CN108667776A - A kind of network service diagnostic method - Google Patents


Info

Publication number
CN108667776A
Authority
CN
China
Prior art keywords
security strategy
service request
safety equipment
rule
request
Prior art date
Legal status
Granted
Application number
CN201710208010.8A
Other languages
Chinese (zh)
Other versions
CN108667776B (en)
Inventor
田野
芮通
严为
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Priority date
Filing date
Publication date
Events
    • Application filed by ZTE Corp
    • Priority to CN201710208010.8A
    • Publication of CN108667776A
    • Application granted
    • Publication of CN108667776B
    • Legal status: Active

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/20 ... for managing network security; network security policies in general
              • H04L63/205 ... involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
            • H04L63/02 ... for separating internal from external traffic, e.g. firewalls
              • H04L63/0227 Filtering policies
                • H04L63/0263 Rule management
            • H04L63/10 ... for controlling access to devices or network resources
              • H04L63/101 Access control lists [ACL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Embodiments of the invention disclose a network service diagnostic method. The method includes: obtaining the configuration information of the security devices that a service request passes through, the configuration information including security policy rules; pre-processing according to the service request and the configuration information of the security devices, the pre-processing including selecting a corresponding security policy matching mode according to the type of each security device, determining the incoming interface and outgoing interface of each security device the service request passes through, and generating a service request to be analysed; and, according to the selected security policy matching mode and a preset matching algorithm, matching the service request to be analysed against the security policy rules of the security devices to generate each security device's permit status for the service request. The technical solution of the embodiments is compatible with security devices of different types and from different vendors when performing network service diagnosis, which improves the practicability of the network service diagnostic method.

Description

A kind of network service diagnostic method
Technical field
The present invention relates to the field of network topology, and in particular to a network service diagnostic method.
Background technology
With the continuous development of Internet technology, network environments have become increasingly complex, and network security has become a main concern of enterprises. To address the security risks present in a network, an enterprise deploys security devices such as firewalls in its internal network; in particular, a company with a large and complex internal network deploys many security devices.
At present, when multiple security devices are deployed, the internal network is usually divided into multiple zones, and different sets of firewall rules are deployed on these security devices so that the zones can interconnect. The company's internal security maintenance staff must therefore check carefully that the rule sets on the different security devices do not interfere with each other and introduce security vulnerabilities. As the internal network grows more complex and the cost of maintaining it rises, it becomes difficult for a security administrator to assess whether the security devices in the internal network allow a specified service to pass. The reasons that assessing the security policy of a company's internal network is relatively difficult include: (1) the configuration languages of security devices such as firewalls are obscure, so both configuring and maintaining the security policy are difficult; (2) the configuration languages of security devices produced by different vendors differ, so the administrator must be familiar with the differences between the security devices in the internal network, which increases the management burden; (3) there may be multiple paths between a source address and a destination address, each traversing different security devices, so to answer a single query the administrator must manually verify all the rules on those security devices, which consumes a great deal of human resources. Because assessing the security policy of the internal network is so difficult, security administrators can use existing network service diagnostic tools to diagnose a complex internal network; these solve some of the problems but still have the following shortcomings:
(1) A network service diagnostic tool can only perform service diagnosis on a network of security devices from a single vendor and of a single type; security devices of different vendors and types are not supported.
(2) Some behaviours of particular security devices that affect service requests are not taken into account, for example layer-2/layer-3 blocking policies and DNAT address translation.
(3) When a security device does not permit a service request in the network to pass, no effective solution is offered.
In summary, using a network service diagnostic tool of the prior art to perform service diagnosis solves some problems, but other problems remain unsolved, so the practicability of performing service diagnosis on a company's internal network is poor.
Invention content
To solve the above technical problem, embodiments of the invention provide a network service diagnostic method which, through a reasonably designed diagnostic mode, is compatible with security devices of different types and from different vendors when performing network service diagnosis, thereby improving the practicability of the method.
In a first aspect, an embodiment of the invention provides a network service diagnostic method, including:
obtaining the configuration information of the security devices that a service request passes through, the configuration information including security policy rules;
pre-processing according to the service request and the configuration information of the security devices, the pre-processing including: selecting a corresponding security policy matching mode according to the type of each security device, determining the incoming interface and outgoing interface of each security device the service request passes through, and generating a service request to be analysed;
according to the selected security policy matching mode and a preset matching algorithm, matching the service request to be analysed against the security policy rules of the security devices to generate each security device's permit status for the service request.
In a first possible implementation of the first aspect, the configuration information further includes one or more of a blocking policy and destination address translation (DNAT), and the pre-processing further includes one or more of the following:
comparing the service request with the blocking policy of each security device, and filtering out any service request that is blocked by the blocking policy of a security device;
determining, according to whether the security policy rules of each security device use pre-DNAT or post-DNAT addresses, whether DNAT is to be applied to the service request on that security device; where, when the security policy rules of one of the security devices use post-DNAT addresses, DNAT is applied to the service request on that security device.
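The two pre-processing steps described above (filtering by blocking policy, then deciding per device whether the request must be DNAT-translated before policy matching), as an added Python example that is not code from the patent or from ZTE. The device configuration format, interface names, addresses and the `rules_use` flag are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed device configurations in an assumed format; nothing here comes from the patent.
DEVICES = {
    "fw-edge": {
        # layer-3 blocking entry: this source subnet may never reach that destination subnet
        "blocking": [{"layer": 3, "src": "192.0.2.0/24", "dst": "10.9.9.0/24"}],
        "dnat": {"203.0.113.10": "10.1.1.10"},   # public destination -> internal server
        "rules_use": "post-dnat",                 # this vendor writes policy on translated addresses
    },
    "fw-core": {
        # layer-2 blocking entry: traffic entering eth3 may never leave via eth4
        "blocking": [{"layer": 2, "in_if": "eth3", "out_if": "eth4"}],
        "dnat": {"203.0.113.10": "10.1.1.10"},
        "rules_use": "pre-dnat",                  # this vendor writes policy on original addresses
    },
}

def make_request(src, dst, svc, in_if, out_if):
    """A single-host service request (constructed shape)."""
    return {"src": src, "dst": dst, "svc": svc, "in_if": in_if, "out_if": out_if}

def is_blocked(request, entry):
    """Does one blocking-policy entry (layer 2 or layer 3) drop the request outright?"""
    if entry["layer"] == 2:
        return request["in_if"] == entry["in_if"] and request["out_if"] == entry["out_if"]
    return (ip_address(request["src"]) in ip_network(entry["src"])
            and ip_address(request["dst"]) in ip_network(entry["dst"]))

def preprocess(request, device):
    """Produce the request to be analysed on one device.

    Returns None when a blocking policy filters the request out (first pre-processing step);
    otherwise a copy of the request whose destination is DNAT-translated only if this device's
    rules are written against post-DNAT addresses (second pre-processing step)."""
    if any(is_blocked(request, entry) for entry in device["blocking"]):
        return None
    analysed = dict(request, dnat_applied=False)
    translated = device["dnat"].get(request["dst"])
    if translated is not None and device["rules_use"] == "post-dnat":
        analysed["dst"] = translated
        analysed["dnat_applied"] = True
    return analysed
```

The same public destination is therefore matched as 10.1.1.10 on fw-edge but as 203.0.113.10 on fw-core; matching both devices against the untranslated address would misreport one of them.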
In a second possible implementation of the first aspect, the type of the security device includes a first type, a second type and a third type, where the security policy rules of a first-type security device form a priority list according to their configuration order, the security policy rules of a second-type security device include inter-zone security policy rules and global security policy rules, and the security policy rules of a third-type security device include the security policy rules on the incoming interface and on the outgoing interface; selecting the corresponding security policy matching mode according to the type of each security device includes:
when the device type is the first type, selecting the security policy matching mode that matches the service request against the security policy rules in the order of the priority list;
when the device type is the second type, selecting the security policy matching mode that first matches the service request against the inter-zone security policy rules and then matches the service request against the global security policy rules;
when the device type is the third type, selecting the security policy matching mode that matches the service request against the security policy rules on the incoming interface and on the outgoing interface of the security device respectively.
In a third possible implementation of the first aspect, matching the service request to be analysed against the security policy rules of the security devices according to the selected security policy matching mode and the preset matching algorithm, and generating each security device's permit status for the service request, includes:
according to the selected security policy matching mode and the preset matching algorithm, matching the service request to be analysed against the security policy rules of the security device to obtain a permitted-request list, a denied-request list and the match condition of the service request;
generating each security device's permit status for the service request according to the permitted-request list, the denied-request list and the match condition of the service request.
According to the third possible implementation of the first aspect, in a fourth possible implementation, matching the service request to be analysed against the security policy rules of the security device according to the selected security policy matching mode and the preset matching algorithm includes:
when there are still unmatched security policy rules on the security device and the service request is not yet exactly matched, judging whether the service request and the security policy rule have an overlapping part;
when it is judged that there is an overlapping part, adding the security policy rule to the permitted-request list or the denied-request list according to the action of that security policy rule;
deleting the overlapping part from the service request to form a new service request.
According to the third possible implementation of the first aspect, in a fifth possible implementation, matching the service request to be analysed against the security policy rules of the security device according to the selected security policy matching mode and the preset matching algorithm includes:
when there are still unmatched security policy rules on the security device and the service request and a security policy rule have an overlapping part, forming a new security policy from the overlapping part and that security policy rule and adding it to an overlap list;
when the overlap list contains overlapping elements, judging whether the service request is exactly matched;
when it is judged that the service request is not exactly matched, judging whether the service request and the security policy rules in the current overlap list have an overlapping part;
when it is judged that there is an overlapping part, adding the security policy rule to the permitted-request list or the denied-request list according to the action of each security policy rule in the current overlap list;
deleting the overlapping part from the service request to form a new service request.
According to the fourth or fifth possible implementation of the first aspect, in a sixth possible implementation, judging whether the service request and the security policy rule have an overlapping part includes:
performing the following judgement items in turn and returning the corresponding result:
judging whether the source zone of the security policy rule includes the incoming interface of the service request; when it does not, the returned match result is empty, and when it does, executing the next judgement item;
judging whether the destination zone of the security policy rule includes the outgoing interface of the service request; when it does not, the returned match result is empty, and when it does, executing the next judgement item;
judging whether the security policy rule and the source address of the service request have an overlapping part; when they do not, the returned match result is empty, and when they do, executing the next judgement item;
judging whether the security policy rule and the destination address of the service request have an overlapping part; when they do not, the returned match result is empty, and when they do, executing the next judgement item;
judging whether the security policy rule and the service of the service request have an overlapping part; when they do not, the returned match result is empty, and when they do, executing the next judgement item;
when the result of every judgement item is "yes", computing the overlapping part of the security policy rule and the service request; the returned match result is that overlapping part.
According to the third possible implementation of the first aspect, in a seventh possible implementation, generating each security device's permit status for the service request according to the permitted-request list, the denied-request list and the match condition of the service request includes:
when the permitted-request list is not empty, the denied-request list is empty and the service request is exactly matched, the permit status is "allow";
when the permitted-request list is not empty and the service request is not exactly matched, the permit status is "partially allow";
when the permitted-request list is empty, the denied-request list is not empty and the service request is exactly matched, the permit status is "deny".
In an eighth possible implementation of the first aspect, the method further includes:
generating security policy change suggestions for the security devices according to each security device's permit status for the service request;
where, when the permit status is "allow", no security policy change suggestion is generated for the corresponding security device;
when the permit status is "partially allow" or "deny", a security policy change suggestion is generated for the corresponding security device, the suggestion including a suggestion to add and/or modify a security policy.
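The rule-by-rule overlap matching of the fourth, sixth, seventh and eighth implementations above, together with the per-type rule ordering of the second, as an added Python example that is not code from the patent or from ZTE. It assumes constructed address sets, interface and zone names and rule formats, represents a request as a set of concrete flows so that the "overlapping part" becomes a plain set intersection, and reports outcomes the text does not enumerate (no matching rule, or a mix of permit and deny with an exact match) as `unclassified`.

```python
from ipaddress import ip_network

# Constructed sample data in an assumed format; nothing here comes from the patent.
def addrs(*nets):
    """Expand CIDR strings into the set of concrete IPv4 addresses they cover."""
    return {str(a) for n in nets for a in ip_network(n)}

def service_request(src, dst, svc, in_if="eth0", out_if="eth1"):
    """A service request: address sets, services, and the interfaces it crosses on the device."""
    return {"src": addrs(*src), "dst": addrs(*dst), "svc": set(svc), "in_if": in_if, "out_if": out_if}

def rule(name, action, src, dst, svc, src_zone=("eth0",), dst_zone=("eth1",)):
    """A security policy rule: zones (sets of interfaces), address sets, services and an action."""
    return {"name": name, "action": action, "src": addrs(*src), "dst": addrs(*dst),
            "svc": set(svc), "src_zone": set(src_zone), "dst_zone": set(dst_zone)}

RULES = [  # in the device's configured order
    rule("r1", "permit", ["192.0.2.0/31"], ["10.1.1.10/32"], ["tcp/80"]),
    rule("r2", "permit", ["192.0.2.0/24"], ["10.1.1.0/24"], ["tcp/443"], src_zone=("eth2",)),
    rule("r3", "deny", ["192.0.2.2/31"], ["10.1.1.10/32"], ["tcp/80", "tcp/443"]),
]
# The three device types of the patent differ only in how their rules are grouped.
SAMPLE_DEVICES = {
    "fw-a": {"type": "priority-list", "rules": RULES},
    "fw-b": {"type": "zone-then-global", "interzone": RULES[:2], "global": RULES[2:]},
    "fw-c": {"type": "per-interface", "by_interface": {"eth0": RULES[:1], "eth1": RULES[1:]}},
}

def ordered_rules(device, request):
    """Second implementation: the matching mode chosen by device type reduces to a rule order."""
    kind = device["type"]
    if kind == "priority-list":        # first type: match in priority-list order
        return list(device["rules"])
    if kind == "zone-then-global":     # second type: inter-zone rules, then global rules
        return device["interzone"] + device["global"]
    if kind == "per-interface":        # third type: rules on the incoming, then the outgoing interface
        by = device["by_interface"]
        return by.get(request["in_if"], []) + by.get(request["out_if"], [])
    raise ValueError("unknown device type: %s" % kind)

def flows(request):
    """The request as a set of concrete (src, dst, service) flows, so overlap is set intersection."""
    return {(s, d, v) for s in request["src"] for d in request["dst"] for v in request["svc"]}

def repeating_part(remaining, request, rule_):
    """Sixth implementation: the overlap judgement; an empty set means 'no overlapping part'."""
    if request["in_if"] not in rule_["src_zone"]:    # source zone must contain the incoming interface
        return set()
    if request["out_if"] not in rule_["dst_zone"]:   # destination zone must contain the outgoing interface
        return set()
    # The flow-level intersection is empty exactly when the source-address, destination-address
    # or service overlap check of the patent fails, so those three checks collapse into one.
    return {(s, d, v) for (s, d, v) in remaining
            if s in rule_["src"] and d in rule_["dst"] and v in rule_["svc"]}

def match(request, rules):
    """Fourth implementation: carve each rule's overlap out of the request until nothing is left."""
    remaining, allow, deny = flows(request), [], []
    for r in rules:
        if not remaining:              # exact match reached; later rules are irrelevant
            break
        part = repeating_part(remaining, request, r)
        if not part:
            continue
        (allow if r["action"] == "permit" else deny).append(r["name"])
        remaining = remaining - part   # delete the overlapping part: this is the new request
    return allow, deny, remaining

def permit_status(allow, deny, remaining):
    """Seventh implementation: the two lists plus the match condition give the verdict."""
    exact = not remaining
    if allow and not deny and exact:
        return "allow"
    if allow and not exact:
        return "partially allow"
    if not allow and deny and exact:
        return "deny"
    return "unclassified"   # outcomes the patent text does not enumerate (assumption)

def change_suggestion(status, deny, remaining):
    """Eighth implementation: nothing for 'allow'; add/modify suggestions otherwise."""
    if status == "allow":
        return None
    hints = []
    if remaining:
        hints.append("add a permit rule covering %d unmatched flow(s)" % len(remaining))
    if deny:
        hints.append("modify deny rule(s) %s" % ", ".join(deny))
    return "; ".join(hints)

def diagnose(request, device):
    """Per-device result: status, matched permit/deny rules, and the change suggestion."""
    allow, deny, remaining = match(request, ordered_rules(device, request))
    status = permit_status(allow, deny, remaining)
    return status, allow, deny, change_suggestion(status, deny, remaining)

if __name__ == "__main__":
    req = service_request(["192.0.2.0/30"], ["10.1.1.10/32"], ["tcp/80", "tcp/443"])
    for name, dev in SAMPLE_DEVICES.items():
        print(name, diagnose(req, dev))
```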
According to the first aspect or any one of the first to eighth possible implementations of the first aspect, in a ninth possible implementation, the method further includes:
displaying, through a user interface (UI), one or more of the following generated results: each security device's permit status for the service request, and the security policy change suggestion for each security device.
In a second aspect, an embodiment of the invention provides a network service diagnostic device, including:
a configuration acquisition module, configured to obtain the configuration information of the security devices that a service request passes through, the configuration information including security policy rules;
a pre-processing module, configured to pre-process according to the service request and the configuration information of the security devices obtained by the configuration acquisition module, the pre-processing performed by the pre-processing module including: selecting a corresponding security policy matching mode according to the type of each security device, determining the incoming interface and outgoing interface of each security device the service request passes through, and generating a service request to be analysed;
a security policy matching module, configured to match the service request to be analysed against the security policy rules of the security devices according to the security policy matching mode selected by the pre-processing module and a preset matching algorithm, and to generate each security device's permit status for the service request.
In a first possible implementation of the second aspect, the configuration information obtained by the configuration acquisition module further includes one or more of a blocking policy and destination address translation (DNAT), and the pre-processing performed by the pre-processing module further includes one or more of the following:
comparing the service request with the blocking policy of each security device, and filtering out any service request that is blocked by the blocking policy of a security device;
determining, according to whether the security policy rules of each security device use pre-DNAT or post-DNAT addresses, whether DNAT is to be applied to the service request on that security device; where, when the security policy rules of a first security device use post-DNAT addresses, DNAT is applied to the service request on the first security device.
In a second possible implementation of the second aspect, the security policy matching module includes:
a security policy matching unit, configured to match the service request to be analysed against the security policy rules of the security device according to the selected security policy matching mode and the preset matching algorithm, to obtain a permitted-request list, a denied-request list and the match condition of the service request;
a generation unit, configured to generate each security device's permit status for the service request according to the permitted-request list, the denied-request list and the match condition of the service request obtained by the security policy matching unit.
In a third possible implementation of the second aspect, the device further includes:
a security policy change module, configured to generate security policy change suggestions for the security devices according to each security device's permit status for the service request generated by the security policy matching module;
where, when the permit status is "allow", the security policy change module does not generate a security policy change suggestion for the corresponding security device;
when the permit status is "partially allow" or "deny", the security policy change module generates a security policy change suggestion for the corresponding security device, the suggestion including a suggestion to add and/or modify a security policy.
According to the third possible implementation of the second aspect, in a fourth possible implementation, the device further includes:
a result display module, configured to display, through a user interface (UI), one or more of the following generated results: each security device's permit status for the service request generated by the security policy matching module, and the security policy change suggestion for each security device generated by the security policy change module.
In a third aspect, an embodiment of the invention provides a network service diagnosis server, including:
a memory for storing executable instructions;
a processor for executing the executable instructions stored in the memory so as to perform the following operations:
obtaining the configuration information of the security devices that a service request passes through, the configuration information including security policy rules;
pre-processing according to the service request and the configuration information of the security devices, the pre-processing including: selecting a corresponding security policy matching mode according to the type of each security device, determining the incoming interface and outgoing interface of each security device the service request passes through, and generating a service request to be analysed;
according to the selected security policy matching mode and a preset matching algorithm, matching the service request to be analysed against the security policy rules of the security devices to generate each security device's permit status for the service request.
In a first possible implementation of the third aspect, the configuration information further includes one or more of a blocking policy and destination address translation (DNAT), and when the processor executes the executable instructions the pre-processing further includes one or more of the following:
comparing the service request with the blocking policy of each security device, and filtering out any service request that is blocked by the blocking policy of a security device;
determining, according to whether the security policy rules of each security device use pre-DNAT or post-DNAT addresses, whether DNAT is to be applied to the service request on that security device; where, when the security policy rules of one of the security devices use post-DNAT addresses, DNAT is applied to the service request on that security device.
In a second possible implementation of the third aspect, when the processor executes the executable instructions, the operation "according to the selected security policy matching mode and the preset matching algorithm, matching the service request to be analysed against the security policy rules of the security devices to generate each security device's permit status for the service request" includes:
according to the selected security policy matching mode and the preset matching algorithm, matching the service request to be analysed against the security policy rules of the security device to obtain a permitted-request list, a denied-request list and the match condition of the service request;
generating each security device's permit status for the service request according to the permitted-request list, the denied-request list and the match condition of the service request.
In a third possible implementation of the third aspect, when the processor executes the executable instructions, the following operations are also performed:
generating security policy change suggestions for the security devices according to each security device's permit status for the service request;
where, when the permit status is "allow", no security policy change suggestion is generated for the corresponding security device;
when the permit status is "partially allow" or "deny", a security policy change suggestion is generated for the corresponding security device, the suggestion including a suggestion to add and/or modify a security policy.
According to the third possible implementation of the third aspect, in a fourth possible implementation, when the processor executes the executable instructions, the following operation is also performed:
displaying, through a user interface (UI), one or more of the following generated results: each security device's permit status for the service request, and the security policy change suggestion for each security device.
The network service diagnostic method provided by the embodiments obtains the configuration information of the security devices that the service request passes through and pre-processes according to that configuration information and the service request, the pre-processing including: selecting a corresponding security policy matching mode according to the type of each security device, determining the incoming interface and outgoing interface of the security devices the service request passes through, and generating a service request to be analysed; then, according to the selected security policy matching mode and a preset matching algorithm, it matches the service request to be analysed against the security policy rules in the configuration information to generate each security device's permit status for the service request. The technical solution can select different security policy matching modes for different types of security device, that is, when performing security policy matching it uses a matching mode adapted to the type of the security device in question; it is therefore compatible with security devices of different types and from different vendors when performing network service diagnosis, which improves the practicability of the network service diagnostic method.
Description of the drawings
The accompanying drawings are provided to aid further understanding of the technical solution of the invention and form part of the specification; together with the embodiments of the application they serve to explain the technical solution of the invention and do not limit it.
Fig. 1 is a flow chart of a network service diagnostic method provided by an embodiment of the invention;
Fig. 2 is a schematic diagram of an access path in a network service diagnostic method provided by an embodiment of the invention;
Fig. 3 is a flow chart of pre-processing in a network service diagnostic method provided by an embodiment of the invention;
Fig. 4 is a flow chart of selecting a security policy matching mode in a network service diagnostic method provided by an embodiment of the invention;
Fig. 5 is a flow chart of another network service diagnostic method provided by an embodiment of the invention;
Fig. 6 is a flow chart of performing security policy matching in a network service diagnostic method provided by an embodiment of the invention;
Fig. 7 is a flow chart of another way of performing security policy matching in a network service diagnostic method provided by an embodiment of the invention;
Fig. 8 is a flow chart of analysing the overlapping part of a service request and a security policy rule in a network service diagnostic method provided by an embodiment of the invention;
Fig. 9 is a flow chart of generating the permit status of a service request in a network service diagnostic method provided by an embodiment of the invention;
Fig. 10 is a flow chart of another network service diagnostic method provided by an embodiment of the invention;
Fig. 11 is a schematic diagram of displaying match results in a network service diagnostic method provided by an embodiment of the invention;
Fig. 12 is a structural schematic diagram of a network service diagnostic device provided by an embodiment of the invention;
Fig. 13 is a structural schematic diagram of another network service diagnostic device provided by an embodiment of the invention;
Fig. 14 is a structural schematic diagram of another network service diagnostic device provided by an embodiment of the invention;
Fig. 15 is a structural schematic diagram of a network service diagnosis server provided by an embodiment of the invention.
Specific implementation mode
To make the objectives, technical solutions and advantages of the invention clearer, embodiments of the invention are described in detail below with reference to the drawings. It should be noted that, where there is no conflict, the embodiments in this application and the features in those embodiments may be combined with one another arbitrarily.
The steps shown in the flow charts of the drawings may be executed in a computer system such as a set of computer-executable instructions. Also, although a logical order is shown in the flow charts, in some cases the steps shown or described may be executed in an order different from the one given here.
The technical solution of the invention is described in detail below through specific embodiments. The security devices in the embodiments of the invention are, for example, firewalls, routers, switches, security gateways (Unified Threat Management, UTM) and the like that lie on the path of the service request between the source address and the destination address; the network diagnosis server is, for example, a server that performs network service diagnosis on the access path of the requested service. The specific embodiments provided by the invention may be combined with one another, and the same or similar concepts or processes may not be repeated in some embodiments.
Fig. 1 is a flow chart of a network service diagnostic method provided by an embodiment of the invention. The method provided by this embodiment is suitable for performing service diagnosis on the security devices along the access path of a service request. It may be executed by a network service diagnostic device, which is implemented as a combination of hardware and software and may be integrated into the processor of a network diagnosis server to be invoked by that processor. As shown in Fig. 1, the method provided by this embodiment may include the following steps:
S110: obtaining the configuration information of the security devices that a service request passes through, the configuration information including security policy rules.
The network service diagnostic method provided by the embodiments of the invention is a way of performing service diagnosis on the security devices along the access path of a service request. In embodiments of the invention, one must first determine the access path the service request takes and all the security devices along that path, in order to obtain the configuration information of each of those security devices, which usually includes security policy rules.
For example, Table 1 below shows the content of a service request in a network service diagnostic method provided by an embodiment of the invention.
Table 1
As shown in Table 1, a service request may include a source address, a destination address, a service, and so on, where:
the address types supported for the source address and the destination address include, but are not limited to, one or a combination of host addresses, subnet addresses and address ranges; the service types supported include, but are not limited to, one or a combination of Transmission Control Protocol (TCP) services, User Datagram Protocol (UDP) services and Internet Control Message Protocol (ICMP) services.
At present, in the management of a company's internal network, which security devices a service request from a specified source address to a destination address needs to pass through can be determined manually by a security administrator, or the access path of the service request can be generated automatically. For example, Fig. 2 is a schematic diagram of an access path in the network service diagnostic method provided in an embodiment of the present invention: an access path generation function uses the service request in Table 1 and the company's network topology to obtain the path of security devices that the service request in Fig. 2 needs to traverse. On the path from the source address to the destination address in Fig. 2, different security devices are traversed in turn; these security devices include, but are not limited to, firewalls, routers, switches, UTMs and the like.
As can be seen from Table 1 and Fig. 2, there may be several security devices on the access path of a service request, that is, the obtained configuration information is usually the configuration information corresponding to each security device. In addition, a security policy rule includes, for example, a source interface (zone), a source address and so on, and on an actually deployed security device it may be implemented as an access control list (ACL). In practical applications, the network service diagnostic device can connect to the security devices to be analysed in Fig. 2 by means such as Secure Shell (SSH) or the remote terminal protocol (Telnet) and obtain their configuration information; alternatively, the configuration information of the security devices can be imported into the network service diagnostic device. The obtained configuration information is then normalized, i.e. the configuration information of different types of security devices is converted into content of a unified format, to produce the configuration information used for preprocessing.
It should be noted that the content and format of the service request in the embodiment of the present invention are not limited to those shown in Table 1, and the form of the access path is not limited to that shown in Fig. 2; any service request whose content and format comply with the network standard, together with an access path that satisfies the service request, can be applied in the embodiment of the present invention.
S120: perform preprocessing according to the service request and the configuration information of the security devices; the preprocessing includes: selecting the corresponding security policy matching mode according to the type of each security device, and determining the incoming interface and outgoing interface of each security device through which the service request passes, to generate the service request to be analysed.
In the embodiment of the present invention, after the configuration information of the security devices is obtained, the service request shown in Table 1 can be preprocessed according to that configuration information. In the embodiment of the present invention the preprocessing may include two parts. First, according to the type of each security device, the security policy matching mode corresponding to that device is selected, for use in the subsequent security policy matching. Second, using the access path of the service request, the incoming interface and outgoing interface of each security device through which the service request passes on the access path are determined, and the service request to be analysed is generated. In practical applications, the incoming interface of the service request on a security device can first be determined from the access path in Fig. 2; the destination address of the service request is then compared with the routing and interface information on the security device to determine the outgoing interface of the service request on that device; and the source security zone and destination security zone can be determined from the incoming interface and outgoing interface of the service request. Through the above preprocessing, the service request can be converted into the format of Table 2 below, which shows the content of a service request to be analysed in the network service diagnostic method provided in an embodiment of the present invention.
Table 2
As shown in Table 2, the service request to be analysed that is generated after preprocessing may include an incoming interface (also called the source interface/zone), a source address, an outgoing interface (also called the destination interface/zone), a destination address, a service, and so on.
It should be noted that the embodiment of the present invention does not limit the order in which the two parts of the above preprocessing are executed; they may be executed sequentially or in parallel. In addition, the content and format of the service request to be analysed that is generated after preprocessing are not limited to those shown in Table 2; any service request to be analysed whose content and format comply with the network standard and are produced by the preprocessing can be applied in the embodiment of the present invention.
S130: according to the selected security policy matching mode and a preset matching algorithm, match the service request to be analysed against the security policy rules of the security devices, and generate the permission status of each security device for the service request.
In the embodiment of the present invention, the security policy matching mode corresponding to each security device has been selected in the above preprocessing, and the service request to be analysed has been generated. Then, according to the security policy matching mode for each security device and the preset matching algorithm, the service request to be analysed is matched against the security policy rules of the security device, i.e. the preset matching algorithm is substituted into the selected security policy matching mode to perform the matching, and the permission status of each security device for the service request is generated.
It should be noted that the preset matching algorithm may be preconfigured by the designer. The designed rule is, for example: judge whether the security policy rules of each security device and the service request have an overlapping part;
if it is judged that there is an overlapping part, add the overlapping part to the corresponding list according to the rule and delete the overlapping part from the service request, until there are no security policy rules left on the security device, the service request is fully matched, or the security policy rules and the service request no longer have an overlapping part, at which point the matching is complete. Then, the permission status of each security device for the service request is generated from the matching result, which yields the matching result of the network service.
In the prior art, when a network service diagnostic tool is used for service diagnosis, service diagnosis can only be performed on the security devices of a single vendor and type, and security devices of different vendors and types cannot be supported. This requires that, when deploying the security devices of a company's internal network, devices of the same vendor or of a uniform type be used; if security devices need to be added or old ones replaced, it is difficult to guarantee that all security devices are of the same type or from the same vendor. In contrast, in the network service diagnostic method provided by the above embodiment of the present invention, different security policy matching modes can be selected for different types of security devices when performing network service diagnosis, i.e. when security policy matching is performed for a given type of security device, it can be performed in the selected mode adapted to that type. Therefore, when network service diagnosis is performed, security devices of different types and vendors are supported, which improves the practicality of the network service diagnostic method.
In the network service diagnostic method provided by the embodiment of the present invention, the configuration information of the security devices through which the service request passes is obtained, and preprocessing is performed according to the configuration information and the service request, the preprocessing including: selecting the corresponding security policy matching mode according to the type of each security device, and determining the incoming interface and outgoing interface of the security devices through which the service request passes, to generate the service request to be analysed. Then, according to the selected security policy matching mode and the preset matching algorithm, the service request to be analysed is matched against the security policy rules in the configuration information, and the permission status of each security device for the service request is generated. The method provided in the embodiment of the present invention can select different security policy matching modes for different types of security devices, i.e. when security policy matching is performed for a given type of security device, it can be performed in the selected mode adapted to that type. Therefore, when network service diagnosis is performed, security devices of different types and vendors are supported, which improves the practicality of the network service diagnostic method.
Fig. 3 is a flowchart of the preprocessing in the network service diagnostic method provided in an embodiment of the present invention. The implementation of the preprocessing described in the above embodiment, as shown in Fig. 3, may include the following steps:
S121: select the security policy matching mode corresponding to each security device according to the type of the security device;
S122: determine the incoming interface and outgoing interface of each security device through which the service request passes, and generate the service request to be analysed.
Optionally, in the embodiment of the present invention, some security devices on the access path may have special behaviours, including but not limited to layer-2/layer-3 blocking policies and DNAT address translation. That is, the configuration information obtained in S110 may include not only the security policy rules of the security devices but also one or both of the blocking information and the destination network address translation (Destination Network Address Translation, DNAT) information of each security device. Therefore, the preprocessing in the embodiment of the present invention may further include one or more of the following:
S123: compare the service request with the blocking policy of each security device, and filter out a service request that is blocked by the blocking policy of a security device.
In the embodiment of the present invention, the user can configure a layer-2/layer-3 blocking policy on a security device. During preprocessing, the service request can be compared with the blocking policy of that security device, and a service request that is blocked by the blocking policy of the security device is filtered out.
S124: according to whether the security policy rules of each security device use the address before or after DNAT translation, determine whether DNAT translation needs to be applied to the service request on the security device; when the security policy rules of a security device use the address after DNAT translation, DNAT translation is applied to the service request on that security device.
For example, if the security policy rules of a security device use the address before DNAT translation, the service request does not need DNAT translation and security policy matching can be performed directly (executing S130); if the security policy rules of a security device use the address after DNAT translation, DNAT translation must first be applied to the service request before security policy matching is performed (executing S130).
It should be noted that, in the preprocessing shown in Fig. 3 of the embodiment of the present invention, the order of execution of S121 to S124 is not limited; they may be executed sequentially or in parallel, and when executed sequentially the order of the individual steps is likewise not limited. The flowchart in Fig. 3 takes the order S121 to S124 as an example.
Further, since the types of security devices produced by different device manufacturers are usually different, when executing S121 the corresponding security policy matching mode needs to be selected according to the type of security device. For example, the types of security device may include a first type, a second type and a third type, where the security policy rules of a first-type security device form a priority list according to their configuration order; the security policy rules of a second-type security device include inter-zone security policy rules and global security policy rules; and the security policy rules of a third-type security device include the security policy rules on the incoming interface and on the outgoing interface. In practical scenarios, on the devices of some vendors the security policy rules configured by the user form a priority list according to the order in which the policies were configured and any manual adjustment; after the security device receives a service request, the request is matched against the priority list from top to bottom. Such devices are called first-type security devices. On the devices of some vendors, the security policy rules are divided, according to the security zones of the device, into inter-zone security policy rules and global security policy rules; such devices are called second-type security devices. Some vendors configure an ACL on each interface of the security device, each ACL consisting of several security policy rules; when a service request passes through the security device it is matched against the security policy rules on both the incoming interface and the outgoing interface of the device. Such devices are called third-type security devices.
Optionally, Fig. 4 is a flowchart of selecting a security policy matching mode in the network service diagnostic method provided in an embodiment of the present invention. In the embodiment of the present invention, the implementation of S121 may include:
S1211: when the device type is the first type, select the security policy matching mode in which the service request is matched against the security policy rules in the order of the priority list; when this security policy matching mode is selected, the service request can be matched against the security policy rules from top to bottom in the order of the priority list.
S1212: when the device type is the second type, select the security policy matching mode in which the service request is first matched against the inter-zone security policy rules and then against the global security policy rules.
S1213: when the device type is the third type, select the security policy matching mode in which the service request is matched separately against the security policy rules on the incoming interface and on the outgoing interface of the security device; when this security policy matching mode is selected, the intersection of the two matching results can be taken as the matching result.
It should be noted that the embodiment of the present invention does not limit the types of security device to the three types described above, nor the selected security policy matching modes to the above three modes; any type of security device that can be used in a company's internal network, together with the security policy matching mode adapted to that type, can be applied in the embodiment of the present invention.
Optionally, Fig. 5 is a flowchart of another network service diagnostic method provided in an embodiment of the present invention. On the basis of the embodiment shown in Fig. 1, S130 in the embodiment of the present invention may include:
S131: according to the selected security policy matching mode and the preset matching algorithm, match the service request to be analysed against the security policy rules of the security device, and obtain an allow-request list, a deny-request list and the match state of the service request;
S132: generate the permission status of each security device for the service request according to the allow-request list, the deny-request list and the match state of the service request.
In the embodiment of the present invention, different preset matching algorithms lead to different implementations of matching the service request to be analysed against the security policy rules of the security device. The implementation of S131 in the embodiment of the present invention is illustrated below using two matching algorithms as examples.
In one implementation of the embodiment of the present invention, the implementation of S131 may include:
S11: when there are still unmatched security policy rules on the security device and the service request is not fully matched, judge whether the service request and the security policy rule have an overlapping part;
S12: when it is judged that there is an overlapping part, add the security policy rule to the allow-request list or the deny-request list according to the action of that security policy rule;
S13: delete the overlapping part from the service request to form a new service request.
For example, Fig. 6 is a flowchart of performing security policy matching in the network service diagnostic method provided in an embodiment of the present invention. The way security policy matching is performed in this embodiment may include:
S201: judge whether there are still unmatched ACL rules on the security device; if not, the matching flow ends; if so, execute S202;
S202: judge whether the service request is fully matched; if so, the matching flow ends; if not, execute S203;
S203: judge whether the service request and the ACL rule have an overlapping part; if not, repeat S201; if so, execute S204;
S204: judge whether the action of the ACL rule is "accept" (permit) or "deny" (refuse); if the action is accept, execute S205; if the action is deny, execute S206;
S205: add the ACL rule to the allow-request list; then execute S207;
S206: add the ACL rule to the deny-request list; then execute S207;
S207: delete the overlapping part from the service request to form a new service request; then repeat S201.
In another implementation of the embodiment of the present invention, the implementation of S131 may include:
S21: when there are still unmatched security policy rules on the security device and the service request and the security policy rule have an overlapping part, form a new security policy from the overlapping part and the security policy rule and add it to an overlapping-part list;
S22: when there are elements in the overlapping-part list, judge whether the service request is fully matched;
S23: when it is judged that the service request is not fully matched, judge whether the service request and the security policy rule currently taken from the overlapping-part list have an overlapping part;
S24: when it is judged that there is an overlapping part, add the security policy rule to the allow-request list or the deny-request list according to the action of that security policy rule in the current overlapping-part list;
S25: delete the overlapping part from the service request to form a new service request.
For example, Fig. 7 is a flowchart of another way of performing security policy matching in the network service diagnostic method provided in an embodiment of the present invention. The way security policy matching is performed in this embodiment may include:
S301: judge whether there are still unmatched ACL rules on the security device; if not, execute S304; if so, execute S302;
S302: judge whether the service request and the ACL rule have an overlapping part; if not, repeat S301; if so, execute S303;
S303: form a new security policy from the overlapping part and the ACL rule and add it to the overlapping-part list; then repeat S301;
S304: judge whether there are elements in the overlapping-part list; if not, the matching flow ends; if so, execute S305;
S305: judge whether the service request is fully matched; if so, the matching flow ends; if not, execute S306;
S306: judge whether the service request and the ACL rule have an overlapping part; if not, repeat S304; if so, execute S307;
S307: judge whether the action of the ACL rule is "accept" (permit) or "deny" (refuse); if the action is accept, execute S308; if the action is deny, execute S309;
S308: add the ACL rule to the allow-request list; then execute S310;
S309: add the ACL rule to the deny-request list; then execute S310;
S310: delete the overlapping part from the service request to form a new service request; then repeat S304.
It should be noted that the embodiment of the present invention does not limit security policy matching to the ways shown in Fig. 6 and Fig. 7 above; security policy matching can also be performed by other matching algorithms.
Further, the flow shown in Fig. 8 is used during matching to match the service request against a single security policy rule and obtain the overlapping part of the service request and the security policy rule. Fig. 8 is a flowchart of analysing the overlapping part of a service request and a security policy rule in the network service diagnostic method provided in an embodiment of the present invention; that is, the implementation of judging whether the service request and the security policy rule have an overlapping part, namely S203 in the flow of Fig. 6 and S302 and S306 in the flow of Fig. 7, is as shown in Fig. 8 and may include the following steps:
S401: judge whether the source zone of the security policy rule contains the incoming interface of the service request; if not, execute S407 and return an empty matching result; if so, execute S402;
S402: judge whether the destination zone of the security policy rule contains the outgoing interface of the service request; if not, execute S407 and return an empty matching result; if so, execute S403;
S403: judge whether the source address of the security policy rule and the source address of the service request have an overlapping part; if not, execute S407 and return an empty matching result; if so, execute S404;
S404: judge whether the destination address of the security policy rule and the destination address of the service request have an overlapping part; if not, execute S407 and return an empty matching result; if so, execute S405;
S405: judge whether the service of the security policy rule and the service of the service request have an overlapping part; if not, execute S407 and return an empty matching result; if so, execute S406;
S406: calculate the overlapping part of the security policy rule and the service request.
S407: return the matching result.
It should be noted that the embodiment of the present invention does not limit the order of execution of S401 to S405 in the flow shown in Fig. 8; they may be executed sequentially or in parallel. S406 is executed when the judgement of every step in S401 to S405 is "yes", and an empty matching result is returned as soon as any one of them is judged "no".
Optionally, Fig. 9 is a flowchart of generating the permission status for a service request in the network service diagnostic method provided in an embodiment of the present invention. In the embodiment of the present invention, the allow-request list, the deny-request list and the match state of the service request are obtained in the manner of the embodiments of Fig. 6 to Fig. 8 above; the permission status of each security device for the service request can then be generated from the content obtained in S131. In this embodiment the implementation of S132 may include:
S1321: when the allow-request list is empty, the deny-request list is empty and the service request is fully matched, the permission status is allow;
S1322: when the allow-request list is not empty and the service request is not fully matched, the permission status is partially allow;
S1323: when the allow-request list is empty, the deny-request list is not empty and the service request is fully matched, the permission status is deny.
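As an added example (not code from the patent), the S130 matching for a first-type, priority-list device as I read Fig. 8 (overlap test on zones, addresses and services), Fig. 6 (record each overlapping rule in the allow-request or deny-request list, then delete the overlap from the request) and Fig. 9 (permission status). Rule names, interfaces, zones, addresses and ports are constructed; "fully matched" is taken to mean the request has been entirely consumed, and a request that overlaps no rule is treated as denied, both of which are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

# One "part" of a service request, or a rule's match set: one source network, one
# destination network, one protocol and one inclusive destination-port range.
@dataclass(frozen=True)
class Part:
    src: IPv4Network
    dst: IPv4Network
    proto: str
    ports: tuple         # (low, high) inclusive; (0, 0) stands in for ICMP

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: frozenset  # interfaces that belong to the rule's source zone
    dst_zone: frozenset  # interfaces that belong to the rule's destination zone
    part: Part
    action: str          # "accept" or "deny"

def net_overlap(a, b):
    """CIDR blocks overlap only when one contains the other."""
    return a if a.subnet_of(b) else b if b.subnet_of(a) else None

def net_minus(a, b):
    """Blocks of a not covered by b, where b is a itself or a subnet of a."""
    return [] if a == b else list(a.address_exclude(b))

def port_overlap(a, b):
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def port_minus(a, b):
    """Ranges of a outside b, where b lies inside a."""
    return [r for r in ((a[0], b[0] - 1), (b[1] + 1, a[1])) if r[0] <= r[1]]

def overlap(rule, in_iface, out_iface, part):
    """Fig. 8: zone checks (S401, S402), then source, destination and service
    overlap (S403-S405); S406 builds the overlapping part, S407 returns it."""
    if in_iface not in rule.src_zone or out_iface not in rule.dst_zone:
        return None
    s = net_overlap(part.src, rule.part.src)
    d = net_overlap(part.dst, rule.part.dst)
    if s is None or d is None or part.proto != rule.part.proto:
        return None
    p = port_overlap(part.ports, rule.part.ports)
    return Part(s, d, part.proto, p) if p else None

def subtract(part, ovl):
    """S207: what remains of part once ovl (a sub-box of part) is deleted,
    as disjoint parts: split on source, then destination, then ports."""
    rest = [Part(s, part.dst, part.proto, part.ports) for s in net_minus(part.src, ovl.src)]
    rest += [Part(ovl.src, d, part.proto, part.ports) for d in net_minus(part.dst, ovl.dst)]
    rest += [Part(ovl.src, ovl.dst, part.proto, p) for p in port_minus(part.ports, ovl.ports)]
    return rest

def match(rules, in_iface, out_iface, parts):
    """Fig. 6 on a first-type device: walk the priority list top to bottom."""
    allow, deny = [], []
    remaining = list(parts)
    for rule in rules:                  # S201: an unmatched rule remains
        if not remaining:               # S202: request already fully matched
            break
        kept, hit = [], False
        for part in remaining:          # S203: overlapping part with this rule?
            ovl = overlap(rule, in_iface, out_iface, part)
            if ovl is None:
                kept.append(part)
            else:
                hit = True
                kept.extend(subtract(part, ovl))
        if hit:                         # S204-S206: record the rule by its action
            (allow if rule.action == "accept" else deny).append(rule.name)
        remaining = kept
    return allow, deny, not remaining   # fully matched iff nothing is left

def verdict(allow, deny, fully_matched):
    """Fig. 9 permission status, reading "fully matched" as "request consumed"."""
    if fully_matched and not deny:
        return "allow"          # S1321
    if fully_matched and not allow:
        return "deny"           # S1323
    if allow:
        return "partial"        # S1322; also used when both lists are non-empty
    return "deny"               # nothing overlapped at all: implicit deny (assumption)

# Constructed sample priority list and zones; not taken from the patent.
ETH0, ETH1 = frozenset({"eth0"}), frozenset({"eth1"})
PRIORITY_LIST = [
    Rule("R1", ETH0, ETH1, Part(ip_network("10.0.0.0/24"), ip_network("192.168.1.10/32"), "tcp", (80, 80)), "deny"),
    Rule("R2", ETH0, ETH1, Part(ip_network("10.0.0.0/24"), ip_network("192.168.1.0/24"), "tcp", (1, 65535)), "accept"),
]

def diagnose(in_iface, out_iface, src, dst, proto, ports):
    """Permission status of the sample device for one single-part request."""
    part = Part(ip_network(src), ip_network(dst), proto, ports)
    allow, deny, full = match(PRIORITY_LIST, in_iface, out_iface, [part])
    return verdict(allow, deny, full), allow, deny
```

For the request 10.0.0.0/24 to 192.168.1.10/32, tcp ports 80 to 443, entering on eth0 and leaving on eth1, `diagnose` returns `("partial", ["R2"], ["R1"])`: port 80 falls into the deny rule R1 and ports 81 to 443 into the accept rule R2.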
According to the matching modes provided by the embodiments of Fig. 5 to Fig. 9 above, the analysis results of all security devices on the access path of the service request can be generated; Table 3 shows the content of a security policy matching result in the network service diagnostic method provided in an embodiment of the present invention.
Table 3
As shown in Table 3, the security policy matching result may include: the name of the security device, the policy of the security device that takes effect, the permission status, and the permitted (denied) content of the service request (including source address, destination address, protocol and destination port).
Optionally, in the embodiment of the present invention, after the permission status of each security device for the service request is generated, further analysis may be performed. Fig. 10 is a flowchart of another network service diagnostic method provided in an embodiment of the present invention; on the basis of the above embodiments, the method provided in the embodiment of the present invention may further include:
S140: generate a security policy change suggestion for a security device according to the permission status of each security device for the service request.
In practical applications, the implementation of generating security policy change suggestions for security devices in the embodiment of the present invention may include: when the permission status is allow, no security policy change suggestion is generated for the corresponding security device; when the permission status is partially allow or deny, a security policy change suggestion is generated for the corresponding security device, where the security policy change suggestion includes, but is not limited to, a suggestion to add and/or modify a security policy. In the embodiment of the present invention, when the permission status is partially allow or deny, a reasonable policy change suggestion can be provided for the security device so that its security policy rules meet the user's service needs. For example, the specific security policy rules and contents of the change suggestion may be:
(1) When the source address, destination address and service of a security policy rule on the security device cover the source address, destination address and service of the service request, and the action of the security policy rule is deny, the security policy change suggestion may be to add to this security policy rule an ACL rule that allows the service request to pass.
(2) When the source address, destination address and service of a security policy rule on the security device are identical to the source address, destination address and service of the service request, and the action of the security policy rule is deny, a suggestion to modify the security policy rule can be given, for example changing the action of the security policy rule from deny to accept.
(3) When the source address, destination address and service of the service request cover the source address, destination address and service of a security policy rule on the security device, and the action of the security policy rule is deny, a suggestion to modify the security policy rule can be given, for example changing the action of the security policy rule from deny to accept, together with a suggestion to add to this security policy rule a security policy rule that allows the remaining part of the service request to pass.
Optionally, in embodiments of the present invention, after S130 or S140, can also include:
S150, by one or more being shown by UI in following generation result:Each safety equipment asks business The allowance situation asked changes the security strategy of each safety equipment and suggests.
In embodiments of the present invention, after S130 or S140, user circle of network service diagnostic device can be passed through Face (User Interface, referred to as:UI) result generated in S130 and/or S140 is shown.Exhibition method includes But it is not limited to such as under type:
The matching result of the safety equipment to be analyzed in access path is intuitively presented in UI, and (i.e. each safety equipment asks business The allowance situation asked), such as allowance situation of the safety equipment to service request is indicated by not isolabeling.As shown in figure 11, it is A kind of schematic diagram of displaying matching result, passes through " black in Figure 11 in network service diagnostic method provided in an embodiment of the present invention Heavy line " marks, and indicates that safety equipment allows service request to pass through in access path.
Table 4 shows the displayed content for the allowance outcome of each security device on the access path and for the security policy change suggestions in the network service diagnostic method provided by an embodiment of the present invention.
Table 4
The network service diagnostic method provided by embodiments of the present invention can automatically analyse, along the access path of a service request, how the security policy rules of every security device treat that request. In practice, a security policy matching mode is selected according to the type of each security device, so that security devices of different vendors and types can be analysed and supported, enabling an enterprise to diagnose service requests across the many security devices of a large and complex internal network. The method also accounts for the effect that particular behaviours of certain security devices have on the service request, improving the accuracy of the diagnosis. Further, where a security device does not allow the service request through, security policy change suggestions are provided so that the service request can traverse the enterprise network as intended; this reduces the specialist knowledge of security devices that security management requires, lowers the security maintenance cost of the enterprise network, and improves its security and stability.
Figure 12 is a schematic structural diagram of a network service diagnostic device provided by an embodiment of the present invention. The device provided by this embodiment is suited to performing service diagnosis of the security devices on the access path of a service request; it may be implemented as a combination of hardware and software and may be integrated in the processor of a network diagnosis server, to be called and used by that processor. As shown in Figure 12, the network service diagnostic device 10 provided by this embodiment may include: a configuration acquisition module 11, a preprocessing module 12 and a security policy matching module 13.
The configuration acquisition module 11 is configured to obtain the configuration information of the security devices that the service request passes through; the configuration information includes security policy rules.
The network service diagnostic device 10 provided by an embodiment of the present invention performs the service diagnosis of the security devices on the access path of the service request. In an embodiment, the access path of the service request and all the security devices on that path are first determined, so that the configuration information of each of those devices can be obtained; this configuration information typically includes security policy rules. The service request in this embodiment is likewise the one shown in Table 1, and the access path determined from the content of Table 1 and the security devices on that path are likewise those shown in Figure 2, so they are not described again here.
As can be seen from Table 1 and Figure 2, the access path of a service request may pass through several security devices, so the configuration information obtained is usually the configuration information of each of those devices. A security policy rule includes, for example, a source zone and a source address, and on a deployed security device may be implemented as an ACL. In practice, the network service diagnostic device 10 can connect to the security devices to be analysed in Figure 2 via SSH, Telnet or similar and have the configuration acquisition module 11 retrieve their configuration information; alternatively, the configuration information of the security devices can be imported into the network service diagnostic device 10 and obtained from there by the configuration acquisition module 11. The obtained configuration information is then normalised, that is, the configuration information of different types of security device is converted into a unified format, producing the configuration information that the preprocessing module 12 uses for preprocessing.
It should be noted that the content and format of the service request in embodiments of the present invention are not limited to those shown in Table 1, and the form of the access path is not limited to that shown in Figure 2; any service request whose content and format conform to the network standard, together with the access path that matches it, can be used in embodiments of the present invention.
The preprocessing module 12 is configured to preprocess the service request and the configuration information of the security devices obtained by the configuration acquisition module 11. The preprocessing performed by the preprocessing module 12 includes: selecting a security policy matching mode according to the type of each security device, and determining the incoming interface and outgoing interface of each security device that the service request passes through, to generate the service request to be analysed.
In an embodiment, after the configuration acquisition module 11 has obtained the configuration information of the security devices, the preprocessing module 12 can preprocess according to that configuration information and the service request shown in Table 1. In embodiments of the present invention, preprocessing may include two parts: first, selecting, according to the type of each security device, the security policy matching mode for that device, to be used in the subsequent security policy matching; second, determining, from the access path of the service request, the incoming interface and outgoing interface of each security device on that path that the service request passes through, to generate the service request to be analysed. In practice, from the access path in Figure 2, the incoming interface through which the service request enters a security device is determined first; the destination address of the service request is then compared with the routing and interface information on the security device to determine the outgoing interface of the service request on that device; and the source zone and destination zone can be determined from the incoming and outgoing interfaces of the service request. Through this preprocessing, the service request can be converted into the format of Table 2 in the embodiment above, which is not described again here.
It should be noted that embodiments of the present invention do not limit the order in which the two parts of the preprocessing are performed: they may be performed sequentially or in parallel. In addition, the content and format of the service request to be analysed that preprocessing generates are not limited to those shown in Table 2; any service request to be analysed whose content and format conform to the network standard and to the preprocessing mode can be used in embodiments of the present invention.
The security policy matching module 13 is configured to match the service request to be analysed with the security policy rules of the security devices according to the security policy matching mode selected by the preprocessing module 12 and a preset matching algorithm, generating the allowance outcome of each security device for the service request.
In an embodiment, the preprocessing module 12 has, during preprocessing, selected the security policy matching mode for each security device and generated the service request to be analysed. The service request to be analysed is then matched with the security policy rules of each security device according to that device's security policy matching mode and the preset matching algorithm, that is, the preset matching algorithm is applied within the selected matching mode, and the allowance outcome of each security device for the service request is generated.
It should be noted that the preset matching algorithm can be configured in advance by the designer. One design is, for example: determine whether the security policy rules of each security device and the service request have an overlapping part; if they do, add the overlapping part to the corresponding list according to the rule and delete the overlapping part from the service request; repeat until the security device has no more security policy rules, the service request is fully matched, or the security policy rules have no overlapping part with the service request, at which point matching is complete. The allowance outcome of each security device for the service request is then generated from the matching result, giving the matching result for the network service.
In the prior art, a network service diagnostic tool can only perform service diagnosis on security devices of a single vendor and type and cannot support security devices of different vendors and types. This requires that security devices of the same vendor or of a uniform type be used when deploying an enterprise internal network, and when security devices need to be added or old ones replaced it is difficult to ensure that all security devices have the same type or vendor. In contrast, as can be seen from the processing performed by the network service diagnostic device 10 provided by the embodiment above, different security policy matching modes can be selected for different types of security device when performing network service diagnosis, that is, security policy matching on a given type of security device is carried out in the mode suited to that type. Security devices of different types and vendors can therefore be supported when performing network service diagnosis, improving the practicality of the network service diagnostic device.
The network service diagnostic device 10 provided by an embodiment of the present invention is configured to perform the network service diagnostic method provided by the embodiment shown in Figure 1; it has the corresponding functional modules, and its implementation principle and technical effect are similar, so they are not described again here.
The two parts of the preprocessing performed by the preprocessing module 12 have been described in the embodiment above. Optionally, in an embodiment of the present invention, some security devices on the access path may exhibit special behaviour, including but not limited to Layer 2/Layer 3 blocking policies and DNAT address translation. That is, the configuration information obtained by the configuration acquisition module 11 may include not only the security policy rules of the security devices but also one or more of the blocking information and the DNAT information of each security device. Accordingly, in an embodiment of the present invention, the preprocessing performed by the preprocessing module 12 may further include one or more of the following:
On the one hand, comparing the service request with the blocking policy of each security device and filtering out a service request that the blocking policy of a security device blocks.
On the other hand, determining, according to whether the security policy rules of each security device use pre-DNAT or post-DNAT addresses, whether to apply DNAT to the service request on that security device; when the security policy rules of a security device use post-DNAT addresses, DNAT is applied to the service request on that device.
It should be noted that the order of the individual preprocessing operations performed by the preprocessing module 12 of an embodiment of the present invention is not limited: they may be performed sequentially or in parallel, and when performed sequentially the order of the individual operations is likewise not limited.
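The preprocessing described above for one security device, as an added example that is not the patent's own code: the outgoing interface is found by comparing the destination with the routing table (longest matching prefix), the source and destination zones follow from the incoming and outgoing interfaces, a blocking entry filters the request out before any policy rule is consulted, and DNAT is applied to the request when the device's rules are written against translated addresses. The table layouts, field names, the (source prefix, destination prefix) form of the blocking entries, the `rules_use_post_dnat` flag and the sample device are all assumptions made for the example.

```python
# Added example, not the patent's own code: preprocessing of one service request on one
# security device. Table layouts, field names, the blocking-entry form and the default
# behaviours marked below are assumptions.
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Request:
    src: str
    dst: str
    dport: int
    in_iface: str = ""
    out_iface: str = ""
    src_zone: str = ""
    dst_zone: str = ""

@dataclass(frozen=True)
class Device:
    routes: tuple              # (prefix, interface) entries; the longest matching prefix wins
    zones: dict                # interface -> security zone
    blocks: tuple              # L2/L3 blocking entries as (src prefix, dst prefix) pairs (assumed form)
    dnat: dict                 # (public dst, public port) -> (internal dst, internal port)
    rules_use_post_dnat: bool  # True when the rule set is written against translated addresses

def egress_interface(device, dst):
    """Compare the destination with the routing table; the most specific route decides."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, iface in device.routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def is_blocked(device, req):
    """A blocking entry drops the request before any policy rule is consulted."""
    s, d = ipaddress.ip_address(req.src), ipaddress.ip_address(req.dst)
    return any(s in ipaddress.ip_network(bs) and d in ipaddress.ip_network(bd)
               for bs, bd in device.blocks)

def preprocess(device, req, in_iface):
    """Return the request to analyse on this device, or None when it is filtered out."""
    if is_blocked(device, req):
        return None
    # DNAT happens before forwarding, so the route lookup uses the translated destination;
    # which address the policy rules are matched against depends on the device type.
    fwd_dst, fwd_port = device.dnat.get((req.dst, req.dport), (req.dst, req.dport))
    out_iface = egress_interface(device, fwd_dst)
    if out_iface is None:
        return None  # assumption: with no route the request cannot traverse this device
    if device.rules_use_post_dnat:
        req = replace(req, dst=fwd_dst, dport=fwd_port)
    return replace(req, in_iface=in_iface, out_iface=out_iface,
                   src_zone=device.zones[in_iface], dst_zone=device.zones[out_iface])

# Constructed sample device (not taken from the patent's figures or tables).
FW1 = Device(
    routes=(("0.0.0.0/0", "ge0/0"), ("192.168.0.0/16", "ge0/1"), ("192.168.10.0/24", "ge0/2")),
    zones={"ge0/0": "untrust", "ge0/1": "trust", "ge0/2": "dmz"},
    blocks=(("10.9.0.0/16", "0.0.0.0/0"),),
    dnat={("203.0.113.10", 443): ("192.168.10.5", 8443)},
    rules_use_post_dnat=True,
)

if __name__ == "__main__":
    for req in (Request("10.1.0.7", "203.0.113.10", 443), Request("10.9.1.1", "192.168.10.5", 80)):
        print(req.src, "->", req.dst, ":", preprocess(FW1, req, "ge0/1"))
```

With `rules_use_post_dnat=True` the first request is analysed against `192.168.10.5:8443` on the `dmz` side; with the flag cleared the same request keeps its public destination for matching but still leaves through `ge0/2`, because forwarding always happens on the translated address. The second request never reaches the policy rules because the blocking entry drops it.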
The network service diagnostic device 10 provided by an embodiment of the present invention is configured to perform the network service diagnostic method provided by the embodiment shown in Figure 3; it has the corresponding functional modules, and its implementation principle and technical effect are similar, so they are not described again here.
Further, because the types of security device produced by different device vendors usually differ, the preprocessing module 12 needs, when preprocessing, to select the security policy matching mode according to the type of each security device. For example, security device types may include a first type, a second type and a third type: the security policy rules of a first-type security device form a priority list in configuration order; the security policy rules of a second-type security device include inter-zone security policy rules and global security policy rules; and the security policy rules of a third-type security device include the security policy rules on the incoming interface and on the outgoing interface. In practice, for some device vendors the user-configured security policy rules form a priority list in the order of configuration and manual adjustment, and after a security device receives a service request it matches the request against that list from top to bottom; such devices are called first-type security devices. Some device vendors divide the security policy rules according to the security zones of the device into inter-zone security policy rules and global security policy rules; such devices are called second-type security devices. Other device vendors configure an ACL on each interface of the security device, each ACL consisting of several security policy rules; when a service request passes through the device it is matched against the security policy rules on the incoming interface and on the outgoing interface; such devices are called third-type security devices.
Optionally, in an embodiment of the present invention, the preprocessing module 12 may select the security policy matching mode according to the type of each security device as follows:
When the device type is the first type, the selected security policy matching mode matches the service request with the security policy rules in the order of the priority list; in this mode, the service request is matched with the security policy rules from top to bottom of the priority list.
When the device type is the second type, the selected security policy matching mode matches the service request first with the inter-zone security policy rules and then with the global security policy rules.
When the device type is the third type, the selected security policy matching mode matches the service request separately with the security policy rules on the incoming interface and on the outgoing interface of the security device; in this mode, the intersection of the two matching results can be taken as the matching result.
It should be noted that embodiments of the present invention do not limit security device types to the three described above, nor the selected security policy matching modes to the three above; any type of security device that can be deployed in an enterprise internal network, together with a security policy matching mode suited to that type, can be used in embodiments of the present invention.
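The three matching modes above, evaluated for a single flow, as an added example that is not the patent's own code. It shows the property each mode has that the text relies on: on a first-type device the rule order decides (reversing the constructed list flips the verdict), on a second-type device the inter-zone list for the flow's zone pair is consulted before the global list, and on a third-type device the flow passes only when the incoming-interface ACL and the outgoing-interface ACL both permit it. The rule layout, the zone names, the sample policies and the implicit default deny applied when no rule hits are assumptions.

```python
# Added example, not the patent's own code: one matching mode per security device type,
# for a single flow. Rule layout, zone names, sample policies and the default deny are assumptions.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    src_zone: str = ""
    dst_zone: str = ""

@dataclass(frozen=True)
class Rule:
    src: str       # source prefix
    dst: str       # destination prefix
    ports: tuple   # (lo, hi) destination port range
    action: str    # "permit" or "deny"

def hits(rule, flow):
    lo, hi = rule.ports
    return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst)
            and lo <= flow.dport <= hi)

def first_match(rules, flow):
    """Type 1: the rules form a priority list; the first hit from the top decides."""
    for rule in rules:
        if hits(rule, flow):
            return rule.action
    return None  # nothing hit

def zone_then_global(interzone, global_rules, flow):
    """Type 2: the inter-zone list for (src_zone, dst_zone) first, then the global list."""
    action = first_match(interzone.get((flow.src_zone, flow.dst_zone), ()), flow)
    if action is None:
        action = first_match(global_rules, flow)
    return action or "deny"  # assumption: implicit default deny

def interface_acls(in_acl, out_acl, flow):
    """Type 3: ACLs on the incoming and outgoing interface; the intersection of both results decides."""
    in_action = first_match(in_acl, flow) or "deny"
    out_action = first_match(out_acl, flow) or "deny"
    return "permit" if in_action == out_action == "permit" else "deny"

# Constructed sample policies (not taken from the patent's figures or tables).
ANY = "0.0.0.0/0"
PRIORITY_LIST = (
    Rule("10.1.0.0/24", "192.168.10.0/24", (80, 80), "deny"),
    Rule("10.1.0.0/16", "192.168.0.0/16", (1, 65535), "permit"),
)
INTERZONE = {("trust", "dmz"): (Rule("10.1.0.0/16", "192.168.10.0/24", (443, 443), "permit"),)}
GLOBAL = (Rule(ANY, ANY, (1, 65535), "deny"),)
IN_ACL = (Rule("10.1.0.0/16", ANY, (1, 65535), "permit"),)
OUT_ACL = (Rule(ANY, "192.168.10.0/24", (80, 80), "permit"),)

def type1(flow, rules=PRIORITY_LIST):
    return first_match(rules, flow) or "deny"  # assumption: implicit default deny

def type2(flow):
    return zone_then_global(INTERZONE, GLOBAL, flow)

def type3(flow):
    return interface_acls(IN_ACL, OUT_ACL, flow)

if __name__ == "__main__":
    web = Flow("10.1.0.5", "192.168.10.7", 80, "trust", "dmz")
    print(type1(web), type1(web, PRIORITY_LIST[::-1]), type2(web), type3(web))
```

The reversed priority list is the classic shadowing problem: the broad permit placed above the narrow deny makes the deny unreachable, which is exactly why the first-type matching mode must walk the list in its configured order rather than treat it as a set.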
The network service diagnostic device 10 provided by an embodiment of the present invention is configured to perform the network service diagnostic method provided by the embodiment shown in Figure 4; it has the corresponding functional modules, and its implementation principle and technical effect are similar, so they are not described again here.
Optionally, Figure 13 is a schematic structural diagram of another network service diagnostic device provided by an embodiment of the present invention. On the basis of the structure shown in Figure 12, the security policy matching module 13 of the device provided by this embodiment may include:
a security policy matching unit 131, configured to match the service request to be analysed with the security policy rules of the security devices according to the selected security policy matching mode and the preset matching algorithm, obtaining an allowed-request list, a denied-request list and the match status of the service request;
a generation unit 132, configured to generate the allowance outcome of each security device for the service request according to the allowed-request list, the denied-request list and the match status of the service request obtained by the security policy matching unit 131.
In embodiments of the present invention, different preset matching algorithms lead to different implementations of matching the service request to be analysed with the security policy rules of the security devices; two matching algorithms are taken as examples below to illustrate how the security policy matching unit 131 performs the matching.
The network service diagnostic device 10 provided by an embodiment of the present invention is configured to perform the network service diagnostic method provided by the embodiment shown in Figure 5; it has the corresponding functional modules, and its implementation principle and technical effect are similar, so they are not described again here.
In one implementation of an embodiment of the present invention, the security policy matching unit 131 matches the service request to be analysed with the security policy rules of a security device, according to the selected security policy matching mode and the preset matching algorithm, as follows:
S11: when the security device still has unmatched security policy rules and the service request is not fully matched, determine whether the service request and the security policy rule have an overlapping part;
S12: when there is an overlapping part, add the security policy rule to the allowed-request list or the denied-request list according to the action of that rule;
S13: delete the overlapping part from the service request to form a new service request.
In this implementation, the security policy matching flow can refer to the flowchart shown in Figure 6 and is not repeated here.
In another implementation of an embodiment of the present invention, the security policy matching unit 131 matches the service request to be analysed with the security policy rules of a security device, according to the selected security policy matching mode and the preset matching algorithm, as follows:
S21: when the security device still has unmatched security policy rules and the service request and a security policy rule have an overlapping part, form a new security policy from the overlapping part and the security policy rule and add it to an overlap list;
S22: when the overlap list has elements, determine whether the service request is fully matched;
S23: when the service request is not fully matched, determine whether the service request and the security policy rules currently in the overlap list have an overlapping part;
S24: when there is an overlapping part, add the security policy rule to the allowed-request list or the denied-request list according to the action of each security policy rule currently in the overlap list;
S25: delete the overlapping part from the service request to form a new service request.
In this implementation, the security policy matching flow can refer to the flowchart shown in Figure 7 and is not repeated here.
Further, in an embodiment of the present invention, the security policy matching unit 131 can determine whether the service request and a security policy rule have an overlapping part by evaluating the following items in turn and returning the corresponding result:
S31: determine whether the source zone of the security policy rule includes the incoming interface of the service request; if not, return an empty matching result; if so, evaluate the next item;
S32: determine whether the destination zone of the security policy rule includes the outgoing interface of the service request; if not, return an empty matching result; if so, evaluate the next item;
S33: determine whether the source address of the security policy rule and the source address of the service request overlap; if not, return an empty matching result; if so, evaluate the next item;
S34: determine whether the destination address of the security policy rule and the destination address of the service request overlap; if not, return an empty matching result; if so, evaluate the next item;
S35: determine whether the service of the security policy rule and the service of the service request overlap; if not, return an empty matching result; if so, evaluate the next item;
S36: when the result of every item is "yes", compute the overlapping part of the security policy rule and the service request and return it as the matching result.
During matching, embodiments of the present invention may likewise use the flow shown in Figure 8: the service request is matched with an individual security policy rule to obtain the overlapping part of the two. That is, the way of determining whether the service request and a security policy rule have an overlapping part in the embodiment above is as shown in Figure 8; it has been described in the embodiment above and is not repeated here.
Optionally, in an embodiment of the present invention, since the security policy matching unit 131 has obtained the allowed-request list, the denied-request list and the match status of the service request, the generation unit 132 of this embodiment can generate the allowance outcome of each security device for the service request from them as follows:
when the allowed-request list is not empty, the denied-request list is empty and the service request is fully matched, the allowance outcome is allow;
when the allowed-request list is not empty and the service request is not fully matched, the allowance outcome is partially allow;
when the allowed-request list is empty, the denied-request list is not empty and the service request is fully matched, the allowance outcome is deny.
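The overlap test of S31-S36, the overlap-and-subtract loop of S11-S13 and the three outcome rules just stated, carried through for one device, as an added example that is not the patent's own code. A request is modelled as a set of source prefixes, destination prefixes and port ranges; the overlap with a rule is the field-wise intersection, and deleting it from the request leaves at most three smaller requests (the source part outside the rule, the destination part outside it, and the service part outside it), which are carried forward to the next rule. The rule and request layouts, the interface sets standing in for the rule's zones, the port-range form of the "service" field, the sample policy, and the outcomes chosen for the combinations the text does not list (mixed lists, or nothing matched at all) are assumptions.

```python
# Added example, not the patent's own code: S31-S36 overlap test, S11-S13 overlap-and-subtract
# loop and the allow / partially allow / deny outcome for one device. Layouts, the interface
# sets used as zones, the port-range "service" and the fallback outcomes are assumptions.
import ipaddress
from collections import namedtuple

N = ipaddress.ip_network
Rule = namedtuple("Rule", "name src_ifaces dst_ifaces src dst ports action")  # action: accept | deny
Request = namedtuple("Request", "in_iface out_iface src dst ports")  # src/dst: prefixes; ports: (lo, hi)

def nets_intersect(xs, ys):
    """Prefixes are either nested or disjoint, so the overlap of two is the smaller one."""
    found = [x if x.subnet_of(y) else y for x in xs for y in ys if x.subnet_of(y) or y.subnet_of(x)]
    return tuple(dict.fromkeys(found))

def nets_subtract(xs, ys):
    """Drop prefixes covered by ys; carve ys out of prefixes that strictly contain them."""
    for y in ys:
        xs = [n for x in xs if not x.subnet_of(y)
              for n in (x.address_exclude(y) if y.subnet_of(x) else (x,))]
    return tuple(xs)

def ports_intersect(xs, ys):
    return tuple((max(a, c), min(b, d)) for a, b in xs for c, d in ys if max(a, c) <= min(b, d))

def ports_subtract(xs, ys):
    for lo2, hi2 in ys:
        nxt = []
        for lo1, hi1 in xs:
            if hi1 < lo2 or hi2 < lo1:
                nxt.append((lo1, hi1))   # disjoint: keep whole
            else:
                nxt += [(lo1, lo2 - 1)] * (lo1 < lo2) + [(hi2 + 1, hi1)] * (hi2 < hi1)
        xs = nxt
    return tuple(xs)

def overlap(req, rule):
    """S31-S36: the part of the request the rule covers, or None as soon as one field is disjoint."""
    if req.in_iface not in rule.src_ifaces or req.out_iface not in rule.dst_ifaces:
        return None
    s = nets_intersect(req.src, rule.src)
    d = nets_intersect(req.dst, rule.dst)
    p = ports_intersect(req.ports, rule.ports)
    return (s, d, p) if s and d and p else None

def subtract(req, ov):
    """S13: delete the overlapping part; what remains is up to three smaller requests."""
    s, d, p = ov
    pieces = (req._replace(src=nets_subtract(req.src, s)),
              req._replace(src=s, dst=nets_subtract(req.dst, d)),
              req._replace(src=s, dst=d, ports=ports_subtract(req.ports, p)))
    return [r for r in pieces if r.src and r.dst and r.ports]

def match_device(req, rules):
    """S11-S13 over one device's rules in priority order -> (allowed list, denied list, fully matched)."""
    allow, deny, pending = [], [], [req]
    for rule in rules:
        if not pending:              # fully matched: nothing left to match
            break
        nxt = []
        for piece in pending:
            ov = overlap(piece, rule)
            if ov is None:
                nxt.append(piece)
                continue
            target = allow if rule.action == "accept" else deny
            if rule.name not in target:
                target.append(rule.name)
            nxt.extend(subtract(piece, ov))
        pending = nxt
    return allow, deny, not pending

def verdict(allow, deny, fully_matched):
    """The three outcomes stated in the text; the remaining combinations are an assumption."""
    if allow and not deny and fully_matched:
        return "allow"
    if allow and not fully_matched:
        return "partially allow"
    if not allow and deny and fully_matched:
        return "deny"
    return "partially allow" if allow else "deny"  # mixed lists, or nothing matched (default deny)

# Constructed sample policy, highest priority first (not taken from the patent's tables).
IN, OUT = frozenset({"ge0/1"}), frozenset({"ge0/2"})
RULES = (
    Rule("R1", IN, OUT, (N("10.1.0.0/24"),), (N("192.168.10.0/24"),), ((80, 80),), "accept"),
    Rule("R2", IN, OUT, (N("10.1.0.0/16"),), (N("192.168.10.0/24"),), ((443, 443),), "deny"),
    Rule("R3", IN, OUT, (N("10.0.0.0/8"),), (N("192.168.0.0/16"),), ((1, 65535),), "accept"),
)

def diagnose(req, rules=RULES):
    return verdict(*match_device(req, rules))
```

Running `diagnose` on `Request("ge0/1", "ge0/2", (N("10.1.0.0/24"),), (N("192.168.10.0/24"), N("172.16.5.0/24")), ((80, 80),))` gives "partially allow": R1 covers the 192.168.10.0/24 half, the 172.16.5.0/24 half is carried forward, and no later rule covers it, so the request ends up not fully matched with R1 alone in the allowed-request list. The prefix arithmetic works because CIDR prefixes are always nested or disjoint; address lists that are arbitrary ranges would need interval subtraction like the port case.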
The network service diagnostic device 10 provided by an embodiment of the present invention is configured to perform the network service diagnostic method provided by the embodiment shown in Figure 9; it has the corresponding functional modules, and its implementation principle and technical effect are similar, so they are not described again here.
Through the matching performed by the security policy matching unit 131 and the generation unit 132, the analysis result for all security devices on the access path of the service request can be generated; the analysis result is again as shown in Table 3 and is not repeated here.
Optionally, in an embodiment of the present invention, after the security policy matching module 13 has generated the allowance outcome of each security device for the service request, further analysis can be performed. Figure 14 is a schematic structural diagram of another network service diagnostic device provided by an embodiment of the present invention; on the basis of the embodiments above, the device provided by this embodiment may further include:
a security policy change module 14, configured to generate security policy change suggestions for the security devices according to the allowance outcome of each security device for the service request generated by the security policy matching module 13.
In practice, the security policy change module 14 of an embodiment of the present invention may generate the security policy change suggestions for a security device as follows: when the allowance outcome is allow, no security policy change suggestion is generated for that security device; when the allowance outcome is partially allow or deny, a security policy change suggestion is generated for that security device, the suggestion including but not limited to adding and/or modifying a security policy. In embodiments of the present invention, when the allowance outcome is partially allow or deny, a reasonable policy change suggestion can be given for the security device so that the security policy rules on it meet the user's service requirement. It should be noted that the rules and content of specific security policy change suggestions have been described in the embodiments above and are not repeated here.
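The suggestions generated by the security policy change module 14 for cases (2) and (3) described earlier (a deny rule with exactly the request's source, destination and service, and a deny rule that the request covers), as an added example that is not the patent's own code. For case (3) the remainder of the request outside the rule is computed field by field so that the added accept rules cover exactly what the flipped rule does not. Rules and requests carry a single source prefix, destination prefix and port range; that layout, the ("modify" / "add", rule) form of the suggestions and the generated rule names are assumptions made for the example.

```python
# Added example, not the patent's own code: security policy change suggestions for cases (2)
# and (3), for one deny rule on one device. Single-prefix, single-port-range rules, the
# suggestion format and the generated rule names are assumptions.
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    ports: tuple   # (lo, hi)
    action: str    # "accept" or "deny"

@dataclass(frozen=True)
class Request:
    src: str
    dst: str
    ports: tuple

def same_scope(req, rule):
    """Case (2): identical source address, destination address and service."""
    return (req.src, req.dst, req.ports) == (rule.src, rule.dst, rule.ports)

def covers(req, rule):
    """Case (3): the request covers the rule in every field."""
    return (ipaddress.ip_network(rule.src).subnet_of(ipaddress.ip_network(req.src))
            and ipaddress.ip_network(rule.dst).subnet_of(ipaddress.ip_network(req.dst))
            and req.ports[0] <= rule.ports[0] <= rule.ports[1] <= req.ports[1])

def remainder(req, rule):
    """The part of the request outside the rule, as accept rules: one piece per field that is wider."""
    rsrc, isrc = ipaddress.ip_network(req.src), ipaddress.ip_network(rule.src)
    rdst, idst = ipaddress.ip_network(req.dst), ipaddress.ip_network(rule.dst)
    (lo, hi), (ilo, ihi) = req.ports, rule.ports
    pieces = [Rule(f"{rule.name}-src-{n}", str(n), req.dst, req.ports, "accept")
              for n in (rsrc.address_exclude(isrc) if rsrc != isrc else ())]
    pieces += [Rule(f"{rule.name}-dst-{n}", rule.src, str(n), req.ports, "accept")
               for n in (rdst.address_exclude(idst) if rdst != idst else ())]
    if lo < ilo:
        pieces.append(Rule(f"{rule.name}-ports-low", rule.src, rule.dst, (lo, ilo - 1), "accept"))
    if ihi < hi:
        pieces.append(Rule(f"{rule.name}-ports-high", rule.src, rule.dst, (ihi + 1, hi), "accept"))
    return pieces

def suggest(req, rule, outcome):
    """Suggestions as (kind, rule) pairs; none when the device already allows the request."""
    if outcome == "allow" or rule.action != "deny":
        return []
    flipped = replace(rule, action="accept")
    if same_scope(req, rule):
        return [("modify", flipped)]
    if covers(req, rule):
        return [("modify", flipped)] + [("add", r) for r in remainder(req, rule)]
    return []  # other request/rule relationships are outside this example

if __name__ == "__main__":
    deny_tls = Rule("R2", "10.1.0.0/24", "192.168.10.0/24", (443, 443), "deny")
    for kind, r in suggest(Request("10.1.0.0/23", "192.168.10.0/24", (443, 444)), deny_tls, "deny"):
        print(kind, r)
```

For the request `10.1.0.0/23 -> 192.168.10.0/24, ports 443-444` against the deny rule `R2` the output is one "modify" (R2 flipped to accept) and two "add" entries: `10.1.1.0/24` to the same destination on 443-444, and `10.1.0.0/24` to the same destination on port 444. Note that flipping a deny rule to accept is the suggestion the text describes, but on a first-match device it also changes the verdict for every other request the rule previously covered, so a practitioner would review the rule's full scope before applying it.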
Optionally, in an embodiment of the present invention, the network service diagnostic device 10 may further include:
a result display module 15, configured to display, through a user interface UI, one or more of the following generated results: the allowance outcome of each security device for the service request generated by the security policy matching module 13, and the security policy change suggestions for each security device generated by the security policy change module 14.
In an embodiment of the present invention, after the security policy matching module 13 has generated the allowance outcome of each security device for the service request, or the security policy change module 14 has generated the security policy change suggestions for each security device, the generated results can be displayed through the result display module 15 of the network service diagnostic device 10. Display methods include, but are not limited to, those shown in Figure 11 and Table 4 in the embodiments above.
The network service diagnostic device 10 provided by an embodiment of the present invention is configured to perform the network service diagnostic method provided by the embodiment shown in Figure 10; it has the corresponding functional modules, and its implementation principle and technical effect are similar, so they are not described again here.
In practice, the configuration acquisition module 11, preprocessing module 12, security policy matching module 13, security policy change module 14 and result display module 15 in the embodiments shown in Figures 12 to 14 can be implemented by the processor of the network service diagnostic device 10; the processor may be, for example, a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention.
Figure 15 is a schematic structural diagram of a network diagnosis server provided by an embodiment of the present invention. The network service diagnosis server 20 provided by this embodiment may include a memory 21 and a processor 22.
The memory 21 is configured to store executable instructions.
The processor 22 is configured to execute the executable instructions stored in the memory 21 so as to perform the following operations:
obtaining the configuration information of the security devices that the service request passes through, the configuration information including security policy rules;
preprocessing according to the service request and the configuration information of the security devices, the preprocessing including: selecting a security policy matching mode according to the type of each security device, and determining the incoming interface and outgoing interface of each security device that the service request passes through, to generate the service request to be analysed;
matching the service request to be analysed with the security policy rules of the security devices according to the selected security policy matching mode and a preset matching algorithm, generating the allowance outcome of each security device for the service request.
Optionally, in an embodiment of the present invention, the configuration information further includes one or more of a blocking policy and destination address translation (DNAT) information, and when the processor 22 executes the executable instructions the preprocessing further includes one or more of the following:
comparing the service request with the blocking policy of each security device and filtering out a service request that the blocking policy of a security device blocks;
determining, according to whether the security policy rules of each security device use pre-DNAT or post-DNAT addresses, whether to apply DNAT to the service request on that security device; when the security policy rules of a security device use post-DNAT addresses, DNAT is applied to the service request on that device.
Optionally, in an embodiment of the present invention, when the processor 22 executes the executable instructions, the operation of "matching the service request to be analysed with the security policy rules of the security devices according to the selected security policy matching mode and the preset matching algorithm, generating the allowance outcome of each security device for the service request" may include:
matching the service request to be analysed with the security policy rules of the security devices according to the selected security policy matching mode and the preset matching algorithm, obtaining an allowed-request list, a denied-request list and the match status of the service request;
generating the allowance outcome of each security device for the service request according to the allowed-request list, the denied-request list and the match status of the service request.
Optionally, in an embodiment of the present invention, when processor 22 executes the executable instructions, the following is also performed:
generating security policy change suggestions for the security devices according to each security device's permission result for the service request;
where, when the permission result is "allowed", no security policy change suggestion is generated for the corresponding security device;
when the permission result is "partially allowed" or "denied", a security policy change suggestion is generated for the corresponding security device; the security policy change suggestion includes a suggestion to add and/or modify a security policy.
Optionally, in an embodiment of the present invention, when processor 22 executes the executable instructions, the following is also performed:
displaying, through a user interface (UI), one or more of the following generated results: each security device's permission result for the service request, and the security policy change suggestions for each security device.
The network service diagnosis server 20 provided by the embodiments of the present invention is used to execute the network service diagnostic method provided by any of the embodiments shown in Fig. 1 to Fig. 10 of the present invention; it has the corresponding physical apparatus, and its implementation principles and technical effects are similar, so they are not repeated here.
Those of ordinary skill in the art will understand that all or some of the steps of the above method may be completed by a program instructing the related hardware (such as a processor), and the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or some of the steps of the above embodiments may also be implemented using one or more integrated circuits. Correspondingly, each module/unit in the above embodiments may be implemented in the form of hardware, for example by an integrated circuit realizing its corresponding function, or in the form of a software function module, for example by a processor executing a program/instructions stored in a memory to realize its corresponding function. The embodiments of the present invention are not limited to any particular combination of hardware and software.
Although the embodiments disclosed herein are as described above, the content described is only an embodiment adopted to facilitate understanding of the present invention and is not intended to limit the present invention. Any person skilled in the art to which the present invention pertains may make modifications and variations in the form and details of implementation without departing from the spirit and scope disclosed by the present invention, but the scope of patent protection of the present invention shall still be subject to the scope defined by the appended claims.

Claims (10)

1. A network service diagnostic method, characterized in that it comprises:
obtaining configuration information of the security devices that a service request passes through, the configuration information including security policy rules;
preprocessing according to the service request and the configuration information of the security devices, the preprocessing including: selecting a corresponding security policy matching mode according to the type of each security device, determining the incoming interface and outgoing interface of each security device that the service request passes through, and generating a service request to be analyzed;
matching the service request to be analyzed against the security policy rules of the security devices according to the selected security policy matching mode and a preset matching algorithm, and generating each security device's permission result for the service request.
2. The network service diagnostic method according to claim 1, characterized in that the configuration information further includes one or more of a blocking policy and destination network address translation (DNAT), and the preprocessing further includes one or more of the following:
comparing the service request with the blocking policy of each security device, and filtering out service requests blocked by the blocking policy of a security device;
determining whether to apply DNAT to the service request on a security device, according to whether that device's security policy rules are written against pre-DNAT or post-DNAT addresses; where the security policy rules of a security device use post-DNAT addresses, DNAT is applied to the service request on that security device.
3. The network service diagnostic method according to claim 1, characterized in that the types of security device include a first type, a second type and a third type, wherein the security policy rules of a first-type security device form a priority list in configuration order, the security policy rules of a second-type security device include inter-zone security policy rules and global security policy rules, and the security policy rules of a third-type security device include security policy rules on the incoming interface and on the outgoing interface; and selecting a corresponding security policy matching mode according to the type of each security device includes:
when the device type is the first type, selecting the security policy matching mode in which the service request is matched against the security policy rules in the order of the priority list;
when the device type is the second type, selecting the security policy matching mode in which the service request is first matched against the inter-zone security policy rules and then against the global security policy rules;
when the device type is the third type, selecting the security policy matching mode in which the service request is matched separately against the security policy rules on the incoming interface and on the outgoing interface of the security device.
4. The network service diagnostic method according to claim 1, characterized in that matching the service request to be analyzed against the security policy rules of the security devices according to the selected security policy matching mode and preset matching algorithm, and generating each security device's permission result for the service request, includes:
matching the service request to be analyzed against the security policy rules of the security devices according to the selected security policy matching mode and preset matching algorithm, to obtain an allow-request list, a deny-request list and the match status of the service request;
generating each security device's permission result for the service request according to the allow-request list, the deny-request list and the match status of the service request.
5. The network service diagnostic method according to claim 4, characterized in that matching the service request to be analyzed against the security policy rules of the security devices according to the selected security policy matching mode and preset matching algorithm includes:
when the security device still has a security policy rule that has not been matched and the service request is not yet fully matched, judging whether the service request and that security policy rule have an overlapping part;
when it is judged that there is an overlapping part, adding the security policy rule to the allow-request list or the deny-request list according to the action of that security policy rule;
deleting the overlapping part from the service request to form a new service request.
6. The network service diagnostic method according to claim 4, characterized in that matching the service request to be analyzed against the security policy rules of the security devices according to the selected security policy matching mode and preset matching algorithm includes:
when the security device still has a security policy rule that has not been matched and the service request and that security policy rule have an overlapping part, forming a new security policy from the overlapping part and the security policy rule and adding it to an overlap list;
when the overlap list contains overlapping elements, judging whether the service request is fully matched;
when it is judged that the service request is not fully matched, judging whether the service request and the security policy rules in the current overlap list have an overlapping part;
when it is judged that there is an overlapping part, adding the security policy rule to the allow-request list or the deny-request list according to the action of each security policy rule in the current overlap list;
deleting the overlapping part from the service request to form a new service request.
7. The network service diagnostic method according to claim 5 or 6, characterized in that judging whether the service request and the security policy rule have an overlapping part includes:
performing the following judgement items in turn and returning the corresponding result:
judging whether the source zone of the security policy rule contains the incoming interface of the service request; when it does not, the returned match result is empty; when it does, the next judgement item is performed;
judging whether the destination zone of the security policy rule contains the outgoing interface of the service request; when it does not, the returned match result is empty; when it does, the next judgement item is performed;
judging whether the source address of the security policy rule and the source address of the service request have an overlapping part; when there is no overlapping part, the returned match result is empty; when there is, the next judgement item is performed;
judging whether the destination address of the security policy rule and the destination address of the service request have an overlapping part; when there is no overlapping part, the returned match result is empty; when there is, the next judgement item is performed;
judging whether the service of the security policy rule and the service of the service request have an overlapping part; when there is no overlapping part, the returned match result is empty; when there is, the next judgement item is performed;
when the result of every judgement item is "yes", calculating the overlapping part of the security policy rule and the service request, and returning that overlapping part as the match result.
8. The network service diagnostic method according to claim 4, characterized in that generating each security device's permission result for the service request according to the allow-request list, the deny-request list and the match status of the service request includes:
when the allow-request list is not empty, the deny-request list is empty and the service request is fully matched, the permission result is "allowed";
when the allow-request list is not empty and the service request is not fully matched, the permission result is "partially allowed";
when the allow-request list is empty, the deny-request list is not empty and the service request is fully matched, the permission result is "denied".
9. The network service diagnostic method according to claim 1, characterized in that the method further includes:
generating security policy change suggestions for the security devices according to each security device's permission result for the service request;
where, when the permission result is "allowed", no security policy change suggestion is generated for the corresponding security device;
when the permission result is "partially allowed" or "denied", a security policy change suggestion is generated for the corresponding security device; the security policy change suggestion includes a suggestion to add and/or modify a security policy.
10. The network service diagnostic method according to any one of claims 1 to 6 and 8 to 9, characterized in that the method further includes:
displaying, through a user interface (UI), one or more of the following generated results: each security device's permission result for the service request, and the security policy change suggestions for each security device.
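To make the matching procedure of claims 5, 7 and 8 concrete, the following is an added Python example written for this page; it is not code from the patent or from ZTE. It models a first-type device (claim 3) whose rules form a priority list, represents addresses and ports as inclusive integer intervals, peels each overlapping part off the request as claim 5 describes, and classifies the remainder as claim 8 does. Rule names, interface names, address blocks and ports are constructed sample values; the "undetermined" outcome for combinations that claim 8 does not define (for example an allow and a deny rule each covering part of a fully matched request) is my assumption, not something the claims state.

```python
"""Added example: match one service request against a priority-ordered rule
list and classify the outcome (allowed / partially allowed / denied).
All rule names, interfaces, addresses and ports are constructed samples."""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import FrozenSet, List, Optional, Tuple

Interval = Tuple[int, int]  # inclusive [lo, hi] range of addresses or ports


def net_interval(cidr: str) -> Interval:
    """Turn a CIDR block into an inclusive integer address range."""
    net = IPv4Network(cidr)
    return int(net.network_address), int(net.broadcast_address)


@dataclass(frozen=True)
class Box:
    """One fragment of a service request: src range x dst range x port range."""
    src: Interval
    dst: Interval
    svc: Interval


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: FrozenSet[str]  # interfaces in the rule's source zone
    dst_zone: FrozenSet[str]  # interfaces in the rule's destination zone
    src: Interval
    dst: Interval
    svc: Interval
    action: str               # "allow" or "deny"


def _isect(a: Interval, b: Interval) -> Optional[Interval]:
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def overlap(rule: Rule, box: Box, in_if: str, out_if: str) -> Optional[Box]:
    """Claim 7: zone checks first, then per-dimension overlap; None = empty."""
    if in_if not in rule.src_zone or out_if not in rule.dst_zone:
        return None
    s, d, p = _isect(rule.src, box.src), _isect(rule.dst, box.dst), _isect(rule.svc, box.svc)
    if s is None or d is None or p is None:
        return None
    return Box(s, d, p)


def subtract(box: Box, part: Box) -> List[Box]:
    """Delete `part` (a sub-box of `box`) and return the disjoint remainder.
    Source ends are sliced off first, then destination ends, then port ends;
    each later slice is restricted to the ranges already fixed by `part`."""
    rest: List[Box] = []
    if box.src[0] < part.src[0]:
        rest.append(Box((box.src[0], part.src[0] - 1), box.dst, box.svc))
    if part.src[1] < box.src[1]:
        rest.append(Box((part.src[1] + 1, box.src[1]), box.dst, box.svc))
    if box.dst[0] < part.dst[0]:
        rest.append(Box(part.src, (box.dst[0], part.dst[0] - 1), box.svc))
    if part.dst[1] < box.dst[1]:
        rest.append(Box(part.src, (part.dst[1] + 1, box.dst[1]), box.svc))
    if box.svc[0] < part.svc[0]:
        rest.append(Box(part.src, part.dst, (box.svc[0], part.svc[0] - 1)))
    if part.svc[1] < box.svc[1]:
        rest.append(Box(part.src, part.dst, (part.svc[1] + 1, box.svc[1])))
    return rest


def diagnose(request: Box, rules: List[Rule], in_if: str, out_if: str):
    """Claims 5 and 8 on a first-type device: walk the priority list, peel
    every overlapping part off the request, then classify what is left."""
    pending = [request]
    allow_list: List[str] = []
    deny_list: List[str] = []
    for rule in rules:  # priority list = configuration order
        if not pending:
            break
        remaining: List[Box] = []
        for box in pending:
            part = overlap(rule, box, in_if, out_if)
            if part is None:
                remaining.append(box)
                continue
            target = allow_list if rule.action == "allow" else deny_list
            if rule.name not in target:
                target.append(rule.name)
            remaining.extend(subtract(box, part))
        pending = remaining
    fully_matched = not pending
    if allow_list and not deny_list and fully_matched:
        verdict = "allowed"
    elif allow_list and not fully_matched:
        verdict = "partially allowed"
    elif not allow_list and deny_list and fully_matched:
        verdict = "denied"
    else:
        verdict = "undetermined"  # assumption: claim 8 defines no other case
    return verdict, allow_list, deny_list, pending


# Constructed sample policy for a hypothetical first-type device.
RULES = [
    Rule("R1", frozenset({"eth0"}), frozenset({"eth1"}),
         net_interval("10.0.0.0/24"), net_interval("192.168.1.10/32"),
         (443, 443), "allow"),
    Rule("R2", frozenset({"eth0"}), frozenset({"eth1"}),
         net_interval("10.0.0.0/8"), net_interval("192.168.1.0/24"),
         (0, 65535), "deny"),
]
```

Running `diagnose(Box(net_interval("10.0.0.0/24"), net_interval("192.168.1.10/32"), (80, 443)), RULES[:1], "eth0", "eth1")` returns "partially allowed" with ports 80 to 442 left unmatched, which is exactly the input a claim 9 change suggestion would be built from; the same request against both rules is fully matched by one allow and one deny rule, which claim 8 leaves unclassified and the example reports as "undetermined".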

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710208010.8A CN108667776B (en) 2017-03-31 2017-03-31 Network service diagnosis method

Publications (2)

Publication Number Publication Date
CN108667776A true CN108667776A (en) 2018-10-16
CN108667776B CN108667776B (en) 2022-02-22

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030061506A1 (en) * 2001-04-05 2003-03-27 Geoffrey Cooper System and method for security policy
US20050010765A1 (en) * 2003-06-06 2005-01-13 Microsoft Corporation Method and framework for integrating a plurality of network policies
CN101252487A (en) * 2008-04-11 2008-08-27 杭州华三通信技术有限公司 Method for processing safety warning and safety policy equipment
CN101267437A (en) * 2008-04-28 2008-09-17 杭州华三通信技术有限公司 Packet access control method and system for network devices
CN101938474A (en) * 2010-08-27 2011-01-05 清华大学 Network intrusion detection and protection method and device
CN103825876A (en) * 2013-11-07 2014-05-28 北京安码科技有限公司 Firewall policy auditing system in complex network environment
CN103873441A (en) * 2012-12-12 2014-06-18 中国电信股份有限公司 Firewall safety rule optimization method and device thereof
CN104243487A (en) * 2014-09-28 2014-12-24 网神信息技术(北京)股份有限公司 Rule matching method and rule matching device of security gateway
CN105871930A (en) * 2016-06-21 2016-08-17 上海携程商务有限公司 Self-adaptive firewall security policy configuration method and system based on applications
CN106161399A (en) * 2015-04-21 2016-11-23 杭州华三通信技术有限公司 A kind of security service delivery method and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
PEDRO ADÃO: "Localizing Firewall Security Policies", 2016 IEEE 29th Computer Security Foundations Symposium (CSF) *
胡斌彦 (Hu Binyan): "一体化网关式防火墙策略设置分析" (Analysis of policy configuration for integrated gateway firewalls), 《中国教育技术装备》 (China Educational Technology & Equipment) *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109600368A (en) * 2018-12-07 2019-04-09 中盈优创资讯科技有限公司 A kind of method and device of determining firewall policy
CN109600368B (en) * 2018-12-07 2021-04-13 中盈优创资讯科技有限公司 Method and device for determining firewall policy
CN112910666A (en) * 2019-11-19 2021-06-04 苏州至赛信息科技有限公司 Simulation method and device for processing data packet by equipment and computer equipment
CN112910824A (en) * 2019-11-19 2021-06-04 苏州至赛信息科技有限公司 Network security policy configuration method and device, computer equipment and storage medium
CN111147519A (en) * 2019-12-31 2020-05-12 奇安信科技集团股份有限公司 Data detection method, device, electronic equipment and medium
CN112738114A (en) * 2020-12-31 2021-04-30 四川新网银行股份有限公司 Configuration method of network security policy

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant