CN108667776B - Network service diagnosis method - Google Patents
- Publication number
- CN108667776B; application CN201710208010.8A; CN201710208010A
- Authority
- CN
- China
- Prior art keywords
- service request
- security policy
- security
- matching
- request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The embodiment of the invention discloses a network service diagnosis method. The network service diagnosis method in the embodiment of the invention comprises the following steps: acquiring configuration information of the security devices through which a service request passes, wherein the configuration information comprises security policy rules; preprocessing according to the service request and the configuration information of the security devices, the preprocessing comprising: selecting a corresponding security policy matching mode according to the type of each security device, determining the input interface and the output interface of each security device through which the service request passes, and generating a service request to be analyzed; and matching the service request to be analyzed with the security policy rules of the security devices according to the selected security policy matching mode and a preset matching algorithm, and generating the permission condition of each security device for the service request. The technical scheme provided by the embodiment of the invention makes security devices of different types and manufacturers compatible when network service diagnosis is executed, thereby improving the practicability of the network service diagnosis method.
Description
Technical Field
The invention relates to the technical field of network topology, in particular to a network service diagnosis method.
Background
With the continuous development of internet technology, network environments are increasingly complex, and network security has become a major concern for enterprises. To address the potential security hazards in a network, an enterprise may deploy firewalls and other security devices in its internal network; in particular, a company with a large and complex internal network may deploy multiple security devices in it.
At present, when multiple security devices are deployed, the internal network is generally divided into multiple zones, and multiple firewall rule sets are deployed on the security devices to interconnect the zones, so the security maintenance personnel of the company's internal network must check carefully that the rule sets on different security devices do not interfere with each other and introduce security holes. As corporate intranets become increasingly complex and the cost of maintaining them increases, it becomes difficult for security administrators to assess whether a security device in the intranet allows a given service to pass through it. Reasons that make the security policies of a corporate intranet difficult to assess include, for example: (1) the configuration languages of security devices such as firewalls are obscure, so security policies are difficult to configure and maintain; (2) because the configuration languages of security devices from different manufacturers differ, a security administrator must be familiar with the differences between the security devices in the company's internal network, which increases the difficulty of managing them; (3) between a source address and a destination address there may be multiple paths for a message, and different paths traverse different security devices, so to answer a query a security administrator must manually check all the rules on each of these security devices, which may consume a large amount of manpower. Because the security policy of the company's internal network is difficult to evaluate, the security administrator can use an existing network service diagnosis tool to diagnose the complex internal network; this solves some problems but still has the following disadvantages:
(1) The network service diagnosis tool can only perform service diagnosis on a network whose security devices come from a single manufacturer and are of a single type; it is not compatible with security devices of different manufacturers and types.
(2) Some actions on specific security devices that affect service requests are not considered, for example layer-2/layer-3 blocking policies, DNAT address translation, and the like.
(3) No effective solution is provided for the case where a security device in the network does not permit a service request to pass.
In summary, although a network service diagnosis tool in the prior art can solve some problems of service diagnosis, some problems remain unsolved, so the practicability of service diagnosis on a company's internal network is poor.
Disclosure of Invention
In order to solve the above technical problems, embodiments of the present invention provide a network service diagnosis method, which implements compatibility between security devices of different types and manufacturers when performing network service diagnosis by reasonably designing a network service diagnosis manner, thereby improving the practicability of the network service diagnosis method.
In a first aspect, an embodiment of the present invention provides a network service diagnosis method, including:
acquiring configuration information of the security devices through which a service request passes, wherein the configuration information comprises security policy rules;
preprocessing according to the service request and the configuration information of the security devices, the preprocessing comprising: selecting a corresponding security policy matching mode according to the type of each security device, determining the input interface and the output interface of each security device through which the service request passes, and generating a service request to be analyzed;
and matching the service request to be analyzed with the security policy rules of the security devices according to the selected security policy matching mode and a preset matching algorithm, to generate the permission condition of each security device for the service request.
In a first possible implementation manner of the first aspect, the configuration information further includes one or more of a blocking policy and destination address translation (DNAT), and the preprocessing further includes one or more of the following processes:
comparing the service request with the blocking policy of each security device, and filtering out a service request that is blocked by the blocking policy of a security device;
determining, according to the security policy rules of each security device, whether the security policy rules use the address before DNAT translation or the address after DNAT translation, and thereby whether DNAT translation is to be performed on the service request at that security device; when the security policy rules of a security device use the address after DNAT translation, performing the DNAT translation on the service request at that security device.
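The two preprocessing steps above (blocking-policy filtering and deciding which address the policy of each device is matched against) are shown below as an added worked example; it is not the patent's own code. The data structures, field names such as `policy_uses_post_nat`, the sample addresses and the two-device path are all constructed for illustration. The example also carries the translated destination on to devices further along the path, which goes slightly beyond the text but is how DNAT behaves on a real path.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    """A service request as seen at one device (constructed model of Table 1)."""
    src: str       # source host address
    dst: str       # destination host address
    service: str   # e.g. "tcp/443"

@dataclass
class DeviceConfig:
    """Constructed per-device configuration; the field names are assumptions."""
    name: str
    # L2/L3 blocking policy: (network, service or None for any service). Traffic
    # hitting one of these is dropped before any security policy rule is consulted.
    blocks: List[Tuple[str, Optional[str]]]
    dnat: Dict[str, str]         # DNAT table: public destination -> internal destination
    policy_uses_post_nat: bool   # this vendor writes policy against the post-DNAT address

def is_blocked(cfg: DeviceConfig, flow: Flow) -> bool:
    """Blocking-policy check: source or destination inside a blocked network,
    for the blocked service (or any service when the entry names none)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for net, svc in cfg.blocks:
        network = ipaddress.ip_network(net)
        if (src in network or dst in network) and svc in (None, flow.service):
            return True
    return False

def flow_for_policy(cfg: DeviceConfig, flow: Flow) -> Flow:
    """The request the device's own policy rules are matched against:
    translated only where the rules are written in post-DNAT terms."""
    if cfg.policy_uses_post_nat and flow.dst in cfg.dnat:
        return replace(flow, dst=cfg.dnat[flow.dst])
    return flow

def preprocess(path: List[DeviceConfig], flow: Flow) -> Dict[str, Optional[Flow]]:
    """Walk the access path in order. For each device return the request to
    analyse, or None when its blocking policy drops the request (devices further
    along never see it, so the walk stops there)."""
    result: Dict[str, Optional[Flow]] = {}
    for cfg in path:
        if is_blocked(cfg, flow):
            result[cfg.name] = None
            break
        result[cfg.name] = flow_for_policy(cfg, flow)
        # Assumption beyond the text: once a device translates the destination,
        # every device further along the path sees the translated address.
        if flow.dst in cfg.dnat:
            flow = replace(flow, dst=cfg.dnat[flow.dst])
    return result

# Constructed two-hop path: an edge firewall doing DNAT whose policy is written
# against the pre-NAT (public) address, then a core firewall whose policy uses the
# post-NAT address and which blocks telnet into the server subnet at layer 3.
EDGE = DeviceConfig("edge", blocks=[], dnat={"203.0.113.10": "10.1.1.10"},
                    policy_uses_post_nat=False)
CORE = DeviceConfig("core", blocks=[("10.1.1.0/24", "tcp/23")], dnat={},
                    policy_uses_post_nat=True)
PATH = [EDGE, CORE]

if __name__ == "__main__":
    for f in (Flow("198.51.100.5", "203.0.113.10", "tcp/443"),
              Flow("198.51.100.5", "203.0.113.10", "tcp/23")):
        print(f.service, preprocess(PATH, f))
```

The pre-NAT/post-NAT distinction is what makes this step matter for a diagnosis: a rule on `core` written for `10.1.1.10` would never intersect a request that still carries `203.0.113.10`, so a tool that skipped the translation would report a reject that the live device never produces, and an administrator acting on that report would open a rule that is not needed.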
In a second possible implementation manner of the first aspect, the types of the security devices include a first type, a second type, and a third type, where the security policy rules of the first type of security device form a priority list according to a configuration order, the security policy rules of the second type of security device include inter-area security policy rules and global security policy rules, and the security policy rules of the third type of security device include security policy rules on an ingress interface and an egress interface; the selecting a corresponding security policy matching mode according to the type of each security device includes:
when the device type is the first type, selecting a security policy matching mode in which the service request is matched with the security policy rules in the order of the priority list;
when the device type is the second type, selecting a security policy matching mode in which the service request is matched first with the inter-area security policy rules and then with the global security policy rules;
and when the device type is the third type, selecting a security policy matching mode in which the service request is matched separately with the security policy rules on the input interface and on the output interface of the security device.
In a third possible implementation manner of the first aspect, the matching of the service request to be analyzed with the security policy rules of the security devices according to the selected security policy matching mode and a preset matching algorithm, to generate the permission condition of each security device for the service request, includes:
matching the service request to be analyzed with the security policy rules of the security device according to the selected security policy matching mode and a preset matching algorithm, to obtain a permission request list, a rejection request list, and the matching condition of the service request;
and generating the permission condition of each security device for the service request according to the permission request list, the rejection request list, and the matching condition of the service request.
According to the third possible implementation manner of the first aspect, in a fourth possible implementation manner, the matching of the service request to be analyzed with the security policy rules of the security device according to the selected security policy matching mode and a preset matching algorithm includes:
when the security device has unmatched security policy rules and the service request is not completely matched, judging whether the service request and the security policy rule have a repeated part;
when a repeated part is found, adding the security policy rule to the permission request list or the rejection request list according to the action of each security policy rule;
and deleting the repeated part from the service request to form a new service request.
According to the third possible implementation manner of the first aspect, in a fifth possible implementation manner, the matching of the service request to be analyzed with the security policy rules of the security device according to the selected security policy matching mode and a preset matching algorithm includes:
when the security device has unmatched security policy rules and the service request and the security policy rules have repeated parts, adding the repeated parts together with the corresponding security policy rules to a repeated part list, forming a new repeated part list;
when the repeated part list is not empty, judging whether the service request is completely matched;
when the service request is judged not to be completely matched, judging whether the service request and the security policy rules in the current repeated part list have repeated parts;
when a repeated part is found, adding the security policy rule to the permission request list or the rejection request list according to the action of each security policy rule in the current repeated part list;
and deleting the repeated part from the service request to form a new service request.
According to the fourth or the fifth possible implementation manner of the first aspect, in a sixth possible implementation manner, the judging of whether the service request and the security policy rule have a repeated part includes:
respectively executing the following judgment items and returning the corresponding results:
judging whether the source domain of the security policy rule comprises the input interface of the service request; if not, returning an empty matching result, and if so, executing the other judgment items;
judging whether the destination domain of the security policy rule comprises the output interface of the service request; if not, returning an empty matching result, and if so, executing the other judgment items;
judging whether the source address of the security policy rule and the source address of the service request have a repeated part; if not, returning an empty matching result, and if so, executing the other judgment items;
judging whether the destination address of the security policy rule and the destination address of the service request have a repeated part; if not, returning an empty matching result, and if so, executing the other judgment items;
judging whether the service of the security policy rule and the service of the service request have a repeated part; if not, returning an empty matching result, and if so, executing the other judgment items;
and when the judgment result of every judgment item is 'yes', calculating the repeated part of the security policy rule and the service request, and returning the repeated part as the matching result.
According to a third possible implementation manner of the first aspect, in a seventh possible implementation manner, the generating, according to the matching condition of the permission request list, the rejection request list, and the service request, a permission condition of each of the security devices for the service request includes:
when the permission request list is not empty, the rejection request list is empty, and the service request is completely matched, the permission condition is permission;
when the permission request list is not empty and the service request is not completely matched, the permission condition is partially permitted;
when the permission request list is empty, the rejection request list is not empty, and the service request is completely matched, the permission condition is rejection.
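The matching algorithm of the fourth to seventh implementation manners (repeated-part computation by the five judgment items, deletion of the repeated part from the request, the permission and rejection request lists, and the three permission conditions), together with the per-type selection of rule lists from the second implementation manner, is shown below as one added worked example. It is not the patent's own code: the modelling of zones as sets of interface names, of addresses and services as sets of host and service strings, the class and field names, and the sample device and rules are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class Request:
    in_iface: str
    out_iface: str
    src: FrozenSet[str]
    dst: FrozenSet[str]
    svc: FrozenSet[str]

@dataclass(frozen=True)
class Rule:
    """One security policy rule; zones are modelled as sets of interface names."""
    name: str
    src_zone: FrozenSet[str]
    dst_zone: FrozenSet[str]
    src: FrozenSet[str]
    dst: FrozenSet[str]
    svc: FrozenSet[str]
    action: str  # "permit" or "deny"

def overlap(rule: Rule, req: Request) -> Optional[Request]:
    """The five judgment items: zones hold the in/out interfaces, and source,
    destination and service each intersect. Any failing item -> empty match (None)."""
    if req.in_iface not in rule.src_zone or req.out_iface not in rule.dst_zone:
        return None
    src, dst, svc = rule.src & req.src, rule.dst & req.dst, rule.svc & req.svc
    if not (src and dst and svc):
        return None
    return Request(req.in_iface, req.out_iface, src, dst, svc)

def subtract(req: Request, part: Request) -> List[Request]:
    """Delete the repeated part from the request. A product of sets minus a
    sub-product is not a product, so the remainder is up to three disjoint pieces."""
    pieces = [
        Request(req.in_iface, req.out_iface, req.src - part.src, req.dst, req.svc),
        Request(req.in_iface, req.out_iface, part.src, req.dst - part.dst, req.svc),
        Request(req.in_iface, req.out_iface, part.src, part.dst, req.svc - part.svc),
    ]
    return [p for p in pieces if p.src and p.dst and p.svc]

@dataclass
class Device:
    dev_type: int                 # 1, 2 or 3 as in the text
    rules: Dict[str, List[Rule]]  # named rule lists (assumed layout)

def rule_lists(dev: Device, req: Request) -> List[List[Rule]]:
    """Security policy matching mode selected by device type."""
    if dev.dev_type == 1:  # one priority list in configuration order
        return [dev.rules["priority"]]
    if dev.dev_type == 2:  # inter-zone rules first, then global rules
        return [dev.rules["interzone"], dev.rules["global"]]
    if dev.dev_type == 3:  # rules on the ingress interface, then on the egress interface
        return [dev.rules.get(req.in_iface, []), dev.rules.get(req.out_iface, [])]
    raise ValueError(f"unknown device type {dev.dev_type}")

def match(dev: Device, req: Request):
    """Return (permission list, rejection list, unmatched remainder); list entries
    are (rule name, repeated part) and an empty remainder means fully matched."""
    permitted, denied, remaining = [], [], [req]
    for rules in rule_lists(dev, req):
        for rule in rules:
            if not remaining:  # request completely matched: nothing left to do
                return permitted, denied, remaining
            nxt = []
            for sub in remaining:
                part = overlap(rule, sub)
                if part is None:
                    nxt.append(sub)
                    continue
                (permitted if rule.action == "permit" else denied).append((rule.name, part))
                nxt.extend(subtract(sub, part))
            remaining = nxt
    return permitted, denied, remaining

def permission(permitted, denied, remaining) -> str:
    """Permission condition from the three cases given in the text."""
    full = not remaining
    if permitted and not denied and full:
        return "permit"
    if permitted and not full:
        return "partial"
    if not permitted and denied and full:
        return "deny"
    # Cases the text leaves open (e.g. both lists hit, fully matched); assumption here.
    return "partial" if permitted else "deny"

def demo():
    """Constructed type-2 device: r1 permits host .1 to both ports, r2 denies host .2
    on 443 only, so host .2 on port 80 remains unmatched -> partial permit."""
    f = frozenset
    req = Request("eth0", "eth1", f({"10.0.0.1", "10.0.0.2"}), f({"192.168.1.10"}),
                  f({"tcp/80", "tcp/443"}))
    za, zb, srv = f({"eth0"}), f({"eth1"}), f({"192.168.1.10"})
    fw = Device(2, {"global": [], "interzone": [
        Rule("r1", za, zb, f({"10.0.0.1"}), srv, f({"tcp/80", "tcp/443"}), "permit"),
        Rule("r2", za, zb, f({"10.0.0.2"}), srv, f({"tcp/443"}), "deny")]})
    p, d, rest = match(fw, req)
    return permission(p, d, rest), [n for n, _ in p], [n for n, _ in d], rest
```

Two design points worth noting. First, deleting a repeated part from a request does not in general leave a single request: subtracting a sub-product from a product of sets leaves up to three pieces, which is why `match` carries a list of remaining sub-requests rather than one. Second, the unmatched remainder returned by `match` is exactly the material a security policy change suggestion (eighth implementation manner) would be built from: a partial permit means those pieces hit no rule at all, so an administrator either adds a rule covering them or accepts that the device's default handles them.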
In an eighth possible implementation manner of the first aspect, the method further includes:
generating a security policy change suggestion for the security device according to the permission condition of each security device to the service request;
when the permission condition is allowed, not generating a security policy change suggestion of the corresponding security device;
and when the permission condition is partial permission or rejection, generating a security policy change suggestion of the corresponding security device, wherein the security policy change suggestion comprises a suggestion for adding and/or modifying the security policy.
According to the first aspect and any one of the first to eighth possible implementation manners of the first aspect, in a ninth possible implementation manner, the method further includes:
one or more of the following generated results are presented through a user interface (UI): the permission condition of each security device for the service request, and the security policy change suggestion for each security device.
In a second aspect, an embodiment of the present invention provides a network service diagnosis apparatus, including:
the configuration acquisition module is used for acquiring configuration information of the security equipment through which the service request passes, wherein the configuration information comprises a security policy rule;
the preprocessing module is used for preprocessing according to the service request and the configuration information of the security devices acquired by the configuration acquisition module; the preprocessing performed by the preprocessing module comprises: selecting a corresponding security policy matching mode according to the type of each security device, determining the input interface and the output interface of each security device through which the service request passes, and generating a service request to be analyzed;
and the security policy matching module is used for matching the service request to be analyzed with the security policy rules of the security devices according to the security policy matching mode selected by the preprocessing module and a preset matching algorithm, and generating the permission condition of each security device to the service request.
In a first possible implementation manner of the second aspect, the configuration information acquired by the configuration acquisition module further includes one or more of a blocking policy and a destination address translation DNAT, and the preprocessing performed by the preprocessing module further includes one or more of the following processing:
comparing the service request with the blocking policy of each security device, and filtering out a service request that is blocked by the blocking policy of a security device;
determining, according to the security policy rules of each security device, whether the security policy rules use the address before DNAT translation or the address after DNAT translation, and thereby whether DNAT translation is to be performed on the service request at that security device; when the security policy rules of a security device use the address after DNAT translation, performing the DNAT translation on the service request at that security device.
In a second possible implementation manner of the second aspect, the security policy matching module includes:
the security policy matching unit is used for matching the service request to be analyzed with the security policy rules of the security device according to the selected security policy matching mode and a preset matching algorithm, to obtain the permission request list, the rejection request list, and the matching condition of the service request;
and the generating unit is used for generating the permission condition of each security device for the service request according to the permission request list, the rejection request list, and the matching condition of the service request obtained by the security policy matching unit.
In a third possible implementation manner of the second aspect, the apparatus further includes:
the security policy changing module is used for generating a security policy changing suggestion for the security device according to the permission condition of each security device to the service request, which is generated by the security policy matching module;
when the permission condition is allowed, the security policy changing module does not generate a security policy changing suggestion of the corresponding security device;
when the permission condition is partial permission or rejection, the security policy change module generates a security policy change suggestion of the corresponding security device, wherein the security policy change suggestion comprises a suggestion for adding and/or modifying the security policy.
According to a third possible implementation manner of the second aspect, in a fourth possible implementation manner, the apparatus further includes:
a result presentation module, configured to present one or more of the following generated results through a user interface (UI): the permission condition of each security device for the service request generated by the security policy matching module, and the security policy change suggestion for each security device generated by the security policy changing module.
In a third aspect, an embodiment of the present invention provides a network service diagnosis server, including:
a memory for holding executable instructions;
a processor configured to execute the executable instructions stored in the memory to perform the following operations:
acquiring configuration information of security equipment through which a service request passes, wherein the configuration information comprises security policy rules;
preprocessing according to the service request and the configuration information of the security devices, the preprocessing comprising: selecting a corresponding security policy matching mode according to the type of each security device, determining the input interface and the output interface of each security device through which the service request passes, and generating a service request to be analyzed;
and matching the service request to be analyzed with the security policy rules of the security devices according to the selected security policy matching mode and a preset matching algorithm to generate the permission condition of each security device to the service request.
In a first possible implementation manner of the third aspect, the configuration information further includes one or more of a blocking policy and a destination address translation DNAT, and the processor, when executing the executable instructions, further includes one or more of the following processes:
comparing the service request with the blocking policy of each security device, and filtering out a service request that is blocked by the blocking policy of a security device;
determining, according to the security policy rules of each security device, whether the security policy rules use the address before DNAT translation or the address after DNAT translation, and thereby whether DNAT translation is to be performed on the service request at that security device; when the security policy rules of a security device use the address after DNAT translation, performing the DNAT translation on the service request at that security device.
In a second possible implementation manner of the third aspect, when the processor executes the executable instruction, the operation "matching the service request to be analyzed with the security policy rule of the security device according to the selected security policy matching method and a preset matching algorithm, and generating a permission condition of each security device for the service request" includes:
matching the service request to be analyzed with the security policy rules of the security device according to the selected security policy matching mode and a preset matching algorithm, to obtain a permission request list, a rejection request list, and the matching condition of the service request;
and generating the permission condition of each security device for the service request according to the permission request list, the rejection request list, and the matching condition of the service request.
In a third possible implementation manner of the third aspect, when the processor executes the executable instructions, the following operations are further performed:
generating a security policy change suggestion for the security device according to the permission condition of each security device to the service request;
when the permission condition is allowed, not generating a security policy change suggestion of the corresponding security device;
and when the permission condition is partial permission or rejection, generating a security policy change suggestion of the corresponding security device, wherein the security policy change suggestion comprises a suggestion for adding and/or modifying the security policy.
According to a third possible implementation manner of the third aspect, in a fourth possible implementation manner, when the processor executes the executable instructions, the following operations are further performed:
one or more of the following generated results are presented through a user interface (UI): the permission condition of each security device for the service request, and the security policy change suggestion for each security device.
The network service diagnosis method provided by the embodiment of the invention acquires the configuration information of the security devices through which a service request passes and preprocesses according to the configuration information and the service request, the preprocessing comprising: selecting a corresponding security policy matching mode according to the type of each security device, determining the input interface and the output interface of each security device through which the service request passes, and generating a service request to be analyzed; it then matches the service request to be analyzed with the security policy rules in the configuration information according to the selected security policy matching mode and a preset matching algorithm, to generate the permission condition of each security device for the service request. The technical scheme provided by the embodiment of the invention can therefore select a different security policy matching mode for each type of security device, that is, security policy matching on different types of security devices is carried out in the mode suited to that type, so that security devices of different types and manufacturers are compatible when network service diagnosis is performed, and the practicability of the network service diagnosis method is improved.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification; they illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention and not to limit it.
Fig. 1 is a flowchart of a network service diagnosis method according to an embodiment of the present invention;
fig. 2 is a schematic diagram of an access path in a network service diagnosis method according to an embodiment of the present invention;
fig. 3 is a flowchart of a preprocessing in a network service diagnosis method according to an embodiment of the present invention;
fig. 4 is a flowchart of selecting a security policy matching manner in the network service diagnosis method according to the embodiment of the present invention;
fig. 5 is a flowchart of another network service diagnosis method according to an embodiment of the present invention;
fig. 6 is a flowchart of performing security policy matching in the network service diagnosis method according to the embodiment of the present invention;
fig. 7 is a flowchart of another method for performing security policy matching in a network service diagnosis method according to an embodiment of the present invention;
fig. 8 is a flowchart of analyzing the repeated part of a service request and a security policy rule in the network service diagnosis method according to the embodiment of the present invention;
fig. 9 is a flowchart of a permission condition for generating a service request in a network service diagnosis method according to an embodiment of the present invention;
fig. 10 is a flowchart of a network service diagnosis method according to another embodiment of the present invention;
fig. 11 is a schematic diagram illustrating a matching result in the network service diagnosis method according to the embodiment of the present invention;
fig. 12 is a schematic structural diagram of a network service diagnosis apparatus according to an embodiment of the present invention;
fig. 13 is a schematic structural diagram of another network service diagnosis device according to an embodiment of the present invention;
fig. 14 is a schematic structural diagram of another network service diagnosis device according to an embodiment of the present invention;
fig. 15 is a schematic structural diagram of a network service diagnosis server according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that the embodiments and features of the embodiments in the present application may be arbitrarily combined with each other without conflict.
The steps illustrated in the flow charts of the figures may be performed in a computer system such as a set of computer-executable instructions. Also, while a logical order is shown in the flow diagrams, in some cases, the steps shown or described may be performed in an order different than here.
The technical solution of the present invention is described in detail below with specific embodiments, where the security device in the embodiment of the present invention is, for example, a firewall, a router, a switch, a security gateway (UTM), or another security device located between the source address and the destination address of a service request, and the network diagnosis server is, for example, a server that performs network service diagnosis on the access path of a requested service. The following specific embodiments of the present invention may be combined, and the same or similar concepts or processes may not be described in detail in some embodiments.
Fig. 1 is a flowchart of a network service diagnosis method according to an embodiment of the present invention. The network service diagnosis method provided by this embodiment is suitable for service diagnosis of the security devices in the access path of a service request. The method can be executed by a network service diagnosis device; the network service diagnosis device is implemented by a combination of hardware and software, and may be integrated in a processor of a network diagnosis server for the processor to call. As shown in fig. 1, the method provided by this embodiment may include the following steps:
S110, obtaining the configuration information of the security devices through which the service request passes, where the configuration information includes the security policy rules.
The network service diagnosis method provided by the embodiment of the invention is a way of performing service diagnosis on the security devices in the access path of a service request. In the embodiment, the access path of the service request and all security devices on that path are determined first, so that the configuration information of each of these devices, which generally includes its security policy rules, can be obtained.
For example, as shown in table 1 below, the content of a service request in the network service diagnosis method provided by the embodiment of the present invention is provided.
TABLE 1
As shown in table 1 above, the service request may include a source address, a destination address, a service, and the like; wherein,
The address types supported by the source address and the destination address include, but are not limited to, one or a combination of a host address, a subnet address and a network segment address, and the types supported by the service include, but are not limited to, one or a combination of a Transmission Control Protocol (TCP) service, a User Datagram Protocol (UDP) service and an Internet Control Message Protocol (ICMP) service.
In the current management and maintenance of a company's internal network, the security devices that a service request from a specified source address to a specified destination address must pass through, i.e. the access path of the service request, can be determined manually by a security administrator or generated automatically. For example, fig. 2 is a schematic diagram of an access path in the network service diagnosis method provided by the embodiment of the present invention; the access-path generation function uses the company network topology to derive, from the service request in table 1, the path of security devices in fig. 2 that the service request has to traverse. In fig. 2, the path from the source address to the destination address passes in turn through different security devices including, but not limited to, firewalls, routers, switches and UTMs.
As can be seen from table 1 and fig. 2, the access path of a service request may pass through several security devices, so the configuration information obtained is generally the configuration information corresponding to each of these devices. The security policy rules include fields such as the source interface/zone and the source address, and on a deployed security device they may be implemented as an Access Control List (ACL). In practical applications, the network service diagnosis apparatus may connect to the security devices to be analyzed in fig. 2 over the Secure Shell protocol (SSH), the remote terminal protocol (Telnet) or the like and read their configuration, or the configuration of the security devices may be imported into the apparatus. Note that Telnet carries both the login credentials and the device configuration in plaintext, so SSH (or an offline import) should be preferred for collection. The acquired configuration is then normalized, i.e. the configuration of the different types of security devices is converted into a uniform format, to produce the configuration information used for preprocessing.
It should be noted that, in the embodiment of the present invention, the content and format of the service request are not limited to the content and format shown in table 1, and the form of the access path is not limited to the form shown in fig. 2, and any service request content and format and access path that conforms to the network specification may be applied to the embodiment of the present invention.
S120, preprocessing according to the service request and the policy information of the security devices; the preprocessing comprises: selecting a corresponding security policy matching mode according to the type of each security device, determining the ingress interface and egress interface of each security device through which the service request passes, and generating the service request to be analyzed.
In the embodiment of the present invention, after the configuration information of the security devices is obtained, preprocessing may be performed according to the configuration information and the service request shown in table 1. The preprocessing may comprise two parts: first, selecting the security policy matching mode corresponding to each security device according to its type, for use in the subsequent security policy matching; second, determining, from the access path of the service request, the ingress interface and the egress interface of each security device that the service request passes through, and generating the service request to be analyzed. In practice, the ingress interface of the service request on a security device is first determined from the access path in fig. 2, the destination address of the service request is compared with the routing and interface information on the device to determine the egress interface, and the source security zone and destination security zone are then derived from the ingress and egress interfaces. Through this preprocessing, the service request is converted into the format shown in table 2 below, which is the content of the service request to be analyzed in the network service diagnosis method provided by the embodiment of the present invention.
TABLE 2
As shown in table 2 above, the service request to be analyzed generated after preprocessing may include an ingress interface (also referred to as source interface/zone), a source address, an egress interface (also referred to as destination interface/zone), a destination address, a service, and the like.
It should be noted that, the embodiment of the present invention does not limit the execution sequence of the two parts of content in the preprocessing process, and the two parts of content may be executed sequentially or in parallel; in addition, the content and format of the service request to be analyzed generated after the preprocessing are not limited to those shown in table 2, and any content and format of the service request to be analyzed generated according to the network specification and the preprocessing mode may be applied in the embodiment of the present invention.
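As an added example that is not part of the patent, the following Python sketches the second part of the preprocessing (S122): finding the egress interface by longest-prefix matching the request's destination against the device's routing table, and deriving the source and destination zones from an interface-to-zone mapping. The routing table, interface names and zone names are constructed; the ingress interface is taken as given by the access path, as the text describes. A destination given as a subnet that spans more than one route would have to be split per route, which this sketch does not do.

```python
import ipaddress

# Constructed device data (assumed, not from the patent): a routing table and an
# interface-to-zone map as a diagnosis tool would normalize them from a
# device's configuration.
ROUTES = [                      # (prefix, egress interface)
    ("0.0.0.0/0", "ge0/0"),
    ("10.0.0.0/8", "ge0/1"),
    ("10.1.1.0/24", "ge0/2"),
    ("203.0.113.0/24", "ge0/0"),
]
ZONES = {"ge0/0": "untrust", "ge0/1": "dmz", "ge0/2": "trust"}


def egress_interface(routes, destination):
    """Longest-prefix match of the request's destination (host or subnet)
    against the routing table; returns the interface name or None."""
    dst = ipaddress.ip_network(destination, strict=False)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if net.version == dst.version and dst.subnet_of(net):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return None if best is None else best[1]


def to_analyzed_request(request, routes, zones):
    """S122: turn a table-1 request (with the ingress interface supplied by the
    access path) into a table-2 request with egress interface and zones."""
    ingress = request["ingress"]
    egress = egress_interface(routes, request["dst"])
    if egress is None:
        raise ValueError("destination is unroutable on this device")
    return {**request, "egress": egress,
            "src_zone": zones[ingress], "dst_zone": zones[egress]}


if __name__ == "__main__":
    # Constructed request: host in "trust" reaching a server in "untrust" on tcp/443.
    req = {"ingress": "ge0/2", "src": "10.1.1.5", "dst": "203.0.113.10", "service": "tcp/443"}
    print(to_analyzed_request(req, ROUTES, ZONES))
```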
S130, matching the service request to be analyzed against the security policy rules of each security device according to the selected security policy matching mode and a preset matching algorithm, and generating the permission condition of each security device for the service request.
In the embodiment of the present invention, the security policy matching mode corresponding to each security device has been selected during preprocessing and the service request to be analyzed has been generated; then, according to the security policy matching mode of each security device and a preset matching algorithm, the service request to be analyzed is matched against the security policy rules of that device, i.e. the preset matching algorithm is applied within the selected security policy matching mode, so as to generate the permission condition of each security device for the service request.
It should be noted that the preset matching algorithm may be configured by the designer in advance. One such algorithm determines whether the security policy rule being examined and the service request overlap; if they do, the rule is added to the corresponding list according to its action and the overlapping part is deleted from the service request, and this repeats until the security device has no further security policy rules, or the service request is completely matched, or the remaining security policy rules and the service request no longer overlap, at which point matching is complete. The permission condition of each security device for the service request, i.e. the matching result of the network service, is then generated from the matching result.
In the prior art, a network service diagnosis tool can only diagnose security devices of a single manufacturer and type and is not compatible with security devices of different manufacturers and types. Consequently, when the security devices of a company's internal network are deployed they must come from the same manufacturer or be of the same type, and when security devices have to be added or old ones replaced it is difficult to keep all of them of the same type or manufacturer. In contrast, as can be seen from the network service diagnosis method provided in the embodiment of the present invention, different security policy matching modes are selected for different types of security devices when performing network service diagnosis, i.e. each type of security device is matched in the mode suited to that type, so security devices of different types and manufacturers can be handled compatibly and the practicability of the network service diagnosis method is improved.
The network service diagnosis method provided by the embodiment of the invention obtains the configuration information of the security devices through which the service request passes and performs preprocessing according to the configuration information and the service request, the preprocessing comprising: selecting a corresponding security policy matching mode according to the type of each security device, determining the ingress interface and egress interface of each security device through which the service request passes, and generating the service request to be analyzed; it then matches the service request to be analyzed against the security policy rules in the configuration information according to the selected security policy matching mode and a preset matching algorithm, and generates the permission condition of each security device for the service request. Because the method can select a different security policy matching mode for each type of security device, i.e. security policy matching on each type of device is performed in the mode suited to that type, it is compatible with security devices of different types and manufacturers when performing network service diagnosis, which improves the practicability of the method.
As shown in fig. 3, which is a flowchart of the preprocessing in the network service diagnosis method provided in the embodiment of the present invention, and as described in the foregoing embodiment, the preprocessing may include the following steps:
S121, selecting the security policy matching mode corresponding to each security device according to its type;
S122, determining the ingress interface and egress interface of each security device through which the service request passes, and generating the service request to be analyzed.
Optionally, in this embodiment, some security devices in the access path may exhibit special behaviours, including but not limited to a Layer 2/Layer 3 blocking policy and destination address translation (DNAT). That is, the configuration policy information acquired in S110 may include not only the security policy rules of the security devices but also one or more of the blocking information and the DNAT configuration of each security device. Accordingly, the preprocessing in the embodiment of the present invention may further include one or more of the following:
S123, comparing the service request with the blocking policy of each security device, and filtering out a service request blocked by the blocking policy of the device.
In the embodiment of the invention, a user may configure a Layer 2/Layer 3 blocking policy on a security device; during preprocessing the service request is compared with the blocking policy of the device and a service request blocked by that policy is filtered out.
S124, determining, from whether the security policy rules of each security device use the address before or after DNAT, whether DNAT is to be applied to the service request on that device; when the security policy rules of a security device use the post-DNAT address, applying DNAT to the service request on that device.
For example, if the security policy rules of a security device use the pre-DNAT address, the service request can proceed to security policy matching (S130) without DNAT; if the security policy rules use the post-DNAT address, DNAT must be applied to the service request first and security policy matching (S130) performed afterwards. Matching on the wrong side of the translation gives a spurious result, because the destination address in the request does not overlap a rule written for the translated address.
It should be noted that, in the preprocessing flow shown in fig. 3 according to the embodiment of the present invention, the execution sequence of S121 to S124 is not limited, and may be executed sequentially or in parallel, and the execution sequence of each step is also not limited when the preprocessing flow is executed sequentially, and the flowchart shown in fig. 3 is shown by taking the sequence of S121 to S124 as an example.
Further, since the security devices produced by different manufacturers are usually of different types, when S121 is executed the security policy matching mode has to be chosen according to the type of security device. For example, the types may include a first type, a second type and a third type: the security policy rules of a first-type device form a priority list in configuration order; those of a second-type device consist of inter-zone security policy rules and global security policy rules; and those of a third-type device are the security policy rules on the ingress interface and on the egress interface. In actual deployments, on some manufacturers' devices the security policy rules configured by the user form a priority list in the order of configuration (which the user may adjust manually), and after receiving a service request the device matches it against the list from top to bottom; such a device is called a first-type security device. Other manufacturers divide the security policy rules into inter-zone security policy rules and global security policy rules according to the security zones of the device; such a device is called a second-type security device. Still other manufacturers configure an ACL on each interface of the security device, each ACL consisting of several security policy rules, and a service request passing through the device is matched against the rules on its ingress interface and on its egress interface; such a device is called a third-type security device.
Optionally, as shown in fig. 4, a flowchart for selecting a security policy matching manner in the network service diagnosis method provided in the embodiment of the present invention is provided, and in the embodiment of the present invention, an implementation manner of S121 may include:
S1211, when the device type is the first type, selecting the security policy matching mode in which the service request is matched against the security policy rules in the order of the priority list; with this mode, the service request is matched against the security policy rules from top to bottom of the priority list.
S1212, when the device type is the second type, selecting the security policy matching mode in which the service request is matched first against the inter-zone security policy rules and then against the global security policy rules.
S1213, when the device type is the third type, selecting the security policy matching mode in which the service request is matched separately against the security policy rules on the ingress interface and on the egress interface of the security device; with this mode, the intersection of the two matching results is taken as the matching result.
It should be noted that, in the embodiment of the present invention, the types of the security devices are not limited to the three types described above, and the selected security policy matching manner is not limited to the three types described above, and any type of security device that can be applied to the internal network of the company and any security policy matching manner that is suitable for the type may be applied to the embodiment of the present invention.
Optionally, fig. 5 is a flowchart of another network service diagnosis method provided in the embodiment of the present invention, and based on the embodiment shown in fig. 1, S130 in the embodiment of the present invention may include:
S131, matching the service request to be analyzed against the security policy rules of the security device according to the selected security policy matching mode and the preset matching algorithm, and obtaining an allowed-request list, a denied-request list and the matching status of the service request;
S132, generating the permission condition of each security device for the service request from the allowed-request list, the denied-request list and the matching status of the service request.
In the embodiment of the present invention, the preset matching algorithms configured are different, and the implementation manner of matching the service request to be analyzed with the security policy rule of the security device is also different, and the implementation manner of S131 in the embodiment of the present invention is described below by taking two matching algorithms as an example.
In an implementation manner of the embodiment of the present invention, the implementation manner of S131 may include:
S11, when the security device still has an unmatched security policy rule and the service request is not completely matched, determining whether the service request and that security policy rule overlap;
S12, when they overlap, adding the security policy rule to the allowed-request list or the denied-request list according to its action;
S13, deleting the overlapping part from the service request to form a new service request.
For example, fig. 6 is a flowchart of performing security policy matching in the network service diagnosis method provided in the embodiment of the present invention, and the manner of performing security policy matching in the embodiment may include:
S201, determining whether the security device still has an unmatched ACL rule; if not, the matching process ends; if yes, executing S202;
S202, determining whether the service request is completely matched; if so, the matching process ends; if not, executing S203;
S203, determining whether the service request and the ACL rule overlap; if not, repeating S201; if so, executing S204;
S204, determining whether the action of the ACL rule is accept or deny; if accept, executing S205; if deny, executing S206;
S205, adding the ACL rule to the allowed-request list; then executing S207;
S206, adding the ACL rule to the denied-request list; then executing S207;
S207, deleting the overlapping part from the service request to form a new service request; then repeating S201.
In another implementation manner of the embodiment of the present invention, the implementation manner of S131 may include:
S21, when the security device still has an unmatched security policy rule and the service request and that rule overlap, forming a new security policy from the overlapping part and the rule and adding it to the overlap list;
S22, when the overlap list contains elements, determining whether the service request is completely matched;
S23, when the service request is not completely matched, determining whether the service request and the security policy rule in the current overlap list overlap;
S24, when they overlap, adding the security policy rule to the allowed-request list or the denied-request list according to the action of each security policy rule in the current overlap list;
S25, deleting the overlapping part from the service request to form a new service request.
For example, fig. 7 is a flowchart of another method for performing security policy matching in a network service diagnosis method provided in an embodiment of the present invention, where the method for performing security policy matching in this embodiment may include:
S301, determining whether the security device still has an unmatched ACL rule; if not, executing S304; if yes, executing S302;
S302, determining whether the service request and the ACL rule overlap; if not, repeating S301; if so, executing S303;
S303, forming a new security policy from the overlapping part and the ACL rule and adding it to the overlap list; then repeating S301;
S304, determining whether the overlap list contains elements; if not, the matching process ends; if yes, executing S305;
S305, determining whether the service request is completely matched; if so, the matching process ends; if not, executing S306;
S306, determining whether the service request and the ACL rule in the overlap list overlap; if not, repeating S304; if so, executing S307;
S307, determining whether the action of the ACL rule is accept or deny; if accept, executing S308; if deny, executing S309;
S308, adding the ACL rule to the allowed-request list; then executing S310;
S309, adding the ACL rule to the denied-request list; then executing S310;
S310, deleting the overlapping part from the service request to form a new service request; then repeating S304.
It should be noted that, the embodiment of the present invention is not limited to performing security policy matching in the manner shown in fig. 6 and fig. 7, and security policy matching may also be performed by other matching algorithms.
Further, in the matching process the flow shown in fig. 8 is used to match the service request against a single security policy rule and obtain the part of the service request that overlaps the rule. Fig. 8 is a flowchart of analyzing the overlap between the service request and a security policy rule in the network service diagnosis method provided in the embodiment of the present invention; it is the implementation of the overlap determination in the above embodiments, i.e. of S203 in the flow of fig. 6 and of S302 and S306 in the flow of fig. 7, and may include the following steps:
S401, determining whether the source zone of the security policy rule includes the ingress interface of the service request; if not, executing S407 and returning an empty matching result; if yes, executing S402;
S402, determining whether the destination zone of the security policy rule includes the egress interface of the service request; if not, executing S407 and returning an empty matching result; if yes, executing S403;
S403, determining whether the source address of the security policy rule and the source address of the service request overlap; if not, executing S407 and returning an empty matching result; if so, executing S404;
S404, determining whether the destination address of the security policy rule and the destination address of the service request overlap; if not, executing S407 and returning an empty matching result; if so, executing S405;
S405, determining whether the service of the security policy rule and the service of the service request overlap; if not, executing S407 and returning an empty matching result; if so, executing S406;
S406, computing the overlapping part of the security policy rule and the service request.
S407, returning the matching result.
It should be noted that the embodiment of the present invention does not limit the execution sequence of S401 to S405 in the flow shown in fig. 8, and may be executed sequentially or in parallel, and when the determination of each step of S401 to S405 is "yes", S406 is executed, and when one of the determinations is "no", an empty matching result is returned.
Optionally, fig. 9 is a flowchart of a permission condition for generating a service request in the network service diagnosis method according to the embodiment of the present invention. In this embodiment of the present invention, the matching condition of the permission request list, the denial request list, and the service request has been obtained according to the above embodiments shown in fig. 6 to fig. 8, at this time, the permission condition of each security device for the service request may be generated according to the content obtained in S131, and the implementation manner of S132 in this embodiment may include:
S1321, when the allowed-request list is not empty, the denied-request list is empty and the service request is completely matched, the permission condition is allowed;
S1322, when the allowed-request list is not empty and the service request is not completely matched, the permission condition is partially allowed;
S1323, when the allowed-request list is empty, the denied-request list is not empty and the service request is completely matched, the permission condition is denied.
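The following Python, added here as an illustration and not taken from the patent, implements the first-type priority-list walk of fig. 6 (S201-S207), the per-rule overlap test of fig. 8 (S401-S407) and the permission condition of fig. 9 (S1321-S1323), and dispatches on the device type as in S1211-S1213. Addresses and services are modelled as frozensets of discrete atoms so that "overlap" and "delete the overlapping part" are exact set operations. The device names, rules and request are constructed; the handling of the two list/match combinations that the page does not define, and the way the ingress-ACL and egress-ACL results are intersected for a third-type device, are assumptions noted in the comments.

```python
from collections import namedtuple

# A "box" is one rectangular region of request space: a source-address set x a
# destination-address set x a service set. Sets hold discrete atoms (host
# addresses, "tcp/80") to keep the example small; a production tool would use
# prefix/port-range sets that support the same operations (&, -, emptiness).
Request = namedtuple("Request", "ingress egress boxes")   # table 2: zones + boxes
Rule = namedtuple("Rule", "name src_zones dst_zones src dst svc action")

def overlap(rule, req, box):
    """Fig. 8 (S401-S406): the part of `box` that `rule` covers, or None."""
    if req.ingress not in rule.src_zones:          # S401: source zone check
        return None
    if req.egress not in rule.dst_zones:           # S402: destination zone check
        return None
    part = (box[0] & rule.src, box[1] & rule.dst, box[2] & rule.svc)  # S403-S405
    return part if all(part) else None             # S406, or empty result (S407)

def subtract(box, part):
    """S207/S310: delete `part` (a sub-box of `box`) from `box`; the difference
    of two boxes is at most three disjoint boxes."""
    (s, d, p), (ps, pd, pp) = box, part
    pieces = [(s - ps, d, p), (ps, d - pd, p), (ps, pd, p - pp)]
    return [b for b in pieces if all(b)]

def match(rules, req):
    """Fig. 6 (S201-S207): walk a priority list top to bottom.
    Returns (allow_list, deny_list, fully_matched)."""
    allow, deny, boxes = [], [], list(req.boxes)
    for rule in rules:                             # S201: next unmatched rule
        if not boxes:                              # S202: completely matched
            break
        remaining, hit = [], False
        for box in boxes:
            part = overlap(rule, req, box)         # S203
            if part is None:
                remaining.append(box)
                continue
            hit = True
            remaining.extend(subtract(box, part))  # S207: the new request
        if hit:                                    # S204-S206
            (allow if rule.action == "accept" else deny).append(rule.name)
        boxes = remaining
    return allow, deny, not boxes

def permission(allow, deny, fully_matched):
    """Fig. 9 (S1321-S1323)."""
    if allow and not deny and fully_matched:
        return "allow"
    if allow and not fully_matched:
        return "partial allow"
    if not allow and deny and fully_matched:
        return "deny"
    # Not specified on the page (allow and deny both hit with nothing left, or
    # no rule hit at all): treated as partial allow / deny here (assumption).
    return "partial allow" if allow else "deny"

def diagnose(device, req):
    """S121 + S130: pick the matching mode by device type, then match."""
    if device["type"] == 1:    # S1211: one priority list
        return permission(*match(device["rules"], req))
    if device["type"] == 2:    # S1212: inter-zone rules first, then global rules
        return permission(*match(device["interzone"] + device["global"], req))
    # S1213: match ingress ACL and egress ACL separately and intersect; combining
    # the two permission conditions this way is an assumption, not the page's text.
    a = permission(*match(device["ingress_acl"], req))
    b = permission(*match(device["egress_acl"], req))
    if a == "allow" and b == "allow":
        return "allow"
    return "deny" if "deny" in (a, b) else "partial allow"

# Constructed sample data (not from the patent): hosts 10.1.1.5-6 in zone "trust"
# reaching 203.0.113.10 on tcp/80 and tcp/443 in zone "untrust".
def mk_rule(name, action, src, dst, svc):
    return Rule(name, frozenset({"trust"}), frozenset({"untrust"}),
                frozenset(src), frozenset(dst), frozenset(svc), action)

HOSTS, SERVER, WEB = {"10.1.1.5", "10.1.1.6"}, {"203.0.113.10"}, {"tcp/80", "tcp/443"}
REQUEST = Request("trust", "untrust",
                  [(frozenset(HOSTS), frozenset(SERVER), frozenset(WEB))])
DEVICES = {
    "fw-a": {"type": 1, "rules": [mk_rule("r1", "accept", {"10.1.1.5"}, SERVER, WEB),
                                  mk_rule("r2", "accept", {"10.1.1.6"}, SERVER, {"tcp/80"}),
                                  mk_rule("r3", "deny", HOSTS, SERVER, {"tcp/22"})]},
    "fw-b": {"type": 2, "interzone": [mk_rule("z1", "accept", HOSTS, SERVER, WEB)],
             "global": [mk_rule("g1", "deny", HOSTS, SERVER, WEB)]},  # never consulted
    "rt-c": {"type": 3, "ingress_acl": [mk_rule("in1", "accept", HOSTS, SERVER, WEB)],
             "egress_acl": [mk_rule("out1", "deny", HOSTS, SERVER, WEB)]},
}

def diagnose_path(devices=DEVICES, req=REQUEST):
    """Permission condition of every device on the access path (table 3)."""
    return {name: diagnose(dev, req) for name, dev in devices.items()}

if __name__ == "__main__":
    for name, cond in diagnose_path().items():
        print(f"{name}: {cond}")
```

With the constructed data, `fw-a` comes out as "partial allow" because r2 only admits tcp/80 for 10.1.1.6 and r3 never overlaps the request, so 10.1.1.6 on tcp/443 remains unmatched; `fw-b` comes out as "allow" because the inter-zone rule consumes the whole request before the global deny is ever consulted, which is exactly the ordering that S1212 prescribes; `rt-c` comes out as "deny" because the egress ACL denies everything the ingress ACL let through. The fig. 7 variant differs only in collecting all overlapping rules into a list first and then walking that list with the same three operations.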
According to the matching methods provided in the embodiments shown in fig. 5 to fig. 9, the analysis results of all security devices on the access path of the service request may be generated, as shown in table 3, which is the content of the matching result of one security policy in the network service diagnosis method provided in the embodiment of the present invention.
TABLE 3
As shown in table 3 above, the security policy matching result may include: the name of the security device, the policy the security device is to take effect, the conditions of permission, and the contents of the allowed (denied) service request (including source address, destination address, protocol, destination port).
Optionally, in the embodiment of the present invention, after generating a permission condition of each security device for the service request, further performing analysis processing, as shown in fig. 10, which is a flowchart of another network service diagnosis method provided in the embodiment of the present invention, on the basis of the above embodiment, the method provided in the embodiment of the present invention may further include:
and S140, generating a security policy change suggestion for each security device according to the permission condition of each security device to the service request.
In practical application, the implementation manner of generating the security policy change suggestion of the security device in the embodiment of the present invention may include: when the permission condition is allowed, not generating a security policy change suggestion of the corresponding security device; and when the permission condition is partial permission or rejection, generating a security policy change suggestion of the corresponding security device, wherein the security policy change suggestion comprises but is not limited to suggestions for adding and/or modifying the security policy. In the embodiment of the present invention, when the permission condition is partial permission or rejection, a reasonable policy change suggestion may be provided for the security device, so that the security policy rule on the security device meets the business requirement of the user, for example, the rule and the content providing the specific security policy change suggestion may be:
(1) When the source address, destination address and service of a security policy rule on the security device cover those of the service request and the action of the rule is deny, the security policy change suggestion may be to add, above that rule, an ACL rule that allows the service request to pass.
(2) When the source address, destination address and service of a security policy rule on the security device are identical to those of the service request and the action of the rule is deny, a suggestion to modify the rule is provided, for example changing its action from deny to accept.
(3) When the source address, destination address and service of the service request cover those of a security policy rule on the security device and the action of the rule is deny, a suggestion to modify the rule can be provided, for example changing its action from deny to accept, together with a suggestion to add, above that rule, a security policy rule allowing the remainder of the service request to pass.
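As an added example, not code from the patent, the three cases above can be decided with field-by-field superset tests once a rule and a request are each represented as a (source addresses, destination addresses, services) triple of frozensets. The sample rule and requests are constructed, and the behaviour for a deny rule that only partially overlaps the request, a case the page does not define, is an assumption.

```python
def covers(outer, inner):
    """True when each field of `outer` (src, dst, svc) is a superset of the
    corresponding field of `inner`."""
    return all(o >= i for o, i in zip(outer, inner))


def change_suggestion(rule, action, request):
    """S140 for one rule the request hit: None when the rule already accepts
    the request, otherwise the suggestion kinds of cases (1)-(3):
    ("add",), ("modify",) or ("modify", "add")."""
    if action == "accept":
        return None
    if rule == request:                 # case (2): rule and request are identical
        return ("modify",)
    if covers(rule, request):           # case (1): the deny rule is wider than the request
        return ("add",)
    if covers(request, rule):           # case (3): the request is wider than the deny rule
        return ("modify", "add")
    return None  # partial overlap: no case on the page applies (assumption)


def triple(src, dst, svc):
    return (frozenset(src), frozenset(dst), frozenset(svc))


# Constructed sample (assumed values): one deny rule against three requests.
DENY_RULE = triple({"10.1.1.5", "10.1.1.6"}, {"203.0.113.10"}, {"tcp/80", "tcp/443"})
REQUESTS = {
    "narrower": triple({"10.1.1.5"}, {"203.0.113.10"}, {"tcp/443"}),
    "identical": DENY_RULE,
    "wider": triple({"10.1.1.5", "10.1.1.6", "10.1.1.7"}, {"203.0.113.10"},
                    {"tcp/80", "tcp/443"}),
}


def suggestions(rule=DENY_RULE, requests=REQUESTS):
    """Suggestion per sample request, as the UI of S150 would list it."""
    return {k: change_suggestion(rule, "deny", r) for k, r in requests.items()}


if __name__ == "__main__":
    for name, s in suggestions().items():
        print(f"{name}: {s}")
```

The equality test has to come before the superset tests, because an identical triple satisfies both of them and would otherwise be reported as case (1).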
Optionally, in the embodiment of the present invention, after S130 or S140, the method may further include:
S150, displaying one or more of the following generated results through a UI: the permission condition of each security device for the service request, and the security policy change suggestion for each security device.
In the embodiment of the present invention, after S130 or S140, the result generated in S130 and/or S140 may be displayed through a User Interface (UI) of the network service diagnosis apparatus. The display modes include, but are not limited to, the following modes:
the UI visually presents the matching results of the security devices to be analyzed on the access path (i.e. the conditions of grant of the service request by each security device), for example by means of different flags indicating the conditions of grant of the service request by the security devices. Fig. 11 is a schematic diagram showing a matching result in the network service diagnosis method according to the embodiment of the present invention, where a "black thick solid line" mark in fig. 11 indicates that the security device on the access path allows a service request to pass through.
As shown in table 4, the contents of the permission condition of the security device on the access path to the service request and the suggestion of security policy change in the network service diagnosis method provided in the embodiment of the present invention are shown.
TABLE 4
The network service diagnosis method provided by the embodiment of the invention can automatically analyze the permission condition of the security policy rules of all security devices on the access path of a service request. In practical application, security devices of different manufacturers and types are analyzed compatibly by selecting a corresponding security policy matching mode for each type of security device, so that a company can diagnose service requests across many security devices in a complex and large internal network. In addition, the method also considers the influence of certain behaviors of specific security devices on the service request, which improves the accuracy of the diagnosis result. Further, for the case where a security device does not allow the service request to pass, a security policy change suggestion is provided to ensure that the service request can pass through the company network. This reduces the level of security-device knowledge required for security management, lowers the security maintenance cost of the company network, and improves the security and stability of the company network.
Fig. 12 is a schematic structural diagram of a network service diagnosis apparatus according to an embodiment of the present invention. The network service diagnosis apparatus provided by this embodiment is suitable for service diagnosis of the security devices in the access path of a service request, and is implemented as a combination of hardware and software. As shown in fig. 12, the network service diagnosis apparatus 10 provided in this embodiment may include: a configuration acquisition module 11, a preprocessing module 12 and a security policy matching module 13.
The configuration acquisition module 11 is configured to acquire configuration information of the security devices through which a service request passes, where the configuration information includes security policy rules.
The network service diagnosis apparatus 10 provided by the embodiment of the present invention is used to execute service diagnosis for the security devices in the access path of a service request. In the embodiment of the present invention, the access path through which the service request passes and all security devices on that access path need to be determined first, so as to acquire the configuration information of each of these security devices, where the configuration information generally includes security policy rules. The service request in the embodiment of the present invention may refer to the content shown in table 1, and the access path determined from the service request in table 1 and the security devices in the access path may refer to fig. 2, so details are not repeated here.
As can be seen from table 1 and fig. 2, the access path of a service request may pass through multiple security devices, so the acquired configuration information is generally the configuration information corresponding to each security device. In addition, a security policy rule includes, for example, a source interface zone, a source address, and the like, and in the actual deployment of a security device may be implemented by means of an ACL. In practical application, the network service diagnosis apparatus 10 may connect to the security devices to be analyzed in fig. 2 via SSH, Telnet, or the like, and the configuration acquisition module 11 acquires the configuration information of the devices; alternatively, the configuration information of the security devices is imported into the network service diagnosis apparatus 10, and the configuration acquisition module 11 acquires it from there. Subsequently, the acquired configuration information is normalized, that is, the configuration information of the different types of security devices is converted into a uniform format, so as to generate the configuration information used for preprocessing by the preprocessing module 12.
It should be noted that, in the embodiment of the present invention, the content and format of the service request are not limited to those shown in table 1, and the form of the access path is not limited to that shown in fig. 2; any service request content and format and any access path that conform to the network specification may be applied to the embodiment of the present invention.
The preprocessing module 12 is configured to perform preprocessing according to the service request and the configuration information of the security devices acquired by the configuration acquisition module 11. The preprocessing performed by the preprocessing module 12 includes: selecting a corresponding security policy matching mode according to the type of each security device, determining the ingress interface and egress interface of each security device through which the service request passes, and generating the service request to be analyzed.
In the embodiment of the present invention, after the configuration acquisition module 11 acquires the configuration information of the security devices, the preprocessing module 12 may perform preprocessing according to the configuration information and the service request shown in table 1. The preprocessing in the embodiment of the invention may comprise the following two parts: first, selecting a security policy matching mode corresponding to each security device according to its type, for use in the subsequent security policy matching; second, determining, from the access path of the service request, the ingress interface and egress interface of each security device on the access path through which the service request passes, and generating the service request to be analyzed. In practical application, from the access path in fig. 2, the ingress interface of the service request on a security device is determined first; the destination address in the service request is then compared with the routing and interface information on the security device to determine the egress interface of the service request on that device; and the source security zone and destination security zone may be determined from the ingress interface and egress interface of the service request. Through this preprocessing, the service request is also converted into the format shown in table 2 in the above embodiment, which is not described here again.
It should be noted that the embodiment of the present invention does not limit the execution order of the two parts of the preprocessing; they may be executed sequentially or in parallel. In addition, the content and format of the service request to be analyzed generated by the preprocessing are not limited to those shown in table 2, and any content and format of the service request to be analyzed generated according to the network specification and the preprocessing mode may be applied in the embodiment of the present invention.
The security policy matching module 13 is configured to match the service request to be analyzed with the security policy rules of each security device according to the security policy matching mode selected by the preprocessing module 12 and a preset matching algorithm, and to generate the permission condition of each security device for the service request.
In the embodiment of the present invention, while executing the preprocessing, the preprocessing module 12 has already selected the security policy matching mode corresponding to each security device and generated the service request to be analyzed. Then, according to the security policy matching mode and the preset matching algorithm for each security device, the service request to be analyzed is matched with the security policy rules of that security device, that is, the preset matching algorithm is applied within the selected security policy matching mode, so as to generate the permission condition of each security device for the service request.
It should be noted that the preset matching algorithm may be configured in advance by a designer. For example, the designed rule may be: determine whether a security policy rule of the security device and the service request have an overlapping part; if so, add the overlapping part to the corresponding list according to the rule, and delete the overlapping part from the service request; repeat until there are no more security policy rules in the security device, or the service request is completely matched, or no security policy rule overlaps the service request, at which point matching is complete. Then, the permission condition of each security device for the service request is generated according to the matching result, that is, the matching result of the network service is obtained.
In the prior art, a method that performs service diagnosis with a network service diagnosis tool can only diagnose security devices of a single manufacturer and type and cannot be compatible with security devices of different manufacturers and types. Consequently, when the security devices of a company's internal network are deployed, devices of the same manufacturer or of a uniform type must be used, and when security devices need to be added or old security devices replaced, it is difficult to ensure that all security devices are of the same type or manufacturer. In contrast, as can be seen from the processing performed by the network service diagnosis apparatus 10 provided in the above embodiment of the present invention, different security policy matching modes may be selected for different types of security devices when performing network service diagnosis, that is, each type of security device performs security policy matching in a selected mode suitable for that type. Therefore, security devices of different types and manufacturers are compatible when performing network service diagnosis, and the practicability of the network service diagnosis apparatus is improved.
The network service diagnosis apparatus 10 provided in the embodiment of the present invention is used for executing the network service diagnosis method provided in the embodiment shown in fig. 1 of the present invention, and has corresponding functional modules, which implement similar principles and technical effects, and are not described herein again.
The above embodiment has described the two parts of the preprocessing performed by the preprocessing module 12. Optionally, in this embodiment, some security devices in the access path may exhibit special behaviors, including but not limited to a Layer 2/Layer 3 blocking policy and DNAT address translation. That is, the configuration information acquired by the configuration acquisition module 11 may include not only the security policy rules of the security devices but also one or more of the blocking policy and the DNAT of each security device. Therefore, in the embodiment of the present invention, the preprocessing performed by the preprocessing module 12 may further include one or more of the following processes:
On the one hand, the service request is compared with the blocking policy of each security device, and the service request blocked by the blocking policy of a security device is filtered out.
On the other hand, according to the security policy rules of each security device, it is determined whether the security policy rules use the address before or after DNAT translation, and hence whether DNAT translation is to be performed on the service request at that security device; when the security policy rules of a security device use the address after DNAT translation, DNAT translation is performed on the service request at that security device.
It should be noted that, among the preprocessing operations executed by the preprocessing module 12 according to the embodiment of the present invention, the execution order of the preprocessing operations is not limited: they may be executed sequentially or in parallel, and when executed sequentially, the order in which they are executed is likewise not limited.
The network service diagnosis apparatus 10 according to the embodiment of the present invention is used for executing the network service diagnosis method according to the embodiment shown in fig. 3 of the present invention, and has corresponding functional modules, which implement similar principles and technical effects, and are not described herein again.
Further, since the types of security devices produced by different device manufacturers usually differ, when the preprocessing module 12 executes the preprocessing it is necessary to select a corresponding security policy matching mode for each type of security device. For example, the types of security devices may include a first type, a second type and a third type, where the security policy rules of a first-type security device form a priority list according to their configuration order, the security policy rules of a second-type security device include inter-zone security policy rules and global security policy rules, and the security policy rules of a third-type security device include the security policy rules on the ingress interface and on the egress interface. In an actual application scenario, for some device manufacturers the security policy rules configured by the user are manually ordered according to the sequence of policy configuration to form a priority list, and after receiving a service request the security device matches it against the priority list from top to bottom; this kind of device is called a first-type security device. Some device manufacturers divide the security policy rules into inter-zone security policy rules and global security policy rules according to the security zones of the security device; this kind of device is called a second-type security device. Other device manufacturers configure an ACL on each interface of the security device, each ACL consisting of a number of security policy rules, and when a service request passes through the security device it is matched with the security policy rules on the ingress interface and on the egress interface of the security device; this kind of device is called a third-type security device.
Optionally, in this embodiment of the present invention, the selection by the preprocessing module 12 of a corresponding security policy matching mode according to the type of each security device may be implemented as follows:
When the device type is the first type, a security policy matching mode is selected in which the service request is matched with the security policy rules in the order of the priority list; when this mode is selected for security policy matching, the service request may be matched with the security policy rules from top to bottom in the priority list.
When the device type is the second type, a security policy matching mode is selected in which the service request is first matched with the inter-zone security policy rules and then with the global security policy rules.
When the device type is the third type, a security policy matching mode is selected in which the service request is matched separately with the security policy rules on the ingress interface and on the egress interface of the security device; when this mode is selected for security policy matching, the intersection of the two matching results may be taken as the matching result.
It should be noted that, in the embodiment of the present invention, the types of security devices are not limited to the three types described above, and the selected security policy matching modes are not limited to the three described above; any type of security device that can be applied in a company's internal network, and any security policy matching mode suitable for that type, may be applied to the embodiment of the present invention.
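The mode selection for the three device types, as an added example that is not part of the patent: a request is a concrete flow (one source, destination, service, plus its zones and interfaces), each rule holds sets, and a single first-match helper is applied in the order each device type dictates. The device records, the numeric type tags and the sample values are constructed for the example; for the third type the intersection is taken on the two actions (both must accept), and traffic matched by neither ACL is returned as None because the default action for unmatched traffic is device-specific and not stated in the text.

```python
def covers(rule: dict, req: dict) -> bool:
    """True when the rule's address/service sets contain the concrete flow."""
    return (req["src"] in rule["src"] and req["dst"] in rule["dst"]
            and req["svc"] in rule["svc"])


def first_match(rules: list, req: dict):
    """Return the action of the first covering rule, or None if none covers it."""
    for rule in rules:
        if covers(rule, req):
            return rule["action"]
    return None


def match_priority_list(device: dict, req: dict):
    """First type: one priority list, matched top to bottom."""
    return first_match(device["rules"], req)


def match_zone_then_global(device: dict, req: dict):
    """Second type: inter-zone rules for (in_zone, out_zone) first, then global."""
    zone_rules = device["interzone"].get((req["in_zone"], req["out_zone"]), [])
    action = first_match(zone_rules, req)
    if action is None:
        action = first_match(device["global"], req)
    return action


def match_ingress_egress(device: dict, req: dict):
    """Third type: ingress ACL and egress ACL matched separately, results intersected."""
    ingress = first_match(device["acl"].get(req["in_if"], []), req)
    egress = first_match(device["acl"].get(req["out_if"], []), req)
    if ingress == "deny" or egress == "deny":
        return "deny"
    if ingress == "accept" and egress == "accept":
        return "accept"
    return None   # unmatched on at least one interface: device default (unknown here)


MATCHERS = {1: match_priority_list, 2: match_zone_then_global, 3: match_ingress_egress}


def select_and_match(device: dict, req: dict):
    """Pick the matching mode from the device type tag and run it."""
    return MATCHERS[device["type"]](device, req)


# Constructed sample devices and flows (not from the patent)
DENY_22 = {"src": {"10.0.0.5"}, "dst": {"192.168.1.10"}, "svc": {"tcp/22"}, "action": "deny"}
ALLOW_WEB = {"src": {"10.0.0.5", "10.0.0.6"}, "dst": {"192.168.1.10"},
             "svc": {"tcp/22", "tcp/80"}, "action": "accept"}
TYPE1 = {"type": 1, "rules": [DENY_22, ALLOW_WEB]}
TYPE2 = {"type": 2,
         "interzone": {("trust", "untrust"): [
             {"src": {"10.0.0.5"}, "dst": {"192.168.1.10"}, "svc": {"tcp/80"}, "action": "accept"}]},
         "global": [{"src": {"10.0.0.5", "10.0.0.6"}, "dst": {"192.168.1.10"},
                     "svc": {"tcp/22", "tcp/80"}, "action": "deny"}]}
TYPE3 = {"type": 3, "acl": {
    "ge0/0": [ALLOW_WEB],
    "ge0/1": [{"src": {"10.0.0.6"}, "dst": {"192.168.1.10"}, "svc": {"tcp/22"}, "action": "deny"},
              ALLOW_WEB]}}

FLOW_A = {"src": "10.0.0.5", "dst": "192.168.1.10", "svc": "tcp/22",
          "in_zone": "trust", "out_zone": "untrust", "in_if": "ge0/0", "out_if": "ge0/1"}
FLOW_B = dict(FLOW_A, svc="tcp/80")
FLOW_C = dict(FLOW_A, src="10.0.0.6")

if __name__ == "__main__":
    for dev in (TYPE1, TYPE2, TYPE3):
        print(dev["type"], [select_and_match(dev, f) for f in (FLOW_A, FLOW_B, FLOW_C)])
```

Running the three devices over the same three flows shows why the mode matters: the same rule bodies yield different verdicts depending on whether a device consults a single list, zone rules before global rules, or both interface ACLs.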
The network service diagnosis apparatus 10 provided in the embodiment of the present invention is used for executing the network service diagnosis method provided in the embodiment shown in fig. 4 of the present invention, and has corresponding functional modules, which implement similar principles and technical effects, and are not described herein again.
Optionally, fig. 13 is a schematic structural diagram of another network service diagnosis apparatus provided in the embodiment of the present invention. On the basis of the structure shown in fig. 12, in the apparatus provided in this embodiment the security policy matching module 13 may include:
a security policy matching unit 131, configured to match the service request to be analyzed with the security policy rules of the security device according to the selected security policy matching mode and the preset matching algorithm, and to obtain a permission request list, a rejection request list and the matching condition of the service request;
a generating unit 132, configured to generate the permission condition of each security device for the service request according to the permission request list, the rejection request list and the matching condition of the service request obtained by the security policy matching unit 131.
In the embodiment of the present invention, different preset matching algorithms lead to different ways of matching the service request to be analyzed with the security policy rules of the security device. The matching performed by the security policy matching unit 131 in the embodiment of the present invention is described below using two matching algorithms as examples.
The network service diagnosis apparatus 10 provided in the embodiment of the present invention is used for executing the network service diagnosis method provided in the embodiment shown in fig. 5 of the present invention, and has corresponding functional modules, which implement similar principles and technical effects, and are not described herein again.
In one implementation of the embodiment of the present invention, the matching of the service request to be analyzed with the security policy rules of the security device by the security policy matching unit 131, according to the selected security policy matching mode and the preset matching algorithm, may include:
S11, while there is an unmatched security policy rule in the security device and the service request is not completely matched, judging whether the service request and the security policy rule have an overlapping part;
S12, when it is judged that there is an overlapping part, adding the security policy rule to the permission request list or the rejection request list according to the action of the security policy rule;
S13, deleting the overlapping part from the service request to form a new service request.
In this implementation, the process of security policy matching may refer to the flowchart shown in fig. 6 and is therefore not described here again.
In another implementation of the embodiment of the present invention, the matching of the service request to be analyzed with the security policy rules of the security device by the security policy matching unit 131, according to the selected security policy matching mode and the preset matching algorithm, may include:
S21, while there is an unmatched security policy rule in the security device and the service request and the security policy rule have an overlapping part, forming a new security policy from the overlapping part and the security policy rule and adding it to the overlapping part list;
S22, when there is an element in the overlapping part list, judging whether the service request is completely matched;
S23, when it is judged that the service request is not completely matched, judging whether the service request and the security policy rules in the current overlapping part list have an overlapping part;
S24, when an overlapping part is found, adding the security policy rule to the permission request list or the rejection request list according to the action of each security policy rule in the current overlapping part list;
S25, deleting the overlapping part from the service request to form a new service request.
In this implementation, the process of security policy matching may refer to the flowchart shown in fig. 7 and is therefore not described here again.
Further, in the embodiment of the present invention, the security policy matching unit 131 may determine whether the service request and a security policy rule have an overlapping part by executing the following judgment items in turn and returning the corresponding result:
S31, judging whether the source zone of the security policy rule includes the ingress interface of the service request; when it does not, returning a null matching result, and when it does, executing the remaining judgment items;
S32, judging whether the destination zone of the security policy rule includes the egress interface of the service request; when it does not, returning a null matching result, and when it does, executing the remaining judgment items;
S33, judging whether the source address of the security policy rule and the source address of the service request have an overlapping part; when there is none, returning a null matching result, and when there is, executing the remaining judgment items;
S34, judging whether the destination address of the security policy rule and the destination address of the service request have an overlapping part; when there is none, returning a null matching result, and when there is, executing the remaining judgment items;
S35, judging whether the service of the security policy rule and the service of the service request have an overlapping part; when there is none, returning a null matching result, and when there is, executing the remaining judgment items;
S36, when the result of every judgment item is "yes", calculating the overlapping part of the security policy rule and the service request, and returning that overlapping part as the matching result.
In the embodiment of the present invention, during matching, the process shown in fig. 8 may also be used to match the service request with a single security policy rule and obtain the overlapping part of the service request and that rule; that is, the way of determining whether the service request and a security policy rule have an overlapping part in the above embodiment is shown in fig. 8, which has been described in detail above and is therefore not described here again.
Optionally, in this embodiment of the present invention, since the security policy matching unit 131 has already obtained the permission request list, the rejection request list and the matching condition of the service request, the generation by the generating unit 132 of the permission condition of each security device for the service request, according to the permission request list, the rejection request list and the matching condition obtained by the security policy matching unit 131, may be implemented as follows:
when the permission request list is not empty, the rejection request list is empty, and the service request is completely matched, the permission condition is "allowed";
when the permission request list is not empty and the service request is not completely matched, the permission condition is "partially allowed";
when the permission request list is empty, the rejection request list is not empty, and the service request is completely matched, the permission condition is "denied".
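The single-rule overlap test (S31 to S36), the first list-matching loop (S11 to S13) and the permission derivation above, as one added example that is not part of the patent. A service request is modelled as a set of concrete (source, destination, service) flows with its ingress and egress interfaces, so the overlapping part of a rule and a request is the subset of flows the rule covers and "deleting the overlapping part" is a set difference; addresses, services, zone names and the class and function names are constructed assumptions. The text defines only three permission outcomes; the fallback for the undefined combinations (both lists non-empty with everything matched, or nothing matched at all) is an assumption and is marked as such in the code.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: frozenset   # zones/ingress interfaces the rule applies to (S31)
    dst_zone: frozenset   # zones/egress interfaces the rule applies to (S32)
    src: frozenset        # source addresses (S33)
    dst: frozenset        # destination addresses (S34)
    svc: frozenset        # services (S35)
    action: str           # "accept" or "deny"


@dataclass(frozen=True)
class Request:
    in_if: str
    out_if: str
    flows: frozenset      # set of (src, dst, svc) tuples still to be matched


def overlap(rule: Rule, req: Request) -> frozenset:
    """S31-S36: overlapping part of one rule and the request; empty set means null."""
    if req.in_if not in rule.src_zone:      # S31: source zone must include ingress interface
        return frozenset()
    if req.out_if not in rule.dst_zone:     # S32: destination zone must include egress interface
        return frozenset()
    # S33-S35 reduce to one membership test per flow: a flow overlaps the rule
    # only if its source, destination and service are all covered; S36 returns the set.
    return frozenset(f for f in req.flows
                     if f[0] in rule.src and f[1] in rule.dst and f[2] in rule.svc)


def match_rules(rules: list, req: Request):
    """S11-S13: walk the rules in priority order, peeling matched flows off the request."""
    remaining = req.flows
    permitted, denied = [], []              # (rule, overlapping flows) entries
    for rule in rules:                      # loop ends when rules are exhausted ...
        if not remaining:                   # ... or the request is completely matched
            break
        hit = overlap(rule, Request(req.in_if, req.out_if, remaining))   # S11
        if not hit:
            continue
        (permitted if rule.action == "accept" else denied).append((rule, hit))  # S12
        remaining = remaining - hit         # S13: the new, smaller service request
    return permitted, denied, remaining


def permission(permitted: list, denied: list, remaining: frozenset) -> str:
    """Derive the device's permission condition from the two lists and the match state."""
    fully_matched = not remaining
    if permitted and not denied and fully_matched:
        return "allowed"
    if permitted and not fully_matched:
        return "partially allowed"
    if not permitted and denied and fully_matched:
        return "denied"
    # Assumption (not stated in the text): accept and deny rules both hit with
    # everything matched counts as partially allowed; nothing matched counts as denied.
    return "partially allowed" if permitted else "denied"


def diagnose(rules: list, req: Request):
    """Run matching for one device and return (permission, permitted, denied, remaining)."""
    permitted, denied, remaining = match_rules(rules, req)
    return permission(permitted, denied, remaining), permitted, denied, remaining


# Constructed sample data (not from the patent): three rules in priority order
TRUST, UNTRUST, DMZ = frozenset({"trust"}), frozenset({"untrust"}), frozenset({"dmz"})
HOSTS = frozenset({"10.0.0.5", "10.0.0.6"})
SERVER = frozenset({"192.168.1.10"})
RULES = [
    Rule(TRUST, UNTRUST, frozenset({"10.0.0.5"}), SERVER, frozenset({"tcp/22"}), "deny"),
    Rule(TRUST, UNTRUST, HOSTS, SERVER, frozenset({"tcp/80"}), "accept"),
    Rule(TRUST, DMZ, HOSTS, SERVER, frozenset({"tcp/22", "tcp/80"}), "accept"),  # wrong zone
]
REQ = Request("trust", "untrust", frozenset(
    (s, "192.168.1.10", p) for s in HOSTS for p in ("tcp/22", "tcp/80")))
WEB_REQ = Request("trust", "untrust", frozenset((s, "192.168.1.10", "tcp/80") for s in HOSTS))

if __name__ == "__main__":
    for r in (REQ, WEB_REQ):
        verdict, p, d, rest = diagnose(RULES, r)
        print(verdict, "permitted:", len(p), "denied:", len(d), "unmatched:", sorted(rest))
```

The leftover flow (10.0.0.6 to the server on tcp/22) is what makes the first request "partially allowed": no rule on the device covers it, so the loop ends with the rules exhausted rather than the request completely matched.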
The network service diagnosis apparatus 10 provided in the embodiment of the present invention is used for executing the network service diagnosis method provided in the embodiment shown in fig. 9 of the present invention, and has corresponding functional modules, which implement similar principles and technical effects, and are not described herein again.
Through the matching performed by the security policy matching unit 131 and the generating unit 132, the analysis results of all security devices on the access path of the service request can be generated; the analysis results may also refer to the content shown in table 3, which is not described here again.
Optionally, in the embodiment of the present invention, after the security policy matching module 13 generates the permission condition of each security device for the service request, further analysis may be performed. Fig. 14 is a schematic structural diagram of another network service diagnosis apparatus provided in the embodiment of the present invention; on the basis of the foregoing embodiment, the apparatus provided in this embodiment may further include:
a security policy changing module 14, configured to generate a security policy change suggestion for each security device according to the permission condition of each security device for the service request generated by the security policy matching module 13.
In practical application of the embodiment of the present invention, the generation of the security policy change suggestion for a security device by the security policy changing module 14 may be implemented as follows: when the permission condition is "allowed", the security policy changing module 14 does not generate a security policy change suggestion for the corresponding security device; when the permission condition is "partially allowed" or "denied", the security policy changing module 14 generates a security policy change suggestion for the corresponding security device, where the suggestion includes, but is not limited to, suggestions to add and/or modify a security policy rule. In the embodiment of the invention, when the permission condition is partial permission or denial, a reasonable policy change suggestion can be provided for the security device so that the security policy rules on the security device meet the business requirement of the user. It should be noted that the rules and content of the specific security policy change suggestions are described in detail in the above embodiments and are therefore not repeated here.
Optionally, in this embodiment of the present invention, the network service diagnosis apparatus 10 may further include:
a result presentation module 15, configured to present, through a user interface (UI), one or more of the following generated results: the permission condition of each security device for the service request generated by the security policy matching module 13, and the security policy change suggestion for each security device generated by the security policy changing module 14.
In the embodiment of the present invention, after the security policy matching module 13 generates the permission condition of each security device for the service request, or the security policy changing module 14 generates the security policy change suggestion for each security device, the generated result can be displayed by the result presentation module 15 of the network service diagnosis apparatus 10. The display mode includes, but is not limited to, the display modes shown in fig. 11 and table 4 in the above embodiments.
The network service diagnosis apparatus 10 provided in the embodiment of the present invention is used for executing the network service diagnosis method provided in the embodiment shown in fig. 10 of the present invention, and has corresponding functional modules, which implement similar principles and technical effects, and are not described herein again.
In practical applications, the configuration obtaining module 11, the preprocessing module 12, the security policy matching module 13, the security policy changing module 14 and the result displaying module 15 in the embodiments shown in fig. 12 to fig. 14 of the present invention can be implemented by a processor of the network service diagnosis apparatus 10, where the processor can be, for example, a Central Processing Unit (CPU), or an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits that implement the embodiments of the present invention.
Fig. 15 is a schematic structural diagram of a network diagnostic server according to an embodiment of the present invention. The network service diagnosis server 20 provided in this embodiment may include: a memory 21 and a processor 22.
Wherein, the memory 21 is used for storing executable instructions;
a processor 22 for executing the executable instructions stored in the memory 21, and performing the following operations:
acquiring configuration information of security equipment through which a service request passes, wherein the configuration information comprises security policy rules;
preprocessing according to the service request and the configuration information of the safety equipment; the pretreatment comprises the following steps: selecting a corresponding security policy matching mode according to the type of each security device, determining an input interface and an output interface of the security device through which the service request passes, and generating a service request to be analyzed;
and matching the service request to be analyzed with the security policy rules of the security devices according to the selected security policy matching mode and the preset matching algorithm, and generating the permission condition of each security device to the service request.
Optionally, in this embodiment of the present invention, the configuration information further comprises one or more of a blocking policy and destination address translation (DNAT), and when the processor 22 executes the executable instructions, the preprocessing further comprises one or more of the following:
comparing the service request with the blocking policy of each security device, and filtering out any service request blocked by the blocking policy of a security device;
determining, according to whether the security policy rules of each security device use the address before DNAT translation or the address after DNAT translation, whether DNAT translation is to be performed on the service request at that security device; and when the security policy rules of a security device use the address after DNAT translation, performing the DNAT translation on the service request at that security device.
Optionally, in this embodiment of the present invention, when the processor 22 executes the executable instructions, the operation "matching the service request to be analyzed with the security policy rules of the security device according to the selected security policy matching mode and the preset matching algorithm, and generating the permission condition of each security device for the service request" may comprise:
matching the service request to be analyzed with the security policy rules of the security device according to the selected security policy matching mode and the preset matching algorithm to obtain a permission request list, a rejection request list and the matching condition of the service request;
and generating the permission condition of each security device for the service request according to the permission request list, the rejection request list and the matching condition of the service request.
Optionally, in the embodiment of the present invention, when the processor 22 executes the executable instructions, the following operations are further performed:
generating a security policy change suggestion for each security device according to the permission condition of that security device for the service request;
when the permission condition is permission, no security policy change suggestion is generated for the corresponding security device;
and when the permission condition is partial permission or rejection, generating a security policy change suggestion for the corresponding security device, wherein the security policy change suggestion comprises a suggestion for adding and/or modifying a security policy.
Optionally, in the embodiment of the present invention, when the processor 22 executes the executable instructions, the following operations are further performed:
presenting one or more of the following generated results through a user interface (UI): the permission condition of each security device for the service request, and the security policy change suggestion of each security device.
The network service diagnosis server 20 provided in the embodiment of the present invention is configured to execute the network service diagnosis method provided in any one of the embodiments shown in fig. 1 to fig. 10 of the present invention, and has corresponding entity devices, which implement similar principles and technical effects and are not described herein again.
It will be understood by those skilled in the art that all or part of the steps of the above methods may be implemented by a program instructing associated hardware (e.g., a processor) which may be stored in a computer readable storage medium such as a read only memory, a magnetic or optical disk, etc. Alternatively, all or part of the steps of the above embodiments may be implemented using one or more integrated circuits. Accordingly, the modules/units in the above embodiments may be implemented in hardware, for example, by an integrated circuit, or may be implemented in software, for example, by a processor executing programs/instructions stored in a memory to implement the corresponding functions. Embodiments of the invention are not limited to any specific form of hardware or software combination.
Although the embodiments of the present invention have been described above, the above description is only for the convenience of understanding the present invention, and is not intended to limit the present invention. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (9)
1. A network service diagnosis method, comprising:
acquiring configuration information of the security devices through which a service request passes, wherein the configuration information comprises security policy rules;
preprocessing according to the service request and the configuration information of the security devices, the preprocessing comprising: selecting a corresponding security policy matching mode according to the type of each security device, determining the input interface and the output interface of each security device through which the service request passes, and generating a service request to be analyzed;
matching the service request to be analyzed with the security policy rules of the security devices according to the selected security policy matching mode and a preset matching algorithm, and generating the permission condition of each security device for the service request;
wherein the types of security device comprise a first type, a second type and a third type: the security policy rules of a security device of the first type form a priority list according to their configuration order, the security policy rules of a security device of the second type comprise inter-area security policy rules and global security policy rules, and the security policy rules of a security device of the third type comprise security policy rules on the input interface and on the output interface;
and the selecting a corresponding security policy matching mode according to the type of each security device comprises:
when the device type is the first type, selecting the security policy matching mode in which the service request is matched with the security policy rules in the order of the priority list;
when the device type is the second type, selecting the security policy matching mode in which the service request is matched first with the inter-area security policy rules and then with the global security policy rules;
and when the device type is the third type, selecting the security policy matching mode in which the service request is matched separately with the security policy rules on the input interface and on the output interface of the security device.
2. The network service diagnosis method according to claim 1, wherein the configuration information further comprises one or more of a blocking policy and destination address translation (DNAT), and the preprocessing further comprises one or more of the following:
comparing the service request with the blocking policy of each security device, and filtering out any service request blocked by the blocking policy of a security device;
determining, according to whether the security policy rules of each security device use the address before DNAT translation or the address after DNAT translation, whether DNAT translation is to be performed on the service request at that security device; and when the security policy rules of a security device use the address after DNAT translation, performing the DNAT translation on the service request at that security device.
3. The method according to claim 1, wherein the matching the service request to be analyzed with the security policy rules of the security devices according to the selected security policy matching mode and the preset matching algorithm, and generating the permission condition of each security device for the service request, comprises:
matching the service request to be analyzed with the security policy rules of the security device according to the selected security policy matching mode and the preset matching algorithm to obtain a permission request list, a rejection request list and the matching condition of the service request;
and generating the permission condition of each security device for the service request according to the permission request list, the rejection request list and the matching condition of the service request.
4. The method according to claim 3, wherein the matching the service request to be analyzed with the security policy rules of the security device according to the selected security policy matching mode and the preset matching algorithm comprises:
when the security device still has unmatched security policy rules and the service request is not completely matched, judging whether the service request and the security policy rule have a repeated part;
when a repeated part is found, adding the security policy rule to the permission request list or the rejection request list according to the action of that security policy rule;
and deleting the repeated part from the service request to form a new service request.
5. The method according to claim 3, wherein the matching the service request to be analyzed with the security policy rules of the security device according to the selected security policy matching mode and the preset matching algorithm comprises:
when the security device has unmatched security policy rules and the service request and those security policy rules have repeated parts, forming a new repeated-part list from the repeated parts together with their security policy rules;
when the repeated-part list contains elements, judging whether the service request is completely matched;
when the service request is judged not to be completely matched, judging whether the service request and the security policy rules in the current repeated-part list have a repeated part;
when a repeated part is found, adding the security policy rule to the permission request list or the rejection request list according to the action of each security policy rule in the current repeated-part list;
and deleting the repeated part from the service request to form a new service request.
6. The method according to claim 4 or 5, wherein the judging whether the service request and the security policy rule have a repeated part comprises:
executing the following judgement items in turn and returning the corresponding result:
judging whether the source domain of the security policy rule includes the input interface of the service request; if not, returning a null matching result, and if so, executing the other judgement items;
judging whether the destination domain of the security policy rule includes the output interface of the service request; if not, returning a null matching result, and if so, executing the other judgement items;
judging whether the source address of the security policy rule and the source address of the service request have a repeated part; if not, returning a null matching result, and if so, executing the other judgement items;
judging whether the destination address of the security policy rule and the destination address of the service request have a repeated part; if not, returning a null matching result, and if so, executing the other judgement items;
judging whether the service of the security policy rule and the service of the service request have a repeated part; if not, returning a null matching result, and if so, executing the other judgement items;
and when the result of every judgement item is "yes", calculating the repeated part of the security policy rule and the service request, and returning that repeated part as the matching result.
7. The method according to claim 3, wherein the generating the permission condition of each security device for the service request according to the permission request list, the rejection request list and the matching condition of the service request comprises:
when the permission request list is not empty, the rejection request list is empty, and the service request is completely matched, the permission condition is permission;
when the permission request list is not empty and the service request is not completely matched, the permission condition is partially permitted;
when the permission request list is empty, the rejection request list is not empty, and the service request is completely matched, the permission condition is rejection.
8. The method of claim 1, further comprising:
generating a security policy change suggestion for the security device according to the permission condition of each security device to the service request;
when the permission condition is permission, not generating a security policy change suggestion for the corresponding security device;
and when the permission condition is partial permission or rejection, generating a security policy change suggestion of the corresponding security device, wherein the security policy change suggestion comprises a suggestion for adding and/or modifying the security policy.
9. The network service diagnosis method according to any one of claims 1 to 5 and 7 to 8, further comprising:
presenting one or more of the following generated results through a user interface (UI): the permission condition of each security device for the service request, and the security policy change suggestion of each security device.
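The matching procedure of claims 4, 6 and 7 carried through in code, as an added example that is not the patent's or the applicant's implementation: a service request and each security policy rule are modelled as boxes over source address, destination address and TCP port, rules are walked in configured order (the first-type matching mode of claim 1), and the permission request list, rejection request list, unmatched remainder and permission condition are returned. The zone names, sample rules and the handling of the cases claim 7 leaves open are constructed assumptions.

```python
"""Rule matching of claims 4, 6 and 7 (added example, not the patent's code).
A service request and each security policy rule are boxes over three integer
axes ((src_lo, src_hi), (dst_lo, dst_hi), (port_lo, port_hi)); rules are walked
in configured order, i.e. the first-type matching mode of claim 1."""
from collections import namedtuple
from ipaddress import ip_network

Rule = namedtuple("Rule", "name src_zone dst_zone box action")  # zones: interface sets
Request = namedtuple("Request", "in_if out_if box")


def net_range(cidr):
    """IPv4 CIDR -> inclusive (first, last) address as integers."""
    net = ip_network(cidr)
    return int(net.network_address), int(net.broadcast_address)


def repeated_part(req, frag, rule):
    """Claim 6: the repeated part of a request fragment and a rule, or None."""
    if req.in_if not in rule.src_zone or req.out_if not in rule.dst_zone:
        return None                     # source/destination domain checks fail
    part = []
    for (lo, hi), (rlo, rhi) in zip(frag, rule.box):
        lo, hi = max(lo, rlo), min(hi, rhi)
        if lo > hi:                     # no overlap on this axis
            return None
        part.append((lo, hi))
    return tuple(part)


def subtract(frag, part):
    """Claim 4: delete part (a sub-box of frag) from frag, returning disjoint pieces."""
    pieces, carved = [], list(frag)
    for i, ((lo, hi), (plo, phi)) in enumerate(zip(frag, part)):
        head, tail = tuple(carved[:i]), tuple(frag[i + 1:])
        if lo < plo:
            pieces.append(head + ((lo, plo - 1),) + tail)
        if phi < hi:
            pieces.append(head + ((phi + 1, hi),) + tail)
        carved[i] = (plo, phi)          # later axes are split only inside part
    return pieces


def diagnose(req, rules):
    """Claims 4 and 7: permit/deny lists, leftover fragments, permission condition."""
    permit, deny, fragments = [], [], [req.box]
    for rule in rules:
        if not fragments:               # request completely matched, stop
            break
        remaining = []
        for frag in fragments:
            part = repeated_part(req, frag, rule)
            if part is None:
                remaining.append(frag)
                continue
            (permit if rule.action == "permit" else deny).append(rule.name)
            remaining.extend(subtract(frag, part))
        fragments = remaining
    # Claim 7 verdict. Cases claim 7 leaves open (nothing hit at all; both lists
    # non-empty) are reported here as deny and partial respectively (assumption).
    condition = "deny" if not permit else "partial" if deny or fragments else "permit"
    return condition, permit, deny, fragments


# Constructed sample policy: a narrow deny configured ahead of a broad permit.
TRUST, UNTRUST = frozenset({"eth0"}), frozenset({"eth1"})
RULES = [
    Rule("R1", TRUST, UNTRUST, (net_range("10.0.0.0/24"), net_range("192.168.1.10/32"), (22, 22)), "deny"),
    Rule("R2", TRUST, UNTRUST, (net_range("10.0.0.0/16"), net_range("192.168.1.0/24"), (22, 443)), "permit"),
]
```

A request for ports 22-80 from 10.0.0.0/24 to 192.168.1.10 through eth0/eth1 hits R1 on port 22 and R2 on the rest, so `diagnose` reports `partial` with both lists populated, which is the case that triggers a change suggestion under claim 8.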
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710208010.8A CN108667776B (en) | 2017-03-31 | 2017-03-31 | Network service diagnosis method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108667776A CN108667776A (en) | 2018-10-16 |
CN108667776B true CN108667776B (en) | 2022-02-22 |
Family ID: 63783704
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108667776B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109600368B (en) * | 2018-12-07 | 2021-04-13 | 中盈优创资讯科技有限公司 | Method and device for determining firewall policy |
CN112910824A (en) * | 2019-11-19 | 2021-06-04 | 苏州至赛信息科技有限公司 | Network security policy configuration method and device, computer equipment and storage medium |
CN112910666B (en) * | 2019-11-19 | 2023-04-07 | 苏州至赛信息科技有限公司 | Simulation method and device for processing data packet by equipment and computer equipment |
CN111147519A (en) * | 2019-12-31 | 2020-05-12 | 奇安信科技集团股份有限公司 | Data detection method, device, electronic equipment and medium |
CN112738114B (en) * | 2020-12-31 | 2023-04-07 | 四川新网银行股份有限公司 | Configuration method of network security policy |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030061506A1 (en) * | 2001-04-05 | 2003-03-27 | Geoffrey Cooper | System and method for security policy |
US7308711B2 (en) * | 2003-06-06 | 2007-12-11 | Microsoft Corporation | Method and framework for integrating a plurality of network policies |
CN101252487B (en) * | 2008-04-11 | 2010-12-22 | 杭州华三通信技术有限公司 | Method for processing safety warning and safety policy equipment |
CN101267437B (en) * | 2008-04-28 | 2011-01-19 | 杭州华三通信技术有限公司 | Packet access control method and system for network devices |
CN101938474B (en) * | 2010-08-27 | 2013-07-31 | 清华大学 | Network intrusion detection and protection method and device |
CN103873441A (en) * | 2012-12-12 | 2014-06-18 | 中国电信股份有限公司 | Firewall safety rule optimization method and device thereof |
CN103825876A (en) * | 2013-11-07 | 2014-05-28 | 北京安码科技有限公司 | Firewall policy auditing system in complex network environment |
CN104243487A (en) * | 2014-09-28 | 2014-12-24 | 网神信息技术(北京)股份有限公司 | Rule matching method and rule matching device of security gateway |
CN106161399B (en) * | 2015-04-21 | 2019-06-07 | 新华三技术有限公司 | A kind of security service delivery method and system |
CN105871930A (en) * | 2016-06-21 | 2016-08-17 | 上海携程商务有限公司 | Self-adaptive firewall security policy configuration method and system based on applications |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||