CN113162943B - Method and system for dynamically managing firewall policy - Google Patents
Publication number: CN113162943B (application CN202110464930.2A)
Authority: CN (China)
Prior art keywords: access request, service system, firewall, random number, source address
Legal status: Active
Classifications
- H04L63/0209: Network architectures or network communication protocols for network security; separating internal from external traffic, e.g. firewalls; architectural arrangements, e.g. perimeter networks or demilitarized zones (H04L63/00, H04L63/02)
- H04L63/205: Network architectures or network communication protocols for managing network security and network security policies in general; involving negotiation or determination of the network security mechanisms to be used, e.g. by negotiation between client and server or between peers, or by selection according to the capabilities of the entities involved (H04L63/00, H04L63/20)
Abstract
The present disclosure relates to the technical field of information security, and in particular to a method and a system for dynamically managing firewall policies. The method includes: receiving an access request from a service system; determining the source address and destination address of the access request and the identifier of the service system; judging from the source and destination addresses whether the access request is an unknown access request, or judging from the identifier whether the service system is a newly added service system, so as to determine whether the access request is legal; if the access request is illegal, evaluating it through an evaluation model or through the application identifier; and, when the evaluation passes, opening a firewall policy according to the topology of the corresponding service system.
Description
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method and a system for dynamically managing firewall policies.
Background
A firewall combines software and hardware devices for security management and screening so as to build a relatively isolated protective barrier between an internal network and an external network, protecting the security of user data and information.
Existing firewalls rely mainly on manual maintenance and static policies: firewall information is collated by hand and openings are implemented through manual change procedures, and when a service system is added, the firewall rules for it must be deployed manually. With the continued development of internet technology, however, firewalls, as the security barrier of the intranet, have grown greatly in both number and policy entries, which multiplies the workload of operation and maintenance staff.
Disclosure of Invention
Embodiments of the present disclosure provide a method and a system for dynamically managing firewall policies, so as to reduce workload of operation and maintenance personnel and improve work efficiency.
To achieve the above object, in one aspect, an embodiment herein provides a method for dynamically managing firewall policies, including:
receiving an access request of a service system;
determining a source address and a destination address of the access request and an identifier of a service system;
judging from the source address and the destination address whether the access request is an unknown access request, or judging from the identifier of the service system whether the service system is a newly added service system, so as to determine whether the access request of the service system is legal;
if the access request of the service system is illegal, evaluating the access request through an evaluation model or through the application identifier;
and when the evaluation passes, opening a firewall policy according to the topology of the corresponding service system.
Preferably, the determining whether the access request is an unknown access request according to the source address and the destination address includes:
judging whether the source address and the destination address of the access request are recorded in a configuration management system or not;
and if the source address and the destination address of the access request are not recorded in the configuration management system, the access request is an unknown access request.
Preferably, before evaluating the access request of the service system through the evaluation model, the method further includes:
determining the message content of the access request;
and evaluating the access request of the service system through the evaluation model includes:
judging whether the access request of the service system conforms to one or a combination of the following conditions:
the source address of the access request is recorded in the corresponding firewall entry;
the destination address of the access request is recorded in the corresponding firewall entry;
the message content of the access request conforms to a specific service rule;
the message content of the access request contains specific keywords;
if the access request meets one or a combination of the above, the evaluation passes.
Preferably, the method further comprises the following steps:
encrypting the source address of the access request and the identifier of the service system to form a ciphertext string;
and before determining the source address and the destination address of the access request and the identifier of the service system, the method further includes:
decrypting the ciphertext string of the access request, and executing the subsequent steps only when decryption succeeds.
Preferably, the evaluating the access request of the service system by the application identifier includes:
judging whether the identifier of the service system is present in an identifier whitelist;
and if the identifier of the service system is present in the identifier whitelist and the source address corresponding to the access request is the address of the request initiator, the evaluation passes.
Preferably, the method for determining the identifier whitelist includes:
determining the number of accesses by the service system within a set period according to a historical information record table;
judging whether the number of accesses by the service system within the set period is within a specified range;
and if the number of accesses by the service system within the set period is within the specified range, adding the identifier of the service system to the identifier whitelist.
Preferably, the method further comprises the following steps:
and when the evaluation fails or decryption fails, blocking the access request of the service system, adding the source address corresponding to the access request to a blocking table, and directly blocking, for a set period, any request sent from a source address in the blocking table.
In another aspect, embodiments herein provide a system for dynamic management of firewall policies, the system comprising:
a receiving module: receiving an access request of a service system;
a determination module: determining a source address and a destination address of the access request and an identifier of a service system;
a judging module: judging from the source address and the destination address whether the access request is an unknown access request, or judging from the identifier of the service system whether the service system is a newly added service system, so as to determine whether the access request of the service system is legal;
an evaluation module: if the access request of the service system is illegal, evaluating the access request through an evaluation model or through the application identifier;
an opening module: when the evaluation passes, opening a firewall policy according to the topology of the corresponding service system.
According to the technical scheme provided by the embodiments, whether an access request of a service system is legal is determined by judging the source address, the destination address and the identifier of the service system. An illegal access request is then evaluated automatically through the evaluation model or the application identifier, and a firewall policy is opened for the service system whose access request passes the evaluation, so that its requests can reach the server normally. Manual deployment of the corresponding firewall rules is thereby reduced, evaluation is automated, labour is saved and work efficiency is improved.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments or technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart illustrating a method for dynamically managing firewall policies provided in an embodiment of the present disclosure;
FIG. 2 shows a schematic flow chart for performing an evaluation provided by embodiments herein;
fig. 3 illustrates a flow diagram for determining an identification white list provided by an embodiment herein;
FIG. 4 is a block diagram illustrating a system for dynamically managing firewall policies according to an embodiment of the present disclosure;
fig. 5 shows a schematic structural diagram of a computer device provided in an embodiment herein.
Description of the symbols of the drawings:
100. a receiving module;
200. a determination module;
300. a judgment module;
400. an evaluation module;
500. an opening module;
502. a computer device;
504. a processor;
506. a memory;
508. a drive mechanism;
510. an input/output module;
512. an input device;
514. an output device;
516. a presentation device;
518. a graphical user interface;
520. a network interface;
522. a communication link;
524. a communication bus.
Detailed Description
The technical solutions in the embodiments of the present invention will be described below clearly and completely with reference to the drawings in the embodiments of the present invention, and it is obvious that the embodiments described are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments herein without making any creative effort, shall fall within the scope of protection.
Existing firewalls rely mainly on manual maintenance and static policies: firewall information is collated by hand and openings are implemented through manual change procedures, and when a service system is added, the firewall rules for it must be deployed manually. With the continued development of internet technology, however, firewalls, as the security barrier of the intranet, have grown greatly in both number and security policy entries, which multiplies the workload of operation and maintenance personnel.
In order to solve the above problem, embodiments herein provide a method for dynamically managing a firewall policy, which can reduce the workload of operation and maintenance personnel and improve the work efficiency. Fig. 1 is a schematic diagram of steps of a method for dynamically managing firewall policies provided in an embodiment herein, and the present specification provides the method operation steps as described in the embodiment or the flowchart, but may include more or less operation steps based on conventional or non-inventive labor. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. When an actual system or apparatus product executes, it can execute sequentially or in parallel according to the method shown in the embodiment or the figures.
A firewall separates an internal network from an external network; it is essentially an isolation technology. When an external service system needs to access certain ports of an internal server, the firewall intercepts the service system's access request and judges it, allowing access only after the request has been determined to be legal. A service system is any system that implements a specific function, for example an e-commerce client such as Taobao, a banking client or a Baidu query interface; its access request may be to play a video or to send a link, and the corresponding server ports are the port that serves video playback and the port that accepts links.
Referring to fig. 1, a method for dynamically managing firewall policies includes the following steps:
S101: receiving an access request from a service system.
S102: determining the source address and the destination address of the access request and the identifier of the service system.
S103: judging from the source address and the destination address whether the access request is an unknown access request, or judging from the identifier of the service system whether the service system is a newly added service system, so as to determine whether the access request of the service system is legal.
S104: if the access request of the service system is illegal, evaluating the access request through an evaluation model or through the application identifier.
S105: when the evaluation passes, opening a firewall policy according to the topology of the corresponding service system.
After the access request of the service system is received it is parsed, yielding the source address and the destination address of the access request and the identifier of the service system. Judging these three values determines whether the access request is legal. An illegal access request is evaluated automatically through the evaluation model or the application identifier; for a service system whose request passes the evaluation, a firewall policy is opened, that is, the service system's access is released, so that its access requests can reach the server normally. Manual deployment of the corresponding firewall rules is thereby reduced, evaluation is automated, labour is saved and work efficiency is improved.
The topology of a service system is the set of network devices and link resources, such as switches, hubs and firewalls, that its data flow must traverse. The firewall devices on which a policy must be opened are determined from the topology, and the firewall policy is then opened on each of them.
The access request is transmitted as data packets, and the firewall device performs message parsing: a message-parsing function is added to the firewall device, which inspects the packet header and from it determines the source address and the destination address of the access request and the identifier of the service system.
In addition, a firewall validity-period parameter can be set: for a topology that has carried no access request from its service system for longer than the set time, the corresponding firewall policy is closed automatically. The set time can be defined according to actual requirements. Closing idle openings reduces the opportunity for other, malicious requests to reach the server and improves the robustness and safety of the firewall policy.
In this embodiment, the determining whether the access request is an unknown access request according to the source address and the destination address includes:
judging whether the source address and the destination address of the access request are recorded in the configuration management system;
and if the source address and the destination address of the access request are not recorded in the configuration management system, the access request is an unknown access request.
The configuration management system records address information including an external source address allowing access to the internal server and a server destination address allowing external access. And inquiring whether the source address and the destination address have records in the configuration management system, and if not, proving that the access request is an unknown access request.
In this embodiment, whether the service system is a newly added service system is judged from its identifier. Specifically, the configuration management system records the relevant information of every service system permitted to access, including the identifier and the name of the service system; the identifier of the current service system is looked up in the configuration management system, and if no record is found the service system is a newly added service system.
In this embodiment, if the access request is determined to be an unknown access request, or the service system is determined to be a newly added service system, the access request of the service system is determined to be illegal. An illegal access request is then evaluated through the evaluation model or the application identifier. This automated evaluation reduces manual labour and improves work efficiency.
In this embodiment, before evaluating the access request of the service system through the evaluation model, the method further includes:
determining the message content of the access request.
Evaluating the access request of the service system through the evaluation model includes:
judging whether the access request of the service system conforms to one or a combination of the following conditions:
the source address of the access request is recorded in the corresponding firewall entry.
The destination address of the access request is recorded in the corresponding firewall entry.
The message content of the access request conforms to a specific service rule.
The message content of the access request contains specific keywords.
If the access request meets one or a combination of the above, the evaluation passes.
Specifically, for each firewall, when an access request of a service system passes through the firewall, the firewall records a source address and a destination address of the access request, and records the source address and the destination address into its firewall entry. When the evaluation is performed, the corresponding firewall queries the firewall entry, and determines whether the source address or the destination address of the access request has a record therein.
After an access request of a service system is received, the message content of the access request is identified while the packet header is inspected; specifically this may be the content of the message header. On one hand, the content of the message header may satisfy a specific service rule, for example a rule that bits 3 to 5 of the message header carry a data set with a defined meaning. On the other hand, the content of the message header may contain a specific keyword, for example a specific keyword carried at bit 3 of the message header.
If one of these conditions, or a combination of them, is met, the evaluation passes, so that manual judgement steps are reduced and work efficiency is improved.
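Steps S101 to S105, the configuration-management lookup and the evaluation model above can be expressed together as a small policy engine. The following Python is an example added here and is not code from the patent; the configuration-management contents, firewall entries, topology, rule values and keywords are constructed sample data, and the bit numbering used for the service rule (bit 0 is the least significant bit of the first header byte) is an assumption.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the configuration management system consulted in S103.
CMDB_SOURCES = {"10.1.1.10", "10.1.1.11"}      # external sources allowed to reach internal servers
CMDB_DESTINATIONS = {"192.168.5.20"}           # internal servers allowed to be reached from outside
CMDB_SYSTEMS = {"video-svc", "link-svc"}       # identifiers of registered service systems

# Constructed per-firewall entries: addresses each firewall has recorded when traffic passed it.
FIREWALL_ENTRIES = {
    "fw-edge": {"src": {"10.1.1.10", "10.1.1.30"}, "dst": {"192.168.5.20"}},
    "fw-core": {"src": set(), "dst": {"192.168.5.20", "192.168.5.21"}},
}

# Constructed topology: the firewall devices a flow to each destination traverses, in order.
TOPOLOGY = {"192.168.5.20": ["fw-edge", "fw-core"], "192.168.5.21": ["fw-core"]}

# Hypothetical service rule: bits 3-5 of the first header byte (bit 0 = LSB) must be one of these.
RULE_VALUES = {0b010, 0b011}
# Hypothetical keywords searched for in the message header and body.
KEYWORDS = (b"VIDEO", b"LINK")


@dataclass
class AccessRequest:
    src: str
    dst: str
    service_id: str
    header: bytes
    payload: bytes = b""


@dataclass
class PolicyStore:
    """Opened policies keyed by (firewall, src, dst), with the time the flow was last seen."""
    validity_seconds: float
    opened: dict = field(default_factory=dict)

    def open_for(self, req: AccessRequest, now: float) -> list:
        """S105: open the policy on every firewall in the destination's topology."""
        devices = TOPOLOGY.get(req.dst, [])
        for fw in devices:
            self.opened[(fw, req.src, req.dst)] = now
        return devices

    def expire(self, now: float) -> list:
        """Validity period: close policies idle for longer than validity_seconds."""
        stale = [k for k, seen in self.opened.items() if now - seen > self.validity_seconds]
        for k in stale:
            del self.opened[k]
        return stale


def is_legal(req: AccessRequest) -> bool:
    """S103: legal only if the addresses and the service identifier are all recorded."""
    unknown_request = req.src not in CMDB_SOURCES or req.dst not in CMDB_DESTINATIONS
    new_system = req.service_id not in CMDB_SYSTEMS
    return not (unknown_request or new_system)


def evaluate_model(req: AccessRequest) -> list:
    """Evaluation model: return the names of the conditions met (any one suffices to pass)."""
    hits = []
    for fw in TOPOLOGY.get(req.dst, []):
        entry = FIREWALL_ENTRIES.get(fw, {"src": set(), "dst": set()})
        if req.src in entry["src"]:
            hits.append(f"src-in-{fw}")
        if req.dst in entry["dst"]:
            hits.append(f"dst-in-{fw}")
    if req.header and ((req.header[0] >> 3) & 0b111) in RULE_VALUES:
        hits.append("service-rule")
    if any(k in req.header + req.payload for k in KEYWORDS):
        hits.append("keyword")
    return hits


def process(req: AccessRequest, store: PolicyStore, now: float) -> str:
    """S101-S105 for one request; returns the decision taken."""
    store.expire(now)
    if is_legal(req):
        return "allow"              # recorded in the CMDB: the existing policy applies
    if evaluate_model(req):
        store.open_for(req, now)    # S104 passed: open along the topology
        return "opened"
    return "blocked"


def demo() -> dict:
    store = PolicyStore(validity_seconds=600)
    t0 = 1_700_000_000.0
    known = AccessRequest("10.1.1.10", "192.168.5.20", "video-svc", b"\x18")
    partial = AccessRequest("10.1.1.30", "192.168.5.21", "new-svc", b"\x00")   # only fw-core knows the dst
    hostile = AccessRequest("203.0.113.9", "192.168.5.99", "x", b"\x00", b"junk")
    return {
        "known": process(known, store, t0),
        "partial": process(partial, store, t0),
        "hostile": process(hostile, store, t0),
        "open_count": len(store.opened),
        "expired": len(store.expire(t0 + 601)),
    }


if __name__ == "__main__":
    print(demo())
```

The conditions in evaluate_model are disjunctive, as the patent states. With this sample data any request to 192.168.5.21 passes on the destination match alone, which illustrates why a deployment would normally require a combination of conditions rather than any single one.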
Preferably, the method further comprises the following steps:
encrypting the source address of the access request and the identifier of the service system to form a ciphertext string.
Before determining the source address and the destination address of the access request and the identifier of the service system, the method further includes:
decrypting the ciphertext string of the access request, and executing the subsequent steps only when decryption succeeds.
Optionally, before the service system initiates the access request, the source address of the access request and the identifier of the service system are encrypted into a ciphertext string. When an access request of a service system is received, its ciphertext string must therefore be decrypted first; only after successful decryption can the source address, the destination address and the identifier of the service system be determined and the subsequent steps performed. The ciphertext string protects the address and identifier information in transit, reducing errors that could otherwise arise in the subsequent evaluation and improving evaluation accuracy.
Specifically, to protect the ciphertext string and prevent blocked abnormal access from passing the firewall through illegal tampering with information such as the service system identifier, the ciphertext string is generated with a fresh key for every request, in the manner of a one-time pad: each time a request passes a firewall, a new ciphertext string is produced under a new key.
Because each key is used once, a key that leaks is already invalid and has no further effect, which makes the ciphertext string hard to break and improves its security. Encryption and decryption use a symmetric algorithm such as AES or SM4, and the key string is obtained by generating a random number that meets the key-length requirement of the algorithm. Each service system and the firewall device maintain their own random number table, and the random number is generated by an algorithm based on system time, so that with the clocks fully synchronised the service system and the firewall device generate the same random number. Two caveats follow from this design: the scheme is per-request key rotation under a block cipher rather than a true one-time pad, so it is the cipher's strength, not the pad property, that resists cryptanalysis; and a generator driven only by the clock is reproducible by anyone who knows the algorithm and the approximate time, so the generation must depend on something the two parties keep secret.
When a random number is generated, a random number sequence number and a flag bit are generated with it: the sequence number uniquely identifies the random number, and the flag bit records whether it has been used. The random number, the sequence number and the flag bit are stored in the random number table. Only the sequence number is transmitted with the access request; the receiver looks up the random number table by sequence number to obtain the corresponding random number. If the flag bit shows the number unused, the random number is used to decrypt and obtain the plaintext, and the flag bit is then set to used; a sequence number whose flag is already set is not decrypted again, which prevents a captured request from being replayed. In this way the security of the firewall policy is improved.
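The random number table and ciphertext string described above, as an example added here and not the patent's own code. The time-slot length, the HMAC-based derivation and the shared secret are assumptions: the patent describes time-based generation only, and a secret is mixed in because a value derived from the public clock alone could be recomputed by any observer. The patent names AES or SM4 as the cipher; to keep the example dependency-free the cipher is replaced by an HMAC-SHA256 keystream with an authentication tag, which also turns the "garbled output" failure case into a definite rejection.

```python
import hashlib
import hmac
import json
from typing import Optional

TIME_SLOT_SECONDS = 60   # assumption: one random number per minute of synchronised time
KEY_LEN = 32             # key-length requirement of the cipher (32 bytes for AES-256; SM4 would need 16)

# Constructed shared secret. The patent derives the random number from system time alone; the
# secret is an addition here, because a clock-only generator can be recomputed by any observer.
SHARED_SEED = b"constructed-shared-seed-for-example-only"


def derive_random_number(shared_seed: bytes, system_time: float) -> tuple:
    """Time-based generation: both parties compute the same value for the same time slot.
    Returns (sequence_number, random_number); the slot index serves as the sequence number."""
    slot = int(system_time // TIME_SLOT_SECONDS)
    value = hmac.new(shared_seed, slot.to_bytes(8, "big"), hashlib.sha256).digest()[:KEY_LEN]
    return slot, value


def build_table(shared_seed: bytes, start_time: float, count: int) -> dict:
    """Random number table: sequence number -> {value, used flag}."""
    table = {}
    for i in range(count):
        seq, value = derive_random_number(shared_seed, start_time + i * TIME_SLOT_SECONDS)
        table[seq] = {"value": value, "used": False}
    return table


def _keystream(key: bytes, length: int) -> bytes:
    """Stand-in for the AES/SM4 cipher named by the patent: an HMAC-SHA256 counter stream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _tag(key: bytes, seq: int, ct: bytes) -> bytes:
    """Authentication tag so that tampering is detected as a definite decryption failure."""
    return hmac.new(key, b"mac" + seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()


def encrypt_request(table: dict, seq: int, src: str, service_id: str) -> dict:
    """Service system side: form the ciphertext string; only the sequence number travels in clear."""
    entry = table[seq]
    plaintext = json.dumps({"src": src, "sid": service_id}).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(entry["value"], len(plaintext))))
    entry["used"] = True
    return {"seq": seq, "ct": ct.hex(), "tag": _tag(entry["value"], seq, ct).hex()}


def decrypt_request(table: dict, msg: dict) -> Optional[dict]:
    """Firewall side: look up the random number by sequence number, refuse a used one, decrypt."""
    entry = table.get(msg["seq"])
    if entry is None or entry["used"]:
        return None                                   # unknown sequence number or replay
    ct = bytes.fromhex(msg["ct"])
    if not hmac.compare_digest(_tag(entry["value"], msg["seq"], ct), bytes.fromhex(msg["tag"])):
        return None                                   # tampered: treated as decryption failure
    plaintext = bytes(a ^ b for a, b in zip(ct, _keystream(entry["value"], len(ct))))
    entry["used"] = True                              # flag bit set after first successful use
    return json.loads(plaintext)


def demo() -> dict:
    t0 = 1_700_000_000.0
    service_table = build_table(SHARED_SEED, t0, 3)    # each side maintains its own table
    firewall_table = build_table(SHARED_SEED, t0, 3)
    tables_match = all(service_table[s]["value"] == firewall_table[s]["value"] for s in service_table)

    seq1, seq2 = sorted(service_table)[:2]
    msg1 = encrypt_request(service_table, seq1, "10.1.1.10", "video-svc")
    first = decrypt_request(firewall_table, msg1)
    replay = decrypt_request(firewall_table, msg1)     # same sequence number presented again

    msg2 = encrypt_request(service_table, seq2, "10.1.1.10", "video-svc")
    ct = bytearray.fromhex(msg2["ct"])
    ct[0] ^= 0x01                                      # attacker flips one bit of the ciphertext
    tampered = decrypt_request(firewall_table, {**msg2, "ct": ct.hex()})
    return {"tables_match": tables_match, "first": first, "replay": replay, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The replay case is the one the flag bit exists for: the same sequence number arrives twice and the second copy is refused before any decryption. The tampered case shows why a tag is worth adding on top of the patent's scheme; without it, a flipped bit yields a garbled plaintext that the receiver has to recognise heuristically.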
Referring to fig. 2, in this embodiment, evaluating the access request of the service system through the application identifier includes:
S1041: judging whether the identifier of the service system is present in the identifier whitelist.
S1042: if the identifier of the service system is present in the identifier whitelist and the source address corresponding to the access request is the address of the request initiator, the evaluation passes.
Specifically, the identifier whitelist records the names and identifiers of the service systems that are allowed to access the server. To keep it accurate, the identifier whitelist is synchronised periodically with the configuration management system: the configuration management system is kept up to date with service system information through manual maintenance, and the updated information is synchronised into the identifier whitelist at regular intervals, improving the accuracy of whitelist evaluation.
The request initiator address is generally held by the network device that received the request. Because the source address carried in the request can be tampered with maliciously, the carried source address is compared with the initiator address recorded by the network device, and the two must match.
Referring to fig. 3, the method for determining the identifier whitelist further includes:
S1043: determining the number of accesses by the service system within a set period according to a historical information record table.
S1044: judging whether the number of accesses by the service system within the set period is within a specified range.
S1045: if the number of accesses by the service system within the set period is within the specified range, adding the identifier of the service system to the identifier whitelist.
Specifically, the historical information record table records the service systems that have accessed the server over a past interval, holding for each service system its most recent access event and its number of accesses within the set period. A service system whose access count in the set period falls within the specified range is added to the identifier whitelist; for example, with a specified range of 2 to 20 accesses per hour, system A with 5 accesses in an hour falls within the range and is added. As to choosing the range: fewer than 2 accesses in an hour can be regarded as a service system access error, and more than 20 as malicious access, so a service system within the range is taken to have a normal access demand.
Embodiments herein further include:
when the evaluation fails or decryption fails, blocking the access request of the service system, adding the source address corresponding to the access request to a blocking table, and directly blocking, for a set period, any request sent from a source address in the blocking table.
Specifically, the access request of the service system is blocked when its evaluation through the evaluation model or the application identifier fails, or when decryption fails; decryption failure covers both the case where no plaintext can be recovered and the case where decryption yields garbled output. Because evaluation and judgement consume considerable computing resources, the source address corresponding to the access request is added to the blocking table, and any further access request from the same source address within the set period is blocked directly without going through the evaluation process, saving computing resources and improving work efficiency.
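The identifier whitelist, the initiator-address comparison and the blocking table from the passages above, as an example added here and not the patent's own code. The history table, the addresses and the five-minute block period are constructed; keying the block table on the initiator address observed by the network device rather than on the carried source field is a design choice made in this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

PERIOD_SECONDS = 3600
MIN_ACCESSES, MAX_ACCESSES = 2, 20    # the patent's example range: 2 to 20 accesses per hour

T0 = 1_700_000_000
# Constructed historical information record table: (service identifier, access timestamp).
HISTORY = (
    [("system-a", T0 + i * 600) for i in range(5)]      # 5 accesses in the hour: normal demand
    + [("system-b", T0)]                                # 1 access: treated as an access error
    + [("system-c", T0 + i * 100) for i in range(36)]   # 36 accesses: treated as malicious
)


def build_whitelist(history, period_end: int, period: int = PERIOD_SECONDS) -> set:
    """S1043-S1045: whitelist the identifiers whose access count in the period is within range."""
    counts = defaultdict(int)
    for service_id, ts in history:
        if period_end - period <= ts <= period_end:
            counts[service_id] += 1
    return {sid for sid, n in counts.items() if MIN_ACCESSES <= n <= MAX_ACCESSES}


def evaluate_identifier(service_id: str, claimed_src: str, initiator_src: str, whitelist: set) -> bool:
    """S1041-S1042: identifier on the whitelist and the carried source address equals the
    initiator address recorded by the network device (defeats a spoofed source field)."""
    return service_id in whitelist and claimed_src == initiator_src


@dataclass
class BlockTable:
    block_seconds: float
    blocked: dict = field(default_factory=dict)   # source address -> time the block lapses

    def is_blocked(self, src: str, now: float) -> bool:
        until = self.blocked.get(src)
        if until is None:
            return False
        if now >= until:
            del self.blocked[src]                 # set period elapsed: evaluate again next time
            return False
        return True

    def block(self, src: str, now: float) -> None:
        self.blocked[src] = now + self.block_seconds


def handle(service_id, claimed_src, initiator_src, whitelist, table: BlockTable, now: float) -> str:
    """Fast-path block for listed sources, otherwise evaluate and block on failure.
    The address placed in the block table is the initiator address observed by the network
    device, not the claimed one, so a forged source field cannot get a legitimate system blocked."""
    if table.is_blocked(initiator_src, now):
        return "blocked-fast"                     # no evaluation spent on a listed source
    if evaluate_identifier(service_id, claimed_src, initiator_src, whitelist):
        return "pass"
    table.block(initiator_src, now)
    return "blocked"


def demo() -> dict:
    whitelist = build_whitelist(HISTORY, T0 + PERIOD_SECONDS)
    table = BlockTable(block_seconds=300)
    now = T0 + PERIOD_SECONDS
    return {
        "whitelist": sorted(whitelist),
        "legit": handle("system-a", "10.1.1.10", "10.1.1.10", whitelist, table, now),
        "spoofed": handle("system-a", "10.1.1.10", "203.0.113.9", whitelist, table, now),
        "repeat": handle("system-a", "203.0.113.9", "203.0.113.9", whitelist, table, now + 10),
        "after_expiry": handle("system-a", "203.0.113.9", "203.0.113.9", whitelist, table, now + 300),
        "overactive": handle("system-c", "10.1.1.12", "10.1.1.12", whitelist, table, now),
    }


if __name__ == "__main__":
    print(demo())
```

Only system-a lands on the whitelist: system-b falls below the lower bound and system-c above the upper one. The spoofed request carries a whitelisted identifier and a whitelisted source field but arrives from a different initiator, so the comparison in S1042 fails and the real initiator goes into the block table; its next request is refused without evaluation until the set period lapses.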
Based on the above method for dynamically managing firewall policies, the embodiments herein further provide a device for dynamically managing firewall policies. The apparatus may include systems (including distributed systems), software (applications), modules, components, servers, clients, etc. that employ the methods described herein in embodiments, in conjunction with any necessary apparatus to implement the hardware. Based on the same innovative concepts, embodiments herein provide an apparatus as described in the following embodiments. Since the implementation scheme of the apparatus for solving the problem is similar to that of the method, the specific apparatus implementation in the embodiment of the present disclosure may refer to the implementation of the foregoing method, and repeated details are not repeated. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware or a combination of software and hardware is also possible and contemplated.
Specifically, fig. 4 is a schematic block diagram of an embodiment of a system for dynamically managing firewall policies provided in an embodiment of the present disclosure. Referring to fig. 4, the system includes: a receiving module 100, a determination module 200, a judging module 300, an evaluation module 400 and an opening module 500.
The receiving module 100: an access request for a business system is received.
The determination module 200: determining the source address and the destination address of the access request and the identifier of the service system.
The judging module 300: judging from the source address and the destination address whether the access request is an unknown access request, or judging from the identifier of the service system whether the service system is a newly added service system, so as to determine whether the access request of the service system is legal.
The evaluation module 400: if the access request of the service system is illegal, evaluating the access request through an evaluation model or through the application identifier.
The opening module 500: when the evaluation passes, opening a firewall policy according to the topology of the corresponding service system.
In an embodiment herein, referring to fig. 5, a computer device 502 is also provided. The computer device 502 may include one or more processors 504, such as one or more Central Processing Units (CPUs) or Graphics Processing Units (GPUs), each of which may implement one or more hardware threads. The computer device 502 may also include any memory 506 for storing any kind of information, such as code, settings, data, etc., and in a particular embodiment a computer program stored on the memory 506 and executable on the processor 504, which computer program, when executed by the processor 504, may perform the instructions of the above-described method. For example, and without limitation, the memory 506 may include any one or more of the following in combination: any type of RAM, any type of ROM, flash memory devices, hard disks, optical disks, etc. More generally, any memory may use any technology to store information. Further, any memory may provide volatile or non-volatile retention of information. Further, any memory may represent fixed or removable components of the computer device 502. In one case, when the processor 504 executes the associated instructions, which are stored in any memory or combination of memories, the computer device 502 can perform any of the operations of the associated instructions. The computer device 502 also includes one or more drive mechanisms 408, such as a hard disk drive mechanism, an optical disk drive mechanism, etc., for interacting with any memory.
Corresponding to the methods in fig. 1-3, the embodiments herein also provide a computer-readable storage medium having stored thereon a computer program, which, when executed by a processor, performs the steps of the above-described method.
Embodiments herein also provide computer-readable instructions which, when executed by a processor, cause the processor to perform the method shown in fig. 1-3.
It should be understood that, in various embodiments herein, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments herein.
It should also be understood that, in the embodiments herein, the term "and/or" is only one kind of association relation describing an associated object, meaning that three kinds of relations may exist. For example, a and/or B, may represent: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and that the components and steps of the examples have been described above in general functional terms in order to illustrate clearly the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and the design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided herein, it should be understood that the disclosed system, apparatus, and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may also be an electrical, mechanical or other form of connection.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purposes of the embodiments herein.
In addition, functional units in the embodiments herein may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present invention may be implemented in a form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The principles and embodiments of this document are explained herein using specific examples, which are presented only to aid in understanding the methods and their core concepts. Meanwhile, for persons of ordinary skill in the art, changes may be made to the specific implementation and the scope of application according to the ideas of this document. In summary, this description should not be understood as limiting this document.
Claims (7)
1. A method for dynamically managing firewall policies, comprising:
the service system generates a random number, a random number sequence number and a flag bit, wherein the random number sequence number uniquely identifies the corresponding random number, and the flag bit indicates whether the random number has been used;
the service system encrypts the source address and the destination address of the access request and the identifier of the service system according to the random number to form a ciphertext string; the access request comprises the ciphertext string and the random number sequence number;
the firewall device receives the access request of the service system; the firewall device determines the random number according to the random number sequence number;
if the firewall device determines that the flag bit corresponding to the random number indicates that the random number is unused, the ciphertext string of the access request is decrypted according to the random number; when the decryption succeeds, the source address, the destination address and the identifier of the service system of the access request are determined, and the flag bit corresponding to the random number is set to used;
the firewall device judges whether the access request is an unknown access request according to the source address and the destination address, or judges whether the service system is a newly added service system according to the identifier of the service system, so as to determine whether the access request of the service system is legal;
if the firewall device determines that the access request of the service system is illegal, the firewall device evaluates the access request of the service system through an evaluation model or an application identifier;
when the evaluation is passed, the firewall device opens a firewall policy according to the topological structure of the corresponding service system;
wherein, evaluating the access request of the service system by an evaluation model comprises:
judging whether the access request of the service system conforms to one or a combination of the following conditions:
the source address of the access request is recorded in the corresponding firewall entry;
the destination address of the access request is recorded in the corresponding firewall entry;
the message content of the access request conforms to a specific service rule;
the message content of the access request contains specific keywords;
if the access request meets one or a combination of the above, the evaluation passes.
2. The method of claim 1, wherein the judging, by the firewall device, whether the access request is an unknown access request according to the source address and the destination address comprises:
the firewall device judges whether the source address and the destination address of the access request are recorded in a configuration management system;
if the source address and the destination address of the access request are not recorded in the configuration management system, the access request is an unknown access request.
3. The method of claim 1, wherein before the firewall device evaluates the access request of the service system through an evaluation model, the method further comprises:
determining the message content of the access request.
4. The method of claim 1, wherein the firewall device evaluating the access request of the service system through an application identifier comprises:
the firewall device judges whether the identifier of the service system is an identifier existing in an identifier white list;
if the identifier of the service system is an identifier existing in the identifier white list and the source address corresponding to the access request is the address of the request initiator, the evaluation is passed.
5. The method of claim 4, wherein determining the identifier white list comprises:
determining the number of accesses of the service system in a set period according to a historical information record table;
judging whether the number of accesses of the service system in the set period is within a specified range;
if the number of accesses of the service system in the set period is within the specified range, adding the identifier of the service system to the identifier white list.
6. The method of claim 1, wherein the method further comprises:
when the evaluation fails or the decryption fails, blocking the access request of the service system, adding the source address corresponding to the access request to a blocking table, and directly blocking requests sent from source addresses in the blocking table within a set period.
7. A system for dynamic management of firewall policies, the system comprising:
a service system:
the service system generates a random number, a random number sequence number and a flag bit, wherein the random number sequence number uniquely identifies the corresponding random number, and the flag bit indicates whether the random number has been used;
the service system encrypts the source address and the destination address of the access request and the identifier of the service system according to the random number to form a ciphertext string; the access request comprises the ciphertext string and the random number sequence number;
a firewall device, the firewall device comprising:
a receiving module: receiving the access request of the service system;
a determining module: determining the random number according to the random number sequence number; if the firewall device determines that the flag bit corresponding to the random number indicates that the random number is unused, the ciphertext string of the access request is decrypted according to the random number; when the decryption succeeds, the source address, the destination address and the identifier of the service system of the access request are determined, and the flag bit corresponding to the random number is set to used;
a judging module: judging whether the access request is an unknown access request according to the source address and the destination address, or judging whether the service system is a newly added service system according to the identifier of the service system, so as to determine whether the access request of the service system is legal;
an evaluating module: if the firewall device determines that the access request of the service system is illegal, the firewall device evaluates the access request of the service system through an evaluation model or an application identifier; wherein evaluating the access request of the service system through an evaluation model comprises judging whether the access request of the service system conforms to one or a combination of the following conditions: the source address of the access request is recorded in the corresponding firewall entry; the destination address of the access request is recorded in the corresponding firewall entry; the message content of the access request conforms to a specific service rule; the message content of the access request contains specific keywords; if the access request meets one or a combination of the above, the evaluation is passed;
an opening module: when the evaluation is passed, the firewall device opens a firewall policy according to the topological structure of the corresponding service system.
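The following Python model is an added example, not code from the patent: it walks through the request flow of claims 1-7 and the module layout of fig. 4, with a service system that builds a request carrying a one-time random number and a firewall that decrypts, checks the flag bit, judges legality, evaluates, opens a policy or blocks. The cipher (SHA-256 keystream plus HMAC tag), the network-layer `peer` address used for the "request initiator" check, the table layouts and all sample addresses are assumptions, since the patent names none of them.

```python
import hashlib, hmac, json, secrets

def xor_with_keystream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher keyed by the random number (assumption: the patent
    does not name a cipher). Encrypting and decrypting are the same operation."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class ServiceSystem:
    """Service-system side of claim 1: random number, sequence number, flag bit."""
    def __init__(self, ident: str, nonce_table: dict):
        self.ident, self.nonce_table = ident, nonce_table  # table shared with the firewall

    def build_request(self, src: str, dst: str, message: str) -> dict:
        rand, seq = secrets.token_bytes(16), secrets.token_hex(8)
        self.nonce_table[seq] = {"rand": rand, "used": False}   # flag bit = unused
        plain = json.dumps({"src": src, "dst": dst, "id": self.ident}).encode()
        ct = xor_with_keystream(rand, plain)
        tag = hmac.new(rand, ct, "sha256").digest()  # lets the firewall detect a failed decrypt
        return {"seq": seq, "ct": ct + tag, "message": message}

class Firewall:
    """Firewall side of claims 1-6. Every table passed in is constructed sample data."""
    def __init__(self, nonce_table, cmdb_pairs, known_ids, fw_entries, id_whitelist, keywords):
        self.nonce_table, self.cmdb_pairs, self.known_ids = nonce_table, cmdb_pairs, known_ids
        self.fw_entries, self.id_whitelist, self.keywords = fw_entries, id_whitelist, keywords
        self.block_table = set()   # sources blocked for the set period (claim 6)
        self.policies = []         # (src, dst) pairs for which a policy was opened

    def handle(self, req: dict, peer: str) -> str:
        if peer in self.block_table:
            return "blocked"             # claim 6: blocked sources are dropped directly
        entry = self.nonce_table.get(req["seq"])
        if entry is None or entry["used"]:
            return self._block(peer)     # unknown or replayed sequence number
        ct, tag = req["ct"][:-32], req["ct"][-32:]
        if not hmac.compare_digest(hmac.new(entry["rand"], ct, "sha256").digest(), tag):
            return self._block(peer)     # decryption failed
        entry["used"] = True             # flag bit -> used, so the same seq cannot replay
        fields = json.loads(xor_with_keystream(entry["rand"], ct))
        src, dst, ident = fields["src"], fields["dst"], fields["id"]
        unknown = (src, dst) not in self.cmdb_pairs    # claim 2: not in the CMDB
        new_system = ident not in self.known_ids       # newly added service system
        if not (unknown or new_system):
            return "allow"               # legal request; no policy change needed
        model_ok = self._model_passes(src, dst, req["message"])
        ident_ok = ident in self.id_whitelist and src == peer   # claim 4
        if model_ok or ident_ok:
            self.policies.append((src, dst))   # open policy; topology assumed to be src->dst
            return "policy-opened"
        return self._block(peer)

    def _model_passes(self, src: str, dst: str, message: str) -> bool:
        # Claim 1 evaluation model: any one condition suffices (service rule folded into keywords)
        return (src in self.fw_entries or dst in self.fw_entries
                or any(k in message for k in self.keywords))

    def _block(self, peer: str) -> str:
        self.block_table.add(peer)
        return "blocked"

def build_whitelist(history: dict, low: int, high: int) -> set:
    """Claim 5: whitelist identifiers whose access count in the period lies in range."""
    return {ident for ident, count in history.items() if low <= count <= high}
```

Replaying the same request a second time hits the used flag bit and lands the peer in the block table; a request whose decrypted source differs from the delivering peer fails the identifier path even when the identifier is whitelisted.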
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110464930.2A CN113162943B (en) | 2021-04-28 | 2021-04-28 | Method and system for dynamically managing firewall policy |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113162943A CN113162943A (en) | 2021-07-23 |
CN113162943B true CN113162943B (en) | 2023-01-31 |
Family
ID=76872000
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110464930.2A Active CN113162943B (en) | 2021-04-28 | 2021-04-28 | Method and system for dynamically managing firewall policy |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113162943B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113992369B (en) * | 2021-10-18 | 2023-07-18 | 北京天融信网络安全技术有限公司 | Topology management method and system for network security equipment |
CN115001964B (en) * | 2022-05-19 | 2023-08-22 | 中国人民银行数字货币研究所 | Method and device for managing firewall |
CN115622808B (en) * | 2022-12-13 | 2023-05-23 | 北京市大数据中心 | Method for secure isolation, electronic device, computer readable medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107979615A (en) * | 2018-01-05 | 2018-05-01 | 新华三信息安全技术有限公司 | Message encryption transmission, authentication method, device, client and fire wall |
CN108810017A (en) * | 2018-07-12 | 2018-11-13 | 中国工商银行股份有限公司 | Business processing safe verification method and device |
CN110875907A (en) * | 2018-08-31 | 2020-03-10 | 阿里巴巴集团控股有限公司 | Access request control method and device |
CN111355721A (en) * | 2020-02-25 | 2020-06-30 | 深信服科技股份有限公司 | Access control method, device, equipment and system and storage medium |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7877795B2 (en) * | 2006-10-30 | 2011-01-25 | At&T Intellectual Property I, Lp | Methods, systems, and computer program products for automatically configuring firewalls |
CN106302371B (en) * | 2015-06-12 | 2019-06-28 | 北京网御星云信息技术有限公司 | A kind of firewall control method and system based on subscriber service system |
US10237240B2 (en) * | 2016-07-21 | 2019-03-19 | AT&T Global Network Services (U.K.) B.V. | Assessing risk associated with firewall rules |
US10951582B2 (en) * | 2018-02-09 | 2021-03-16 | Comcast Cable Communications, Llc | Dynamic firewall configuration |
Also Published As
Publication number | Publication date |
---|---|
CN113162943A (en) | 2021-07-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |