CN108650222B - Firewall rule updating method and system based on stretching filtering - Google Patents

Firewall rule updating method and system based on stretching filtering

Info

Publication number
CN108650222B
CN108650222B
Authority
CN
China
Prior art keywords
rule
address
module
tuple
output
Prior art date
Legal status
Active
Application number
CN201810273650.1A
Other languages
Chinese (zh)
Other versions
CN108650222A (en)
Inventor
李文强
董美林
汤红
邹振茂
代迪
谭彪
Current Assignee
SHENZHEN HUAFU INFORMATION TECHNOLOGY Co.,Ltd.
Original Assignee
Huafu Cloud Technology Shenzhen Co ltd
Priority date
Filing date
Publication date
Application filed by Huafu Cloud Technology Shenzhen Co ltd
Priority to CN201810273650.1A
Publication of CN108650222A
Application granted
Publication of CN108650222B
Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a firewall rule updating method based on stretching filtering and a corresponding system. The method comprises the steps of: obtaining an IP rule text set; identifying and reconstructing the IP rule text set to obtain a corresponding rule strategy; and, according to that rule strategy, performing an identification operation on a given input end and a given output end under a given number of security layers based on a stretching filtering algorithm, and obtaining and outputting the operation result. The invention reduces the time complexity from the total IP count raised to the power of the hierarchy level to the sum of the number of levels and the number of nodes related to the query condition. It detects whether a given input end is effectively connected to a given output end under a given security level: if they are connected, the connecting path is output; if not, an effective path under a similar security level, or a message that no effective path exists, is output. This reduces retrieval time and resource consumption, suits the basic configuration of a large-scale firewall cluster, and makes it convenient to quickly find the optimal firewall IP combination for a given communication path in such a cluster.

Description

Firewall rule updating method and system based on stretching filtering
Technical Field
The invention relates to a firewall rule updating method, in particular to a firewall rule updating method and a firewall rule updating system based on stretching filtering.
Background
Firewall access control is one of the most important core policies for ensuring network security. An Access Control List (ACL) is an instruction list on the interfaces of routers and switches; besides controlling the volume and direction of network traffic, it plays a key role in protecting network equipment and servers. As the first gate through which the external network enters an enterprise's internal network, the access control list on the router is an effective means of protecting the internal network.
At present, when a massive set of IP firewall rules is updated and configured, the firewall configuration system has low retrieval efficiency and high algorithmic complexity when calculating the optimal configuration. Chinese patent 201310180635X provides a firewall rule updating method based on a bipartite graph: it constructs a bipartite graph expressing the firewall rules, matches the rule update requirement against that graph, confirms the requirement and updates the rules, thereby converting the rule update into the modification of edges and vertices in the bipartite graph, which clearly expresses the relationships among all rules in the firewall. It abstracts the whole IP rule set into a bipartite graph for rule identification and retrieval; when a new rule does not fit the cycle structure of the bipartite graph, the method must load the full text of the IP rules for graph calculation, and the algorithmic complexity is high. Full-text retrieval of the IP rules loads the whole rule text, treats each IP segment as a node and the connectivity between segments as an edge, and its complexity grows with the size of the rule text and the number of nodes.
However, in practical application firewall IP rule configuration is usually unidirectional, that is, directional, because of security requirements. Calculation on an undirected-graph principle such as a bipartite graph helps rule abstraction but increases computational complexity; as the number of IP rules grows, the efficiency of graph operations over the full rule text decreases exponentially, which wastes computing resources. Different service scenarios also bring complex task requirements such as security hierarchy settings, and a rule update algorithm must be able to adapt to such configuration requirements and compute the optimal path efficiently.
Therefore, a new firewall rule updating method is needed that reduces search time and resource consumption, suits the basic configuration of a large-scale firewall cluster, and makes it convenient to quickly find the optimal firewall IP combination for a given communication path in the cluster.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a firewall rule updating method and a firewall rule updating system based on stretching filtering.
In order to achieve the purpose, the invention adopts the following technical scheme: a firewall rule updating method based on stretching filtering comprises the following steps:
acquiring an IP rule text set;
identifying and reconstructing the IP rule text set to obtain a corresponding rule strategy;
and according to the corresponding rule strategy, carrying out identification operation on a certain input end and a certain output end under a certain safety layer number based on a stretching filtering algorithm, and obtaining and outputting an operation result.
The further technical scheme is as follows: the method comprises the following steps of identifying and reconstructing an IP rule text set to obtain a corresponding rule strategy, wherein the steps comprise the following specific steps:
filtering the IP rule text set to remove texts which do not accord with the IP identification rule;
removing the duplicate of the filtered IP rule text set, and removing repeated IP rule texts;
sequencing the IP rule text set after the duplication is removed;
cutting the sequenced IP rule text set, distributing the IP rule text set to numerical groups with the numbers of A-J, marking the relationship among the numerical group elements in a mapping mode, and acquiring the numerical group of the mapping relationship;
and reconstructing the digital group with the same mapping relation to form a rule strategy.
The further technical scheme is as follows: the method comprises the following steps of reconstructing a digital group with the same mapping relation to form a rule strategy, wherein the method comprises the following specific steps:
judging whether each digital group in the digital groups with numbers of A-D and F-I under the same mapping relation consists of all numbers of 0-255 or 256;
if yes, marking the number group as (-1, -1) tuple;
if not, representing the numbers in the interval from a up to but not including a + b by an (a, b) tuple;
judging whether the number groups with the numbers of E and J under the same mapping relation consist of all numbers of 10000-99999 or the first digit is 0;
if yes, returning the step of marking the digit group as (-1, -1) tuple;
if not, returning to the step of representing the numbers in the interval from a up to but not including a + b by an (a, b) tuple;
and acquiring the tuple set with the elements (a, b) and the related mapping relation to form a rule strategy.
The further technical scheme is as follows: according to a corresponding rule strategy, identifying and calculating a certain input end and a certain output end under a certain safety layer number based on a stretching filtering algorithm, and acquiring and outputting a calculation result, wherein the method comprises the following specific steps:
distributing the rule strategies to computing units with the numbers of A-J;
acquiring a security level, an input IP address and a detection request word string of an output IP address;
judging whether the input IP address and the output IP address exist in the tuple range of any one of the computing units A to J;
if not, interrupting the computing tasks of each computing unit in a broadcast mode, and outputting a message without an effective path;
if yes, detecting whether the tuple in the E calculation unit can meet any one of the F-J number groups and the number of iteration layers is 1;
if yes, outputting a message of the direct connection path;
if not, selectively starting the A-J computing units to perform iterative computation, and summarizing the computing results of the computing units.
The further technical scheme is as follows: selectively starting the A-J computing units to perform iterative computation, and summarizing the computing results of the computing units, wherein the method comprises the following specific steps of:
taking the calculation units with the numbers of A to E and the calculation units with the numbers of F to J as two integers, and distinguishing element combinations in tuples of the two integers;
marking the intersection tuple of the two integers as an edge group, the non-intersection tuple of the two integers as respective vertex groups, and the first vertex group as an initial vertex group;
judging whether the input IP address and the port are not in the initial vertex group of the A-E computing unit or the output IP address and the port are not in the initial vertex group of the F-J computing unit;
if yes, finishing the calculation task and outputting a message without an effective path;
if not, recombining the tuple element combination in the F-J computing unit which is mapped by the input IP address and the port and the tuple element combination in the A-E computing unit which is mapped by the output IP address and the port into two new integers to carry out stretching filtering iterative computation, and recalculating a new vertex group and an edge group;
judging whether elements exist in an edge group or a previous vertex group or an initial vertex group in iterative calculation;
if yes, finishing the calculation task;
and outputting the corresponding iteration times and the IP connection path generated along with the iteration of each whole as an output result.
The further technical scheme is as follows: the step of outputting the corresponding iteration times and the IP connection paths generated along with the iteration of each whole as the output result comprises the following specific steps:
judging whether the current iteration times plus 1 is equal to the number of iteration layers;
if yes, outputting an effective path, and combining the IP connection path calculated by the A-E calculation unit and the IP connection path calculated by the F-J calculation unit in an ordering mode according to a path result;
if not, obtaining an iteration number result which is closest to the iteration layer number minus 1;
and outputting the IP connection paths which have similar effective paths and have the path result of orderly merging of the IP connection paths calculated by the A-E calculation unit and the IP connection paths calculated by the F-J calculation unit.
The further technical scheme is as follows: the step of judging whether the input IP address and the output IP address exist in the tuple range of any one of the computing units A to J comprises the following specific steps:
orderly arranging the tuples of any one of the computing units A to J;
acquiring the minimum element which is closest to an input IP address and an output IP address in the first element in the tuple of any one of the computing units A to J;
judging whether the difference between the input IP address and the output IP address and the minimum element is smaller than the second element in the corresponding tuple;
if yes, the input IP address and the output IP address exist in the tuple range of any one of the computing units A to J;
if not, the input IP address and the output IP address do not exist in the tuple range of any one of the computing units A to J.
The invention also provides a firewall rule updating system based on the stretching filtering, which comprises a text set acquisition unit, a strategy acquisition unit and an arithmetic unit;
the text set acquisition unit is used for acquiring an IP rule text set;
the strategy acquisition unit is used for identifying and reconstructing the IP rule text set to acquire a corresponding rule strategy;
and the operation unit is used for performing identification operation on a certain input end and a certain output end under a certain safety layer number based on a stretching filtering algorithm according to a corresponding rule strategy, and acquiring and outputting an operation result.
The further technical scheme is as follows: the strategy acquisition unit comprises a filtering module, a duplicate removal module, a sorting module, a cutting module and a reconstruction module;
the filtering module is used for filtering the IP rule text set and removing the texts which do not accord with the IP identification rule;
the duplication removing module is used for removing duplication from the filtered IP rule text set and removing repeated IP rule texts;
the sorting module is used for sorting the IP rule text set after the duplication is removed;
the cutting module is used for cutting the sequenced IP rule text set, distributing the sequenced IP rule text set to numerical groups with numbers of A-J, marking the relationship among elements of each numerical group in a mapping mode, and acquiring the numerical group of the mapping relationship;
and the reconstruction module is used for reconstructing the digital groups with the same mapping relation to form a rule strategy.
The further technical scheme is as follows: the reconstruction module comprises a first judgment submodule, a marking submodule, a representation submodule, a second judgment submodule and a forming submodule;
the first judgment submodule is used for judging whether each digital group in the digital groups with the numbers of A-D and F-I under the same mapping relation consists of all the numbers of 0-255 or 256;
the marking submodule is used for marking the digital group as a (-1, -1) tuple if the judgment is positive;
the representing submodule is used for representing the numbers from a up to but not including a + b by (a, b) tuples if the judgment is negative;
the second judgment submodule is used for judging whether the number groups with the numbers of E and J under the same mapping relation consist of all numbers of 10000-99999 or the first digit is 0;
and the forming submodule is used for acquiring the tuple set with the elements (a, b) and the related mapping relation to form a rule strategy.
Compared with the prior art, the invention has the following beneficial effects: the firewall rule updating method based on stretching filtering reconstructs the IP rule text set and, through the stretching filtering algorithm, reduces the time complexity from the total IP count raised to the power of the hierarchy level to the sum of the number of levels relevant to the query condition and the number of relevant nodes. It detects under a given security level whether a given input end is effectively connected to a given output end; if so, the connecting path is output, and if not, an effective path under a similar number of security layers, or a message that no effective path exists, is output. Retrieval time and resource consumption are thereby reduced, the method suits the basic configuration of a large-scale firewall cluster, and the optimal IP combination for a given communication path can be found quickly in the cluster.
The invention is further described below with reference to the accompanying drawings and specific embodiments.
Drawings
FIG. 1 is a flowchart of a firewall rule updating method based on stretch filtering according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating vertex groups and edge groups according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating iterative computation of stretch filtering according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating finding associated tuples by mapping according to an embodiment of the present invention;
FIG. 5 is a schematic illustration of stretching according to an embodiment of the present invention;
FIG. 6 is a diagram illustrating the recording and redefining of various tuple sets according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of the output result when the stretch filtering algorithm ends because an edge group exists at some point after iteration, according to an embodiment of the present invention;
FIG. 8 is a block diagram of a firewall rule updating system based on stretch filtering according to an embodiment of the present invention.
Detailed Description
In order to more fully understand the technical content of the present invention, the technical solution of the present invention will be further described and illustrated with reference to the following specific embodiments, but not limited thereto.
As shown in the specific embodiments of fig. 1 to 8, the firewall rule updating method based on stretch filtering provided in this embodiment can be applied to relevant basic configurations of a large-scale firewall cluster, so as to reduce retrieval time and resource consumption, and facilitate quick search of an optimal firewall IP combination under a certain communication path in the large-scale firewall cluster.
As shown in fig. 1, the present embodiment provides a firewall rule updating method based on stretch filtering, including:
s1, acquiring an IP rule text set;
s2, identifying and reconstructing the IP rule text set to obtain a corresponding rule strategy;
and S3, according to the corresponding rule strategy, carrying out identification operation on a certain input end and a certain output end under a certain security layer number based on a stretching filtering algorithm, and obtaining and outputting an operation result.
In steps S1 to S3, whether an input end is effectively connected to an output end is detected under a given security level: if it is, the connecting path is output; if it is not, an effective path under a similar security level, or a message that no effective path exists, is output.
For the above step S1, the IP rule text set is divided into two text sets, a TCP/IP rule text set and a UDP/IP rule text set, whose writing modes are identical. The constituent elements are digits and the symbols "-", ":" and ">". Each line of text has the form "192.168.38.28:89424>192.143.22.31:28903". The numbers before the ":" symbol, separated by "." (or written with a "-"), are each a number between 0 and 256 and together represent a server IP; a value of "256" stands for any number between 0 and 255. The number between the ":" symbol and the ">" symbol, or from the ":" symbol to the end of the line, consists of five digits 0-9 and represents a server port; if its first digit is 0, any port is meant. The ">" symbol indicates the direction of pointing. The IP-and-port combinations of two firewall servers joined by a ">" symbol mean that the former server's IP and port can reach the latter server's IP and port. Each line of the text set is such a text, and the whole text set represents all the rules under which the firewall servers communicate under a given IP rule (TCP/IP or UDP/IP).
Because the text writing modes under the two sets of rules are completely the same, the same text processing mode is adopted for processing.
Further, regarding the step of S2, the step of identifying and reconstructing the IP rule text set to obtain the corresponding rule policy includes the following specific steps:
s21, filtering the IP rule text set, and removing the text which does not accord with the IP identification rule;
s22, carrying out duplication removal on the filtered IP rule text set, and removing repeated IP rule texts;
s23, sorting the IP rule text set after the duplication is removed;
s24, cutting the sorted IP rule text set, distributing the cut IP rule text set to numerical groups with numbers of A-J, marking the relationship among the numerical group elements in a mapping mode, and acquiring the numerical group of the mapping relationship;
and S25, reconstructing the digit group with the same mapping relation to form a rule strategy.
The full text of the IP rule is processed and reconstructed in a tuple form, so that the time complexity and the space complexity are reduced to be only related to the number of digital breakpoints, and the running efficiency of full text loading and retrieval is greatly improved.
Specifically, in the step S23, the text lines are arranged in order, and the arrangement order is from small to large according to ASCII code.
In step S24, the sorted results are cut, the cutting symbols being ".", ":" and ">", and the pieces are assigned in sequence to ten number groups numbered A-J; repeated elements in each number group are recorded only once, and the relationships between the elements of the groups are marked in a mapping fashion.
Preferably, for the step S25, the step of reconstructing the number group of the same mapping relationship to form a rule policy includes the following specific steps:
s251, judging whether each digital group in the digital groups with the numbers of A-D and F-I under the same mapping relation consists of all the numbers of 0-255 or 256;
s252, if yes, marking the number group as (-1, -1) tuple;
s253, if not, representing the numbers in the interval from a up to but not including a + b by an (a, b) tuple;
s254, judging whether the number groups with numbers E and J under the same mapping relation consist of all numbers of 10000-99999 or the first digit is 0;
if yes, returning to the step S252;
if not, returning to the step S253;
s255, obtaining the tuple set with the element (a, b) and the related mapping relation to form a rule strategy.
For the same mapping end, in the number groups A-D and F-I, if a number group consists of all the numbers 0-255 or of 256, it is marked as (-1, -1); otherwise it is represented by (a, b), denoting the numbers from a up to but not including a + b. Likewise, in the number groups E and J, if a number group consists of all the numbers 10000-99999 or its first digit is 0, it is marked as (-1, -1); otherwise the numbers of the interval from a up to but not including a + b are represented by (a, b). Finally, a combination composed of the mappings of the number groups is obtained, in which each mapping element is an ordered combination of (a, b) tuples; this combination is the IP rule strategy and is uploaded to the matching identifier for calling.
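The text grammar of step S1, the reconstruction of steps S21 to S25 and the sorted-tuple range check claimed for step S33, worked through as an added Python example that is not the patent's code. It assumes that a "-" inside an octet field is an inclusive range and that "the same mapping relation" for a group means the fields preceding it on the line; function names and sample rules are constructed.

```python
"""Added example, not the patent's code: parse the IP rule text of step S1, run
steps S21-S25 to turn each number group into (a, b) / (-1, -1) tuples, and do the
sorted-tuple range check of step S33. Field names and sample rules are constructed."""
import re
from bisect import bisect_right

GROUPS = "ABCDEFGHIJ"  # A-D source octets, E source port, F-I destination octets, J destination port
OCTET_GROUPS = set("ABCDFGHI")
OCTET = r"\d+(?:-\d+)?"  # assumption: "lo-hi" inside an octet field is an inclusive range
LINE_RE = re.compile(rf"^{OCTET}\.{OCTET}\.{OCTET}\.{OCTET}:\d{{5}}>{OCTET}\.{OCTET}\.{OCTET}\.{OCTET}:\d{{5}}$")

def filter_lines(lines):
    """S21: keep only lines that match the IP rule grammar."""
    return [ln.strip() for ln in lines if LINE_RE.match(ln.strip())]

def dedupe_and_sort(lines):
    """S22 and S23: drop repeated lines, then order by ASCII code."""
    return sorted(set(lines))

def cut(line):
    """S24: split one line on ".", ":" and ">" into the ten fields A-J."""
    return dict(zip(GROUPS, re.split(r"[.:>]", line)))

def runs(values):
    """Compress a set of integers into sorted (a, b) tuples meaning [a, a + b)."""
    out, start, prev = [], None, None
    for v in sorted(values):
        if start is None:
            start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            out.append((start, prev - start + 1))
            start = prev = v
    if start is not None:
        out.append((start, prev - start + 1))
    return out

def reconstruct_group(group, fields):
    """S251-S255 for one number group: (-1, -1) when it means "any", else (a, b) runs."""
    values, wildcard = set(), False
    for f in fields:
        if group in OCTET_GROUPS:
            if f == "256":  # 256 stands for any octet 0-255
                wildcard = True
            elif "-" in f:
                lo, hi = map(int, f.split("-"))
                values.update(range(lo, hi + 1))
            else:
                values.add(int(f))
        elif f.startswith("0"):  # a port with a leading 0 stands for any port
            wildcard = True
        else:
            values.add(int(f))
    # a group that holds every possible value also means "any"
    if group in OCTET_GROUPS and len(values) == 256:
        wildcard = True
    if group not in OCTET_GROUPS and len(values) == 90000:  # all of 10000-99999
        wildcard = True
    return [(-1, -1)] if wildcard else runs(values)

def build_policy(lines):
    """S21-S25: {group: {prefix of the fields before it: [tuples]}}. The prefix is
    our reading of "the same mapping relation"."""
    rows = [cut(ln) for ln in dedupe_and_sort(filter_lines(lines))]
    policy = {}
    for i, g in enumerate(GROUPS):
        by_prefix = {}
        for r in rows:
            by_prefix.setdefault(tuple(r[h] for h in GROUPS[:i]), []).append(r[g])
        policy[g] = {p: reconstruct_group(g, fs) for p, fs in by_prefix.items()}
    return policy

def in_range(tuples, x):
    """S33 as claimed: tuples sorted by a; take the largest a <= x and report a
    hit when x - a < b. (-1, -1) matches everything."""
    if tuples == [(-1, -1)]:
        return True
    i = bisect_right([a for a, _ in tuples], x) - 1
    if i < 0:
        return False
    a, b = tuples[i]
    return x - a < b

RULES = [  # constructed sample input
    "192.168.38.28:89424>192.143.22.31:28903",
    "192.168.38.29:89424>192.143.22.31:28903",
    "192.168.38.30:89424>192.143.22.31:28903",
    "192.168.38.40-42:01234>192.143.22.31:28903",
    "192.168.38.28:89424>192.143.22.31:28903",  # duplicate, dropped in S22
    "10.0.0.256:12345>10.0.1.5:22222",
    "this line does not match the grammar",
]
```

With the sample above, group D under the prefix 192.168.38 becomes `[(28, 3), (40, 3)]`, while the `256` octet and the `01234` port collapse to `[(-1, -1)]`.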
Further, in some embodiments, the step of S3, according to the corresponding rule policy, performs an identification operation on an input end and an output end of a certain security layer based on a stretch filtering algorithm, and obtains and outputs an operation result, including the following specific steps:
s31, distributing the rule strategy to the calculation units with the numbers of A-J;
s32, acquiring a security level, an input IP address and a detection request string of an output IP address;
s33, judging whether the input IP address and the output IP address exist in the tuple range of any one of the computing units A to J;
s34, if not, interrupting the computing task of each computing unit in a broadcast mode and outputting a message without an effective path;
s35, if yes, detecting whether the tuple in the E calculation unit can meet any one of the F-J number groups and the iteration layer number is 1;
s36, if yes, outputting the message of the direct connection path;
and S37, if not, selectively starting the A-J calculation units to perform iterative calculation, and summarizing the calculation results of the calculation units.
For the above steps S31 to S37, a distributed computing layout is adopted. Each IP rule strategy transmitted from the IP rule full-text processor is preloaded and allocated to the ten computing units A to J; if resources are insufficient, breakpoints are set in the IP rule strategies so that all of them fit into the computing units. Each computing unit is responsible for detecting whether a given number and the mapping-number combination corresponding to it exist, and performs concurrent computation, for instance by threads. Specifically, whether each control unit is started can be regulated according to the required amount of computation; if a computing unit is detected to hold a (-1, -1) tuple, the computing task passes straight through that unit. The computation results of each started computing unit are summarised, and the computing tasks of the units are interrupted in a broadcast manner. By managing the related resources, computing efficiency is met, resources are allocated dynamically, and unnecessary loss is avoided.
Specifically, when a legal detection request string containing a security level, an input IP address and an output IP address is transmitted, the control unit of the matching identifier assigns an "IP calculation task" and an "iteration layer number". First, the ten computing units are started to perform "start-stop end list detection" on the input and output IP addresses, that is, to check whether the input and output IP addresses exist in the tuple ranges held by the computing units A-J. If any computing unit returns "no", the control unit issues a "stop computing" broadcast and outputs "no effective path" as the result; otherwise start-stop end list detection is passed and "direct connection detection" is performed, that is, whether the mapping combination of the E computing unit can meet the number combination of F-J is detected. If any computing unit returns "yes" and the number of iteration layers is 1, the control unit outputs "the direct connection path exists"; otherwise direct connection detection is not passed. If direct connection detection does not pass, the stretching filtering algorithm is run: the ten computing units A to J are selectively started for iterative computation, their results are summarised, and the result is output selectively according to the iteration layer number. The iterative computation result is one of three kinds: "no effective path"; "a close effective path exists, … as the path result"; and "the effective path exists, … as the path result".
Detection combinations that do not need to be calculated are filtered out by condition screening, which avoids the heavy resource consumption and loss of computing efficiency caused by performing bipartite graph operations on all IP address and port rules, and improves detection efficiency.
For the stretch filtering algorithm, as shown in fig. 2 to 7, preferably, the step of selectively starting the a to J calculation units to perform iterative calculations and summarizing the calculation results of the calculation units in the step S37 includes the following specific steps:
S371, taking computing units A to E and computing units F to J as two wholes, and distinguishing the element combinations in the tuples of the two wholes;
S372, marking the tuples in the intersection of the two wholes as the edge group, marking the non-intersecting tuples of each whole as its vertex group, and marking the first vertex group as the initial vertex group;
S373, judging whether the input IP address and port are not in the initial vertex group of computing units A to E, or the output IP address and port are not in the initial vertex group of computing units F to J;
S374, if yes, ending the calculation task and outputting a "no effective path" message;
S375, if not, recombining the tuple element combinations in computing units F to J that are mapped from the input IP address and port with the tuple element combinations in computing units A to E that are mapped from the output IP address and port, to form two new wholes for stretching filtering iterative calculation, and recalculating new vertex groups and edge groups;
S376, judging whether, during the iterative calculation, elements exist in the edge group, the previous vertex group or the initial vertex group;
S377, if yes, ending the calculation task;
S378, outputting the corresponding number of iterations and the IP connection paths generated by each whole during the iteration as the output result.
A stretching filtering algorithm designed on the directed graph principle makes the time complexity depend only on the maximum security level and the number of mapping nodes, rather than on the exponential cost of full-graph cyclic detection in a bipartite graph. The method is particularly suitable for quickly finding the optimal firewall IP combination for a given communication path in a large-scale firewall cluster.
For the above S378, the step of outputting the corresponding number of iterations and the IP connection paths generated by each whole during the iteration as the output result includes the following specific steps:
S3781, judging whether the current number of iterations plus 1 is equal to the number of iteration layers;
S3782, if yes, outputting "an effective path exists", the path result being the ordered combination of the IP connection path calculated by computing units A to E and the IP connection path calculated by computing units F to J;
S3783, if not, obtaining the iteration result whose number of iterations is closest to the number of iteration layers minus 1;
S3784, outputting "a close effective path exists", the path result being the ordered combination of the IP connection path calculated by computing units A to E and the IP connection path calculated by computing units F to J.
After the stretching filtering algorithm receives the IP rule policy and before an IP calculation task is loaded, the ABCDE computing units and the FGHIJ computing units are taken as two wholes and the mapping tuple element combinations are distinguished. The intersection of the two is called the "edge group" and the non-intersecting parts are called the respective "vertex groups", where the first vertex group of each of the ABCDE and FGHIJ wholes is called its "initial vertex group". When an IP calculation task is received, if the input IP address and port in the task are not in the initial vertex group of the ABCDE computing units, or the output IP address and port are not in the initial vertex group of the FGHIJ computing units, the calculation ends and "no effective path" is output. Otherwise, the tuple element combinations in the FGHIJ computing units that are mapped from the input IP address and port, and the tuple element combinations in the ABCDE computing units that are mapped from the output IP address and port, are recombined into two new wholes for stretching filtering iterative calculation, and new vertex groups and edge groups are recalculated. The calculation rule of the stretching filtering iterative calculation is: in each round, the tuple set of the other whole that is mapped from the previous round's result set is taken as the new parameter condition for the next round. If, during the iterative calculation, elements exist in the edge group or the previous vertex group, the calculation ends, and the corresponding number of iterations and the IP connection paths generated by each whole during the iteration are output as the output result.
If the number of iterations plus 1 equals the number of iteration layers, the output is "an effective path exists, the path result is ……", where "……" is the ordered combination of the IP connection path calculated by the ABCDE computing units and the IP connection path calculated by the FGHIJ computing units. If the number of iterations plus 1 is not equal to the number of iteration layers, the calculation continues, the iteration result closest to the number of iteration layers minus 1 is selected by comparison, and "a close effective path exists, the path result is ……" is output, where "……" is again the ordered combination of the IP connection path calculated by the ABCDE computing units and the IP connection path calculated by the FGHIJ computing units. If the result of one whole's stretching filtering iterative calculation already exists in the initial vertex group of the other whole, that result is "no" and its stretching filtering iterative calculation ends. If all stretching filtering iterative calculation results are "no", the calculation ends and "no effective path" is output.
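The flow described in the preceding paragraphs (start-stop end list detection, direct connection detection, stretching filtering iteration from both ends, and the three kinds of result), as an added Python example that is not code from the patent. It works on concrete "ip:port" endpoints cut from the rule lines rather than on the (a, b) tuple groups; the rule lines are constructed, and the function names and the reading of the iteration layer number as the requested number of hops are assumptions of this example:

```python
# Added example, not code from the patent. Rule lines below are constructed in the
# page's "ip:port>ip:port" layout; endpoint values are made up for illustration.
SAMPLE_RULES = [
    "10.1.0.2:20001>10.2.0.5:30001",   # hop 1 of a three-hop chain
    "10.2.0.5:30001>10.3.0.7:40001",   # hop 2
    "10.3.0.7:40001>10.4.0.9:50001",   # hop 3
    "10.1.0.2:20001>10.9.0.1:60001",   # dead end: no rule leads onward from 10.9.0.1
]


def build_graph(rules):
    """Cut each rule at '>' into forward edges (used by the ABCDE whole, which
    stretches from the input end) and reverse edges (used by the FGHIJ whole,
    which stretches back from the output end)."""
    fwd, rev = {}, {}
    for line in rules:
        src, dst = line.strip().split(">")
        fwd.setdefault(src, set()).add(dst)
        rev.setdefault(dst, set()).add(src)
    return fwd, rev


def _stretch(front, adj, parent):
    """Stretch one whole by a single hop: map the previous vertex group through
    the rule edges and keep only vertices not seen before by this whole (those
    already in the edge group or an earlier vertex group are filtered out)."""
    new = set()
    for u in front:
        for v in adj.get(u, ()):
            if v not in parent:
                parent[v] = u
                new.add(v)
    return new


def _chain(parent, node):
    """Walk parent links from a vertex back to the whole's starting endpoint."""
    out = []
    while node is not None:
        out.append(node)
        node = parent[node]
    return out


def stretch_filter(rules, in_ep, out_ep, layers):
    """Answer a detection request: does in_ep reach out_ep in exactly `layers`
    hops (the iteration layer number derived from the security level)?
    Returns (status, hops, path)."""
    fwd, rev = build_graph(rules)
    # start-stop end list detection: both endpoints must occur in the rule set
    if in_ep not in fwd or out_ep not in rev:
        return ("no effective path", 0, [])
    parent_f, parent_b = {in_ep: None}, {out_ep: None}   # initial vertex groups
    front_f, front_b = {in_ep}, {out_ep}
    meet = None
    while meet is None and front_f and front_b:
        front_f = _stretch(front_f, fwd, parent_f)
        meet = next((v for v in front_f if v in parent_b), None)
        if meet is None:
            front_b = _stretch(front_b, rev, parent_b)
            meet = next((v for v in front_b if v in parent_f), None)
    if meet is None:   # both wholes exhausted without meeting
        return ("no effective path", 0, [])
    # ordered combination of the ABCDE path (input end to meeting vertex) and
    # the FGHIJ path (meeting vertex to output end)
    path = _chain(parent_f, meet)[::-1] + _chain(parent_b, meet)[1:]
    hops = len(path) - 1
    if hops == 1 and layers == 1:
        return ("direct connection path", hops, path)
    if hops == layers:
        return ("effective path", hops, path)
    return ("close effective path", hops, path)


if __name__ == "__main__":
    print(stretch_filter(SAMPLE_RULES, "10.1.0.2:20001", "10.4.0.9:50001", 3))
```

Each round stretches one whole by one hop and filters the new vertex group against the other whole's vertices, so the search touches only the vertices within the requested number of layers of either endpoint rather than walking the whole graph. The first meeting vertex yields the shortest connection, which is reported as a direct, effective or close effective path depending on how its hop count compares with the requested layer number.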
Preferably, step S33 of judging whether the input IP address and the output IP address exist in the tuple range of any one of computing units A to J includes the following specific steps:
S331, arranging the tuples of any one of computing units A to J in order;
S332, acquiring, among the first elements of the tuples of that computing unit, the minimum element closest to the input IP address and the output IP address;
S333, judging whether the difference between the input IP address and the output IP address and that minimum element is smaller than the second element of the corresponding tuple;
S334, if yes, the input IP address and the output IP address exist in the tuple range of that computing unit;
S335, if not, the input IP address and the output IP address do not exist in the tuple range of that computing unit.
According to the firewall rule updating method based on stretching filtering, the IP rule text set is reconstructed and, through the stretching filtering algorithm, the time complexity is reduced from the total number of IPs raised to the power of the number of layers to the sum of the number of layers relevant to the query condition and the number of relevant nodes. Under a given security layer number, whether a certain input end is effectively connected to a certain output end is detected; if it is, the connecting path is output, and if it is not, an effective path under a close security layer number, or "no effective path", is output. Retrieval time and resource consumption are reduced, the method suits the basic configuration of a large-scale firewall cluster, and the optimal firewall IP combination for a given communication path can be found quickly in such a cluster.
As shown in Fig. 8, the present invention further provides a firewall rule updating system based on stretching filtering, which includes a text set obtaining unit 1, a policy obtaining unit 2 and an operation unit 3. The text set obtaining unit 1 is configured to obtain an IP rule text set. The policy obtaining unit 2 is configured to identify and reconstruct the IP rule text set to obtain the corresponding rule policy. The operation unit 3 is configured to perform, according to the corresponding rule policy, an identification operation on a certain input end and a certain output end under a certain security layer number based on the stretching filtering algorithm, and to obtain and output the operation result.
Under a given security level, whether an input end is effectively connected to an output end is detected; if it is, the connecting path is output, and if it is not, an effective path under a close security level, or "no effective path", is output. This addresses the low retrieval efficiency of existing IP configuration retrieval and the high algorithmic complexity of computing the optimal configuration when a firewall with a massive number of IPs is updated and configured: the IP retrieval text is first reconstructed, and a stretching filtering algorithm reduces the time complexity from the total number of IPs raised to the power of the number of layers to the sum of the number of layers relevant to the query condition and the number of relevant nodes, greatly reducing retrieval time and resource consumption, so that the method is suitable for the related basic configuration of large-scale firewall clusters.
The IP rule text set consists of two text sets, a TCP/IP rule text set and a UDP/IP rule text set, which share the same writing format. The constituent elements are numbers and the symbols ".", ":" and ">". Each line of text has the form "192.168.38.28:89424>192.143.22.31:28903". The numbers separated by "." symbols, or lying between a "." symbol and a ":" symbol, are each a number from 0 to 256 and together represent a server IP; the number "256" represents any value from 0 to 255. The number between a ":" symbol and a ">" symbol, or from a ":" symbol to the end of the line, consists of five digits 0-9 and represents a server port; a leading 0 represents any port. The ">" symbol indicates direction: the IP and port combinations of two firewall servers are joined by a ">" symbol, meaning that communication from the IP and port of the former server to the IP and port of the latter server is allowed. Each line of the text set is such a text, and the text set as a whole represents all the rules under which the firewall servers communicate under a given IP rule (TCP/IP or UDP/IP).
Because the text format under the two sets of rules is identical, the same text processing is applied to both.
Furthermore, the policy obtaining unit 2 includes a filtering module, a deduplication module, a sorting module, a cutting module and a reconstruction module. The filtering module is configured to filter the IP rule text set and remove text that does not conform to the IP identification rule. The deduplication module is configured to deduplicate the filtered IP rule text set and remove repeated IP rule texts. The sorting module is configured to sort the deduplicated IP rule text set, arranging the text lines in order from small to large by ASCII code. The cutting module is configured to cut the sorted IP rule text set, distribute the results to number groups numbered A to J, mark the relationships among the elements of each number group by mapping, and obtain the number groups with their mapping relationships: the sorted results are cut at the symbols ".", ":" and ">" and assigned in sequence to the ten number groups A to J, repeated elements in each number group are recorded only once, and the relationships among the elements of the number groups are marked by mapping.
The reconstruction module is configured to reconstruct the number groups that share the same mapping relationship to form the rule policy.
By processing the full text of the IP rules and reconstructing it in tuple form, the time and space complexity depend only on the number of numeric breakpoints, which greatly improves the efficiency of full-text loading and retrieval.
Preferably, the reconstruction module includes a first judgment submodule, a marking submodule, a representation submodule, a second judgment submodule and a forming submodule. The first judgment submodule is configured to judge whether each of the number groups numbered A to D and F to I under the same mapping relationship consists of all the numbers 0-255 or contains 256. The marking submodule is configured to mark the number group as a (-1, -1) tuple if so. The representation submodule is configured, if not, to represent the numbers from a up to but not including a + b by the (a, b) tuple. The second judgment submodule is configured to judge whether the number groups numbered E and J under the same mapping relationship consist of all the numbers 10000-99999 or have a first digit of 0. The forming submodule is configured to obtain the tuple set with (a, b) elements and the related mapping relationships to form the rule policy.
After processing by the reconstruction module, a combination formed by the mapping of all number groups, with ordered (a, b) tuples as the mapping elements, is finally obtained and uploaded as the IP rule policy to the matching identifier for invocation.
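The tuple reconstruction described for the policy obtaining unit (filtering, deduplication, ASCII sorting, cutting at ".", ":" and ">", and the (a, b) / (-1, -1) encoding) together with the tuple range test of steps S331 to S335 above, as an added Python example that is not code from the patent. The rule lines are constructed; the function names, and the decision to encode each of the ten groups over the whole rule set and record per rule which tuple of each group covers it (standing in for the "mapping relationship"), are assumptions of this example:

```python
# Added example, not code from the patent. Sample text constructed in the page's
# line layout ("192.168.38.28:89424>192.143.22.31:28903"); values are made up.
import re
from bisect import bisect_right

SAMPLE_TEXT = """\
192.168.38.28:89424>192.143.22.31:28903
192.168.38.29:89424>192.143.22.31:28903
192.168.38.30:89424>192.143.22.31:28903
192.168.38.28:89424>192.143.22.31:28903
192.168.38.28:89424>10.0.0.256:01234
not a rule line
192.168.38.300:89424>192.143.22.31:28903
"""

# IP identification rule: four octets, ':', five digits, '>', four octets, ':', five digits
RULE_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}):(\d{5})>"
                     r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}):(\d{5})$")
PORT_GROUPS = (4, 9)   # groups E and J; the other eight groups are octets


def cut_line(line):
    """Cut one rule line at '.', ':' and '>' into the ten number groups A..J, or
    return None if the line does not conform to the IP identification rule.
    Octets run 0-256 (256 = any host); a five-digit port whose first digit is 0
    means any port, which int() keeps distinguishable because it is below 10000."""
    m = RULE_RE.match(line)
    if not m:
        return None
    fields = tuple(int(x) for x in m.groups())
    if any(v > 256 for i, v in enumerate(fields) if i not in PORT_GROUPS):
        return None
    return fields


def compress_group(values, is_port):
    """Encode one number group as ordered (a, b) tuples, each covering the numbers
    a .. a+b-1. A wildcarded group, or one holding its whole domain, collapses to
    [(-1, -1)]."""
    lo, hi = (10000, 99999) if is_port else (0, 255)
    vals = sorted(set(values))
    wildcard = any(v < lo for v in vals) if is_port else 256 in vals
    if wildcard or sum(lo <= v <= hi for v in vals) == hi - lo + 1:
        return [(-1, -1)]
    tuples = []
    for v in vals:
        if tuples and tuples[-1][0] + tuples[-1][1] == v:   # extend the current run
            tuples[-1] = (tuples[-1][0], tuples[-1][1] + 1)
        else:
            tuples.append((v, 1))
    return tuples


def locate(tuples, value):
    """Steps S331-S335: tuples are ordered by first element; take the closest first
    element not above value and test value - a < b. Returns the index of the
    covering tuple, or None when no tuple covers value."""
    if tuples == [(-1, -1)]:
        return 0
    i = bisect_right([a for a, _ in tuples], value) - 1
    if i >= 0 and value - tuples[i][0] < tuples[i][1]:
        return i
    return None


def in_range(tuples, value):
    return locate(tuples, value) is not None


def reconstruct(text):
    """Filter, deduplicate, ASCII-sort, cut and reconstruct the rule text set.
    Returns the ten encoded groups A..J and the mapping relation: for every kept
    rule, the index of the tuple in each group that covers its value."""
    kept = sorted({line for line in text.splitlines() if cut_line(line)})
    rows = [cut_line(line) for line in kept]
    groups = [compress_group([r[i] for r in rows], i in PORT_GROUPS) for i in range(10)]
    mapping = [tuple(locate(groups[i], v) for i, v in enumerate(r)) for r in rows]
    return groups, mapping


def endpoints_in_policy(groups, in_ip, out_ip):
    """Step S33 ('start-stop end list detection'): every octet of the input address
    must fall in the tuple range of groups A-D and every octet of the output
    address in groups F-I."""
    octets = [int(x) for x in in_ip.split(".")] + [int(x) for x in out_ip.split(".")]
    slots = [0, 1, 2, 3, 5, 6, 7, 8]
    return all(in_range(groups[g], v) for g, v in zip(slots, octets))


if __name__ == "__main__":
    groups, mapping = reconstruct(SAMPLE_TEXT)
    print(groups)
    print(mapping)
    print(endpoints_in_policy(groups, "192.168.38.29", "10.0.0.77"))
```

On the sample, the three consecutive source hosts 28, 29 and 30 collapse into the single tuple (28, 3) in group D, the "256" octet turns group I into (-1, -1), and the leading-zero port turns group J into (-1, -1); the duplicate line and the two malformed lines are dropped before cutting. The bisect in `locate` is what keeps the range test logarithmic in the number of tuples, which is the point of ordering them in S331.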
Furthermore, the operation unit 3 includes a distribution module, a string obtaining module, a third judgment module, a broadcast module, a detection module, a first output module and an iterative calculation module. The distribution module is configured to distribute the rule policy to computing units numbered A to J. The string obtaining module is configured to obtain a detection request string containing the security level, the input IP address and the output IP address. The third judgment module is configured to judge whether the input IP address and the output IP address exist in the tuple range of any one of computing units A to J. The broadcast module is configured, if not, to interrupt the calculation tasks of the computing units by broadcast and output a "no effective path" message. The detection module is configured, if yes, to detect whether the tuple in computing unit E can satisfy any one of the F to J number groups and the number of iteration layers is 1. The first output module is configured, if yes, to output a "direct connection path exists" message. The iterative calculation module is configured, if not, to selectively start computing units A to J for iterative calculation and summarize the calculation results of the computing units.
A distributed computing layout is adopted: all IP rule policies delivered by the IP rule full-text processor are preloaded and distributed among the ten computing units A to J. If resources are insufficient, breakpoints are set according to the IP rule policies so that every IP rule policy can be placed in a computing unit. Each computing unit is responsible for detecting whether a certain number exists and whether the mapping number combination corresponding to that number exists, and concurrent processing can be performed in threads or similar. Specifically, whether each computing unit is started can be regulated according to the required amount of calculation; if a computing unit is found to hold a (-1, -1) tuple, the calculation task skips that unit directly; the calculation results of all started computing units are summarized; and the calculation tasks of the computing units are interrupted by broadcast. By managing the related resources in this way, computing efficiency is met, resources are allocated dynamically, and unnecessary loss is avoided.
In addition, the iterative calculation module includes an integration submodule, a marking submodule, a fourth judgment submodule, a second output submodule, a recombination submodule, a fifth judgment submodule, a task ending submodule and a third output submodule. The integration submodule is configured to take computing units A to E and computing units F to J as two wholes and distinguish the element combinations in the tuples of the two wholes. The marking submodule is configured to mark the tuples in the intersection of the two wholes as the edge group, the non-intersecting tuples of each whole as its vertex group, and the first vertex group as the initial vertex group. The fourth judgment submodule is configured to judge whether the input IP address and port are not in the initial vertex group of computing units A to E, or the output IP address and port are not in the initial vertex group of computing units F to J. The second output submodule is configured, if so, to end the calculation task and output a "no effective path" message. The recombination submodule is configured, if not, to recombine the tuple element combinations in computing units F to J that are mapped from the input IP address and port with the tuple element combinations in computing units A to E that are mapped from the output IP address and port into two new wholes for stretching filtering iterative calculation, and to recalculate new vertex groups and edge groups.
The fifth judgment submodule is configured to judge whether, during the iterative calculation, elements exist in the edge group, the previous vertex group or the initial vertex group. The task ending submodule is configured, if so, to end the calculation task. The third output submodule is configured to output the corresponding number of iterations and the IP connection paths generated by each whole during the iteration as the output result.
The third output submodule includes a sixth judgment submodule, a first merging submodule, a result obtaining submodule and a second merging submodule. The sixth judgment submodule is configured to judge whether the current number of iterations plus 1 equals the number of iteration layers. The first merging submodule is configured, if so, to output "an effective path exists", the path result being the ordered merge of the IP connection path calculated by computing units A to E and the IP connection path calculated by computing units F to J. The result obtaining submodule is configured, if not, to obtain the iteration result closest to the number of iteration layers minus 1. The second merging submodule is configured to output "a close effective path exists", the path result being the ordered merge of the IP connection path calculated by computing units A to E and the IP connection path calculated by computing units F to J.
Preferably, the third judgment module includes an arranging submodule configured to arrange the tuples of any one of computing units A to J in order; an element obtaining submodule configured to obtain, among the first elements of the tuples of that computing unit, the minimum element closest to the input IP address and the output IP address; and an element judgment submodule configured to judge whether the difference between the input IP address and the output IP address and that minimum element is smaller than the second element of the corresponding tuple. If so, the input IP address and the output IP address exist in the tuple range of that computing unit; if not, they do not.
According to the firewall rule updating system based on stretching filtering, the IP rule text set is reconstructed and, through the stretching filtering algorithm, the time complexity is reduced from the total number of IPs raised to the power of the number of layers to the sum of the number of layers relevant to the query condition and the number of relevant nodes. Under a given security layer number, whether a certain input end is effectively connected to a certain output end is detected; if it is, the connecting path is output, and if it is not, an effective path under a close security layer number, or "no effective path", is output. Retrieval time and resource consumption are reduced, the system suits the basic configuration of a large-scale firewall cluster, and the optimal firewall IP combination for a given communication path can be found quickly in such a cluster.
The technical content of the present invention is further illustrated by the above examples only for the convenience of the reader; the embodiments of the present invention are not limited thereto, and any technical extension or re-creation based on the present invention falls within its protection. The protection scope of the invention is subject to the claims.

Claims (5)

1. A firewall rule updating method based on stretching filtering, characterized by comprising the following steps:
acquiring an IP rule text set;
identifying and reconstructing the IP rule text set to obtain a corresponding rule policy;
according to the corresponding rule policy, carrying out an identification operation on a certain input end and a certain output end under a certain security layer number based on a stretching filtering algorithm, and obtaining and outputting an operation result;
wherein the step of identifying and reconstructing the IP rule text set to obtain the corresponding rule policy comprises the following specific steps:
filtering the IP rule text set to remove text that does not conform to the IP identification rule;
deduplicating the filtered IP rule text set to remove repeated IP rule texts;
sorting the deduplicated IP rule text set;
cutting the sorted IP rule text set, distributing it to number groups numbered A to J, marking the relationships among the number group elements by mapping, and obtaining the number groups with their mapping relationships;
reconstructing the number groups that share the same mapping relationship to form the rule policy;
wherein the step of reconstructing the number groups that share the same mapping relationship to form the rule policy comprises the following specific steps:
judging whether each of the number groups numbered A to D and F to I under the same mapping relationship consists of all the numbers 0-255 or contains 256;
if yes, marking the number group as a (-1, -1) tuple;
if not, representing the numbers in the interval from a up to but not including a + b by the (a, b) tuple;
judging whether the number groups numbered E and J under the same mapping relationship consist of all the numbers 10000-99999 or have a first digit of 0;
if yes, returning to the step of marking the number group as a (-1, -1) tuple;
if not, returning to the step of representing the numbers in the interval from a up to but not including a + b by the (a, b) tuple;
obtaining the tuple set with (a, b) elements and the related mapping relationships to form the rule policy;
and wherein the step of carrying out, according to the corresponding rule policy, an identification operation on a certain input end and a certain output end under a certain security layer number based on the stretching filtering algorithm, and obtaining and outputting an operation result, comprises the following specific steps:
distributing the rule policy to computing units numbered A to J;
acquiring a detection request string containing a security level, an input IP address and an output IP address;
judging whether the input IP address and the output IP address exist in the tuple range of any one of computing units A to J;
if not, interrupting the calculation tasks of the computing units by broadcast, and outputting a "no effective path" message;
if yes, detecting whether the tuple in computing unit E can satisfy any one of the F to J number groups and the number of iteration layers is 1;
if yes, outputting a "direct connection path exists" message;
if not, selectively starting computing units A to J to perform iterative calculation, and summarizing the calculation results of the computing units.
2. The firewall rule updating method based on stretching filtering according to claim 1, wherein the step of selectively starting computing units A to J to perform iterative calculation and summarizing the calculation results of the computing units comprises the following specific steps:
taking computing units A to E and computing units F to J as two wholes, and distinguishing the element combinations in the tuples of the two wholes;
marking the tuples in the intersection of the two wholes as the edge group, the non-intersecting tuples of each whole as its vertex group, and the first vertex group as the initial vertex group;
judging whether the input IP address and port are not in the initial vertex group of computing units A to E, or the output IP address and port are not in the initial vertex group of computing units F to J;
if yes, ending the calculation task and outputting a "no effective path" message;
if not, recombining the tuple element combinations in computing units F to J that are mapped from the input IP address and port with the tuple element combinations in computing units A to E that are mapped from the output IP address and port into two new wholes for stretching filtering iterative calculation, and recalculating new vertex groups and edge groups;
judging whether, during the iterative calculation, elements exist in the edge group, the previous vertex group or the initial vertex group;
if yes, ending the calculation task;
and outputting the corresponding number of iterations and the IP connection paths generated by each whole during the iteration as the output result.
3. The firewall rule updating method based on stretching filtering according to claim 2, wherein the step of outputting the corresponding number of iterations and the IP connection paths generated by each whole during the iteration as the output result comprises the following specific steps:
judging whether the current number of iterations plus 1 is equal to the number of iteration layers;
if yes, outputting "an effective path exists", the path result being the ordered combination of the IP connection path calculated by computing units A to E and the IP connection path calculated by computing units F to J;
if not, obtaining the iteration result whose number of iterations is closest to the number of iteration layers minus 1;
and outputting "a close effective path exists", the path result being the ordered merge of the IP connection path calculated by computing units A to E and the IP connection path calculated by computing units F to J.
4. The firewall rule updating method based on stretching filtering according to claim 1, wherein the step of judging whether the input IP address and the output IP address exist in the tuple range of any one of computing units A to J comprises the following specific steps:
arranging the tuples of any one of computing units A to J in order;
acquiring, among the first elements of the tuples of that computing unit, the minimum element closest to the input IP address and the output IP address;
judging whether the difference between the input IP address and the output IP address and that minimum element is smaller than the second element of the corresponding tuple;
if yes, the input IP address and the output IP address exist in the tuple range of that computing unit;
if not, the input IP address and the output IP address do not exist in the tuple range of that computing unit.
5. A firewall rule updating system based on stretching filtering, characterized by comprising a text set acquisition unit, a strategy acquisition unit and an operation unit;
the text set acquisition unit is used for acquiring an IP rule text set;
the strategy acquisition unit is used for identifying and reconstructing the IP rule text set to acquire a corresponding rule strategy;
the operation unit is used for performing, according to the corresponding rule strategy and based on a stretching filtering algorithm, an identification operation on a certain input end and a certain output end under a certain number of security layers, and for acquiring and outputting an operation result;
the strategy acquisition unit comprises a filtering module, a deduplication module, a sorting module, a cutting module and a reconstruction module;
the filtering module is used for filtering the IP rule text set and removing the texts which do not conform to the IP identification rule;
the deduplication module is used for deduplicating the filtered IP rule text set and removing repeated IP rule texts;
the sorting module is used for sorting the deduplicated IP rule text set;
the cutting module is used for cutting the sorted IP rule text set, distributing it into numeric groups numbered A to J, marking the relationship among the elements of each numeric group by means of a mapping, and acquiring the numeric groups with the mapping relationship;
the reconstruction module is used for reconstructing the numeric groups having the same mapping relationship to form a rule strategy; the reconstruction module comprises a first judgment submodule, a marking submodule, a representation submodule, a second judgment submodule and a forming submodule;
the first judgment submodule is used for judging whether each of the numeric groups numbered A to D and F to I under the same mapping relationship consists of all the numbers 0 to 255 or 256;
the marking submodule is used for marking the numeric group as a (-1, -1) tuple if it does;
the representation submodule is used, if it does not, for representing the numbers from a up to but not including a + b by an (a, b) tuple;
the second judgment submodule is used for judging whether the numeric groups numbered E and J under the same mapping relationship consist of all the numbers 10000 to 99999 or have a first digit of 0;
the forming submodule is used for obtaining the tuple set with elements (a, b) together with the related mapping relationship, which form the rule strategy;
the operation unit comprises a distribution module, a string acquisition module, a third judgment module, a broadcast module, a detection module, a first output module and an iterative computation module;
the distribution module is used for distributing the rule strategy to the computing units numbered A to J;
the string acquisition module is used for acquiring a detection request string containing a security level, an input IP address and an output IP address;
the third judgment module is used for judging whether the input IP address and the output IP address exist in the tuple range of any one of the computing units A to J;
the broadcast module is used, if they do not, for interrupting the computing tasks of the computing units by broadcast and outputting a message that no valid path exists;
the detection module is used, if they do, for detecting whether the tuple in computing unit E can satisfy any one of the numeric groups F to J with the number of iteration layers being 1;
the first output module is used, if it can, for outputting a message that a direct path exists;
the iterative computation module is used, if it cannot, for selectively starting the computing units A to J to perform iterative computation and summarizing the computation results of the computing units.
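Reading claims 4 and 5 together, the following Python is one way to realise the rule-strategy pipeline of claim 5 (filter, deduplicate, sort, cut into numeric groups A to J, compress each group into (a, b) tuples with (-1, -1) standing for a full range) and the sorted-tuple membership check of claim 4. It is an added illustrative example, not code from the patent or its assignee. Everything beyond the claim text is assumed: the rule syntax `src_ip:src_port->dst_ip:dst_port`, the constructed sample rules, the function names, the assignment of groups A to D and F to I to source and destination octets and of E and J to ports, and 0 to 65535 as the full port range. The example also ignores the "mapping relationship" between groups and checks each group on its own.

```python
import ipaddress
import re
from bisect import bisect_right

# Assumed layout of the ten numeric groups (not stated in the claims):
# A-D source octets, E source port, F-I destination octets, J destination port.
GROUPS = "ABCDEFGHIJ"
OCTET_GROUPS = (0, 1, 2, 3, 5, 6, 7, 8)

# Constructed sample IP rule text set; not taken from the patent.
SAMPLE_RULES = [
    "10.0.0.1:443->192.168.1.10:8080",
    "10.0.0.3:443->192.168.1.10:8080",
    "10.0.0.2:443->192.168.1.10:8080",
    "10.0.0.1:443->192.168.1.10:8080",   # exact duplicate: removed by dedup
    "300.1.1.1:80->192.168.1.10:8080",   # octet out of range: removed by filter
    "allow everything",                  # not an IP rule: removed by filter
]

RULE_RE = re.compile(r"^(\S+):(\d+)->(\S+):(\d+)$")


def parse_rule(line):
    """Filter step: return (src_ip, src_port, dst_ip, dst_port), or None when the
    line does not conform to the assumed IP rule syntax."""
    m = RULE_RE.match(line.strip())
    if m is None:
        return None
    try:
        src = ipaddress.IPv4Address(m.group(1))
        dst = ipaddress.IPv4Address(m.group(3))
    except ValueError:
        return None
    sport, dport = int(m.group(2)), int(m.group(4))
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        return None
    return (src, sport, dst, dport)


def rule_fields(rule):
    """Cut step: split one rule into the ten numeric groups A to J."""
    src, sport, dst, dport = rule
    return tuple(src.packed) + (sport,) + tuple(dst.packed) + (dport,)


def runs_to_tuples(values):
    """Represent a sorted list of distinct integers as (a, b) tuples, each
    covering the numbers from a up to but not including a + b."""
    tuples = []
    if not values:
        return tuples
    start = prev = values[0]
    for v in values[1:]:
        if v != prev + 1:                     # run broken: close the current tuple
            tuples.append((start, prev - start + 1))
            start = v
        prev = v
    tuples.append((start, prev - start + 1))
    return tuples


def build_policy(lines):
    """Filter -> deduplicate -> sort -> cut -> reconstruct into per-group tuple sets."""
    rules = {r for r in map(parse_rule, lines) if r is not None}   # filter + dedup
    fields = sorted(rule_fields(r) for r in rules)                 # sort
    policy = {}
    for idx, name in enumerate(GROUPS):
        values = sorted({f[idx] for f in fields})
        full = 256 if idx in OCTET_GROUPS else 65536
        policy[name] = [(-1, -1)] if len(values) == full else runs_to_tuples(values)
    return policy


def in_tuple_range(tuples, x):
    """Claim 4 check for one group: with tuples sorted by first element, take the
    tuple whose first element is closest to x from below; x is covered iff x - a < b."""
    if tuples == [(-1, -1)]:
        return True
    i = bisect_right([a for a, _ in tuples], x) - 1
    if i < 0:
        return False
    a, b = tuples[i]
    return x - a < b


def path_allowed(policy, src_ip, src_port, dst_ip, dst_port):
    """Run the claim 4 check for every group of a detection request."""
    fields = rule_fields((ipaddress.IPv4Address(src_ip), src_port,
                          ipaddress.IPv4Address(dst_ip), dst_port))
    return all(in_tuple_range(policy[name], v) for name, v in zip(GROUPS, fields))


if __name__ == "__main__":
    policy = build_policy(SAMPLE_RULES)
    print(policy)
    print(path_allowed(policy, "10.0.0.2", 443, "192.168.1.10", 8080))
    print(path_allowed(policy, "10.0.0.4", 443, "192.168.1.10", 8080))
```

Because each group is checked independently, this simplified form accepts the cross product of all per-group ranges: if the rule set held 10.0.0.1 to host X and 10.0.0.2 to host Y, it would also accept 10.0.0.1 to host Y. That over-approximation is exactly what the claim's mapping relationship between groups is meant to prevent, so any real implementation must carry that relationship through to the check and be tested with such cross-combination cases rather than only with rules that are literally present.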

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810273650.1A CN108650222B (en) 2018-03-29 2018-03-29 Firewall rule updating method and system based on stretching filtering

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810273650.1A CN108650222B (en) 2018-03-29 2018-03-29 Firewall rule updating method and system based on stretching filtering

Publications (2)

Publication Number Publication Date
CN108650222A CN108650222A (en) 2018-10-12
CN108650222B true CN108650222B (en) 2020-10-02

Family

ID=63744893

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810273650.1A Active CN108650222B (en) 2018-03-29 2018-03-29 Firewall rule updating method and system based on stretching filtering

Country Status (1)

Country Link
CN (1) CN108650222B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
MA54776B1 (en) 2021-10-29 2023-09-27 Univ Int Rabat Method for deploying a new firewall security policy in a computer network.

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103841095A (en) * 2013-05-10 2014-06-04 湖南大学 Firewall rule updating method based on bigraph
CN103973675A (en) * 2014-04-15 2014-08-06 湖南大学 Method for detecting segmented redundancy in cross-domain collaboration firewalls
CN105812326A (en) * 2014-12-29 2016-07-27 北京网御星云信息技术有限公司 Heterogeneous firewall strategy centralized control method and heterogeneous firewall strategy centralized control system
CN108040055A (en) * 2017-12-14 2018-05-15 广东天网安全信息科技有限公司 A firewall combination strategy and cloud service security protection

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10015140B2 (en) * 2005-02-03 2018-07-03 International Business Machines Corporation Identifying additional firewall rules that may be needed
US8365287B2 (en) * 2010-06-18 2013-01-29 Samsung Sds Co., Ltd. Anti-malware system and operating method thereof

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Analysis and detection of distributed firewall policy configuration errors" (分布式防火墙策略配置错误的分析与检测); Wang Weiping et al.; Journal of the Graduate School of the Chinese Academy of Sciences; 2007-03-30; full text *

Also Published As

Publication number Publication date
CN108650222A (en) 2018-10-12

Similar Documents

Publication Publication Date Title
US11487772B2 (en) Multi-party data joint query method, device, server and storage medium
CN104866502A (en) Data matching method and device
US9672239B1 (en) Efficient content addressable memory (CAM) architecture
CN112367211B (en) Method, device and storage medium for generating configuration template by device command line
CN101848248B (en) Rule searching method and device
CN110505322B (en) IP address field searching method and device
CN108920105B (en) Community structure-based graph data distributed storage method and device
WO2014047863A1 (en) Generating a shape graph for a routing table
CN108650222B (en) Firewall rule updating method and system based on stretching filtering
CN106802927A (en) A kind of date storage method and querying method
US20180152385A1 (en) Packet Classification
CN105550332A (en) Dual-layer index structure based origin graph query method
CN105701128B (en) A kind of optimization method and device of query statement
CN111309753A (en) Method, device and equipment for optimizing structured query statement and storage medium
CN112235197B (en) Parallel route searching method and system
CN108696418B (en) Privacy protection method and device in social network
CN106547877B (en) Data element Smart Logo analytic method based on 6W service logic model
CN111708921A (en) Number selection method, device, equipment and storage medium
CN107181715B (en) Service checking method and device
CN109828968B (en) Data deduplication processing method, device, equipment, cluster and storage medium
CN114461363A (en) Task execution method and device and computer readable storage medium
EP3793171B1 (en) Message processing method, apparatus, and system
CN108566388B (en) SDN flow rule conflict detection method and system based on bloom filter
CN112732715B (en) Data table association method, device and storage medium
CN107592207B (en) Network management service data management method and network management service data management device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210415

Address after: 518000 Room 201, building A, No. 1, Qian Wan Road, Qianhai Shenzhen Hong Kong cooperation zone, Shenzhen, Guangdong (Shenzhen Qianhai business secretary Co., Ltd.)

Patentee after: SHENZHEN HUAFU INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 518000 Room 201, building A, No. 1, Qian Wan Road, Qianhai Shenzhen Hong Kong cooperation zone, Shenzhen, Guangdong (Shenzhen Qianhai business secretary Co., Ltd.)

Patentee before: HUAFU CLOUD TECHNOLOGY (SHENZHEN) Co.,Ltd.