CN114465809A - Method for calculating security policy granularity - Google Patents

Method for calculating security policy granularity

Info

Publication number
CN114465809A
Authority
CN
China
Prior art keywords
policy
granularity
address
service
strategy
Prior art date
Legal status
Pending
Application number
CN202210206720.8A
Other languages
Chinese (zh)
Inventor
于芳永
李文皓
Current Assignee
Shandong Yuanlu Information Technology Co ltd
Original Assignee
Shandong Yuanlu Information Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/30 Creation or generation of source code
    • G06F8/31 Programming languages or programming paradigms
    • G06F8/315 Object-oriented languages

Abstract

The invention relates to the technical field of computers, in particular to a method for calculating security policy granularity. The method comprises the following steps: building a test and development environment and a test and development server; investigating the firewall policy data, policy scale, configuration habits, internal configuration regulations and other information of a client site; carrying out development work such as firewall docking, brand adaptation, data formatting and policy granularity calculation; and checking the calculation results. The design of the invention formulates a policy granularity judgment rule and calculates the policy granularity from the constituent elements of the policy by a related algorithm. By simulating and adapting to firewalls of various brands, simulating the firewall policies of clients in various industries, and performing granularity calculation and evaluation on the obtained policy data, the set target can be fully reached and the calculation results are accurate. Firewall policies can then be configured in a more standard and uniform way, policy operation and maintenance personnel are helped to evaluate and calculate firewall policies, and the adaptability of policy configuration is improved.

Description

Method for calculating security policy granularity
Technical Field
The invention relates to the technical field of computers, in particular to a method for calculating security policy granularity.
Background
The firewall is the most important device for securing a network. It is generally deployed at the network boundary and at zone boundaries: a small network has a single firewall at its boundary, while a large network generally deploys firewalls at several network boundaries, zone boundaries and service system boundaries. The policy (access control) is the most important function of the firewall: it decides whether sessions between the internal and external networks may pass through the firewall. A policy mainly consists of elements such as a source zone, a destination zone, a source address, a destination address, a transport layer protocol, a source port and a destination port, and a network session mainly consists of a source address, a destination address, a transport layer protocol, a source port and a destination port. When a network session is generated, its path is determined from the routes of each device (routers, switches, firewalls and other gateway devices), which determines whether the session must pass through the firewall at that position. As application systems and business systems multiply, the policies on a firewall become more and more disordered: operation and maintenance personnel change, there are no unified standards or instruction manuals, and although some policies are configured strictly (permitting only a specific source IP address, a specific destination IP address and the corresponding port), most policies are configured loosely, grant a large 'permission', and have little restrictive effect.
Therefore, a method for calculating policy granularity is needed to help policy operation and maintenance personnel evaluate and calculate existing policies and future policy configurations, judge the granularity of a policy, and make policies as strict as possible.
The following conclusions are drawn from current research on firewalls and firewall policy management products: existing firewalls mainly consider the flexibility of policy configuration and offer high adaptability for improving it; policy configuration on a general firewall can be done at will; an excessively loose configuration (such as opening any port from any address to any address) cannot be prohibited; whether a policy configuration is reasonable is not considered; and the granularity of a configured policy is not evaluated or calculated by any rule or algorithm. The firewall policy management products on the market mainly offer functions such as policy relationship judgment, policy path visualization and policy issuing, and do not have a technique for calculating and evaluating policy granularity. In view of this, we propose a method for computing security policy granularity.
Disclosure of Invention
The present invention is directed to a method for calculating security policy granularity, so as to solve the problems set forth in the background art.
In order to solve the above technical problem, an object of the present invention is to provide a method for calculating security policy granularity, including the following steps:
S1, preparing commonly used domestic firewalls of various brands, establishing a test and development environment, and establishing a test and development server;
S2, investigating information such as the firewall policy data, policy scale, policy configuration habits and internal policy configuration regulations of a client site, and using the investigated policy configuration to test a firewall;
S3, carrying out development work such as firewall docking, brand adaptation, data formatting and policy granularity calculation;
S4, checking the calculation results and summarizing the problems.
As a further improvement of the technical solution, in S3 the specific method for performing development work such as firewall docking, brand adaptation, data formatting and policy granularity calculation includes the following steps:
S3.1, using different firewall docking modes for firewalls of different brands;
S3.2, selecting different modes of obtaining resource data and policy data according to the docking mode;
S3.3, placing the obtained resources and policies into memory, and associating the resources referenced by each policy using the fact that resource names are unique within the same firewall;
S3.4, defining the granularity of a policy according to information such as the size of the ranges defined by the policy's source and destination addresses, the number of source and destination zones defined, and the range of protocols and ports defined by the policy's services, and dividing policy granularity into 5 levels, where level 1 is the loosest and level 5 the strictest;
S3.5, calculating the address resource types corresponding to the policy's source and destination addresses, calculating the service resource types corresponding to the policy's services, and calculating the policy granularity by combining them.
As a further improvement of the technical solution, in S3.1 the specific method for using different firewall docking modes for firewalls of different brands includes the following steps:
S3.1.1, docking with most common firewalls by simulating a manual SSH login;
S3.1.2, logging in and docking through an API for the few firewalls that expose an open interface;
S3.1.3, for firewalls that cannot be docked by the two methods above, docking by simulating a manual login to the web interface.
As a further improvement of the technical solution, in S3.2 the specific method for acquiring resource data and policy data in different ways according to the docking mode includes the following steps:
S3.2.1, for the SSH login mode, simulating manual command execution after a successful login, executing the corresponding commands on the firewall, capturing the results returned by the commands, parsing the captured text, and extracting the useful data;
S3.2.2, for the API login mode, obtaining the corresponding results by requesting the corresponding paths and passing the corresponding parameters;
S3.2.3, for the web login mode, acquiring the data of the corresponding pages by scraping them.
As a further improvement of the present technical solution, in S3.3 the specific method for associating the resources referenced by a policy includes the following steps:
S3.3.1, storing the address resources in a database with fields such as ID, internal number, name, reference count and specific address;
S3.3.2, storing the service resources in the database with fields such as ID, internal number, name, protocol, port and reference count;
S3.3.3, storing time, zone and similar resources in the database in a fixed format;
S3.3.4, storing the policies in the database with fields such as ID, policy name, internal number, source address, destination address, service, source zone, destination zone and time.
As a further improvement of the present technical solution, in S3.3 MySQL is used as the database.
As a further improvement of the present technical solution, in S3.4 the specific rule for classifying policy granularity into 5 levels is as follows (from the highest level to the lowest):
policy granularity level 5: both the source address and the destination address are defined as a single IP address, and the service is defined as a protocol plus a port;
policy granularity level 4: the source address is defined as a single IP, a range or a subnet, the destination address is defined as a single IP, a range or a subnet, and the service is defined as a protocol plus a port or a port range;
policy granularity level 3:
(a) the source address is defined as any or empty, the destination address is not defined as any or empty, and the service is not defined as empty or as a bare TCP, UDP or ICMP protocol;
(b) the destination address is defined as any or empty, the source address is not defined as any or empty, and the service is not defined as empty or as a bare TCP, UDP or ICMP protocol;
(c) the service is defined as empty or as a bare TCP, UDP or ICMP protocol, the source address is not defined as any or empty, and the destination address is not defined as any or empty;
policy granularity level 2:
(a) the source address is defined as any or empty, the destination address is defined as any or empty, and the service is not defined as empty or as a bare TCP, UDP or ICMP protocol;
(b) the destination address is defined as any or empty, the service is defined as empty or as a bare TCP, UDP or ICMP protocol, and the source address is not defined as any or empty;
(c) the service is defined as empty or as a bare TCP, UDP or ICMP protocol, the source address is defined as any or empty, and the destination address is not defined as any or empty;
policy granularity level 1: the source address is defined as any or empty, the destination address is defined as any or empty, and the service is defined as empty or as a bare TCP, UDP or ICMP protocol.
As a further improvement of the present technical solution, in S3.4 the specific calculation for each element of the policy granularity is as follows:
firstly, the level of an address definition is set by the following rule:
an address that is empty or any is assigned the value 0;
an address that is a range or a subnet is assigned the value 2;
a single address is assigned the value 3;
secondly, the level of a service definition is set by the following rule:
a service that is empty or a bare TCP, UDP or ICMP protocol is assigned the value 0;
a service that is defined as a port range is assigned the value 2;
a service that is a single protocol plus a port is assigned the value 3;
thirdly, the source address level of the policy is computed from the policy's source addresses and assigned to sl, as follows:
the level of each source address is computed as sl1, sl2, ..., sln, and the minimum level over all source addresses is taken as the overall source address level sl:
sl = min(sl1, sl2, ..., sln);
fourthly, the destination address level of the policy is computed from the policy's destination addresses and assigned to dl, as follows:
the level of each destination address is computed as dl1, dl2, ..., dln, and the minimum level over all destination addresses is taken as the overall destination address level dl:
dl = min(dl1, dl2, ..., dln);
fifthly, the service level of the policy is computed and assigned to pl, as follows:
the level of each service is computed as pl1, pl2, ..., pln, and the minimum level over all services is taken as the overall service level pl:
pl = min(pl1, pl2, ..., pln);
finally, the granularity of the policy is computed and assigned to pg, as follows:
the source address level sl, the destination address level dl and the service level pl are added, the sum is divided by 2 and rounded down, and 1 is added, that is:
pg = ⌊(sl + dl + pl) / 2⌋ + 1
As a further improvement of the technical solution, in S3.4 each algorithm is implemented in the Java language.
As a further improvement of the technical solution, in S3.5 the specific method for calculating the policy granularity includes the following steps:
S3.5.1, first calculating the address resource types corresponding to the policy's source and destination addresses and assigning values by type: a single IP address is assigned 3, a range or network segment 2, any 1 and empty 0; if several types of address occur in the source or destination address, the lowest value is used;
S3.5.2, then calculating the service resource types corresponding to the policy's services and assigning values by type: a protocol plus a port is assigned 3, a protocol plus a port range 2, bare TCP, UDP or ICMP 1 and empty 0; if several services occur in the policy, the lowest value is used;
S3.5.3, finally calculating the policy granularity by combining these values according to the policy granularity rules defined in step S3.4.
A second object of the present invention is to provide an operating system and operating apparatus for the method for calculating security policy granularity, including a processor, a memory, and a computer program stored in the memory and running on the processor, where the processor implements the steps of the method for calculating security policy granularity when executing the computer program.
A further object of the present invention is a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the above-described method for calculating security policy granularity.
Compared with the prior art, the invention has the following beneficial effects:
1. the method for calculating security policy granularity can configure a way of docking with a firewall, configure a method for acquiring resource data and policy data after docking, associate the acquired resource data with the policy data, format the resource and policy data and store them in a database, formulate a policy granularity judgment rule, calculate the policy granularity through related algorithms and rules from the constituent elements of the policy (including but not limited to the source address, destination address, protocol, port, source zone and destination zone), and divide policy granularity into 5 levels;
2. the method for calculating security policy granularity implements its algorithms in the Java language and uses MySQL as the database; by simulating and adapting to firewalls of various brands, simulating the firewall policies of client sites in various industries, and performing granularity calculation and evaluation on the obtained policy data, the set target can be fully reached and the calculation results are accurate;
3. the method for calculating security policy granularity can configure standard and uniform firewall policies and help policy operation and maintenance personnel evaluate and calculate firewall policies, so that, while the flexibility of policy configuration is preserved, its adaptability, rationality and functionality are improved.
Drawings
FIG. 1 is a flow diagram of the overall process of the present invention;
FIG. 2 is a flow chart of a partial method of the present invention;
FIG. 3 is a second flowchart of a partial method according to the present invention;
FIG. 4 is a third flowchart of a partial method of the present invention;
FIG. 5 is a fourth flowchart of a partial method of the present invention;
FIG. 6 is a fifth flowchart of a partial method of the present invention;
FIG. 7 is a schematic diagram of an exemplary apparatus of an electronic computer product according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings; obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the scope of protection of the present invention.
Example 1
As shown in FIG. 1 to FIG. 6, the present embodiment provides a method for calculating security policy granularity, including the following steps:
S1, preparing commonly used domestic firewalls of various brands, establishing a test and development environment, and establishing a test and development server;
S2, investigating information such as the firewall policy data, policy scale, policy configuration habits and internal policy configuration regulations of a client site, and using the investigated policy configuration to test a firewall;
S3, carrying out development work such as firewall docking, brand adaptation, data formatting and policy granularity calculation;
S4, checking the calculation results and summarizing the problems.
In this embodiment, in S3 the specific method for performing development work such as firewall docking, brand adaptation, data formatting and policy granularity calculation includes the following steps:
S3.1, using different firewall docking modes for firewalls of different brands;
S3.2, selecting different modes of obtaining resource data and policy data according to the docking mode;
S3.3, placing the obtained resources and policies into memory, and associating the resources referenced by each policy using the fact that resource names are unique within the same firewall;
S3.4, defining the granularity of a policy according to information such as the size of the ranges defined by the policy's source and destination addresses, the number of source and destination zones defined, and the range of protocols and ports defined by the policy's services, and dividing policy granularity into 5 levels, where level 1 is the loosest and level 5 the strictest;
S3.5, calculating the address resource types corresponding to the policy's source and destination addresses, calculating the service resource types corresponding to the policy's services, and calculating the policy granularity by combining them.
In this embodiment, in S3.1 the specific method for using different firewall docking modes for firewalls of different brands includes the following steps:
S3.1.1, docking with most common firewalls by simulating a manual SSH login;
S3.1.2, logging in and docking through an API for the few firewalls that expose an open interface;
S3.1.3, for firewalls that cannot be docked by the two methods above, docking by simulating a manual login to the web interface.
In this embodiment, in S3.2 the specific method for acquiring resource data and policy data in different ways according to the docking mode includes the following steps:
S3.2.1, for the SSH login mode, simulating manual command execution after a successful login, executing the corresponding commands on the firewall, capturing the results returned by the commands, parsing the captured text, and extracting the useful data;
S3.2.2, for the API login mode, obtaining the corresponding results by requesting the corresponding paths and passing the corresponding parameters;
S3.2.3, for the web login mode, acquiring the data of the corresponding pages by scraping them.
In this embodiment, in S3.3 the specific method for associating the resources referenced by a policy includes the following steps:
S3.3.1, storing the address resources in a database with fields such as ID, internal number, name, reference count and specific address;
S3.3.2, storing the service resources in the database with fields such as ID, internal number, name, protocol, port and reference count;
S3.3.3, storing time, zone and similar resources in the database in a fixed format;
S3.3.4, storing the policies in the database with fields such as ID, policy name, internal number, source address, destination address, service, source zone, destination zone and time.
Specifically, in S3.3 MySQL is used as the database.
In this embodiment, in S3.4 the specific rule for classifying policy granularity into 5 levels is as follows (from the highest level to the lowest):
policy granularity level 5: both the source address and the destination address are defined as a single IP address, and the service is defined as a protocol plus a port;
policy granularity level 4: the source address is defined as a single IP, a range or a subnet, the destination address is defined as a single IP, a range or a subnet, and the service is defined as a protocol plus a port or a port range;
policy granularity level 3:
(a) the source address is defined as any or empty, the destination address is not defined as any or empty, and the service is not defined as empty or as a bare TCP, UDP or ICMP protocol;
(b) the destination address is defined as any or empty, the source address is not defined as any or empty, and the service is not defined as empty or as a bare TCP, UDP or ICMP protocol;
(c) the service is defined as empty or as a bare TCP, UDP or ICMP protocol, the source address is not defined as any or empty, and the destination address is not defined as any or empty;
policy granularity level 2:
(a) the source address is defined as any or empty, the destination address is defined as any or empty, and the service is not defined as empty or as a bare TCP, UDP or ICMP protocol;
(b) the destination address is defined as any or empty, the service is defined as empty or as a bare TCP, UDP or ICMP protocol, and the source address is not defined as any or empty;
(c) the service is defined as empty or as a bare TCP, UDP or ICMP protocol, the source address is defined as any or empty, and the destination address is not defined as any or empty;
policy granularity level 1: the source address is defined as any or empty, the destination address is defined as any or empty, and the service is defined as empty or as a bare TCP, UDP or ICMP protocol.
Further, in S3.4 the specific calculation for each element of the policy granularity is as follows:
firstly, the level of an address definition is set by the following rule:
an address that is empty or any is assigned the value 0;
an address that is a range or a subnet is assigned the value 2;
a single address is assigned the value 3;
secondly, the level of a service definition is set by the following rule:
a service that is empty or a bare TCP, UDP or ICMP protocol is assigned the value 0;
a service that is defined as a port range is assigned the value 2;
a service that is a single protocol plus a port is assigned the value 3;
thirdly, the source address level of the policy is computed from the policy's source addresses and assigned to sl, as follows:
the level of each source address is computed as sl1, sl2, ..., sln, and the minimum level over all source addresses is taken as the overall source address level sl:
sl = min(sl1, sl2, ..., sln);
fourthly, the destination address level of the policy is computed from the policy's destination addresses and assigned to dl, as follows:
the level of each destination address is computed as dl1, dl2, ..., dln, and the minimum level over all destination addresses is taken as the overall destination address level dl:
dl = min(dl1, dl2, ..., dln);
fifthly, the service level of the policy is computed and assigned to pl, as follows:
the level of each service is computed as pl1, pl2, ..., pln, and the minimum level over all services is taken as the overall service level pl:
pl = min(pl1, pl2, ..., pln);
finally, the granularity of the policy is computed and assigned to pg, as follows:
the source address level sl, the destination address level dl and the service level pl are added, the sum is divided by 2 and rounded down, and 1 is added, that is:
pg = ⌊(sl + dl + pl) / 2⌋ + 1
Specifically, in S3.4 each algorithm is implemented in the Java language.
In this embodiment, in S3.5 the specific method for calculating the policy granularity includes the following steps:
S3.5.1, first calculating the address resource types corresponding to the policy's source and destination addresses and assigning values by type: a single IP address is assigned 3, a range or network segment 2, any 1 and empty 0; if several types of address occur in the source or destination address, the lowest value is used;
S3.5.2, then calculating the service resource types corresponding to the policy's services and assigning values by type: a protocol plus a port is assigned 3, a protocol plus a port range 2, bare TCP, UDP or ICMP 1 and empty 0; if several services occur in the policy, the lowest value is used;
S3.5.3, finally calculating the policy granularity by combining these values according to the policy granularity rules defined in step S3.4.
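The scoring in S3.4 and the five-level rule table can be run side by side, which is useful because the floor formula and the table do not always agree (for example a single-host to single-host policy with a port-range service is level 5 by the formula but level 4 by the table). The code below is an added illustration written for this page, not the applicant's Java implementation; the Policy class, the AddrKind and SvcKind categories, and the sample policies are constructed assumptions, and it uses the S3.4 values (any/empty = 0) rather than the S3.5 values (any = 1).

```python
"""Policy granularity per CN114465809A S3.4: per-element levels, min over lists,
pg = floor((sl + dl + pl) / 2) + 1, checked against the five-level rule table.
Added illustration, not the patent's own code; data model and samples are assumed."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class AddrKind(Enum):
    ANY = "any"        # 'any' or empty definition      -> level 0
    RANGE = "range"    # address range or subnet        -> level 2
    SINGLE = "single"  # one host address               -> level 3


class SvcKind(Enum):
    ANY = "any"              # empty, or bare TCP/UDP/ICMP     -> level 0
    PORT_RANGE = "port_range"  # protocol + port range         -> level 2
    PORT = "port"            # protocol + single port          -> level 3


ADDR_LEVEL = {AddrKind.ANY: 0, AddrKind.RANGE: 2, AddrKind.SINGLE: 3}
SVC_LEVEL = {SvcKind.ANY: 0, SvcKind.PORT_RANGE: 2, SvcKind.PORT: 3}


@dataclass
class Policy:
    name: str
    src: list[AddrKind]   # source address objects referenced by the policy
    dst: list[AddrKind]   # destination address objects
    svc: list[SvcKind]    # service objects


def component_level(kinds, table) -> int:
    """sl = min(sl1, ..., sln); an element with no definition counts as 'any' (0)."""
    if not kinds:
        return 0
    return min(table[k] for k in kinds)


def granularity_formula(p: Policy) -> int:
    """pg = floor((sl + dl + pl) / 2) + 1; yields 1 for any/any/any, 5 for 3+3+3."""
    sl = component_level(p.src, ADDR_LEVEL)
    dl = component_level(p.dst, ADDR_LEVEL)
    pl = component_level(p.svc, SVC_LEVEL)
    return (sl + dl + pl) // 2 + 1


def granularity_table(p: Policy) -> int:
    """Level by the S3.4 rule table: count loose elements (any/empty address,
    empty or bare-protocol service); level 5 needs single hosts and a single port."""
    loose = sum([
        component_level(p.src, ADDR_LEVEL) == 0,
        component_level(p.dst, ADDR_LEVEL) == 0,
        component_level(p.svc, SVC_LEVEL) == 0,
    ])
    if loose == 3:
        return 1
    if loose == 2:
        return 2
    if loose == 1:
        return 3
    all_single = all(k is AddrKind.SINGLE for k in p.src + p.dst)
    all_port = all(k is SvcKind.PORT for k in p.svc)
    return 5 if all_single and all_port else 4


def audit(policies: list[Policy]) -> list[tuple[str, int, int]]:
    """Return (name, formula level, table level) for each policy so an operator
    can spot loose policies (low levels) and cases where the two methods differ."""
    return [(p.name, granularity_formula(p), granularity_table(p)) for p in policies]


# Constructed sample policies (not from the patent).
SAMPLE_POLICIES = [
    Policy("web-allow", [AddrKind.SINGLE], [AddrKind.SINGLE], [SvcKind.PORT]),
    Policy("any-any", [AddrKind.ANY], [AddrKind.ANY], [SvcKind.ANY]),
    Policy("dmz-out", [AddrKind.RANGE, AddrKind.SINGLE], [AddrKind.ANY], [SvcKind.PORT]),
    Policy("port-range", [AddrKind.SINGLE], [AddrKind.SINGLE], [SvcKind.PORT_RANGE]),
    Policy("open-src", [AddrKind.ANY], [AddrKind.SINGLE], [SvcKind.PORT]),
]

if __name__ == "__main__":
    for name, by_formula, by_table in audit(SAMPLE_POLICIES):
        flag = "" if by_formula == by_table else "  <- methods disagree"
        print(f"{name:12s} formula={by_formula} table={by_table}{flag}")
```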
As shown in FIG. 7, the present embodiment further provides an operating system and operating apparatus for the method for calculating security policy granularity, where the operating system includes a processor, a memory, and a computer program stored in the memory and running on the processor.
The processor comprises one or more processing cores and is connected to the memory through a bus; the memory stores program instructions, and the method for calculating security policy granularity is carried out when the processor executes the program instructions in the memory.
Alternatively, the memory may be implemented by any type or combination of volatile or non-volatile memory devices, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, or magnetic or optical disks.
In addition, the present invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the above-mentioned method for calculating security policy granularity.
Optionally, the present invention also provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the steps of the above-described method for calculating security policy granularity in its various aspects.
It will be understood by those skilled in the art that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disk, or the like.
The foregoing shows and describes the general principles, essential features and advantages of the invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above; the preferred embodiments are described in the embodiments and description above and are not intended to limit the present invention. The scope of the invention is defined by the appended claims and their equivalents.

Claims (10)

1. A method for calculating security policy granularity, characterized in that the method comprises the following steps:
S1, preparing firewalls of the common domestic brands, setting up a test and development environment, and setting up a test and development server;
S2, surveying the customer site for information such as firewall policy data, policy scale, policy configuration habits and internal policy configuration rules, and using the surveyed policy configurations to test the firewalls;
S3, carrying out development work such as firewall docking, brand adaptation, data formatting and policy granularity calculation;
S4, checking the calculation results and summarizing the problems found.
2. The method for calculating security policy granularity according to claim 1, characterized in that in S3, the specific method for carrying out the development work of firewall docking, brand adaptation, data formatting and policy granularity calculation comprises the following steps:
S3.1, using different firewall docking modes for firewalls of different brands;
S3.2, selecting different ways of obtaining the resource data and the policy data according to the docking mode;
S3.3, placing the obtained resources and policies into memory, and associating the resources referenced by each policy with that policy, relying on the fact that resource names are unique within one firewall;
S3.4, defining the policy granularity according to information such as the size of the range defined by the policy's source and destination addresses, the number of source and destination areas the policy defines, and the range of protocols and ports defined by the policy's service, and dividing the policy granularity into 5 levels, where level 1 is the loosest and level 5 the strictest;
S3.5, calculating the address resource types corresponding to the policy's source and destination addresses, calculating the service resource type corresponding to the policy's service, and calculating the policy granularity by combining them.
3. The method for calculating security policy granularity according to claim 2, characterized in that in S3.1, the specific method for using different docking modes for firewalls of different brands comprises the following steps:
S3.1.1, docking with most common firewalls by simulating a manual SSH login;
S3.1.2, logging in and docking through an API for the individual firewalls that expose an open interface;
S3.1.3, for firewalls that cannot be docked by either of the two methods above, docking by simulating a manual login to the web interface.
4. The method for calculating security policy granularity according to claim 3, characterized in that in S3.2, the specific method for acquiring the resource data and the policy data in different ways according to the docking mode comprises the following steps:
S3.2.1, for the SSH login mode, simulating manual command execution after a successful login, executing the corresponding commands on the firewall, capturing the results returned by the commands, parsing the captured text and extracting the useful data;
S3.2.2, for the API login mode, obtaining the corresponding results by requesting the corresponding path and passing the corresponding parameters;
S3.2.3, for the web login mode, acquiring the data of the corresponding pages in crawler fashion.
5. The method for calculating security policy granularity according to claim 4, characterized in that in S3.3, the specific method for associating the resources referenced by the policy comprises the following steps:
S3.3.1, storing the address resources in a database in a field format of ID, internal number, name, reference count, specific address, and the like;
S3.3.2, storing the service resources in the database in a field format of ID, internal number, name, protocol, port, reference count, and the like;
S3.3.3, storing time and area objects in the database in a fixed format;
S3.3.4, storing the policies in the database in a field format of ID, policy name, internal number, source address, destination address, service, source area, destination area, time, and the like.
6. The method for calculating security policy granularity according to claim 5, characterized in that in S3.3, MySQL is used as the database.
7. The method for calculating security policy granularity according to claim 5, characterized in that in S3.4, the specific rule for dividing the policy granularity into 5 levels is as follows (listed from the highest to the lowest granularity level):
policy granularity level 5: both the source and destination addresses are defined down to a single IP address, and the service is defined down to protocol and port;
policy granularity level 4: the source address is defined as a single IP, a range or a subnet, the destination address is defined as a single IP, a range or a subnet, and the service is defined as a protocol with a port or a port range;
policy granularity level 3:
(a) the source address is defined as any or null, the destination address is not defined as any or null, and the service is not defined as null or as TCP, UDP or ICMP;
(b) the destination address is defined as any or null, the source address is not defined as any or null, and the service is not defined as null or as TCP, UDP or ICMP;
(c) the service is defined as null or as TCP, UDP or ICMP, the source address is not defined as any or null, and the destination address is not defined as any or null;
policy granularity level 2:
(a) the source address is defined as any or null, the destination address is defined as any or null, and the service is not defined as null or as TCP, UDP or ICMP;
(b) the destination address is defined as any or null, the service is defined as null or as TCP, UDP or ICMP, and the source address is not defined as any or null;
(c) the service is defined as null or as TCP, UDP or ICMP, the source address is defined as any or null, and the destination address is not defined as any or null;
policy granularity level 1: the source address is defined as any or null, the destination address is defined as any or null, and the service is defined as null or as TCP, UDP or ICMP.
8. The method for calculating security policy granularity according to claim 7, characterized in that in S3.4, the specific calculation formulas for the quantities that define the policy granularity are as follows:
firstly, the level of an address definition is set by the following algorithm:
an address that is null or any is assigned 0;
an address that is a range or a subnet is assigned 2;
an address that is a single address is assigned 3;
secondly, the level of a service definition is set by the following algorithm:
a service that is null, or that is TCP, UDP or ICMP, is assigned 0;
a service that is a range is assigned 2;
a service that is a single protocol plus a port is assigned 3;
thirdly, the source address level of the policy is counted from the policy's source addresses and assigned to sl, by the following method:
the level of each source address is counted as sl1, sl2, …, sln respectively, and the minimum level over all source addresses is taken as the overall source address level, namely sl:
sl = min(sl1, sl2, …, sln);
fourthly, the destination address level of the policy is counted from the policy's destination addresses and assigned to dl, by the following method:
the level of each destination address is counted as dl1, dl2, …, dln respectively, and the minimum level over all destination addresses is taken as the overall destination address level, namely dl:
dl = min(dl1, dl2, …, dln);
fifthly, the service level of the policy is counted and assigned to pl, by the following method:
the level of each service is counted as pl1, pl2, …, pln respectively, and the minimum level over all services is taken as the overall service level, namely pl:
pl = min(pl1, pl2, …, pln);
sixthly, the final policy granularity is counted and assigned to pg, by the following method:
the source address level sl, the destination address level dl and the service level pl are added together, divided by 2, rounded down, and then increased by 1, that is:
pg = ⌊(sl + dl + pl) / 2⌋ + 1
9. The method for calculating security policy granularity according to claim 8, characterized in that in S3.4, all algorithms are implemented in the Java language.
10. The method for calculating security policy granularity according to claim 8, characterized in that in S3.5, the specific method for calculating the policy granularity comprises the following steps:
S3.5.1, firstly, calculating the address resource types corresponding to the policy's source address and destination address and assigning values by type: a single IP address is assigned 3, a range or network segment is assigned 2, any is assigned 1, and null is assigned 0; if several types of address exist in the source address or the destination address, the lowest value is taken;
S3.5.2, then calculating the service resource types corresponding to the policy's service: a protocol with a port is assigned 3, a protocol with a port range is assigned 2, TCP, UDP and ICMP are assigned 1, and null is assigned 0; if several services exist in the policy, the lowest value is taken;
S3.5.3, finally, calculating the policy granularity by combining these values according to the specific policy granularity rules defined in step S3.4.
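The level assignment and combination rule of claims 7, 8 and 10, worked through as an added Python example; this is not the patent's own implementation (claim 9 states that one is written in Java). It follows the claim 8 values (a null or any address, and a null or protocol-only service, score 0) and assumes a constructed, vendor-neutral text format for addresses (single IP, CIDR subnet, or `a-b` range) and services (`proto/port` or `proto/lo-hi`).

```python
import ipaddress

# Added example, not the patent's Java implementation: the level assignments of
# claim 8 and the combination rule pg = floor((sl + dl + pl) / 2) + 1.
# Address/service strings use a constructed, vendor-neutral text format.
BARE_PROTOCOLS = {"tcp", "udp", "icmp"}

def address_level(addr: str) -> int:
    """Claim 8, step 1: null/any -> 0, range or subnet -> 2, single address -> 3."""
    a = (addr or "").strip().lower()
    if a in ("", "any"):
        return 0
    if "-" in a:                      # explicit range, e.g. 10.0.0.1-10.0.0.9
        return 2
    net = ipaddress.ip_network(a, strict=False)
    return 3 if net.num_addresses == 1 else 2   # a /32 host is a single address

def service_level(svc: str) -> int:
    """Claim 8, step 2: null or bare TCP/UDP/ICMP -> 0, port range -> 2, protocol+port -> 3."""
    s = (svc or "").strip().lower()
    if s in ("", "any") or s in BARE_PROTOCOLS:
        return 0
    proto, _, ports = s.partition("/")  # constructed format: tcp/443 or tcp/1024-2048
    if proto not in BARE_PROTOCOLS or not ports:
        raise ValueError(f"unrecognised service definition {svc!r}")
    return 2 if "-" in ports else 3

def policy_granularity(sources, destinations, services) -> int:
    """Steps 3-6: minimum level per field, then floor((sl + dl + pl) / 2) + 1."""
    sl = min(address_level(a) for a in sources)       # sl = min(sl1, ..., sln)
    dl = min(address_level(a) for a in destinations)  # dl = min(dl1, ..., dln)
    pl = min(service_level(s) for s in services)      # pl = min(pl1, ..., pln)
    return (sl + dl + pl) // 2 + 1                    # integer division rounds down

# Constructed sample policies covering the five levels described in claim 7.
SAMPLE_POLICIES = {
    "host-to-host-https":     (["10.1.1.10"], ["10.2.2.20"], ["tcp/443"]),
    "subnet-to-subnet-range": (["10.1.0.0/16"], ["10.2.0.0/24"], ["tcp/1024-2048"]),
    "any-source-to-dmz":      (["any"], ["10.2.0.0/24"], ["tcp/1024-2048"]),
    "any-to-any-https":       (["any"], ["any"], ["tcp/443"]),
    "any-to-any-tcp":         (["any"], ["any"], ["tcp"]),
}

def audit(policies=SAMPLE_POLICIES):
    """Granularity per policy; levels 1-2 are the over-permissive rules to review first."""
    return {name: policy_granularity(*fields) for name, fields in policies.items()}
```

A mixed field such as `["10.1.1.10", "10.1.0.0/16"]` scores 2, since the claim takes the minimum over all addresses in the field.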
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210206720.8A CN114465809A (en) 2022-03-04 2022-03-04 Method for calculating security policy granularity

Publications (1)

Publication Number Publication Date
CN114465809A true CN114465809A (en) 2022-05-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination