CN114567494A - Method, device and system for centralized management of heterogeneous firewall policies - Google Patents

Method, device and system for centralized management of heterogeneous firewall policies

Info

Publication number
CN114567494A
Authority
CN
China
Prior art keywords
strategy
policy
module
risk
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210207022.XA
Other languages
Chinese (zh)
Inventor
于芳永
李文皓
吴纪军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Yuanlu Information Technology Co ltd
Original Assignee
Shandong Yuanlu Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shandong Yuanlu Information Technology Co ltd
Priority to CN202210207022.XA
Publication of CN114567494A
Legal status: Pending

Classifications

    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L41/0813 Configuration management of networks or network elements: configuration setting characterised by the conditions triggering a change of settings
    • H04L41/0876 Configuration management of networks or network elements: aspects of the degree of configuration automation
    • H04L41/12 Discovery or management of network topologies
    • H04L41/22 Arrangements for maintenance, administration or management of data switching networks comprising specially adapted graphical user interfaces [GUI]
    • H04L63/205 Managing network security; network security policies in general, involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • Y02D30/50 Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Human Computer Interaction (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of communication security, in particular to a method, device and system for centralized management of heterogeneous firewall policies. The method comprises the following steps: introducing a dedicated NSPM (network security policy management) tool; mapping all network devices, their security policies and their access control rules into a virtual network topology; collecting policy configuration data and managing it centrally; cleaning and optimizing problem policies and risk policies according to preset rules; and managing the process by which a policy is added or changed. The design of the invention can quickly optimize and clean large numbers of policy rules, reducing network risk while lowering the performance load on network access control devices; the network security topology is generated from a model of the network security infrastructure, so that a policy security baseline can be set and monitored dynamically and network exposure risk can be analysed visually; and newly added policies can be guaranteed to meet compliance management and security control requirements, so that access control policies remain compliant under continuous operation and maintenance and the efficiency of policy change work is greatly improved.

Description

Method, device and system for centralized management of heterogeneous firewall policies
Technical Field
The invention relates to the technical field of communication security, in particular to a method, device and system for centralized management of heterogeneous firewall policies.
Background
Firewalls are the most common network security protection devices and are widely deployed in the networks of financial institutions. The basic function of a firewall is to prevent unauthorized access and to prevent and reduce network risk by configuring network access control policies, narrowing network access permissions and putting the principle of least privilege into practice. The access control policy is the core of the firewall and the foundation of the network security defense system; how well it is configured directly determines the effectiveness of the firewall and the overall level of network defense. If the access control policies of a network are poorly deployed, an attacker can break in by the simplest means no matter how advanced the security devices are. Currently, most financial institutions manage firewall policies manually. As network scale grows and services change frequently, the number of policy rules increases sharply, the effect of the policies becomes difficult to evaluate, and compliance becomes difficult to guarantee. Network security requirements now call for fine-grained, centralized management of firewall policies, but for a user organization or an assessment body, analysing the massive number of firewall policies in a complex network exceeds what can be done by hand, and the inherent heterogeneity, complexity and dynamic nature of a large firewall estate make fine-grained management and assessment of firewall policies difficult to put into practice. In view of this, we propose a method, device and system for centralized management of heterogeneous firewall policies.
Disclosure of Invention
The present invention provides a method, a device and a system for centralized management of heterogeneous firewall policies, so as to solve the problems described in the background art.
In order to solve the above technical problem, a first object of the present invention is to provide a method for centralized management of heterogeneous firewall policies, comprising the following steps:
S1, introducing a dedicated network security policy management (NSPM) tool;
S2, mapping all network devices, their security policies and their access control rules into a visual virtual network topology;
S3, collecting policy configuration data and centrally managing the cross-vendor, diverse and heterogeneous firewall policies of a hybrid network environment;
S4, finding the problem policies and risk policies among the policies by means of preset rules, and cleaning and optimizing them;
S5, when a policy configuration is added or changed, receiving the service application for the policy change, calculating and querying the change path from the change requirement, and carrying out a risk evaluation in advance so as to avoid misconfiguration.
As a further improvement of the present technical solution, in S3 the specific method for centrally managing cross-vendor, diverse and heterogeneous firewall policies in a hybrid network environment comprises the following steps:
S3.1, periodically capturing, by online collection, the policy configuration files and routing table information of heterogeneous firewalls, routers and switches, load balancers, VPN devices and similar equipment;
S3.2, parsing the collected data and storing it, in normalized form, in a unified security policy model.
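The normalization of S3.2 is the step that makes everything downstream vendor-independent: each device's native syntax must be parsed into one rule model (policy ID, source, destination, service, action) before rules from different devices can be compared. The following is an added example, not the patent's code, showing that step over two simplified, constructed syntaxes (iptables-save FORWARD lines and Cisco ASA extended access-list lines); the subsets handled, the device names and the sample configurations are assumptions made for illustration.

```python
# Added example (not the patent's code): normalizing two constructed, simplified
# vendor policy syntaxes into one rule model, as step S3.2 describes.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    """Unified security policy model shared by all vendors."""
    device: str
    rule_id: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str            # "tcp", "udp", "icmp" or "any"
    port: Optional[int]   # destination port; None means any
    action: str           # "permit" or "deny"


def _net(token: str) -> ipaddress.IPv4Network:
    """Map an address token (any, CIDR or bare host) to a network object."""
    if token in ("any", "any4"):
        return ANY
    if "/" in token:
        return ipaddress.ip_network(token, strict=False)
    return ipaddress.ip_network(token + "/32")


_IPT = re.compile(
    r"-A FORWARD(?: -s (\S+))?(?: -d (\S+))?(?: -p (\S+))?"
    r"(?: --dport (\d+))? -j (ACCEPT|DROP|REJECT)$"
)


def parse_iptables(device: str, text: str) -> List[Rule]:
    """Parse iptables-save style FORWARD rules (simplified subset)."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = _IPT.match(line.strip())
        if not m:
            continue  # table/chain headers, COMMIT, unsupported matches
        src, dst, proto, port, target = m.groups()
        rules.append(Rule(device, f"FORWARD#{len(rules) + 1}",
                          _net(src or "any"), _net(dst or "any"),
                          (proto or "any").lower(),
                          int(port) if port else None,
                          "permit" if target == "ACCEPT" else "deny"))
    return rules


def _asa_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one ASA address specification: any | host A | A MASK."""
    t = tokens.pop(0)
    if t in ("any", "any4"):
        return ANY
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_asa(device: str, text: str) -> List[Rule]:
    """Parse Cisco ASA extended access-list lines (simplified subset)."""
    rules: List[Rule] = []
    for line in text.splitlines():
        toks = line.split()
        if toks[:1] != ["access-list"] or "extended" not in toks:
            continue
        i = toks.index("extended")
        action, proto = toks[i + 1], toks[i + 2].lower()
        proto = "any" if proto == "ip" else proto
        rest = toks[i + 3:]
        src, dst = _asa_addr(rest), _asa_addr(rest)   # evaluated left to right
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append(Rule(device, f"{toks[1]}#{len(rules) + 1}",
                          src, dst, proto, port, action))
    return rules


PARSERS = {"iptables": parse_iptables, "asa": parse_asa}


def normalize(collected: dict) -> List[Rule]:
    """S3.2: collected[device] = (vendor, raw config text) -> unified rules."""
    rules: List[Rule] = []
    for device, (vendor, text) in collected.items():
        rules.extend(PARSERS[vendor](device, text))
    return rules


# Constructed sample of what the S3.1 collector would fetch from two devices.
SAMPLE_COLLECTED = {
    "fw-core": ("iptables", """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 10.1.0.0/16 -d 10.2.0.0/16 -p tcp --dport 443 -j ACCEPT
-A FORWARD -d 10.2.3.4 -p tcp --dport 22 -j DROP
COMMIT
"""),
    "fw-edge": ("asa", """\
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any 10.0.0.0 255.0.0.0
"""),
}

if __name__ == "__main__":
    for r in normalize(SAMPLE_COLLECTED):
        print(r)
```

Two details matter in practice and are visible here: address masks (dotted on ASA, prefix length on iptables) and the "any" keyword must be mapped to the same network type so that later subset tests work, and a line the parser does not understand must be reported rather than silently dropped in a production collector, since an unparsed rule is a rule the risk analysis never sees.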
A second object of the invention is to provide a device for centralized management of heterogeneous firewall policies, which supports execution of the steps of the above method and comprises the network devices, a service operation platform, a database and a security operation management center; the network devices are connected to the service operation platform by signal lines, the service operation platform communicates with the database over a wired or wireless link, and the security operation management center communicates with the network devices, the service operation platform and the database simultaneously over wired or wireless links.
As a further improvement of the present technical solution, the network devices include but are not limited to firewalls, routers, switches and load balancers, which are connected to one another in sequence by signal lines.
As a further improvement of the technical solution, the service operation platform comprises a processor and a memory connected by signal lines; the memory holds the dedicated NSPM tool, and the processor runs the NSPM tool to execute the corresponding program instructions.
As a further improvement of the present technical solution, the database includes but is not limited to a risk rule base, a configuration file base and a security policy base, which are communicatively connected in sequence and coexist independently.
A third object of the present invention is to provide a system for centralized management of heterogeneous firewall policies, which is installed on the above device and whose operation implements the above method, comprising a hybrid centralized management unit, a security risk management unit, a policy change management unit and an application connection management unit; the hybrid centralized management unit, the security risk management unit and the policy change management unit are connected in sequence by network communication, and the application connection management unit is connected to the hybrid centralized management unit by network communication; wherein:
the hybrid centralized management unit introduces a dedicated tool to centrally manage the access control policies of a hybrid network, in which network firewalls take increasingly diverse forms;
the security risk management unit analyses and manages the risks and weaknesses present in firewall policy configurations by matching them against a rule base;
the policy change management unit translates change requirements into executable command-line scripts, provides closed-loop management of the whole policy change workflow, and thereby improves security operation and maintenance capability in terms of both efficiency and risk control;
the application connection management unit models the network together with the security device policies to provide end-to-end, visual connection details for an application in the network, and feeds back to operation and maintenance staff the access relationships between assets in support of troubleshooting, comprehensive risk assessment and the like.
As a further improvement of the technical solution, the hybrid centralized management unit comprises a policy configuration management module, a policy risk assessment module, a problem policy cleaning module and an optimized policy configuration module, connected in that order, the signal output of each feeding the signal input of the next; wherein:
the policy configuration management module collects the configurations of network access control devices of different brands and types, extracts policy-related data, provides standardized data to the upper-layer computing modules, and in the reverse direction pushes configuration scripts down to the devices. Specifically, the module may log in to a device over SSH, Telnet, HTTPS or the like to collect its configuration, or may obtain the configuration from the device or from a CMDB through an API. It then parses policy-related data such as policy ID, source address object, destination address object, service, action, effective time and expiry time and outputs them in a standardized format, so that policy configuration data written in different syntaxes can be displayed uniformly. The module must support preset and user-defined policy configuration script templates for firewalls of different brands, so that firewall policy configuration scripts can be generated and pushed automatically. To generate the security topology automatically, the module must also parse interface, IP address, routing, NAT and similar data.
The policy risk assessment module carries out a compliance check of the security policies against a large set of preset policy risk detection rules and the access control rules between security domains, so as to detect junk policies and risk policies and reduce the security risk introduced by policy configuration;
the problem policy cleaning module cleans up the junk policies and the problem policies found to carry risk, and periodically cleans and optimizes the existing policy rules to raise the network security level;
the optimized policy configuration module balances minimization and refinement of the policy rules through risk detection and problem removal, gives operation and maintenance staff a basis for policy cleaning and optimization, and improves device operating efficiency.
In the policy cleaning and optimization modules, the standardized policy data is analysed to check the relationships between policy rules, so as to find shadowed policies, redundant policies and policies that can be merged; empty policies, policies containing ANY and expired policies are found by examining particular fields. Junk policies and risk policies are thus detected, handling suggestions are given and the policy rules are optimized. Some deeper problem policies cannot be found from the policy configuration alone: the policy configuration data must be compared with session log data, and the hit rate and hit details of the source address, destination address and service of each policy counted over a period of time, in order to identify loose policies and policies that have not been hit for a long time.
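The two kinds of analysis in the paragraph above, static relationship checks between rules and dynamic hit counting against session logs, can be shown concretely on normalized rules. The following is an added example, not the patent's code: it classifies a first-match rule list into shadowed, redundant, ANY/ANY and expired rules, then replays constructed session-log lines to find rules that were never hit. The rule model, the session-log format and the sample data are assumptions made for illustration.

```python
# Added example (not the patent's code): static checks (shadowed, redundant,
# ANY/ANY, expired) on a normalized first-match rule list, plus hit counting
# by replaying constructed session-log lines. Formats are assumed.
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
TODAY = date(2024, 5, 1)   # constructed "current" date for the expiry check


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                      # "tcp", "udp" or "any"
    port: Optional[int]             # destination port; None = any
    action: str                     # "permit" or "deny"
    expires: Optional[date] = None  # aging time; None = never


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    return (b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.proto in ("any", b.proto)
            and a.port in (None, b.port))


def classify(rules: List[Rule], today: date) -> Dict[str, List[str]]:
    """Static checks on the ordered (first-match) rule list."""
    out: Dict[str, List[str]] = {"shadowed": [], "redundant": [], "any_any": [], "expired": []}
    for j, r in enumerate(rules):
        # An earlier rule that covers r makes r unreachable: "shadowed" if the
        # actions differ (the intent is silently lost), "redundant" if they agree.
        for earlier in rules[:j]:
            if covers(earlier, r):
                key = "shadowed" if earlier.action != r.action else "redundant"
                out[key].append(r.rule_id)
                break
        if r.action == "permit" and r.src == ANY and r.dst == ANY and r.port is None:
            out["any_any"].append(r.rule_id)
        if r.expires is not None and r.expires < today:
            out["expired"].append(r.rule_id)
    return out


def first_match(rules: List[Rule], src, dst, proto: str, dport: int) -> Optional[Rule]:
    """First-match lookup, as the device itself would evaluate the flow."""
    for r in rules:
        if (src in r.src and dst in r.dst and r.proto in ("any", proto)
                and r.port in (None, dport)):
            return r
    return None


def hit_counts(rules: List[Rule], session_log: List[str]) -> Dict[str, int]:
    """Replay session records against the rule base and count hits per rule.
    Constructed log format: '<timestamp> <src_ip> <dst_ip> <proto> <dport>'."""
    counts = {r.rule_id: 0 for r in rules}
    for line in session_log:
        _ts, s, d, proto, dport = line.split()
        hit = first_match(rules, ipaddress.ip_address(s), ipaddress.ip_address(d),
                          proto, int(dport))
        if hit is not None:
            counts[hit.rule_id] += 1
    return counts


def unhit(rules: List[Rule], session_log: List[str]) -> List[str]:
    """Rules never hit in the observed window: candidates for removal."""
    return [rid for rid, n in hit_counts(rules, session_log).items() if n == 0]


def _r(rid, src, dst, proto, port, action, expires=None) -> Rule:
    return Rule(rid, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                proto, port, action, expires)


# Constructed rule base (first-match order) and session-log sample.
SAMPLE_RULES = [
    _r("R1", "10.1.0.0/16", "10.2.0.0/16", "tcp", 443, "permit"),
    _r("R2", "10.1.5.0/24", "10.2.0.0/16", "tcp", 443, "deny"),    # shadowed by R1
    _r("R3", "10.1.1.0/24", "10.2.3.0/24", "tcp", 443, "permit"),  # redundant with R1
    _r("R4", "172.16.0.0/12", "10.9.9.9/32", "tcp", 22, "permit", date(2021, 12, 31)),
    _r("R5", "0.0.0.0/0", "0.0.0.0/0", "any", None, "permit"),     # ANY/ANY
]
SAMPLE_SESSIONS = [
    "2024-05-01T10:00:00 10.1.2.3 10.2.4.5 tcp 443",
    "2024-05-01T10:00:05 10.1.5.9 10.2.4.5 tcp 443",   # lands on R1, never on R2
    "2024-05-01T10:01:00 192.168.1.1 10.2.4.5 udp 53",
]

if __name__ == "__main__":
    print(classify(SAMPLE_RULES, TODAY))
    print(hit_counts(SAMPLE_RULES, SAMPLE_SESSIONS))
```

The shadowed deny R2 is the case that matters most to a reviewer: the configuration reads as if 10.1.5.0/24 is blocked, but the device never evaluates R2 because R1 matches first, which is why the second session line is counted against R1. A rule that is unhit only because it is shadowed should be fixed by reordering, not deleted, so the static and dynamic findings must be read together.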
As a further improvement of the technical solution, the security risk management unit comprises a domain and topology management module, an access control baseline module and a network storm risk management module, connected in sequence by network communication and running in parallel; wherein:
the domain and topology management module automatically generates a security topology by modelling the correlations of the global access control policy; whereas an SNMP-based network topology mainly describes the physical state of devices and their physical connections, the security topology describes the logical connections and access control relationships between network objects.
The access control baseline module sets access control baselines between regions according to the inter-security-domain access control rules; the baseline information comprises at least the source domain, source address, destination domain, destination address, protocol, port and action, supports user-defined blacklists and whitelists, high-risk ports and virus ports, and supports periodic inspection of the network access control policies against the baseline to find non-compliant policies.
The network storm risk management module automatically analyses the network exposure paths and exposure risk of a given host or host group.
Specifically, external exposure is described from the perspective of network access relationships and security paths, which helps the user learn promptly the size and risk of the network exposure surface of important hosts and host groups, and assists the user in reducing the exposure surface and hardening the exposure paths.
As a further improvement of the technical solution, the policy change management unit comprises a service work order management module, a path simulation module, a compliance risk analysis module and a policy activation verification module, connected in that order, the signal output of each feeding the signal input of the next; wherein:
the service work order management module receives policy change applications from business departments, monitors the progress of work order execution, and records and audits the execution results;
the path simulation module calculates and queries the change path from the requirements of the policy change work order, automatically finding the path to be opened and the target devices whose policy configuration must change;
the compliance risk analysis module analyses whether the new policy rule conflicts with the existing policy rules, so as to avoid redundant and shadowed rules, and whether the new rule complies with the inter-domain security baseline and the risk policy rules;
the policy activation verification module generates policy change configuration scripts for the different target devices from the result of the path simulation, and after the scripts have been pushed, performs a source-to-destination path query according to the path-opening requirement of the work order to confirm that the policy change has been completed correctly.
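The four modules above form one procedure: a work order is turned into a path, the path is checked against the inter-domain baseline and the existing rules, scripts are generated for the devices that need them, and the path is queried again after the push. The following is an added example, not the patent's code, running that procedure over a constructed estate of two devices and four security domains; the zone names and ranges, the baseline entries, the high-risk port list, the script templates (including the ASA ACL name) and the request data are all assumptions made for illustration.

```python
# Added example (not the patent's code): policy change workflow over a
# constructed topology: work order -> path simulation -> compliance and
# conflict check -> per-vendor script -> simulated push -> path re-query.
import ipaddress
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ZONES = {  # constructed security domains and their address ranges
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("10.10.0.0/24"),
    "core": ipaddress.ip_network("10.20.0.0/16"),
    "db": ipaddress.ip_network("10.30.0.0/24"),
}
# Inter-domain access control baseline (assumed): the only (proto, port)
# pairs a source domain may open towards a destination domain.
BASELINE = {
    ("internet", "dmz"): {("tcp", 443)},
    ("dmz", "core"): {("tcp", 8080)},
    ("dmz", "db"): {("tcp", 5432)},
}
HIGH_RISK_PORTS = {23, 445, 3389}
# Per-vendor script templates (assumed; the ACL name INSIDE_IN is illustrative).
TEMPLATES = {
    "iptables": "iptables -A FORWARD -s {src} -d {dst} -p {proto} --dport {port} -j ACCEPT",
    "asa": "access-list INSIDE_IN extended permit {proto} host {src_host} host {dst_host} eq {port}",
}


@dataclass
class Device:
    name: str
    vendor: str            # "iptables" or "asa": selects the script template
    zones: List[str]       # security domains attached to this device
    # ordered first-match rules (src_net, dst_net, proto, port, action); implicit deny
    rules: list = field(default_factory=list)


def zone_of(ip: ipaddress.IPv4Address) -> str:
    """Most specific zone containing ip ("internet" is the 0.0.0.0/0 fallback)."""
    return max((z for z, n in ZONES.items() if ip in n), key=lambda z: ZONES[z].prefixlen)


def find_path(devices: List[Device], src_zone: str, dst_zone: str) -> Optional[List[Device]]:
    """Breadth-first search over the zone/device graph; returns devices traversed."""
    adj: Dict[str, set] = {}
    for d in devices:
        for z in d.zones:
            adj.setdefault(z, set()).add(d.name)
            adj.setdefault(d.name, set()).add(z)
    prev: Dict[str, Optional[str]] = {src_zone: None}
    queue = deque([src_zone])
    while queue and dst_zone not in prev:
        n = queue.popleft()
        for m in sorted(adj.get(n, ())):
            if m not in prev:
                prev[m] = n
                queue.append(m)
    if dst_zone not in prev:
        return None
    hops, n = [], dst_zone
    while n is not None:
        hops.append(n)
        n = prev[n]
    by_name = {d.name: d for d in devices}
    return [by_name[h] for h in reversed(hops) if h in by_name]


def match(dev: Device, src, dst, proto, port):
    """First matching rule on dev, or None (implicit deny)."""
    for rule in dev.rules:
        s, d, p, pt, _ = rule
        if src in s and dst in d and p in ("any", proto) and pt in (None, port):
            return rule
    return None


def permits(dev: Device, src, dst, proto, port) -> bool:
    rule = match(dev, src, dst, proto, port)
    return rule is not None and rule[4] == "permit"


def process_change(devices: List[Device], src_ip: str, dst_ip: str, proto: str, port: int) -> dict:
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    sz, dz = zone_of(src), zone_of(dst)
    path = find_path(devices, sz, dz)                 # path simulation
    if path is None:
        return {"status": "no_path"}
    problems = []                                     # compliance and conflict analysis
    if port in HIGH_RISK_PORTS:
        problems.append(f"port {port} is on the high-risk list")
    if (proto, port) not in BASELINE.get((sz, dz), set()):
        problems.append(f"{proto}/{port} is outside the {sz}->{dz} baseline")
    for dev in path:
        hit = match(dev, src, dst, proto, port)
        if hit is not None and hit[4] == "deny":
            problems.append(f"{dev.name}: existing deny rule {hit[:4]} would shadow the new permit")
    if problems:
        return {"status": "rejected", "path": [d.name for d in path], "problems": problems}
    scripts = {}                                      # generate only where the flow is not yet open
    for dev in path:
        if not permits(dev, src, dst, proto, port):
            scripts[dev.name] = TEMPLATES[dev.vendor].format(
                src=f"{src}/32", dst=f"{dst}/32", src_host=src, dst_host=dst, proto=proto, port=port)
            dev.rules.append((ipaddress.ip_network(f"{src}/32"), ipaddress.ip_network(f"{dst}/32"),
                              proto, port, "permit"))  # simulated push
    verified = all(permits(dev, src, dst, proto, port) for dev in path)  # path re-query
    return {"status": "opened" if verified else "failed", "path": [d.name for d in path], "scripts": scripts}


def build_sample() -> List[Device]:
    """Constructed estate: an edge ASA and a core iptables gateway."""
    return [
        Device("fw-edge", "asa", ["internet", "dmz"],
               [(ZONES["internet"], ZONES["dmz"], "tcp", 443, "permit")]),
        Device("fw-core", "iptables", ["dmz", "core", "db"],
               [(ZONES["dmz"], ZONES["core"], "tcp", 8080, "permit"),
                (ipaddress.ip_network("10.10.0.99/32"), ZONES["db"], "any", None, "deny")]),
    ]


if __name__ == "__main__":
    devs = build_sample()
    print(process_change(devs, "10.10.0.5", "10.30.0.7", "tcp", 5432))    # opened on fw-core
    print(process_change(devs, "10.10.0.99", "10.30.0.7", "tcp", 5432))   # rejected: shadowed
    print(process_change(devs, "203.0.113.9", "10.30.0.7", "tcp", 3389))  # rejected: baseline
```

The second request is the case the conflict analysis exists for: the baseline allows dmz to db on tcp/5432, yet an existing deny on fw-core would match first, so an appended permit would be pushed and never take effect. Catching that before the push, rather than discovering it in the post-push path query, is the difference between a rejected work order and a failed change.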
A fourth object of the present invention is to provide an operating device for the heterogeneous firewall policy centralized management system, comprising a processor, a memory and a computer program stored in the memory and running on the processor, the processor implementing the steps of the above system and method when executing the computer program.
A fifth object of the present invention is to provide a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the above system and method for centralized management of heterogeneous firewall policies.
Compared with the prior art, the invention has the following beneficial effects:
1. in the method, device and system for centralized management of heterogeneous firewall policies, fine-grained, centralized management of the deployed firewall policies allows large numbers of policy rules to be optimized and cleaned quickly, reducing network risk and lowering the performance load on network access control devices;
2. in the method, device and system for centralized management of heterogeneous firewall policies, the network security topology is generated from a model of the network security infrastructure, so that a policy security baseline can be set and monitored dynamically, network exposure risk can be analysed visually, and the user can reduce the network exposure surface and thereby network risk;
3. in the method, device and system for centralized management of heterogeneous firewall policies, the whole firewall policy change workflow is managed automatically as a closed loop, newly added policies are guaranteed to meet compliance management and security control requirements, access control policies remain compliant under continuous operation and maintenance, and the efficiency of policy change work is greatly improved.
Drawings
FIG. 1 is an overall flow chart of a management method in the present invention;
FIG. 2 is a partial flow diagram of a management method of the present invention;
FIG. 3 is a block diagram of an exemplary management device of the present invention;
FIG. 4 is a diagram showing an overall configuration of a management system according to the present invention;
FIG. 5 is a first partial structure diagram of the management system of the present invention;
FIG. 6 is a second partial structure diagram of the management system of the present invention;
FIG. 7 is a third partial structure diagram of the management system of the present invention;
FIG. 8 is a schematic diagram of an exemplary electronic computing device according to the present invention.
In the figure:
1. network devices; 11. firewall; 12. router; 13. switch; 14. load balancer;
2. service operation platform; 21. processor; 22. memory; 23. dedicated NSPM tool;
3. database; 31. risk rule base; 32. configuration file base; 33. security policy base;
4. security operation management center;
100. hybrid centralized management unit; 101. policy configuration management module; 102. policy risk assessment module; 103. problem policy cleaning module; 104. optimized policy configuration module;
200. security risk management unit; 201. domain and topology management module; 202. access control baseline module; 203. network storm risk management module;
300. policy change management unit; 301. service work order management module; 302. path simulation module; 303. compliance risk analysis module; 304. policy activation verification module;
400. application connection management unit.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings of the embodiments; obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments that a person skilled in the art can derive from these embodiments without creative effort fall within the protection scope of the present invention.
Example 1
As shown in FIGS. 1 to 8, this embodiment provides a method, a device and a system for centralized management of heterogeneous firewall policies, described below under these three headings.
As shown in FIGS. 1 and 2, this embodiment provides a method for centralized management of heterogeneous firewall policies, comprising the following steps:
S1, introducing a dedicated network security policy management (NSPM) tool;
S2, mapping all network devices, their security policies and their access control rules into a visual virtual network topology;
S3, collecting policy configuration data and centrally managing the cross-vendor, diverse and heterogeneous firewall policies of a hybrid network environment;
S4, finding the problem policies and risk policies among the policies by means of preset rules, and cleaning and optimizing them;
S5, when a policy configuration is added or changed, receiving the service application for the policy change, calculating and querying the change path from the change requirement, and carrying out a risk evaluation in advance so as to avoid misconfiguration.
In a hybrid network environment, the diverse network firewalls include but are not limited to dedicated physical appliances, virtual appliances, embedded firewall modules and the firewall control systems provided by IaaS platforms.
Specifically, the main NSPM product vendors at present are Skybox, RedSeal, FireMon and AlgoSec, together with amboto in China.
In terms of the completeness and maturity of product functions, Skybox, RedSeal and Anboson form the first tier and FireMon and AlgoSec the second. The first-tier vendors have a relatively complete data foundation and set of application functions, especially for data such as routing configuration and address mapping configuration; the second tier focuses mainly on inspection and maintenance of firewall policies.
Further, in S3 the specific method for centrally managing cross-vendor, diverse and heterogeneous firewall policies in a hybrid network environment comprises the following steps:
S3.1, periodically capturing, by online collection, the policy configuration files and routing table information of heterogeneous firewalls, routers and switches, load balancers, VPN devices and similar equipment;
S3.2, parsing the collected data and storing it, in normalized form, in a unified security policy model.
As shown in FIG. 3, this embodiment further provides a device for centralized management of heterogeneous firewall policies, which supports execution of the steps of the above method and comprises network devices 1, a service operation platform 2, a database 3 and a security operation management center 4; the network devices 1 are connected to the service operation platform 2 by signal lines, the service operation platform 2 communicates with the database 3 over a wired or wireless link, and the security operation management center 4 communicates with the network devices 1, the service operation platform 2 and the database 3 simultaneously over wired or wireless links.
Further, the network devices 1 include but are not limited to a firewall 11, a router 12, a switch 13 and a load balancer 14; the firewall 11, the router 12, the switch 13 and the load balancer 14 are connected to one another in sequence by signal lines.
Further, the service operation platform 2 comprises a processor 21 and a memory 22 connected by signal lines; the memory 22 holds the dedicated NSPM tool 23, and the processor 21 runs the NSPM tool 23 to execute the corresponding program instructions.
Further, the database 3 includes but is not limited to a risk rule base 31, a configuration file base 32 and a security policy base 33, which are communicatively connected in sequence and coexist independently.
As shown in figs. 4-7, the present embodiment further provides a system for centralized management of heterogeneous firewall policies, where the system is installed in the device for centralized management of heterogeneous firewall policies and its operation implements the steps of the method for centralized management of heterogeneous firewall policies; the system includes a hybrid centralized management unit 100, a security risk management unit 200, a policy change management unit 300 and an application connection management unit 400; the hybrid centralized management unit 100, the security risk management unit 200 and the policy change management unit 300 are connected in sequence by network communication, and the application connection management unit 400 and the hybrid centralized management unit 100 are connected by network communication; wherein:
the hybrid centralized management unit 100 is configured to introduce a dedicated tool that centrally manages the access control policies of the hybrid network, covering the increasingly diverse forms of network firewall found in a hybrid network environment;
the security risk management unit 200 is configured to analyze and manage the various risks and vulnerabilities present in firewall configuration policies, using rule base matching technology;
the policy change management unit 300 is configured to translate change requirements into executable command-line scripts, implement closed-loop management of the whole policy change workflow, and thereby improve security operation and maintenance capability overall, both in efficiency and in risk control;
the application connection management unit 400 is configured to provide end-to-end visual connection details of applications in the network by performing association modeling of the network and security device policies, and to feed back to operation and maintenance staff the mutual access relationships between assets, troubleshooting support, comprehensive risk assessment and the like.
Further, the hybrid centralized management unit 100 includes a policy configuration management module 101, a policy risk evaluation module 102, a problem policy cleaning module 103 and an optimization policy configuration module 104; the signal output of the policy configuration management module 101 is connected to the signal input of the policy risk evaluation module 102, the signal output of the policy risk evaluation module 102 is connected to the signal input of the problem policy cleaning module 103, and the signal output of the problem policy cleaning module 103 is connected to the signal input of the optimization policy configuration module 104; wherein:
the policy configuration management module 101 is configured to collect the configurations of network access control devices of different brands and types, extract policy-related data, provide standardized data to the upper-layer computing module, and in the reverse direction issue configuration scripts to the devices;
the policy risk evaluation module 102 is configured to perform compliance checks on security policies against a large number of preset policy risk detection rules and the inter-security-domain access control rules, so as to detect junk policies and risk policies and reduce the security risk introduced by policy configuration;
the problem policy cleaning module 103 is configured to clean up junk policies and problem policies detected to carry risks, and to regularly clean up and optimize the existing (stock) policy rules so as to raise the network security level;
the optimization policy configuration module 104 balances minimization and refinement of policy rules through risk detection and problem removal, gives operation and maintenance staff a basis for policy cleanup and optimization, and improves the operating efficiency of the devices.
The policy configuration management module 101 may log in to a device via SSH, Telnet or HTTPS to collect its configuration, or may obtain the configuration from the device or from the CMDB through an API; policy-related data such as policy ID, source address object, destination address object, service, action, effective time and aging time must then be parsed and output in a standardized format, so that policy configuration data written in different syntaxes can be displayed in a uniform, standardized way; the policy configuration management module 101 must support preset and custom policy configuration script templates for firewalls of different brands, so that firewall policy configuration scripts can be generated and issued automatically; in addition, to generate the security topology automatically, the policy configuration management module must also parse interface, IP, route and NAT data.
In actual operation, opening or changing a policy easily introduces risky or non-compliant configuration; a large number of preset policy risk detection rules can cover multiple dimensions such as improper configuration, inter-domain violations and the opening of high-risk ports; and by setting an access control baseline between regions according to the inter-security-domain access control rules, compliance checks can be performed on the five-tuple of a security policy, helping operation and maintenance staff reduce the security risk introduced by policy configuration as far as possible.
It is also worth explaining that, through long-term accumulation, service changes and other causes, a firewall builds up many junk policies, and its protective effect declines accordingly. Specifically, in the policy risk evaluation module 102, the problem policy cleaning module 103 and the optimization policy configuration module 104, the standardized policy data must be computed on: each security policy in the configuration file is compared and analyzed against the other policies one by one, checking relationships between policy rules such as containing and being contained, so as to find hidden policies, redundant policies and mergeable policies; and by analyzing certain fields, empty policies, policies containing ANY and expired policies are found, thereby detecting junk policies and risk policies, giving disposal suggestions and optimizing the policy rules. Some deeper problem policies cannot be found by analyzing the policy configuration alone; for these, the policy configuration data is compared against session log data, and the hit rate and hit details of the source address, destination address and service in each policy configuration are counted over a period of time, which yields the analysis of loose policies and long-term unhit policies.
Further, the security risk management unit 200 includes a domain and topology management module 201, an access control baseline module 202 and a network storm risk management module 203; the domain and topology management module 201, the access control baseline module 202 and the network storm risk management module 203 are connected in sequence by network communication and run in parallel; wherein:
the domain and topology management module 201 is configured to generate a security topology automatically by performing correlation analysis modeling of the global access control policies; an SNMP-based network topology mainly describes the physical state of devices and their physical connections, whereas the security topology describes the logical connections and access control relationships among network objects;
the access control baseline module 202 is configured to set access control baselines between regions according to the inter-security-domain access control rules; the access control baseline information includes at least the source domain, source address, destination domain, destination address, protocol, port and action, supports user-defined black and white lists, high-risk ports and virus ports, and supports regular inspection of the network access control policies against the access control baseline to find violating policies;
the network storm risk management module 203 is configured to analyze network exposure paths and exposure risks automatically, taking a given host or host group as the object.
Specifically, the external exposure is described from the perspective of network access relationships and security paths, which helps the user learn in time the size and risk of the network exposure surface of certain important hosts and host groups, and assists the user in converging the exposure surface and hardening the exposure paths.
Further, the policy change management unit 300 includes a service work order management module 301, a path simulation calculation module 302, a compliance risk analysis module 303 and a policy activation verification module 304; the signal output of the service work order management module 301 is connected to the signal input of the path simulation calculation module 302, the signal output of the path simulation calculation module 302 is connected to the signal input of the compliance risk analysis module 303, and the signal output of the compliance risk analysis module 303 is connected to the signal input of the policy activation verification module 304; wherein:
the service work order management module 301 is configured to receive policy change applications from business departments, monitor work order execution progress, and record and audit the execution results;
the path simulation calculation module 302 is configured to calculate and query the change path based on the requirements of the policy change work order, and to find automatically the path to be opened and the target devices whose policy configuration must change;
the compliance risk analysis module 303 is configured to analyze whether the newly added policy rule conflicts with the existing policy rules, so as to avoid redundant and hidden rules, and to analyze whether the newly added policy rule conforms to the inter-domain security baseline and the risk policy rules;
the policy activation verification module 304 is configured to generate policy change configuration scripts for the different target devices according to the result of the path simulation calculation and, after the generated configuration scripts have been issued, to perform a source-to-destination path query according to the path opening requirement of the policy change work order, so as to confirm whether the policy change has been completed correctly.
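As an added example, not code from the patent, the following Python sketch carries the policy handling described above through in working form: the standardized policy record that module 101 outputs, the pairwise containment checks of modules 102 and 103 that find hidden, redundant, ANY-containing and expired policies, the inter-domain access control baseline of module 202 (deny entries acting as the black list and high-risk port list) and the pre-change conflict check of module 303. The record format, field names, sample policies, baseline entry and check date are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import IPv4Network, ip_network
from typing import Optional

ANY_NET = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Service:
    """Normalized service: protocol plus inclusive port range; "any" covers every protocol."""
    proto: str = "any"
    lo: int = 0
    hi: int = 65535

    def covers(self, other: "Service") -> bool:
        return self.proto in ("any", other.proto) and self.lo <= other.lo and other.hi <= self.hi

    def overlaps(self, other: "Service") -> bool:
        proto_ok = "any" in (self.proto, other.proto) or self.proto == other.proto
        return proto_ok and self.lo <= other.hi and other.lo <= self.hi

@dataclass(frozen=True)
class Policy:
    """Vendor-neutral record of the standardized fields named in the text (policy ID, source,
    destination, service, action, aging time). Baseline entries reuse it with pid = "src->dst domain"."""
    pid: str
    src: IPv4Network
    dst: IPv4Network
    svc: Service
    action: str                     # "permit" or "deny"
    expires: Optional[date] = None  # aging time; None means the policy never expires

def normalize(rec: dict) -> Policy:
    """Map one extracted record (hypothetical field names; service written "tcp/1024-2048") onto the model."""
    proto, _, ports = rec.get("service", "any").partition("/")
    lo, _, hi = ports.partition("-") if ports else ("0", "", "65535")
    return Policy(rec["id"], ip_network(rec.get("src", "0.0.0.0/0")), ip_network(rec.get("dst", "0.0.0.0/0")),
                  Service(proto, int(lo), int(hi or lo)), rec["action"].lower(),
                  date.fromisoformat(rec["expires"]) if rec.get("expires") else None)

def covers(a: Policy, b: Policy) -> bool:  # every packet matched by b is also matched by a (b is contained in a)
    return b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst) and a.svc.covers(b.svc)

def intersects(a: Policy, b: Policy) -> bool:  # at least one packet is matched by both a and b
    return a.src.overlaps(b.src) and a.dst.overlaps(b.dst) and a.svc.overlaps(b.svc)

def find_hidden(policies):  # hidden (shadowed) policies: an earlier rule already matches all their traffic
    return [p.pid for i, p in enumerate(policies) if any(covers(q, p) for q in policies[:i])]

def find_redundant(policies):
    """Redundant policies: a later rule with the same action covers them and no rule in between with a
    different action intersects them, so deleting them leaves the effective behaviour unchanged."""
    out = []
    for i, p in enumerate(policies):
        for q in policies[i + 1:]:
            if q.action != p.action and intersects(p, q):
                break
            if q.action == p.action and covers(q, p):
                out.append(p.pid)
                break
    return out

def find_any_policies(policies):  # policies containing ANY in source, destination or service
    return [p.pid for p in policies if ANY_NET in (p.src, p.dst) or p.svc == Service()]

def find_expired(policies, today: date):  # policies whose aging time has already passed
    return [p.pid for p in policies if p.expires is not None and p.expires < today]

def baseline_violations(p: Policy, baseline):
    """A permit policy violates each 'deny' baseline entry (black list, high-risk port) whose traffic it lets through."""
    if p.action != "permit":
        return []
    return [b.pid for b in baseline if b.action == "deny" and intersects(p, b)]

def precheck_change(new: Policy, existing, baseline) -> dict:
    """Pre-change analysis of a requested rule appended after the existing rules (module 303)."""
    merged = existing + [new]
    already = set(find_redundant(existing))
    return {"hidden": new.pid in find_hidden(merged),
            "makes_redundant": [pid for pid in find_redundant(merged) if pid not in already],
            "baseline_violations": baseline_violations(new, baseline)}

# Constructed sample data: five collected policies, one baseline deny entry and the check date.
POLICIES = [normalize(r) for r in [
    {"id": "P1", "src": "10.1.0.0/24", "dst": "10.2.0.10/32", "service": "tcp/443", "action": "permit"},
    {"id": "P2", "src": "10.1.0.0/16", "dst": "10.2.0.0/24", "service": "tcp/443", "action": "permit"},
    {"id": "P3", "src": "10.1.0.5/32", "dst": "10.2.0.10/32", "service": "tcp/443", "action": "deny"},
    {"id": "P4", "src": "10.3.0.0/24", "dst": "0.0.0.0/0", "service": "any", "action": "permit"},
    {"id": "P5", "src": "10.4.0.0/24", "dst": "10.2.0.0/24", "service": "tcp/22", "action": "permit", "expires": "2021-12-31"},
]]
BASELINE = [normalize({"id": "dmz->core", "src": "10.3.0.0/24", "dst": "10.2.0.0/24", "service": "tcp/3389", "action": "deny"})]
TODAY = date(2022, 3, 4)
```

On the sample data, find_hidden(POLICIES) reports P3 (shadowed by P2), find_redundant(POLICIES) reports P1 (fully covered by the later permit P2), find_any_policies reports P4, find_expired reports P5, and P4 is the one policy that violates the dmz->core baseline entry.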
As shown in fig. 8, the present embodiment further provides an operating apparatus of a heterogeneous firewall policy centralized management system, where the apparatus includes a processor, a memory, and a computer program stored in the memory and running on the processor.
The processor includes one or more processing cores and is connected to the memory through a bus; the memory is used to store program instructions, and when the processor executes the program instructions in the memory, the steps of the system and method for centralized management of heterogeneous firewall policies are implemented.
Alternatively, the memory may be implemented by any type or combination of volatile or non-volatile memory devices, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
In addition, the present invention further provides a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, it implements the steps of the system and method for centralized management of heterogeneous firewall policies.
Optionally, the present invention further provides a computer program product containing instructions, which when run on a computer, causes the computer to perform the steps of the above-mentioned system and method for centralized management of heterogeneous firewall policies.
It will be understood by those skilled in the art that the processes for implementing all or part of the steps of the above embodiments may be implemented by hardware, or may be implemented by a program for instructing relevant hardware, and the program may be stored in a computer readable storage medium, where the above mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The foregoing shows and describes the general principles, principal features, and advantages of the invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, and the preferred embodiments of the present invention are described in the above embodiments and the description, and are not intended to limit the present invention. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (10)

1. A method for centralized management of heterogeneous firewall policies, characterized in that the method comprises the following steps:
S1, introducing a dedicated tool of an intelligent operation and maintenance management platform (NSPM);
S2, mapping the whole-network devices, their security policies and their access control rules into a visual virtual network topology;
S3, for the cross-vendor, diversified and heterogeneous firewall policies in the hybrid network environment, acquiring the policy configuration data and managing it centrally;
S4, finding problem policies and risk policies among the policies through preset rules, and cleaning up and optimizing the problem policies and risk policies;
and S5, when a policy configuration is newly added or changed, receiving the service application for the policy change, calculating and querying the change path based on the change requirement, and performing a risk evaluation in advance to avoid misconfiguration.
2. The method for centralized management of heterogeneous firewall policies according to claim 1, characterized in that in S3 the specific method for centrally managing the cross-vendor, diversified and heterogeneous firewall policies in the hybrid network environment comprises the following steps:
S3.1, periodically capturing, by online collection, the policy configuration files and routing table information of devices such as heterogeneous firewalls, routers and switches, load balancers and VPN (virtual private network) devices;
and S3.2, parsing the data collected online and storing it in normalized form in a unified security policy model.
3. A device for centralized management of heterogeneous firewall policies, configured to support the implementation of the steps of the method for centralized management of heterogeneous firewall policies according to any one of claims 1-2, characterized in that: the device comprises a whole-network device (1), a service operation platform (2), a database (3) and a security operation management center (4); the whole-network device (1) is signal-connected to the service operation platform (2) through a signal line, the service operation platform (2) is communicatively connected to the database (3) in a wired/wireless manner, and the security operation management center (4) is communicatively connected to the whole-network device (1), the service operation platform (2) and the database (3) simultaneously in a wired/wireless manner.
4. The device for centralized management of heterogeneous firewall policies according to claim 3, characterized in that: the whole-network device (1) comprises, but is not limited to, a firewall (11), a router (12), a switch (13) and a load balancer (14); the firewall (11) and/or the router (12) and/or the switch (13) and/or the load balancer (14) are in turn connected through signal lines.
5. The device for centralized management of heterogeneous firewall policies according to claim 3, characterized in that: the service operation platform (2) comprises a processor (21) and a memory (22) connected through signal lines, wherein the memory (22) is loaded with a dedicated NSPM tool (23), and the processor (21) drives the dedicated NSPM tool (23) to execute the corresponding program instructions.
6. The device for centralized management of heterogeneous firewall policies according to claim 3, characterized in that: the database (3) comprises, but is not limited to, a risk rule base (31), a configuration file base (32) and a security policy base (33); the risk rule base (31), the configuration file base (32) and the security policy base (33) are communicatively connected in sequence and coexist independently.
7. A system for centralized management of heterogeneous firewall policies, loaded in the device for centralized management of heterogeneous firewall policies according to any one of claims 3 to 6, the operation of the system implementing the steps of the method for centralized management of heterogeneous firewall policies according to any one of claims 1 to 2, characterized in that: the system comprises a hybrid centralized management unit (100), a security risk management unit (200), a policy change management unit (300) and an application connection management unit (400); the hybrid centralized management unit (100), the security risk management unit (200) and the policy change management unit (300) are connected in sequence through network communication, and the application connection management unit (400) and the hybrid centralized management unit (100) are connected through network communication; wherein:
the hybrid centralized management unit (100) is configured to introduce a dedicated tool that centrally manages the access control policies of the hybrid network, covering the increasingly diverse forms of network firewall found in a hybrid network environment;
the security risk management unit (200) is configured to analyze and manage the various risks and vulnerabilities present in firewall configuration policies, using rule base matching technology;
the policy change management unit (300) is configured to translate change requirements into executable command-line scripts, implement closed-loop management of the whole policy change workflow, and thereby improve security operation and maintenance capability overall, both in efficiency and in risk control;
the application connection management unit (400) is configured to provide end-to-end visual connection details of applications in the network through association modeling of the network and security device policies, and to feed back to operation and maintenance staff the mutual access relationships between assets, troubleshooting support, comprehensive risk assessment and the like.
8. The system for centralized management of heterogeneous firewall policies according to claim 1, characterized in that: the hybrid centralized management unit (100) comprises a policy configuration management module (101), a policy risk evaluation module (102), a problem policy cleaning module (103) and an optimization policy configuration module (104); the signal output of the policy configuration management module (101) is connected to the signal input of the policy risk evaluation module (102), the signal output of the policy risk evaluation module (102) is connected to the signal input of the problem policy cleaning module (103), and the signal output of the problem policy cleaning module (103) is connected to the signal input of the optimization policy configuration module (104); wherein:
the policy configuration management module (101) is configured to collect the configurations of network access control devices of different brands and types, extract policy-related data, provide standardized data to the upper-layer computing module, and in the reverse direction issue configuration scripts to the devices;
the policy risk evaluation module (102) is configured to perform compliance checks on security policies against a large number of preset policy risk detection rules and the inter-security-domain access control rules, so as to detect junk policies and risk policies and reduce the security risk introduced by policy configuration;
the problem policy cleaning module (103) is configured to clean up junk policies and problem policies detected to carry risks, and to regularly clean up and optimize the existing (stock) policy rules so as to raise the network security level;
the optimization policy configuration module (104) balances minimization and refinement of policy rules through risk detection and problem removal, gives operation and maintenance staff a basis for policy cleanup and optimization, and improves the operating efficiency of the devices.
9. The system for centralized management of heterogeneous firewall policies according to claim 1, characterized in that: the security risk management unit (200) comprises a domain and topology management module (201), an access control baseline module (202) and a network storm risk management module (203); the domain and topology management module (201), the access control baseline module (202) and the network storm risk management module (203) are connected in sequence through network communication and run in parallel; wherein:
the domain and topology management module (201) is configured to generate a security topology automatically by performing correlation analysis modeling of the global access control policies;
the access control baseline module (202) is configured to set access control baselines between regions according to the inter-security-domain access control rules;
the network storm risk management module (203) is configured to analyze network exposure paths and exposure risks automatically, taking a given host or host group as the object.
10. The system for centralized management of heterogeneous firewall policies according to claim 1, characterized in that: the policy change management unit (300) comprises a service work order management module (301), a path simulation calculation module (302), a compliance risk analysis module (303) and a policy activation verification module (304); the signal output of the service work order management module (301) is connected to the signal input of the path simulation calculation module (302), the signal output of the path simulation calculation module (302) is connected to the signal input of the compliance risk analysis module (303), and the signal output of the compliance risk analysis module (303) is connected to the signal input of the policy activation verification module (304); wherein:
the service work order management module (301) is configured to receive policy change applications from business departments, monitor work order execution progress, and record and audit the execution results;
the path simulation calculation module (302) is configured to calculate and query the change path based on the requirements of the policy change work order, and to find automatically the path to be opened and the target devices whose policy configuration must change;
the compliance risk analysis module (303) is configured to analyze whether the newly added policy rule conflicts with the existing policy rules, so as to avoid redundant and hidden rules, and to analyze whether the newly added policy rule conforms to the inter-domain security baseline and the risk policy rules;
the policy activation verification module (304) is configured to generate policy change configuration scripts for the different target devices according to the result of the path simulation calculation and, after the generated configuration scripts have been issued, to perform a source-to-destination path query according to the path opening requirement of the policy change work order, so as to confirm whether the policy change has been completed correctly.
Priority Applications (1)

Application Number Priority Date Filing Date Title Status
CN202210207022.XA 2022-03-04 2022-03-04 Method, device and system for centralized management of heterogeneous firewall policies Pending

Publications (1)

Publication Number Publication Date
CN114567494A (en) 2022-05-31

Family

ID=81718639

Country Status (1)

Country Link
CN (1) CN114567494A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170134426A1 (en) * 2015-11-05 2017-05-11 International Business Machines Corporation Providing a common security policy for a heterogeneous computer architecture environment
CN111786949A (en) * 2020-05-22 2020-10-16 山东鲁能软件技术有限公司 Firewall security policy automatic adaptation system and method
CN113364801A (en) * 2021-06-24 2021-09-07 深圳前海微众银行股份有限公司 Management method, system, terminal device and storage medium of network firewall policy

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination