CN114285657B - Firewall security policy change verification method and device - Google Patents

Publication number: CN114285657B (application CN202111623959.7A; other version: CN114285657A)
Authority: CN (China)
Legal status: Active
Original language: Chinese (zh)
Inventors: 张倩倩, 周明月, 宋浩, 夏刚
Assignee (original and current): Industrial and Commercial Bank of China Ltd (ICBC)
Prior art keywords: security policy, firewall security, firewall, policy change, change
Landscape: Computer And Data Communications (AREA)
Abstract

The embodiments of the present application provide a firewall security policy change verification method and device, which can be used in the financial field. The method comprises the following steps: monitoring firewall security policy change information, and executing the corresponding firewall security policy change operation according to the firewall type and configuration mode in that change information; acquiring the corresponding original firewall security policy according to the change information, and performing associated-object comparison verification between the original firewall security policy and the change information; if the associated objects pass the comparison verification, judging that the firewall security policy change operation succeeded, otherwise feeding back that it failed. The application can verify changes to the firewall security policy automatically, accurately and efficiently.

Description

Firewall security policy change verification method and device
Technical Field
The present application relates to the field of network security protection and can also be used in the financial field; in particular, it relates to a firewall security policy change verification method and device.
Background
Firewalls are a common network security protection technique and are deployed in large numbers in data center networks. A data center network is generally divided into different zones according to function and data sensitivity, and the many software and hardware firewall devices deployed between these zones form a security barrier against internal and external network attacks, effectively reducing security risks such as unauthorized access, data leakage and malicious attacks. As data center networks and firewall deployments grow, the network access of business systems becomes more and more complex; at the same time, as new applications go into production and business applications and system platforms are migrated and transformed, firewall security policy management has become a major pain point for operation and maintenance personnel.
At present, after a firewall security policy is changed, verification mainly consists of entering a query command and comparing its output with the content of the security policy change. The procedure is roughly as follows:
1. Log in to the corresponding firewall device (or management platform).
2. Enter the firewall security policy query command and verify whether each object (including the address object, service object, execution action, effective time, etc.) is consistent with the content of the firewall security policy change.
3. If the firewall security policy is verified to be consistent with the change content, the change succeeded; otherwise the change failed, and the corresponding change content is manually executed again and verified again.
The inventors find that the prior art involves a great deal of manual operation and judgment. In addition, because the key network equipment of a data center is heterogeneous, the verification output differs enormously between firewall brands and software platforms, so manual operation is prone to omissions and errors, and manual verification is inefficient.
Disclosure of Invention
To address the problems in the prior art, the present application provides a firewall security policy change verification method and device, which can verify changes to the firewall security policy automatically, accurately and efficiently.
In order to solve at least one of the problems, the present application provides the following technical scheme:
In a first aspect, the present application provides a firewall security policy change verification method, including:
monitoring firewall security policy change information, and executing the corresponding firewall security policy change operation according to the firewall type and configuration mode in the firewall security policy change information;
acquiring the corresponding original firewall security policy according to the firewall security policy change information, and performing associated-object comparison verification between the original firewall security policy and the firewall security policy change information;
if the associated objects pass the comparison verification, judging that the firewall security policy change operation succeeded, otherwise feeding back that the firewall security policy change operation failed.
Further, monitoring the firewall security policy change information includes:
adding a hardware device tag and a version information tag to each change step in the monitored firewall security policy change information.
Further, executing the corresponding firewall security policy change operation according to the firewall type and configuration mode in the firewall security policy change information includes:
if the firewall type in the firewall security policy change information is a hardware firewall, calling the corresponding device configuration interface according to the hardware device tag and the version information tag to execute the corresponding firewall security policy change operation;
and if the firewall type in the firewall security policy change information is a software firewall, calling the software program interface corresponding to each change step to execute the corresponding firewall security policy change operation.
Further, obtaining the corresponding original firewall security policy according to the firewall security policy change information, and performing associated-object comparison verification between the original firewall security policy and the firewall security policy change information, includes:
invoking the software or hardware firewall query interface corresponding to the firewall security policy change information to acquire the corresponding original firewall security policy;
and judging whether the associated objects in the original firewall security policy are consistent with the associated objects in the firewall security policy change information.
Further, judging that the firewall security policy change operation succeeded if the associated objects pass the comparison verification, and otherwise feeding back that the firewall security policy change operation failed, includes:
if the associated objects in the original firewall security policy are consistent with the associated objects in the firewall security policy change information, judging that the firewall security policy change operation succeeded;
and if the associated-object comparison verification does not pass, re-executing the firewall security policy change operation, re-executing the associated-object comparison verification after the change operation completes, and feeding back that the firewall security policy change operation failed when the associated-object comparison verification fails twice in succession.
Further, judging that the firewall security policy change operation succeeded if the associated objects pass the comparison verification, and otherwise feeding back that the firewall security policy change operation failed, further includes:
collecting and recording an operation execution log and the change operation result of the firewall security policy change operation, and sending the operation execution log and the change operation result to an operation and maintenance end.
In a second aspect, the present application provides a firewall security policy change verification device, including:
The policy change execution module is used for monitoring firewall security policy change information and executing corresponding firewall security policy change operation according to the firewall type and configuration mode in the firewall security policy change information;
The comparison verification module is used for acquiring a corresponding original firewall security policy according to the firewall security policy change information, and carrying out associated object comparison verification according to the original firewall security policy and the firewall security policy change information;
and the verification result module is used for judging that the firewall security policy change operation succeeded if the associated objects pass the comparison verification, and otherwise feeding back that the firewall security policy change operation failed.
In a third aspect, the present application provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the steps of the firewall security policy change verification method when executing the program.
In a fourth aspect, the present application provides a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the firewall security policy change verification method.
In a fifth aspect, the present application provides a computer program product comprising computer programs/instructions which when executed by a processor implement the steps of the firewall security policy change verification method.
In the technical scheme above, the firewall security policy change verification method and device provided by the present application execute the corresponding firewall security policy change operation accurately by monitoring the different firewall security policy change information, perform associated-object comparison verification of the change operation against the original firewall security policy, and judge the success of the change operation according to that comparison verification, so that changes to the firewall security policy can be verified automatically, accurately and efficiently.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a method for verifying a firewall security policy change according to an embodiment of the application;
FIG. 2 is a second flowchart of a method for verifying a security policy change of a firewall according to an embodiment of the application;
FIG. 3 is a third flowchart illustrating a method for verifying a firewall security policy change according to an embodiment of the application;
FIG. 4 is a flowchart illustrating a method for verifying a security policy change of a firewall according to an embodiment of the application;
FIG. 5 is a block diagram of a firewall security policy change verification device according to an embodiment of the application;
FIG. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Considering that the prior art involves a great deal of manual operation and judgment, that the verification output differs enormously because of the heterogeneous key network equipment of data centers and the differences between firewall brands and software platforms, that manual operation is prone to omissions and errors, and that manual verification is inefficient, the present application provides a firewall security policy change verification method and device.
In order to automatically, accurately and efficiently verify the change of the firewall security policy, the application provides an embodiment of a firewall security policy change verification method, referring to fig. 1, the firewall security policy change verification method specifically includes the following contents:
step S101: and monitoring firewall security policy change information, and executing corresponding firewall security policy change operation according to the firewall type and configuration mode in the firewall security policy change information.
Optionally, the present application can monitor, identify and collect the security policy change information of software and hardware firewalls on different platforms through various existing channels (including automatic tool generation and manual authoring); the security policy change information comprises each change step of the firewall security policy.
Optionally, the present application can add labels to each change step in the monitored firewall security policy change information. For a software firewall the labels identify the different change steps; for a hardware firewall, hardware device labels and version information labels can additionally be added. These labels make the subsequent execution of the change operation more targeted and accurate.
Optionally, according to the firewall type (software firewall or hardware firewall) in the firewall security policy change information, the present application can further combine the above labels to determine the specific configuration mode, so as to execute the corresponding firewall security policy change operation accurately.
Specifically, if the firewall type is a hardware firewall, the present application can call the corresponding device configuration interface, selected according to the hardware device tag and the version information tag, to execute the corresponding firewall security policy change operation.
If the firewall type is a software firewall, the present application can execute the corresponding firewall security policy change operation by calling, through a RESTful API, the software program interface corresponding to each change step.
Step S102: and acquiring a corresponding original firewall security policy according to the firewall security policy change information, and performing associated object comparison verification according to the original firewall security policy and the firewall security policy change information.
Optionally, the present application can obtain the corresponding original firewall security policy according to the firewall security policy change information, that is, the firewall's original security policy before the change. It will be understood that the original firewall security policy contains original associated objects, where the associated objects include but are not limited to the address object, service object, execution action and effective time; the associated objects may also contain other parameters related to the firewall configuration.
Optionally, by comparing and verifying the associated objects of the original firewall security policy against those of the firewall security policy change information, the present application can determine whether the associated objects changed between before and after the change operation, and thereby whether the change operation succeeded.
Optionally, the present application can query the original security policy of the relevant firewall and its associated objects by calling the software or hardware firewall query interface.
Step S103: if the associated objects pass the comparison verification, judging that the firewall security policy change operation succeeded, otherwise feeding back that the firewall security policy change operation failed.
As can be seen from the above description, the firewall security policy change verification method provided by the embodiment of the application executes the corresponding firewall security policy change operation accurately by monitoring the different firewall security policy change information, performs associated-object comparison verification of the change operation against the original firewall security policy, and determines whether the change operation succeeded according to that comparison verification, so that changes to the firewall security policy can be verified automatically, accurately and efficiently.
In order to facilitate the security policy change operation on different firewalls, in an embodiment of the firewall security policy change verification method of the present application, the step S101 may further specifically include the following:
And adding a hardware device tag and a version information tag to each change step in the monitored firewall security policy change information.
In order to accurately perform the security policy change operation on different firewalls, in an embodiment of the firewall security policy change verification method of the present application, referring to fig. 2, the step S101 may further specifically include the following:
Step S201: and if the firewall type in the firewall security policy changing information is a hardware firewall, calling a corresponding equipment configuration interface to execute corresponding firewall security policy changing operation according to the hardware equipment tag and the version information tag.
Step S202: and if the firewall type in the firewall security policy changing information is a software firewall, calling a software program interface corresponding to each changing step to execute corresponding firewall security policy changing operation.
In order to accurately verify the accuracy of the change operation, in an embodiment of the firewall security policy change verification method of the present application, referring to fig. 3, the step S102 may further specifically include the following:
Step S301: and calling a software and hardware firewall query interface corresponding to the firewall security policy change information to acquire a corresponding original firewall security policy.
Step S302: and judging whether the associated object in the original firewall security policy is consistent with the associated object in the firewall security policy change information.
Optionally, by comparing and verifying the associated objects of the original firewall security policy against those of the firewall security policy change information (that is, checking whether the associated objects are consistent before and after the change operation), the present application can determine whether the associated objects changed, and thereby whether the change operation succeeded.
In order to make the comparison verification result more accurate, in an embodiment of the firewall security policy change verification method of the present application, referring to fig. 4, the step S103 may further specifically include the following:
Step S401: and if the associated object in the original firewall security policy is consistent with the associated object in the firewall security policy change information, judging that the firewall security policy change operation is successful.
Step S402: and if the comparison verification of the association object does not pass, re-executing the firewall security policy changing operation, re-executing the comparison verification of the association object after the firewall security policy changing operation is completed, and feeding back failure of the firewall security policy changing operation when the comparison verification of the association object does not pass twice continuously.
Optionally, if the associated-object comparison verification shows that the associated objects before and after the firewall security policy change are consistent, the firewall security policy change is judged successful and a log of the successful change is collected; if the comparison shows that the associated objects before and after the change are inconsistent, the firewall security policy can be verified again, and if it is still inconsistent, the firewall security policy change operation is judged to have failed and a failure signal is fed back or a log is collected.
In order to improve the operation and maintenance efficiency, in an embodiment of the firewall security policy change verification method of the present application, the step S103 may further specifically include the following:
and collecting and recording an operation execution log and a change operation result of firewall security policy change operation, and sending the operation execution log and the change operation result to an operation and maintenance end.
It can be understood that the method provides an important technical reference for operation and maintenance personnel to check the reasons of failure in changing the firewall security policy, improves the operation and maintenance efficiency and reduces the operation and maintenance cost of the data center.
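The monitoring, dispatch, query, comparison, retry and logging steps above (S101 to S103, S201/S202, S301/S302 and S401/S402), as an added Python example that is not part of the patent and not the applicant's code. The firewall interfaces (`SimFirewall`), the device and version tags, the policy records and the change steps are constructed placeholders. The patent does not specify the format of the associated objects, so the `normalize` step, which canonicalises address and service notation before comparison (the heterogeneous-output problem the background section names), is an assumption added here; likewise the "original" policy is taken to be the policy the firewall reports after the change has been pushed, which is then compared with the associated objects in the change information.

```python
# Added example, not the patent's code: a simulated run of the
# monitor -> execute -> query -> compare -> retry -> log flow.
# All firewall interfaces, tags and policy values below are constructed.
from dataclasses import dataclass
import ipaddress

# The "associated objects" the patent compares: address objects,
# service object, execution action and effective time.
ASSOCIATED_FIELDS = ("src", "dst", "service", "action", "schedule")


@dataclass(frozen=True)
class Policy:
    name: str
    src: str
    dst: str
    service: str
    action: str
    schedule: str


@dataclass
class ChangeStep:
    fw_type: str            # "hardware" or "software"
    target: Policy          # desired policy after the change
    device_tag: str = ""    # hardware device tag (hardware firewalls only)
    version_tag: str = ""   # version information tag


class SimFirewall:
    """Constructed stand-in for a device configuration interface (hardware)
    or a software firewall's REST interface. The first `drop_first` apply()
    calls are silently ignored to simulate a change that did not take effect."""

    def __init__(self, drop_first=0):
        self.policies = {}
        self.drop_first = drop_first

    def apply(self, policy):
        if self.drop_first > 0:
            self.drop_first -= 1
            return
        self.policies[policy.name] = policy

    def query(self, name):
        return self.policies.get(name)


def normalize(field, value):
    """Canonicalise vendor-specific notation (assumed here) so that e.g.
    '10.0.0.1' and '10.0.0.1/32', or 'TCP/443' and 'tcp/443', compare equal."""
    if field in ("src", "dst"):
        return str(ipaddress.ip_network(value, strict=False))
    return value.strip().lower()


def compare_objects(current, expected):
    """S302: return the associated objects that differ (empty list = consistent)."""
    if current is None:                      # policy absent on the firewall
        return list(ASSOCIATED_FIELDS)
    return [f for f in ASSOCIATED_FIELDS
            if normalize(f, getattr(current, f)) != normalize(f, getattr(expected, f))]


def select_interface(step, hw_interfaces, sw_interface):
    """S201/S202: choose the configuration interface from firewall type and tags."""
    if step.fw_type == "hardware":
        return hw_interfaces[(step.device_tag, step.version_tag)]
    return sw_interface


def verify_change(step, hw_interfaces, sw_interface, max_attempts=2):
    """S101-S103 with the S401/S402 retry: execute, query, compare; on mismatch
    re-execute once and report failure after two consecutive failed comparisons.
    The returned log is what would be sent to the operation and maintenance end."""
    fw = select_interface(step, hw_interfaces, sw_interface)
    log = []
    for attempt in range(1, max_attempts + 1):
        fw.apply(step.target)
        current = fw.query(step.target.name)
        mismatches = compare_objects(current, step.target)
        log.append({"attempt": attempt, "policy": step.target.name, "mismatches": mismatches})
        if not mismatches:
            return {"success": True, "attempts": attempt, "log": log}
    return {"success": False, "attempts": max_attempts, "log": log}


def demo():
    """Three constructed scenarios; returns each verify_change() result."""
    target = Policy("web-in", "10.0.0.1", "192.168.1.0/24", "TCP/443", "permit", "always")
    hw = {("fw-dc1-core", "v8.1"): SimFirewall()}        # constructed tags
    # Software firewall already holding an equivalent rule in different notation;
    # its push is dropped, but the comparison still passes after normalisation.
    sw_equiv = SimFirewall(drop_first=1)
    sw_equiv.policies["web-in"] = Policy("web-in", "10.0.0.1/32", "192.168.1.0/24",
                                         "tcp/443", "PERMIT", "Always")
    sw_dropped = SimFirewall(drop_first=2)                # both pushes lost
    return {
        "hardware": verify_change(ChangeStep("hardware", target, "fw-dc1-core", "v8.1"), hw, sw_dropped),
        "equivalent": verify_change(ChangeStep("software", target), hw, sw_equiv),
        "dropped": verify_change(ChangeStep("software", target), hw, sw_dropped),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["success"], result["attempts"], result["log"][-1]["mismatches"])
```

Running the module exercises the three scenarios: a hardware change that takes effect on the first push, a software firewall that already held an equivalent rule written differently (the dropped push is harmless because the comparison passes), and a software firewall whose pushes are lost twice, which is reported as failed after the second consecutive comparison as S402 requires.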
In order to automatically, accurately and efficiently verify the change of the firewall security policy, the application provides an embodiment of a firewall security policy change verification device for implementing all or part of the content of the firewall security policy change verification method, referring to fig. 5, the firewall security policy change verification device specifically includes the following contents:
The policy change execution module 10 is configured to monitor firewall security policy change information, and execute corresponding firewall security policy change operation according to a firewall type and a configuration mode in the firewall security policy change information.
And the comparison and verification module 20 is configured to obtain a corresponding original firewall security policy according to the firewall security policy change information, and perform associated object comparison and verification according to the original firewall security policy and the firewall security policy change information.
And the verification result module 30 is configured to judge that the firewall security policy change operation succeeded if the associated objects pass the comparison verification, and otherwise to feed back that the firewall security policy change operation failed.
As can be seen from the above description, the firewall security policy change verification device provided by the embodiment of the application executes the corresponding firewall security policy change operation accurately by monitoring the different firewall security policy change information, performs associated-object comparison verification of the change operation against the original firewall security policy, and determines whether the change operation succeeded according to that comparison verification, so that changes to the firewall security policy can be verified automatically, accurately and efficiently.
In order to automatically, accurately and efficiently verify the change of the firewall security policy from the hardware level, the application provides an embodiment of an electronic device for implementing all or part of the content in the firewall security policy change verification method, wherein the electronic device specifically comprises the following contents:
A processor, a memory, a communication interface and a bus; the processor, the memory and the communication interface communicate with each other through the bus; the communication interface is used for transmitting information between the firewall security policy change verification device and related equipment such as a core business system, user terminals and related databases; the logic controller may be a desktop computer, a tablet computer, a mobile terminal, etc., and this embodiment is not limited thereto. In this embodiment, the logic controller may refer to the embodiment of the firewall security policy change verification method and the embodiment of the firewall security policy change verification device described above, the contents of which are incorporated herein and not repeated.
It is understood that the user terminal may include a smart phone, a tablet electronic device, a network set-top box, a portable computer, a desktop computer, a Personal Digital Assistant (PDA), a vehicle-mounted device, a smart wearable device, etc. Smart wearable devices may include smart glasses, smart watches, smart bracelets, etc.
In practical application, part of the firewall security policy change verification method may be executed on the electronic device side as described above, or all operations may be completed in the client device. Specifically, the selection may be made according to the processing capability of the client device, and restrictions of the use scenario of the user. The application is not limited in this regard. If all operations are performed in the client device, the client device may further include a processor.
The client device may have a communication module (i.e. a communication unit) and may be connected to a remote server in a communication manner, so as to implement data transmission with the server. The server may include a server on the side of the task scheduling center, and in other implementations may include a server of an intermediate platform, such as a server of a third party server platform having a communication link with the task scheduling center server. The server may include a single computer device, a server cluster formed by a plurality of servers, or a server structure of a distributed device.
Fig. 6 is a schematic block diagram of a system configuration of an electronic device 9600 according to an embodiment of the present application. As shown in fig. 6, the electronic device 9600 may include a central processor 9100 and a memory 9140; the memory 9140 is coupled to the central processor 9100. Notably, this fig. 6 is exemplary; other types of structures may also be used in addition to or in place of the structures to implement telecommunications functions or other functions.
In one embodiment, the firewall security policy change verification method functionality may be integrated into the central processor 9100. The central processor 9100 may be configured to perform the following control:
step S101: and monitoring firewall security policy change information, and executing corresponding firewall security policy change operation according to the firewall type and configuration mode in the firewall security policy change information.
Step S102: and acquiring a corresponding original firewall security policy according to the firewall security policy change information, and performing associated object comparison verification according to the original firewall security policy and the firewall security policy change information.
Step S103: if the correlation object passes the comparison verification, judging that the firewall security policy changing operation is successful, otherwise, feeding back that the firewall security policy changing operation fails.
As can be seen from the above description, the electronic device provided by the embodiment of the present application accurately executes the corresponding firewall security policy changing operation by monitoring the different firewall security policy changing information, performs the comparison verification of the association object of the changing operation in combination with the original firewall security policy, and determines the successful identification of the current changing operation according to the comparison verification, so that the change of the firewall security policy can be automatically, accurately and efficiently verified.
In another embodiment, the firewall security policy change verification device may be configured separately from the central processor 9100; for example, the firewall security policy change verification device may be configured as a chip connected to the central processor 9100, with the firewall security policy change verification method function implemented under the control of the central processor.
As shown in fig. 6, the electronic device 9600 may further include: a communication module 9110, an input unit 9120, an audio processor 9130, a display 9160, and a power supply 9170. It is noted that the electronic device 9600 need not include all of the components shown in fig. 6; in addition, the electronic device 9600 may further include components not shown in fig. 6, and reference may be made to the related art.
As shown in fig. 6, the central processor 9100, sometimes referred to as a controller or operational control, may include a microprocessor or other processor device and/or logic device, which central processor 9100 receives inputs and controls the operation of the various components of the electronic device 9600.
The memory 9140 may be, for example, one or more of a buffer, a flash memory, a hard drive, a removable medium, a volatile memory, a non-volatile memory, or other suitable device. It may store failure information as well as a program for processing that information, and the central processor 9100 can execute the program stored in the memory 9140 to realize information storage, processing, and the like.
The input unit 9120 provides input to the central processor 9100. The input unit 9120 is, for example, a key or a touch input device. The power supply 9170 is used to provide power to the electronic device 9600. The display 9160 is used for displaying display objects such as images and characters. The display may be, for example, but not limited to, an LCD display.
The memory 9140 may be a solid-state memory such as Read Only Memory (ROM), Random Access Memory (RAM), a SIM card, or the like. It may also be a memory that retains information even when powered down, which can be selectively erased and loaded with further data; one example of such a memory is sometimes referred to as EPROM. The memory 9140 may also be some other type of device. The memory 9140 includes a buffer memory 9141 (sometimes referred to as a buffer). The memory 9140 may include an application/function storage portion 9142, which stores the application programs and function programs, or the flow, by which the central processor 9100 executes the operations of the electronic device 9600.
The memory 9140 may also include a data store 9143, the data store 9143 for storing data, such as contacts, digital data, pictures, sounds, and/or any other data used by an electronic device. The driver storage portion 9144 of the memory 9140 may include various drivers of the electronic device for communication functions and/or for performing other functions of the electronic device (e.g., messaging applications, address book applications, etc.).
The communication module 9110 is a transmitter/receiver 9110 that transmits and receives signals via an antenna 9111. A communication module (transmitter/receiver) 9110 is coupled to the central processor 9100 to provide input signals and receive output signals, as in the case of conventional mobile communication terminals.
Based on different communication technologies, a plurality of communication modules 9110, such as a cellular network module, a bluetooth module, and/or a wireless local area network module, etc., may be provided in the same electronic device. The communication module (transmitter/receiver) 9110 is also coupled to a speaker 9131 and a microphone 9132 via an audio processor 9130 to provide audio output via the speaker 9131 and to receive audio input from the microphone 9132 to implement usual telecommunications functions. The audio processor 9130 can include any suitable buffers, decoders, amplifiers and so forth. In addition, the audio processor 9130 is also coupled to the central processor 9100 so that sound can be recorded locally through the microphone 9132 and sound stored locally can be played through the speaker 9131.
The embodiment of the present application further provides a computer-readable storage medium capable of implementing all the steps of the firewall security policy change verification method of the above embodiment, whose execution subject is a server or a client. The computer-readable storage medium stores a computer program which, when executed by a processor, implements all the steps of that method; for example, the processor implements the following steps when executing the computer program:
Step S101: monitoring firewall security policy change information, and executing the corresponding firewall security policy change operation according to the firewall type and configuration mode in the firewall security policy change information.
Step S102: acquiring the corresponding original firewall security policy according to the firewall security policy change information, and performing associated object comparison verification according to the original firewall security policy and the firewall security policy change information.
Step S103: if the associated object comparison verification passes, judging that the firewall security policy change operation is successful; otherwise, feeding back that the firewall security policy change operation has failed.
As can be seen from the above description, the computer-readable storage medium provided by the embodiment of the present application executes the corresponding firewall security policy change operations according to the monitored firewall security policy change information, performs associated object comparison verification of the change operations against the original firewall security policies, and determines from that comparison whether the current change operation succeeded, so that firewall security policy changes can be verified automatically, accurately and efficiently.
The embodiment of the present application further provides a computer program product capable of implementing all the steps of the firewall security policy change verification method of the above embodiment, whose execution subject is a server or a client. The steps of the firewall security policy change verification method are implemented when the computer program/instructions are executed by a processor; for example, the computer program/instructions implement the following steps:
Step S101: monitoring firewall security policy change information, and executing the corresponding firewall security policy change operation according to the firewall type and configuration mode in the firewall security policy change information.
Step S102: acquiring the corresponding original firewall security policy according to the firewall security policy change information, and performing associated object comparison verification according to the original firewall security policy and the firewall security policy change information.
Step S103: if the associated object comparison verification passes, judging that the firewall security policy change operation is successful; otherwise, feeding back that the firewall security policy change operation has failed.
As can be seen from the above description, the computer program product provided by the embodiment of the present application executes the corresponding firewall security policy change operation according to the monitored firewall security policy change information, performs associated object comparison verification of the change operation against the original firewall security policy, and determines from that comparison whether the current change operation succeeded, so that firewall security policy changes can be verified automatically, accurately and efficiently.
It will be apparent to those skilled in the art that embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (devices), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principles and embodiments of the present invention have been described in detail with reference to specific examples, which are provided to facilitate understanding of the method and core ideas of the present invention; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in accordance with the ideas of the present invention, the present description should not be construed as limiting the present invention in view of the above.

Claims (8)

1. A method for firewall security policy change verification, the method comprising:
monitoring firewall security policy change information, and executing the corresponding firewall security policy change operation according to the firewall type and configuration mode in the firewall security policy change information;
acquiring the corresponding original firewall security policy according to the firewall security policy change information, and performing associated object comparison verification according to the original firewall security policy and the firewall security policy change information, thereby determining whether the associated objects changed between before and after the change operation, and hence whether the change operation succeeded;
if the associated object comparison verification passes, judging that the firewall security policy change operation is successful; otherwise, feeding back that the firewall security policy change operation has failed;
wherein acquiring the corresponding original firewall security policy according to the firewall security policy change information, and performing associated object comparison verification according to the original firewall security policy and the firewall security policy change information, includes:
invoking the software or hardware firewall query interface corresponding to the firewall security policy change information to acquire the corresponding original firewall security policy; and
judging whether the associated object in the original firewall security policy is consistent with the associated object in the firewall security policy change information;
and wherein judging that the firewall security policy change operation is successful if the associated object comparison verification passes, and otherwise feeding back that the firewall security policy change operation has failed, includes:
if the associated object in the original firewall security policy is consistent with the associated object in the firewall security policy change information, judging that the firewall security policy change operation is successful; and
if the associated object comparison verification does not pass, re-executing the firewall security policy change operation, performing the associated object comparison verification again after the firewall security policy change operation completes, and feeding back that the firewall security policy change operation has failed when the associated object comparison verification fails twice in succession.
2. The method for firewall security policy change verification according to claim 1, wherein monitoring firewall security policy change information comprises:
adding a hardware device tag and a version information tag to each change step in the monitored firewall security policy change information.
3. The method for firewall security policy change verification according to claim 2, wherein executing the corresponding firewall security policy change operation according to the firewall type and configuration mode in the firewall security policy change information comprises:
if the firewall type in the firewall security policy change information is a hardware firewall, calling the corresponding device configuration interface according to the hardware device tag and the version information tag to execute the corresponding firewall security policy change operation; and
if the firewall type in the firewall security policy change information is a software firewall, calling the software program interface corresponding to each change step to execute the corresponding firewall security policy change operation.
4. The method for firewall security policy change verification according to claim 1, wherein judging that the firewall security policy change operation is successful if the associated object comparison verification passes, and otherwise feeding back that the firewall security policy change operation has failed, further comprises:
collecting and recording an operation execution log and a change operation result of the firewall security policy change operation, and sending the operation execution log and the change operation result to an operation and maintenance end.
5. A firewall security policy change verification device, comprising:
a policy change execution module, configured to monitor firewall security policy change information and execute the corresponding firewall security policy change operation according to the firewall type and configuration mode in the firewall security policy change information;
a comparison verification module, configured to acquire the corresponding original firewall security policy according to the firewall security policy change information and perform associated object comparison verification according to the original firewall security policy and the firewall security policy change information, thereby determining whether the associated objects changed between before and after the change operation, and hence whether the change operation succeeded; and
a verification result module, configured to judge that the firewall security policy change operation is successful if the associated object comparison verification passes, and otherwise to feed back that the firewall security policy change operation has failed;
wherein the comparison verification module is specifically configured to:
invoke the software or hardware firewall query interface corresponding to the firewall security policy change information to acquire the corresponding original firewall security policy; and
judge whether the associated object in the original firewall security policy is consistent with the associated object in the firewall security policy change information;
and wherein the verification result module is specifically configured to:
judge that the firewall security policy change operation is successful if the associated object in the original firewall security policy is consistent with the associated object in the firewall security policy change information; and
if the associated object comparison verification does not pass, re-execute the firewall security policy change operation, perform the associated object comparison verification again after the firewall security policy change operation completes, and feed back that the firewall security policy change operation has failed when the associated object comparison verification fails twice in succession.
6. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the firewall security policy change verification method of any one of claims 1 to 4 when the program is executed by the processor.
7. A computer-readable storage medium having stored thereon a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the firewall security policy change verification method of any one of claims 1 to 4.
8. A computer program product comprising a computer program/instructions which, when executed by a processor, implement the steps of the firewall security policy change verification method of any one of claims 1 to 4.
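The method of claims 1 to 4 as one runnable model, added here as an illustration; it is not the patent's own code or ICBC's implementation. It assumes a simulated firewall that offers a configuration interface (apply) and a query interface (query), assumed field names for the "associated objects" (source, destination, service, action), made-up device and version tags, and a fault-injection knob that makes the first N apply calls silently fail so that the single re-execution and the two-consecutive-failures rule of claim 1 can be exercised. The operation log and result of claim 4 are collected in a list rather than sent to an operations endpoint.

```python
"""Added example (not the patent's code): an in-memory model of the
change-execute-verify loop of claims 1 to 4. The firewall, its interfaces,
the associated-object field names and the tag values are all assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed: the rule fields that count as "associated objects" for the read-back comparison.
ASSOCIATED_FIELDS = ("source", "destination", "service", "action")


@dataclass
class SimulatedFirewall:
    """Constructed stand-in for a hardware or software firewall exposing a
    configuration interface (apply) and a query interface (query)."""
    kind: str                         # "hardware" or "software"
    device_tag: str                   # hardware device tag (claim 2)
    version_tag: str                  # version information tag (claim 2)
    policy: Dict[str, Dict[str, str]] = field(default_factory=dict)
    drop_first_n_applies: int = 0     # fault injection: first N applies are silently not committed
    applies_seen: int = 0

    def apply(self, rule_id: str, rule: Dict[str, str]) -> None:
        self.applies_seen += 1
        if self.applies_seen <= self.drop_first_n_applies:
            return                    # accepted by the device but never took effect
        self.policy[rule_id] = dict(rule)

    def query(self, rule_id: str) -> Optional[Dict[str, str]]:
        return self.policy.get(rule_id)


def tag_steps(change_info: dict) -> List[dict]:
    """Claim 2: attach the device tag, version tag and firewall type to every change step."""
    return [dict(step, firewall_type=change_info["firewall_type"],
                 device_tag=change_info["device_tag"], version_tag=change_info["version_tag"])
            for step in change_info["steps"]]


def execute_change(fw: SimulatedFirewall, step: dict) -> None:
    """Claim 3: choose the interface by firewall type. For hardware the tags select the
    device configuration interface, so a tag mismatch means the wrong device or version
    and the change is refused; for software the per-step program interface is called."""
    if step["firewall_type"] == "hardware":
        if (step["device_tag"], step["version_tag"]) != (fw.device_tag, fw.version_tag):
            raise ValueError("change tagged for another device/version; refusing to apply")
        fw.apply(step["rule_id"], step["rule"])
    elif step["firewall_type"] == "software":
        fw.apply(step["rule_id"], step["rule"])
    else:
        raise ValueError(f"unknown firewall type {step['firewall_type']!r}")


def associated_objects_match(current: Optional[Dict[str, str]], intended: Dict[str, str]) -> bool:
    """Claim 1: compare only the associated objects of the policy read back from the device
    with those in the change information; a rule that is absent after the change is a failure."""
    if current is None:
        return False
    return all(current.get(f) == intended.get(f) for f in ASSOCIATED_FIELDS)


def change_and_verify(fw: SimulatedFirewall, change_info: dict, ops_log: List[dict]) -> bool:
    """Executes every step, verifies by read-back, re-executes once on mismatch, and
    reports failure when verification fails twice in succession (claim 1). Each attempt
    and the overall result are appended to ops_log, the stand-in for the log and result
    sent to the operation and maintenance end in claim 4."""
    overall = True
    for step in tag_steps(change_info):
        ok = False
        for attempt in (1, 2):                        # original execution plus one re-execution
            execute_change(fw, step)
            current = fw.query(step["rule_id"])       # query interface: the policy as the device now holds it
            ok = associated_objects_match(current, step["rule"])
            ops_log.append({"change_id": change_info["change_id"], "rule_id": step["rule_id"],
                            "attempt": attempt, "device_tag": step["device_tag"],
                            "version_tag": step["version_tag"],
                            "result": "success" if ok else "mismatch"})
            if ok:
                break
        overall = overall and ok
    ops_log.append({"change_id": change_info["change_id"],
                    "result": "success" if overall else "failure"})
    return overall


# Constructed sample change request; addresses and tags are made up for the example.
SAMPLE_CHANGE = {
    "change_id": "CHG-0001", "firewall_type": "hardware", "config_mode": "api",
    "device_tag": "fw-dc1-edge", "version_tag": "v5.2",
    "steps": [
        {"rule_id": "r100", "rule": {"source": "10.1.0.0/24", "destination": "10.2.0.10",
                                     "service": "tcp/443", "action": "permit"}},
        {"rule_id": "r101", "rule": {"source": "10.1.0.0/24", "destination": "10.2.0.11",
                                     "service": "tcp/22", "action": "deny"}},
    ],
}


def demo(drop_first_n_applies: int = 1) -> Tuple[bool, List[dict]]:
    """Runs the sample change against a fresh simulated firewall that drops the first
    N apply calls, returning the verdict and the collected log."""
    fw = SimulatedFirewall(kind="hardware", device_tag="fw-dc1-edge", version_tag="v5.2",
                           drop_first_n_applies=drop_first_n_applies)
    log: List[dict] = []
    return change_and_verify(fw, SAMPLE_CHANGE, log), log


if __name__ == "__main__":
    verdict, entries = demo()
    print("change result:", "success" if verdict else "failure")
    for entry in entries:
        print(entry)
```

With the default of one dropped apply, the first rule fails its first read-back, succeeds on the re-execution, and the change as a whole is reported successful; with two dropped applies the first rule fails twice in succession and the change is reported as failed even though the second rule was committed. The read-back comparison deliberately ignores fields outside the associated objects, so cosmetic attributes the device adds (comments, hit counters) do not cause false failures, while a rule that is missing after the change always does.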
CN202111623959.7A 2021-12-28 2021-12-28 Firewall security policy change verification method and device Active CN114285657B (en)

Publications (2)

Publication Number Publication Date
CN114285657A CN114285657A (en) 2022-04-05
CN114285657B true CN114285657B (en) 2024-05-17

Family

ID=80877162

Country Status (1)

Country Link
CN (1) CN114285657B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115150161B (en) * 2022-06-30 2024-03-08 中国工商银行股份有限公司 Firewall security policy configuration method and device, storage medium and electronic device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102063319A (en) * 2010-12-30 2011-05-18 汉柏科技有限公司 Software updating method
CN104717182A (en) * 2013-12-12 2015-06-17 华为技术有限公司 Security policy deployment method and device for network firewall
CN108090361A (en) * 2016-11-22 2018-05-29 腾讯科技(深圳)有限公司 Security strategy update method and device
CN108462676A (en) * 2017-02-20 2018-08-28 中兴通讯股份有限公司 The management method and device of Network Security Device
CN109547502A (en) * 2019-01-22 2019-03-29 成都亚信网络安全产业技术研究院有限公司 Firewall ACL management method and device
CN110505186A (en) * 2018-05-18 2019-11-26 深信服科技股份有限公司 A kind of recognition methods of safety regulation conflict, identification equipment and storage medium
CN111641601A (en) * 2020-05-12 2020-09-08 中信银行股份有限公司 Firewall management method, device, equipment and storage medium
CN113114683A (en) * 2021-04-14 2021-07-13 中国工商银行股份有限公司 Firewall policy processing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant