CN116112260A - Firewall security policy processing method, device, equipment and medium - Google Patents


Info

Publication number
CN116112260A
Authority
CN
China
Prior art keywords
packet
external network
session table
firewall
security policy
Prior art date
Legal status
Pending
Application number
CN202310104491.3A
Other languages
Chinese (zh)
Inventor
张辰
王红凯
冯珺
毛冬
彭梁英
饶涵宇
Current Assignee
Information and Telecommunication Branch of State Grid Zhejiang Electric Power Co Ltd
Original Assignee
Information and Telecommunication Branch of State Grid Zhejiang Electric Power Co Ltd
Priority date
Filing date
Publication date


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management

Abstract

The invention provides a method, apparatus, device and medium for processing a firewall security policy. The method is applied to a firewall and comprises: receiving a first packet sent by an external network; searching, according to the first packet and the routing table, whether the routing table holds an inter-domain security policy matching the first packet; if it does, creating a session table corresponding to the external network from the first packet and the user demand information, so that the firewall forwards the first packet and the subsequent packets sent by the external network according to that session table, which improves the efficiency with which the internal network receives valid data; if it does not, creating a session table corresponding to the external network from the first packet and setting its state to the blacklist state, so that the firewall intercepts both the first packet and the subsequent packets sent by the external network.

Description

Firewall security policy processing method, device, equipment and medium
Technical Field
The present invention relates to the field of firewall technologies, and in particular, to a method, an apparatus, a device, and a medium for processing a firewall security policy.
Background
Firewall technology builds a relatively isolated protective barrier between an internal network and an external network by combining software and hardware devices for security management and screening, in order to protect user data and information security. Network security protection between different servers of a data center also has to pass through a firewall. In the prior art, when the intranet receives data transmitted from the extranet, the firewall can block data files from the extranet that are infected with viruses, thereby protecting the intranet.
However, the security policy used by existing firewalls is single and simple: it can only block virus-infected data transmitted from the external network, and cannot further filter out the valid data that the internal network actually needs, so the efficiency with which the internal network receives valid data is low. For example, if the intranet actually only needs to receive data in Word document format, an existing firewall cannot select only the Word-format data, so the intranet still has to filter the data forwarded by the firewall itself, which is inefficient.
Disclosure of Invention
In view of this, the embodiments of the present invention provide a method, an apparatus, a device, and a medium for processing a firewall security policy, so as to forward and intercept a data packet through an inter-domain security policy, a session table, and a blacklist state in the session table, thereby improving the efficiency of receiving effective data by an intranet.
In order to achieve the above object, the embodiment of the present invention provides the following technical solutions:
in a first aspect, the present application discloses a method for processing a firewall security policy, which is applied to a firewall, where the method for processing the firewall security policy includes:
receiving a first packet sent by an external network;
searching whether an inter-domain security policy matched with the first packet exists in the routing table according to the first packet and the routing table;
if the inter-domain security policy matched with the first packet exists in the routing table, a session table corresponding to the external network is created according to the first packet and user demand information, so that the firewall forwards the first packet and the subsequent packet sent by the external network according to the session table corresponding to the external network;
if no inter-domain security policy matched with the first packet exists in the routing table, a session table corresponding to the external network is created according to the first packet, and the state of the session table corresponding to the external network is set to be a blacklist state, so that the firewall intercepts both the first packet and the subsequent packets sent by the external network.
Optionally, in the method for processing a firewall security policy, after receiving the first packet sent by the external network, the method further includes:
receiving a subsequent packet sent by the external network;
according to the subsequent packet, searching whether a session table matched with the subsequent packet exists in the created session table;
if the session table matched with the subsequent packet exists, checking whether the session table matched with the subsequent packet is in a blacklist state;
if the session table matched with the subsequent packet is in a blacklist state, intercepting the subsequent packet;
if the session table matched with the subsequent packet is not in the blacklist state, determining whether the subsequent packet is effective data meeting the user requirement according to the session table matched with the subsequent packet;
and if the subsequent packet is determined to be the effective data meeting the user requirement, forwarding the subsequent packet according to the output interface in the session table matched with the subsequent packet.
Optionally, in the method for processing the firewall security policy, the method further includes:
and in response to a user's session table modification operation, adding the user-specified IP address to a blacklist state of the user-specified session table.
Optionally, in the method for processing a firewall security policy, before searching whether an inter-domain security policy matched with the first packet exists in the routing table according to the first packet and the routing table, the method further includes:
storing the first packet in an intermediate domain.
Optionally, in the method for processing a firewall security policy, before searching whether a session table matched with the subsequent packet exists in the created session table according to the subsequent packet, the method further includes:
the subsequent packets are stored in the intermediate domain.
Optionally, in the method for processing a firewall security policy, before the firewall forwards the first packet and the subsequent packet sent by the external network, the method further includes:
and refreshing the latest transmission time and the transmission times of the session table corresponding to the external network.
Optionally, in the method for processing a firewall security policy, after finding that the routing table has the inter-domain security policy matching with the first packet, the method further includes:
determining the category of the data packet of the external network according to the inter-domain security policy matched with the first packet;
the creating the session table corresponding to the external network according to the first packet and the user demand information includes:
and creating a session table corresponding to the external network in a session table memory corresponding to the category to which the data packet of the external network belongs according to the first packet and the user demand information.
In a second aspect, the present application discloses a processing apparatus for firewall security policy, applied to a firewall, where the processing apparatus for firewall security policy includes:
the first receiving unit is used for receiving the first packet sent by the external network;
the first searching unit is used for searching whether an inter-domain security policy matched with the first packet exists in the routing table according to the first packet and the routing table;
a first creating unit, configured to create a session table corresponding to the external network according to the first packet and user requirement information if an inter-domain security policy matched with the first packet exists in the routing table, so that the firewall forwards the first packet and a subsequent packet sent by the external network according to the session table corresponding to the external network;
and the second creating unit is used for creating a session table corresponding to the external network according to the first packet if the inter-domain security policy matched with the first packet does not exist in the routing table, setting the state of the session table corresponding to the external network as a blacklist state, and enabling the firewall to intercept the first packet and the subsequent packet sent by the external network.
In a third aspect, the present application discloses a computer readable medium having stored thereon a computer program, wherein the program, when executed by a processor, implements a method according to any of the first aspects described above.
In a fourth aspect, the present application discloses a firewall security policy processing device, including:
one or more processors;
a storage device having one or more programs stored thereon;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of the first aspects described above.
Based on the processing method of the firewall security policy provided by the embodiment of the invention, the firewall searches whether the inter-domain security policy matched with the first packet exists in the routing table according to the first packet and the routing table by receiving the first packet sent by the external network. If the inter-domain security policy matched with the first packet exists in the routing table, a session table corresponding to the external network is created according to the first packet and the user demand information, so that the firewall forwards the first packet and the subsequent packet sent by the external network according to the session table corresponding to the external network, further the intranet receives the effective data which are forwarded by the firewall and meet the user demand, and the efficiency of receiving the effective data by the intranet is improved. If the inter-domain security policy matched with the first packet does not exist in the routing table, a session table corresponding to the external network is created according to the first packet, and the state of the session table corresponding to the external network is set to be a blacklist state, so that the firewall intercepts the first packet and the subsequent packets sent by the external network, and the possibility of receiving invalid data by the internal network is reduced.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a firewall security policy processing system according to the present application;
fig. 2 is a flow chart of a method for processing a firewall security policy according to the present application;
FIG. 3 is a flow chart of a method for processing a subsequent packet according to the present application;
fig. 4 is a schematic structural diagram of a processing device for firewall security policy provided in the present application.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In this application, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Referring to fig. 1, an embodiment of the present application discloses a firewall security policy processing system 100, where the system 100 includes: an extranet 101, a firewall 102, and an intranet 103. When the external network 101 sends a data packet to the internal network 103, the firewall 102 intercepts or forwards the data packet through a firewall security policy, the data packet intercepted by the firewall 102 cannot enter the internal network 103, and the data packet forwarded by the firewall 102 can enter the internal network 103.
Specifically, the firewall security policy in the system 100 is processed as follows: the external network 101 sends the first packet to the firewall 102, and the firewall 102 searches whether an inter-domain security policy matched with the first packet exists in the routing table according to the first packet and the routing table. If the inter-domain security policy matched with the first packet exists in the routing table, the firewall 102 creates a session table corresponding to the external network 101 according to the first packet and the user demand information, so that the firewall 102 forwards the first packet and the subsequent packet sent by the external network 101 to the internal network 103 according to the session table corresponding to the external network 101. If the firewall 102 finds that the inter-domain security policy matched with the first packet does not exist in the routing table, a session table corresponding to the external network 101 is created according to the first packet, and the state of the session table corresponding to the external network 101 is set to be a blacklist state, so that the firewall 102 intercepts both the first packet and the subsequent packet sent by the external network 101.
Based on the processing system 100 of firewall security policy provided in the embodiment of the present application, the firewall 102 searches whether there is an inter-domain security policy matching with the first packet in the routing table according to the first packet and the routing table by receiving the first packet sent by the external network 101. If the inter-domain security policy matched with the first packet exists in the routing table, a session table corresponding to the external network 101 is created according to the first packet and the user demand information, so that the firewall forwards the first packet and the subsequent packet sent by the external network 101 according to the session table corresponding to the external network 101, further, the internal network 103 receives the valid data which is forwarded by the firewall and meets the user demand, and the efficiency of the internal network 103 for receiving the valid data is improved. If the firewall 102 finds that the inter-domain security policy matched with the first packet does not exist in the routing table, a session table corresponding to the external network 101 is created according to the first packet, and the state of the session table corresponding to the external network 101 is set to be a blacklist state, so that the firewall 102 intercepts both the first packet and the subsequent packet sent by the external network 101, and the possibility that the internal network 103 receives invalid data is reduced.
Specifically, in the above-mentioned processing procedure of the firewall security policy in the system shown in fig. 1, reference may be made to the processing method of the firewall security policy provided in the embodiment of the present application.
Referring to fig. 2, an embodiment of the application discloses a method for processing a firewall security policy, which is applied to a firewall, and specifically includes the following steps:
s201, receiving a first packet sent by an external network.
The intranet in the embodiment of the present application may be understood as a local area network, and mainly refers to an interconnection network of computers within a small range. This "small area" may be a home, a school, a company, or a division, etc. While the extranet of the embodiments of the present application may be understood as a network outside of the intranet coverage. When the external network needs to transmit data to the internal network, in order to ensure the safety of the internal network, the data packet sent by the external network is received by the firewall first, and then the firewall determines whether to forward the data packet to the internal network.
The first packet is understood to be the first data packet. The first data packet may be understood as a data packet sent to the intranet for the first time by an external network server that has not established a connection with the intranet.
For example, the step S201 may be performed by establishing a connection between a server of the external network and a server of the internal network, and then sending a first packet to the internal network. The first packet sent by the external network server is sent to the firewall corresponding to the internal network after passing through the router, and the firewall further receives the first packet sent by the external network.
The first packet may carry information such as an IP address of the external network (i.e., a source IP address), an IP address of the internal network (i.e., a destination IP address), and the like. The embodiment of the application does not limit the specific data format and content of the first packet.
S202, according to the first packet and the routing table, searching whether an inter-domain security policy matched with the first packet exists in the routing table.
The firewall can find out the route with the same network prefix as the IP address according to the IP address carried in the first packet, and then find out whether the matched inter-domain security policy exists in the route table according to the IP address. If it is found that the inter-domain security policy matching the first packet exists in the routing table, step S203 is executed, and if it is found that the inter-domain security policy matching the first packet does not exist in the routing table, step S204 is executed.
The inter-domain security policy is used to control forwarding of inter-domain traffic and applies to scenarios in which interfaces join different security zones. The inter-domain security policy may match traffic in various ways, such as by IP address, time period, service (port or protocol type), user, and so on, and applies packet-filtering control (permit/deny) to the packets that match the conditions, allowing or refusing to receive them.
The inter-domain security policy may cover protocols such as the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP), network address translation, the control message protocol, the group management protocol, interior gateway protocols and so on, and the user may change the number and types of protocols compared according to the user demand information.
Whether a matching inter-domain security policy exists in the routing table can be understood as judging whether the first packet matches the inter-domain security policy. If the first packet does not match the inter-domain security policy, the data packet sent by the external network does not meet the network security requirement and cannot be received, so step S204 is executed. If the first packet matches the inter-domain security policy, the data packet sent by the external network meets the network security requirement, so step S203 is executed.
Optionally, in an embodiment of the present application, before performing step S202, the method further includes: the first packet is stored in the intermediate domain. In the process that the firewall decides whether to intercept the first packet, the first packet can be temporarily stored in the middle domain. The intermediate domain may be understood as a network area that belongs neither to the external network that sends the first packet, nor to the internal network.
S203, creating a session table corresponding to the external network according to the first packet and the user demand information, so that the firewall forwards the first packet and the subsequent packet sent by the external network according to the session table corresponding to the external network.
Because an inter-domain security policy matching the first packet has been found in the routing table, a session table corresponding to the external network is created from the IP address and other information in the first packet together with the user demand information, so that the firewall forwards the first packet and the subsequent packets sent by the external network according to that session table.
Here a subsequent packet is any non-first data packet sent from the external network to the internal network. The session table may be understood as a table of expected packets, and may include the source IP address, destination IP address, source port number, destination port number, upper-layer protocol and so on. Because the session table is in effect a table of expected packets, and in order to use it to filter out the valid data the user needs, the embodiment of the application uses the user demand information when creating the session table corresponding to the external network. The firewall can then, according to that session table, select from the data packets sent by the external network those that meet the user demand and forward them to the internal network.
The user demand information may be understood as the user demand for the data packet. In particular, the format requirements, content requirements, etc. of the data packets. For example, the user demand information may be a demand that the data packet must belong to a video file.
Specifically, when the session table corresponding to the external network is created, it is not set to the blacklist state (it can be understood as being set to a whitelist state), so that the firewall subsequently uses that session table to pass, rather than intercept, the data packets sent by the external network.
Optionally, in a specific embodiment of the present application, the method further includes: and modifying the session table specified by the user in response to the session table modification operation of the user.
Besides being created by the firewall, the session table may be modified manually by the user. When the user has new demand information or needs to intercept the data packets of an individual IP address, the user can submit a session table modification operation to the firewall, and the firewall modifies the session table the user specifies.
Illustratively, the firewall, in response to a user's session table modification operation, adds the user-specified IP address to the blacklist state of the user-specified session table to enable the firewall to intercept all packets sent by the user-specified IP address.
The form of the session table modification operation is not limited; for example, it may be entered on the command line or through the Web interface.
After creating the session table corresponding to the external network in step S203, it is determined whether to forward the first packet to the internal network through the session table corresponding to the external network. And when a subsequent packet sent by the external network is received subsequently, determining whether to forward the subsequent packet to the internal network or not through a session table corresponding to the external network. And then the effective data is sent to the intranet, and the ineffective data is intercepted.
Optionally, in an embodiment of the present application, after performing step S203, the method further includes:
and determining the category of the data packet of the external network according to the inter-domain security policy matched with the first packet. Wherein, when executing step S203 to create a session table corresponding to the external network according to the first packet and the user requirement information, the method includes: and creating a session table corresponding to the external network in a session table memory corresponding to the category to which the data packet of the external network belongs according to the first packet and the user demand information.
Specifically, session tables may be stored in different session table memories according to the category of the data packets output by the external network. When the session table corresponding to the external network is later searched for, the session table memory holding it can be found quickly from the category of the external network's data packets, so the session table can be read quickly. Illustratively, the firewall may classify according to the inter-domain security policy that matches the first packet and then store the newly created session table in the session table memory for that class.
Alternatively, different session tables may be stored in different session table memories, and when the firewall receives a data packet sent by the external network it may compare (match) the session tables stored in multiple session table memories simultaneously to find the session table corresponding to the external network.
Optionally, in an embodiment of the present application, before the firewall forwards the first packet and the subsequent packet sent by the external network, the method further includes:
refreshing the latest transmission time and the transmission count of the session table corresponding to the external network.
A session table can have an aging time. By recording the latest transmission time and the transmission count of the session table corresponding to the external network, the firewall can determine whether the session table needs to be destroyed: if a session table has not been used to transmit data packets for a long time, it can be destroyed so that it does not occupy memory.
S204, creating a session table corresponding to the external network according to the first packet, and setting the state of the session table corresponding to the external network to be a blacklist state, so that the firewall intercepts the first packet and the subsequent packets sent by the external network.
Because the routing table has no inter-domain security policy matching the first packet, the internal network does not trust the external network's IP address, so a session table corresponding to the external network is created from the first packet and its state is set to the blacklist state. When a session table is in the blacklist state, data packets sent from the IP address in that session table are intercepted by the firewall, so the firewall intercepts both the first packet and the subsequent packets sent by the external network.
Illustratively, performing an embodiment of step S204 includes adding the IP address of the external network to the blacklist state of the session table after creating the session table corresponding to the external network.
Optionally, referring to fig. 3, on the basis of the method shown in fig. 2, the firewall's processing flow for a subsequent packet sent by the external network may specifically include the following steps:
s301, receiving a subsequent packet sent by the external network.
The implementation and principle of step S301 are similar to that of step S201, except that step S201 receives the first packet and step S301 receives the subsequent packet.
Optionally, after the firewall receives a data packet sent by the external network, whether the received packet is a first packet or a subsequent packet may be determined by searching for a session table matching the data packet. If a matching session table exists, the received data packet may be regarded as a subsequent packet, and the flow shown in fig. 3 is performed. If no matching session table exists, the received data packet may be regarded as a first packet, and execution of the flow shown in fig. 2 is triggered.
S302, according to the subsequent packet, searching whether a session table matched with the subsequent packet exists in the created session table.
Specifically, the created session tables can be searched for one matching the subsequent packet according to the IP address information of the subsequent packet. When a session table matching the subsequent packet is found, step S303 is executed; if no session table matching the subsequent packet is found, the flow ends and the subsequent packet is not processed further.
Optionally, before performing step S302, the method further includes: the subsequent packets are stored in the intermediate domain until it is determined to forward or intercept the subsequent packets.
S303, checking whether a session table matched with the subsequent packet is in a blacklist state.
If the session table matching the subsequent packet is in the blacklist state, step S304 is performed, and if the session table matching the subsequent packet is not in the blacklist state, step S305 is performed.
S304, intercepting the subsequent packets.
S305, determining whether the subsequent packet is valid data meeting the user requirement according to the session table matched with the subsequent packet.
Because a session table that is not in the blacklist state is created according to the user's requirement information, it can be used to determine whether the subsequent packet is valid data meeting the user's requirement.
If it is determined that the subsequent packet is valid data meeting the user requirement, step S306 is executed, and if it is determined that the subsequent packet is not valid data meeting the user requirement, the interception process is performed.
S306, forwarding the subsequent packet according to the output interface in the session table matched with the subsequent packet.
According to the firewall security policy processing method provided by the embodiment of the invention, the firewall receives the first packet sent by the external network and searches, according to the first packet and the routing table, whether an inter-domain security policy matching the first packet exists in the routing table. If such a policy exists, a session table corresponding to the external network is created according to the first packet and the user demand information, so that the firewall forwards the first packet and the subsequent packets sent by the external network according to that session table; the intranet thus receives the valid data forwarded by the firewall that meets the user demand, and the efficiency with which the intranet receives valid data is improved. If no inter-domain security policy matching the first packet exists in the routing table, a session table corresponding to the external network is created according to the first packet and its state is set to the blacklist state, so that the firewall intercepts the first packet and the subsequent packets sent by the external network, and the possibility of the internal network receiving invalid data is reduced.
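As an added illustration (not code from the application or its applicant), the following Python model walks a packet through the first-packet flow of fig. 2 and the subsequent-packet flow of fig. 3: the routing-table policy lookup, a session table in forward or blacklist state, the user-requirement check, the refresh of latest transmission time and transmission count before forwarding, aging, and the user's blacklist modification. The Policy fields, the predicate standing in for the user demand information, the aging threshold and the packet dictionary are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

FORWARD, INTERCEPT, BLACKLIST = "forward", "intercept", "blacklist"
Packet = Dict[str, object]  # constructed model: {"src": "203.0.113.5", "dport": 443}


@dataclass
class Policy:
    """One inter-domain security policy in the routing table (field names assumed)."""
    src_net: str    # external source range the intranet trusts
    out_iface: str  # output interface written into the session table (S306)
    category: str   # data-packet category selecting the session-table memory (claim 7)


@dataclass
class Session:
    """Session table for one external network: state plus aging bookkeeping."""
    state: str                   # FORWARD or BLACKLIST
    out_iface: Optional[str] = None
    last_seen: float = 0.0       # latest transmission time
    count: int = 0               # transmission times


class Firewall:
    def __init__(self, routing_table: List[Policy],
                 user_requirement: Callable[[Packet], bool], aging_time: float):
        self.routing_table = routing_table
        self.user_requirement = user_requirement  # stands in for the user demand information
        self.aging_time = aging_time
        self.sessions: Dict[str, Session] = {}    # external IP -> its session table
        self.memories: Dict[str, List[str]] = {}  # category -> session-table memory

    def handle(self, pkt: Packet, now: float) -> Tuple[str, Optional[str]]:
        """S201/S301: a session lookup decides whether this is a first or subsequent packet."""
        src = str(pkt["src"])
        sess = self.sessions.get(src)
        if sess is None:
            sess = self._create_session(src, now)           # S202-S204
        return self._apply_session(pkt, sess, now)          # S303-S306

    def _create_session(self, src: str, now: float) -> Session:
        for pol in self.routing_table:                      # S202: inter-domain policy lookup
            if ip_address(src) in ip_network(pol.src_net):
                sess = Session(FORWARD, pol.out_iface, last_seen=now)   # S203
                self.memories.setdefault(pol.category, []).append(src)
                break
        else:
            sess = Session(BLACKLIST, last_seen=now)        # S204: the intranet does not trust this IP
        self.sessions[src] = sess
        return sess

    def _apply_session(self, pkt: Packet, sess: Session, now: float) -> Tuple[str, Optional[str]]:
        if sess.state == BLACKLIST:                         # S303 -> S304
            return INTERCEPT, None
        if not self.user_requirement(pkt):                  # S305: not valid data for the user
            return INTERCEPT, None
        sess.last_seen, sess.count = now, sess.count + 1    # refresh before forwarding
        return FORWARD, sess.out_iface                      # S306

    def blacklist(self, ip: str, now: float) -> None:
        """User session-table modification: put the given IP into the blacklist state."""
        sess = self.sessions.setdefault(ip, Session(BLACKLIST))
        sess.state, sess.out_iface, sess.last_seen = BLACKLIST, None, now

    def age_out(self, now: float) -> List[str]:
        """Destroy session tables idle longer than the aging time; return the destroyed IPs."""
        expired = [ip for ip, s in self.sessions.items() if now - s.last_seen > self.aging_time]
        for ip in expired:
            del self.sessions[ip]
            for mem in self.memories.values():
                if ip in mem:
                    mem.remove(ip)
        return expired
```

Because blacklisted session tables are never refreshed, they age out like any other and are recreated from the routing table on the next first packet from that IP.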
Referring to fig. 4, based on the firewall security policy processing method provided in the embodiment of the present application, the embodiment of the present application correspondingly discloses a firewall security policy processing device, which is applied to a firewall and includes: a first receiving unit 401, a first searching unit 402, a first creating unit 403, and a second creating unit 404.
A first receiving unit 401, configured to receive a first packet sent by an external network.
A first searching unit 402, configured to search, according to the first packet and the routing table, whether an inter-domain security policy matching the first packet exists in the routing table.
The first creating unit 403 is configured to create a session table corresponding to the external network according to the first packet and the user requirement information if the inter-domain security policy matching the first packet exists in the routing table, so that the firewall forwards the first packet and the subsequent packet sent by the external network according to the session table corresponding to the external network.
A second creating unit 404, configured to create a session table corresponding to the external network according to the first packet if it is found that the routing table contains no inter-domain security policy matching the first packet, and to set the state of the session table corresponding to the external network to a blacklist state, so that the firewall intercepts both the first packet and the subsequent packets sent by the external network.
Optionally, in a specific embodiment of the present application, the firewall security policy processing device further includes: a second receiving unit, a second searching unit, a first checking unit, a first intercepting unit, a first determining unit and a first forwarding unit.
And the second receiving unit is used for receiving the subsequent packets sent by the external network.
And the second searching unit is used for searching whether a session table matched with the subsequent packet exists from the created session table according to the subsequent packet.
And the first checking unit is used for checking, if a session table matched with the subsequent packet exists, whether that session table is in a blacklist state.
And the first interception unit is used for intercepting the subsequent packets if the session table matched with the subsequent packets is in a blacklist state.
And the first determining unit is used for determining whether the subsequent packet is valid data meeting the user requirement according to the session table matched with the subsequent packet if the session table matched with the subsequent packet is not in the blacklist state.
And the first forwarding unit is used for forwarding the subsequent packet according to the output interface in the session table matched with the subsequent packet if the subsequent packet is determined to be the effective data meeting the user requirement.
Optionally, in a specific embodiment of the present application, the processing device of the firewall security policy further includes:
and the modification unit is used for responding to a session table modification operation of the user by adding the user-specified IP address to the blacklist state of the user-specified session table.
Optionally, in a specific embodiment of the present application, the processing device of the firewall security policy further includes:
and the first storage unit is used for storing the first packet in the intermediate domain.
Optionally, in a specific embodiment of the present application, the processing device of the firewall security policy further includes:
and a second storage unit for storing the subsequent packets in the intermediate domain.
Optionally, in a specific embodiment of the present application, the processing device of the firewall security policy further includes:
and the refreshing unit is used for refreshing the latest transmission time and the transmission times of the session table corresponding to the external network.
Optionally, in a specific embodiment of the present application, the processing device of the firewall security policy further includes:
and the second determining unit is used for determining the category of the data packet of the external network according to the inter-domain security policy matched with the first packet.
Wherein the first creation unit includes:
the creation subunit is configured to create, according to the first packet and the user requirement information, a session table corresponding to the external network in a session table memory corresponding to a class to which the data packet of the external network belongs.
It should be noted that, in the firewall security policy processing device disclosed in the present application, the execution principle of each unit and subunit is consistent with the firewall security policy processing method disclosed in the foregoing embodiments of the present application, and is not described here again.
Based on the processing device for firewall security policy provided in the above embodiment of the present invention, the first receiving unit 401 receives the first packet sent by the external network, and the first searching unit 402 searches, according to the first packet and the routing table, whether there is an inter-domain security policy matching with the first packet in the routing table. If the inter-domain security policy matched with the first packet exists in the routing table, the first creating unit 403 creates a session table corresponding to the external network according to the first packet and the user requirement information, so that the firewall forwards the first packet and the subsequent packet sent by the external network according to the session table corresponding to the external network, further, the intranet receives the valid data which is forwarded by the firewall and meets the user requirement, and the efficiency of receiving the valid data by the intranet is improved. If it is found that the routing table does not have the inter-domain security policy matched with the first packet, the second creating unit 404 creates a session table corresponding to the external network according to the first packet, and sets the state of the session table corresponding to the external network to be a blacklist state, so that the firewall intercepts both the first packet and the subsequent packet sent by the external network, and the possibility that the internal network receives invalid data is reduced.
The application also discloses a computer readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements a method for processing a firewall security policy according to any one of the embodiments of the application.
The application also discloses a firewall security policy processing device, which comprises: one or more processors. A storage device having one or more programs stored thereon. The one or more programs, when executed by the one or more processors, cause the one or more processors to implement a method of processing a firewall security policy as described in any of the embodiments of the application.
In this specification, the embodiments are described in a progressive manner; identical and similar parts of the embodiments may be referred to each other, and each embodiment mainly describes its differences from the others. In particular, since a system or apparatus embodiment is substantially similar to a method embodiment, its description is relatively brief, and the relevant parts refer to the description of the method embodiment. The systems and system embodiments described above are merely illustrative: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement the present invention without undue burden.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. The method for processing the firewall security policy is characterized by being applied to a firewall, and comprises the following steps:
receiving a first packet sent by an external network;
searching whether an inter-domain security policy matched with the first packet exists in the routing table according to the first packet and the routing table;
if the inter-domain security policy matched with the first packet exists in the routing table, a session table corresponding to the external network is created according to the first packet and user demand information, so that the firewall forwards the first packet and the subsequent packet sent by the external network according to the session table corresponding to the external network;
if no inter-domain security policy matched with the first packet exists in the routing table, a session table corresponding to the external network is created according to the first packet, and the state of the session table corresponding to the external network is set to be a blacklist state, so that the firewall intercepts both the first packet and the subsequent packets sent by the external network.
2. The method of claim 1, further comprising, after receiving the first packet sent by the external network:
receiving a subsequent packet sent by the external network;
according to the subsequent packet, searching whether a session table matched with the subsequent packet exists in the created session table;
if the session table matched with the subsequent packet exists, checking whether the session table matched with the subsequent packet is in a blacklist state;
if the session table matched with the subsequent packet is in a blacklist state, intercepting the subsequent packet;
if the session table matched with the subsequent packet is not in the blacklist state, determining whether the subsequent packet is effective data meeting the user requirement according to the session table matched with the subsequent packet;
and if the subsequent packet is determined to be the effective data meeting the user requirement, forwarding the subsequent packet according to the output interface in the session table matched with the subsequent packet.
3. The method as recited in claim 1, further comprising:
and in response to a user's session table modification operation, adding the user-specified IP address to a blacklist state of the user-specified session table.
4. The method of claim 1, wherein the searching, according to the first packet and the routing table, whether an inter-domain security policy matching the first packet exists in the routing table further comprises:
storing the first packet in an intermediate domain.
5. The method of claim 2, wherein the searching for whether a session table matching the subsequent packet exists from the created session table based on the subsequent packet further comprises:
the subsequent packets are stored in the intermediate domain.
6. The method of claim 1, wherein before the firewall forwards the first packet and the subsequent packets sent by the external network, the method further comprises:
refreshing the latest transmission time and the transmission count of the session table corresponding to the external network.
7. The method of claim 1, wherein after searching whether an inter-domain security policy matching the first packet exists in the routing table, the method further comprises:
determining the category of the data packet of the external network according to the inter-domain security policy matched with the first packet;
the creating the session table corresponding to the external network according to the first packet and the user demand information includes:
and creating a session table corresponding to the external network in a session table memory corresponding to the category to which the data packet of the external network belongs according to the first packet and the user demand information.
8. A firewall security policy processing apparatus, applied to a firewall, the firewall security policy processing apparatus comprising:
the first receiving unit is used for receiving the first packet sent by the external network;
the first searching unit is used for searching whether an inter-domain security policy matched with the first packet exists in the routing table according to the first packet and the routing table;
a first creating unit, configured to create a session table corresponding to the external network according to the first packet and user requirement information if an inter-domain security policy matched with the first packet exists in the routing table, so that the firewall forwards the first packet and a subsequent packet sent by the external network according to the session table corresponding to the external network;
and the second creating unit is used for creating a session table corresponding to the external network according to the first packet if the inter-domain security policy matched with the first packet does not exist in the routing table, setting the state of the session table corresponding to the external network as a blacklist state, and enabling the firewall to intercept the first packet and the subsequent packet sent by the external network.
9. A computer readable medium, characterized in that a computer program is stored thereon, wherein the program, when executed by a processor, implements the method according to any of claims 1 to 7.
10. A firewall security policy processing apparatus, comprising:
one or more processors;
a storage device having one or more programs stored thereon;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-7.
Application CN202310104491.3A, priority date 2023-02-13, filing date 2023-02-13: Firewall security policy processing method, device, equipment and medium. Status: Pending. Publication: CN116112260A (en).

Publications (1)

Publication Number Publication Date
CN116112260A true CN116112260A (en) 2023-05-12

Family

ID=86255812

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination