CN115150169A - Method, device, system and medium for strategy convergence - Google Patents


Info

Publication number
CN115150169A
CN115150169A
Authority
CN
China
Prior art keywords
policy
target
convergence
address
converged
Prior art date
Legal status
Granted
Application number
CN202210772312.9A
Other languages
Chinese (zh)
Other versions
CN115150169B (en)
Inventor
王亚森
汪洋
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202210772312.9A
Publication of CN115150169A
Application granted
Publication of CN115150169B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0263 Rule management

Abstract

The embodiments of the application provide a method, device, system and medium for policy convergence. The method comprises: acquiring a plurality of policies to be converged, where each policy to be converged filters, by address, access requests that have no access right; extracting at least one address segment included in the plurality of policies to be converged, where each address segment comprises a start address and an end address; and obtaining a target convergence policy according to the address information of the target access traffic and the at least one address segment, so that the target security device controls access permissions for traffic according to the target convergence policy, where the target access traffic is historical access traffic within a preset time window. Some embodiments of the application can thereby discard data that need not take part in convergence (for example, single-address policies), improving the efficiency of policy convergence.

Description

Method, device, system and medium for policy convergence
Technical Field
The embodiments of the application relate to the field of network security, and in particular to a method, device, system and medium for policy convergence.
Background
A firewall limits access rights by configuring access policy rules. If the firewall rules are configured too broadly, the firewall may wrongly pass traffic, the protective effect is lost and a serious security risk results. If too many firewall rules are configured, the firewall works inefficiently, services are affected, and the device may even go down when network traffic is heavy, causing serious security incidents.
To address this problem, in the related art the five-tuple information of all traffic passing through the firewall is matched against the configured rules to implement policy convergence; however, because the traffic captured during service peaks is very large, convergence efficiency is reduced.
How to improve the efficiency of policy convergence is therefore a problem to be solved.
Disclosure of Invention
Embodiments of the present application provide a method, an apparatus, a system and a medium for policy convergence which can at least remove, from the policies to be converged, addresses that do not need to be converged, thereby improving the efficiency of policy convergence.
In a first aspect, the present application provides a policy convergence method, which includes: acquiring a plurality of policies to be converged, where each of the policies to be converged filters, by address, access requests that have no access right; extracting at least one address segment included in the plurality of policies to be converged, where each address segment comprises a start address and an end address; and obtaining a target convergence policy according to the address information of the target access traffic and the at least one address segment, so that the target security device controls access permissions for traffic according to the target convergence policy, where the target access traffic is historical access traffic within a preset time window.
Therefore, by extracting at least one address segment, the embodiments of the present application can filter out addresses that do not need to be converged (for example, single addresses), reducing the amount of data involved in policy convergence and thereby improving its efficiency.
With reference to the first aspect, in an embodiment of the present application, extracting the at least one address segment included in the plurality of policies to be converged includes: representing the addresses included in the plurality of policies to be converged with address identifiers to obtain a plurality of target identifiers, where one address corresponds to one target identifier; and extracting the at least one address segment from the plurality of policies to be converged based on the plurality of target identifiers.
Therefore, by characterizing the addresses included in the plurality of policies to be converged with address identifiers, the embodiments of the present application can remove a single address that is written in segment form (for example, the segment 1.1.1.1-1.1.1.1, which is the single address 1.1.1.1), thereby ensuring that the at least one address segment is extracted accurately.
With reference to the first aspect, in an implementation of the present application, after obtaining the target convergence policy according to the address information of the target access traffic and the at least one address segment, the method further includes: acquiring the number of times the target access traffic accessed the target security device; and ranking the target convergence policy based on that number to obtain an updated convergence policy, so that the target security device controls access permissions for traffic according to the updated convergence policy.
Therefore, by ranking the target convergence policy, the number of policy-table lookups needed while filtering access requests without access right can be reduced, saving firewall resources and improving the operating efficiency of the firewall.
With reference to the first aspect, in an implementation of the present application, the updated convergence policy includes a first updated convergence policy and a second updated convergence policy, which are any two of the updated convergence policies; after ranking the target convergence policy based on the number of times to obtain the updated convergence policy, the method further includes: if the first updated convergence policy and the second updated convergence policy have the same destination address or the same source address, combining them into one policy.
Therefore, on the premise that security is preserved, the embodiments of the application reduce the number of policies as far as possible by combining policies with the same destination address or the same source address into one policy, further reducing the processing load on the firewall.
With reference to the first aspect, in an implementation of the present application, the plurality of policies to be converged are stored on a policy configuration device, where the policy configuration device is a switch connected to the target security device and configured to distribute the target access traffic to the target security device; acquiring the plurality of policies to be converged includes: acquiring a plurality of original policies to be converged deployed on the switch; and screening the plurality of original policies to be converged based on the policies corresponding to the target security device to obtain the plurality of policies to be converged.
Therefore, by screening out the policies related to the target security device, the embodiments of the application obtain exactly the traffic relevant to the services of the target security device, thereby reducing the number of traffic-matching operations.
With reference to the first aspect, in an implementation of the present application, obtaining the target convergence policy according to the address information of the target access traffic and the at least one address segment includes: matching the address information of the target access traffic against the at least one address segment one by one to obtain target address information, where the target address information lies within the address range bounded by the at least one address segment; and generating the target convergence policy based on the target address information.
Therefore, the operating efficiency of the target security device can be improved by generating the target convergence policy.
In a second aspect, the present application provides an apparatus for policy convergence, comprising: a policy acquisition module configured to acquire a plurality of policies to be converged, where each policy to be converged filters, by address, access requests that have no access right; a segment extraction module configured to extract at least one address segment included in the plurality of policies to be converged, where each address segment comprises a start address and an end address; and a policy convergence module configured to obtain a target convergence policy according to the address information of the target access traffic and the at least one address segment, so that the target security device controls access permissions for traffic according to the target convergence policy, where the target access traffic is historical access traffic within a preset time window.
With reference to the second aspect, in an embodiment of the present application, the segment extraction module is further configured to: represent the address information included in the plurality of policies to be converged with address identifiers to obtain a plurality of target identifiers, where one address corresponds to one target identifier; and extract the at least one address segment from the plurality of policies to be converged based on the plurality of target identifiers.
With reference to the second aspect, in an embodiment of the present application, the policy convergence module is further configured to: acquire the number of times the target access traffic accessed the target security device; and rank the target convergence policy based on that number to obtain an updated convergence policy, so that the target security device controls access permissions for traffic according to the updated convergence policy.
With reference to the second aspect, in an embodiment of the present application, the updated convergence policy includes a first updated convergence policy and a second updated convergence policy, which are any two of the updated convergence policies; the policy convergence module is further configured to: if the first updated convergence policy and the second updated convergence policy have the same destination address or the same source address, combine them into one policy.
With reference to the second aspect, in an implementation of the present application, the plurality of policies to be converged are stored on a policy configuration device, where the policy configuration device is a switch connected to the target security device and configured to distribute the target access traffic to the target security device; the policy acquisition module is configured to: acquire a plurality of original policies to be converged deployed on the switch; and screen the plurality of original policies to be converged based on the policies corresponding to the target security device to obtain the plurality of policies to be converged.
With reference to the second aspect, in an embodiment of the present application, the policy convergence module is further configured to: match the address information of the target access traffic against the at least one address segment one by one to obtain target address information, where the target address information lies within the address range bounded by the at least one address segment; and generate the target convergence policy based on the target address information.
In a third aspect, the present application provides a policy convergence system, comprising: a policy convergence device configured to obtain a plurality of policies to be converged and to execute the method of any embodiment of the first aspect on them to obtain a target convergence policy; and a target security device configured to filter access requests without access right using the target convergence policy.
In a fourth aspect, the present application provides an electronic device comprising a processor, a memory and a bus; the processor is connected to the memory via the bus, and the memory stores computer-readable instructions which, when executed by the processor, implement the method of any embodiment of the first aspect.
In a fifth aspect, the present application provides a computer-readable storage medium storing a computer program which, when executed, implements the method of any embodiment of the first aspect.
Drawings
Fig. 1 is a schematic diagram of a policy convergence system according to an embodiment of the present application;
Fig. 2 is a first flowchart of a policy convergence method according to an embodiment of the present application;
Fig. 3 is a second flowchart of a policy convergence method according to an embodiment of the present application;
Fig. 4 is a third flowchart of a policy convergence method according to an embodiment of the present application;
Fig. 5 is a flowchart of a policy convergence method according to an embodiment of the present application;
Fig. 6 is a schematic diagram of an apparatus for policy convergence according to an embodiment of the present application;
Fig. 7 is a schematic diagram of the composition of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, as presented in the figures, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present application without making any creative effort, shall fall within the protection scope of the present application.
The embodiments of the application can be applied in scenarios in which a plurality of policies to be converged are converged into a target convergence policy, and a firewall uses the target convergence policy to filter access requests that have no access right. In some embodiments of the present application, the target convergence policy is obtained by converging at least one address segment included in the plurality of policies to be converged. For example, in some embodiments a plurality of policies to be converged are obtained first, then at least one address segment included in them is extracted, and finally the at least one address segment is converged to obtain the target convergence policy; addresses that do not need to be converged are thereby removed from the policies to be converged, and the efficiency of policy convergence is improved.
Fig. 1 is a block diagram of a policy convergence system in some embodiments of the present application, including a policy convergence device 110 and a target security device 120. Specifically, the policy convergence device 110 obtains a plurality of policies to be converged, converges them into a target convergence policy, and sends the target convergence policy to the target security device (for example, a firewall). On receiving the target convergence policy, the target security device 120 deploys it and uses it to filter access requests that have no access right.
With the development of network technology, information network applications have become widespread, deep and varied, for example in schools, banks and enterprises. Data transmitted over public communication networks cannot be considered secure without firewall protection. At the same time, the firewall must run stably so that its access policy effectively protects services; optimizing and converging the access policy is therefore a critical task.
Unlike the embodiments of the application, in the related art the five-tuple information of all traffic passing through the firewall is matched against the configured rules to implement policy convergence, but because the traffic captured during service peaks is very large, convergence efficiency is reduced. In the embodiments of the present application, only the policies that need to be converged (for example, the at least one address segment included in the plurality of policies to be converged) are extracted and then converged to obtain the target convergence policy, so the efficiency of policy convergence can be improved.
The policy convergence scheme provided by some embodiments of the present application is described below taking a stand-alone device (for example, a policy convergence device) as an example. It is understood that the scheme of the embodiments can also be implemented on the firewall itself.
To solve at least the above problem, as shown in fig. 2, some embodiments of the present application provide a policy convergence method including:
S210, acquiring a plurality of policies to be converged.
It should be noted that the plurality of policies to be converged are stored on a policy configuration device. If the policy configuration device is a firewall, step S220 is executed directly; if it is a switch, the acquired policies (that is, the plurality of original policies to be converged) include policies unrelated to the firewall, and the original policies must first be screened.
The target security device is any network security device capable of filtering access requests. In a specific embodiment of the present application, the network security device is a firewall.
In an embodiment of the present application, the policy configuration device is a switch connected to the target security device and configured to distribute the target access traffic to it. S210 then includes: acquiring a plurality of original policies to be converged deployed on the switch, and screening them based on the policies corresponding to the target security device to obtain the plurality of policies to be converged.
That is, the plurality of original policies to be converged are read from the switch, the policies on the target security device are acquired, and the original policies that coincide with the policies of the target security device are selected, yielding the plurality of policies to be converged. In the above embodiment the policies of the target security device may be pre-stored on the policy convergence device.
For example, suppose the plurality of original policies to be converged allow packets with destination addresses in 1.1.1.1-2.2.2.2, 3.3.3.3-5.5.5.5 and 4.4.4.4-6.6.6.6 to pass, and the policies of the target security device allow packets with destination addresses in 1.1.1.1-2.2.2.2 and 3.3.3.3-5.5.5.5 to pass. Screening the original policies then yields the two policies that allow destination addresses 1.1.1.1-2.2.2.2 and 3.3.3.3-5.5.5.5 to pass; the policy for 4.4.4.4-6.6.6.6 is discarded because it does not correspond to any policy of the target security device.
In an embodiment of the present application, whether the plurality of policies to be converged are obtained from a firewall or the plurality of original policies to be converged are obtained from a switch, the acquired policies are parsed into JSON, a general lightweight text data exchange format.
In an embodiment of the present application, the address information of the target access traffic must also be acquired. The target access traffic is the network traffic or packets that pass through or access the policy configuration device and are destined for the intranet devices it protects. After the target access traffic is obtained, it is parsed according to its five-tuple into source address, destination address, source port, destination port and protocol, and the parsed five-tuple is assembled into JSON, for example {"src": "1.1.1.1"}.
In the embodiments of the present application, each of the plurality of policies to be converged filters, by address, access requests that have no access right; that is, the plurality of policies to be converged specify the addresses permitted to access the intranet corresponding to the target security device.
S220, extracting at least one address segment included in the plurality of policies to be converged.
The policy convergence method of the present application converges the broader policies among the plurality of policies to be converged, that is, the policies expressed as address segments. A policy to be converged that corresponds to a single address (for example 1.1.1.1) is already precise and fine-grained, so it does not need convergence; converging it together with a policy corresponding to an address segment (for example 1.1.1.1-2.2.2.2) would only lower the efficiency of policy convergence. Therefore, in the embodiments of the present application, at least one address segment is extracted first and then converged.
That is, in the policy table storing the plurality of policies to be converged, the policies corresponding to single addresses are filtered out, leaving at least one address segment. The at least one address segment that survives filtering and the single-address policies are then stored separately.
Specifically, the steps for obtaining the target policies to be converged are as follows:
S2201: representing the addresses included in the plurality of policies to be converged with address identifiers to obtain a plurality of target identifiers.
Specifically, administrators may write a single address in different forms, for example 1.1.1.1/32 or 1.1.1.1-1.1.1.1, and a policy may also reference the same address several times, so it is impossible to decide from the text alone whether a policy references a single address. To ensure that the at least one address segment is extracted accurately, the source or destination address is therefore converted into interval form for the decision, that is, each IP address is represented by an address identifier.
In a specific embodiment of the present application, each IP address is converted into a unique number; for example, 1.1.1.1 is converted into a number X, and the corresponding interval is (X, X).
It will be appreciated that a single-address policy simply does not take part in policy convergence, but still has to be retained on the target security device.
S2202: extracting at least one address segment from the plurality of policies to be converged based on the plurality of target identifiers.
Specifically, when a policy yields multiple intervals, the intervals are merged to obtain a single interval; if they cannot be merged into one, the policy references a non-single address (that is, an address segment). When a single interval results, it is only necessary to check whether its left and right boundaries are equal; if they are, the policy is filtered out and takes no part in convergence.
In a specific embodiment of the present application, each policy to be converged is checked to determine whether it references a single address; specifically, the plurality of addresses referenced by one policy are merged into an interval. For example, if the referenced addresses are 1.1.1.1 and 2.2.2.2, the left and right boundaries of the resulting interval are not equal; if both are 1.1.1.1, the boundaries are necessarily equal and the policy for the single address 1.1.1.1 is filtered out.
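The address-identifier check of S2201 and S2202, as an added example that is not part of the patent or of any Topsec product: every address expression a policy references is mapped to an integer interval, the intervals of one policy are merged, and the policy is set aside as a single-address policy only when exactly one interval remains whose two boundaries are equal. The policy layout (a dict carrying a list of destination-address expressions), the accepted spellings (dotted quad, CIDR prefix and start-end range) and the sample policies are assumptions made for illustration; the patent does not fix them.

```python
"""Added example, not the patent's own code: the single-address test of S2201/S2202.

Assumed inputs: each policy is a dict with an "id" and a "dst" list of address
expressions written as 'a.b.c.d', 'a.b.c.d/len' or 'a.b.c.d-e.f.g.h'.
"""
import ipaddress
from typing import Iterable, List, Tuple

Interval = Tuple[int, int]  # (left boundary, right boundary) as integer identifiers


def to_interval(expr: str) -> Interval:
    """Map one address expression to an integer interval (the 'address identifier').

    A single host becomes (X, X); 1.1.1.1/32 and 1.1.1.1-1.1.1.1 map to the
    same (X, X), which is what makes the later equality test reliable.
    """
    expr = expr.strip()
    if "-" in expr:
        lo_s, hi_s = expr.split("-", 1)
        lo = int(ipaddress.ip_address(lo_s.strip()))
        hi = int(ipaddress.ip_address(hi_s.strip()))
        if lo > hi:
            raise ValueError(f"inverted range: {expr}")
        return lo, hi
    if "/" in expr:
        net = ipaddress.ip_network(expr, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    x = int(ipaddress.ip_address(expr))
    return x, x


def merge_intervals(intervals: Iterable[Interval]) -> List[Interval]:
    """Merge overlapping or adjacent intervals into the fewest disjoint intervals."""
    merged: List[Interval] = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def is_single_address(exprs: Iterable[str]) -> bool:
    """S2202: a policy references a single address only if its expressions merge
    into exactly one interval whose left and right boundaries are equal."""
    merged = merge_intervals(to_interval(e) for e in exprs)
    return len(merged) == 1 and merged[0][0] == merged[0][1]


def split_policies(policies):
    """Return (segment_policies, single_address_policies).

    Segment policies go on to convergence; single-address policies are kept
    aside so they can still be deployed unchanged on the firewall.
    """
    segments, singles = [], []
    for policy in policies:
        (singles if is_single_address(policy["dst"]) else segments).append(policy)
    return segments, singles


# Constructed sample policies (not taken from the patent).
SAMPLE_POLICIES = [
    {"id": 1, "dst": ["1.1.1.1/32"]},                  # single address, CIDR spelling
    {"id": 2, "dst": ["1.1.1.1-1.1.1.1", "1.1.1.1"]},   # same host referenced twice
    {"id": 3, "dst": ["1.1.1.1-2.2.2.2"]},              # a real address segment
    {"id": 4, "dst": ["1.1.1.1", "2.2.2.2"]},           # two hosts: cannot merge, so not single
    {"id": 5, "dst": ["10.0.0.0/30", "10.0.0.4"]},      # adjacent: merges into 10.0.0.0-10.0.0.4
]

if __name__ == "__main__":
    segs, singles = split_policies(SAMPLE_POLICIES)
    print("to converge:", [p["id"] for p in segs])    # [3, 4, 5]
    print("kept as-is:", [p["id"] for p in singles])  # [1, 2]
```

Merging adjacent intervals (10.0.0.0/30 followed by 10.0.0.4) is a deliberate choice in this example: the patent only says that multiple intervals are "combined", and treating contiguous ranges as one segment is the reading that makes the equality test meaningful for a policy that spells a range as several pieces.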
In one embodiment of the present application, the source addresses and destination addresses included in the at least one address segment are first extracted, and the source addresses and the destination addresses are placed in two sets.
Then the source and destination addresses of the target access traffic of the target security device are obtained, giving the address set of the target security device, and the source-address set and destination-address set are compared against it: an address of the target security device that appears in the source-address or destination-address set is retained, while one that appears in neither is not an address used to access the target security device and is filtered out. Each time filtering is completed the flow is recorded; a repeated flow is not stored again but its number of occurrences is counted. Filtering in this way yields more accurate service traffic and greatly reduces the number of traffic-matching operations.
The core idea of the above embodiment is to obtain only the traffic associated with the firewall policy; that is, both the at least one address segment and the filtered target access traffic are associated with the firewall.
It should be noted that while obtaining the address set of the target security device, the addresses may likewise be represented by the address identifier method.
As shown in fig. 3, the implementation of the above embodiment comprises:
S301, obtaining a plurality of policies to be converged that filter access requests without access right.
S302, filtering out the policies that reference a single address.
That is, among the plurality of policies to be converged, the policies associated with a single address are filtered out.
S303, extracting a traffic filtering interval.
That is, the addresses related to the services handled by the firewall are first obtained and then combined into a traffic filtering interval; traffic outside the traffic filtering interval is not related to the firewall.
S304, filtering the acquired target access traffic through the filtering interval.
That is, because the target access traffic may have been obtained from the switch, it needs to be filtered: the traffic in the target access traffic that lies outside the filtering interval is discarded, and the filtered target access traffic is obtained.
S230, obtain the target convergence policy according to the address information of the filtered target access traffic and the at least one address segment.
In one embodiment of the present application, S230 comprises: matching the address information of the target access traffic against the at least one address segment one by one to obtain target address information, wherein the target address information lies within the address range bounded by the at least one address segment, and generating the target convergence policy based on the target address information.
That is, the address information of the target access traffic filtered in the above embodiment is matched against the at least one address segment one by one, the addresses that hit a segment are retained as the target address information, and the target address information is then used as the addresses in the target convergence policy, thereby generating the target convergence policy.
For example, the address information of the filtered target access traffic comprises the target addresses 1.1.1.1, 2.2.2.2 and 3.3.3.3, and the at least one address segment is 1.1.1.1-2.2.2.2. Matching the three addresses against the segment one by one, the target addresses 1.1.1.1 and 2.2.2.2 hit the segment while 3.3.3.3 does not, so the target address information is 1.1.1.1 and 2.2.2.2, and the resulting target convergence policy allows access traffic whose target address is 1.1.1.1 or 2.2.2.2 to pass.
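One way to implement steps S302 to S304 and S230 above, as an added example and not code from the patent or its assignee. It assumes that each policy to be converged carries its destination range as a "start-end" string (a bare address being a single-address policy), that flows collected from the switch are five-tuple records, and that the filtering interval is built from every address the firewall's policies reference. The sample policies and flows are constructed; they reproduce the 1.1.1.1-2.2.2.2 case from the text. The point worth noticing is that the converged policy lists only the addresses actually observed, so it is always narrower than the segment it came from and never widens it.

```python
import ipaddress
from collections import namedtuple

Segment = namedtuple("Segment", "start end")   # inclusive bounds, as integers

# Constructed sample input (not taken from the patent): the firewall's policies
# to be converged and the historical flows collected from the switch.
SAMPLE_POLICIES = [
    {"name": "allow-range", "dst": "1.1.1.1-2.2.2.2", "action": "allow"},
    {"name": "allow-host",  "dst": "1.1.1.1",         "action": "allow"},
]
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "1.1.1.1", "dport": 443, "proto": "tcp"},
    {"src": "10.0.0.6", "dst": "2.2.2.2", "dport": 22,  "proto": "tcp"},
    {"src": "10.0.0.7", "dst": "3.3.3.3", "dport": 80,  "proto": "tcp"},
    {"src": "10.0.0.5", "dst": "1.1.1.1", "dport": 443, "proto": "tcp"},
]

def parse_segment(text):
    """'1.1.1.1-2.2.2.2' or '1.1.1.1' -> Segment of integer addresses."""
    lo, _, hi = text.partition("-")
    start = int(ipaddress.ip_address(lo.strip()))
    end = int(ipaddress.ip_address(hi.strip())) if hi else start
    if end < start:
        raise ValueError("end address precedes start address: " + text)
    return Segment(start, end)

def split_single_address(policies):
    """S302: set aside policies that reference a single address (start == end);
    only the range policies take part in convergence. The single-address
    policies are kept for the later redundancy check."""
    single, ranged = [], []
    for p in policies:
        seg = parse_segment(p["dst"])
        (single if seg.start == seg.end else ranged).append(p)
    return single, ranged

def extract_segments(policies):
    """Extract the at least one address segment from the range policies."""
    return [parse_segment(p["dst"]) for p in policies]

def filter_interval(policies):
    """S303: combine every address the firewall's policies reference, single or
    ranged, into a sorted list of disjoint segments (the filtering interval)."""
    merged = []
    for s in sorted(parse_segment(p["dst"]) for p in policies):
        if merged and s.start <= merged[-1].end + 1:        # overlap or adjacent
            merged[-1] = Segment(merged[-1].start, max(merged[-1].end, s.end))
        else:
            merged.append(s)
    return merged

def in_segments(addr, segments):
    n = int(ipaddress.ip_address(addr))
    return any(s.start <= n <= s.end for s in segments)

def filter_traffic(flows, interval):
    """S304: the switch also carries traffic the firewall never handles; drop
    flows whose destination lies outside the filtering interval."""
    return [f for f in flows if in_segments(f["dst"], interval)]

def converge(flows, segments):
    """S230: match each destination against the segments one by one and keep
    the hits; the hit addresses become the target convergence policy. The
    result is deliberately narrower than the segments: it allows only the
    addresses actually observed, never the whole range."""
    hits = {f["dst"] for f in flows if in_segments(f["dst"], segments)}
    ordered = sorted(hits, key=lambda a: int(ipaddress.ip_address(a)))
    assert all(in_segments(a, segments) for a in ordered)   # never widen
    return {"action": "allow", "dst": ordered}

def run(policies=SAMPLE_POLICIES, flows=SAMPLE_FLOWS):
    """S302 -> S303 -> S304 -> S230 on one policy set and one flow set."""
    single, ranged = split_single_address(policies)
    kept = filter_traffic(flows, filter_interval(policies))
    return converge(kept, extract_segments(ranged))

if __name__ == "__main__":
    print(run())   # {'action': 'allow', 'dst': ['1.1.1.1', '2.2.2.2']}
```

With the constructed input the single-address policy is set aside, the filtering interval collapses to the one segment 1.1.1.1-2.2.2.2, the flow to 3.3.3.3 is dropped in S304, and the converged policy allows exactly 1.1.1.1 and 2.2.2.2. The matching here is on destination address only, as in the text; a deployment that converges on the full five-tuple would key the hits on all five fields instead.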
In one embodiment of the present application, after the target convergence policy is obtained in S230 it is further optimized, which includes redundancy processing: the single-address policies filtered out in S220 are retrieved, and if the target convergence policy contains a policy corresponding to such a single address, the duplicate policy is deleted.
In an embodiment of the present application, because the prior art does not adjust the deployment order of the policies, deploying them to the firewall directly can produce unreasonable results: for example, a policy that matches frequently occurring traffic may have a low priority or sit at the bottom of the firewall policy table, which seriously degrades firewall performance. Therefore, after the target convergence policy is obtained in S230 it is further optimized, which includes generating a deployment sequence to obtain an updated convergence policy.
That is, the number of times the target access traffic accessed the policy configuration device is obtained, the target convergence policies are ranked by that number, and the updated convergence policy is obtained, so that the target security device controls the permissions of access traffic according to the updated convergence policy.
Specifically, the target convergence policies are sorted in descending order of the occurrence frequency of the target access traffic they match. Traffic that occurs frequently hits its policy more often, so placing the frequently hit policies at the top reduces the number of policy-table lookups as far as possible and avoids wasting firewall resources.
In one embodiment of the present application, after the target convergence policy is obtained in S230 it is further optimized, which includes policy merging.
That is, the updated convergence policies include a first updated convergence policy and a second updated convergence policy, which are any two of the updated convergence policies. After S230, if the first and second updated convergence policies have the same destination address or the same source address, they are merged into one policy.
For example, if the first updated convergence policy allows packets with destination IP address 1.1.1.1 to access intranet device 1, and the second updated convergence policy allows packets with destination IP address 1.1.1.1 to access intranet device 2, the two are merged into a single policy allowing packets with destination IP address 1.1.1.1 to access intranet device 1 and intranet device 2.
For another example, if the first updated convergence policy allows packets with source IP address 2.2.2.2 to access intranet device 1, and the second updated convergence policy allows packets with source IP address 2.2.2.2 to access intranet device 2, the two are merged into a single policy allowing packets with source IP address 2.2.2.2 to access intranet device 1 and intranet device 2.
As another specific embodiment of the present application, the sorted access control policies are traversed in priority order and each policy is compared with the higher-priority policies; if exactly one field of the five-tuple (source address, destination address, source port, destination port, protocol) differs, the two are merged into one policy, and the merged policy takes the deployment position of the higher-priority policy. Through policy merging the number of policies is reduced as far as possible while service security is preserved, further reducing the load the firewall bears when processing services.
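The three optimizations described above (redundancy processing against the single-address policies set aside in S302, ranking by how often historical traffic hit each policy, and merging policies that differ in exactly one five-tuple field while keeping the higher-priority position), as an added example that is not the patent's own code. It assumes converged policies are five-tuple records with an action and that the single-address policies and historical flows are available; all sample data is constructed. It also goes one step beyond the text: the merge refuses to fold a policy in when the resulting field sets would cover a five-tuple that none of the absorbed policies permitted, because a chain of single-field merges otherwise yields a cross product that admits flows never observed, which is precisely the widening a convergence step must not introduce. `strict=False` shows the unguarded behaviour.

```python
from itertools import product

FIELDS = ("src", "dst", "dport", "proto")

# Constructed sample input (not from the patent): converged policies, the
# single-address policies already on the firewall, and historical flows.
SAMPLE_CONVERGED = [
    {"src": "2.2.2.2", "dst": "10.1.0.1", "dport": 443, "proto": "tcp", "action": "allow"},
    {"src": "2.2.2.2", "dst": "10.1.0.2", "dport": 443, "proto": "tcp", "action": "allow"},
    {"src": "5.5.5.5", "dst": "10.1.0.1", "dport": 443, "proto": "tcp", "action": "allow"},
    {"src": "1.1.1.1", "dst": "10.1.0.3", "dport": 22,  "proto": "tcp", "action": "allow"},
]
SAMPLE_SINGLE = [
    {"src": "1.1.1.1", "dst": "10.1.0.3", "dport": 22, "proto": "tcp", "action": "allow"},
]
SAMPLE_FLOWS = (
    [{"src": "5.5.5.5", "dst": "10.1.0.1", "dport": 443, "proto": "tcp"}] * 5
    + [{"src": "2.2.2.2", "dst": "10.1.0.1", "dport": 443, "proto": "tcp"}] * 3
    + [{"src": "2.2.2.2", "dst": "10.1.0.2", "dport": 443, "proto": "tcp"}] * 2
    + [{"src": "1.1.1.1", "dst": "10.1.0.3", "dport": 22,  "proto": "tcp"}]
)

def key(p):
    """The five-tuple of a policy or flow (protocol stands in for src port here)."""
    return tuple(p[k] for k in FIELDS)

def remove_redundant(converged, single):
    """Redundancy processing: drop converged entries that repeat a
    single-address policy the firewall already has."""
    existing = {key(p) for p in single}
    return [p for p in converged if key(p) not in existing]

def rank_by_hits(converged, flows):
    """Deployment order: count the historical flows each policy matches and
    sort most-hit first. sorted() is stable, so ties keep their order."""
    counted = [dict(p, hits=sum(key(p) == key(f) for f in flows)) for p in converged]
    return sorted(counted, key=lambda p: -p["hits"])

def merge_policies(ranked, strict=True):
    """Traverse in priority order; fold a policy into an earlier one when the
    action is the same and exactly one five-tuple field differs. The merged
    policy keeps the earlier (higher) position. With strict=True the merge is
    refused when the field sets would cover a tuple no absorbed policy had."""
    merged = []
    for p in ranked:
        for m in merged:
            if m["action"] != p["action"]:
                continue
            diff = [k for k in FIELDS if p[k] not in m[k]]   # m fields are sets
            if len(diff) != 1:
                continue
            trial = {k: set(m[k]) for k in FIELDS}
            trial[diff[0]].add(p[diff[0]])
            covered = m["tuples"] | {key(p)}
            if strict and set(product(*(trial[k] for k in FIELDS))) != covered:
                continue                      # would permit unobserved flows
            m.update(trial)
            m["tuples"] = covered
            m["hits"] += p["hits"]
            break
        else:
            merged.append({**{k: {p[k]} for k in FIELDS}, "action": p["action"],
                           "hits": p["hits"], "tuples": {key(p)}})
    return merged

def widened(m):
    """Five-tuples a merged policy permits that no absorbed policy permitted."""
    return set(product(*(m[k] for k in FIELDS))) - m["tuples"]

def optimize(converged=SAMPLE_CONVERGED, single=SAMPLE_SINGLE,
             flows=SAMPLE_FLOWS, strict=True):
    """Redundancy removal, then ranking, then merging, in the text's order."""
    return merge_policies(rank_by_hits(remove_redundant(converged, single), flows), strict)

if __name__ == "__main__":
    for m in optimize():
        print(sorted(m["src"]), sorted(m["dst"]), m["hits"], widened(m))
    print(widened(optimize(strict=False)[0]))   # {('5.5.5.5', '10.1.0.2', 443, 'tcp')}
```

On the constructed input the redundant 1.1.1.1 entry is dropped, the 5.5.5.5 policy moves to the top with five hits, and the 2.2.2.2 policy to 10.1.0.1 folds into it (they differ only in source). The strict merge then keeps the 2.2.2.2 to 10.1.0.2 policy separate, because folding it in would also admit 5.5.5.5 to 10.1.0.2, a flow nobody saw; the unguarded merge collapses everything into one policy and `widened` reports exactly that extra tuple. Reviewing `widened` on every merged entry before issuing the policy (S430) is the check a practitioner would want.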
The method for policy convergence provided by the embodiments of the present application has been described above; a specific embodiment of that method is described below.
The policy convergence method of the embodiments of the present application can be applied to a security policy management system, where it further optimizes the configuration of the firewall devices managed by that system and thereby improves the system's operation and maintenance capability. The specific implementation process is shown in fig. 4:
S410, select the device to be optimized in the security policy management system.
That is, because the optimization targets firewall policies, the device whose policies are to be converged must be selected in the security policy management system.
S420, perform policy convergence on the device.
As shown in fig. 5, the policies to be converged are first obtained from the switch 510 and the firewall 520; the switch 510 is the device that distributes traffic to the firewall 520. The following steps are then performed:
S501, data acquisition and parsing: the collected access traffic is parsed into five-tuples (source address, destination address, source port, destination port, protocol), and the policies to be converged are obtained.
S502, data filtering: the policies to be converged that correspond to a single address are filtered out, and access traffic unrelated to the target security device is discarded.
S503, convergence matching: the access traffic and the policies to be converged obtained in the preceding steps are matched one by one on the five-tuple, and the access traffic that hits is converted into the target convergence policy.
S504, policy optimization: the target convergence policy is subjected to redundancy processing, rearrangement of the policy deployment order and policy merging, yielding the converged policy.
S430, issue the converged policy.
That is, the converged policy is issued to the target security device (for example, a firewall), which deploys it and then intercepts or releases access traffic according to it.
S440, delete the redundant policies, either through the policy optimization function of the system or by issuing the corresponding deletion command line.
S450, collect optimization policy information for a selected time period by means of a scheduled task.
In this way, the method and apparatus obtain a set that supports traffic filtering by collecting the policies configured on the firewall, reorder and merge the converged policies, and thereby further optimize the actual service after convergence.
The beneficial effects of this application are as follows. First, convergence efficiency is high: the traffic data to be matched and the access control policy configuration data are classified and filtered, so invalid data are removed and the number of matching operations is reduced. Second, policy convergence can be optimized in two respects: policy priorities are arranged according to how well the traffic matches the actual service, and further policy merging reduces the number of policies issued. Together these further reduce the firewall's workload and resource waste, and so improve its operating efficiency.
The foregoing describes a specific embodiment of a method for policy convergence provided by the present application, and the following describes an apparatus for policy convergence provided by the present application.
As shown in fig. 6, the present application provides an apparatus 600 for policy convergence, comprising a policy acquisition module 610, a segment extraction module 620 and a policy convergence module 630.
The policy acquisition module 610 is configured to obtain a plurality of policies to be converged, where each policy to be converged is used to filter, by address, access requests that have no access right.
The segment extraction module 620 is configured to extract at least one address segment included in the plurality of policies to be converged, where each address segment comprises a start address and an end address.
The policy convergence module 630 is configured to obtain a target convergence policy according to the address information of the target access traffic and the at least one address segment, so that the target security device controls the permissions of access traffic according to the target convergence policy, where the target access traffic is historical access traffic within a preset time.
In one embodiment of the present application, the segment extraction module 620 is further configured to: represent the address information included in the policies to be converged by address identifiers to obtain a plurality of target identifiers, one address corresponding to one target identifier; and extract the at least one address segment from the plurality of policies to be converged based on the plurality of target identifiers.
In one embodiment of the present application, the policy convergence module 630 is further configured to: obtain the number of times the target access traffic accessed the policy configuration device; and rank the target convergence policies based on that number to obtain an updated convergence policy, so that the target security device controls the permissions of access traffic according to the updated convergence policy.
In an embodiment of the present application, the updated convergence policies include a first updated convergence policy and a second updated convergence policy, which are any two of the updated convergence policies; the policy convergence module 630 is further configured to merge the first and second updated convergence policies into one policy if they have the same destination address or the same source address.
In an embodiment of the present application, the plurality of policies to be converged are stored in a policy configuration device, the policy configuration device being a switch connected to the target security device and configured to distribute the target access traffic to it; the policy acquisition module 610 is configured to obtain a plurality of original policies to be converged deployed on the switch, and to screen them based on the policies corresponding to the target security device to obtain the plurality of policies to be converged.
In one embodiment of the present application, the policy convergence module 630 is further configured to: match the address information of the target access traffic against the at least one address segment one by one to obtain target address information, where the target address information lies within the address range bounded by the at least one address segment; and generate the target convergence policy based on the target address information.
In the embodiment of the present application, the module shown in fig. 6 can implement each process in the method embodiments of fig. 1 to 5. The operations and/or functions of the respective modules in fig. 6 are respectively for implementing the corresponding flows in the method embodiments in fig. 1 to 5. Reference may be made specifically to the description of the above method embodiments, and a detailed description is omitted here where appropriate to avoid repetition.
As shown in fig. 7, an embodiment of the present application provides an electronic device 700, including: a processor 710, a memory 720 and a bus 730, wherein the processor is connected to the memory through the bus, and the memory stores computer readable instructions, which when executed by the processor, are used for implementing the method according to any of the above embodiments, and specifically refer to the description of the above embodiments of the method, and the detailed description is omitted here to avoid redundancy.
The bus provides direct communication between the components. The processor in the embodiments of the present application may be an integrated circuit chip with signal processing capability. It may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like, or a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, and it can implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor or any conventional processor.
The memory may be, but is not limited to, a random access memory (RAM), a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM) and the like. The memory stores computer-readable instructions that, when executed by the processor, perform the methods described in the embodiments above.
It will be appreciated that the configuration shown in fig. 7 is merely illustrative and may include more or fewer components than shown in fig. 7 or have a different configuration than shown in fig. 7. The components shown in fig. 7 may be implemented in hardware, software, or a combination thereof.
Embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a server, the method in any of the above-mentioned all embodiments is implemented, which may specifically refer to the description in the above-mentioned method embodiments, and in order to avoid repetition, detailed description is appropriately omitted here.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made to the present application by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A method of policy convergence, the method comprising:
obtaining a plurality of policies to be converged, wherein each policy to be converged in the plurality of policies to be converged is used to filter, by address, access requests without access right;
extracting at least one address segment included in the plurality of policies to be converged, wherein each address segment of the at least one address segment comprises a start address and an end address; and
obtaining a target convergence policy according to address information of target access traffic and the at least one address segment, so that a target security device controls the authority of access traffic according to the target convergence policy, wherein the target access traffic is historical access traffic within a preset time.
2. The method according to claim 1, wherein extracting the at least one address segment included in the plurality of policies to be converged comprises:
representing the addresses included in the plurality of policies to be converged by address identifiers to obtain a plurality of target identifiers, wherein one address corresponds to one target identifier; and
extracting the at least one address segment from the plurality of policies to be converged based on the plurality of target identifiers.
3. The method according to any one of claims 1 to 2, wherein after obtaining the target convergence policy according to the address information of the target access traffic and the at least one address segment, the method further comprises:
obtaining the number of times the target access traffic accessed the target security device; and
ranking the target convergence policy based on that number to obtain an updated convergence policy, so that the target security device controls the authority of access traffic according to the updated convergence policy.
4. The method according to claim 3, wherein the updated convergence policy comprises a first updated convergence policy and a second updated convergence policy, the first updated convergence policy and the second updated convergence policy being any two of the updated convergence policies;
and wherein, after ranking the target convergence policy based on the number of times to obtain the updated convergence policy, the method further comprises:
merging the first updated convergence policy and the second updated convergence policy into one policy if they have the same destination address or the same source address.
5. The method according to any one of claims 1 to 2, wherein the plurality of policies to be converged are stored in a policy configuration device, the policy configuration device being a switch, and the switch being connected to the target security device and configured to distribute the target access traffic to the target security device;
and wherein obtaining the plurality of policies to be converged comprises:
obtaining a plurality of original policies to be converged deployed on the switch; and
screening the plurality of original policies to be converged based on the policies corresponding to the target security device to obtain the plurality of policies to be converged.
6. The method according to any one of claims 1 to 2, wherein obtaining the target convergence policy according to the address information of the target access traffic and the at least one address segment comprises:
matching the address information of the target access traffic against the at least one address segment one by one to obtain target address information, wherein the target address information lies within the address range bounded by the at least one address segment; and
generating the target convergence policy based on the target address information.
7. A system for policy convergence, the system comprising:
a policy convergence device configured to obtain a plurality of policies to be converged and to execute the method according to any one of claims 1 to 6 on the plurality of policies to be converged to obtain a target convergence policy; and
a target security device configured to filter access requests without access right through the target convergence policy.
8. An apparatus for policy convergence, the apparatus comprising:
a policy acquisition module configured to obtain a plurality of policies to be converged, wherein each policy to be converged in the plurality of policies to be converged is used to filter, by address, access requests without access right;
a segment extraction module configured to extract at least one address segment included in the plurality of policies to be converged, wherein each address segment of the at least one address segment comprises a start address and an end address; and
a policy convergence module configured to obtain a target convergence policy according to address information of target access traffic and the at least one address segment, so that a target security device controls the authority of access traffic according to the target convergence policy, wherein the target access traffic is historical access traffic within a preset time.
9. An electronic device, comprising a processor, a memory and a bus,
wherein the processor is coupled to the memory via the bus, and the memory stores computer-readable instructions which, when executed by the processor, implement the method of any one of claims 1 to 6.
10. A computer-readable storage medium having stored thereon a computer program which, when executed, implements the method of any one of claims 1 to 6.
CN202210772312.9A 2022-06-30 2022-06-30 Policy convergence method, device, system and medium Active CN115150169B (en)

Publications (2)

Publication Number Publication Date
CN115150169A true CN115150169A (en) 2022-10-04
CN115150169B CN115150169B (en) 2024-02-09

Family

ID=83410570

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030031178A1 (en) * 2001-08-07 2003-02-13 Amplify.Net, Inc. Method for ascertaining network bandwidth allocation policy associated with network address
US20080301765A1 (en) * 2007-05-31 2008-12-04 The Board Of Trustees Of The University Of Illinois Analysis of distributed policy rule-sets for compliance with global policy
WO2014153766A1 (en) * 2013-03-29 2014-10-02 Huawei Technologies Co., Ltd. Policy converging method, UE, and server
WO2021115183A1 (en) * 2019-12-12 2021-06-17 ZTE Corporation Address management method, server and computer-readable storage medium
CN113382019A (en) * 2021-06-30 2021-09-10 山石网科通信技术股份有限公司 Flow data processing method
CN113572780A (en) * 2021-07-28 2021-10-29 中国南方电网有限责任公司 Equipment security policy configuration method
CN114205134A (en) * 2021-12-07 2022-03-18 北京神州新桥科技有限公司 Network policy detection method, electronic device, and storage medium
CN114547466A (en) * 2022-02-28 2022-05-27 东北大学 Information diversity recommendation method based on deep reinforcement learning

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant