CN109688093B - Firewall policy verification method, system, device and readable storage medium - Google Patents

Info

Publication number: CN109688093B
Authority: CN (China)
Prior art keywords: firewall policy; verification request; file; verification; firewall
Legal status: Active
Application number: CN201811008170.9A
Other languages: Chinese (zh)
Other versions: CN109688093A (en)
Inventors: 翟士才, 马晓龙, 朱皓, 祁明远, 李林鸽
Current assignee: Ping An Technology Shenzhen Co Ltd
Original assignee: Ping An Technology Shenzhen Co Ltd
Events: application filed by Ping An Technology Shenzhen Co Ltd; priority to CN201811008170.9A; priority to PCT/CN2018/122804 (WO2020042471A1); publication of CN109688093A; application granted; publication of CN109688093B

Classifications

    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls (H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L63/00 Network architectures or network communication protocols for network security)
    • H04L43/50 Testing arrangements (H04L43/00 Arrangements for monitoring or testing data switching networks)
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations (H04L63/08 Authentication of entities)
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/08 Protocols specially adapted for terminal emulation, e.g. Telnet (H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/01 Protocols)

Abstract

The invention provides a firewall policy verification method, system, device and readable storage medium. The firewall policy verification method comprises the following steps: when the front end detects a firewall policy verification request, the front end checks the request and, when the request passes the check, sends it to a background server; the background server receives the firewall policy verification request sent by the front end and performs a remote login operation on each source host in the request; and after the remote login to each source host in the request succeeds, the background server sends the firewall policy in the request to the corresponding source host for verification. The method and device effectively improve the convenience of firewall policy verification and reduce the waste of background resources.

Description

Firewall policy verification method, system, device and readable storage medium
Technical Field
The invention relates to the technical field of information network security, in particular to a firewall policy verification method, a firewall policy verification system, firewall policy verification equipment and a readable storage medium.
Background
With the rapid development of network technology, more and more enterprises use networks for personnel management, product sales, business consultation and the like. To provide these functions, each company needs to build a number of servers, and to improve the security of the enterprise's internal network the policies configured on its firewalls need to be verified; this is firewall policy verification. Specifically, when different services in the production environment of an enterprise system access each other, an operator logs in to a server and enters a verification instruction that tests the firewall policy set for the accessed service, and the result of whether the firewall passes the check is returned, which confirms whether the two services have access and the required access permissions.
At present, firewall policy verification is done by a verifier manually entering the IP of the host to be verified into a test tool. When many hosts need their policies verified, the user has to log in to different servers manually, or verify multiple hosts or multiple services to be accessed one by one on the same server, which makes firewall policy verification very tedious and inconvenient.
Therefore, how to improve the convenience of firewall policy verification and reduce the waste of background resources is an urgent problem to be solved at present.
Disclosure of Invention
The invention mainly aims to provide a firewall policy verification method, a firewall policy verification system, firewall policy verification equipment and a readable storage medium, and aims to improve the convenience of firewall policy verification and avoid waste of background resources.
In order to achieve the above object, the present invention provides a firewall policy verification method, including the following steps:
when the front end monitors a firewall policy verification request, the front end verifies the firewall policy verification request, and when the firewall policy verification request passes the verification, the front end sends the firewall policy verification request to a background server;
the background server receives a firewall policy verification request sent by the front end and executes remote login operation on each source host in the firewall policy verification request;
and after the remote login of each source host in the firewall policy verification request is successful, the background server sends the firewall policy in the firewall policy verification request to the corresponding source host for verification.
Optionally, the step of performing a remote login operation on each source host in the firewall policy verification request includes:
the background server acquires key information of a service host and pushes a preset script and the key information to each source host in the firewall policy verification request;
the source hosts execute the preset scripts, write the key information into the configuration files of the source hosts, and return script execution results to the background server;
and when the background server receives script execution results returned by the source hosts, executing secret-free login authentication on the source hosts, and logging in the source hosts when the secret-free login authentication of the source hosts passes.
Optionally, the step of performing a remote login operation on each source host in the firewall policy verification request includes:
the background server calls a preset interface to acquire login passwords of all source hosts in the firewall policy verification request;
and the background server sends the login password of each source host in the firewall policy verification request to the corresponding source host so as to remotely log in each source host.
Optionally, the step of verifying the firewall policy verification request by the front end includes:
the front end determines whether a firewall policy file exists in the firewall policy verification request;
if the firewall policy verification request contains a firewall policy file, the front end verifies the firewall policy file in the firewall policy verification request;
when the firewall policy file in the firewall policy verification request passes verification, the front end analyzes the firewall policy file to obtain a firewall policy and verifies the firewall policy.
Optionally, the step of verifying, by the front end, the firewall policy file in the firewall policy verification request includes:
the front end acquires the attribute information of the firewall policy file from the firewall policy verification request and judges whether the file format in the attribute information is a preset format or not;
if the file format in the attribute information is a preset format, the front end judges whether the byte number of the file in the attribute information is smaller than or equal to a preset threshold value or not;
if the byte number of the file in the attribute information is smaller than or equal to a preset threshold value, the front end determines that the firewall policy file passes the verification, otherwise, the front end determines that the firewall policy file does not pass the verification.
Optionally, after the step of sending the firewall policy in the firewall policy validation request to the corresponding source host for validation, the method further includes:
the background server receives firewall policy verification results returned by the source hosts and sends the firewall policy verification results to the front end;
and the front end screens the firewall policy verification results according to preset screening conditions and displays the screened firewall policy verification results.
Optionally, the firewall policy verification method further includes:
the front end reads a background server state value in a preset storage area and determines the state of the background server according to the background server state value;
if the state of the background server is the firewall policy verification state, the front end locks the current page submission button, and when the front end monitors that the state of the background server is changed from the firewall policy verification state to the idle state, the front end unlocks the current page submission button.
In addition, to achieve the above object, the present invention further provides a firewall policy verification system, including a front end and a background server, wherein the front end comprises a check module and the background server comprises a remote login module and a policy verification module, and wherein
the check module is used for checking the firewall policy verification request when the front end monitors the firewall policy verification request and sending the firewall policy verification request to a background server when the firewall policy verification request passes the check;
the remote login module is used for receiving the firewall policy verification request sent by the front end and executing remote login operation on each source host in the firewall policy verification request;
and the policy verification module is used for sending the firewall policy in the firewall policy verification request to the corresponding source host for verification after the remote login of each source host in the firewall policy verification request is successful.
In addition, to achieve the above object, the present invention further provides a firewall policy validation device, which includes a processor, a memory, and a firewall policy validation program stored on the memory and executable by the processor, wherein when the firewall policy validation program is executed by the processor, the steps of the firewall policy validation method as described above are implemented.
In addition, to achieve the above object, the present invention further provides a readable storage medium, on which a firewall policy validation program is stored, wherein when the firewall policy validation program is executed by a processor, the steps of the firewall policy validation method are implemented.
The invention provides a firewall policy verification method, system, device and readable storage medium. The front end checks the firewall policy verification request it detects and, only after the request passes the check, sends it to the background server; the background server performs a remote login operation on each source host in the request and, after the remote login succeeds, sends the firewall policy in the request to the corresponding source host for verification. Because the front end checks the request before sending it to the background server, and sends it only when it passes the check, the waste of background resources is effectively reduced; and because the background server can automatically log in to each source host remotely, the user neither needs to log in to different servers manually nor to verify several hosts or several services to be accessed one by one on the same server, so the convenience of firewall policy verification is effectively improved.
Drawings
Fig. 1 is a schematic hardware structure diagram of a firewall policy verification apparatus according to embodiments of the present invention;
Fig. 2 is a flowchart illustrating a firewall policy verification method according to a first embodiment of the present invention;
Fig. 3 is a detailed flowchart of step S101 in the third embodiment of the present invention;
Fig. 4 is a functional block diagram of a firewall policy verification system according to a first embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The firewall policy verification method according to the embodiment of the present invention is mainly applied to firewall policy verification equipment, which may be equipment with display and processing functions, such as a PC (personal computer), a portable computer, and a mobile terminal.
Referring to fig. 1, fig. 1 is a schematic diagram of a hardware structure of a firewall policy verification device according to an embodiment of the present invention. In this embodiment of the present invention, the firewall policy verification apparatus may include a processor 1001 (e.g., a Central Processing Unit, CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used for realizing connection and communication among the components; the user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard); the network interface 1004 may optionally include a standard wired interface or a wireless interface (e.g., a WI-FI interface); the memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory), and optionally the memory 1005 may be a storage system independent of the processor 1001. Those skilled in the art will appreciate that the hardware configuration depicted in fig. 1 is not intended to limit the present invention, and may include more or fewer components than those shown, some components in combination, or a different arrangement of components.
With continued reference to fig. 1, the memory 1005 of fig. 1, which is one type of readable storage medium, may include an operating system, a network communication module, and a firewall policy validation program. In fig. 1, the network communication module is mainly used for connecting to a server and performing data communication with the server; the processor 1001 may call the firewall policy validation program stored in the memory 1005, and execute the firewall policy validation method provided in the embodiment of the present invention.
The embodiment of the invention provides a firewall policy verification method.
Referring to fig. 2, fig. 2 is a flowchart illustrating a firewall policy verification method according to a first embodiment of the present invention.
In this embodiment, the firewall policy verification method includes the following steps:
step S101, when the front end monitors a firewall policy verification request, the front end verifies the firewall policy verification request, and when the firewall policy verification request passes the verification, the front end sends the firewall policy verification request to a background server;
step S102, a background server receives a firewall policy verification request sent by a front end and executes remote login operation on each source host in the firewall policy verification request;
and step S103, after the remote login of each source host in the firewall policy verification request is successful, the background server sends the firewall policy in the firewall policy verification request to the corresponding source host for verification.
At present, firewall policy verification is done by a verifier manually entering the IP of the host to be verified into a test tool. When many hosts need their policies verified, the user has to log in to different servers manually, or verify multiple hosts or multiple services to be accessed one by one on the same server, which makes firewall policy verification very tedious and inconvenient. In view of the above problems, this embodiment provides a firewall policy verification method, whose steps are described in detail below:
step S101, when the front end monitors a firewall policy verification request, the front end verifies the firewall policy verification request, and when the firewall policy verification request passes the verification, the front end sends the firewall policy verification request to a background server;
In this embodiment, host information entered by a user is received through a front-end page, and after receiving it the front end triggers a firewall policy verification request carrying the host information, where the host information includes, but is not limited to, a source host IP, a target host IP and a port. When the front end detects a firewall policy verification request, it checks the request, sends it to the background server if it passes the check, and displays a reminder if it does not. In a specific implementation, the firewall policy can be entered by uploading an attachment, that is, a firewall policy file is uploaded and parsed to obtain the firewall policy; entering the policy by upload avoids typing it in manually and improves the convenience of input. The objects checked include, but are not limited to, the firewall policy file in the firewall policy verification request and the host information in that file, namely the source host IP, the target host IP and the port.
Specifically, if no firewall policy file is present in the firewall policy verification request, the front end takes the host information directly from the request, classifies it, and checks each category against the verification rule for that category. For the source host IP and target host IP categories, a regular expression checks whether the input is an IP; if it is not, the check fails, and if it is, the check passes. For the port, a non-null check and a numeric type check are performed, that is, whether a port was entered at all and whether its data type is a number; if no port was entered or the entered port is not a number, the check fails, and if it is a number, the check passes. For the physical host and cloud host options, the check passes only if the user has selected at least one of physical host firewall verification and cloud host firewall verification. A user can also enter several application IPs through the front end by joining them with a separator character agreed with the background server, producing one character string carrying all of the IPs; the background server receives the string, splits it into single IPs at the agreed separator, and checks each IP with the regular expression.
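As an added illustration of the front-end checks just described (example code written for this page, not code from the patent or its assignee): IPs are checked with a regular expression, the port gets a non-null and numeric check, at least one of physical or cloud host verification must be selected, a multi-IP string is split at the agreed separator, and an uploaded policy file is checked by format and byte count as in the claims. The preset format `txt`, the 1 MiB threshold, the `;` separator and the extra port range check are assumptions made here, not values from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumptions (not given on the page): preset file format, size threshold and the
# separator agreed between front end and background server.
ALLOWED_FORMATS = {"txt"}
MAX_FILE_BYTES = 1024 * 1024
IP_SEPARATOR = ";"

# Dotted-quad IPv4: four octets, each 0-255, anchored so trailing junk fails.
_OCTET = r"(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_RE = re.compile(rf"^{_OCTET}(\.{_OCTET}){{3}}$")


@dataclass
class PolicyFileAttrs:
    """Attribute information of an uploaded firewall policy file."""
    file_format: str
    byte_count: int


@dataclass
class VerificationRequest:
    """Host information carried by a firewall policy verification request."""
    source_ips: str            # one or more IPs joined by IP_SEPARATOR
    target_ip: str
    port: object               # raw form input: may be None or a non-numeric string
    verify_physical: bool      # physical host firewall verification selected
    verify_cloud: bool         # cloud host firewall verification selected
    policy_file: Optional[PolicyFileAttrs] = None


def split_ips(raw: str) -> List[str]:
    """Split the agreed-separator string into single IPs, dropping empty pieces."""
    return [p.strip() for p in raw.split(IP_SEPARATOR) if p.strip()]


def is_ip(value: str) -> bool:
    """Regular-expression IP check used for source and target host IPs."""
    return bool(IPV4_RE.match(value))


def check_port(port) -> Optional[str]:
    """Non-null check, then numeric type check; range check is an addition."""
    if port is None or str(port).strip() == "":
        return "port not entered"
    s = str(port).strip()
    if not s.isdigit():
        return "port is not a number"
    if not 0 < int(s) <= 65535:
        return "port out of range"
    return None


def check_policy_file(attrs: PolicyFileAttrs) -> Optional[str]:
    """Format check first, then byte count against the preset threshold."""
    if attrs.file_format.lower() not in ALLOWED_FORMATS:
        return "file format not allowed"
    if attrs.byte_count > MAX_FILE_BYTES:
        return "file exceeds size threshold"
    return None


def check_request(req: VerificationRequest) -> List[str]:
    """Return all check failures; an empty list means the request may be sent on."""
    if req.policy_file is not None:
        err = check_policy_file(req.policy_file)
        if err:
            return [err]   # a file that fails the attribute check is not parsed further
    errors: List[str] = []
    sources = split_ips(req.source_ips)
    if not sources:
        errors.append("no source IP entered")
    for ip in sources:
        if not is_ip(ip):
            errors.append(f"source IP invalid: {ip}")
    if not is_ip(req.target_ip):
        errors.append(f"target IP invalid: {req.target_ip}")
    err = check_port(req.port)
    if err:
        errors.append(err)
    if not (req.verify_physical or req.verify_cloud):
        errors.append("select at least one of physical host / cloud host verification")
    return errors


if __name__ == "__main__":
    # Constructed sample input: two source hosts, one target, one port.
    req = VerificationRequest("10.0.0.1;10.0.0.2", "10.1.2.3", "443", True, False)
    print(check_request(req) or "request passes the front-end check")
```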
Furthermore, during the check the front end can also check the verification status of the background server: it reads a background server state value from a preset storage area and determines the state of the background server from that value, where a value of '0' means the background server is idle and a value of '1' means it is in the firewall policy verification state. If the background server is in the firewall policy verification state, the front end locks the page's submit button, and it unlocks the button when it observes the state change from the firewall policy verification state to the idle state. Checking the verification status in this way prevents the user from repeatedly submitting firewall policies, which would add workload to the background server and reduce efficiency (the more firewall policies there are to verify, the longer the background server needs to process them).
Step S102, a background server receives a firewall policy verification request sent by a front end and executes remote login operation on each source host in the firewall policy verification request;
In this embodiment, the background server receives the firewall policy verification request sent by the front end and performs a remote login operation on each source host in the request. The remote login to each source host can be done in two ways: remote password-free (secret-free) login based on a key, or remote login with a password fetched through an interface.
Remote password-free login uses a service host that manages all hosts and services and can log in to every managed host and service remotely without a password. Specifically, the background server obtains the key information of the service host and calls the cloud interface to push a preset script together with the key information to each source host. Each source host executes the preset script, which detects whether the key information already exists in the source host's configuration file: if it does, the preset script deletes itself; if it does not, the script writes the key information into the configuration file. As a result the service host is in the trust list of each source host, and with the login information list and the key information of the service host each source host can be logged in to remotely without a password. Different servers no longer need to be logged in to manually, which effectively improves the convenience of firewall policy verification.
For remote login with a fetched password, when the background server receives the firewall policy verification request it calls an interface by constructing (concatenating) a URL to obtain the login password of each source host, and then logs in to each source host remotely in the specified-password mode, that is, it sends an instruction carrying the IP and the login password to the corresponding source host. Each source host can thus be logged in to remotely without logging in to different servers manually, which effectively improves the convenience of firewall policy verification.
And step S103, after the remote login of each source host in the firewall policy verification request is successful, the background server sends the firewall policy in the firewall policy verification request to the corresponding source host for verification.
In this embodiment, after the remote login to each source host in the firewall policy verification request succeeds, the background server sends the firewall policy in the request to the corresponding source host for verification. Each source host, on receiving the firewall policy, executes a telnet verification instruction to obtain the firewall policy verification result, namely whether the source host can reach the target host, and returns the result to the background server; if the remote login to a source host in the request fails, a reminder message is sent to the front end. The firewall policy verification results include, but are not limited to, connected and unconnected. The background server receives the results returned by each source host and sends them to the front end, which displays them.
Further, the background server receives the firewall policy verification results returned by the source hosts and sends them to the front end, and the front end screens the results according to preset screening conditions and displays the screened results. It should be noted that the preset screening condition may be set by a person skilled in the art based on actual situations, and this embodiment is not particularly limited thereto. This embodiment provides a screening function for firewall policy verification results, which effectively improves the usefulness of those results. In a specific implementation, because the screening labels of the page elements can only screen the firewall policy verification results shown on the current page, all firewall policy verification results are backed up before screening; during screening, while the front-end page is displaying verification results, the backed-up results are used as the screening object, so that all firewall policy verification results can be screened.
In this embodiment, the front end checks the detected firewall policy verification request and sends it to the background server after it passes the check; the background server performs a remote login operation on each source host in the request and, after the remote login succeeds, sends the firewall policy in the request to the corresponding source host for verification. Because the front end checks the request before sending it to the background server, and sends it only when it passes the check, the waste of background resources is effectively reduced; at the same time, the background server can automatically log in to each source host remotely, so the user neither needs to log in to different servers manually nor to verify several hosts or several services to be accessed one by one on the same server, and the convenience of firewall policy verification is effectively improved.
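An added example, not from the patent, of what step S103 and the screening step look like in code: the source-host side check replaces the telnet verification instruction with a TCP connect to target:port and reports `connected` or `unconnected`, the background-server side collects one record per policy, and screening runs over a backup of the full result set rather than the page on display. The record field names, the 3-second timeout and the local listener used to exercise it are assumptions.

```python
import socket
from typing import Dict, List, Tuple

CONNECTED = "connected"
UNCONNECTED = "unconnected"


def verify_policy_on_source_host(target_ip: str, port: int, timeout: float = 3.0) -> str:
    """What a source host does when it receives a policy: try to reach target:port.
    A completed TCP handshake is the same evidence a telnet check gives; a refusal,
    a timeout (typically a filtering firewall) or an unreachable host all count as
    unconnected. The timeout value is an assumption."""
    try:
        with socket.create_connection((target_ip, port), timeout=timeout):
            return CONNECTED
    except OSError:
        return UNCONNECTED


def verify_policies(policies: List[Dict]) -> List[Dict]:
    """Background-server side bookkeeping: one result record per policy.
    In the page's design each check runs on its own source host after remote
    login; here every check runs from this process so the example is self-contained."""
    results = []
    for p in policies:
        results.append({
            "source_ip": p["source_ip"],
            "target_ip": p["target_ip"],
            "port": p["port"],
            "result": verify_policy_on_source_host(p["target_ip"], p["port"]),
        })
    return results


def screen_results(all_results: List[Dict], **conditions) -> List[Dict]:
    """Screen against a backup of the complete result set, so results that are not
    on the currently displayed page are still considered."""
    backup = list(all_results)
    return [r for r in backup if all(r.get(k) == v for k, v in conditions.items())]


def start_local_listener() -> Tuple[socket.socket, int]:
    """Constructed fixture: a listening socket on 127.0.0.1 with an ephemeral port,
    standing in for a reachable target host. The caller closes the socket."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    lsock, open_port = start_local_listener()
    # Constructed sample policies: one reachable target, one closed port.
    closed_sock, closed_port = start_local_listener()
    closed_sock.close()
    policies = [
        {"source_ip": "10.0.0.1", "target_ip": "127.0.0.1", "port": open_port},
        {"source_ip": "10.0.0.1", "target_ip": "127.0.0.1", "port": closed_port},
    ]
    results = verify_policies(policies)
    for r in results:
        print(r)
    print("unconnected only:", screen_results(results, result=UNCONNECTED))
    lsock.close()
```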
Further, a second embodiment of the firewall policy verification method of the present invention is proposed based on the first embodiment, and is different from the foregoing embodiment in that the step S102 includes:
step a1, the background server acquires the key information of the service host, and pushes the preset script and the key information to each source host in the firewall policy verification request;
In this embodiment, a service host is set up that manages all hosts and services and can log in to all of them remotely without a password. When the background server receives a firewall policy verification request sent by the front end, it obtains the key information of the service host and calls a cloud interface to push a preset script and the key information to each source host in the request. The preset script detects whether the key information of the service host already exists in the configuration file of the source host; if it does, the preset script deletes itself, and if it does not, the script writes the key information of the service host into the configuration file of the source host.
Step a2, executing the preset script by each source host, writing the key information into the configuration file of each source host, and returning the script execution result to the background server;
In this embodiment, after receiving the preset script, each source host executes it, writes the key information of the service host into its own configuration file, and returns a script execution result to the background server; the result indicates that the key information of the service host is now present in the configuration file of that source host. Once the configuration file of each source host contains the key information of the service host, the service host is in the trust list of each source host, that is, the background server can log in to each source host in a secret-free manner using the key information of the service host.
Step a3, when the script execution result returned by each source host is received, secret-free login authentication is performed for each source host, and when the secret-free login authentication of a source host passes, that source host is logged in.
In this embodiment, when the background server receives the script execution result returned by a source host, it performs secret-free login authentication against that source host and logs in once the authentication passes. Concretely, the background server sends the key information of the service host to each source host; each source host compares the key information in its configuration file with the received key information of the service host. If the two are the same, the secret-free login authentication passes; if they differ, the secret-free login authentication fails.
Alternatively, the remote login operation may consist of the background server calling a preset interface to obtain the login password of each source host in the firewall policy verification request and sending each login password to the corresponding source host in order to log in remotely. That is, each source host receives the login password sent by the background server and verifies it: if the verification passes, the remote login is allowed; if it does not pass, the remote login is refused. The verification efficiency of the firewall policy can be effectively improved by the above method.
In this embodiment, all hosts and services are managed through the service host, so that secret-free remote login to all managed hosts and services is achieved; the firewall policies of the source hosts under test can be verified at the same time, and the convenience and efficiency of firewall policy verification are effectively improved.
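As an added illustration of steps a1 to a3 (this is not the patent's own script), the following Python code models the preset script's idempotent write of the service host key into a source host's configuration file and the key comparison behind the secret-free login check; the configuration file layout (one trusted key per line), the key strings and the temporary paths are constructed assumptions.

```python
"""Model of the preset script (steps a1-a3). Added example, not the patent's code.

Assumes the source host "configuration file" holds one trusted key per line
(authorized_keys style) and that the "key information" is one public-key line.
Key strings and paths below are constructed for the demo.
"""
import os
import tempfile


def _key_material(line: str) -> str:
    """Comparable part of a key line: key type and base64 body, without the
    trailing comment, so two entries for the same key are recognised as one."""
    parts = line.split()
    return " ".join(parts[:2]) if len(parts) >= 2 else line.strip()


def _trusted_keys(config_path: str) -> set:
    """Key material of every non-comment entry in the configuration file."""
    if not os.path.exists(config_path):
        return set()
    with open(config_path, encoding="utf-8") as fh:
        return {_key_material(ln) for ln in fh if ln.strip() and not ln.startswith("#")}


def ensure_key_present(config_path: str, service_key: str) -> str:
    """What the preset script does on the source host: report "exists" when the
    service host key is already in the configuration file, otherwise append it
    and report "written". The return value is the script execution result that
    the source host sends back to the background server."""
    if _key_material(service_key) in _trusted_keys(config_path):
        return "exists"
    # Create with owner-only permissions and append, so the trusted-key file is
    # never left world-readable and existing entries are not clobbered.
    fd = os.open(config_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a", encoding="utf-8") as fh:
        fh.write(service_key.rstrip("\n") + "\n")
    return "written"


def secret_free_login_check(config_path: str, presented_key: str) -> bool:
    """Step a3 seen from the source host: the login passes only if the key
    information presented by the background server matches a trusted entry."""
    return _key_material(presented_key) in _trusted_keys(config_path)


def demo() -> dict:
    """Run the a1-a3 flow against a constructed temporary configuration file."""
    service_key = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedServiceHostKey000000000 "
                   "service-host")
    untrusted_key = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedOtherKey00000000000000 "
                     "someone-else")
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "trusted_keys")
        first = ensure_key_present(cfg, service_key)                        # "written"
        # A second push with a different comment must not add a duplicate line.
        second = ensure_key_present(cfg, service_key.replace("service-host", "renamed"))
        with open(cfg, encoding="utf-8") as fh:
            entries = sum(1 for ln in fh if ln.strip())
        return {
            "first_push": first,
            "second_push": second,                                            # "exists"
            "entries": entries,                                               # 1
            "service_host_login": secret_free_login_check(cfg, service_key),  # True
            "untrusted_login": secret_free_login_check(cfg, untrusted_key),   # False
        }


if __name__ == "__main__":
    print(demo())
```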
Further, referring to fig. 3, a third embodiment of the firewall policy verification method of the present invention is proposed based on the first or second embodiment, and the difference from the foregoing embodiment is that step S101 includes:
Step S1011, the front end determines whether a firewall policy file exists in the firewall policy verification request;
In this embodiment, the user inputs the firewall policy by uploading an attachment, that is, uploads the firewall policy file through the front-end page, which triggers a firewall policy verification request carrying the firewall policy file. During verification, the front end may first determine whether a firewall policy file exists in the firewall policy verification request; if the request carries no firewall policy file, the front end verifies the firewall policy in the request directly, without performing the verification operation on a firewall policy file.
Step S1012, if a firewall policy file exists in the firewall policy verification request, the front end checks the firewall policy file in the firewall policy verification request;
In this embodiment, if a firewall policy file exists in the firewall policy verification request, the front end checks the firewall policy file in the request. Specifically, the front end obtains attribute information of the firewall policy file from the request, including but not limited to the file format and the file byte number, and determines whether the file format in the attribute information is a preset format: it obtains the file name from the attribute information, splits the file name to obtain the file suffix type, and determines whether that suffix type is a preset type; if it is, the file format in the attribute information is determined to be the preset format, otherwise the file format is determined not to be the preset format. If the file format in the attribute information is the preset format, the front end judges whether the byte number of the file in the attribute information is smaller than or equal to a preset threshold value; if it is, the firewall policy file is determined to pass the check, otherwise the firewall policy file is determined not to pass the check. If the file format in the attribute information is not the preset format, the firewall policy file is likewise determined not to pass the check. It should be noted that the preset format and the preset suffix type may be set by those skilled in the art according to the actual situation and are not specifically limited in this embodiment; optionally, the preset format is excel and the preset suffix type is xls or xlsx.
Step S1013, when the firewall policy file in the firewall policy verification request passes the verification, the front end parses the firewall policy file to obtain the firewall policy, and verifies the firewall policy.
In this embodiment, when the firewall policy file in the firewall policy verification request passes the check, the front end parses the firewall policy file to obtain the firewall policy and verifies it, that is, verifies the IP addresses and ports in the firewall policy, including IP type verification, port non-empty verification, port type verification, and physical host and cloud host verification; the specific verification process is as in the first embodiment and is not repeated here. It should be noted that firewall policy files of different formats are parsed differently, and the parsing method for a firewall policy file may be set by a person skilled in the art according to the actual situation, which is not specifically limited in this embodiment.
In this embodiment, the user can input the firewall policy by uploading an attachment, so a large number of firewall policies need not be entered manually and the convenience of policy input is improved; the front end checks the uploaded attachment file and continues with the subsequent checks only when the file passes, and the firewall policy verification request is sent to the background server only after all checks pass, so the waste of background resources is effectively reduced.
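The front-end checks of steps S1011 to S1013, as an added Python example that is not the patent's own code: the file check looks only at the file name suffix and the byte count, as the text describes, and the per-entry checks cover the IP type, port non-empty and port type checks named above. It assumes the request is a dict, that the spreadsheet rows have already been read out as (source IP, destination IP, port) strings by whatever spreadsheet reader the deployment uses, and a constructed size threshold; physical/cloud host verification is not modelled because this section does not define it.

```python
"""Front-end checks for an uploaded firewall policy file (steps S1011-S1013).

Added example, not the patent's own code. The request dict, the row layout and
the size threshold are constructed assumptions; xls/xlsx are the optional
preset suffix types the text names.
"""
import ipaddress
from typing import Optional

PRESET_SUFFIXES = {"xls", "xlsx"}      # optional preset suffix types from the text
PRESET_MAX_BYTES = 2 * 1024 * 1024     # constructed threshold: 2 MiB


def file_suffix(name: str) -> str:
    """Suffix after the last dot of the bare file name, lower-cased, so
    'Policy.XLS' is accepted and 'policy.xlsx.bak' is judged by its real
    suffix rather than by an inner dot."""
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def check_policy_file(request: dict) -> Optional[str]:
    """Steps S1011/S1012. Return None when the file passes (or no file was
    uploaded, in which case the policy itself is checked directly), else the
    reason it fails. Format is checked before size; neither step reads the
    file content, so this only keeps obviously wrong uploads away from the
    backend and is not a content safety check."""
    f = request.get("file")
    if f is None:
        return None
    if file_suffix(f.get("name", "")) not in PRESET_SUFFIXES:
        return "file format is not the preset format"
    size = f.get("size")
    if not isinstance(size, int) or size < 0:
        return "file byte count missing"
    if size > PRESET_MAX_BYTES:
        return "file byte count exceeds the preset threshold"
    return None


def check_policy_rows(rows) -> list:
    """Step S1013 per-entry checks named in the text: IP type, port non-empty,
    port type. Returns one message per failing field, prefixed by row index."""
    problems = []
    for i, (src, dst, port) in enumerate(rows, start=1):
        for label, value in (("source IP", src), ("destination IP", dst)):
            try:
                ipaddress.ip_address(str(value or "").strip())
            except ValueError:
                problems.append(f"row {i}: {label} {value!r} is not a valid IP address")
        port = str(port or "").strip()
        if not port:
            problems.append(f"row {i}: port is empty")
        elif not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"row {i}: port {port!r} is not a valid port number")
    return problems


if __name__ == "__main__":
    # Constructed request and rows, as a spreadsheet reader would hand them over.
    print(check_policy_file({"file": {"name": "policy.xlsx", "size": 1024}}))
    print(check_policy_rows([("10.0.0.1", "10.0.1.5", "443"),
                             ("10.0.0.300", "10.0.1.5", ""),
                             ("10.0.0.2", "fe80::1", "70000")]))
```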
In addition, the embodiment of the invention also provides a firewall policy verification system.
Referring to fig. 4, fig. 4 is a functional module diagram of a firewall policy validation system according to a first embodiment of the present invention.
The firewall policy verification system of the present invention is a virtual system stored in the memory 1005 of the firewall policy verification device shown in fig. 1 and used to implement all functions of the firewall policy verification program: when a firewall policy verification request is monitored, the request is checked and, when it passes the check, sent to a background server; the background server receives the firewall policy verification request sent by the front end and performs a remote login operation on each source host in the request; and after the remote login to each source host in the request succeeds, the background server sends the firewall policy in the request to the corresponding source host for verification.
Specifically, in this embodiment, the firewall policy verification system includes a front end 100 and a background server 200; the front end 100 comprises a check module 101, and the background server 200 comprises a remote login module 201 and a policy verification module 202, wherein:
the verification module 101 is configured to verify the firewall policy verification request when the front end monitors the firewall policy verification request, and send the firewall policy verification request to the background server when the firewall policy verification request passes the verification;
the remote login module 201 is configured to receive a firewall policy verification request sent by the front end, and perform a remote login operation on each source host in the firewall policy verification request;
the policy verification module 202 is configured to, after each source host in the firewall policy verification request successfully logs in remotely, send the firewall policy in the firewall policy verification request to the corresponding source host for verification.
Further, the remote login module 201 is further configured to:
acquiring key information of a service host, and pushing a preset script and the key information to each source host in the firewall policy verification request;
the source hosts execute the preset scripts, write the key information into the configuration files of the source hosts, and return script execution results to the background server;
and when receiving a script execution result returned by each source host, executing secret-free login authentication on each source host, and logging in each source host when the secret-free login authentication of each source host passes.
Further, the remote login module 201 is further configured to:
calling a preset interface to acquire login passwords of all source hosts in the firewall policy verification request;
and sending the login password of each source host in the firewall policy verification request to the corresponding source host so as to remotely log in each source host.
Further, the verification module 101 is further configured to:
determining whether a firewall policy file exists in the firewall policy verification request;
if the firewall policy verification request contains a firewall policy file, verifying the firewall policy file in the firewall policy verification request;
when the firewall policy file in the firewall policy verification request passes verification, parsing the firewall policy file to obtain a firewall policy, and verifying the firewall policy.
Further, the verification module 101 is further configured to:
acquiring attribute information of the firewall policy file from the firewall policy verification request, and judging whether the file format in the attribute information is a preset format or not;
if the file format in the attribute information is a preset format, judging whether the number of bytes of the file in the attribute information is smaller than or equal to a preset threshold value or not;
and if the byte number of the file in the attribute information is smaller than or equal to a preset threshold value, determining that the firewall policy file passes the verification, otherwise, determining that the firewall policy file does not pass the verification by the front end.
Further, the background server further comprises:
the receiving and sending module is used for receiving firewall policy verification results returned by the source hosts and sending the firewall policy verification results to the front end;
and the front end screens the firewall policy verification results according to preset screening conditions and displays the screened firewall policy verification results.
Further, the front end further comprises:
the state determining module is used for reading a background server state value in a preset storage area and determining the state of the background server according to the background server state value;
and the button control module is used for locking the current page submission button if the state of the background server is the firewall policy verification state, and unlocking the current page submission button if the state of the background server is monitored to be changed from the firewall policy verification state to the idle state.
The function implementation of each module in the firewall policy validation system corresponds to each step in the firewall policy validation method embodiment, and the function and implementation process are not described in detail here.
In addition, the embodiment of the invention also provides a readable storage medium.
The readable storage medium of the present invention stores a firewall policy validation program, wherein the firewall policy validation program, when executed by a processor, implements the steps of the firewall policy validation method as described above.
The method implemented when the firewall policy validation program is executed may refer to each embodiment of the firewall policy validation method of the present invention, and will not be described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (8)

1. A firewall policy verification method is characterized by comprising the following steps:
when the front end monitors a firewall policy verification request, the front end verifies the firewall policy verification request, and when the firewall policy verification request passes the verification, the front end sends the firewall policy verification request to a background server; the step of verifying the firewall policy verification request by the front end includes: the front end determines whether a firewall policy file exists in the firewall policy verification request; if the firewall policy verification request contains a firewall policy file, the front end verifies the firewall policy file in the firewall policy verification request; when the firewall policy file in the firewall policy verification request passes verification, the front end analyzes the firewall policy file to obtain a firewall policy and verifies the firewall policy; the step of verifying the firewall policy file in the firewall policy verification request by the front end comprises the following steps: the front end acquires the attribute information of the firewall policy file from the firewall policy verification request and judges whether the file format in the attribute information is a preset format or not; if the file format in the attribute information is a preset format, the front end judges whether the byte number of the file in the attribute information is smaller than or equal to a preset threshold value or not; if the byte number of the file in the attribute information is smaller than or equal to a preset threshold value, the front end determines that the firewall policy file passes the verification, otherwise, the front end determines that the firewall policy file does not pass the verification;
the background server receives a firewall policy verification request sent by the front end and executes remote login operation on each source host in the firewall policy verification request;
and after the remote login of each source host in the firewall policy verification request is successful, the background server sends the firewall policy in the firewall policy verification request to the corresponding source host for verification.
2. The firewall policy verification method of claim 1, wherein performing the remote login operation on each source host in the firewall policy verification request comprises:
the background server acquires key information of a service host and pushes a preset script and the key information to each source host in the firewall policy verification request;
the source hosts execute the preset scripts, write the key information into the configuration files of the source hosts, and return script execution results to the background server;
and when the background server receives script execution results returned by the source hosts, executing secret-free login authentication on the source hosts, and logging in the source hosts when the secret-free login authentication of the source hosts passes.
3. The firewall policy verification method of claim 1, wherein performing the remote login operation on each source host in the firewall policy verification request comprises:
the background server calls a preset interface to acquire login passwords of all source hosts in the firewall policy verification request;
and the background server sends the login password of each source host in the firewall policy verification request to the corresponding source host so as to remotely log in each source host.
4. The firewall policy validation method according to any one of claims 1 to 3, wherein after the step of sending the firewall policy in the firewall policy validation request to the corresponding source host for validation, the method further comprises:
the background server receives firewall policy verification results returned by the source hosts and sends the firewall policy verification results to the front end;
and the front end screens the firewall policy verification results according to preset screening conditions and displays the screened firewall policy verification results.
5. The firewall policy validation method of any one of claims 1-3, further comprising:
the front end reads a background server state value in a preset storage area and determines the state of the background server according to the background server state value;
if the state of the background server is the firewall policy verification state, the front end locks the current page submission button, and when the front end monitors that the state of the background server is changed from the firewall policy verification state to the idle state, the front end unlocks the current page submission button.
6. A firewall policy verification system, comprising a front end and a background server, wherein the front end comprises a check module and the background server comprises a remote login module and a policy verification module, wherein
the check module is used for checking the firewall policy verification request by the front end when the front end monitors the firewall policy verification request and sending the firewall policy verification request to a background server when the firewall policy verification request passes the check; the step of verifying the firewall policy verification request by the front end includes: the front end determines whether a firewall policy file exists in the firewall policy verification request; if the firewall policy verification request contains a firewall policy file, the front end verifies the firewall policy file in the firewall policy verification request; when the firewall policy file in the firewall policy verification request passes verification, the front end analyzes the firewall policy file to obtain a firewall policy and verifies the firewall policy; the step of verifying the firewall policy file in the firewall policy verification request by the front end comprises the following steps: the front end acquires the attribute information of the firewall policy file from the firewall policy verification request and judges whether the file format in the attribute information is a preset format or not; if the file format in the attribute information is a preset format, the front end judges whether the byte number of the file in the attribute information is smaller than or equal to a preset threshold value or not; if the byte number of the file in the attribute information is smaller than or equal to a preset threshold value, the front end determines that the firewall policy file passes the verification, otherwise, the front end determines that the firewall policy file does not pass the verification;
the remote login module is used for receiving a firewall policy verification request sent by the front end and executing remote login operation on each source host in the firewall policy verification request;
and the policy verification module is used for sending the firewall policy in the firewall policy verification request to the corresponding source host for verification after the remote login of each source host in the firewall policy verification request is successful.
7. A firewall policy validation apparatus comprising a processor, a memory, and a firewall policy validation program stored on the memory and executable by the processor, wherein the firewall policy validation program when executed by the processor implements the steps of the firewall policy validation method of any of claims 1 to 5.
8. A readable storage medium having stored thereon a firewall policy validation program, wherein the firewall policy validation program, when executed by a processor, implements the steps of the firewall policy validation method of any of claims 1-5.
CN201811008170.9A 2018-08-31 2018-08-31 Firewall policy verification method, system, device and readable storage medium Active CN109688093B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201811008170.9A CN109688093B (en) 2018-08-31 2018-08-31 Firewall policy verification method, system, device and readable storage medium
PCT/CN2018/122804 WO2020042471A1 (en) 2018-08-31 2018-12-21 Firewall policy verification method, system and device, and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811008170.9A CN109688093B (en) 2018-08-31 2018-08-31 Firewall policy verification method, system, device and readable storage medium

Publications (2)

Publication Number Publication Date
CN109688093A CN109688093A (en) 2019-04-26
CN109688093B true CN109688093B (en) 2021-06-04
Also Published As

Publication number Publication date
WO2020042471A1 (en) 2020-03-05
CN109688093A (en) 2019-04-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant