CN115150161A - Firewall security policy configuration method and device, storage medium and electronic device - Google Patents


Info

Publication number: CN115150161A
Authority: CN (China)
Prior art keywords: firewall, security configuration, policy, feature library, configuration policy
Legal status: Granted
Application number: CN202210764415.0A
Other languages: Chinese (zh)
Other versions: CN115150161B (en)
Inventor: 吕蕴真
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Events: application filed by Industrial and Commercial Bank of China Ltd (ICBC); priority to CN202210764415.0A; publication of CN115150161A; application granted; publication of CN115150161B; legal status active; anticipated expiration

Classifications

    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security)
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones (H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)
Abstract

The application discloses a configuration method and device of a firewall security policy, a storage medium and an electronic device, and relates to the field of financial technology. The method comprises the following steps: acquiring equipment information of a plurality of firewall equipment, and determining application programs to be protected of the plurality of firewall equipment; grouping the firewall devices according to the application programs to obtain a group of firewall devices corresponding to each application program; acquiring a protection rule feature library, and issuing the protection rule feature library to each firewall device; and acquiring a security configuration policy corresponding to each application program, and issuing the security configuration policy to a group of firewall equipment corresponding to the application program. Through the application, the problem that the application security firewall cannot be managed and operated and maintained conveniently and efficiently in the related technology is solved.

Description

Firewall security policy configuration method and device, storage medium and electronic device
Technical Field
The application relates to the field of financial technology, and in particular to a firewall security policy configuration method, a firewall security policy configuration device, a storage medium and an electronic device.
Background
In recent years, the external information security situation has become more severe and attacks on the internet application side are increasing. To improve the security protection capability of the internet application side, a Web Application Firewall (WAF, a website application-level intrusion prevention system) can be deployed on the device for protection. Because the number of internet applications in use keeps growing, the number of deployed WAFs has to be increased so that security protection covers all internet applications, and the WAFs need daily operation and maintenance to guarantee their normal operation.
As the number of WAFs grows, the operation and maintenance burden increases greatly. At present, however, each WAF is managed as an independent device: each device has to be operated on in turn during operation and maintenance, and the WAF configuration state of a device can only be checked and recorded manually. Operation, maintenance and management are therefore labour-intensive, inefficient and error-prone, and the current situation of each device cannot be known in time.
No effective solution has yet been proposed for the problem that, in the related art, the application security firewall cannot be managed, operated and maintained conveniently and efficiently.
Disclosure of Invention
The application provides a configuration method and device of a firewall security policy, a storage medium and an electronic device, and aims to solve the problem that an application security firewall cannot be managed, operated and maintained conveniently and efficiently in the related art.
According to one aspect of the application, a method for configuring a firewall security policy is provided. The method comprises the following steps: acquiring equipment information of a plurality of firewall equipment, and determining application programs to be protected of the plurality of firewall equipment; grouping the firewall devices according to the application programs to obtain a group of firewall devices corresponding to each application program, wherein each group of firewall devices is used for protecting the corresponding application program; the method comprises the steps of obtaining a protection rule feature library, and sending the protection rule feature library to each firewall device, wherein the protection rule feature library comprises a plurality of protection rules; and acquiring a security configuration policy corresponding to each application program, and issuing the security configuration policy to a group of firewall equipment corresponding to the application program, wherein the security configuration policy is an enabling policy of the protection rules in the protection rule feature library.
Optionally, after obtaining the security configuration policy corresponding to each application program and sending the security configuration policy to a group of firewall devices corresponding to the application program, the method further includes: the method comprises the steps of collecting a security configuration strategy of each firewall device, and comparing the security configuration strategy of the firewall device with a preset security configuration strategy to obtain a comparison result, wherein the preset security configuration strategy is a security configuration strategy corresponding to an application program protected by the firewall device; and under the condition that the comparison result indicates that the security configuration strategy of the firewall equipment is inconsistent with the preset security configuration strategy, adjusting the security configuration strategy of the firewall equipment according to the preset security configuration strategy.
Optionally, the obtaining the protection rule feature library, and issuing the protection rule feature library to each firewall device includes: acquiring a protection rule feature library, and determining version information of the protection rule feature library to obtain first version information; judging whether the current firewall equipment is configured with a protection rule feature library or not, and determining the version information of the configured protection rule feature library under the condition of the configured protection rule feature library to obtain second version information; judging whether the second version information is the same as the first version information; and under the condition that the second version information is different from the first version information, updating the protection rule feature library configured by the current firewall equipment according to the obtained protection rule feature library.
Optionally, the obtaining the security configuration policy corresponding to each application program, and issuing the security configuration policy to a group of firewall devices corresponding to the application program includes: judging whether the current firewall equipment is configured with a security configuration strategy or not; under the condition that the current firewall equipment is configured with a security configuration strategy, judging whether application programs to be protected of the plurality of firewall equipment are changed or not; under the condition that application programs to be protected of a plurality of firewall devices are changed, a security configuration policy corresponding to each application program is obtained, and the configured security configuration policy in the firewall devices is updated according to the obtained security configuration policy.
Optionally, in a case that the current firewall device has configured the security configuration policy, after determining whether the application to be protected by the multiple firewall devices changes, the method further includes: under the condition that the application programs to be protected of the firewall equipment are not changed, the security configuration strategy corresponding to each application program is obtained, and whether the obtained security configuration strategy is changed or not is judged; and under the condition that the obtained security configuration strategy is changed, updating the security configuration strategy configured by the current firewall equipment according to the obtained security configuration strategy.
Optionally, before obtaining the device information of the plurality of firewall devices, the method further includes: obtaining a historical login data packet of each firewall device, and determining login scripts corresponding to a plurality of firewall devices according to data in the historical login data packet; acquiring equipment login information of each firewall equipment, configuring the equipment login information to a login script, and acquiring an updated login script, wherein the equipment login information at least comprises one of the following information: login account information and login password information; and logging in a plurality of firewall devices according to the updated login script.
Optionally, the determining that the plurality of firewall devices are to be protected includes: calling application programs to be protected of a plurality of firewall devices, and detecting whether an adjusting instruction of the application programs is received or not, wherein the adjusting instruction of the application programs is used for indicating that the application programs are added or deleted; and under the condition of receiving the adjusting instruction, adjusting the application programs to be protected of the plurality of firewall equipment according to the content of the adjusting instruction to obtain the updated application programs to be protected.
According to another aspect of the present application, an apparatus for configuring a firewall security policy is provided. The apparatus includes: a first obtaining unit, configured to obtain device information of a plurality of firewall devices and determine the application programs to be protected by the firewall devices; a grouping unit, configured to group the plurality of firewall devices according to the application programs to obtain a group of firewall devices corresponding to each application program, wherein each group of firewall devices is used for protecting the corresponding application program; a first issuing unit, configured to acquire a protection rule feature library and issue it to each firewall device, wherein the protection rule feature library comprises a plurality of protection rules; and a second issuing unit, configured to acquire the security configuration policy corresponding to each application program and issue it to the group of firewall devices corresponding to that application program, wherein the security configuration policy is an enabling policy of the protection rules in the protection rule feature library.
According to another aspect of the embodiments of the present invention, a non-volatile storage medium is further provided, where the non-volatile storage medium is used to store a program, and the program controls, when running, a device in which the non-volatile storage medium is located to execute a configuration method of a firewall security policy.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device including one or more processors and a memory; the memory stores computer-readable instructions, and the processor is used for executing the computer-readable instructions, wherein the computer-readable instructions, when executed, perform a method for configuring the firewall security policy.
Through the application, the following steps are adopted: acquiring equipment information of a plurality of firewall equipment, and determining application programs to be protected of the plurality of firewall equipment; grouping the firewall devices according to the application programs to obtain a group of firewall devices corresponding to each application program, wherein each group of firewall devices is used for protecting the corresponding application program; the method comprises the steps of obtaining a protection rule feature library and sending the protection rule feature library to each firewall device, wherein the protection rule feature library comprises a plurality of protection rules; the method comprises the steps of obtaining a security configuration strategy corresponding to each application program, and sending the security configuration strategy to a group of firewall equipment corresponding to the application program, wherein the security configuration strategy is a starting strategy of a protection rule in a protection rule feature library, and the problem that the application security firewall cannot be managed, operated and maintained conveniently and efficiently in the related technology is solved. By acquiring the device information and the application program information of the multiple devices and simultaneously managing and issuing the security policies to the multiple devices according to the device information and the application program information, the effects of accurately and efficiently managing, operating and maintaining the application security firewall are achieved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, are included to provide a further understanding of the application, and the description of the exemplary embodiments of the application are intended to be illustrative of the application and are not intended to limit the application. In the drawings:
fig. 1 is a flowchart of a method for configuring a firewall security policy according to an embodiment of the present application;
fig. 2 is a schematic diagram of a configuration apparatus of a firewall security policy provided according to an embodiment of the present application;
fig. 3 is a schematic diagram of an electronic device according to an embodiment of the present application.
Detailed Description
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances in order to facilitate the description of the embodiments of the application herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that, the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data for presentation, analyzed data, etc.) referred to in the present disclosure are information and data authorized by the user or sufficiently authorized by each party.
It should be noted that the configuration method, the configuration device, the storage medium, and the electronic device of the firewall security policy determined by the present disclosure may be used in the field of financial technology, and may also be used in any field other than the field of financial technology.
According to an embodiment of the application, a configuration method of a firewall security policy is provided.
Fig. 1 is a flowchart of a configuration method of a firewall security policy according to an embodiment of the present application. As shown in fig. 1, the method comprises the steps of:
step S101, obtaining device information of a plurality of firewall devices, and determining application programs to be protected by the plurality of firewall devices.
Specifically, each firewall device may protect multiple application programs. When managing and configuring policies for multiple firewall devices, the devices may be logged in to at the same time, and the device information of each firewall device is determined after login. The device information may include device-related information such as the IP address of the device, the device serial number, the version of the device's protection rule feature library, and the device license.
It should be noted that after the device information of each firewall device is obtained, the application programs that need to be protected on each device may be determined from the device information; for example, the application programs to be protected on device No. 1 may include an application A and an application B. The application programs to be protected that are recorded for a device may also be configured according to the application program information.
And S102, grouping the firewall devices according to the application programs to obtain a group of firewall devices corresponding to each application program, wherein each group of firewall devices is used for protecting the corresponding application program.
Specifically, after the device information of each firewall device and the application program corresponding to each firewall device are obtained, the firewall devices are grouped according to the application program to be protected of each firewall device, and the corresponding relationship between each application program and the corresponding firewall device is obtained.
For example, the application to be protected in the device No. 1 may include an application a and an application B, the application to be protected in the device No. 2 may include an application B and an application C, and the application to be protected in the device No. 3 may include an application a and an application C, at this time, the grouping result obtained after grouping may be: the application A corresponds to the equipment No. 1 and the equipment No. 3, the application B corresponds to the equipment No. 1 and the equipment No. 2, and the application C corresponds to the equipment No. 2 and the equipment No. 3.
Step S103, a protection rule feature library is obtained and issued to each firewall device, wherein the protection rule feature library comprises a plurality of protection rules.
Specifically, the protection rule feature library includes corresponding protection rules and protection schemes for different devices and different security problems, and in order to ensure that each firewall device executes corresponding protection operations, the protection rule feature library needs to be issued to each firewall device in a unified manner, thereby ensuring that each firewall device can solve corresponding security problems.
And step S104, acquiring a security configuration policy corresponding to each application program, and sending the security configuration policy to a group of firewall equipment corresponding to the application program, wherein the security configuration policy is an enabling policy of the protection rules in the protection rule feature library.
Specifically, because the application programs to be protected differ from firewall to firewall, and the application programs corresponding to a firewall may also change, the security policy of each firewall needs to be adjusted according to its protection requirements. Adjusting the policy changes which protection rules in the firewall's protection rule feature library are enabled, so that different firewalls may apply different protection to the same application program.
According to the configuration method of the firewall security policy, the device information of the plurality of firewall devices is obtained, and the application programs to be protected of the plurality of firewall devices are determined. And grouping the firewall devices according to the application programs to obtain a group of firewall devices corresponding to each application program, wherein each group of firewall devices is used for protecting the corresponding application program. And acquiring a protection rule feature library, and issuing the protection rule features to each firewall device, wherein the protection rule feature library comprises a plurality of protection rules. The method comprises the steps of obtaining a security configuration strategy corresponding to each application program, and sending the security configuration strategy to a group of firewall equipment corresponding to the application program, wherein the security configuration strategy is a starting strategy of a protection rule in a protection rule feature library, and the problem that the application security firewall cannot be managed, operated and maintained conveniently and efficiently in the related technology is solved. By acquiring the device information and the application program information of the multiple devices and simultaneously managing and issuing the security policies to the multiple devices according to the device information and the application program information, the effects of accurately and efficiently managing, operating and maintaining the application security firewall are achieved.
Optionally, in the method for configuring a firewall security policy provided in this embodiment of the present application, after obtaining a security configuration policy corresponding to each application program and sending the security configuration policy to a group of firewall devices corresponding to the application program, the method further includes: collecting a security configuration policy of each firewall device, and comparing the security configuration policy of the firewall device with a preset security configuration policy to obtain a comparison result, wherein the preset security configuration policy is a security configuration policy corresponding to an application program protected by the firewall device; and under the condition that the comparison result indicates that the security configuration strategy of the firewall equipment is inconsistent with the preset security configuration strategy, adjusting the security configuration strategy of the firewall equipment according to the preset security configuration strategy.
Specifically, while the firewall device is running, its security configuration policy may become abnormal because of a device failure, so the security configuration policy in the firewall device may be confirmed periodically. The security configuration policy currently used by the firewall device is compared with the preset security configuration policy to obtain a comparison result; when the two differ, the security configuration policy of the firewall device is judged to be abnormal, and the preset security configuration policy is issued as the newly obtained target security configuration policy to replace it.
For example, the preset security configuration policy of firewall device A consists of policy A and policy B, corresponding respectively to application A and application B protected by that device. After logging in to the firewall device, it is detected that, because of a device failure, the security configuration policy corresponding to application B has changed to policy C. Since a change of the security configuration policy has been detected, policy C on the firewall device is changed back to policy B according to the preset security configuration policy, which completes the correction of the abnormal policy. In this embodiment, the security configuration policy in the firewall device is checked regularly, so the accuracy of the security configuration policy corresponding to the firewall device is ensured.
Optionally, in the method for configuring a firewall security policy provided in this embodiment of the present application, acquiring a protection rule feature library, and issuing the protection rule feature library to each firewall device includes: acquiring a protection rule feature library, and determining version information of the protection rule feature library to obtain first version information; judging whether the current firewall equipment is configured with a protection rule feature library or not, and determining the version information of the configured protection rule feature library under the condition of the configured protection rule feature library to obtain second version information; judging whether the second version information is the same as the first version information; and under the condition that the second version information is different from the first version information, updating the protection rule feature library configured by the current firewall equipment according to the obtained protection rule feature library.
Specifically, after logging in the firewall device, the device information of each firewall device needs to be obtained first, where the device information may include a device protection rule feature library version, and at this time, the latest version of the current protection rule feature library is obtained and compared with the rule feature library version in each firewall device, and the rule feature library version of the firewall device whose rule feature library version is not the latest version is updated, so that the rule feature library of each firewall device is updated to the latest version. The embodiment updates the version of the rule feature library in the firewall equipment in time, so that the firewall equipment can perform protection more accurately.
Optionally, in the method for configuring a firewall security policy provided in this embodiment of the present application, acquiring a security configuration policy corresponding to each application program, and issuing the security configuration policy to a group of firewall devices corresponding to the application program includes: judging whether the current firewall equipment is configured with a security configuration strategy or not; under the condition that the current firewall equipment is configured with a security configuration strategy, judging whether application programs to be protected of the plurality of firewall equipment are changed or not; under the condition that application programs to be protected of a plurality of firewall devices are changed, a security configuration policy corresponding to each application program is obtained, and the configured security configuration policy in the firewall devices is updated according to the obtained security configuration policies.
Specifically, when the security configuration policy is issued to the group of firewall devices corresponding to an application program, it is necessary to determine whether the membership of the firewall device group corresponding to each application program has changed. When a device change is detected in the group corresponding to a certain application program, the security configuration policy corresponding to that application program is added to the security configuration policy of the affected firewall, and the resulting target security configuration policy is sent to the firewall device.
For example, the existing security configuration policy of firewall device A consists of policy A and policy B, which are the security configuration policies issued for application A and application B respectively. When the firewall devices corresponding to application C are checked, firewall device A is found among them, which indicates that the group of firewall devices corresponding to application C has changed. The security configuration policy of firewall device A therefore needs to be changed: policy C corresponding to application C is issued to firewall device A, whose security configuration policy becomes policy A, policy B and policy C, so that the preset security configuration policy is replaced and the security configuration policy is updated in time. This embodiment updates the version of the rule feature library in the firewall device in time, so that the firewall device can perform protection more accurately.
Optionally, in the firewall security policy configuration method provided in this embodiment of the present application, when the current firewall device already has a security configuration policy configured, after determining whether the applications to be protected by the plurality of firewall devices have changed, the method further includes: if the applications to be protected have not changed, acquiring the security configuration policy corresponding to each application and determining whether the acquired policy has changed; and if the acquired security configuration policy has changed, updating the policy configured on the current firewall device according to the acquired policy.
Specifically, when the applications to be protected by the plurality of firewall devices have not changed, the security configuration policy corresponding to each application is still acquired and checked for changes or errors relative to the policy configured on each device. Where the preset security configuration policy has changed or is found to be wrong, the correct policy is issued to the firewall devices corresponding to the affected application. This embodiment ensures that the security configuration policy on the firewall devices remains accurate.
Optionally, in the firewall security policy configuration method provided in this embodiment of the present application, before acquiring the device information of the plurality of firewall devices, the method further includes: obtaining a historical login data packet for each firewall device and determining, from the data in that packet, the login script corresponding to each of the firewall devices; obtaining the device login information of each firewall device and configuring it into the login script to obtain an updated login script, where the device login information includes at least one of login account information and login password information; and logging in to the plurality of firewall devices according to the updated login script.
Specifically, on the first login to the firewall devices, complete information such as user name, password, login location, login address and application scenario may be entered; after a firewall device receives this login information for the first time, a login packet can be generated from part of it and stored on the firewall device. On subsequent logins only the device login information, such as user name and password, needs to be entered: the corresponding historical login packet is retrieved from that information, the login script for the device is determined from the packet's data, and the device is logged in directly through the script. This embodiment makes logging in to firewall devices fast and convenient. Note that the stored login packet and the login script derived from it carry account and password material and must be protected accordingly.
Optionally, in the firewall security policy configuration method provided in this embodiment of the present application, determining the applications to be protected by the plurality of firewall devices includes: retrieving the applications to be protected by the plurality of firewall devices and detecting whether an adjustment instruction for an application is received, where the adjustment instruction indicates that an application is to be added or deleted; and, when an adjustment instruction is received, adjusting the applications to be protected by the plurality of firewall devices according to its content to obtain the updated set of applications to be protected.
Specifically, because the applications corresponding to each firewall device change over time, the correspondence between each firewall device and its applications must be checked periodically, and after a firewall device receives an adjustment instruction to add or delete an application the correspondence must be changed promptly so that the application is protected accurately. This embodiment adjusts the correspondence between firewall devices and applications in time, so that each firewall device can determine its protection targets accurately, improving both the efficiency and the accuracy of protection.
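As an added example, not code from the patent or from the applicant, the following hypothetical Python controller models the procedure described in the preceding paragraphs: grouping devices by application, issuing the versioned protection rule feature library only when the device's version differs, issuing each device's enabling policy as the union of the policies of the applications it protects, auditing a device's collected policy against its preset, and applying add/delete adjustment instructions. The scenario in demo() mirrors the firewall A / applications A, B, C example above. All class names, rule ids and the sample inventory are assumptions constructed for the example; the check that an enabling policy only references rules present in the issued library is added here and is not stated by the patent.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RuleLibrary:
    """Protection rule feature library: a version string and the ids of its rules (hypothetical)."""
    version: str
    rule_ids: frozenset


@dataclass
class Firewall:
    """Inventory record for one firewall device and what is currently configured on it (hypothetical)."""
    name: str
    library_version: str = ""                        # "" = no feature library configured yet
    enabled_rules: set = field(default_factory=set)  # the device's security configuration policy


class PolicyController:
    """Hypothetical controller: groups devices by application, issues the library and the
    per-application enabling policies, audits drift and applies adjustment instructions."""

    def __init__(self, library, app_policies, app_groups, devices):
        self.library = library
        self.app_policies = {a: frozenset(p) for a, p in app_policies.items()}  # app -> rule ids to enable
        self.app_groups = {a: set(d) for a, d in app_groups.items()}           # app -> device names
        self.devices = {d.name: d for d in devices}

    def adjust(self, action, app, devices=(), policy=()):
        """Apply an adjustment instruction that adds or deletes an application."""
        if action == "add":
            unknown = set(devices) - set(self.devices)
            if unknown:
                raise KeyError(f"unknown firewall devices: {sorted(unknown)}")
            self.app_groups[app] = set(devices)
            self.app_policies[app] = frozenset(policy)
        elif action == "delete":
            self.app_groups.pop(app, None)
            self.app_policies.pop(app, None)
        else:
            raise ValueError(f"unknown adjustment action: {action!r}")

    def preset_policy(self, name):
        """Preset policy of a device: union of the policies of every application it protects."""
        rules = set()
        for app, group in self.app_groups.items():
            if name in group:
                rules |= self.app_policies[app]
        return rules

    def issue_library(self, dev):
        """Push the feature library only if the device's version differs from the current one."""
        if dev.library_version == self.library.version:
            return False
        dev.library_version = self.library.version
        return True

    def issue_policy(self, dev):
        """Push the enabling policy only if it differs from the device's preset policy."""
        preset = self.preset_policy(dev.name)
        missing = preset - self.library.rule_ids
        if missing:
            # Added check (assumption): an enabling policy may only reference rules in the issued library.
            raise ValueError(f"{dev.name}: policy enables rules not in library: {sorted(missing)}")
        if dev.enabled_rules == preset:
            return False
        dev.enabled_rules = set(preset)
        return True

    def audit(self):
        """Collect each device's policy and diff it against its preset.
        Returns name -> (rules missing on the device, rules enabled but not in the preset)."""
        report = {}
        for name, dev in self.devices.items():
            preset = self.preset_policy(name)
            report[name] = (sorted(preset - dev.enabled_rules), sorted(dev.enabled_rules - preset))
        return report

    def reconcile(self):
        """Library first, then policy, for every device; returns (library_changed, policy_changed)."""
        return {n: (self.issue_library(d), self.issue_policy(d)) for n, d in self.devices.items()}


def demo():
    """Constructed scenario mirroring the firewall A / applications A, B, C example in the text."""
    library = RuleLibrary("lib-2024.03", frozenset({"sqli", "xss", "rce", "lfi"}))
    fw_a, fw_b = Firewall("fw-a"), Firewall("fw-b")
    ctl = PolicyController(
        library,
        app_policies={"app-A": {"sqli", "xss"}, "app-B": {"rce"}},
        app_groups={"app-A": ["fw-a"], "app-B": ["fw-a", "fw-b"]},
        devices=[fw_a, fw_b],
    )
    first = ctl.reconcile()                       # both devices receive the library and their policy
    ctl.adjust("add", "app-C", devices=["fw-a"], policy={"lfi"})
    second = ctl.reconcile()                      # only fw-a's policy grows (A + B + C)
    fw_b.enabled_rules.discard("rce")             # simulated manual change on the device
    drift = ctl.audit()                           # fw-b now lacks "rce"
    third = ctl.reconcile()                       # drift repaired from the preset
    return first, second, drift, third, set(fw_a.enabled_rules), set(fw_b.enabled_rules)


if __name__ == "__main__":
    print(demo())
```

The controller treats the device's collected policy, not the controller's last push, as the thing to compare against the preset, which is what makes the audit catch changes made directly on the device.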
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system, for example as a set of computer-executable instructions, and that, although a logical order is shown in the flowcharts, in some cases the steps illustrated or described may be performed in an order different from that presented here.
This embodiment of the present application further provides a firewall security policy configuration apparatus. It should be noted that this apparatus may be used to execute the firewall security policy configuration method provided in this embodiment. The apparatus is described below.
Fig. 2 is a schematic diagram of a configuration apparatus of a firewall security policy according to an embodiment of the present application. As shown in fig. 2, the apparatus includes: a first acquiring unit 21, a grouping unit 22, a first issuing unit 23, and a second issuing unit 24.
A first obtaining unit 21, configured to obtain device information of multiple firewall devices, and determine an application to be protected by the multiple firewall devices;
the grouping unit 22 is configured to group the firewall devices according to the application program to obtain a group of firewall devices corresponding to each application program, where each group of firewall devices is used to protect the corresponding application program;
the first issuing unit 23 is configured to obtain a protection rule feature library, and issue the protection rule feature library to each firewall device, where the protection rule feature library includes a plurality of protection rules;
the second issuing unit 24 is configured to acquire a security configuration policy corresponding to each application program, and issue the security configuration policy to a group of firewall devices corresponding to the application program, where the security configuration policy is an enabling policy of a protection rule in the protection rule feature library.
In the firewall security policy configuration apparatus provided in this embodiment of the present application, the first obtaining unit 21 obtains the device information of multiple firewall devices and determines the applications they are to protect; the grouping unit 22 groups the firewall devices by application so that each application has a corresponding group of firewall devices that protect it; the first issuing unit 23 acquires the protection rule feature library, which contains a plurality of protection rules, and issues it to every firewall device; and the second issuing unit 24 acquires the security configuration policy corresponding to each application, namely the enabling policy for protection rules in the feature library, and issues it to that application's group of firewall devices. This solves the problem in the related art that an application security firewall cannot be managed, operated and maintained conveniently and efficiently: by acquiring device information and application information for multiple devices and managing and issuing security policies to those devices together on that basis, the application security firewall can be managed, operated and maintained accurately and efficiently.
Optionally, in the apparatus for configuring a firewall security policy provided in the embodiment of the present application, the apparatus further includes: the system comprises an acquisition unit, a comparison unit and a processing unit, wherein the acquisition unit is used for acquiring the security configuration strategy of each firewall device and comparing the security configuration strategy of the firewall device with a preset security configuration strategy to obtain a comparison result, and the preset security configuration strategy is the security configuration strategy corresponding to an application program protected by the firewall device; and the adjusting unit is used for adjusting the security configuration strategy of the firewall equipment according to the preset security configuration strategy under the condition that the comparison result indicates that the security configuration strategy of the firewall equipment is inconsistent with the preset security configuration strategy.
Optionally, in the configuration apparatus of the firewall security policy provided in the embodiment of the present application, the first issue unit 23 includes: the first obtaining module is used for obtaining the protection rule feature library and determining the version information of the protection rule feature library to obtain first version information; the first judgment module is used for judging whether the current firewall equipment is configured with the protection rule feature library or not, and determining the version information of the configured protection rule feature library to obtain second version information under the condition of the configured protection rule feature library; the second judging module is used for judging whether the second version information is the same as the first version information; and the updating module is used for updating the protection rule feature library configured by the current firewall equipment according to the acquired protection rule feature library under the condition that the second version information is different from the first version information.
Optionally, in the configuration apparatus of the firewall security policy provided in this embodiment of the application, the second issuing unit 24 includes: the third judging module is used for judging whether the current firewall equipment is configured with a security configuration strategy or not; the fourth judging module is used for judging whether the application programs to be protected of the plurality of firewall equipment change or not under the condition that the security configuration strategy is configured on the current firewall equipment; and the second acquisition module is used for acquiring the security configuration policy corresponding to each application program under the condition that the application programs to be protected of the plurality of firewall devices are changed, and updating the configured security configuration policy in the firewall devices according to the acquired security configuration policy.
Optionally, in the apparatus for configuring a firewall security policy provided in the embodiment of the present application, the apparatus further includes: the second obtaining unit is used for obtaining the security configuration policy corresponding to each application program under the condition that the application programs to be protected of the plurality of firewall devices are not changed, and judging whether the obtained security configuration policy is changed or not; and the updating unit is used for updating the configured security configuration policy of the current firewall equipment according to the acquired security configuration policy under the condition that the acquired security configuration policy changes.
Optionally, in the apparatus for configuring a firewall security policy provided in the embodiment of the present application, the apparatus further includes: the third acquisition unit is used for acquiring a historical login data packet of each firewall device and determining login scripts corresponding to the firewall devices according to data in the historical login data packet; a fourth obtaining unit, configured to obtain device login information of each firewall device, configure the device login information to a login script, and obtain an updated login script, where the device login information at least includes one of the following: login account information and login password information; and the login unit is used for logging in the plurality of firewall equipment according to the updated login script.
Optionally, in the configuration apparatus of the firewall security policy provided in the embodiment of the present application, the first obtaining unit 21 includes: the system comprises a calling module, a receiving module and a processing module, wherein the calling module is used for calling a plurality of application programs to be protected of firewall equipment and detecting whether an adjusting instruction of the application program is received or not, and the adjusting instruction of the application program is used for indicating that the application program is added or deleted; and the adjusting module is used for adjusting the application programs to be protected of the plurality of firewall devices according to the content of the adjusting instruction under the condition of receiving the adjusting instruction to obtain the updated application programs to be protected.
The configuration device of the firewall security policy includes a processor and a memory, where the first obtaining unit 21, the grouping unit 22, the first issuing unit 23, the second issuing unit 24, and the like are all stored in the memory as program units, and the processor executes the program units stored in the memory to implement corresponding functions.
The processor includes a kernel, and the kernel fetches the corresponding program unit from the memory. One or more kernels may be provided, and adjusting the kernel parameters addresses the problem in the related art that an application security firewall cannot be managed, operated and maintained conveniently and efficiently.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip.
The embodiment of the invention provides a computer readable storage medium, wherein a program is stored on the computer readable storage medium, and the program realizes the configuration method of the firewall security policy when being executed by a processor.
The embodiment of the invention provides a processor, which is used for running a program, wherein the configuration method of the firewall security policy is executed when the program runs.
As shown in fig. 3, an embodiment of the present invention provides an electronic device, where the electronic device 10 includes a processor, a memory, and a program stored in the memory and executable on the processor, and the processor executes the program to implement the following steps: acquiring equipment information of a plurality of firewall equipment, and determining application programs to be protected of the plurality of firewall equipment; grouping the firewall devices according to the application programs to obtain a group of firewall devices corresponding to each application program, wherein each group of firewall devices is used for protecting the corresponding application program; the method comprises the steps of obtaining a protection rule feature library, and sending the protection rule feature library to each firewall device, wherein the protection rule feature library comprises a plurality of protection rules; and acquiring a security configuration policy corresponding to each application program, and issuing the security configuration policy to a group of firewall equipment corresponding to the application program, wherein the security configuration policy is an enabling policy of the protection rules in the protection rule feature library. The device herein may be a server, a PC, a PAD, a mobile phone, etc.
The present application further provides a computer program product adapted to perform a program for initializing the following method steps when executed on a data processing device: acquiring equipment information of a plurality of firewall equipment, and determining application programs to be protected of the plurality of firewall equipment; grouping the firewall devices according to the application programs to obtain a group of firewall devices corresponding to each application program, wherein each group of firewall devices is used for protecting the corresponding application program; the method comprises the steps of obtaining a protection rule feature library and sending the protection rule feature library to each firewall device, wherein the protection rule feature library comprises a plurality of protection rules; and acquiring a security configuration policy corresponding to each application program, and issuing the security configuration policy to a group of firewall equipment corresponding to the application program, wherein the security configuration policy is an enabling policy of the protection rules in the protection rule feature library.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus that comprises the element.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A method for configuring a firewall security policy is characterized by comprising the following steps:
acquiring equipment information of a plurality of firewall equipment, and determining application programs to be protected of the firewall equipment;
grouping the firewall devices according to the application programs to obtain a group of firewall devices corresponding to each application program, wherein each group of firewall devices is used for protecting the corresponding application program;
acquiring a protection rule feature library, and issuing the protection rule feature library to each firewall device, wherein the protection rule feature library comprises a plurality of protection rules;
and acquiring a security configuration policy corresponding to each application program, and sending the security configuration policy to a group of firewall equipment corresponding to the application program, wherein the security configuration policy is an enabling policy of a protection rule in the protection rule feature library.
2. The method of claim 1, wherein after obtaining the security configuration policy corresponding to each of the applications and sending the security configuration policy to a set of the firewall devices corresponding to the applications, the method further comprises:
collecting a security configuration policy of each firewall device, and comparing the security configuration policy of the firewall device with a preset security configuration policy to obtain a comparison result, wherein the preset security configuration policy is a security configuration policy corresponding to an application program protected by the firewall device;
and under the condition that the comparison result indicates that the security configuration policy of the firewall equipment is inconsistent with the preset security configuration policy, adjusting the security configuration policy of the firewall equipment according to the preset security configuration policy.
3. The method of claim 1, wherein obtaining a protection rule feature library and issuing the protection rule feature library to each firewall device comprises:
acquiring the protection rule feature library, and determining version information of the protection rule feature library to obtain first version information;
judging whether the firewall equipment is configured with a protection rule feature library or not at present, and determining the version information of the configured protection rule feature library under the condition of the configured protection rule feature library to obtain second version information;
judging whether the second version information is the same as the first version information;
and under the condition that the second version information is different from the first version information, updating a protection rule feature library configured by the firewall equipment according to the acquired protection rule feature library.
4. The method of claim 1, wherein obtaining the security configuration policy corresponding to each application and sending the security configuration policy to a group of the firewall devices corresponding to the application comprises:
judging whether the firewall equipment is configured with a security configuration policy currently;
under the condition that the firewall equipment is configured with a security configuration policy at present, judging whether the application programs to be protected of the plurality of firewall equipment are changed or not;
and under the condition that the application programs to be protected of the plurality of firewall devices are changed, acquiring the security configuration policy corresponding to each application program, and updating the configured security configuration policy in the firewall devices according to the acquired security configuration policy.
5. The method according to claim 1, wherein after determining whether the application to be protected by the plurality of firewall devices is changed when the firewall device is configured with the security configuration policy currently, the method further comprises:
under the condition that the application programs to be protected of the firewall equipment are not changed, acquiring a security configuration policy corresponding to each application program, and judging whether the acquired security configuration policy is changed or not;
and under the condition that the obtained security configuration strategy changes, updating the security configuration strategy configured by the firewall equipment according to the obtained security configuration strategy.
6. The method of claim 1, wherein prior to obtaining device information for a plurality of firewall devices, the method further comprises:
obtaining a historical login data packet of each firewall device, and determining login scripts corresponding to the firewall devices according to data in the historical login data packet;
obtaining device login information of each firewall device, configuring the device login information to the login script, and obtaining an updated login script, wherein the device login information at least comprises one of the following information: login account information and login password information;
and logging in the plurality of firewall devices according to the updated login script.
7. The method of claim 1, wherein determining the applications to be protected by the plurality of firewall devices comprises:
calling application programs to be protected of the firewall equipment, and detecting whether an adjusting instruction of the application programs is received or not, wherein the adjusting instruction of the application programs is used for indicating that the application programs are added or deleted;
and under the condition of receiving the adjusting instruction, adjusting the application programs to be protected of the plurality of firewall equipment according to the content of the adjusting instruction to obtain the updated application programs to be protected.
8. An apparatus for configuring a firewall security policy, comprising:
the firewall device protection method comprises a first obtaining unit, a second obtaining unit and a third obtaining unit, wherein the first obtaining unit is used for obtaining device information of a plurality of firewall devices and determining application programs to be protected of the firewall devices;
the grouping unit is used for grouping the firewall devices according to the application programs to obtain a group of firewall devices corresponding to each application program, wherein each group of firewall devices is used for protecting the corresponding application program;
the first issuing unit is used for acquiring a protection rule feature library and issuing the protection rule feature library to each firewall device, wherein the protection rule feature library comprises a plurality of protection rules;
and the second issuing unit is used for acquiring a security configuration policy corresponding to each application program and issuing the security configuration policy to a group of firewall equipment corresponding to the application program, wherein the security configuration policy is an enabling policy of a protection rule in the protection rule feature library.
9. A non-volatile storage medium, wherein the non-volatile storage medium is configured to store a program, and when the program runs, the program controls a device in which the non-volatile storage medium is located to perform the configuration method of the firewall security policy according to any one of claims 1 to 7.
10. An electronic device comprising one or more processors and memory storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of configuring firewall security policies of any of claims 1-7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210764415.0A CN115150161B (en) 2022-06-30 2022-06-30 Firewall security policy configuration method and device, storage medium and electronic device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210764415.0A CN115150161B (en) 2022-06-30 2022-06-30 Firewall security policy configuration method and device, storage medium and electronic device

Publications (2)

Publication Number Publication Date
CN115150161A true CN115150161A (en) 2022-10-04
CN115150161B CN115150161B (en) 2024-03-08

Family

ID=83410935

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210764415.0A Active CN115150161B (en) 2022-06-30 2022-06-30 Firewall security policy configuration method and device, storage medium and electronic device

Country Status (1)

Country Link
CN (1) CN115150161B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080115190A1 (en) * 2006-11-13 2008-05-15 Jeffrey Aaron Methods, network services, and computer program products for dynamically assigning users to firewall policy groups
CN109120577A (en) * 2017-06-23 2019-01-01 华为技术有限公司 A firewall deployment method and device
CN109510803A (en) * 2017-09-15 2019-03-22 中国联合网络通信集团有限公司 A method and apparatus for adjusting a firewall protection policy
US20210144123A1 (en) * 2016-03-17 2021-05-13 Wells Fargo N.A. Serialization of firewall rules with user, device, and application correlation
CN114285657A (en) * 2021-12-28 2022-04-05 中国工商银行股份有限公司 Firewall security policy change verification method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
曾亮英 (Zeng Liangying): "A Brief Analysis of the Application of Firewall Technology in Network Security", 网络安全技术与应用 (Network Security Technology & Application), no. 06, 15 June 2017 (2017-06-15) *

Also Published As

Publication number Publication date
CN115150161B (en) 2024-03-08

Similar Documents

Publication Publication Date Title
CN111835794B (en) Firewall policy control method and device, electronic equipment and storage medium
CN106997314B (en) Exception handling method, device and system for distributed system
US11366908B2 (en) Detecting unknown software vulnerabilities and system compromises
US10489145B2 (en) Secure update of firmware and software
CN106034054B (en) Redundant access controls list acl rule file test method and device
CN110245031B (en) AI service opening middle platform and method
CN104239156A (en) External service call method and system
US9946879B1 (en) Establishing risk profiles for software packages
CN113039542A (en) Secure counting in cloud computing networks
US11303678B2 (en) Determination and autocorrection of modified security policies
US11251976B2 (en) Data security processing method and terminal thereof, and server
CN111245897A (en) Data processing method, device, system, storage medium and processor
CN104767876A (en) Safety software processing method and user terminal
CN115150161A (en) Firewall security policy configuration method and device, storage medium and electronic device
CN110941825A (en) Application monitoring method and device
US9965618B1 (en) Reducing privileges for imported software packages
CN106357704A (en) Method and device for invoking service on basis of development environments
CN111491021B (en) License data processing method and device for distributed cluster
US10637877B1 (en) Network computer security system
KR101428769B1 (en) Black box apparatus and method for supporting reconfiguration of smart grid system
CN110677483B (en) Information processing system and trusted security management system
CN114021115A (en) Malicious application detection method and device, storage medium and processor
CN114064780A (en) Session information processing method, system, device, storage medium and electronic equipment
CN106909401B (en) Application program control method and device
CN114691395A (en) Fault processing method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant