CN109413110A - Method and system for managing host policies based on firewall policy linkage - Google Patents
- Publication number: CN109413110A (application CN201811555668.7A)
- Authority: CN (China)
- Prior art keywords: server, managed, policy, firewall, target
- Legal status: Pending (the legal status shown is an assumption by Google, not a legal conclusion; Google has performed no legal analysis and makes no representation as to its accuracy)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The embodiments of this application describe a method and system for managing host policies based on firewall policy linkage. The method comprises: analysing the firewall security policy; determining the target managed server, which is the managed server associated with that firewall security policy; and sending the firewall security policy to the target managed server. In this technical solution the host policy management capability is integrated in the firewall module, so there is no need to separately purchase and deploy a host policy management centre software, which reduces financial expenditure and the corresponding maintenance work. At the same time, the access control policy of the managed server is derived from the firewall security policy, so the administrator no longer needs to configure an access control policy for each managed server individually; this reduces configuration and maintenance workload and also ensures policy consistency between the network side and the managed servers.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a method and system for managing host policies based on firewall policy linkage.
Background technique
Servers, and the data stored on them, are critical assets of an enterprise; ensuring that servers are not subject to unauthorised access and malicious attack is an important task facing enterprise network administrators. To prevent such access and attacks, enterprise users usually purchase a firewall to protect the data on intranet servers.
A firewall is an infrastructure device of network security used to ensure the security of network information: according to the policies defined on it, it decides whether the data passing through it is allowed or restricted. Because some traffic may reach a server without passing through the firewall, so that the server can still be accessed and attacked without authorisation, the network administrator also configures a corresponding access control policy on the managed server side, to ensure that the server is protected from unauthorised access and malicious attack in every case.
Current host policy management schemes mostly use a client/server (C/S) model: a host policy management centre software is deployed in the network, and matching client software is installed on each managed host. All policy configuration and adjustment is performed on the policy management centre, which pushes the policy to the client on each host; the client then performs the final policy configuration on that host. The prior-art topology is shown in Figure 1.
Host policies and firewall policies both serve to protect the server host from unauthorised access, but with the existing host policy management scheme the network administrator has to configure two copies of the access control policy, one on the firewall and one on the corresponding managed server. When a policy is changed, inconsistencies between the policy on the firewall side and the policy on the managed server inevitably arise.
Summary of the invention
The object of the invention is to provide a method and system for managing host policies based on firewall policy linkage, to address the shortcomings of the host policy management scheme of the prior art.
In a first aspect, the embodiments of this application provide a method for managing host policies based on firewall policy linkage, the method comprising:
analysing the firewall security policy;
determining the target managed server, the target managed server being the managed server associated with the firewall security policy;
sending the firewall security policy to the target managed server.
Optionally, the method further comprises:
accessing the control policy of the managed server;
judging whether the control policy is consistent with the firewall security policy;
if it is inconsistent, issuing an alarm or re-synchronising the policy.
Optionally, the step of sending the firewall security policy to the target managed server comprises:
converting the firewall security policy into a control policy that the target managed server can recognise;
sending the control policy to the target managed server.
Optionally, the step of determining the target managed server comprises:
parsing the preset association rule of the firewall security policy;
traversing the array of managed servers and determining the managed servers that satisfy the preset association rule as target managed servers;
establishing the association with the target managed server.
Optionally, the preset association rule is set on the basis of source address, source port, destination address and destination port.
In a second aspect, the embodiments of this application provide a system for managing host policies based on firewall policy linkage, the system comprising: a host policy linkage control device integrated on the firewall, and managed servers connected to the firewall network;
the managed server is configured to receive the control policy;
the host policy linkage control device comprises:
an association module, for analysing the association between the firewall security policy and the target managed server;
a policy conversion module, for converting the firewall security policy associated with the target managed server into a control policy that the target managed server can recognise;
a policy distribution module, for issuing the corresponding control policy to the target managed server.
Optionally, the host policy linkage control device further comprises:
a policy status monitoring module, for periodically checking the control policy on the managed server and, if it is found to be inconsistent with the firewall security policy, issuing an alarm or re-synchronising the policy.
Optionally, the host policy linkage control device further comprises:
a policy conversion module, for converting the firewall security policy into an access control policy that the managed server can recognise.
Optionally, the host policy linkage control device further comprises:
a policy analysis module, for analysing the content of the preset association rule of the security policy and parsing out the source, destination and access port involved in the preset association rule.
It can be seen from the above technical scheme that the embodiments of this application provide a method and system for managing host policies based on firewall policy linkage. The method comprises: analysing the firewall security policy; determining the target managed server, which is the managed server associated with the firewall security policy; and sending the firewall security policy to the target managed server. In this technical solution the host policy management capability is integrated in the firewall module, so there is no need to separately purchase and deploy a host policy management centre software, which reduces financial expenditure and the corresponding maintenance work. At the same time, the access control policy of the managed server is derived from the firewall security policy, so the administrator no longer needs to configure an access control policy for each managed server individually; this reduces configuration and maintenance workload and also ensures policy consistency between the network side and the managed servers.
Detailed description of the invention
In order to explain the embodiments of the invention, or the technical solutions of the prior art, more clearly, the drawings needed in the embodiments are briefly described below. Obviously the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a topology diagram of a firewall security policy in the prior art;
Fig. 2 is a flowchart of a method for managing host policies based on firewall policy linkage according to a preferred embodiment;
Fig. 3 is a detailed flowchart of step S103 according to a preferred embodiment;
Fig. 4 is a detailed flowchart of step S102 according to a preferred embodiment;
Fig. 5 is a structural block diagram of a host policy linkage control device according to a preferred embodiment.
Specific embodiment
The technical solutions in the embodiments of the invention are described below clearly and completely with reference to the drawings. Obviously the described embodiments are only a part of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments, without creative effort, fall within the scope of protection of the invention.
For ease of description, some of the nouns and terms appearing in the embodiments are explained below.
Firewall: a device that helps ensure information security by allowing or restricting the transmitted data according to specific rules. A firewall may be a dedicated hardware appliance or a set of software installed on general-purpose hardware. The firewall is the checkpoint of a security policy: all information entering or leaving must pass through it, so it acts as a checkpoint for security problems and rejects suspicious access at the door. The most basic function of a firewall is to control the data flow transmitted between regions of different trust levels in a computer network; for example the Internet is an untrusted region and the internal network is a highly trusted region. Like the firewall in a building, it blocks some of the communication that the security policy forbids. Its basic task is to control information between regions of different trust; typical trust regions are the Internet (an untrusted region) and an internal network (a highly trusted region). The ultimate goal is to provide controlled connectivity between regions of different trust levels, according to the security policy and the principle of least privilege.
Port: the outlet through which a computer communicates with the outside world.
Note that, in the technical solution of the embodiments of this application, "client" refers to the managed server side. "Host policy linkage control device" and "server" are in fact sometimes used interchangeably; the device is also sometimes called the "server host policy linkage control device".
Embodiment 1:
Addressing the host policy management scheme of the prior art, the first aspect of the embodiments of this application provides a method for managing host policies based on firewall policy linkage. Specifically, referring to Fig. 2, the method comprises:
S101: analysing the firewall security policy;
The security policy in the embodiments of this application includes an inter-domain security policy and/or an intra-domain security policy, used to control inter-domain and/or intra-domain traffic. Here the security policy has the traditional packet-filtering function and additionally applies further application-layer inspection to the traffic, such as IPS, AV, web filtering and application control.
An inter-domain and/or intra-domain security policy is a single policy that implements several security checks at once, such as packet filtering and UTM application-layer inspection.
Filtering rules applied on an interface control the traffic of that interface, directly allowing or denying packets on the basis of layer-2 and layer-3 packet attributes such as IP and MAC address.
An inter-domain security policy needs the forwarding direction, inbound or outbound, to be set. Forwarding policy: controls the traffic forwarded by the device, including traditional packet filtering and UTM inspection of the application layer. Local policy: controls traffic exchanged between the outside and the device itself, matched on the five-tuple only. Intra-domain security policy: the basic policy is the same as above; the only difference is that the forwarding inbound and outbound interfaces need not be set, and local traffic within the domain cannot be controlled. UTM policy (application-layer inspection): matched by setting the policy's matching conditions (UTM policies such as IPS and AV take the action {permit | deny}; the default action is permit).
While the firewall security policy is being established, the preset association rule is generated accordingly; the preset association rule records the correspondence between the filtering rule and the managed servers.
S102: determining the target managed server, the target managed server being the managed server associated with the firewall security policy;
Specifically, the association can be established according to the local area network in which the managed server is located.
The host configures several firewall security policies; while a firewall security policy is being generated, the managed server associated with it is already determined.
A firewall security policy can be associated with a group of managed servers, and the administrator can send the firewall security policy to that group, which facilitates unified management of the group; a firewall security policy can also be associated with an individual managed server, with the corresponding firewall security policy sent to each target managed server separately, which improves the flexibility of firewall security policy management.
If the administrator of the master firewall sends several firewall security policies to one managed server, the order between them must be noted, because several firewall security policies are matched in the order specified by the administrator.
Where a firewall security policy is associated with a group of managed servers, the association between the firewall security policy and the managed servers is as follows:
(1) The firewall security policy may be a security policy configured on the basis of the identity information of each client.
For example, the identity information of the managed server (such as the client name or IP address) can be used as the basis of the association. Suppose the filtering rule corresponding to the firewall security policy is: only allow receiving traffic, refuse sending traffic outward; and suppose the filtering rule applies to the managed servers of the company's finance department. The identity information of the finance department (client name, IP address, etc.) can then be associated with that security policy, and all managed servers of the finance department are the target managed servers of that security policy.
In practice, a certain security policy can also be associated with a certain region of IP addresses.
While the firewall security policy is being generated, the host can obtain the identity information of the client, that is the name or IP address of the managed server, when authenticating the managed server. To make it easy to find the target managed server, the security policy based on the identity information of each client can be configured on the host.
After the firewall security policy has been built as above, when a client service comes online the host authenticates the managed server and judges whether the identity information of that managed server matches the firewall security policy, that is, whether it is a managed server of the finance department. If it matches, the firewall security policy is sent to the target managed server; if not, sending the firewall security policy to that managed server is refused.
(2) The firewall security policy may be a security policy configured on the basis of each data source. Firewall security policies are grouped policies: the target managed servers of a certain firewall security policy are set as a group on the basis of the data source.
For example: the data source is the external devices of 192.168.10.0/24, which are allowed to transmit traffic to the servers of the business department. Then, while the firewall security policy is being built, the identity information of the business department's servers (client name, IP address, etc.) is associated with that security policy (this is the preset association rule).
When the host receives the above firewall security policy, it determines according to the preset association rule that all managed servers of the business department are the target managed servers of that security policy.
S103: sending the firewall security policy to the target managed server.
In the technical solution of the embodiments of this application the host policy management capability is integrated in the firewall, so there is no need to separately purchase and deploy a host policy management centre software, which reduces financial expenditure. At the same time, the access control policy of the managed server is obtained by the host sending the corresponding firewall security policy, so the administrator no longer needs to configure an access control policy for each managed server individually, which reduces maintenance workload and also ensures policy consistency between the management server and the managed server.
Note that in the embodiments of this application "control policy" means the security policy on the controlled end (the managed server).
Embodiment 2:
In practical applications, firewall security policy updates, or modifications of the control policy, frequently occur and cause the firewall protection to fail, bringing a series of losses to the enterprise. To solve this problem, the technical solution of the embodiments of this application provides a firewall monitoring scheme; please continue to refer to Fig. 2.
The technical solution of Embodiment 2 has the same steps as that of Embodiment 1; the only difference is that the method of Embodiment 1 further comprises:
S104: accessing the control policy of the managed server;
S105: judging whether the control policy is consistent with the firewall security policy;
In the technical solution of the embodiments of this application, whether the control policy is consistent with the firewall security policy is judged mainly by whether the effect achieved by the control policy is the same as the effect achieved by the security policy.
For example, suppose the first security policy originally allows the first client to receive traffic from source 192.168.10.0/24 and refuses traffic from source 192.168.10.0/22. If, while accessing the first client, it is found that the first client has received traffic from source 192.168.10.0/22, then clearly the effect of the first managed server's control policy differs from that of the host's security policy, and it is concluded that the control policy is inconsistent with the firewall security policy.
As another example, suppose the second security policy originally allows the client to access network resources from 9:00 to 11:00, and the control policy received by the second managed server likewise allows the client to access network resources from 9:00 to 11:00. With a system update, and because of internal company requirements, the host updates the security policy so that the client may access network resources only from 9:00 to 10:00. If, while accessing the control policy of the managed server, it is found that the client still accesses network resources after 10:00, it is concluded that the effect of the client server's control policy differs from that of the host's security policy, and therefore that the control policy is inconsistent with the firewall security policy.
S106: if inconsistent, issuing an alarm or re-synchronising the policy.
During policy synchronisation it is determined whether the control policy of the managed server was modified, or whether the management-end server was updated, upgraded or changed.
If the control policy of the managed server was modified, for example: the first security policy originally allows the first client to receive traffic from source 192.168.10.0/24 and refuses traffic from source 192.168.10.0/22; while accessing the first managed server it is found that the first client's control policy has been modified to allow receiving traffic from 192.168.10.0/22. It is then determined that the control policy of the first client was modified, and the host re-sends the first security policy to the first managed server only, rather than to the whole group of target managed servers corresponding to the first security policy.
As another example: the second security policy originally allows the client to access network resources from 9:00 to 11:00, and the control policy received by the second managed server allows access from 9:00 to 11:00; if it is the second security policy itself that has been updated, the updated second security policy is sent to all target managed servers corresponding to the second security policy.
S107: if consistent, no action is taken.
It can be seen that the technical solution of the embodiments of this application can periodically check the access control policy on the managed server and, if it is found to be inconsistent with the security policy on the firewall, issue an alarm or re-synchronise the policy according to the settings, so that the two policies are always consistent.
Embodiment 3:
In practical applications, the firewall security policy of the host and the control policy of the managed server are frequently expressed in different languages, so a firewall security policy sent directly to the managed server obviously cannot be recognised by it. To solve this problem, the embodiments of this application provide a method of converting between the security policy and the control policy; please refer to Fig. 3:
The technical solution of Embodiment 3 has the same steps as that of Embodiment 1; the only difference is that in Embodiment 1 the step of sending the firewall security policy to the target managed server comprises the following steps:
S1031: converting the firewall security policy into a control policy that the target managed server can recognise;
The technical solution of the embodiments of this application concerns the conversion between the way a firewall security policy is expressed and the way the access control policy on the managed server side is expressed.
The specific conversion process:
For example, the security policy configured on the firewall allows the source network segment 192.168.10.0/24 to access the service at destination IP 192.168.0.250, destination port 445. Its configuration rule on the firewall is:
policy any any source 192.168.10.0/24 destination 192.168.0.250 tcp dst-port 445 action permit
If the destination 192.168.0.250 is a CentOS server, the same rule is configured on that server host with the statement:
iptables -I INPUT -s 192.168.10.0/24 -p tcp --dport 445 -j ACCEPT
The essence of the conversion is to extract the elements relevant to the access control rule from the firewall security policy and then fill them into the syntax of the server host, producing an access control rule that the server can recognise and apply.
S1032: sending the control policy to the target managed server.
It can be seen that the technical solution of the embodiments of this application converts the firewall security policy into a control policy that the target managed server can recognise, ensuring that the firewall security policy sent by the host is successfully recognised by the managed server and improving the applicability of the technical solution. The access control policy of the managed server is derived from the firewall security policy, so the administrator no longer needs to configure an access control policy for each managed server individually, which reduces maintenance workload and ensures policy consistency between the host and the managed server.
Embodiment 4:
The technical solution of Embodiment 4 has the same steps as that of Embodiment 1; the only difference is that in Embodiment 1 the step of determining the target managed server specifically comprises the following steps; please refer to Fig. 4:
S1021: parsing the preset association rule of the firewall security policy;
The preset association rule is set on the basis of source address, source port, destination address and destination port.
The preset association rule records the association between the firewall security policy and the managed servers; specifically, it records that association by means of the source address, source port, destination address and destination port.
The preset association rule is generated while the firewall security policy is generated, and records source address, source port, destination address and destination port.
The network administrator configures the corresponding secure access policy on the firewall according to the business situation. For example, the network of the marketing department is 192.168.10.0/24 and the file-sharing server of the marketing department is 192.168.250.3. The default policy action is set to deny, and then an allow policy is added: source 192.168.10.0/24, destination 192.168.250.3, destination port 445, action allow.
The preset association rule then records: source address 192.168.10.0/24, destination address 192.168.250.3, destination port 445 (the source port is not restricted).
S1022: traversing the array of managed servers and determining the managed servers that satisfy the preset association rule as target managed servers;
The array of managed servers is traversed; the server with IP address 192.168.250.3 is the target managed server.
S1023: establishing the association with the target managed server.
The concrete implementation process is as follows:
Step S100: the network administrator configures the corresponding secure access policy on the firewall according to the business situation. For example, the network of the marketing department is 192.168.10.0/24 and the file-sharing server of the marketing department is 192.168.250.3. The default policy action is set to deny, and then an allow policy is added: source 192.168.10.0/24, destination 192.168.250.3, destination port 445, action allow.
Step S200: the server with IP address 192.168.250.3 is added as a managed server, and a user name and password are provided so that it can subsequently be logged into over SSH.
Step S300: the policy analysis module starts to analyse the secure access policies on the firewall, finds the policies relevant to 192.168.250.3, and calls the policy association module to associate these policies with 192.168.250.3.
Step S400: the policy conversion module converts the firewall security policies associated with 192.168.250.3 into access control policies that can be recognised on 192.168.250.3 and passes them to the policy distribution module.
Step S500: the policy distribution module uses the information provided by the host management module to log into 192.168.250.3 over SSH and configures the associated access control policies on 192.168.250.3.
Step S600: the policy status monitoring module periodically checks the access control policy on 192.168.250.3 and, if it is found to be inconsistent with the security policy on the firewall, re-issues the associated access control policy to 192.168.250.3.
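As an added example (not code from the patent or from any product it describes), the following Python script walks the steps of Embodiments 2, 3 and 4 for one managed server: it parses firewall policies written in the grammar of the page's own example line (that grammar, the iptables output format matched, and all addresses and rules below are assumed or constructed), associates them with a managed server by destination address (the preset association rule of S1021-S1023), renders the associated policies as iptables INPUT rules (S1031), reads back the host's current INPUT chain as printed by iptables -S, and reports drift together with the commands that would be pushed to re-synchronise (S104-S106).

```python
# Added example, not the patent's code. Walks the steps the text describes for one host:
#   S1021-S1023  associate firewall policies with a managed server by destination address
#   S1031        convert each associated policy into an iptables INPUT rule
#   S104-S106    compare the rules loaded on the host with the expected ones and
#                return the commands needed to re-synchronise
# The firewall CLI grammar is assumed from the page's one example line; all data is constructed.
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src: str     # source address/network or "any"
    dst: str     # destination address/network or "any"
    proto: str   # "tcp", "udp" or "any"
    dport: str   # destination port or "any"
    action: str  # "permit" or "deny"


# e.g. policy any any source 192.168.10.0/24 destination 192.168.0.250 tcp dst-port 445 action permit
_POLICY_RE = re.compile(
    r"policy\s+\S+\s+\S+\s+source\s+(?P<src>\S+)\s+destination\s+(?P<dst>\S+)"
    r"\s+(?P<proto>tcp|udp|any)(?:\s+dst-port\s+(?P<dport>\d+))?\s+action\s+(?P<action>permit|deny)$"
)
# e.g. -A INPUT -s 192.168.10.0/24 -p tcp -m tcp --dport 445 -j ACCEPT  (as printed by iptables -S)
_HOST_RE = re.compile(
    r"-A INPUT(?:\s+-s\s+(?P<src>\S+))?(?:\s+-p\s+(?P<proto>\S+))?(?:\s+-m\s+\S+)?"
    r"(?:\s+--dport\s+(?P<dport>\d+))?\s+-j\s+(?P<target>\S+)$"
)


def parse_policy(line: str) -> Policy:
    m = _POLICY_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised policy line: {line!r}")
    return Policy(m["src"], m["dst"], m["proto"], m["dport"] or "any", m["action"])


def _covers(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def associate(policies, managed_ips):
    """Preset association rule: a policy belongs to a managed server when its
    destination covers that server's address. Policy order is preserved."""
    return {ip: [p for p in policies if _covers(p.dst, ip)] for ip in managed_ips}


def canonical(policy: Policy):
    """(src, proto, dport, target). Generated rules and rules read back from the host
    are both reduced to this, so the "-m tcp" that iptables -S inserts is not drift."""
    src = policy.src if policy.src != "any" else "0.0.0.0/0"
    return (src, policy.proto, policy.dport, "ACCEPT" if policy.action == "permit" else "DROP")


def to_iptables(policy: Policy) -> str:
    """S1031. -A keeps the administrator's order; -I, as in the page's own example,
    would reverse it when several rules are pushed one after another."""
    src, proto, dport, target = canonical(policy)
    parts = ["iptables", "-A", "INPUT"]
    if src != "0.0.0.0/0":
        parts += ["-s", src]
    if proto != "any":
        parts += ["-p", proto]
        if dport != "any":
            parts += ["--dport", dport]
    return " ".join(parts + ["-j", target])


def parse_host_rules(iptables_s_output: str):
    """S104: the INPUT chain currently loaded on the host, in canonical form."""
    rules = []
    for line in iptables_s_output.splitlines():
        m = _HOST_RE.match(line.strip())
        if m:
            rules.append((m["src"] or "0.0.0.0/0", m["proto"] or "any", m["dport"] or "any", m["target"]))
    return rules


def check_consistency(expected, actual):
    """S105: ordered comparison of canonical rule lists."""
    return {"consistent": expected == actual,
            "missing": [r for r in expected if r not in actual],
            "extra": [r for r in actual if r not in expected]}


# Constructed sample data.
FIREWALL_POLICIES = [
    "policy any any source 192.168.10.0/24 destination 192.168.250.3 tcp dst-port 445 action permit",
    "policy any any source 10.0.0.0/8 destination 192.168.250.3 tcp dst-port 22 action permit",
    "policy any any source any destination 192.168.0.250 tcp dst-port 443 action permit",
]
MANAGED_SERVERS = ["192.168.250.3", "192.168.0.250"]
# iptables -S INPUT on 192.168.250.3 after someone widened the SMB rule by hand (the drift case of Embodiment 2)
HOST_RULES_DRIFTED = """-P INPUT DROP
-A INPUT -s 192.168.10.0/22 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
"""


def audit(host_ip: str, iptables_s_output: str):
    """S300-S600 for one host: associate, convert, compare; on drift, return the
    commands to push over SSH (flush the chain, then re-add in policy order)."""
    mine = associate([parse_policy(l) for l in FIREWALL_POLICIES], [host_ip])[host_ip]
    result = check_consistency([canonical(p) for p in mine], parse_host_rules(iptables_s_output))
    result["resync"] = [] if result["consistent"] else ["iptables -F INPUT"] + [to_iptables(p) for p in mine]
    return result
```

Two points the text passes over are built in here. The rule order is compared, not just the set of rules, because the page itself notes that several policies are matched in the order the administrator specified; that is also why the conversion emits -A rather than the -I of the page's example, which would reverse that order when rules are pushed one after another. And the re-sync list starts by flushing the INPUT chain, so on a real host the management SSH session must be covered by a rule for established connections, or the default DROP policy must be applied only after the allow rules are in place, otherwise the push cuts off the session that is performing it; the stored user name and password of step S200 should likewise be replaced by a dedicated SSH key with a restricted command where the platform allows it.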
The second aspect of the embodiments of the present application shows a host policy linkage control device for managing host policy based on firewall policy linkage. The host policy linkage control device includes:
an association module, for analyzing the association relationship between the firewall security policy and the target managed server;
a policy conversion module, for converting the firewall security policy associated with the target managed server into a control policy that the target managed server can recognize;
a policy distribution module, for issuing the corresponding control policy to the target managed server.
Optionally, the host policy linkage control device further includes:
a policy status monitoring module, for periodically checking the control policy of the managed server and, if it is found to be inconsistent with the firewall security policy, issuing an alarm or re-synchronizing the policy.
Optionally, the host policy linkage control device further includes:
a policy conversion module, for converting the firewall security policy into an access control policy that the managed server can recognize.
Optionally, the host policy linkage control device further includes:
a policy analysis module, for analyzing the preset association rule content of the security policy and parsing the source, destination and access port involved in the preset association rule of the security policy.
The embodiments of the present application further show a system for managing host policy based on firewall policy linkage. The system includes: host policy linkage control software integrated on the firewall, and a managed server connected to the firewall network;
the managed server is for receiving the control policy;
the relationship between the modules of the host policy linkage control device is shown in Figure 5:
the host policy linkage control device includes:
an association module, for analyzing the association relationship between the firewall security policy and the target managed server;
a policy conversion module, for converting the firewall security policy associated with the target managed server into a control policy that the target managed server can recognize;
a policy distribution module, for issuing the corresponding control policy to the target managed server.
Optionally, the host policy linkage control device further includes:
a policy status monitoring module, for periodically checking the control policy of the managed server and, if it is found to be inconsistent with the firewall security policy, issuing an alarm or re-synchronizing the policy.
Optionally, the host policy linkage control device further includes:
a policy conversion module, for converting the firewall security policy into an access control policy that the managed server can recognize.
Optionally, the host policy linkage control device further includes:
a policy analysis module, for analyzing the preset association rule content of the security policy and parsing the source, destination and access port involved in the preset association rule of the security policy.
The working principle of the invention is as follows:
The policy analysis module takes the currently configured firewall security policies as input, analyzes the rule content of every security policy, and parses the source, destination, access port and so on that the rule involves. It then calls the policy association module, which determines which managed server the rule relates to and associates the rule with that managed server.
After the association between managed servers and security policies has been established, the policy conversion module is called to convert the associated firewall security policies into access control policies that the managed server can recognize, and the converted access control policies are passed to the policy distribution module. The policy distribution module, together with the host management module of the host policy linkage control device, issues the access control policies to the managed server.
The policy status monitoring module periodically checks the access control policies on the managed server; if it finds them inconsistent with the security policy on the firewall, it can raise an alarm or re-synchronize the policy according to the configured setting, so that the two policies always stay consistent.
It can be seen from the above technical scheme that the embodiments of the present application show a method and system for managing host policy based on firewall policy linkage. The method includes: analyzing the firewall security policy; determining the target managed server, the target managed server being the managed server associated with the firewall security policy; and sending the firewall security policy to the target managed server. In the technical solution shown in the embodiments of the present application, the host policy management capability of the host policy linkage control device is integrated in the firewall module, so there is no need to separately purchase and deploy a host policy management center software, which reduces financial expenditure and the corresponding maintenance work. At the same time, the access control policy of the managed server is derived from the firewall security policy, so the administrator no longer needs to configure an access control policy for each managed server individually, which reduces configuration and maintenance workload while also ensuring policy consistency between the network side and the managed server.
Those skilled in the art, after considering the specification and practicing the invention disclosed here, will readily think of other embodiments of the invention. This application is intended to cover any variations, uses or adaptations of the invention that follow the general principles of the invention and include common knowledge or conventional techniques in the art not disclosed in the present invention. The description and examples are to be considered illustrative only, and the true scope and spirit of the invention are pointed out by the following claims.
It should be understood that the present invention is not limited to the precise structure already described above and shown in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present invention is limited only by the appended claims.
It is worth noting that, in the specific implementation, the application also provides a computer storage medium, where the computer storage medium can store a program which, when executed, may include some or all of the steps in the embodiments of the user identity service providing method or user registration method provided by the present application. The storage medium can be a magnetic disk, an optical disc, a read-only memory (ROM) or a random access memory (RAM), etc.
Those skilled in the art can clearly understand that the technology in the embodiments of the present application can be realized by software together with a necessary general hardware platform. Based on this understanding, the technical solution in the embodiments of the present application, in essence or in the part that contributes to the existing technology, can be embodied in the form of a software product. The computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each embodiment of the application or in certain parts of an embodiment.
The same or similar parts of the embodiments in this specification may refer to each other. In particular, since the user identity service providing apparatus and user registration apparatus embodiments are substantially similar to the method embodiments, their description is relatively simple, and the relevant points refer to the explanation in the method embodiments.
Those skilled in the art, after considering the specification and practicing the invention disclosed here, will readily think of other embodiments of the application. This application is intended to cover any variations, uses or adaptations of the application that follow the general principles of the application and include common knowledge or conventional techniques in the art not disclosed in the application. The description and examples are to be considered illustrative only, and the true scope and spirit of the application are pointed out by the following claims.
Claims (9)
1. A method for managing host policy based on firewall policy linkage, characterized in that the method includes:
analyzing a firewall security policy;
determining a target managed server, the target managed server being the managed server associated with the firewall security policy;
sending the firewall security policy to the target managed server.
2. The method according to claim 1, wherein the method further includes:
accessing the control policy of the managed server;
judging whether the control policy is consistent with the firewall security policy;
if inconsistent, issuing an alarm or re-synchronizing the policy.
3. The method according to claim 1, wherein the step of sending the firewall security policy to the target managed server includes:
converting the firewall security policy into a control policy recognizable by the target managed server;
sending the control policy to the target managed server.
4. The method according to claim 1, wherein the step of determining the target managed server includes:
parsing the preset association rule of the firewall security policy;
traversing the managed-server array and determining the managed server that satisfies the preset association rule as the target managed server;
establishing the association with the target managed server.
5. The method according to claim 4, characterized in that the preset association rule is set based on source address, source port, destination address and destination port.
6. A system for managing host policy based on firewall policy linkage, the system including: a host policy linkage control device integrated on the firewall, and a managed server connected to the firewall network;
the managed server being for receiving a control policy;
the host policy linkage control device including:
an association module, for analyzing the association relationship between the firewall security policy and the target managed server;
a policy conversion module, for converting the firewall security policy associated with the target managed server into a control policy that the target managed server can recognize;
a policy distribution module, for issuing the corresponding control policy to the target managed server.
7. The system according to claim 6, characterized in that the host policy linkage control device further includes:
a policy status monitoring module, for periodically checking the control policy of the managed server and, if it is found inconsistent with the firewall security policy, issuing an alarm or re-synchronizing the policy.
8. The system according to claim 6, characterized in that the host policy linkage control device further includes:
a policy conversion module, for converting the firewall security policy into an access control policy that the managed server can recognize.
9. The system according to claim 6, characterized in that the host policy linkage control device further includes:
a policy analysis module, for analyzing the preset association rule content of the security policy and parsing the source, destination and access port involved in the preset association rule of the security policy.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201811555668.7A (CN109413110A) | 2018-12-19 | 2018-12-19 | A kind of method and system of the managing main frame strategy based on firewall policy linkage
Publications (1)
Publication Number | Publication Date
---|---
CN109413110A | 2019-03-01
Family ID: 65459920
Legal Events
Code | Title
---|---
PB01 | Publication (application publication date: 2019-03-01)
SE01 | Entry into force of request for substantive examination
RJ01 | Rejection of invention patent application after publication