CN111163061B - Method and device for analyzing policy information of gateway equipment - Google Patents


Info

Publication number
CN111163061B
Authority
CN
China
Legal status
Active
Application number
CN201911265187.7A
Other languages
Chinese (zh)
Other versions
CN111163061A (en)
Inventor
何文娟
Current Assignee
Unihub China Information Technology Co Ltd
Original Assignee
Unihub China Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The invention discloses a method and a device for analyzing policy information of gateway equipment. The method comprises the following steps: acquiring the policy information of each policy in the action domain of the gateway device, the policy information comprising the protocol type, source address information, destination address information and port information of each policy; according to the policy information of each policy, splitting each policy into a source address element, a destination address element and port elements of different protocol types; based on the network address space, searching for the parent node policy corresponding to each element and recording the policy identifier of that parent node policy into the source address element, destination address element and port element of each policy; and determining the policy relationship information among the policies in the action domain of the gateway device according to the policy identifiers of the parent node policies recorded in each element, together with the priority information and action information of each policy and its parent node policy. The invention can greatly improve the efficiency of analyzing gateway device policies.

Description

Method and device for analyzing policy information of gateway equipment
Technical Field
The present invention relates to the field of gateways, and in particular, to a method and an apparatus for analyzing policy information of a gateway device.
Background
This section is intended to provide a background or context to the embodiments of the invention that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
At present, existing gateway devices (including firewalls, routers and other devices) implement access between different security domains using a whitelist policy, that is, corresponding access control policies are issued between the security domains that are allowed to access each other. As time goes on, more and more policies accumulate in the gateway device, which greatly affects device performance.
In order to clean up or adjust useless, redundant or conflicting policies on the gateway device, the existing policy relationships on the device need to be regularly reviewed and analyzed. The existing policy analysis method determines the relationships among all policies by traversing the policy information of every policy on the gateway device; as the number of policies keeps growing, the time consumed by policy analysis grows with it, and whenever a policy changes, all policies have to be analyzed again.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the invention provides a method for analyzing policy information of gateway equipment, which solves the problems of the prior art that analyzing the policy relationships among all policies by traversing the policy information of every policy on the gateway device takes a long time, and that the relationships have to be analyzed again whenever a policy changes. The method comprises the following steps: acquiring the policy information of each policy in the action domain of the gateway device, wherein the policy information of each policy comprises the protocol type, source address information, destination address information and port information of that policy; according to the policy information of each policy, splitting each policy into a source address element, a destination address element and port elements of different protocol types, wherein the source address element comprises the policy identifier and source address information of the policy, the destination address element comprises the policy identifier and destination address information of the policy, and the port element comprises the policy identifier, protocol type and port information of the policy; based on a network address space, searching for the parent node policy corresponding to the source address element, the destination address element and the port element of each policy, and recording the policy identifier of that parent node policy into the source address element, destination address element and port element of each policy; and determining policy relationship information among the policies in the action domain of the gateway device according to the policy identifiers of the parent node policies recorded in the source address elements, destination address elements and port elements of the policies in the action domain, together with the priority information and action information of the policies and their parent node policies, wherein the priority information is used for determining the priority of policy execution, and the action information comprises an allow action or a deny action.
An embodiment of the present invention further provides a policy information analysis apparatus for a gateway device, which solves the same problems of the prior art: that analyzing the policy relationships among policies by traversing the policy information of every policy on the gateway device takes a long time, and that the relationships have to be re-analyzed whenever a policy changes. The apparatus comprises a policy information acquisition module, a policy information processing module, a policy information recording module and a policy information analysis module, wherein: the policy information acquisition module is used for acquiring the policy information of each policy in the action domain of the gateway device, the policy information of each policy comprising the protocol type, source address information, destination address information and port information of that policy; the policy information processing module is configured to split each policy into a source address element, a destination address element and port elements of different protocol types according to the policy information of each policy, where the source address element comprises the policy identifier and source address information of the policy, the destination address element comprises the policy identifier and destination address information of the policy, and the port element comprises the policy identifier, protocol type and port information of the policy; the policy information recording module is used for searching, based on the network address space, for the parent node policy corresponding to the source address element, the destination address element or the port element of each policy, and for recording the policy identifier of that parent node policy into the source address element, destination address element and port element of each policy; and the policy information analysis module is configured to determine policy relationship information among the policies in the action domain of the gateway device according to the policy identifiers of the parent node policies recorded in the source address element, destination address element and port element of each policy in the action domain, together with the priority information and action information of each policy and its parent node policy, where the priority information is used to determine the priority of policy execution and the action information comprises an allow action or a deny action.
The embodiment of the present invention further provides a computer device, which is used to solve the technical problems in the prior art that the time consumption is long due to the fact that the policy relationships among the policies are analyzed by traversing the policy information of the policies on the gateway device, and the policy relationships among the policies need to be re-analyzed when the policies are changed.
An embodiment of the present invention further provides a computer-readable storage medium, which is used to solve the technical problems in the prior art that a time consumption is long when policy relationships among the policies are analyzed by traversing policy information of the policies on the gateway device, and the policy relationships among the policies need to be re-analyzed when the policies are changed.
In the embodiment of the invention, after the policy information (including but not limited to protocol type, source address information, destination address information and port information) of each policy in the action domain of the gateway device is acquired, the source address information, destination address information and port information of each policy are split according to its protocol type into a plurality of elements (a source address element, a destination address element and a port element, where the source address element comprises the policy identifier and source address information of the policy it belongs to, the destination address element comprises the policy identifier and destination address information of that policy, and the port element comprises the policy identifier, protocol type and port information of that policy). Then, based on a network address space, the parent node policy corresponding to the source address element, destination address element and port element of each policy is searched for, and its policy identifier is recorded into the corresponding element, so that the policy relationship information among the policies in the action domain of the gateway device can be determined from the parent node policy identifiers recorded in the source address element, destination address element and port element of each policy.
According to the embodiment of the invention, a multivariate spatial analysis method based on the spatial position information of network addresses is used: each policy in the action domain of the gateway device is split into separate elements according to the protocol type, source address, destination address and port it supports, and the identifier of the parent node policy is recorded in each element, so that the relationships of all policies can be determined in a single pass of analysis, greatly improving policy analysis efficiency; when a policy changes, all policy relationships can be obtained by adjusting only the position information of the affected policy, without analyzing all policies again.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts. In the drawings:
fig. 1 is a flowchart of a policy information analysis method of a gateway device according to an embodiment of the present invention;
fig. 2 is a schematic diagram of policy splitting according to an embodiment of the present invention;
fig. 3 is a schematic diagram of an IP address space distribution hierarchy provided in an embodiment of the present invention;
fig. 4 is a schematic diagram of a policy information analysis apparatus of a gateway device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the embodiments of the present invention are further described in detail below with reference to the accompanying drawings. The exemplary embodiments and descriptions of the present invention are provided to explain the present invention, but not to limit the present invention.
In the description of the present specification, the terms "comprising," "including," "having," "containing," and the like are used in an open-ended fashion, i.e., to mean including, but not limited to. Reference to the description of the terms "one embodiment," "a particular embodiment," "some embodiments," "for example," etc., means that a particular feature, structure, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. The sequence of steps involved in the embodiments is for illustrative purposes to illustrate the implementation of the present application, and the sequence of steps is not limited and can be adjusted as needed.
The embodiment of the invention provides a method for analyzing policy information of gateway equipment, which is suitable for analyzing the relation (such as the relation of containing, overlapping, crossing or conflicting) among all policies on any kind of gateway equipment.
Fig. 1 is a flowchart of a policy information analysis method of a gateway device provided in an embodiment of the present invention, and as shown in fig. 1, the method may include the following steps:
S101, acquiring the policy information of each policy in the action domain of the gateway device, wherein the policy information of each policy comprises the protocol type, source address information, destination address information and port information of that policy.
It should be noted that in the embodiment of the present invention the gateway device may be, but is not limited to, a firewall, a router and the like; a policy in the embodiment of the invention refers to a security policy (that is, a network security access control policy) of the gateway device; and the action domain (scope) refers to the range within which a security policy is effective. The protocol type of each policy described above may be, but is not limited to, the TCP protocol,
S102, according to the policy information of each policy, splitting each policy into a source address element, a destination address element and port elements of different protocol types, wherein the source address element comprises the policy identifier and source address information of the policy, the destination address element comprises the policy identifier and destination address information of the policy, and the port element comprises the policy identifier, protocol type and port information of the policy to which the element belongs.
It should be noted that in the embodiment of the present invention a policy may be split into single elements according to the protocol type, source address, destination address and port supported by the policy, and each element records the identifier of the policy it belongs to. For example, fig. 2 is a schematic diagram of policy splitting provided in the embodiment of the present invention. As shown in fig. 2, each policy is hashed to the root node of its scope according to the policy's scope, and if that root node does not exist, a new key is generated from the scope and used as the root node; each root node automatically generates the source address element, destination address element and port element corresponding to each policy according to the protocol type supported by the policy. For a policy supporting the TCP protocol, after it is split into a source address element, a destination address element and a port element, three sub-queues are generated automatically, namely srcIp, dstIp and TCP-port; for a policy supporting the UDP protocol, after it is split into the three elements of source address, destination address and port, the three sub-queues srcIp, dstIp and UDP-port are generated automatically.
S103, based on the network address space, searching for the parent node policy corresponding to the source address element, the destination address element and the port element of each policy, and recording the policy identifier of that parent node policy into the source address element, destination address element and port element of each policy.
Specifically, the source address and the destination address may be inserted into their corresponding positions in the network address space according to the address value and the mask length, and the policy identifier of the parent node of the port element is recorded according to the size of the port range. It should be noted that the parent nodes recorded in the embodiment of the present invention include both direct and indirect parent nodes, and that if the address and the mask are exactly the same, the neighbor node identifier is recorded instead.
As an alternative implementation, S103 above may be implemented by the following steps: searching the network address space for the parent node policy corresponding to the source address element or destination address element of each policy according to the IP address and subnet mask in the source address information or destination address information; determining the parent node policy corresponding to the port element of each policy in the network address space according to the port range corresponding to the port information; and recording the policy identifier of the parent node policy corresponding to the source address element, destination address element and port element of each policy into that element.
When searching the network address space for the parent node policy corresponding to the source address element or destination address element of each policy according to the IP address and subnet mask in the source address information or destination address information, the following steps may be performed: searching the network address space for the parent node corresponding to the source address information or destination address information of each policy according to the IP address and subnet mask; and taking the policy corresponding to the policy identifier contained in that parent node as the parent node policy corresponding to the source address element or destination address element of the policy in the network address space.
As an optional implementation, in an embodiment of the present invention both the source address information and the destination address information are IP address information. Fig. 3 is a schematic diagram of the distribution hierarchy of an IP address space provided in the embodiment of the present invention; as shown in fig. 3, in the IP address space, address information whose IP address has a longer mask length is located in a lower layer, and address information whose IP address has a shorter mask length is located in an upper layer.
Therefore, in an alternative embodiment, the parent node corresponding to the node where the source address information or destination address information is located in the network address space may be searched for by the following steps: determining a first node corresponding to the source address information or destination address information in the network address space according to its IP address and subnet mask; calculating the subnet number corresponding to the source address information or destination address information from the IP address and subnet mask, and searching the network address space for a second node whose subnet number has the highest similarity to it; comparing the mask lengths of the first node and the second node; if the mask length of the first node is greater than the subnet mask length of the second node, continuing to traverse the lower-layer nodes of the second node until the third node with the longest mask length is found, which is used as the parent node corresponding to the source address information or destination address information in the network address space; and if the mask length of the first node is less than or equal to the subnet mask length of the second node, changing the parent node of the second node to the first node.
Optionally, when determining the parent node policy corresponding to the port element of each policy in the network address space according to the port range corresponding to the port information, the following steps may be performed: acquiring a first port range of the port information corresponding to a first port element and a second port range of the port information corresponding to a second port element; and if the first port range contains the second port range, determining the policy corresponding to the first port element as the parent node policy corresponding to the second port element in the network address space.
S104, determining policy relationship information among the policies in the action domain of the gateway device according to the policy identifiers of the parent node policies recorded in the source address elements, destination address elements and port elements of the policies in the action domain, together with the priority information and action information of the policies and their parent node policies, wherein the priority information is used for determining the priority of policy execution, and the action information comprises an allow action or a deny action.
It should be noted that, because the policy identifier of the parent node policy is recorded in each single element of a policy, all policy relationships can be obtained in the embodiment of the present invention by collecting the parent node information of each policy. If all entries of a policy have a certain parent node, or if some entries have the same parent node and the remaining entries are neighbor identifiers, the policy is considered to be contained by the parent node policy; if the parent node has the higher priority, the policy is considered an invalid policy; if the parent node has the lower priority, the policy is considered redundant; and if the actions are opposite, the policy is considered a conflict. That is, all policy relationship information (for example, containing, overlapping, crossing, conflicting and the like) can be obtained from the position information of the node itself and of its parent node, which greatly improves the efficiency of policy analysis.
As an alternative implementation, the embodiment of the present invention may determine whether a policy has a containment relationship with a parent node policy by the following steps: judging whether each policy and its parent node policy satisfy a preset policy containment condition, the containment condition being that the source address element, destination address element and port element of the policy all have the same parent node, or that some of the source address element, destination address element and port element of the policy have the same parent node and the remaining elements are neighbor nodes; and determining that each policy satisfying the preset containment condition and its parent node policy are in a policy containment relationship.
As an alternative implementation, the embodiment of the present invention may further classify the relationship between a policy and its parent node policy by the following steps: acquiring the policy identifiers of the parent node policies recorded in the source address element, destination address element and port element of a target policy, and the priority information and action information of the target policy and the parent node policy, where the target policy is any one policy in the action domain of the gateway device; if all elements of the target policy contain the same parent node policy identifier and the priority of the target policy is lower than that of the parent node policy, determining the target policy to be an invalid policy; if all elements of the target policy contain the same parent node policy identifier, the priority of the target policy is higher than that of the parent node policy, and the action information of the target policy is the same as that of the parent node policy, determining the target policy to be a redundant policy of the parent node policy; if all elements of the target policy contain the same parent node policy identifier, the priority of the target policy is higher than that of the parent node policy, and the action information of the target policy is opposite to that of the parent node policy, determining the target policy to be a conflicting policy of the parent node policy; and if only some elements of the target policy contain the same parent node policy identifier, the priority of the target policy is higher than that of the parent node policy, and the action information of the target policy is opposite to that of the parent node policy, determining the target policy to be a crossing policy of the parent node policy.
As can be seen from the above, in the method for analyzing policy information of a gateway device according to the embodiments of the present invention, after the policy information (including but not limited to protocol type, source address information, destination address information and port information) of each policy in the action domain of the gateway device is acquired, the source address information, destination address information and port information of each policy are split according to its protocol type into a plurality of elements (a source address element, a destination address element and a port element, where the source address element comprises the policy identifier and source address information of the policy it belongs to, the destination address element comprises the policy identifier and destination address information of that policy, and the port element comprises the policy identifier, protocol type and port information of that policy). Then, based on a network address space, the parent node policy corresponding to the source address element, destination address element and port element of each policy is searched for, and its policy identifier is recorded into the corresponding element, so that the policy relationship information among the policies in the action domain of the gateway device can be determined from the parent node policy identifiers recorded in the source address element, destination address element and port element of each policy.
According to the embodiment of the invention, a multivariate spatial analysis method based on the spatial position information of network addresses is used: each policy in the action domain of the gateway device is split into separate elements according to the protocol type, source address, destination address and port it supports, and the identifier of the parent node policy is recorded in each element, so that the relationships of all policies can be determined in a single pass of analysis, greatly improving policy analysis efficiency; when a policy changes, all policy relationships can be obtained by adjusting only the position information of the affected policy, without analyzing all policies again.
In the following, the embodiment of the present invention will be described in detail by taking the security policy 100 as an example. Assuming that the security policy supports the TCP protocol, the source address is 192.168.10.0/28, 192.168.20.0/26; the destination address is 172.20.1.1; port number 8080. The method comprises the following steps:
the first step, according to the scope identification of the security policy, hash to the root node belonging to the scope (if the policy is a global policy, the root node of the scope is identified according to the device identification, if the policy is an inter-domain policy, the root node of the scope is hashed according to the inter-domain identification), if the root node does not exist, a new key is generated according to the scope and is used as the root node; each root node automatically generates three sub-queues srcIp, dstIp, tcp-port.
In the second step, the security policy 100 is split into srcIp-192.168.10.0/28, srcIp-192.168.20.0/26, dstIp-172.20.1.1 and tcp-dst-8080 according to the protocol types and the corresponding address entries (source address, destination address and port number) supported by the security policy. To hang srcIp-192.168.10.0/28 below a node of the srcIp sub-queue (for example, a node A-192.168.10.0/24 already exists below the srcIp queue), the subnet number is calculated from the address and the mask, and the node A whose subnet number matches most closely is searched for. Starting from the bottommost layer, the mask lengths are compared: if the mask length of the policy's matching element is longer than that of node A, the traversal continues into the lower-layer nodes of node A until the parent node B with the longest mask length is found; if the mask length is shorter than that of the matched node C, node C is pushed down one level, the parent node information of node C is changed to policy 100, and policy 100 takes the position of node C. The other source and destination addresses are handled in the same way. Ports are processed by port range matching: for example, the range 1-65535 is larger than the ranges 8080 and 8090, so the policy associated with 1-65535 is the parent node of the policies associated with 8080 and 8090. In this way the parent node of every entry (source address, destination address and port number) of the policy is found.
Third, the relationship between the policy and the other policies is obtained from the parent node information of the policy. If all entries of the policy have a certain parent node, or some entries have that parent node and the remaining entries are at the same level as it, the policy is considered to be contained by the parent node policy; if the priority of the parent node is higher, the policy is regarded as an invalid policy; if the priority of the parent node is lower and the actions are the same, the policy is regarded as redundant; if the priority of the parent node is lower and the actions are opposite, the policy is regarded as a conflict. If the parent node of some of the source address, destination address and port entries is a certain policy, but the other entries are not contained by that policy, the policy is determined to intersect the parent node policy, that is, it is a cross policy.
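The three steps above, carried through in code as an added example (this is not code from the patent, and its data model is an assumption): each policy is split into source, destination and port elements; for every element the nearest enclosing node (longest-mask strict supernet, or narrowest containing port range) becomes its parent node and an identical network or range is treated as a neighbour at the same level; the four rules (invalid, redundant, conflict, cross) are then applied to each policy against its parent node policy. Priorities are modelled as integers where a larger value means the policy is evaluated first; the five sample policies are constructed for the example.

```python
"""Multi-element policy relationship analysis: an added worked example that
follows the three steps above (not code from the patent)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Policy:
    pid: str
    protocol: str           # "tcp" or "udp": port elements live in a per-protocol queue
    src: Tuple[str, ...]    # source networks in CIDR form (several allowed, as for policy 100)
    dst: Tuple[str, ...]    # destination networks in CIDR form
    ports: Tuple[int, int]  # inclusive destination port range
    priority: int           # assumption: a larger value means the policy is evaluated first
    action: str             # "allow" or "deny"


def _nets(cidrs: Tuple[str, ...]) -> List[IPNet]:
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def covering_nets(net: IPNet, cands: List[Tuple[str, IPNet]]) -> Dict[str, str]:
    """One address element: the strict supernet with the longest mask is the
    parent node; an identical network is a neighbour at the same level."""
    rel: Dict[str, str] = {}
    best_len = -1
    for pid, other in cands:
        if other == net:
            rel[pid] = "neighbour"
        elif other.version == net.version and net.subnet_of(other):
            if other.prefixlen > best_len:  # nearer enclosing node: forget the old parents
                rel = {k: v for k, v in rel.items() if v != "parent"}
                best_len = other.prefixlen
            if other.prefixlen == best_len:
                rel[pid] = "parent"
    return rel


def covering_ports(rng: Tuple[int, int], cands: List[Tuple[str, Tuple[int, int]]]) -> Dict[str, str]:
    """One port element: the narrowest range that strictly contains it is the parent."""
    rel: Dict[str, str] = {}
    best_width = None
    lo, hi = rng
    for pid, (olo, ohi) in cands:
        if (olo, ohi) == (lo, hi):
            rel[pid] = "neighbour"
        elif olo <= lo and hi <= ohi:
            width = ohi - olo
            if best_width is None or width < best_width:
                rel = {k: v for k, v in rel.items() if v != "parent"}
                best_width = width
            if width == best_width:
                rel[pid] = "parent"
    return rel


def element_relations(target: Policy, policies: List[Policy]) -> List[Dict[str, str]]:
    """Step 2: split `target` into src/dst/port elements and record, per element,
    which other policies are its parent node (or its neighbour)."""
    others = [p for p in policies if p.pid != target.pid]
    src_c = [(p.pid, n) for p in others for n in _nets(p.src)]
    dst_c = [(p.pid, n) for p in others for n in _nets(p.dst)]
    port_c = [(p.pid, p.ports) for p in others if p.protocol == target.protocol]
    elems = [covering_nets(n, src_c) for n in _nets(target.src)]
    elems += [covering_nets(n, dst_c) for n in _nets(target.dst)]
    elems.append(covering_ports(target.ports, port_c))
    return elems


def classify(target: Policy, parent: Policy, policies: List[Policy]) -> Optional[str]:
    """Step 3: invalid / redundant / conflict / cross relative to `parent`, else None."""
    rels = [e.get(parent.pid) for e in element_relations(target, policies)]
    n_parent = sum(r == "parent" for r in rels)
    n_covered = sum(r in ("parent", "neighbour") for r in rels)
    if n_parent == 0:
        return None
    if n_covered == len(rels):  # containment: every element is under (or level with) parent
        if target.priority < parent.priority:
            return "invalid"    # parent matches first, so target never fires (shadowed)
        return "redundant" if target.action == parent.action else "conflict"
    if target.priority > parent.priority and target.action != parent.action:
        return "cross"          # partial overlap with the opposite effect
    return None


def analyze(policies: List[Policy]) -> Dict[Tuple[str, str], str]:
    """Relationship of every policy to every other policy in one scope."""
    out: Dict[Tuple[str, str], str] = {}
    for t in policies:
        for p in policies:
            r = classify(t, p, policies) if p.pid != t.pid else None
            if r:
                out[(t.pid, p.pid)] = r
    return out


# Constructed sample scope: one broad allow rule plus four narrower rules.
POLICIES = [
    Policy("P1", "tcp", ("10.0.0.0/8",), ("172.20.0.0/16",), (1, 65535), 10, "allow"),
    Policy("P2", "tcp", ("10.1.0.0/16",), ("172.20.1.0/24",), (80, 80), 5, "deny"),
    Policy("P3", "tcp", ("10.2.0.0/16",), ("172.20.2.0/24",), (443, 443), 20, "allow"),
    Policy("P4", "tcp", ("10.3.0.0/16",), ("172.20.0.0/16",), (22, 22), 20, "deny"),
    Policy("P5", "tcp", ("10.4.0.0/16", "192.168.0.0/24"), ("172.20.4.0/24",), (8080, 8080), 20, "deny"),
]

if __name__ == "__main__":
    for (t, p), r in sorted(analyze(POLICIES).items()):
        print(f"{t} is a {r} policy relative to {p}")
```

Running the module reports P2 as invalid (shadowed by P1, which is evaluated first), P3 as redundant, P4 as a conflict (its destination network is identical to P1's, so that element counts as a neighbour rather than a parent), and P5 as a cross policy because only one of its two source networks falls under P1. Because each element stores only its own parent node identifier, changing one policy requires recomputing the elements of that policy and of the nodes hanging beneath it, not a full pairwise re-analysis of the scope.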
Therefore, the embodiment of the invention splits the basic information of the strategy according to the multi-element space dimension, records the space position information of the strategy, and can obtain the relationship information of all strategies once the position of the strategy is determined, thereby greatly improving the analysis efficiency of the strategy.
Based on the same inventive concept, an embodiment of the present invention further provides a policy information analysis apparatus for a gateway device, as described in the following embodiments. Because the principle of the embodiment of the apparatus for solving the problem is similar to the policy information analysis method of the gateway device, the implementation of the embodiment of the apparatus may refer to the implementation of the method, and repeated parts are not described again.
Fig. 4 is a schematic diagram of a policy information analysis apparatus of a gateway device provided in an embodiment of the present invention, and as shown in fig. 4, the apparatus includes: a policy information collection module 41, a policy information processing module 42, a policy information recording module 43, and a policy information analysis module 44.
The policy information acquisition module 41 is configured to acquire the policy information of each policy in the gateway device scope, where the policy information of each policy includes the protocol type, source address information, destination address information and port information of the policy; the policy information processing module 42 is configured to split each policy, according to its policy information, into a source address element, a destination address element and port elements of different protocol types, where the source address element includes the policy identifier and the source address information of the policy, the destination address element includes the policy identifier and the destination address information of the policy, and the port element includes the policy identifier, protocol type and port information of the policy; the policy information recording module 43 is configured to search, based on a network address space, for the parent node policy corresponding to each of the source address element, the destination address element and the port element of each policy, and to record the policy identifier of that parent node policy into the corresponding source address element, destination address element or port element; and the policy information analysis module 44 is configured to determine the policy relationship information between the policies in the scope of action of the gateway device according to the policy identifiers of the parent node policies recorded in the source address element, the destination address element and the port element of each policy, together with the priority information and action information of each policy and of the parent node policies, where the priority information is used to determine the priority for executing the policies and the action information includes an allow action or a deny action.
As can be seen from the above, the policy information analysis apparatus for a gateway device provided in the embodiment of the present invention collects, through the policy information collection module 41, the policy information (including but not limited to protocol type, source address information, destination address information and port information) of each policy in the domain of the gateway device; splits, through the policy information processing module 42 and according to the protocol type of each policy, the source address information, destination address information and port information of each policy into a plurality of elements (a source address element, a destination address element and a port element, where the source address element includes the policy identifier and the source address information of the policy it belongs to, the destination address element includes the policy identifier and the destination address information of that policy, and the port element includes the policy identifier, the protocol type and the port information of that policy); searches, through the policy information recording module 43 and based on the network address space, for the parent node policy corresponding to each of the source address element, the destination address element and the port element of each policy, and records the policy identifier of that parent node policy into the corresponding source address element, destination address element or port element; and finally, through the policy information analysis module 44, determines the policy relationship information between the policies in the domain of the gateway device according to the policy identifiers of the parent node policies recorded in the source address element, the destination address element and the port element of each policy.
According to the policy information analysis device of the gateway device provided by the embodiment of the invention, based on the space position information of the network address, a multivariate space analysis method is used, each policy in the action domain of the gateway device is split into different elements according to the protocol type, the source address, the destination address and the port supported by the policy, and the identification of the policy of the father node is recorded in each element, so that one-time analysis is realized, the policy relationship of all policies can be determined, and the efficiency of policy analysis is greatly improved; when the strategy is changed, all the strategy relations can be obtained only by adjusting the position information of the affected strategy, and all the strategies do not need to be analyzed again.
In an optional embodiment, in the policy information analysis apparatus of the gateway device provided in the embodiment of the present invention, the policy information recording module 43 may further be configured to search, according to the IP address and the subnet mask in the source address information or the destination address information, for the parent node policy corresponding to the source address element or the destination address element of each policy in the network address space; to determine, according to the port range corresponding to the port information, the parent node policy corresponding to the port element of each policy in the network address space; and to record the policy identifier of the parent node policy corresponding to each of the source address element, the destination address element and the port element of each policy into the corresponding source address element, destination address element or port element.
Optionally, the policy information recording module 43 may be further configured to search, according to the IP address and the subnet mask in the source address information or the destination address information, a parent node corresponding to the source address information or the destination address information of each policy in the network address space; and determining the strategy corresponding to the strategy identification contained in the parent node corresponding to the network address space of the source address information or the destination address information of each strategy as the parent node strategy corresponding to the source address element or the destination address element of each strategy in the network address space.
Further, the policy information recording module 43 may be further configured to determine, according to the IP address and the subnet mask in the source address information or the destination address information, a first node corresponding to the source address information or the destination address information in the network address space; according to the IP address and the subnet mask in the source address information or the destination address information, calculating a subnet number corresponding to the source address information or the destination address information, and searching a second node with the highest similarity with the subnet number corresponding to the source address information or the destination address information in a network address space; comparing the mask lengths of the first node and the second node; if the mask length of the first node is larger than the subnet mask length of the second node, continuously traversing the lower-layer nodes of the second node until the third node with the longest mask length is found out and is used as a father node corresponding to the source address information or the destination address information in the network address space; and if the mask length of the first node is less than or equal to the subnet mask length of the second node, modifying the parent node corresponding to the second node into the first node.
Optionally, the policy information recording module 43 may be further configured to obtain a first port range of the port information corresponding to the first port element, and a second port range of the port information corresponding to the second port element; and if the first port range contains the second port range, determining the strategy corresponding to the first port element as a parent node strategy corresponding to the second port element in the network address space.
In an optional embodiment, in the policy information analysis apparatus of the gateway device provided in the embodiment of the present invention, the policy information analysis module 44 may further be configured to determine whether each policy and a parent node policy meet a preset policy inclusion condition, where the policy inclusion condition is that a source address element, a destination address element, and a port element of each policy have a same parent node, or some elements of the source address element, the destination address element, and the port element of each policy have a same parent node, and the remaining elements are neighbor nodes; and determining each strategy meeting the preset strategy containing conditions and the parent node strategy as a strategy containing relation.
In an optional embodiment, in the policy information analysis apparatus of the gateway device provided in the embodiment of the present invention, the policy information analysis module 44 may further be configured to obtain the policy identifiers of the parent node policies recorded in the source address element, the destination address element and the port element of a target policy, together with the priority information and action information of the target policy and of the parent node policy, where the target policy is any one of the policies in the action domain of the gateway device; if all elements of the target policy record the same parent node policy identifier and the priority of the target policy is lower than that of the parent node policy, the target policy is determined to be an invalid policy; if all elements of the target policy record the same parent node policy identifier, the priority of the target policy is higher than that of the parent node policy, and the action information of the target policy is the same as that of the parent node policy, the target policy is determined to be a redundant policy of the parent node policy; if all elements of the target policy record the same parent node policy identifier, the priority of the target policy is higher than that of the parent node policy, and the action information of the target policy is opposite to that of the parent node policy, the target policy is determined to be a conflicting policy of the parent node policy; and if only some elements of the target policy record the same parent node policy identifier, the priority of the target policy is higher than that of the parent node policy, and the action information of the target policy is opposite to that of the parent node policy, the target policy is determined to be a crossing policy of the parent node policy.
The embodiment of the invention also provides computer equipment, which is used for solving the technical problems that in the prior art, the time consumption is long because the strategy relationships among the strategies are analyzed by traversing the strategy information of each strategy on the gateway equipment, and the strategy relationships among the strategies need to be analyzed again when the strategies are changed.
An embodiment of the present invention further provides a computer-readable storage medium, which is used to solve the technical problems in the prior art that time is consumed for analyzing the policy relationship among the policies by traversing the policy information of each policy on the gateway device, and the policy relationship among the policies needs to be re-analyzed when the policies are changed.
In summary, the policy information analysis method, apparatus, computer device, and computer readable storage medium for a gateway device provided in the embodiments of the present invention divide each policy in an action domain of the gateway device into different elements according to a protocol type, a source address, a destination address, and a port, combine with a multivariate spatial analysis method, record policy identification information of a parent node layer by layer according to a mask length of an IP address and a port range, and obtain all policy relationships in the action domain according to policy relationship information between the policy and the parent node policy. The embodiment of the invention uses a multivariate spatial analysis method, which not only can greatly improve the efficiency of strategy analysis, but also can obtain all strategy relations through one-time analysis; and when the strategy is changed, all the strategy relations can be obtained only by adjusting the position information of the influenced strategy without analyzing all the strategies again. Therefore, the strategy analysis method provided by the embodiment of the invention can not influence the strategy analysis efficiency due to the adjustment of the strategy position or the change of the address.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A method for analyzing policy information of a gateway device is characterized by comprising the following steps:
acquiring the strategy information of each strategy in the gateway equipment action domain, wherein the strategy information of each strategy comprises: the protocol type, source address information, destination address information and port information of each policy;
according to the protocol type, the source address information, the destination address information and the port information of each strategy, each strategy is divided into a source address element, a destination address element and port elements of different protocol types, wherein the source address element comprises: the strategy identification and the source address information of the strategy, the destination address element comprises: the strategy identification and the destination address information of the strategy, the port element comprises: the strategy identification, protocol type and port information of the strategy;
based on a network address space, searching a source address element, a destination address element and a father node strategy corresponding to a port element of each strategy, and recording strategy identifications of the source address element, the destination address element and the port element of each strategy, which correspond to the father node strategy, into the source address element, the destination address element and the port element of each strategy;
determining policy relationship information between the policies in the gateway device scope according to policy identifiers of parent node policies recorded in source address elements, destination address elements and port elements of the policies in the gateway device scope, and priority information and action information of the policies and the parent node policies, wherein the priority information is used for determining the priority of policy execution, and the action information includes: allow action or deny action.
2. The method of claim 1, wherein the finding of the parent node policy corresponding to the source address element, the destination address element, and the port element of each policy based on the network address space, and the recording of the policy identifier of the parent node policy corresponding to the source address element, the destination address element, and the port element of each policy into the source address element, the destination address element, and the port element of each policy comprises:
searching a parent node strategy corresponding to the source address element or the destination address element of each strategy in a network address space according to the IP address and the subnet mask in the source address information or the destination address information; determining a father node strategy corresponding to the port element of each strategy in a network address space according to the port range corresponding to the port information;
and recording the source address element, the destination address element and the strategy identification of the parent node strategy corresponding to the port element of each strategy into the source address element, the destination address element and the port element of each strategy.
3. The method of claim 2, wherein finding the parent node policy corresponding to the source address element or the destination address element of each policy in the network address space according to the IP address and the subnet mask in the source address information or the destination address information comprises:
searching a parent node corresponding to the source address information or the destination address information of each strategy in a network address space according to the IP address and the subnet mask in the source address information or the destination address information;
and determining the strategy corresponding to the strategy identification contained in the parent node corresponding to the network address space of the source address information or the destination address information of each strategy as the parent node strategy corresponding to the source address element or the destination address element of each strategy in the network address space.
4. The method of claim 3, wherein searching for a parent node corresponding to the source address information or the destination address information of each policy in the network address space according to the IP address and the subnet mask in the source address information or the destination address information comprises:
determining a first node corresponding to the source address information or the destination address information in a network address space according to the IP address and the subnet mask in the source address information or the destination address information;
according to the IP address and the subnet mask in the source address information or the destination address information, calculating a subnet number corresponding to the source address information or the destination address information, and searching a second node with the highest similarity with the subnet number corresponding to the source address information or the destination address information in a network address space;
comparing the mask lengths of the first node and the second node;
if the mask length of the first node is larger than the subnet mask length of the second node, continuously traversing the lower-layer nodes of the second node until the third node with the longest mask length is found out and is used as a father node corresponding to the source address information or the destination address information in the network address space;
and if the mask length of the first node is less than or equal to the subnet mask length of the second node, modifying the parent node corresponding to the second node into the first node.
5. The method of claim 2, wherein determining the parent node policy corresponding to the port element of each policy in the network address space according to the port range corresponding to the port information comprises:
acquiring a first port range of port information corresponding to the first port element and a second port range of port information corresponding to the second port element;
and if the first port range contains the second port range, determining the strategy corresponding to the first port element as a parent node strategy corresponding to the second port element in the network address space.
6. The method of claim 1, wherein determining policy relationship information between the policies in the scope of the gateway device according to policy identifications of parent node policies recorded in a source address element, a destination address element and a port element of the policies in the scope of the gateway device comprises:
judging whether each strategy and a father node strategy meet a preset strategy containing condition, wherein the strategy containing condition is that a source address element, a destination address element and a port element of each strategy have the same father node, or a part of the source address element, the destination address element and the port element of each strategy have the same father node, and the rest elements are neighbor nodes;
and determining each strategy meeting the preset strategy inclusion condition and the parent node strategy as a strategy inclusion relation.
7. The method of claim 1, wherein determining policy relationship information between the policies in the scope of the gateway device according to policy identifications of parent node policies recorded in a source address element, a destination address element and a port element of the policies in the scope of the gateway device, and priority information and action information of the policies and the parent node policies comprises:
acquiring a source address element, a destination address element and a policy identifier of a parent node policy recorded in a port element of a target policy, and priority information and action information of the target policy and the parent node policy, wherein the target policy is any one of policies in an action domain of the gateway device;
if all elements of the target strategy contain the same strategy identification of the parent node strategy and the strategy priority of the target strategy is lower than that of the parent node strategy, determining the target strategy as an invalid strategy;
if all elements of the target strategy contain the same strategy identification of the parent node strategy, the strategy priority of the target strategy is higher than the strategy priority of the parent node strategy, and the action information of the target strategy is the same as that of the parent node strategy, the target strategy is determined as a redundant strategy of the parent node strategy;
if all elements of the target strategy contain the same strategy identification of the parent node strategy, the strategy priority of the target strategy is higher than the strategy priority of the parent node strategy, and the action information of the target strategy is opposite to that of the parent node strategy, the target strategy is determined as a conflict strategy of the parent node strategy;
and if the strategy identifications of the parent node strategies contained in the partial elements of the target strategy are the same, the strategy priority of the target strategy is higher than that of the parent node strategy, and the action information of the target strategy is opposite to that of the parent node strategy, determining the target strategy as the crossing strategy of the parent node strategy.
8. A policy information analysis apparatus of a gateway device, comprising:
a policy information acquisition module, configured to acquire policy information of each policy in the scope of action of the gateway device, where the policy information of each policy comprises: the protocol type, source address information, destination address information and port information of that policy;
a policy information processing module, configured to split each policy into a source address element, a destination address element and port elements of different protocol types according to the protocol type, source address information, destination address information and port information of that policy, where the source address element comprises the policy identifier and the source address information of the policy, the destination address element comprises the policy identifier and the destination address information of the policy, and the port element comprises the policy identifier, protocol type and port information of the policy;
a policy information recording module, configured to search, based on a network address space, for the parent node policy corresponding to each of the source address element, the destination address element and the port element of each policy, and to record the policy identifier of that parent node policy into the source address element, the destination address element and the port element of the policy, respectively;
a policy information analysis module, configured to determine policy relationship information between the policies in the scope of action of the gateway device according to the policy identifiers of the parent node policies recorded in the source address elements, destination address elements and port elements of those policies, together with the priority information and action information of the policies and their parent node policies, where the priority information is used to determine the priority for policy execution, and the action information comprises: an allow action or a deny action.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the policy information analysis method of the gateway device according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a computer, implements the steps of the policy information analysis method of the gateway device according to any one of claims 1 to 7.
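The three steps the claims describe (split each policy into source, destination and port elements; record, per element, which broader policy covers it; then classify the pair as invalid, redundant, conflicting or crossing from the parent identifiers, priority and action) as an added worked example in Python. This is not code from the patent: the `Policy` fields, the subnet/port-range containment used as the "network address space" lookup, the convention that a larger priority value is evaluated first, and the sample rule set are all assumptions made here.

```python
from collections import namedtuple
from ipaddress import ip_network

# Fields per the claim; priority is an assumption: larger value = evaluated first.
Policy = namedtuple("Policy", "pid proto src dst ports priority action")
ELEMENTS = ("src", "dst", "port")

def split(p):  # step 1: split a policy into source, destination and port elements
    return {"src": ip_network(p.src), "dst": ip_network(p.dst), "port": (p.proto, p.ports)}

def covers(kind, parent, child):  # parent element contains child in address/port space
    if kind == "port":
        (pp, (plo, phi)), (cp, (clo, chi)) = parent, child
        return pp == cp and plo <= clo and chi <= phi
    return child.subnet_of(parent)

def parent_ids(target, policies):  # step 2: per element, ids of the covering parents
    t, parents = split(target), {k: set() for k in ELEMENTS}
    for other in (o for o in policies if o.pid != target.pid):
        for k, val in split(other).items():
            if covers(k, val, t[k]):
                parents[k].add(other.pid)
    return parents

def relation(target, parent, parents):  # step 3: the four relationship types of the claim
    hits = [parent.pid in parents[k] for k in ELEMENTS]
    opposite, higher = target.action != parent.action, target.priority > parent.priority
    if all(hits) and target.priority < parent.priority:
        return "invalid"    # fully covered by an earlier rule: can never be hit
    if all(hits) and higher:
        return "conflict" if opposite else "redundant"
    if any(hits) and higher and opposite:
        return "crossing"   # only some elements share the parent
    return None

def analyse(policies):  # every (target, parent, relation) triple in the rule set
    found = []
    for t in policies:
        parents = parent_ids(t, policies)
        found += [(t.pid, p.pid, relation(t, p, parents)) for p in policies
                  if p.pid != t.pid and relation(t, p, parents)]
    return found

SAMPLE = [  # constructed sample rule set, not from the patent; P1 is the broad parent rule
    Policy("P1", "tcp", "10.0.0.0/8", "192.168.1.0/24", (1, 1024), 10, "deny"),
    Policy("P2", "tcp", "10.1.0.0/16", "192.168.1.0/26", (22, 22), 5, "allow"),
    Policy("P3", "tcp", "10.2.0.0/16", "192.168.1.64/26", (80, 80), 20, "deny"),
    Policy("P4", "tcp", "10.3.0.0/16", "192.168.1.128/26", (443, 443), 20, "allow"),
    Policy("P5", "tcp", "10.4.0.0/16", "192.168.2.0/24", (25, 25), 20, "allow"),
]
```

Running `analyse(SAMPLE)` reports P2 as invalid (shadowed by P1), P3 as redundant, P4 as conflicting and P5 as crossing, each relative to P1.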

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911265187.7A CN111163061B (en) 2019-12-11 2019-12-11 Method and device for analyzing policy information of gateway equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911265187.7A CN111163061B (en) 2019-12-11 2019-12-11 Method and device for analyzing policy information of gateway equipment

Publications (2)

Publication Number Publication Date
CN111163061A CN111163061A (en) 2020-05-15
CN111163061B true CN111163061B (en) 2022-02-15

Family

ID=70556944

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911265187.7A Active CN111163061B (en) 2019-12-11 2019-12-11 Method and device for analyzing policy information of gateway equipment

Country Status (1)

Country Link
CN (1) CN111163061B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113691522A (en) * 2021-08-20 2021-11-23 北京天融信网络安全技术有限公司 Data traffic processing method and device, electronic equipment and storage medium
CN113783778B (en) * 2021-08-23 2023-02-28 杭州安恒信息技术股份有限公司 Policy routing method, system, computer and storage medium based on DDoS equipment
CN114024868B (en) * 2022-01-06 2022-03-25 北京安博通科技股份有限公司 Flow statistical method, flow quality analysis method and device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN201577106U (en) * 2010-01-15 2010-09-08 中国工商银行股份有限公司 Fire wall policy generating device and system
CN101714997B (en) * 2010-01-15 2012-11-28 中国工商银行股份有限公司 Firewall strategy-generating method, device and system
US10291652B2 (en) * 2014-07-25 2019-05-14 Facebook, Inc. Policy evaluation trees
CN107948205B (en) * 2017-12-31 2020-10-27 中国移动通信集团江苏有限公司 Firewall strategy generation method, device, equipment and medium
CN109714347A (en) * 2018-12-29 2019-05-03 杭州迪普科技股份有限公司 Storage, querying method and the device of tactful hit results, equipment and medium

Also Published As

Publication number Publication date
CN111163061A (en) 2020-05-15


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: Room 702-2, No. 4811, Cao'an Highway, Jiading District, Shanghai

Patentee after: CHINA UNITECHS

Address before: 100872 5th floor, Renmin culture building, 59 Zhongguancun Street, Haidian District, Beijing

Patentee before: CHINA UNITECHS
