CN109413110A - A method and system for managing host policy based on firewall policy linkage - Google Patents

Publication number: CN109413110A
Application number: CN201811555668.7A
Authority: CN (China)
Original language: Chinese (zh)
Prior art keywords: server, managed, policy, firewall, target
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Inventors: 訾二勇, 申亮
Original assignee: Wuhan Sipuleng Technology Co Ltd
Current assignee: Wuhan Sipuleng Technology Co Ltd (also listed as Wuhan Sipuling Technology Co Ltd; the listed assignees may be inaccurate)
Priority application: CN201811555668.7A
Publication: CN109413110A

Classifications (CPC)

H04L63/02 - Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
H04L63/20 - Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The embodiments of the present application disclose a method and system for managing host policy based on firewall policy linkage. The method comprises: analysing the firewall security policy; determining the target managed server, the target managed server being the managed server associated with that firewall security policy; and sending the firewall security policy to the target managed server. In the technical solution shown in the embodiments, the host policy management capability is integrated into the firewall module, so there is no need to separately purchase and deploy a host policy management centre, which reduces cost and the corresponding maintenance work. At the same time, the access control policy of the managed server is derived from the firewall security policy, so the administrator no longer needs to configure an access control policy on each managed server individually, which reduces configuration and maintenance workload while also ensuring policy consistency between the network side and the managed servers.

Description

A method and system for managing host policy based on firewall policy linkage

Technical field
The present invention relates to the field of computer technology, in particular to a method and system for managing host policy based on firewall policy linkage.

Background art
Servers and the data stored on them are critical enterprise assets, and ensuring that servers are not subjected to unauthorised access or malicious attack is an important task for the enterprise network administrator. To prevent unauthorised access and malicious attacks, enterprise users usually purchase a firewall to protect intranet server data.
A firewall is a basic network-security device used to ensure the security of network information; it decides which transmitted data is allowed or blocked according to the policy defined on it. To guard against traffic that reaches the server without passing through the firewall, which would leave the server exposed to unauthorised access and attack, the network administrator also configures a corresponding access control policy on the managed server itself, so that the server is protected in every case.
Current host policy management schemes mostly use a client/server (C/S) model: a host policy management centre is deployed in the network, and matching client software is installed on each managed host. All policy configuration and adjustment is performed at the policy management centre, which pushes the policy to the client on each host; the client then applies the final policy configuration on that host. The prior-art topology is shown in Fig. 1.
Both the host policy and the firewall policy exist to protect the server host from unauthorised access, but with the existing host policy management scheme the network administrator has to configure two copies of the access control policy, one on the firewall and one on the corresponding managed server. Whenever a policy changes, inconsistencies between the policy on the firewall and the policy on the managed server are inevitable.
Summary of the invention
The object of the invention is to provide a method and system for managing host policy based on firewall policy linkage, so as to solve the problems of the host policy management scheme of the prior art.
In a first aspect, the embodiments of the present application provide a method for managing host policy based on firewall policy linkage, the method comprising:
analysing the firewall security policy;
determining the target managed server, the target managed server being the managed server associated with the firewall security policy;
sending the firewall security policy to the target managed server.
Optionally, the method further comprises:
accessing the control policy of the managed server;
judging whether the control policy is consistent with the firewall security policy;
if inconsistent, issuing an alarm or re-synchronising the policy.
Optionally, the step of sending the firewall security policy to the target managed server comprises:
converting the firewall security policy into a control policy that the target managed server can recognise;
sending the control policy to the target managed server.
Optionally, the step of determining the target managed server comprises:
parsing the preset association rule of the firewall security policy;
traversing the array of managed servers, and determining the managed servers that satisfy the preset association rule to be the target managed servers;
establishing the association between the firewall security policy and the target managed server.
Optionally, the preset association rule is set based on source address, source port, destination address and destination port.
In a second aspect, the embodiments of the present application provide a system for managing host policy based on firewall policy linkage, the system comprising: a host policy linkage controller integrated on the firewall, and the managed servers connected to the firewall network;
the managed server is configured to receive the control policy;
the host policy linkage controller comprises:
an association module, for analysing the association relationship between the firewall security policy and the target managed server;
a policy conversion module, for converting the firewall security policy associated with the target managed server into a control policy that the target managed server can recognise;
a policy distribution module, for issuing the corresponding control policy to the target managed server under management.
Optionally, the host policy linkage controller further comprises:
a policy status monitoring module, for periodically checking the control policy of the managed server and, if it is found to be inconsistent with the firewall security policy, issuing an alarm or re-synchronising the policy.
Optionally, the host policy linkage controller further comprises:
a policy conversion module, for converting the firewall security policy into an access control policy that the managed server can recognise.
Optionally, the host policy linkage controller further comprises:
a policy analysis module, for analysing the content of the preset association rule of the security policy and parsing out the source, destination and access endpoint involved in the preset association rule.
It can be seen from the above that the embodiments of the present application provide a method and system for managing host policy based on firewall policy linkage, the method comprising: analysing the firewall security policy; determining the target managed server, the target managed server being the managed server associated with the firewall security policy; and sending the firewall security policy to the target managed server. The host policy management capability is integrated into the firewall module, so there is no need to separately purchase and deploy a host policy management centre, which reduces cost and the corresponding maintenance work. At the same time, the access control policy of the managed server is derived from the firewall security policy, so the administrator no longer needs to configure an access control policy on each managed server individually, which reduces configuration and maintenance workload while also ensuring policy consistency between the network side and the managed servers.
Description of the drawings
In order to explain the embodiments of the invention or the technical solution of the prior art more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is the firewall security policy topology of the prior art;
Fig. 2 is a flowchart of a method for managing host policy based on firewall policy linkage according to a preferred embodiment;
Fig. 3 is a detailed flowchart of step S103 according to a preferred embodiment;
Fig. 4 is a detailed flowchart of step S102 according to a preferred embodiment;
Fig. 5 is a structural block diagram of the host policy linkage controller according to a preferred embodiment.
Detailed description
The technical solution in the embodiments of the invention is described below clearly and completely with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
For ease of description, some of the nouns and terms appearing in the embodiments are explained below.
Firewall: a device that assists in ensuring information security by allowing or restricting the passage of transmitted data according to specific rules. A firewall may be a dedicated hardware appliance or a set of software running on general-purpose hardware. The firewall is the inspection point of a security policy: all traffic entering or leaving must pass through it, and as the checkpoint for security issues it rejects suspicious access at the boundary. The most basic function of a firewall is to control the data flow between zones of different trust levels in a computer network; for example, the Internet is an untrusted zone while the internal network is a highly trusted zone. Like the fire wall in a building, it stops the communications that the security policy forbids. Its basic task is to control information between zones of different trust; typical trust zones are the Internet (an untrusted zone) and an internal network (a highly trusted zone). The ultimate goal is to provide controlled connectivity between zones of different trust levels, enforcing the security policy and the principle of least privilege over how traffic flows and which connections are permitted.
Port: the transport-layer port through which a computer communicates with the outside world (for example TCP port 445 in the examples below).
It should be noted that in the technical solution shown in the embodiments, "client" (user terminal) refers to the managed server side.
The host policy linkage controller is sometimes referred to simply as the host or the server in what follows; it is also sometimes called the server host policy linkage controller.
Embodiment 1:
In view of the problems of the firewall and host policy management scheme of the prior art, the first aspect of the embodiments of the present application provides a method for managing host policy based on firewall policy linkage. Specifically, referring to Fig. 2, the method comprises:
S101: analysing the firewall security policy.
The security policy in the embodiments includes inter-zone security policy and/or intra-zone security policy, used to control inter-zone and/or intra-zone traffic. Besides the traditional packet-filtering function, the security policy can also subject the traffic to further application-layer inspection such as IPS, AV, web filtering and application control.
The security policy is thus a unified policy that performs multiple security checks, such as packet filtering and UTM application-layer inspection, on inter-zone and/or intra-zone traffic at the same time.
Filtering rules applied on an interface control the traffic of that interface: based on layer-2 and layer-3 packet attributes such as IP and MAC address, the packet is directly allowed or denied.
An inter-zone security policy needs a forwarding direction, i.e. inbound or outbound. Forwarding policy: controls the traffic forwarded by the device, including traditional packet filtering and application-layer UTM inspection. Local policy: controls traffic between the outside and the device itself, matched on the five-tuple only. Intra-zone security policy: the basic policy is the same as above; the only difference is that no forwarding ingress or egress needs to be set, and traffic within the local zone cannot be controlled. UTM policy (application-layer inspection): the match conditions are evaluated by the configured policy (the action is permit or deny; UTM policies such as IPS and AV; the default action is permit).
While the firewall security policy is being established, a preset association rule is generated accordingly; the preset association rule records the correspondence between the filtering rule and the managed server.
S102: determining the target managed server, the target managed server being the managed server associated with the firewall security policy.
Specifically, the association can be established according to the local area network in which the managed server is located.
The host (firewall) is configured with multiple firewall security policies; while a firewall security policy is being generated, the managed server associated with it is already determined.
A firewall security policy may be associated with a group of managed servers, in which case the administrator can send the policy to the whole group, which facilitates unified management of the group; a firewall security policy may also be associated with a single managed server, in which case the corresponding policy is given to each target managed server separately, which improves the flexibility of firewall security policy management.
If the firewall administrator sends multiple firewall security policies to one managed server, attention must be paid to their order, because multiple firewall security policies are matched in the order specified by the administrator.
For a firewall security policy associated with a group of managed servers, the association between the firewall security policy and the managed servers is specifically as follows:
(1) The firewall security policy may be configured based on the identity information of each client.
For example, the identity information of the managed server (such as the client's name or IP address) can be used as the basis of the association. Suppose the filtering rule corresponding to a firewall security policy is: only allow inbound traffic and refuse outbound traffic; and the filtering rule applies to the managed servers of the company's finance department.
The identity information of the finance department (such as the client's name or IP address) is then associated with the above security policy; all managed servers of the finance department are the target managed servers of that security policy.
In practice, an association can also be established between a certain security policy and a range of IP addresses.
While the firewall security policy is being generated, the host can obtain the identity information of the client, i.e. the name or IP address of the managed server, when it authenticates the managed server. To make it easy to look up the target managed server, a security policy based on the identity information of each client can be configured on the host.
After the firewall security policy has been built as above, when a client's service comes online the host authenticates the managed server and judges whether the identity information of that managed server matches the firewall security policy, i.e. whether it is a managed server of the finance department. If it matches, the firewall security policy is sent to the target managed server; if it does not match, the host refuses to send the firewall security policy to that managed server.
(2) The firewall security policy may be configured based on each data source. The firewall security policy is a group policy: the target managed servers of a certain firewall security policy are grouped on the basis of the data source.
For example: the data source is external equipment in 192.168.10.0/24, which is allowed to transmit traffic to the business department's servers. During the construction of the firewall security policy, the identity information of the business department's servers (such as the client's name or IP address) is associated with that security policy (the preset association rule).
The host receives the above firewall security policy and, according to the preset association rule, determines that all managed servers of the business department are the target managed servers of that security policy.
S103: sending the firewall security policy to the target managed server.
In the technical solution shown in the embodiments, the host policy management capability is integrated into the firewall, so there is no need to separately purchase and deploy a host policy management centre, which reduces cost. At the same time, the access control policy of the managed server is obtained by the host sending the corresponding firewall security policy, so the administrator no longer needs to configure an access control policy on each managed server individually, which reduces maintenance workload while also ensuring policy consistency between the management server and the managed servers.
It should be noted that in the embodiments of the present application, "control policy" refers to the security policy on the controlled end (the managed server).
Embodiment 2:
In practice, firewall security policy updates and modifications of the control policy on the managed server frequently cause the firewall protection to fail, which brings a series of losses to the enterprise. To solve this problem, the embodiments of the present application provide a firewall monitoring scheme; please continue to refer to Fig. 2.
The technical solution shown in Embodiment 2 has similar steps to that shown in Embodiment 1; the only difference is that, in addition to the steps of Embodiment 1, the method further comprises:
S104: accessing the control policy of the managed server;
S105: judging whether the control policy is consistent with the firewall security policy.
The embodiments judge whether the control policy is consistent with the firewall security policy mainly by comparing the effect achieved by the control policy with the effect intended by the security policy.
Specifically, for example, suppose the first security policy originally allows the first client to receive traffic whose source is 192.168.10.0/24 and rejects traffic whose source is 192.168.10.0/22. (Note that 192.168.10.0/22, written as a proper network, is 192.168.8.0/22 and contains the /24, so the permit rule must precede the deny rule for this policy to have the intended effect.)
If, when accessing the first client, it is found that the first client has received traffic from 192.168.10.0/22, then the effect achieved by the control policy of the first managed server is clearly inconsistent with the host's security policy, and it is concluded that the control policy is inconsistent with the firewall security policy.
As another example, suppose the second security policy originally allows the client to access network resources from 9:00 to 11:00, and the control policy received by the second managed server likewise allows the client to access network resources from 9:00 to 11:00. Later, because of a system update or an internal company requirement, the host's security policy is updated so that the permitted period becomes 9:00 to 10:00. If, when accessing the control policy of the managed server, it is found that clients are still accessing network resources after 10:00, then the effect achieved by the control policy of the client's server is inconsistent with the host's security policy, and it is concluded that the control policy is inconsistent with the firewall security policy.
S106: if inconsistent, issuing an alarm or re-synchronising the policy.
During re-synchronisation, it is determined whether the control policy of the managed server was modified, or whether the management-side server was updated, upgraded or changed.
If the control policy of the managed server was modified, for example: the first security policy originally allows the first client to receive traffic from 192.168.10.0/24 and rejects traffic from 192.168.10.0/22; when accessing the first managed server it is found that the first client's control policy has been modified to allow traffic from 192.168.10.0/22. It is then determined that the control policy of the first client was modified, and the host re-sends the first security policy to the first managed server only, rather than to the whole group of target managed servers corresponding to the first security policy.
As another example: the second security policy originally allows the client to access network resources from 9:00 to 11:00, and the control policy received by the second managed server allows the same. If it is the second security policy itself that has been updated, the updated second security policy is sent to all target managed servers corresponding to the second security policy.
S107: if consistent, no action is taken.
It can be seen that the technical solution shown in the embodiments can periodically check the access control policy on the managed server and, if it is found to be inconsistent with the security policy on the firewall, issue an alarm or re-synchronise the policy according to the configured setting, so that the two policies are always consistent.
Embodiment 3:
In practice, the firewall security policy of the host and the control policy of the managed server are frequently expressed in different languages, so that a firewall security policy sent directly to the managed server obviously cannot be recognised by it. To solve this problem, the embodiments of the present application provide a method for converting the security policy into a control policy; please refer to Fig. 3:
The technical solution shown in Embodiment 3 has similar steps to that shown in Embodiment 1; the only difference is that the step of sending the firewall security policy to the target managed server in Embodiment 1 comprises the following steps:
S1031: converting the firewall security policy into a control policy that the target managed server can recognise.
The technical solution concerns the conversion between the way the firewall security policy is expressed and the way the access control policy on the managed server side is expressed.
Specific conversion process:
For example, the security policy configured on the firewall allows the source network segment 192.168.10.0/24 to access the service on destination IP 192.168.0.250, destination port 445. Its configuration rule on the firewall is:
policy any any source 192.168.10.0/24 destination 192.168.0.250 tcp dst-port 445 action permit
If destination IP 192.168.0.250 is a CentOS server, the same rule is configured on that server host with the statement:
iptables -I INPUT -s 192.168.10.0/24 -p tcp --dport 445 -j ACCEPT
The essence of the conversion is to extract the elements relevant to the access control rule from the firewall security policy and then, using the syntax of the server host, fill them into an access control rule that the server can recognise and apply. Two points a practitioner should note about the host rule above: the destination address is dropped (it is implicit on a single-homed host, but would be needed on a multi-homed one), and -I inserts the rule at the head of the INPUT chain, so an ACCEPT rule only has an effect if the chain's default policy or a later rule denies the traffic, and pushing several policies one after another with -I reverses the administrator's order, whereas -A (append) preserves it.
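As an added example (not code from the patent), the following Python converter carries out step S1031 for the rule pair above: it extracts the access-control elements from a firewall policy line in the syntax quoted on this page and renders them as an iptables command. The policy grammar is inferred from that single line; the deny action, the src-port keyword, the udp/icmp protocol tokens and every function name are assumptions.

```python
# Added example (not part of the patent): a converter for step S1031 that turns a
# firewall policy line in the syntax quoted above into an iptables rule for the
# managed CentOS host. The "policy <src-zone> <dst-zone> ..." grammar follows the
# single line shown on this page; the deny action, the src-port keyword and the
# udp/icmp protocol tokens are assumed extensions, and every function name is
# hypothetical.
import ipaddress
import shlex


def parse_policy(line):
    """Parse one firewall policy line into the elements relevant to access control.

    Expected shape:
      policy <src-zone> <dst-zone> source <net> destination <ip> <proto> dst-port <n> action <permit|deny>
    Keywords may appear in any order after the zone pair.
    """
    tok = shlex.split(line)
    if len(tok) < 3 or tok[0] != "policy":
        raise ValueError("not a policy line: %r" % line)
    rule = {"src_zone": tok[1], "dst_zone": tok[2], "src": None, "dst": None,
            "proto": None, "sport": None, "dport": None, "action": None}
    i = 3
    while i < len(tok):
        key = tok[i]
        if key in ("tcp", "udp", "icmp"):      # bare protocol token
            rule["proto"] = key
            i += 1
            continue
        if i + 1 >= len(tok):
            raise ValueError("keyword %r has no value in %r" % (key, line))
        val = tok[i + 1]
        if key == "source":
            rule["src"] = ipaddress.ip_network(val, strict=False)
        elif key == "destination":
            rule["dst"] = ipaddress.ip_network(val, strict=False)
        elif key == "src-port":
            rule["sport"] = int(val)
        elif key == "dst-port":
            rule["dport"] = int(val)
        elif key == "action":
            rule["action"] = val
        else:
            raise ValueError("unknown keyword %r in %r" % (key, line))
        i += 2
    if rule["action"] not in ("permit", "deny"):
        raise ValueError("policy needs 'action permit' or 'action deny': %r" % line)
    if (rule["sport"] is not None or rule["dport"] is not None) and rule["proto"] not in ("tcp", "udp"):
        raise ValueError("ports need a tcp or udp protocol: %r" % line)
    return rule


def _net(net):
    """Render a network the way iptables prints it: single hosts without the /32 suffix."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def to_iptables(rule, chain="INPUT", keep_destination=True):
    """Fill the extracted elements into iptables syntax for the managed host.

    -A (append) rather than -I is used so that a sequence of policies pushed in the
    administrator's order keeps that order in the chain; -I would reverse it.
    """
    cmd = ["iptables", "-A", chain]
    if rule["src"] is not None:
        cmd += ["-s", _net(rule["src"])]
    if keep_destination and rule["dst"] is not None:
        cmd += ["-d", _net(rule["dst"])]
    if rule["proto"] is not None:
        cmd += ["-p", rule["proto"]]
    if rule["sport"] is not None:
        cmd += ["--sport", str(rule["sport"])]
    if rule["dport"] is not None:
        cmd += ["--dport", str(rule["dport"])]
    cmd += ["-j", "ACCEPT" if rule["action"] == "permit" else "DROP"]
    return " ".join(cmd)


def convert(policy_lines, **kw):
    """Convert a list of firewall policy lines into iptables commands, order preserved."""
    return [to_iptables(parse_policy(line), **kw) for line in policy_lines]


if __name__ == "__main__":
    # Constructed input: the policy from this page plus an assumed deny line.
    sample = [
        "policy any any source 192.168.10.0/24 destination 192.168.0.250 tcp dst-port 445 action permit",
        "policy any any source 0.0.0.0/0 destination 192.168.0.250 tcp dst-port 445 action deny",
    ]
    for cmd in convert(sample):
        print(cmd)
```

Two deliberate departures from the iptables line on the page: -A is used instead of -I so that policies pushed in the administrator's order stay in that order in the chain, and the destination address is kept unless keep_destination=False, which matters on a multi-homed host.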
S1032: sending the control policy to the target managed server.
It can be seen that the technical solution shown in the embodiments converts the firewall security policy into a control policy that the target managed server can recognise, ensuring that the firewall security policy sent by the host can be successfully recognised by the managed server, which improves the applicability of the solution. The access control policy of the managed server is derived from the firewall security policy, so the administrator no longer needs to configure an access control policy on each managed server individually, which reduces maintenance workload while also ensuring policy consistency between the host and the managed servers.
Embodiment 4:
Technical solution shown in embodiment 4 has similar step to the technical solution shown in embodiment 1, unique to distinguish It is in the technical solution shown in embodiment 1, the step following steps for the server that the determining target is managed specifically are asked Refering to Fig. 4:
S1021 parses the preset correlation rule of the firewall security policy;
The preset correlation rule is based on source address, source port, destination address, destination port setting.
Preset correlation rule recites the incidence relation of firewall security policy with the server being managed;It is specific logical It crosses, source port, destination address, destination port records the incidence relation of firewall security policy with the server being managed.
Preset correlation rule, the preset correlation rule note are just generated during the firewall security policy generates Carry source address, source port, destination address, destination port;
Network administrator configures corresponding secure access strategy according to service conditions on firewall.For example, market department's net Network is 192.168.10.0/24, and the file-sharing server of market department is 192.168.250.3.Setting default policy, which acts, is Then refusal increases a permission access strategy: source 192.168.10.0/24, purpose 192.168.250.3, destination Mouth is 445, is acted to allow.
The source port of preset correlation rule are as follows: source port 192.168.250.3;Source is 192.168.10.0/24, and purpose is 192.168.250.3 destination port 445;
S1022 traverses the server array being managed, and determines the server being managed for meeting the preset correlation rule The server being managed for target;
The server array being managed is traversed, IP address is that 192.168.250.3 is the server that target is managed;
S1023 establishes contacting for the server being managed with the target.
The concrete implementation process is as follows:
Step S100: the network administrator configures the corresponding secure-access policy on the firewall according to business requirements. For example, the marketing department's network is 192.168.10.0/24, and the marketing department's file-sharing server is 192.168.250.3. The default policy action is set to deny, and one permit policy is then added: source 192.168.10.0/24, destination 192.168.250.3, destination port 445, action allow.
Step S200: add the server with IP address 192.168.250.3 as a managed server, providing a user name and password so that the controller can later log on to the managed server over SSH.
Step S300: the policy analysis module begins analyzing the secure-access policies on the firewall, finds the policies relevant to 192.168.250.3, and calls the policy association module to associate those policies with 192.168.250.3.
Step S400: the policy conversion module converts the firewall security policies associated with 192.168.250.3 into access control policies that 192.168.250.3 can recognize, and passes them to the policy distribution module.
Step S500: the policy distribution module uses the information provided by the host management module to log on to 192.168.250.3 over SSH and configure the associated access control policies on 192.168.250.3.
Step S600: the policy status monitoring module periodically checks the access control policies on 192.168.250.3; if it finds them inconsistent with the security policies on the firewall, it re-issues the associated access control policies to 192.168.250.3.
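The following Python model of steps S1021 to S1023 and S100 to S600 is an added example and is not code from the patent or its applicant. It assumes a constructed firewall policy list (the 445/tcp policy from the text plus a second, invented one for a second server), represents the host-side control policy as iptables INPUT rules, and replaces the SSH session of step S500 with an in-memory write. The controller address 192.168.250.1, the dataclass and function names, and the decision to allow the controller's own SSH session and established connections before the host default policy becomes DROP are all assumptions of this example: a host that copies the firewall's default deny verbatim would cut off the very management channel used to push the rules, which is the check the patent text does not mention.

```python
"""Added example (not the patent's code): firewall policy -> host policy linkage.

Models S300 (association), S400 (conversion), S500 (distribution) and
S600 (drift check / re-sync) on constructed data; no SSH or iptables is run.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FirewallPolicy:
    """One firewall security policy: source, destination, destination port, action."""
    src: str             # source address or CIDR
    dst: str             # destination address or CIDR
    dport: Optional[int] # TCP destination port; None means any port
    action: str          # "allow" or "deny"


@dataclass
class ManagedServer:
    """Inventory entry from step S200. Credentials are deliberately not modelled;
    a real controller should use key-based SSH rather than a stored password."""
    ip: str
    installed: List[str] = field(default_factory=list)  # host rules currently present


CONTROLLER_IP = "192.168.250.1"   # assumption: address the controller connects from
FIREWALL_DEFAULT_ACTION = "deny"  # step S100: firewall default policy is deny
_TARGET = {"allow": "ACCEPT", "deny": "DROP"}

# Constructed sample: the first policy is the one in the text, the second is invented.
SAMPLE_POLICIES = [
    FirewallPolicy("192.168.10.0/24", "192.168.250.3", 445, "allow"),
    FirewallPolicy("192.168.10.0/24", "192.168.250.4", 3306, "allow"),
]


def policy_covers(policy: FirewallPolicy, server_ip: str) -> bool:
    """Preset correlation rule (S1021/S1022): the policy's destination contains the server."""
    return ipaddress.ip_address(server_ip) in ipaddress.ip_network(policy.dst, strict=False)


def associate(policies: List[FirewallPolicy], servers: List[ManagedServer]) -> Dict[str, List[FirewallPolicy]]:
    """Step S300: map each managed server to the firewall policies that target it."""
    return {s.ip: [p for p in policies if policy_covers(p, s.ip)] for s in servers}


def to_iptables(policies: List[FirewallPolicy], server_ip: str) -> List[str]:
    """Step S400: render the associated policies as an ordered iptables INPUT rule set."""
    rules = [
        # Keep the management channel and existing sessions alive before anything is dropped.
        f"-A INPUT -s {CONTROLLER_IP} -d {server_ip} -p tcp --dport 22 -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for p in policies:
        rule = f"-A INPUT -s {p.src} -d {p.dst}"
        if p.dport is not None:
            rule += f" -p tcp --dport {p.dport}"
        rules.append(f"{rule} -j {_TARGET[p.action]}")
    rules.append(f"-P INPUT {_TARGET[FIREWALL_DEFAULT_ACTION]}")  # mirror the firewall default
    return rules


def distribute(server: ManagedServer, rules: List[str]) -> ManagedServer:
    """Step S500: in a deployment this runs `iptables <rule>` over SSH; here it records them."""
    server.installed = list(rules)
    return server


def drift(server: ManagedServer, desired: List[str]) -> Dict[str, List[str]]:
    """Step S600: compare installed host rules against the desired set."""
    want, have = set(desired), set(server.installed)
    return {"missing": sorted(want - have), "extra": sorted(have - want)}


def sync_all(policies: List[FirewallPolicy], servers: List[ManagedServer]) -> Dict[str, Dict[str, List[str]]]:
    """One full S300-S600 cycle: re-issue rules wherever drift is found, report the result."""
    assoc = associate(policies, servers)
    report = {}
    for s in servers:
        desired = to_iptables(assoc[s.ip], s.ip)
        d = drift(s, desired)
        if d["missing"] or d["extra"]:
            distribute(s, desired)  # the patent's "re-synchronize" option
        report[s.ip] = drift(s, desired)
    return report


if __name__ == "__main__":
    fleet = [ManagedServer("192.168.250.3"), ManagedServer("192.168.250.4")]
    for ip, pols in associate(SAMPLE_POLICIES, fleet).items():
        print(ip)
        for r in to_iptables(pols, ip):
            print("  iptables " + r)
    print(sync_all(SAMPLE_POLICIES, fleet))
```

The drift check compares rule sets, not rule order; if ordering matters for the host (it does for iptables when rules overlap), compare the lists directly instead of the sets.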
A second aspect of the embodiments of the present application shows a host policy linkage control device for managing host policies based on firewall policy linkage, the host policy linkage control device comprising:
an association module, for analyzing the association between a firewall security policy and a target managed server;
a policy conversion module, for converting the firewall security policy associated with the target managed server into a control policy that the target managed server can recognize;
a policy distribution module, for issuing the corresponding control policy to the target managed server.
Optionally, the host policy linkage control device further comprises:
a policy status monitoring module, for periodically checking the control policy of the managed server and, if it is found to be inconsistent with the firewall security policy, raising an alarm or re-synchronizing the policy.
Optionally, the host policy linkage control device further comprises:
a policy conversion module, for converting the firewall security policy into an access control policy that the managed server can recognize.
Optionally, the host policy linkage control device further comprises:
a policy analysis module, for analyzing the content of the preset correlation rule of the security policy and parsing out the source, destination and access port that the preset correlation rule of the security policy involves.
The second aspect of the embodiments of the present application also shows a system for managing host policies based on firewall policy linkage, the system comprising: the host policy linkage control software integrated on the firewall, and the managed servers connected to the firewall over the network;
the managed server is for receiving control policies;
the relationship between the modules of the host policy linkage control device is as shown in Figure 5:
the host policy linkage control device comprises:
an association module, for analyzing the association between a firewall security policy and a target managed server;
a policy conversion module, for converting the firewall security policy associated with the target managed server into a control policy that the target managed server can recognize;
a policy distribution module, for issuing the corresponding control policy to the target managed server.
Optionally, the host policy linkage control device further comprises:
a policy status monitoring module, for periodically checking the control policy of the managed server and, if it is found to be inconsistent with the firewall security policy, raising an alarm or re-synchronizing the policy.
Optionally, the host policy linkage control device further comprises:
a policy conversion module, for converting the firewall security policy into an access control policy that the managed server can recognize.
Optionally, the host policy linkage control device further comprises:
a policy analysis module, for analyzing the content of the preset correlation rule of the security policy and parsing out the source, destination and access port that the preset correlation rule of the security policy involves.
The working principle of the invention is as follows:
The policy analysis module takes the currently configured firewall security policies as input, analyzes the rule content of each security policy and parses out the source, destination, access port and so on that the rule involves; it then calls the policy association module, which determines which managed server the rule relates to and associates the rule with that managed server.
Once the association between the managed server and the security policy has been established, the policy conversion module is called to convert the associated firewall security policy into an access control policy that the managed server can recognize, and the converted access control policy is passed to the policy distribution module. The policy distribution module, together with the management module of the host policy linkage control device, distributes the access control policy to the managed server.
The policy status monitoring module periodically checks the access control policies on the managed server; if it finds them inconsistent with the security policies on the firewall, it raises an alarm or re-synchronizes the policy, as configured, so that the two policies always stay consistent.
As can be seen from the above technical solution, the embodiments of the present application show a method and system for managing host policies based on firewall policy linkage, the method comprising: analyzing a firewall security policy; determining a target managed server, the target managed server being the managed server associated with the firewall security policy; and sending the firewall security policy to the target managed server. In the technical solution shown in the embodiments of the present application, the policy management capability of the host policy linkage control device is integrated into the firewall module, so there is no need to separately purchase and deploy a host policy management center software, which reduces financial expenditure and the corresponding maintenance work. At the same time, the access control policies of the managed servers are derived from the firewall security policies, so the administrator no longer needs to configure access control policies for each managed server individually, which reduces the configuration and maintenance workload while also ensuring policy consistency between the network side and the managed servers.
Other embodiments of the invention will readily occur to those skilled in the art after considering the specification and practicing the invention disclosed herein. This application is intended to cover any variations, uses or adaptations of the invention that follow the general principles of the invention and include such departures from the present disclosure as come within common knowledge or customary practice in the art. The specification and examples are to be considered as illustrative only, with the true scope and spirit of the invention being indicated by the following claims.
It should be understood that the present invention is not limited to the precise structure described above and shown in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present invention is limited only by the appended claims.
It is worth noting that, in a specific implementation, the present application also provides a computer storage medium, which may store a program which, when executed, may include some or all of the steps of the embodiments of the user-identity service providing method or user registration method provided by the present application. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM) or the like.
Those skilled in the art can clearly understand that the technology in the embodiments of the present application can be implemented by software plus a necessary general-purpose hardware platform. Based on this understanding, the technical solution in the embodiments of the present application, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product, which can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disk and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments of the present application or in certain parts of the embodiments.
The same and similar parts of the embodiments in this specification may be referred to each other. In particular, the embodiments of the user-identity service providing apparatus or user registration device are described relatively simply because they are substantially similar to the method embodiments; for the relevant parts, refer to the description of the method embodiments.
Other embodiments of the application will readily occur to those skilled in the art after considering the specification and practicing the invention disclosed herein. This application is intended to cover any variations, uses or adaptations of the application that follow the general principles of the application and include such departures from the present disclosure as come within common knowledge or customary practice in the art. The specification and examples are to be considered as illustrative only, with the true scope and spirit of the application being indicated by the following claims.

Claims (9)

1. A method of managing host policies based on firewall policy linkage, characterized in that the method comprises:
analyzing a firewall security policy;
determining a target managed server, the target managed server being the managed server associated with the firewall security policy;
sending the firewall security policy to the target managed server.
2. The method according to claim 1, characterized in that the method further comprises:
accessing the control policy of the managed server;
judging whether the control policy is consistent with the firewall security policy;
if inconsistent, raising an alarm or re-synchronizing the policy.
3. The method according to claim 1, characterized in that the step of sending the firewall security policy to the target managed server comprises:
converting the firewall security policy into a control policy that the target managed server can recognize;
sending the control policy to the target managed server.
4. The method according to claim 1, characterized in that the step of determining the target managed server comprises:
parsing the preset correlation rule of the firewall security policy;
traversing the array of managed servers and determining the managed server that satisfies the preset correlation rule to be the target managed server;
establishing the association with the target managed server.
5. The method according to claim 4, characterized in that the preset correlation rule is set based on source address, source port, destination address and destination port.
6. A system for managing host policies based on firewall policy linkage, the system comprising: a host policy linkage control device integrated on a firewall, and a managed server connected to the firewall over the network;
the managed server is for receiving control policies;
the host policy linkage control device comprises:
an association module, for analyzing the association between a firewall security policy and a target managed server;
a policy conversion module, for converting the firewall security policy associated with the target managed server into a control policy that the target managed server can recognize;
a policy distribution module, for issuing the corresponding control policy to the target managed server.
7. The system according to claim 6, characterized in that the host policy linkage control device further comprises:
a policy status monitoring module, for periodically checking the control policy of the managed server and, if it is found to be inconsistent with the firewall security policy, raising an alarm or re-synchronizing the policy.
8. The system according to claim 6, characterized in that the host policy linkage control device further comprises:
a policy conversion module, for converting the firewall security policy into an access control policy that the managed server can recognize.
9. The system according to claim 6, characterized in that the host policy linkage control device further comprises:
a policy analysis module, for analyzing the content of the preset correlation rule of the security policy and parsing out the source, destination and access port that the preset correlation rule of the security policy involves.
CN201811555668.7A 2018-12-19 2018-12-19 Method and system for managing host policies based on firewall policy linkage Pending CN109413110A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811555668.7A CN109413110A (en) 2018-12-19 2018-12-19 Method and system for managing host policies based on firewall policy linkage

Publications (1)

Publication Number Publication Date
CN109413110A true CN109413110A (en) 2019-03-01

Family ID=65459920

Country Status (1)

Country Link
CN (1) CN109413110A (en)


Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101184088A (en) * 2007-12-14 2008-05-21 浙江工业大学 Multi-point interlinked LAN firewall cooperating method
CN104202333A (en) * 2014-09-16 2014-12-10 浪潮电子信息产业股份有限公司 Implementation method of distributed firewall
US20140380414A1 (en) * 2012-03-02 2014-12-25 Hassen Saidi Method and system for application-based policy monitoring and enforcement on a mobile device
CN105516099A (en) * 2015-11-30 2016-04-20 北京奇艺世纪科技有限公司 Business side access method and device, and business side access rule configuration method and device
CN105592088A (en) * 2015-12-24 2016-05-18 北京奇虎科技有限公司 Virtual machine flow monitoring method and device, and terminal
CN105812326A (en) * 2014-12-29 2016-07-27 北京网御星云信息技术有限公司 Heterogeneous firewall strategy centralized control method and heterogeneous firewall strategy centralized control system
CN105871930A (en) * 2016-06-21 2016-08-17 上海携程商务有限公司 Self-adaptive firewall security policy configuration method and system based on applications
CN108429743A (en) * 2018-02-28 2018-08-21 新华三信息安全技术有限公司 A kind of security policy configuration method, system, domain control server and firewall box

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112152854A (en) * 2020-09-25 2020-12-29 绿盟科技集团股份有限公司 Information processing method and device
CN112152854B (en) * 2020-09-25 2023-11-07 绿盟科技集团股份有限公司 Information processing method and device
CN113098851A (en) * 2021-03-25 2021-07-09 广州虎牙科技有限公司 Method, device, system, equipment and medium for implementing virtual firewall
CN113965402A (en) * 2021-11-01 2022-01-21 安天科技集团股份有限公司 Configuration method and device of firewall security policy and electronic equipment


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190301