CN111049801A - Firewall strategy detection method - Google Patents


Publication number: CN111049801A
Authority: CN (China)
Prior art keywords: firewall, address, policy, field, detection method
Legal status: Granted
Application number: CN201911121211.XA
Other languages: Chinese (zh)
Other versions: CN111049801B (en)
Inventors: 凌子文, 刘翠媚, 陆庭辉, 吴毅良, 郭凤婵, 殷锦辉, 郝霞, 罗序良, 李文祺, 刘可欣, 尹婕
Current assignee: Guangdong Power Grid Co Ltd; Jiangmen Power Supply Bureau of Guangdong Power Grid Co Ltd
Original assignee: Guangdong Power Grid Co Ltd; Jiangmen Power Supply Bureau of Guangdong Power Grid Co Ltd

Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
        • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
        • H04L 43/50 Testing arrangements

Abstract

The invention relates to the technical field of information security, in particular to a firewall policy detection method comprising the following steps: S10, constructing a firewall policy database and a firewall log file, and analyzing how the address book information, policy configuration information and port information of the firewall's visual page are recorded and displayed; S20, extracting the IP addresses configured in the policy configuration information, converting each IP address into a specific numerical value or numerical range, and raising an alarm when an alarm rule is met; S30, analyzing the firewall log file recording mode from step S10, determining the meaning of the information stored in each field of the firewall log file, classifying the fields, and writing the field classification into the firewall policy database; and S40, storing the firewall policy database on the terminal for displaying and querying policy configuration information. The method can quickly and comprehensively acquire the firewall policy configuration information and supports fast queries; converting IP addresses into specific numerical values and comparing them numerically improves the speed at which the computer identifies policies.

Description

Firewall strategy detection method
Technical Field
The invention relates to the technical field of information security, in particular to a firewall policy detection method.
Background
Information security currently attracts much attention. Data security is a very important link in information security, and LAN security relies mainly on firewalls for management and control. In recent years access control has been one of the key points of network information security protection: a firewall must not retain redundant policies, must not be configured with excessively wide address fields or excessively wide port ranges, and must completely block high-risk ports. In addition, an enterprise-level firewall is configured with hundreds of access policies; manually detecting and checking their configuration is time-consuming and labor-intensive and leads to mistakes and omissions, which affects network stability and the safe operation of the information system.
At present, firewall policy detection and troubleshooting mainly face the following problems: (1) hundreds of network access policies are configured and in use on a firewall, and most firewalls require the administrator to name the source and destination IP addresses before configuring an access policy, so whenever the administrator needs to look up policies by IP address, the policy naming page and the policy configuration page must be switched back and forth repeatedly; this costs much time and effort, the labor cost is high, and errors are easy to make when several addresses need to be checked; (2) the firewall itself counts the number of times a policy is hit, and a failed policy shows a hit count of zero; however, according to information security requirements, staff must restart and switch over the firewall every month, after which the policy hit counts are cleared, so effective and failed policies cannot be distinguished, even though the access policies concern the operation of the global production network and have great influence; (3) each log entry output by the firewall has many fields, the volume of log data generated every day is huge, and the log file is a plain text document, which is not conducive to querying and analyzing the firewall log.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a firewall policy detection method, which can quickly acquire firewall configuration data, simultaneously acquire policy information and a policy hit number, can completely export the firewall information and can realize quick detection of firewall policy configuration.
In order to solve the technical problems, the invention adopts the technical scheme that:
the firewall policy detection method comprises the following steps:
S10, constructing a firewall policy database and a firewall log file, analyzing how the address book information, policy configuration information and port information of the firewall's visual page are recorded and displayed, and establishing a firewall data extraction mode;
S20, extracting the IP addresses configured in the policy configuration information by using a crawler tool and the matching function of the firewall policy database of step S10, converting each IP address into a specific numerical value or numerical range, and raising an alarm when the value or range meets an alarm rule;
S30, analyzing the firewall log file recording mode from step S10, determining the meaning of the information stored in each field of the firewall log file, classifying the fields, and writing the field classification into the firewall policy database;
and S40, storing the firewall policy database on the terminal for displaying and querying policy configuration information.
The firewall policy detection method can quickly and comprehensively acquire firewall configuration data such as policy ID, number of hits, source address name, source address IP, source port, destination address name, destination address IP, destination port and the like, is completely presented on a table after automatic matching, and can realize quick query through any information; and converting the IP address into a specific numerical value or a numerical value range, and comparing the numerical values, thereby improving the identification speed of the computer strategy.
Preferably, step S10 is performed as follows: regularly logging in to the firewall with a crawler to capture firewall data, the firewall data comprising the policy ID, number of hits, source address name, source address IP, source interface, destination address name, destination address IP and destination port; and matching the firewall data items with each other, displaying the matched data in a table and exporting it.
Preferably, step S20 is performed as follows:
S21, extracting the IP address configured in the policy configuration information and judging its kind: if it is a single IP address, it is calculated directly; if it is an IP address field (a range), the minimum and maximum values of the field are extracted;
S22, calculating and extracting the numerical values of the IP address and numbering them;
S23, summing and converting the numerical values of step S22 to obtain an IP conversion value;
S24, traversing all IP addresses, converting them to obtain conversion values N1 and N2, and comparing them; an alarm is given if the following rules are met: when N1 and N2 are both single addresses, an alarm is given if N1 = N2; when N1 is a single address and N2 is an address field, an alarm is given if N2min ≤ N1 ≤ N2max; when N1 and N2 are both address fields, an alarm is given if either
[equation image BDA0002275522930000021]
or
[equation image BDA0002275522930000022]
is satisfied.
Preferably, in step S22, according to the characteristics of IPv4 addresses, each IPv4 address is 4 bytes (32-bit binary) separated by ".", so an IPv4 address is expressed as (P1.P2.P3.P4); the decimal numbers converted from the 4 groups of 8-bit binary are extracted by splitting at the dots, the extracted values are denoted P1, P2, P3 and P4 respectively, and 0 ≤ P1, P2, P3, P4 ≤ 256.
Preferably, in step S22, a position number i is assigned to the 4 values P1, P2, P3 and P4 calculated in the first step, namely: i(P1) = 0, i(P2) = 1, i(P3) = 2 and i(P4) = 3.
Preferably, in step S23, the values are summed and converted into the IP conversion value according to the formula $N = \sum \frac{P}{256} \times 256^{3-i}$, where N is the conversion value, P is an IP address extraction value and i is the number of that extraction value.
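The conversion and comparison of steps S21 to S24 in working Python, as an added example that is not the patent's code (the patent's own implementation is in C# and is not reproduced on this page). The Policy record, the CIDR and "first-last" range notations, and the max_hosts width threshold are assumptions for the example; octet P_i is weighted by 256^(3-i) so that N is the ordinary 32-bit integer value of the address.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    """One policy row as captured in step S10 (field set assumed for this example)."""
    policy_id: str
    hits: int
    src: str  # configured source: single IP, CIDR block, or "first-last" range
    dst: str  # configured destination, same notations


def octets(addr):
    """S22: split a dotted IPv4 string into P1..P4, numbered i = 0..3 by position."""
    parts = addr.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {addr!r}")
    return [int(p) for p in parts]


def ip_value(addr):
    """S23: weight octet P_i by 256**(3-i) and sum, giving the 32-bit integer N."""
    return sum(p * 256 ** (3 - i) for i, p in enumerate(octets(addr)))


def to_range(field):
    """S21: map a configured address field to (Nmin, Nmax).

    A single address yields Nmin == Nmax; a CIDR block or "first-last" range
    yields the smallest and largest address of the field (notations assumed).
    """
    field = field.strip()
    if "-" in field:
        lo, hi = (ip_value(part) for part in field.split("-", 1))
        if lo > hi:
            raise ValueError(f"reversed range: {field!r}")
        return lo, hi
    if "/" in field:
        net = ipaddress.IPv4Network(field, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    n = ip_value(field)
    return n, n


def overlaps(r1, r2):
    """S24 alarm rules applied to two converted values/ranges."""
    (a_lo, a_hi), (b_lo, b_hi) = r1, r2
    if a_lo == a_hi and b_lo == b_hi:      # both single addresses: N1 == N2
        return a_lo == b_lo
    if a_lo == a_hi:                        # single vs field: N2min <= N1 <= N2max
        return b_lo <= a_lo <= b_hi
    if b_lo == b_hi:                        # field vs single, the symmetric case
        return a_lo <= b_lo <= a_hi
    return a_lo <= b_hi and b_lo <= a_hi    # both fields: the intervals intersect


def find_overlapping_policies(policies):
    """Traverse every pair of policies (S24) and alarm on those whose source and
    destination fields both overlap, i.e. candidates for redundant policies."""
    alarms = []
    for i, p in enumerate(policies):
        for q in policies[i + 1:]:
            if overlaps(to_range(p.src), to_range(q.src)) and \
               overlaps(to_range(p.dst), to_range(q.dst)):
                alarms.append((p.policy_id, q.policy_id))
    return alarms


def too_wide(field, max_hosts=256):
    """Flag an excessively wide address field; the threshold is an assumed parameter."""
    lo, hi = to_range(field)
    return hi - lo + 1 > max_hosts


# Constructed sample policies for the example (not real configuration data).
POLICIES = [
    Policy("P-001", 1200, "10.1.2.3", "192.168.10.0/24"),
    Policy("P-002", 0, "10.1.2.0/24", "192.168.10.5"),
    Policy("P-003", 15, "172.16.0.1-172.16.0.50", "192.168.20.0/24"),
    Policy("P-004", 3, "10.0.0.0/8", "192.168.30.1"),
]

if __name__ == "__main__":
    print(ip_value("10.1.2.3"))                                  # 167838211
    print(find_overlapping_policies(POLICIES))                   # [('P-001', 'P-002')]
    print([p.policy_id for p in POLICIES if too_wide(p.src)])    # ['P-004']
```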
Preferably, step S30 is performed as follows: importing the firewall log file, splitting the log fields, and storing the log fields in the firewall policy database grouped by field category.
Preferably, the firewall log files are sorted by field using scripts.
Preferably, the field types include a numerical type, a character string type and a date type, and the fields can be divided into a date field, an src field, a dst field, a Sport field and a smac field.
Preferably, in step S40, when the policy configuration information is queried, the query is performed by keyword matching.
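Steps S30 and S40 as an added Python example (not the patent's C#/WinForms tool): log lines are split into typed fields, loaded into an in-memory SQLite table that stands in for the firewall policy database, and queried by keyword. The key=value log layout, the field set and the table name are assumptions for the example.

```python
import sqlite3
from datetime import date

# Constructed sample log lines in key=value form; the patent gives no log layout,
# so this format is an assumption for the example.
LOG_LINES = [
    "date=2019-11-15 time=08:01:12 src=10.1.2.3 dst=192.168.10.5 sport=51234 dport=445 smac=00:11:22:33:44:55 action=deny",
    "date=2019-11-15 time=08:01:15 src=10.1.2.9 dst=192.168.10.7 sport=40001 dport=443 smac=00:11:22:33:44:66 action=permit",
    "date=2019-11-16 time=09:30:00 src=172.16.0.4 dst=192.168.20.1 sport=33000 dport=22 smac=00:aa:bb:cc:dd:ee action=permit",
]

# S30 field classification: date type, numerical type, everything else string type.
DATE_FIELDS = {"date"}
NUMERIC_FIELDS = {"sport", "dport"}
COLUMNS = ["date", "time", "src", "dst", "sport", "dport", "smac", "action"]

# LIKE clause per column; the ESCAPE character lets the keyword be matched literally.
LIKE_CLAUSE = "CAST(\"{}\" AS TEXT) LIKE ? ESCAPE '\\'"


def split_fields(line):
    """S30: split one log line into a record, converting each field by its category."""
    record = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed token {token!r}")
        if key in DATE_FIELDS:
            record[key] = date.fromisoformat(value)
        elif key in NUMERIC_FIELDS:
            record[key] = int(value)
        else:
            record[key] = value
    missing = [c for c in COLUMNS if c not in record]
    if missing:
        raise ValueError(f"log line lacks fields {missing}: {line!r}")
    return record


def build_database(lines):
    """Load the split records into an in-memory SQLite table (the firewall policy
    database of the text); numeric fields get INTEGER columns, the rest TEXT."""
    conn = sqlite3.connect(":memory:")
    cols = ", ".join('"{}" {}'.format(c, "INTEGER" if c in NUMERIC_FIELDS else "TEXT")
                     for c in COLUMNS)
    conn.execute("CREATE TABLE fw_log ({})".format(cols))
    rows = []
    for line in lines:
        rec = split_fields(line)
        rows.append(tuple(rec[c].isoformat() if c in DATE_FIELDS else rec[c] for c in COLUMNS))
    placeholders = ", ".join("?" for _ in COLUMNS)
    conn.executemany("INSERT INTO fw_log VALUES ({})".format(placeholders), rows)
    return conn


def like_pattern(keyword):
    """Escape the LIKE wildcards % and _ so the keyword is matched as plain text."""
    escaped = keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return "%" + escaped + "%"


def query_keyword(conn, keyword):
    """S40: substring-match a keyword against every field and return the hits as
    (src, dst, dport, action) tuples. Column names come only from the fixed COLUMNS
    list; the user-supplied keyword travels as a bound parameter."""
    where = " OR ".join(LIKE_CLAUSE.format(c) for c in COLUMNS)
    sql = ('SELECT "src", "dst", "dport", "action" FROM fw_log WHERE {} '
           'ORDER BY "date", "time"').format(where)
    return conn.execute(sql, [like_pattern(keyword)] * len(COLUMNS)).fetchall()


def port_hits(conn, dport):
    """Typed query on the INTEGER dport column: entries to one destination port."""
    sql = 'SELECT "src", "dst", "action" FROM fw_log WHERE "dport" = ? ORDER BY "date", "time"'
    return conn.execute(sql, (dport,)).fetchall()


if __name__ == "__main__":
    db = build_database(LOG_LINES)
    print(query_keyword(db, "192.168.10"))   # two entries towards 192.168.10.0/24
    print(port_hits(db, 445))                # [('10.1.2.3', '192.168.10.5', 'deny')]
```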
Compared with the prior art, the invention has the beneficial effects that:
The firewall policy detection method can quickly and comprehensively acquire firewall configuration data such as the policy ID, number of hits, source address name, source address IP, source port, destination address name, destination address IP and destination port, presents all of it in a table after automatic matching, and allows fast queries on any of this information; the invention converts IP addresses into specific numerical values or numerical ranges and judges the alarm condition by numerical comparison, thereby improving the speed of policy identification.
Drawings
FIG. 1 is a flow diagram of firewall policy capture and detection;
FIG. 2 is a flow chart of the firewall log file query.
Detailed Description
The present invention will be further described with reference to the following embodiments.
Examples
Fig. 1 to fig. 2 show an embodiment of a firewall policy detection method according to the present invention, which includes the following steps:
S10, constructing a firewall policy database and a firewall log file, analyzing how the address book information, policy configuration information and port information of the firewall's visual page are recorded and displayed, and establishing a firewall data extraction mode;
S20, extracting the IP addresses configured in the policy configuration information by using a crawler tool and the matching function of the firewall policy database of step S10, converting each IP address into a specific numerical value or numerical range, and raising an alarm when the value or range meets the alarm rule;
S30, analyzing the firewall log file recording mode from step S10, determining the meaning of the information stored in each field of the firewall log file, classifying the fields, and writing the field classification into the firewall policy database;
and S40, storing the firewall policy database on the terminal for displaying and querying policy configuration information.
Step S10 is performed as follows: regularly logging in to the firewall with a crawler to capture firewall data, the firewall data comprising the policy ID, number of hits, source address name, source address IP, source interface, destination address name, destination address IP and destination port; and matching the firewall data items with each other, displaying the matched data in a table and exporting it.
Step S20 is performed as follows:
S21, extracting the IP address configured in the policy configuration information and judging its kind: if it is a single IP address, it is calculated directly; if it is an IP address field (a range), the minimum and maximum values of the field are extracted;
S22, calculating and extracting the numerical values of the IP address and numbering them;
S23, summing and converting the numerical values of step S22 to obtain an IP conversion value;
S24, traversing all IP addresses, converting them to obtain conversion values N1 and N2, and comparing them; an alarm is given if the following rules are met: when N1 and N2 are both single addresses, an alarm is given if N1 = N2; when N1 is a single address and N2 is an address field, an alarm is given if N2min ≤ N1 ≤ N2max; when N1 and N2 are both address fields, an alarm is given if either
[equation image BDA0002275522930000042]
or
[equation image BDA0002275522930000043]
is satisfied.
In step S22, according to the characteristics of IPv4 addresses, each IPv4 address is 4 bytes (32-bit binary) separated by "·", so an IPv4 address is expressed as (P1.P2.P3.P4); the decimal numbers converted from the 4 groups of 8-bit binary are extracted by splitting at the dots, and the implementation code is:
The extracted values are denoted P1, P2, P3 and P4, and 0 ≤ P1, P2, P3, P4 ≤ 256.
In step S22, a position number i is assigned to the 4 values P1, P2, P3 and P4 calculated in the first step, namely: i(P1) = 0, i(P2) = 1, i(P3) = 2 and i(P4) = 3.
In step S23, the values are summed and converted according to the formula $N = \sum \frac{P}{256} \times 256^{3-i}$ to obtain the IP conversion value, where N is the conversion value, P is the IP address extraction value and i is the number of that extraction value. The core code implementing this formula in C# is:
[code image BDA0002275522930000041]
[code image BDA0002275522930000051]
Step S30 is performed as follows: importing the firewall log file, splitting the log fields, and storing the log fields in the firewall policy database grouped by field category. The firewall log files are classified by field using scripts; the field types comprise a numerical type, a character string type and a date type, and the fields can be divided into a date field, an src field, a dst field, a Sport field and a smac field.
In step S40, when the policy configuration information is queried, the query is performed by keyword matching. Those skilled in the art can develop a desktop tool based on C#/WinForms; opening the tool on the desktop conveniently provides query and display of the firewall information.
Through the steps, the firewall configuration data can be rapidly acquired, the strategy information and the strategy number of hits are acquired, the firewall information can be completely exported, and the firewall strategy configuration can be rapidly detected.
It should be understood that the above-described embodiments of the present invention are merely examples for clearly illustrating the present invention, and are not intended to limit the embodiments of the present invention. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. And are neither required nor exhaustive of all embodiments. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the claims of the present invention.

Claims (10)

1. A firewall policy detection method is characterized by comprising the following steps:
S10, constructing a firewall policy database and a firewall log file, analyzing how the address book information, policy configuration information and port information of the firewall's visual page are recorded and displayed, and establishing a firewall data extraction mode;
S20, extracting the IP addresses configured in the policy configuration information by using a crawler tool and the matching function of the firewall policy database of step S10, converting each IP address into a specific numerical value or numerical range, and raising an alarm when the value or range meets an alarm rule;
S30, analyzing the firewall log file recording mode from step S10, determining the meaning of the information stored in each field of the firewall log file, classifying the fields, and writing the field classification into the firewall policy database;
and S40, storing the firewall policy database on the terminal for displaying and querying policy configuration information.
2. The firewall policy detection method according to claim 1, wherein step S10 is performed as follows: regularly logging in to the firewall with a crawler to capture firewall data, the firewall data comprising the policy ID, number of hits, source address name, source address IP, source interface, destination address name, destination address IP and destination port; and matching the firewall data items with each other, displaying the matched data in a table and exporting it.
3. The firewall policy detection method according to claim 1, wherein step S20 is performed according to the following steps:
S21, extracting the IP address configured in the policy configuration information and judging its kind: if it is a single IP address, it is calculated directly; if it is an IP address field (a range), the minimum and maximum values of the field are extracted;
S22, calculating and extracting the numerical values of the IP address and numbering them;
S23, summing and converting the numerical values of step S22 to obtain an IP conversion value;
S24, traversing all IP addresses, converting them to obtain conversion values N1 and N2, and comparing them; an alarm is given if the following rules are met: when N1 and N2 are both single addresses, an alarm is given if N1 = N2; when N1 is a single address and N2 is an address field, an alarm is given if N2min ≤ N1 ≤ N2max; when N1 and N2 are both address fields, an alarm is given if either
[equation image FDA0002275522920000011]
or
[equation image FDA0002275522920000012]
is satisfied.
4. The firewall policy detection method according to claim 3, wherein in step S22, according to the characteristics of IPv4 addresses, each IPv4 address is 4 bytes (32-bit binary) separated by "." and is represented as (P1.P2.P3.P4); the decimal numbers converted from the 4 groups of 8-bit binary are extracted by splitting at the dots, the extracted values are represented as P1, P2, P3 and P4 respectively, and 0 ≤ P1, P2, P3, P4 ≤ 256.
5. The firewall policy detection method according to claim 4, wherein in step S22, a position number i is assigned to the 4 values P1, P2, P3 and P4 calculated in the first step, namely: i(P1) = 0, i(P2) = 1, i(P3) = 2 and i(P4) = 3.
6. The firewall policy detection method according to claim 5, wherein in step S23, the values are summed and converted according to the formula $N = \sum \frac{P}{256} \times 256^{3-i}$ to obtain the IP conversion value, where N is the conversion value, P is an IP address extraction value and i is the number of that extraction value.
7. The firewall policy detection method according to any one of claims 1 to 6, wherein step S30 is performed as follows: importing the firewall log file, splitting the log fields, and storing the log fields in the firewall policy database grouped by field category.
8. The firewall policy detection method according to claim 7, wherein the firewall log files are classified by field using a script.
9. The firewall policy detection method according to claim 8, wherein the field categories comprise a numerical category, a string category and a date category.
10. The firewall policy detection method according to claim 8, wherein in step S40, when the policy configuration information is queried, the query is performed by keyword matching.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201911121211.XA (CN111049801B, en) | 2019-11-15 | 2019-11-15 | Firewall strategy detection method

Publications (2)

Publication Number | Publication Date
CN111049801A (en) | 2020-04-21
CN111049801B (en) | 2022-02-11

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111970275A (en) * 2020-08-14 2020-11-20 中国工商银行股份有限公司 Data processing method, device, computing equipment and medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100058442A1 (en) * 2006-12-29 2010-03-04 Luciana Costa Method and system for enforcing security polices in manets
CN103577307A (en) * 2013-11-07 2014-02-12 浙江中烟工业有限责任公司 Method for automatically extracting and analyzing firewall logs based on XML rule model
CN104270384A (en) * 2014-10-20 2015-01-07 山石网科通信技术有限公司 Fire wall policy redundancy detection method and device
CN105721188A (en) * 2014-12-04 2016-06-29 北京神州泰岳信息安全技术有限公司 Firewall strategy check method and system
US20190260806A1 (en) * 2007-05-30 2019-08-22 Cupp Computing As System and method for providing network and computer firewall protection with dynamic address isolation to a device
CN110430159A (en) * 2019-06-20 2019-11-08 国网辽宁省电力有限公司信息通信分公司 A kind of excessive method for early warning of Platform Server firewall policy range of opening

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant