CN112738114B - Configuration method of network security policy - Google Patents

Configuration method of network security policy

Info

Publication number
CN112738114B
CN112738114B (application CN202011626889.6A)
Authority
CN
China
Prior art keywords
network
policy
strategy
network object
network security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011626889.6A
Other languages
Chinese (zh)
Other versions
CN112738114A (en)
Inventor
杨雪皎
向上文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan XW Bank Co Ltd
Original Assignee
Sichuan XW Bank Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sichuan XW Bank Co Ltd
Priority to CN202011626889.6A
Publication of CN112738114A
Application granted
Publication of CN112738114B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Abstract

The invention discloses a configuration method for network security policies in which each policy is configured according to its action. If the action is permit, the method first determines whether the source network object and the destination network object of the policy belong to the same network area; if they do, the policy is configured on the corresponding network security device. If they do not, a detailed policy is configured on the network security device where the source network object is located, while a loose policy configured on the network security device where the destination network object is located releases access from the IPs of all internal network segments to the network segment governed by that device. If the action is deny, the policy is configured only on the network security device where the source network object is located. By configuring the security devices involved in each network security policy under a single unified principle, the invention substantially reduces the number of policies without lowering protection capability at all, which simplifies subsequent management and improves working efficiency.

Description

Configuration method of network security policy
Technical Field
The invention relates to the technical field of network information security, in particular to a configuration method of a network security policy.
Background
With the rapid development of the internet, malicious behaviour on networks keeps increasing. The network security policy is the primary means of network security protection: it maintains the security of the network system and protects network resources from unauthorized access. An enterprise or public institution can divide its internal network into different network areas, and the relevant network security regulations require network security devices to be deployed at the boundaries of those areas for protection, where the network security policy plays the most basic protective role.
Existing methods of configuring network security policies generally fall into two types. The first configures by large network segment; its advantages are simple policies, a small number of them, infrequent changes and convenient later maintenance and management, while its disadvantage is that protection at the granularity of a network segment is relatively coarse, which directly reduces the protective capability of the policy. The second configures by individual IP; it is configured on demand and its protection is strong, but it produces a large number of policies, and because they are configured as needed, maintenance staff must change the policy configuration frequently in scenarios where the access relationships of system applications change rapidly, so operation is cumbersome and later maintenance and management is troublesome.
Disclosure of Invention
The invention aims to provide a configuration method for network security policies that solves the problem that existing configuration methods cannot combine strong protection capability with convenient operation, maintenance and management.
To achieve this, the technical scheme adopted by the invention is as follows.
A configuration method of network security policies comprises the following steps:
(1) Preprocessing all network security policies to be configured; each network security policy comprises a source network object, a destination network object, a port and an action.
(2) After preprocessing, configuring each policy according to its action. If the action is permit, first determining whether the source network object and the destination network object of the policy belong to the same network area; if so, configuring the policy on the corresponding network security device; if not, executing step (3). If the action is deny, configuring the policy only on the network security device where the source network object is located, and not configuring it on the network security device where the destination network object is located.
(3) Configuring a detailed network security policy on the network security device where the source network object is located, while a loose policy configured on the network security device where the destination network object is located releases access from the IPs of all internal network segments to the network segment governed by that device.
(4) Repeating steps (1) to (3) in a loop.
Further, when each policy is configured, the larger the policy ID, the higher its priority.
Specifically, the preprocessing in step (1) proceeds as follows:
(a) Analysing the IPs contained in the source network object and the IPs contained in the destination network object of the network security policy;
(b) If the IPs in the source network object all belong to one network area and the IPs in the destination network object all belong to one network area, executing step (2); otherwise, processing the policy according to the network areas its IPs belong to and then executing step (2), specifically as follows:
case 1: if the IPs of the source network object belong to one network area but the IPs of the destination network object do not, splitting the policy by the network areas to which the destination IPs belong;
case 2: if the IPs of the destination network object belong to one network area (but those of the source network object do not), splitting the policy by the network areas to which the source IPs belong;
case 3: if neither the IPs of the source network object nor the IPs of the destination network object belong to one network area, first splitting the original policy by the network areas of the source IPs, which yields policies in the situation of case 1, and then splitting those again according to case 1; or first splitting the original policy by the network areas of the destination IPs, which yields policies in the situation of case 2, and then splitting those again according to case 2.
Compared with the prior art, the invention has the following beneficial effects:
when configuring a network security policy, the invention considers the configuration of every network security device associated with that policy, that is, the security devices involved in a policy are configured under one unified principle (strict out, loose in). The invention therefore not only ensures that the policies are effective but also greatly reduces their number (tests show that up to half of the network security policy configuration items can be eliminated), without lowering protection capability at all, laying a good foundation for subsequent management of the policies and for optimizing working efficiency.
Drawings
FIG. 1 is a schematic flow chart of the present invention.
Detailed Description
The invention discloses a configuration method for network security policies. Its core idea is to analyse the network security devices involved in each policy and then preprocess and configure all the policies under the 'strict out, loose in' principle; the specific flow is shown in FIG. 1.
First, all network security policies to be configured are preprocessed; each network security policy includes a source network object, a destination network object, a port and an action.
The purpose of preprocessing is to make the IPs in the source network object and the IPs in the destination network object each belong to a single network area. The IPs contained in the source network object and in the destination network object of the policy are analysed and then processed according to the network areas they belong to, as follows:
case 1: if the IPs of the source network object belong to one network area but the IPs of the destination network object do not, the policy is split by the network areas to which the destination IPs belong;
case 2: if the IPs of the destination network object belong to one network area (but those of the source network object do not), the policy is split by the network areas to which the source IPs belong;
case 3: if neither the IPs of the source network object nor the IPs of the destination network object belong to one network area, the original policy is first split by the network areas of the source IPs, which yields policies in the situation of case 1, and those are then split again according to case 1; or the original policy is first split by the network areas of the destination IPs, which yields policies in the situation of case 2, and those are then split again according to case 2;
case 4: if the IPs in the source network object belong to one network area and the IPs in the destination network object belong to one network area, no processing is needed.
Then each policy is configured according to its action. If the action is permit, it is determined whether the source network object and the destination network object of the policy belong to the same network area; if so, the policy is configured on the corresponding network security device. If not, a detailed network security policy is configured on the network security device (for example, a firewall) where the source network object is located, and at the same time a loose policy is configured on the network security device where the destination network object is located, releasing access from the IPs of all internal network segments to the network segment governed by that device.
If the action is deny, the policy is configured only on the network security device where the source network object is located and is not configured on the network security device where the destination network object is located.
The invention is further illustrated by the following example, to which it is not limited.
Examples
The scheme extends to any number of firewalls; it is illustrated here with three.
Assume that firewall F1 governs the network area 1.1.0.0/16, firewall F2 governs 1.2.0.0/16 and firewall F3 governs 1.3.0.0/16.
According to the service scenario, the following network security policies need to be configured:
(1) permit src host 1.1.1.1/31 to dst host 1.1.2.1 tcp port 3306
(2) permit src host 1.1.2.1 to dst host 1.2.2.1 tcp port 3306
(3) deny src host 1.1.1.1 to dst host 1.1.3.1 tcp port 443
(4) permit src host 1.2.1.1 and 1.3.1.1 to host 1.2.10.1 tcp port 22
Initially, the three firewalls are configured with default deny policies, as shown in Table 1:
TABLE 1 (image not reproduced)
For the first policy, the source network object and the destination network object are both behind firewall F1, so the policy is configured directly on F1, alongside the default deny policy. After configuration, the network security policy on F1 is as shown in Table 2:
TABLE 2 (image not reproduced)
For the second policy, the source network object and the destination network object are behind firewalls F1 and F2 respectively and the action is permit, so a detailed policy is configured on F1, where the source network object is located, and a loose policy is configured on F2, where the destination network object is located. The policies on F1 and F2 after configuration are shown in Table 3:
TABLE 3 (image not reproduced)
For the third policy, the source network object and the destination network object are behind firewalls F1 and F3 respectively and the action is deny, so a deny policy for the detailed IPs is configured on F1 and nothing is configured on F3. The result after configuration is shown in Table 4:
TABLE 4 (image not reproduced)
For the fourth policy, the IPs in the source network object do not belong to the same firewall, so preprocessing splits it into two policies, 4.1 and 4.2:
4.1: permit src host 1.2.1.1 to host 1.2.10.1 tcp port 22
4.2: permit src host 1.3.1.1 to host 1.2.10.1 tcp port 22
For 4.1, the source network object and the destination network object belong to the same firewall F2, so the policy only needs to be configured on F2 as written in 4.1;
for 4.2, the source network object and the destination network object do not belong to the same firewall, so it is sufficient to configure a detailed policy on F3, where the source network object is located, and a loose policy on F2, where the destination network object is located. The completed configuration is shown in Table 5:
TABLE 5 (image not reproduced)
In this embodiment, the larger the policy ID, the higher its priority.
Through this design, the configuration of network security policies combines strong protection capability with convenient operation and maintenance management, and lays a good foundation for subsequent management of the policies and for optimizing working efficiency. The scheme appears simple but is in fact not easy to arrive at; only through deep study of network security characteristics, combining practice with theory, can the limitations of the prior art be broken through by the simplest and most effective means, so as to maximize the effect. Compared with the prior art, the invention therefore has outstanding substantive features and represents notable progress.
The above embodiment is only a preferred embodiment of the invention and should not be construed as limiting its scope; all changes that come within the meaning and range of equivalency of the claims are intended to be embraced therein.

