WO2020232785A1 - Device security policy configuration method and apparatus - Google Patents


Info

Publication number
WO2020232785A1
Authority
WO
WIPO (PCT)
Prior art keywords
policy
target
configuration
parameter
parameters
Application number
PCT/CN2019/091873
Other languages
French (fr)
Chinese (zh)
Inventor
郭云川
李凤华
李凌
李勇俊
耿魁
房梁
Original Assignee
中国科学院信息工程研究所
Application filed by 中国科学院信息工程研究所
Publication of WO2020232785A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/54 Presence management, e.g. monitoring or registration for receipt of user log-on information, or the connection status of the users

Definitions

  • This application relates to the technical field of computer network security, and more specifically, to a method and device for configuring a device security policy.
  • Because the devices in a network come from different manufacturers, each has its own configuration commands with differing command syntax and semantics. When a large number of devices must be configured, these differing syntaxes and semantics therefore have to be accommodated.
  • The commonly used one-by-one configuration method requires administrators to learn the different configuration command syntaxes and semantics and to configure each device in turn through the command-line interface (CLI) that the device provides.
  • This method requires the administrator to learn a large number of configuration syntaxes, so the labour cost is high; and when the same policy must be configured on multiple devices, the administrator has to repeat many identical operations, which is inefficient. As a result, when a network threat occurs, security policies may not be configured on the devices in a timely and effective manner, with unpredictable consequences.
  • In view of this, embodiments of the present application provide a method and apparatus for configuring a device security policy.
  • In a first aspect, an embodiment of the present application provides a method for configuring a device security policy, including:
  • constructing, according to a target configuration requirement, a normalized policy corresponding to that requirement based on a unified policy description language, the normalized policy including a policy type, at least one target device and at least one configuration parameter;
  • for any target device in the normalized policy, obtaining a policy template corresponding to that target device from a policy template library according to the policy type in the normalized policy, the policy template including at least one command line;
  • In another aspect, an embodiment of the present application provides an apparatus for configuring a device security policy, including:
  • a normalized policy construction module, configured to construct, according to a target configuration requirement, a normalized policy corresponding to that requirement based on the unified policy description language, the normalized policy including a policy type, at least one target device and at least one configuration parameter;
  • a policy template obtaining module, configured to obtain, for any target device in the normalized policy, the policy template corresponding to that target device from a policy template library according to the policy type in the normalized policy, the policy template containing at least one command line;
  • a parameter and command line determination module, configured to verify the normalized policy against the policy template using the policy verification rule and, if the verification passes, to screen all configuration parameters in the normalized policy according to the policy template, take each configuration parameter that remains after screening as a target parameter, and obtain the target command lines from all command lines in the policy template according to all target parameters;
  • a policy conversion and configuration module, configured to convert all target command lines according to all target parameters using the policy conversion rule, generate the configuration policy corresponding to the target device, and configure the target device according to that configuration policy.
  • In another aspect, an embodiment of the present application provides an electronic device including a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the program, the steps of the method provided in the first aspect are implemented.
  • In another aspect, an embodiment of the present application provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method provided in the first aspect.
  • The device security policy configuration method and apparatus provided by the embodiments of the present application construct a normalized policy based on the unified policy description language according to the target configuration requirement, obtain the policy template corresponding to the target device from the policy template library, screen the target parameters out of all configuration parameters in the normalized policy according to that policy template, obtain the target command lines from all command lines in the policy template according to all target parameters, convert all target command lines according to all target parameters to generate the configuration policy corresponding to the target device, and finally deliver and configure that configuration policy on the target device.
  • The method and apparatus do not require the administrator to learn the syntax and semantics of different configuration commands, which reduces labour cost; and the administrator only needs to issue the configuration requirement once, which avoids repeated operations, improves the efficiency of configuring device security policies and ensures that a security policy can be configured on the devices in time.
  • FIG. 1 is a schematic flowchart of a method for configuring a device security policy according to an embodiment of the application;
  • FIG. 2 is a state transition diagram of a target device in a method for configuring a device security policy according to an embodiment of the application;
  • FIG. 3 is a schematic structural diagram of a device security policy configuration apparatus according to an embodiment of the application;
  • FIG. 4 is a schematic diagram of the physical structure of an electronic device according to an embodiment of the application.
  • FIG. 1 is a schematic flowchart of a method for configuring a device security policy according to an embodiment of the application. As shown in FIG. 1, an embodiment of the application provides a method for configuring a device security policy, including:
  • S1: Construct, according to the target configuration requirement, a normalized policy corresponding to that requirement based on the unified policy description language; the normalized policy includes a policy type, at least one target device and at least one configuration parameter.
  • The command line formats of devices from different manufacturers, of different types and of different versions differ, as do the number of parameters and the number of command lines that make up a complete configuration behaviour.
  • Taking a complete configuration behaviour as the unit, the embodiment of the present application analyses the configuration command lines of various manufacturers and summarizes the differences in four aspects: differences in symbol expression, differences in keyword expression, differences in parameter format, and differences in the number of parameters and command lines.
  • A difference in symbol expression means that different manufacturers use different symbols to express the same meaning.
  • A difference in keyword expression means that different manufacturers use different keywords to express the same meaning.
  • A difference in parameter format means that different manufacturers use different formats to express the same parameter.
  • A difference in the number of parameters and command lines means that different manufacturers use different numbers of parameters and command lines to achieve the same configuration behaviour.
  • For example, TOPSEC uses the "<>" symbol and Huawei uses a different symbol (not legible in the source) to indicate enumerated parameters;
  • TOPSEC uses the keyword "ipaddr" and Huawei the keyword "destination-address" to introduce the destination IP address parameter;
  • TOPSEC and Huawei use the "accept
  • TOPSEC uses 11 parameters and three related command lines to implement the packet filtering function, while Huawei uses 17 parameters and 8 related command lines to implement the same function.
  • To accommodate these differences in configuration command formats, the embodiment of the present application designs a unified policy description language.
  • The above four differences are unified as follows:
  • Keyword encoding: each parameter with a fixed meaning is assigned a code. Compared with a string representation, the coded representation is more easily recognized and parsed by a computer.
  • Unified parameter format: different devices use different representations for the same parameter value. The embodiment of the present application defines three representation formats, enumerated, string and numeric, and thereby unifies the parameter representation format.
  • Capability encoding: the parameters of the same capability are grouped into a set and all capabilities are uniformly coded, so a parameter can be uniquely identified by its capability code together with its parameter code.
  • This retains the individual characteristics of different devices, lays a foundation for precise policy configuration and helps make fuller use of each device's capabilities.
  • The redundancy of the parameter set is reduced by deleting parameters with duplicate semantics and replacing parameters without special meaning with necessary parameters.
  • A normalized policy corresponding to the target configuration requirement can then be constructed from that requirement based on the above unified policy description language.
  • The normalized policy includes a policy type, at least one target device and at least one configuration parameter.
  • The normalized policy may also include the policy generator; this can be set according to actual needs and is not specifically limited here.
  • Table 2 is used to describe the normalized policy of the embodiment of the present application in detail; it shows an example of the normalized policy format provided by the embodiments of this application.
  • The keyword "PolicyType" identifies the policy type; the keyword "PolicyObject" identifies the policy generator; the keyword "PolicySubject" identifies the target device, that is, the object on which the policy is configured; and the keyword "PolicyParameter" identifies the configuration parameters.
  • Each configuration parameter is represented by a code: for example, "Parameter1_SerialNum", "Parameter2_SerialNum" and "Parameter3_SerialNum" are the codes of parameter 1, parameter 2 and parameter 3 respectively.
  • Each parameter is followed by its value. For example, "P1_Enum_value1" and "P1_Enum_value2" are the values of "Parameter1_SerialNum"; their type is enumerated, meaning the parameter can take only one of these two values. "P2_String_value" is the value of "Parameter2_SerialNum", expressed as a string, and "P3_Num_value" is the value of "Parameter3_SerialNum", expressed as a number.
  • Policies in the embodiments of this application include, but are not limited to, any one or more of: packet filtering policies, routing policies, device shutdown policies, device restart policies, service shutdown policies, service restart policies, service migration policies, data backup policies, connection reset policies (RST), connection close policies (FIN), vulnerability repair policies, process kill policies, registry modification policies, user permission modification policies, file access permission modification policies, user password modification policies and password resource operation policies.
  • Target devices in the embodiments of this application include, but are not limited to, any one or more of: firewalls, routers, access gateways, Internet gateways, content filtering devices, terminals (fixed, mobile and satellite terminals), servers, cryptographic devices, authentication devices, VPNs, honeypots, switches, modems, hubs and bridges.
  • S2: The policy template corresponding to the target device is obtained from the policy template library according to the target device itself and the policy type in the normalized policy.
  • Policy templates of different policy types for different devices are stored in advance in the policy template library.
  • Devices, policy types and policy templates are associated with one another and stored in the policy template library in advance; the policy template corresponding to the target device can therefore be obtained from the library according to the target device itself and the policy type in the normalized policy.
  • A policy template in the policy template library is the set of command lines used to configure one policy type on one device, that is, each policy template in the library contains at least one command line.
  • The policy template obtained through the foregoing step is thus the set of command lines with which the target device configures the normalized policy.
  • To configure the normalized policy on the target device, the command lines in the policy template have to be used.
  • S3: The normalized policy is verified against the policy template using the policy verification rule; if the verification passes, the target device is able to configure the normalized policy effectively.
  • Because the normalized policy may be issued to several target devices, the configuration parameters it contains are the union of the configuration parameters required by all of those target devices to configure it.
  • A target parameter is a parameter that the target device requires in order to configure the normalized policy.
  • The target parameters may lack a required and/or optional parameter of some command line in the policy template, in which case that command line cannot be configured effectively.
  • Therefore, the target command lines are obtained from all command lines in the policy template according to all target parameters, so that every parameter (mandatory and optional) of each target command line is among the target parameters, which ensures that each target command line can be configured effectively.
  • S4: Use the policy conversion rule to convert all target command lines according to all target parameters, generate the configuration policy corresponding to the target device, and configure the target device according to that configuration policy.
  • Converting all target command lines according to all target parameters with the policy conversion rule means filling each target parameter into its corresponding position in the target command line, thereby completing the conversion of that command line.
  • The configuration policy corresponding to the target device is the set of command lines that the target device can recognize and that realizes the configuration of the normalized policy.
  • Configuring the target device according to the configuration policy means delivering the configuration policy to the target device and applying it there.
  • When the administrator needs to configure a certain type of security policy on one or more target devices, the administrator only has to issue a target configuration requirement containing the policy type, the target devices and the configuration parameters.
  • The target configuration requirement is converted into a configuration policy that each target device can recognize, and that configuration policy is finally issued to and configured on each target device.
  • The administrator does not need to learn different configuration command syntaxes and semantics, which reduces labour cost; and the administrator only needs to issue the configuration requirement once, which avoids repeated operations, improves the efficiency of configuring device security policies and ensures that security policies can be configured on devices in time.
  • In summary, the device security policy configuration method constructs a normalized policy based on the unified policy description language according to the target configuration requirement, obtains the policy template corresponding to the target device from the policy template library, screens the target parameters out of all configuration parameters in the normalized policy according to that policy template, obtains the target command lines from all command lines in the policy template according to all target parameters, converts all target command lines according to all target parameters to generate the configuration policy corresponding to the target device, and finally delivers and configures that configuration policy on the target device.
  • This method does not require the administrator to learn the syntax and semantics of different configuration commands, which reduces labour cost; and the administrator only needs to issue the configuration requirement once, which avoids repeated operations, improves the efficiency of configuring device security policies and ensures that the security policy is configured on the devices in time.
  • In a further embodiment, a device security policy configuration method is provided in which, before the policy template corresponding to the target device is obtained from the policy template library, the method further includes: taking a policy type as the target policy type; obtaining all command lines corresponding to the target policy type from the device manual corresponding to the target device; converting all command lines corresponding to the target policy type based on the unified policy description language and combining all the converted command lines into a policy template; and storing the target device, the target policy type and the policy template in association in the policy template library.
  • The specific implementation process is as follows:
  • Each policy type that the target device is allowed to configure is taken in turn as the target policy type.
  • All command lines corresponding to the target policy type are obtained from the device manual corresponding to the target device.
  • The command lines corresponding to the target policy type are all the command lines involved when the target device configures that policy type.
  • The command lines corresponding to the target policy type may also be obtained from databases other than the device manual; this can be set according to actual requirements and is not specifically limited here.
  • All command lines corresponding to the target policy type are then converted based on the unified policy description language, that is, the keywords, symbols and parameter formats in those command lines are unified using the unified policy description language. The specific conversion steps are as follows:
  • Prompt strings: a prompt string is a string in a command line that the device does not need to recognize; it indicates to the user where a parameter is to be filled in.
  • In each command line, the non-bold, italic strings are prompt strings.
  • For example, "hostname" in the first TOPSEC (Tianrongxin) command line prompts the user to enter the IP address name parameter at that position.
  • The device does not recognize this string. Different manufacturers may use different strings to indicate information with the same meaning, and these strings need not be transmitted to the device.
  • Therefore, based on the unified policy description language, the embodiment of the present application uses parameter codes in place of these complex and variable strings.
  • Prompt symbols: a prompt symbol is a symbol in a command line that the device does not need to recognize; it prompts the user with related information. For example, "#" marks the beginning of a command line, and the Huawei firewall uses a dedicated symbol (not legible in the source) to mark enumerated parameters. Different manufacturers may use different symbols to identify information with the same meaning, and these symbols need not be transmitted to the device. Therefore, based on the unified policy description language, the embodiment of the present application defines seven symbols that uniformly identify the corresponding meanings: "#", "@", "%", "[]", "<>", an enumeration symbol and a separator symbol (the last two are not legible in the source).
  • The "#" symbol identifies a required command line.
  • The "@" symbol identifies an optional command line.
  • The "%" symbol identifies the position of a parameter.
  • The "[]" symbol identifies an optional parameter.
  • The "<>" symbol identifies the target format of a parameter.
  • The enumeration symbol identifies a required parameter of enumerated type.
  • The separator symbol separates enumerated parameter values or target formats.
  • Parameter format: the parameter format is the form in which a parameter is expressed.
  • The parameter formats recognized by different manufacturers' devices differ.
  • For example, for the action parameter in the packet filtering configuration command line, the TOPSEC firewall uses the "accept" keyword to admit data packets, while the Huawei firewall uses the "permit" keyword;
  • and where the TOPSEC firewall uses the format "xx:xx:xx:xx:xx:xx", the Huawei firewall uses the format "xx-xx-xx-xx-xx-xx".
  • Therefore, based on the unified parameter format of the unified policy description language, the embodiment of the present application formulates target format information for each parameter that needs conversion and writes it inside the "<>" symbol after the corresponding parameter code in the template command line. If the parameter format recognized by the target device is the same as the parameter format of the unified policy description language, no "<>" symbol or target format information is needed after that parameter code.
  • Each command line has its own definite function, and in actual use some command lines may be used several times. The command lines in the conversion template are therefore not simply the set of command lines given by the device manufacturer; the template may contain several command lines with the same function. For example, in the packet filtering policy command line set of the TOPSEC firewall, the command line that defines an IP address does not restrict how that address is used, so it can define either the source IP address or the destination IP address. The conversion template should therefore contain two such command lines, with the parameter prompt string replaced by the source IP address parameter code in one and by the destination IP address parameter code in the other.
  • In this way all command lines corresponding to the target policy type can be converted, and all the converted command lines are combined into the policy template corresponding to the target policy type.
  • The target device, the target policy type and the policy template are then associated and stored in the policy template library, so that the policy template corresponding to the target device can later be obtained from the library according to the policy type in the normalized policy.
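As an added example (not code from the patent), the following Python parses template lines written in the seven-symbol notation described above into the kind of structure the later steps work on: line kind, parameter codes with their positions, optional markers and target formats. The template lines, parameter codes and the `dotted-ip` target format are constructed for the example; because the enumeration and separator symbols are not legible in the source, the example assumes `{...}` and `|` for them.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed policy template in the seven-symbol notation the text describes:
# "#" required line, "@" optional line, "%" parameter position, "[]" optional
# parameter, "<>" target format. The enumeration and separator symbols are not
# legible in the source, so this example ASSUMES "{...}" and "|" for them.
SAMPLE_TEMPLATE = """\
# firewall policy name %P1_Name
# source-address %P2_SrcIP<dotted-ip>
@ destination-address %P3_DstIP<dotted-ip>
# action %P4_Action{permit|deny}
@ source-mac %P5_Mac<xx-xx-xx-xx-xx-xx> [%P6_Comment]
"""


@dataclass
class Param:
    code: str                      # unified parameter code, e.g. "P2_SrcIP"
    optional: bool                 # True when wrapped in "[]"
    fmt: Optional[str] = None      # target format from "<>"; None = device format equals unified format
    enum: List[str] = field(default_factory=list)  # device-side enumeration values


@dataclass
class CommandLine:
    required: bool                 # "#" -> required line, "@" -> optional line
    text: str                      # line with symbols stripped, "%CODE" placeholders kept
    params: List[Param]


# One parameter occurrence: optional "[", "%", code, optional "<fmt>", optional "{a|b}", optional "]".
PARAM_RE = re.compile(r"(\[)?%(\w+)(?:<([^>]*)>)?(?:\{([^}]*)\})?(\])?")


def parse_line(line: str) -> CommandLine:
    """Parse one template line into its kind, cleaned text and parameter list."""
    line = line.strip()
    if not line or line[0] not in "#@":
        raise ValueError(f"command line must start with '#' or '@': {line!r}")
    params: List[Param] = []

    def collect(m: "re.Match[str]") -> str:
        opening, code, fmt, enum, closing = m.groups()
        if bool(opening) != bool(closing):          # "[%P" without "]" or vice versa
            raise ValueError(f"unbalanced '[]' around %{code}")
        params.append(Param(code, bool(opening), fmt, enum.split("|") if enum else []))
        return f"%{code}"                            # keep only the parameter position

    text = PARAM_RE.sub(collect, line[1:].strip())
    return CommandLine(required=(line[0] == "#"), text=text, params=params)


def parse_template(text: str) -> List[CommandLine]:
    """Parse a whole template; blank lines are ignored."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def required_codes(template: List[CommandLine]) -> List[str]:
    """Codes of non-optional parameters on required lines: what a policy must at least carry."""
    return [p.code for cl in template if cl.required for p in cl.params if not p.optional]


if __name__ == "__main__":
    for cl in parse_template(SAMPLE_TEMPLATE):
        print(cl)
```

`parse_template(SAMPLE_TEMPLATE)` yields five `CommandLine` objects; the last one carries `P5_Mac` with its target format and `P6_Comment` flagged optional, and an unbalanced `[` raises instead of silently producing a malformed template.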
  • In a further embodiment, a method for configuring a device security policy is provided in which verifying the normalized policy against the policy template using the policy verification rule specifically comprises: obtaining all mandatory parameters, and the dependent parameters corresponding to each mandatory parameter, from all command lines of the policy template; determining whether the normalized policy includes all mandatory parameters and all dependent parameters; if it does, the normalized policy passes verification; if it does not, the normalized policy fails verification.
  • The normalized policy is verified against the policy template using the policy verification rule as follows:
  • All mandatory parameters, and the dependent parameters corresponding to each mandatory parameter, are obtained from all command lines of the policy template, and on that basis it is determined whether the normalized policy includes all mandatory parameters and all dependent parameters. If it includes all of them, the normalized policy passes verification, meaning the target device can configure it; if it does not include all of them, the normalized policy fails verification, meaning the target device cannot be configured with it.
  • By using the policy verification rule to verify the normalized policy against the policy template, and so determining whether the target device can configure the normalized policy, the method provided by the embodiment of the present application effectively reduces the probability of policy configuration failure.
  • In a further embodiment, a method for configuring a device security policy is provided in which screening all configuration parameters in the normalized policy according to the policy template specifically comprises: for any configuration parameter in the normalized policy, if the policy template does not contain that configuration parameter, deleting it from the normalized policy; obtaining all optional parameters, and the dependent parameters corresponding to each optional parameter, from all command lines in the policy template; and for any optional parameter, if the normalized policy includes the optional parameter but not the dependent parameters corresponding to it, deleting the optional parameter from the normalized policy.
  • Because the configuration parameters in the normalized policy are the union of those required by several target devices, the normalized policy may contain parameters that the target device's policy template does not use.
  • For any configuration parameter in the normalized policy, if the policy template does not contain it, the configuration parameter is deleted from the normalized policy.
  • Then all optional parameters, and the dependent parameters corresponding to each optional parameter, are obtained from all command lines of the policy template.
  • For any optional parameter, if the normalized policy includes the optional parameter but does not include the dependent parameters corresponding to it, the optional parameter is deleted from the normalized policy. After these screening steps, each configuration parameter remaining in the normalized policy is taken as a target parameter.
  • a method for configuring a device security policy is provided.
  • the target command lines are obtained from all the command lines in the policy template according to all target parameters, specifically: for any command line in the policy template, if all required parameters in the command line belong to the target parameters, the command line is regarded as a candidate command line; for any candidate command line, the optional parameters that are not target parameters are deleted from the candidate command line to obtain the target command line.
  • if the target parameters do not include a required parameter of a certain command line in the policy template, that command line cannot be effectively configured.
  • the target command lines are obtained from all the command lines in the policy template according to all the target parameters. The specific steps are as follows:
  • for any command line in the policy template, all required parameters in the command line are obtained, and it is determined whether all of them belong to the target parameters. If they do, the command line can be configured and is used as a candidate command line. After all candidate command lines are obtained, it must also be determined whether the optional parameters in the candidate command lines can be configured. For this, in the embodiment of the present application, for any candidate command line, all optional parameters in the candidate command line are obtained, and each is checked to determine whether it belongs to the target parameters; if an optional parameter does not, it is deleted from the candidate command line. That is, the optional parameters that are not target parameters are deleted from the candidate command line. After these optional parameters have been deleted from the candidate command line, the target command line is obtained. It can be understood that the required parameters and optional parameters in the target command line are all target parameters, so that the target command line can be effectively configured.
  • a method for configuring device security policies uses the policy conversion rules to convert all target command lines according to all target parameters. Specifically, for any target command line, each parameter in the target command line is taken as a parameter to be converted, the position of each parameter to be converted in the target command line is obtained as the position to be filled, and the format corresponding to each parameter to be converted in the target command line is obtained as the target format; for any parameter to be converted, the target parameter matching it is obtained from all target parameters as the matching parameter, the matching parameter is converted according to the target format corresponding to the parameter to be converted, and the matching parameter after format conversion is filled into the position to be filled corresponding to the parameter to be converted.
  • all target command lines are converted according to all target parameters by using the policy conversion rules, and the specific conversion steps are as follows:
  • for any target command line, each parameter in the target command line is taken as a parameter to be converted, the position of each parameter to be converted in the target command line is obtained as the position to be filled, and the format corresponding to each parameter to be converted in the target command line is obtained as the target format; thus, the position and corresponding format of each parameter to be converted in the target command line are obtained.
  • for any parameter to be converted, a target parameter matching it is obtained from all target parameters as the matching parameter, and the matching parameter is converted according to the target format corresponding to the parameter to be converted.
  • the matching parameter is a parameter in the normalized policy, and its parameter format cannot be applied to all target devices, whereas the target format corresponding to the parameter to be converted is a parameter format that the target device can recognize; therefore the format of the matching parameter is converted to the target format.
  • for example, the normalized numeric IP address parameter 0x0ca85a10 is converted into the format "192.168.90.10" required by the device, according to the dotted-decimal target format information required by the target device.
  • the matching parameters after format conversion are filled into the positions to be filled corresponding to the parameters to be converted.
  • all the converted target command lines are combined into the configuration strategy corresponding to the target device.
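As an added illustration that is not the patent's own code, the screening, target command line selection and conversion steps above in Python, run against the values of Example 1 below; the dataclass template markup ("{n}" positions, "[...]" optional groups), the vendor command line texts and parameter code 99 are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Parameter codes 1..11 in the order the description lists them.
(ACTION, SIP, SIP_END, SPORT, SPORT_END, DIP, DIP_END,
 DPORT, DPORT_END, PROTO, POLICY_NO) = range(1, 12)

@dataclass
class Param:
    code: int
    fmt: str                          # target format: "ipv4", "enum" or "int"
    required: bool = True             # False = written inside "[]" in the command line
    enum: Dict[int, str] = field(default_factory=dict)
    depends_on: Tuple[int, ...] = ()  # dependent parameters of an optional parameter

@dataclass
class CommandLine:
    text: str                         # "{n}" marks the position to be filled for code n
    params: List[Param]
    required: bool = True             # True: '#' required line, False: '@' optional line

# Constructed template for a hypothetical vendor; not taken from any device manual.
TEMPLATE = [
    CommandLine("rule id {11} action {1}",
                [Param(POLICY_NO, "int"), Param(ACTION, "enum", enum={0: "deny", 1: "permit"})]),
    CommandLine("source-address {2} [range-end {3}]",
                [Param(SIP, "ipv4"), Param(SIP_END, "ipv4", required=False, depends_on=(SIP,))],
                required=False),
    CommandLine("destination-address {6} [range-end {7}]",
                [Param(DIP, "ipv4"), Param(DIP_END, "ipv4", required=False, depends_on=(DIP,))],
                required=False),
    CommandLine("service protocol {10} [source-port {4}] [destination-port {8}]",
                [Param(PROTO, "int"),
                 Param(SPORT, "int", required=False, depends_on=(PROTO,)),
                 Param(DPORT, "int", required=False, depends_on=(PROTO,))],
                required=False),
]

def verify(policy: Dict[int, int], template: List[CommandLine]) -> bool:
    """Policy verification rule: every required parameter of every required command line must be present."""
    return all(p.code in policy for cl in template if cl.required for p in cl.params if p.required)

def screen_parameters(policy: Dict[int, int], template: List[CommandLine]) -> Dict[int, int]:
    """Screening: drop parameters the template lacks, then optional parameters whose dependents are missing."""
    known = {p.code: p for cl in template for p in cl.params}
    targets = {c: v for c, v in policy.items() if c in known}
    for code in list(targets):
        p = known[code]
        if not p.required and not all(d in targets for d in p.depends_on):
            del targets[code]
    return targets

def select_target_lines(targets: Dict[int, int], template: List[CommandLine]):
    """Candidate lines have all required parameters among the targets; non-target optional parameters are cut."""
    lines = []
    for cl in template:
        if not all(p.code in targets for p in cl.params if p.required):
            continue  # a required parameter is missing: this line cannot be configured
        text = cl.text
        for p in cl.params:
            if not p.required and p.code not in targets:
                text = re.sub(r"\s*\[[^\[\]]*\{%d\}[^\[\]]*\]" % p.code, "", text)
        lines.append((text.replace("[", "").replace("]", ""), cl))
    return lines

def to_dotted_decimal(value: int) -> str:
    """Normalized IPv4 integer (e.g. 0x0a0b0c0d) -> device format "10.11.12.13"."""
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def format_value(p: Param, v: int) -> str:
    """Convert a matching parameter to the target format of the parameter to be converted."""
    if p.fmt == "ipv4":
        return to_dotted_decimal(v)
    return p.enum[v] if p.fmt == "enum" else str(v)

def convert(targets: Dict[int, int], lines) -> List[str]:
    """Policy conversion rule: fill every position to be filled with its formatted matching parameter."""
    out = []
    for text, cl in lines:
        params = {p.code: p for p in cl.params}
        out.append(re.sub(r"\{(\d+)\}",
                          lambda m: format_value(params[int(m.group(1))], targets[int(m.group(1))]),
                          text))
    return out

def configure(policy: Dict[int, int], template: List[CommandLine]) -> List[str]:
    """Verify, screen, select and convert; returns the device's configuration policy."""
    if not verify(policy, template):
        raise ValueError("policy verification failed: a required parameter is missing")
    targets = screen_parameters(policy, template)
    return convert(targets, select_target_lines(targets, template))

# Example 1 of the description: permit 10.11.12.13:3344 -> 13.12.11.10:7788, protocol 6,
# policy number 1. Code 99 is constructed noise that the template does not contain.
EXAMPLE_POLICY = {ACTION: 1, SIP: 0x0a0b0c0d, SPORT: 3344, DIP: 0x0d0c0b0a,
                  DPORT: 7788, PROTO: 6, POLICY_NO: 1, 99: "unused"}
```

`configure(EXAMPLE_POLICY, TEMPLATE)` yields the four converted command lines; dropping the protocol number from the policy removes the dependent port parameters and the whole service line, and dropping the action makes verification fail.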
  • a method for configuring a device security policy is provided.
  • the target device is configured according to the configuration policy, specifically: each command line in the configuration policy is issued to and configured on the target device, and the configuration result of each command line is obtained; if the currently obtained configuration result is a failure, the configuration is interrupted or redone, and all the obtained configuration results are fed back to the user for analysis.
  • after the configuration policy corresponding to the target device has been obtained, the target device is configured according to the configuration policy.
  • the specific configuration process is as follows:
  • the configuration result is determined by keyword comparison; that is, the keywords in the device's vendor-specific configuration reply messages are recorded, and the configuration result is determined by comparing the reply against the keywords recorded for the different cases. For example, when a configuration command on a TOPSEC firewall fails, the reply contains the keyword "error" and a specific error code, so the keyword "error" is recorded.
  • if the recorded keyword exists in the configuration reply message, the configuration of the current command line has failed; otherwise the configuration succeeded. On this basis, at any moment, if the currently obtained configuration result is a failure, the configuration is interrupted or redone, and all the obtained configuration results are fed back to the user for analysis.
  • in the process of delivering and configuring the configuration policy to the target device, the target device has four states: Status0 indicates that the target device is monitoring for data; Status1 indicates that the target device has received a connection; Status2 indicates that the target device has received the command line set and is ready to configure; Status3 indicates that the target device has configured a command line and obtained the configuration result.
  • Figure 2 is a state transition diagram of the target device in the device security policy configuration method provided by an embodiment of the application. As shown in Figure 2, the target device starts in the Status0 state and enters the Status1 state when it detects a connection; in the Status1 state it receives the command line set, and when the command line set is not empty it enters the Status2 state, while when the connection times out or a close-connection signal is received, the connection is closed and it returns to the Status0 state; in the Status2 state, when the command line set is not empty, a command line is configured and the device enters the Status3 state, and when the command line set is empty it enters the Status1 state and continues to wait to receive command lines; in the Status3 state, a configuration success result is returned and the device enters the Status2 state to continue configuring, while a configuration failure result is returned and the device enters the Status1 state to receive command lines again.
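The keyword comparison and the Status0 to Status3 state machine described above, as an added Python model that is not part of the patent; the simulated TOPSEC-style reply function and the second vendor's keyword list are constructed for this example.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple

class Status(Enum):
    STATUS0 = 0  # monitoring for data / a connection
    STATUS1 = 1  # connection received, waiting for a command line set
    STATUS2 = 2  # command line set received, ready to configure
    STATUS3 = 3  # a command line was configured, result obtained

# Failure keywords recorded per device type. "error" for TOPSEC is from the description;
# "example-vendor" is a constructed placeholder showing how another vendor would be recorded.
FAILURE_KEYWORDS: Dict[str, Tuple[str, ...]] = {
    "topsec": ("error",),
    "example-vendor": ("Error:", "% Unrecognized"),
}

def configuration_failed(device_type: str, reply: str) -> bool:
    """Keyword comparison: a recorded failure keyword in the reply means failure, otherwise success."""
    return any(k in reply for k in FAILURE_KEYWORDS.get(device_type, ("error",)))

class TargetDevice:
    """State machine of the target device following the transitions of Figure 2."""

    def __init__(self, device_type: str, execute: Callable[[str], str]):
        self.device_type = device_type
        self.execute = execute            # sends one command line and returns the reply text
        self.status = Status.STATUS0
        self.pending: List[str] = []      # the command line set still to configure
        self.results: List[Tuple[str, bool]] = []
        self.history = [self.status]      # every state visited, for inspection

    def _go(self, status: Status) -> None:
        self.status = status
        self.history.append(status)

    def connect(self) -> None:            # Status0 -> Status1 on an incoming connection
        if self.status is Status.STATUS0:
            self._go(Status.STATUS1)

    def close(self) -> None:              # Status1 -> Status0 on timeout or close signal
        if self.status is Status.STATUS1:
            self._go(Status.STATUS0)

    def receive(self, command_lines: List[str]) -> None:  # Status1 -> Status2 if set not empty
        if self.status is Status.STATUS1 and command_lines:
            self.pending = list(command_lines)
            self._go(Status.STATUS2)

    def step(self) -> bool:
        """One transition from Status2 or Status3; returns the last command's success."""
        if self.status is Status.STATUS2:
            if not self.pending:
                self._go(Status.STATUS1)  # empty set: wait for more command lines
                return True
            cmd = self.pending.pop(0)
            ok = not configuration_failed(self.device_type, self.execute(cmd))
            self.results.append((cmd, ok))
            self._go(Status.STATUS3)
            return ok
        if self.status is Status.STATUS3:
            ok = self.results[-1][1]
            self._go(Status.STATUS2 if ok else Status.STATUS1)  # success: continue; failure: receive again
            return ok
        return True

def push_policy(device: TargetDevice, command_lines: List[str], interrupt_on_failure: bool = True):
    """Deliver a configuration policy line by line. On a failed result either interrupt the
    configuration (default) or resend the remaining lines; all results are returned for feedback."""
    device.connect()
    device.receive(command_lines)
    while device.status in (Status.STATUS2, Status.STATUS3):
        device.step()
        if device.status is Status.STATUS1 and device.pending:   # a command line failed
            if interrupt_on_failure:
                break
            device.receive(device.pending)                        # reconfigure with the rest
    device.close()
    return list(device.results)

def fake_topsec(cmd: str) -> str:
    """Constructed reply generator imitating a TOPSEC-style failure reply ("error" + code)."""
    return "error 0x0001: command not recognized" if cmd.startswith("bogus") else "ok"
```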
  • Example 1: unified configuration of the packet filtering policy of a TOPSEC firewall and a Huawei firewall. The target configuration requirement is to allow traffic with source IP address "10.11.12.13" (0x0a0b0c0d), source port number 3344, destination IP address "13.12.11.10" (0x0d0c0b0a), destination port number 7788 and protocol number 6, with policy number 1.
  • the corresponding normalization strategy is constructed according to the above target configuration requirements.
  • the normalization strategy constructed is shown in Table 3 below:
  • the above-mentioned normalized policy includes four types of information: the first is the current policy type, identified by the keyword "PolicyType"; the packet filtering policy is coded as 0001 here. The second is the policy generator, identified by the keyword "PolicyObject"; the administrator who configures the current policy is User1. The third is the policy configuration object, that is, the target device, identified by the keyword "PolicySubject".
  • the target devices configured by the current policy are the TOPSEC firewall and the Huawei firewall;
  • the fourth is the configuration parameter information, identified by the keyword "PolicyParameter". Each parameter is expressed in the form "key: value"; a parameter has a unique code, which is used as the "key", and its "value" is expressed according to the parameter format defined in the unified policy description language.
  • the parameter codes 1 to 11 in the normalized policy described above denote, in order: action, source start IP address, source end IP address, source start port number, source end port number, destination start IP address, destination end IP address, destination start port number, destination end port number, protocol number, and policy number. When the source/destination start IP address parameter is not empty and the source/destination end IP address parameter is empty, the source/destination start IP address parameter represents a single IP address.
  • the fourth configuration command line is mandatory for adding firewall rules and involves the filtering action "action", the log switch "log", the service "service", the IP addresses "sip" and "dip", and other information.
  • the filtering action parameter "action" is not enclosed in "[]" (that is, it is not optional).
  • the service "service" and the IP address "sip" and "dip" information must refer to service and IP address objects, so to set these parameters the related objects must first be defined.
  • Table 4: the set of command lines for the packet filtering configuration of a Tianrongxin (TOPSEC) firewall
  • the configuration command lines that may be involved in a Huawei firewall packet filtering policy are taken from the device manual.
  • commands 1, 2, 3, 7 and 8 are mandatory, so the action parameters they involve are mandatory.
  • the 4th, 5th, and 6th commands are optional and can be selected according to actual configuration requirements.
  • the 4th command sets the source address related information of the packet filtering policy
  • the 5th command sets the destination address of the packet filtering policy.
  • the fifth command sets the service-related information of the packet filtering strategy.
  • the parameters enclosed in "[]" are optional, and the symbol " ⁇ " indicates that the parameter is chosen from the listed alternatives, but one of them must be selected.
  • the "#” symbol is used to identify the required command line
  • the "@” symbol is used to identify the optional command line
  • the "%” symbol is used to identify the position of the parameter
  • the "[]” symbol is used to identify the optional parameter
  • the " ⁇ >” symbol is used to identify Parameter target format, use " ⁇ ” symbol to identify enumerated mandatory parameters, and use "
  • there are two kinds of parameters that need to be converted: IP address type parameters and enumeration type parameters.
  • for IP address parameters, the IP address in the unified hexadecimal format needs to be converted to a dotted-decimal IP address that the device can recognize, so the format information "%d.%d.%d.%d" is filled in the " ⁇ >" following the IP address parameter to indicate the format to convert to;
  • for enumeration parameters, the enumeration parameters in the unified integer format need to be converted into enumeration strings that the device can recognize, such as the action parameter and the log switch parameter;
  • the following " ⁇ >" symbols list the enumeration strings in sequence, and use the "
  • for Huawei firewalls, the same two kinds of parameters need to be converted: IP address type parameters and enumeration type parameters.
  • for IP address parameters, the IP address in the unified hexadecimal format needs to be converted to a dotted-decimal IP address that the device can recognize, so the format information "%d.%d.%d.%d" is filled in the " ⁇ >" following the IP address parameter to indicate the format to convert to;
  • for enumeration parameters, the enumeration parameters in the unified integer format need to be converted into enumeration strings that the device can recognize; the " ⁇ >" lists the enumeration strings in turn, separated by the "
  • the mandatory parameters in the mandatory command line are required parameters; that is, the action parameter "action" in the last command line is a required parameter. If this parameter is missing, the entire policy configuration fails. The optional parameters do not depend on other parameters.
  • the normalized policy in Table 3 contains the action parameter, so the verification passes; in Table 7, the mandatory parameters in the mandatory command lines are required parameters, namely
  • the rule name parameter "rule name" of the second command line and the action parameter "action" of the 8th command line. If either parameter is missing, the entire policy configuration fails. At the same time, the required parameters do not depend on other parameters. As shown in Table 3,
  • the normalized policy contains the policy number parameter and the action parameter, so the verification passes.
  • the strategy conversion rule is used to convert the target command line corresponding to the TOPSEC firewall according to the target parameters corresponding to the TOPSEC firewall to generate the TOPSEC firewall packet filtering configuration policy.
  • the policy conversion rule is used to convert the target command line corresponding to the Huawei firewall according to the target parameters corresponding to the Huawei firewall to generate the Huawei firewall packet filtering configuration policy.
  • the generated TOPSEC firewall packet filtering configuration policy and Huawei firewall packet filtering configuration policy are shown in Table 8 below.
  • the above-mentioned TOPSEC firewall packet filtering configuration policy is issued to and configured on the TOPSEC device, and the above-mentioned Huawei firewall packet filtering configuration policy is issued to and configured on the Huawei device.
  • Fig. 3 is a schematic structural diagram of a device security policy configuration device provided by an embodiment of the application.
  • the device includes: a normalized policy construction module 31, a policy template acquisition module 32, a parameter and command line determination module 33, and a policy conversion and configuration module 34, where:
  • the normalization strategy construction module 31 is configured to construct a normalization strategy corresponding to the target configuration requirements based on the unified strategy description language according to the target configuration requirements.
  • the normalization strategy includes a strategy type, at least one target device and at least one configuration parameter.
  • the embodiment of the present application designs a unified policy description language to be compatible with differences in different configuration command formats.
  • the normalization strategy construction module 31 constructs a normalization strategy corresponding to the target configuration requirement based on the unified policy description language according to the target configuration requirement.
  • the normalized strategy includes a strategy type, at least one target device, and at least one configuration parameter.
  • the normalization strategy can also include the strategy generator, which can be set according to actual needs, and there is no specific limitation here.
  • the policy template obtaining module 32 is configured to obtain a policy template corresponding to the target device from the policy template library according to the policy type in the normalized policy for any target device in the normalized policy, and the policy template includes at least one command line.
  • the policy template obtaining module 32 obtains the policy template corresponding to the target device from the policy template library according to the target device itself and the policy type in the normalized policy. It is understandable that the policy templates of different policy types corresponding to different devices are pre-stored in the policy template library. In other words, devices, policy types, and policy templates are pre-associated and stored in the policy template library. Therefore, the policy template corresponding to the target device can be obtained from the policy template library according to the target device itself and the policy type in the normalized policy.
  • the parameter and command line determination module 33 is used to verify the normalized policy according to the policy template using the policy verification rule; if the verification passes, all the configuration parameters in the normalized policy are screened according to the policy template, each configuration parameter remaining after screening is used as a target parameter, and the target command lines are obtained from all the command lines in the policy template according to all the target parameters.
  • the parameter and command line determination module 33 uses the policy verification rule to verify the normalized policy according to the policy template. If the verification passes, the normalized policy can be effectively configured on the target device. On that basis, the parameter and command line determination module 33 screens all configuration parameters in the normalized policy according to the policy template corresponding to the target device, and uses each configuration parameter remaining after screening as a target parameter. It can be understood that the target parameters are the parameters required by the target device to configure the normalized policy. After the target parameters are obtained, they may not contain the required and/or optional parameters of a certain command line in the policy template, in which case that command line cannot be effectively configured.
  • the parameter and command line determination module 33 obtains the target command line from all the command lines in the policy template according to all target parameters. In this way, all parameters (including mandatory and optional parameters) in each target command line are included in the target parameters, so as to ensure that each target command line can be effectively configured.
  • the strategy conversion and configuration module 34 is configured to convert all target command lines according to all target parameters by using the strategy conversion rules, generate a configuration strategy corresponding to the target device, and configure the target device according to the configuration strategy.
  • the strategy conversion and configuration module 34 uses the strategy conversion rule to convert all target command lines according to all target parameters, that is, uses the strategy conversion rule to fill the target parameters into the corresponding positions of the target command line.
  • the configuration policy corresponding to the target device refers to the command line set that the target device can recognize, and this command line set realizes the configuration of the normalized policy.
  • the target device is configured according to the configuration strategy, that is, the configuration strategy is delivered and configured to the target device.
  • the device security policy configuration device provided by the embodiments of the present application specifically executes the procedures of the foregoing method embodiments. For details, please refer to the content of the foregoing method embodiments, and details are not repeated here.
  • the device security policy configuration device constructs a normalized policy based on the unified policy description language according to the target configuration requirements, obtains the policy template corresponding to the target device from the policy template library, screens the target parameters out of all the configuration parameters in the normalized policy according to the policy template, obtains the target command lines from all the command lines in the policy template according to all target parameters, converts all target command lines according to all target parameters, and generates the configuration policy corresponding to the target device. Finally, the configuration policy is delivered to and configured on the target device.
  • the device does not require the administrator to learn the syntax and semantics of different configuration commands, which helps reduce work costs; and the administrator only needs to issue the configuration requirements once, which effectively avoids repeated operations and helps improve the configuration efficiency of device security policies, ensuring that the security policy is configured on the device in time.
  • FIG. 4 is a schematic diagram of the physical structure of an electronic device provided by an embodiment of the application.
  • the electronic device includes: a processor 41, a memory 42 and a bus 43, where the processor 41 and the memory 42 communicate with each other through the bus 43;
  • the processor 41 is configured to call the program instructions in the memory 42 to execute the method provided in any of the foregoing method embodiments, for example including: constructing a normalized policy corresponding to the target configuration requirement based on the unified policy description language according to the target configuration requirement,
  • the normalized policy includes the policy type, at least one target device and at least one configuration parameter; for any target device in the normalized policy, the policy template corresponding to the target device is obtained from the policy template library according to the policy type in the normalized policy, the policy template containing at least one command line; the normalized policy is verified according to the policy template by the policy verification rule, and if the verification passes, all configuration parameters in the normalized policy are screened according to the policy template, each configuration
  • the aforementioned logic instructions in the memory 42 can be implemented in the form of software functional units and when sold or used as independent products, they can be stored in a computer readable storage medium.
  • the technical solutions of the embodiments of the present application, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product, which is stored in a storage medium.
  • the software product includes several instructions that make a computer device (which can be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the method described in each embodiment of the present application.
  • the aforementioned storage media include: a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk, or other media that can store program code.
  • the embodiments of the present application also provide a non-transitory computer-readable storage medium on which a computer program is stored.
  • the computer program, when executed by a processor, implements the methods provided in the foregoing embodiments, for example including: constructing, based on the unified policy description language,
  • the normalized policy corresponding to the target configuration requirements according to the target configuration requirements.
  • the normalized policy includes the policy type, at least one target device and at least one configuration parameter; for any target device in the normalized policy,
  • the policy template corresponding to the target device is obtained from the policy template library according to the policy type in the normalized policy.
  • the policy template contains at least one command line; the normalized policy is verified according to the policy template by the policy verification rule, and if the verification passes, all configuration parameters in the normalized policy are screened according to the policy template, each configuration parameter remaining after screening is used as a target parameter, and the target command lines are obtained from all the command lines in the policy template according to all the target parameters; using the policy conversion
  • rule, all target command lines are converted according to all target parameters, a configuration policy corresponding to the target device is generated, and the target device is configured according to the configuration policy.
  • the device embodiments described above are merely illustrative.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules may be selected according to actual needs to achieve the objectives of the solutions of the embodiments. Those of ordinary skill in the art can understand and implement this without creative work.
  • each implementation manner can be implemented by software plus a necessary general hardware platform, and of course, it can also be implemented by hardware.
  • the above technical solutions can be embodied in the form of software products, which can be stored in computer-readable storage media such as ROM/RAM, a magnetic disk or an optical disk, and include a number of instructions that make a computer device (which may be a personal computer, a server, or a network device, etc.) execute the methods described in each embodiment or in some parts of the embodiments.

Abstract

Embodiments of the present application provide a device security policy configuration method and apparatus. A normalized policy is constructed on the basis of a unified policy description language according to a target configuration requirement; a policy template corresponding to a target device is obtained from a policy template library; target parameters are screened out from all configuration parameters in the normalized policy according to the policy template, and target command lines are obtained from all command lines in the policy template according to all the target parameters; all the target command lines are converted according to all the target parameters, a configuration policy corresponding to the target device is generated, and finally the configuration policy is issued and configured to the target device. According to the method and apparatus, an administrator does not need to learn the syntax and semantics of various configuration commands, thereby contributing to reducing work costs; moreover, the administrator only needs to issue configuration requirements once, thereby effectively avoiding repeated operations and facilitating improvement of the device security policy configuration efficiency, and thus, it is ensured that a security policy can be configured to a device timely.

Description

一种设备安全策略的配置方法及装置Method and device for configuring equipment safety strategy
相关申请的交叉引用Cross references to related applications
本申请要求于2019年5月22日提交的申请号为201910427706.9,发明名称为“一种设备安全策略的配置方法及装置”的中国专利申请的优先权,其通过引用方式全部并入本申请。This application claims the priority of the Chinese patent application filed on May 22, 2019 with the application number 201910427706.9 and the invention title "A method and device for configuring a device security policy", which is fully incorporated into this application by reference.
技术领域Technical field
本申请涉及计算机网络安全技术领域,更具体地,涉及一种设备安全策略的配置方法及装置。This application relates to the technical field of computer network security, and more specifically, to a method and device for configuring a device security policy.
背景技术Background technique
随着网络技术发展,网络规模逐渐增大,网络节点日益错综复杂,使得网络威胁呈现出多样化、复杂化和频繁化的特征。为保证网络与系统的安全,需要部署大量、多样的设备,并为这些设备配置正确有效的安全策略,以及时处理网络威胁,保障网络稳定运行。With the development of network technology, the scale of the network has gradually increased, and network nodes have become increasingly intricate, making network threats appear diversified, complicated, and frequent. In order to ensure the security of the network and the system, a large number of diverse devices need to be deployed, and correct and effective security policies are configured for these devices to deal with network threats in a timely manner to ensure stable network operation.
由于网络中的设备来自不同厂商,具有个性化的配置命令和各异的配置命令语法语义。因此,在对大量设备进行配置时,需要兼容配置命令各异的语法语义。现如今普遍适用的逐一配置方式,要求管理员学习各异的配置命令语法语义,通过设备提供的命令行接口(CLI,command-line interface),对设备进行逐一的配置。该方法需要管理员学习大量配置语法,工作成本较高;且当需要对多台设备配置相同的策略时,管理员需要重复大量相同的操作,效率较低,因而当网络威胁产生时,可能导致安全策略无法及时有效地配置到设备,造成不可预料的后果。As the devices in the network come from different manufacturers, they have personalized configuration commands and different configuration command syntax and semantics. Therefore, when configuring a large number of devices, the syntax and semantics of different configuration commands need to be compatible. Nowadays, the generally applicable one-by-one configuration method requires administrators to learn different configuration command syntax and semantics, and configure the devices one by one through the command-line interface (CLI) provided by the device. This method requires the administrator to learn a large number of configuration syntax, and the work cost is high; and when the same strategy needs to be configured on multiple devices, the administrator needs to repeat a large number of the same operations, which is inefficient. Therefore, when a network threat occurs, it may cause Security policies cannot be configured to devices in a timely and effective manner, causing unpredictable consequences.
发明内容Summary of the invention
本申请实施例为了克服现有技术中在对大量设备进行配置时,需要管理员学习大量配置语法,工作成本较高且效率较低的问题,提供一种设备安全策略的配置方法及装置。In order to overcome the problems of high working cost and low efficiency, which require an administrator to learn a large amount of configuration syntax when configuring a large number of devices in the prior art, the embodiment of the present application provides a method and device for configuring a device security policy.
In a first aspect, an embodiment of the present application provides a device security policy configuration method, including:
constructing, on the basis of a unified policy description language and according to a target configuration requirement, a normalized policy corresponding to that requirement, the normalized policy containing a policy type, at least one target device and at least one configuration parameter;
for any target device in the normalized policy, obtaining from a policy template library, according to the policy type in the normalized policy, the policy template corresponding to that target device, the policy template containing at least one command line;
verifying the normalized policy against the policy template using a policy verification rule and, if verification passes, filtering all configuration parameters of the normalized policy according to the policy template, taking each filtered configuration parameter as a target parameter, and obtaining the target command lines from all command lines of the policy template according to all target parameters;
converting all target command lines according to all target parameters using a policy conversion rule, generating the configuration policy corresponding to the target device, and configuring the target device according to that configuration policy.
In a second aspect, an embodiment of the present application provides a device security policy configuration apparatus, including:
a normalized policy construction module, configured to construct, on the basis of a unified policy description language and according to a target configuration requirement, a normalized policy corresponding to that requirement, the normalized policy containing a policy type, at least one target device and at least one configuration parameter;
a policy template acquisition module, configured to obtain, for any target device in the normalized policy, the policy template corresponding to that target device from a policy template library according to the policy type in the normalized policy, the policy template containing at least one command line;
a parameter and command line determination module, configured to verify the normalized policy against the policy template using a policy verification rule and, if verification passes, to filter all configuration parameters of the normalized policy according to the policy template, take each filtered configuration parameter as a target parameter, and obtain the target command lines from all command lines of the policy template according to all target parameters;
a policy conversion and configuration module, configured to convert all target command lines according to all target parameters using a policy conversion rule, generate the configuration policy corresponding to the target device, and configure the target device according to that configuration policy.
In a third aspect, an embodiment of the present application provides an electronic device including a memory, a processor and a computer program stored in the memory and runnable on the processor, the processor implementing the steps of the method of the first aspect when it executes the program.
In a fourth aspect, an embodiment of the present application provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method of the first aspect.
The device security policy configuration method and apparatus of the embodiments construct a normalized policy in the unified policy description language according to the target configuration requirement, obtain the policy template corresponding to each target device from the policy template library, filter the target parameters out of all configuration parameters of the normalized policy according to that template, obtain the target command lines from the template's command lines according to the target parameters, convert the target command lines according to the target parameters to generate the configuration policy of the target device, and finally deliver and apply that configuration policy to the target device. The administrator need not learn the differing command syntaxes and semantics, which lowers the cost of the work; and the administrator issues the configuration requirement only once, which avoids repeated operations, makes device security policy configuration more efficient, and ensures that security policies reach the devices in time.
Description of the drawings
To explain the technical solutions of the embodiments of the application or of the prior art more clearly, the drawings needed to describe them are briefly introduced below. The drawings described are some embodiments of the application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of the device security policy configuration method provided by an embodiment of the application;
FIG. 2 is a state transition diagram of a target device in the device security policy configuration method provided by an embodiment of the application;
FIG. 3 is a schematic structural diagram of the device security policy configuration apparatus provided by an embodiment of the application;
FIG. 4 is a schematic diagram of the physical structure of an electronic device provided by an embodiment of the application.
Detailed description of the embodiments
To make the purpose, technical solution and advantages of the embodiments clearer, the technical solution of the embodiments is described below clearly and completely with reference to the drawings. The described embodiments are some, not all, of the embodiments of the application. All other embodiments that a person of ordinary skill in the art obtains from them without creative effort fall within the scope of protection of the application.
FIG. 1 is a schematic flowchart of the device security policy configuration method provided by an embodiment of the application. As shown in FIG. 1, the method includes:
S1: constructing, on the basis of a unified policy description language and according to a target configuration requirement, a normalized policy corresponding to that requirement, the normalized policy containing a policy type, at least one target device and at least one configuration parameter;
It should be noted that the command-line formats of devices of different vendors, types and versions differ, and that the number of parameters and the number of command lines making up one complete configuration action also differ. The embodiment therefore takes a complete configuration action as the unit of analysis, examines the configuration command lines of the various vendors, and identifies differences in four respects: symbol notation, keyword notation, parameter format, and the number of parameters and command lines. A symbol difference means that different vendors use different symbols for the same meaning; a keyword difference means different keywords for the same meaning; a parameter format difference means different formats for the same parameter; and a difference in parameter and command-line count means that different vendors use different numbers of parameters and command lines to achieve one configuration action.
As Table 1 shows, for particular firewall models TOPSEC and Huawei use the symbols "<>" and "{}" respectively to mark enumerated parameters; TOPSEC introduces the destination IP address parameter with the keyword "ipaddr" and Huawei with the keyword "destination-address"; TOPSEC expresses accept or deny with the enumeration values "accept|reject" and Huawei with "permit|deny"; and TOPSEC implements packet filtering with 11 parameters and 3 related command lines, whereas Huawei needs 17 parameters and 8 related command lines.
Table 1 Example packet filtering configuration command sets of a TOPSEC firewall and a Huawei firewall
[Table 1 is only available as an image: Figure PCTCN2019091873-appb-000001]
On the basis of these four kinds of difference, the embodiment designs a unified policy description language that accommodates the differences between configuration command formats. The language unifies the four aspects as follows:
(1) Unified symbol format. Different devices use different symbols for the same semantic function; the embodiment therefore defines the symbols uniformly on the basis of their semantics.
(2) Unified keyword representation. Different devices use different keywords as identifiers with the same meaning. Because codes are simple, general and easy to compute, the embodiment replaces the differently formatted strings with a unified code. A keyword code is a code assigned to each parameter that has a fixed meaning; compared with string notation, a code is easier for a computer to recognise and parse.
(3) Unified parameter format. Different devices represent the same parameter value in different formats. To unify this, the embodiment defines three representation formats, enumerated, string and numeric, and expresses every parameter in one of them.
(4) Unified parameter kinds and counts. Different devices have their own capabilities, such as blocking network traffic. Today, to realise a capability of a device, the administrator sets target parameters and, using the device's own command lines, configures them on the device through its CLI. Based on the semantics of a capability, the embodiment extracts the parameters from the command-line sets with which different devices realise the same capability, collects them into one complete set, removes duplicate parameters with the same meaning, and removes parameters that have no special meaning and can be replaced by other parameters (for example, an IP object name can be replaced by the IP address itself). The parameters of one capability form one set, and all capabilities are coded uniformly, so a parameter is uniquely identified by its capability code and parameter code. Compared with the current approach of taking the intersection of the parameters of a shared capability, this method preserves the individual features of each device, lays the foundation for precise policy configuration, and makes better use of each device's value. Removing semantically duplicate parameters and replacing parameters without special meaning with necessary ones also reduces the redundancy of the parameter set.
On this basis, when a target configuration requirement exists, the normalized policy corresponding to it can be constructed in the unified policy description language. The normalized policy contains a policy type, at least one target device and at least one configuration parameter. It may also contain the policy generator, which can be set as actual needs dictate and is not limited here. Table 2 below illustrates the normalized policy of this embodiment:
Table 2 is an example of the normalized policy format provided by this embodiment. The keyword "PolicyType" identifies the policy type; "PolicyObject" identifies the policy generator; "PolicySubject" identifies the target device, i.e. the object on which the policy is configured; and "PolicyParameter" identifies the configuration parameters. Each configuration parameter is represented by a code: "Parameter1_SerialNum", "Parameter2_SerialNum" and "Parameter3_SerialNum" are the codes of parameters 1, 2 and 3, and each code is followed by the corresponding parameter value. "P1_Enum_value1" and "P1_Enum_value2" are the values of "Parameter1_SerialNum"; its type is enumerated, meaning that the parameter can take only one of these two values. "P2_String_value" is the value of "Parameter2_SerialNum", written as a string; "P3_Num_value" is the value of "Parameter3_SerialNum", written as a number.
A colon ":" links a parameter code to its value; a semicolon ";" ends each statement; the braces "{" and "}" open and close the parameter part of the policy; double quotes mark a string; the square brackets "[" and "]" mark an enumerated parameter; and a vertical bar "|" separates enumeration values.
Table 2 Example of the normalized policy format
[Table 2 is only available as an image: Figure PCTCN2019091873-appb-000002]
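A parser for the normalized policy format described above, as an added example that is not part of the application. Table 2 is only available as an image, so the sample policy below is constructed from the textual description; the parameter codes, the device names, the policy type string and the use of "[dev1|dev2]" to list several target devices are assumptions. The parser is deliberately strict: an unknown keyword, a duplicate parameter code, leftover text between statements or a value in none of the three declared formats is rejected rather than passed through, because these values are later spliced into device command lines.

```python
import re

# Grammar assumed for this example (the description names the symbols but gives
# no formal grammar): 'Keyword: value;' statements, the parameter part wrapped
# in { }, '[a|b]' for an enumerated value, "..." for a string, digits for a number.
STMT_RE = re.compile(r'\s*([A-Za-z0-9_]+)\s*:\s*([^;]*?)\s*;')
WELL_FORMED_RE = re.compile(r'(?:\s*[A-Za-z0-9_]+\s*:[^;]*;)*\s*')
NUM_RE = re.compile(r'-?\d+(\.\d+)?')
HEADER_KEYWORDS = {'PolicyType', 'PolicyObject', 'PolicySubject'}

def statements(block):
    """Split a block into (keyword, raw value) pairs, refusing leftover text
    instead of silently skipping it."""
    if not WELL_FORMED_RE.fullmatch(block):
        raise ValueError(f'malformed statement list: {block.strip()!r}')
    return STMT_RE.findall(block)

def parse_value(raw):
    """Map one value to Python by its surrounding symbols. Anything outside the
    three declared formats is rejected, since values end up in device commands."""
    raw = raw.strip()
    if raw.startswith('[') and raw.endswith(']'):
        alternatives = [v.strip() for v in raw[1:-1].split('|')]
        if not all(alternatives):
            raise ValueError(f'empty enumeration member in {raw!r}')
        return alternatives
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if NUM_RE.fullmatch(raw):
        return float(raw) if '.' in raw else int(raw)
    raise ValueError(f'value {raw!r} is not enumerated, string or numeric')

def parse_normalized_policy(text):
    """Return {'PolicyType', 'PolicyObject', 'PolicySubject': [devices],
    'PolicyParameter': {code: value}} or raise ValueError."""
    head, brace, rest = text.partition('{')
    body, close, tail = rest.partition('}')
    if not brace or not close or tail.strip():
        raise ValueError('the parameter part must be one { ... } block at the end')
    head = head.strip()
    intro = re.search(r'PolicyParameter\s*:\s*$', head)
    if intro is None:
        raise ValueError('the { ... } block must be introduced by "PolicyParameter:"')
    policy = {'PolicyType': None, 'PolicyObject': None, 'PolicySubject': [], 'PolicyParameter': {}}
    for keyword, raw in statements(head[:intro.start()]):
        if keyword not in HEADER_KEYWORDS:
            raise ValueError(f'unknown keyword {keyword!r}')
        value = parse_value(raw)
        if keyword == 'PolicySubject':
            # Assumption: several target devices are written as [dev1|dev2].
            policy['PolicySubject'] = value if isinstance(value, list) else [value]
        else:
            policy[keyword] = value
    for code, raw in statements(body):
        if code in policy['PolicyParameter']:
            raise ValueError(f'duplicate parameter code {code!r}')
        policy['PolicyParameter'][code] = parse_value(raw)
    if policy['PolicyType'] is None or not policy['PolicySubject'] or not policy['PolicyParameter']:
        raise ValueError('PolicyType, a PolicySubject and at least one parameter are required')
    return policy

# Constructed sample in the described format (Table 2 itself is an image).
SAMPLE_POLICY = '''
PolicyType: "PacketFilter";
PolicyObject: "admin";
PolicySubject: [fw-a|fw-b];
PolicyParameter: {
    0101_001: [accept|reject];
    0101_002: "10.0.0.5";
    0101_003: 443;
}
'''
```

parse_normalized_policy(SAMPLE_POLICY) yields the policy type "PacketFilter", the two target devices, and the three parameters typed by their symbols: the enumerated parameter becomes the list of permitted values, the quoted value a string, and 443 an integer, so later format checks can tell a numeric parameter from a string one.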
It should also be noted that the policy types of the embodiments include, but are not limited to, any one or more of: packet filtering policies, routing policies, device shutdown policies, device restart policies, service shutdown policies, service restart policies, service migration policies, data backup policies, connection reset policies (RST), connection close policies (FIN), vulnerability repair policies, process termination policies, registry modification policies, user permission modification policies, file access permission modification policies, user password modification policies, and cryptographic resource operation policies.
The target devices of the embodiments include, but are not limited to, any one or more of: firewalls, routers, access gateways, Internet gateways, content filtering devices, terminals (fixed, mobile and satellite terminals), servers, cryptographic devices, authentication devices, VPNs, honeypots, switches, modems, hubs and bridges.
S2: for any target device in the normalized policy, obtaining from the policy template library, according to the policy type in the normalized policy, the policy template corresponding to that target device, the policy template containing at least one command line;
Specifically, if the normalized policy contains several target devices, the normalized policy is to be configured on all of them at the same time. For any target device in the normalized policy, the policy template corresponding to that device is obtained from the policy template library according to the target device itself and the policy type in the normalized policy. The policy template library stores in advance, for each device, the policy templates of the policy types it supports; that is, devices, policy types and policy templates are stored in the library in association with one another, so the target device and the policy type together select the device's template. A policy template is the set of command lines used to configure one policy type on one device, so every template in the library contains at least one command line.
S3: verifying the normalized policy against the policy template using the policy verification rule and, if verification passes, filtering all configuration parameters of the normalized policy according to the policy template, taking each filtered configuration parameter as a target parameter, and obtaining the target command lines from all command lines of the policy template according to all target parameters;
Specifically, the policy template obtained in the preceding step is the set of command lines with which the target device configures the normalized policy; that is, configuring the normalized policy on the target device uses the command lines of the policy template. To check whether the target device can actually be configured with the normalized policy, the embodiment verifies the normalized policy against the policy template using the policy verification rule; if verification passes, the target device can be configured with the normalized policy.
Once verification has passed: because the normalized policy may contain several target devices, i.e. the same normalized policy is to be configured on several devices at once, the configuration parameters of the normalized policy are the union of the parameters the individual target devices need for that policy. When configuring one particular target device, the parameters that device needs must therefore be picked out of the normalized policy. In this embodiment, all configuration parameters of the normalized policy are filtered according to that device's policy template, and each parameter that survives the filter is a target parameter, that is, a parameter the target device needs in order to configure the normalized policy.
After the target parameters are obtained, they may still lack a required and/or optional parameter of some command line in the policy template, in which case that command line cannot be configured. To check that the command lines of the policy template can be configured, the embodiment obtains the target command lines from the command lines of the policy template according to the target parameters, such that every parameter (required and optional) of each target command line is contained in the target parameters; every target command line can then be configured.
S4: converting all target command lines according to all target parameters using the policy conversion rule, generating the configuration policy corresponding to the target device, and configuring the target device according to that configuration policy.
Specifically, the policy conversion rule converts all target command lines according to all target parameters, that is, it fills each target parameter into its position in the target command line. The converted target command lines form the configuration policy of the target device: the set of command lines that the target device can recognise and that implements the normalized policy on it. Finally, the target device is configured according to the configuration policy, i.e. the configuration policy is delivered to and applied on the target device.
It should be noted that in this embodiment, when the administrator needs to configure a security policy of some type on one or more target devices, they need only issue a target configuration requirement containing the policy type, the target devices and the configuration parameters. The steps above convert that requirement into a configuration policy each target device can recognise and deliver it to every target device. The administrator need not learn the differing command syntaxes and semantics, which lowers the cost of the work; and since the requirement is issued only once, repeated operations are avoided, device security policy configuration becomes more efficient, and security policies reach the devices in time.
The device security policy configuration method of the embodiment constructs a normalized policy in the unified policy description language according to the target configuration requirement, obtains the policy template corresponding to each target device from the policy template library, filters the target parameters out of all configuration parameters of the normalized policy according to that template, obtains the target command lines from the template's command lines according to the target parameters, converts the target command lines according to the target parameters to generate the configuration policy of the target device, and finally delivers and applies that configuration policy to the target device. The administrator need not learn the differing command syntaxes and semantics, which lowers the cost of the work; and the administrator issues the configuration requirement only once, which avoids repeated operations, makes device security policy configuration more efficient, and ensures that security policies reach the devices in time.
On the basis of any of the embodiments above, a device security policy configuration method is provided in which, before the policy template corresponding to the target device is obtained from the policy template library according to the policy type in the normalized policy, the method further includes: taking each policy type the target device allows to be configured as a target policy type; for any target policy type, obtaining all command lines corresponding to it from the device manual of the target device; converting all command lines of the target policy type on the basis of the unified policy description language and combining the converted command lines into a policy template; and storing the target device, the target policy type and the policy template in association in the policy template library.
Specifically, in this embodiment, before the policy template corresponding to the target device is obtained from the policy template library according to the policy type in the normalized policy, the policy templates of the different policy types of the target device must be stored in association in the policy template library. This is done as follows:
Different devices allow different policy types to be configured, and one device usually allows more than one. In this embodiment each policy type the target device allows is taken as a target policy type, and for any target policy type all command lines corresponding to it, i.e. all command lines involved in configuring that policy type on the target device, are obtained from the device manual of the target device. In other embodiments they may be obtained from sources other than the device manual, as actual needs dictate; this is not limited here.
After all command lines of the target policy type have been obtained, they are converted on the basis of the unified policy description language, that is, the keywords, symbols and parameter formats in those command lines are unified. The conversion steps are as follows:
(1) Retain the characters the device must use. As shown in Table 1 above, the bold characters in each command line are the characters the device needs when parsing the command line, so all characters of this kind are retained without modification. For example, the string "define add host name" in a TOPSEC firewall configuration command line must be recognized by the device to determine the function of the command line.
(2) Modify the characters used for prompting. A command line contains two kinds of characters that prompt the user for input: prompt strings and prompt symbols. A prompt string is a string in the command line that the device does not need to recognize; it indicates to the user where a parameter is to be filled in. As shown in Table 1 above, the non-bold italic strings in each command line are prompt strings; for example, "hostname" in the first TOPSEC command line tells the user to enter the IP address name parameter there, and the device itself does not recognize this string. Different vendors may use different strings to denote information with the same meaning, and these strings do not need to be passed to the device, so this embodiment uses parameter codes, based on the unified policy description language, in place of the varied strings. A prompt symbol is a symbol in the command line that the device does not need to recognize and that conveys related information to the user; for example, "#" marks the beginning of a command line, and Huawei firewalls use "{}" to mark enumerated parameters. Different vendors may use different symbols for information with the same meaning, and these symbols do not need to be passed to the device, so this embodiment defines seven symbols in the unified policy description language to denote the corresponding information uniformly. The seven symbols are "#", "@", "%", "[]", "<>", "{}" and "|": "#" marks a required command line, "@" marks an optional command line, "%" marks a parameter position, "[]" marks an optional parameter, "<>" marks the target format of a parameter, "{}" marks a required enumerated parameter, and "|" separates enumeration values or target formats.
(3) Add the parameter format information the device recognizes. The parameter format is the representation of a parameter, and the formats recognized by devices from different vendors differ. For example, for the action parameter in a packet filtering configuration command line, a TOPSEC firewall uses "accept" to denote accepting a packet while a Huawei firewall uses "permit"; for the hardware address parameter in a layer-2 packet filtering configuration command line, a TOPSEC firewall uses the format "xx:xx:xx:xx:xx:xx" while a Huawei firewall uses "xx-xx-xx-xx-xx-xx". To convert a unified policy into a device-specific set of configuration commands, this embodiment specifies, on the basis of the unified parameter format in the unified policy description language, target format information for each parameter whose format must be converted, and fills it into the "<>" symbol following the corresponding parameter code in the policy template command line. If the parameter format recognized by the target device is the same as the format in the unified policy description language, no "<>" symbol or target format information is needed after the corresponding parameter code.
(4) Modify the composition of the command lines in the conversion template. As shown in Table 1 above, each command line has its own definite function, and in practice some command lines may be used several times, so the command lines in the conversion template are not simply the set given by the device vendor but may contain several command lines with the same function. For example, the command line that defines an IP address in the TOPSEC firewall packet filtering policy configuration command line set does not restrict how the IP address is used, so it can define either a source IP address or a destination IP address. The conversion template should therefore contain two copies of that command line, with the parameter prompt string replaced by the source IP address parameter code in one and by the destination IP address parameter code in the other, so that the source and destination IP addresses are defined separately.
Through the above steps, all command lines corresponding to the target policy type are converted, and the converted command lines together form the policy template for that target policy type. Finally, the target device, the target policy type and the policy template are stored in association in the policy template library, so that the policy template corresponding to the target device can be obtained from the library according to the policy type in the normalized policy.
Based on any of the above embodiments, a device security policy configuration method is provided in which the normalized policy is checked against the policy template using the policy check rule, specifically: obtain all required parameters, and the dependent parameters of each required parameter, from all command lines of the policy template; determine whether the normalized policy contains all of the required parameters and all of the dependent parameters; if it does, the normalized policy passes the check, and if it does not, the check fails.
Specifically, in this embodiment, the normalized policy is checked against the policy template using the policy check rule as follows:
It should be noted that different devices impose different requirements on the same policy. For some devices, certain parameters are necessary to configure the current policy, that is, if such a parameter is missing the entire policy configuration fails; this embodiment treats the parameters necessary to configure the current policy as required parameters. In addition, some parameters depend on each other, that is, configuring one parameter requires other related parameters to be configured at the same time; this embodiment treats the parameters on which a given parameter depends as that parameter's dependent parameters.
On this basis, in this embodiment, all required parameters and the dependent parameters of each required parameter are obtained from all command lines of the policy template, and it is then determined whether the normalized policy contains all of the required parameters and all of the dependent parameters. If it does, the normalized policy passes the check, meaning that the target device can be configured with the normalized policy; if it does not, the check fails, meaning that the target device cannot be configured with the normalized policy.
In the device security policy configuration method provided by this embodiment, checking the normalized policy against the policy template using the policy check rule determines whether the target device can be configured with the normalized policy, which effectively reduces the probability of policy configuration failure.
Based on any of the above embodiments, a device security policy configuration method is provided in which all configuration parameters in the normalized policy are screened according to the policy template, specifically: for any configuration parameter in the normalized policy, if the policy template does not contain that configuration parameter, delete it from the normalized policy; obtain all optional parameters, and the dependent parameters of each optional parameter, from all command lines of the policy template, and for any optional parameter, if the normalized policy contains the optional parameter but does not contain the dependent parameters of that optional parameter, delete the optional parameter from the normalized policy.
Specifically, since the normalized policy covers at least one target device, that is, the normalized policy may have to be configured on several target devices at once, the configuration parameters it contains are the union of the configuration parameters each of those target devices needs in order to configure the normalized policy. Accordingly, when the normalized policy is configured on one of the target devices, the configuration parameters that device needs must be screened out of the normalized policy. In this embodiment, for any configuration parameter in the normalized policy, if the policy template does not contain that parameter, it is deleted from the normalized policy. In addition, all optional parameters, and the dependent parameters of each optional parameter, are obtained from all command lines of the policy template; for any optional parameter, if the normalized policy contains the optional parameter but not its dependent parameters, the optional parameter is deleted from the normalized policy. After these screening steps, each configuration parameter remaining in the normalized policy is taken as a target parameter.
Based on any of the above embodiments, a device security policy configuration method is provided in which the target command lines are obtained from all command lines in the policy template according to all target parameters, specifically: for any command line in the policy template, if all of its required parameters are target parameters, take that command line as a candidate command line; for any candidate command line, delete the optional parameters that are not target parameters to obtain a target command line.
Specifically, the target parameters may not include a required parameter of some command line in the policy template, in which case that command line cannot be configured validly. In view of this, in this embodiment the target command lines are obtained from all command lines in the policy template according to all target parameters as follows:
For any command line in the policy template, obtain all of its required parameters and determine whether every one of them is a target parameter; if so, the command line can be configured and is taken as a candidate command line. After all candidate command lines have been obtained, it must also be determined whether the optional parameters in each candidate command line can be configured. To that end, in this embodiment, for any candidate command line, all of its optional parameters are obtained and each is checked for membership in the target parameters; any optional parameter that is not a target parameter is deleted from the candidate command line. That is, the optional parameters of the candidate command line that are not target parameters are deleted, and what remains is the target command line. It will be understood that both the required and the optional parameters of a target command line are target parameters, so that the target command line can be configured validly.
Based on any of the above embodiments, a device security policy configuration method is provided in which all target command lines are converted according to all target parameters using the policy conversion rule, specifically: for any target command line, take each parameter in the target command line as a parameter to be converted, obtain the position of each such parameter in the target command line as its position to be filled, and obtain from the target command line the format corresponding to each such parameter as its target format; for any parameter to be converted, obtain from all target parameters the target parameter that matches it as the matching parameter, convert the format of the matching parameter according to the target format of the parameter to be converted, and fill the format-converted matching parameter into the position to be filled of the parameter to be converted.
Specifically, in this embodiment, all target command lines are converted according to all target parameters using the policy conversion rule in the following steps:
For any target command line, each parameter in the target command line is taken as a parameter to be converted, the position of each such parameter in the target command line is obtained as its position to be filled, and the format corresponding to each such parameter is obtained from the target command line as its target format; the position and format of every parameter to be converted in the target command line are thus known. On this basis, for any parameter to be converted, the target parameter that matches it is obtained from all target parameters as the matching parameter, and the format of the matching parameter is converted according to the target format of the parameter to be converted. It will be understood that the matching parameter is a parameter of the normalized policy, whose format is not suitable for every target device, whereas the target format of the parameter to be converted is a format the target device can recognize; the matching parameter must therefore be converted into the target format. For example, the normalized numeric IP address parameter 0x0ca85a10 is converted, according to the dotted-decimal target format information the target device requires, into the device's format "192.168.90.10". Finally, the format-converted matching parameter is filled into the position to be filled of the parameter to be converted. In addition, strings and characters the device does not recognize, including the custom codes and symbols such as "#" and "[]", must be deleted from the target command line. Finally, all converted target command lines together form the configuration policy for the target device.
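The template conversion steps (1) to (4), the policy check rule, the parameter screening, the candidate command line selection and the policy conversion rule above form one pipeline from a normalized policy to a device command set. The following Python is an added worked example of that pipeline and is not code from the application itself. Because the application's template tables are images, the template token layout is an assumption modelled on the seven symbols described above ('#'/'@' line prefix, %N parameter positions with the page's codes 1 to 11, <...> target formats, [...] optional segments); the TEMPLATE lines, the DEPS dependency table and the reading that the check covers the required parameters of the required ('#') lines are likewise constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple, Union

# Constructed template notation (assumption; the page's Table 6 is an image):
#   '#' / '@' prefix : required / optional command line
#   %N              : parameter position, N = parameter code (1..11 as on the page)
#   <fmt>           : target format after a code: "%d.%d.%d.%d" = dotted decimal,
#                     "a|b|c" = enumeration strings indexed by the integer value
#   [ ... ]         : optional segment; the parameters inside it are optional
OPT_RE = re.compile(r"\[([^\]]*)\]")
PARAM_RE = re.compile(r"%(\d+)(?:<([^>]*)>)?")

Value = Union[int, str]
Policy = Dict[int, Value]        # normalized policy: parameter code -> value
Deps = Dict[int, List[int]]      # parameter code -> codes it depends on


def line_params(line: str) -> Tuple[List[int], List[int]]:
    """Split one template line into (required codes, optional codes)."""
    optional = [int(m.group(1)) for seg in OPT_RE.findall(line)
                for m in PARAM_RE.finditer(seg)]
    required = [int(m.group(1)) for m in PARAM_RE.finditer(OPT_RE.sub("", line))]
    return required, optional


def verify(policy: Policy, template: List[str], deps: Deps) -> Tuple[bool, List[int]]:
    """Policy check rule: the required parameters of every required ('#') line,
    plus the parameters they depend on, must all be present in the policy."""
    needed = set()
    for line in template:
        if line.startswith("#"):
            needed.update(line_params(line)[0])
    for code in list(needed):
        needed.update(deps.get(code, []))
    missing = sorted(needed - set(policy))
    return not missing, missing


def filter_params(policy: Policy, template: List[str], deps: Deps) -> Policy:
    """Screening step: drop parameters the template never uses, then drop
    optional parameters whose dependent parameters are absent."""
    mentioned, optional = set(), set()
    for line in template:
        req, opt = line_params(line)
        mentioned.update(req, opt)
        optional.update(opt)
    target = {code: v for code, v in policy.items() if code in mentioned}
    for code in sorted(optional):
        if code in target and any(d not in target for d in deps.get(code, [])):
            del target[code]
    return target


def select_lines(template: List[str], target: Policy) -> List[str]:
    """Candidate lines are those whose required parameters are all target
    parameters; optional segments naming a non-target parameter are removed."""
    def keep_segment(m):
        codes = [int(p.group(1)) for p in PARAM_RE.finditer(m.group(1))]
        return m.group(1) if all(c in target for c in codes) else ""

    return [OPT_RE.sub(keep_segment, line) for line in template
            if all(c in target for c in line_params(line)[0])]


def convert(value: Value, fmt: Optional[str]) -> str:
    """Policy conversion rule: render one normalized value in the target format."""
    if fmt is None:
        return str(value)
    if fmt == "%d.%d.%d.%d":                   # numeric IPv4 -> dotted decimal
        return ".".join(str((int(value) >> s) & 0xFF) for s in (24, 16, 8, 0))
    return fmt.split("|")[int(value)]          # enumeration index -> device string


def render(line: str, target: Policy) -> str:
    """Fill every %code position with its converted matching parameter and drop
    the template-only '#'/'@' marker, leaving only what the device parses."""
    body = PARAM_RE.sub(lambda m: convert(target[int(m.group(1))], m.group(2)), line[1:])
    return " ".join(body.split())


def compile_policy(policy: Policy, template: List[str], deps: Deps) -> List[str]:
    """Check, screen, select and convert: normalized policy -> device command set."""
    ok, missing = verify(policy, template, deps)
    if not ok:
        raise ValueError(f"policy check failed, missing parameter codes {missing}")
    target = filter_params(policy, template, deps)
    return [render(line, target) for line in select_lines(template, target)]


# Constructed template in the style of Table 4 (not the page's own Table 6):
# object names are derived from the parameter they carry and the rule name is
# the policy number, as step (2) of the example does.
TEMPLATE = [
    "#define add host name src%11 ipaddr %2<%d.%d.%d.%d>",
    "#define add host name dst%11 ipaddr %6<%d.%d.%d.%d>",
    "@define add service name svc%10 protocol %10 port1 %8 [port2 %9]",
    "#pf add rule name %11 action %1<deny|accept> sip src%11 dip dst%11 [service svc%10]",
]
DEPS = {9: [8], 10: [8]}   # constructed: end port needs start port, service needs a port
# Example 1's requirement with the page's codes (1 action, 2 source start IP,
# 4 source start port, 6 destination start IP, 8 destination start port,
# 10 protocol, 11 policy number); action value 1 selects "accept".
POLICY = {1: 1, 2: 0x0A0B0C0D, 4: 3344, 6: 0x0D0C0B0A, 8: 7788, 10: 6, 11: 1}

if __name__ == "__main__":
    for cmd in compile_policy(POLICY, TEMPLATE, DEPS):
        print(cmd)
```

Running it drops the source port (code 4, unused by this template), omits the optional "port2" segment because code 9 is absent, and emits four device-ready lines with the hexadecimal addresses rendered in dotted decimal and the action enumeration rendered as "accept". If the destination start port (code 8) were missing instead, the optional service line would be dropped and the rule's "service" segment with it, which is exactly the dependency case the screening step exists to handle.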
Based on any of the above embodiments, a device security policy configuration method is provided in which the target device is configured according to the configuration policy, specifically: each command line in the configuration policy is sent to and configured on the target device, and the configuration result of each command line is obtained; if the configuration result just obtained is a failure, the configuration is interrupted or redone, and all configuration results obtained so far are fed back to the user for analysis.
Specifically, in this embodiment, after the configuration policy for the target device has been obtained, the target device is configured according to it as follows:
Each command line in the configuration policy is sent to and configured on the target device, and the configuration result of each command line is obtained. In this embodiment the configuration result is determined by keyword comparison: the keywords in the device's vendor-specific configuration replies are recorded, and the result is determined by comparing the keywords for the different cases. For example, when a TOPSEC firewall configuration command fails, the device returns the keyword "error" together with a specific error code, so the keyword "error" is recorded; if that keyword is present in a configuration reply, the current command line failed, otherwise it succeeded. On this basis, at any given moment, if the configuration result just obtained is a failure, the configuration is interrupted or redone, and all configuration results obtained so far are fed back to the user for analysis.
In this embodiment, during delivery and configuration of the configuration policy, the target device is in one of four states: Status0, the target device is listening for data; Status1, the target device has accepted a connection; Status2, the target device has received a command line set and is ready to configure it; Status3, the target device has configured a command line and obtains the configuration result. Figure 2 is the state transition diagram of the target device in the device security policy configuration method of this embodiment. As shown in Figure 2, the target device starts in Status0 and enters Status1 when it detects a connection; in Status1 it enters Status2 on receiving a non-empty command line set, and closes the connection and returns to Status0 when the connection times out or a close-connection signal is received; in Status2, if the command line set is non-empty it configures a command line and enters Status3, and if the set is empty it returns to Status1 and continues waiting for command lines; in Status3, it returns a success result and enters Status2 to continue configuring, or returns a failure result and enters Status1 to receive command lines again.
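The keyword-based result judgement and the four-state device behaviour of Figure 2 are easiest to follow as a small simulation. The Python below is an added example, not code from the application: it models the target device walking Status0 to Status3 exactly as the transitions above describe, and a controller that delivers a command set, stops at the first failure and returns every result collected for analysis. The failure keyword "error" comes from the TOPSEC reply described above; the command lines, the reply texts and the error code in them are constructed.

```python
from typing import Dict, List, Tuple

FAIL_KEYWORDS = ("error",)   # recorded failure keyword for the TOPSEC reply described above

Result = Tuple[str, str, bool]   # (command line, device reply, success)


def judge_reply(reply: str, keywords: Tuple[str, ...] = FAIL_KEYWORDS) -> bool:
    """Keyword comparison: a reply containing a recorded failure keyword means
    the command line failed; any other reply counts as success."""
    text = reply.lower()
    return not any(k in text for k in keywords)


class TargetDevice:
    """Simulated target device following the state transitions of Figure 2.
    `replies` is a constructed map from command line to the device's reply text;
    lines not in the map are answered with "ok"."""

    def __init__(self, replies: Dict[str, str]):
        self.replies = replies
        self.state = "Status0"           # listening for data
        self.queue: List[str] = []
        self.trace = ["Status0"]         # every state visited, for inspection

    def _go(self, state: str) -> None:
        self.state = state
        self.trace.append(state)

    def accept_connection(self) -> None:
        """Status0 -> Status1 when a connection is detected."""
        assert self.state == "Status0"
        self._go("Status1")

    def receive(self, lines: List[str]) -> None:
        """Status1 -> Status2 on a non-empty command line set; an empty set
        leaves the device waiting in Status1."""
        assert self.state == "Status1"
        if lines:
            self.queue = list(lines)
            self._go("Status2")

    def close(self) -> None:
        """Status1 -> Status0 on connection timeout or a close signal."""
        assert self.state == "Status1"
        self._go("Status0")

    def configure(self) -> List[Result]:
        """Run the Status2/Status3 loop until the device is back in Status1 and
        return one result per command line actually configured."""
        results: List[Result] = []
        while self.state == "Status2":
            if not self.queue:                     # set exhausted: wait for more lines
                self._go("Status1")
                break
            cmd = self.queue.pop(0)
            reply = self.replies.get(cmd, "ok")
            self._go("Status3")                    # line configured, result obtained
            ok = judge_reply(reply)
            results.append((cmd, reply, ok))
            if ok:
                self._go("Status2")                # success: continue with the next line
            else:
                self.queue.clear()                 # failure: discard the rest, re-receive
                self._go("Status1")
        return results


def apply_policy(device: TargetDevice, lines: List[str]) -> Tuple[List[Result], bool]:
    """Controller side: deliver the configuration policy, interrupt at the first
    failure, and hand back all results collected so far for the user to analyse."""
    device.accept_connection()
    device.receive(lines)
    results = device.configure()
    completed = len(results) == len(lines) and all(ok for _, _, ok in results)
    if device.state == "Status1":
        device.close()                             # release the connection either way
    return results, completed


# Constructed command set and replies: the service line fails with a reply in the
# TOPSEC style described above, so the rule line is never sent.
COMMANDS = [
    "define add host name src1 ipaddr 10.11.12.13",
    "define add host name dst1 ipaddr 13.12.11.10",
    "define add service name svc6 protocol 6 port1 7788",
    "pf add rule name 1 action accept sip src1 dip dst1 service svc6",
]
REPLIES = {COMMANDS[2]: "error 1007: service name already exists"}   # constructed text

if __name__ == "__main__":
    dev = TargetDevice(REPLIES)
    res, done = apply_policy(dev, COMMANDS)
    for cmd, reply, ok in res:
        print("OK  " if ok else "FAIL", cmd, "->", reply)
    print("completed:", done, "trace:", " -> ".join(dev.trace))
```

Substring matching on "error" is only as reliable as the recorded keyword table: a successful reply that echoes a user-supplied name containing that word would be misread as a failure, so the table should be built per device from its manual, as the text says, rather than shared across vendors.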
To make the method steps of the above method embodiments easier to understand, the following example is given:
Example 1: packet filtering policies are configured uniformly on a TOPSEC firewall and a Huawei firewall. The target configuration requirement is to allow packets whose source IP address is "10.11.12.13" (0x0a0b0c0d), source port number is 3344, destination IP address is "13.12.11.10" (0x0d0c0b0a), destination port number is 7788 and protocol number is 6, with policy number 1. The corresponding normalized policy is constructed from this target configuration requirement on the basis of the unified policy description language, as shown in Table 3 below:
Table 3 Example normalized policy
Figure PCTCN2019091873-appb-000003
The normalized policy above contains four kinds of information. The first is the current policy type, identified by the keyword "PolicyType"; here the packet filtering policy is numbered 0001. The second is the policy creator, identified by the keyword "PolicyObject"; the administrator configuring the current policy is User1. The third is the policy configuration object, that is, the target devices, identified by the keyword "PolicySubject"; the target devices of the current policy are the TOPSEC firewall and the Huawei firewall. The fourth is the configuration parameter information, identified by the keyword "PolicyParameter"; each parameter is expressed in "key:value" form, where each parameter has a unique code used as the "key" and the "value" is expressed in the parameter format defined in the unified policy description language. The parameter codes 1 to 11 in the normalized policy above denote, in order, the action, source start IP address, source end IP address, source start port number, source end port number, destination start IP address, destination end IP address, destination start port number, destination end port number, protocol number and policy number. When the source/destination start IP address parameter is non-empty and the source/destination end IP address parameter is empty, the start IP address parameter denotes a single IP address.
The configuration command lines that may be involved in the packet filtering policy of a particular TOPSEC firewall are obtained from the device manual, as shown in Table 4 below. The fourth configuration command line is required for adding a firewall rule and involves the filter action "action", the log switch "log", the service "service", the IP addresses "sip" and "dip" and other information. Only the filter action parameter "action" is written without "[]", meaning it must be configured; the remaining parameters are enclosed in "[]", meaning they may be set as the situation requires. The service "service" and the IP addresses "sip" and "dip" refer to service and IP address objects, so these objects must be defined before those parameters can be set: the source IP address object is defined with the first command line, the destination IP address object with the second, and the service object with the third, which is used when a protocol number and port number must be set. In the third command line, the service name "name", the protocol number "protocol" and port 1 "port1" are required parameters that set the port number for a protocol; port 2 "port2" is optional, and if configured it means the service object's port range runs from port 1 "port1" to port 2 "port2".
Table 4 Packet filtering configuration command line set of a TOPSEC firewall
Figure PCTCN2019091873-appb-000004
The configuration command lines that may be involved in the packet filtering policy of a particular Huawei firewall are obtained from the device manual, as shown in Table 5 below. Command lines 1, 2, 3, 7 and 8 are required, so the action parameters they involve are required parameters. Command lines 4, 5 and 6 are optional and are chosen according to the actual configuration requirements: command line 4 sets the source address information of the packet filtering policy, command line 5 sets its destination address information, and command line 6 sets its service information. Parameters enclosed in "[]" are optional; the "{}" symbol denotes a choice among parameters, one of which must be selected.
Table 5 Packet filtering configuration command line set of a Huawei firewall
Figure PCTCN2019091873-appb-000005
All command lines in Tables 4 and 5 are converted on the basis of the unified policy description language in the following steps:
(1) Retain the characters the device must use. As shown in Tables 4 and 5, the bold characters in each command line are the characters the device needs when parsing the command line, so all characters of this kind are retained without modification.
(2) Modify the characters used for prompting. As shown in Tables 4 and 5, the non-bold italic strings in each command line are prompt strings, which are replaced by parameter codes on the basis of the unified policy description language. For parameters that serve as unique identifiers, such as object names and rule names, the content of the corresponding object or rule is used as the name: for example, the source IP address parameter code replaces the source IP address object name, the policy number replaces the rule name parameter, and the default mask value replaces a mask parameter that would otherwise have to be filled in. In addition, the seven symbols are used to mark prompt characters uniformly: "#" marks a required command line, "@" an optional command line, "%" a parameter position, "[]" an optional parameter, "<>" a parameter's target format, "{}" a required enumerated parameter, and "|" separates enumeration values or target formats.
(3)添加设备识别的参数格式信息。对于天融信防火墙,存在2种需要转换格式的参数:IP地址类参数和枚举类参数。对于IP地址类参数,需要将统一的十六进制格式的IP地址转换为设备能识别的点分十进制的IP地址,因此在IP地址类参数后的“<>”中填充“%d.%d.%d.%d”格式信息表明需要转换的格式;对于枚举类参数,需要将统一的整形格式的枚举参数转换为设备能识别的枚举字符串,如动作参数和日志开关参数后的“<>”符号中依次列举枚举字符串,并使用“|”符号分隔。对于华为防火墙,也存在相同的2种需要转换格式的参数:IP地址类参数和枚举类参数。对于IP地址类参数,需要将统一的十六进制格式的IP地址转换为设备能识别的点分十进制的IP地址,因此在IP地址类参数后的“<>”中填充“%d.%d.%d.%d”格式信息表明需要转换的格式;对于枚举类参数,需要将统一的整形格式的枚举参数转换为设备能识别的枚举字符串,如动作参数后的“<>”符号中依次列举枚举字符串,并使用“|”符号分隔。(3) Add parameter format information recognized by the device. For TOPSEC firewall, there are two parameters that need to be converted: IP address type parameters and enumeration type parameters. For IP address parameters, you need to convert the IP address in a unified hexadecimal format to a dotted decimal IP address that the device can recognize, so fill "%d.%" in the "<>" after the IP address parameter d.%d.%d" format information indicates the format that needs to be converted; for enumeration parameters, the enumeration parameters in the unified shaping format need to be converted into enumeration strings that the device can recognize, such as action parameters and log switch parameters The following "<>" symbols enumerate the enumerated strings in sequence, and use the "|" symbol to separate them. For Huawei firewalls, there are the same two parameters that need to be converted: IP address type parameters and enumeration type parameters. For IP address parameters, you need to convert the IP address in a unified hexadecimal format to a dotted decimal IP address that the device can recognize, so fill "%d.%" in the "<>" after the IP address parameter d.%d.%d" format information indicates the format that needs to be converted; for enumeration parameters, the enumeration parameters in the unified plastic format need to be converted into enumeration strings that can be recognized by the device, such as the "< >" enumerates the enumerated strings in turn, separated by the "|" symbol.
通过以上转换步骤,即可获得天融信防火墙数据包过滤策略的策略模板(如下表6)和华为防火墙的数据包过滤策略的策略模板(如下表7)。Through the above conversion steps, you can obtain the policy template of the packet filtering policy of TOPSEC firewall (see Table 6 below) and the policy template of the packet filtering policy of Huawei firewall (Table 7 below).
表6 天融信防火墙数据包过滤策略的策略模板Table 6 Policy template of TOPSEC firewall packet filtering policy
Figure PCTCN2019091873-appb-000006
Table 7 Policy template for the Huawei firewall packet filtering policy
Figure PCTCN2019091873-appb-000007
The normalized policy in Table 3 is verified with the policy verification rule against the policy templates in Table 6 and Table 7 respectively. Specifically, in Table 6 the mandatory parameters of the mandatory command lines are required parameters, i.e. the action parameter "action" in the last command line is mandatory; if it were missing, the entire policy configuration would fail. This mandatory parameter does not depend on any other parameter, and the normalized policy in Table 3 contains the action parameter, so verification passes. In Table 7 the mandatory parameters of the mandatory command lines are likewise required: the rule name parameter "rule name" in the 2nd command line and the action parameter "action" in the 8th command line are mandatory, and their absence would make the entire policy configuration fail. These mandatory parameters do not depend on other parameters, and the normalized policy in Table 3 contains the policy number parameter and the action parameter, so verification passes.
All configuration parameters of the normalized policy in Table 3 are then filtered against the policy templates in Tables 6 and 7. Specifically, Table 6 shows that the TOPSEC firewall does not recognize the source port parameter or the policy number parameter, so these two parameters are removed from the normalized policy in Table 3 and the remaining parameters become the target parameters for the TOPSEC firewall. Table 7 shows that the Huawei firewall recognizes every parameter of the normalized policy in Table 3, so no parameter needs to be removed and all parameters in Table 3 become the target parameters for the Huawei firewall.
The target command lines for the TOPSEC firewall are obtained from all command lines of the policy template in Table 6 according to the TOPSEC target parameters, and the target command lines for the Huawei firewall are obtained from all command lines of the policy template in Table 7 according to the Huawei target parameters. Specifically, for the TOPSEC firewall the command line that defines an IP address must be used twice, to define the source IP address and the destination IP address, the command line that defines a service must be used once, to define the destination port and protocol number, and the source IP address, destination IP address and service parameters are selected in the last command line. For the Huawei firewall, in addition to the command lines required to configure a policy, the 4th, 5th and 6th command lines are selected to define the source IP address, the destination IP address, and the port and protocol respectively; the 4th and 5th lines each select a single IP address parameter, and the 6th uses a single port parameter.
Finally, the policy conversion rule converts the TOPSEC target command lines according to the TOPSEC target parameters, producing the TOPSEC firewall packet filtering configuration policy, and converts the Huawei target command lines according to the Huawei target parameters, producing the Huawei firewall packet filtering configuration policy. The resulting TOPSEC and Huawei packet filtering configuration policies are shown in Table 8 below.
Table 8 Packet filtering configuration policies for the TOPSEC firewall and the Huawei firewall
Figure PCTCN2019091873-appb-000008
Finally, the TOPSEC firewall packet filtering configuration policy is delivered to and configured on the TOPSEC device, and the Huawei firewall packet filtering configuration policy is delivered to and configured on the Huawei device.
Fig. 3 is a schematic structural diagram of the device security policy configuration apparatus provided by an embodiment of this application. As shown in Fig. 3, the apparatus includes a normalized policy construction module 31, a policy template acquisition module 32, a parameter and command line determination module 33, and a policy conversion and configuration module 34, where:
The normalized policy construction module 31 constructs, based on the unified policy description language, the normalized policy corresponding to the target configuration requirement; the normalized policy contains a policy type, at least one target device and at least one configuration parameter.
Specifically, this embodiment designs a unified policy description language that accommodates the differences between configuration command formats. On this basis, when a target configuration requirement exists, the normalized policy construction module 31 constructs the corresponding normalized policy from it using the unified policy description language. The normalized policy contains a policy type, at least one target device and at least one configuration parameter. It may also contain the policy creator, which can be set according to actual needs and is not specifically limited here.
The policy template acquisition module 32 obtains, for any target device in the normalized policy, the policy template corresponding to that target device from the policy template library according to the policy type in the normalized policy; the policy template contains at least one command line.
Specifically, if the normalized policy contains multiple target devices, the normalized policy is to be configured on all of them at the same time. For any target device in the normalized policy, the policy template acquisition module 32 obtains the policy template corresponding to the target device from the policy template library according to the target device itself and the policy type in the normalized policy. The policy template library stores in advance the policy templates of the different policy types for the different devices; that is, device, policy type and policy template are associated and stored in the library beforehand, so the template for a target device can be looked up from the target device itself and the policy type in the normalized policy.
The parameter and command line determination module 33 verifies the normalized policy against the policy template using the policy verification rule; if verification passes, it filters all configuration parameters in the normalized policy according to the policy template, takes each remaining configuration parameter as a target parameter, and obtains the target command lines from all command lines in the policy template according to all target parameters.
Specifically, on the basis of the above, the parameter and command line determination module 33 verifies the normalized policy against the policy template using the policy verification rule; if verification passes, the target device is able to apply the normalized policy. Once verification passes, the module filters all configuration parameters in the normalized policy according to the policy template of that target device and takes each remaining configuration parameter as a target parameter. The target parameters are the parameters the target device needs in order to configure the normalized policy. After the target parameters are obtained, some command line in the policy template may still have mandatory and/or optional parameters that are absent from the target parameters, so that command line could not be configured. To check whether every command line in the policy template can actually be configured, the module 33 obtains the target command lines from all command lines in the policy template according to all target parameters, so that every parameter (mandatory and optional) of each target command line is contained in the target parameters, ensuring each target command line can be configured.
The policy conversion and configuration module 34 converts all target command lines according to all target parameters using the policy conversion rule, generates the configuration policy corresponding to the target device, and configures the target device according to that configuration policy.
Specifically, the policy conversion and configuration module 34 uses the policy conversion rule to convert all target command lines according to all target parameters, that is, it fills the target parameters into the corresponding positions of the target command lines. The converted target command lines form the configuration policy of the target device: the set of command lines the target device can recognize, which together implement the normalized policy. Finally, the target device is configured according to the configuration policy, i.e. the configuration policy is delivered to and configured on the target device.
The device security policy configuration apparatus provided by this embodiment carries out the flows of the method embodiments above; refer to those embodiments for details, which are not repeated here.
The device security policy configuration apparatus provided by this embodiment constructs a normalized policy from the target configuration requirement based on the unified policy description language, obtains the policy template corresponding to the target device from the policy template library, filters the target parameters out of all configuration parameters of the normalized policy according to the policy template, obtains the target command lines from all command lines of the policy template according to all target parameters, converts all target command lines according to all target parameters to generate the configuration policy for the target device, and finally delivers and configures that policy on the target device. The apparatus spares the administrator from learning the differing syntax and semantics of configuration commands, which lowers the cost of the work; the administrator only needs to issue the configuration requirement once, which avoids repeated operations and improves the efficiency of device security policy configuration, ensuring that security policies reach devices in time.
Fig. 4 is a schematic diagram of the physical structure of an electronic device provided by an embodiment of this application. Referring to Fig. 4, the electronic device includes a processor 41, a memory 42 and a bus 43; the processor 41 and the memory 42 communicate with each other through the bus 43; the processor 41 calls the program instructions in the memory 42 to execute the method provided by any of the method embodiments above, for example: constructing, based on the unified policy description language, the normalized policy corresponding to the target configuration requirement, the normalized policy containing a policy type, at least one target device and at least one configuration parameter; for any target device in the normalized policy, obtaining the policy template corresponding to the target device from the policy template library according to the policy type in the normalized policy, the policy template containing at least one command line; verifying the normalized policy against the policy template using the policy verification rule and, if verification passes, filtering all configuration parameters in the normalized policy according to the policy template, taking each remaining configuration parameter as a target parameter, and obtaining the target command lines from all command lines in the policy template according to all target parameters; converting all target command lines according to all target parameters using the policy conversion rule, generating the configuration policy corresponding to the target device, and configuring the target device according to the configuration policy.
In addition, the logic instructions in the memory 42 may be implemented as software functional units and, when sold or used as an independent product, stored in a computer-readable storage medium. On this understanding, the technical solution of the embodiments, or the part of it that contributes to the prior art, may be embodied as a software product stored in a storage medium and containing instructions that cause a computer device (a personal computer, a server, a network device, etc.) to execute all or part of the steps of the methods described in the embodiments. The storage medium may be a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
An embodiment of this application also provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, performs the methods provided by the embodiments above, for example: constructing, based on the unified policy description language, the normalized policy corresponding to the target configuration requirement, the normalized policy containing a policy type, at least one target device and at least one configuration parameter; for any target device in the normalized policy, obtaining the policy template corresponding to the target device from the policy template library according to the policy type in the normalized policy, the policy template containing at least one command line; verifying the normalized policy against the policy template using the policy verification rule and, if verification passes, filtering all configuration parameters in the normalized policy according to the policy template, taking each remaining configuration parameter as a target parameter, and obtaining the target command lines from all command lines in the policy template according to all target parameters; converting all target command lines according to all target parameters using the policy conversion rule, generating the configuration policy corresponding to the target device, and configuring the target device according to the configuration policy.
The apparatus embodiments described above are merely illustrative. Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
From the description of the embodiments above, those skilled in the art will understand that each embodiment can be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware. On this understanding, the technical solution, or the part of it that contributes to the prior art, may be embodied as a software product stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disk, containing instructions that cause a computer device (a personal computer, a server, a network device, etc.) to execute the methods described in the embodiments or in parts of them.
Finally, it should be noted that the above embodiments only illustrate the technical solution of this application and do not limit it. Although the application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in those embodiments may still be modified, or some of their technical features replaced by equivalents, without these modifications or replacements departing from the spirit and scope of the technical solutions of the embodiments of this application.

Claims (10)

  1. A method for configuring a device security policy, characterized in that it comprises:
    constructing, based on a unified policy description language, a normalized policy corresponding to a target configuration requirement, the normalized policy containing a policy type, at least one target device and at least one configuration parameter;
    for any target device in the normalized policy, obtaining the policy template corresponding to the target device from a policy template library according to the policy type in the normalized policy, the policy template containing at least one command line;
    verifying the normalized policy against the policy template using a policy verification rule and, if verification passes, filtering all configuration parameters in the normalized policy according to the policy template, taking each remaining configuration parameter as a target parameter, and obtaining target command lines from all command lines in the policy template according to all target parameters;
    converting all target command lines according to all target parameters using a policy conversion rule, generating the configuration policy corresponding to the target device, and configuring the target device according to the configuration policy.
  2. The method for configuring a device security policy according to claim 1, characterized in that, before obtaining the policy template corresponding to the target device from the policy template library according to the policy type in the normalized policy, the method further comprises:
    taking each policy type the target device allows to be configured as a target policy type, and for any target policy type, obtaining all command lines corresponding to the target policy type from the device manual of the target device;
    converting all command lines corresponding to the target policy type based on the unified policy description language, and composing all converted command lines into a policy template;
    storing the target device, the target policy type and the policy template in association in the policy template library.
  3. The method for configuring a device security policy according to claim 1, characterized in that verifying the normalized policy against the policy template using a policy verification rule specifically comprises:
    obtaining all mandatory parameters, and the dependent parameters of each mandatory parameter, from all command lines of the policy template;
    determining whether the normalized policy contains all mandatory parameters and all dependent parameters;
    if it contains all mandatory parameters and all dependent parameters, determining that the normalized policy passes verification; if it does not, determining that the normalized policy fails verification.
  4. The method for configuring a device security policy according to claim 1, characterized in that filtering all configuration parameters in the normalized policy according to the policy template specifically comprises:
    for any configuration parameter in the normalized policy, if the policy template does not contain the configuration parameter, deleting the configuration parameter from the normalized policy;
    obtaining all optional parameters, and the dependent parameters of each optional parameter, from all command lines of the policy template, and for any optional parameter, if the normalized policy contains the optional parameter but does not contain the dependent parameters of that optional parameter, deleting the optional parameter from the normalized policy.
  5. The method for configuring a device security policy according to claim 1, characterized in that obtaining target command lines from all command lines in the policy template according to all target parameters specifically comprises:
    for any command line in the policy template, if all mandatory parameters of the command line belong to the target parameters, taking the command line as a candidate command line;
    for any candidate command line, deleting the optional parameters of the candidate command line that do not belong to the target parameters, to obtain a target command line.
  6. The method for configuring a device security policy according to claim 1, characterized in that converting all target command lines according to all target parameters using a policy conversion rule specifically comprises:
    for any target command line, taking each parameter in the target command line as a parameter to be converted, obtaining the position of each parameter to be converted in the target command line as a position to be filled, and obtaining from the target command line the format corresponding to each parameter to be converted as its target format;
    for any parameter to be converted, obtaining from all target parameters the target parameter that matches the parameter to be converted as a matching parameter, converting the format of the matching parameter according to the target format corresponding to the parameter to be converted, and filling the format-converted matching parameter into the position to be filled corresponding to the parameter to be converted.
  7. The method for configuring a device security policy according to claim 1, wherein configuring the target device according to the configuration policy specifically comprises:
    delivering each command line in the configuration policy to the target device and applying it, and obtaining the configuration result of each command line;
    if the currently obtained configuration result is a failure, interrupting the configuration or reconfiguring, and feeding back all configuration results obtained so far to the user for analysis.
  8. An apparatus for configuring a device security policy, characterized by comprising:
    a normalized policy construction module, configured to construct, based on a unified policy description language and according to a target configuration requirement, a normalized policy corresponding to the target configuration requirement, the normalized policy containing a policy type, at least one target device and at least one configuration parameter;
    a policy template acquisition module, configured to, for any target device in the normalized policy, acquire a policy template corresponding to the target device from a policy template library according to the policy type in the normalized policy, the policy template containing at least one command line;
    a parameter and command line determination module, configured to verify the normalized policy against the policy template by using a policy verification rule and, if the verification passes, to filter all configuration parameters in the normalized policy according to the policy template, take each filtered configuration parameter as a target parameter, and obtain target command lines from all command lines in the policy template according to all target parameters;
    a policy conversion and configuration module, configured to convert all target command lines according to all target parameters by using a policy conversion rule, generate a configuration policy corresponding to the target device, and configure the target device according to the configuration policy.
  9. An electronic device, comprising at least one processor and at least one memory communicatively connected to the processor, the memory storing program instructions executable by the processor, characterized in that the processor, by invoking the program instructions, is able to perform the method according to any one of claims 1 to 7.
  10. A non-transitory computer-readable storage medium storing computer instructions, characterized in that the computer instructions cause a computer to perform the method according to any one of claims 1 to 7.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910427706.9 2019-05-22
CN201910427706.9A CN110348201B (en) 2019-05-22 2019-05-22 Method and device for configuring equipment security policy

Publications (1)

Publication Number Publication Date
WO2020232785A1 true WO2020232785A1 (en) 2020-11-26

Family

ID=68174607

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/091873 WO2020232785A1 (en) 2019-05-22 2019-06-19 Device security policy configuration method and apparatus

Country Status (2)

Country Link
CN (1) CN110348201B (en)
WO (1) WO2020232785A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115208671A (en) * 2022-07-15 2022-10-18 山石网科通信技术股份有限公司 Firewall configuration method and device, electronic equipment and storage medium

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113285906A (en) * 2020-02-19 2021-08-20 北京百度网讯科技有限公司 Security policy configuration method, device, equipment and storage medium
CN111447203B (en) * 2020-03-24 2020-11-10 江苏易安联网络技术有限公司 Security policy arranging method
CN114124688B (en) * 2020-08-11 2024-02-20 中国电信股份有限公司 Configuration method and system and computer storage medium
CN112165395B (en) * 2020-09-11 2023-04-18 烽火通信科技股份有限公司 Network management configuration data conversion method and system
CN114513419A (en) * 2020-11-16 2022-05-17 北京神州泰岳软件股份有限公司 Security policy configuration method and system
CN112636953A (en) * 2020-12-07 2021-04-09 杭州迪普科技股份有限公司 Policy command issuing method and device and electronic equipment
CN112367211B (en) * 2021-01-13 2021-04-13 武汉思普崚技术有限公司 Method, device and storage medium for generating configuration template by device command line
CN114915431B (en) * 2021-01-29 2024-05-24 中移(苏州)软件技术有限公司 State detection method, node, system and storage medium
CN113422778B (en) * 2021-07-01 2022-11-11 中国工商银行股份有限公司 Firewall policy configuration method and device and electronic equipment
CN113922979B (en) * 2021-08-23 2023-07-04 北京天融信网络安全技术有限公司 Network security equipment configuration system, configuration method and computer equipment
CN114024759B (en) * 2021-11-09 2024-02-02 北京天融信网络安全技术有限公司 Security policy management and control method, device, computer equipment and medium
CN114205125B (en) * 2021-11-25 2024-03-29 北京国泰网信科技有限公司 Policy management method, device, equipment and medium based on security area

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060021028A1 (en) * 2003-03-28 2006-01-26 Brunette Glenn M System and method for adaptive policy and dependency-based system security audit
CN1988478A (en) * 2006-12-14 2007-06-27 上海交通大学 Integrated tactic managing system based on expandable label language
US8161520B1 (en) * 2004-04-30 2012-04-17 Oracle America, Inc. Methods and systems for securing a system in an adaptive computer environment
CN106845246A (en) * 2016-12-22 2017-06-13 北京聆云信息技术有限公司 A kind of security strategy adaptation frameworks and its method
CN108429774A (en) * 2018-06-21 2018-08-21 蔡梦臣 A kind of firewall policy centralized optimization management method and its system
CN108717362A (en) * 2018-05-21 2018-10-30 北京晨宇泰安科技有限公司 It is a kind of based on can be after the network equipments configuration model and configuration method of bearing structure

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100440809C (en) * 2006-11-13 2008-12-03 杭州华三通信技术有限公司 Method and device for service configuration of network equipment

Also Published As

Publication number Publication date
CN110348201B (en) 2020-09-01
CN110348201A (en) 2019-10-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 19929235; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 19929235; Country of ref document: EP; Kind code of ref document: A1