CN113114683A - Firewall policy processing method and device - Google Patents

Firewall policy processing method and device

Info

Publication number
CN113114683A
Authority
CN
China
Prior art keywords
firewall policy
target
firewall
policy
information
Legal status
Granted
Application number
CN202110400460.3A
Other languages
Chinese (zh)
Other versions
CN113114683B
Inventor
苗森
周婧
汪亦伦
孟凡玥
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202110400460.3A
Publication of CN113114683A
Application granted
Publication of CN113114683B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Abstract

The application provides a firewall policy processing method and device, relating to the fields of information security and financial technology. The method comprises: receiving user information and address information collected by a target server; determining a target firewall policy according to a preset firewall policy set and the user information; and replacing the source address information of the target firewall policy with the address information, and executing the replaced target firewall policy. The method and device bind a user to a firewall policy, improve the degree of automation of firewall policy processing, and thereby help ensure the security of network access.

Description

Firewall policy processing method and device
Technical Field
The present application relates to the field of network security technologies, and in particular, to a firewall policy processing method and apparatus.
Background
With the development of the internet, network scale keeps growing. For reasons of security protection and equipment management, a network needs to be divided into different network areas, with a firewall deployed between the areas; firewall policies implement access control and security isolation between the areas so that the data within each area is protected and services run stably. Firewall technology is the most common and effective defense measure in network security and is a barrier protecting the network.
In the actual production environment of an enterprise, a large number of firewalls divide the network into different areas forming a local area network, and an administrator must manually configure the firewall policies deployed in each area. With long-term use of the firewalls and changes to device IP addresses, the configured policies tend to become redundant, missing or unreasonable, which affects the security of network access.
Disclosure of Invention
Aiming at the problems in the prior art, the application provides a firewall policy processing method and device, which can realize the binding between a user and a firewall policy, improve the automation degree of firewall policy processing, and further ensure the security of network access.
In order to solve the technical problem, the present application provides the following technical solutions:
in a first aspect, the present application provides a firewall policy processing method, including:
receiving user information and address information acquired by a target server;
determining a target firewall policy according to a preset firewall policy set and the user information;
and replacing the source address information of the target firewall policy by using the address information, and executing the replaced target firewall policy.
Further, after executing the replaced target firewall policy, the method further includes:
when the time for which the target firewall policy has been executed reaches the preset lease duration, stopping execution of the current target firewall policy and returning to the policy execution step: receiving user information and address information collected by a target server; determining a target firewall policy according to a preset firewall policy set and the user information; and replacing the source address information of the target firewall policy with the address information, and executing the replaced target firewall policy.
Further, the firewall policy processing method further includes:
receiving a policy change request sent by a target server;
determining a firewall policy to be changed according to the policy change request and a preset firewall policy set;
updating the firewall policy to be changed according to the policy change request to obtain a changed firewall policy and executing the changed firewall policy;
and when the time for executing the changed firewall policy reaches the preset lease time length, stopping executing the changed firewall policy, and returning to the step of executing the policy.
Further, determining a target firewall policy according to a preset firewall policy set and the user information includes:
if the user information exists in a preset user information table and a firewall policy corresponding to the user information exists in the preset firewall policy set, determining that firewall policy to be the target firewall policy.
Further, after stopping execution of the current target firewall policy, the method further includes:
outputting and displaying the execution result of the target firewall policy.
Further, receiving the user information and address information collected by the target server includes:
receiving user information and address information which are collected and encrypted by a target server;
and decrypting the user information and the address information by applying an asymmetric key algorithm.
Further, the preset firewall policy set includes a plurality of firewall policies, each firewall policy comprising: source address, destination port, user unique identifier, and effective time.
In a second aspect, the present application provides a firewall policy processing apparatus, including:
the receiving module is used for receiving the user information and the address information collected by the target server;
the determining module is used for determining a target firewall policy according to a preset firewall policy set and the user information;
and the execution module is used for replacing the source address information of the target firewall policy by applying the address information and executing the replaced target firewall policy.
In a third aspect, the present application provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the firewall policy processing method when executing the computer program.
In a fourth aspect, the present application provides a computer-readable storage medium having stored thereon computer instructions that, when executed, implement the firewall policy processing method.
According to the technical scheme, the application provides a firewall policy processing method and device. The method comprises: receiving user information and address information collected by a target server; determining a target firewall policy according to a preset firewall policy set and the user information; and replacing the source address information of the target firewall policy with the address information and executing the replaced target firewall policy. This binds a user to a firewall policy, improves the degree of automation of firewall policy processing, and thereby helps ensure the security of network access; specifically, the reliability of firewall policies is improved, policy redundancy is reduced, network response speed is improved, and cost is reduced.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a firewall policy processing method in an embodiment of the present application;
FIG. 2 is a diagram illustrating an exemplary firewall policy of the present application;
fig. 3 is a flowchart illustrating steps 300 to 600 of a firewall policy processing method according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a firewall policy processing apparatus in an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a firewall policy processing apparatus in an application example of the present application;
FIG. 6 is a schematic diagram of a firewall device in an application example of the present application;
fig. 7 is a schematic structural diagram of a network access device in an application example of the present application;
FIG. 8 is a flow chart illustrating a firewall policy processing method in an application example of the present application;
fig. 9 is a schematic block diagram of a system configuration of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
With the development of the internet, network scale keeps growing, the types and models of firewalls keep increasing, and devices are numerous. There are roughly three architectural categories: the dual-homed host architecture, the screened host architecture, and the screened subnet architecture; and roughly two technical types: packet-filtering firewalls, which work at the network layer, and application-level gateways, which work at the application layer. For a large network with many firewall manufacturers and differing versions and models, an administrator must implement firewall policy changes, and the limitations of manual means are obvious.
In order to solve the problems in the prior art, the present application provides a firewall policy processing method and apparatus, considering starting from the aspects of firewall technology, device management, user management, and the like, the method including: receiving user information and address information acquired by a target server; obtaining a target firewall policy according to a preset firewall policy set and the user information; the address information in the user registration request is used as the source address information of the target firewall policy, and the target firewall policy is executed, so that access control and security isolation can be implemented on different network areas, and security management can be implemented on access equipment in a single network area; the firewall device can be applied to implement multidimensional authentication of users, authorities and addresses on a network communication layer for any equipment in a network, thereby greatly improving the network adaptation and protection capability of enterprises and ensuring the network security.
Based on this, the firewall policy processing apparatus provided in the embodiments of the present application may be a server or a client device, where the client device may include a smart phone, a tablet, a network set-top box, a portable computer, a desktop computer, a Personal Digital Assistant (PDA), an in-vehicle device, a smart wearable device, and the like. The smart wearable device may include smart glasses, a smart watch, a smart bracelet, and the like.
In practical applications, the firewall policy processing part may be executed on the server side as described above, or all operations may be completed in the client device. The selection may be specifically performed according to the processing capability of the client device, the limitation of the user usage scenario, and the like. This is not a limitation of the present application. The client device may further include a processor if all operations are performed in the client device.
The client device may have a communication module (i.e., a communication unit), and may be communicatively connected to a remote server to implement data transmission with the server. The server may include a server on the task scheduling center side, and in other implementation scenarios, the server may also include a server on an intermediate platform, for example, a server on a third-party server platform that is communicatively linked to the task scheduling center server. The server may include a single computer device, or may include a server cluster formed by a plurality of servers, or a server structure of a distributed apparatus.
The server and the client device may communicate using any suitable network protocol, including network protocols not yet developed at the filing date of this application. The network protocol may include, for example, TCP/IP, UDP/IP, HTTP, or HTTPS. The network protocol may also include, for example, an RPC (Remote Procedure Call) protocol or a REST (Representational State Transfer) interface layered above those protocols.
It should be noted that the firewall policy processing method and apparatus disclosed in the present application may be used in the field of financial technology, and may also be used in any field other than the field of financial technology.
The following examples are intended to illustrate the details.
In order to implement binding between a user and a firewall policy, improve the automation degree of firewall policy processing, and further ensure the security of network access, this embodiment provides a firewall policy processing method whose execution main body is a firewall policy processing apparatus, where the firewall policy processing apparatus includes, but is not limited to, a server, and as shown in fig. 1, the method specifically includes the following contents:
step 110: and receiving user information and address information collected by the target server.
Step 120: and determining a target firewall policy according to a preset firewall policy set and the user information.
Step 130: and replacing the source address information of the target firewall policy by using the address information, and executing the replaced target firewall policy.
In particular, the target server may represent a network access device in a network area; the user information and address information collected by the target server may be received periodically. The user information may include a user unique identifier, which may be a user ID for distinguishing different users, and a password. The preset firewall policy set may include a plurality of firewall policies, as shown in fig. 2, where each firewall policy includes a source address, a destination port, a parameter area and other information; the parameter area of a firewall policy holds the user unique identifier, the effective time and the like corresponding to that policy.
In order to further improve the automation degree and reliability of the firewall policy processing, in an embodiment of the present application, after step 130, the method further includes:
step 200: when the time for executing the target firewall policy reaches the preset rent-credit time, stopping executing the current target firewall policy, and returning to the policy executing processing step: receiving user information and address information acquired by a target server; determining a target firewall policy according to a preset firewall policy set and the user information; and replacing the source address information of the target firewall policy by using the address information, and executing the replaced target firewall policy.
Specifically, the preset rental duration may be set according to actual needs, which is not limited in this application; for example, the preset rental period is 7 days. In order to improve the visualization degree of the execution result of the firewall policy, after the suspending the execution of the current target firewall policy, the method may further include: and outputting and displaying the execution result of the target firewall policy.
In order to improve the automation degree of the firewall policy change and further improve the efficiency of the firewall management, referring to fig. 3, in an embodiment of the present application, the method further includes:
step 300: and receiving a policy change request sent by the target server.
Specifically, the policy change request includes: the user information currently collected by the target server can be used for determining the firewall policy to be changed; and the strategy changing request comprises at least one of source address, target address and target port information and is used for replacing corresponding information in the firewall strategy to be changed.
Step 400: and determining the firewall policy to be changed according to the policy change request and a preset firewall policy set.
Step 500: and updating the firewall policy to be changed according to the policy change request to obtain a changed firewall policy and executing the changed firewall policy.
Step 600: and when the time for executing the changed firewall policy reaches the preset lease time length, stopping executing the changed firewall policy, and returning to the step of executing the policy.
To further ensure the security of the registered firewall policy, in one embodiment of the present application, step 120 comprises:
If the user information exists in a preset user information table and a firewall policy corresponding to the user information exists in the preset firewall policy set, that firewall policy is determined to be the target firewall policy.
Specifically, the preset user information table may include user information corresponding to a user having the firewall policy, and may be pre-stored in the local firewall policy processing apparatus.
To further improve the reliability of data transmission and hence the accuracy of firewall policy processing, in an embodiment of the present application, step 110 includes: receiving user information and address information that were collected and encrypted by the target server; and decrypting the user information and the address information by applying an asymmetric key algorithm.
In terms of software, in order to implement binding between a user and a firewall policy, and improve the automation degree of firewall policy processing, thereby ensuring the security of network access, the present application provides an embodiment of a firewall policy processing apparatus for implementing all or part of the contents in the firewall policy processing method, and referring to fig. 4, the firewall policy processing apparatus specifically includes the following contents:
and the receiving module 10 is used for receiving the user information and the address information collected by the target server.
And the determining module 20 is configured to determine a target firewall policy according to a preset firewall policy set and the user information.
And the execution module 30 is configured to apply the address information to replace the source address information of the target firewall policy, and execute the replaced target firewall policy.
The embodiment of the firewall policy processing apparatus provided in this specification may be specifically configured to execute the processing flow of the embodiment of the firewall policy processing method, and its functions are not described herein again, and refer to the detailed description of the embodiment of the firewall policy processing method.
To further explain the scheme, the application provides an application example of a firewall policy processing system. The firewall device implements multidimensional authentication of users, permissions and addresses for devices accessing the network at the network communication layer, automatically matches firewall policies for traffic management in a security-authorization mode, establishes a strong binding between a firewall policy and a device address, and thereby achieves automated, agile and fine-grained network policy processing and greatly improves network area security. Referring to fig. 5, the firewall policy processing system consists of a network area 001 (e.g., the Internet), a network area 002 (e.g., a LAN intranet), and a firewall device 003. Network area 002 includes one or more network access devices 004; network area 001 may have the same or a different configuration from network area 002. Here, the function of the firewall device 003 corresponds to the function of the firewall policy processing apparatus, and the function of the network access device 004 corresponds to the function of the target server.
The detailed description of each device is as follows:
1. Firewall device 003
Referring to fig. 6, the firewall device 003 consists of a receiving module 31, an encryption/decryption module 32, a policy management module 33, an instruction processing module 34, a sending module 35 and a security management module 36. Multiple firewall devices 003 may be deployed, and a network access device 004 in network area 002 may exchange data with network area 001 through any firewall device 003. The firewall device 003 is responsible for filtering data packets according to the firewall policy, authenticating the registration information of the network access device 004, automatically adjusting the corresponding firewall policy so that it takes effect immediately, authenticating network change information of the network access device 004, and providing an administrator audit function. The firewall device 003 can distribute instructions to the network access device 004, including but not limited to permission status L, lease period M, fault code S and monitoring information G, where the duration of each lease period may be the preset lease duration. Each module is described in detail as follows:
the receiving module 31: is responsible for receiving command packets and data packets from network region 001 and network region 002. The received instruction packet data includes information such as firewall policy registration and change, and is forwarded to the encryption/decryption module 32, and the received packet data is communication data information of each network access device 004, and is forwarded to the instruction processing module 34.
The encryption and decryption module 32: this module is responsible for encrypting and decrypting the instruction packet data and forwarding it to the security management module 36 in unison. An asymmetric encryption technique is employed.
The policy management module 33: is a storage module for firewall policies. And is responsible for adding, modifying and deleting firewall policies, resolving the firewall policies into program instructions and sending the program instructions to the instruction processing module 34. And binding the user through the parameter area, and automatically changing the firewall policy so that the address of the network access device 004 for logging in the user is effective in a lease period M.
The instruction processing module 34: and receiving the logic instruction of the policy management module 33, checking, filtering and modifying the passing data packet, and forwarding the passing data packet to the sending module 35.
The sending module 35: and is responsible for receiving the data packet from the instruction processing module 34 and the instruction packet from the encryption and decryption module 32, and forwarding the data packet and the instruction packet to the network access device 004 designated in the data packet and the instruction packet.
Security management module 36: and the encryption and decryption module 32 is responsible for performing user information authentication on the decrypted instruction packet and returning the instruction packet to the encryption and decryption module. After the authentication is successful, the module judges the authority of the user to determine whether manual audit needs to be introduced. After the authority passes, the security management module 36 sends the change policy to the policy management module 33. The module is responsible for monitoring firewall device 003 logs and distributing parameters and monitoring instructions to network access device 004.
2. Network access device 004
Referring to fig. 7, each network access device 004 consists of a receiving module 41, a sending module 42, a registration module 43, an encryption/decryption module 44 and a security management module 45. The network access device 004 may be a system-level device or an appliance-level device of the network access apparatus. The network access device 004 is responsible for sending registration information and firewall policy change information to the firewall device. The network access device 004 may receive instructions distributed by the firewall device 003, including but not limited to permission status L, lease period M, fault code S and monitoring information G. Each module is described in detail as follows:
The receiving module 41 is responsible for receiving returned instruction packets and monitoring instruction packets from the firewall device 003, and forwards the received instruction packet data to the encryption/decryption module 44.
The sending module 42 is responsible for receiving instruction packets from the encryption/decryption module 44 and forwarding them to the firewall device 003 specified in the instruction packet.
The registration module 43 is responsible for entering user information and obtaining the address information of the network access device in its network area. It combines the user information and the address information and forwards them to the encryption/decryption module 44 for encryption.
The encryption/decryption module 44 encrypts and decrypts instruction packet data, using an asymmetric encryption technique.
The security management module 45 is the firewall information presentation module of the network access device 004. It is responsible for displaying the results and monitoring information returned by the firewall device 003, and can initiate a firewall policy change application.
Specifically, the user information a01 is authenticated by the security management module 45 of the network access device 004; the user information a01 and the address information a02 of the network access device 004 are encrypted by the encryption/decryption module 44 into registration information b01, and b01 is transmitted to the firewall device 003 by the sending module 42. The receiving module 31 of the firewall device 003 receives the registration information b01, the encryption/decryption module 32 decrypts b01 into b02, and the security management module 36 of the firewall device 003 authenticates the registration information b02 and obtains the user information a01 and the address information a02. After authentication succeeds, the policy management module 33 activates (distributes) the firewall policy information corresponding to the user identified by a01 for the duration of one lease period M, and the sending module 35 of the firewall device 003 returns the registration result. The network access device 004 must send registration information once every lease period M to keep the firewall policy corresponding to the user active. The firewall policy processing system is thus a firewall policy processing system based on a lease mode, in which a lessee network access device applies to a lessor firewall device for a specified network access permission within a specified time; once that time is exceeded, the lessor firewall device recovers the network access permission.
To further explain the present solution, an application example of the firewall policy processing method, combined with the firewall policy processing system, is provided in the present application; with reference to fig. 8, it is described as follows:
(i) The firewall registration workflow performed by the network access device 004 is described in detail as follows:
Step S101: inputting user information; that is, when the user logs in to the device for the first time, the user enters user information consisting of a user ID and a password in the registration module 43 of the network access device 004, and the flow goes to step S102.
Step S102: acquiring address information; that is, the registration module 43 acquires the address information of the network access device 004, and the flow goes to step S103.
Step S103: combining the registration information; this step is executed periodically. That is, the registration module 43 logically combines the user information and the address information into registration information, sends it to the encryption/decryption module 44, and step S301 is performed with the registration information as the target information.
Step S301: encrypting the information; that is, the encryption/decryption module 44 encrypts the target information according to the asymmetric key algorithm, sends the encrypted target information to the sending module 42, and step S302 is performed.
Step S302: sending the information; that is, the sending module 42 reads the encrypted target information, acquires the address of the firewall device 003, sends the encrypted target information to the firewall device 003, and the flow proceeds to step S303. The address of the firewall device 003 is public information within the network range and can be entered by the user at the registration module.
Step S303: receiving the information; that is, the receiving module 31 receives the encrypted target information, forwards it to the encryption/decryption module 32, and the flow goes to step S304.
Step S304: decrypting the information; that is, the encryption/decryption module 32 decrypts the encrypted target information according to the asymmetric key algorithm, sends the decrypted target information to the security management module 36 for authentication, and step S305 is performed.
Step S305: authenticating the information; that is, the security management module 36 parses the decrypted target information to obtain the user information and the address information, and the flow goes to step S306.
Specifically, if the target information is registration information, user information and address information can be obtained; and if the target information is the change information, user information, address information and strategy information can be obtained.
Step S306: judging whether the user information is correct; that is, the security management module 36 determines whether the user information is correct. If not, the information return flow is executed with a failure result, and step S501 is executed; if so, the flow goes to step S307.
Specifically, whether the user account and password information are matched with the user information in the security management module or not can be judged, and if yes, the user information is correct.
Step S307: judging whether the user permission is satisfied; that is, the security management module 36 determines whether the user's permissions satisfy the requirements. If not, the information return flow is executed with a failure result, and step S501 is executed; if so, the flow goes to step S308.
Specifically, it can be judged whether the user is allowed to access the network area and whether the user has a firewall policy in that network area; if both hold, the user permission satisfies the requirements.
Step S308: activating or changing the firewall policy, which then lasts for the duration of one rent-credit period M; that is, the security management module 36 initiates activation of the firewall policy according to the target information, and the policy management module 33 performs the activation and issues a program instruction to the instruction processing module 34. After completion, the information return flow is executed with a success result, and step S501 is executed.
The steps of activating the firewall policy are as follows:
a) The policy management module 33 matches all stored firewall policy information of the user by comparing the user ID with the unique user ID in the parameter area of each firewall policy.
b) The policy management module 33 writes the address information of the network access device 004 in place of the source address information of the matched firewall policy information.
c) The policy management module 33 parses the activated firewall policy information and issues a program instruction to the instruction processing module 304.
The firewall device 003 holds the firewall policy corresponding to the user; the firewall registration performed by the network access device 004 is equivalent to informing the firewall device that "this network access device is bound to the user information, and the network address of this network access device is to be applied to activate the firewall policy corresponding to the user".
(ii) The firewall change workflow of the network access device 004 is described in detail as follows:
Step S201: submitting change information; that is, the user submits the network change information in the security management module 45 of the network access device 004, which forwards it to the encryption/decryption module 44, and then step S301 is performed with the network change information as the target information.
Specifically, a firewall change modifies the firewall policy information that the firewall device stores for the user; when a user uses the firewall device for the first time, no firewall policy is available to that user yet, and one must be added by means of a change.
The workflow by which the firewall device 003 returns information is described in detail as follows:
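The registration steps S305-S308 and activation steps a)-c) above, together with the change workflow of step S201, as an added example that is not the patent's own code. The policy set layout follows claim 7 (source address, destination, port, user unique ID, validation time); the user table, the PBKDF2 password storage, the `permit ...` rule syntax and all sample users and addresses are constructed assumptions of this example.

```python
from dataclasses import dataclass, replace
import hashlib
import hmac
import secrets

UNBOUND = "<unbound>"  # source address of a stored, not yet activated policy


@dataclass(frozen=True)
class FirewallPolicy:
    """Entry of the preset policy set (claim 7): source, destination, port, user ID, validation time."""
    user_id: str
    source_address: str
    destination_address: str
    destination_port: int
    validation_time: int = 0     # lease expiry, epoch seconds; 0 = inactive


def _hash_password(password, salt):
    # Hypothetical storage format for the preset user information table.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class FirewallDevice:
    def __init__(self, policy_set, users, area_members, lease_period_m):
        # preset user information table: user_id -> (salt, password hash)
        self.users = {}
        for uid, pw in users.items():
            salt = secrets.token_bytes(16)
            self.users[uid] = (salt, _hash_password(pw, salt))
        self.policy_set = list(policy_set)      # stored, not yet activated
        self.area_members = set(area_members)   # users allowed into this area
        self.lease_period_m = lease_period_m    # lease period M, seconds
        self.active = {}                        # user_id -> activated policies

    def _authenticate(self, user_id, password):
        # Step S306: user ID and password must match the preset user table.
        entry = self.users.get(user_id)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(_hash_password(password, salt), expected)

    def _authorized(self, user_id):
        # Step S307: user must be allowed into the area and own a policy there.
        return user_id in self.area_members and any(
            p.user_id == user_id for p in self.policy_set)

    @staticmethod
    def _instruction(p):
        # Step c): activated policy rendered as a program instruction (constructed syntax).
        return (f"permit src={p.source_address} dst={p.destination_address} "
                f"dport={p.destination_port} until={p.validation_time}")

    def register(self, user_id, password, device_address, now):
        """Steps S305-S308: authenticate, authorise, activate for one lease M."""
        if not self._authenticate(user_id, password):
            return {"success": False, "reason": "user information incorrect"}
        if not self._authorized(user_id):
            return {"success": False, "reason": "user permission not satisfied"}
        expiry = now + self.lease_period_m
        # a) match stored policies by user ID; b) write the device address in
        # place of the policy's source address and stamp the lease expiry.
        activated = [replace(p, source_address=device_address, validation_time=expiry)
                     for p in self.policy_set if p.user_id == user_id]
        self.active[user_id] = activated
        return {"success": True, "lease_expires_at": expiry,
                "instructions": [self._instruction(p) for p in activated]}

    def active_instructions(self, now):
        """Rules in force at `now`; an expired lease is withdrawn (claim 2)."""
        for uid, policies in list(self.active.items()):
            if not policies or now >= policies[0].validation_time:
                del self.active[uid]   # device must register again
        return [self._instruction(p) for ps in self.active.values() for p in ps]

    def change_policy(self, user_id, password, device_address, new_policy, now):
        """Step S201 / claim 3: update or add the user's stored policy, keyed by
        destination address and port, then re-activate for a fresh lease."""
        if not self._authenticate(user_id, password):
            return {"success": False, "reason": "user information incorrect"}
        if user_id not in self.area_members or new_policy.user_id != user_id:
            return {"success": False, "reason": "user permission not satisfied"}
        key = (new_policy.destination_address, new_policy.destination_port)
        self.policy_set = [p for p in self.policy_set if not (
            p.user_id == user_id and (p.destination_address, p.destination_port) == key)]
        self.policy_set.append(replace(new_policy, source_address=UNBOUND, validation_time=0))
        return self.register(user_id, password, device_address, now)


# Constructed sample data: users, passwords and addresses are made up.
PRESET_POLICIES = [
    FirewallPolicy("alice", UNBOUND, "10.0.1.20", 443),
    FirewallPolicy("alice", UNBOUND, "10.0.1.21", 22),
    FirewallPolicy("bob", UNBOUND, "10.0.1.20", 443),
]
PRESET_USERS = {"alice": "alice-demo-pass", "bob": "bob-demo-pass"}
```

With `area_members={"alice"}` and `lease_period_m=600`, registering alice at time 1000 activates both of her policies with her device address until 1600; at 1600 `active_instructions` withdraws them until she registers again, and bob is refused at step S307 because he is not a member of the area.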
Step S501: encrypting the return information/monitoring information; the encryption/decryption module 32 of the firewall device 003 encrypts the return information according to the asymmetric key algorithm, transmits the encrypted return information to the sending module 35, and the flow goes to step S502. The return information includes, but is not limited to, whether the registration or change succeeded, the lease validity time, user permission information, firewall policy profile information, and the like.
Step S502: sending the return information/monitoring information; the sending module 35 of the firewall device 003 reads the encrypted return information, acquires the address of the corresponding network access device 004, sends the encrypted return information to the network access device 004, and the flow goes to step S503.
Step S503: receiving the return information/monitoring information; the receiving module 41 of the network access device 004 receives the encrypted return information, forwards it to the encryption/decryption module 44, and the flow goes to step S504.
Step S504: decrypting the return information/monitoring information; the encryption/decryption module 44 of the network access device 004 decrypts the encrypted return information according to the asymmetric key algorithm, forwards the decrypted return information to the security management module 45, and the flow goes to step S505.
Step S505: displaying the return information/monitoring information; that is, the security management module 45 presents the return information.
As can be seen from the above description, the firewall policy processing method and apparatus provided in the present application implement multidimensional authentication of user, permission and address at the network communication layer through the firewall device, so that a strong binding between a firewall policy and a device address is avoided, the automation, agility and refinement of firewall policy processing are improved, and the security of a network area is greatly improved. Specifically, the following advantages are provided:
1. Access control and security isolation can be implemented for different network areas, security management can be implemented for access devices within a single network area, and the firewall can serve as a component of an enterprise internal control system.
2. Management of the firewall can be made accurate to the lease period M in the time dimension.
3. The firewall policy can be changed automatically, which greatly improves firewall management efficiency, improves the adaptability of the system network, enables a quick response to network changes, and reduces cost.
4. Binding authentication of the user and the device can be realized at the network communication layer, the firewall policy can be bound to the user relationship, and the user experience is greatly improved.
5. The firewall policy can be decoupled from the communication address, which solves the redundancy problem of firewall policies.
In terms of hardware, in order to implement binding between a user and a firewall policy, improve the automation degree of firewall policy processing, and further ensure the security of network access, the present application provides an embodiment of an electronic device for implementing all or part of the contents in the firewall policy processing method, where the electronic device specifically includes the following contents:
a processor (processor), a memory (memory), a communication Interface (Communications Interface), and a bus; the processor, the memory and the communication interface complete mutual communication through the bus; the communication interface is used for realizing information transmission between the firewall policy processing device and related equipment such as a user terminal; the electronic device may be a desktop computer, a tablet computer, a mobile terminal, and the like, but the embodiment is not limited thereto. In this embodiment, the electronic device may be implemented with reference to the embodiment for implementing the firewall policy processing method and the embodiment for implementing the firewall policy processing apparatus in the embodiments, and the contents of the embodiments are incorporated herein, and repeated details are not repeated here.
Fig. 9 is a schematic block diagram of a system configuration of an electronic device 9600 according to an embodiment of the present application. As shown in fig. 9, the electronic device 9600 can include a central processor 9100 and a memory 9140; the memory 9140 is coupled to the central processor 9100. Notably, this fig. 9 is exemplary; other types of structures may also be used in addition to or in place of the structure to implement telecommunications or other functions.
In one or more embodiments of the present application, the firewall policy processing functions can be integrated into the central processor 9100. The central processor 9100 may be configured to control as follows:
step 110: and receiving user information and address information collected by the target server.
Step 120: and determining a target firewall policy according to a preset firewall policy set and the user information.
Step 130: and replacing the source address information of the target firewall policy by using the address information, and executing the replaced target firewall policy.
As can be seen from the above description, the electronic device provided in the embodiment of the present application can implement binding between a user and a firewall policy, improve an automation degree of processing the firewall policy, and further ensure security of network access.
In another embodiment, the firewall policy processing apparatus may be configured separately from the central processor 9100, for example, the firewall policy processing apparatus may be configured as a chip connected to the central processor 9100, and the firewall policy processing function may be implemented by the control of the central processor.
As shown in fig. 9, the electronic device 9600 may further include: a communication module 9110, an input unit 9120, an audio processor 9130, a display 9160, and a power supply 9170. It is noted that the electronic device 9600 also does not necessarily include all of the components shown in fig. 9; in addition, the electronic device 9600 may further include components not shown in fig. 9, which may be referred to in the prior art.
As shown in fig. 9, a central processor 9100, sometimes referred to as a controller or operational control, can include a microprocessor or other processor device and/or logic device, which central processor 9100 receives input and controls the operation of the various components of the electronic device 9600.
The memory 9140 can be, for example, one or more of a buffer, a flash memory, a hard drive, a removable medium, a volatile memory, a non-volatile memory, or other suitable device. Information relating to failures may be stored in it, as may a program for processing that information, and the central processor 9100 can execute the program stored in the memory 9140 to realize information storage, processing, or the like.
The input unit 9120 provides input to the central processor 9100. The input unit 9120 is, for example, a key or a touch input device. Power supply 9170 is used to provide power to electronic device 9600. The display 9160 is used for displaying display objects such as images and characters. The display may be, for example, an LCD display, but is not limited thereto.
The memory 9140 can be a solid state memory, e.g., Read Only Memory (ROM), Random Access Memory (RAM), a SIM card, or the like. There may also be a memory that retains information even when power is off, can be selectively erased, and can be loaded with further data; one example is sometimes called an EPROM or the like. The memory 9140 could also be some other type of device. The memory 9140 includes a buffer memory 9141 (sometimes referred to as a buffer). The memory 9140 may include an application/function storage portion 9142, which is used for storing application programs and function programs or for executing the operation flow of the electronic device 9600 by the central processor 9100.
The memory 9140 can also include a data store 9143, the data store 9143 being used to store data, such as contacts, digital data, pictures, sounds, and/or any other data used by an electronic device. The driver storage portion 9144 of the memory 9140 may include various drivers for the electronic device for communication functions and/or for performing other functions of the electronic device (e.g., messaging applications, contact book applications, etc.).
The communication module 9110 is a transmitter/receiver 9110 that transmits and receives signals via an antenna 9111. The communication module (transmitter/receiver) 9110 is coupled to the central processor 9100 to provide input signals and receive output signals, which may be the same as in the case of a conventional mobile communication terminal.
Based on different communication technologies, a plurality of communication modules 9110, such as a cellular network module, a bluetooth module, and/or a wireless local area network module, may be provided in the same electronic device. The communication module (transmitter/receiver) 9110 is also coupled to a speaker 9131 and a microphone 9132 via an audio processor 9130 to provide audio output via the speaker 9131 and receive audio input from the microphone 9132, thereby implementing ordinary telecommunications functions. The audio processor 9130 may include any suitable buffers, decoders, amplifiers and so forth. In addition, the audio processor 9130 is also coupled to the central processor 9100, thereby enabling recording locally through the microphone 9132 and enabling locally stored sounds to be played through the speaker 9131.
As can be seen from the above description, the electronic device provided in the embodiment of the present application can implement binding between a user and a firewall policy, improve an automation degree of processing the firewall policy, and further ensure security of network access.
An embodiment of the present application further provides a computer-readable storage medium capable of implementing all the steps in the firewall policy processing method in the foregoing embodiment, where the computer-readable storage medium stores a computer program, and the computer program, when executed by a processor, implements all the steps in the firewall policy processing method in the foregoing embodiment, for example, when the processor executes the computer program, implements the following steps:
step 110: and receiving user information and address information collected by the target server.
Step 120: and determining a target firewall policy according to a preset firewall policy set and the user information.
Step 130: and replacing the source address information of the target firewall policy by using the address information, and executing the replaced target firewall policy.
As can be seen from the above description, the computer-readable storage medium provided in the embodiment of the present application can implement binding between a user and a firewall policy, improve an automation degree of processing the firewall policy, and further ensure security of network access.
In the present application, the embodiments are described in a progressive manner; identical and similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the others. For the apparatus embodiments, reference is made to the description of the method embodiments.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principle and the implementation mode of the present application are explained by applying specific embodiments in the present application, and the description of the above embodiments is only used to help understanding the method and the core idea of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (10)

1. A firewall policy processing method is characterized by comprising the following steps:
receiving user information and address information acquired by a target server;
determining a target firewall policy according to a preset firewall policy set and the user information;
and replacing the source address information of the target firewall policy by using the address information, and executing the replaced target firewall policy.
2. The firewall policy processing method according to claim 1, further comprising, after the executing the replaced target firewall policy:
when the time for executing the target firewall policy reaches the preset rent-credit time, stopping executing the current target firewall policy, and returning to the policy execution processing step: receiving user information and address information acquired by a target server; determining a target firewall policy according to a preset firewall policy set and the user information; and replacing the source address information of the target firewall policy by using the address information, and executing the replaced target firewall policy.
3. The firewall policy processing method according to claim 2, further comprising:
receiving a strategy change request sent by a target server;
determining a firewall policy to be changed according to the policy change request and a preset firewall policy set;
updating the firewall policy to be changed according to the policy change request to obtain a changed firewall policy and executing the changed firewall policy;
and when the time for executing the changed firewall policy reaches the preset lease time length, stopping executing the changed firewall policy, and returning to the policy execution processing step.
4. The firewall policy processing method according to claim 1, wherein the determining a target firewall policy according to a preset firewall policy set and the user information comprises:
and if the user information exists in a preset user information table and the firewall policy corresponding to the user information exists in the preset firewall policy set, determining the firewall policy as a target firewall policy.
5. The firewall policy processing method according to claim 2, further comprising, after the suspending execution of the current target firewall policy:
and outputting and displaying the execution result of the target firewall policy.
6. The firewall policy processing method according to claim 1, wherein the receiving the user information and the address information collected by the target server comprises:
receiving user information and address information which are collected and encrypted by a target server;
and decrypting the user information and the address information by applying an asymmetric key algorithm.
7. The firewall policy processing method according to any one of claims 1 to 6, wherein the preset firewall policy set includes: a plurality of firewall policies, each firewall policy comprising: source address, destination port, user unique identification, and validation time.
8. A firewall policy processing apparatus, comprising:
the receiving module is used for receiving the user information and the address information collected by the target server;
the determining module is used for determining a target firewall policy according to a preset firewall policy set and the user information;
and the execution module is used for replacing the source address information of the target firewall policy by applying the address information and executing the replaced target firewall policy.
9. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the firewall policy processing method of any one of claims 1 to 7 when executing the program.
10. A computer-readable storage medium having stored thereon computer instructions, wherein the instructions, when executed, implement the firewall policy processing method of any one of claims 1 to 7.
CN202110400460.3A 2021-04-14 2021-04-14 Firewall policy processing method and device Active CN113114683B (en)
Publications (2)

Publication Number | Publication Date
CN113114683A | 2021-07-13
CN113114683B | 2023-04-07