Claims (3)

1. A configuration method of network security policies, characterized by comprising the following steps:
(1) Preprocessing all network security policies to be configured; each network security policy comprises a source network object, a destination network object, a port and an action;
(2) After preprocessing, configuring each policy according to its action: if the action is permit, first determining whether the source network object and the destination network object of the policy belong to the same network area; if so, configuring the policy on the corresponding network security device; if not, executing step (3); if the action is deny, configuring the policy only on the network security device where the source network object is located, and not configuring it on the network security device where the destination network object is located;
(3) Configuring a detailed policy on the network security device where the source network object is located, while a loose policy configured on the network security device where the destination network object is located releases access from the IPs of all internal network segments to the network segment governed by that device;
(4) Repeating steps (1) to (3) in a loop.
2. The method of claim 1, wherein, when each policy is configured, the larger the policy ID, the higher its priority.
3. The method for configuring network security policies according to claim 1 or 2, wherein the preprocessing in step (1) is performed as follows:
(a) Analysing the IPs contained in the source network object and the IPs contained in the destination network object of the network security policy;
(b) If the IPs in the source network object all belong to one network area and the IPs in the destination network object all belong to one network area, executing step (2); otherwise, processing the policy according to the network areas its IPs belong to and then executing step (2), specifically as follows:
case 1: if the IPs of the source network object belong to one network area but the IPs of the destination network object do not, splitting the policy by the network areas to which the destination IPs belong;
case 2: if the IPs of the destination network object belong to one network area (but those of the source network object do not), splitting the policy by the network areas to which the source IPs belong;
case 3: if neither the IPs of the source network object nor the IPs of the destination network object belong to one network area, first splitting the original policy by the network areas of the source IPs, which yields policies in the situation of case 1, and then splitting those again according to case 1; or first splitting the original policy by the network areas of the destination IPs, which yields policies in the situation of case 2, and then splitting those again according to case 2.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011626889.6A CN112738114B (en) 2020-12-31 2020-12-31 Configuration method of network security policy


Publications (2)

Publication Number Publication Date
CN112738114A CN112738114A (en) 2021-04-30
CN112738114B true CN112738114B (en) 2023-04-07

Family

ID=75609756


Country Status (1)

