CN116016185A - Automatic issuing method for firewall policy - Google Patents


Info

Publication number
CN116016185A
Authority
CN
China
Prior art keywords
firewall
target
configuration
source
database
Prior art date
Legal status
Pending
Application number
CN202211689498.8A
Other languages
Chinese (zh)
Inventor
傅敬博
Current Assignee
Chongqing Fumin Bank Co Ltd
Original Assignee
Chongqing Fumin Bank Co Ltd
Priority date
2022-12-27
Filing date
2022-12-27
Publication date
2023-04-25

Classifications

    • Y  GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02  TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D  CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/50Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of network security, and in particular to a method for automatically issuing firewall policies. The method comprises: S100, establishing a database; S200, acquiring the configuration file of each firewall, parsing each firewall's configuration policies, and storing them in the database; S300, acquiring a source IP and a target IP; S400, generating a target configuration policy from the source IP and the target IP and storing it in the database. The scheme reduces network configuration cost and improves network configuration efficiency.

Description

Automatic issuing method for firewall policy
Technical Field
The invention relates to the field of network security, and in particular to a method for automatically issuing firewall policies.
Background
Firewall technology is one of the most common and effective defensive measures in network security. For reasons of security protection and equipment management, a network is divided into several network zones, firewalls are deployed between the zones, and access between zones, and isolation of them, is enforced through firewall policy. Bringing a service online is normally accompanied by opening the corresponding network policies: an administrator must work out by hand, from the service's source IP and target IP, which firewalls the traffic must pass through, and then configure a matching security access policy in the management page of each of those firewalls.
When a large number of network policies must be opened, the same configuration work is repeated many times, which wastes manpower, requires a great deal of deployment time, and raises both labour and time cost. A method for automatically issuing firewall policies is therefore needed, so as to reduce network configuration cost and improve configuration efficiency.
Disclosure of Invention
The invention provides a method for automatically issuing firewall policies that reduces network configuration cost and improves network configuration efficiency.
To achieve this, the basic scheme of the invention is as follows:
A firewall policy automatic issuing method comprises the following steps:
S100, establishing a database;
S200, acquiring the configuration file of each firewall, parsing each firewall's configuration policies, and storing them in the database;
S300, acquiring a source IP and a target IP;
S400, generating a target configuration policy from the source IP and the target IP, and storing the target configuration policy in the database.
Further, S400 includes:
S401, determining, from the source IP and the target IP, the relay firewalls that lie between them;
S402, generating the target configuration policy according to the relay firewalls between the source IP and the target IP, and storing it in the database.
Further, in S200, the network segments and security domains maintained by each firewall are also parsed and stored in the database;
S401 includes:
S4011, determining the network segments and security domains to which the source IP and the target IP belong;
S4012, comparing those network segments and security domains with the network segments and security domains maintained by each firewall in the database, and producing a comparison result;
S4013, determining the relay firewalls between the source IP and the target IP from the comparison result.
Further, S400 further includes:
S403, checking whether the target configuration policy duplicates a configuration policy already in the database; if so, executing S404, otherwise executing S405;
S404, screening out the duplicated target configuration policies, then executing S405;
S405, issuing the target configuration policy to the corresponding relay firewalls, and storing the screened target configuration policy in the database.
Further, in S404, a duplicate-policy prompt is generated.
Further, in S200, the configuration file of each firewall is acquired at a preset time interval.
The principles and advantages of the invention are as follows:
1. The configuration file of each firewall is acquired periodically and its configuration policies are stored in the database, so that when an administrator needs a configuration policy it is extracted directly from the database by the service's source IP and target IP. Compared with administrators searching the network and issuing configuration by hand, a database holding a large accumulated body of policies (newly generated target configuration policies are acquired and stored periodically) lowers the time and labour cost of network configuration and raises its efficiency, especially when the volume of configuration requests is large.
2. Comparing the network segments and security domains of the source IP and target IP with those maintained by each firewall in the database identifies the relay firewalls that traffic between the two must pass through. The target configuration policy is then issued to those relay firewalls and the screened target configuration policy is stored in the database, which both expands the database and completes issuing of the firewall policy.
3. The extracted configuration policy is checked for duplication; duplicates are screened out and a duplicate-policy prompt is generated, so repeated configuration policies are filtered instead of accumulating in large numbers.
Drawings
Fig. 1 is a flow chart of a firewall policy automatic issuing method according to an embodiment of the present invention.
Detailed Description
The embodiments are described in further detail below:
Example 1:
Example 1 is substantially as shown in Figure 1:
A firewall policy automatic issuing method comprises the following steps:
S100, establishing a database. In this embodiment a network management platform is created first, and the database is built inside it.
S200, acquiring the configuration file of each firewall at a preset time interval, parsing each firewall's configuration policies together with the network segments and security domains it maintains, and storing all of these in the database. The configuration file of each firewall is re-read periodically and the database updated.
S300, acquiring a source IP and a target IP. In this embodiment an administrator enters the policy to be configured into the network management platform; the platform then generates the target configuration policy from the source IP and target IP automatically, expands the database and issues the policy.
S400, generating a target configuration policy from the source IP and the target IP, and storing it in the database. S400 includes:
S401, determining the relay firewalls between the source IP and the target IP. S401 includes:
S4011, determining the network segments and security domains to which the source IP and the target IP belong.
S4012, comparing those network segments and security domains with the network segments and security domains maintained by each firewall in the database, and producing a comparison result. In this embodiment, if the network segments and security domains of the source IP and target IP overlap with those maintained by a firewall in the database, that firewall is taken to be a relay firewall.
S4013, determining the relay firewalls between the source IP and the target IP from the comparison result.
S402, generating the target configuration policy according to the relay firewalls between the source IP and the target IP, and storing it in the database. In this embodiment the policy is generated with an artificial-intelligence model: the source IP, the target IP, the relay firewalls, and the network segments and security domains of the source IP and target IP are the inputs of the input layer, and the target configuration policy is the output of the output layer.
Specifically, a BP (back-propagation) neural network is used. A three-layer BP network is built with an input layer, a hidden layer and an output layer. The source IP, target IP, relay firewalls, and the network segments and security domains of the source and target IP form the input, so the input layer has 4 nodes; the output is the target configuration policy, so the output layer has 1 node. The number of hidden-layer nodes is determined by the following formula:
(formula for the number of hidden-layer nodes, shown as an image in the original)
where l is the number of hidden-layer nodes, n the number of input-layer nodes, m the number of output-layer nodes, and a a number between 1 and 10, taken as 6 in this embodiment, which gives a hidden layer of 9 nodes. BP networks usually use sigmoid-type differentiable functions and linear functions as activation functions. This embodiment selects the S-shaped tangent function tansig as the activation function of the hidden-layer neurons, and the prediction model selects the S-shaped logarithmic function tan sig as the activation function of the output-layer neurons. Once the BP model is built it is trained on historical data as samples, and the trained model yields more accurate results.
S403, checking whether the target configuration policy duplicates a configuration policy already in the database; if so, S404 is executed, otherwise S405.
S404, screening out the duplicated target configuration policies and generating a duplicate-policy prompt, then executing S405. This greatly reduces the intermediate storage otherwise consumed by repeated configuration policies.
S405, issuing the target configuration policy to the corresponding relay firewalls and storing the screened target configuration policy in the database. Each relay firewall then applies the issued configuration policy directly, so the firewall policy is configured automatically.
With this scheme the time and labour cost of network configuration are reduced and its efficiency improved, especially when the volume of configuration requests is large. In addition, repeated configuration policies are filtered out, so large numbers of duplicate configurations do not accumulate and storage space is saved.
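The pipeline of Example 1, S200 through S405, as an added runnable example; this is illustration code written for this page, not code from the patent or the applicant. The configuration line format, firewall names, zone names and addresses are constructed (the patent names no vendor format). The relay-firewall step is generalised beyond the overlap comparison of S4012 into a breadth-first search over security domains, which also handles a source and target separated by several firewalls; the duplicate check of S403 treats an existing wider permit that already covers the new host pair as a duplicate, not only a byte-identical rule; and the neural-network generation of S402 is replaced by a deterministic host-to-host permit per relay firewall.

```python
"""Added example for Example 1 (S200 to S405); not code from the patent.
Config format, firewall names, zones and addresses are constructed."""
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed stand-in for the per-firewall configuration files of S200:
#   zone <name> <cidr>                                 (domain + segment)
#   rule <from_zone> <to_zone> <src> <dst> <service> <action>   (policy)
FIREWALL_CONFIGS = {
    "fw-core": """
        zone office 10.1.0.0/16
        zone dmz 10.2.0.0/24
        rule office dmz 10.1.0.0/16 10.2.0.0/24 tcp/443 permit
    """,
    "fw-db": """
        zone dmz 10.2.0.0/24
        zone db 10.3.0.0/24
        rule dmz db 10.2.0.10/32 10.3.0.5/32 tcp/5432 permit
    """,
}


def parse_config(fw, text):
    """S200: one firewall's config -> (zones, policies)."""
    zones, policies = {}, []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "zone":
            zones.setdefault(parts[1], []).append(ip_network(parts[2]))
        elif parts and parts[0] == "rule":
            src_zone, dst_zone, src, dst, service, action = parts[1:]
            policies.append(dict(fw=fw, src_zone=src_zone, dst_zone=dst_zone,
                                 src=ip_network(src), dst=ip_network(dst),
                                 service=service, action=action))
    return zones, policies


def build_database(configs):
    """S100/S200: the database holds each firewall's zones and all policies."""
    db = {"firewalls": {}, "policies": []}
    for fw, text in configs.items():
        db["firewalls"][fw], policies = parse_config(fw, text)
        db["policies"].extend(policies)
    return db


def zones_of(db, ip):
    """S4011: every security domain (on any firewall) whose segments hold ip."""
    addr = ip_address(ip)
    return {zone for zones in db["firewalls"].values()
            for zone, nets in zones.items() if any(addr in n for n in nets)}


def relay_path(db, src_ip, dst_ip):
    """S4012/S4013: BFS from the source domain to the target domain, each
    firewall joining the domains it maintains.  Returns hops of
    (firewall, ingress_zone, egress_zone); [] means same domain, no relay."""
    src_zones, dst_zones = zones_of(db, src_ip), zones_of(db, dst_ip)
    if not src_zones or not dst_zones:
        raise ValueError("an IP is not covered by any firewall segment")
    if src_zones & dst_zones:
        return []
    queue, seen = deque((z, []) for z in src_zones), set(src_zones)
    while queue:
        zone, hops = queue.popleft()
        for fw, zones in db["firewalls"].items():
            for nxt in zones:
                if zone in zones and nxt not in seen:
                    path = hops + [(fw, zone, nxt)]
                    if nxt in dst_zones:
                        return path
                    seen.add(nxt)
                    queue.append((nxt, path))
    raise ValueError("no firewall path from %s to %s" % (src_ip, dst_ip))


def is_covered(policy, existing):
    """S403: duplicate = an existing permit on the same firewall and zone pair
    already covers this source, target and service (exact or wider)."""
    return (existing["fw"] == policy["fw"] and existing["action"] == "permit"
            and existing["src_zone"] == policy["src_zone"]
            and existing["dst_zone"] == policy["dst_zone"]
            and existing["service"] == policy["service"]
            and policy["src"].subnet_of(existing["src"])
            and policy["dst"].subnet_of(existing["dst"]))


def issue(db, src_ip, dst_ip, service):
    """S300-S405: returns (policies to issue to relay firewalls, duplicate
    prompts).  Generated rules are host-to-host permits, never whole segments."""
    issued, prompts = [], []
    for fw, ingress, egress in relay_path(db, src_ip, dst_ip):
        policy = dict(fw=fw, src_zone=ingress, dst_zone=egress,
                      src=ip_network(src_ip), dst=ip_network(dst_ip),
                      service=service, action="permit")
        if any(is_covered(policy, e) for e in db["policies"]):  # S403/S404
            prompts.append("%s: %s->%s %s already permits %s -> %s"
                           % (fw, ingress, egress, service, src_ip, dst_ip))
            continue
        db["policies"].append(policy)  # S405: expand the database
        issued.append(policy)
    return issued, prompts
```

Run with Python 3.7 or later (`subnet_of` needs 3.7). `issue()` returns the policies to push and the duplicate prompts instead of touching any device, so an operator can review the generated permits before they reach a firewall; a generator that pushes automatically should at least keep each rule scoped to the requested hosts and service, as this one does, rather than opening the whole segment pair.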
Example 2:
Example 2 is substantially as shown in Figure 1:
Example 2 follows the same basic principle as Example 1, except that in Example 2:
S200, the configuration policies of each firewall are parsed and checked against one another; policies that are the same are given the same jump link, and policies that differ are given different jump links. Each jump link corresponds to a distinct access address at which the corresponding configuration policy is stored.
S402, the jump links are accessed in turn according to the relay firewalls between the source IP and the target IP, and the configuration policies are extracted through the access addresses the links point to. Before each access it is checked whether the jump link has already been accessed: if not, it is accessed; if it has, the current access task is skipped.
In this way the same configuration policy is not accessed repeatedly, which saves invalid operation time and improves policy configuration efficiency; the amount of data that must be held temporarily in intermediate storage falls, its capacity requirement falls with it, and identical configuration policies no longer need to be removed in a separate later step, which further improves configuration efficiency.
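The jump-link storage of Example 2 as an added runnable example, not code from the patent: each policy's link is a content address (a SHA-256 prefix over a canonical JSON serialisation), so identical policies on different firewalls share one address and are stored once, and `extract()` walks the relay firewalls in order while skipping links already accessed. The policy field names and the sample rules are constructed for the example.

```python
"""Added example for Example 2 (jump links); not code from the patent.
Policy fields and sample rules are constructed."""
import hashlib
import json


def jump_link(policy):
    """S200 (Example 2): same policy -> same link, different -> different.
    Keys are sorted and whitespace dropped so field order cannot yield
    two links for one policy."""
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    return "policy/" + hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


class JumpLinkStore:
    def __init__(self):
        self.policy_at = {}   # access address -> the single stored copy
        self.links_of = {}    # firewall -> its links, in config order

    def ingest(self, firewall, policies):
        """S200: register each firewall's policies under their jump links."""
        for policy in policies:
            link = jump_link(policy)
            self.policy_at.setdefault(link, policy)
            self.links_of.setdefault(firewall, []).append(link)

    def extract(self, relay_firewalls):
        """S402 (Example 2): follow links in relay order, skipping links
        already accessed.  Returns (policies extracted, accesses skipped)."""
        accessed, extracted, skipped = set(), [], 0
        for firewall in relay_firewalls:
            for link in self.links_of.get(firewall, []):
                if link in accessed:
                    skipped += 1
                    continue
                accessed.add(link)
                extracted.append(self.policy_at[link])
        return extracted, skipped


# Constructed sample: both firewalls carry the same management rule.
MGMT = {"src": "10.9.0.0/24", "dst": "any", "service": "tcp/22", "action": "permit"}
SAMPLE_CONFIGS = {
    "fw-core": [{"src": "10.1.0.0/16", "dst": "10.2.0.0/24",
                 "service": "tcp/443", "action": "permit"}, MGMT],
    "fw-db": [{"src": "10.2.0.10/32", "dst": "10.3.0.5/32",
               "service": "tcp/5432", "action": "permit"}, MGMT],
}


def load_sample():
    store = JumpLinkStore()
    for firewall, policies in SAMPLE_CONFIGS.items():
        store.ingest(firewall, policies)
    return store
```

The canonical form here only fixes key order and whitespace. In practice addresses and services must also be normalised before hashing (for example 10.1.0.0/16 against 10.1.0.0/255.255.0.0, or a port number against a service name), otherwise equal policies get different links and the duplicate is missed.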
The foregoing is merely an embodiment of the present invention. Structures and features well known in the art are not described here, since those skilled in the art are aware of the prior art in the field before the application or priority date and, with their ordinary knowledge and the teaching of this application, are able to practise the invention; typical known structures or methods therefore pose no obstacle to practising it. Those skilled in the art may make modifications and improvements without departing from the structure of the invention, and these also fall within its scope provided they do not affect the effect of its implementation or the utility of the patent. The scope of protection is defined by the claims, and the description of specific embodiments in the specification may be used to interpret the claims.

Claims (6)

1. A firewall policy automatic issuing method, characterized in that it comprises the following steps:
S100, establishing a database;
S200, acquiring the configuration file of each firewall, parsing each firewall's configuration policies, and storing them in the database;
S300, acquiring a source IP and a target IP;
S400, generating a target configuration policy from the source IP and the target IP, and storing the target configuration policy in the database.
2. The firewall policy automatic issuing method according to claim 1, characterized in that S400 includes:
S401, determining, from the source IP and the target IP, the relay firewalls between them;
S402, generating the target configuration policy according to the relay firewalls between the source IP and the target IP, and storing it in the database.
3. The firewall policy automatic issuing method according to claim 2, characterized in that:
in S200, the network segments and security domains maintained by each firewall are parsed and stored in the database;
S401 includes:
S4011, determining the network segments and security domains to which the source IP and the target IP belong;
S4012, comparing those network segments and security domains with the network segments and security domains maintained by each firewall in the database, and producing a comparison result;
S4013, determining the relay firewalls between the source IP and the target IP from the comparison result.
4. The firewall policy automatic issuing method according to claim 3, characterized in that S400 further includes:
S403, checking whether the target configuration policy duplicates a configuration policy already in the database; if so, executing S404, otherwise executing S405;
S404, screening out the duplicated target configuration policies, then executing S405;
S405, issuing the target configuration policy to the corresponding relay firewalls, and storing the screened target configuration policy in the database.
5. The firewall policy automatic issuing method according to claim 4, characterized in that in S404 a duplicate-policy prompt is generated.
6. The firewall policy automatic issuing method according to claim 1, characterized in that in S200 the configuration file of each firewall is acquired at a preset time interval.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211689498.8A CN116016185A (en) 2022-12-27 2022-12-27 Automatic issuing method for firewall policy

Publications (1)

Publication Number Publication Date
CN116016185A true CN116016185A (en) 2023-04-25

Family

ID=86026173

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104580078A (en) * 2013-10-15 2015-04-29 北京神州泰岳软件股份有限公司 Network access control method and system
CN109600368A (en) * 2018-12-07 2019-04-09 中盈优创资讯科技有限公司 Method and device for determining a firewall policy
CN110661670A (en) * 2019-10-21 2020-01-07 中国民航信息网络股份有限公司 Network equipment configuration management method and device
CN111835794A (en) * 2020-09-17 2020-10-27 腾讯科技(深圳)有限公司 Firewall policy control method and device, electronic equipment and storage medium
CN111935117A (en) * 2020-07-30 2020-11-13 平安科技(深圳)有限公司 Firewall policy issuing method and device, electronic equipment and storage medium
CN113660281A (en) * 2021-08-20 2021-11-16 烽火通信科技股份有限公司 Method and device for adaptively configuring firewall rules based on historical scenes
KR102430988B1 (en) * 2022-02-10 2022-08-11 (주)제너럴데이타 Method, device and system for controlling policy setting of host firewall based on artificial intelligence

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
雷艳晴; 尚文利; 万明; 曾鹏: "Design of a self-learning algorithm for industrial firewall rules" (工业防火墙规则自学习算法设计), Computer Engineering and Design (计算机工程与设计), no. 12, 16 December 2016, pages 1-6 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117596139A (en) * 2024-01-18 2024-02-23 银联数据服务有限公司 Firewall configuration command generation method and device
CN117596139B (en) * 2024-01-18 2024-05-31 银联数据服务有限公司 Firewall configuration command generation method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination