CN104735026A - Security strategy control method and device - Google Patents


Info

Publication number
CN104735026A
Authority
CN
China
Prior art keywords
data
normalization
security strategy
filtering object
security
Legal status
Granted
Application number
CN201310704252.8A
Other languages
Chinese (zh)
Other versions
CN104735026B (en)
Inventor
刘剑波
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Events
Application filed by Huawei Technologies Co Ltd
Priority to CN201310704252.8A
Publication of CN104735026A
Application granted
Publication of CN104735026B
Legal status: Active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies

Abstract

Embodiments of the invention provide a security policy control method and device. The method includes: obtaining the filter object data contained in the security policies of a firewall; normalizing the filter object data of each security policy by merging all the data of each filter object, so that the normalized data of each filter object contains no repeated data; comparing the normalized data of the same filter object in any two security policies that have the same security domain; and determining that a redundancy relation exists between the two security policies if the normalized data of any one filter object contain the same data. With this method and device, whether the security policies in a firewall are redundant can be judged quickly and accurately.

Description

Security strategy control method and device
Technical field
Embodiments of the present invention relate to the field of network security, and in particular to a security policy control method and device.
Background technology
A firewall is a network security system that, by means of preset security policies, determines which data is allowed through and which is rejected, thereby filtering data and protecting network resources.
A security policy consists of filter objects and a filter action; the filter action is permit or deny. A security policy is configured by setting the data corresponding to each filter object, for example the concrete addresses, subnets and address ranges of an address object, or the concrete port numbers and protocol names of a service object. Transmitted data that matches the filter object data of a security policy is processed according to that policy's filter action.
Because a firewall contains a very large number of security policies that are difficult to maintain, the inventor found in the course of the invention that a large number of security policies easily leads to redundancy, which lowers the operation and maintenance (O&M) efficiency of the firewall. How to determine quickly and accurately whether the security policies in a firewall are redundant, so that redundancy problems can be resolved quickly, has therefore become an urgent technical problem for those skilled in the art.
Summary of the invention
In order to judge quickly and accurately whether the security policies in a firewall are redundant, embodiments of the invention provide a security policy control method and device.
To achieve the above object, embodiments of the present invention provide the following technical solutions:
According to a first aspect, a security policy control method is provided, comprising:
obtaining the filter object data contained in the security policies of a firewall;
normalizing the filter object data of each security policy by merging the data of each filter object to obtain the normalized data of each filter object, so that the normalized data of each filter object contains no repeated data;
comparing the two normalized data of the same filter object in any two security policies that have the same security domain;
if the two normalized data of any one filter object contain the same data, determining that the two security policies have a redundancy relation.
In a first possible implementation of the first aspect, the any two security policies comprise a first security policy and a second security policy, and the two normalized data of the same filter object comprise the first normalized data of the first security policy and the second normalized data of the second security policy;
after determining that the two security policies have a redundancy relation, the method further comprises:
if, for every filter object, the first of the two normalized data contains all the data of the second normalized data, determining that the second security policy is a fully redundant security policy, and otherwise a partially redundant security policy.
In combination with the first possible implementation of the first aspect, a second possible implementation of the first aspect is provided, in which determining that the second security policy is fully redundant when, for every filter object, the first of the two normalized data contains the second normalized data comprises:
when, for every filter object, the first of the two normalized data contains all the data of the second normalized data, if the matching priority of the first security policy is higher than the matching priority of the second security policy, determining that the second security policy is a fully redundant security policy, and otherwise a partially redundant security policy.
In combination with the first aspect or any of the above possible implementations of the first aspect, a third possible implementation of the first aspect is provided, in which comparing the two normalized data of the same filter object in any two security policies with the same security domain comprises:
in matching-priority order, comparing each security policy with every security policy whose matching priority is lower than its own and which is not a fully redundant security policy, by comparing the two normalized data of the same filter object in the two security policies.
In combination with the first aspect or any of the above possible implementations of the first aspect, a fourth possible implementation of the first aspect is provided, in which normalizing the filter object data of each security policy and merging the data of each filter object to obtain the normalized data of each filter object comprises:
for each security policy, removing the nesting relation from filter object data that has a nesting relation;
merging the data of each filter object and converting it to the same data type, to obtain the normalized data of each filter object, so that the normalized data of each filter object contains no repeated data.
According to a second aspect, a security policy control device is provided, comprising:
a data obtaining unit, for obtaining the filter object data contained in the security policies of a firewall;
a normalization unit, for normalizing the filter object data of each security policy by merging the data of each filter object to obtain the normalized data of each filter object, so that the normalized data of each filter object contains no repeated data;
a comparing unit, for comparing the two normalized data of the same filter object in any two security policies that have the same security domain;
a first redundancy determining unit, for determining that the two security policies have a redundancy relation if the two normalized data of any one filter object contain the same data.
In a first possible implementation of the second aspect, the device further comprises:
a second redundancy determining unit, for determining that the second security policy, to which the second normalized data belongs, is a fully redundant security policy if, for every filter object, the first of the two normalized data contains all the data of the second normalized data, and otherwise a partially redundant security policy.
In combination with the first possible implementation of the second aspect, a second possible implementation of the second aspect is provided, in which the second redundancy determining unit is specifically for determining that the second security policy is a fully redundant security policy if, for every filter object, the first of the two normalized data contains all the data of the second normalized data and the matching priority of the first security policy, to which the first normalized data belongs, is higher than the matching priority of the second security policy, to which the second normalized data belongs, and otherwise a partially redundant security policy.
In combination with the second aspect or any of the above possible implementations of the second aspect, a third possible implementation of the second aspect is provided, in which the comparing unit is specifically for comparing, in matching-priority order, each security policy with every security policy whose matching priority is lower than its own, by comparing the two normalized data of the same filter object in the two security policies.
In combination with the second aspect or any of the above possible implementations of the second aspect, a fourth possible implementation of the second aspect is provided, in which the normalization unit comprises:
a flattening unit, for removing, for each security policy, the nesting relation from filter object data that has a nesting relation;
a normalization subunit, for merging the data of each filter object and converting it to the same data type, to obtain the normalized data of each filter object, so that the normalized data of each filter object contains no repeated data.
In summary, embodiments of the invention provide a security policy control method and device: the filter object data of each security policy in a firewall are normalized to obtain the normalized data of the filter objects; the two normalized data of the same filter object in any two security policies with the same security domain are compared, and if the two normalized data of any one filter object contain the same data, the two security policies are determined to have a redundancy relation. This makes it possible to judge quickly and accurately whether the security policies in a firewall are redundant. Because the normalized data contains no repeated data, the comparison workload is reduced, which further improves the efficiency of the redundancy determination.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings required for the description of the embodiments or of the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of an embodiment of a security policy control method provided by an embodiment of the present invention;
Fig. 2 is a flowchart of another embodiment of a security policy control method provided by an embodiment of the present invention;
Fig. 3 is a flowchart of another embodiment of a security policy control method provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an embodiment of a security policy control device provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of another embodiment of a security policy control device provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of another embodiment of a security policy control device provided by an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of an embodiment of a control apparatus provided by an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of an embodiment of a firewall provided by an embodiment of the present invention.
Embodiments
The technical solutions of the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
An embodiment of the present invention can comprise:
obtaining the filter object data of the security policies in a firewall; normalizing the filter object data of each security policy in the firewall to obtain the normalized data of the filter objects; and comparing the two normalized data of the same filter object in any two security policies that have the same security domain. If the two normalized data of any one filter object contain the same data, the two security policies can be determined to have a redundancy relation. By comparing the normalized filter object data, whether the security policies in the firewall are redundant can be judged quickly and accurately. Because the normalized data contains no repeated data, the comparison workload is reduced, which further improves the efficiency of the redundancy determination.
Fig. 1 is a flowchart of an embodiment of a security policy control method provided by an embodiment of the present invention. The method can comprise the following steps:
101: obtain the filter object data contained in each security policy of the firewall.
The filter objects comprise at least an address object and a service object.
A firewall contains a large number of security policies, each consisting of filter objects and a filter action. The filter object data form the filter condition of the security policy; when no filter object data is set, the firewall denies or permits all transmitted data. For transmitted data that matches the filter condition, a filter action such as deny or permit can be specified.
In a traditional firewall the filter objects mainly comprise address objects and service objects. An address object is a source address object or a destination address object. A service is an information flow that follows a protocol standard and has certain characteristics, such as a corresponding protocol and port number; a service object can therefore comprise a port object and a protocol object, and a port object can in turn be a source port object or a destination port object.
Filter object data can therefore comprise source address data, destination address data, source port data, destination port data and protocol data. Source address data and destination address data consist mainly of at least one of multiple addresses, multiple subnets and multiple address ranges, and can filter access to addresses or subnets. Source port data and destination port data mainly comprise multiple port numbers, and protocol data mainly comprises protocol names; these can filter access to ports or protocols.
In a next-generation firewall the filter objects likewise mainly comprise address objects and service objects, and may additionally comprise user objects, application objects and time objects. User object data comprise user names and can restrict user access rights. Application object data comprise application names, for example an RDP (Remote Desktop Protocol) application or a P2P (peer-to-peer) application, and can restrict access by applications. Time object data comprise multiple time periods or periodic time periods, for example 4:00-6:00, or 5:00-8:00 every day, and can restrict access by time.
In an object-based configuration scheme for policy data, filter object data is set in advance, and when a security policy is configured it directly references the preset filter object data. Preset filter object data can be referenced by different security policies, and the same filter object may have many preset groups of filter object data; an address object, for example, can comprise multiple address sets, and there can be nesting relations between the address sets.
102: normalize the filter object data of each security policy by merging the data of each filter object to obtain the normalized data of each filter object, so that the normalized data of each filter object contains no repeated data.
Each filter object may comprise multiple data, and the data of the same filter object may contain identical data. Address object data, for example, comprise multiple addresses and multiple address ranges; an address range may include one or more of the individual addresses, and different address ranges may include the same individual address. For instance, if address object data comprise 1.1.1.1, 1.1.1.2, 1.1.1.4 and 1.1.1.3-1.1.1.5, the address range 1.1.1.3-1.1.1.5 obviously includes the address 1.1.1.4.
To reduce the amount of data processing, in the embodiment of the present invention all the filter object data of each security policy are normalized: the data of each filter object are merged so that the resulting normalized data of the filter object contains no identical data, that is, repeated data in the filter object data is removed from the normalized data. For the address object data 1.1.1.1, 1.1.1.2, 1.1.1.4, 1.1.1.3-1.1.1.5 above, the merged normalized data is 1.1.1.1-1.1.1.5.
When the filter objects also comprise a time object, the time periods in the time object are merged in the same way; for example, 4:00-6:00 and 5:00-8:00 merge into 4:00-8:00.
In the normalization process, for a filter object that contains no identical data, the normalized data is simply the original data of the filter object.
103: compare the two normalized data of the same filter object in any two security policies that have the same security domain.
A firewall performs access control based on security domains: what a security policy controls is whether transmitted data from a source security domain to a destination security domain is permitted or denied. Only policies in the same security domain can have a redundancy problem.
In the embodiment of the present invention, therefore, only security policies with the same security domain are compared with each other.
Each security policy comprises a source security domain and a destination security domain; "the same security domain" here means that the source security domains are identical and the destination security domains are also identical.
104: if the two normalized data of any one filter object contain the same data, determine that the two security policies have a redundancy relation.
If, in two security policies, the two normalized data of any one filter object have a non-empty intersection, the two security policies can be determined to have a redundancy relation.
After the security policies with a redundancy relation have been determined, information can also be output to prompt the user to handle the security policies that have a redundancy relation.
In this embodiment, the filter object data of each security policy in the firewall are normalized to obtain the normalized data of the filter objects, and the two normalized data of the same filter object in any two security policies with the same security domain are compared. If the two normalized data of any one filter object contain the same data, the two security policies can be determined to have a redundancy relation. By comparing the normalized filter object data, whether the security policies in the firewall are redundant can be judged quickly and accurately. Because the normalized data contains no repeated data, the comparison workload is reduced, which further improves the efficiency of the redundancy determination.
Fig. 2 is a flowchart of another embodiment of a security policy control method provided by an embodiment of the present invention. The method can comprise the following steps:
201: obtain the filter object data contained in the security policies of the firewall; the filter objects comprise at least an address object and a service object.
202: normalize the filter object data of each security policy by merging the data of each filter object to obtain the normalized data of each filter object, so that the normalized data of each filter object contains no repeated data.
203: compare the two normalized data of the same filter object in any two security policies that have the same security domain.
204: if the two normalized data of any one filter object contain the same data, determine that the two security policies have a redundancy relation.
Steps 201 to 204 are the same as steps 101 to 104 and are not repeated here.
205: judge whether, for every filter object, the first of the two normalized data contains the second normalized data; if so, go to step 206, otherwise go to step 207.
206: determine that the second of the two security policies is a fully redundant security policy.
207: determine that the second of the two security policies is a partially redundant security policy.
The any two security policies comprise a first security policy and a second security policy; for the same filter object, the normalized data of the first security policy is the first normalized data and the normalized data of the second security policy is the second normalized data. If, for every filter object, the first of the two normalized data contains all the data of the second normalized data, that is, the intersection of the first and second normalized data equals the second normalized data, then the second security policy corresponding to the second normalized data is a fully redundant security policy.
When the first and second security policies have a redundancy relation, if the first normalized data of the filter objects contains only part of the second normalized data, that is, the intersection of the first and second normalized data is not equal to the second normalized data, the second security policy is a partially redundant security policy. Here, the case in which the first normalized data of every filter object does not contain the second normalized data includes the case in which the first normalized data of at least one filter object does not contain the second normalized data.
The security policies in a firewall have matching priorities: transmitted data is matched against the security policies in turn according to matching priority, and as soon as a security policy matches the transmitted data, matching stops and the remaining security policies are not consulted.
Therefore, to further improve the accuracy of the redundant-policy determination, when it is determined that for every filter object the first of the two normalized data contains the second normalized data, the second security policy is determined to be a fully redundant security policy if the matching priority of the first security policy is higher than the matching priority of the second security policy, and otherwise a partially redundant security policy.
That is, if for every filter object the first of the two normalized data contains the second normalized data, but the matching priority of the first security policy is lower than the matching priority of the second security policy, the second security policy is a partially redundant security policy.
Fully redundant and partially redundant security policies can be handled differently. A fully redundant security policy can be deleted from the firewall by the system. For a partially redundant security policy, redundancy information can be output to inform the user that a partially redundant security policy exists, so that the user is reminded to handle it in time, reducing the amount of redundancy in the firewall and improving O&M efficiency.
In this embodiment, the filter object data of each security policy in the firewall are normalized to obtain the normalized data of the filter objects, and the two normalized data of the same filter object in any two security policies with the same security domain are compared. If the two normalized data of any one filter object contain the same data, the two security policies can be determined to have a redundancy relation; if the first of the two normalized data contains the second normalized data, the second security policy corresponding to the second normalized data can be determined to be a fully redundant security policy, and otherwise a partially redundant security policy, so that security policies of different redundancy types can be handled differently. This embodiment judges quickly and accurately whether the security policies in a firewall are redundant. Because the normalized data contains no repeated data, the comparison workload is reduced, which further improves the efficiency of the redundancy determination.
Fig. 3 is a flowchart of another embodiment of a security policy control method provided by an embodiment of the present invention. The method can comprise the following steps:
301: obtain the filter object data contained in the security policies of the firewall; the filter objects comprise at least an address object and a service object.
302: for each security policy, remove the nesting relation from filter object data that has a nesting relation.
303: merge the data of each filter object and convert it to the same data type, to obtain the normalized data of each filter object, so that the normalized data of each filter object contains no repeated data.
In an object-based configuration scheme for policy data, filter object data is set in advance, and when a security policy is configured it directly references the preset filter object data.
Preset filter object data can be referenced by different security policies; the same filter object may have many groups of filter object data, each group may comprise multiple data, and groups of filter object data may be nested in one another. An address object, for example, can comprise multiple address sets with nesting relations between them: address set A contains the data 1.1.1.1, 1.1.1.2, 1.1.1.4 and address set B, and address set B contains the data 1.1.1.3-1.1.1.5, so address set A nests the data of address set B.
Therefore, during normalization, filter object data with a nesting relation has the nesting relation removed, that is, it is flattened. For address set A above, the flattened result is: 1.1.1.1, 1.1.1.2, 1.1.1.4, 1.1.1.3-1.1.1.5.
The data of each filter object are then merged and converted to the same data type.
For filter object data with a nesting relation, the filter object data from which the nesting relation has been removed are merged; for address set A above, the merged data can be 1.1.1.1-1.1.1.5.
During merging, if the merged data are consecutive they can be represented as a data range. For example, after repeated data is removed, address set A above is 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5; since these addresses are consecutive, the merged data can be expressed as the address range 1.1.1.1-1.1.1.5.
Converting to the same data type unifies data of different types into one data type so that the data can be compared conveniently.
Of course, this data type conversion need not be performed during normalization; it can also be performed when the data are compared.
When the filter object data in a security policy are normalized, the data of all the filter objects are first extracted; these filter objects include the source address object and destination address object among the address objects, and the source port object, destination port object and protocol object among the service objects.
User objects, application objects and time objects may also be included.
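The normalization described in step 102 (merging so that no data is repeated, for addresses and for time periods) and in steps 302 and 303 (flattening nested address sets, converting to one data type, merging consecutive values into a range) can be carried out as below. This is an added illustration, not code from the patent or from Huawei; the address-set layout `ADDRESS_SETS`, in which a member whose name is another set denotes a nested reference, the function names, and the integer-interval representation chosen as the "same data type" are all assumptions of the example. It also handles two cases the text only implies: a CIDR subnet as address data, and a reference cycle between address sets, which is reported as a configuration error rather than looped on.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

Interval = Tuple[int, int]

# Constructed object-based configuration (not from the patent): address set A nests a
# reference to address set B, as in the step 303 example; C has no repeated data.
ADDRESS_SETS: Dict[str, List[str]] = {
    "A": ["1.1.1.1", "1.1.1.2", "1.1.1.4", "B"],
    "B": ["1.1.1.3-1.1.1.5"],
    "C": ["10.0.0.1", "10.0.0.9"],
}


def flatten(name: str, sets: Dict[str, List[str]], path: Tuple[str, ...] = ()) -> List[str]:
    """Step 302: remove the nesting relation by replacing each reference to another
    address set with that set's members.  A reference cycle is a configuration error."""
    if name in path:
        raise ValueError(f"address set reference cycle: {' -> '.join(path + (name,))}")
    flat: List[str] = []
    for item in sets[name]:
        flat.extend(flatten(item, sets, path + (name,)) if item in sets else [item])
    return flat


def address_to_interval(item: str) -> Interval:
    """Step 303, same data type: a single address, an 'a-b' address range or a CIDR
    subnet all become an inclusive (low, high) pair of integers."""
    if "-" in item:
        lo, hi = (int(ipaddress.ip_address(p.strip())) for p in item.split("-", 1))
    elif "/" in item:
        net = ipaddress.ip_network(item, strict=False)
        lo, hi = int(net.network_address), int(net.broadcast_address)
    else:
        lo = hi = int(ipaddress.ip_address(item))
    if lo > hi:
        raise ValueError(f"inverted address range {item!r}")
    return lo, hi


def merge_intervals(intervals: Iterable[Interval], gap: int) -> List[Interval]:
    """Step 303, merging: combine intervals that overlap or touch so no value occurs
    twice.  gap=1 joins consecutive discrete values (addresses, ports); gap=0 joins
    continuous periods that share an endpoint (time)."""
    merged: List[Interval] = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + gap:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def normalize_address_set(name: str, sets: Dict[str, List[str]]) -> List[str]:
    """Flatten, convert to one type, merge, then render consecutive addresses as a range.
    A set with no repeated data comes back unchanged, as the text requires."""
    merged = merge_intervals((address_to_interval(i) for i in flatten(name, sets)), gap=1)
    rendered = []
    for lo, hi in merged:
        a, b = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        rendered.append(str(a) if lo == hi else f"{a}-{b}")
    return rendered


def _minutes(hhmm: str) -> int:
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def normalize_time_periods(periods: Iterable[str]) -> List[str]:
    """Step 102 time object: '4:00-6:00' and '5:00-8:00' merge into '4:00-8:00'."""
    intervals = [tuple(_minutes(t) for t in p.split("-")) for p in periods]
    merged = merge_intervals(intervals, gap=0)
    return [f"{lo // 60}:{lo % 60:02d}-{hi // 60}:{hi % 60:02d}" for lo, hi in merged]


if __name__ == "__main__":
    print(normalize_address_set("A", ADDRESS_SETS))            # ['1.1.1.1-1.1.1.5']
    print(normalize_address_set("C", ADDRESS_SETS))            # ['10.0.0.1', '10.0.0.9']
    print(normalize_time_periods(["4:00-6:00", "5:00-8:00"]))  # ['4:00-8:00']
```

The `gap` parameter is the one design point worth noting: addresses and ports are discrete, so 1.1.1.2 and 1.1.1.3 are merged into one range, whereas time periods are continuous and only merge when they overlap or share an endpoint.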
304: According to the matching priority order, compare any security strategy with each security strategy whose matching priority is lower than its own, comparing the normalization data of the same filtering object in the two security strategies.
305: If the normalization data of any filtering object in the two security strategies share identical data, determine that the two security strategies have a redundancy relationship.
306: Judge whether, for each filtering object, the first normalization data of the two includes the second normalization data; if so, perform step 307; if not, perform step 309.
307: Judge whether the matching priority of the first security strategy, to which the first normalization data belongs, is higher than the matching priority of the second security strategy, to which the second normalization data belongs; if so, enter step 308; if not, perform step 309.
308: Determine that, of the two security strategies, the second security strategy is a fully redundant security strategy.
309: Determine that, of the two security strategies, the second security strategy is a partially redundant security strategy.
When the first security strategy and the second security strategy have a redundancy relationship, if for each filtering object the first normalization data includes the second normalization data, and the matching priority of the first security strategy is higher than the matching priority of the second security strategy, the second security strategy is determined to be a fully redundant security strategy; otherwise it is a partially redundant security strategy.
That is, if for some filtering object the first normalization data includes only part of the second normalization data, the second security strategy is a partially redundant security strategy; and if the first normalization data includes all of the second normalization data but the matching priority of the first security strategy is lower than that of the second security strategy, the second security strategy is likewise a partially redundant security strategy.
In this embodiment, when security strategies are compared, the security strategies in the same security domain are taken in turn according to matching priority, and for any security strategy, the security strategies whose matching priority is lower than its own are traversed and compared with it. A firewall includes a large number of security strategies, each with a matching priority. When data are filtered, they are matched against the security strategies in order of matching priority from high to low; once a matching security strategy is found, the matching flow ends and the data are processed according to that security strategy. Therefore, in this embodiment, any security strategy is compared with each security strategy whose matching priority is lower than its own, to determine whether the lower-priority security strategy is redundant.
Comparing any security strategy with each security strategy of lower matching priority, to determine whether the lower-priority security strategy is redundant, may specifically be: according to the matching priority order, comparing the security strategy with the highest matching priority with each security strategy whose matching priority is lower, to determine fully redundant security strategies and partially redundant security strategies;
After the comparisons for the security strategy with the highest matching priority are finished, selecting, according to matching priority, any security strategy that has a lower matching priority than the highest one and is not a fully redundant security strategy, and comparing it in turn with each security strategy that has a lower matching priority than it and is not a fully redundant security strategy, to determine fully redundant security strategies and partially redundant security strategies, until every security strategy has been compared with the security strategies of lower matching priority.
Fully redundant security strategies and partially redundant security strategies can be handled differently. A fully redundant security strategy can be deleted from the firewall by the system. For a partially redundant security strategy, redundancy prompt information can be output to inform the user that a partially redundant security strategy exists, so that the user is reminded to handle it in time, which reduces the amount of redundancy in the firewall and improves O&M efficiency.
In this embodiment, the filtering object data of each security strategy in the firewall are normalized to obtain the normalization data of each filtering object, and, according to matching priority, the normalization data of the same filtering object in two security strategies of the same security domain are compared. If the normalization data of any filtering object share identical data, the two security strategies can be determined to have a redundancy relationship; if the first normalization data includes the second normalization data and the matching priority of the first security strategy is higher than that of the second security strategy, the second security strategy corresponding to the second normalization data can be determined to be a fully redundant security strategy, and otherwise a partially redundant security strategy, so that security strategies of different redundancy types can be handled differently. This embodiment can judge quickly and accurately whether the security strategies in a firewall are redundant. Moreover, the normalized data contain no repeated data, which reduces the comparison workload and further improves the efficiency of judging security strategy redundancy.
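The normalization described above (flatten nested sets, merge into ranges, convert every object to one data type) together with the priority-ordered comparison of steps 304 to 309, as an added Python example; it is not the patent's own code. The sample policy records, their `zone` field, the protocol number table and the `classify` return format are constructed for this example.

```python
"""Normalize firewall filtering objects and classify redundant security strategies.

Added example, not the patent's code. Sample policies are constructed. Following the
page, an intersection in ANY filtering object establishes a redundancy relationship,
and a security strategy is fully redundant only when a higher-priority strategy
contains it in EVERY filtering object. Higher numeric priority is matched first.
"""
from ipaddress import IPv4Address

OBJECTS = ("src_addr", "dst_addr", "src_port", "dst_port", "protocol")
PROTOCOLS = {"tcp": 6, "udp": 17, "icmp": 1}          # constructed protocol table
ANY = {"src_addr": (0, 2**32 - 1), "dst_addr": (0, 2**32 - 1),
       "src_port": (0, 65535), "dst_port": (0, 65535), "protocol": (0, 255)}


def flatten(value):
    """Remove data nesting: an address set may itself contain other sets (lists)."""
    if isinstance(value, (list, tuple, set)):
        out = []
        for item in value:
            out.extend(flatten(item))
        return out
    return [value]


def to_int(token, kind):
    """Convert one address, port or protocol token to the common integer type."""
    if kind.endswith("addr"):
        return int(IPv4Address(token))
    if kind == "protocol":
        return PROTOCOLS[token.lower()]
    return int(token)


def to_range(item, kind):
    """Single value 'x' -> (x, x); 'a-b' -> (a, b); 'any' -> full range."""
    if item == "any":
        return ANY[kind]
    if "-" in item:
        lo, hi = item.split("-", 1)
        return to_int(lo, kind), to_int(hi, kind)
    value = to_int(item, kind)
    return value, value


def merge(ranges):
    """Merge overlapping or consecutive inclusive ranges so no data is repeated."""
    out = []
    for lo, hi in sorted(ranges):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out


def normalize(value, kind):
    """Normalization data of one filtering object: sorted, disjoint integer ranges."""
    return merge(to_range(item, kind) for item in flatten(value))


def render(ranges, kind):
    """Format normalized ranges back into readable form, e.g. '1.1.1.1-1.1.1.5'."""
    def show(v):
        return str(IPv4Address(v)) if kind.endswith("addr") else str(v)
    return [show(lo) if lo == hi else f"{show(lo)}-{show(hi)}" for lo, hi in ranges]


def intersects(a, b):
    """True if the two normalized range lists share at least one value."""
    return any(lo <= hi2 and lo2 <= hi for lo, hi in a for lo2, hi2 in b)


def contains(a, b):
    """True if every range of b lies inside some range of a (both normalized)."""
    return all(any(lo <= lo2 and hi2 <= hi for lo, hi in a) for lo2, hi2 in b)


def classify(policies):
    """Return {name: 'full' | 'partial' | None} following steps 304 to 309."""
    ordered = sorted(policies, key=lambda p: p["priority"], reverse=True)
    norm = {p["name"]: {k: normalize(p[k], k) for k in OBJECTS} for p in ordered}
    verdict = {p["name"]: None for p in ordered}
    for i, first in enumerate(ordered):
        if verdict[first["name"]] == "full":       # fully redundant ones are skipped
            continue
        for second in ordered[i + 1:]:
            if verdict[second["name"]] == "full" or second["zone"] != first["zone"]:
                continue                           # only the same security domain
            a, b = norm[first["name"]], norm[second["name"]]
            if not any(intersects(a[k], b[k]) for k in OBJECTS):
                continue                           # step 305: no redundancy relationship
            if all(contains(a[k], b[k]) for k in OBJECTS) and first["priority"] > second["priority"]:
                verdict[second["name"]] = "full"   # steps 306-308
            elif verdict[second["name"]] is None:
                verdict[second["name"]] = "partial"  # step 309
    return verdict


# Constructed sample: a nested address set like "address set A" on the page.
ADDRESS_SET_A = ["1.1.1.1", ["1.1.1.2", "1.1.1.4"], "1.1.1.3-1.1.1.5"]
SAMPLE_POLICIES = [
    {"name": "P1", "priority": 30, "zone": ("trust", "untrust"), "src_addr": ["10.0.0.0-10.0.0.255"],
     "dst_addr": ADDRESS_SET_A, "src_port": ["any"], "dst_port": ["80", "443"], "protocol": ["tcp"]},
    {"name": "P2", "priority": 20, "zone": ("trust", "untrust"), "src_addr": ["10.0.0.10"],
     "dst_addr": ["1.1.1.3"], "src_port": ["any"], "dst_port": ["443"], "protocol": ["tcp"]},
    {"name": "P3", "priority": 10, "zone": ("trust", "untrust"), "src_addr": ["10.0.0.0-10.0.1.255"],
     "dst_addr": ["1.1.1.5"], "src_port": ["any"], "dst_port": ["80"], "protocol": ["tcp"]},
    {"name": "P4", "priority": 5, "zone": ("dmz", "untrust"), "src_addr": ["10.0.0.10"],
     "dst_addr": ["1.1.1.3"], "src_port": ["any"], "dst_port": ["443"], "protocol": ["tcp"]},
]

if __name__ == "__main__":
    print(render(normalize(ADDRESS_SET_A, "dst_addr"), "dst_addr"))
    print(classify(SAMPLE_POLICIES))
```

P2 is covered by P1 in every object and so is fully redundant; P3 has a wider source range than P1 and is only partially redundant; P4 is in a different security domain and is never compared.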
For the sake of simple description, each of the foregoing method embodiments is expressed as a series of action combinations, but those skilled in the art should know that the present invention is not limited by the described sequence of actions, because according to the embodiments of the present invention some steps can be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
Fig. 4 is a schematic structural diagram of an embodiment of a security strategy control device provided by an embodiment of the present invention. The device can include:
Data acquisition unit 401, for obtaining the filtering object data included in the security strategies in the firewall.
The filtering objects include at least an address object and a service object.
Normalization unit 402, for normalizing the filtering object data of each security strategy, merging the data of each filtering object to obtain the normalization data of each filtering object, such that the normalization data of each filtering object contain no identical data.
During normalization, for a filtering object whose data contain no identical data, the normalization data remain the original data of the filtering object.
Comparing unit 403, for comparing the normalization data of the same filtering object in any two security strategies of the same security domain.
A firewall performs access control based on security domains; what a security strategy specifically controls is whether transmitted data from a source security domain to a destination security domain are allowed or rejected. Only strategies in the same security domain can have a redundancy problem.
Each security strategy includes a source security domain and a destination security domain; "the same security domain" here means that the source security domains are identical and the destination security domains are also identical.
First redundancy determining unit 404, for determining that the two security strategies have a redundancy relationship if the normalization data of any filtering object share identical data.
If, in the two security strategies, the normalization data of any filtering object have an intersection, the two security strategies can be determined to have a redundancy relationship.
After the security strategies with a redundancy relationship are determined, prompt information can also be output to inform the user to handle them.
In this embodiment, the filtering object data of each security strategy in the firewall are normalized to obtain the normalization data of each filtering object, and the normalization data of the same filtering object in any two security strategies of the same security domain are compared. If the normalization data of any filtering object share identical data, the two security strategies can be determined to have a redundancy relationship. By comparing the normalized filtering object data, it can be judged quickly and accurately whether the security strategies in a firewall are redundant. The normalized data contain no repeated data, which further improves the efficiency of judging security strategy redundancy.
Fig. 5 is a schematic structural diagram of another embodiment of a security strategy control device provided by an embodiment of the present invention. The device can include:
Data acquisition unit 501, for obtaining the filtering object data included in the security strategies in the firewall.
The filtering objects include at least an address object and a service object.
Normalization unit 502, for normalizing the filtering object data of each security strategy, merging the data of each filtering object to obtain the normalization data of each filtering object, such that the normalization data of each filtering object contain no identical data.
Comparing unit 503, for comparing the normalization data of the same filtering object in any two security strategies of the same security domain.
First redundancy determining unit 504, for determining that the two security strategies have a redundancy relationship if the normalization data of any filtering object share identical data.
Second redundancy determining unit 505, for determining that the second security strategy, to which the second normalization data belongs, is a fully redundant security strategy if, for each filtering object, the first normalization data includes all of the second normalization data, and otherwise a partially redundant security strategy.
Any two security strategies include a first security strategy and a second security strategy; for the same filtering object, the normalization data of the first security strategy are the first normalization data and the normalization data of the second security strategy are the second normalization data. If, for each filtering object, the first normalization data includes all of the second normalization data, that is, the intersection of the first normalization data and the second normalization data equals the second normalization data, the second security strategy corresponding to the second normalization data is a fully redundant security strategy.
When the first security strategy and the second security strategy have a redundancy relationship, if in the two security strategies the first normalization data of some filtering object includes only part of the second normalization data, that is, the intersection of the first normalization data and the second normalization data is not equal to the second normalization data, the second security strategy is a partially redundant security strategy. The case where the first normalization data does not include the second normalization data for each filtering object includes the case where the first normalization data of at least one filtering object does not include the second normalization data.
The security strategies in the firewall have matching priorities, and transmitted data are matched against the security strategies in turn according to matching priority; once a security strategy matching the transmitted data is found, matching stops and the remaining security strategies are not matched.
Therefore, to further improve the accuracy of identifying redundant security strategies, when the second redundancy determining unit determines that for each filtering object the first normalization data includes the second normalization data, it determines that the second security strategy is a fully redundant security strategy if the matching priority of the first security strategy is higher than that of the second security strategy, and otherwise a partially redundant security strategy.
Fully redundant security strategies and partially redundant security strategies can be handled differently. A fully redundant security strategy can be deleted from the firewall by the system. For a partially redundant security strategy, redundancy prompt information can be output to inform the user that a partially redundant security strategy exists, so that the user is reminded to handle it in time, which reduces the amount of redundancy in the firewall and improves O&M efficiency.
In this embodiment, the filtering object data of each security strategy in the firewall are normalized to obtain the normalization data of each filtering object, and the normalization data of the same filtering object in any two security strategies of the same security domain are compared. If the normalization data of any filtering object share identical data, the two security strategies can be determined to have a redundancy relationship; if the first normalization data includes the second normalization data, the second security strategy corresponding to the second normalization data can be determined to be a fully redundant security strategy, and otherwise a partially redundant security strategy, so that security strategies of different redundancy types can be handled differently. This embodiment judges quickly and accurately whether the security strategies in a firewall are redundant. Moreover, the normalized data contain no repeated data, which reduces the comparison workload and further improves the efficiency of judging security strategy redundancy.
Fig. 6 is a schematic structural diagram of a further embodiment of a security strategy control device provided by an embodiment of the present invention. The device can include:
Data acquisition unit 601, for obtaining the filtering object data included in the security strategies in the firewall.
The filtering objects include at least an address object and a service object.
Normalization unit 602, for normalizing the filtering object data of each security strategy, merging the data of each filtering object to obtain the normalization data of each filtering object, such that the normalization data of each filtering object contain no identical data.
In this embodiment, the normalization unit 602 can include:
Flattening unit 6021, for removing, for each security strategy, the data nesting relationship from filtering object data that have a data nesting relationship;
Normalization subunit 6023, for merging the data of each filtering object and converting them into the same data type, to obtain the normalization data of each filtering object, such that the normalization data of each filtering object contain no identical data.
Comparing unit 603, for comparing, according to the matching priority order, any security strategy with each security strategy whose matching priority is lower than its own, comparing the normalization data of the same filtering object in the two security strategies.
As one possible implementation, the comparing unit 603 can include:
First comparing subunit, for comparing, according to the matching priority order, the security strategy with the highest matching priority with each security strategy whose matching priority is lower, to determine fully redundant security strategies and partially redundant security strategies, and for triggering the second comparing subunit;
Second comparing subunit, for selecting, according to matching priority, any security strategy that has a lower matching priority than the highest one and is not a fully redundant security strategy, and comparing it in turn with each security strategy that has a lower matching priority than it and is not a fully redundant security strategy, to determine fully redundant security strategies and partially redundant security strategies, until every security strategy has been compared with the security strategies of lower matching priority.
First redundancy determining unit 604, for determining that the two security strategies have a redundancy relationship if the normalization data of any filtering object share identical data.
Second redundancy determining unit 605, for determining that the second security strategy is a fully redundant security strategy if, for each filtering object, the first normalization data includes all of the second normalization data and the matching priority of the first security strategy, to which the first normalization data belongs, is higher than the matching priority of the second security strategy, to which the second normalization data belongs, and otherwise a partially redundant security strategy.
Fully redundant security strategies and partially redundant security strategies can be handled differently. A fully redundant security strategy can be deleted from the firewall by the system. For a partially redundant security strategy, redundancy prompt information can be output to inform the user that a partially redundant security strategy exists, so that the user is reminded to handle it in time, which reduces the amount of redundancy in the firewall and improves O&M efficiency.
Therefore, the device can also include:
Processing unit, for deleting the second security strategy.
Prompt unit, for outputting redundancy prompt information to inform the user that a partially redundant security strategy exists.
In this embodiment, the filtering object data of each security strategy in the firewall are normalized to obtain the normalization data of each filtering object, and, according to matching priority, the normalization data of the same filtering object in two security strategies of the same security domain are compared. If the normalization data of any filtering object share identical data, the two security strategies can be determined to have a redundancy relationship; if the first normalization data includes the second normalization data and the matching priority of the first security strategy is higher than that of the second security strategy, the second security strategy corresponding to the second normalization data can be determined to be a fully redundant security strategy, and otherwise a partially redundant security strategy, so that security strategies of different redundancy types can be handled differently. This embodiment can judge quickly and accurately whether the security strategies in a firewall are redundant. Moreover, the normalized data contain no repeated data, which reduces the comparison workload and further improves the efficiency of judging security strategy redundancy.
In practice, the security strategy control device described in the above embodiments can be integrated into a firewall, or into a third-party device connected to the firewall. A firewall or other device on which the security strategy control device of an embodiment of the present invention is deployed can determine quickly and accurately whether security strategies are redundant.
From the above description, those skilled in the art can clearly understand that the present invention can be implemented by software plus a necessary general-purpose hardware platform. Therefore, referring to Fig. 7, an embodiment of the present invention further provides a control device, which includes at least a processor 701, and a memory 702 and a receiver 703 each connected to the processor 701 via a bus.
The memory 702 stores a group of program instructions. The memory may be a high-speed RAM memory, or a non-volatile memory, such as at least one magnetic disk memory.
The processor 701 is used to call the program instructions stored in the memory 702 and perform the following operations:
Trigger the receiver 703 to obtain the filtering object data included in the security strategies in the firewall;
Normalize the filtering object data of each security strategy, merging the data of each filtering object to obtain the normalization data of each filtering object, such that the normalization data of each filtering object contain no identical data;
Compare the normalization data of the same filtering object in any two security strategies of the same security domain;
If the normalization data of any filtering object share identical data, determine that the two security strategies have a redundancy relationship.
The processor may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
Optionally, the control device may be used to perform any of the security strategy control methods shown in Fig. 1 to Fig. 3 provided by the embodiments of the present invention.
The control device can judge the redundancy of the security strategies in different firewalls.
Referring to Fig. 8, the present invention further provides a firewall, which includes at least a processor 801 and a memory 802 connected to the processor 801 via a bus.
The processor 701 is used to call the program instructions stored in the memory 702 and perform the following operations:
Obtain the filtering object data included in the security strategies;
Normalize the filtering object data of each security strategy, merging the data of each filtering object to obtain the normalization data of each filtering object, such that the normalization data of each filtering object contain no identical data;
Compare the normalization data of the same filtering object in any two security strategies of the same security domain;
If the normalization data of any filtering object share identical data, determine that the two security strategies have a redundancy relationship.
The processor may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
Optionally, the firewall may be used to perform any of the security strategy control methods shown in Fig. 1 to Fig. 3 provided by the embodiments of the present invention.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments can be referred to one another. Since the devices disclosed in the embodiments correspond to the methods disclosed in the embodiments, their description is relatively simple, and the relevant parts can be referred to the description of the methods.
Finally, it should also be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply that any such actual relationship or order exists between these entities or operations. Moreover, the terms "comprise", "comprising" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
For convenience of description, the above devices are described by dividing them into units according to function. Of course, when the present invention is implemented, the functions of the units can be realized in the same piece or in multiple pieces of software and/or hardware.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software plus a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can in essence be embodied in the form of a software product. This computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the present invention or in parts of them.
The above description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein can be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A security strategy control method, characterized in that it comprises:
Obtaining the filtering object data included in the security strategies in a firewall;
Normalizing the filtering object data of each security strategy, merging the data of each filtering object to obtain the normalization data of each filtering object, such that the normalization data of each filtering object contain no identical data;
Comparing the normalization data of the same filtering object in any two security strategies of the same security domain;
If the normalization data of any filtering object share identical data, determining that the two security strategies have a redundancy relationship.
2. The method according to claim 1, characterized in that the any two security strategies comprise a first security strategy and a second security strategy, and the normalization data of the same filtering object comprise first normalization data of the first security strategy and second normalization data of the second security strategy;
After determining that the two security strategies have a redundancy relationship, the method further comprises:
If, for each filtering object, the first normalization data includes all of the second normalization data, determining that the second security strategy is a fully redundant security strategy, and otherwise a partially redundant security strategy.
3. The method according to claim 2, characterized in that determining that the second security strategy of the second normalization data is a fully redundant security strategy when, for each filtering object, the first normalization data includes all of the second normalization data comprises:
When, for each filtering object, the first normalization data includes all of the second normalization data, if the matching priority of the first security strategy is higher than the matching priority of the second security strategy, determining that the second security strategy is a fully redundant security strategy, and otherwise a partially redundant security strategy.
4. The method according to any one of claims 1 to 3, characterized in that comparing the normalization data of the same filtering object in any two security strategies of the same security domain comprises:
According to the matching priority order, comparing any security strategy with each security strategy whose matching priority is lower than its own, comparing the normalization data of the same filtering object in the two security strategies.
5. The method according to any one of claims 1 to 4, characterized in that normalizing the filtering object data of each security strategy and merging the data of each filtering object to obtain the normalization data of each filtering object comprises:
For each security strategy, removing the data nesting relationship from filtering object data that have a data nesting relationship;
Merging the data of each filtering object and converting them into the same data type, to obtain the normalization data of each filtering object, such that the normalization data of each filtering object contain no identical data.
6. A security strategy control device, characterized in that it comprises:
A data acquisition unit, for obtaining the filtering object data included in the security strategies in a firewall;
A normalization unit, for normalizing the filtering object data of each security strategy, merging the data of each filtering object to obtain the normalization data of each filtering object, such that the normalization data of each filtering object contain no identical data;
A comparing unit, for comparing the normalization data of the same filtering object in any two security strategies of the same security domain;
A first redundancy determining unit, for determining that the two security strategies have a redundancy relationship if the normalization data of any filtering object share identical data.
7. The device according to claim 6, characterized in that it further comprises:
A second redundancy determining unit, for determining that the second security strategy of the second normalization data is a fully redundant security strategy if, for each filtering object, the first normalization data includes all of the second normalization data, and otherwise a partially redundant security strategy.
8. The device according to claim 7, characterized in that the second redundancy determining unit is specifically for determining that the second security strategy is a fully redundant security strategy if, for each filtering object, the first normalization data includes all of the second normalization data and the matching priority of the first security strategy of the first normalization data is higher than the matching priority of the second security strategy of the second normalization data, and otherwise a partially redundant security strategy.
9. The device according to any one of claims 6 to 8, characterized in that the comparing unit is specifically for comparing, according to the matching priority order, any security strategy with each security strategy whose matching priority is lower than its own, comparing the normalization data of the same filtering object in the two security strategies.
10. The device according to any one of claims 6 to 9, characterized in that the normalization unit comprises:
A flattening unit, for removing, for each security strategy, the data nesting relationship from filtering object data that have a data nesting relationship;
A normalization subunit, for merging the data of each filtering object and converting them into the same data type, to obtain the normalization data of each filtering object, such that the normalization data of each filtering object contain no identical data.
Application CN201310704252.8A, priority date 2013-12-19, filing date 2013-12-19: Security strategy control method and device (status Active; granted as CN104735026B).

Publications (2)

Publication Number Publication Date
CN104735026A 2015-06-24
CN104735026B 2018-05-18