CN110138742B - Firewall policy optimization method, system and computer readable storage medium - Google Patents
Publication number: CN110138742B (application CN201910307041.8A)
Authority: CN (China)
Prior art keywords: strategy, list, ranking, policy, firewall
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The invention provides a firewall policy optimization method, a firewall policy optimization system and a computer-readable storage medium. The firewall policy optimization method comprises the following steps: acquiring all policies of a firewall and generating a first list; obtaining the number of hits of each policy and generating a second list ranked by number of hits in descending order; taking the policies out of the second list one by one and judging whether each policy's ranking number in the second list is smaller than its ranking number in the first list; where the ranking number in the second list is smaller than that in the first list, optimizing the ranking of that policy in the first list; and generating a third list from the optimized ranking number of each policy, so that the firewall matches data packets against policies in the ranking order of the third list. With this firewall policy optimization method, policies are optimized according to their actual usage as identified from the number of hits, and the overall performance and efficiency of the firewall are greatly improved.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a firewall policy optimization method, a firewall policy optimization system and a computer-readable storage medium.
Background
When firewalls are used by traditional telecom operators, e-government bodies and mobile internet enterprises, a large number of firewall policies are configured because the network carries many service rules. Once configured, a firewall policy cannot be deleted casually: a wrong deletion makes service access fail, so the de facto industry practice is to add firewall policies but not to delete them. Because of this contradiction the number of firewall policies only grows, and some core firewalls often reach tens of thousands of rules. The more rules there are, the lower the efficiency and performance of the firewall, because each data packet is compared against rule after rule until a matching rule is found.
Existing solutions and techniques:
(1) policy ranking is optimized based on a human judgement of which services are used more, with no real-time, intelligent judgement of actual policy usage;
(2) mutual exclusion between policies is judged manually rather than intelligently.
Disclosure of Invention
The present invention is directed to solving at least one of the problems of the prior art or the related art.
To this end, an aspect of the present invention is to provide a firewall policy optimization method.
Another aspect of the present invention is to provide a firewall policy optimization system.
Yet another aspect of the present invention is to provide a computer-readable storage medium.
In view of this, an aspect of the present invention provides a firewall policy optimization method, including: acquiring all policies of a firewall and generating a first list; obtaining the number of hits of each policy and generating a second list ranked by number of hits in descending order; taking the policies out of the second list one by one and judging whether each policy's ranking number in the second list is smaller than its ranking number in the first list; where the ranking number in the second list is smaller than that in the first list, optimizing the ranking of that policy in the first list; and generating a third list from the optimized ranking number of each policy, so that the firewall matches data packets against policies in the ranking order of the third list.
According to this firewall policy optimization method, all policies of the firewall are first obtained to form the original policy list, the first list; before the policies are re-ordered, the firewall matches data packets in the order of the first list. Next, the number of hits of each policy in the first list is obtained and all policies are sorted by number of hits in descending order to form the second list. The policies are then taken out of the second list one by one, preferably all of them, so that the policies with the most hits are optimized first. For each policy taken out, its ranking number is used to judge whether it ranks earlier in the second list than in the first list; if so, its ranking in the first list is optimized, otherwise the next policy is examined in turn. Specifically, the policy's rank is moved forward in the first list; after every policy has been rank-optimized, the third list is formed and the firewall matches packets in the order of the third list. The firewall policy optimization method provided by the invention thus optimizes policies according to their usage as identified from the number of hits, so that policies with more hits rank earlier; this improves optimization efficiency and accuracy and greatly improves the overall performance and efficiency of the firewall.
The number of hits of a firewall policy reflects how much the policy is used: a high number of hits indicates a frequently used policy that should be ranked earlier, so that when the firewall inspects a data packet the packet is hit after being compared against only a few policies, and the remaining policies need not be compared.
The ranking number represents the priority of a policy: the lower the ranking number, the higher the policy's priority.
The firewall policy optimization method provided by the invention can also have the following technical characteristics:
In the above technical solution, preferably, the step of optimizing the ranking of the policy in the first list includes: judging, in the first list, whether the policy is mutually exclusive with each of the other policies it crosses when moved from its current position to its position in the second list; if the policy is mutually exclusive with all of those other policies, taking the policy's ranking number in the second list as its optimized ranking number; otherwise, determining among those other policies the first one that is not mutually exclusive with the policy, and determining the optimized ranking number from the ranking number of that non-mutually-exclusive policy.
In this technical solution, optimizing the ranking of a policy in the first list specifically means judging whether the policy is mutually exclusive with the other policies it crosses when moved forward from its current position in the first list to its position in the second list. If it is mutually exclusive with all of them, its ranking number in the second list becomes its optimized ranking number; otherwise the optimized ranking number is determined from the ranking number of the latest-ranked non-mutually-exclusive policy (the one with the largest ranking number among those crossed). The firewall policy optimization method provided by the invention can therefore decide from the hit count whether re-ordering is needed, determine the exact optimized position from mutual exclusivity between policies, and improve the policy ordering automatically, improving the efficiency and performance of the firewall.
In any of the above technical solutions, preferably, the step of determining the optimized ranking number from the ranking number of the non-mutually-exclusive policy includes: adding 1 to the ranking number of that non-mutually-exclusive policy and using the result as the optimized ranking number of the policy.
In this technical solution, when the policy is not mutually exclusive with every crossed policy, 1 is added to the ranking number of the latest-ranked non-mutually-exclusive policy and the result is used as the optimized ranking number; that is, the policy is moved to the position immediately after that non-mutually-exclusive policy, which ensures that the policy is only moved across policies with which it is mutually exclusive.
In any of the above technical solutions, preferably, the step of judging whether the policy is mutually exclusive with another policy it crosses when moved from its current position to its position in the second list includes: when the source address of the policy and the source address of the other policy are in a subset or intersecting relationship, and/or when the destination address of the policy and the destination address of the other policy are in a subset or intersecting relationship, judging that the policy and the other policy are not mutually exclusive.
In this technical solution, when the source addresses and/or the destination addresses of any two firewall policies are in a subset or intersecting relationship, the two policies are regarded as not mutually exclusive, because if two policies have such a relationship, moving one of them may change the original access rules: a data packet that originally matched policy A might match policy B after the re-ordering, which is not allowed. The mutual-exclusion relationship must therefore be judged before a policy is moved.
In any one of the above technical solutions, preferably, each policy in the first, second and third lists includes a ranking number, a policy number, a source address, a destination address, and any one or a combination of: source port, destination port, action; each policy in the second and third lists also includes its number of hits.
Another aspect of the present invention provides a firewall policy optimization system, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the computer program to implement: acquiring all policies of a firewall and generating a first list; obtaining the number of hits of each policy and generating a second list ranked by number of hits in descending order; taking the policies out of the second list one by one and judging whether each policy's ranking number in the second list is smaller than its ranking number in the first list; where the ranking number in the second list is smaller than that in the first list, optimizing the ranking of that policy in the first list; and generating a third list from the optimized ranking number of each policy, so that the firewall matches data packets against policies in the ranking order of the third list.
According to this firewall policy optimization system, all policies of the firewall are first obtained to form the original policy list, the first list; before the policies are re-ordered, the firewall matches data packets in the order of the first list. Next, the number of hits of each policy in the first list is obtained and all policies are sorted by number of hits in descending order to form the second list. The policies are then taken out of the second list one by one, preferably all of them, so that the policies with the most hits are optimized first. For each policy taken out, its ranking number is used to judge whether it ranks earlier in the second list than in the first list; if so, its ranking in the first list is optimized, otherwise the next policy is examined in turn. Specifically, the policy's rank is moved forward in the first list; after every policy has been rank-optimized, the third list is formed and the firewall matches packets in the order of the third list. The firewall policy optimization system provided by the invention thus optimizes policies according to their usage as identified from the number of hits, so that policies with more hits rank earlier; this improves optimization efficiency and accuracy and greatly improves the overall performance and efficiency of the firewall.
In the foregoing technical solution, preferably, when the processor executes the computer program, the step of optimizing the ranking of the policy in the first list is specifically implemented as: judging, in the first list, whether the policy is mutually exclusive with each of the other policies it crosses when moved from its current position to its position in the second list; if the policy is mutually exclusive with all of those other policies, taking the policy's ranking number in the second list as its optimized ranking number; otherwise, determining among those other policies the first one that is not mutually exclusive with the policy, and determining the optimized ranking number from the ranking number of that non-mutually-exclusive policy.
In any of the above technical solutions, preferably, when the processor executes the computer program, the step of determining the optimized ranking number from the ranking number of the non-mutually-exclusive policy is specifically implemented as: adding 1 to the ranking number of that non-mutually-exclusive policy and using the result as the optimized ranking number of the policy.
In any of the above technical solutions, preferably, when the processor executes the computer program, the step of judging whether the policy is mutually exclusive with the other policies it crosses when moved from its current position to its position in the second list is specifically implemented as: judging that the policy and another policy are not mutually exclusive when the source address of the policy and the source address of the other policy are in a subset or intersecting relationship, and/or when the destination address of the policy and the destination address of the other policy are in a subset or intersecting relationship.
In another aspect, the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of any of the firewall policy optimization methods in the foregoing technical solutions, and so has all the technical effects of that method; these are not repeated here.
Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
The above and additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 shows a flow diagram of a firewall policy optimization method according to one embodiment of the invention;
FIG. 2 shows a flow diagram of a firewall policy optimization method according to another embodiment of the invention;
FIG. 3 illustrates a logical view of a firewall policy optimization method according to an embodiment of the present invention;
FIG. 4 shows a schematic block diagram of a firewall policy optimization system according to one embodiment of the invention.
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, a more particular description of the invention will be rendered by reference to the appended drawings. It should be noted that the embodiments and features of the embodiments of the present application may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, however, the present invention may be practiced in other ways than those specifically described herein, and therefore the scope of the present invention is not limited by the specific embodiments disclosed below.
Fig. 1 is a schematic flow chart of a firewall policy optimization method according to an embodiment of the present invention. The firewall policy optimization method comprises the following steps:
Step 102: acquiring all policies of a firewall and generating a first list;
Step 104: acquiring the number of hits of each policy and generating a second list ranked by number of hits in descending order;
Step 108: optimizing the ranking of a policy in the first list when its ranking number in the second list is smaller than its ranking number in the first list;
Step 110: generating a third list from the optimized ranking number of each policy, so that the firewall matches data packets against policies in the ranking order of the third list.
In the firewall policy optimization method provided by this embodiment of the invention, all policies of the firewall are first obtained to form the original policy list, the first list; before the policies are re-ordered, the firewall matches data packets in the order of the first list. Next, the number of hits of each policy in the first list is obtained and all policies are sorted by number of hits in descending order to form the second list. The policies are then taken out of the second list one by one, preferably all of them, so that the policies with the most hits are optimized first. For each policy taken out, its ranking number is used to judge whether it ranks earlier in the second list than in the first list; if so, its ranking in the first list is optimized, otherwise the next policy is examined in turn. Specifically, the policy's rank is moved forward in the first list; after every policy has been rank-optimized, the third list is formed and the firewall matches packets in the order of the third list. The method thus optimizes policies according to their usage as identified from the number of hits, so that policies with more hits rank earlier; this improves optimization efficiency and accuracy and greatly improves the overall performance and efficiency of the firewall.
Fig. 2 is a schematic flow chart of a firewall policy optimization method according to another embodiment of the present invention. The firewall policy optimization method comprises the following steps:
Step 214: generating a third list from the optimized ranking numbers of the policies, so that the firewall matches data packets against policies in the ranking order of the third list.
In this embodiment, optimizing the ranking of a policy in the first list specifically means judging whether the policy is mutually exclusive with the other policies it crosses when moved forward from its current position in the first list to its position in the second list. If it is mutually exclusive with all of them, its ranking number in the second list becomes its optimized ranking number; otherwise the optimized ranking number is determined from the ranking number of the latest-ranked non-mutually-exclusive policy (the one with the largest ranking number among those crossed). The firewall policy optimization method provided by the invention can therefore decide from the hit count whether re-ordering is needed, determine the exact optimized position from mutual exclusivity between policies, and improve the policy ordering automatically, improving the efficiency and performance of the firewall.
In an embodiment of the present invention, preferably, the step of determining the optimized ranking number from the ranking number of the non-mutually-exclusive policy includes: adding 1 to the ranking number of that non-mutually-exclusive policy and using the result as the optimized ranking number of the policy.
In this embodiment, when the policy is not mutually exclusive with every crossed policy, 1 is added to the ranking number of the latest-ranked non-mutually-exclusive policy and the result is used as the optimized ranking number; that is, the policy is moved to the position immediately after that non-mutually-exclusive policy, which ensures that the policy is only moved across policies with which it is mutually exclusive.
In an embodiment of the present invention, preferably, the step of judging whether the policy is mutually exclusive with the other policies it crosses when moved from its current position to its position in the second list includes: judging that the policy and another policy are not mutually exclusive when the source address of the policy and the source address of the other policy are in a subset or intersecting relationship, and/or when the destination address of the policy and the destination address of the other policy are in a subset or intersecting relationship.
In this embodiment, when the source addresses and/or the destination addresses of any two firewall policies are in a subset or intersecting relationship, the two policies are regarded as not mutually exclusive, because if two policies have such a relationship, moving one of them may change the original access rules: a data packet that originally matched policy A might match policy B after the re-ordering, which is not allowed. The mutual-exclusion relationship must therefore be judged before a policy is moved.
In any of the above embodiments, preferably, each policy in the first, second and third lists includes a ranking number, a policy number, a source address, a destination address, and any one or a combination of: source port, destination port, action; each policy in the second and third lists also includes its number of hits.
Fig. 3 is a logic diagram of a firewall policy optimization method according to an embodiment of the present invention. As shown in Fig. 3, the firewall's original policy list is obtained by command, as shown in Table 1; the number of hits of each firewall policy is obtained by command at scheduled times, and the policies are sorted by number of hits in descending order to form the hit-ranked policy list shown in Table 2. The policies are then taken out of Table 2 one by one in order, and it is judged whether each policy ranks earlier in Table 2 than in Table 1; if so, the policy may need to be moved forward in Table 1.
TABLE 1
| Rank number | Policy number | Source address | Destination address | Source port | Destination port | Action |
|---|---|---|---|---|---|---|
| 1 | 4 | 10.10.101.10 | 10.10.100.20 | 80 | 8080 | Deny |
| 2 | 6 | 10.10.103.* | 10.10.104.* | 80 | 8080 | Allow |
| 3 | 8 | 10.11.101.* | 10.12.100.* | 80 | 8080 | Allow |
| 4 | 11 | 10.10.101.* | 10.10.100.* | 80 | 8080 | Allow |
TABLE 2
Specifically, if the policy does need to move forward, it must be judged whether the policy is mutually exclusive with each of the other policies it crosses while moving forward, by comparing their source and destination addresses: if the source addresses and/or the destination addresses are in a subset or intersecting relationship, the two policies are not mutually exclusive; otherwise they are mutually exclusive. If the policy is mutually exclusive with every crossed policy, it moves to its rank in Table 2; otherwise it moves to the position immediately after the latest-ranked crossed policy that is not mutually exclusive with it.
Each policy is moved in turn in this way to form a new re-ordered policy list, Table 3, which is the optimized ranking order. The firewall matches data packets in the order of Table 3, and because the policies with more hits are in front, efficiency is greatly improved.
TABLE 3
The specific implementation of the firewall policy optimization method is described in further detail below. The firewall policy optimization method comprises the following steps:
step one, obtaining the original policy list of the firewall, namely Table 1;
step two, obtaining the hit count of each firewall policy and generating a policy list sorted by hit count in descending order, namely Table 2;
step three, taking the policies out of Table 2 in turn;
step four, judging whether the rank of the policy in Table 2 is earlier than its rank in Table 1;
step five, if the policy is to be moved forward, judging whether the policy is mutually exclusive with all of the policies between its position in Table 1 and its position in Table 2; if so, its position in Table 2 is its optimized rank number;
step six, if the judgment in step five is that they are not all mutually exclusive, finding the nearest non-mutually-exclusive policy, i.e. the one with the largest rank number, and taking that rank number plus 1 as the new rank number of the policy;
step seven, moving the policy to its new position in Table 1;
step eight, repeating step two to step seven;
step nine, the regenerated Table 3 is the optimized policy order.
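The nine steps above, carried through in working code. This is an added example written for this page, not code from the patent or its applicant. It assumes policies carry the Table 1 fields, that an address is either a single IPv4 address or a trailing-wildcard spec such as `10.10.101.*` (taken to mean the /24), and that hit counts are handed in by the caller rather than read from the firewall by command. The Table 2 bound of steps five and six is realized as "never overtake a policy with more hits": when no earlier policy was stopped by an overlap this is exactly the Table 2 rank number, and when one was, the busier policy keeps the ground it gained. The fifth policy (number 13), the hit counts and the `order_preserved` check are constructed for the example and do not appear in the patent.

```python
"""Hit-count-driven firewall policy reordering with an address-overlap guard.

Added example, not the patent's own code. Assumptions (mine, not the patent's):
policies carry the Table 1 fields, addresses are a single IPv4 address or a
trailing-wildcard spec such as "10.10.101.*", and hit counts are supplied by
the caller (the patent reads them from the firewall by command).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List


@dataclass(frozen=True)
class Policy:
    number: int   # policy number as shown in Table 1
    src: str
    dst: str
    sport: int
    dport: int
    action: str   # "deny" or "allow"


def parse_address(spec: str) -> IPv4Network:
    """Turn "10.10.101.10" or "10.10.101.*" into an IPv4Network.

    Each trailing "*" is a full wildcard octet, so "10.10.101.*" becomes
    10.10.101.0/24 and "10.10.*.*" becomes 10.10.0.0/16 (assumed notation).
    """
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"unsupported address spec: {spec!r}")
    fixed: List[str] = []
    for octet in octets:
        if octet == "*":
            break
        fixed.append(octet)
    if any(o != "*" for o in octets[len(fixed):]):
        raise ValueError(f"wildcards must be trailing: {spec!r}")
    network = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return IPv4Network(f"{network}/{8 * len(fixed)}")


def mutually_exclusive(a: Policy, b: Policy) -> bool:
    """The patent's test (claim 3): two policies are NOT mutually exclusive when
    their source addresses overlap (subset or intersection) or their
    destination addresses overlap; overlap on either field is enough."""
    src_overlap = parse_address(a.src).overlaps(parse_address(b.src))
    dst_overlap = parse_address(a.dst).overlaps(parse_address(b.dst))
    return not (src_overlap or dst_overlap)


def optimize(first_list: List[Policy], hits: Dict[int, int]) -> List[Policy]:
    """Return the third list: first_list reordered by hit count, never moving a
    policy past one it is not mutually exclusive with (steps one to nine)."""
    second_list = sorted(first_list, key=lambda p: hits.get(p.number, 0), reverse=True)
    hit_rank = {p.number: r for r, p in enumerate(second_list, start=1)}
    third = list(first_list)
    for policy in second_list:  # highest hit count first (step three)
        pos = third.index(policy)
        new_pos = pos
        while new_pos > 0:
            crossed = third[new_pos - 1]
            if hit_rank[crossed.number] < hit_rank[policy.number]:
                break  # Table 2 bound: never overtake a busier policy (step five)
            if not mutually_exclusive(policy, crossed):
                break  # stop right after the nearest overlapping policy (step six)
            new_pos -= 1
        if new_pos != pos:
            third.insert(new_pos, third.pop(pos))  # step seven
    return third


def order_preserved(before: List[Policy], after: List[Policy]) -> bool:
    """Practitioner's check on the result: every pair of policies that is not
    mutually exclusive must keep its relative order, or matching may change."""
    rank_after = {p.number: i for i, p in enumerate(after)}
    for i, a in enumerate(before):
        for b in before[i + 1:]:
            if not mutually_exclusive(a, b) and rank_after[a.number] > rank_after[b.number]:
                return False
    return True


def policy_numbers(policies: List[Policy]) -> List[int]:
    return [p.number for p in policies]


# Table 1 from the patent plus one constructed policy (number 13); the hit
# counts are constructed for the example.
TABLE_1 = [
    Policy(4, "10.10.101.10", "10.10.100.20", 80, 8080, "deny"),
    Policy(6, "10.10.103.*", "10.10.104.*", 80, 8080, "allow"),
    Policy(8, "10.11.101.*", "10.12.100.*", 80, 8080, "allow"),
    Policy(11, "10.10.101.*", "10.10.100.*", 80, 8080, "allow"),
    Policy(13, "192.168.5.*", "10.10.200.*", 80, 8080, "allow"),
]
HITS = {4: 30, 6: 400, 8: 250, 11: 900, 13: 700}

if __name__ == "__main__":
    table_3 = optimize(TABLE_1, HITS)
    for rank, p in enumerate(table_3, start=1):
        print(rank, p.number, p.src, p.dst, p.action, HITS[p.number])
    print("conflicting pairs keep their order:", order_preserved(TABLE_1, table_3))
```

Running it yields the order 4, 11, 13, 6, 8: policy 11 (900 hits) stops directly behind the deny in policy 4 because its address range contains the denied host pair, and policy 13 then overtakes 6 and 8 but not 11. Two caveats for anyone applying this to a production rulebase. First, the patent's exclusivity test compares only addresses and treats overlap on either address as a conflict; a packet can match two rules only if every field of both rules covers it, so the test is conservative (it forgoes some safe moves) but also blind to fields it does not look at: if the firewall also matches on protocol, ports, zones or interfaces, add those fields to `mutually_exclusive` before trusting the result. Second, run `order_preserved` on the final list and diff it against the device before pushing, since hit counters sampled by command can be reset or lag and a bad counter must never be able to move a rule past a deny it overlaps.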
Fig. 4 is a schematic block diagram of a firewall policy optimization system according to one embodiment of the invention. The firewall policy optimization system 400 includes a memory 402, a processor 404, and a computer program stored in the memory 402 and executable on the processor 404; when the processor 404 executes the computer program it implements: acquiring all policies of a firewall and generating a first list; obtaining the hit count of each policy and sorting the policies by hit count in descending order to generate a second list; taking the policies out of the second list one by one and judging whether each policy's rank number in the second list is smaller than its rank number in the first list; optimizing the rank of the policy in the first list when its rank number in the second list is smaller than its rank number in the first list; and generating a third list from the optimized rank number of each policy, so that the firewall matches data packets against the policies in the ranking order of the third list.
The firewall policy optimization system 400 provided in this embodiment first obtains all policies of the firewall to form the original policy list, that is, the first list; before the order is optimized, the firewall matches packets in the order of the first list. It then obtains the hit count of each policy in the first list and sorts all policies by hit count in descending order to form the second list. The policies are then taken out of the second list one by one, preferably all of them, so that the policies with high hit counts are optimized first. For the policy currently taken out, it is judged from the rank numbers whether its rank in the second list is earlier than its rank in the first list; if so, its rank in the first list is optimized, that is, the policy is moved forward in the first list; otherwise the next policy is examined. After every policy has been processed, a third list is formed and the firewall matches packets in the order of the third list. The system 400 thus recognizes how heavily each policy is used from its hit count and ranks the busier policies ahead, which improves both the efficiency and accuracy of the optimization and the overall matching performance of the firewall.
The hit count of a firewall policy reflects how much the policy is used: a high hit count means the policy is matched frequently and should be ranked ahead, so that a packet is matched by it after the firewall has compared the packet against as few other policies as possible.
Here the rank number represents the priority of the policy: the smaller the rank number, the higher the priority of the policy.
In the above embodiment, preferably, when the processor 404 executes the computer program, the step of optimizing the rank of the policy in the first list specifically includes: in the first list, judging whether the policy is mutually exclusive with the other policies it crosses when moved from its current position to its position in the second list; if the policy is mutually exclusive with all of them, taking its rank number in the second list as its optimized rank number; otherwise, determining the first of those other policies that is not mutually exclusive with the policy, and determining the optimized rank number from the rank number of that non-mutually-exclusive policy.
In this embodiment, the rank of the policy in the first list is optimized as follows: it is judged whether the policy is mutually exclusive with each of the other policies it crosses when moved forward from its current position in the first list to its position in the second list; if it is mutually exclusive with all of them, its rank number in the second list becomes its optimized rank number; otherwise the optimized rank number is derived from the rank number of the nearest non-mutually-exclusive policy. The method can therefore decide from the hit count whether a policy's order needs optimizing, determine its exact new position from mutual exclusivity, and improve the policy order automatically, which improves the efficiency and performance of the firewall.
In any of the above embodiments, preferably, when the processor 404 executes the computer program, the step of determining the optimized rank number from the rank number of the non-mutually-exclusive policy specifically includes: adding 1 to the rank number of the non-mutually-exclusive policy and using the result as the optimized rank number.
In this embodiment, when the policy is not mutually exclusive with all of the crossed policies, the rank number of the nearest non-mutually-exclusive policy plus 1 is taken as the optimized rank number; that is, the policy is moved to the position immediately after the nearest non-mutually-exclusive policy, which ensures that the policy is only ever moved past policies with which it is mutually exclusive.
In any of the above embodiments, preferably, when the processor 404 executes the computer program, the step of judging whether the policy is mutually exclusive with the other policies it crosses when moved from its current position to its position in the second list includes: judging that the policy and another policy are not mutually exclusive when their source addresses are in a subset or intersecting relationship and/or their destination addresses are in a subset or intersecting relationship.
In this embodiment, when the source addresses and/or the destination addresses of two firewall policies are in a subset or intersecting relationship, the two policies are regarded as not mutually exclusive, because a packet covered by both is matched by whichever comes first: a packet originally matched by policy A would, after the move, be matched by policy B, which changes the access rule actually enforced and is not permitted. In Table 1, for example, policy 11 allows 10.10.101.* to 10.10.100.*, which contains the host pair that policy 4 denies; moving policy 11 ahead of policy 4 would let the denied traffic through. Mutual exclusivity must therefore be checked before any move.
In any of the above embodiments, preferably, each policy in the first list, the second list and the third list includes: a rank number, a policy number, a source address, a destination address, and any one or a combination of: source port, destination port, action; each policy in the second list and the third list also includes its hit count.
In another aspect, an embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of the firewall policy optimization method of any of the foregoing embodiments, and therefore has all the technical effects of that method, which are not repeated here.
In the description herein, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance unless explicitly stated or limited otherwise; the terms "connected," "mounted," "secured," and the like are to be construed broadly and include, for example, fixed connections, removable connections, or integral connections; may be directly connected or indirectly connected through an intermediate. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
In the description herein, the description of the terms "one embodiment," "some embodiments," "specific embodiments," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (9)
1. A firewall policy optimization method, characterized by comprising the following steps:
acquiring all policies of a firewall and generating a first list;
obtaining the hit count of each policy and generating a second list sorted by hit count in descending order;
taking the policies out of the second list one by one, and judging whether the rank number of each policy in the second list is smaller than its rank number in the first list;
optimizing the rank of the policy in the first list based on a determination that its rank number in the second list is smaller than its rank number in the first list;
wherein the step of optimizing the rank of the policy in the first list comprises:
in the first list, judging whether the policy is mutually exclusive with the other policies it crosses when moved from its current position to its position in the second list;
based on a judgment that the policy is mutually exclusive with the other policies, taking the rank number of the policy in the second list as its optimized rank number;
otherwise, determining the first of the other policies that is not mutually exclusive with the policy, and determining the optimized rank number according to the rank number of that non-mutually-exclusive policy;
and generating a third list according to the optimized rank number of each policy, so that the firewall performs policy matching on data packets according to the ranking order in the third list.
2. The firewall policy optimization method according to claim 1, wherein the step of determining the optimized rank number according to the rank number of the non-mutually-exclusive policy comprises:
adding 1 to the rank number of the non-mutually-exclusive policy and using the result as the optimized rank number.
3. The firewall policy optimization method according to claim 1, wherein the step of judging whether the policy is mutually exclusive with the other policies it crosses when moved from its current position to its position in the second list comprises:
judging that the policy and another policy are not mutually exclusive when the source address of the policy and the source address of the other policy are in a subset or intersecting relationship, and/or when the destination address of the policy and the destination address of the other policy are in a subset or intersecting relationship.
4. The firewall policy optimization method according to any one of claims 1 to 3, wherein
each policy in the first list, the second list and the third list includes: the rank number, a policy number, a source address, a destination address, and any one or a combination of: source port, destination port, action;
each policy in the second list and the third list also includes the hit count.
5. A firewall policy optimization system, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor when executing the computer program implementing:
acquiring all policies of a firewall and generating a first list;
obtaining the hit count of each policy and generating a second list sorted by hit count in descending order;
taking the policies out of the second list one by one, and judging whether the rank number of each policy in the second list is smaller than its rank number in the first list;
optimizing the rank of the policy in the first list based on a determination that its rank number in the second list is smaller than its rank number in the first list;
wherein the processor, when executing the computer program, specifically implements the step of optimizing the rank of the policy in the first list, comprising:
in the first list, judging whether the policy is mutually exclusive with the other policies it crosses when moved from its current position to its position in the second list;
based on a judgment that the policy is mutually exclusive with the other policies, taking the rank number of the policy in the second list as its optimized rank number;
otherwise, determining the first of the other policies that is not mutually exclusive with the policy, and determining the optimized rank number according to the rank number of that non-mutually-exclusive policy;
and generating a third list according to the optimized rank number of each policy, so that the firewall performs policy matching on data packets according to the ranking order in the third list.
6. The firewall policy optimization system according to claim 5, wherein the step of determining the optimized rank number according to the rank number of the non-mutually-exclusive policy, as implemented by the processor when executing the computer program, specifically comprises:
adding 1 to the rank number of the non-mutually-exclusive policy and using the result as the optimized rank number.
7. The firewall policy optimization system according to claim 5, wherein the processor, when executing the computer program, specifically implements the step of judging whether the policy is mutually exclusive with the other policies it crosses when moved from its current position to its position in the second list, comprising:
judging that the policy and another policy are not mutually exclusive when the source address of the policy and the source address of the other policy are in a subset or intersecting relationship, and/or when the destination address of the policy and the destination address of the other policy are in a subset or intersecting relationship.
8. The firewall policy optimization system according to any one of claims 5 to 7, wherein
each policy in the first list, the second list and the third list includes: the rank number, a policy number, a source address, a destination address, and any one or a combination of: source port, destination port, action;
each policy in the second list and the third list also includes the hit count.
9. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of the firewall policy optimization method according to any one of claims 1 to 4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910307041.8A CN110138742B (en) | 2019-04-17 | 2019-04-17 | Firewall policy optimization method, system and computer readable storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110138742A CN110138742A (en) | 2019-08-16 |
CN110138742B true CN110138742B (en) | 2022-05-31 |
Family
ID=67569991
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910307041.8A Expired - Fee Related CN110138742B (en) | 2019-04-17 | 2019-04-17 | Firewall policy optimization method, system and computer readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110138742B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111935186B (en) * | 2020-10-09 | 2020-12-25 | 四川新网银行股份有限公司 | Optimization method of network security policy |
CN113411336B (en) * | 2021-06-21 | 2022-08-26 | 深圳天元云科技有限公司 | Firewall strategy position optimization method, system, terminal and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104270384A (en) * | 2014-10-20 | 2015-01-07 | 山石网科通信技术有限公司 | Fire wall policy redundancy detection method and device |
CN105721188A (en) * | 2014-12-04 | 2016-06-29 | 北京神州泰岳信息安全技术有限公司 | Firewall strategy check method and system |
US9553845B1 (en) * | 2013-09-30 | 2017-01-24 | F5 Networks, Inc. | Methods for validating and testing firewalls and devices thereof |
CN108418801A (en) * | 2018-02-01 | 2018-08-17 | 杭州安恒信息技术股份有限公司 | A kind of firewall policy optimization method and system based on big data analysis |
CN108462717A (en) * | 2018-03-21 | 2018-08-28 | 北京理工大学 | The firewall rule sets under discrimination optimization method of rule-based match hit rate and distribution variance |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2782311A1 (en) * | 2013-03-18 | 2014-09-24 | British Telecommunications public limited company | Methods of testing a firewall, and apparatus therefor |
US9894100B2 (en) * | 2014-12-30 | 2018-02-13 | Fortinet, Inc. | Dynamically optimized security policy management |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | GR01 | Patent grant | |
 | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20220531 |