CN116582307A - Firewall configuration method and device - Google Patents

Firewall configuration method and device Download PDF

Info

Publication number
CN116582307A
Authority
CN
China
Prior art keywords
src
dst
configuration
zone
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310448244.5A
Other languages
Chinese (zh)
Inventor
郭翔
王玥
林迅
邵豪杰
陈桂权
柯然
朱曌巍
张楠
龚驰
赵铖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial Securities Co ltd
Original Assignee
Industrial Securities Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/50 Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]


Abstract

In order to deploy firewall policies automatically, efficiently and accurately, the inventors propose a firewall configuration method comprising the following steps: based on network topology data, performing path analysis from IP_SRC to IP_DST and determining the target devices to be configured and the configuration requirements of those target devices; and comparing the configuration requirement of a target device against the security policies already configured on it, thereby determining the three key elements: the position LINE, the ingress security zone ZONE_FROM and the egress security zone ZONE_TO. The inventors also propose a device that implements the method. The invention provides a more accurate configuration element analysis method: the interfaces, policy routes, NAT, security zones and other factors that affect firewall configuration elements are analysed by flow simulation, and the existing policies are subjected to correlation analysis, which improves the effectiveness of firewall policy configuration and reduces the probability of misconfiguration.

Description

Firewall configuration method and device
Technical Field
The present invention relates to the field of computer software, and in particular to a firewall configuration method and apparatus.
Background
To raise the security level of enterprise networks and meet industry regulatory requirements, financial enterprises typically divide the data-centre network into multiple security domains according to security level, business attributes and the like. Each security domain is fronted by a firewall whose strict security policies control network access in whitelist fashion. Deploying security policies is therefore a frequent, repetitive and important task in enterprise IT operation and maintenance, and deploying firewall policies automatically, efficiently and accurately is a need that remains to be solved.
Disclosure of Invention
To solve the problem of automatic firewall policy deployment, the invention provides the following technical scheme:
A firewall configuration method comprising the steps of:
based on network topology data, performing path analysis from IP_SRC to IP_DST and determining the target devices to be configured and the configuration requirements of those target devices; the firewall policy configured by the method comprises key elements and non-key elements, where the key elements are: the position LINE, the ingress interface INF_FROM, the ingress security zone ZONE_FROM, the egress interface INF_TO and the egress security zone ZONE_TO; and the non-key elements are: ACTION, PROTOCOL, the source address IP_SRC, the source port PORT_SRC, the destination address IP_DST and the destination port PORT_DST; the non-key elements are filled in according to the actual requirement;
and comparing the configuration requirement of the target device against the security policies already configured on it, thereby determining the three key elements: the position LINE, the ingress security zone ZONE_FROM and the egress security zone ZONE_TO.
Further, in the firewall configuration method, the "path analysis" step specifically comprises:
based on the longest-prefix-match routing algorithm, taking IP_SRC and IP_DST as inputs and matching them against the routes of all devices ROUTES_ALL to obtain the source device SRC_DEV, the source device interface SRC_INF, the destination device DST_DEV and the destination device interface DST_INF; interfaces that do not carry business access are labelled on the basis of the topology, and the algorithm is as follows:
routes = label_filter(routes_all)
dev_src, inf_src = LPM(IP_src, routes)
dev_dst, inf_dst = LPM(IP_dst, routes);
with dev_src and dev_dst as inputs, all connected paths from dev_src to dev_dst are computed with the breadth-first search algorithm BFS: paths = BFS(topology, dev_src, dev_dst); the target device dev_target is then obtained.
Further, the firewall configuration method also comprises a flow simulation step: starting from the source device in PATHS, flow simulation is performed device by device to obtain the key-element egress interfaces, and the target devices to be configured and their configuration requirements are obtained.
Further, in the firewall configuration method, the step of comparing the configuration requirement of the target device against its existing security policy configuration and determining the three key elements LINE, ZONE_FROM and ZONE_TO specifically comprises:
analysing the configuration of the target device to obtain the ingress security zone and the egress security zone:
zone_from = find_zone(inf_src)
zone_to = find_zone(inf_dst);
obtaining the policy table: policies = get_policies(zone_from, zone_to);
correlation analysis: comparing the configuration requirement of the target device against its existing security policy configuration and computing the policy configuration element position LINE.
Further, in the firewall configuration method, the correlation analysis step, "comparing the configuration requirement of the target device against its existing security policy configuration and computing the policy configuration element position LINE", specifically comprises:
when the comparison shows that an existing policy contains or equals the requirement, LINE is -1;
when an existing policy differs from the requirement in ACTION and the other elements intersect, LINE is obtained by manual inquiry;
when an existing policy is identical to the requirement in ACTION and PROTOCOL and at least two of the three are identical, the merge policy is executed:
action != ACTION && protocol == PROTOCOL && (ip_src ∩ IP_src || ip_dst ∩ IP_dst || port_src ∩ PORT_src || port_dst ∩ PORT_dst)
The inventors also provide a firewall configuration device, comprising a path analysis unit and a comparison analysis unit;
the path analysis unit is configured to perform path analysis from IP_SRC to IP_DST based on the network topology data and to determine the target devices to be configured and their configuration requirements; the configured firewall policy comprises key elements and non-key elements, where the key elements are: the position LINE, the ingress interface INF_FROM, the ingress security zone ZONE_FROM, the egress interface INF_TO and the egress security zone ZONE_TO; and the non-key elements are: ACTION, PROTOCOL, the source address IP_SRC, the source port PORT_SRC, the destination address IP_DST and the destination port PORT_DST; the non-key elements are filled in according to the actual requirement;
the comparison analysis unit is configured to compare the configuration requirement of the target device against its existing security policy configuration and to determine the three key elements: the position LINE, the ingress security zone ZONE_FROM and the egress security zone ZONE_TO.
Further, in the firewall configuration device, the path analysis unit comprises a matching module and a label module; the path analysis performed specifically comprises:
the matching module, based on the longest-prefix-match routing algorithm, takes IP_SRC and IP_DST as inputs and matches them against the routes of all devices ROUTES_ALL to obtain the source device SRC_DEV, the source device interface SRC_INF, the destination device DST_DEV and the destination device interface DST_INF; the label module labels interfaces that do not carry business access on the basis of the topology, and the algorithm is as follows:
routes = label_filter(routes_all)
dev_src, inf_src = LPM(IP_src, routes)
dev_dst, inf_dst = LPM(IP_dst, routes);
with dev_src and dev_dst as inputs, all connected paths from dev_src to dev_dst are computed with the breadth-first search algorithm BFS: paths = BFS(topology, dev_src, dev_dst); the target device dev_target is then obtained.
Further, in the firewall configuration device, the path analysis unit also comprises a flow simulation module, configured to start from the source device in PATHS, perform flow simulation device by device, obtain the key-element egress interfaces, and obtain the target devices to be configured and their configuration requirements.
Further, in the firewall configuration apparatus, the comparison analysis unit compares the configuration requirement of the target device against its existing security policy configuration and determines the three key elements LINE, ZONE_FROM and ZONE_TO, which specifically comprises:
analysing the configuration of the target device to obtain the ingress security zone and the egress security zone:
zone_from = find_zone(inf_src)
zone_to = find_zone(inf_dst);
obtaining the policy table: policies = get_policies(zone_from, zone_to);
the comparison analysis unit comprises a correlation analysis module, which compares the configuration requirement of the target device against its existing security policy configuration and computes the policy configuration element position LINE.
Further, in the firewall configuration device, the correlation analysis module's "comparing the configuration requirement of the target device against its existing security policy configuration and computing the policy configuration element position LINE" specifically comprises:
when the comparison shows that an existing policy contains or equals the requirement, LINE is -1;
when an existing policy differs from the requirement in ACTION and the other elements intersect, LINE is obtained by manual inquiry;
when an existing policy is identical to the requirement in ACTION and PROTOCOL and at least two of the three are identical, the merge policy is executed:
action != ACTION && protocol == PROTOCOL && (ip_src ∩ IP_src || ip_dst ∩ IP_dst || port_src ∩ PORT_src || port_dst ∩ PORT_dst)
compared with the firewall policy configuration element analysis method based on the network topology communication graph of the mainstream at the present stage, the invention provides a more accurate configuration element analysis method, wherein interfaces, policy routes, NAT, security domains and the like affecting the firewall configuration elements are analyzed by adopting a flow simulation method, and the correlation analysis is carried out on the existing policies and the like, thereby improving the effectiveness of the firewall policy configuration and reducing the probability of error configuration; the simulation analysis can be carried out without depending on global network configuration data, so that the application implementation cost of the method is reduced; in addition, the label-based route matching filtering method improves the robustness of the method in analysis, and solves the problem that the route configuration is not standard and cannot be matched with the source and destination devices in the firewall policy configuration accurately.
Drawings
FIG. 1 is a flow chart of the firewall configuration method according to the invention;
FIG. 2 is a block diagram of the firewall configuration device according to the invention.
Reference numerals:
1: path analysis unit
2: comparison analysis unit
11: matching module
12: label module
13: flow simulation module
21: correlation analysis module
Detailed Description
In order to describe the technical content, constructional features, achieved objects and effects of the technical solution in detail, the following description is made in connection with the specific embodiments in conjunction with the accompanying drawings.
Referring to fig. 1, a flowchart of a firewall configuration method according to the present invention is shown; the method comprises the following steps:
S1, based on network topology data, performing path analysis from IP_SRC to IP_DST and determining the target devices to be configured and their configuration requirements;
S2, comparing the configuration requirement of the target device against its existing security policy configuration and determining the three key elements: the position, the ingress security zone and the egress security zone.
The firewall policy configured by the method comprises key elements and non-key elements, where the key elements are: the position LINE, the ingress interface INF_FROM, the ingress security zone ZONE_FROM, the egress interface INF_TO and the egress security zone ZONE_TO; and the non-key elements are: ACTION, PROTOCOL, the source address IP_SRC, the source port PORT_SRC, the destination address IP_DST and the destination port PORT_DST; the non-key elements are filled in according to the actual requirement.
Specifically, the policy configuration elements are as follows:
ACTION: non-key element, filled in on demand;
position (LINE): key element; because the firewall's access control mechanism matches security policies in order, the insertion position of a policy directly affects the correctness and effectiveness of the policy configuration;
PROTOCOL: non-key element, filled in on demand;
ingress interface (INF_FROM): key element, determines ZONE_FROM;
ingress security zone (ZONE_FROM): key element, determines the policy table into which the policy is inserted;
source address (IP_SRC): non-key element, filled in on demand;
source port (PORT_SRC): non-key element, filled in on demand;
egress interface (INF_TO): key element, determines ZONE_TO;
egress security zone (ZONE_TO): key element, determines the policy table into which the policy is inserted;
destination address (IP_DST): non-key element, filled in on demand;
destination port (PORT_DST): non-key element, filled in on demand.
Further, the "path analysis" of step S1 comprises the following operations:
S11, based on the longest-prefix-match routing algorithm, taking IP_SRC and IP_DST as inputs and matching them against the routes of all devices ROUTES_ALL to obtain the source device SRC_DEV, the source device interface SRC_INF, the destination device DST_DEV and the destination device interface DST_INF; interfaces that do not carry business access are labelled on the basis of the topology, and the algorithm is as follows:
routes = label_filter(routes_all)
dev_src, inf_src = LPM(IP_src, routes)
dev_dst, inf_dst = LPM(IP_dst, routes);
In this step, a matching scheme based on the longest-prefix-match algorithm LPM alone often runs into a problem during verification in real environments: manually configured static routes or dynamic routes are not standardised, so several devices in the same topology frequently match the same prefix with the same route cost (Metric), and the true destination device cannot be determined. The technical solutions that preceded this invention solved the problem by managing every layer-3 network device and obtaining the exact target device by matching directly connected routes; this consumes a great deal of system resources and increases implementation difficulty. The invention therefore proposes a label filtering method, which labels interfaces that do not carry business access on the basis of the topology, excludes the routes that interfere with exact matching of the source and destination devices, and reduces resource consumption and implementation difficulty.
S12, taking dev_src and dev_dst as inputs, all connected paths from dev_src to dev_dst are computed with the breadth-first search algorithm BFS: paths = BFS(topology, dev_src, dev_dst); the target device dev_target is then obtained.
In this step, PATHS comprises one or more paths from dev_src to dev_dst. Each path also carries edge information for every device connection, i.e. the connection between device interfaces. From the network's point of view only physically reachable link information is available at this stage; whether the network layer is reachable depends on many further factors: interfaces, policy routing, network address translation and so on. The method therefore proposes a flow simulation based on device configuration on top of the physically reachable link information, in order to further verify and analyse the key elements of the firewall policy configuration, namely step S13 below:
S13, flow simulation: starting from the source device in PATHS, flow simulation is performed device by device to obtain the key-element egress interfaces, and the target devices to be configured and their configuration requirements are obtained.
The inputs of the flow simulation are: DEV, INF_SRC, IP_SRC, IP_DST
The output of the flow simulation is: INF_DST
The purpose of the flow simulation is to determine the correct egress interface by simulating the device's configuration. Devices of different brands and models process IP packets through different flows, so many factors influence IP packet forwarding. Taking a Juniper firewall as an example, the factors that influence egress interface selection on a Juniper device include static NAT, destination NAT, routing, reverse static NAT, source NAT and the like. When the flow simulation is complete, the configuration targets and the policy configuration requirements on each target (including the key elements INF_SRC and INF_DST) are obtained.
The policy configuration requirement comprises: (ACTION, PROTOCOL, INF_SRC, IP_SRC, PORT_SRC, INF_DST, IP_DST, PORT_DST)
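Steps S11 and S12 above (label-filtered longest-prefix matching, then BFS over the physical topology) as an added Python example; this is not the patent's own code. The route labels, the link list and the rule that the configuration targets are the firewalls lying on any found path are assumptions, and the device-specific flow simulation of S13 is not modelled.

```python
import ipaddress
from collections import deque

# Constructed sample data (not from the patent). Each route is
# (device, interface, prefix, label). The label marks whether the interface
# carries business access ("access") or is a transit/uplink interface
# ("transit") whose routes would otherwise tie with the real edge device
# under longest-prefix matching.
ROUTES_ALL = [
    ("sw_a",  "vlan10",   "10.1.10.0/24", "access"),
    ("fw1",   "eth1",     "10.1.10.0/24", "transit"),  # static route back to sw_a
    ("fw1",   "eth2",     "10.2.20.0/24", "transit"),
    ("core1", "ge-0/0/0", "10.0.0.0/8",   "transit"),
    ("sw_b",  "vlan20",   "10.2.20.0/24", "access"),
]

# Constructed physical links: (device_a, interface_a, device_b, interface_b).
LINKS = [
    ("sw_a",  "up0",      "fw1",   "eth1"),
    ("fw1",   "eth2",     "sw_b",  "up0"),
    ("fw1",   "eth3",     "core1", "ge-0/0/1"),
    ("core1", "ge-0/0/2", "sw_b",  "up1"),
]
FIREWALLS = {"fw1"}  # devices that can become configuration targets (assumption)

def label_filter(routes_all, keep=("access",)):
    """Drop routes learned on interfaces that do not carry business access."""
    return [r for r in routes_all if r[3] in keep]

def lpm(ip, routes):
    """Longest-prefix match of ip over routes; returns (device, interface).

    Raises LookupError when several devices tie at the longest prefix, which
    is exactly the ambiguity that label_filter is meant to remove."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes
            if addr in ipaddress.ip_network(r[2], strict=False)]
    if not hits:
        raise LookupError(f"no route for {ip}")
    best = max(ipaddress.ip_network(r[2], strict=False).prefixlen for r in hits)
    ties = [r for r in hits
            if ipaddress.ip_network(r[2], strict=False).prefixlen == best]
    if len(ties) > 1:
        names = ", ".join(f"{dev}:{inf}" for dev, inf, _, _ in ties)
        raise LookupError(f"ambiguous match for {ip}: {names}")
    dev, inf, _, _ = ties[0]
    return dev, inf

def lpm_is_ambiguous(ip, routes):
    """True when LPM cannot single out one device for ip."""
    try:
        lpm(ip, routes)
    except LookupError as exc:
        return str(exc).startswith("ambiguous")
    return False

def build_topology(links):
    """Adjacency map: topology[a][b] = (interface on a, interface on b)."""
    topology = {}
    for dev_a, inf_a, dev_b, inf_b in links:
        topology.setdefault(dev_a, {})[dev_b] = (inf_a, inf_b)
        topology.setdefault(dev_b, {})[dev_a] = (inf_b, inf_a)
    return topology

def bfs_all_paths(topology, src, dst):
    """All simple device paths from src to dst, shortest first (BFS)."""
    paths, queue = [], deque([[src]])
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            paths.append(path)
            continue
        for nxt in sorted(topology.get(path[-1], {})):
            if nxt not in path:
                queue.append(path + [nxt])
    return paths

def path_analysis(ip_src, ip_dst, routes_all, links, firewalls):
    """Steps S11 and S12: label-filtered LPM, then BFS over the topology.

    Assumption: the target devices are the firewalls that lie on any path."""
    routes = label_filter(routes_all)
    dev_src, inf_src = lpm(ip_src, routes)
    dev_dst, inf_dst = lpm(ip_dst, routes)
    paths = bfs_all_paths(build_topology(links), dev_src, dev_dst)
    targets = sorted({dev for path in paths for dev in path if dev in firewalls})
    return {"dev_src": dev_src, "inf_src": inf_src,
            "dev_dst": dev_dst, "inf_dst": inf_dst,
            "paths": paths, "targets": targets}
```

Without the label filter, 10.1.10.5 matches both sw_a and fw1 at /24 and LPM cannot pick the edge device; with it, only the access interface on sw_a remains.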
Step S2, comparing the configuration requirement of the target device against its existing security policy configuration and determining the three key elements (the position, the ingress security zone and the egress security zone), specifically comprises:
S21, analysing the configuration of the target device to obtain the ingress security zone and the egress security zone:
zone_from = find_zone(inf_src)
zone_to = find_zone(inf_dst);
S22, obtaining the policy table: policies = get_policies(zone_from, zone_to);
S23, correlation analysis: comparing the configuration requirement of the target device against its existing security policy configuration and computing the policy configuration element position LINE.
Step S23 specifically comprises:
when the comparison shows that an existing policy contains or equals the requirement, LINE is -1;
when an existing policy differs from the requirement in ACTION and the other elements intersect, LINE is obtained by manual inquiry;
when an existing policy is identical to the requirement in ACTION and PROTOCOL and at least two of the three are identical, the merge policy is executed:
action != ACTION && protocol == PROTOCOL && (ip_src ∩ IP_src || ip_dst ∩ IP_dst || port_src ∩ PORT_src || port_dst ∩ PORT_dst)
In summary, within the correlation analysis, the analysis of already-satisfied policies avoids invalid configuration; the analysis of conflicting policies avoids generating erroneous configuration; and merge analysis reduces the number of policy entries and keeps the configuration tidy.
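The correlation analysis of step S23 (satisfied, conflict, merge) as an added Python example over a constructed policy table; this is not the patent's code. It reads "two of the three" as ip_src, ip_dst and port_dst, treats a protocol of "any" as matching every protocol, and adds one assumption the text does not state: when none of the three verdicts applies, the new rule is placed before the first existing rule whose match space overlaps it, so that ordered matching cannot shadow it.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)  # inclusive port range covering every port

@dataclass(frozen=True)
class Policy:
    """One row of the zone_from -> zone_to policy table (non-key elements)."""
    action: str      # "permit" or "deny"
    protocol: str    # "tcp", "udp" or "any"
    ip_src: str      # CIDR
    port_src: tuple  # (low, high), inclusive
    ip_dst: str
    port_dst: tuple

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def _ip_contains(outer, inner):
    return _net(inner).subnet_of(_net(outer))

def _ip_overlaps(a, b):
    return _net(a).overlaps(_net(b))

def _port_contains(outer, inner):
    return outer[0] <= inner[0] and inner[1] <= outer[1]

def _port_overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]

def _proto_overlaps(a, b):
    return a == b or "any" in (a, b)

def covers(existing, req):
    """Existing policy contains or equals the requirement (same action)."""
    return (existing.action == req.action
            and existing.protocol in ("any", req.protocol)
            and _ip_contains(existing.ip_src, req.ip_src)
            and _port_contains(existing.port_src, req.port_src)
            and _ip_contains(existing.ip_dst, req.ip_dst)
            and _port_contains(existing.port_dst, req.port_dst))

def conflicts(existing, req):
    """Patent condition: action differs, protocol matches, and any other
    element intersects. The OR over elements is conservative on purpose:
    borderline overlaps go to a human rather than being auto-inserted."""
    return (existing.action != req.action
            and _proto_overlaps(existing.protocol, req.protocol)
            and (_ip_overlaps(existing.ip_src, req.ip_src)
                 or _ip_overlaps(existing.ip_dst, req.ip_dst)
                 or _port_overlaps(existing.port_src, req.port_src)
                 or _port_overlaps(existing.port_dst, req.port_dst)))

def mergeable(existing, req):
    """Same action and protocol and at least two of ip_src, ip_dst, port_dst
    identical (our reading of 'two of the three'; port_src is usually any)."""
    if existing.action != req.action or existing.protocol != req.protocol:
        return False
    same = (existing.ip_src == req.ip_src,
            existing.ip_dst == req.ip_dst,
            existing.port_dst == req.port_dst)
    return sum(same) >= 2

def _overlaps_all(existing, req):
    """True when some packet could match both rules, so ordering matters."""
    return (_proto_overlaps(existing.protocol, req.protocol)
            and _ip_overlaps(existing.ip_src, req.ip_src)
            and _port_overlaps(existing.port_src, req.port_src)
            and _ip_overlaps(existing.ip_dst, req.ip_dst)
            and _port_overlaps(existing.port_dst, req.port_dst))

def association_analysis(policies, req):
    """Return (LINE, verdict): LINE is -1 (already satisfied), None (manual
    inquiry needed) or an index into the ordered policy table."""
    if any(covers(pol, req) for pol in policies):
        return -1, "satisfied"
    if any(conflicts(pol, req) for pol in policies):
        return None, "conflict"
    for idx, pol in enumerate(policies):
        if mergeable(pol, req):
            return idx, "merge"
    # Assumption beyond the patent text: insert before the first rule whose
    # match space overlaps the requirement so the new rule is not shadowed;
    # otherwise append at the end of the table.
    for idx, pol in enumerate(policies):
        if _overlaps_all(pol, req):
            return idx, "insert"
    return len(policies), "insert"

# Constructed sample policy table for one (zone_from, zone_to) pair.
POLICIES = [
    Policy("permit", "tcp", "10.1.10.0/24", ANY_PORT, "10.2.20.0/24",  (443, 443)),
    Policy("deny",   "udp", "10.1.30.0/24", ANY_PORT, "10.3.0.0/16",   ANY_PORT),
    Policy("permit", "tcp", "10.1.10.0/24", ANY_PORT, "10.2.20.10/32", (22, 22)),
]
```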
The inventors also provide a firewall configuration device, comprising a path analysis unit 1 and a comparison analysis unit 2;
the path analysis unit 1 is configured to perform path analysis from IP_SRC to IP_DST based on the network topology data and to determine the target devices to be configured and their configuration requirements; the configured firewall policy comprises key elements and non-key elements, where the key elements are: the position LINE, the ingress interface INF_FROM, the ingress security zone ZONE_FROM, the egress interface INF_TO and the egress security zone ZONE_TO; and the non-key elements are: ACTION, PROTOCOL, the source address IP_SRC, the source port PORT_SRC, the destination address IP_DST and the destination port PORT_DST; the non-key elements are filled in according to the actual requirement;
the comparison analysis unit 2 is configured to compare the configuration requirement of the target device against its existing security policy configuration and to determine the three key elements: the position LINE, the ingress security zone ZONE_FROM and the egress security zone ZONE_TO.
The path analysis unit 1 comprises a matching module 11 and a label module 12; the path analysis performed specifically comprises: the matching module 11, based on the longest-prefix-match routing algorithm, takes IP_SRC and IP_DST as inputs and matches them against the routes of all devices ROUTES_ALL to obtain the source device SRC_DEV, the source device interface SRC_INF, the destination device DST_DEV and the destination device interface DST_INF; the label module 12 labels interfaces that do not carry business access on the basis of the topology, and the algorithm is as follows:
routes = label_filter(routes_all)
dev_src, inf_src = LPM(IP_src, routes)
dev_dst, inf_dst = LPM(IP_dst, routes);
with dev_src and dev_dst as inputs, all connected paths from dev_src to dev_dst are computed with the breadth-first search algorithm BFS: paths = BFS(topology, dev_src, dev_dst); the target device dev_target is then obtained.
The path analysis unit 1 further comprises a flow simulation module 13, which starts from the source device in PATHS and performs flow simulation device by device to obtain the key-element egress interfaces, and obtains the target devices to be configured and their configuration requirements.
The comparison analysis unit 2 "compares the configuration requirement of the target device against its existing security policy configuration and determines the three key elements LINE, ZONE_FROM and ZONE_TO", which specifically comprises:
analysing the configuration of the target device to obtain the ingress security zone and the egress security zone:
zone_from = find_zone(inf_src)
zone_to = find_zone(inf_dst);
obtaining the policy table: policies = get_policies(zone_from, zone_to);
The comparison analysis unit comprises a correlation analysis module 21, which compares the configuration requirement of the target device against its existing security policy configuration and computes the policy configuration element position LINE. This specifically comprises:
when the comparison shows that an existing policy contains or equals the requirement, LINE is -1;
when an existing policy differs from the requirement in ACTION and the other elements intersect, LINE is obtained by manual inquiry;
when an existing policy is identical to the requirement in ACTION and PROTOCOL and at least two of the three are identical, the merge policy is executed:
action != ACTION && protocol == PROTOCOL && (ip_src ∩ IP_src || ip_dst ∩ IP_dst || port_src ∩ PORT_src || port_dst ∩ PORT_dst)
compared with the firewall policy configuration element analysis method based on the network topology communication graph of the mainstream at the present stage, the invention provides a more accurate configuration element analysis method, wherein interfaces, policy routes, NAT, security domains and the like affecting the firewall configuration elements are analyzed by adopting a flow simulation method, and the correlation analysis is carried out on the existing policies and the like, thereby improving the effectiveness of the firewall policy configuration and reducing the probability of error configuration; the simulation analysis can be carried out without depending on global network configuration data, so that the application implementation cost of the method is reduced; in addition, the label-based route matching filtering method improves the robustness of the method in analysis, and solves the problem that the route configuration is not standard and cannot be matched with the source and destination devices in the firewall policy configuration accurately.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the statement "comprising … …" or "comprising … …" does not exclude the presence of additional elements in a process, method, article or terminal device comprising the element. Further, herein, "greater than," "less than," "exceeding," and the like are understood to not include the present number; "above", "below", "within" and the like are understood to include this number.
It will be appreciated by those skilled in the art that the various embodiments described above may be provided as methods, apparatus, or computer program products. These embodiments may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. All or part of the steps in the methods according to the above embodiments may be implemented by a program for instructing related hardware, and the program may be stored in a storage medium readable by a computer device, for performing all or part of the steps in the methods according to the above embodiments. The computer device includes, but is not limited to: personal computers, servers, general purpose computers, special purpose computers, network devices, embedded devices, programmable devices, intelligent mobile terminals, intelligent home devices, wearable intelligent devices, vehicle-mounted intelligent devices and the like; the storage medium includes, but is not limited to: RAM, ROM, magnetic disk, magnetic tape, optical disk, flash memory, usb disk, removable hard disk, memory card, memory stick, web server storage, web cloud storage, etc.
The embodiments described above are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a computer device to produce a machine, such that the instructions, which execute via the processor of the computer device, create means for implementing the functions specified in the flowchart block or blocks and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer device-readable memory that can direct a computer device to function in a particular manner, such that the instructions stored in the computer device-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer apparatus to cause a series of operational steps to be performed on the computer apparatus to produce a computer implemented process such that the instructions which execute on the computer apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While embodiments have been described above, other variations and modifications will occur to those skilled in the art once the basic inventive concepts are known. The foregoing description and drawings are therefore intended to illustrate only embodiments of the invention and not to limit its scope; the invention is not limited to the specific embodiments described, and may be practiced with their equivalent structures or equivalent processes, or by using them directly or indirectly in other related fields.

Claims (10)

1. A firewall configuration method, comprising the steps of:
performing path analysis from IP_SRC to IP_DST based on network topology data, and determining the target device to be configured and the configuration requirement of that target device; the firewall policy configured by the method comprises key elements and non-key elements, wherein the key elements comprise: position LINE, ingress interface INF_FROM, ingress security zone ZONE_FROM, egress interface INF_TO and egress security zone ZONE_TO; the non-key elements comprise: action ACTION, protocol PROTOCOL, source address IP_SRC, source port PORT_SRC, destination address IP_DST and destination port PORT_DST; the values of the non-key elements are determined according to actual requirements;
comparing and analyzing the configuration requirement of the target device against the existing security policy configuration of the target device, and determining the three key elements position LINE, ingress security zone ZONE_FROM and egress security zone ZONE_TO.
2. The firewall configuration method of claim 1, wherein the path analysis step specifically comprises:
based on a longest-prefix route matching algorithm, taking IP_SRC and IP_DST as inputs and matching them against the routes of all devices ROUTES_ALL to obtain the source device SRC_DEV, the source device interface SRC_INF, the destination device DST_DEV and the destination device interface DST_INF; interfaces that are not used for business access are label-marked on the basis of the topology, and the algorithm is as follows:
routes = label_filter(routes_all)
dev_src, inf_src = LPM(IP_src, routes)
dev_dst, inf_dst = LPM(IP_dst, routes);
with dev_src and dev_dst as inputs, all connected paths from dev_src to dev_dst are computed by a breadth-first search algorithm, PATHS = BFS(topology, dev_src, dev_dst); and the target device dev_target is obtained.
3. The firewall configuration method of claim 2, further comprising a traffic simulation step: starting from the source device in PATHS, performing traffic simulation on the devices one by one to obtain the key element egress interface; and obtaining the target device to be configured and the configuration requirement of the target device.
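As an added worked example for claims 2 and 3 (this code is not part of the patent and does not reproduce the applicant's implementation), the following Python program performs label filtering, longest-prefix matching across the route tables of all devices, breadth-first enumeration of device paths, and hop-by-hop traffic simulation on a small constructed topology. The device names, route tables, interface labels, the set of firewall devices, and the reverse-path rule used to derive each hop's ingress interface are all assumptions of this example.

```python
import ipaddress
from collections import deque

# Constructed sample data, not taken from the patent: route tables of all devices
# as (device, interface, prefix), the interfaces labelled as non-business
# (management-plane) access, the physical adjacency topology, and the firewalls.
ROUTES_ALL = [
    ("sw1", "eth1", "10.1.0.0/24"),
    ("sw1", "eth2", "0.0.0.0/0"),
    ("fw1", "eth0", "10.1.0.0/16"),
    ("fw1", "eth1", "10.2.0.0/16"),
    ("sw2", "eth1", "10.2.0.0/24"),
    ("sw2", "eth2", "0.0.0.0/0"),
    ("mgmt", "eth0", "10.1.0.0/25"),   # more specific than sw1's route, but out-of-band
]
NON_BUSINESS = {("mgmt", "eth0")}
TOPOLOGY = {"sw1": ["fw1", "mgmt"], "fw1": ["sw1", "sw2"], "sw2": ["fw1"], "mgmt": ["sw1"]}
FIREWALLS = {"fw1"}


def label_filter(routes, non_business):
    """Drop routes that belong to interfaces labelled as non-business access, so that
    an out-of-band management route can never win the longest-prefix match."""
    return [r for r in routes if (r[0], r[1]) not in non_business]


def lpm(ip, routes):
    """Longest-prefix match over a (possibly multi-device) route list.
    Returns (device, interface) of the most specific matching route, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for dev, inf, prefix in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[2].prefixlen):
            best = (dev, inf, net)
    return None if best is None else (best[0], best[1])


def bfs_paths(topology, src, dst):
    """All loop-free paths from src to dst, enumerated breadth-first."""
    paths, queue = [], deque([[src]])
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            paths.append(path)
            continue
        for nxt in topology.get(path[-1], []):
            if nxt not in path:
                queue.append(path + [nxt])
    return paths


def simulate(ip_src, ip_dst, path, routes, firewalls):
    """Hop-by-hop traffic simulation along one path.  On each device the egress
    interface is the LPM result for ip_dst in that device's own routes; the ingress
    interface is taken as the LPM result for ip_src (a reverse-path lookup, which is
    this example's assumption).  Returns one record per hop, or None if some device
    on the path cannot forward the flow at all."""
    hops = []
    for dev in path:
        own = [r for r in routes if r[0] == dev]
        egress, ingress = lpm(ip_dst, own), lpm(ip_src, own)
        if egress is None or ingress is None:
            return None
        hops.append({"dev": dev, "inf_from": ingress[1], "inf_to": egress[1],
                     "is_target": dev in firewalls})
    return hops


def path_analysis(ip_src, ip_dst, routes_all=ROUTES_ALL, non_business=NON_BUSINESS,
                  topology=TOPOLOGY, firewalls=FIREWALLS):
    """Claims 2 and 3: locate the end devices, enumerate the paths between them and
    derive, for every firewall on a viable path, the configuration requirement
    (target device plus the key elements INF_FROM / INF_TO)."""
    routes = label_filter(routes_all, non_business)
    src, dst = lpm(ip_src, routes), lpm(ip_dst, routes)
    if src is None or dst is None:
        raise ValueError("source or destination address matches no business route")
    (dev_src, inf_src), (dev_dst, inf_dst) = src, dst
    paths = bfs_paths(topology, dev_src, dev_dst)
    requirements = []
    for path in paths:
        for hop in simulate(ip_src, ip_dst, path, routes, firewalls) or []:
            if hop["is_target"]:
                requirements.append({"dev_target": hop["dev"], "inf_from": hop["inf_from"],
                                     "inf_to": hop["inf_to"], "ip_src": ip_src, "ip_dst": ip_dst})
    return {"dev_src": dev_src, "inf_src": inf_src, "dev_dst": dev_dst, "inf_dst": inf_dst,
            "paths": paths, "requirements": requirements}


if __name__ == "__main__":
    print(path_analysis("10.1.0.10", "10.2.0.20"))
```

Without the label filter the more specific management route on mgmt would be selected as the source device, which is exactly the mis-attribution the label marking in claim 2 is meant to prevent; with it, the source device is sw1 and the only viable path crosses fw1, yielding one requirement with INF_FROM eth0 and INF_TO eth1.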
4. The firewall configuration method according to claim 3, wherein the step of comparing and analyzing the configuration requirement of the target device against the existing security policy configuration of the target device and determining the three key elements position LINE, ingress security zone ZONE_FROM and egress security zone ZONE_TO specifically comprises:
parsing the target device configuration to obtain the ingress security zone ZONE_FROM and the egress security zone ZONE_TO:
zone_from = find_zone(inf_src)
zone_to = find_zone(inf_dst);
obtaining the policy table: policies = get_policies(zone_from, zone_to);
correlation analysis: comparing and analyzing the configuration requirement of the target device against the existing security policy configuration of the target device, and calculating the policy configuration element position LINE.
5. The firewall configuration method of claim 4, wherein the correlation analysis step of "comparing and analyzing the configuration requirement of the target device against the existing security policy configuration of the target device, and calculating the policy configuration element position LINE" specifically comprises:
when the comparison result is that an existing policy contains or equals the requirement, LINE is -1;
when an existing policy differs from the requirement in ACTION and the other elements intersect, LINE is obtained by manual inquiry;
when an existing policy is identical to the requirement in ACTION and PROTOCOL, and at least two of the three are identical, a merge policy is executed:
action != ACTION && protocol == PROTOCOL && (ip_src ∩ IP_SRC || ip_dst ∩ IP_DST || port_src ∩ PORT_SRC || port_dst ∩ PORT_DST)
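As an added worked example for claims 4 and 5 (this code is not part of the patent and does not reproduce the applicant's implementation), the following Python program derives ZONE_FROM and ZONE_TO from the interfaces, selects the policy table of that zone pair, and computes LINE with the three rules of claim 5. The interface-to-zone map and the existing policies are constructed sample data. The intersection test reproduces the disjunction written in claim 5 (any one field intersecting is enough), and the merge rule is read as "at least two identical fields among the four address and port fields", because the claim does not say which three elements it counts; the placement of an unrelated requirement after the zone pair's last policy is likewise this example's choice, not the patent's.

```python
import ipaddress

# Constructed sample firewall configuration, not taken from the patent: interface-to-zone
# mapping of the target device and its existing policies in device evaluation order.
INTERFACE_ZONES = {"eth0": "trust", "eth1": "untrust", "eth2": "dmz"}
EXISTING_POLICIES = [
    {"line": 1, "zone_from": "trust", "zone_to": "untrust", "action": "permit", "protocol": "tcp",
     "ip_src": "10.1.0.0/24", "ip_dst": "10.2.0.20/32", "port_src": "any", "port_dst": "443"},
    {"line": 2, "zone_from": "trust", "zone_to": "untrust", "action": "deny", "protocol": "tcp",
     "ip_src": "10.1.0.0/16", "ip_dst": "10.2.0.0/24", "port_src": "any", "port_dst": "22"},
    {"line": 3, "zone_from": "trust", "zone_to": "dmz", "action": "permit", "protocol": "tcp",
     "ip_src": "any", "ip_dst": "any", "port_src": "any", "port_dst": "80"},
]
FIELDS = ("ip_src", "ip_dst", "port_src", "port_dst")
MANUAL = "manual"   # LINE cannot be decided automatically; a human must place the policy


def find_zone(inf):
    return INTERFACE_ZONES[inf]


def get_policies(policies, zone_from, zone_to):
    """Policy table of one zone pair, in device order."""
    return [p for p in policies if p["zone_from"] == zone_from and p["zone_to"] == zone_to]


def _net(v):
    return ipaddress.ip_network("0.0.0.0/0" if v == "any" else v, strict=False)


def _ports(v):
    if v == "any":
        return (0, 65535)
    lo, _, hi = v.partition("-")
    return (int(lo), int(hi or lo))


def _contains(field, a, b):
    """True when value a of an existing policy covers value b of the requirement."""
    if field.startswith("ip"):
        return _net(b).subnet_of(_net(a))
    (alo, ahi), (blo, bhi) = _ports(a), _ports(b)
    return alo <= blo and bhi <= ahi


def _intersects(field, a, b):
    if field.startswith("ip"):
        return _net(a).overlaps(_net(b))
    (alo, ahi), (blo, bhi) = _ports(a), _ports(b)
    return not (ahi < blo or bhi < alo)


def compare(policy, req):
    """Element-wise comparison of one existing policy against the requirement."""
    return {"contains": all(_contains(f, policy[f], req[f]) for f in FIELDS),
            "intersects": any(_intersects(f, policy[f], req[f]) for f in FIELDS),
            "equal_fields": sum(policy[f] == req[f] for f in FIELDS)}


def locate_line(policies, req):
    """Correlation analysis of claim 5.  Returns (LINE, reason):
    -1 when a policy with the same action and protocol already covers the requirement;
    MANUAL when a policy with a different action (same protocol) intersects it;
    (n, 'merge') when the policy at line n has the same action and protocol and at least
    two identical fields; otherwise (n, 'append') after the zone pair's last policy."""
    def same(p):
        return p["action"] == req["action"] and p["protocol"] == req["protocol"]

    results = [(p, compare(p, req)) for p in policies]
    for p, c in results:
        if same(p) and c["contains"]:
            return -1, "covered by line %d" % p["line"]
    for p, c in results:
        if p["action"] != req["action"] and p["protocol"] == req["protocol"] and c["intersects"]:
            return MANUAL, "conflicts with line %d" % p["line"]
    for p, c in results:
        if same(p) and c["equal_fields"] >= 2:
            return p["line"], "merge"
    return max((p["line"] for p in policies), default=0) + 1, "append"


def analyse(req, policies=EXISTING_POLICIES):
    """Claims 4 and 5 for one requirement carrying the key elements INF_FROM / INF_TO
    and the non-key elements ACTION, PROTOCOL, IP_SRC, IP_DST, PORT_SRC, PORT_DST."""
    zone_from, zone_to = find_zone(req["inf_from"]), find_zone(req["inf_to"])
    line, reason = locate_line(get_policies(policies, zone_from, zone_to), req)
    return {"zone_from": zone_from, "zone_to": zone_to, "line": line, "reason": reason}


if __name__ == "__main__":
    print(analyse({"inf_from": "eth0", "inf_to": "eth1", "action": "permit", "protocol": "tcp",
                   "ip_src": "10.1.0.10", "ip_dst": "10.2.0.20", "port_src": "any",
                   "port_dst": "22"}))
```

The three passes are ordered deliberately: a requirement already covered must be reported as LINE -1 even if a later deny intersects it, and a conflicting deny must be escalated before any merge is attempted, because merging a permit past an intersecting deny would silently change what the existing rule blocks.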
6. A firewall configuration apparatus, characterized in that it comprises a path analysis unit and a comparison analysis unit;
the path analysis unit is configured to perform path analysis from IP_SRC to IP_DST based on network topology data, and to determine the target device to be configured and the configuration requirement of that target device; the configured firewall policy comprises key elements and non-key elements, the key elements comprising: position LINE, ingress interface INF_FROM, ingress security zone ZONE_FROM, egress interface INF_TO and egress security zone ZONE_TO; the non-key elements comprising: action ACTION, protocol PROTOCOL, source address IP_SRC, source port PORT_SRC, destination address IP_DST and destination port PORT_DST; the values of the non-key elements are determined according to actual requirements;
the comparison analysis unit is configured to compare and analyze the configuration requirement of the target device against the existing security policy configuration of the target device, and to determine the three key elements position LINE, ingress security zone ZONE_FROM and egress security zone ZONE_TO.
7. The firewall configuration apparatus of claim 6, wherein the path analysis unit comprises a matching module and a label module, and the path analysis performed specifically comprises:
the matching module, based on a longest-prefix route matching algorithm, takes IP_SRC and IP_DST as inputs and matches them against the routes of all devices ROUTES_ALL to obtain the source device SRC_DEV, the source device interface SRC_INF, the destination device DST_DEV and the destination device interface DST_INF; the label module label-marks the interfaces that are not used for business access on the basis of the topology, and the algorithm is as follows:
routes = label_filter(routes_all)
dev_src, inf_src = LPM(IP_src, routes)
dev_dst, inf_dst = LPM(IP_dst, routes);
with dev_src and dev_dst as inputs, all connected paths from dev_src to dev_dst are computed by a breadth-first search algorithm, PATHS = BFS(topology, dev_src, dev_dst); and the target device dev_target is obtained.
8. The firewall configuration apparatus of claim 7, wherein the path analysis unit further comprises a traffic simulation module configured to perform traffic simulation on the devices one by one, starting from the source device in PATHS, to obtain the key element egress interface, and to obtain the target device to be configured and the configuration requirement of the target device.
9. The firewall configuration apparatus of claim 8, wherein the comparison analysis unit's comparing and analyzing the configuration requirement of the target device against the existing security policy configuration of the target device and determining the three key elements position LINE, ingress security zone ZONE_FROM and egress security zone ZONE_TO specifically comprises:
parsing the target device configuration to obtain the ingress and egress security zones:
zone_from = find_zone(inf_src)
zone_to = find_zone(inf_dst);
obtaining the policy table: policies = get_policies(zone_from, zone_to);
the comparison analysis unit comprises a correlation analysis module configured to compare and analyze the configuration requirement of the target device against the existing security policy configuration of the target device, and to calculate the policy configuration element position LINE.
10. The firewall configuration apparatus of claim 9, wherein the correlation analysis module's comparing and analyzing the configuration requirement of the target device against the existing security policy configuration of the target device and calculating the policy configuration element position LINE specifically comprises:
when the comparison result is that an existing policy contains or equals the requirement, LINE is -1;
when an existing policy differs from the requirement in ACTION and the other elements intersect, LINE is obtained by manual inquiry;
when an existing policy is identical to the requirement in ACTION and PROTOCOL, and at least two of the three are identical, a merge policy is executed:
action != ACTION && protocol == PROTOCOL && (ip_src ∩ IP_SRC || ip_dst ∩ IP_DST || port_src ∩ PORT_SRC || port_dst ∩ PORT_DST)
CN202310448244.5A 2023-04-24 2023-04-24 Firewall configuration method and device Pending CN116582307A (en)


Publications (1)

Publication Number Publication Date
CN116582307A true CN116582307A (en) 2023-08-11

Family

ID=87542353



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination