CN1863193A - Method for implementing safety tactics of network safety apparatus (Google Patents)

Publication number: CN1863193A
Authority: CN (China)
Prior art keywords: domain name, network address, network, address, security strategy
Status: Granted (as listed by Google Patents; not a legal conclusion)
Application number: CN 200510069130
Other languages: Chinese (zh)
Other versions: CN1863193B (en)
Inventors: 朱小平, 毕学尧, 杨聪毅
Current assignee: Beijing Leadsec Technology Co.,Ltd.
Original assignee: Lenovo Wangyu Technology Beijing Co Ltd
Application filed by Lenovo Wangyu Technology Beijing Co Ltd
Priority to CN2005100691301A (granted as CN1863193B)
Publication of CN1863193A; application granted; publication of CN1863193B
Current legal status: Expired - Fee Related
Landscapes: Data Exchanges In Wide-Area Networks
Abstract

The invention discloses a method for implementing a security policy, comprising: 1) establishing a correspondence between domain names and network addresses; 2) configuring the security policy and referencing domain names in it; 3) obtaining the network address carried in a data packet; 4) matching the network address carried in the packet against the network addresses corresponding to the domain name; 5) processing the packet according to the matching result and the security policy. The established correspondence between domain names and network addresses is managed dynamically, and a network-address-to-domain-name mapping is maintained in both the user space and the kernel space of the security device and updated synchronously. This simplifies the management of the network security device and improves its adaptability to the network environment.

Description

Method for implementing the security policy of a network security device
Technical field
The present invention relates to a method for implementing a security policy in a network security device.
Background art
With the rapid development of network technology and the spread of Internet applications, network security is receiving ever wider attention. Existing network security devices generally include security devices or functional modules such as firewalls, intrusion detection systems and VPNs (virtual private networks).
A security policy is a description of the management strategy for handling security problems; it is used to control communication between hosts in order to improve the security of inter-host communication.
When a security policy is configured, the source address and destination address in the policy are usually network addresses: the source address describes the source network and the destination address describes the destination network. When the security device receives a packet, it extracts the packet's source and destination addresses, matches them against the source and destination addresses in the security policy, and processes the packet according to the matching result and the policy.
Following this principle, one existing method of implementing a security policy is to resolve the network address corresponding to a domain name manually and to use that network address in the security device's policy. Its shortcoming is that if the network address corresponding to the domain name changes, the domain name must be resolved again by hand and the policy re-applied with the newly resolved network address.
Another prior-art method is to use the domain names of the source and destination networks directly in the security policy and to resolve them to network addresses when the policy takes effect. Its defect is that this resolution happens only once, when the policy takes effect: while the policy is in force, packets are always matched against the network addresses obtained by that first resolution. If the network address corresponding to a domain name used in the policy changes, the domain name must be resolved again and the policy reconfigured; otherwise the policy cannot be enforced as intended.
In summary, when the network address corresponding to a domain name changes, existing methods of implementing a security policy cannot update the correspondence between network address and domain name dynamically. Because existing network security devices cannot flexibly cope with dynamic changes of network addresses, their configuration and management workload is increased.
Summary of the invention
The problem to be solved by the present invention is to provide a method for implementing the security policy of a network security device that adapts to dynamic changes of network addresses and lets the device enforce its security policy quickly.
To solve the above problem, the invention provides a method for implementing a security policy, comprising:
1) establishing a correspondence between domain names and network addresses;
2) configuring the security policy and referencing domain names in it;
3) obtaining the network address carried in a data packet;
4) matching the network address carried in the packet against the network addresses corresponding to the domain name;
5) processing the packet according to the matching result and the security policy.
Step 2) may further comprise configuring the security policy with network addresses as well; and
step 3) may further comprise checking whether the network address carried in the packet is defined directly in the security policy; if not, step 4) is performed, otherwise the network address defined in the policy is used for matching and step 5) is performed.
Establishing the correspondence in step 1) may specifically be:
the network security device requests from a server the network address corresponding to a domain name;
the server resolves the domain name and returns to the network security device the correspondence between the resolved network address and the domain name.
The network security device may request the network address corresponding to the domain name from the server periodically.
Alternatively, establishing the correspondence in step 1) may specifically be:
the network security device analyses domain name service protocol (DNS) packets passing through the network device and obtains from them the correspondence between domain names and network addresses.
Step 1) may further comprise:
if the obtained correspondence between a network address and a domain name is not refreshed within a preset period, deleting that correspondence.
The correspondence between domain names and network addresses may be established in both the user space and the kernel space of the network security device.
The correspondence between domain names and network addresses in the user space and the kernel space may be updated synchronously.
As can be seen from the above technical scheme, because the present invention references domain names when configuring the security policy and establishes a correspondence between domain names and network addresses, when a packet carries a network address that is not defined in the security policy, the established domain-name-to-network-address correspondence can be searched, the network address carried in the packet matched against it, and the packet then processed according to the security policy.
Further, the present invention manages the established correspondence dynamically: it can establish correspondences between domain names and dynamically changing network addresses and update them in time without reconfiguring the security policy. Therefore, when a network address changes, the present invention still matches the network address carried in the packet correctly and processes the packet correctly according to the security policy.
Further, the present invention maintains a network-address-to-domain-name correspondence in both the user space and the kernel space of the security device and updates the two synchronously, so that when the network address carried in a packet is matched, the correspondence can be looked up faster, improving the processing efficiency of the network security device.
In summary, the present invention simplifies the management of network security devices and strengthens their adaptability to the network environment.
Description of drawings
Fig. 1 is a flow chart of an embodiment of the invention;
Fig. 2 is a schematic diagram of the logical relationship of the domain name resource in user space and kernel space;
Fig. 3 is a flow chart of network address matching in the security policy.
Embodiments
The core idea of the present invention is: a domain name resource is referenced in the network security policy; the domain name resource maintains the correspondence between a domain name and its corresponding network addresses, and this correspondence can be updated as the real network environment changes; when the security policy is enforced, the network addresses resolved in the domain name resource are used to match network packets, which are then processed according to the policy.
Based on this core idea and with reference to Fig. 1, the specific embodiment of the present invention is:
Step 1: establish the correspondence between domain names and network addresses, and maintain that correspondence dynamically.
In this embodiment the invention is realised by establishing and maintaining domain name resources, as follows:
A) Establishing a domain name resource:
The attributes defined in a domain name resource may include: the name of the domain name resource, i.e. the commonly used name of a particular domain; the domain name, which may consist of ASCII characters or be a Chinese domain name (when a site has a Chinese domain name, it is usually the same as the resource name); static network addresses, i.e. network addresses added manually; the primary and secondary name servers, i.e. the server addresses used to resolve the domain name's network addresses dynamically; dynamic resolution, i.e. whether the function of dynamically obtaining the domain name's network addresses is enabled; the resolution interval, i.e. the time interval at which the domain name's network addresses are obtained dynamically; the expiry period, i.e. the interval after which a dynamically obtained domain-name-to-network-address correspondence expires; and the maximum record number, i.e. the maximum number of network addresses held per domain name.
Before the security policy is enforced, the user can add domain name resources and edit their attributes, for example adding static network addresses or enabling dynamic resolution; the user can likewise delete domain name resources that have already been created.
B) Dynamically obtaining the network addresses corresponding to a domain name, by either of the following methods:
B1) The domain name resource method actively requests the domain name's network addresses from a name server. If dynamic resolution was enabled when the domain name resource was created, the domain name resource method sends a request for the domain name to the name server when the resource is added and, once the resource has been created, periodically requests the network addresses corresponding to the resource's domain name. The name servers used are the primary and secondary name servers defined in the resource's attributes; if none are defined, the security device's own name server address is used.
B2) The kernel module of the network security device analyses domain name server (DNS) protocol packets passing through the network device and obtains from them the correspondence between domain names and network addresses.
C) Maintaining the correspondence between domain names and network addresses:
The domain name resource method maintains one domain-name-to-network-address mapping table in user space and one in kernel space, and keeps the two tables updated synchronously. As shown in Fig. 2, the user space and the kernel space of the network security device each hold a domain name and network address mapping table 21; functional unit 22 represents the security policy or other functional modules that reference the domain name resource and thereby obtain the network-address-to-domain-name correspondence from mapping table 21; the user-space unit contains an automatic domain name resolution and update unit 23, which maintains and updates the correspondence in mapping table 21 and keeps the kernel-space and user-space copies of mapping table 21 updated synchronously.
In the mapping table of domain names and network addresses, the network addresses corresponding to a domain name comprise static network addresses added manually and dynamic network addresses obtained by resolution. As described above, when dynamic resolution is enabled for a domain name resource, the dynamic network addresses of each domain name are resolved automatically at regular intervals to establish their correspondence with the domain name; and when the correspondence between a dynamic network address and the domain name is not refreshed within the preset period, that dynamic network address is deleted from the domain name resource. The automatic resolution interval of each domain name and the survival period of its dynamic network addresses can be set to different values.
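Part B2 above has the kernel module learn correspondences from DNS protocol packets. As an added Python example that is not part of the patent, the parser below reads one DNS response and attributes its A records to the queried name, chasing any CNAME so the addresses land on the name the policy references rather than on the canonical name; the names, addresses and response bytes are constructed sample data.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

@dataclass
class ARecord:
    owner: str       # owner name of the A record
    address: str     # dotted IPv4 address
    ttl: int         # TTL in seconds, a natural source for the expiry period

def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a DNS name at msg[off:], following RFC 1035 compression pointers.
    Returns (name, offset just past the name in the original byte stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: compression pointer
            if end is None:
                end = off + 2                           # the name occupies 2 bytes here
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:                                 # root label terminates the name
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels), (end if end is not None else off)

def learn_from_dns_response(msg: bytes) -> dict[str, list[ARecord]]:
    """Map each queried name to its A records, chasing CNAMEs so the addresses are
    attributed to the name the policy references rather than the canonical name."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000 or flags & 0x000F:            # not a response, or RCODE != NOERROR
        return {}
    off, qnames = 12, []
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        qnames.append(qname)
        off += 4                                        # skip QTYPE and QCLASS
    cname: dict[str, str] = {}                          # alias -> canonical name
    a_by_owner: dict[str, list[ARecord]] = {}
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata_off = off
        off += rdlen
        if rclass != 1:                                 # only class IN
            continue
        if rtype == 1 and rdlen == 4:                   # A record
            ip = ".".join(str(b) for b in msg[rdata_off:rdata_off + 4])
            a_by_owner.setdefault(owner, []).append(ARecord(owner, ip, ttl))
        elif rtype == 5:                                # CNAME record
            cname[owner] = _read_name(msg, rdata_off)[0]
    result: dict[str, list[ARecord]] = {}
    for q in qnames:
        target, seen = q, set()
        while target in cname and target not in seen:   # follow the alias chain once
            seen.add(target)
            target = cname[target]
        if target in a_by_owner:
            result[q] = a_by_owner[target]
    return result

def _name(n: str) -> bytes:
    """Encode a dotted name in DNS label format."""
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"

def build_sample_response() -> bytes:
    """Constructed sample response (not captured traffic): www.example.com is a CNAME for
    web.example.net, which has two A records; the A owners point into the CNAME rdata."""
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, 3, 0, 0)   # QR=1, RD/RA=1, QD=1, AN=3
    msg += _name("www.example.com") + struct.pack("!HH", 1, 1)
    target = _name("web.example.net")
    target_off = len(msg) + 2 + 10                           # pointer (2) + fixed RR fields (10)
    msg += b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(target)) + target
    ptr = struct.pack("!H", 0xC000 | target_off)
    for ip, ttl in (("192.0.2.10", 60), ("192.0.2.11", 120)):
        msg += ptr + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return msg

if __name__ == "__main__":
    for name, records in learn_from_dns_response(build_sample_response()).items():
        print(name, [(r.address, r.ttl) for r in records])
```

A responder that only recorded the A record's own owner would file these addresses under web.example.net and the rule referencing www.example.com would never match them.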
Step 2: configure the security policy and reference domain names in it. Security policies suited to the network environment are formulated according to the user's requirements; the present invention does not restrict how the security policy is formulated. In the security policy, a domain name resource is referenced by its resource name. Other modules in the network security device reference domain name resources according to their own needs.
Step 3: obtain the network address carried in the packet. Packets transmitted in the network carry a source address and a destination address identified by network addresses; those skilled in the art can obtain the network addresses in the packet by prior-art means.
Step 4: match the network address carried in the packet against the network addresses corresponding to the domain name. When the security policy or another functional module references a domain name resource and the policy takes effect, the corresponding network addresses are looked up, by domain name resource name or resource sequence number, in the domain-name-to-network-address mapping table maintained in the user space or the kernel space of the network security device, and the network address carried in the packet is matched against them.
With reference to Fig. 3, in this embodiment: in step 31 the network security device receives a packet; in step 32 it extracts the network address from the packet; having obtained the network address, it performs step 33, judging whether the security policy references a domain name resource; if so, step 34 obtains the network addresses from the domain name resource mapping table and step 35 matches the network address carried in the packet against those addresses; if step 33 finds that no domain name resource is referenced, step 36 matches the network address carried in the packet against the network addresses in the security policy.
Step 5: process the packet according to the matching result and the security policy, for example dropping or forwarding it as the policy specifies.
The method for implementing the security policy of a network security device provided by the present invention has been described above in detail. Specific examples have been used to explain the principle and embodiments of the invention; the description of the above embodiments is only intended to help understand the method of the present invention and its core idea. Those of ordinary skill in the art may, in accordance with the idea of the invention, vary both the specific embodiments and the scope of application, and this description should therefore not be construed as limiting the invention.
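Steps 1 to 5 and the Fig. 3 decision flow, as an added Python model that is not part of the patent: a domain name resource carries the A) attributes (static addresses, dynamic resolution, resolution interval, expiry period, maximum record number), a rule references it by resource name, and a server that moves to a new address is accepted after the next re-resolution without the rule being edited. The resolver is a constructed stand-in for the name server, and a single table represents the synchronized user-space and kernel-space copies.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Iterable

@dataclass
class DomainNameResource:
    """A domain name resource with the attributes the description lists under A)."""
    name: str                                    # resource name the policy references
    domain: str                                  # domain name being resolved
    static_addresses: set[str] = field(default_factory=set)  # added manually, never expire
    dynamic_resolution: bool = True              # enable B1 active queries
    resolve_interval: float = 300.0              # seconds between active name-server queries
    expiry_period: float = 900.0                 # dynamic entry dropped if not refreshed in time
    max_records: int = 8                         # cap on dynamic addresses per domain name
    _dynamic: dict[str, float] = field(default_factory=dict)  # address -> last refresh time
    _last_resolved: float = float("-inf")

    def learn(self, addresses: Iterable[str], now: float) -> None:
        """Record addresses from an active query (B1) or a sniffed DNS response (B2)."""
        for addr in addresses:
            if addr in self._dynamic or len(self._dynamic) < self.max_records:
                self._dynamic[addr] = now        # a refresh keeps the entry alive

    def resolve(self, resolver: Callable[[str], list[str]], now: float) -> None:
        """B1: query the name server once the resolution interval has elapsed."""
        if self.dynamic_resolution and now - self._last_resolved >= self.resolve_interval:
            self.learn(resolver(self.domain), now)
            self._last_resolved = now

    def addresses(self, now: float) -> set[str]:
        """C): purge dynamic entries past the expiry period, then return static + dynamic."""
        self._dynamic = {a: t for a, t in self._dynamic.items() if now - t < self.expiry_period}
        return self.static_addresses | set(self._dynamic)

@dataclass
class Rule:
    action: str                  # "accept" or "drop"
    src: str | None = None       # CIDR or a domain name resource name; None matches any
    dst: str | None = None

class PolicyEngine:
    """Steps 31-36 of Fig. 3; one table stands in for the synchronized user/kernel copies."""
    def __init__(self, resources: dict[str, DomainNameResource], rules: list[Rule],
                 default_action: str = "drop") -> None:
        self.resources, self.rules, self.default_action = resources, rules, default_action

    def _match(self, pattern: str | None, addr: str, now: float) -> bool:
        if pattern is None:
            return True
        if pattern in self.resources:            # step 33 yes: steps 34/35 use the resource table
            return addr in self.resources[pattern].addresses(now)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)  # step 36

    def process(self, src: str, dst: str, now: float) -> str:
        """Steps 31/32 (receive, extract addresses) are assumed done; first matching rule wins."""
        for rule in self.rules:
            if self._match(rule.src, src, now) and self._match(rule.dst, dst, now):
                return rule.action               # step 5: act on the matching result
        return self.default_action

def demo() -> list[str]:
    """Walk one resource through learning, a server move and expiry; returns the decisions."""
    res = DomainNameResource("update_server", "updates.example.com",
                             static_addresses={"198.51.100.5"}, max_records=4)
    engine = PolicyEngine({"update_server": res},
                          [Rule("accept", src="10.0.0.0/8", dst="update_server")])
    answers = {"updates.example.com": ["192.0.2.10"]}   # constructed stand-in for the name server
    resolver = lambda d: answers[d]
    out = []
    res.resolve(resolver, now=0)
    out.append(engine.process("10.1.2.3", "192.0.2.10", now=10))    # accept: dynamic address
    out.append(engine.process("10.1.2.3", "198.51.100.5", now=10))  # accept: static address
    out.append(engine.process("10.1.2.3", "203.0.113.7", now=10))   # drop: unknown address
    answers["updates.example.com"] = ["203.0.113.7"]                 # the server moved
    res.resolve(resolver, now=100)                                   # interval not elapsed: no query
    out.append(engine.process("10.1.2.3", "203.0.113.7", now=100))  # drop: table still old
    res.resolve(resolver, now=300)                                   # re-resolved, rule untouched
    out.append(engine.process("10.1.2.3", "203.0.113.7", now=310))  # accept
    out.append(engine.process("10.1.2.3", "192.0.2.10", now=310))   # accept: old entry not yet expired
    out.append(engine.process("10.1.2.3", "192.0.2.10", now=1000))  # drop: not refreshed for 900 s
    return out

if __name__ == "__main__":
    print(demo())
```

The last two decisions show the trade-off the expiry period controls: until the old entry ages out, traffic to the address the server left is still accepted.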

Claims (8)

1. A method for implementing a security policy, characterized in that it comprises:
1) establishing a correspondence between domain names and network addresses;
2) configuring the security policy and referencing domain names in it;
3) obtaining the network address carried in a data packet;
4) matching the network address carried in the packet against the network addresses corresponding to the domain name;
5) processing the packet according to the matching result and the security policy.
2. The method for implementing a security policy according to claim 1, characterized in that:
step 2) further comprises configuring the security policy with network addresses; and
step 3) further comprises checking whether the network address carried in the packet is defined in the security policy; if not, step 4) is performed, otherwise the network address defined in the security policy is used for matching and step 5) is performed.
3. The method for implementing a security policy according to claim 1, characterized in that establishing the correspondence in step 1) specifically comprises:
the network security device requesting from a server the network address corresponding to a domain name;
the server resolving the domain name and returning to the network security device the correspondence between the resolved network address and the domain name.
4. The method for implementing a security policy according to claim 3, characterized in that:
the network security device requests the network address corresponding to the domain name from the server periodically.
5. The method for implementing a security policy according to claim 1, characterized in that establishing the correspondence in step 1) specifically comprises:
the network security device analysing domain name service protocol packets passing through the network device and obtaining from them the correspondence between domain names and network addresses.
6. The method for implementing a security policy according to any one of claims 3 to 5, characterized in that step 1) further comprises:
if the obtained correspondence between the network address and the domain name is not refreshed within a preset period, deleting that correspondence.
7. The method for implementing a security policy according to any one of claims 1 to 5, characterized in that:
the correspondence between domain names and network addresses is established in both the user space and the kernel space of the network security device.
8. The method for implementing a security policy according to claim 7, characterized in that:
the correspondence between domain names and network addresses in the user space and the kernel space is updated synchronously.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2005100691301A CN1863193B (en) 2005-05-10 2005-05-10 Method for implementing safety tactics of network safety apparatus

Publications (2)

Publication Number Publication Date
CN1863193A true CN1863193A (en) 2006-11-15
CN1863193B CN1863193B (en) 2010-10-13

Family

ID=37390521

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1232922C (en) * 2002-02-20 2005-12-21 华北计算机系统工程研究所 Method for improving fire wall performance
CN1204719C (en) * 2002-06-12 2005-06-01 华为技术有限公司 Method for realizing domain name system address convertion applied gateway based on inner server
CN1298141C (en) * 2004-05-20 2007-01-31 中国科学院软件研究所 Safety platform for network data exchange

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1859384B (en) * 2005-12-29 2011-02-02 华为技术有限公司 Method for controlling user's message passing through network isolation device
US9369345B2 (en) 2011-11-11 2016-06-14 Pismo Labs Technology Limited Method and system for allowing the use of domain names in enforcing network policy
WO2013068789A1 (en) * 2011-11-11 2013-05-16 Pismo Labs Technology Ltd. Method and system for allowing the use of domain names in enforcing network policy
CN103621044A (en) * 2011-11-11 2014-03-05 柏思科技有限公司 Method and system for allowing the use of domain names in enforcing network policy
CN103621044B (en) * 2011-11-11 2017-12-12 柏思科技有限公司 Allow the method and system that domain name is used during network strategy is carried out
US10666771B2 (en) 2013-08-05 2020-05-26 Pismo Labs Technology Limited Method and system for allowing the use of domain name based network policies stored in a second device in enforcing network policy at a first device
CN104753857A (en) * 2013-12-26 2015-07-01 华为技术有限公司 Network flow control equipment and security policy configuration method and device thereof
CN104753857B (en) * 2013-12-26 2018-03-09 华为技术有限公司 Control of network flow quantity equipment and its security policy configuration method and device
US10051007B2 (en) 2013-12-26 2018-08-14 Huawei Technologies Co., Ltd. Network traffic control device, and security policy configuration method and apparatus thereof
WO2015096580A1 (en) * 2013-12-26 2015-07-02 华为技术有限公司 Network flow control device, and security strategy configuration method and device thereof
CN104994108A (en) * 2015-07-14 2015-10-21 中国联合网络通信集团有限公司 URL filtering method, device and system
CN106789959A (en) * 2016-12-01 2017-05-31 北京锐安科技有限公司 A kind of data safe processing device and processing method
WO2024001998A1 (en) * 2022-06-29 2024-01-04 华为技术有限公司 Security policy processing method and related apparatus

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: BEIJING LEADSEC INFORMATION TECHNOLOGY CO., LTD.

Free format text: FORMER NAME: LEADSEC TECHNOLOGY (BEIJING) CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 100086, room 801-810, CLP information building, 6 South Avenue, Beijing, Haidian District, Zhongguancun

Patentee after: Beijing Leadsec Technology Co.,Ltd.

Address before: 100086, room 801-810, CLP information building, 6 South Avenue, Beijing, Haidian District, Zhongguancun

Patentee before: Lenovo Wangyu Technology (Beijing) Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20101013

Termination date: 20150510

EXPY Termination of patent right or utility model