CN110138742A - Firewall policy optimization method, system and computer readable storage medium - Google Patents


Info

Publication number: CN110138742A
Authority: CN (China)
Prior art keywords: policy, list, ranking, policy optimization, ranking number
Legal status: Granted
Application number: CN201910307041.8A
Other languages: Chinese (zh)
Other versions: CN110138742B (en)
Inventors: 叶飞 (Ye Fei), 刘亚军 (Liu Yajun)
Current assignee: ZTE ICT Technologies Co Ltd
Original assignee: ZTE ICT Technologies Co Ltd
Current legal status: Expired - Fee Related


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The present invention provides a firewall policy optimization method, a firewall policy optimization system and a computer-readable storage medium. The firewall policy optimization method comprises: obtaining all policies of a firewall and generating a first list; obtaining the hit count of each policy and sorting the policies by hit count in descending order to generate a second list; taking the policies out of the second list one by one and determining whether the ranking number of the policy in the second list is smaller than its ranking number in the first list; when the ranking number in the second list is smaller than the ranking number in the first list, optimizing the ranking of the policy in the first list; and generating a third list from the optimized ranking numbers of all policies, so that the firewall matches data packets against the policies in the ranking order of the third list. With this method, policy usage is recognized automatically from hit counts and the policy order is optimized accordingly, which greatly improves the overall performance and efficiency of the firewall.

Description

Firewall policy optimization method, system and computer readable storage medium
Technical field
The present invention relates to the technical field of network security, and in particular to a firewall policy optimization method, a firewall policy optimization system and a computer-readable storage medium.
Background
In traditional telecom operators, e-government and mobile Internet enterprises, a firewall in service accumulates a very large number of policies, because the network carries many business rules. Once a policy has been configured it is usually not deleted casually, since deleting the wrong policy causes business access failures; in practice firewall policy configuration only ever grows and entries are never removed, which has become an accepted fact in the industry. Because of this, firewall policy sets keep growing, and some core firewalls reach more than ten thousand rules. As the rule count grows, firewall efficiency and performance fall, because each data packet has to be compared against more and more rules: matching stops at the first rule that matches, and the rules after it are not evaluated.
Existing solutions and techniques:
(1) Which policies should be moved up the order is decided by human judgement of which business is used more, rather than by real-time automatic assessment of policy usage;
(2) Whether policies are mutually exclusive is also determined manually, rather than automatically.
Summary of the invention
The present invention aims to solve at least one of the technical problems existing in the prior art or related technologies.
To that end, one aspect of the present invention proposes a firewall policy optimization method.
Another aspect of the present invention proposes a firewall policy optimization system.
A further aspect of the present invention proposes a computer-readable storage medium.
In view of this, one aspect of the present invention proposes a firewall policy optimization method comprising: obtaining all policies of the firewall and generating a first list; obtaining the hit count of each policy and sorting the policies by hit count in descending order to generate a second list; taking the policies out of the second list one by one and determining whether the ranking number of the policy in the second list is smaller than its ranking number in the first list; when the ranking number in the second list is smaller than the ranking number in the first list, optimizing the ranking of the policy in the first list; and generating a third list from the optimized ranking numbers of all policies, so that the firewall matches data packets in the ranking order of the third list.
According to the firewall policy optimization method of the present invention, all policies of the firewall are first obtained to form the original policy list, i.e. the first list; before the policy order is optimized, the firewall matches data packets in the order of the first list. The hit count of each policy in the first list is then obtained, and all policies are sorted by hit count in descending order to form the second list. The policies are then taken out of the second list one by one, preferably in order, so that policies with higher hit counts are re-ordered first. For the policy currently taken out, the ranking numbers are compared to determine whether its position in the second list is ahead of its position in the first list; if so, its ranking in the first list needs to be optimized, otherwise the next policy is examined. Optimizing the ranking means moving the policy forward in the first list. After the policies have been re-ranked one by one, the third list is formed, and the firewall matches data packets in the order of the third list. The method thus recognizes policy usage automatically from hit counts and optimizes the policy order so that policies with higher hit counts are placed near the top, which improves both the efficiency and the accuracy of the optimization and greatly improves the overall performance and efficiency of the firewall.
The hit count of a firewall policy reflects how much the policy is used. A high hit count indicates that the policy is used frequently and should be placed near the top, so that when the firewall inspects a data packet it does not have to evaluate many policies before the packet hits a policy and is handled, and the remaining policies are not evaluated.
The ranking number indicates the priority of a policy: the smaller the ranking number, the higher the priority.
The firewall policy optimization method provided by the present invention may further have the following technical features:
In the above technical solution, preferably, the step of optimizing the ranking of the policy in the first list comprises: in the first list, determining whether the policy is mutually exclusive with each of the other policies it would cross when moved from its current position to its position in the second list; when the policy is mutually exclusive with all of those policies, taking the policy's ranking number in the second list as its optimized ranking number; otherwise, determining the first of those policies (the nearest one, scanning from the current position) that is non-exclusive with the policy, and determining the optimized ranking number from the ranking number of that non-exclusive policy.
In this technical solution, the ranking of the policy in the first list is optimized as follows: determine whether the policy is mutually exclusive with each of the other policies it would cross when moved forward from its current position in the first list to its position in the second list. If it is mutually exclusive with all of them, its ranking in the second list becomes its optimized ranking number; otherwise the optimized ranking number is determined from the ranking number of the nearest non-exclusive policy. The method therefore uses hit counts to decide whether a policy needs re-ordering, and mutual exclusion between policies to decide the exact position after optimization, improving the policy order automatically and thereby the efficiency and performance of the firewall.
In any of the above technical solutions, preferably, the step of determining the optimized ranking from the ranking number of the non-exclusive policy comprises: taking the ranking number of the non-exclusive policy plus 1 as the optimized ranking number of the policy.
In this technical solution, when the policy is not mutually exclusive with all of the crossed policies, the ranking number of the nearest non-exclusive policy plus 1 is taken as the optimized ranking number, i.e. the policy is moved to the position immediately after the nearest non-exclusive policy, so that the policy only ever crosses policies it is mutually exclusive with.
In any of the above technical solutions, preferably, the step of determining whether the policy is mutually exclusive with the other policies it would cross when moved from its current position to its position in the second list comprises: determining that the policy and another policy are non-exclusive when the source address of the policy and the source address of the other policy are in a subset or intersection relationship, and/or when the destination address of the policy and the destination address of the other policy are in a subset or intersection relationship.
In this technical solution, when the source addresses and/or destination addresses of two firewall policies are in a subset or intersection relationship, the two policies are considered non-exclusive, because if such a relationship exists, moving one policy may change the original access behaviour: a data packet that originally matched policy A may match policy B after the re-ordering, which is not allowed. A policy may therefore only be moved across another policy once the two have been determined to be mutually exclusive.
In any of the above technical solutions, preferably, each policy in the first list, the second list and the third list includes: a ranking number, a policy number, a source address, a destination address, and any one or a combination of: a source port, a destination port, an action; each policy in the second list and the third list further includes a hit count.
Another aspect of the present invention proposes a firewall policy optimization system comprising a memory, a processor, and a computer program stored in the memory and executable by the processor, wherein the processor, when executing the computer program, performs: obtaining all policies of the firewall and generating a first list; obtaining the hit count of each policy and sorting the policies by hit count in descending order to generate a second list; taking the policies out of the second list one by one and determining whether the ranking number of the policy in the second list is smaller than its ranking number in the first list; when the ranking number in the second list is smaller than the ranking number in the first list, optimizing the ranking of the policy in the first list; and generating a third list from the optimized ranking numbers of all policies, so that the firewall matches data packets in the ranking order of the third list.
The firewall policy optimization system according to the present invention carries out the same procedure as the method described above: the first list is the original policy order, the second list is the hit-count-sorted order, a policy is moved forward in the first list when its second-list ranking is ahead of its first-list ranking, and the third list is the resulting order used for packet matching. The meaning of hit count and ranking number, and the technical effect of placing frequently hit policies near the top, are as described for the method.
In the above technical solution, preferably, the processor, when executing the computer program, implements the step of optimizing the ranking of the policy in the first list as: determining whether the policy is mutually exclusive with each of the other policies it would cross when moved from its current position to its position in the second list; when it is mutually exclusive with all of them, taking its ranking number in the second list as its optimized ranking number; otherwise, determining the first non-exclusive policy among them and determining the optimized ranking number from the ranking number of that non-exclusive policy.
In any of the above technical solutions, preferably, the processor, when executing the computer program, takes the ranking number of the non-exclusive policy plus 1 as the optimized ranking number, i.e. the policy is placed immediately after the nearest non-exclusive policy, so that it only crosses policies it is mutually exclusive with.
In any of the above technical solutions, preferably, the processor, when executing the computer program, determines the policy and another policy to be non-exclusive when their source addresses are in a subset or intersection relationship and/or their destination addresses are in a subset or intersection relationship, for the reason given above for the method: moving a policy across a non-exclusive policy could change which policy a data packet matches, which is not allowed.
In any of the above technical solutions, preferably, each policy in the first list, the second list and the third list includes: a ranking number, a policy number, a source address, a destination address, and any one or a combination of: a source port, a destination port, an action; each policy in the second list and the third list further includes a hit count.
A further aspect of the present invention proposes a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the firewall policy optimization method of any of the above technical solutions are carried out, so the medium has all the technical effects of that method, which are not repeated here.
Additional aspects and advantages of the invention will become apparent from the following description, or may be learned by practice of the invention.
Description of the drawings
The above and additional aspects and advantages of the invention will become apparent and easy to understand from the following description of embodiments taken together with the drawings, in which:
Fig. 1 shows a flow diagram of a firewall policy optimization method according to an embodiment of the invention;
Fig. 2 shows a flow diagram of a firewall policy optimization method according to another embodiment of the invention;
Fig. 3 shows a logical schematic of a firewall policy optimization method according to a specific embodiment of the invention;
Fig. 4 shows a schematic block diagram of a firewall policy optimization system according to an embodiment of the invention.
Detailed description of embodiments
So that the objects, features and advantages of the present invention can be better understood, the invention is described in further detail below with reference to the drawings and specific embodiments. Where there is no conflict, the embodiments of this application and the features of those embodiments may be combined with each other.
Numerous specific details are set forth in the following description to facilitate a full understanding of the invention; however, the invention may also be implemented in ways other than those described here, so the scope of protection of the invention is not limited by the specific embodiments described below.
Fig. 1 is a flow diagram of a firewall policy optimization method according to an embodiment of the invention. The method comprises:
Step 102: obtain all policies of the firewall and generate a first list;
Step 104: obtain the hit count of each policy and sort the policies by hit count in descending order to generate a second list;
Step 106: take the policies out of the second list one by one and determine whether the ranking number of the policy in the second list is smaller than its ranking number in the first list;
Step 108: when the ranking number in the second list is smaller than the ranking number in the first list, optimize the ranking of the policy in the first list;
Step 110: generate a third list from the optimized ranking numbers of all policies, so that the firewall matches data packets in the ranking order of the third list.
In this embodiment the first list is the original policy order used by the firewall before optimization, the second list is the same policies sorted by hit count in descending order, and the policies are taken out of the second list in order so that the most frequently hit policies are re-ordered first. A policy whose second-list ranking is ahead of its first-list ranking is moved forward in the first list; otherwise the next policy is examined. When all policies have been processed, the resulting order is the third list, which the firewall uses for packet matching. The hit count reflects how frequently a policy is used (a frequently hit policy belongs near the top, so that a packet is matched after evaluating few policies), and the ranking number is the policy's priority (the smaller the number, the higher the priority). Placing policies with higher hit counts near the top improves both the efficiency and the accuracy of the optimization and greatly improves the overall performance and efficiency of the firewall.
Fig. 2 is a flow diagram of a firewall policy optimization method according to another embodiment of the invention. The method comprises:
Step 202: obtain all policies of the firewall and generate a first list;
Step 204: obtain the hit count of each policy and sort the policies by hit count in descending order to generate a second list;
Step 206: take the policies out of the second list one by one and determine whether the ranking number of the policy in the second list is smaller than its ranking number in the first list;
Step 208: when the ranking number in the second list is smaller than the ranking number in the first list, determine whether the policy is mutually exclusive with each of the other policies it would cross when moved from its current position in the first list to its position in the second list;
Step 210: when the policy is mutually exclusive with all of those policies, take its ranking number in the second list as its optimized ranking number;
Step 212: otherwise, determine the first of those policies that is non-exclusive with the policy, and determine the optimized ranking number from the ranking number of that non-exclusive policy;
Step 214: generate a third list from the optimized ranking numbers of all policies, so that the firewall matches data packets in the ranking order of the third list.
In this embodiment, the ranking of a policy in the first list is optimized by checking whether the policy is mutually exclusive with each of the other policies it would cross when moved forward from its current position in the first list to its position in the second list. If it is mutually exclusive with all of them, its ranking number in the second list becomes its optimized ranking number; otherwise the optimized ranking number is determined from the ranking number of the nearest non-exclusive policy. Hit counts thus decide whether a policy needs re-ordering, and mutual exclusion decides the exact position after optimization, so the policy order is improved automatically and the efficiency and performance of the firewall with it.
In one embodiment of the invention, preferably, the optimized ranking number is the ranking number of the nearest non-exclusive policy plus 1, i.e. the policy is placed immediately after that non-exclusive policy, so that it only crosses policies it is mutually exclusive with.
In one embodiment of the invention, preferably, two policies are determined to be non-exclusive when their source addresses are in a subset or intersection relationship and/or their destination addresses are in a subset or intersection relationship; otherwise they are mutually exclusive. Such a relationship means that moving one policy could change which policy a data packet matches (a packet that matched policy A before the move could match policy B after it), which is not allowed, so a policy is only moved across another once the two have been determined to be mutually exclusive.
In any of the above embodiments, preferably, each policy in the first list, the second list and the third list includes: a ranking number, a policy number, a source address, a destination address, and any one or a combination of: a source port, a destination port, an action; each policy in the second list and the third list further includes a hit count.
A specific embodiment provides a firewall policy optimization method, and Fig. 3 shows its logical schematic. As shown in Fig. 3, the original policy list of the firewall is obtained by command, as shown in Table 1; the hit count of each firewall policy is obtained periodically by command, and the policies are sorted by hit count in descending order to form a hit-count-ordered policy list, as shown in Table 2. The policies are then taken out of Table 2 one by one in order, and for each it is determined whether its ranking in Table 2 is ahead of its ranking in Table 1; if so, the policy may need to be moved forward in Table 1.
Table 1

Ranking number | Policy number | Source address | Destination address | Source port | Destination port | Action
1 | 4  | 10.10.101.10 | 10.10.100.20 | 80 | 8080 | Deny
2 | 6  | 10.10.103.*  | 10.10.104.*  | 80 | 8080 | Allow
3 | 8  | 10.11.101.*  | 10.12.100.*  | 80 | 8080 | Allow
4 | 11 | 10.10.101.*  | 10.10.100.*  | 80 | 8080 | Allow
Table 2
Whether the policy actually needs to be moved forward depends on whether it is mutually exclusive with the other policies it would cross when moved forward, judged on source address and destination address: if the source addresses and/or destination addresses are in a subset or intersection relationship the two policies are non-exclusive, otherwise they are mutually exclusive, and only mutually exclusive policies may be crossed. If the policy is mutually exclusive with every policy up to its Table 2 ranking, it is moved to its Table 2 ranking; otherwise it is moved to the position immediately after the nearest non-exclusive policy.
This position adjustment is repeated policy by policy, forming the new order-optimized policy list shown in Table 3. Table 3 is the ranking order after optimization; the firewall matches data packets in the order of Table 3, and because policies with higher hit counts are now further forward, efficiency is greatly improved.
Table 3
The specific implementation of the firewall policy optimization method is described in further detail below. The firewall policy optimization method includes:
Step 1: obtain the original policy list of the firewall, i.e. Table 1;
Step 2: obtain the hit count of each firewall policy and generate the hit-count-ordered policy list, sorted by hit count in descending order, i.e. Table 2;
Step 3: take the policies out of Table 2 one by one in order;
Step 4: judge whether the policy's ranking in Table 2 is ahead of its ranking in Table 1;
Step 5: if it is, the position needs to be moved forward; judge whether all policies crossed between the position in Table 1 and the position in Table 2 are mutually exclusive with the policy; if all are mutually exclusive, the position in Table 2 is the policy's ranking number after optimization;
Step 6: if in step 5 not all are mutually exclusive, find the ranking number of the nearest non-exclusive policy; that ranking number plus 1 is the policy's new ranking number;
Step 7: move the policy to its new physical position in Table 1;
Step 8: repeat steps 2 to 7;
Step 9: the regenerated Table 3 is the policy order after optimization.
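The following is an added reference implementation of steps 1 to 9 (example code written for this page, not the patent's or the applicant's own code). It runs on the four policies of Table 1; since Table 2's hit counts are not on the page, the hit counts are constructed. Three points of interpretation are assumptions: a `*` in an address stands for one whole octet (so `10.10.103.*` is `10.10.103.0/24`); the non-exclusion rule is the patent's own (source addresses overlap and/or destination addresses overlap); and the "nearest" non-exclusive policy is the one closest to the moved policy's current position, which is the choice that keeps the policy from crossing any non-exclusive policy.

```python
"""Added example: reference implementation of the Table 1 -> Table 2 -> Table 3
reordering (steps 1 to 9). Hit counts are constructed; address wildcard and
'nearest' semantics are assumptions stated in the lead-in."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    number: int
    src: str
    dst: str
    sport: int
    dport: int
    action: str


# Table 1 as printed in the patent (original order).
TABLE1 = [
    Policy(4, "10.10.101.10", "10.10.100.20", 80, 8080, "Deny"),
    Policy(6, "10.10.103.*", "10.10.104.*", 80, 8080, "Allow"),
    Policy(8, "10.11.101.*", "10.12.100.*", 80, 8080, "Allow"),
    Policy(11, "10.10.101.*", "10.10.100.*", 80, 8080, "Allow"),
]

# Constructed hit counts (the patent's Table 2 values are not on the page).
HITS = {8: 900, 6: 500, 11: 100, 4: 10}


def to_network(addr: str) -> ipaddress.IPv4Network:
    """Assumption: '*' = one whole octet. '10.10.103.*' -> 10.10.103.0/24,
    '10.10.101.10' -> 10.10.101.10/32."""
    octets = addr.split(".")
    stars = octets.count("*")
    fixed = [o for o in octets if o != "*"] + ["0"] * stars
    return ipaddress.IPv4Network(f"{'.'.join(fixed)}/{32 - 8 * stars}")


def non_exclusive(a: Policy, b: Policy) -> bool:
    """Patent rule: non-exclusive if the source ranges are in a subset or
    intersection relation and/or the destination ranges are. For IP ranges
    'subset or intersection' is exactly overlaps(). This is more conservative
    than strictly necessary (a packet can match both policies only if BOTH
    address pairs overlap and the ports agree), which errs on the safe side."""
    return (to_network(a.src).overlaps(to_network(b.src))
            or to_network(a.dst).overlaps(to_network(b.dst)))


def optimize(table1: list[Policy], hits: dict[int, int]) -> list[Policy]:
    """Return Table 3: Table 1 reordered according to steps 2 to 8."""
    # Step 2: Table 2 is Table 1 sorted by hit count, descending.
    table2 = sorted(table1, key=lambda p: hits[p.number], reverse=True)
    order = list(table1)  # working copy of Table 1, rewritten in place (step 7)
    for target, pol in enumerate(table2, start=1):  # step 3
        current = order.index(pol) + 1
        if target >= current:  # step 4: not ahead of its current rank
            continue
        # Step 5: the policies crossed by the move hold ranks target..current-1.
        crossed = order[target - 1:current - 1]
        blockers = [rank for rank, other in enumerate(crossed, start=target)
                    if non_exclusive(pol, other)]
        # Step 5 / step 6: the Table 2 rank if every crossed policy is exclusive,
        # otherwise the rank just after the nearest non-exclusive one.
        new_rank = target if not blockers else max(blockers) + 1
        # Step 7: move the policy to its new physical position.
        order.pop(current - 1)
        order.insert(new_rank - 1, pol)
    return order  # step 9: this is Table 3


def table3_numbers() -> list[int]:
    """Policy numbers of Table 3 in optimized order."""
    return [p.number for p in optimize(TABLE1, HITS)]


if __name__ == "__main__":
    for rank, p in enumerate(optimize(TABLE1, HITS), start=1):
        print(rank, p.number, p.src, p.dst, p.action, "hits", HITS[p.number])
```

With these hit counts, policies 8 and 6 move to the front because every policy they cross is mutually exclusive with them, while policy 11 (100 hits) cannot pass policy 4 (the specific Deny for a host pair that policy 11 also covers), so Table 3 comes out as 8, 6, 4, 11. A practitioner should inspect the resulting order rather than assume it is hit-count-optimal: a policy held back by a non-exclusive policy can be overtaken by later, lower-hit policies that still target their own Table 2 rank.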
Fig. 4 is a schematic block diagram of a firewall policy optimization system according to an embodiment of the invention. The firewall policy optimization system 400 includes a memory 402, a processor 404, and a computer program stored in the memory 402 and runnable on the processor 404. When executing the computer program, the processor 404 realizes: obtaining all policies of the firewall and generating a first list; obtaining the hit count of each policy and sorting by hit count in descending order to generate a second list; taking the policies out of the second list one by one and judging whether the ranking number of the policy in the second list is smaller than its ranking number in the first list; based on a judging result that the ranking number of the policy in the second list is smaller than its ranking number in the first list, optimizing the ranking of the policy in the first list; and generating a third list according to the optimized ranking number of each policy, so that the firewall performs policy matching on data packets according to the ranking order in the third list.
The firewall policy optimization system 400 provided in an embodiment of the invention first obtains all policies of the firewall to form the original policy list, i.e. the first list; before the policies are order-optimized, the firewall matches data packets in the order of the first list. It then obtains the hit count of each policy in the first list and sorts all policies by hit count in descending order to form the second list. The policies are then taken out of the second list one by one; preferably they are taken out in order, so that policies with higher hit counts are order-optimized first. For the policy currently taken out, the ranking numbers are compared to judge whether its ranking in the second list is ahead of its ranking in the first list; if so, the ranking of the policy in the first list needs to be optimized, otherwise the next policy is examined. Specifically, the ranking of the policy is moved forward in the first list. After the policies have been ranking-optimized one by one, the third list is formed, and the firewall matches data packets in the order of the third list. The firewall policy optimization system 400 of the invention can recognize how policies are used from their hit counts and optimize the policy order accordingly, keeping policies with higher hit counts near the front, which not only improves the efficiency and accuracy of optimization but also greatly improves the overall performance and efficiency of the firewall.
The hit count of a firewall policy reflects how the policy is used: a high hit count indicates that the policy is used frequently and should be placed near the front, so that when the firewall inspects a data packet it does not have to match too many policies before hitting the one that handles the packet, after which no further policies are matched.
The ranking number indicates the priority of a policy: the smaller the ranking number, the higher the policy's priority.
In the above embodiment, preferably, when the processor 404 executes the computer program, the step of optimizing the ranking of a policy in the first list is implemented as: in the first list, determining whether the policy is mutually exclusive with the other policies crossed when it is moved from its current position to its position in the second list; based on a judging result that the policy is mutually exclusive with all of the other policies, taking the ranking number of the policy in the second list as the ranking number after optimization; otherwise, determining the first policy among the other policies that is non-exclusive with the policy, and determining the ranking number after optimization according to the ranking number of that non-exclusive policy.
In this embodiment, the ranking of the policy in the first list is optimized as follows: judge whether the policy is mutually exclusive with the other policies crossed when it is moved forward from its current position in the first list to its position in the second list; if the policy is mutually exclusive with all of those policies, its ranking number in the second list is used as the ranking number after optimization; otherwise, the ranking number after optimization is determined from the ranking number of the nearest non-exclusive policy. The firewall policy optimization method of the invention can decide from a policy's hit count whether order optimization is needed, and can determine the specific position after optimization from the policy's mutual exclusivity with other policies, improving the policy order automatically and thereby improving the efficiency and performance of the firewall.
In any of the above embodiments, preferably, when the processor 404 executes the computer program, the step of determining the ranking number after optimization according to the ranking number of the non-exclusive policy is implemented as: taking the ranking number of the non-exclusive policy plus 1 as the ranking number after optimization.
In this embodiment, when the policy is not mutually exclusive with all of the other policies, the ranking number of the nearest non-exclusive policy plus 1 is used as the ranking number after optimization; that is, the policy is moved to the position immediately after the nearest non-exclusive policy, which ensures that a policy's ranking is only moved across policies that are mutually exclusive with it.
In any of the above embodiments, preferably, when the processor 404 executes the computer program, the step of determining whether the policy is mutually exclusive with the other policies crossed when it is moved from its current position to its position in the second list is implemented as: when the source address of the policy and the source address of another policy are in a subset or intersection relationship, and/or when the destination address of the policy and the destination address of the other policy are in a subset or intersection relationship, determining that the policy and the other policy are non-exclusive.
In this embodiment, when the source addresses and/or destination addresses of any two firewall policies are in a subset or intersection relationship, the two are considered non-exclusive, because if two policies have such a relationship, moving one of them may change the original access rule: a data packet that originally matched policy A might, after the reordering, match policy B instead, which is not allowed. Therefore a move may only be made after judging that the relationship is one of mutual exclusion.
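The policy A / policy B situation above can be made concrete with a first-match simulator. This is an added example written for this page, not the patent's or the applicant's code: it evaluates the Table 1 policies in list order against a handful of constructed packets and reports on which packets two orderings disagree. Swapping policy 4 and policy 11 (non-exclusive: the host pair of policy 4 lies inside the ranges of policy 11) flips the verdict for that host pair from Deny to Allow, whereas swapping policy 6 and policy 8 (mutually exclusive) changes no verdict. Assumptions: a `*` in an address matches any value of that octet, and ports must match exactly.

```python
"""Added example: first-match simulation showing why only mutually exclusive
policies may be crossed. Policies are Table 1 entries as
(number, src, dst, sport, dport, action); packets are constructed."""

TABLE1 = [
    (4, "10.10.101.10", "10.10.100.20", 80, 8080, "Deny"),
    (6, "10.10.103.*", "10.10.104.*", 80, 8080, "Allow"),
    (8, "10.11.101.*", "10.12.100.*", 80, 8080, "Allow"),
    (11, "10.10.101.*", "10.10.100.*", 80, 8080, "Allow"),
]


def addr_matches(pattern: str, addr: str) -> bool:
    """Octet-wise wildcard match (assumption: '*' matches any single octet)."""
    return all(p == "*" or p == a
               for p, a in zip(pattern.split("."), addr.split(".")))


def first_match(order, packet):
    """Firewall semantics: the first policy in list order that matches wins.
    packet = (src, dst, sport, dport); returns (policy number, action) or None."""
    src, dst, sport, dport = packet
    for num, psrc, pdst, psport, pdport, action in order:
        if (addr_matches(psrc, src) and addr_matches(pdst, dst)
                and psport == sport and pdport == dport):
            return num, action
    return None


def swap(order, a, b):
    """Return a copy of `order` with the policies numbered a and b exchanged."""
    idx = {p[0]: i for i, p in enumerate(order)}
    new = list(order)
    new[idx[a]], new[idx[b]] = new[idx[b]], new[idx[a]]
    return new


def disagreements(order_a, order_b, packets):
    """Packets for which the two orderings yield different (policy, action)."""
    return [pkt for pkt in packets
            if first_match(order_a, pkt) != first_match(order_b, pkt)]


# Constructed sample packets, including the host pair covered by both 4 and 11.
PACKETS = [
    ("10.10.101.10", "10.10.100.20", 80, 8080),   # policy 4 (Deny) in Table 1 order
    ("10.10.101.77", "10.10.100.20", 80, 8080),   # only policy 11
    ("10.10.103.5", "10.10.104.9", 80, 8080),     # only policy 6
    ("10.11.101.3", "10.12.100.200", 80, 8080),   # only policy 8
    ("192.0.2.1", "10.10.100.20", 80, 8080),      # no policy matches
]


def unsafe_swap_changes():
    """Crossing a non-exclusive policy: 4 and 11 swapped."""
    return disagreements(TABLE1, swap(TABLE1, 4, 11), PACKETS)


def safe_swap_changes():
    """Crossing a mutually exclusive policy: 6 and 8 swapped."""
    return disagreements(TABLE1, swap(TABLE1, 6, 8), PACKETS)


if __name__ == "__main__":
    print("4<->11 changes verdict for:", unsafe_swap_changes())
    print("6<->8 changes verdict for:", safe_swap_changes())
```

The unsafe swap is exactly the shadowing problem: the narrow Deny for one host pair is silenced by the broader Allow once the Allow precedes it. A reorder that only ever crosses mutually exclusive policies keeps `first_match` identical for every packet, which is the property the mutual-exclusion check in the method is meant to preserve.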
In any of the above embodiments, preferably, each policy in the first list, the second list and the third list includes: a ranking number, a policy number, a source address, a destination address, and any one or a combination of the following: a source port, a destination port, an action; each policy in the second list and the third list further includes the hit count.
An embodiment of another aspect of the invention proposes a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the firewall policy optimization method of any of the above embodiments are realized, so that it has all the technical effects of the firewall policy optimization method, which are not repeated here.
In the description of this specification, the terms "first" and "second" are used only for the purpose of description and should not be understood as indicating or implying relative importance, unless otherwise clearly specified and limited. The terms "connected", "mounted", "fixed" and the like should be understood broadly; for example, "connected" may be a fixed connection, a detachable connection, or an integral connection, and may be a direct connection or an indirect connection through an intermediary. Those of ordinary skill in the art can understand the specific meaning of the above terms in the present invention according to the particular circumstances.
In the description of this specification, descriptions referring to the terms "one embodiment", "some embodiments", "specific embodiment" and the like mean that particular features, structures, materials or characteristics described in connection with that embodiment or example are included in at least one embodiment or example of the invention. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the particular features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the invention; for those skilled in the art, the invention may be modified and varied in various ways. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included in the protection scope of the present invention.

Claims (11)

1. A firewall policy optimization method, characterized by comprising:
obtaining all policies of a firewall and generating a first list;
obtaining the hit count of each policy, and sorting by hit count in descending order to generate a second list;
taking the policies out of the second list one by one, and judging whether the ranking number of the policy in the second list is smaller than its ranking number in the first list;
based on a judging result that the ranking number of the policy in the second list is smaller than its ranking number in the first list, optimizing the ranking of the policy in the first list;
generating a third list according to the optimized ranking number of each policy, so that the firewall performs policy matching on data packets according to the ranking order in the third list.
2. The firewall policy optimization method according to claim 1, characterized in that the step of optimizing the ranking of the policy in the first list comprises:
in the first list, judging whether the policy is mutually exclusive with the other policies crossed when the policy is moved from its current position to the position of the policy in the second list;
based on a judging result that the policy is mutually exclusive with all of the other policies, taking the ranking number of the policy in the second list as the ranking number after the policy optimization;
otherwise, determining the first policy among the other policies that is non-exclusive with the policy, and determining the ranking number after the policy optimization according to the ranking number of the non-exclusive policy.
3. The firewall policy optimization method according to claim 2, characterized in that the step of determining the ranking number after the policy optimization according to the ranking number of the non-exclusive policy comprises:
taking the ranking number of the non-exclusive policy plus 1 as the ranking number after the policy optimization.
4. The firewall policy optimization method according to claim 2, characterized in that the step of judging whether the policy is mutually exclusive with the other policies crossed when the policy is moved from its current position to the position of the policy in the second list comprises:
determining that the policy is non-exclusive with the other policies when the source address corresponding to the policy and the source address corresponding to the other policies are in a subset or intersection relationship, and/or when the destination address corresponding to the policy and the destination address corresponding to the other policies are in a subset or intersection relationship.
5. The firewall policy optimization method according to any one of claims 1 to 4, characterized in that
each policy in the first list, the second list and the third list comprises: the ranking number, a policy number, a source address, a destination address, and any one or a combination of the following: a source port, a destination port, an action;
each policy in the second list and the third list further comprises the hit count.
6. A firewall policy optimization system, characterized by comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein the processor, when executing the computer program, realizes:
obtaining all policies of a firewall and generating a first list;
obtaining the hit count of each policy, and sorting by hit count in descending order to generate a second list;
taking the policies out of the second list one by one, and judging whether the ranking number of the policy in the second list is smaller than its ranking number in the first list;
based on a judging result that the ranking number of the policy in the second list is smaller than its ranking number in the first list, optimizing the ranking of the policy in the first list;
generating a third list according to the optimized ranking number of each policy, so that the firewall performs policy matching on data packets according to the ranking order in the third list.
7. The firewall policy optimization system according to claim 6, characterized in that the processor, when executing the computer program, implements the step of optimizing the ranking of the policy in the first list as:
in the first list, judging whether the policy is mutually exclusive with the other policies crossed when the policy is moved from its current position to the position of the policy in the second list;
based on a judging result that the policy is mutually exclusive with all of the other policies, taking the ranking number of the policy in the second list as the ranking number after the policy optimization;
otherwise, determining the first policy among the other policies that is non-exclusive with the policy, and determining the ranking number after the policy optimization according to the ranking number of the non-exclusive policy.
8. The firewall policy optimization system according to claim 7, characterized in that the processor, when executing the computer program, implements the step of determining the ranking number after the policy optimization according to the ranking number of the non-exclusive policy as:
taking the ranking number of the non-exclusive policy plus 1 as the ranking number after the policy optimization.
9. The firewall policy optimization system according to claim 7, characterized in that the processor, when executing the computer program, implements the step of judging whether the policy is mutually exclusive with the other policies crossed when the policy is moved from its current position to the position of the policy in the second list as:
determining that the policy is non-exclusive with the other policies when the source address corresponding to the policy and the source address corresponding to the other policies are in a subset or intersection relationship, and/or when the destination address corresponding to the policy and the destination address corresponding to the other policies are in a subset or intersection relationship.
10. The firewall policy optimization system according to any one of claims 6 to 9, characterized in that
each policy in the first list, the second list and the third list comprises: the ranking number, a policy number, a source address, a destination address, and any one or a combination of the following: a source port, a destination port, an action;
each policy in the second list and the third list further comprises the hit count.
11. A computer-readable storage medium, characterized in that a computer program is stored thereon, and when the computer program is executed by a processor, the steps of the firewall policy optimization method according to any one of claims 1 to 5 are realized.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910307041.8A CN110138742B (en) 2019-04-17 2019-04-17 Firewall policy optimization method, system and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910307041.8A CN110138742B (en) 2019-04-17 2019-04-17 Firewall policy optimization method, system and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN110138742A true CN110138742A (en) 2019-08-16
CN110138742B CN110138742B (en) 2022-05-31

Family

ID=67569991

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910307041.8A Expired - Fee Related CN110138742B (en) 2019-04-17 2019-04-17 Firewall policy optimization method, system and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN110138742B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104270384A (en) * 2014-10-20 2015-01-07 山石网科通信技术有限公司 Fire wall policy redundancy detection method and device
CN105721188A (en) * 2014-12-04 2016-06-29 北京神州泰岳信息安全技术有限公司 Firewall strategy check method and system
US20160191466A1 (en) * 2014-12-30 2016-06-30 Fortinet, Inc. Dynamically optimized security policy management
US20160277357A1 (en) * 2013-03-18 2016-09-22 British Telecommunications Public Limited Company Firewall testing
US9553845B1 (en) * 2013-09-30 2017-01-24 F5 Networks, Inc. Methods for validating and testing firewalls and devices thereof
CN108418801A (en) * 2018-02-01 2018-08-17 杭州安恒信息技术股份有限公司 A kind of firewall policy optimization method and system based on big data analysis
CN108462717A (en) * 2018-03-21 2018-08-28 北京理工大学 The firewall rule sets under discrimination optimization method of rule-based match hit rate and distribution variance

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111935186A (en) * 2020-10-09 2020-11-13 四川新网银行股份有限公司 Optimization method of network security policy
CN113411336A (en) * 2021-06-21 2021-09-17 深圳天元云科技有限公司 Firewall strategy position optimization method, system, terminal and storage medium
CN113411336B (en) * 2021-06-21 2022-08-26 深圳天元云科技有限公司 Firewall strategy position optimization method, system, terminal and storage medium

Also Published As

Publication number Publication date
CN110138742B (en) 2022-05-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20220531