CN111049801B - Firewall strategy detection method - Google Patents
- Publication number: CN111049801B (application CN201911121211.XA)
- Authority: CN (China)
- Prior art keywords: firewall, address, policy, field, detection method
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls (H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security)
- H04L43/50—Testing arrangements (H04L43/00—Arrangements for monitoring or testing data switching networks, under the same H04L section)
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general (under H04L63/00)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention belongs to the field of information security and provides a firewall policy detection method with the following steps: S10, build a firewall policy database and a firewall log file, and analyse how the firewall's visual page records and displays address-book information, policy configuration information and port information; S20, extract the IP addresses configured in the policy configuration information, convert each into a specific numeric value or numeric range, and raise an alarm when an alarm rule is met; S30, analyse the log-file record format from step S10, determine the meaning of the information stored in each log field, classify the fields, and write the classification into the firewall policy database; and S40, store the firewall policy database on the terminal for displaying and querying policy configuration information. The method acquires the firewall policy configuration quickly and completely and supports fast queries; converting the IP addresses into numeric values lets the policy check be carried out by numeric comparison, which makes policy identification faster.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a firewall policy detection method.
Background
Information security currently receives much attention; data security is an important part of it, and LAN security relies mainly on firewalls for management and control. In recent years access control has become one of the key points of network security protection: a firewall must not retain redundant policies, must not be configured with excessively wide address ranges or excessively wide port ranges, and must completely block high-risk ports. An enterprise-level firewall carries hundreds of access policies, so checking their configuration manually is time- and labour-intensive and prone to mistakes and omissions, which affects network stability and the safe operation of the information system.
At present firewall policy detection and troubleshooting have the following main problems: (1) hundreds of network access policies are configured in the firewall, and most firewalls require the administrator to name the source and destination IP addresses before configuring an access policy, so querying policies by IP means switching repeatedly between the address-naming and policy-configuration pages, which costs time and effort, raises labour cost, and is error-prone when many addresses have to be checked; (2) the firewall counts the hits on each policy, and a policy that has become defunct shows zero hits, but security requirements oblige staff to restart and switch over the firewall every month, which clears the hit counters, so effective and defunct policies cannot be told apart, and since access policies affect the whole production network this has a large impact; (3) each log record has many fields, the volume of log data produced every day is huge, and the log file is a plain text document, which is unsuitable for querying and analysing firewall logs.
Disclosure of Invention
The invention aims to overcome these defects of the prior art with a firewall policy detection method that acquires firewall configuration data quickly, obtains policy information together with policy hit counts, exports the firewall information completely, and detects problems in the firewall policy configuration quickly.
In order to solve the technical problems, the invention adopts the technical scheme that:
the firewall policy detection method comprises the following steps:
S10, constructing a firewall policy database and a firewall log file, analysing how the firewall's visual page records and displays address-book information, policy configuration information and port information, and establishing a firewall data extraction method;
S20, extracting the IP addresses configured in the policy configuration information with a crawler tool and the matching function of the firewall policy database of step S10, converting each IP address into a specific numeric value or numeric range, and raising an alarm when that value or range satisfies an alarm rule;
S30, analysing the firewall log file record format from step S10, determining the meaning of the information stored in each log field, classifying the fields, and writing the field classification into the firewall policy database;
and S40, storing the firewall policy database on the terminal for displaying and querying policy configuration information.
The method quickly and completely acquires firewall configuration data such as policy ID, hit count, source address name, source address IP, source port, destination address name, destination address IP and destination port, presents all of it in a table after automatic matching, and allows fast queries on any of these items; converting the IP addresses into numeric values or numeric ranges and comparing the numbers speeds up the policy check.
Preferably, step S10 is performed as follows: log in to the firewall at regular intervals with a crawler and capture firewall data comprising policy ID, hit count, source address name, source address IP, source interface, destination address name, destination address IP and destination port; match these data against each other, display the matched data in a table and export them.
Preferably, step S20 is performed as follows:
S21, extracting the IP address configured in the policy configuration information and judging its form: a single IP address is calculated directly; for an IP address range, the minimum and maximum addresses of the range are extracted;
S22, calculating and extracting the numeric values of the IP address and numbering them;
S23, summing and converting the values from step S22 to obtain the IP conversion value;
S24, traversing all IP addresses and converting each to its conversion value N, comparing the conversion values $N_1$ and $N_2$ of any two IP addresses, and raising an alarm when the following rules are satisfied: when $N_1$ and $N_2$ are both single addresses, alarm if $N_1 = N_2$; when $N_1$ is a single address and $N_2$ is an address range, alarm if $N_{2\min} \le N_1 \le N_{2\max}$; when $N_1$ and $N_2$ are both address ranges, alarm if either of two range conditions (omitted from the text here) is satisfied.
Preferably, in step S22, according to the structure of an IPv4 address, each IPv4 address is 4 bytes (32 bits) written as four dotted decimal groups, IPv4 = (P1.P2.P3.P4); the decimal values of the four 8-bit groups are extracted by removing the dots and denoted P1, P2, P3 and P4, with 0 ≤ P1, P2, P3, P4 ≤ 255.
Preferably, in step S22, a position number i is assigned to the four values P1, P2, P3, P4 obtained in the previous step: i(P1) = 0, i(P2) = 1, i(P3) = 2, i(P4) = 3.
Preferably, in step S23, the values are summed and converted into the IP conversion value by the formula $N = \sum \frac{P}{256} \times 256^{3-i}$, where N is the conversion value, P is an extracted IP address value and i is the position number of that value. N is therefore the 32-bit integer value of the address divided by 256, so the numeric order of the conversion values matches the order of the addresses.
Preferably, step S30 is performed as follows: importing the firewall log file, splitting each log record into fields, and storing the fields in the firewall policy database grouped by field category.
Preferably, the firewall log files are sorted into fields using scripts.
Preferably, the field categories are numeric, string and date, and the fields can be divided into a date field, a src (source address) field, a dst (destination address) field, a sport (source port) field and a smac (source MAC address) field.
Preferably, in step S40, the policy configuration information is queried by keyword matching.
Compared with the prior art, the invention has the following beneficial effects:
the firewall policy detection method quickly and completely acquires firewall configuration data such as policy ID, hit count, source address name, source address IP, source port, destination address name, destination address IP and destination port, presents all of it in a table after automatic matching, and allows fast queries on any of these items; the IP addresses are converted into specific numeric values or numeric ranges and the alarm conditions are judged by numeric comparison, which speeds up policy identification.
Drawings
FIG. 1 is a flow diagram of firewall policy capture and detection;
FIG. 2 is a flow chart of the firewall log file query.
Detailed Description
The present invention will be further described with reference to the following embodiments.
Examples
FIG. 1 and FIG. 2 show an embodiment of the firewall policy detection method according to the invention, which comprises the following steps:
S10, constructing a firewall policy database and a firewall log file, analysing how the firewall's visual page records and displays address-book information, policy configuration information and port information, and establishing a firewall data extraction method;
S20, extracting the IP addresses configured in the policy configuration information with a crawler tool and the matching function of the firewall policy database of step S10, converting each IP address into a specific numeric value or numeric range, and raising an alarm when that value or range satisfies the alarm rule;
S30, analysing the firewall log file record format from step S10, determining the meaning of the information stored in each log field, classifying the fields, and writing the field classification into the firewall policy database;
and S40, storing the firewall policy database on the terminal for displaying and querying policy configuration information.
Step S10 is performed as follows: log in to the firewall at regular intervals with a crawler and capture firewall data comprising policy ID, hit count, source address name, source address IP, source interface, destination address name, destination address IP and destination port; match these data against each other, display the matched data in a table and export them.
Step S20 is performed as follows:
S21, extracting the IP address configured in the policy configuration information and judging its form: a single IP address is calculated directly; for an IP address range, the minimum and maximum addresses of the range are extracted;
S22, calculating and extracting the numeric values of the IP address and numbering them;
S23, summing and converting the values from step S22 to obtain the IP conversion value;
S24, traversing all IP addresses and converting each to its conversion value N, comparing the conversion values $N_1$ and $N_2$ of any two IP addresses, and raising an alarm when the following rules are satisfied: when $N_1$ and $N_2$ are both single addresses, alarm if $N_1 = N_2$; when $N_1$ is a single address and $N_2$ is an address range, alarm if $N_{2\min} \le N_1 \le N_{2\max}$; when $N_1$ and $N_2$ are both address ranges, alarm if either of two range conditions (omitted from the text here) is satisfied.
In step S22, according to the structure of an IPv4 address, each IPv4 address is 4 bytes (32 bits) written as four dotted decimal groups, IPv4 = (P1.P2.P3.P4); the decimal values of the four 8-bit groups are extracted by removing the dots and denoted P1, P2, P3 and P4, with 0 ≤ P1, P2, P3, P4 ≤ 255 (the implementation code is not reproduced on this page).
In step S22, a position number i is assigned to the four values P1, P2, P3, P4 obtained in the previous step: i(P1) = 0, i(P2) = 1, i(P3) = 2, i(P4) = 3.
In step S23, the values are summed and converted into the IP conversion value by the formula $N = \sum \frac{P}{256} \times 256^{3-i}$, where N is the conversion value, P is an extracted IP address value and i is the position number of that value. N is therefore the 32-bit integer value of the address divided by 256, so comparing conversion values compares addresses. The core C# code that implements this formula is not reproduced on this page.
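The following Python block is an added example written for this page; it is not the patent's code (the patent refers to a C# implementation that is not reproduced here). It carries steps S21 to S24 and the S23 formula through on constructed sample policy entries: each address is de-dotted into P1..P4, converted to N = Σ (P/256) × 256^(3−i), and every pair of entries is checked against the S24 alarm rules. The policy IDs, the "a-b" range syntax, the CIDR support and the interval-overlap test used for the two-range case (whose conditions are missing from the text above) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple


def octets(addr: str) -> Tuple[int, ...]:
    """Step S22: remove the dots of an IPv4 string and return (P1, P2, P3, P4),
    checking that each group is a decimal value in 0..255."""
    parts = addr.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted IPv4 address: {addr!r}")
    values = tuple(int(p) for p in parts)
    if any(not 0 <= p <= 255 for p in values):
        raise ValueError(f"octet out of range in {addr!r}")
    return values


def ip_value(addr: str) -> float:
    """Step S23: N = sum over i = 0..3 of (P_i / 256) * 256 ** (3 - i).
    This equals the 32-bit integer value of the address divided by 256; it is
    exact in a double and preserves address order, so every later check is a
    plain numeric comparison."""
    return sum(p / 256 * 256 ** (3 - i) for i, p in enumerate(octets(addr)))


@dataclass(frozen=True)
class AddrValue:
    policy_id: str
    text: str
    lo: float
    hi: float

    @property
    def single(self) -> bool:
        return self.lo == self.hi


def parse_entry(policy_id: str, text: str) -> AddrValue:
    """Step S21: a single address converts directly; a range "a-b" keeps its
    minimum and maximum. CIDR notation is accepted as well, which goes beyond
    the a-b ranges the patent text describes (assumption)."""
    text = text.strip()
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)
        lo, hi = str(net[0]), str(net[-1])
    elif "-" in text:
        lo, hi = (part.strip() for part in text.split("-", 1))
    else:
        lo = hi = text
    n_lo, n_hi = ip_value(lo), ip_value(hi)
    if n_lo > n_hi:
        raise ValueError(f"range is reversed: {text!r}")
    return AddrValue(policy_id, text, n_lo, n_hi)


def conflict(a: AddrValue, b: AddrValue) -> Optional[str]:
    """Step S24 alarm rules for one pair; returns the reason or None."""
    if a.single and b.single:
        return "duplicate address" if a.lo == b.lo else None
    if a.single != b.single:
        point, rng = (a, b) if a.single else (b, a)
        return "address inside range" if rng.lo <= point.lo <= rng.hi else None
    # Both are ranges. The patent's two conditions for this case are not
    # reproduced on the page; the usual interval-overlap test is assumed.
    return "ranges overlap" if a.lo <= b.hi and b.lo <= a.hi else None


def scan(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Step S24: convert every configured address, compare all pairs and
    collect (policy A, policy B, reason) alarms."""
    values = [parse_entry(pid, text) for pid, text in entries]
    alarms = []
    for a, b in combinations(values, 2):
        reason = conflict(a, b)
        if reason is not None:
            alarms.append((a.policy_id, b.policy_id, reason))
    return alarms


# Constructed sample: source-address entries of six hypothetical policies.
SAMPLE_POLICIES = [
    ("P001", "10.1.2.3"),
    ("P002", "10.1.2.3"),               # same single address as P001
    ("P003", "10.1.2.0-10.1.2.255"),    # range containing P001 and P002
    ("P004", "10.1.3.0/24"),            # CIDR form of a range
    ("P005", "10.1.2.200-10.1.3.20"),   # straddles P003 and P004
    ("P006", "172.16.0.9"),             # unrelated address, no alarm
]

if __name__ == "__main__":
    for policy_a, policy_b, reason in scan(SAMPLE_POLICIES):
        print(f"ALARM {policy_a} vs {policy_b}: {reason}")
```

Run against the sample it reports five alarms (the duplicate pair, the two single addresses inside P003, and the two ranges that P005 straddles) and nothing for P006. The octet check in octets() is what turns a malformed address-book entry such as 10.1.2.256 into a hard error rather than a silently wrong conversion value.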
Step S30 is performed as follows: import the firewall log file, split each log record into fields, and store the fields in the firewall policy database grouped by field category. The firewall log files are sorted into fields using scripts; the field categories are numeric, string and date, and the fields can be divided into a date field, a src (source address) field, a dst (destination address) field, a sport (source port) field and a smac (source MAC address) field.
In step S40, the policy configuration information is queried by keyword matching. Those skilled in the art can develop a desktop tool based on C#/WinForms; when the tool is opened on the desktop, firewall information can be queried and displayed conveniently.
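Added example for steps S30 and S40, written for this page and not taken from the patent (whose tool the text describes only as a C#/WinForms program): constructed log records in an assumed key=value layout are split into fields, each field is assigned the numeric, string or date category, the records are written into a database table typed by category, and a keyword query searches every column. The field names, the log layout, the date format and the use of an in-memory SQLite table as the policy database are assumptions.

```python
import re
import sqlite3
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log: three records in an assumed key=value layout. Real
# firewall logs use vendor-specific layouts, so split_fields() is the part a
# deployment would replace.
SAMPLE_LOG = """\
date=2019-11-15T08:01:02 policyid=101 src=10.1.2.3 dst=172.16.5.7 sport=51234 dport=443 smac=00:11:22:33:44:55 action=accept
date=2019-11-15T08:01:05 policyid=102 src=10.1.2.9 dst=172.16.5.7 sport=51240 dport=22 smac=00:11:22:33:44:66 action=deny
date=2019-11-15T08:02:11 policyid=101 src=10.1.2.3 dst=8.8.8.8 sport=51250 dport=53 smac=00:11:22:33:44:55 action=accept
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")   # \w+ keys cannot carry SQL metacharacters
DATE_FORMAT = "%Y-%m-%dT%H:%M:%S"       # assumed timestamp layout
SQL_TYPE = {"numeric": "INTEGER", "date": "TEXT", "string": "TEXT"}
LIKE_ESCAPE = "ESCAPE '\\'"


def split_fields(line: str) -> Dict[str, str]:
    """Step S30: split one log record into name -> value."""
    return dict(FIELD_RE.findall(line))


def classify(value: str) -> str:
    """Step S30: category of one stored value: date, numeric or string."""
    try:
        datetime.strptime(value, DATE_FORMAT)
        return "date"
    except ValueError:
        pass
    try:
        int(value)
        return "numeric"
    except ValueError:
        return "string"


def classify_fields(rows: List[Dict[str, str]]) -> Dict[str, str]:
    """Category per field name over all records; a field whose values fall
    into more than one category is kept as a string."""
    seen: Dict[str, set] = {}
    for row in rows:
        for name, value in row.items():
            seen.setdefault(name, set()).add(classify(value))
    return {name: cats.pop() if len(cats) == 1 else "string"
            for name, cats in seen.items()}


def load_log(lines: List[str]) -> Tuple[sqlite3.Connection, Dict[str, str]]:
    """Step S30: import the log, split the fields and write them into a table
    whose column types follow the field categories."""
    rows = [split_fields(line) for line in lines if line.strip()]
    cats = classify_fields(rows)
    cols = list(cats)
    conn = sqlite3.connect(":memory:")
    # Column names come from FIELD_RE keys (\w+ only), so they are safe to
    # quote into the DDL; the values are bound as parameters.
    conn.execute("CREATE TABLE fwlog (%s)" % ", ".join(
        f'"{c}" {SQL_TYPE[cats[c]]}' for c in cols))
    conn.executemany(
        "INSERT INTO fwlog VALUES (%s)" % ", ".join("?" * len(cols)),
        [tuple(row.get(c) for c in cols) for row in rows])
    conn.commit()
    return conn, cats


def query(conn: sqlite3.Connection, keyword: str) -> List[tuple]:
    """Step S40: keyword query across every column. The keyword is bound as a
    parameter and its LIKE wildcards are escaped, so operator input can never
    change the SQL text or widen the match."""
    cols = [row[1] for row in conn.execute("PRAGMA table_info(fwlog)")]
    pattern = "%" + re.sub(r"([\\%_])", r"\\\1", keyword) + "%"
    where = " OR ".join(f'CAST("{c}" AS TEXT) LIKE ? {LIKE_ESCAPE}' for c in cols)
    return conn.execute(f"SELECT * FROM fwlog WHERE {where}",
                        [pattern] * len(cols)).fetchall()


if __name__ == "__main__":
    connection, categories = load_log(SAMPLE_LOG.splitlines())
    print(categories)
    for record in query(connection, "10.1.2.3"):
        print(record)
```

Two details matter once the tool reads real logs: the column names are the only piece of log-derived text that reaches the SQL statement, and FIELD_RE restricts them to word characters; everything the operator types goes in as a bound parameter with `%` and `_` escaped, so a keyword of `%` finds nothing instead of every record.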
Through the steps, the firewall configuration data can be rapidly acquired, the strategy information and the strategy number of hits are acquired, the firewall information can be completely exported, and the firewall strategy configuration can be rapidly detected.
It should be understood that the above-described embodiments of the present invention are merely examples for clearly illustrating the present invention, and are not intended to limit the embodiments of the present invention. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. And are neither required nor exhaustive of all embodiments. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the claims of the present invention.
Claims (9)
1. A firewall policy detection method, characterized by comprising the following steps:
S10, constructing a firewall policy database and a firewall log file, analysing how the firewall's visual page records and displays address-book information, policy configuration information and port information, and establishing a firewall data extraction method;
S20, extracting the IP addresses configured in the policy configuration information with a crawler tool and the matching function of the firewall policy database of step S10, converting each IP address into a specific numeric value or numeric range, and raising an alarm when that value or range satisfies an alarm rule;
S30, analysing the firewall log file record format from step S10, determining the meaning of the information stored in each log field, classifying the fields, and writing the field classification into the firewall policy database;
S40, storing the firewall policy database on a terminal for displaying and querying policy configuration information;
step S20 being performed as follows:
S21, extracting the IP address configured in the policy configuration information and judging its form: a single IP address is calculated directly; for an IP address range, the minimum and maximum addresses of the range are extracted;
S22, calculating and extracting the numeric values of the IP address and numbering them;
S23, summing and converting the values from step S22 to obtain the IP conversion value;
S24, traversing all IP addresses and converting each to its conversion value N, comparing the conversion values $N_1$ and $N_2$ of any two IP addresses, and raising an alarm when the following rules are satisfied: when $N_1$ and $N_2$ are both single addresses, alarm if $N_1 = N_2$; when $N_1$ is a single address and $N_2$ is an address range, alarm if $N_{2\min} \le N_1 \le N_{2\max}$; when $N_1$ and $N_2$ are both address ranges, alarm if either of two range conditions (omitted from the text here) is satisfied.
2. The firewall policy detection method according to claim 1, wherein step S10 is performed according to the following steps: regularly logging in a firewall by using a crawler technology to capture firewall data, wherein the firewall data comprises a strategy ID, a number of hits, a source address name, a source address IP, a source interface, a destination address name, a destination address IP and a destination port; and matching the firewall data with each other, displaying the matched firewall data on a table and exporting the matched firewall data.
3. The firewall policy detection method according to claim 1, wherein in step S22, according to the structure of an IPv4 address, each IPv4 address is 4 bytes (32 bits) written as four dotted decimal groups, IPv4 = (P1.P2.P3.P4); the decimal values of the four 8-bit groups are extracted by removing the dots and denoted P1, P2, P3 and P4, with 0 ≤ P1, P2, P3, P4 ≤ 255.
4. The firewall policy detection method according to claim 3, wherein in step S22, a position number i is assigned to the four values P1, P2, P3 and P4 obtained in the previous step: i(P1) = 0, i(P2) = 1, i(P3) = 2, i(P4) = 3.
5. The firewall policy detection method according to claim 4, wherein in step S23, the values are summed and converted into the IP conversion value by the formula $N = \sum \frac{P}{256} \times 256^{3-i}$, where N is the conversion value, P is an extracted IP address value and i is the position number of that value.
6. The firewall policy detection method according to any one of claims 1 to 5, wherein the step S30 is performed according to the following steps: and importing a firewall log file, splitting log fields, and storing the log fields in a firewall policy database according to field category collection.
7. The firewall policy detection method according to claim 6, wherein the firewall log files are classified by field using a script.
8. The firewall policy detection method according to claim 7, wherein the field categories comprise a numerical category, a string category and a date category.
9. The firewall policy detection method according to claim 7, wherein in step S40, when the policy configuration information is queried, the query is performed by keyword matching.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911121211.XA CN111049801B (en) | 2019-11-15 | 2019-11-15 | Firewall strategy detection method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911121211.XA CN111049801B (en) | 2019-11-15 | 2019-11-15 | Firewall strategy detection method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111049801A CN111049801A (en) | 2020-04-21 |
CN111049801B true CN111049801B (en) | 2022-02-11 |
Family
ID=70232105
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911121211.XA Active CN111049801B (en) | 2019-11-15 | 2019-11-15 | Firewall strategy detection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111049801B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111970275B (en) * | 2020-08-14 | 2022-10-11 | 中国工商银行股份有限公司 | Data processing method, device, computing equipment and medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103577307A (en) * | 2013-11-07 | 2014-02-12 | 浙江中烟工业有限责任公司 | Method for automatically extracting and analyzing firewall logs based on XML rule model |
CN104270384A (en) * | 2014-10-20 | 2015-01-07 | 山石网科通信技术有限公司 | Fire wall policy redundancy detection method and device |
CN105721188A (en) * | 2014-12-04 | 2016-06-29 | 北京神州泰岳信息安全技术有限公司 | Firewall strategy check method and system |
CN110430159A (en) * | 2019-06-20 | 2019-11-08 | 国网辽宁省电力有限公司信息通信分公司 | A kind of excessive method for early warning of Platform Server firewall policy range of opening |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2109976B1 (en) * | 2006-12-29 | 2018-09-12 | Telecom Italia S.p.A. | METHOD AND SYSTEM FOR ENFORCING SECURITY POLICIES IN MANETs |
US8365272B2 (en) * | 2007-05-30 | 2013-01-29 | Yoggie Security Systems Ltd. | System and method for providing network and computer firewall protection with dynamic address isolation to a device |
Timeline
- 2019-11-15: CN application CN201911121211.XA filed; granted as patent CN111049801B, status Active
Also Published As
Publication number | Publication date |
---|---|
CN111049801A (en) | 2020-04-21 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |