CN110336834A - Treating method and apparatus for firewall policy - Google Patents


Info

Publication number
CN110336834A (application CN201910705462.6A)
Authority
CN
China
Prior art keywords
firewall policy, firewall, policy, request, strategy
Prior art date
Legal status
Pending
Application number
CN201910705462.6A
Other languages
Chinese (zh)
Inventor
韩旭
董济洲
吴仲阳
Current Assignee
Industrial and Commercial Bank of China Ltd (ICBC)
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd (ICBC)
Priority to CN201910705462.6A
Publication of CN110336834A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Data Exchanges In Wide-Area Networks

Abstract

The present disclosure provides a processing method for a firewall policy. The method comprises: receiving a firewall policy creation request from a client, the request including the following information: the source IP address, source port number, destination IP address, destination port number and transport-layer protocol targeted by the firewall policy, the life cycle of the firewall policy, and switch information; in response to the firewall policy creation request, calling a preset first policy creation method; and processing the information with the first policy creation method to create a first firewall policy. The disclosure further provides a processing apparatus for a firewall policy, an electronic device, and a computer-readable storage medium.

Description

Treating method and apparatus for firewall policy
Technical field
This disclosure relates to the field of computer technology, and in particular to a processing method and apparatus for a firewall policy.
Background art
With the continuous development of cloud computing, information technology in the financial industry is moving from traditional environments to cloud environments. OpenStack, as an open-source cloud computing project, has entered the stage of large-scale deployment after several years of development. By unifying compute, storage and networking, OpenStack automates the supply of underlying IT resources and thereby underpins rapid application deployment at the IT resource layer. From the viewpoint of end-to-end application management, beyond the fast supply of underlying IT resources, quick response to application service requests is also required, including letting application personnel deploy, configure and manage in self-service fashion the firewall, load-balancing and elastic-scaling policies their applications need.
Under security control requirements, the financial industry needs large-scale use of firewall policy control technology. In recent years, as the number and complexity of service applications keep growing, the number of firewall changes has increased year after year. With this growth, on the one hand the pressure on network operations and maintenance keeps rising; on the other hand, constrained by technology and process, it cannot meet the quick-response requirements of service applications, especially those of the internet finance industry.
In this regard, some automation means have been adopted in the related art to raise the level of operation, but technical problems such as poor sensitivity and poor policy consistency still remain.
Summary of the invention
One aspect of the present disclosure provides a processing method for a firewall policy, comprising: receiving a firewall policy creation request from a client, the firewall policy creation request including the following information: the source IP address, source port number, destination IP address, destination port number and transport-layer protocol targeted by the firewall policy, the life cycle of the firewall policy, and switch information; in response to the firewall policy creation request, calling a preset first policy creation method; and processing the information with the first policy creation method to create a first firewall policy.
Optionally, the method further includes: determining an attribute of a firewall device; calling a preset second policy creation method; converting the first firewall policy, using the second policy creation method, into a second firewall policy matching the attribute of the firewall device; and deploying the second firewall policy on the firewall device.
Optionally, the method further includes: receiving a firewall policy deletion request from the client; in response to the firewall policy deletion request, calling a preset policy deletion method; and running the policy deletion method to delete a third firewall policy deployed on the firewall device, the third firewall policy being the firewall policy that the firewall policy deletion request asks to delete.
Optionally, calling the preset policy deletion method includes: determining whether the third firewall policy is deployed on the firewall device; and, if it is determined that the third firewall policy is deployed on the firewall device, calling the preset policy deletion method.
Optionally, the method further includes: receiving a firewall policy update request from the client; in response to the firewall policy deletion request, calling a preset policy update method; and running the policy update method to update a fourth firewall policy deployed on the firewall device, the fourth firewall policy being the firewall policy that the firewall policy update request asks to update.
Optionally, deploying the second firewall policy on the firewall device includes: writing the second firewall policy to the firewall device by calling a predetermined interface.
Optionally, calling the preset first policy creation method includes: calling the first policy creation method through a RESTful interface.
Another aspect of the present disclosure provides a processing apparatus for a firewall policy, comprising: a receiving module for receiving a firewall policy creation request from a client, the firewall policy creation request carrying the following information: the source IP address, source port number, destination IP address, destination port number and transport-layer protocol targeted by the firewall policy, the life cycle of the firewall policy, and switch information; a calling module for calling a preset first policy creation method in response to the firewall policy creation request; and a creation module for processing the information with the first policy creation method to create a first firewall policy.
Another aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein, when the one or more programs are executed by the one or more processors, the one or more processors implement the method described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions which, when executed, implement the method described above.
Another aspect of the present disclosure provides a computer program comprising computer-executable instructions which, when executed, implement the method described above.
Brief description of the drawings
For a fuller understanding of the present disclosure and its advantages, reference is now made to the following description taken in conjunction with the accompanying drawings, in which:
Fig. 1 schematically shows a system architecture suitable for applying the processing method and apparatus for a firewall policy according to an embodiment of the present disclosure;
Fig. 2 schematically shows a flowchart of the processing method for a firewall policy according to an embodiment of the present disclosure;
Fig. 3 schematically shows a flowchart of the processing method for a firewall policy according to another embodiment of the present disclosure;
Fig. 4 schematically shows a block diagram of the processing apparatus for a firewall policy according to an embodiment of the present disclosure; and
Fig. 5 schematically shows a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed description of the embodiments
Embodiments of the present disclosure are described below with reference to the accompanying drawings. It should be understood that these descriptions are exemplary only and are not intended to limit the scope of the present disclosure. In the following detailed description, numerous specific details are set forth for ease of explanation, to provide a thorough understanding of the embodiments of the present disclosure. It will be evident, however, that one or more embodiments may be practiced without these specific details. In addition, descriptions of well-known structures and techniques are omitted in the following description so as not to unnecessarily obscure the concepts of the disclosure.
The terminology used herein is for describing particular embodiments only and is not intended to limit the disclosure. The terms "include", "comprise" and the like used herein indicate the presence of the stated features, steps, operations and/or components, but do not exclude the presence or addition of one or more other features, steps, operations or components.
All terms used herein (including technical and scientific terms) have the meanings commonly understood by those skilled in the art, unless otherwise defined. It should be noted that the terms used herein are to be interpreted with meanings consistent with the context of this specification, and not in an idealized or overly mechanical way.
Where an expression such as "at least one of A, B and C" is used, it should in general be interpreted according to the meaning commonly understood by those skilled in the art (for example, "a system having at least one of A, B and C" includes, but is not limited to, a system having A alone, B alone, C alone, A and B, A and C, B and C, and/or A, B and C). Where an expression such as "at least one of A, B or C" is used, it should likewise be interpreted according to the meaning commonly understood by those skilled in the art (for example, "a system having at least one of A, B or C" includes, but is not limited to, a system having A alone, B alone, C alone, A and B, A and C, B and C, and/or A, B and C).
Some block diagrams and/or flowcharts are shown in the drawings. It should be understood that some blocks of the block diagrams and/or flowcharts, or combinations thereof, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer or other programmable data processing apparatus, such that the instructions, when executed by the processor, create means for implementing the functions/operations illustrated in the block diagrams and/or flowcharts. The techniques of the disclosure may be implemented in hardware and/or software (including firmware, microcode and the like). In addition, the techniques of the disclosure may take the form of a computer program product on a computer-readable storage medium storing instructions, the computer program product being for use by, or in connection with, an instruction execution system.
Some automation means have been adopted in the related art to raise the level of operation, but, constrained by traditional technology, firewall policies can only be configured by network personnel, so the network department ends up doing a large amount of requirement gathering and reasonableness assessment on behalf of the application departments. In addition, the automation means are limited by the framework of IT processes: the change process is lengthy, there has been no breakthrough, and user experience and effectiveness are not high. Moreover, because firewall policies are often not configured according to the actual needs of the application departments, and because of the performance limits of traditional firewalls, network departments usually perform merging and similar operations during firewall policy maintenance. As a result, the policies actually configured on the firewall cannot be matched to the demands of the application departments, and a large amount of reconciliation work is needed.
Embodiments of the present disclosure provide a processing method for a firewall policy and a processing apparatus for a firewall policy to which the method can be applied. The method may, for example, include the following operations. A firewall policy creation request is received from a client; the request may, for example, include the following information: the source IP address, source port number, destination IP address, destination port number and transport-layer protocol targeted by the firewall policy, the life cycle of the firewall policy, and switch information. In response to the firewall policy creation request, a preset first policy creation method is called. The information is processed with the first policy creation method to create a first firewall policy.
Fig. 1 schematically shows a system architecture suitable for applying the processing method and apparatus for a firewall policy according to an embodiment of the present disclosure. It should be noted that Fig. 1 is only an example of a system architecture to which the embodiments of the present disclosure may be applied, given to help those skilled in the art understand the technical content of the disclosure; it does not mean that the embodiments cannot be used for other devices, systems, environments or scenarios.
As shown in Fig. 1, the system architecture may, for example, include a client, a cloud platform and a firewall device. The cloud platform may, for example, include a cloud service and a cloud storage. The cloud service may in turn include, for example, a plugin layer and a driver layer.
In the technical solution provided by the embodiments of the present disclosure, a user can use the client's user interface to create, delete and update the corresponding firewall policies in self-service fashion. The cloud platform interfaces with the client and, according to the user's request, automatically calls and runs, in the plugin layer, preset implementation methods for firewall policies (such as a creation method, a deletion method, an update method, a save method, a synchronization method and a hit-rate method), so as to provide firewall self-service at the user level.
For security reasons, enterprises, and financial systems in particular, generally select firewall devices from multiple vendors, and firewall devices from different vendors generally use firewall policies of different formats. To improve compatibility, the embodiments of the present disclosure provide firewall policies in a unified format through the plugin layer of the cloud service, and then convert the unified-format firewall policy, through the driver layer of the cloud service, into a firewall policy in the specific format adapted to the attribute (such as the brand) of the firewall device.
It should be understood that in the embodiments of the present disclosure, the cloud storage can be used to store firewall policies and the configuration file of each firewall device (such as Neutron.conf). The configuration file of a firewall device holds configuration information describing the attribute of that firewall device. The disclosure is described in detail below with reference to the drawings and in conjunction with specific embodiments.
Fig. 2 schematically shows a flowchart of the processing method for a firewall policy according to an embodiment of the present disclosure.
As shown in Fig. 2, the method may, for example, include operations S210 to S230.
In operation S210, a firewall policy creation request is received from the client. The firewall policy creation request includes the following information: the source IP address, source port number, destination IP address, destination port number and transport-layer protocol targeted by the firewall policy, the life cycle of the firewall policy, and switch information.
With reference to Fig. 1, a user can, for example, use the client's user interface to create the corresponding firewall policy in self-service fashion. Specifically, when creating a firewall policy, the user can configure the policy's five-tuple (source IP address, source port number, destination IP address, destination port number, transport-layer protocol) together with the life cycle of the policy and switch information in the firewall policy creation request, and send it to the cloud service for processing.
It should be understood that in the embodiments of the present disclosure, the switch information is switch-state information, and the switch state may, for example, include two states: allow and deny.
In addition, the user may also configure information such as a policy name in the firewall policy creation request.
Next, in operation S220, in response to the firewall policy creation request, a preset first policy creation method is called.
Specifically, as an optional embodiment, the cloud service, in response to the firewall policy creation request from the client, may call the first policy creation method through, for example, a RESTful (Representational State Transfer) interface, a command-line interface (CLI) or a remote procedure call (RPC).
Then, in operation S230, the information is processed with the first policy creation method to create a first firewall policy.
Specifically, the first policy creation method may, for example, be used to parse the firewall policy creation request so as to extract the configuration information it carries (the source IP address, source port number, destination IP address, destination port number, transport-layer protocol, life cycle of the firewall policy, switch information and so on), and then generate a firewall policy from that configuration information.
It should be understood that if the user configured a policy name, the first policy creation method can generate the name of the newly created policy from the user-configured name. If the user did not configure a policy name, the first policy creation method can generate a random name for the newly created policy.
Through the embodiments of the present disclosure, a user can use the client's user interface to create the corresponding firewall policy in self-service fashion according to actual needs, which addresses the technical problems in the related art of blurred responsibility boundaries and poor policy consistency in firewall policy creation.
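As an added example that is not part of the patent, the following Python sketch shows what a plugin-layer "first policy creation method" of the kind described in operations S210 to S230 can do with such a request: it validates the five-tuple, the life cycle and the switch state before anything reaches a device, and generates a random name when the user supplied none. The request layout, the field names, the protocol vocabulary and the meaning of the life cycle value (days) are assumptions made for the example.

```python
"""Added example (not from the patent): a plugin-layer 'first policy creation
method' that validates a client's firewall policy creation request and builds a
unified-format policy. Field names, protocol vocabulary and the meaning of the
life cycle value (days) are assumptions."""
import ipaddress
import secrets

ALLOWED_PROTOCOLS = {"tcp", "udp", "icmp"}     # assumed transport-layer protocol vocabulary
ALLOWED_SWITCH_STATES = {"allow", "deny"}      # the two switch states the page names
REQUIRED_FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port",
                   "protocol", "lifecycle", "switch")


class PolicyRequestError(ValueError):
    """Raised for a malformed request; the caller reports the failure to the client."""


def _check_port(value, field):
    """Ports must be integers in 0..65535; 0 is used here to mean 'any port'."""
    try:
        port = int(value)
    except (TypeError, ValueError):
        raise PolicyRequestError(f"{field}: not an integer")
    if not 0 <= port <= 65535:
        raise PolicyRequestError(f"{field}: out of range")
    return port


def create_policy(request):
    """Parse a creation request (a dict) and return a unified-format policy dict.

    Validation happens at the cloud-service plugin layer so that a self-service
    request never reaches the device driver with an unparseable address, an
    out-of-range port, or an unknown switch state."""
    missing = [f for f in REQUIRED_FIELDS if f not in request]
    if missing:
        raise PolicyRequestError(f"missing fields: {', '.join(missing)}")

    # The five-tuple: addresses must parse, families must agree, protocol must be known.
    try:
        src_ip = ipaddress.ip_network(request["src_ip"], strict=False)
        dst_ip = ipaddress.ip_network(request["dst_ip"], strict=False)
    except ValueError as exc:
        raise PolicyRequestError(f"bad address: {exc}")
    if src_ip.version != dst_ip.version:
        raise PolicyRequestError("source and destination address families differ")
    protocol = str(request["protocol"]).lower()
    if protocol not in ALLOWED_PROTOCOLS:
        raise PolicyRequestError(f"unknown protocol {protocol!r}")

    # Switch information is the allow/deny state; anything else is rejected, not defaulted.
    switch = str(request["switch"]).lower()
    if switch not in ALLOWED_SWITCH_STATES:
        raise PolicyRequestError(f"unknown switch state {switch!r}")

    try:
        lifecycle = int(request["lifecycle"])   # assumed: validity period in days
    except (TypeError, ValueError):
        raise PolicyRequestError("lifecycle: not an integer")
    if lifecycle <= 0:
        raise PolicyRequestError("lifecycle must be positive")

    # The page says a random name is generated when the user configured none.
    name = request.get("name") or f"fw-policy-{secrets.token_hex(4)}"

    return {
        "name": name,
        "src_ip": str(src_ip),
        "src_port": _check_port(request["src_port"], "src_port"),
        "dst_ip": str(dst_ip),
        "dst_port": _check_port(request["dst_port"], "dst_port"),
        "protocol": protocol,
        "lifecycle_days": lifecycle,
        "switch": switch,
    }


def rejects(request):
    """True if the request is refused with a PolicyRequestError (used for checks)."""
    try:
        create_policy(request)
    except PolicyRequestError:
        return True
    return False


# Constructed sample request, as a self-service client might send it.
SAMPLE_REQUEST = {
    "src_ip": "10.1.2.0/24", "src_port": 0,
    "dst_ip": "10.9.8.7", "dst_port": 443,
    "protocol": "TCP", "lifecycle": 30, "switch": "allow",
}

if __name__ == "__main__":
    print(create_policy(SAMPLE_REQUEST))
```

The single-host destination is normalised to `10.9.8.7/32`, so the driver layer downstream sees one address representation regardless of how the user typed it.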
Fig. 3 schematically shows a flowchart of the processing method for a firewall policy according to another embodiment of the present disclosure.
As shown in Fig. 3, as an optional embodiment, the method may, in addition to operations S210 to S230 shown in Fig. 2, further include, for example, operations S310 to S340. For brevity, only operations S310 to S340 are described in detail in this embodiment.
In operation S310, the attribute of the firewall device is determined.
Specifically, the cloud service can read from the cloud storage the configuration file of the firewall device targeted by the firewall policy the user requested to create, read the attribute information (such as brand information) of the firewall device from that configuration file, and then determine the attribute of the firewall device from the attribute information read.
Next, in operation S320, a preset second policy creation method is called.
According to the embodiments of the present disclosure, since the format of a firewall policy may not match the firewall policy format of the firewall device on which the policy is actually deployed, directly deploying the created firewall policy on the firewall device may leave the device unable to recognize the policy, so that the policy is in practice unusable. For this purpose, the embodiments of the present disclosure provide a driver layer, and the driver layer calls and runs the second policy creation method so as to convert the format of the firewall policy into the specific format adapted to the attribute (such as the brand) of the firewall device.
It should be noted that in the embodiments of the present disclosure, the second policy creation method can likewise be called, for example, through a RESTful interface, a command-line interface or a remote procedure call.
RESTful, as a software architecture style, suits both client applications and server-side applications, and can provide services to clients such as Web, iOS and Android through one unified set of API interfaces.
An API built on REST (Representational State Transfer) is a RESTful interface. The advantage of the RESTful style of API is that a single interface, once written, can be used at the same time by multiple kinds of front-end devices such as Web, iOS and Android. This makes development faster and, above all, makes the division of labour clearer: for example, one person writes the interface, and the others only need to know how to call it, without needing to know how it is implemented.
Then, in operation S330, the first firewall policy is converted, using the second policy creation method, into a second firewall policy matching the attribute of the firewall device.
Specifically, the second policy creation method can convert the first firewall policy into the second firewall policy according to mapping rules between policies of different formats.
Next, in operation S340, the second firewall policy is deployed on the firewall device.
That is, the second firewall policy is written to the firewall device.
As an optional embodiment, deploying the second firewall policy on the firewall device may, for example, include the following operation: writing the second firewall policy to the firewall device by calling a predetermined interface. The predetermined interface may, for example, include a Restconf interface and a Netconf interface.
It should be understood that a Restconf interface is an interface using the Restconf protocol, and a Netconf interface is an interface using the Netconf protocol.
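As an added example, not from the patent, the following Python code sketches operations S310 to S340 end to end: the device brand is read from a constructed per-device configuration, a mapping rule selected by that brand converts the unified-format policy into a device-specific form, and the result is handed to a stand-in for the Restconf/Netconf write. The two vendor formats are invented for illustration (they are not any real vendor's syntax), as are the device names and function names; a brand with no mapping rule is refused before anything is written, which is the failure mode the passage on S320 describes.

```python
"""Added example (not from the patent): a driver-layer 'second policy creation
method' that converts a unified-format policy into a device-specific format chosen
by the device's brand attribute. Vendor formats, device names and function names
are constructed for illustration."""
import json

# Unified-format policy as the plugin layer would hand it over (constructed sample).
UNIFIED_POLICY = {
    "name": "web-out", "src_ip": "10.1.2.0/24", "src_port": 0,
    "dst_ip": "10.9.8.7/32", "dst_port": 443, "protocol": "tcp",
    "lifecycle_days": 30, "switch": "allow",
}

# Constructed stand-ins for the per-device configuration files the page says are kept
# in cloud storage; the 'brand' attribute selects the mapping rule.
DEVICE_CONFIGS = {
    "fw-edge-1": {"brand": "vendor_a"},
    "fw-core-2": {"brand": "vendor_b"},
    "fw-lab-3": {"brand": "vendor_c"},     # no mapping rule exists for this brand
}


def read_device_attribute(device_id):
    """Operation S310: determine the device attribute from its configuration file."""
    return DEVICE_CONFIGS[device_id]["brand"]


def _to_vendor_a(p):
    """Mapping rule for an invented line-oriented vocabulary; port 0 renders as 'any'."""
    action = {"allow": "permit", "deny": "drop"}[p["switch"]]
    sport = "any" if p["src_port"] == 0 else f"eq {p['src_port']}"
    dport = "any" if p["dst_port"] == 0 else f"eq {p['dst_port']}"
    return (f"rule {p['name']} {action} {p['protocol']} "
            f"{p['src_ip']} {sport} {p['dst_ip']} {dport} expire {p['lifecycle_days']}d")


def _to_vendor_b(p):
    """Mapping rule for an invented JSON-configured device with its own key names."""
    def port_range(port):
        return {"from": 0, "to": 65535} if port == 0 else {"from": port, "to": port}
    return json.dumps({
        "policyName": p["name"],
        "action": "PERMIT" if p["switch"] == "allow" else "DENY",
        "protocol": p["protocol"].upper(),
        "source": {"address": p["src_ip"], "port": port_range(p["src_port"])},
        "destination": {"address": p["dst_ip"], "port": port_range(p["dst_port"])},
        "validityDays": p["lifecycle_days"],
    }, sort_keys=True)


MAPPING_RULES = {"vendor_a": _to_vendor_a, "vendor_b": _to_vendor_b}


def has_mapping_rule(brand):
    return brand in MAPPING_RULES


def convert_policy(policy, brand):
    """Operation S330: produce the second (device-format) policy.
    An unknown brand is refused here rather than written to a device that cannot parse it."""
    if not has_mapping_rule(brand):
        raise ValueError(f"no mapping rule for device brand {brand!r}")
    return MAPPING_RULES[brand](policy)


def fake_writer(device_id, text):
    """Constructed stand-in for the predetermined (Restconf/Netconf) interface:
    records what would have been written instead of pushing it to a device."""
    return {"device": device_id, "written": text}


def deploy_policy(device_id, policy, writer=fake_writer):
    """Operations S310 to S340 in sequence; returns a result dict with an 'ok' flag."""
    brand = read_device_attribute(device_id)
    try:
        device_policy = convert_policy(policy, brand)
    except ValueError as exc:
        return {"ok": False, "device": device_id, "reason": str(exc)}
    result = writer(device_id, device_policy)
    return {"ok": True, **result}


if __name__ == "__main__":
    for dev in ("fw-edge-1", "fw-core-2", "fw-lab-3"):
        print(deploy_policy(dev, UNIFIED_POLICY))
```

The mapping rules are deliberately the only place that knows a vendor's vocabulary; adding a device brand means adding one entry to `MAPPING_RULES`, and the plugin layer above never changes.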
As an optional embodiment, the method may, for example, further include the following operations. A firewall policy deletion request is received from the client. In response to the firewall policy deletion request, a preset policy deletion method is called. The policy deletion method is run to delete a third firewall policy deployed on the firewall device, the third firewall policy being the firewall policy that the firewall policy deletion request asks to delete.
It should be understood that in the embodiments of the present disclosure, the user can, for example, also use the client's user interface to delete the corresponding firewall policy in self-service fashion. Specifically, when deleting a firewall policy, the user can configure information such as the name or code of the firewall policy to be deleted in the firewall policy deletion request, and send it to the cloud service for processing.
Specifically, the cloud service can, in response to the firewall policy deletion request, call and run the policy deletion method so as to delete the firewall policy with the corresponding name or code from the corresponding firewall device. It should be understood that in the embodiments of the present disclosure, the means of calling the policy deletion method are similar to those of calling the policy creation method and are not repeated here.
As an optional embodiment, calling the preset policy deletion method may, for example, include the following operations. It is determined whether the third firewall policy is deployed on the firewall device. If it is determined that the third firewall policy is deployed on the firewall device, the preset policy deletion method is called.
For example, after receiving the firewall policy deletion request from the client, the cloud service can first call a preset policy lookup method and run it to query whether the policy the request asks to delete is stored in the cloud storage (such as neutron.db). If the policy the request asks to delete is stored there, it is determined that the firewall policy to be deleted is deployed on the corresponding firewall device.
It should be understood that if it is determined that the policy to be deleted is deployed on the firewall device, the policy deletion method is called to delete it; otherwise no processing is done and information about the request failure is returned.
It should be understood that in the embodiments of the present disclosure, the means of calling the policy lookup method are similar to those of calling the policy creation method and the policy deletion method and are not repeated here.
As an optional embodiment, the method may, for example, further include the following operations. A firewall policy update request is received from the client. In response to the firewall policy deletion request, a preset policy update method is called. The policy update method is run to update a fourth firewall policy deployed on the firewall device, the fourth firewall policy being the firewall policy that the firewall policy update request asks to update.
It should be understood that in the embodiments of the present disclosure, the user can, for example, also use the client's user interface to update the corresponding firewall policy in self-service fashion. Specifically, when updating a firewall policy, the user can configure information such as the name or code of the firewall policy to be updated, together with the parameters to be updated (such as the life cycle, switch information, source IP address or source port number), in the firewall policy update request, and send it to the cloud service for processing.
Specifically, the cloud service, in response to the firewall policy update request, can call and run the policy update method so that the firewall policy with the corresponding name or code is updated according to the parameters newly configured by the user, store the updated policy in the cloud storage, delete the pre-update policy from the firewall device, and deploy the updated policy on the firewall device. It should be understood that in the embodiments of the present disclosure, the means of calling the policy update method are similar to those of calling the policy creation, deletion and lookup methods and are not repeated here.
In addition, in the embodiments of the present disclosure, after receiving the firewall policy update request from the client, the cloud service can also first call the preset policy lookup method and run it to query whether the policy the request asks to update is stored in the cloud storage. If it is, it is determined that the firewall policy to be updated is deployed on the corresponding firewall device.
It should be understood that if it is determined that the policy to be updated is deployed on the firewall device, the policy update method is called to update it; otherwise no processing is done and information about the request failure is returned.
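The deletion and update flows described above, each preceded by the policy lookup, as an added Python example that is not part of the patent. One dict stands in for cloud storage (the page names neutron.db) and another for the policies each firewall device currently holds; the update keeps the order the page gives (store the new version, remove the old one from the device, deploy the new one) and restricts updates to the parameters the page lists. Function names, field names and the sample policy are assumptions.

```python
"""Added example (not from the patent): cloud-service handling of deletion and
update requests, each preceded by the policy lookup the page describes. Dicts stand
in for cloud storage (neutron.db) and for the policies held by each firewall device;
all function and field names are assumptions."""
import copy

# Constructed state: one policy recorded in cloud storage and deployed on fw-edge-1.
_POLICY = {"name": "web-out", "device": "fw-edge-1", "version": 1,
           "src_ip": "10.1.2.0/24", "src_port": 0, "dst_ip": "10.9.8.7/32",
           "dst_port": 443, "protocol": "tcp", "lifecycle_days": 30, "switch": "allow"}

UPDATABLE = {"lifecycle_days", "switch", "src_ip", "src_port"}  # parameters the page lists
SWITCH_STATES = {"allow", "deny"}


def fresh_state():
    """Return (cloud_storage, devices) copies so every run starts from the same state."""
    storage = {"web-out": copy.deepcopy(_POLICY)}
    devices = {"fw-edge-1": {"web-out": copy.deepcopy(_POLICY)}, "fw-core-2": {}}
    return storage, devices


def lookup_policy(storage, name):
    """Preset policy lookup method: a policy counts as deployed iff cloud storage has it."""
    return storage.get(name)


def delete_policy(storage, devices, request):
    """Deletion request: lookup first; return failure info if the policy is not deployed."""
    policy = lookup_policy(storage, request["name"])
    if policy is None:
        return {"ok": False, "reason": f"policy {request['name']!r} is not deployed"}
    # Remove it from the device it was deployed on, then from cloud storage.
    devices[policy["device"]].pop(policy["name"], None)
    del storage[policy["name"]]
    return {"ok": True, "deleted": policy["name"]}


def update_policy(storage, devices, request):
    """Update request: lookup first, validate the parameters, then store the new version,
    remove the old version from the device and deploy the new one."""
    policy = lookup_policy(storage, request["name"])
    if policy is None:
        return {"ok": False, "reason": f"policy {request['name']!r} is not deployed"}
    params = request.get("params", {})
    unknown = set(params) - UPDATABLE
    if unknown:
        return {"ok": False, "reason": f"parameters not updatable: {sorted(unknown)}"}
    if "switch" in params and params["switch"] not in SWITCH_STATES:
        return {"ok": False, "reason": f"unknown switch state {params['switch']!r}"}
    updated = copy.deepcopy(policy)
    updated.update(params)
    updated["version"] = policy["version"] + 1
    storage[updated["name"]] = updated          # updated policy stored in cloud storage
    device = devices[policy["device"]]
    device.pop(policy["name"], None)            # pre-update policy leaves the device
    device[updated["name"]] = updated           # updated policy is deployed
    return {"ok": True, "updated": updated}


if __name__ == "__main__":
    storage, devices = fresh_state()
    print(update_policy(storage, devices, {"name": "web-out", "params": {"switch": "deny"}}))
    print(delete_policy(storage, devices, {"name": "web-out"}))
    print(delete_policy(storage, devices, {"name": "web-out"}))   # second delete fails
```

Because both handlers refuse a request whose policy is absent from cloud storage, the storage record is the source of truth for what is deployed, which is what makes the later synchronization and backup interfaces meaningful.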
In addition, it should be noted that the embodiments of the present disclosure also provide the following interfaces in the plugin layer of the cloud service: a policy save interface, a policy synchronization interface and a hit-rate interface. A preset policy save method can be called through the policy save interface to save a firewall policy. A preset policy synchronization method can be called through the policy synchronization interface to synchronize firewall policies into the cloud storage for policy backup. A preset hit-rate calculation method can be called through the hit-rate interface to calculate the hit rate of a firewall policy (that is, the number of times a firewall policy has been used).
It should be understood that, in order to adapt to firewall devices of different attributes, the driver layer of the cloud service in the embodiments of the present disclosure also adaptively provides the following interfaces: a policy deletion interface, a policy update interface, a policy save interface, a policy synchronization interface and a hit-rate interface. It should further be understood that the corresponding policy methods can be called through these interfaces to perform format conversion.
Fig. 4 schematically illustrates a block diagram of a processing apparatus for firewall policies according to an embodiment of the present disclosure.
As shown in Fig. 4, the processing apparatus 400 for firewall policies may for example include a receiving module 401, a calling module 402 and a creation module 403. The processing apparatus may for example execute the method described above with reference to the method embodiment part, which is not repeated here.
Specifically, the receiving module 401 may for example be used to receive a firewall policy creation request from a client, the firewall policy creation request carrying the following information: the source IP address, source port number, destination IP address, destination port number and transport layer protocol targeted by the firewall policy, the life cycle of the firewall policy, and switch information.
The calling module 402 may for example be used to call a preset first policy creation method in response to the firewall policy creation request.
The creation module 403 may for example be used to process the information using the first policy creation method, so as to create a first firewall policy.
It should be noted that the embodiments of the apparatus part correspond to and are similar to the embodiments of the method part, and the technical effects achieved are correspondingly similar, so the details are not repeated here.
Any number of the modules according to an embodiment of the present disclosure, or at least part of the functions of any number of them, may be implemented in one module. Any one or more of the modules according to an embodiment of the present disclosure may be split into multiple modules for implementation. Any one or more of the modules or units according to an embodiment of the present disclosure may be at least partly implemented as a hardware circuit, for example a field programmable gate array (FPGA), a programmable logic array (PLA), a system on chip, a system on substrate, a system in package, an application specific integrated circuit (ASIC), or as hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or in any one of the three implementations of software, hardware and firmware, or in any appropriate combination of several of them. Alternatively, one or more of the modules according to an embodiment of the present disclosure may be at least partly implemented as a computer program module which, when run, can execute the corresponding function.
For example, any number of the receiving module 401, the calling module 402 and the creation module 403 may be combined and implemented in one module, or any one of them may be split into multiple modules. Alternatively, at least part of the functions of one or more of these modules may be combined with at least part of the functions of other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the receiving module 401, the calling module 402 and the creation module 403 may be at least partly implemented as a hardware circuit, such as a field programmable gate array (FPGA), a programmable logic array (PLA), a system on chip, a system on substrate, a system in package, an application specific integrated circuit (ASIC), or as hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or in any one of the three implementations of software, hardware and firmware, or in any appropriate combination of several of them. Alternatively, at least one of the receiving module 401, the calling module 402 and the creation module 403 may be at least partly implemented as a computer program module which, when run, can execute the corresponding function.
Fig. 5 schematically illustrates a block diagram of an electronic device according to an embodiment of the present disclosure. The electronic device shown in Fig. 5 is only an example and should not impose any restriction on the function and scope of use of the embodiments of the present disclosure.
As shown in Fig. 5, the electronic device 500 includes a processor 510 and a computer readable storage medium 520. The electronic device 500 can execute the method according to the embodiment of the present disclosure.
Specifically, the processor 510 may for example include a general purpose microprocessor, an instruction set processor and/or a related chipset and/or a special purpose microprocessor (for example an application specific integrated circuit (ASIC)), etc. The processor 510 may also include an onboard storage device used for caching. The processor 510 may be a single processing unit or multiple processing units for executing the different actions of the method flow according to the embodiment of the present disclosure.
The computer readable storage medium 520 may for example be a non-volatile computer readable storage medium; specific examples include but are not limited to: a magnetic storage device such as a magnetic tape or hard disk (HDD); an optical storage device such as a compact disc (CD-ROM); a memory such as a random access memory (RAM) or a flash memory; etc.
The computer readable storage medium 520 may include a computer program 521, which may include code/computer executable instructions that, when executed by the processor 510, cause the processor 510 to execute the method according to the embodiment of the present disclosure or any variant thereof.
The computer program 521 may be configured to have computer program code including, for example, computer program modules. For example, in an exemplary embodiment, the code in the computer program 521 may include one or more program modules, for example module 521A, module 521B, .... It should be noted that the division and number of modules are not fixed; those skilled in the art may use suitable program modules or combinations of program modules according to the actual situation, and when these combinations of program modules are executed by the processor 510, the processor 510 executes the method according to the embodiment of the present disclosure or any variant thereof.
According to an embodiment of the present disclosure, at least one of the receiving module 401, the calling module 402 and the creation module 403 may be implemented as a computer program module described with reference to Fig. 5, which, when executed by the processor 510, can implement the corresponding operations described above.
The present disclosure also provides a computer readable storage medium, which may be included in the device/apparatus/system described in the above embodiments, or may exist alone without being assembled into the device/apparatus/system. The above computer readable storage medium carries one or more programs which, when executed, implement the method according to the embodiment of the present disclosure.
The flowcharts and block diagrams in the drawings illustrate the architecture, functions and operations that may be implemented by systems, methods and computer program products according to the various embodiments of the present disclosure. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a part of code, and the above module, program segment or part of code includes one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions marked in the blocks may occur in an order different from that indicated in the drawings. For example, two blocks shown in succession may in fact be executed substantially in parallel, and they may sometimes be executed in the reverse order, depending on the functions involved. It should also be noted that each block in a block diagram or flowchart, and combinations of blocks in a block diagram or flowchart, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
Those skilled in the art will understand that, although the present disclosure has been shown and described with reference to certain exemplary embodiments, various changes in form and detail may be made to the present disclosure without departing from the spirit and scope of the present disclosure as defined by the following claims and their equivalents. Therefore, the scope of the present disclosure should not be limited to the above embodiments, but should be determined not only by the appended claims but also by the equivalents of the appended claims.

Claims (10)

1. A processing method for firewall policies, comprising:
receiving a firewall policy creation request from a client, the firewall policy creation request including the following information: the source IP address, source port number, destination IP address, destination port number and transport layer protocol targeted by the firewall policy, the life cycle of the firewall policy, and switch information;
in response to the firewall policy creation request, calling a preset first policy creation method; and
processing the information using the first policy creation method to create a first firewall policy.
2. The method according to claim 1, wherein the method further comprises:
determining an attribute of a firewall device;
calling a preset second policy creation method;
converting the first firewall policy, using the second policy creation method, into a second firewall policy matching the attribute of the firewall device; and
deploying the second firewall policy on the firewall device.
3. The method according to claim 2, wherein the method further comprises:
receiving a firewall policy deletion request from the client;
in response to the firewall policy deletion request, calling a preset policy deletion method; and
running the policy deletion method to delete a third firewall policy deployed on the firewall device, the third firewall policy being the firewall policy whose deletion is requested by the firewall policy deletion request.
4. The method according to claim 3, wherein said calling a preset policy deletion method comprises:
determining whether the third firewall policy is deployed on the firewall device; and
if it is determined that the third firewall policy is deployed on the firewall device, calling the preset policy deletion method.
5. The method according to claim 2, wherein the method further comprises:
receiving a firewall policy update request from the client;
in response to the firewall policy deletion request, calling a preset policy update method; and
running the policy update method to update a fourth firewall policy deployed on the firewall device, the fourth firewall policy being the firewall policy whose update is requested by the firewall policy update request.
6. The method according to claim 2, wherein said deploying the second firewall policy on the firewall device comprises:
writing the second firewall policy into the firewall device by calling a predetermined interface.
7. The method according to claim 1, wherein said calling a preset first policy creation method comprises:
calling the first policy creation method through a RESTful interface.
8. A processing apparatus for firewall policies, comprising:
a receiving module for receiving a firewall policy creation request from a client, the firewall policy creation request carrying the following information: the source IP address, source port number, destination IP address, destination port number and transport layer protocol targeted by the firewall policy, the life cycle of the firewall policy, and switch information;
a calling module for calling a preset first policy creation method in response to the firewall policy creation request; and
a creation module for processing the information using the first policy creation method to create a first firewall policy.
9. An electronic device, comprising:
one or more processors; and
a memory for storing one or more programs,
wherein, when the one or more programs are executed by the one or more processors, the one or more processors implement the method according to any one of claims 1 to 7.
10. A computer readable storage medium storing computer executable instructions which, when executed, implement the method according to any one of claims 1 to 7.
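As an added illustration of the claimed flow and of the hit rate interface described above (example code, not the patent's own implementation), the following sketch creates a device-independent first policy from a client request, converts it with a device-attribute-specific second creation method, deploys it, deletes it only after checking it is deployed, and keeps the per-policy use count that a hit rate interface would return. The two device formats, the request field names and the `enabled` flag standing in for the switch information are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class FirewallPolicy:
    """Device-independent first firewall policy; 'enabled' is an assumed stand-in for the switch information."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    lifecycle_days: int
    enabled: bool


def first_policy_creation(request: dict) -> FirewallPolicy:
    """First policy creation method: validate the client request and build the first policy (claim 1)."""
    proto = str(request["protocol"]).lower()
    if proto not in ("tcp", "udp"):
        raise ValueError("unsupported transport layer protocol: %r" % proto)
    for key in ("src_ip", "dst_ip"):
        ip_address(request[key])  # raises ValueError on a malformed address
    for key in ("src_port", "dst_port"):
        if not 0 <= int(request[key]) <= 65535:
            raise ValueError("%s out of range" % key)
    return FirewallPolicy(request["src_ip"], int(request["src_port"]),
                          request["dst_ip"], int(request["dst_port"]), proto,
                          int(request["lifecycle_days"]), bool(request["enabled"]))


def second_policy_creation(policy: FirewallPolicy, device_attr: str) -> str:
    """Second policy creation method: convert to the format matching the device attribute (claim 2). Both formats are hypothetical."""
    if device_attr == "iptables-like":
        action = "ACCEPT" if policy.enabled else "DROP"
        return ("-A FORWARD -p %s -s %s --sport %d -d %s --dport %d -j %s"
                % (policy.protocol, policy.src_ip, policy.src_port,
                   policy.dst_ip, policy.dst_port, action))
    if device_attr == "vendor-cli":
        action = "permit" if policy.enabled else "deny"
        return ("rule %s %s source %s %d destination %s %d"
                % (action, policy.protocol, policy.src_ip, policy.src_port,
                   policy.dst_ip, policy.dst_port))
    raise ValueError("no second creation method for device attribute %r" % device_attr)


class FirewallDevice:
    """Constructed stand-in for a firewall device behind the driver layer."""

    def __init__(self, attribute: str):
        self.attribute = attribute
        self.rules: dict = {}   # policy id -> rule in the device's own format
        self.hits: dict = {}    # policy id -> number of times the policy was used

    def deploy(self, policy_id: str, policy: FirewallPolicy) -> str:
        """Convert with the second creation method and write the rule into the device (claims 2 and 6)."""
        self.rules[policy_id] = second_policy_creation(policy, self.attribute)
        return self.rules[policy_id]

    def delete(self, policy_id: str) -> bool:
        """Policy deletion method: runs only if the policy is actually deployed (claims 3 and 4)."""
        if policy_id not in self.rules:
            return False
        self.rules.pop(policy_id)
        return True

    def record_hit(self, policy_id: str) -> None:
        self.hits[policy_id] = self.hits.get(policy_id, 0) + 1

    def hit_rate(self, policy_id: str) -> int:
        """Hit rate interface: the number of times the policy has been used."""
        return self.hits.get(policy_id, 0)
```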
CN201910705462.6A 2019-07-31 2019-07-31 Treating method and apparatus for firewall policy Pending CN110336834A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910705462.6A CN110336834A (en) 2019-07-31 2019-07-31 Treating method and apparatus for firewall policy


Publications (1)

Publication Number Publication Date
CN110336834A true CN110336834A (en) 2019-10-15

Family

ID=68148373


Country Status (1)

Country Link
CN (1) CN110336834A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191015