CN115412351A - An industrial control firewall policy analysis method and device - Google Patents
An industrial control firewall policy analysis method and device Download PDFInfo
- Publication number: CN115412351A (application CN202211064731.3A)
- Authority: CN (China)
- Prior art keywords: policy, analysis, industrial control, asset
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/0263—Rule management
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
This application discloses an industrial control firewall policy analysis method and device. The method comprises: capturing and analysing the packets that pass through the industrial control firewall to generate asset entries; importing and parsing a process flow file to generate process flow entries; setting a policy analysis granularity and a policy grace period; performing a global policy analysis of the level-1 and level-2 policies against the asset entries and process flow entries, generating a policy analysis report and, according to the analysis granularity and grace period, a set of recommended policies; and deploying the recommended policies. The method and device can perform correlated, global policy analysis based on the network environment in which the firewall is deployed and on the plant's process flow, and can automatically adjust the fineness of the analysis according to the preset granularity.
Description
Technical field
This application relates to the field of industrial control firewalls, and in particular to an industrial control firewall policy analysis method and device.
Background
Referring to Figure 1, an industrial control firewall generally carries two kinds of policy: access control policies (ACL) and whitelist policies (also called whitelist rules). Because the firewall sits at the gateway of the network, there are often dozens or even hundreds of access control and whitelist rules, and as the network environment changes the policies must be adjusted to follow it. A policy analysis method is therefore needed to help the administrator quickly and efficiently locate which policies are redundant, which conflict, and which carry a security risk.
Few current industrial control firewalls offer policy analysis at all. Of those that do, some perform redundancy analysis inside each policy module using only the information the policy itself carries (such as its 5-tuple); others detect unmatched policies by counting how many packets have hit each one.
Both approaches analyse only within a single policy module, on the policy's own 5-tuple and similar fields, so they cannot take the application scenario into account. Each module (access control and whitelist) is analysed independently, so no global, correlated analysis across modules is possible; the fineness of the analysis cannot be adjusted automatically by a granularity setting; and the results can only be inspected, not deployed quickly.
Summary of the invention
This application therefore provides an industrial control firewall policy analysis method and device to address two problems of the prior art: the inability to perform global, correlated policy analysis that takes the application scenario into account, and the inability to adjust the fineness of the analysis automatically.
To that end, the application provides the following technical solutions.
In a first aspect, an industrial control firewall policy analysis method comprises:
capturing and analysing the packets passing through the industrial control firewall to generate asset entries;
importing and parsing a process flow file to generate process flow entries;
setting a policy analysis granularity and a policy grace period;
performing a global policy analysis of the level-1 and level-2 policies against the asset entries and the process flow entries, generating a policy analysis report and, according to the analysis granularity and grace period, recommended policies;
deploying the recommended policies.
Further, the global policy analysis covers five aspects: uncovered, redundant, conflicting, not fitting the scenario, and grace period timeout.
Further, a policy that no packet has matched within a given period, and that is outside the policy grace period, is filtered out when the recommended policies are generated.
Further, an asset entry contains a MAC address, an IP address, a destination port number and an ingress interface.
Further, the analysis granularity is one of: discrete address, network segment, or address range.
Further, when the analysis granularity is network segment, a mask must be set.
Further, the process flow file is a user-defined table mapping process operation steps to operation instructions.
Further, asset entries can also be added manually by the user.
In a second aspect, an industrial control firewall policy analysis device comprises:
an asset collection and storage module, which captures and analyses the traffic passing through the industrial control firewall and generates asset entries;
a process flow parsing and storage module, which imports and parses a process flow file and generates process flow entries;
an intelligent policy analysis module, which sets the policy analysis granularity and policy grace period, performs a global policy analysis of the level-1 and level-2 policies against the asset entries and process flow entries, generates a policy analysis report and, according to the analysis granularity and grace period, recommended policies;
a policy analysis result storage module, which stores the recommended policies;
a deployment module, which deploys the recommended policies.
Further, the asset collection and storage module comprises:
an asset self-learning and customisation module, which learns from the packets passing through the firewall and generates asset entries comprising MAC address, IP address, destination port number and ingress interface data;
an asset storage module, which stores the generated asset entries.
Compared with the prior art, this application has at least the following beneficial effects:
the method and device summarised above perform correlated, global policy analysis based on the network environment in which the firewall is deployed and on the plant's process flow, and automatically adjust the fineness of the analysis according to the preset granularity;
the recommended policies produced by the analysis can also be deployed quickly.
Description of drawings
To illustrate the prior art and this application more intuitively, several exemplary drawings are given below. The specific shapes and structures shown in the drawings should not generally be taken as limiting the implementation of this application; a person skilled in the art, working from the technical idea disclosed here and the exemplary drawings, can readily make routine adjustments or further optimisations to the addition, removal or grouping of units (components), their shape, position, connection, dimensions and so on.
Figure 1 is a schematic diagram of the prior art;
Figure 2 is a basic flowchart of the industrial control firewall policy analysis method of Embodiment one;
Figure 3 is a schematic flowchart of the principle of the method of Embodiment one;
Figure 4 is a flowchart of the global policy analysis of Embodiment one.
Detailed description
The application is further detailed below through specific embodiments, with reference to the drawings.
In this application, unless otherwise stated, "a plurality of" means two or more. The terms "first", "second", "third" and so on distinguish the objects they refer to and carry no particular technical meaning (for example, they should not be read as indicating importance or order). Expressions such as "comprising", "including" and "having" also mean "not limited to" (certain units, components, materials, steps, etc.).
Terms such as "upper", "lower", "left", "right" and "middle" are used for intuitive reading against the drawings and are not absolute limits on positional relationships in an actual product; changes to these relative positions that do not depart from the technical idea disclosed here are also within the scope of this application.
Embodiment one
Referring to Figures 2 and 3, this embodiment provides an industrial control firewall policy analysis method comprising:
S1: capture and analyse the packets passing through the industrial control firewall, and generate asset entries.
Traffic (that is, the packets) in an industrial production environment is continuous and fairly fixed in content. This embodiment exploits that property: the traffic passing through the firewall is analysed and asset entries are generated, each containing the MAC address, IP address, destination port number, the name of the firewall interface the traffic arrived on, and so on. The user can also add asset entries containing these fields by hand.
S2: import and parse the process flow file, and generate process flow entries.
Because the business process flow of industrial production usually does not change in real time, the user-defined table mapping process operation steps to operation instructions can be imported into the firewall as a process flow file, from which the process flow entries are generated.
S3: set the policy analysis granularity and the policy grace period.
Specifically, the analysis granularity may be discrete address, network segment or address range; when it is network segment, a mask must be set.
More specifically, the address range type is a special network segment: address 0.0.0.0 with mask 0.0.0.0, that is, the whole address space.
S4: perform a global policy analysis of the level-1 and level-2 policies against the asset entries and process flow entries, generate a policy analysis report and, according to the analysis granularity and grace period, generate recommended (new) policies.
Specifically, the policies of an industrial control firewall depend on one another and can be divided into level-1 policies (access control policies) and level-2 policies (whitelist policies). A packet only proceeds to level-2 matching after it has passed a level-1 policy: the level-1 policy can be thought of as opening a gap, and the level-2 policy as matching and filtering, on further dimensions, the packets that enter through that gap.
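The two-level matching just described, as an added illustration that is not part of the patent: the rule layout, the Modbus/TCP function-code check used as the whitelist's "further dimension", and the sample packets are assumptions made for this example. A packet is first judged by the level-1 ACL on its 5-tuple, and only a permitted packet is ever shown to the level-2 whitelist.

```python
# Added illustration, not the patent's code: how a packet passes through the
# two policy levels. Level 1 (ACL) decides on the 5-tuple, first match wins;
# only packets it permits reach level 2 (whitelist), which here additionally
# checks the Modbus/TCP function code carried in the payload. The rule layout
# and the sample packets below are assumptions.
from ipaddress import ip_address, ip_network

ACL = [  # level 1: (src, dst, proto, dport, action), first match wins
    ("192.168.10.0/24", "192.168.1.5/32", "tcp", 502, "permit"),
    ("0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),
]
WHITELIST = [  # level 2: (src, dst, dport, allowed function codes); unlisted traffic is dropped
    ("192.168.10.0/24", "192.168.1.5/32", 502, {3, 4}),       # HMI stations: reads only
    ("192.168.10.11/32", "192.168.1.5/32", 502, {3, 5, 16}),  # engineering station may also write
]

def modbus_function(payload: bytes):
    """The function code follows the 7-byte MBAP header of a Modbus/TCP frame."""
    return payload[7] if len(payload) >= 8 else None

def _in_scope(pkt, src, dst, dport):
    return (ip_address(pkt["src"]) in ip_network(src)
            and ip_address(pkt["dst"]) in ip_network(dst)
            and dport in (None, pkt["dport"]))

def level1(pkt):
    for src, dst, proto, dport, action in ACL:
        if _in_scope(pkt, src, dst, dport) and proto in ("any", pkt["proto"]):
            return action
    return "deny"  # implicit deny when no ACL entry matched

def level2(pkt):
    code = modbus_function(pkt["payload"])
    for src, dst, dport, codes in WHITELIST:
        if _in_scope(pkt, src, dst, dport) and code in codes:
            return "permit"
    return "deny"

def decide(pkt):
    """Level 2 is only consulted for packets that level 1 has admitted."""
    if level1(pkt) != "permit":
        return "deny@level1"
    return "permit" if level2(pkt) == "permit" else "deny@level2"

# constructed Modbus/TCP requests: MBAP header (7 bytes), then function code and data
READ_REGS = bytes.fromhex("0001000000060103000a0002")   # FC 3, read holding registers
WRITE_COIL = bytes.fromhex("000200000006010500010000")  # FC 5, write single coil

def packet(src, payload, dst="192.168.1.5", proto="tcp", dport=502):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "payload": payload}

if __name__ == "__main__":
    for who, pkt in [("HMI read", packet("192.168.10.20", READ_REGS)),
                     ("HMI write", packet("192.168.10.20", WRITE_COIL)),
                     ("engineering write", packet("192.168.10.11", WRITE_COIL)),
                     ("outsider read", packet("10.0.0.9", READ_REGS))]:
        print(f"{who:18} -> {decide(pkt)}")
```

The outsider's read never reaches the whitelist at all, and the HMI's write is admitted by the ACL but dropped at level 2 because function code 5 is not listed for that station. The same dependency is what makes a whitelist wider than its ACL a conflict in S4: addresses the level-1 rule does not admit never arrive at level 2, so that part of the whitelist is dead scope.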
Referring to Figure 4, the global policy analysis covers five aspects: uncovered, redundant, conflicting, not fitting the scenario, and grace period timeout.
More specifically:
Uncovered: the IP addresses, MAC addresses, operation instructions and so on contained in an asset entry or process flow entry are not found in any existing policy, so the policies' protection scope does not include these assets or process steps. This is a high-risk gap in policy protection.
Redundant: one or more policies are identical to another policy, or are a proper subset of it.
Conflicting: policies with the same 5-tuple but different actions. A further kind of conflict is a level-1 policy that protects network segment A while the level-2 policy referencing it protects segments A and B.
Not fitting the scenario: all or part of a policy's protection scope lies outside the asset entries or the process flow.
Grace period timeout: the policy's protection scope lies within the asset entries or process flow, but no packet has matched the policy within a certain time, so it is an unmatched (that is, useless) policy.
In this embodiment, a policy that no packet has matched within the period, and that is outside the policy grace period, is filtered out of the new policy set produced by the analysis.
S5: deploy the recommended policies.
The method of this embodiment can perform correlated, global policy analysis based on the network environment in which the firewall is deployed and on the business process flow, automatically adjust the fineness of the analysis according to the preset granularity, and quickly deploy the new policies produced by the analysis.
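Steps S1 to S5 taken together, as an added example that is not the patent's own code: a toy analyser that runs the five checks of S4 over learned assets, a process flow table and a two-level rule set, and builds a recommended policy from the result. The asset and rule layout, the use of Modbus function codes as "operation instructions", the way the recommended set is assembled (drop redundant and timed-out rules, add a permit per uncovered asset at the chosen granularity) and every piece of sample data are assumptions made for this example; the patent specifies the checks, not this representation.

```python
# Added illustration, not the patent's code: a toy version of the global
# analysis of Embodiment one. Level-1 rules are ACL entries; level-2 rules are
# whitelist entries naming the level-1 rule they refine. Field layout, the
# "recommended policy" construction and all sample data are assumptions.
from collections import namedtuple
from ipaddress import ip_address, ip_network

Asset = namedtuple("Asset", "mac ip dport iface")          # one learned asset entry (S1)
Rule = namedtuple("Rule", "name level src dport action parent codes last_hit_days",
                  defaults=(None, frozenset(), None))
# level: 1 = ACL, 2 = whitelist; src: CIDR scope; dport: None = any port; parent: the
# level-1 rule a whitelist hangs under; codes: whitelisted operation codes;
# last_hit_days: days since a packet last matched, None = never

def net(rule):
    return ip_network(rule.src)

def aggregate_assets(assets, granularity, mask="255.255.255.0"):
    """Collapse learned addresses to the analysis granularity chosen in S3."""
    if granularity == "discrete":
        nets = {ip_network(f"{a.ip}/32") for a in assets}
    elif granularity == "segment":                      # the type that needs a mask
        nets = {ip_network(f"{a.ip}/{mask}", strict=False) for a in assets}
    elif granularity == "range":                        # the special 0.0.0.0 / 0.0.0.0 segment
        nets = {ip_network("0.0.0.0/0")}
    else:
        raise ValueError(f"unknown granularity {granularity!r}")
    return sorted(nets)

def _matches(rule, ip, dport):
    return ip_address(ip) in net(rule) and rule.dport in (None, dport)

def _subsumes(outer, inner):
    """outer admits everything inner admits (same level and action)."""
    return (outer.level == inner.level and outer.action == inner.action
            and net(inner).subnet_of(net(outer)) and outer.dport in (None, inner.dport)
            and inner.codes <= outer.codes)

def analyze(assets, process_ops, rules, granularity, grace_days, mask="255.255.255.0"):
    """Run the five checks of S4; return (report, recommended_rules)."""
    report = {k: [] for k in ("uncovered", "redundant", "conflict", "non_fitting", "timed_out")}
    by_name = {r.name: r for r in rules}
    asset_nets = aggregate_assets(assets, granularity, mask)
    # 1. uncovered: an asset no permit rule admits, or an instruction no whitelist lists
    for a in assets:
        if not any(r.action == "permit" and _matches(r, a.ip, a.dport) for r in rules):
            report["uncovered"].append(f"asset {a.ip}:{a.dport}")
    for op, code in process_ops.items():
        if not any(code in r.codes for r in rules if r.level == 2):
            report["uncovered"].append(f"operation {op!r} (code {code})")
    # 2. redundant: identical to an earlier rule, or a proper subset of any other rule
    for i, r in enumerate(rules):
        for j, o in enumerate(rules):
            identical = (net(r), r.dport, r.codes) == (net(o), o.dport, o.codes)
            if i != j and _subsumes(o, r) and (not identical or j < i):
                report["redundant"].append(r.name)
                break
    # 3. conflict: same tuple with different actions, or a whitelist wider than its ACL
    for i, r in enumerate(rules):
        for o in rules[i + 1:]:
            if (r.level, net(r), r.dport) == (o.level, net(o), o.dport) and r.action != o.action:
                report["conflict"].append(f"{r.name}/{o.name}")
        if r.level == 2 and r.parent in by_name and not net(r).subnet_of(net(by_name[r.parent])):
            report["conflict"].append(f"{r.name} exceeds {r.parent}")
    # 4./5. non-fitting scenario, then grace-period timeout for the rules that do fit
    for r in rules:
        touching = [n for n in asset_nets if n.overlaps(net(r))]
        if not touching:
            report["non_fitting"].append(f"{r.name} (whole)")
        elif not any(net(r).subnet_of(n) for n in touching):
            report["non_fitting"].append(f"{r.name} (partial)")
        elif r.last_hit_days is None or r.last_hit_days > grace_days:
            report["timed_out"].append(r.name)
    # recommended policy: drop redundant and timed-out rules, add a permit for each uncovered
    # asset at the chosen granularity; conflicts are reported and left to the administrator
    dropped = set(report["redundant"]) | set(report["timed_out"])
    recommended = [r for r in rules if r.name not in dropped]
    for a in assets:
        if f"asset {a.ip}:{a.dport}" in report["uncovered"]:
            n = next(n for n in asset_nets if ip_address(a.ip) in n)
            new = Rule(f"auto-{n.with_prefixlen}-{a.dport}", 1, str(n), a.dport, "permit")
            if new not in recommended:
                recommended.append(new)
    return report, recommended

# constructed sample data, not captured from any real plant
ASSETS = [
    Asset("00:11:22:33:44:01", "192.168.10.11", 502, "eth1"),   # PLC, Modbus/TCP
    Asset("00:11:22:33:44:02", "192.168.10.12", 502, "eth1"),
    Asset("00:11:22:33:44:03", "192.168.20.5", 44818, "eth2"),  # EtherNet/IP device no rule admits
]
PROCESS_OPS = {"start pump": 5, "read level": 3, "set setpoint": 16}  # step -> Modbus function code
RULES = [
    Rule("acl-scada", 1, "192.168.10.0/24", 502, "permit", last_hit_days=1),
    Rule("acl-scada-dup", 1, "192.168.10.0/24", 502, "permit", last_hit_days=1),  # identical
    Rule("acl-plc11", 1, "192.168.10.11/32", 502, "permit", last_hit_days=2),      # proper subset
    Rule("acl-scada-deny", 1, "192.168.10.0/24", 502, "deny", last_hit_days=3),    # same tuple, other action
    Rule("acl-hmi", 1, "192.168.10.0/24", 102, "permit", last_hit_days=45),        # fits, but unused
    Rule("acl-legacy", 1, "10.0.0.0/8", None, "permit", last_hit_days=90),         # no asset lives there
    Rule("wl-write", 2, "192.168.0.0/16", 502, "permit", "acl-scada", frozenset({3, 5}), 1),  # wider than its ACL
]
```

Calling `analyze(ASSETS, PROCESS_OPS, RULES, "segment", grace_days=30)` reports the EtherNet/IP device and the "set setpoint" instruction as uncovered, the duplicate and the /32 as redundant, the deny rule and the over-wide whitelist as conflicts, `acl-legacy` as wholly and `wl-write` as partly outside the scenario, and `acl-hmi` as timed out. The granularity setting is what makes "partial" stricter or looser: under `"discrete"` the /24 ACL itself becomes partially non-fitting because only two of its addresses are learned assets, while under `"range"` nothing is non-fitting and only the grace period prunes. Two cautions a practitioner would add before deploying such output unreviewed: a rule with no hits in the window may protect a rare but legitimate path (maintenance, emergency procedures), and in a plant a silently dropped permit is a denial of service to the process, so the grace period must exceed the longest legitimate cycle; and the auto-generated permits encode whatever was on the wire during learning, an intruder already present included, so uncovered entries should be confirmed against the process flow table rather than accepted wholesale.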
Embodiment two
This embodiment provides an industrial control firewall policy analysis device comprising:
an asset collection and storage module, which captures and analyses the traffic passing through the industrial control firewall and generates asset entries;
specifically, the asset collection and storage module comprises:
an asset self-learning and customisation module, which learns from the packets passing through the firewall and generates asset entries comprising MAC address, IP address, destination port number and ingress interface data;
an asset storage module, which stores the generated asset entries;
a process flow parsing and storage module, which imports and parses a process flow file and generates process flow entries;
an intelligent policy analysis module, which sets the policy analysis granularity and policy grace period, performs a global policy analysis of the level-1 and level-2 policies against the asset entries and process flow entries, generates a policy analysis report and, according to the analysis granularity and grace period, recommended policies;
a policy analysis result storage module, which stores the recommended policies;
a deployment module, which deploys the recommended policies.
For the specific definition of the device, see the definition of the method above; it is not repeated here. Each module of the device may be implemented wholly or partly in software, in hardware, or in a combination of the two. The modules may be embedded in, or independent of, the processor of a computer device in hardware form, or stored in the memory of the computer device in software form so that the processor can call and execute the operations corresponding to each module.
The technical features of the embodiments above may be combined arbitrarily (provided the combination is not contradictory). For brevity not every possible combination has been described, but embodiments not written out explicitly should also be regarded as within the scope of this description.
The application has been described above in some detail through general description and specific embodiments. Routine adjustments or further innovations may be made to these embodiments based on the technical idea of this application; provided they do not depart from that idea, the resulting technical solutions also fall within the protection scope of the claims.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN202211064731.3A | 2022-09-01 | 2022-09-01 | An industrial control firewall policy analysis method and device
Publications (1)
Publication Number | Publication Date
---|---
CN115412351A | 2022-11-29
Family
ID=84164224
Family Applications (1)
Application Number | Publication | Status | Priority Date | Filing Date | Title
---|---|---|---|---|---
CN202211064731.3A | CN115412351A | Pending | 2022-09-01 | 2022-09-01 | An industrial control firewall policy analysis method and device
Country Status (1)
Country | Link
---|---
CN | CN115412351A
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN105847236A * | 2016-03-15 | 2016-08-10 | 北京网御星云信息技术有限公司 | Firewall security strategy configuration method and device as well as firewall
US9553845B1 * | 2013-09-30 | 2017-01-24 | F5 Networks, Inc. | Methods for validating and testing firewalls and devices thereof
CN111262861A * | 2020-01-16 | 2020-06-09 | 四川效率源科技有限责任公司 | Method for identifying and filtering MODBUS TCP/UDP protocol
CN113301040A * | 2021-05-21 | 2021-08-24 | 恒安嘉新(北京)科技股份公司 | Firewall strategy optimization method, device, equipment and storage medium
CN113507454A * | 2021-06-23 | 2021-10-15 | 北京惠而特科技有限公司 | Industrial firewall strategy automatic generation and deployment method based on flow analysis
CN113992407A * | 2021-10-27 | 2022-01-28 | 北京天融信网络安全技术有限公司 | Security policy configuration method and device
Legal Events
Code | Title
---|---
PB01 | Publication
SE01 | Entry into force of request for substantive examination