CN111371766A - Log-based firewall policy management method and system - Google Patents
Log-based firewall policy management method and system Download PDFInfo
- Publication number
- CN111371766A CN111371766A CN202010122332.2A CN202010122332A CN111371766A CN 111371766 A CN111371766 A CN 111371766A CN 202010122332 A CN202010122332 A CN 202010122332A CN 111371766 A CN111371766 A CN 111371766A
- Authority
- CN
- China
- Prior art keywords
- log
- firewall
- firewall policy
- equipment
- policy management
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a log-based firewall policy management method and a log-based firewall policy management system. The method reduces the complexity of firewall policy management, realizes incremental updating of firewall policy data by butting firewall rsyslog logs of different types, and visually checks effective policies of firewall equipment. The invention is suitable for scenes with various different types of firewalls, is convenient to use, can meet business requirements by butting the user with the acquisition module and transmitting the rsyslog to the acquisition module, can update the strategy reflecting the actual use in the firewall in real time, and is convenient to manage.
Description
Technical Field
The invention relates to the technical field of internet, in particular to a log-based firewall policy management method and a log-based firewall policy management system.
Background
The firewall is a barrier for protecting the internal and external networks under the condition of combining hardware and software, thereby realizing the blocking of unsafe network factors of the computer. The firewall detects the data packet according to the corresponding strategy, intercepts the illegal data packet and realizes the safety protection of the network. With the development of the internet, the network scale is continuously enlarged, and the types of firewalls are continuously increasing, such as disp, H3C, huashi, natural trust, cisco and so on. In actual use, a firewall policy corresponding to the firewall is configured, but only increased operation is often performed in the configuration process; after a certain time, the firewall strategies are huge, and the search of the corresponding strategies from the huge strategies is very difficult due to the addition of various different types of firewalls; such as: the checking process is particularly troublesome when the user wants to find out whether the port is blocked by the firewall policy.
Disclosure of Invention
The invention aims to provide a log-based firewall policy management method and a log-based firewall policy management system, which aim at various types of firewalls and various firewall policies and perform centralized management and verification on the firewall policies through firewall logs.
The technical scheme adopted by the invention is as follows:
a log-based firewall policy management method comprises the following steps:
step 1, butting firewall equipment and acquisition equipment, and outputting a corresponding firewall log to the acquisition equipment;
step 2, the collection equipment transmits the log to a data cleaning module;
step 3, the data cleaning module preliminarily analyzes the log and distinguishes different firewall equipment types;
step 4, filtering the pass logs and the blocking logs corresponding to different actions according to the firewall equipment types, and matching corresponding analysis rules;
step 5, analyzing access record data from the pass log and the blocking log according to the matched analysis rule;
and 6, the firewall policy management module verifies the validity of the firewall policy based on the access record data and manages the firewall policy to the firewall policy table for management.
Further, in step 2, the data cleaning module judges the firewall device type corresponding to the log by analyzing the device to which the log belongs, the log behavior, the level and the action information.
Further, the access record data in step 5 includes corresponding protocol type, source IP, source port, destination IP, destination port, access direction, and device type data.
Further, in step 6, based on the validity of the firewall policy verified by the access record data, access policies for different access directions and different source and destination addresses of different protocols are formed and then managed in the firewall policy table.
Furthermore, the invention also discloses a log-based firewall policy management system, which adopts the log-based firewall policy management method and is characterized in that: the system comprises the following devices:
the acquisition equipment: the firewall equipment is in butt joint with rsyslog logs, and the rsyslog logs are output to the data cleaning module;
a data cleaning module: analyzing the rsyslog to judge the type of the firewall, and analyzing access record data from the pass log and the blocking log;
firewall policy management module: and verifying the validity of the firewall policy through the pass log and the blocking log of the firewall, and managing the firewall policy into a firewall policy table for management.
Furthermore, the acquisition equipment is compatible with various different types of firewall equipment.
Further, the data cleaning module judges the firewall device type corresponding to the log by analyzing the device to which the log belongs, the log behavior, the level and the action information.
Further, the access record data includes corresponding protocol type, source IP, source port, destination IP, destination port, access direction, and device type data.
Furthermore, the firewall policy management module verifies the validity of the firewall policy based on the access record data, forms access policies for different access directions and different source and destination addresses of different protocols, and manages the access policies to the firewall policy table for management.
According to the technical scheme, the acquisition module with high compatibility is selected and is in butt joint with different types of firewall equipment, and firewall strategies are verified and managed in a centralized mode through rsyslog logs. The method reduces the complexity of firewall policy management, realizes incremental updating of firewall policy data by butting firewall rsyslog logs of different types, and visually checks effective policies of firewall equipment. The invention is suitable for scenes with various types of firewalls, is convenient to use, and can meet business requirements by butt-jointing the user with the acquisition module and transmitting the rsyslog to the acquisition module. The invention can ensure the centralized display of the strategies of different firewall equipment and ensure the intuitiveness and the effectiveness of the strategies.
Drawings
The invention is described in further detail below with reference to the accompanying drawings and the detailed description;
fig. 1 is a schematic structural diagram of a log-based firewall policy management system according to the present invention.
Detailed Description
As shown in fig. 1, the present invention discloses a log-based firewall policy management method, which comprises the following steps:
step 1, butting firewall equipment and acquisition equipment, and outputting a corresponding firewall log to the acquisition equipment;
step 2, the collection equipment transmits the log to a data cleaning module;
step 3, the data cleaning module preliminarily analyzes the log and distinguishes different firewall equipment types;
step 4, filtering the pass logs and the blocking logs corresponding to different actions according to the firewall equipment types, and matching corresponding analysis rules;
step 5, analyzing access record data from the pass log and the blocking log according to the matched analysis rule;
and 6, the firewall policy management module verifies the validity of the firewall policy based on the access record data and manages the firewall policy to the firewall policy table for management.
Further, in step 2, the data cleaning module judges the firewall device type corresponding to the log by analyzing the device to which the log belongs, the log behavior, the level and the action information.
Further, the access record data in step 5 includes corresponding protocol type, source IP, source port, destination IP, destination port, access direction, and device type data.
Further, in step 6, based on the validity of the firewall policy verified by the access record data, access policies for different access directions and different source and destination addresses of different protocols are formed and then managed in the firewall policy table.
Furthermore, the invention also discloses a log-based firewall policy management system, which adopts the log-based firewall policy management method and is characterized in that: the system comprises the following devices:
the acquisition equipment: the firewall equipment is in butt joint with rsyslog logs, and the rsyslog logs are output to the data cleaning module;
a data cleaning module: analyzing the rsyslog to judge the type of the firewall, and analyzing access record data from the pass log and the blocking log;
firewall policy management module: and verifying the validity of the firewall policy through the pass log and the blocking log of the firewall, and managing the firewall policy into a firewall policy table for management.
Furthermore, the acquisition equipment is compatible with various different types of firewall equipment.
Further, the data cleaning module judges the firewall device type corresponding to the log by analyzing the device to which the log belongs, the log behavior, the level and the action information.
Further, the access record data includes corresponding protocol type, source IP, source port, destination IP, destination port, access direction, and device type data.
Furthermore, the firewall policy management module verifies the validity of the firewall policy based on the access record data, forms access policies for different access directions and different source and destination addresses of different protocols, and manages the access policies to the firewall policy table for management.
By adopting the technical scheme, the acquisition module with high compatibility is selected to be in butt joint with different types of firewall equipment, the firewall strategy is verified and managed in a centralized way through the rsyslog log, and a separate interface is not needed for butt joint. The method reduces the complexity of firewall policy management, realizes incremental updating of firewall policy data by butting firewall rsyslog logs of different types, and visually checks effective policies of firewall equipment. The invention is suitable for scenes with various different types of firewalls, is convenient to use, can meet business requirements by butting the user with the acquisition module and transmitting the rsyslog to the acquisition module, can update the strategy reflecting the actual use in the firewall in real time, and is convenient to manage. The invention can ensure the centralized display of the strategies of different firewall equipment and ensure the intuitiveness and the effectiveness of the strategies.
Claims (9)
1. A log-based firewall policy management method is characterized in that: which comprises the following steps:
step 1, butting firewall equipment and acquisition equipment, and outputting a corresponding firewall log to the acquisition equipment;
step 2, the collection equipment transmits the log to a data cleaning module,
step 3, the data cleaning module preliminarily analyzes the log and distinguishes different firewall equipment types;
step 4, filtering the pass logs and the blocking logs corresponding to different actions according to the firewall equipment types, and matching corresponding analysis rules;
step 5, analyzing the access record data from the pass log and the blocking log according to the matched analysis rule,
and 6, the firewall policy management module verifies the validity of the firewall policy based on the access record data and manages the firewall policy to the firewall policy table for management.
2. The log-based firewall policy management method according to claim 1, wherein: and in the step 2, the data cleaning module judges the firewall equipment type corresponding to the log by analyzing the equipment to which the log belongs, the log behavior, the grade and the action information.
3. The log-based firewall policy management method according to claim 1, wherein: the access record data in step 5 includes corresponding protocol type, source IP, source port, destination IP, destination port, access direction and device type data.
4. The log-based firewall policy management method according to claim 1, wherein: and 6, verifying the validity of the firewall policy based on the access record data to form access policies aiming at different access directions and different source and destination addresses of different protocols, and managing the access policies into a firewall policy table.
5. A log-based firewall policy management system, which employs the log-based firewall policy management method of any one of claims 1 to 4, characterized in that: the system comprises the following devices:
the acquisition equipment: the firewall equipment is in butt joint with rsyslog logs, and the rsyslog logs are output to the data cleaning module;
a data cleaning module: analyzing the rsyslog to judge the type of the firewall, and analyzing access record data from the pass log and the blocking log;
firewall policy management module: and verifying the validity of the firewall policy through the pass log and the blocking log of the firewall, and managing the firewall policy into a firewall policy table for management.
6. The log-based firewall policy management system according to claim 5, wherein: the acquisition equipment is compatible with various different types of firewall equipment.
7. The log-based firewall policy management system according to claim 5, wherein: and the data cleaning module judges the firewall equipment type corresponding to the log by analyzing the equipment to which the log belongs, the log behavior, the log grade and the action information.
8. The log-based firewall policy management system according to claim 5, wherein: the access record data includes corresponding protocol type, source IP, source port, destination IP, destination port, access direction and device type data.
9. The log-based firewall policy management method according to claim 5, wherein: the firewall policy management module verifies the validity of the firewall policy based on the access record data, forms access policies aiming at different access directions and different source and destination addresses of different protocols and then manages the access policies into the firewall policy table for management.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010122332.2A CN111371766A (en) | 2020-02-27 | 2020-02-27 | Log-based firewall policy management method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010122332.2A CN111371766A (en) | 2020-02-27 | 2020-02-27 | Log-based firewall policy management method and system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN111371766A true CN111371766A (en) | 2020-07-03 |
Family
ID=71212616
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010122332.2A Pending CN111371766A (en) | 2020-02-27 | 2020-02-27 | Log-based firewall policy management method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111371766A (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112019546A (en) * | 2020-08-28 | 2020-12-01 | 杭州安恒信息技术股份有限公司 | Protection strategy adjusting method, system, equipment and computer storage medium |
| CN112583788A (en) * | 2020-11-03 | 2021-03-30 | 惠州市德赛西威智能交通技术研究院有限公司 | Intelligent generation method and system for vehicle-mounted firewall strategy |
| CN115150166A (en) * | 2022-06-30 | 2022-10-04 | 广东电网有限责任公司 | Log collection and analysis management system |
| CN115174219A (en) * | 2022-07-06 | 2022-10-11 | 哈尔滨工业大学(威海) | Management system capable of adapting to multiple industrial firewalls |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CA2327211A1 (en) * | 2000-12-01 | 2002-06-01 | Nortel Networks Limited | Management of log archival and reporting for data network security systems |
| CN103577307A (en) * | 2013-11-07 | 2014-02-12 | 浙江中烟工业有限责任公司 | Method for automatically extracting and analyzing firewall logs based on XML rule model |
| US20140164595A1 (en) * | 2012-12-11 | 2014-06-12 | International Business Machines Corporation | Firewall event reduction for rule use counting |
| US20150163199A1 (en) * | 2012-04-30 | 2015-06-11 | Zscaler, Inc. | Systems and methods for integrating cloud services with information management systems |
| CN108429774A (en) * | 2018-06-21 | 2018-08-21 | 蔡梦臣 | A kind of firewall policy centralized optimization management method and its system |
| CN108933791A (en) * | 2018-07-09 | 2018-12-04 | 国网山东省电力公司信息通信公司 | One kind being based on Electricity Information Network Safeguard tactics intelligent optimization method and device |
| CN110287163A (en) * | 2019-06-25 | 2019-09-27 | 浙江乾冠信息安全研究院有限公司 | Security log acquires analytic method, device, equipment and medium |
| US20190364072A1 (en) * | 2018-05-22 | 2019-11-28 | Appviewx Inc. | System for monitoring and managing firewall devices and firewall management platforms |
-
2020
- 2020-02-27 CN CN202010122332.2A patent/CN111371766A/en active Pending
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CA2327211A1 (en) * | 2000-12-01 | 2002-06-01 | Nortel Networks Limited | Management of log archival and reporting for data network security systems |
| US20150163199A1 (en) * | 2012-04-30 | 2015-06-11 | Zscaler, Inc. | Systems and methods for integrating cloud services with information management systems |
| US20140164595A1 (en) * | 2012-12-11 | 2014-06-12 | International Business Machines Corporation | Firewall event reduction for rule use counting |
| CN103577307A (en) * | 2013-11-07 | 2014-02-12 | 浙江中烟工业有限责任公司 | Method for automatically extracting and analyzing firewall logs based on XML rule model |
| US20190364072A1 (en) * | 2018-05-22 | 2019-11-28 | Appviewx Inc. | System for monitoring and managing firewall devices and firewall management platforms |
| CN108429774A (en) * | 2018-06-21 | 2018-08-21 | 蔡梦臣 | A kind of firewall policy centralized optimization management method and its system |
| CN108933791A (en) * | 2018-07-09 | 2018-12-04 | 国网山东省电力公司信息通信公司 | One kind being based on Electricity Information Network Safeguard tactics intelligent optimization method and device |
| CN110287163A (en) * | 2019-06-25 | 2019-09-27 | 浙江乾冠信息安全研究院有限公司 | Security log acquires analytic method, device, equipment and medium |
Non-Patent Citations (1)
| Title |
|---|
| 张俊林: "基于日志分析的网络管理与安全审计系统", 《硅谷》 * |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112019546A (en) * | 2020-08-28 | 2020-12-01 | 杭州安恒信息技术股份有限公司 | Protection strategy adjusting method, system, equipment and computer storage medium |
| CN112019546B (en) * | 2020-08-28 | 2022-11-25 | 杭州安恒信息技术股份有限公司 | Protection strategy adjusting method, system, equipment and computer storage medium |
| CN112583788A (en) * | 2020-11-03 | 2021-03-30 | 惠州市德赛西威智能交通技术研究院有限公司 | Intelligent generation method and system for vehicle-mounted firewall strategy |
| CN115150166A (en) * | 2022-06-30 | 2022-10-04 | 广东电网有限责任公司 | Log collection and analysis management system |
| CN115150166B (en) * | 2022-06-30 | 2024-03-12 | 广东电网有限责任公司 | Log collection and analysis management system |
| CN115174219A (en) * | 2022-07-06 | 2022-10-11 | 哈尔滨工业大学(威海) | Management system capable of adapting to multiple industrial firewalls |
| CN115174219B (en) * | 2022-07-06 | 2024-04-19 | 哈尔滨工业大学(威海) | Management system capable of adapting to various industrial firewalls |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111371766A (en) | Log-based firewall policy management method and system | |
| JP3968724B2 (en) | Network security system and operation method thereof | |
| CN103391216B (en) | A kind of illegal external connection is reported to the police and blocking-up method | |
| US7464407B2 (en) | Attack defending system and attack defending method | |
| CN107872456A (en) | Network intrusion prevention method, apparatus, system and computer-readable recording medium | |
| KR102033169B1 (en) | intelligence type security log analysis method | |
| CN104468632A (en) | Loophole attack prevention method, device and system | |
| CN112347485B (en) | Processing method for acquiring loopholes and automatically penetrating multiple engines | |
| CN110362992B (en) | Method and apparatus for blocking or detecting computer attacks in cloud-based environment | |
| US8548998B2 (en) | Methods and systems for securing and protecting repositories and directories | |
| CN104158767B (en) | A kind of network admittance device and method | |
| CN105847300B (en) | The method for visualizing and device of enterprise network boundary device topology | |
| CN112261144A (en) | Novel cross-network data exchange mode and communication method | |
| EP1241849A2 (en) | Method of and apparatus for filtering access, and computer product | |
| CN114553537A (en) | Abnormal flow monitoring method and system for industrial Internet | |
| Fovino et al. | Through the description of attacks: A multidimensional view | |
| CN1326365C (en) | Worm blocking system and method using hardware-based pattern matching | |
| Fry et al. | Security Monitoring: Proven Methods for Incident Detection on Enterprise Networks | |
| KR102494831B1 (en) | Network intrusion detection system for information processing system of nuclear power plants | |
| CN115776517A (en) | Service request processing method and device, storage medium and electronic equipment | |
| KR20070061017A (en) | Apparatus and method for blocking attack into web-application | |
| Lekkas et al. | Handling and reporting security advisories: A scorecard approach | |
| Moraes | Cisco Firewalls: Concepts, Design and Deployment for Cisco Stateful Firewall Solutions | |
| KR101498647B1 (en) | Security Management System And Security Management Method Using The Same | |
| CN115102725B (en) | Security audit method, device and medium for industrial robot |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20200703 |
|
| RJ01 | Rejection of invention patent application after publication |