CN112866214A - Firewall strategy issuing method and device, computer equipment and storage medium - Google Patents

Firewall strategy issuing method and device, computer equipment and storage medium Download PDF

Info

Publication number
CN112866214A
CN112866214A (application CN202110003901.6A)
Authority
CN
China
Prior art keywords
policy
firewall
target
strategy
issued
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110003901.6A
Other languages
Chinese (zh)
Inventor
戴儒锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Pinwei Software Co Ltd
Original Assignee
Guangzhou Pinwei Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Pinwei Software Co Ltd
Priority to CN202110003901.6A
Publication of CN112866214A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a firewall policy issuing method and device, computer equipment and a storage medium. The method comprises the following steps: acquiring a target policy to be issued; searching a preset static route table for the static route matching the destination address in the target policy, and querying the corresponding physical firewall from that static route; determining the routing table of each virtual firewall on the physical firewall; matching the source address and the destination address of the target policy against the routing table of each virtual firewall, and determining a first interface matched by the source address and a second interface matched by the destination address; and, when the first interface and the second interface matched in the routing table of the same virtual firewall differ, issuing the target policy to that virtual firewall.

Description

Firewall strategy issuing method and device, computer equipment and storage medium
Technical Field
The invention relates to the technical field of network security, in particular to a firewall policy issuing method, a firewall policy issuing device, computer equipment and a storage medium.
Background
A firewall is a hardware device for security management. It lets an enterprise build an isolating facility between its internal network and external networks so as to protect data and information, and by filtering unsafe services it can greatly improve the security of the internal network and reduce risk.
At present, the issuing of firewall policies is handled manually: a network administrator formulates the firewall policies according to the actual network requirements, consults the network topology from personal experience, assesses which firewall policies need to be executed on which firewalls, and processes the policies accordingly. However, as the network grows in scale and the number of external interfaces increases, issuing a firewall policy by manually locating the firewall leads to low processing efficiency and a high chance of error.
Disclosure of Invention
The invention aims to provide a firewall policy issuing method and device, computer equipment and a storage medium, so as to solve the problems of low efficiency and proneness to error in the existing practice of manually locating the firewall on which a firewall policy is to be issued.
In a first aspect, a method for issuing a firewall policy is provided, the method comprising:
acquiring a target policy to be issued;
searching a preset static route table for the static route matching the destination address in the target policy, and querying the corresponding physical firewall from that static route;
determining the routing table of each virtual firewall on the physical firewall;
matching the source address and the destination address in the target policy against the routing table of each virtual firewall, and determining a first interface matched by the source address and a second interface matched by the destination address;
and, when the first interface and the second interface matched in the routing table of the same virtual firewall differ, issuing the target policy to that virtual firewall.
Further, acquiring the target policy to be issued comprises:
obtaining a firewall policy list to be issued, the firewall policy list comprising at least one policy;
merging the addresses in the policies according to a preset address merging parameter to obtain the address set corresponding to the firewall policy list, the address merging parameter being either the source address or the destination address;
and splitting the address set corresponding to the firewall policy list into single addresses to obtain the target policy.
Further, searching the preset static route table for the static route matching the destination address in the target policy comprises:
looking up the destination address in the target policy in the static route table by longest mask matching, to obtain the static route matching the destination address in the target policy.
Further, searching the preset static route table for the static route matching the destination address in the target policy comprises:
converting the destination address in the target policy into a corresponding first integer value, and converting the destination address of each route in the static route table into a corresponding second integer value;
and matching the first integer value against each second integer value in turn, and determining the route corresponding to the maximum second integer value as the static route matching the destination address in the target policy.
Further, issuing the target policy to the virtual firewall comprises:
traversing the policy list of the virtual firewall, the policy list comprising at least one issued policy;
comparing the target policy with the currently traversed issued policy to obtain a comparison result;
when the comparison result indicates that the source address or the destination address in the target policy is contained in the currently traversed issued policy and the action type of that issued policy is deny, issuing the target policy to the virtual firewall;
when the comparison result indicates that the destination address in the target policy is contained in the currently traversed issued policy and the action type of that issued policy is accept, adding the source address in the target policy to the currently traversed issued policy;
and when neither the source address nor the destination address in the target policy is contained in any traversed issued policy, issuing the target policy to the virtual firewall.
Further, the method further comprises:
updating the target policy issued to the virtual firewall into the policy list of the virtual firewall.
Further, updating the target policy issued to the virtual firewall into the policy list of the virtual firewall comprises:
determining the issued policy in the policy list of the virtual firewall whose action type is deny, and adding the target policy in front of that issued policy whose action type is deny.
In a second aspect, a firewall policy issuing apparatus is provided, the apparatus comprising:
an acquisition module for acquiring a target policy to be issued;
a search module for searching a preset static route table for the static route matching the destination address in the target policy and querying the corresponding physical firewall from that static route;
a determining module for determining the routing table of each virtual firewall on the physical firewall;
a matching module for matching the source address and the destination address in the target policy against the routing table of each virtual firewall and determining a first interface matched by the source address and a second interface matched by the destination address;
and an issuing module for issuing the target policy to the virtual firewall when the first interface and the second interface matched in the routing table of the same virtual firewall differ.
Further, the acquisition module is specifically configured to:
obtain a firewall policy list to be issued, the firewall policy list comprising at least one policy;
merge the addresses in the policies according to a preset address merging parameter to obtain the address set corresponding to the firewall policy list, the address merging parameter being either the source address or the destination address;
and split the address set corresponding to the firewall policy list into single addresses to obtain the target policy.
Further, the search module is specifically configured to:
look up the destination address in the target policy in the static route table by longest mask matching, to obtain the static route matching the destination address in the target policy.
Further, the search module is specifically configured to:
convert the destination address in the target policy into a corresponding first integer value, and convert the destination address of each route in the static route table into a corresponding second integer value;
and match the first integer value against each second integer value in turn, and determine the route corresponding to the maximum second integer value as the static route matching the destination address in the target policy.
Further, the issuing module is specifically configured to:
traverse the policy list of the virtual firewall, the policy list comprising at least one issued policy;
compare the target policy with the currently traversed issued policy to obtain a comparison result;
when the comparison result indicates that the source address or the destination address in the target policy is contained in the currently traversed issued policy and the action type of that issued policy is deny, issue the target policy to the virtual firewall;
when the comparison result indicates that the destination address in the target policy is contained in the currently traversed issued policy and the action type of that issued policy is accept, add the source address in the target policy to the currently traversed issued policy;
and when neither the source address nor the destination address in the target policy is contained in any traversed issued policy, issue the target policy to the virtual firewall.
Further, the apparatus further comprises an update module, the update module being specifically configured to:
update the target policy issued to the virtual firewall into the policy list of the virtual firewall.
Further, the update module is specifically configured to:
determine the issued policy in the policy list of the virtual firewall whose action type is deny, and add the target policy in front of that issued policy whose action type is deny.
In a third aspect, a computer device is provided, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
acquiring a target policy to be issued;
searching a preset static route table for the static route matching the destination address in the target policy, and querying the corresponding physical firewall from that static route;
determining the routing table of each virtual firewall on the physical firewall;
matching the source address and the destination address in the target policy against the routing table of each virtual firewall, and determining a first interface matched by the source address and a second interface matched by the destination address;
and, when the first interface and the second interface matched in the routing table of the same virtual firewall differ, issuing the target policy to that virtual firewall.
In a fourth aspect, a computer readable storage medium is provided, on which a computer program is stored that, when executed by a processor, performs the following steps:
acquiring a target policy to be issued;
searching a preset static route table for the static route matching the destination address in the target policy, and querying the corresponding physical firewall from that static route;
determining the routing table of each virtual firewall on the physical firewall;
matching the source address and the destination address in the target policy against the routing table of each virtual firewall, and determining a first interface matched by the source address and a second interface matched by the destination address;
and, when the first interface and the second interface matched in the routing table of the same virtual firewall differ, issuing the target policy to that virtual firewall.
The embodiments of the invention provide a firewall policy issuing method and device, computer equipment and a storage medium. A target policy to be issued is acquired; a preset static route table is searched for the static route matching the destination address in the target policy, and the corresponding physical firewall is queried from that static route; the routing table of each virtual firewall on the physical firewall is determined; the source address and the destination address of the target policy are matched against the routing table of each virtual firewall, and a first interface matched by the source address and a second interface matched by the destination address are determined; and, when the first interface and the second interface matched in the routing table of the same virtual firewall differ, the target policy is issued to that virtual firewall.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic flowchart of a firewall policy issuing method according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a firewall policy issuing apparatus according to an embodiment of the present invention;
fig. 3 is an internal structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It is to be understood that, unless the context clearly requires otherwise, throughout the description and the claims, the words "comprise", "comprising", and the like are to be construed in an inclusive sense as opposed to an exclusive or exhaustive sense; that is, what is meant is "including, but not limited to".
Furthermore, in the description of the present invention, it is to be understood that the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. In addition, in the description of the present invention, "a plurality" means two or more unless otherwise specified.
As described in the background above, as the network grows in scale and the number of external interfaces increases, the prior-art practice of issuing a firewall policy by manually locating the firewall suffers from low processing efficiency and a high chance of error. The firewall policy issuing method described here therefore locates the firewall automatically and issues the firewall policy automatically, which improves the efficiency of policy issuing and reduces the error rate of the policy opening process.
In an embodiment, a firewall policy issuing method is provided. The method may be applied to a computer device, which may be implemented as a stand-alone server or as a server cluster formed by multiple servers. Referring to fig. 1, the firewall policy issuing method may specifically comprise the following steps:
101. Obtaining a target policy to be issued.
The target policy to be issued is a firewall policy to be issued. It comprises a source address, a destination address and an action type, the source address being a source IP address and the destination address a destination IP address. The target policy may further include port information, service information, validity time and the like.
The server may receive a firewall policy issuing request from the client, the request carrying the target policy to be issued. The user can configure the firewall policy to be issued on a policy issuing interface provided by the client, and the client sends the configured firewall policy to the server.
102. Finding, in a preset static route table, the static route matching the destination address in the target policy, and querying the corresponding physical firewall from that static route.
The static route table is preset with a destination address field, a mask and a static route (expressed as a gateway address). The destination address in the target policy is matched against the destination address fields of the static route table, the static route corresponding to the matched destination address field is taken as the static route matching the destination address in the target policy, and the corresponding physical firewall is queried by the route ID of that static route.
103. Determining the routing table of each virtual firewall on the physical firewall.
One or more virtual firewalls may run on each physical firewall. The routing table of each virtual firewall comprises the routing address information of that virtual firewall together with the interface corresponding to each entry, where the routing address information comprises the source addresses and destination addresses of the virtual firewall.
104. Matching the source address and the destination address in the target policy against the routing table of each virtual firewall, and determining a first interface matched by the source address and a second interface matched by the destination address.
Specifically, for each virtual firewall, the source address in the target policy is compared with the source addresses in the routing table of that virtual firewall; if they agree, the interface corresponding to that source address in the routing table is determined as the first interface matched by the source address of the target policy. Likewise, the destination address in the target policy is compared with the destination addresses in the routing table of the virtual firewall; if they agree, the interface corresponding to that destination address in the routing table is determined as the second interface matched by the destination address of the target policy.
105. When the first interface and the second interface matched in the routing table of the same virtual firewall differ, issuing the target policy to that virtual firewall.
Specifically, it is judged whether the first interface and the second interface matched in the routing table of the same virtual firewall are the same. If they are, the target policy to be issued does not pass through that virtual firewall; if they are not, the target policy is issued to that virtual firewall.
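Steps 102 to 105 as a runnable example. This is an added illustration, not code from the patent or its assignee: the static route table, the per-virtual-firewall routing tables, the interface names and the `Policy` type are constructed assumptions. Route lookup uses Python's standard `ipaddress` module with a longest-mask match; a policy whose destination has no static route is returned with no targets, and a virtual firewall in which the source and destination addresses both resolve to the same interface is skipped, as step 105 describes (addresses that match no entry at all are treated the same way, which is my assumption, since the page does not cover that case).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src: str      # source IP address
    dst: str      # destination IP address
    action: str   # "accept" or "deny"


# Constructed sample static route table (assumption, not from the patent):
# destination prefix -> (gateway address, physical firewall reached through it)
STATIC_ROUTES = {
    "10.0.0.0/8": ("10.0.0.1", "pfw-A"),
    "10.200.0.0/16": ("10.200.0.1", "pfw-B"),
    "192.168.0.0/16": ("192.168.0.1", "pfw-A"),
}

# Constructed routing tables of the virtual firewalls on each physical firewall:
# physical firewall -> {virtual firewall -> {prefix: interface}}
VFW_ROUTING_TABLES = {
    "pfw-B": {
        "vfw-1": {"10.200.10.0/24": "eth1", "192.168.1.0/24": "eth0"},
        "vfw-2": {"10.200.10.0/24": "eth2", "192.168.1.0/24": "eth2"},
    },
    "pfw-A": {
        "vfw-3": {"10.0.0.0/8": "eth0", "192.168.0.0/16": "eth1"},
    },
}


def longest_match(address, prefixes):
    """Longest-mask match of `address` against `prefixes`; None if no prefix contains it."""
    ip = ipaddress.ip_address(address)
    best = None
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


def find_physical_firewall(policy, static_routes=STATIC_ROUTES):
    """Step 102: the static route for the destination address names the physical firewall."""
    prefix = longest_match(policy.dst, static_routes)
    return static_routes[prefix][1] if prefix is not None else None


def interface_for(address, routing_table):
    """Interface of the routing-table entry that matches `address` (None if unmatched)."""
    prefix = longest_match(address, routing_table)
    return routing_table[prefix] if prefix is not None else None


def target_virtual_firewalls(policy, static_routes=STATIC_ROUTES,
                             vfw_tables=VFW_ROUTING_TABLES):
    """Steps 102-105: the virtual firewalls the policy has to be issued to."""
    pfw = find_physical_firewall(policy, static_routes)
    if pfw is None:
        return []  # no matching static route: the policy is left unprocessed
    targets = []
    for vfw, table in vfw_tables.get(pfw, {}).items():
        first = interface_for(policy.src, table)   # interface matched by the source
        second = interface_for(policy.dst, table)  # interface matched by the destination
        # Same ingress and egress interface: the flow never crosses this virtual
        # firewall. An unmatched address is treated the same way (assumption).
        if first is not None and second is not None and first != second:
            targets.append(vfw)
    return targets


if __name__ == "__main__":
    p = Policy(src="192.168.1.10", dst="10.200.10.22", action="accept")
    print(find_physical_firewall(p), target_virtual_firewalls(p))
```

With the sample tables, a policy from 192.168.1.10 to 10.200.10.22 is routed to pfw-B through the more specific 10.200.0.0/16 entry; on that firewall vfw-1 sees the two addresses on different interfaces and receives the policy, while vfw-2 reaches both through eth2 and is skipped.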
The embodiment of the invention thus provides a firewall policy issuing method in which a target policy to be issued is acquired; a preset static route table is searched for the static route matching the destination address in the target policy, and the corresponding physical firewall is queried from that static route; the routing table of each virtual firewall on the physical firewall is determined; the source address and the destination address of the target policy are matched against the routing table of each virtual firewall, and a first interface matched by the source address and a second interface matched by the destination address are determined; and, when the first interface and the second interface matched in the routing table of the same virtual firewall differ, the target policy is issued to that virtual firewall.
In an embodiment, obtaining the target policy to be issued in step 101 may comprise:
obtaining a firewall policy list to be issued, the firewall policy list comprising at least one policy;
merging the addresses in each policy according to a preset address merging parameter to obtain the address set corresponding to the firewall policy list, the address merging parameter being either the source address or the destination address;
and splitting the address set corresponding to the firewall policy list into single addresses to obtain the target policy, where the target policy is any one of the policies in the firewall policy list after the address set has been split.
Specifically, the client may generate a task for a firewall policy list to be issued and send one or more firewall policies to be issued to the server over an SSH remote connection or an API interface. Before issuing each received firewall policy, the server merges the addresses of the policies in the firewall policy list, using the source address or the destination address as the address merging parameter, to obtain the address set corresponding to the firewall policy list; it then splits that address set into individual addresses according to a splitting rule to obtain the target policies.
The splitting rule may include: if the address set corresponding to the firewall policy list consists of several separated source IP addresses (such as 168.1.3, 192.168.1.33 and 192.168.3.44), the firewall policy list is split into several IP lists; if the address set corresponding to the firewall policy list consists of several separated destination IP addresses, the firewall policy list is split into several destination IP addresses.
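The merge-then-split preprocessing of step 101 as an added example (not code from the patent): policies are plain dicts whose source field may carry several comma-separated addresses, the merging parameter is `"src"` or `"dst"`, and the sample policy list is constructed. Merging collects the addresses of all policies that agree on the remaining fields into one set, which also removes an address listed twice; splitting then emits one single-address target policy per element, which is the form the route lookup in step 102 consumes. The field that is not being merged is assumed to hold a single address.

```python
import ipaddress


def _addresses(field_value):
    """Split a comma-separated address field into a set of single addresses."""
    return {a.strip() for a in field_value.split(",") if a.strip()}


def merge_addresses(policy_list, merge_by="src"):
    """Merge the `merge_by` addresses of policies that agree on the other fields.

    Returns {(other address, port, action): set of merged addresses}.
    """
    other = "dst" if merge_by == "src" else "src"
    merged = {}
    for policy in policy_list:
        key = (policy[other], policy["port"], policy["action"])
        merged.setdefault(key, set()).update(_addresses(policy[merge_by]))
    return merged


def split_to_targets(merged, merge_by="src"):
    """Split every merged address set back into single-address target policies."""
    other = "dst" if merge_by == "src" else "src"
    targets = []
    for (other_addr, port, action), addrs in merged.items():
        # Sort numerically so the output order is stable and readable.
        for addr in sorted(addrs, key=ipaddress.ip_address):
            targets.append({merge_by: addr, other: other_addr,
                            "port": port, "action": action})
    return targets


def expand_policy_list(policy_list, merge_by="src"):
    """Step 101 preprocessing: merge by the chosen parameter, then split."""
    return split_to_targets(merge_addresses(policy_list, merge_by), merge_by)


# Constructed sample firewall policy list (assumption, not from the patent).
SAMPLE_POLICY_LIST = [
    {"src": "192.168.1.5, 192.168.1.33", "dst": "10.200.10.22", "port": 443, "action": "accept"},
    {"src": "192.168.3.44, 192.168.1.5", "dst": "10.200.10.22", "port": 443, "action": "accept"},
    {"src": "192.168.1.5", "dst": "10.200.10.55", "port": 22, "action": "accept"},
]

if __name__ == "__main__":
    for target in expand_policy_list(SAMPLE_POLICY_LIST):
        print(target)
```

The two policies towards 10.200.10.22 collapse into one address set of three sources (192.168.1.5 appears in both and is kept once), so the list expands to four single-address target policies rather than the five addresses written in the input.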
In one embodiment, finding the static route matching the destination address in the target policy in the preset static route table in step 102 may comprise:
looking up the destination address in the target policy in the static route table by longest mask matching, to obtain the static route matching the destination address in the target policy.
Specifically, the destination address in the target policy is matched against the static route table to determine which static route prefixes contain that destination address. Among the matching prefixes, the one with the longest mask is selected, and its route is the finally matched static route.
It will be appreciated that if the destination address in the target policy matches no static route in the static route table, the target policy is not processed.
In one embodiment, finding the static route matching the destination address in the target policy in the preset static route table in step 102 may comprise:
converting the destination address in the target policy into a corresponding first integer value, and converting the destination address of each route in the static route table into a corresponding second integer value;
and matching the first integer value against each second integer value in turn, and determining the route corresponding to the maximum second integer value as the static route matching the destination address in the target policy.
Specifically, the destination address in the target policy may be converted into a corresponding first integer value according to a preset conversion rule; for example, the IP address 10.200.10.22 is converted into 180881942 and the IP address 10.200.10.55 into 180881975. Similarly, the destination address (route dst) of each route in the static route table is converted into a corresponding second integer value. The first integer value is then matched against each second integer value, and the route corresponding to the largest matched second integer value is determined as the static route matching the destination address in the target policy.
It will be appreciated that if the destination address in the target policy matches no static route in the static route table, the target policy is not processed.
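The integer-based variant of step 102 as an added example (not the patent's own code). The conversion shown on the page is the usual dotted-quad to 32-bit big-endian integer mapping, and the code below reproduces its two figures (10.200.10.22 to 180881942, 10.200.10.55 to 180881975). A route "matches" when the destination integer masked by the route's mask equals the route's network integer; among matching routes the one with the largest network integer is chosen, which is the page's rule. Two routes can share a network integer while differing in mask length (10.0.0.0/8 and 10.0.0.0/16, for instance), so a longer mask is used as the tie-breaker; that tie-breaker is my addition. The sample route table is constructed.

```python
def ip_to_int(address):
    """Dotted-quad IPv4 address -> 32-bit integer, the conversion the page illustrates."""
    octets = address.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {address!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {address!r}")
        value = (value << 8) | n
    return value


def route_to_ints(prefix):
    """'10.200.0.0/16' -> (network integer, mask integer, prefix length)."""
    network, length = prefix.split("/")
    length = int(length)
    if not 0 <= length <= 32:
        raise ValueError(f"bad prefix length in {prefix!r}")
    mask = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF
    return ip_to_int(network) & mask, mask, length


def match_static_route(destination, static_routes):
    """Return the route (prefix string) matching `destination`, or None.

    A route matches when the masked destination equals the route's network
    integer; among matches the largest network integer wins, with a longer
    mask breaking ties (the tie-break is an addition to the page's rule).
    """
    first = ip_to_int(destination)          # the page's "first integer value"
    best, best_key = None, None
    for prefix in static_routes:
        net, mask, length = route_to_ints(prefix)   # "second integer value"
        if first & mask != net:
            continue                        # route does not contain the address
        key = (net, length)
        if best_key is None or key > best_key:
            best, best_key = prefix, key
    return best


# Constructed sample static route table (assumption, not from the patent).
SAMPLE_ROUTES = ["0.0.0.0/0", "10.0.0.0/8", "10.200.0.0/16", "10.200.10.0/24"]

if __name__ == "__main__":
    print(ip_to_int("10.200.10.22"), ip_to_int("10.200.10.55"))
    print(match_static_route("10.200.10.22", SAMPLE_ROUTES))
```

Selecting the largest matching network integer coincides with longest-mask matching because a more specific prefix that contains an address always has a network address greater than or equal to that of any less specific prefix containing the same address; the tie-breaker only matters when the two network addresses are equal.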
In one embodiment, the step 105 of issuing the target policy to the virtual firewall may include:
traversing a policy list of the virtual firewall, wherein the policy list comprises at least one issued policy;
comparing the target strategy with the currently traversed issued strategy to obtain a comparison result;
when the comparison result indicates that the source address or the destination address in the target strategy is contained in the currently traversed issued strategy and the action type in the issued strategy is refused, issuing the target strategy to the virtual firewall;
when the comparison result indicates that the destination address in the target strategy is contained in the currently traversed issued strategy and the action type in the issued strategy is allowable, adding the source address in the target strategy into the currently traversed issued strategy;
and when the source address and the destination address in the target strategy are not contained in each traversed issued strategy, issuing the target strategy to the virtual firewall.
The firewall policy of the virtual firewall may be composed of a quintuple and an action, where the quintuple includes: protocol, source IP address, source port, destination IP address, destination port. The action type can be an accept or a deny, the accept represents that the data packet of the strategy is released, and the deny represents that the data packet of the strategy is intercepted.
The policy list of the virtual firewall can be preset and stored in the redis, when the server issues a target policy to be issued to the virtual firewall, the server obtains the policy list of the virtual firewall from the redis, traverses all policies in the policy list of the virtual firewall, records a policy with a first action type of denial (deny), and moves all newly added policies to the front of the policy.
Specifically, the target policy to be issued is searched in the policy list of the virtual firewall to determine whether the target policy exists (is equal to or contained) in the policy list of the virtual firewall, or whether the source address or the target address in the target policy is contained by a certain policy in the policy list of the virtual firewall, that is, a part of the source address or the target address exists. If the action type of the traversed current strategy is accept, the target address in the target strategy to be issued is consistent with the target address in the traversed issued strategy, and the port in the target strategy to be issued is consistent with the port in the issued strategy, the issued strategy can be subjected to an apend address object operation according to the source address in the target strategy to be issued, and the strategy does not need to be re-established. If the source address in the target policy is contained in the currently traversed issued policy, and the action type of the issued policy is deny, it will be explained that a policy is to be added, and the policy ID of the issued policy is recorded. If the action is directly deny, the fact that the target address is deny means that a strategy needs to be added, and the strategy ID of the rejection strategy is recorded. If the source address in the target policy is contained in the issued policy traversed currently, and the action type of the issued policy is allowed (accept), which indicates that the target policy already exists in the policy list of the virtual firewall, the policy does not need to be created again.
In addition, the target policy is not processed against the currently traversed issued policy in any of the following cases:
the effective time limit of the target policy differs from that of the issued policy in the virtual firewall;
the state of the issued policy in the virtual firewall is unavailable;
the port of the target policy differs from the port of the issued policy in the virtual firewall;
the destination address of the target policy has no overlap with the destination address of the issued policy in the virtual firewall.
In this embodiment, the target policy is compared with each issued policy in the policy list of the virtual firewall, and the target policy is issued to the virtual firewall according to the comparison result. This avoids the policy conflicts that arise when virtual firewall policies are issued without such a check, avoids duplicate issuing, and improves the accuracy of firewall policy issuing.
In one embodiment, the method further comprises:
updating the policy list of the virtual firewall with the target policy that has been issued to it.
Specifically, the process may include:
determining the issued policy in the policy list of the virtual firewall whose action type is deny, and inserting the target policy in front of that deny policy.
Firewall policies are evaluated in order: the firewall checks the policies one by one from top to bottom. If a packet passing through the firewall hits a policy, the action of that policy is executed and the search stops; if the packet does not hit a policy, the search continues downward. The higher the priority of a policy, the higher it is placed in the list. Matching packets against accept-type policies first is therefore beneficial to the efficiency and performance of the firewall.
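The comparison and insertion logic described above, as an added example that is not part of the patent's text or of any product it describes: a target policy is reconciled against the virtual firewall's issued policy list in its top-to-bottom order. Issued policies whose effective time limit, state, port or destination range rule them out are skipped; an accept policy that already covers the target's source and destination means nothing is issued; an accept policy with the same destination and port receives the target's source as an appended address object; a deny policy covering the source or destination is recorded, and the target is inserted in front of the first deny policy so that first-match evaluation reaches it. The policy IDs, the `valid_until` and `enabled` field names and the sample policies are constructed for the example. Because a new accept policy is placed ahead of every deny, the function also returns the ID of the deny policy it overrides, which is the entry an operator should review before the policy goes live.

```python
"""Reconcile a target policy against a virtual firewall's issued policy list
(added example; field names and sample policies are assumptions, not the patent's)."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple


@dataclass
class Policy:
    policy_id: str
    action: str                        # "accept" or "deny"
    src: List[IPv4Network]
    dst: List[IPv4Network]
    port: str                          # e.g. "443"
    valid_until: Optional[str] = None  # effective time limit (assumed field)
    enabled: bool = True               # policy state on the virtual firewall (assumed field)


def net(cidr: str) -> IPv4Network:
    return ip_network(cidr, strict=False)


def covered(needle: IPv4Network, haystack: List[IPv4Network]) -> bool:
    """True when `needle` lies entirely inside some network of `haystack`."""
    return any(needle.subnet_of(h) for h in haystack)


def comparable(target: Policy, issued: Policy) -> bool:
    """The four conditions under which an issued policy is skipped: different
    effective time limit, unavailable state, different port, or a destination
    range that does not overlap the target's destination at all."""
    if issued.valid_until != target.valid_until or not issued.enabled:
        return False
    if issued.port != target.port:
        return False
    return any(d.subnet_of(h) or h.subnet_of(d)
               for d in target.dst for h in issued.dst)


def reconcile(target: Policy, policies: List[Policy]) -> Tuple[str, Optional[str], List[Policy]]:
    """Walk the issued list top-down and decide what to do with `target`.

    Returns (decision, overridden_deny_id, new_list), where decision is
    'exists'   - an accept policy already covers source and destination;
    'appended' - the source was added to an accept policy with the same destination and port;
    'issued'   - the target was inserted in front of the first deny policy.
    The caller's list is not modified; a copy is returned."""
    plist = [replace(p, src=list(p.src), dst=list(p.dst)) for p in policies]
    overridden = None
    for p in plist:
        if not comparable(target, p):
            continue
        src_in = all(covered(s, p.src) for s in target.src)
        dst_in = all(covered(d, p.dst) for d in target.dst)
        if p.action == "accept" and src_in and dst_in:
            return "exists", None, plist
        if p.action == "accept" and dst_in:
            # same destination and port: append the address object, no new policy
            p.src.extend(s for s in target.src if not covered(s, p.src))
            return "appended", None, plist
        if p.action == "deny" and (src_in or dst_in):
            overridden = p.policy_id  # this deny would otherwise catch the traffic
            break
    # new policies go in front of the first deny so first-match evaluation reaches them
    first_deny = next((i for i, p in enumerate(plist) if p.action == "deny"), len(plist))
    plist.insert(first_deny, target)
    return "issued", overridden, plist


def make_target(policy_id: str, src: str, dst: str, port: str) -> Policy:
    return Policy(policy_id, "accept", [net(src)], [net(dst)], port)


def sample_policies() -> List[Policy]:
    """Constructed issued list of one virtual firewall: one accept above one broad deny."""
    return [
        Policy("p1", "accept", [net("10.1.0.0/24")], [net("10.2.0.10/32")], "443"),
        Policy("p2", "deny", [net("10.1.0.0/16")], [net("10.2.0.0/16")], "443"),
    ]


if __name__ == "__main__":
    for t in (make_target("t1", "10.1.0.5/32", "10.2.0.10/32", "443"),
              make_target("t2", "10.3.0.5/32", "10.2.0.10/32", "443"),
              make_target("t3", "10.1.0.5/32", "10.2.0.20/32", "443")):
        decision, deny_id, result = reconcile(t, sample_policies())
        print(t.policy_id, decision, deny_id, [p.policy_id for p in result])
```

With the sample list, `t1` is already covered by `p1` and is reported as existing, `t2` is appended to `p1` as a new source address object, and `t3` lands between `p1` and `p2` with `p2` reported as the deny it now overrides.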
In one embodiment, a firewall policy issuing apparatus is provided. As shown in fig. 2, the apparatus includes:
an obtaining module 201, configured to obtain a target policy to be issued;
a searching module 202, configured to search a preset static routing table for a static route matching the destination address in the target policy, and to query the corresponding physical firewall according to that static route;
a determining module 203, configured to determine the routing table of each virtual firewall on the physical firewall;
a matching module 204, configured to match the source address and the destination address in the target policy against the routing table of each virtual firewall, and to determine the first interface matched by the source address and the second interface matched by the destination address;
an issuing module 205, configured to issue the target policy to a virtual firewall when the first interface and the second interface matched in that virtual firewall's routing table are different.
In one embodiment, the obtaining module 201 is specifically configured to:
obtain a firewall policy list to be issued, wherein the firewall policy list comprises at least one policy;
merge the addresses in each policy according to a preset address merging parameter to obtain an address set corresponding to the firewall policy list, wherein the address merging parameter is the source address or the destination address;
and split the address set corresponding to the firewall policy list into single addresses to obtain the target policies.
In one embodiment, the searching module 202 is specifically configured to:
search the static routing table for the destination address in the target policy by longest-mask matching, to obtain the static route matching the destination address in the target policy.
In another embodiment, the searching module 202 is specifically configured to:
convert the destination address in the target policy into a corresponding first integer value, and convert the destination address of each route in the static routing table into a corresponding second integer value;
and match the first integer value against each second integer value, taking the route whose second integer value is the largest as the static route matching the destination address in the target policy.
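An added example, not taken from the patent or from any product, of the route lookup and interface check that modules 202 to 205 perform, written with the Python `ipaddress` module. It implements the longest-mask match of claim 3 directly, and the integer-comparison variant of claim 4 under the interpretation that only routes covering the destination are compared, with the mask length as a tie-breaker (the claim does not mention one). `split_into_targets` is one reading of the single-address splitting done by module 201. The static routing table, the per-virtual-firewall routing tables, the firewall names and the rule that a virtual firewall with no route for either address is skipped are all constructed for the example.

```python
"""Static-route lookup, per-virtual-firewall interface match and issue decision
(added example; routing tables and firewall names are constructed, not the patent's)."""
from ipaddress import ip_address, ip_network
from itertools import product
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed static routing table: destination prefix -> physical firewall behind it.
STATIC_ROUTES: Dict[str, str] = {
    "10.0.0.0/8": "fw-core",
    "10.20.0.0/16": "fw-dc2",
    "10.20.30.0/24": "fw-dc2-edge",
    "0.0.0.0/0": "fw-border",
}

# Constructed per-virtual-firewall routing tables: physical fw -> vfw -> [(prefix, interface)].
VFW_ROUTES: Dict[str, Dict[str, List[Tuple[str, str]]]] = {
    "fw-dc2-edge": {
        "vfw-app": [("10.20.30.0/24", "eth1"), ("192.168.0.0/16", "eth2"), ("0.0.0.0/0", "eth0")],
        "vfw-db": [("10.20.30.0/24", "eth1"), ("192.168.0.0/16", "eth1")],
    },
}


def split_into_targets(sources: List[str], destinations: List[str]) -> Iterator[Tuple[str, str]]:
    """Module 201, one reading: every (single source, single destination) pair
    becomes its own target policy, so the lookups below see one address each."""
    return product(sources, destinations)


def longest_prefix_match(dst: str, routes: Dict[str, str]) -> Optional[str]:
    """Claim 3: among the routes covering dst, the one with the longest mask wins."""
    addr = ip_address(dst)
    best = None
    for prefix in routes:
        n = ip_network(prefix)
        if addr in n and (best is None or n.prefixlen > best.prefixlen):
            best = n
    return str(best) if best is not None else None


def max_integer_match(dst: str, routes: Dict[str, str]) -> Optional[str]:
    """Claim 4: compare integer forms. Among routes that cover dst, a longer mask
    keeps more bits of dst in the network address, so the largest network integer
    is the most specific route. The prefix length breaks ties such as
    10.0.0.0/8 vs 10.0.0.0/16, whose network integers are equal."""
    first = int(ip_address(dst))
    best, best_key = None, None
    for prefix in routes:
        n = ip_network(prefix)
        second = int(n.network_address)
        if first & int(n.netmask) != second:
            continue  # this route does not cover dst
        key = (second, n.prefixlen)
        if best_key is None or key > best_key:
            best, best_key = n, key
    return str(best) if best is not None else None


def interface_for(addr: str, table: List[Tuple[str, str]]) -> Optional[str]:
    """Module 204: longest-prefix lookup of one address in one vfw's routing table."""
    a = ip_address(addr)
    best = None
    for prefix, iface in table:
        n = ip_network(prefix)
        if a in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1] if best is not None else None


def plan_issue(src: str, dst: str,
               static_routes: Dict[str, str] = STATIC_ROUTES,
               vfw_routes: Dict[str, Dict[str, List[Tuple[str, str]]]] = VFW_ROUTES
               ) -> Tuple[Optional[str], List[str]]:
    """Modules 202-205: find the physical firewall for dst, then issue to each
    virtual firewall whose routing table sends src and dst out of different
    interfaces. Assumption of this example: a vfw where both resolve to the same
    interface, or where either address has no route, never forwards the traffic,
    so the policy is not issued there."""
    route = longest_prefix_match(dst, static_routes)
    if route is None:
        return None, []
    fw = static_routes[route]
    targets = []
    for vfw, table in vfw_routes.get(fw, {}).items():
        i_src, i_dst = interface_for(src, table), interface_for(dst, table)
        if i_src is not None and i_dst is not None and i_src != i_dst:
            targets.append(vfw)
    return fw, targets


if __name__ == "__main__":
    for s, d in split_into_targets(["192.168.1.1", "10.20.30.7"], ["10.20.30.5"]):
        print(s, "->", d, plan_issue(s, d))
```

For destination 10.20.30.5 both lookups select 10.20.30.0/24 and therefore fw-dc2-edge; a policy from 192.168.1.1 is issued only to vfw-app, because on vfw-db both addresses sit behind eth1 and the traffic never crosses that instance.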
In one embodiment, the issuing module 205 is specifically configured to:
traverse the policy list of the virtual firewall, wherein the policy list comprises at least one issued policy;
compare the target policy with the currently traversed issued policy to obtain a comparison result;
when the comparison result indicates that the source address or the destination address in the target policy is contained in the currently traversed issued policy and the action type of that issued policy is deny, issue the target policy to the virtual firewall;
when the comparison result indicates that the destination address in the target policy is contained in the currently traversed issued policy and the action type of that issued policy is accept, add the source address in the target policy to the currently traversed issued policy;
and when neither the source address nor the destination address in the target policy is contained in any traversed issued policy, issue the target policy to the virtual firewall.
In one embodiment, the apparatus further includes an update module, which is specifically configured to:
update the policy list of the virtual firewall with the target policy issued to the virtual firewall.
In one embodiment, the update module is specifically configured to:
determine the issued policy in the policy list of the virtual firewall whose action type is deny, and insert the target policy in front of that deny policy.
The firewall policy issuing apparatus provided by the embodiments of the invention belongs to the same inventive concept as the firewall policy issuing method provided by the embodiments of the invention; it can execute the firewall policy issuing method provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to that method. For technical details not described in this embodiment, refer to the firewall policy issuing method provided in the embodiments of the invention; they are not repeated here.
In one embodiment, a computer device is provided, which may be a server whose internal structure may be as shown in fig. 3. The server comprises a processor, a memory and a network interface connected through a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides the environment in which the operating system and the computer program in the non-volatile storage medium run. The network interface of the computer device is used to communicate with other devices over a network connection. The computer program, when executed by the processor, implements a firewall policy issuing method.
Those skilled in the art will appreciate that the architecture shown in fig. 3 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
acquiring a target policy to be issued;
searching a preset static routing table for a static route matching the destination address in the target policy, and querying the corresponding physical firewall according to the static route;
determining the routing table of each virtual firewall on the physical firewall;
matching the source address and the destination address in the target policy in the routing table of each virtual firewall, and determining a first interface matched by the source address and a second interface matched by the destination address;
and when the first interface and the second interface matched in the routing table of the same virtual firewall are different, issuing the target policy to that virtual firewall.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored that, when executed by a processor, performs the following steps:
acquiring a target policy to be issued;
searching a preset static routing table for a static route matching the destination address in the target policy, and querying the corresponding physical firewall according to the static route;
determining the routing table of each virtual firewall on the physical firewall;
matching the source address and the destination address in the target policy in the routing table of each virtual firewall, and determining a first interface matched by the source address and a second interface matched by the destination address;
and when the first interface and the second interface matched in the routing table of the same virtual firewall are different, issuing the target policy to that virtual firewall.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware related to instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A firewall policy issuing method, characterized by comprising the following steps:
acquiring a target policy to be issued;
searching a preset static routing table for a static route matching the destination address in the target policy, and querying the corresponding physical firewall according to the static route;
determining a routing table of each virtual firewall on the physical firewall;
matching the source address and the destination address in the target policy in the routing table of each virtual firewall, and determining a first interface matched by the source address and a second interface matched by the destination address;
and when the first interface and the second interface matched in the routing table of the same virtual firewall are different, issuing the target policy to that virtual firewall.
2. The method of claim 1, wherein acquiring the target policy to be issued comprises:
obtaining a firewall policy list to be issued, wherein the firewall policy list comprises at least one policy;
merging the addresses in the policies according to a preset address merging parameter to obtain an address set corresponding to the firewall policy list, wherein the address merging parameter is the source address or the destination address;
and splitting the address set corresponding to the firewall policy list into single addresses to obtain the target policy.
3. The method of claim 1, wherein searching a preset static routing table for a static route matching the destination address in the target policy comprises:
searching the static routing table for the destination address in the target policy by longest-mask matching, to obtain the static route matching the destination address in the target policy.
4. The method of claim 1, wherein searching a preset static routing table for a static route matching the destination address in the target policy comprises:
converting the destination address in the target policy into a corresponding first integer value, and converting the destination address of each route in the static routing table into a corresponding second integer value;
and matching the first integer value against each second integer value, and determining the route corresponding to the largest second integer value as the static route matching the destination address in the target policy.
5. The method of any one of claims 1 to 4, wherein issuing the target policy to the virtual firewall comprises:
traversing a policy list of the virtual firewall, wherein the policy list comprises at least one issued policy;
comparing the target policy with the currently traversed issued policy to obtain a comparison result;
when the comparison result indicates that the source address or the destination address in the target policy is contained in the currently traversed issued policy and the action type of that issued policy is deny, issuing the target policy to the virtual firewall;
when the comparison result indicates that the destination address in the target policy is contained in the currently traversed issued policy and the action type of that issued policy is accept, adding the source address in the target policy to the currently traversed issued policy;
and when neither the source address nor the destination address in the target policy is contained in any traversed issued policy, issuing the target policy to the virtual firewall.
6. The method of claim 5, further comprising:
updating the policy list of the virtual firewall with the target policy issued to the virtual firewall.
7. The method of claim 6, wherein updating the policy list of the virtual firewall with the target policy issued to the virtual firewall comprises:
determining the issued policy in the policy list of the virtual firewall whose action type is deny, and inserting the target policy in front of that issued policy whose action type is deny.
8. A firewall policy issuing apparatus, characterized by comprising:
an acquisition module, configured to acquire a target policy to be issued;
a search module, configured to search a preset static routing table for a static route matching the destination address in the target policy, and to query the corresponding physical firewall according to the static route;
a determining module, configured to determine a routing table of each virtual firewall on the physical firewall;
a matching module, configured to match the source address and the destination address in the target policy in the routing table of each virtual firewall, and to determine a first interface matched by the source address and a second interface matched by the destination address;
and an issuing module, configured to issue the target policy to the virtual firewall when the first interface and the second interface matched in the routing table of the same virtual firewall are different.
9. A computer device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the method of any one of claims 1 to 7.
10. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method of any one of claims 1 to 7.
CN202110003901.6A 2021-01-04 2021-01-04 Firewall strategy issuing method and device, computer equipment and storage medium Pending CN112866214A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110003901.6A CN112866214A (en) 2021-01-04 2021-01-04 Firewall strategy issuing method and device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN112866214A true CN112866214A (en) 2021-05-28

Family

ID=76001349

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113329022A (en) * 2021-05-31 2021-08-31 北京天融信网络安全技术有限公司 Information processing method of virtual firewall and electronic equipment
CN113783778A (en) * 2021-08-23 2021-12-10 杭州安恒信息技术股份有限公司 Policy routing method, system, computer and storage medium based on DDoS equipment
CN114640532A (en) * 2022-03-29 2022-06-17 联想(北京)有限公司 Processing method and device and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102055735A (en) * 2009-11-04 2011-05-11 中国移动通信集团山东有限公司 Configuration method and device of firewall access control policy
CN108462717A (en) * 2018-03-21 2018-08-28 北京理工大学 The firewall rule sets under discrimination optimization method of rule-based match hit rate and distribution variance
CN111835794A (en) * 2020-09-17 2020-10-27 腾讯科技(深圳)有限公司 Firewall policy control method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210528