CN112565287B - Asset exposure surface determination method, device, firewall and storage medium - Google Patents

Asset exposure surface determination method, device, firewall and storage medium

Info

Publication number: CN112565287B
Application number: CN202011515402.7A
Authority: CN (China)
Other versions: CN112565287A
Other languages: Chinese (zh)
Legal status: Active
Prior art keywords: asset, target, determining, permission, acquiring
Inventor: 许茂林
Original and current assignee: Sangfor Technologies Co Ltd
Events: application CN202011515402.7A filed by Sangfor Technologies Co Ltd; publication of CN112565287A; application granted; publication of CN112565287B; legal status active

Classifications

All within H (Electricity) / H04 (Electric communication technique) / H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 63/1425 Traffic logging, e.g. anomaly detection (under H04L 63/14 and H04L 63/1408: network security architectures or protocols for detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L 41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration (under H04L 41/00: maintenance, administration or management of data switching networks)
    • H04L 63/02 Network security architectures or protocols for separating internal from external traffic, e.g. firewalls
    • H04L 63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint (under H04L 63/08: authentication of entities)
    • H04L 63/101 Access control lists [ACL] (under H04L 63/10: controlling access to devices or network resources)

Abstract

The invention belongs to the technical field of firewalls and discloses a method and a device for determining an asset exposure surface, a firewall, and a storage medium. The method comprises the following steps: acquiring a target IP address range and acquiring a target IP asset according to the target IP address range; obtaining the actual use permission of the target IP asset according to the traffic data within a preset time; comparing the actual use permission with the theoretical permission in the access control list to obtain a comparison result; and determining the asset exposure surface of the target IP asset according to the comparison result. The target IP address range is used to determine the target IP asset, the traffic passing through the firewall is analyzed to obtain the actual use permission of the target IP asset, the actual use permission is compared with the theoretical permission to determine the exposure surface of the target IP asset, network operation and maintenance personnel are helped to manage and control the asset, and the security of the target IP asset is improved.

Description

Asset exposure surface determination method, device, firewall and storage medium
Technical Field
The present invention relates to the field of firewall technologies, and in particular, to a method and apparatus for determining an exposed surface of an asset, a firewall, and a storage medium.
Background
With the rapid development of business, the number of business assets grows explosively, and sorting out the exposure surfaces of business assets is a simple but very troublesome task that consumes users' time and energy. Without a clear picture of the asset exposure surfaces, the policies on the firewall tend to be opened far too widely, which gives hackers an opening for web penetration attacks and lateral movement inside the intranet.
In the daily operation and maintenance work of an operation and maintenance manager, continuously and dynamically analyzing the actual usage of assets is a very laborious manual task. The NSPM (network security policy management) products and single-firewall policy optimization that exist in the industry cannot sort out the exposure surface from the asset's point of view, so network operation and maintenance staff cannot conveniently manage and control the asset exposure surface, and security problems easily arise.
The foregoing is provided merely for the purpose of facilitating understanding of the technical solutions of the present invention and is not intended to represent an admission that the foregoing is prior art.
Disclosure of Invention
The invention mainly aims to provide a method, a device, a firewall and a storage medium for determining an asset exposure surface, and aims to solve the technical problem in the prior art that network operation and maintenance staff cannot conveniently manage the asset exposure surface.
To achieve the above object, the present invention provides an asset exposure surface determination method comprising the steps of:
acquiring a target IP address range, and acquiring a target IP asset according to the target IP address range;
obtaining the actual use permission of the target IP asset according to the flow data in the preset time;
comparing the actual use permission with the theoretical permission in the access control list to obtain a comparison result;
and determining the asset exposure surface of the target IP asset according to the comparison result.
Optionally, acquiring a target IP address range and acquiring a target IP asset according to the target IP address range includes:
acquiring the target IP address range;
determining each target IP address in the target IP address range;
and probing each target IP address respectively, and taking each target IP address that returns probe feedback as a target IP asset.
Optionally, obtaining the actual use permission of the target IP asset according to the traffic data within the preset time includes:
acquiring the traffic data within the preset time;
determining, according to the traffic data, the interaction behavior between the target IP asset and user equipment within the preset time;
and determining the actual use permission of the target IP asset according to the interaction behavior.
Optionally, comparing the actual use permission with the theoretical permission in the access control list to obtain a comparison result includes:
selecting, from the preset permissions of the access control list, the theoretical permission corresponding to the target IP asset;
comparing the actual use permission with the theoretical permission, and determining which actual use permissions are the same as the theoretical permission and which are different;
and taking the same permissions and the different permissions as the comparison result.
Optionally, before determining the asset exposure surface of the target IP asset according to the comparison result, the method further includes:
acquiring a traffic log and an access control log within the preset time;
acquiring mutual-access data of the target IP asset and the user equipment;
generating a mutual-access relationship graph of the target IP asset according to the traffic log, the access control log and the mutual-access data;
and determining the asset exposure surface of the target IP asset according to the comparison result includes:
determining the asset exposure surface of the target IP asset according to the comparison result and the mutual-access relationship graph.
Optionally, generating the mutual-access relationship graph of the target IP asset according to the traffic log, the access control log and the mutual-access data includes:
generating a log analysis result according to the traffic log and the access control log;
determining, according to the log analysis result, interaction information between the user equipment and the target IP asset;
recording the interaction information into an asset analysis form;
obtaining the mutual-access relationship between the user equipment and the target IP asset according to the asset analysis form and the mutual-access data;
and generating the mutual-access relationship graph according to the mutual-access relationship.
Optionally, after determining the asset exposure surface of the target IP asset according to the comparison result, the method further includes:
obtaining exposure surface information according to the asset exposure surface;
acquiring the preset policy corresponding to the target IP asset in the access control list;
and generating an asset analysis report of the target IP asset according to the exposure surface information and the preset policy.
In addition, in order to achieve the above object, the present invention also proposes an asset exposure surface determination apparatus including:
an IP acquisition module, used for acquiring a target IP address range and acquiring a target IP asset according to the target IP address range;
a permission acquisition module, used for acquiring the actual use permission of the target IP asset according to the traffic data within the preset time;
a permission comparison module, used for comparing the actual use permission with the theoretical permission in the access control list to obtain a comparison result;
and an exposure surface determination module, used for determining the asset exposure surface of the target IP asset according to the comparison result.
In addition, in order to achieve the above object, the present invention also proposes a firewall comprising: a memory, a processor, and an asset exposure surface determination program stored on the memory and executable on the processor, the asset exposure surface determination program configured to implement the steps of the asset exposure surface determination method as described above.
In addition, to achieve the above object, the present invention also proposes a storage medium having stored thereon an asset exposure surface determination program which, when executed by a processor, implements the steps of the asset exposure surface determination method as described above.
According to the invention, the actual use permission of the target IP asset can be obtained by analyzing the flow passing through the firewall, the actual use permission is compared with the theoretical permission, the exposed surface of the target IP asset can be determined, the network operation and maintenance personnel are helped to manage and control the exposed surface, and the safety of the target IP asset is greatly improved.
Drawings
FIG. 1 is a schematic diagram of the architecture of a firewall of a hardware operating environment in accordance with an embodiment of the invention;
FIG. 2 is a flow chart of a first embodiment of the asset exposure surface determination method of the present invention;
FIG. 3 is a flow chart of a second embodiment of the asset exposure surface determination method of the present invention;
FIG. 4 is a flow chart of a third embodiment of the asset exposure surface determination method of the present invention;
FIG. 5 is a block diagram of a first embodiment of an asset exposure surface determination apparatus of the invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Referring to fig. 1, fig. 1 is a schematic diagram of a firewall structure of a hardware running environment according to an embodiment of the present invention.
As shown in fig. 1, the firewall may include: a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable communication between these connected components. The user interface 1003 may include a display and an input unit such as a keyboard; optionally, the user interface 1003 may further include a standard wired interface or a wireless interface. The network interface 1004 may optionally include a standard wired interface or a wireless interface (e.g., a Wireless Fidelity (Wi-Fi) interface). The memory 1005 may be a high-speed random access memory (RAM) or a stable non-volatile memory (NVM), such as disk storage. The memory 1005 may also optionally be a storage device separate from the processor 1001 described above.
Those skilled in the art will appreciate that the structure shown in fig. 1 is not limiting of a firewall and may include more or fewer components than shown, or may combine certain components, or a different arrangement of components.
As shown in fig. 1, an operating system, a network communication module, a user interface module, and an asset exposure surface determination program may be included in the memory 1005 as one type of storage medium.
In the firewall shown in fig. 1, the network interface 1004 is mainly used for data communication with a network server; the user interface 1003 is mainly used for data interaction with a user; the processor 1001 and the memory 1005 in the firewall of the present invention may be disposed in the firewall, and the firewall calls the asset exposure surface determination program stored in the memory 1005 through the processor 1001 and executes the asset exposure surface determination method provided by the embodiment of the present invention.
An embodiment of the invention provides an asset exposure surface determination method, referring to fig. 2, fig. 2 is a flowchart of a first embodiment of an asset exposure surface determination method according to the invention.
In this embodiment, the method for determining the exposed surface of the asset includes the following steps:
Step S10: acquiring a target IP address range, and acquiring a target IP asset according to the target IP address range.
It should be noted that the execution subject of this embodiment is a firewall. The firewall's main function is to find and handle in time the security risks, data-transmission problems and similar issues that may arise while a computer network is running; its handling measures include isolation and protection, and it can also record and inspect every operation relevant to the security of the computer network, so as to ensure that the network runs securely, to keep user data and information intact, and to give users a better and safer experience of the computer network.
It should be appreciated that the target IP address range is a server segment range and the target IP asset may be a host device such as a server in units of IP addresses (Internet Protocol Address) in the system.
Further, obtaining a target IP address range, obtaining a target IP asset according to the target IP address range, including: acquiring the target IP address range; determining each target IP address in the target IP address range; and detecting each target IP address respectively, and taking the target IP address with detection feedback as a target IP asset.
In a specific implementation, this embodiment obtains the target IP asset in the following ways:
First, the network operation and maintenance manager enters the network segment ranges corresponding to the servers and the user equipment into the firewall, and the firewall periodically performs traversal probing of the target IPs in the server segment range. Probing sends a request packet to the target IP; if a feedback packet is obtained, the target IP is taken to hold a target IP asset. For example: the server segment ranges from 10.110.17.1 to 10.110.17.254 and all IPs in the range are probed once a week; when a request packet is sent to 10.110.17.5 and a feedback packet from 10.110.17.5 is received, a target IP asset is present at 10.110.17.5. Sending request packets to a target IP too frequently in a short time may trigger a security mechanism so that probing cannot continue; lowering the sending frequency of the request packets lets probing proceed smoothly.
Second, the firewall obtains information about the data flows passing through it, and this flow information contains the five-tuple, so target IP addresses within the server segment range are obtained from it, and the presence of a target IP asset at a target IP address can be judged without probing the target IP.
Step S20: obtaining the actual use permission of the target IP asset according to the traffic data within the preset time.
Further, obtaining the actual use permission of the target IP asset according to the traffic data within the preset time includes: acquiring the traffic data within the preset time; determining, according to the traffic data, the interaction behavior between the target IP asset and the user equipment within the preset time; and determining the actual use permission of the target IP asset according to the interaction behavior.
It should be noted that the preset time includes 7 days, 30 days, 90 days, etc., and the user equipment includes a computer, a mobile phone, a tablet computer, etc.; this embodiment does not limit either.
It can be understood that, within the preset time, the firewall acquires the passing traffic data in real time and analyzes the data flows, so as to obtain the interaction behavior between the target IP asset and external user equipment within the preset time. For example: when a computer accesses a web service, the firewall analyzes the generated traffic data and finds that the computer accessed port 80 of the target IP asset; the computer's access to the web service of the target IP asset through port 80 is then an actual use permission.
Step S30: comparing the actual use permission with the theoretical permission in the access control list to obtain a comparison result.
Further, comparing the actual use permission with the theoretical permission in the access control list to obtain a comparison result, including: selecting a theoretical authority corresponding to the target IP asset in the preset authorities of the access control list; comparing the actual use permission with the theoretical permission, and determining the same permission and different permission of the actual use permission with the theoretical permission; and taking the same authority and the different authorities as comparison results.
It should be noted that, the access control list is an access control technology based on packet filtering, which can filter the data packet on the interface according to the set condition, and allow it to pass or discard. The access control list is widely applied to firewalls, routers and three-layer switches, and by means of the access control list, the access of users to a network can be effectively controlled, and effective partition isolation is performed, so that the network security is guaranteed to the greatest extent.
It will be appreciated that the theoretical rights in the access control list are configured in advance by the network operation manager, and are rights that the access control list allows the user device to interact with the target IP asset, for example: the source address, destination address and port number are used as basic elements for checking data flow, and whether the data packet meeting the condition is allowed to pass or not can be specified. Security problems may occur when the rights that the user device is able to use exceed theoretical rights.
In a specific implementation, the actual use permission exercised when the user equipment interacts with the target IP asset is compared with the theoretical permission, so the permissions that are the same as the theoretical permission and those that differ from it can be determined. For example: the theoretical permission is that the target IP asset may provide FTP service (File Transfer Protocol service) to user equipment while the number of user connections on port 20 is below a preset connection count; but when the number of user devices connected to the FTP service rises sharply, the connection count on port 20 may exceed the preset limit, so when some user devices connect through port 21, the actual use permission of the target IP asset differs from the theoretical permission.
Step S40: determining the asset exposure surface of the target IP asset according to the comparison result.
It should be noted that if the comparison result contains permissions that are the same as the theoretical permission, for example port 80 described above, then port 80 is determined to be the safe exposure surface of the target IP asset; if the comparison result also contains permissions different from the theoretical permission, for example ports 20 and 21 above, those are the risk exposure surface of the target IP asset. The risk exposure surface may cause security problems for the target IP asset.
It should be appreciated that network operations and maintenance administrators may manage the risk exposure of the target IP asset, reducing the risk of the target IP asset.
The embodiment obtains a target IP (Internet protocol) asset according to a target IP address range by obtaining the target IP address range; obtaining the actual use permission of the target IP asset according to the flow data in the preset time; comparing the actual use permission with the theoretical permission in the access control list to obtain a comparison result; and determining the asset exposure surface of the target IP asset according to the comparison result. The target IP address is used for determining the target IP asset, the flow passing through the firewall is analyzed, the actual use authority of the target IP asset is obtained, the actual use authority is compared with the theoretical authority, the exposed surface of the target IP asset is determined, network operation and maintenance personnel are helped to manage and control the exposed surface, and the safety of the target IP asset is greatly improved.
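The four steps of the first embodiment, carried through in Python on constructed data as an added illustration (this is not code from the patent or from Sangfor). It uses the second, passive way of finding assets described under step S10, deriving them from the five-tuples the firewall already sees, and treats a permission as an (asset IP, protocol, destination port) triple; the `Flow` record, `ACL_ALLOW`, `FLOWS`, the 30-day window and all function names are assumptions of this example.

```python
"""Exposure-surface determination (steps S10-S40) over constructed data.

Added illustration, not code from the patent or its assignee. Flow
records, the ACL contents and every name here are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One five-tuple the firewall saw, plus when it saw it."""
    ts: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


# Theoretical rights: (asset IP, protocol, port) triples the ACL permits.
# Constructed for the example.
ACL_ALLOW = {
    ("10.110.17.5", "tcp", 80),   # web service
    ("10.110.17.5", "tcp", 20),   # FTP data
    ("10.110.17.9", "tcp", 443),
}

# Constructed flow records; the window below is the text's 30-day option.
T0 = datetime(2020, 10, 1, 9, 0, 0)
FLOWS = [
    Flow(T0, "55.146.67.80", 51000, "10.110.17.5", 80, "tcp"),
    Flow(T0 + timedelta(minutes=5), "55.146.67.81", 51001, "10.110.17.5", 21, "tcp"),
    Flow(T0 + timedelta(days=2), "55.146.67.80", 51002, "10.110.17.5", 20, "tcp"),
    # Seen after the 30-day window: discovered as an asset, but not counted
    # towards actual use.
    Flow(T0 + timedelta(days=40), "55.146.67.82", 51003, "10.110.17.9", 443, "tcp"),
    # Outside the target range: ignored entirely.
    Flow(T0, "55.146.67.80", 51004, "192.168.1.7", 22, "tcp"),
]


def discover_assets(flows, cidr):
    """S10, passive variant: any destination inside the server range that
    shows up in the firewall's five-tuples is treated as a target IP asset."""
    net = ip_network(cidr)
    return {f.dst_ip for f in flows if ip_address(f.dst_ip) in net}


def actual_rights(flows, assets, start, window):
    """S20: (asset, protocol, port) triples user devices really used inside
    the preset time window."""
    end = start + window
    return {(f.dst_ip, f.proto, f.dst_port)
            for f in flows if f.dst_ip in assets and start <= f.ts < end}


def compare_rights(actual, acl, assets):
    """S30: pick the ACL entries for these assets (theoretical rights) and
    split actual use into 'same as theoretical' and 'different'."""
    theoretical = {r for r in acl if r[0] in assets}
    return {"same": actual & theoretical, "different": actual - theoretical}


def exposure_surface(comparison):
    """S40: rights matching the ACL form the safe exposure surface; the rest
    form the risk exposure surface."""
    return {"safe": sorted(comparison["same"]),
            "risk": sorted(comparison["different"])}


def determine_exposure(flows=FLOWS, acl=ACL_ALLOW, cidr="10.110.17.0/24",
                       start=T0, window=timedelta(days=30)):
    """Run S10-S40 end to end and return the two exposure surfaces."""
    assets = discover_assets(flows, cidr)
    actual = actual_rights(flows, assets, start, window)
    return exposure_surface(compare_rights(actual, acl, assets))


if __name__ == "__main__":
    for kind, triples in determine_exposure().items():
        print(kind, triples)
```

Running `determine_exposure()` reports ports 20 and 80 on 10.110.17.5 as the safe exposure surface and port 21 as the risk exposure surface, mirroring the web and FTP examples in the text; 10.110.17.9 is discovered as an asset, but its only traffic falls outside the window, so it contributes no actual-use permission.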
Referring to fig. 3, fig. 3 is a flowchart illustrating a second embodiment of an asset exposure surface determination method according to the present invention.
Based on the first embodiment, the asset exposure surface determination method of the present embodiment further includes, before the step S40:
Step S31: acquiring a traffic log and an access control log within the preset time.
It should be noted that the traffic log is the traffic log recorded by the firewall and includes: the source address, source port, destination address, destination port, protocol and so on both before and after network address translation, from which the mapping between the data-flow information and the actual NAT (Network Address Translation) can be understood; the reason a session was closed can also be seen, and combining the session-close field with the fields for the numbers of received and transmitted packets allows the actual interaction of the data flow to be analyzed further. This gives network operators sufficient information when they perform network diagnosis, policy sorting and abnormal-traffic handling.
It should be noted that the access control log includes: the five-tuple information of the packets that were passed and of the packets that were discarded when the access control list filtered them, and the preset policy of the access control list that was hit. The preset policy is generally configured in the firewall in advance so that network operators can filter the data flowing through the router on the basis of specific rules. For example: all data accessing TCP (Transmission Control Protocol) port 23 of the target IP asset is filtered, i.e. all packets accessing port 23 of the target IP asset are discarded.
Step S32: acquiring mutual-access data of the target IP asset and the user equipment.
It will be appreciated that the mutual-access data is the record of information about the user equipment's interactions with the target IP asset, and includes the IP addresses of the user equipment and of the target IP asset, the time of the interaction, and so on. For example: user equipment with IP address 55.146.67.80 interacted with the target IP asset with IP address 1.10.21.13 on 1 October 2020.
It should be noted that the firewall may continuously analyze the passing traffic data and store the mutual-access data for a long period, for example one year.
Step S33: generating a mutual-access relationship graph of the target IP asset according to the traffic log, the access control log and the mutual-access data.
Further, generating the mutual-access relationship graph of the target IP asset according to the traffic log, the access control log and the mutual-access data includes: generating a log analysis result according to the traffic log and the access control log; determining, according to the log analysis result, interaction information between the user equipment and the target IP asset; recording the interaction information into an asset analysis form; obtaining the mutual-access relationship between the user equipment and the target IP asset according to the asset analysis form and the mutual-access data; and generating the mutual-access relationship graph according to the mutual-access relationship.
It should be noted that a log analysis result can be obtained from the five-tuple information, time information and so on in the traffic log and the access control log; the log analysis result determines the interaction information between the user equipment and the target IP asset, and because the interaction information obtained from the log analysis result and the mutual-access data complement each other, a more complete mutual-access relationship between the user equipment and the target IP asset is obtained.
It will be appreciated that the asset analysis form contains not only the interaction information but also information such as the services and applications of the target IP asset and how they are used, from which the detailed usage of the target IP asset can be derived.
It should be understood that the mutual-access relationship graph is a visualization of the mutual-access relationship. It displays the interaction information between the user equipment and the target IP asset more clearly, so exposure surfaces such as offline assets can be identified, assets that have been offline for a long time can also be found, and network operation and maintenance staff can conveniently check and optimize the assets.
Step S34: determining the asset exposure surface of the target IP asset according to the comparison result, which includes: determining the asset exposure surface of the target IP asset according to the comparison result and the mutual-access relationship graph.
It should be noted that, according to the permission comparison result and the mutual-access relationship graph, the asset exposure surface can be obtained more comprehensively, for example: open websites, systems, applications, services and APP interfaces, offline assets, ports opened too widely, and so on.
In this embodiment, the traffic log and the access control log within the preset time are acquired; the mutual-access data of the target IP asset and the user equipment is acquired; the mutual-access relationship graph of the target IP asset is generated according to the traffic log, the access control log and the mutual-access data; and determining the asset exposure surface of the target IP asset according to the comparison result includes determining it according to the comparison result and the mutual-access relationship graph. By analyzing assets from multiple dimensions, the state of the asset exposure surface is obtained more comprehensively, network operation and maintenance staff can manage assets more conveniently and effectively, and security problems are reduced.
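The second embodiment's graph construction, as an added illustration in Python that is not part of the patent or of Sangfor's products: constructed traffic-log and access-control-log lines (their column layout is an assumption), a constructed rule table standing in for the preset policies, and constructed long-term mutual-access data are merged into a device-to-asset adjacency, from which two of the exposure-surface findings named above are read off: assets offline for longer than a threshold and permitted ports with no observed use (ports opened too widely). All names here are this example's own.

```python
"""Mutual-access relationship graph from traffic log, ACL log and
mutual-access data (steps S31-S34).

Added illustration, not code from the patent or its assignee. The log line
layouts, the rule table and every name below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed traffic-log lines: time src dst dport proto action close-reason
TRAFFIC_LOG = """\
2020-10-01T09:00:00 55.146.67.80 1.10.21.13 80 tcp pass fin
2020-10-01T09:05:00 55.146.67.81 1.10.21.13 21 tcp pass rst
2020-10-03T11:00:00 55.146.67.80 1.10.21.13 80 tcp pass fin
2020-10-02T08:00:00 55.146.67.82 1.10.21.14 8080 tcp pass timeout
"""

# Constructed ACL-log lines: time src dst dport proto verdict rule-id
ACL_LOG = """\
2020-10-01T09:00:00 55.146.67.80 1.10.21.13 80 tcp permit r1
2020-10-01T10:00:00 55.146.67.83 1.10.21.13 23 tcp drop r9
"""

# Constructed preset policies (theoretical rights): rule id -> (asset, proto, port)
ACL_RULES = {
    "r1": ("1.10.21.13", "tcp", 80),
    "r2": ("1.10.21.13", "tcp", 443),  # permitted, never used in the logs
    "r3": ("1.10.21.14", "tcp", 8080),
    "r4": ("1.10.21.15", "tcp", 22),   # asset known only from long-term data
}

# Constructed long-term mutual-access data: (user device, asset, last interaction)
MUTUAL_ACCESS = [
    ("55.146.67.80", "1.10.21.13", datetime(2020, 10, 1)),
    ("55.146.67.84", "1.10.21.15", datetime(2020, 1, 15)),
]


def parse_log(text):
    """Split whitespace-separated log lines into dicts (assumed layout)."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, dport, proto, verdict, tail = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                     "port": int(dport), "proto": proto, "verdict": verdict,
                     "tail": tail})
    return rows


def build_graph(traffic_log, acl_log, mutual_access):
    """S33: adjacency device -> asset -> {services used, last seen}.
    Log analysis results and the mutual-access data complement each other."""
    graph = defaultdict(dict)

    def touch(device, asset, ts, service=None):
        node = graph[device].setdefault(asset, {"services": set(), "last_seen": ts})
        if service is not None:
            node["services"].add(service)
        node["last_seen"] = max(node["last_seen"], ts)

    for r in parse_log(traffic_log):
        if r["verdict"] == "pass":
            touch(r["src"], r["dst"], r["ts"], (r["proto"], r["port"]))
    for r in parse_log(acl_log):
        if r["verdict"] == "permit":  # dropped packets are not access
            touch(r["src"], r["dst"], r["ts"], (r["proto"], r["port"]))
    for device, asset, ts in mutual_access:
        touch(device, asset, ts)
    return graph


def last_seen_by_asset(graph):
    """Most recent interaction per asset across all devices."""
    last = {}
    for edges in graph.values():
        for asset, node in edges.items():
            last[asset] = max(last.get(asset, node["last_seen"]), node["last_seen"])
    return last


def offline_assets(graph, rules, now, max_idle):
    """Assets with no interaction for longer than max_idle (long-time offline)."""
    last = last_seen_by_asset(graph)
    known = {triple[0] for triple in rules.values()} | set(last)
    return sorted(a for a in known if a not in last or now - last[a] > max_idle)


def unused_rules(graph, rules):
    """Permitted (asset, proto, port) triples never observed in use:
    ports opened more widely than the traffic justifies."""
    used = {(asset, *svc) for edges in graph.values()
            for asset, node in edges.items() for svc in node["services"]}
    return sorted(rid for rid, triple in rules.items() if triple not in used)


def analyse(now=datetime(2020, 10, 5), max_idle=timedelta(days=90)):
    """Build the graph and return the edges plus both findings."""
    graph = build_graph(TRAFFIC_LOG, ACL_LOG, MUTUAL_ACCESS)
    edges = sorted((d, a, sorted(n["services"]))
                   for d, es in graph.items() for a, n in es.items())
    return {"edges": edges,
            "offline": offline_assets(graph, ACL_RULES, now, max_idle),
            "unused_rules": unused_rules(graph, ACL_RULES)}
```

With the sample data, 1.10.21.15 is reported offline (its last interaction is over 90 days old and comes only from the long-term data) and rules r2 and r4 are reported unused; the dropped port-23 entry in the ACL log is deliberately not counted as access.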
Referring to fig. 4, fig. 4 is a flowchart illustrating a third embodiment of an asset exposure surface determination method according to the present invention.
A third embodiment of the asset exposure surface determination method of the present invention is proposed on the basis of the first embodiment or the second embodiment, and further includes, after step S40:
Step S50: obtaining exposure surface information according to the asset exposure surface.
It will be appreciated that the exposure surface information includes information on both the safe exposure surface and the risk exposure surface, either of which may create a security problem for the asset. Exposure surface information includes, for example: the IP address and port number of the asset, actual use behavior that does not match the theoretical permission, and so on.
Step S60: and acquiring a preset strategy corresponding to the target IP asset in the access control list.
It should be noted that, the preset policies corresponding to the target IP asset include policies related to the target IP asset, for example, the IP address of the asset is 1.10.21.13, and the corresponding preset policies are: all data accessing the TCP protocol 23 port of 1.10.21.13 is filtered, i.e., all packets accessing the destination IP asset 23 port are discarded.
Step S70: generating an asset analysis report of the target IP asset according to the exposed surface information and the preset policy.
It should be appreciated that, based on the exposed surface information and the preset policy, the firewall can generate asset management suggestions and record them in the asset analysis report; network operation and maintenance personnel can then combine their actual conditions with the asset management suggestions to optimize the asset, for example by reducing the risk exposure surface or configuring more refined preset policies.
This embodiment obtains the exposed surface information according to the asset exposure surface; acquires the preset policy corresponding to the target IP asset in the access control list; and generates an asset analysis report of the target IP asset according to the exposed surface information and the preset policy. Generating the asset analysis report from the information related to the exposed surface of the asset makes it convenient for network management staff to manage the asset and improves the security of the asset.
In addition, an embodiment of the present invention further provides a storage medium on which an asset exposure surface determination program is stored; when executed by a processor, the asset exposure surface determination program implements the steps of the asset exposure surface determination method described above.
Referring to FIG. 4, FIG. 4 is a block diagram of a first embodiment of an asset exposure surface determination apparatus of the present invention.
As shown in fig. 4, the asset exposure surface determining apparatus according to the embodiment of the present invention includes:
the IP acquisition module 10 is used for acquiring a target IP address range and acquiring a target IP asset according to the target IP address range;
the permission acquisition module 20 is used for acquiring the actual use permission of the target IP asset according to the flow data in the preset time;
the permission comparison module 30 is configured to compare the actual usage permission with a theoretical permission in an access control list, so as to obtain a comparison result;
an exposure surface determination module 40, configured to determine an asset exposure surface of the target IP asset according to the comparison result.
The IP obtaining module 10 is further configured to obtain the target IP address range; determining each target IP address in the target IP address range; and detecting each target IP address respectively, and taking the target IP address with detection feedback as a target IP asset.
The permission obtaining module 20 is further configured to obtain flow data within the preset time; according to the flow data, determining the interaction behavior of the target IP asset and the user equipment within a preset time; and determining the actual use permission of the target IP asset according to the interaction behavior.
The permission comparison module 30 is further configured to select a theoretical permission corresponding to the target IP asset from preset permissions in the access control list; comparing the actual use permission with the theoretical permission, and determining the same permission and different permission of the actual use permission with the theoretical permission; and taking the same authority and the different authorities as comparison results.
The exposure surface determination module 40 is further configured to obtain a flow log and an access control log within the preset time; acquire mutual access data of the target IP asset and the user equipment; generate a mutual access relation diagram of the target IP asset according to the flow log, the access control log and the mutual access data; and, in determining the asset exposure surface of the target IP asset according to the comparison result, determine the asset exposure surface of the target IP asset according to the comparison result and the mutual access relation diagram.
The exposure surface determination module 40 is further configured to generate a log analysis result according to the flow log and the access control log; determine interaction information of the user equipment and the target IP asset according to the log analysis result; record the interaction information into an asset analysis form; obtain a mutual access relationship between the user equipment and the target IP asset according to the asset analysis form and the mutual access data; and generate the mutual access relation diagram according to the mutual access relationship.
The exposure surface determination module 40 is further configured to obtain the exposed surface information according to the asset exposure surface; acquire a preset policy corresponding to the target IP asset in the access control list; and generate an asset analysis report of the target IP asset according to the exposed surface information and the preset policy.
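Modules 20 to 40 and steps S50 to S70 above, worked through as an added example that is not part of the patent: the permission model (user equipment IP, protocol, destination port), the safe/risk classification, the adjacency-map layout of the mutual access relation diagram, and the constructed flow data, access control log and access control list are all assumptions.

```python
from collections import Counter

# Constructed sample flow data observed at the firewall within the preset time:
# (user_equipment_ip, target_ip, protocol, destination_port)
FLOW_DATA = [
    ("10.0.0.5", "1.10.21.13", "tcp", 22),
    ("10.0.0.5", "1.10.21.13", "tcp", 22),
    ("10.0.0.7", "1.10.21.13", "tcp", 23),
    ("10.0.0.9", "1.10.21.13", "tcp", 443),
    ("10.0.0.9", "1.10.21.14", "tcp", 80),
]

# Constructed access control log: (user_equipment_ip, target_ip, protocol, port, action)
ACCESS_CONTROL_LOG = [
    ("10.0.0.7", "1.10.21.13", "tcp", 23, "deny"),
]

# Constructed access control list: the theoretical permission of each target asset,
# modelled (an assumption) as the set of allowed (user_equipment_ip, protocol, port).
ACL = {
    "1.10.21.13": {("10.0.0.5", "tcp", 22), ("10.0.0.9", "tcp", 443), ("10.0.0.9", "tcp", 8443)},
    "1.10.21.14": {("10.0.0.9", "tcp", 80)},
}

# Constructed preset policies keyed by target asset (the page's own example policy).
PRESET_POLICIES = {"1.10.21.13": ["discard all packets to TCP port 23 of 1.10.21.13"]}

def actual_use_permission(flow_data, target):
    """Step S20: the interaction behaviour observed toward the target is its actual use permission."""
    return {(src, proto, port) for src, dst, proto, port in flow_data if dst == target}

def compare_permission(actual, theoretical):
    """Step S30: the same permissions and the different permissions form the comparison result."""
    return {"same": actual & theoretical, "different": actual ^ theoretical}

def mutual_access_graph(flow_data, access_control_log, target):
    """Mutual access relation diagram as an adjacency map: each edge user_equipment -> target
    carries the observed flow count and the firewall action taken from the access control log."""
    denied = {(s, d, p, port) for s, d, p, port, act in access_control_log if act == "deny"}
    counts = Counter((src, proto, port) for src, dst, proto, port in flow_data if dst == target)
    return {(src, proto, port): {"count": n,
                                 "action": "deny" if (src, target, proto, port) in denied else "allow"}
            for (src, proto, port), n in counts.items()}

def asset_exposure_surface(comparison, graph, theoretical):
    """Step S40 (the classification is an assumption): actual use that matches the ACL is the
    safe exposure surface; actual use absent from the ACL is the risk exposure surface;
    permitted-but-unused entries are listed separately so the operator can tighten the ACL."""
    used = set(graph)
    different = comparison["different"]
    return {
        "safe": sorted(comparison["same"]),
        "risk": sorted(p for p in different if p in used),
        "unused_permitted": sorted(p for p in different if p in theoretical and p not in used),
    }

def asset_analysis_report(flow_data, access_control_log, acl, policies, target):
    """Steps S50-S70: exposed surface information plus the preset policies for the target."""
    theoretical = acl.get(target, set())
    comparison = compare_permission(actual_use_permission(flow_data, target), theoretical)
    graph = mutual_access_graph(flow_data, access_control_log, target)
    return {"asset": target,
            "exposure_surface": asset_exposure_surface(comparison, graph, theoretical),
            "mutual_access": graph,
            "preset_policies": policies.get(target, [])}

if __name__ == "__main__":
    print(asset_analysis_report(FLOW_DATA, ACCESS_CONTROL_LOG, ACL, PRESET_POLICIES, "1.10.21.13"))
```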
It should be understood that the foregoing is illustrative only and is not limiting, and that in specific applications, those skilled in the art may set the invention as desired, and the invention is not limited thereto.
This embodiment obtains a target IP address range and obtains a target IP asset according to that range; obtains the actual use permission of the target IP asset according to the flow data within the preset time; compares the actual use permission with the theoretical permission in the access control list to obtain a comparison result; and determines the asset exposure surface of the target IP asset according to the comparison result. The target IP address range is used to determine the target IP asset, the flow passing through the firewall is analyzed to obtain the actual use permission of the target IP asset, the actual use permission is compared with the theoretical permission, and the exposed surface of the target IP asset is determined; this helps network operation and maintenance personnel manage and control the exposed surface and greatly improves the security of the target IP asset.
It should be noted that the above-described working procedure is merely illustrative, and does not limit the scope of the present invention, and in practical application, a person skilled in the art may select part or all of them according to actual needs to achieve the purpose of the embodiment, which is not limited herein.
In addition, technical details that are not described in detail in this embodiment may refer to the method for determining the exposed surface of the asset provided in any embodiment of the present invention, which is not described herein.
Furthermore, it should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, although in many cases the former is the preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially, or in the part contributing to the prior art, in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) and including several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (8)

1. An asset exposure face determination method, wherein an execution subject of the asset exposure face determination method is a firewall, the asset exposure face determination method comprising:
acquiring a target IP address range, and acquiring a target IP asset according to the target IP address range;
obtaining the actual use permission of the target IP asset according to the flow data in the preset time;
comparing the actual use permission with the theoretical permission in the access control list to obtain a comparison result;
determining an asset exposure face of the target IP asset according to the comparison result;
the obtaining the actual use permission of the target IP asset according to the flow data in the preset time comprises the following steps:
acquiring flow data in the preset time;
according to the flow data, determining the interaction behavior of the target IP asset and the user equipment within a preset time;
determining the actual use authority of the target IP asset according to the interaction behavior;
before determining the asset exposure surface of the target IP asset according to the comparison result, the method further comprises:
acquiring a flow log and an access control log within the preset time;
acquiring mutual access data of the target IP asset and the user equipment;
generating a mutual access relation diagram of the target IP asset according to the flow log, the access control log and the mutual access data;
and the determining an asset exposure surface of the target IP asset according to the comparison result comprises:
determining the asset exposure surface of the target IP asset according to the comparison result and the mutual access relation diagram.
2. The asset exposure surface determination method of claim 1, wherein the acquiring a target IP address range and acquiring a target IP asset according to the target IP address range comprises:
acquiring the target IP address range;
determining each target IP address in the target IP address range;
and detecting each target IP address respectively, and taking the target IP address with detection feedback as a target IP asset.
3. The method of claim 1, wherein comparing the actual usage rights with theoretical rights in an access control list to obtain a comparison result comprises:
selecting a theoretical authority corresponding to the target IP asset in the preset authorities of the access control list;
comparing the actual use permission with the theoretical permission, and determining the same permission and different permission of the actual use permission with the theoretical permission;
and taking the same authority and the different authorities as comparison results.
4. The asset exposure surface determination method of claim 1, wherein the generating a mutual access relation diagram of the target IP asset according to the flow log, the access control log and the mutual access data comprises:
generating a log analysis result according to the flow log and the access control log;
according to the log analysis result, determining interaction information of the user equipment and the target IP asset;
recording the interaction information into an asset analysis form;
obtaining a mutual access relationship between the user equipment and the target IP asset according to the asset analysis form and the mutual access data;
and generating the mutual access relation diagram according to the mutual access relationship.
5. The asset exposure surface determination method according to any one of claims 1 to 4, wherein, after determining the asset exposure surface of the target IP asset according to the comparison result, the method further comprises:
obtaining exposed surface information according to the asset exposure surface;
acquiring a preset policy corresponding to the target IP asset in the access control list;
and generating an asset analysis report of the target IP asset according to the exposed surface information and the preset policy.
6. An asset exposure face determination apparatus, wherein the asset exposure face determination apparatus is a firewall, the asset exposure face determination apparatus comprising:
the IP acquisition module is used for acquiring a target IP address range and acquiring a target IP asset according to the target IP address range;
the permission acquisition module is used for acquiring the actual use permission of the target IP asset according to the flow data in the preset time;
the permission comparison module is used for comparing the actual use permission with the theoretical permission in the access control list to obtain a comparison result;
the exposure face determining module is used for determining an asset exposure face of the target IP asset according to the comparison result;
the permission acquisition module is also used for acquiring flow data in the preset time; according to the flow data, determining the interaction behavior of the target IP asset and the user equipment within a preset time; determining the actual use authority of the target IP asset according to the interaction behavior;
the exposure surface determining module is further used for acquiring a flow log and an access control log within the preset time; acquiring mutual access data of the target IP asset and the user equipment; generating a mutual access relation diagram of the target IP asset according to the flow log, the access control log and the mutual access data; and determining the asset exposure surface of the target IP asset according to the comparison result and the mutual access relation diagram.
7. A firewall, said firewall comprising: a memory, a processor, and an asset exposure surface determination program stored on the memory and executable on the processor, the asset exposure surface determination program configured to implement the steps of the asset exposure surface determination method of any of claims 1 to 5.
8. A storage medium having stored thereon an asset exposure surface determination program which when executed by a processor performs the steps of the asset exposure surface determination method of any one of claims 1 to 5.
CN202011515402.7A 2020-12-18 2020-12-18 Asset exposure surface determination method, device, firewall and storage medium Active CN112565287B (en)

Publications (2)

Publication Number Publication Date
CN112565287A CN112565287A (en) 2021-03-26
CN112565287B true CN112565287B (en) 2023-05-12
