method is applied to the firewall policy processing device shown in Fig. 1. As shown in Fig. 2, the method may include the following steps:
S110: obtain the operation instruction for the current network and the corresponding target policy information.
The policy editing module 15 obtains the user's operation instruction for a firewall policy of the current network. The operation instructions include: view policy, delete policy, modify policy and add policy.
1) If the operation instruction is view policy, the user is prompted to enter a source IP address and a destination IP address. The target policy information matching the source IP address and destination IP address entered by the user is looked up in the policy storage module, and the target policy information and the "view policy" operation instruction are output and displayed to the user;
For example, a company employee needs to access a server on the company's internal network. The address of the terminal used by the employee is the source IP address (assume address A), and the address of the server is the destination IP address (assume address B). The firewall policies corresponding to the security domains traversed from address A to address B are looked up in the policy storage module.
2) If the operation instruction is delete policy, the source IP address and destination IP address entered by the user are obtained, and the preset-format policy information corresponding to the path from the source IP address to the destination IP address is found in the policy storage module; this target policy information and the "delete policy" operation instruction are sent to the security domain association analysis module;
3) If the operation instruction is modify policy, the source IP address and destination IP address entered by the user are obtained, the preset-format policy information corresponding to the path from the source IP address to the destination IP address is found in the policy storage module, and the user's changes to that policy information are received to obtain the target policy information; the target policy information and the "modify policy" operation instruction are sent to the security domain association analysis module;
4) If the operation instruction is add policy, the user is prompted to enter policy information according to the preset-format template; the preset-format policy information entered by the user is taken as the target policy information, and the target policy information and the "add policy" operation instruction are sent to the security domain association analysis module.
S120: look up, in the pre-created matching result between the security-domain-related information of the current network and the corresponding firewall policies, the security-domain-related information associated with the target policy information.
This step is performed by the security domain association analysis module, which receives the target policy information and operation instruction sent by the policy editing module and looks up the security-domain-related information associated with the target policy information in the security domain storage module.
The security-domain-related information includes the security domain path and security domain asset information; for example, the security domain asset information includes information about the firewalls, switches, servers and other assets in a security domain.
1) If the operation instruction is delete policy, the security domain storage module is searched according to the target policy information the user wants to delete, the security domain path and security domain asset information corresponding to the target policy information are determined, and the security domains and security domain asset information that would be affected by deleting the target policy information are displayed to the user, so that the user can confirm whether to delete the target policy information. If the user's confirmation to delete the target policy information is detected, the flow proceeds directly to the policy restoration module; otherwise it returns to the policy editing module.
2) If the operation instruction is modify policy or add policy, the security domain path associated with the policy modified or added by the user (that is, the target policy information) is found in the security domain storage module. The security domain path and the target policy information modified or added by the user are then input to the policy audit decision module.
S130: determine, according to the security-domain-related information corresponding to the target policy information, whether to execute the operation instruction.
1) If the operation instruction is delete policy, the security domain association analysis module determines the security domain path and security domain asset information corresponding to the target policy information and displays them to the user, prompting the user to confirm whether to delete the target policy information. If the user confirms deletion of the target policy information, the flow proceeds directly to the policy restoration module; if the user does not delete the target policy information, it returns to the policy editing module.
2) If the operation instruction is modify policy or add policy, the target policy information and all firewall policies of the relevant security domains on the corresponding security domain path are input to the policy audit module for auditing. The audit algorithm may be a decision-tree-based audit algorithm, which judges whether the target policy information is a redundant policy or a conflicting policy. If it is neither a redundant policy nor a conflicting policy, the target policy information is determined to be executable and the flow enters the policy restoration module; if the user modifies the policy again, the flow returns to the policy editing module.
S140: when it is determined that the operation instruction is to be executed, send the operation instruction and the target firewall policy corresponding to the target policy information to the target firewall, so that the target firewall executes the operation instruction.
If it is determined that the operation instruction can be executed, the firewall policy template involved in the security domain path corresponding to the target policy information is retrieved, and the preset-format target policy information is converted into a target firewall policy that conforms to the corresponding policy template; that is, the preset-format target policy information is converted into a target firewall policy that conforms to the policy template provided by the corresponding firewall vendor.
The target firewall policy is then sent to the target firewall, so that the target firewall executes the target firewall policy.
The firewall policy processing method provided in this embodiment creates in advance the correspondence between the network security domain topology and the corresponding firewall policies. After the operation instruction for a firewall policy entered by the user and the corresponding target policy information are obtained, the security-domain-related information associated with the target policy information is looked up in that correspondence. Then, based on the security-domain-related information corresponding to the target policy information, it is determined whether to execute the operation instruction; if so, the operation instruction and the target firewall policy corresponding to the target policy information are sent to the target firewall, which executes the operation instruction. With this method, the security domain path and security domain asset information associated with the target policy information can be determined precisely, without manually inspecting the network topology to find the security domains a firewall policy involves. This improves the efficiency of firewall policy management and reduces the error rate of firewall policy configuration. Moreover, auditing the firewall policies further improves the accuracy of firewall configuration and management.
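The S110 to S140 flow for add, modify and delete, using the redundant and conflicting policy definitions given earlier, is shown below as an added Python example; it is not code from the patent. The domain names, CIDR ranges, assets and the two vendor templates are constructed, the path search is a plain breadth-first search, the audit is a direct five-tuple comparison rather than the decision-tree algorithm the text mentions, and excluding the policy being replaced during a modify (the `old` parameter) is an assumption of this example.

```python
from collections import deque
from dataclasses import asdict, dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    """Preset (unified) format: five-tuple plus action."""
    proto: str
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    action: str  # "accept" or "deny"

    @property
    def five_tuple(self):
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)


# Constructed security domain store: name -> (CIDR, assets, vendor template name)
DOMAINS = {
    "office": ("10.1.0.0/16", ["fw-office", "sw-office-1"], "vendor_a"),
    "dmz": ("10.2.0.0/16", ["fw-dmz", "web-01"], "vendor_b"),
    "core": ("10.3.0.0/16", ["fw-core", "db-01"], "vendor_a"),
}
LINKS = {"office": ["dmz"], "dmz": ["office", "core"], "core": ["dmz"]}

# Constructed matching result: security domain -> preset-format policies
DOMAIN_POLICIES = {
    "office": [Policy("tcp", "10.1.0.5", "any", "10.3.0.9", "5432", "accept")],
    "dmz": [Policy("tcp", "10.1.0.5", "any", "10.3.0.9", "5432", "accept")],
    "core": [Policy("tcp", "10.1.0.7", "any", "10.3.0.9", "22", "deny")],
}

# Hypothetical vendor policy templates (not any real firewall syntax)
TEMPLATES = {
    "vendor_a": "rule {action} proto {proto} from {src_ip}:{src_port} to {dst_ip}:{dst_port}",
    "vendor_b": "{action}|{proto}|{src_ip}|{src_port}|{dst_ip}|{dst_port}",
}


def domain_of(ip):
    """Return the security domain whose CIDR contains ip."""
    for name, (cidr, _assets, _tpl) in DOMAINS.items():
        if ip_address(ip) in ip_network(cidr):
            return name
    raise ValueError(f"{ip} is not in any known security domain")


def domain_path(src_ip, dst_ip):
    """S120: security domain path from source to destination (BFS)."""
    start, goal = domain_of(src_ip), domain_of(dst_ip)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in LINKS[path[-1]]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    raise ValueError(f"no security domain path from {start} to {goal}")


def audit(target, existing):
    """S130 for add/modify: same five-tuple and action is redundant,
    same five-tuple and opposite action is a conflict."""
    for p in existing:
        if p.five_tuple == target.five_tuple:
            return "redundant" if p.action == target.action else "conflict"
    return "ok"


def process(op, target, old=None, confirmed=False):
    """Decide whether to execute op; on success render one vendor-format
    policy per security domain on the path (S140)."""
    path = domain_path(target.src_ip, target.dst_ip)
    result = {"path": path, "send": []}
    if op == "delete":
        # Show what the deletion touches; execute only after confirmation.
        result["impacted_assets"] = {d: DOMAINS[d][1] for d in path}
        result["verdict"] = "ok" if confirmed else "awaiting_confirmation"
    elif op in ("add", "modify"):
        existing = [p for d in path for p in DOMAIN_POLICIES[d] if p != old]
        result["verdict"] = audit(target, existing)
    else:
        raise ValueError(f"unsupported operation: {op}")
    if result["verdict"] == "ok":
        result["send"] = [
            (d, op, TEMPLATES[DOMAINS[d][2]].format(**asdict(target))) for d in path
        ]
    return result
```

A redundant or conflicting target leaves `send` empty, which is the point at which the flow returns to the policy editing module.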
Referring to Fig. 3, which shows a flow chart of another firewall policy processing method according to an embodiment of the present application. The method is applied in the firewall policy processing device shown in Fig. 1. As shown in Fig. 3, the method includes the following steps:
S210: obtain the security domain topology and security domain asset information corresponding to each security domain in the current network and store them in the security domain storage module; and obtain the firewall policy corresponding to each security domain and store it in the policy storage module.
S220: convert the firewall policies into firewall policies of a preset format and store them in the policy storage module.
S230: according to the security domain topology, determine the preset-format firewall policies corresponding to each security domain, obtain the matching result between the security domain topology and the preset-format firewall policies, and store it in the security domain storage module.
S240: receive the operation instruction input by the user and the corresponding target policy information.
S250: determine the instruction type of the operation instruction; the instruction types include view policy, delete policy, change policy and add policy. If the instruction type is view policy, perform S260; if it is delete policy, perform S270; if it is add policy, perform S2110; if it is change policy, perform S2120.
S260: from the preset-format firewall policies stored in the policy storage module, find the target policy information corresponding to the source IP address and destination IP address input by the user, and show the target policy information to the user.
S270: according to the source IP address and destination IP address input by the user, look up the corresponding target policy information in the preset-format firewall policies stored in the policy storage module.
S280: look up, from the security domain module, the security domain path and security domain asset information corresponding to the target policy information.
S290: show the user the security domain path and security domain asset information that will be affected by deleting the target policy information.
S2100: determine whether to execute the operation instruction; if so, perform S2170; otherwise, end the current process.
S2110: receive the preset-format firewall policy input by the user as the target policy information.
After S2110 has been performed, continue with S2140.
S2120: from the preset-format firewall policies stored in the policy storage module, find the firewall policy corresponding to the source IP address and destination IP address input by the user.
S2130: change the found firewall policy according to the operation instruction to obtain the target policy information.
S2140: look up the security domain module to obtain the security domain path associated with the target policy information.
S2150: query the policy storage module to obtain all firewall policies on the security domain path.
S2160: according to all firewall policies on the security domain path, determine whether the target policy information is a redundant policy or a conflicting policy. If not, perform S2170; if so, end the current process.
S2170: according to the security domain related information associated with the target policy information, obtain the firewall policy template corresponding to the target policy information.
S2180: convert the target policy information into a target firewall policy that matches the firewall policy template.
S2190: send the target firewall policy and the operation instruction to the target firewall corresponding to the current network, so that the target firewall executes the operation instruction.
If the operation instruction is delete policy, each corresponding target firewall performs the operation of deleting the target firewall policy.
If the operation instruction is change policy or add policy, each corresponding target firewall performs the operation of changing or adding the firewall policy.
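The audit in S2140 to S2160 can be sketched as follows; this is an added Python example, not code from the patent. The rule fields, the sample domains, links and policies (all constructed), the use of a shortest path, and the definitions used here (redundant: an existing rule with the same action fully covers the target; conflicting: an existing rule with the opposite action overlaps it, ignoring rule order) are assumptions, since the page does not define them.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """A policy in the unified ("preset") format; this field set is an assumption."""
    src: str       # source CIDR
    dst: str       # destination CIDR
    proto: str     # "tcp", "udp" or "any"
    ports: tuple   # inclusive (low, high) destination port range
    action: str    # "permit" or "deny"


# Constructed sample data: security domains, their address ranges, topology links.
DOMAINS = {
    "office": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/16"),
    "core": ipaddress.ip_network("10.3.0.0/16"),
}
LINKS = {"office": ["dmz"], "dmz": ["office", "core"], "core": ["dmz"]}
# Constructed matching result: preset-format policies per domain boundary.
POLICIES = {
    ("office", "dmz"): [Rule("10.1.0.0/16", "10.3.0.0/16", "tcp", (1, 1023), "permit")],
    ("dmz", "core"): [Rule("10.1.5.0/24", "10.3.0.10/32", "tcp", (22, 22), "deny")],
}


def _net(cidr):
    return ipaddress.ip_network(cidr)


def domain_of(cidr):
    """Return the security domain whose address range contains `cidr`."""
    net = _net(cidr)
    for name, rng in DOMAINS.items():
        if net.subnet_of(rng):
            return name
    raise LookupError(f"{cidr} is not inside any known security domain")


def domain_path(src_domain, dst_domain):
    """S2140: shortest security domain path through the topology (BFS)."""
    queue, seen = deque([[src_domain]]), {src_domain}
    while queue:
        path = queue.popleft()
        if path[-1] == dst_domain:
            return path
        for nxt in LINKS.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    raise LookupError(f"no path from {src_domain} to {dst_domain}")


def _proto_ports(a, b):
    """Return (a covers b, a overlaps b) on protocol and destination ports."""
    p_cover = a.proto == "any" or a.proto == b.proto
    p_overlap = p_cover or b.proto == "any"
    cover = p_cover and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1]
    overlap = p_overlap and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1]
    return cover, overlap


def audit(target):
    """S2150/S2160: compare the target with every policy on its domain path.

    Returns (path, findings); an empty findings list means the add or change
    may proceed, any finding means the current process ends.
    """
    path = domain_path(domain_of(target.src), domain_of(target.dst))
    findings = []
    for edge in zip(path, path[1:]):
        for rule in POLICIES.get(edge, []):
            pp_cover, pp_overlap = _proto_ports(rule, target)
            addr_cover = (_net(target.src).subnet_of(_net(rule.src))
                          and _net(target.dst).subnet_of(_net(rule.dst)))
            addr_overlap = (_net(target.src).overlaps(_net(rule.src))
                            and _net(target.dst).overlaps(_net(rule.dst)))
            if rule.action == target.action and addr_cover and pp_cover:
                findings.append(("redundant", edge, rule))
            elif rule.action != target.action and addr_overlap and pp_overlap:
                findings.append(("conflict", edge, rule))
    return path, findings
```

Reporting the boundary and the existing rule with each finding lets the operator see which stored policy blocks the request instead of receiving only a rejection.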
For brevity, each of the foregoing method embodiments is described as a series of combined actions. However, those skilled in the art should know that the present invention is not limited by the described order of actions, because according to the present invention some steps may be performed in other orders or simultaneously. Those skilled in the art should also know that the embodiments described in the specification are preferred embodiments, and that the actions and modules involved are not necessarily required by the present invention.
Corresponding to the above firewall policy processing method embodiments, the present application also provides an embodiment of a firewall policy processing device.
Referring to Fig. 4, which shows a block diagram of a firewall policy processing device according to an embodiment of the present application. As shown in Fig. 4, the device includes: a first acquisition module 110, a security domain association analysis module 120, a determining module 130, a sending module 140, a second acquisition module 150, a format conversion module 160, and a security domain and policy matching module 170.
Second acquisition module 150, configured to obtain the security domain topology, security domain asset information and firewall policy corresponding to each security domain in the current network.
The security domain topology and security domain asset information corresponding to each security domain are stored in the security domain storage module shown in Fig. 1.
The firewall policy corresponding to each security domain is stored in the policy storage module shown in Fig. 1.
Format conversion module 160, configured to convert the firewall policies into firewall policies of a preset format and store the preset-format firewall policies.
In practical applications, the firewall policy templates used by different firewall vendors may differ, that is, the formats of firewall policies may differ. Therefore, to manage firewall policies centrally, firewall policies in different formats must be converted into a unified format.
The format conversion module 160 runs in the policy formatting module shown in Fig. 1; details are not repeated here.
Security domain and policy matching module 170, configured to determine, according to the security domain topology, the preset-format firewall policies corresponding to each security domain, and to obtain the matching result between the security domain topology and the preset-format firewall policies.
The security domain and policy matching module 170 runs in the security domain and policy matching module shown in Fig. 1; details are not repeated here.
First acquisition module 110, configured to obtain the operation instruction for the current network and the corresponding target policy information.
The first acquisition module runs in the policy editing module shown in Fig. 1.
Searching module 120, configured to look up the security domain related information associated with the target policy information in the pre-created matching result between the security domain related information of the current network and the corresponding firewall policies.
The security domain related information includes the security domain path corresponding to the target policy information, or the security domain path and the corresponding security domain asset information.
The security domain storage module in Fig. 1 stores the matching result between the security domain related information of each security domain in the current network and the firewall policies. The security domain association analysis module in Fig. 1 looks up the matching result stored in the security domain storage module to obtain the security domain related information associated with the target policy information.
Determining module 130, configured to determine, according to the security domain related information corresponding to the target policy information, whether to execute the operation instruction.
For a delete-policy operation instruction, the searching module and the determining module run in the security domain association analysis module in Fig. 1; details are not repeated here.
For a change-policy or add-policy operation instruction, the determining module runs in the policy audit and decision module shown in Fig. 1. In this case the determining module includes: a second acquisition submodule, a third acquisition submodule, a judging submodule and a determination submodule.
Second acquisition submodule, configured to obtain, according to the security domain related information associated with the target policy information, the target security domain associated with the target policy information;
Third acquisition submodule, configured to obtain all firewall policies corresponding to the target security domain;
Judging submodule, configured to determine, according to all firewall policies corresponding to the target security domain, whether the target policy information is a redundant policy or a conflicting policy;
Determination submodule, configured to determine that the target policy information can be executed when the target policy information is neither the redundant policy nor the conflicting policy.
Sending module 140, configured to send, when it is determined that the operation instruction is to be executed, the operation instruction and the target firewall policy corresponding to the target policy information to the target firewall, so that the target firewall executes the operation instruction.
Since the target policy information is in the preset format, the target firewall may be unable to recognize it. Therefore, before the target policy information is issued to the target firewall, it must be converted from the preset format into a format that the target firewall can recognize.
The sending module 140 may include: a first acquisition submodule, a format conversion submodule and a sending submodule.
First acquisition submodule, configured to obtain, according to the security domain related information associated with the target policy information, the firewall policy template corresponding to the target policy information.
Format conversion submodule, configured to convert the target policy information into a target firewall policy that matches the firewall policy template.
Sending submodule, configured to send the target firewall policy and the operation instruction to the target firewall corresponding to the current network.
It should be noted that the embodiments in this specification are described progressively: each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar the embodiments may refer to one another. Since the device embodiments are basically similar to the method embodiments, they are described relatively briefly; for related details, refer to the description of the method embodiments.
Finally, it should also be noted that, herein, relational terms such as first and second are used only to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements that are not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The above is only the preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art may make various improvements and modifications without departing from the principle of the present invention, and these improvements and modifications shall also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. A firewall policy processing method, characterized by comprising:
obtaining an operation instruction for the current network and corresponding target policy information;
looking up, in a pre-created matching result between the security domain related information of the current network and the corresponding firewall policies, the security domain related information associated with the target policy information, the security domain related information including the security domain path corresponding to the target policy information, or the security domain path and the corresponding security domain asset information;
determining, according to the security domain related information corresponding to the target policy information, whether to execute the operation instruction;
when it is determined that the operation instruction is to be executed, sending the operation instruction and the target firewall policy corresponding to the target policy information to a target firewall, so that the target firewall executes the operation instruction.
2. The method according to claim 1, characterized in that the method further comprises:
obtaining the security domain topology, security domain asset information and firewall policy corresponding to each security domain in the current network;
converting the firewall policies into firewall policies of a preset format, and storing the preset-format firewall policies;
determining, according to the security domain topology, the preset-format firewall policies corresponding to each security domain, and obtaining the matching result between the security domain topology and the preset-format firewall policies.
3. The method according to claim 1, characterized in that obtaining the operation instruction for the current network and the corresponding target policy information comprises:
receiving an operation instruction for operating on the firewall policy of the current network;
when the operation type of the operation instruction is view, delete or change, obtaining a source IP address and a destination IP address, and finding, from the pre-stored preset-format firewall policies corresponding to the current network, the preset-format target policy information corresponding to the source IP address and the destination IP address;
when the operation type of the operation instruction is add, obtaining the input preset-format firewall policy as the target policy information.
4. The method according to claim 1, characterized in that, if the operation type of the operation instruction is delete, determining, according to the security domain related information corresponding to the target policy information, whether to execute the operation instruction comprises:
determining, according to the security domain path and security domain asset information corresponding to the target policy information, the security domain and the corresponding security domain asset information affected by deleting the target policy information;
displaying the security domain and the security domain asset information affected by deleting the target policy information, so that the operator confirms whether to execute the operation instruction;
receiving the instruction execution result input by the operator, the instruction execution result including executing the operation instruction and not executing the operation instruction.
5. The method according to claim 1, characterized in that, if the operation type of the operation instruction is add or change, determining, according to the security domain related information corresponding to the target policy information, whether to execute the operation instruction comprises:
obtaining, according to the security domain related information associated with the target policy information, the target security domain associated with the target policy information;
obtaining all firewall policies corresponding to the target security domain;
determining, according to all firewall policies corresponding to the target security domain, whether the target policy information is a redundant policy or a conflicting policy;
when the target policy information is neither the redundant policy nor the conflicting policy, determining that the target policy information can be executed.
6. The method according to claim 1, characterized in that sending the operation instruction and the target firewall policy corresponding to the target policy information to the target firewall comprises:
obtaining, according to the security domain related information associated with the target policy information, the firewall policy template corresponding to the target policy information;
converting the target policy information into a target firewall policy that matches the firewall policy template;
sending the target firewall policy and the operation instruction to the target firewall corresponding to the current network.
7. A firewall policy processing device, characterized by comprising:
a first acquisition module, configured to obtain an operation instruction for the current network and corresponding target policy information;
a searching module, configured to look up, in a pre-created matching result between the security domain related information of the current network and the corresponding firewall policies, the security domain related information associated with the target policy information, wherein the security domain related information includes the security domain path corresponding to the target policy information, or the security domain path and the corresponding security domain asset information;
a determining module, configured to determine, according to the security domain related information corresponding to the target policy information, whether to execute the operation instruction;
a sending module, configured to send, when it is determined that the operation instruction is to be executed, the operation instruction and the target firewall policy corresponding to the target policy information to a target firewall, so that the target firewall executes the operation instruction.
8. The device according to claim 7, characterized in that the device further comprises:
a second acquisition module, configured to obtain the security domain topology, security domain asset information and firewall policy corresponding to each security domain in the current network;
a format conversion module, configured to convert the firewall policies into firewall policies of a preset format, and to store the preset-format firewall policies;
a security domain and policy matching module, configured to determine, according to the security domain topology, the preset-format firewall policies corresponding to each security domain, and to obtain the matching result between the security domain topology and the preset-format firewall policies.
9. The device according to claim 7, characterized in that the sending module comprises:
a first acquisition submodule, configured to obtain, according to the security domain related information associated with the target policy information, the firewall policy template corresponding to the target policy information;
a format conversion submodule, configured to convert the target policy information into a target firewall policy that matches the firewall policy template;
a sending submodule, configured to send the target firewall policy and the operation instruction to the target firewall corresponding to the current network.
10. The device according to claim 7, characterized in that, if the operation type of the operation instruction is add or change, the determining module comprises:
a second acquisition submodule, configured to obtain, according to the security domain related information associated with the target policy information, the target security domain associated with the target policy information;
a third acquisition submodule, configured to obtain all firewall policies corresponding to the target security domain;
a judging submodule, configured to determine, according to all firewall policies corresponding to the target security domain, whether the target policy information is a redundant policy or a conflicting policy;
a determination submodule, configured to determine that the target policy information can be executed when the target policy information is neither the redundant policy nor the conflicting policy.
CN201711382103.9A 2017-12-20 2017-12-20 Firewall policy processing method and device Active CN108092979B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711382103.9A CN108092979B (en) 2017-12-20 2017-12-20 Firewall policy processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711382103.9A CN108092979B (en) 2017-12-20 2017-12-20 Firewall policy processing method and device

Publications (2)

Publication Number Publication Date
CN108092979A true CN108092979A (en) 2018-05-29
CN108092979B CN108092979B (en) 2021-05-28

Family

ID=62177346

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711382103.9A Active CN108092979B (en) 2017-12-20 2017-12-20 Firewall policy processing method and device

Country Status (1)

Country Link
CN (1) CN108092979B (en)

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108718322A (en) * 2018-06-20 2018-10-30 北京网藤科技有限公司 A kind of industrial fireproof wall and its means of defence
CN109040089A (en) * 2018-08-15 2018-12-18 深圳前海微众银行股份有限公司 Network strategy auditing method, equipment and computer readable storage medium
CN109327472A (en) * 2018-11-30 2019-02-12 深圳天元云科技有限公司 Dynamic Programming firewall policy insertion method, system, terminal and storage medium
CN109600368A (en) * 2018-12-07 2019-04-09 中盈优创资讯科技有限公司 A kind of method and device of determining firewall policy
CN109768962A (en) * 2018-12-13 2019-05-17 平安科技(深圳)有限公司 Firewall strategy-generating method, device, computer equipment and storage medium
CN110336834A (en) * 2019-07-31 2019-10-15 中国工商银行股份有限公司 Treating method and apparatus for firewall policy
CN110430206A (en) * 2019-08-13 2019-11-08 上海新炬网络技术有限公司 Based on script template metaplasia at the method for configuration firewall security policy
CN110661670A (en) * 2019-10-21 2020-01-07 中国民航信息网络股份有限公司 Network equipment configuration management method and device
CN110677383A (en) * 2019-08-22 2020-01-10 平安科技(深圳)有限公司 Firewall opening method and device, storage medium and computer equipment
CN111428094A (en) * 2020-04-02 2020-07-17 深信服科技股份有限公司 Asset-based network topology generation method, device, equipment and storage medium
CN111835794A (en) * 2020-09-17 2020-10-27 腾讯科技(深圳)有限公司 Firewall policy control method and device, electronic equipment and storage medium
CN111988273A (en) * 2020-07-07 2020-11-24 国网思极网安科技(北京)有限公司 Firewall policy management method and device
CN112351014A (en) * 2020-10-28 2021-02-09 武汉思普崚技术有限公司 Firewall security policy compliance baseline management method and device between security domains
CN112383507A (en) * 2020-10-16 2021-02-19 深圳力维智联技术有限公司 Firewall policy management method, device and system and computer readable storage medium
CN113079128A (en) * 2020-01-06 2021-07-06 中国移动通信集团安徽有限公司 Information plugging method and device, computing equipment and computer storage medium
CN113114683A (en) * 2021-04-14 2021-07-13 中国工商银行股份有限公司 Firewall policy processing method and device
CN113141369A (en) * 2021-04-28 2021-07-20 平安证券股份有限公司 Artificial intelligence-based firewall policy management method and related equipment
CN113691488A (en) * 2020-05-19 2021-11-23 奇安信科技集团股份有限公司 Access control method, apparatus, device and medium executed by firewall device
CN114039853A (en) * 2021-11-15 2022-02-11 北京天融信网络安全技术有限公司 Method, device, storage medium and electronic equipment for detecting security policy
CN114143090A (en) * 2021-11-30 2022-03-04 招商局金融科技有限公司 Firewall deployment method, device, equipment and medium based on network security architecture
CN114301841A (en) * 2021-12-20 2022-04-08 山石网科通信技术股份有限公司 K8S-based micro-isolation strategy processing method and device

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1313290A1 (en) * 2001-11-19 2003-05-21 Stonesoft Corporation A personal firewall with location dependent functionality
CN103067344A (en) * 2011-10-24 2013-04-24 国际商业机器公司 Non-invasive method and equipment for automatically issuing safety regulations in cloud environment
CN104052635A (en) * 2014-06-05 2014-09-17 北京江南天安科技有限公司 Risk situation prediction method and system based on safety pre-warning
US20140282855A1 (en) * 2013-03-13 2014-09-18 FireMon, LLC Modeling network devices for behavior analysis
CN105812326A (en) * 2014-12-29 2016-07-27 北京网御星云信息技术有限公司 Heterogeneous firewall strategy centralized control method and heterogeneous firewall strategy centralized control system
CN105827649A (en) * 2016-05-19 2016-08-03 上海携程商务有限公司 Method and system for automatically generating firewall policy
CN105847236A (en) * 2016-03-15 2016-08-10 北京网御星云信息技术有限公司 Firewall security strategy configuration method and device as well as firewall
US9479479B1 (en) * 2014-09-25 2016-10-25 Juniper Networks, Inc. Detector tree for detecting rule anomalies in a firewall policy
US20170005988A1 (en) * 2015-06-30 2017-01-05 Nicira, Inc. Global objects for federated firewall rule management

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1313290A1 (en) * 2001-11-19 2003-05-21 Stonesoft Corporation A personal firewall with location dependent functionality
CN103067344A (en) * 2011-10-24 2013-04-24 国际商业机器公司 Non-invasive method and equipment for automatically issuing safety regulations in cloud environment
US20140282855A1 (en) * 2013-03-13 2014-09-18 FireMon, LLC Modeling network devices for behavior analysis
CN104052635A (en) * 2014-06-05 2014-09-17 北京江南天安科技有限公司 Risk situation prediction method and system based on safety pre-warning
US9479479B1 (en) * 2014-09-25 2016-10-25 Juniper Networks, Inc. Detector tree for detecting rule anomalies in a firewall policy
CN105812326A (en) * 2014-12-29 2016-07-27 北京网御星云信息技术有限公司 Heterogeneous firewall strategy centralized control method and heterogeneous firewall strategy centralized control system
US20170005988A1 (en) * 2015-06-30 2017-01-05 Nicira, Inc. Global objects for federated firewall rule management
CN105847236A (en) * 2016-03-15 2016-08-10 北京网御星云信息技术有限公司 Firewall security strategy configuration method and device as well as firewall
CN105827649A (en) * 2016-05-19 2016-08-03 上海携程商务有限公司 Method and system for automatically generating firewall policy

Cited By (34)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108718322B (en) * 2018-06-20 2021-04-09 北京网藤科技有限公司 Industrial firewall and protection method thereof
CN108718322A (en) * 2018-06-20 2018-10-30 北京网藤科技有限公司 A kind of industrial fireproof wall and its means of defence
CN109040089A (en) * 2018-08-15 2018-12-18 深圳前海微众银行股份有限公司 Network strategy auditing method, equipment and computer readable storage medium
CN109327472A (en) * 2018-11-30 2019-02-12 深圳天元云科技有限公司 Dynamic Programming firewall policy insertion method, system, terminal and storage medium
CN109327472B (en) * 2018-11-30 2021-06-25 深圳天元云科技有限公司 Method, system, terminal and storage medium for dynamically planning firewall policy insertion
CN109600368A (en) * 2018-12-07 2019-04-09 中盈优创资讯科技有限公司 A kind of method and device of determining firewall policy
CN109600368B (en) * 2018-12-07 2021-04-13 中盈优创资讯科技有限公司 Method and device for determining firewall policy
CN109768962A (en) * 2018-12-13 2019-05-17 平安科技(深圳)有限公司 Firewall strategy-generating method, device, computer equipment and storage medium
CN109768962B (en) * 2018-12-13 2022-04-12 平安科技(深圳)有限公司 Firewall strategy generation method and device, computer equipment and storage medium
CN110336834A (en) * 2019-07-31 2019-10-15 中国工商银行股份有限公司 Treating method and apparatus for firewall policy
CN110430206A (en) * 2019-08-13 2019-11-08 上海新炬网络技术有限公司 Based on script template metaplasia at the method for configuration firewall security policy
CN110430206B (en) * 2019-08-13 2022-03-01 上海新炬网络技术有限公司 Method for generating and configuring firewall security policy based on script templating
CN110677383A (en) * 2019-08-22 2020-01-10 平安科技(深圳)有限公司 Firewall opening method and device, storage medium and computer equipment
CN110661670A (en) * 2019-10-21 2020-01-07 中国民航信息网络股份有限公司 Network equipment configuration management method and device
CN113079128B (en) * 2020-01-06 2022-10-18 中国移动通信集团安徽有限公司 Information blocking method and device, computing equipment and computer storage medium
CN113079128A (en) * 2020-01-06 2021-07-06 中国移动通信集团安徽有限公司 Information plugging method and device, computing equipment and computer storage medium
CN111428094A (en) * 2020-04-02 2020-07-17 深信服科技股份有限公司 Asset-based network topology generation method, device, equipment and storage medium
CN113691488A (en) * 2020-05-19 2021-11-23 奇安信科技集团股份有限公司 Access control method, apparatus, device and medium executed by firewall device
CN111988273A (en) * 2020-07-07 2020-11-24 国网思极网安科技(北京)有限公司 Firewall policy management method and device
CN111835794A (en) * 2020-09-17 2020-10-27 腾讯科技(深圳)有限公司 Firewall policy control method and device, electronic equipment and storage medium
CN111835794B (en) * 2020-09-17 2021-01-05 腾讯科技(深圳)有限公司 Firewall policy control method and device, electronic equipment and storage medium
CN112383507A (en) * 2020-10-16 2021-02-19 深圳力维智联技术有限公司 Firewall policy management method, device and system and computer readable storage medium
CN112351014A (en) * 2020-10-28 2021-02-09 武汉思普崚技术有限公司 Firewall security policy compliance baseline management method and device between security domains
CN112351014B (en) * 2020-10-28 2022-06-07 武汉思普崚技术有限公司 Firewall security policy compliance baseline management method and device between security domains
CN113114683A (en) * 2021-04-14 2021-07-13 中国工商银行股份有限公司 Firewall policy processing method and device
CN113114683B (en) * 2021-04-14 2023-04-07 中国工商银行股份有限公司 Firewall policy processing method and device
CN113141369B (en) * 2021-04-28 2023-02-07 平安证券股份有限公司 Artificial intelligence-based firewall policy management method and related equipment
CN113141369A (en) * 2021-04-28 2021-07-20 平安证券股份有限公司 Artificial intelligence-based firewall policy management method and related equipment
CN114039853B (en) * 2021-11-15 2024-02-09 天融信雄安网络安全技术有限公司 Method and device for detecting security policy, storage medium and electronic equipment
CN114039853A (en) * 2021-11-15 2022-02-11 北京天融信网络安全技术有限公司 Method, device, storage medium and electronic equipment for detecting security policy
CN114143090A (en) * 2021-11-30 2022-03-04 招商局金融科技有限公司 Firewall deployment method, device, equipment and medium based on network security architecture
CN114143090B (en) * 2021-11-30 2024-02-06 招商局金融科技有限公司 Firewall deployment method, device, equipment and medium based on network security architecture
CN114301841A (en) * 2021-12-20 2022-04-08 山石网科通信技术股份有限公司 K8S-based micro-isolation strategy processing method and device
CN114301841B (en) * 2021-12-20 2024-02-06 山石网科通信技术股份有限公司 K8S-based micro-isolation strategy processing method and device

Also Published As

Publication number Publication date
CN108092979B (en) 2021-05-28

Similar Documents

Publication Publication Date Title
CN108092979A (en) A kind of firewall policy processing method and processing device
CN111935192B (en) Network attack event tracing processing method, device, equipment and storage medium
EP3449597B1 (en) A data driven orchestrated network using a voice activated light weight distributed sdn controller
JP4020912B2 (en) Unauthorized access detection device, unauthorized access detection program, and unauthorized access detection method
CN104113433B (en) Management and the network operating system of protection network
US9507944B2 (en) Method for simulation aided security event management
US7710900B2 (en) Method and system for providing network management based on defining and applying network administrative intents
EP3797503B1 (en) Cyber defence system
US7543045B1 (en) System and method for estimating the geographical location and proximity of network devices and their directly connected neighbors
US9313175B2 (en) Method and system for mapping between connectivity requests and a security rule set
CN104753857B (en) Control of network flow quantity equipment and its security policy configuration method and device
WO2017108790A1 (en) A data driven orchestrated network using a light weight distributed sdn controller
Chkirbene et al. A combined decision for secure cloud computing based on machine learning and past information
CN108040055A (en) A kind of fire wall combined strategy and safety of cloud service protection
CN110138788A (en) A kind of fragile sexual assault cost quantitative evaluating method based on depth index
CN110287392A (en) A kind of safe space network inquiry method based on safe partition tree
CN114422224B (en) Threat information intelligent analysis method and system for attack tracing
CN106878343B (en) It is the system serviced that network security is provided under a kind of cloud computing environment
Rahman et al. A formal framework for network security design synthesis
CN107360115A (en) A kind of SDN means of defence and device
CN108270677A (en) A kind of fast route convergence method and device
US20230344755A1 (en) Determining flow paths of packets through nodes of a network
CN106685813B (en) Suitable for accessing the output service response device and method of net gateway security
CN114915536A (en) Network architecture based on SDP component and terminal equipment safety protection method facing novel network
CN101820394B (en) Statistical method and equipment of access flow

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant