CN116566720A - Firewall policy translation method, device, computer equipment and storage medium - Google Patents


Info

Publication number: CN116566720A
Authority: CN (China)
Prior art keywords: policy, address, firewall, firewall policy, translated
Legal status: Pending
Application number: CN202310667695.8A
Other languages: Chinese (zh)
Inventors: 张倩倩, 宋浩, 吕嘉祥, 周明月
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a firewall policy translation method, a firewall policy translation device, computer equipment and a storage medium, relates to the technical field of computers, and can be used in the field of financial technology or other related fields. The method comprises the following steps: in response to a policy translation request comprising a first IP address and a second IP address, acquiring the original firewall policy corresponding to the first IP address; modifying the original firewall policy according to the first IP address and the second IP address to obtain a target firewall policy; carrying out an openness check on the target firewall policy according to the second IP address to obtain the policy to be translated; and translating the policy to be translated to the second IP address. By adopting the method, the accuracy and reliability of firewall policy translation can be improved, and the efficiency of firewall policy translation can be improved.

Description

Firewall policy translation method, device, computer equipment and storage medium
Technical Field
The present disclosure relates to the field of computer technology, and in particular to a firewall policy translation method, device, computer device and storage medium, which may be used in the field of financial technology or other related fields.
Background
As the network security threat landscape grows more complex, firewall devices are deployed between the network areas of a large financial institution's data center local area network, and access between each test client and each test and production network area is controlled by firewall policies. With the rapid growth of financial business in recent years, the access control requirements of data centers, and of test environments in particular, have become increasingly complex, the number of access control policies has grown rapidly, and accurate implementation of firewall policies has become a major challenge. In addition, a large financial institution's data center local area network usually hosts thousands of servers and storage devices and carries the daily operation of hundreds of application systems, so that, to keep the various services running, extremely complex access relations exist between different applications and between different nodes of the same application.
With the continued development of cloud and virtualization technologies, financial-industry data centers have an increasing need for firewall policy translation (migration), and because the IP addresses of the application systems change before and after translation, the related firewall policies need to be re-established. At present, firewall policies are generally migrated by an operator manually sorting out and confirming the application access relations, then manually identifying the firewall requirements and implementing the firewall policies according to those relations. Because the application access relations are extremely complex, this is inefficient, prone to omissions, and a significant risk to the overall migration process.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a firewall policy translation method, apparatus, computer device, and storage medium that can improve accuracy and reliability of firewall policy translation and improve efficiency of firewall policy translation.
In a first aspect, the present application provides a firewall policy translation method, where the method includes:
responding to a policy translation request comprising a first IP address and a second IP address, and acquiring an original firewall policy corresponding to the first IP address;
modifying the original firewall policy according to the first IP address and the second IP address to obtain a target firewall policy;
carrying out an openness check on the target firewall policy according to the second IP address to obtain the policy to be translated;
and translating the policy to be translated to the second IP address.
In one embodiment, modifying the original firewall policy according to the first IP address and the second IP address to obtain the target firewall policy includes:
determining a policy translation scenario according to the first IP address and the second IP address;
updating the original firewall policy according to the policy translation scenario to obtain an updated original firewall policy;
and replacing the first IP address contained in the updated original firewall policy with the second IP address to obtain the target firewall policy.
In one embodiment, updating the original firewall policy according to the policy translation scenario to obtain the updated original firewall policy includes:
extracting a standby firewall policy from the original firewall policy according to the policy translation scenario;
and cleaning the standby firewall policy to obtain the updated original firewall policy.
In one embodiment, carrying out an openness check on the target firewall policy according to the second IP address to obtain the policy to be translated includes:
acquiring a reference firewall policy corresponding to the second IP address;
carrying out the openness check on the target firewall policy according to the reference firewall policy;
and taking the firewall policies in the target firewall policy whose openness check result is "failed" as the policy to be translated.
In one embodiment, carrying out the openness check on the target firewall policy according to the reference firewall policy includes:
comparing the reference firewall policy with the target firewall policy;
and determining the openness check result of the target firewall policy according to the comparison result.
In one embodiment, translating the policy to be translated to the second IP address includes:
translating the policy to be translated to the second IP address according to the firewall type of the policy to be translated.
In one embodiment, translating the policy to be translated to the second IP address according to the firewall type of the policy to be translated includes:
if the firewall type is a soft wall (software firewall), adding the policy to be translated to the reference firewall policy corresponding to the second IP address;
if the firewall type is a hard wall (hardware firewall), acquiring the firewall policy corresponding to the policy to be translated from the reference firewall policy, and adding the second IP address to the acquired firewall policy.
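The whole method, from fetching the original policy through IP replacement, the openness check and the type-dependent translation, as an added worked example in Python that is not part of the patent or of any ICBC system. The in-memory policy table and its fields, the 'soft'/'hard' type labels, the containment reading of the openness comparison and the whole-rulebase reference query for hard walls are all assumptions made for illustration; the sample addresses are constructed.

```python
# Added example (not the patent's own code): an end-to-end model of the
# translation pipeline. Policy format, the 'soft'/'hard' firewall labels and the
# in-memory query functions are assumptions made for illustration.
import copy

FIRST_IP = "10.1.1.10"    # constructed: address before translation
SECOND_IP = "10.5.5.50"   # constructed: address after translation

# Constructed policy table standing in for the firewall policy query interface.
# src/dst are sets of host addresses; 'type' is 'soft' (software firewall) or
# 'hard' (hardware firewall, whose rules hold address sets).
POLICY_STORE = [
    {"fw": "fw-app-1", "type": "soft", "src": {"10.1.1.10"}, "dst": {"10.2.2.20"}, "proto": "tcp", "port": 443},
    {"fw": "fw-app-1", "type": "soft", "src": {"10.3.3.30"}, "dst": {"10.1.1.10"}, "proto": "tcp", "port": 8080},
    {"fw": "fw-core",  "type": "hard", "src": {"10.1.1.10"}, "dst": {"10.9.9.90"}, "proto": "tcp", "port": 1521},
    # already opened for the second IP: the translated 443 policy must be skipped
    {"fw": "fw-app-1", "type": "soft", "src": {"10.5.5.50"}, "dst": {"10.2.2.20"}, "proto": "tcp", "port": 443},
    # unrelated hard-wall rule: same service, different destination, must stay untouched
    {"fw": "fw-core",  "type": "hard", "src": {"10.8.8.80"}, "dst": {"10.9.9.91"}, "proto": "tcp", "port": 1521},
]


def query_policies(store, ip):
    """S201: every policy that mentions the given address (the 'original firewall policy')."""
    return [p for p in store if ip in p["src"] or ip in p["dst"]]


def reference_policies(store, second_ip):
    """S401: policies mentioning the second IP. Assumption: hard-wall rulebases are
    returned whole, so a 'corresponding' rule can be found for the hard-wall case."""
    return [p for p in store if p["type"] == "hard" or second_ip in p["src"] or second_ip in p["dst"]]


def replace_ip(policy, first_ip, second_ip):
    """S303: copy the policy with the first IP swapped for the second IP."""
    p = copy.deepcopy(policy)
    for side in ("src", "dst"):
        if first_ip in p[side]:
            p[side].discard(first_ip)
            p[side].add(second_ip)
    return p


def same_service(a, b):
    return (a["fw"], a["proto"], a["port"]) == (b["fw"], b["proto"], b["port"])


def is_open(target, reference):
    """S402 openness check: passes when a reference policy on the same firewall and
    service already covers the target's sources and destinations (a containment
    comparison, an assumption about what 'consistent' means in the text)."""
    return any(same_service(target, r) and target["src"] <= r["src"] and target["dst"] <= r["dst"]
               for r in reference)


def translate(store, first_ip, second_ip):
    """Run S201-S204 against the store in place; returns the policies that were translated."""
    original = query_policies(store, first_ip)
    target = [replace_ip(p, first_ip, second_ip) for p in original]     # S202
    reference = reference_policies(store, second_ip)
    to_translate = [t for t in target if not is_open(t, reference)]      # S403
    for t in to_translate:                                               # S204
        if t["type"] == "soft":
            store.append(t)             # soft wall: add the policy itself
            continue
        # hard wall: find the corresponding rule (same firewall, service and far end)
        # and add the second IP to its address set instead of creating a new rule
        side = "src" if second_ip in t["src"] else "dst"
        other = "dst" if side == "src" else "src"
        match = next((r for r in reference if r["type"] == "hard"
                      and same_service(t, r) and r[other] == t[other]), None)
        if match is None:
            store.append(t)
        else:
            match[side].add(second_ip)
    return to_translate


def run_example():
    """Translate on a private copy of the sample table; returns (store, translated)."""
    store = copy.deepcopy(POLICY_STORE)
    return store, translate(store, FIRST_IP, SECOND_IP)


if __name__ == "__main__":
    store, moved = run_example()
    for p in moved:
        print("translated:", p)
    print("table now has", len(store), "policies")
```

On the sample table the 443 policy is skipped because the second IP already has it, the 8080 policy is added as a new soft-wall rule with the second IP as destination, and on the hard wall the second IP is added to the existing 1521 rule's source set rather than creating a duplicate rule.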
In a second aspect, the present application further provides a firewall policy translation apparatus, where the apparatus includes:
the policy acquisition module, used to acquire, in response to a policy translation request comprising a first IP address and a second IP address, the original firewall policy corresponding to the first IP address;
the policy generation module, used to modify the original firewall policy according to the first IP address and the second IP address to obtain the target firewall policy;
the policy checking module, used to carry out an openness check on the target firewall policy according to the second IP address to obtain the policy to be translated;
and the policy translation module, used to translate the policy to be translated to the second IP address.
In a third aspect, the present application also provides a computer device comprising a memory storing a computer program and a processor implementing the following steps when executing the computer program:
responding to a policy translation request comprising a first IP address and a second IP address, and acquiring an original firewall policy corresponding to the first IP address;
modifying the original firewall policy according to the first IP address and the second IP address to obtain a target firewall policy;
carrying out an openness check on the target firewall policy according to the second IP address to obtain the policy to be translated;
and translating the policy to be translated to the second IP address.
In a fourth aspect, the present application also provides a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of:
responding to a policy translation request comprising a first IP address and a second IP address, and acquiring an original firewall policy corresponding to the first IP address;
modifying the original firewall policy according to the first IP address and the second IP address to obtain a target firewall policy;
carrying out an openness check on the target firewall policy according to the second IP address to obtain the policy to be translated;
and translating the policy to be translated to the second IP address.
In a fifth aspect, the present application also provides a computer program product comprising a computer program which, when executed by a processor, performs the steps of:
responding to a policy translation request comprising a first IP address and a second IP address, and acquiring an original firewall policy corresponding to the first IP address;
modifying the original firewall policy according to the first IP address and the second IP address to obtain a target firewall policy;
carrying out an openness check on the target firewall policy according to the second IP address to obtain the policy to be translated;
and translating the policy to be translated to the second IP address.
According to the firewall policy translation method, device, computer device and storage medium above, once the policy translation request is obtained, the original firewall policy corresponding to the first IP address is modified according to the first IP address and the second IP address, so that the target firewall policy is obtained and the process of obtaining it is simplified; then, by introducing an openness check on the target firewall policy, the policy to be translated that is obtained is more accurate, and translating the policy to be translated to the second IP address allows firewall policies to be translated between different IP addresses efficiently and reliably.
Drawings
FIG. 1 is an application environment diagram of a firewall policy translation method in one embodiment;
FIG. 2 is a flow diagram of a firewall policy translation method in one embodiment;
FIG. 3 is a flow diagram of determining a target firewall policy in one embodiment;
FIG. 4 is a flow diagram of obtaining a policy to be translated in one embodiment;
FIG. 5 is a flow diagram of a firewall policy translation method in another embodiment;
FIG. 6 is a block diagram of a firewall policy translation device in one embodiment;
FIG. 7 is a block diagram of a firewall policy translation device in another embodiment;
FIG. 8 is a block diagram of a firewall policy translation device in yet another embodiment;
FIG. 9 is a block diagram of a firewall policy translation device in yet another embodiment;
FIG. 10 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
The firewall policy translation method provided by the embodiments of the application can be applied to the application environment shown in fig. 1, in which the terminal 102 communicates with the server 104 via a network. A data storage system may store the data that the server 104 needs to process, such as the first IP address and the second IP address; it may be integrated into the server 104 or located on a cloud or other network server. Specifically, when operation and maintenance personnel need to translate a firewall policy, they can enter data such as the first IP address and the second IP address in an interface provided by the operation and maintenance application configured on the terminal 102; the terminal 102 generates a policy translation request from that data, interacts with the server 104 through the network, and sends the policy translation request including the first IP address and the second IP address to the server 104. After obtaining the policy translation request sent by the terminal 102, the server 104 obtains the original firewall policy corresponding to the first IP address according to the first IP address and the second IP address included in the request, and combines the first IP address with the second IP address to generate a target firewall policy; it then carries out an openness check on the target firewall policy and, after obtaining the policy to be translated, translates it to the second IP address, thereby translating the firewall policy. Further, the server 104 may interact with the terminal 102 through the network and send the translation result to the terminal 102, so that the terminal 102 can report the firewall policy translation result to the operator.
The terminal 102 may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, internet of things devices, and portable wearable devices, where the internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart vehicle devices, and the like. The portable wearable device may be a smart watch, smart bracelet, headset, or the like. The server 104 may be implemented as a stand-alone server or as a server cluster of multiple servers.
In one embodiment, as shown in fig. 2, a firewall policy translation method is provided, and the method is applied to the server 104 in fig. 1 for illustration, and includes the following steps:
S201, in response to a policy translation request comprising a first IP address and a second IP address, acquiring the original firewall policy corresponding to the first IP address.
In this embodiment, the first IP address is the IP address corresponding to the firewall policy before translation; there may be one or more first IP addresses. The second IP address is the IP address corresponding to the firewall policy after translation. The policy translation request is the request sent by the terminal to the server to translate firewall policies. The original firewall policy is all firewall policies that include the first IP address, and may include one or more firewall policies.
Specifically, when operation and maintenance personnel need to translate a firewall policy, they can enter data such as the first IP address and the second IP address in an interface provided by the operation and maintenance application configured on the terminal; the terminal generates a policy translation request from that data, interacts with the server through the network, and sends the policy translation request including the first IP address and the second IP address to the server 104.
Further, after receiving the policy translation request, the server parses it to obtain the first IP address and the second IP address it contains. Then, according to the first IP address obtained, the firewall policy query interface can be called to query and obtain the original firewall policy corresponding to the first IP address.
Optionally, after the first IP address and the second IP address are obtained, they may be analyzed to determine whether they are in the same treatment area. If they are, the firewall policy is judged translatable between the first IP address and the second IP address, and the steps after S201 continue; if they are not, the firewall policy is judged not translatable between them, and the server sends a cannot-translate result to the terminal through interaction with the terminal, so that the terminal can report the cannot-translate condition to the operation and maintenance personnel.
Further, after determining that the first IP address and the second IP address are in the same treatment area, that is, that the firewall policy can be translated between them, it may be further determined whether both the first IP address and the second IP address exist in the base network segment. If both do, the firewall policy can be translated directly, that is, the steps after S201 continue. If they do not, a translation work order containing the information that the first IP address and the second IP address do not exist in the base network segment must be sent to the terminal through interaction with the terminal, so that the terminal passes the work order to the operation and maintenance personnel and informs them that the first IP address and the second IP address do not exist in the base network segment; the steps after S201 then continue.
Optionally, to make the subsequent firewall policy translation simpler and more accurate, if there are multiple first IP addresses, they may be combined to generate a source IP total address; further, the parent-level upper limit corresponding to each first IP address may be determined and modified according to the source IP total address, together with whether a subset query is required.
Specifically, modifying the parent-level upper limit means determining, for each first IP address, the parent-level upper limit corresponding to that first IP address and modifying it. For example, it may be determined whether the first IP address belongs to a mobile cloud PaaS or to a conventional application. If it belongs to a mobile cloud PaaS, the parent-level upper limit needs to be modified to 16; if it is a conventional application, the parent-level upper limit needs to be modified to 24. The subset query means determining, for each first IP address, whether the subset of that first IP address needs to be queried. Optionally, the policy translation request may be analyzed to determine whether it contains a subset query requirement. If it does, the subset of the first IP address needs to be queried; if it does not, no subset query is required for the first IP address. By default, no subset query is performed for any first IP address.
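The pre-checks in the last four paragraphs (same treatment area, presence in the base network segment, combining several first IP addresses under the parent-level upper limit, and the optional subset query), as an added Python example that is not the patent's own code. The zone table, the base segments, the reading of the parent-level upper limit as a prefix length (/16 for mobile cloud PaaS, /24 for conventional applications, the values given above) and the meaning given to the subset query are assumptions; the addresses are constructed.

```python
# Added example (not the patent's own code): the pre-translation checks and the
# source address aggregation described above. The zone table, base segments and
# the reading of 'parent-level upper limit' as a prefix length are assumptions.
import ipaddress

# Constructed tables: which networks form each treatment area, and the base segments.
ZONES = {"intranet": ["10.0.0.0/8"], "dmz": ["172.16.0.0/12"]}
BASE_SEGMENTS = ["10.1.0.0/16", "10.5.0.0/16", "172.16.10.0/24"]
# Parent-level upper limits from the text: /16 for mobile cloud PaaS, /24 for conventional apps.
PARENT_PREFIX_CAP = {"mobile_cloud_paas": 16, "conventional": 24}


def _contains(networks, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def zone_of(ip):
    """Treatment area an address belongs to, or None when it is in no known area."""
    for name, nets in ZONES.items():
        if _contains(nets, ip):
            return name
    return None


def precheck(first_ips, second_ip):
    """Returns (can_translate, needs_work_order): translation is refused unless all
    addresses share one area; a work order is raised when any is outside the base segments."""
    areas = {zone_of(ip) for ip in (*first_ips, second_ip)}
    if len(areas) != 1 or None in areas:
        return False, False
    needs_work_order = not all(_contains(BASE_SEGMENTS, ip) for ip in (*first_ips, second_ip))
    return True, needs_work_order


def source_total_address(first_ips, app_kind):
    """Combine the first IPs into parent networks no wider than the app kind's cap."""
    cap = PARENT_PREFIX_CAP[app_kind]
    parents = {ipaddress.ip_network(f"{ip}/{cap}", strict=False) for ip in first_ips}
    return [str(n) for n in ipaddress.collapse_addresses(parents)]


def query_scope(first_ips, app_kind, subset_query=False):
    """Addresses to hand to the policy query: the exact hosts, plus their parent networks
    when the request asks for a subset query (off by default, as in the text)."""
    scope = {f"{ip}/32" for ip in first_ips}
    if subset_query:
        scope.update(source_total_address(first_ips, app_kind))
    return sorted(scope)


if __name__ == "__main__":
    print(precheck(["10.1.1.10", "10.1.2.20"], "10.5.5.50"))
    print(source_total_address(["10.1.1.10", "10.1.2.20"], "mobile_cloud_paas"))
    print(query_scope(["10.1.1.10"], "conventional", subset_query=True))
```

The cap matters for the query scope: two conventional hosts in neighbouring /24s stay two separate parents, while the same hosts under the PaaS cap collapse into one /16, which is a much wider set of policies to pull back from the query interface.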
S202, the original firewall policy is modified according to the first IP address and the second IP address, and the target firewall policy is obtained.
In this embodiment, the target firewall policy is a firewall policy that should be achieved after the firewall policy is translated, and may include one or more firewall policies.
Specifically, after the original firewall policy is obtained, it can be cleaned in combination with preset business logic and the firewall management baseline, so that repeated and erroneous firewall policies are removed; the cleaned original firewall policy is then modified according to the first IP address and the second IP address to obtain the target firewall policy.
S203, carrying out an openness check on the target firewall policy according to the second IP address to obtain the policy to be translated.
In this embodiment, the openness check is a check of whether a firewall policy in the target firewall policy has already been opened (is already in place). The policy to be translated is the firewall policy that fails the openness check, and may include one or more firewall policies.
Specifically, after the target firewall policy is obtained, the openness check can be carried out on it according to preset check logic to determine whether each firewall policy in the target firewall policy has been opened; the firewall policies in the target firewall policy that have not been opened are then taken as the policy to be translated.
S204, translating the policy to be translated to the second IP address.
Specifically, after the policy to be translated is obtained, its policies can be translated to the second IP address one by one in a preset translation mode, so as to translate the firewall policy from the first IP address to the second IP address.
According to the firewall policy translation method above, once the policy translation request is obtained, the original firewall policy corresponding to the first IP address is modified according to the first IP address and the second IP address, so that the target firewall policy is obtained and the process of obtaining it is simplified; then, by introducing an openness check on the target firewall policy, the policy to be translated that is obtained is more accurate, and translating the policy to be translated to the second IP address allows firewall policies to be translated between different IP addresses efficiently and reliably.
In an embodiment, based on the foregoing embodiment, as shown in fig. 3, S202 may be further refined into the following steps:
S301, determining the policy translation scenario according to the first IP address and the second IP address.
In this embodiment, the policy translation scenario is the scenario in which the firewall policy translation is performed, and may include, but is not limited to, intranet translation, DMZ (Demilitarized Zone) translation, other translations, and the like.
Specifically, after the first IP address and the second IP address are obtained, they are analyzed to determine the areas in which they are located, and the policy translation scenario is determined from those areas. Optionally, if both the first IP address and the second IP address are located in an intranet area, the policy translation scenario is intranet translation; if both are located in a DMZ area, the policy translation scenario is DMZ translation; if the area of the first IP address and the area of the second IP address are any other combination of intranet area, DMZ area or other areas, the policy translation scenario is determined to be other translations.
S302, updating the original firewall policy according to the policy translation scenario to obtain the updated original firewall policy.
Specifically, after the policy translation scenario is determined, the firewall policies in the original firewall policy that correspond to the scenario can be identified; those policies and the remaining firewall policies are then updated separately according to preset update logic, giving the updated original firewall policy.
Optionally, to make the updated original firewall policy simpler and more accurate, one implementation is that, after the policy translation scenario is determined, a standby firewall policy is extracted from the original firewall policy according to the scenario, and the standby firewall policy is cleaned to obtain the updated original firewall policy.
Specifically, after the policy translation scenario is determined, the firewall policies not associated with the scenario are extracted from the original firewall policy as the standby firewall policy. For example, if the policy translation scenario is intranet translation, all intranet firewall policies and the egress-direction firewall policies of the DMZ are deleted, and the firewall policies not associated with the intranet translation scenario are extracted as the standby firewall policy; if the policy translation scenario is DMZ translation, all DMZ firewall policies and the egress-direction firewall policies of the intranet are deleted, and the firewall policies not associated with the DMZ translation scenario are extracted as the standby firewall policy; if the policy translation scenario is other translations, no extraction is needed and the original firewall policy is used as the standby firewall policy.
Further, after the standby firewall policy is determined, the complete firewall policy table is cleaned in combination with the preset business logic and the firewall management baseline: useless firewall policies in the original firewall policy (such as expired firewall policies and disaster-recovery firewall policies) are deleted, and repeated firewall policies (policies whose source address, destination address, protocol, port, timestamp and long-connection setting all match) are removed. The updated original firewall policy is thus obtained.
It can be understood that, because the standby firewall policy extracted from the original firewall policy according to the policy translation scenario is cleaned, the updated original firewall policy obtained is simpler and more accurate, which makes the subsequent firewall policy translation faster and saves the time it requires.
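Scenario-based extraction of the standby firewall policy followed by the cleaning step, as an added Python example that is not the patent's own code. It tags each policy with a zone and a direction so that the deletion rules above can be applied literally, and uses an expiry date and a disaster-recovery flag for the "useless" policies; those tags, the six-field repeat key and the sample policies are constructed assumptions.

```python
# Added example (not the patent's own code): scenario-based extraction of the
# standby policy followed by cleaning. The 'zone'/'direction' tags, the expiry
# and disaster-recovery fields and the sample data are assumptions.
from datetime import date

TODAY = date(2024, 1, 1)  # constructed reference date for the expiry check


def mk(pid, zone, direction, port, **extra):
    """Build a constructed sample policy with sensible defaults."""
    p = {"id": pid, "zone": zone, "direction": direction, "src": "10.1.1.10",
         "dst": "10.2.2.20", "proto": "tcp", "port": port, "timestamp": "2023-01-01",
         "long_connection": False, "expires": None, "disaster_recovery": False}
    p.update(extra)
    return p


# Constructed original firewall policy table.
SAMPLE_POLICIES = [
    mk("P1", "intranet", "in", 443),
    mk("P2", "intranet", "out", 22),
    mk("P3", "dmz", "out", 80),
    mk("P4", "dmz", "in", 8443),
    mk("P5", "dmz", "in", 8443),                             # exact repeat of P4 on the six fields
    mk("P6", "dmz", "in", 9000, expires=date(2023, 6, 30)),  # expired policy
    mk("P7", "other", "in", 5432, disaster_recovery=True),   # disaster-recovery policy
]


def extract_standby(policies, scenario):
    """S302 extraction: drop the policies the scenario does not need, following the
    deletion rules in the text; 'other' keeps the whole original policy."""
    if scenario == "intranet":
        drop = lambda p: p["zone"] == "intranet" or (p["zone"] == "dmz" and p["direction"] == "out")
    elif scenario == "dmz":
        drop = lambda p: p["zone"] == "dmz" or (p["zone"] == "intranet" and p["direction"] == "out")
    else:
        return list(policies)
    return [p for p in policies if not drop(p)]


def clean(policies, today=TODAY):
    """Remove expired and disaster-recovery policies, then exact repeats on
    (src, dst, proto, port, timestamp, long_connection)."""
    seen, kept = set(), []
    for p in policies:
        if p["expires"] is not None and p["expires"] < today:
            continue
        if p["disaster_recovery"]:
            continue
        key = (p["src"], p["dst"], p["proto"], p["port"], p["timestamp"], p["long_connection"])
        if key in seen:
            continue
        seen.add(key)
        kept.append(p)
    return kept


def update_original(policies, scenario, today=TODAY):
    """Extraction followed by cleaning: the 'updated original firewall policy'."""
    return clean(extract_standby(policies, scenario), today)


def run_example(scenario):
    """Ids of the policies that survive for a given scenario on the sample table."""
    return [p["id"] for p in update_original(SAMPLE_POLICIES, scenario)]


if __name__ == "__main__":
    for scenario in ("intranet", "dmz", "other"):
        print(scenario, "->", run_example(scenario))
```

Extraction runs before cleaning, so the repeat, expiry and disaster-recovery filters only touch the policies the scenario actually keeps; on the sample table the intranet scenario reduces seven policies to one and the DMZ scenario to a different one.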
S303, replacing the first IP address contained in the updated original firewall policy by adopting the second IP address to obtain the target firewall policy.
Specifically, after the updated original firewall policy is obtained, all the first IP addresses contained in the updated original firewall policy can be found, and all the first IP addresses are replaced by the second IP addresses, so that the target firewall policy containing the second IP addresses can be obtained.
It can be understood that by determining the policy translation scene and updating the original firewall policy according to the policy translation scene, the obtained updated original firewall policy can be more accurate and simplified; and then the first IP address in the updated original firewall policy is replaced by the second IP address, so that a target firewall policy is obtained, the accuracy of the obtained target firewall policy is ensured, and the reliability and the effectiveness of translation of the subsequent firewall policy can be further ensured.
To make the determined policy to be translated simpler and more accurate, in an embodiment, as shown in fig. 4, S203 may be further refined into the following steps:
S401, obtaining the reference firewall policy corresponding to the second IP address.
In this embodiment, the reference firewall policy is all firewall policies that include the second IP address, and may include one or more firewall policies.
Specifically, the reference firewall policy corresponding to the second IP address may be queried and obtained by calling the firewall policy query interface with the second IP address.
S402, carrying out the openness check on the target firewall policy according to the reference firewall policy.
Specifically, after the reference firewall policy is obtained, the firewall policies contained in the target firewall policy are checked one by one based on a preset check logic according to the reference firewall policy, whether each firewall policy contained in the target firewall policy exists in the reference firewall policy or not is determined, and then the openness check result of the target firewall policy is determined. For each firewall policy in the target firewall policy, if the firewall policy is determined to exist in the reference firewall policy, judging that the firewall policy passes the openness check, namely, the openness check result is passed; if the firewall policy is determined not to exist in the reference firewall policy, judging that the firewall policy fails the openness check, namely, the openness check result is failed.
Alternatively, after the reference firewall policy is obtained, the reference firewall policy may be compared with the target firewall policy; and determining the opening verification result of the target firewall policy according to the comparison result. Specifically, after the reference firewall policy is obtained, for each firewall policy in the target firewall policies, the firewall policy and the reference firewall policy can be compared, and whether the firewall policy is consistent with the reference firewall policy or not is determined, so that a comparison result is obtained; further, according to the comparison result, determining the opening verification result of the firewall policy. For example, if the comparison result of a certain firewall policy in the target firewall policy and the reference firewall policy is consistent, determining that the result of the openness verification of the firewall policy is passed; if the comparison result of a certain firewall policy in the target firewall policy and the reference firewall policy is inconsistent, determining that the opening verification result of the firewall policy is failed.
It can be understood that by comparing the reference firewall policy with the target firewall policy, the openness verification result of the target firewall policy can be rapidly and accurately determined according to the comparison result, so that the policy to be translated can be rapidly generated, and the efficiency of translating the firewall policy can be improved.
S403, taking the firewall policy which is not passed by the result of the opening verification in the target firewall policy as the policy to be translated.
Specifically, for a firewall policy that is not checked by the result of the openness check in the target firewall policy, the firewall policy may be used as a policy to be translated, so that the firewall policy translation from the first IP address to the second IP address is implemented subsequently.
It can be understood that by introducing the reference firewall policy corresponding to the second IP address, performing the openness check on the target firewall policy, and screening out the firewall policy that does not pass the openness check as the policy to be translated, repeated translation steps of the firewall policy can be reduced, so that translation of the firewall policy is quickly realized, and the required time is saved.
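As an added illustration of S401-S403 (this is example code written for this page, not code from the patent, which discloses no implementation), the following Python models the IP substitution of S203/S505 and the openness check. The Policy class, the policy numbers and addresses, and the coverage rule in is_open are this example's own assumptions: the patent only requires that a target policy "exists in" or is "consistent with" the reference policy, and exact equality is the special case of the subset rule used here, which also treats a wider reference address list as already covering the target.

```python
"""Openness check: which translated policies are already open for the second IP?"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Policy:
    """One firewall policy line. Address fields are sets because a single
    policy (notably on a hard wall) may list several hosts."""
    policy_id: str
    src: FrozenSet[str]
    dst: FrozenSet[str]
    proto: str
    port: str
    action: str = "permit"


def replace_ip(policies: List[Policy], first_ip: str, second_ip: str) -> List[Policy]:
    """S505 / S203: substitute second_ip for first_ip wherever it appears
    in the source or destination of the (updated) original policies."""
    def swap(addrs: FrozenSet[str]) -> FrozenSet[str]:
        return frozenset(second_ip if a == first_ip else a for a in addrs)
    return [Policy(p.policy_id, swap(p.src), swap(p.dst), p.proto, p.port, p.action)
            for p in policies]


def is_open(target: Policy, reference: List[Policy]) -> bool:
    """A target policy passes the openness check when some reference policy
    already permits the same traffic: same service and action, and the
    reference's address sets cover the target's (subset test; exact equality
    is the special case where the sets are equal). Assumption of this example."""
    return any(
        target.src <= r.src
        and target.dst <= r.dst
        and target.proto == r.proto
        and target.port == r.port
        and target.action == r.action
        for r in reference
    )


def openness_check(target: List[Policy], reference: List[Policy]) -> Dict[str, bool]:
    """S402 / S507-S508: per-policy check result, keyed by policy number."""
    return {t.policy_id: is_open(t, reference) for t in target}


def policies_to_translate(target: List[Policy], reference: List[Policy]) -> List[Policy]:
    """S403 / S509: keep only the policies that failed the openness check."""
    return [t for t in target if not is_open(t, reference)]


# Constructed sample data (hypothetical addresses and policy numbers, not from the patent).
FIRST_IP, SECOND_IP = "10.0.1.10", "10.0.2.20"

# Updated original policies that reference the first IP (result of S502-S504).
ORIGINAL = [
    Policy("P1", frozenset({FIRST_IP}), frozenset({"10.0.9.5"}), "tcp", "443"),
    Policy("P2", frozenset({FIRST_IP}), frozenset({"10.0.9.6"}), "tcp", "3306"),
    Policy("P3", frozenset({"10.0.9.7"}), frozenset({FIRST_IP}), "tcp", "22"),
]

# Reference policies already present for the second IP (S401 / S506).
REFERENCE = [
    # Covers P1 once translated: wider source set, same service.
    Policy("R1", frozenset({SECOND_IP, "10.0.2.21"}), frozenset({"10.0.9.5"}), "tcp", "443"),
    # Looks like P2 but a different port, so P2 is NOT yet open.
    Policy("R2", frozenset({SECOND_IP}), frozenset({"10.0.9.6"}), "tcp", "3307"),
]

# Target firewall policy (S505): the first IP replaced by the second IP.
TARGET = replace_ip(ORIGINAL, FIRST_IP, SECOND_IP)

if __name__ == "__main__":
    for pid, passed in openness_check(TARGET, REFERENCE).items():
        print(f"{pid}: {'passed' if passed else 'failed'}")
    print("to translate:", [p.policy_id for p in policies_to_translate(TARGET, REFERENCE)])
```

With the constructed data, P1 passes (R1 already opens 10.0.2.20 to 10.0.9.5:443), while P2 (port differs) and P3 (no reference policy at all) fail and become the policy to be translated; a near-miss such as R2 is exactly the case a naive "same destination" comparison would wrongly treat as already open.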
Optionally, in order to ensure that firewall policy translation is performed efficiently and accurately, in one embodiment the policy to be translated may be translated to the second IP address according to the firewall type of the policy to be translated.
The firewall types may include a soft wall type and a hard wall type. A soft wall is a firewall whose firewall function is implemented by a software system; a hard wall is a firewall whose firewall function is executed by dedicated hardware, with the firewall program running in a chip.
Specifically, after the policy to be translated is obtained, it can be parsed to determine its firewall type, the corresponding translation mode is determined according to that firewall type, and the policy to be translated is translated to the second IP address in that mode.
For example, if the firewall type is a soft wall, the policy to be translated is added to the reference firewall policy corresponding to the second IP address. Specifically, after the policy to be translated is parsed, if its firewall type is determined to be a soft wall, the policy to be translated can be added directly to the reference firewall policy corresponding to the second IP address, thereby completing translation of the firewall policy.
Optionally, if the firewall type is a hard wall, the firewall policy corresponding to the policy to be translated may be obtained from the reference firewall policy, and the second IP address added to the obtained firewall policy. Specifically, after the firewall type of the policy to be translated is determined to be a hard wall, the policy number corresponding to the policy to be translated is obtained; the firewall policy with that policy number is found in the reference firewall policy corresponding to the second IP address; and that firewall policy is modified according to the policy to be translated (for example, the second IP address is added to the original address field of the firewall policy with that policy number), so that the firewall policy with that policy number satisfies the policy to be translated, thereby completing translation of the firewall policy. Because this mode widens an existing policy rather than adding a new one, the matched policy should carry the same service and action as the policy to be translated before the second IP address is added to it; otherwise an unrelated rule would be widened.
It can be understood that, by determining the translation mode according to the firewall type of the policy to be translated and then translating the firewall policy in that mode, consistency of the firewall policy before and after translation is ensured, and firewall policy translation is completed efficiently and accurately.
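As an added illustration of the type-dependent translation (S510-S512), again example code for this page rather than the patent's own, the following Python applies the soft-wall and hard-wall modes to policies that have already failed the openness check. The Policy and ReferencePolicySet classes, the policy numbers and addresses, and the service/action guard before widening a hard-wall policy are this example's assumptions; the patent only states that the policy with the matching policy number is found and the second IP address added to it.

```python
"""Translate a policy to the second IP according to firewall type (soft vs hard wall)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Policy:
    policy_id: str
    src: Set[str]
    dst: Set[str]
    proto: str
    port: str
    action: str = "permit"


@dataclass
class ReferencePolicySet:
    """The reference firewall policy for the second IP, together with the
    type of the firewall that holds it ("soft" or "hard")."""
    fw_type: str
    policies: List[Policy] = field(default_factory=list)

    def find(self, policy_id: str) -> Optional[Policy]:
        return next((p for p in self.policies if p.policy_id == policy_id), None)


def translate(policy: Policy, second_ip: str, ref: ReferencePolicySet) -> Policy:
    """S510-S512. `policy` is a policy to be translated: it already carries
    second_ip in place of the first IP (S505) and failed the openness check
    (S509). Returns the policy that is now present in `ref`."""
    if ref.fw_type == "soft":
        # S511: a software firewall simply takes a new policy line (copied so
        # later edits to the reference do not alias the request object).
        added = Policy(policy.policy_id, set(policy.src), set(policy.dst),
                       policy.proto, policy.port, policy.action)
        ref.policies.append(added)
        return added

    if ref.fw_type == "hard":
        # S512: locate the existing policy by policy number and widen it.
        existing = ref.find(policy.policy_id)
        if existing is None:
            raise LookupError(f"hard wall has no policy numbered {policy.policy_id}")
        # Guard (this example's assumption, not stated by the patent): refuse to
        # widen a rule whose service or action differs, since that would open
        # traffic the translation request never asked for.
        if (existing.proto, existing.port, existing.action) != (policy.proto, policy.port, policy.action):
            raise ValueError(f"policy {policy.policy_id}: service/action mismatch, not widening")
        # Add the second IP on whichever side(s) the translated policy uses it.
        if second_ip in policy.src:
            existing.src.add(second_ip)
        if second_ip in policy.dst:
            existing.dst.add(second_ip)
        return existing

    raise ValueError(f"unknown firewall type {ref.fw_type!r}")


def translate_all(policies: List[Policy], second_ip: str, ref: ReferencePolicySet) -> List[Policy]:
    return [translate(p, second_ip, ref) for p in policies]


# Constructed sample data (hypothetical addresses and policy numbers, not from the patent).
SECOND_IP = "10.0.2.20"
TO_TRANSLATE = [
    Policy("P2", {SECOND_IP}, {"10.0.9.6"}, "tcp", "3306"),
    Policy("P3", {"10.0.9.7"}, {SECOND_IP}, "tcp", "22"),
]


def demo_soft() -> ReferencePolicySet:
    """Soft wall: both policies are appended as new lines."""
    ref = ReferencePolicySet("soft", [Policy("R1", {SECOND_IP}, {"10.0.9.5"}, "tcp", "443")])
    translate_all(TO_TRANSLATE, SECOND_IP, ref)
    return ref


def demo_hard() -> ReferencePolicySet:
    """Hard wall: the policy numbers already exist for another host and are widened."""
    ref = ReferencePolicySet("hard", [
        Policy("P2", {"10.0.2.21"}, {"10.0.9.6"}, "tcp", "3306"),
        Policy("P3", {"10.0.9.7"}, {"10.0.2.21"}, "tcp", "22"),
    ])
    translate_all(TO_TRANSLATE, SECOND_IP, ref)
    return ref


if __name__ == "__main__":
    print("soft wall:", [(p.policy_id, sorted(p.src), sorted(p.dst)) for p in demo_soft().policies])
    print("hard wall:", [(p.policy_id, sorted(p.src), sorted(p.dst)) for p in demo_hard().policies])
```

On the soft wall the reference set grows from one policy to three; on the hard wall it keeps its two policy numbers but P2 gains 10.0.2.20 as a source and P3 gains it as a destination. A hard-wall policy whose number matches but whose port differs is rejected rather than widened.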
In one embodiment, as shown in FIG. 5, a preferred example of the firewall policy translation method is provided. The specific process is as follows:
S501, in response to a policy translation request comprising a first IP address and a second IP address, obtaining an original firewall policy corresponding to the first IP address.
S502, determining a policy translation scenario according to the first IP address and the second IP address.
S503, extracting a standby firewall policy from the original firewall policy according to the policy translation scenario.
S504, cleaning the standby firewall policy to obtain an updated original firewall policy.
S505, replacing the first IP address contained in the updated original firewall policy with the second IP address to obtain the target firewall policy.
S506, obtaining the reference firewall policy corresponding to the second IP address.
S507, comparing the reference firewall policy with the target firewall policy.
S508, determining the openness check result of the target firewall policy according to the comparison result.
S509, taking the firewall policies in the target firewall policy whose openness check result is "failed" as the policy to be translated.
S510, determining whether the firewall type of the policy to be translated is a soft wall; if yes, executing S511; if not, executing S512.
S511, adding the policy to be translated to the reference firewall policy corresponding to the second IP address.
S512, determining that the firewall type of the policy to be translated is a hard wall, obtaining the firewall policy corresponding to the policy to be translated from the reference firewall policy, and adding the second IP address to the obtained firewall policy.
For the specific process of S501-S512, reference may be made to the description of the method embodiments above; the implementation principle and technical effect are similar and are not repeated here.
It should be understood that, although the steps in the flowcharts of the above embodiments are shown in sequence as indicated by the arrows, these steps are not necessarily performed in that order. Unless explicitly stated herein, the order of execution of these steps is not strictly limited, and they may be performed in other orders. Moreover, at least some of the steps in the flowcharts of the above embodiments may include a plurality of sub-steps or stages, which are not necessarily performed at the same moment but may be performed at different moments, and whose order of execution is not necessarily sequential: they may be performed in turn or alternately with at least some of the other steps, sub-steps or stages.
Based on the same inventive concept, the embodiments of the application also provide a firewall policy translation device for implementing the firewall policy translation method described above. The implementation of the solution provided by the device is similar to that described for the method above, so for the specific limitations in the embodiments of the firewall policy translation device(s) provided below, reference may be made to the limitations of the firewall policy translation method above, which are not repeated here.
In one embodiment, as shown in fig. 6, there is provided a firewall policy translation apparatus 1, including: a policy acquisition module 10, a policy generation module 20, a policy verification module 30, and a policy translation module 40, wherein:
the policy obtaining module 10 is configured to obtain an original firewall policy corresponding to the first IP address in response to a policy translation request including the first IP address and the second IP address;
the policy generation module 20 is configured to modify the original firewall policy according to the first IP address and the second IP address, so as to obtain a target firewall policy;
the policy checking module 30 is configured to perform openness checking on the target firewall policy according to the second IP address, to obtain a policy to be translated;
The policy translation module 40 is configured to translate the policy to be translated to the second IP address.
In one embodiment, on the basis of fig. 6, as shown in fig. 7, the policy generation module 20 may include:
a scenario determining unit 21, configured to determine a policy translation scenario according to the first IP address and the second IP address;
the policy updating unit 22 is configured to update the original firewall policy according to the policy translation scenario, so as to obtain an updated original firewall policy;
the first obtaining unit 23 is configured to replace the first IP address included in the updated original firewall policy with the second IP address, so as to obtain the target firewall policy.
In one embodiment, the policy updating unit 22 may be further configured to:
extract a standby firewall policy from the original firewall policy according to the policy translation scenario; and clean the standby firewall policy to obtain an updated original firewall policy.
In one embodiment, based on the foregoing fig. 6 or fig. 7, as shown in fig. 8, the policy checking module 30 may include:
a second obtaining unit 31, configured to obtain a reference firewall policy corresponding to the second IP address;
a policy checking unit 32, configured to perform openness checking on the target firewall policy according to the reference firewall policy;
and a third obtaining unit 33, configured to take the firewall policies in the target firewall policy whose openness check result is "failed" as the policy to be translated.
In one embodiment, the policy checking unit 32 may be further configured to:
compare the reference firewall policy with the target firewall policy; and determine the openness check result of the target firewall policy according to the comparison result.
In one embodiment, based on the foregoing fig. 6, fig. 7, or fig. 8, as shown in fig. 9, the policy translation module 40 may include:
the policy translation unit 41, configured to translate the policy to be translated to the second IP address according to the firewall type of the policy to be translated.
In one embodiment, the policy translation unit 41 may be further configured to:
if the firewall type is a soft wall, add the policy to be translated to the reference firewall policy corresponding to the second IP address; and if the firewall type is a hard wall, obtain the firewall policy corresponding to the policy to be translated from the reference firewall policy and add the second IP address to the obtained firewall policy.
The above-mentioned firewall policy translation device may be implemented in whole or in part by software, hardware, or a combination thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a server, and the internal structure of which may be as shown in fig. 10. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is used for storing data such as a first IP address, a second IP address and the like. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program when executed by a processor implements a firewall policy translation method.
It will be appreciated by those skilled in the art that the structure shown in fig. 10 is merely a block diagram of some of the structures associated with the present application and is not limiting of the computer device to which the present application may be applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory storing a computer program, and the processor implementing the following steps when executing the computer program:
in response to a policy translation request comprising a first IP address and a second IP address, obtaining an original firewall policy corresponding to the first IP address;
modifying the original firewall policy according to the first IP address and the second IP address to obtain a target firewall policy;
performing an openness check on the target firewall policy according to the second IP address to obtain a policy to be translated;
and translating the policy to be translated to the second IP address.
In one embodiment, when the processor executes the computer program to implement the logic of modifying the original firewall policy according to the first IP address and the second IP address to obtain the target firewall policy, the following steps are further implemented:
determining a policy translation scenario according to the first IP address and the second IP address; updating the original firewall policy according to the policy translation scenario to obtain an updated original firewall policy; and replacing the first IP address contained in the updated original firewall policy with the second IP address to obtain the target firewall policy.
In one embodiment, when the processor executes the computer program to implement the logic of updating the original firewall policy according to the policy translation scenario to obtain the updated original firewall policy, the following steps are further implemented:
extracting a standby firewall policy from the original firewall policy according to the policy translation scenario; and cleaning the standby firewall policy to obtain an updated original firewall policy.
In one embodiment, when the processor executes the computer program to implement the logic of performing an openness check on the target firewall policy according to the second IP address to obtain the policy to be translated, the following steps are further implemented:
obtaining a reference firewall policy corresponding to the second IP address; performing an openness check on the target firewall policy according to the reference firewall policy; and taking the firewall policies in the target firewall policy whose openness check result is "failed" as the policy to be translated.
In one embodiment, when the processor executes the computer program to implement the logic of performing an openness check on the target firewall policy according to the reference firewall policy, the following steps are further implemented:
comparing the reference firewall policy with the target firewall policy; and determining the openness check result of the target firewall policy according to the comparison result.
In one embodiment, when the processor executes the computer program to implement the logic of translating the policy to be translated to the second IP address, the following steps are further implemented:
translating the policy to be translated to the second IP address according to the firewall type of the policy to be translated.
In one embodiment, when the processor executes the computer program to implement the logic of translating the policy to be translated to the second IP address according to the firewall type of the policy to be translated, the following steps are further implemented:
if the firewall type is a soft wall, adding the policy to be translated to the reference firewall policy corresponding to the second IP address; and if the firewall type is a hard wall, obtaining the firewall policy corresponding to the policy to be translated from the reference firewall policy and adding the second IP address to the obtained firewall policy.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored, the computer program implementing the following steps when executed by a processor:
in response to a policy translation request comprising a first IP address and a second IP address, obtaining an original firewall policy corresponding to the first IP address;
modifying the original firewall policy according to the first IP address and the second IP address to obtain a target firewall policy;
performing an openness check on the target firewall policy according to the second IP address to obtain a policy to be translated;
and translating the policy to be translated to the second IP address.
In one embodiment, when the logic of the computer program for modifying the original firewall policy according to the first IP address and the second IP address to obtain the target firewall policy is executed by the processor, the following steps are further implemented:
determining a policy translation scenario according to the first IP address and the second IP address; updating the original firewall policy according to the policy translation scenario to obtain an updated original firewall policy; and replacing the first IP address contained in the updated original firewall policy with the second IP address to obtain the target firewall policy.
In one embodiment, when the logic of the computer program for updating the original firewall policy according to the policy translation scenario to obtain the updated original firewall policy is executed by the processor, the following steps are further implemented:
extracting a standby firewall policy from the original firewall policy according to the policy translation scenario; and cleaning the standby firewall policy to obtain an updated original firewall policy.
In one embodiment, when the logic of the computer program for performing an openness check on the target firewall policy according to the second IP address to obtain the policy to be translated is executed by the processor, the following steps are further implemented:
obtaining a reference firewall policy corresponding to the second IP address; performing an openness check on the target firewall policy according to the reference firewall policy; and taking the firewall policies in the target firewall policy whose openness check result is "failed" as the policy to be translated.
In one embodiment, when the logic of the computer program for performing an openness check on the target firewall policy according to the reference firewall policy is executed by the processor, the following steps are further implemented:
comparing the reference firewall policy with the target firewall policy; and determining the openness check result of the target firewall policy according to the comparison result.
In one embodiment, when the logic of the computer program for translating the policy to be translated to the second IP address is executed by the processor, the following steps are further implemented:
translating the policy to be translated to the second IP address according to the firewall type of the policy to be translated.
In one embodiment, when the logic of the computer program for translating the policy to be translated to the second IP address according to the firewall type of the policy to be translated is executed by the processor, the following steps are further implemented:
if the firewall type is a soft wall, adding the policy to be translated to the reference firewall policy corresponding to the second IP address; and if the firewall type is a hard wall, obtaining the firewall policy corresponding to the policy to be translated from the reference firewall policy and adding the second IP address to the obtained firewall policy.
In one embodiment, a computer program product is provided, comprising a computer program which implements the following steps when executed by a processor:
in response to a policy translation request comprising a first IP address and a second IP address, obtaining an original firewall policy corresponding to the first IP address;
modifying the original firewall policy according to the first IP address and the second IP address to obtain a target firewall policy;
performing an openness check on the target firewall policy according to the second IP address to obtain a policy to be translated;
and translating the policy to be translated to the second IP address.
In one embodiment, when the logic of the computer program for modifying the original firewall policy according to the first IP address and the second IP address to obtain the target firewall policy is executed by the processor, the following steps are further implemented:
determining a policy translation scenario according to the first IP address and the second IP address; updating the original firewall policy according to the policy translation scenario to obtain an updated original firewall policy; and replacing the first IP address contained in the updated original firewall policy with the second IP address to obtain the target firewall policy.
In one embodiment, when the logic of the computer program for updating the original firewall policy according to the policy translation scenario to obtain the updated original firewall policy is executed by the processor, the following steps are further implemented:
extracting a standby firewall policy from the original firewall policy according to the policy translation scenario; and cleaning the standby firewall policy to obtain an updated original firewall policy.
In one embodiment, when the logic of the computer program for performing an openness check on the target firewall policy according to the second IP address to obtain the policy to be translated is executed by the processor, the following steps are further implemented:
obtaining a reference firewall policy corresponding to the second IP address; performing an openness check on the target firewall policy according to the reference firewall policy; and taking the firewall policies in the target firewall policy whose openness check result is "failed" as the policy to be translated.
In one embodiment, when the logic of the computer program for performing an openness check on the target firewall policy according to the reference firewall policy is executed by the processor, the following steps are further implemented:
comparing the reference firewall policy with the target firewall policy; and determining the openness check result of the target firewall policy according to the comparison result.
In one embodiment, when the logic of the computer program for translating the policy to be translated to the second IP address is executed by the processor, the following steps are further implemented:
translating the policy to be translated to the second IP address according to the firewall type of the policy to be translated.
In one embodiment, when the logic of the computer program for translating the policy to be translated to the second IP address according to the firewall type of the policy to be translated is executed by the processor, the following steps are further implemented:
if the firewall type is a soft wall, adding the policy to be translated to the reference firewall policy corresponding to the second IP address; and if the firewall type is a hard wall, obtaining the firewall policy corresponding to the policy to be translated from the reference firewall policy and adding the second IP address to the obtained firewall policy.
The data (including the data of the first IP address, the second IP address, etc.) referred to in the present application are information and data that are authorized or sufficiently authorized by each party.
Those skilled in the art will appreciate that all or part of the above methods may be implemented by a computer program stored on a non-transitory computer-readable storage medium which, when executed, may include the steps of the method embodiments described above. Any reference to memory, a database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory may include random access memory (RAM), external cache memory, and the like. By way of illustration and not limitation, RAM may take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of relational and non-relational databases; a non-relational database may include, but is not limited to, a blockchain-based distributed database. The processors referred to in the embodiments provided herein may be, without limitation, general-purpose processors, central processing units, graphics processors, digital signal processors, programmable logic units, quantum-computing-based data processing logic units, and the like.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples only represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the present application. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application shall be subject to the appended claims.

Claims (11)

1. A firewall policy translation method, the method comprising:
in response to a policy translation request comprising a first IP address and a second IP address, obtaining an original firewall policy corresponding to the first IP address;
modifying the original firewall policy according to the first IP address and the second IP address to obtain a target firewall policy;
performing an openness check on the target firewall policy according to the second IP address to obtain a policy to be translated;
and translating the policy to be translated to the second IP address.
2. The method of claim 1, wherein modifying the original firewall policy according to the first IP address and the second IP address to obtain a target firewall policy comprises:
determining a policy translation scenario according to the first IP address and the second IP address;
updating the original firewall policy according to the policy translation scenario to obtain an updated original firewall policy;
and replacing the first IP address contained in the updated original firewall policy with the second IP address to obtain the target firewall policy.
3. The method of claim 2, wherein updating the original firewall policy according to the policy translation scenario to obtain an updated original firewall policy comprises:
extracting a standby firewall policy from the original firewall policy according to the policy translation scenario;
and cleaning the standby firewall policy to obtain the updated original firewall policy.
4. The method of claim 1, wherein performing an openness check on the target firewall policy according to the second IP address to obtain a policy to be translated comprises:
obtaining a reference firewall policy corresponding to the second IP address;
performing an openness check on the target firewall policy according to the reference firewall policy;
and taking the firewall policies in the target firewall policy whose openness check result is "failed" as the policy to be translated.
5. The method of claim 4, wherein performing an openness check on the target firewall policy according to the reference firewall policy comprises:
comparing the reference firewall policy with the target firewall policy;
and determining the openness check result of the target firewall policy according to the comparison result.
6. The method of claim 1, wherein translating the policy to be translated to the second IP address comprises:
translating the policy to be translated to the second IP address according to the firewall type of the policy to be translated.
7. The method of claim 6, wherein translating the policy to be translated to the second IP address according to the firewall type of the policy to be translated comprises:
if the firewall type is a soft wall, adding the policy to be translated to the reference firewall policy corresponding to the second IP address;
and if the firewall type is a hard wall, obtaining the firewall policy corresponding to the policy to be translated from the reference firewall policy and adding the second IP address to the obtained firewall policy.
8. A firewall policy translation apparatus, the apparatus comprising:
a policy acquisition module, configured to obtain, in response to a policy translation request comprising a first IP address and a second IP address, an original firewall policy corresponding to the first IP address;
a policy generation module, configured to modify the original firewall policy according to the first IP address and the second IP address to obtain a target firewall policy;
a policy checking module, configured to perform an openness check on the target firewall policy according to the second IP address to obtain a policy to be translated;
and a policy translation module, configured to translate the policy to be translated to the second IP address.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any one of claims 1 to 7.
10. A computer readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method of any one of claims 1 to 7.
11. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method of any one of claims 1 to 7.
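The method claims above describe one procedure: acquire the rules that apply to the first IP address, rewrite them for the second IP address, check which of the rewritten rules are already open on the reference policy, and translate only the remainder, appending whole rules on a soft wall and appending the address to an existing rule on a hard wall. The following Python is an added worked example of that flow; it is not the patent's or the applicant's code. The `Rule` model, the interpretation of "soft wall" as a rule-per-address host firewall and "hard wall" as an appliance whose rules carry address sets, the fallback to a new rule when a hard wall has no counterpart rule, and all sample addresses are assumptions made for the illustration.

```python
"""Worked example of the claimed firewall policy translation flow (constructed illustration)."""
from dataclasses import dataclass, replace
from typing import List, Tuple

SOFT_WALL = "soft"  # assumption: host firewall, one rule per source address, rules are appended
HARD_WALL = "hard"  # assumption: network appliance, rules carry address sets, addresses are appended


@dataclass(frozen=True)
class Rule:
    """Minimal firewall rule model (assumed for the example, not the patent's data structure)."""
    name: str
    sources: frozenset        # source IP addresses the rule matches
    destination: str
    port: int
    proto: str = "tcp"
    action: str = "permit"

    def service_key(self) -> Tuple[str, int, str, str]:
        # Everything except the source addresses: this is what the openness verification compares.
        return (self.destination, self.port, self.proto, self.action)


def acquire_original_policy(reference: List[Rule], first_ip: str) -> List[Rule]:
    """Claim 1 step 1: the rules that currently apply to the first IP address."""
    return [r for r in reference if first_ip in r.sources]


def build_target_policy(original: List[Rule], second_ip: str) -> List[Rule]:
    """Claim 1 step 2: rewrite each original rule so that it names the second IP address."""
    return [replace(r, sources=frozenset({second_ip})) for r in original]


def openness_verification(target: List[Rule], reference: List[Rule], second_ip: str) -> List[Rule]:
    """Claims 4 and 5: compare target against reference; keep rules not already open for second_ip."""
    already_open = {r.service_key() for r in reference if second_ip in r.sources}
    return [t for t in target if t.service_key() not in already_open]


def translate(to_translate: List[Rule], reference: List[Rule],
              first_ip: str, second_ip: str, fw_type: str) -> List[Rule]:
    """Claims 6 and 7: apply the translation by firewall type; returns the updated reference policy."""
    updated = list(reference)
    for t in to_translate:
        if fw_type == SOFT_WALL:
            # Soft wall: add the policy to be translated as a new rule for the second IP address.
            updated.append(replace(t, name=f"{t.name}-translated"))
        elif fw_type == HARD_WALL:
            # Hard wall: find the counterpart rule (same service, matching the first IP address)
            # and add the second IP address to it instead of creating a new rule.
            idx = next((i for i, r in enumerate(updated)
                        if first_ip in r.sources and r.service_key() == t.service_key()), None)
            if idx is None:
                updated.append(t)  # assumption: no counterpart rule, fall back to a new rule
            else:
                updated[idx] = replace(updated[idx], sources=updated[idx].sources | {second_ip})
        else:
            raise ValueError(f"unknown firewall type: {fw_type!r}")
    return updated


def translate_policy(reference: List[Rule], first_ip: str, second_ip: str,
                     fw_type: str) -> Tuple[List[Rule], List[Rule]]:
    """Full claimed flow; returns (policies that needed translation, updated reference policy)."""
    original = acquire_original_policy(reference, first_ip)
    target = build_target_policy(original, second_ip)
    to_translate = openness_verification(target, reference, second_ip)
    return to_translate, translate(to_translate, reference, first_ip, second_ip, fw_type)


# Constructed sample reference policy: 10.0.1.10 is the first (old) address, 10.0.1.20 the second.
# The 443 rule is already open for 10.0.1.20, so only the 3306 rule should be translated.
REFERENCE = [
    Rule("db-access", frozenset({"10.0.1.10"}), "10.0.2.5", 3306),
    Rule("api-access", frozenset({"10.0.1.10", "10.0.1.20"}), "10.0.2.6", 443),
    Rule("ntp", frozenset({"10.0.3.1"}), "10.0.2.7", 123, "udp"),
]

if __name__ == "__main__":
    for fw_type in (SOFT_WALL, HARD_WALL):
        pending, updated = translate_policy(REFERENCE, "10.0.1.10", "10.0.1.20", fw_type)
        print(fw_type, "to translate:", [r.name for r in pending])
        for r in updated:
            print("  ", r.name, sorted(r.sources), r.destination, r.port, r.proto)
```

Running the flow a second time against the updated policy yields nothing to translate, which is the property the openness verification step buys: a repeated or duplicated translation request does not keep appending rules.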
Priority Applications (1)

Application Number Priority Date Filing Date Title Status
CN202310667695.8A CN116566720A (en) 2023-06-07 2023-06-07 Firewall policy translation method, device, computer equipment and storage medium Pending

Publications (1)

Publication Number Publication Date
CN116566720A true CN116566720A (en) 2023-08-08

Family

ID=87491620



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination