Disclosure of Invention
In view of the foregoing, it is desirable to provide an efficient security protection method and apparatus for a network system, a computer device, and a storage medium.
A method of securing a network system, the method comprising:
acquiring physical network node information in a network system to be managed; the physical network node information comprises at least one of an Internet Protocol (IP) network segment of equipment in the network system to be managed, key routing node parameters, configuration information of key routing nodes and port connection links of the key routing nodes;
generating at least one target view according to the physical network node information; wherein the target view comprises at least one of a physical network topology view, a routing topology view, a Virtual Local Area Network (VLAN) management view, a VLAN topology view and an IP address management view;
and performing security protection on the network system to be managed based on the target view by using a preset security policy microservice.
In one embodiment, the performing security protection on the network system to be managed based on the target view by using a preset security policy microservice includes:
acquiring, by the security policy microservice, vulnerability information of the network system to be managed according to the target view, and performing security protection on the network system to be managed according to the vulnerability information.
In one embodiment, the acquiring, by the security policy microservice, vulnerability information of the network system to be managed according to the target view and performing security protection on the network system to be managed according to the vulnerability information includes:
acquiring, by the security policy microservice, device information of an unauthorized access device appearing in the physical network topology view, and configuring a firewall according to the device information of the unauthorized access device, so as to perform security protection on the network system to be managed.
In one embodiment, the method further comprises:
acquiring a role permission of a user; each role permission corresponds to a management permission over target devices in the network system to be managed;
and feeding back vulnerability information of the target devices in the network system to be managed that correspond to the role permission to the terminal associated with the role permission.
In one embodiment, the method further comprises:
acquiring, by the security policy microservice, fault information of the network system to be managed according to the target view;
and displaying the fault information on the target view to which the fault information corresponds.
In one embodiment, the generating at least one target view according to the physical network node information includes:
generating the physical network topology view according to the physical network node information by using a preset physical network topology microservice; and/or
generating the routing topology view according to the key routing node parameters by using a preset routing topology view microservice; and/or
generating the VLAN management view according to the physical network node information by using a preset VLAN management view microservice; and/or
generating the VLAN topology view according to the physical network node information by using a preset VLAN topology view microservice; and/or
generating the IP address management view according to the physical network node information by using a preset IP address management view microservice.
In one embodiment, the graphic elements in the physical network topology view include servers, network devices, security devices and storage devices, and the connection lines between the graphic elements represent the physical connection relationships, operating information and physical network alarm information among those devices;
the routing topology view comprises a routing structure and routing information that characterize the network system to be managed;
the VLAN management view comprises a VLAN structure, Hot Standby Router Protocol (HSRP) information of the VLAN, and Virtual Router Redundancy Protocol (VRRP) information;
the VLAN topology view shows the membership relationships among VLANs, switches and switch ports, and is used for modifying a VLAN alias, network address, subnet mask and subnet type in response to a modification instruction;
the IP address management view is used for periodically collecting the Address Resolution Protocol (ARP) table, storing IP-to-MAC (hardware address) mapping data, and querying IP usage information in response to a query instruction.
A security protection apparatus for a network system, the apparatus comprising:
the topology discovery module is used for acquiring physical network node information in a network system to be managed; the physical network node information comprises at least one of an Internet Protocol (IP) network segment of equipment in the network system to be managed, key routing node parameters, configuration information of key routing nodes and port connection links of the key routing nodes;
the target view module is used for generating at least one target view according to the physical network node information; wherein the target view comprises at least one of a physical network topology view, a routing topology view, a Virtual Local Area Network (VLAN) management view, a VLAN topology view and an IP address management view;
and a security policy module, configured to perform security protection on the network system to be managed based on the target view by using a preset security policy microservice.
A computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the following steps when executing the computer program:
acquiring physical network node information in a network system to be managed; the physical network node information comprises at least one of an Internet Protocol (IP) network segment of equipment in the network system to be managed, key routing node parameters, configuration information of key routing nodes and port connection links of the key routing nodes;
generating at least one target view according to the physical network node information; wherein the target view comprises at least one of a physical network topology view, a routing topology view, a Virtual Local Area Network (VLAN) management view, a VLAN topology view and an IP address management view;
and performing security protection on the network system to be managed based on the target view by using a preset security policy microservice.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of:
acquiring physical network node information in a network system to be managed; the physical network node information comprises at least one of an Internet Protocol (IP) network segment of equipment in the network system to be managed, key routing node parameters, configuration information of key routing nodes and port connection links of the key routing nodes;
generating at least one target view according to the physical network node information; wherein the target view comprises at least one of a physical network topology view, a routing topology view, a Virtual Local Area Network (VLAN) management view, a VLAN topology view and an IP address management view;
and performing security protection on the network system to be managed based on the target view by using a preset security policy microservice.
According to the security protection method and apparatus, computer device and storage medium for a network system described above, the security management server acquires the physical network node information in the network system to be managed, generates at least one target view according to that information, and then performs security protection on the network system to be managed based on the target view by using a preset security policy microservice. In the conventional approach, protective measures are applied by directly modifying code, which incurs high maintenance cost. Here, because security protection is carried out through security policies, different policies can be deployed and run as individual microservices, so that each security policy executes independently and protection is more convenient and faster. At the same time, because protection is delivered as microservices, different policies can be iterated more quickly, which improves the efficiency of network security protection.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The security protection method for a network system provided by the present application can be applied to the application environment shown in fig. 1. The security management server 102 is connected over a network to the network system to be managed, for example to the security device 104, the network device 106 and the storage device 108, each of which communicates with the server over the network. The security management server acquires the information of each physical network node in the network system and performs security protection on the network system to be managed by means of microservices. The security management server 102 may be implemented by a stand-alone server or by a server cluster composed of a plurality of servers.
Those skilled in the art will appreciate that the architecture shown in fig. 1 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
The following describes the technical solutions of the present application and how to solve the above technical problems with specific examples. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
It should be noted that the entity executing the method embodiments described below may be the security protection apparatus for a network system, and the apparatus may be implemented as part or all of the computer device described above by software, hardware, or a combination of the two. The following method embodiments take the security management server as the executing entity by way of example.
Fig. 2 is a flowchart illustrating a security protection method for a network system according to an embodiment. The embodiment relates to the specific process by which the security management server performs security protection on the network system to be managed. As shown in fig. 2, the method includes:
S101, acquiring physical network node information in a network system to be managed; the physical network node information includes at least one of an Internet Protocol (IP) network segment of the devices in the network system to be managed, key routing node parameters, configuration information of the key routing nodes, and port connection links of the key routing nodes.
Specifically, the security management server acquires the physical network node information of the network system to be managed. Optionally, a neighbor discovery protocol may be used to obtain the physical network node information, or an existing network topology discovery tool may be used. It should be noted that the network system to be managed is a network system that requires security maintenance; it may include security devices, network devices and storage devices, and may also include other devices and their loaded software, middleware, connection buses, and so on. The physical network node information may include the IP network segment of each device in the network system to be managed; it may also include key routing node parameters, such as the device parameters of security devices or the bandwidth of network devices; it may also include configuration information of the key routing nodes, which may include, but is not limited to, device type, device name, manufacturer, model, the IP address of the device, and the static and dynamic routing tables of the routing node; and it may also include the port connection links of the key routing nodes, such as the port identifiers of the connections between different key routing nodes.
S102, generating at least one target view according to the physical network node information; wherein the target view comprises at least one of a physical network topology view, a routing topology view, a Virtual Local Area Network (VLAN) management view, a VLAN topology view and an IP address management view.
Specifically, the security management server generates different target views according to the physical network node information. The target view comprises one or more of a physical network topology view, a routing topology view, a Virtual Local Area Network (VLAN) management view, a VLAN topology view and an IP address management view. The physical network topology view represents the network topology of the physical devices in the network system to be managed; the routing topology view represents the paths taken by traffic as it is routed; the VLAN management view represents the management relationships of the devices within a VLAN; the VLAN topology view represents the network topology of the devices within a VLAN; and the IP address management view represents the assignment relationships of IP addresses.
S103, performing security protection on the network system to be managed based on the target view by using a preset security policy microservice.
Specifically, the security management server operates in a microservice mode, that is, it performs security protection on the network system to be managed based on the target view by using a preset security policy microservice. Optionally, a security policy microservice hosting the security policies may be established in advance. The security policies include policies for blocking high-risk ports, blocking IP addresses, and protecting the session-layer, application-layer and other protocols located at layers 4 to 7 of the OSI seven-layer model (typically, layers 3 and 4 are handled by the network equipment, while layers 5 to 7 are hardened by security policies applied on a WAF, a software load balancer or the like). Optionally, the security management server may use the microservice to analyze the routing topology view and identify an unreachable routing path in the network system to be managed, and then repair the fault, for example by automatically repairing the routing path according to the protection policy corresponding to that fault, thereby implementing security protection of the network to be managed; similarly, it may implement security protection by remediating possible vulnerabilities of newly connected devices identified in the IP address management view.
In this embodiment, the security management server acquires physical network node information in the network system to be managed, generates at least one target view according to that information, and performs security protection on the network system to be managed based on the target view by using a preset security policy microservice. In the conventional approach, protective measures are applied by directly modifying code, which incurs high maintenance cost. Here, because security protection is carried out through security policies, different policies can be deployed and run as individual microservices, so that each security policy executes independently and protection is more convenient and faster. At the same time, because protection is delivered as microservices, different policies can be iterated more quickly, which improves the efficiency of network security protection.
Optionally, one possible implementation of S103 may include: acquiring, by the security policy microservice, vulnerability information of the network system to be managed according to the target view, and performing security protection on the network system to be managed according to the vulnerability information. Specifically, the security management server uses the security policy microservice to obtain vulnerability information of the network system to be managed from one or more target views; for example, from the parameters of a node in the physical network topology view it determines that the device access protocol of that node has a vulnerability, and thereby obtains the specific information of the vulnerability. The specific vulnerability information may include, but is not limited to, an identified high-risk port, in which case the microservice checks which devices in the network system to be managed expose that high-risk port without an effective security policy configured, so that the whole-network influence range is obtained; or a firmware vulnerability of devices in the network system to be managed, together with the number of affected devices and their distribution within the network system. The network system to be managed is then repaired according to preset repair policies corresponding to the different vulnerability types. In this way, vulnerabilities present in the network can be identified and remediated, further ensuring the security of the network system to be managed.
Optionally, one possible implementation of the step of acquiring, by the security policy microservice, vulnerability information of the network system to be managed according to the target view and performing security protection according to the vulnerability information may include: acquiring, by the security policy microservice, security risk information of an unauthorized access device appearing in the physical network topology view, and configuring a firewall according to that security risk information so as to perform security protection on the network system to be managed. Specifically, the security management server uses the security policy microservice to acquire the security risk information of the unauthorized access device appearing in the physical network topology view and configures a corresponding firewall based on the security risk of that device, that is, it issues a security policy to the firewall or a similar device for it to take effect, thereby implementing security protection of the network system to be managed.
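As an added illustration that is not part of the present application's disclosure, the following Python code shows one way the physical network topology view of S102 can be assembled from neighbor-discovery records and then used, as in the step above, to find an unauthorized access device and derive firewall rules for it. The record fields, the asset register keyed by MAC address, and the iptables-style rule text are all assumptions of this example; the application does not specify a data format or the firewall's rule syntax.

```python
"""Added example (not from the patent): build a physical-topology view from
neighbour-discovery records and flag devices absent from the asset register,
emitting firewall block rules for them.

All records, asset entries and the rule format are constructed for the
example; the patent specifies neither data formats nor firewall syntax."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NeighborRecord:
    """One neighbour-table entry as a discovery protocol would report it
    (constructed; field names are this example's, not the patent's)."""
    local_device: str
    local_port: str
    remote_device: str
    remote_port: str
    remote_mac: str
    remote_ip: str


# Constructed neighbour records. 'host-x' is not in the asset register below.
# The fw1 <-> core-sw1 link is reported from both ends on purpose.
NEIGHBOR_RECORDS = [
    NeighborRecord("core-sw1", "Gi1/0/1", "fw1", "eth0", "00:11:22:33:44:01", "10.0.0.1"),
    NeighborRecord("core-sw1", "Gi1/0/2", "san1", "p0", "00:11:22:33:44:02", "10.0.0.2"),
    NeighborRecord("core-sw1", "Gi1/0/3", "host-x", "eth0", "de:ad:be:ef:00:01", "10.0.0.99"),
    NeighborRecord("fw1", "eth0", "core-sw1", "Gi1/0/1", "00:11:22:33:44:00", "10.0.0.254"),
]

# Constructed asset register: MAC -> device name. Any MAC seen in the
# topology that is absent here is treated as an unauthorized access device.
ASSET_REGISTER = {
    "00:11:22:33:44:00": "core-sw1",
    "00:11:22:33:44:01": "fw1",
    "00:11:22:33:44:02": "san1",
}


def build_physical_topology(records):
    """Physical network topology view: an undirected link set plus per-device
    attributes. A link is stored once regardless of which side reported it."""
    links = set()
    devices = {}
    for r in records:
        a = (r.local_device, r.local_port)
        b = (r.remote_device, r.remote_port)
        links.add(tuple(sorted((a, b))))
        entry = devices.setdefault(
            r.remote_device, {"mac": r.remote_mac, "ip": r.remote_ip, "seen_from": set()})
        entry["seen_from"].add(r.local_device)
    return {"links": sorted(links), "devices": devices}


def find_unauthorized_devices(topology, asset_register):
    """Devices in the view whose MAC is not in the asset register, together
    with the switch/port link they were learned on."""
    rogue = []
    for name, attrs in topology["devices"].items():
        if attrs["mac"].lower() not in asset_register:
            ports = [l for l in topology["links"] if name in (l[0][0], l[1][0])]
            rogue.append({"device": name, "mac": attrs["mac"], "ip": attrs["ip"], "links": ports})
    return rogue


def firewall_rules_for(rogue_devices):
    """Render block rules for the security policy microservice to issue to the
    firewall. Assumption: the firewall accepts iptables-style rules; blocking
    both the IP and the MAC covers the device changing its address."""
    rules = []
    for d in rogue_devices:
        rules.append(f"iptables -I FORWARD -s {d['ip']} -j DROP")
        rules.append(f"iptables -I FORWARD -m mac --mac-source {d['mac']} -j DROP")
    return rules


if __name__ == "__main__":
    topo = build_physical_topology(NEIGHBOR_RECORDS)
    for rule in firewall_rules_for(find_unauthorized_devices(topo, ASSET_REGISTER)):
        print(rule)
```

The MAC-based rule is only meaningful on a firewall that sits on the same layer-2 segment as the device; beyond a router the source MAC is the router's. Either way the access switch port recorded in `links` is the more durable place to act, since a rogue device can change both identifiers.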
Optionally, on the basis of the foregoing embodiments, as shown in fig. 3, the method further includes:
S104, acquiring a role permission of a user; each role permission corresponds to a management permission over target devices in the network system to be managed.
S105, feeding back vulnerability information of the target devices in the network system to be managed that correspond to the role permission to the terminal associated with the role permission.
Specifically, the security management server can also obtain the role permission corresponding to the user's login account. The role permission corresponds to the user's management permissions over the various target devices in the network system to be managed, such as permission to obtain information or to modify configuration, and permission to monitor and manage different types of vulnerability information. The target devices may be any devices to be monitored in the network system to be managed. The security management server feeds back the vulnerability information of the target devices corresponding to the role permission to the terminal associated with that role permission; for example, when a kernel vulnerability in the operating system of a certain device in the network system to be managed is disclosed, the influence range and number of affected devices for which a given asset manager is responsible are pushed to that asset manager's terminal, so that the asset manager can plan and carry out remediation. In this embodiment, by acquiring the users' role permissions and feeding back the vulnerability information of the corresponding target devices to the associated terminals, the security management server enables users with different role permissions to obtain the vulnerability information relevant to them in a timely manner, so that vulnerability information is managed according to the users' management permissions and protection is applied by classification and grade, making the security protection of the network system to be managed more reasonable and further improving network security.
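As an added illustration that is not part of the present application's disclosure, the following Python code works through both the high-risk-port case of the S103 implementation above (which devices expose a high-risk port without an effective blocking policy, and the resulting whole-network influence range by IP segment) and the per-role feedback of S104-S105 (splitting those findings by the segments each role manages). The device records, the high-risk port list, the role definitions and the field names are constructed for this example.

```python
"""Added example (not from the patent): find devices exposing a high-risk
port with no effective blocking policy, summarise the impact range per IP
segment, and split the findings per role so each asset manager only receives
the devices that role manages. All inputs are constructed."""
import ipaddress
from collections import defaultdict

# Constructed high-risk port list (assumption: the operator's own policy).
HIGH_RISK_PORTS = {23: "telnet", 445: "smb", 3389: "rdp"}

# Constructed device records as the target views would expose them: open TCP
# ports plus the ports an effective security policy already blocks.
DEVICES = [
    {"ip": "10.1.0.10", "name": "app-01", "open": {22, 445}, "blocked": set()},
    {"ip": "10.1.0.11", "name": "app-02", "open": {22, 445}, "blocked": {445}},
    {"ip": "10.2.0.5", "name": "db-01", "open": {3389, 5432}, "blocked": set()},
    {"ip": "10.2.0.6", "name": "nas-01", "open": {23}, "blocked": set()},
]

# Constructed role permissions: role -> IP segments that role manages.
ROLES = {
    "app-admin": ["10.1.0.0/24"],
    "storage-admin": ["10.2.0.0/24"],
}


def find_exposed_devices(devices, high_risk_ports=HIGH_RISK_PORTS):
    """Vulnerability information: devices with a high-risk port open that is
    not covered by an effective blocking policy. A device whose policy
    already blocks the port (app-02 above) is not a finding."""
    findings = []
    for d in devices:
        exposed = sorted(p for p in d["open"]
                         if p in high_risk_ports and p not in d["blocked"])
        if exposed:
            findings.append({"ip": d["ip"], "name": d["name"],
                             "ports": [(p, high_risk_ports[p]) for p in exposed]})
    return findings


def impact_range(findings, prefix_len=24):
    """Whole-network influence range: affected device count per IP segment."""
    counts = defaultdict(int)
    for f in findings:
        seg = ipaddress.ip_network(f"{f['ip']}/{prefix_len}", strict=False)
        counts[str(seg)] += 1
    return dict(counts)


def feedback_by_role(findings, roles):
    """Split findings per role permission so a role only sees the devices it
    manages; this is what gets pushed to that role's terminal."""
    nets = {role: [ipaddress.ip_network(s) for s in segs] for role, segs in roles.items()}
    out = {role: [] for role in roles}
    for f in findings:
        addr = ipaddress.ip_address(f["ip"])
        for role, segs in nets.items():
            if any(addr in s for s in segs):
                out[role].append(f)
    return out


if __name__ == "__main__":
    found = find_exposed_devices(DEVICES)
    print("impact range:", impact_range(found))
    for role, items in feedback_by_role(found, ROLES).items():
        print(role, [(f["name"], f["ports"]) for f in items])
```

The filter keys on the segments a role manages, not on the role name, so a finding outside every managed segment is reported to nobody; in practice the unassigned remainder should go to a catch-all owner rather than be silently dropped.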
Optionally, on the basis of the foregoing embodiments, the method may further include: acquiring, by the security policy microservice, fault information of the network system to be managed according to the target view; and displaying the fault information on the target view to which the fault information corresponds.
Optionally, on the basis of the foregoing embodiments, one possible implementation of step S102 may include at least one of the following steps: generating the physical network topology view according to the physical network node information by using a preset physical network topology microservice; generating the routing topology view according to the key routing node parameters by using a preset routing topology view microservice; generating the VLAN management view according to the physical network node information by using a preset VLAN management view microservice; generating the VLAN topology view according to the physical network node information by using a preset VLAN topology view microservice; and generating the IP address management view according to the physical network node information by using a preset IP address management view microservice. Specifically, the security management server generates each target view in microservice mode, with a separate preset microservice responsible for each of the views listed above.
By acquiring the various target views in this way, each type of target view is produced by its own microservice, which is more convenient and faster; the microservices for the different types of target view can be iterated more quickly, improving the efficiency and accuracy with which the target views are obtained, and thereby improving the efficiency of network security protection and enhancing the security of the network system.
Optionally, on the basis of the foregoing embodiments, the graphic elements in the physical network topology view include servers, network devices, security devices and storage devices, and the connection lines between the graphic elements represent the physical connection relationships and operating information among those devices, such as signal flow direction and physical network alarm information; the routing topology view comprises a routing structure and routing information that characterize the network system to be managed; the VLAN management view comprises a VLAN structure, Hot Standby Router Protocol (HSRP) information of the VLAN, and Virtual Router Redundancy Protocol (VRRP) information; the VLAN topology view comprises the membership relationships among VLANs, switches and switch ports, and is used for modifying a VLAN alias, network address, subnet mask and subnet type in response to a modification instruction; the IP address management view is used for periodically collecting the Address Resolution Protocol (ARP) table, storing IP-to-MAC (hardware address) mapping data, and querying IP usage information in response to a query instruction.
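As an added illustration that is not part of the present application's disclosure, the following Python code implements the IP address management view's periodic ARP collection described above: it parses neighbor-table output in the line format of iproute2's `ip -4 neigh show`, stores the IP-to-MAC mapping with first- and last-seen times, answers IP and MAC queries, and reports an IP whose MAC changed between two collections, which is the signature an ARP-spoofing attempt or an unauthorized device reusing an address leaves in this data. The two sample snapshots are constructed; the store and the change check are this example's design, not something the application specifies.

```python
"""Added example (not from the patent): periodic ARP/neighbour collection for
the IP address management view. Parses 'ip -4 neigh show' style lines
(constructed samples), keeps IP-to-MAC relation data with history, answers
queries, and flags an IP whose MAC changed between collections."""
import re
from datetime import datetime, timezone

# iproute2 'ip -4 neigh show' line shape: "<ip> dev <if> lladdr <mac> <state>"
NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17}) (?P<state>\S+)$"
)

# Constructed snapshots a few minutes apart. In the second one 10.0.0.5
# answers from a different MAC; 10.0.0.7 never resolved and carries no MAC.
COLLECTION_1 = """\
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:00 REACHABLE
10.0.0.5 dev eth0 lladdr 00:11:22:33:44:05 STALE
10.0.0.7 dev eth0  FAILED
"""
COLLECTION_2 = """\
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:00 REACHABLE
10.0.0.5 dev eth0 lladdr de:ad:be:ef:00:05 REACHABLE
"""


def parse_neigh(text):
    """Yield (ip, mac, dev) for lines that carry a link-layer address;
    FAILED/INCOMPLETE entries have none and are skipped."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            yield m["ip"], m["mac"].lower(), m["dev"]


class IpAddressStore:
    """Relation data of IP to MAC: current binding plus per-IP history."""

    def __init__(self):
        self.current = {}   # ip -> {"mac", "dev", "first_seen", "last_seen"}
        self.history = {}   # ip -> [(mac, seen_at), ...]

    def collect(self, text, seen_at):
        """Ingest one snapshot; return [(ip, old_mac, new_mac)] for IPs whose
        MAC changed since the previous collection."""
        changed = []
        for ip, mac, dev in parse_neigh(text):
            prev = self.current.get(ip)
            if prev is None:
                self.current[ip] = {"mac": mac, "dev": dev,
                                    "first_seen": seen_at, "last_seen": seen_at}
                self.history[ip] = [(mac, seen_at)]
            elif prev["mac"] != mac:
                changed.append((ip, prev["mac"], mac))
                self.current[ip] = {"mac": mac, "dev": dev,
                                    "first_seen": seen_at, "last_seen": seen_at}
                self.history[ip].append((mac, seen_at))
            else:
                prev["last_seen"] = seen_at
        return changed

    def query_ip(self, ip):
        """IP usage information in response to a query instruction."""
        cur = self.current.get(ip)
        if cur is None:
            return None
        return {"ip": ip, "mac": cur["mac"], "dev": cur["dev"],
                "first_seen": cur["first_seen"].isoformat(),
                "last_seen": cur["last_seen"].isoformat(),
                "previous_macs": [m for m, _ in self.history[ip][:-1]]}

    def query_mac(self, mac):
        """All IPs currently bound to one MAC; several is worth a look."""
        return sorted(ip for ip, c in self.current.items() if c["mac"] == mac.lower())


def run_demo():
    """Feed the two constructed snapshots through a store; returns the store
    and the changes reported by the second collection."""
    t1 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
    t2 = datetime(2024, 1, 1, 10, 5, tzinfo=timezone.utc)
    store = IpAddressStore()
    store.collect(COLLECTION_1, t1)
    return store, store.collect(COLLECTION_2, t2)


if __name__ == "__main__":
    store, changes = run_demo()
    print("MAC changes:", changes)
    print(store.query_ip("10.0.0.5"))
```

A MAC change is not proof of an attack (a replaced NIC or a DHCP lease moving to another host looks the same), so the change is reported for the security policy microservice to correlate with the physical topology view rather than acted on blindly.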
It should be understood that although the steps in the flowcharts of figs. 2-3 are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated otherwise herein, the steps are not strictly limited to the order shown and may be performed in other orders. Moreover, at least some of the steps in figs. 2-3 may include multiple sub-steps or stages that are not necessarily performed at the same moment but may be performed at different times, and not necessarily in sequence but in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
In one embodiment, as shown in fig. 4, a security protection apparatus for a network system is provided, including:
a topology discovery module 100, configured to obtain information of a physical network node in a network system to be managed; the physical network node information comprises at least one of an Internet Protocol (IP) network segment of equipment in the network system to be managed, key routing node parameters, configuration information of key routing nodes and port connection links of the key routing nodes;
a target view module 200, configured to generate at least one target view according to the physical network node information; wherein the target view comprises at least one of a physical network topology view, a routing topology view, a Virtual Local Area Network (VLAN) management view, a VLAN topology view and an IP address management view;
and a security policy module 300, configured to perform security protection on the network system to be managed based on the target view by using a preset security policy microservice.
In an embodiment, the security policy module 300 is specifically configured to acquire, by the security policy microservice, vulnerability information of the network system to be managed according to the target view, and to perform security protection on the network system to be managed according to the vulnerability information.
In an embodiment, the security policy module 300 is specifically configured to acquire, by the security policy microservice, device information of an unauthorized access device appearing in the physical network topology view, and to configure a firewall according to the device information of the unauthorized access device, so as to perform security protection on the network system to be managed.
In one embodiment, the apparatus further comprises a feedback module, configured to acquire a role permission of a user, each role permission corresponding to a management permission over target devices in the network system to be managed, and to feed back vulnerability information of the target devices corresponding to the role permission to the terminal associated with the role permission.
In one embodiment, the feedback module is further configured to acquire, by the security policy microservice, fault information of the network system to be managed according to the target view, and to display the fault information on the target view to which the fault information corresponds.
In an embodiment, the target view module 200 is specifically configured to generate the physical network topology view according to the physical network node information by using a preset physical network topology microservice; and/or to generate the routing topology view according to the key routing node parameters by using a preset routing topology view microservice; and/or to generate the VLAN management view according to the physical network node information by using a preset VLAN management view microservice; and/or to generate the VLAN topology view according to the physical network node information by using a preset VLAN topology view microservice; and/or to generate the IP address management view according to the physical network node information by using a preset IP address management view microservice.
In one embodiment, the graphic elements in the physical network topology view include servers, network devices, security devices and storage devices, and the connection lines between the graphic elements represent the physical connection relationships, operating information and physical network alarm information among those devices; the routing topology view comprises a routing structure and routing information that characterize the network system to be managed; the VLAN management view comprises a VLAN structure, Hot Standby Router Protocol (HSRP) information of the VLAN, and Virtual Router Redundancy Protocol (VRRP) information; the VLAN topology view shows the membership relationships among VLANs, switches and switch ports, and is used for modifying a VLAN alias, network address, subnet mask and subnet type in response to a modification instruction; the IP address management view is used for periodically collecting the Address Resolution Protocol (ARP) table, storing IP-to-MAC (hardware address) mapping data, and querying IP usage information in response to a query instruction.
In one embodiment, the structure of the security management server may also be as shown in fig. 5.
For specific definitions of the security protection apparatus for a network system, reference may be made to the definitions of the security protection method for a network system above, which are not repeated here. The modules of the security protection apparatus may be implemented in whole or in part by software, hardware, or a combination of the two. The modules may be embedded in hardware form in, or be independent of, the processor of the computer device, or may be stored in software form in the memory of the computer device, so that the processor can call them and execute the operations corresponding to each module.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 6. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing physical network node information. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a method of securing a network system.
Those skilled in the art will appreciate that the architecture shown in fig. 6 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:
acquiring physical network node information in a network system to be managed; the physical network node information comprises at least one of an Internet Protocol (IP) network segment of equipment in the network system to be managed, key routing node parameters, configuration information of key routing nodes and port connection links of the key routing nodes;
generating at least one target view according to the physical network node information; wherein the target view comprises at least one of a physical network topology view, a routing topology view, a Virtual Local Area Network (VLAN) management view, a VLAN topology view and an IP address management view;
and using a preset security policy microservice, performing security protection on the network system to be managed based on the target view.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
and using the security policy microservice, acquiring vulnerability information of the network system to be managed according to the target view, and performing security protection on the network system to be managed according to the vulnerability information.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
and using the security microservice, acquiring the device information of an unauthorized access device appearing in the physical network topology view, and configuring a firewall according to the device information of the unauthorized access device so as to perform security protection on the network system to be managed.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
acquiring the role permission of a user, each role permission corresponding to the management permission for target devices in the network system to be managed;
and feeding back the vulnerability information of the target devices in the network system to be managed that correspond to the role permission to the terminal associated with that role permission.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
acquiring fault information of the network system to be managed according to the target view by using the security policy microservice;
and displaying the fault information on a target view corresponding to the fault information.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
generating the physical network topology view from the physical network node information by using a preset physical network topology microservice; and/or
generating the routing topology view from the key routing node parameters by using a preset routing topology view microservice; and/or
generating the VLAN management view from the physical network node information by using a preset VLAN management view microservice; and/or
generating the VLAN topology view from the physical network node information by using a preset VLAN topology view microservice; and/or
generating the IP address management view from the physical network node information by using a preset IP address management view microservice.
In one embodiment, the graphic elements in the physical network topology view represent servers, network devices, security devices and storage devices, and the connection lines among the graphic elements represent the physical connection relationships, operating information and physical network alarm information of these devices;
the routing topology view comprises the routing structure and routing information that characterize the network system to be managed;
the VLAN management view comprises the VLAN structure together with the Hot Standby Router Protocol (HSRP) information and Virtual Router Redundancy Protocol (VRRP) information of the VLANs;
the VLAN topology view shows the membership relationships among VLANs, switches and switch ports, and is used for modifying the VLAN alias, network address, subnet mask and subnet type in response to a modification instruction;
the IP address management view is used for periodically collecting the Address Resolution Protocol (ARP) table, storing the relation data between IP addresses and hardware (MAC) addresses, and querying IP usage information in response to a query instruction.
It should be clear that, in the embodiments of the present application, the process of executing the computer program by the processor is consistent with the process of executing the steps in the above method, and specific reference may be made to the description above.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
acquiring physical network node information in a network system to be managed; the physical network node information comprises at least one of an Internet Protocol (IP) network segment of equipment in the network system to be managed, key routing node parameters, configuration information of key routing nodes and port connection links of the key routing nodes;
generating at least one target view according to the physical network node information; wherein the target view comprises at least one of a physical network topology view, a routing topology view, a Virtual Local Area Network (VLAN) management view, a VLAN topology view and an IP address management view;
and using a preset security policy microservice, performing security protection on the network system to be managed based on the target view.
In one embodiment, the computer program when executed by the processor further performs the steps of:
and using the security policy microservice, acquiring vulnerability information of the network system to be managed according to the target view, and performing security protection on the network system to be managed according to the vulnerability information.
In one embodiment, the computer program when executed by the processor further performs the steps of:
and using the security microservice, acquiring the device information of an unauthorized access device appearing in the physical network topology view, and configuring a firewall according to the device information of the unauthorized access device so as to perform security protection on the network system to be managed.
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring the role permission of a user, each role permission corresponding to the management permission for target devices in the network system to be managed;
and feeding back the vulnerability information of the target devices in the network system to be managed that correspond to the role permission to the terminal associated with that role permission.
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring fault information of the network system to be managed according to the target view by using the security policy microservice;
and displaying the fault information on a target view corresponding to the fault information.
In one embodiment, the computer program when executed by the processor further performs the steps of:
generating the physical network topology view from the physical network node information by using a preset physical network topology microservice; and/or
generating the routing topology view from the key routing node parameters by using a preset routing topology view microservice; and/or
generating the VLAN management view from the physical network node information by using a preset VLAN management view microservice; and/or
generating the VLAN topology view from the physical network node information by using a preset VLAN topology view microservice; and/or
generating the IP address management view from the physical network node information by using a preset IP address management view microservice.
In one embodiment, the graphic elements in the physical network topology view represent servers, network devices, security devices and storage devices, and the connection lines among the graphic elements represent the physical connection relationships, operating information and physical network alarm information of these devices;
the routing topology view comprises the routing structure and routing information that characterize the network system to be managed;
the VLAN management view comprises the VLAN structure together with the Hot Standby Router Protocol (HSRP) information and Virtual Router Redundancy Protocol (VRRP) information of the VLANs;
the VLAN topology view shows the membership relationships among VLANs, switches and switch ports, and is used for modifying the VLAN alias, network address, subnet mask and subnet type in response to a modification instruction;
the IP address management view is used for periodically collecting the Address Resolution Protocol (ARP) table, storing the relation data between IP addresses and hardware (MAC) addresses, and querying IP usage information in response to a query instruction.
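The IP address management view and the firewall response to an unauthorized device, as an added example that is not the patent's own code: it ingests constructed ARP table snapshots, keeps IP-to-MAC relation data, answers IP usage queries, and derives deny entries for any MAC outside an assumed authorized inventory (all IPs, MACs and the rule format are constructed).

```python
# Added example, not the patent's code: a minimal IP address management view that
# periodically ingests ARP table snapshots, keeps IP-to-MAC relation data, answers
# IP usage queries, and derives firewall deny entries for devices outside the
# authorized inventory. All MACs, IPs and ARP lines below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class IpAddressManagementView:
    # Authorized MAC -> device name (constructed inventory); any other MAC is unauthorized.
    inventory: Dict[str, str]
    # ip -> (mac, first_seen, last_seen): relation data accumulated across collections
    relations: Dict[str, Tuple[str, int, int]] = field(default_factory=dict)
    alarms: List[str] = field(default_factory=list)

    def collect_arp_table(self, arp_lines: List[str], now: int) -> List[str]:
        """Ingest one ARP snapshot ("<ip> <mac>" per line) collected at time `now`.
        Returns the unauthorized MACs present in this snapshot."""
        unauthorized: List[str] = []
        for line in arp_lines:
            ip, mac = line.split()[:2]
            mac = mac.lower()  # normalise vendor-specific casing before comparing
            prev = self.relations.get(ip)
            if prev is not None and prev[0] != mac:
                # The IP now resolves to a different MAC: record an alarm for the view
                self.alarms.append(f"t={now}: {ip} moved from {prev[0]} to {mac}")
            first_seen = prev[1] if prev is not None and prev[0] == mac else now
            self.relations[ip] = (mac, first_seen, now)
            if mac not in self.inventory and mac not in unauthorized:
                unauthorized.append(mac)
        return unauthorized

    def query_ip(self, ip: str) -> Optional[dict]:
        """Answer an IP usage query from the stored relation data."""
        if ip not in self.relations:
            return None
        mac, first_seen, last_seen = self.relations[ip]
        return {"ip": ip, "mac": mac, "device": self.inventory.get(mac, "UNAUTHORIZED"),
                "first_seen": first_seen, "last_seen": last_seen}


def firewall_rules_for(view: IpAddressManagementView, unauthorized: List[str],
                       now: int) -> List[dict]:
    """Build deny entries for unauthorized devices seen in the latest collection.
    The rule dict is a constructed, vendor-neutral format, not a real firewall CLI."""
    return [{"action": "deny", "src_ip": ip, "src_mac": mac}
            for ip, (mac, _first, last) in view.relations.items()
            if mac in unauthorized and last == now]
```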
It should be clear that, in the embodiments of the present application, the process of the processor executing the computer program is consistent with the process of executing each step of the above method, and reference may be made to the description above.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, storage, a database or another medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical storage, or the like. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM can take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM), among others.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is specific and detailed, but not to be understood as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.