Country Link
CN (1) CN112738114B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008219150A (en) * 2007-02-28 2008-09-18 Hitachi Ltd Mobile communication system, gateway device and mobile terminal
WO2008127124A2 (en) * 2007-04-16 2008-10-23 Kubekit As Method and apparatus for verification of information access in ict- systems having multiple security dimensions and multiple security levels
CN102210158A (en) * 2008-12-24 2011-10-05 Lg电子株式会社 An iptv receiver and method for controlling an application in the iptv receiver
CN102362283A (en) * 2008-12-05 2012-02-22 社会传播公司 Managing interactions in a network communications environment
CN102725748A (en) * 2010-01-26 2012-10-10 社会传播公司 Web browser interface for spatial communication environments
CN104901960A (en) * 2015-05-26 2015-09-09 汉柏科技有限公司 Device and method for network security management based on alarm strategy
CN105099730A (en) * 2014-04-23 2015-11-25 北京奇虎科技有限公司 Terminal equipment and network flow calculation method and system based on terminal equipment
CN109413088A (en) * 2018-11-19 2019-03-01 中国科学院信息工程研究所 Threat Disposal Strategies decomposition method and system in a kind of network
CN111163062A (en) * 2019-12-12 2020-05-15 之江实验室 Multi-network address hopping security defense method for cross fire attack
CN111935186A (en) * 2020-10-09 2020-11-13 四川新网银行股份有限公司 Optimization method of network security policy

Family Cites Families (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6735701B1 (en) * 1998-06-25 2004-05-11 Macarthur Investments, Llc Network policy management and effectiveness system
CN100359889C (en) * 2004-10-29 2008-01-02 江苏南大苏富特软件股份有限公司 Policy tree based packet filtering and management method
US8370819B2 (en) * 2005-03-25 2013-02-05 Microsoft Corporation Mechanism to store information describing a virtual machine in a virtual disk image
CN100596351C (en) * 2006-04-26 2010-03-31 南京大学 Firewall method and system based on high-speed network data processing platform
CN101640614B (en) * 2009-09-03 2012-01-04 成都市华为赛门铁克科技有限公司 Method and device for configuring IPSEC security strategy
US20160345131A9 (en) * 2012-04-04 2016-11-24 Port Nexus Corporation Mobile device tracking monitoring system and device for enforcing organizational policies and no distracted driving protocols
US9313096B2 (en) * 2012-12-04 2016-04-12 International Business Machines Corporation Object oriented networks
CN105991562B (en) * 2015-02-05 2019-07-23 华为技术有限公司 IPSec accelerated method, apparatus and system
CN104811437B (en) * 2015-03-16 2017-12-22 南京麦伦思科技有限公司 A kind of system and method that security strategy is generated in industrial control network
CN105049347B (en) * 2015-09-01 2018-02-06 重庆邮电大学 A kind of DTN method for routing based on community network task distribution model
CN106789873B (en) * 2016-11-11 2020-09-01 国家电网公司 Inspection method for level protection safety boundary
CN108667776B (en) * 2017-03-31 2022-02-22 中兴通讯股份有限公司 Network service diagnosis method
WO2019005511A1 (en) * 2017-06-29 2019-01-03 Amazon Technologies, Inc. Security policy analyzer service and satisfiability engine
CN107948205B (en) * 2017-12-31 2020-10-27 中国移动通信集团江苏有限公司 Firewall strategy generation method, device, equipment and medium
CN110719256A (en) * 2019-09-04 2020-01-21 贵阳忆联网络有限公司 IP fragment attack defense method and device and network attack defense equipment
CN111368095B (en) * 2020-02-28 2022-08-26 河海大学 Decision support system architecture and method based on water conservancy knowledge-affair coupling network
CN111147528B (en) * 2020-04-03 2020-08-21 四川新网银行股份有限公司 Method for managing network security policy
CN111600912A (en) * 2020-07-22 2020-08-28 四川新网银行股份有限公司 Network security policy management system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant