
CN112804221A - Firewall rule processing method and device, network equipment and readable storage medium - Google Patents


Info

Publication number
CN112804221A
Authority
CN
China
Prior art keywords
rule
interval
target
rules
updating
Legal status
Granted
Application number
CN202011643312.6A
Other languages
Chinese (zh)
Other versions
CN112804221B (en)
Inventor
王亚森
汪洋
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Events
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Priority to CN202011643312.6A
Publication of CN112804221A
Application granted
Publication of CN112804221B
Legal status: Active
Anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a firewall rule processing method, a firewall rule processing device, network equipment and a readable storage medium. The method comprises the following steps: when an instruction for updating the rule is received, acquiring a first rule for updating; determining a target rule set corresponding to a target area from a policy library according to the target area where the first rule is located, wherein the policy library comprises a plurality of groups of rule sets, and the areas of the same group of rule sets are the same; and updating the rules in the target rule set according to the first rule to obtain an updated target rule set. In the scheme, when the first rule needs to be added into the policy base, the rule set of the target area where the first rule is located is directly used for carrying out matching detection on the first rule so as to realize rule updating. Therefore, other rules except the target rule set do not need to be detected, so that the calculation amount is favorably reduced, and the efficiency of rule matching and rule updating is improved.

Description

Firewall rule processing method and device, network equipment and readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a firewall rule processing method, an apparatus, a network device, and a readable storage medium.
Background
In a firewall of a network device, an access control policy is generally configured to perform security detection on the various types of network data the device receives. Because the variety of received data is large, the number of rules in the configured policy is also large. When a rule needs to be updated, the newly added rule must be matched against the historical rule set so that the new rule can be fused into it. At present, because a firewall access control policy is matched from top to bottom, in order of priority from high to low, matching a new rule may require detecting and matching it against every rule in all rule sets, so matching and rule updating are inefficient.
Disclosure of Invention
An object of the embodiments of the present application is to provide a firewall rule processing method, an apparatus, a network device, and a readable storage medium, which can improve the efficiency of rule matching and rule updating when rule updating is needed.
In order to achieve the above object, embodiments of the present application are implemented as follows:
in a first aspect, an embodiment of the present application provides a firewall rule processing method, where the method includes:
when an instruction for updating the rule is received, acquiring a first rule for updating;
determining a target rule set corresponding to the target area from a policy base according to the target area where the first rule is located, wherein the policy base comprises a plurality of groups of rule sets, and the areas corresponding to the same group of rule sets are the same;
and updating the rules in the target rule set according to the first rule to obtain an updated target rule set.
In the foregoing embodiment, when the first rule needs to be added to the policy base, the rule set of the target area where the first rule is located is directly used to perform matching detection on the first rule, so as to implement rule updating. Therefore, other rules except the target rule set do not need to be detected, so that the calculation amount is favorably reduced, and the efficiency of rule matching and rule updating is improved.
With reference to the first aspect, in some optional embodiments, updating rules in the target rule set according to the first rule to obtain an updated target rule set includes:
judging whether the first rule conflicts with the rules in the target rule set or not;
when a conflict exists, adding the first rule in the target rule set, and deleting a second rule in the target rule set, which conflicts with the first rule; or, deleting the first rule; or, performing fusion operation on the first rule and the second rule to obtain the updated target rule set;
and when no conflict exists, adding the first rule into the target rule set to obtain the updated target rule set.
In the above embodiment, by detecting whether the first rule conflicts with the rule in the target rule set, and then performing targeted rule updating according to the detection result of whether the conflict exists, the rule can be updated and optimized quickly.
With reference to the first aspect, in some optional embodiments, when there is a conflict, performing a fusion operation on the first rule and the second rule to obtain the updated target rule set, includes:
converting an identification name corresponding to the first rule into a first interval and converting an identification name corresponding to the second rule into a second interval based on a corresponding relation between the identification name and the interval, wherein the identification name comprises a port name or an address name corresponding to the rule;
and when the actions corresponding to the first rule and the second rule conflict, the first interval is an interval needing to be deleted, and an intersection exists with a second interval of the second rule, deleting an interval overlapped with the first interval from the second interval to obtain the updated target rule set.
With reference to the first aspect, in some optional embodiments, when there is no conflict, adding the first rule to the target rule set to obtain the updated target rule set, including:
converting an identification name corresponding to the first rule into a first interval and converting an identification name corresponding to the second rule into a second interval based on a corresponding relation between the identification name and the interval, wherein the identification name comprises a port name or an address name corresponding to the rule;
when the actions corresponding to the first rule and the second rule are the same, the first interval is an interval which does not need to be deleted, and an intersection exists between the first interval and the second interval of the second rule, merging the first interval and the second interval to obtain the updated target rule set;
and when the first interval is an interval which does not need to be deleted and an intersection does not exist with the second interval of the second rule, adding the first rule to the target rule set to obtain the updated target rule set.
With reference to the first aspect, in some optional embodiments, before determining whether the first rule conflicts with a rule in the target rule set, the method further includes:
and filtering out, according to the state mark in each rule, the rules in the target rule set whose state mark is a first mark, wherein the state mark comprises a first mark indicating that the rule is invalid or a second mark indicating that the rule is in effect.
With reference to the first aspect, in some optional embodiments, before obtaining the first rule for updating, the method further includes:
acquiring all rules corresponding to the access control strategy of the firewall;
grouping all the rules to obtain a plurality of groups of rule sets, wherein the regions of the same group of rule sets are the same;
and for each group of rule sets, when the rule sets have rules with the same action, merging intervals of the rules with the same action, wherein the intervals are address areas or port ranges corresponding to the rules.
With reference to the first aspect, in some optional embodiments, the method further comprises:
and when a second rule in the target rule set conflicts with the first rule, sending out prompt information.
In a second aspect, an embodiment of the present application further provides a firewall rule processing apparatus, where the firewall rule processing apparatus includes:
an acquisition unit configured to acquire a first rule for update when an instruction for updating the rule is received;
the determining unit is used for determining a target rule set corresponding to the target area from a policy library according to the target area where the first rule is located, wherein the policy library comprises a plurality of groups of rule sets, and the areas corresponding to the same group of rule sets are the same;
and the updating unit is used for updating the rules in the target rule set according to the first rule to obtain an updated target rule set.
In a third aspect, an embodiment of the present application further provides a network device, where the network device includes a processor and a memory coupled to each other, and a computer program is stored in the memory, and when the computer program is executed by the processor, the network device is caused to perform the method described above.
In a fourth aspect, the present application further provides a computer-readable storage medium, in which a computer program is stored, and when the computer program runs on a computer, the computer is caused to execute the above method.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic structural diagram of a network device according to an embodiment of the present application.
Fig. 2 is a flowchart illustrating a firewall rule processing method according to an embodiment of the present application.
Fig. 3 is a schematic distribution diagram of a policy repository and a first rule provided in the embodiment of the present application.
Fig. 4 is a block diagram of a firewall rule processing apparatus according to an embodiment of the present application.
Icon: 10-a network device; 11-a processing module; 12-a storage module; 13-a communication module; 100-firewall rule processing means; 110-an obtaining unit; 120-a determination unit; 130-update unit.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. It should be noted that the terms "first," "second," and the like are used merely to distinguish one description from another, and are not intended to indicate or imply relative importance. The embodiments described below and the features of the embodiments can be combined with each other without conflict.
Referring to fig. 1, the present application provides a network device 10 storing a policy repository. Understandably, the network device 10 may act as a firewall, and the policy repository includes corresponding rules corresponding to access control policies of the firewall, which may be used to perform security checks on the network data.
For example, the rules in the policy repository can be used to detect whether there is a network threat such as attack behavior, phishing, malicious scanning, etc. to the network data. The rules in the policy base and the manner of using the rules to perform network data detection are well known to those skilled in the art.
The network device 10 in this embodiment may include a processing module 11 and a storage module 12. The memory module 12 stores therein a computer program which, when executed by said processing module 11, enables the network device 10 to perform the steps of the method described below.
Of course, the network device 10 may also include other hardware modules as well as software modules. For example, the network device 10 may further include a communication module 13, a software function module of the firewall rule processing apparatus 100 solidified in the storage module 12.
The processing module 11, the storage module 12, the communication module 13, and the firewall rule processing apparatus 100 are electrically connected directly or indirectly to each other to implement data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines.
Referring to fig. 2, an embodiment of the present application further provides a firewall rule processing method, which can be applied to the network device 10, and the network device 10 executes or implements the steps of the method. The method may comprise the steps of:
step S210, when receiving an instruction for updating the rule, acquiring a first rule for updating;
step S220, determining a target rule set corresponding to the target area from a policy library according to the target area where the first rule is located, wherein the policy library comprises a plurality of groups of rule sets, and the areas corresponding to the same group of rule sets are the same;
step S230, updating the rule in the target rule set according to the first rule, to obtain an updated target rule set.
In the foregoing embodiment, when the first rule needs to be added to the policy base, the rule set of the target area where the first rule is located is directly used to perform matching detection on the first rule, so as to implement rule updating. Therefore, other rules except the target rule set do not need to be detected, so that the calculation amount is favorably reduced, and the efficiency of rule matching and rule updating is improved.
The individual steps of the process are explained in detail below, as follows:
prior to step 210, the method may further comprise:
acquiring all rules corresponding to the access control strategy of the firewall;
grouping all the rules to obtain a plurality of groups of rule sets, wherein the regions of the same group of rule sets are the same;
and for each group of rule sets, when the rule sets have rules with the same action, merging intervals of the rules with the same action, wherein the intervals are address areas or port ranges corresponding to the rules.
Referring to fig. 3, the network device 10 generally has a plurality of interfaces, and different interfaces may be used to receive various types of network data sent by various external devices. The administrator may pre-divide the plurality of interfaces into different regions, each region may include at least one interface, e.g., each region includes only one interface. Each rule in the policy repository is typically associated with a respective interface for detecting network data of the respective interface. The rules of different interfaces can be the same or different, and can be set according to actual conditions. All rules corresponding to access control policies of firewalls are well known to those skilled in the art. The administrator can group all the rules into regions according to the corresponding interfaces of the rules, so as to obtain a plurality of sets of rules, wherein the regions of all the rules in the same set of rules are the same.
Illustratively, as shown in fig. 3, a policy base may include multiple sets of rule sets, such as rule set 1, …, rule set m, etc.; rule set 1 may include a plurality of rules, rule 1, …, rule i, etc.; the rule set m may include a plurality of rules such as rule 1, …, rule j, and the like, where m, i, and j are integers greater than 1, and may be determined according to actual situations.
One rule may include source address, source port, destination address, destination port, and action. The action refers to a data detection strategy corresponding to the rule, and can be set according to actual conditions. The format of the rules in the policy repository may be a uniform specified format, and may be set according to actual situations, for example, the rule may be in a JSON format, so as to perform centralized management on the rules. Generally speaking, the rules in different groups do not affect each other, and are independent, and the network data received by the area where the rule is located can be independently detected. If there are two rules that conflict with each other, they will usually occur in the same set of rules but not in both sets of rules.
After the multiple sets of rule sets are obtained through division, optimization can be performed on each rule of each set of rule sets. Understandably, each rule set usually includes a large number of rules, and in the large number of rules, there may be cases where there are repeated rules, there are conflicting rules, and there are containing relationships, etc. By optimizing each group of rule sets, the content of the rule sets can be simplified, and the subsequent rule detection and matching efficiency can be improved.
For each group of rule sets, the optimization process of the rules in the group may be as follows:
for example, if rules in the group have the same action, the intervals of those rules may be merged. The interval may be an address interval, a port range, or the like corresponding to the rule. Suppose the action of rule A is the same as that of rule B and only the address interval differs: rule A applies to addresses 1.1.1.1 to 2.2.2.2 and rule B applies to addresses 2.1.1.1 to 5.5.5.5. The address intervals of rule A and rule B then intersect (the intersection is 2.1.1.1 to 2.2.2.2), and the network device 10 may merge the two address intervals to obtain a merged rule whose address interval is 1.1.1.1 to 5.5.5.5 and whose action is that of rule A (equivalently, of rule B).
For another example, keeping the address intervals of rule A and rule B from the example above, assume that rule A and rule B have different actions that conflict. For example, the action of rule A is to execute detection policy S (detection policy S is an assumed action policy that may be determined according to the actual situation in a real application), and the action of rule B is not to execute, or to disable, detection policy S. Suppose rule A is kept unchanged as the effective rule and rule B is fused into a fused rule B'. The effective address interval of rule A is still 1.1.1.1 to 2.2.2.2 with the action of executing detection policy S, while the effective address interval of rule B' is 2.2.2.3 to 5.5.5.5 with the action of not executing detection policy S. That is, the address range that intersects rule A (the intersection 2.1.1.1 to 2.2.2.2) is removed from the address range of rule B.
In addition, for repeated rules, one rule may be kept directly and all the other repeated rules deleted. For rules in an inclusion relationship, the included rule can be deleted directly. For example, if the actions of rule A and rule B are the same and the two rules differ only in address interval, with rule A covering 1.1.1.1 to 2.2.2.2 and rule B covering 1.1.1.1 to 5.5.5.5, rule A can be deleted directly to simplify the rules in the policy repository.
It should be noted that the optimization of a rule's port range is similar to the optimization of its address interval described above. For example, when rules in the group have the same action and differ only in port range, the port ranges may be merged. Assuming rule A differs from rule B only in port range, with rule A covering ports 0 to 50 and rule B covering ports 30 to 150, the port range after rule A and rule B are combined is 0 to 150.
In step S210, the network device 10 may receive an instruction for updating a rule transmitted by another device, where the other device may be a management terminal, a server, or the like. For example, a developer may upload a newly set rule to the network device 10, which automatically triggers an instruction for updating the rule. Alternatively, the server automatically transmits an instruction for rule updating to the network device 10 when it detects that a new rule exists; the manner of transmitting the update instruction is not particularly limited.
When the network device 10 receives the update instruction, the rule for updating may be automatically acquired. Wherein the rule for updating is the first rule. The first rule may be one or more rules, and may be determined according to actual conditions. The manner of obtaining the first rule may be set according to actual conditions.
For example, the first rule has a corresponding identifier for identifying the rule as a rule for updating, and the identifiers of the other rules are different from the identifier of the first rule, so that the network device 10 can accurately obtain the first rule for updating through the identifiers in the rule.
For another example, the server may identify the first rule for updating when issuing the instruction, and after receiving the instruction, the network device 10 may send a download request for updating the rule to the server, and after receiving the download request, the server may automatically send the first rule for updating to the network device 10.
In step S220, a policy library stored in the network device 10 includes a plurality of sets of rules grouped in advance. Each group of rule sets comprises at least one rule, the rules of the same region are in the same group of rule sets, and the region of the target rule set is the same as the target region of the first rule. The area may be an interface through which the network device 10 receives data or a transmission channel for receiving data. For example, a region may be a single interface or a combination of multiple interfaces, and may be divided according to actual situations.
Each rule is usually associated with an interface or an area to which the rule applies, and the interface or the area associated with the rule is a target area of the rule. In addition, each set of rules may include an identification of the region to which it belongs.
During the determination of the target rule set of the first rule, it may be determined whether a rule set identical to the target region of the first rule exists in the policy repository according to the region identifier, and when the rule set identical to the target region of the first rule exists in the policy repository, the rule set identical to the target region may be determined as the target rule set of the first rule.
And if the same rule set as the target area of the first rule does not exist in the policy base, indicating that no rule of the target area is recorded in the policy base. At this time, the network device 10 may create a new rule set in the policy repository, and then add the first rule in the created new rule set, so that the policy repository rule can be updated. Wherein, the area of the new rule set is the area of the first rule.
In step S230, the network device 10 may perform matching detection between the rules in the target rule set and the first rule, and then perform rule fusion to obtain the updated target rule set.
In the process of matching the first rule with the target rule set, if any rule has the same action as the first rule, the rule with the same action as the first rule can be determined to be matched with the first rule; and if the source address and the source port of any rule are respectively the same as the source address and the source port of the first rule, determining that the rule is matched with the first rule. And then, rule fusion is carried out aiming at the matched rules so as to simplify the rules and realize the rule optimization of the strategy library.
As an alternative implementation, step S230 may include:
judging whether the first rule conflicts with the rules in the target rule set or not;
when a conflict exists, adding the first rule in the target rule set, and deleting a second rule in the target rule set, which conflicts with the first rule; or, deleting the first rule; or, performing fusion operation on the first rule and the second rule to obtain the updated target rule set;
and when no conflict exists, adding the first rule into the target rule set to obtain the updated target rule set.
Understandably, the manner of determining whether the first rule conflicts with the rule in the target rule set may be set according to actual conditions. For example, the first rule and the second rule in the target rule set intersect each other in the address range and the port range, and the actions conflict, and at this time, the first rule and the second rule are confirmed to conflict. For example, the address intervals and the port ranges of the first rule and the second rule are the same, the action of the first rule is to execute the detection policy S, and the action of the second rule is to disable the detection policy S.
When rules conflict, the conflicting rules can be fused according to the actual situation. For example, for the part of the address interval (or port range) where an intersection exists, either the newly added first rule may be modified by deleting the intersecting part of the address interval from the first rule, giving a modified first rule while the second rule is retained unchanged; or the second rule may be modified by deleting the intersecting part of its address interval, giving a modified second rule while the first rule is left unchanged. When the first rule and the second rule conflict, the rule fusion process may follow the process described above for conflicting rules within the policy repository, which is not repeated here.
In detecting whether the first rule and the rule in the target rule set conflict, matching may be performed in order from high to low based on the priority of the rule.
As an alternative embodiment, when the first rule conflicts with a rule in the target rule set, step S230 may include:
converting an identification name corresponding to the first rule into a first interval and converting an identification name corresponding to the second rule into a second interval based on a corresponding relation between the identification name and the interval, wherein the identification name comprises a port name or an address name corresponding to the rule;
when the actions corresponding to the first rule and the second rule conflict, the first interval is an interval needing to be deleted, and an intersection exists between the first interval and a second interval of the second rule, deleting an interval overlapped with the first interval from the second interval, and obtaining the updated target rule set;
and when the actions corresponding to the first rule and the second rule conflict, the second interval of the second rule is an interval needing to be deleted, and the first interval and the second interval of the first rule have intersection, adding the first rule, and deleting the interval overlapped with the first interval in the second interval of the second rule to obtain the updated target rule set.
In this embodiment, the address in a rule is usually an address name that maps to an actual address, and the port in a rule is a port name that maps to an actual port number. To judge whether the address intervals of two rules intersect, the address names in the rules must first be converted into actual address intervals. For example, if the address object of a rule is named "src_demo" and the corresponding real address is "1.1.1.1", then identifying the rule's address interval requires address recovery, that is, converting "src_demo" into the real address "1.1.1.1" based on the correspondence between address names and real addresses. An address interval may be a single address or several addresses, and is not limited here.
After the actual address is obtained, it can be converted into a numerical value, and once addresses are numerical an address range becomes an address interval. For example, IP addresses are either IPv4 or IPv6, and either kind can be converted into a unique long integer. An IPv4 address is 32 bits of binary data divided into four 8-bit groups, each representing a value less than 2^8; written in decimal as a.b.c.d, where a, b, c and d are decimal numbers between 0 and 255, the address is converted by computing a × 256 × 256 × 256 + b × 256 × 256 + c × 256 + d, which yields a unique long integer that may be denoted x.
Similarly, when identifying the port interval, the port name in the rule may be converted into an actual port number based on a mapping relationship between the port name and the actual port number, where the port number is usually a specific numerical value, and a range of the port number is the port interval.
When the added first rule conflicts with the rule in the target rule set, the conflict can be solved in the manner described above, and thus, the optimization of the policy base rule can be realized.
As an alternative embodiment, when the first rule does not conflict with the rule in the target rule set, step S230 may include:
converting an identification name corresponding to the first rule into a first interval and converting an identification name corresponding to the second rule into a second interval based on a corresponding relation between the identification name and the interval, wherein the identification name comprises a port name or an address name corresponding to the rule;
when the actions corresponding to the first rule and the second rule are the same, the first interval is an interval which does not need to be deleted, and an intersection exists between the first interval and the second interval of the second rule, merging the first interval and the second interval to obtain the updated target rule set;
and when the first interval is an interval which does not need to be deleted and an intersection does not exist with the second interval of the second rule, adding the first rule to the target rule set to obtain the updated target rule set.
Understandably, if the actions of the first rule and the second rule do not conflict, the two rules do not conflict, and the address intervals and port intervals of the first rule and the second rule can be merged to simplify the rules and avoid redundant intervals.
Alternatively, the actions of the first rule and the second rule may conflict while their address intervals do not intersect or their port intervals do not intersect. Two rules can only conflict if they overlap in both address and port, so in this case the first rule and the second rule do not conflict, and the first rule can be added directly to the target rule set.
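The following Python is an added example and not the patent's code: it resolves address and port object names to integer intervals, selects the rule set of the new rule's area pair, and applies the fusion case (the overlap is deleted from the conflicting existing rule and the new rule is added) and the merge case described above. The object tables, rule names and field layout are constructed assumptions. It goes beyond the text in two respects, both of which matter for a permit rule: the conflicting rule is carved in the combined address × port space rather than along a single axis, and same-action rules are merged only when their union is exactly one address × port product, since merging (A1 × P1) and (A2 × P2) into (A1 ∪ A2) × (P1 ∪ P2) would permit traffic neither rule covered.

```python
"""Interval-based rule update: object-name resolution, conflict detection,
fusion (carving the overlap out of the conflicting rule) and exact merging."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

Interval = Tuple[int, int]      # inclusive [lo, hi]
V4_OFFSET = 0xFFFF << 32        # IPv4 is placed at ::ffff:a.b.c.d inside the IPv6 space

# Constructed object tables (assumed), standing in for the firewall's address and port objects.
ADDRESS_OBJECTS = {"src_demo": ["1.1.1.1"], "lan": ["10.0.0.0/24"],
                   "lan_low": ["10.0.0.0/25"], "dmz_v6": ["2001:db8::/112"]}
PORT_OBJECTS = {"web": ["80", "443"], "any": ["0-65535"], "high": ["1024-65535"]}


def ipv4_to_int(dotted: str) -> int:
    """a.b.c.d -> a*256^3 + b*256^2 + c*256 + d, the conversion described in the text."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    if not all(0 <= x <= 255 for x in (a, b, c, d)):
        raise ValueError(dotted)
    return a * 256 ** 3 + b * 256 ** 2 + c * 256 + d


def merge(iv: List[Interval]) -> List[Interval]:
    """Sort and coalesce overlapping or adjacent intervals."""
    out: List[Interval] = []
    for lo, hi in sorted(iv):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out


def intersect(a: List[Interval], b: List[Interval]) -> List[Interval]:
    return merge([(max(x[0], y[0]), min(x[1], y[1]))
                  for x in a for y in b if max(x[0], y[0]) <= min(x[1], y[1])])


def subtract(keep: List[Interval], cut: List[Interval]) -> List[Interval]:
    """Remove every part of `keep` that overlaps `cut`."""
    for clo, chi in cut:
        nxt: List[Interval] = []
        for lo, hi in keep:
            if chi < lo or clo > hi:
                nxt.append((lo, hi))
                continue
            if clo > lo:
                nxt.append((lo, clo - 1))
            if chi < hi:
                nxt.append((chi + 1, hi))
        keep = nxt
    return merge(keep)


def addr_to_intervals(name: str) -> List[Interval]:
    """Resolve an address object name to integer intervals in one 128-bit space, so an
    IPv4 interval can never appear to intersect an IPv6 one."""
    out = []
    for spec in ADDRESS_OBJECTS[name]:
        net = ipaddress.ip_network(spec, strict=False)
        lo, hi = int(net.network_address), int(net.broadcast_address)
        out.append((lo + V4_OFFSET, hi + V4_OFFSET) if net.version == 4 else (lo, hi))
    return merge(out)


def port_to_intervals(name: str) -> List[Interval]:
    out = []
    for spec in PORT_OBJECTS[name]:
        lo, _, hi = spec.partition("-")
        out.append((int(lo), int(hi or lo)))
    return merge(out)


@dataclass
class Rule:
    name: str
    zone: Tuple[str, str]       # (source area, destination area): the grouping key
    src: str                    # address object name
    dport: str                  # port object name
    action: str                 # "permit" or "deny"
    addrs: List[Interval] = field(default_factory=list)
    ports: List[Interval] = field(default_factory=list)

    def resolve(self) -> "Rule":
        self.addrs, self.ports = addr_to_intervals(self.src), port_to_intervals(self.dport)
        return self


def overlaps(a: Rule, b: Rule) -> bool:
    return bool(intersect(a.addrs, b.addrs)) and bool(intersect(a.ports, b.ports))


def carve(second: Rule, first: Rule) -> List[Rule]:
    """The part of `second` outside `first` in (address x port) space, as up to two rules.
    Cutting only the address axis would also drop second's traffic on ports first never covered."""
    pieces = []
    rest_addr = subtract(second.addrs, first.addrs)
    if rest_addr:
        pieces.append(Rule(second.name + "_a", second.zone, second.src, second.dport,
                           second.action, rest_addr, second.ports))
    rest_port, both_addr = subtract(second.ports, first.ports), intersect(second.addrs, first.addrs)
    if rest_port and both_addr:
        pieces.append(Rule(second.name + "_p", second.zone, second.src, second.dport,
                           second.action, both_addr, rest_port))
    return pieces


def target_rule_set(policy: List[Rule], first: Rule) -> List[Rule]:
    """Only rules of the same area pair can match the same traffic as `first`."""
    return [r for r in policy if r.zone == first.zone]


def update_rule_set(rule_set: List[Rule], first: Rule) -> List[Rule]:
    """Conflict (different action, overlapping space): carve the overlap out of the existing
    rule so the new rule wins there. Same action: merge only along one shared axis, because
    merging (A1 x P1) and (A2 x P2) into (A1+A2) x (P1+P2) would widen a permit."""
    first.resolve()
    new, axis = [], None
    for second in rule_set:
        second.resolve()
        if not overlaps(second, first):
            new.append(second)
        elif second.action != first.action:
            new.extend(carve(second, first))
        elif second.ports == first.ports and axis in (None, "addr"):
            axis, first.addrs = "addr", merge(first.addrs + second.addrs)
        elif second.addrs == first.addrs and axis in (None, "port"):
            axis, first.ports = "port", merge(first.ports + second.ports)
        else:
            new.append(second)          # union is not a single product: keep both rules
    new.append(first)
    return new
```

With a constructed policy of permit lan→web and deny lan→high in the area pair (trust, untrust), adding deny lan_low→any carves lan_low out of the permit rule (leaving 10.0.0.128 to 10.0.0.255 on ports 80 and 443) and leaves the same-action deny rule alone, because its address and port sets differ from the new rule on both axes.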
In addition, the network device 10 may also check, for any rule in the policy repository (including the first rule), whether a long connection is opened and whether logging is disabled, in order to judge whether the current access control policy is healthy; this check is familiar to those skilled in the art. A long connection may be labelled permanent: yes | no; permanent: yes indicates that a long connection is opened, and permanent: no that it is closed. A rule labelled log on has logging enabled; a rule labelled log off has logging disabled.
As an optional implementation manner, before determining whether the first rule conflicts with a rule in the target rule set, the method further includes:
and filtering out the rule in which the state mark in the target rule set is a first mark according to the state mark in the rule, wherein the state mark comprises the first mark representing rule failure or a second mark representing rule effectiveness.
In this embodiment, the rules in the policy repository may include valid or invalid states. The rule in the failure state is not used for detecting the network data, and does not need to be detected and matched with the first rule. The rule in the valid state may be used to detect the network data, and needs to be detected and matched with the first rule to determine whether there is a conflict between the first rule and the valid rule.
Understandably, some rules may be time sensitive. For example, part of the rules are valid for a specified period of time and invalid after the specified period of time, or part of the rules are disabled, and the timeliness can be set according to actual conditions. In addition, the specified period may be set according to actual conditions. A disabled or expired rule is a failed rule. When the rule conflict is detected, the failed rule does not need to be detected and matched, so that the number of the detected rules can be reduced, and the detection efficiency is improved.
The status flags may be set according to actual conditions; for example, the first flag (rule failure) may be "disable" and the second flag (rule in effect) may be "enable". Using the status flag, failed rules can be filtered out of the target rule set quickly, reducing the number of rules subjected to matching detection.
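As an added example, not the patent's code, the Python below filters failed rules out of a rule set before conflict detection and produces the health findings mentioned above (disabled, expired, long connection opened, logging disabled). The rule records, the ISO validity-window fields and the fixed clock are constructed assumptions; the flag vocabulary (enable/disable, permanent: yes|no, log on/off) is the one used in the text.

```python
"""State-flag filtering and policy health findings (added example, not the patent's code)."""
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Fixed clock (assumed) so that the results are reproducible.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)

# Constructed rules: state enable/disable, optional validity window,
# permanent: yes|no (long connection) and log on/off.
RULES: List[Dict[str, Optional[str]]] = [
    {"name": "r1", "state": "enable", "valid_from": None, "valid_to": None,
     "permanent": "no", "log": "on"},
    {"name": "r2", "state": "disable", "valid_from": None, "valid_to": None,
     "permanent": "no", "log": "on"},
    {"name": "r3", "state": "enable", "valid_from": None,
     "valid_to": "2021-01-01T00:00:00+00:00", "permanent": "yes", "log": "off"},
    {"name": "r4", "state": "enable", "valid_from": "2021-05-01T00:00:00+00:00",
     "valid_to": "2021-12-31T23:59:59+00:00", "permanent": "yes", "log": "on"},
]


def at(iso: str) -> datetime:
    """Parse an ISO 8601 timestamp with offset into an aware datetime."""
    return datetime.fromisoformat(iso)


def is_effective(rule: Dict[str, Optional[str]], now: datetime = NOW) -> bool:
    """A rule takes part in conflict detection only if enabled and inside its validity window."""
    if rule["state"] != "enable":
        return False
    start, end = rule.get("valid_from"), rule.get("valid_to")
    if start and now < at(start):
        return False
    if end and now > at(end):
        return False
    return True


def effective_rules(rules: List[Dict[str, Optional[str]]], now: datetime = NOW) -> List[str]:
    """Names of the rules left after filtering out failed (disabled or expired) ones."""
    return [r["name"] for r in rules if is_effective(r, now)]


def health_findings(rules: List[Dict[str, Optional[str]]], now: datetime = NOW) -> Dict[str, List[str]]:
    """Per-rule findings of the policy health check described in the text."""
    out: Dict[str, List[str]] = {}
    for r in rules:
        found: List[str] = []
        if r["state"] == "disable":
            found.append("disabled")
        elif r.get("valid_to") and now > at(r["valid_to"]):
            found.append("expired")
        elif not is_effective(r, now):
            found.append("not-yet-valid")
        if r.get("permanent") == "yes":
            found.append("long-connection")
        if r.get("log") == "off":
            found.append("log-disabled")
        if found:
            out[r["name"]] = found
    return out
```

Filtering happens before any interval conversion, so the disabled rule r2 and the expired rule r3 never enter the matching step; the findings for r3 (expired, long connection, logging off) are the kind of state an operator is expected to clean up.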
As an optional implementation, the method may further include: and when a second rule in the target rule set conflicts with the first rule, sending out prompt information.
Understandably, when the first rule conflicts with a second rule in the target rule set, prompt information is sent so that an administrator can resolve the conflicting rules in time according to the prompt. For example, the administrator may keep the first rule and delete the second rule, updating the rules of the policy repository; or keep the second rule and discard the first rule, in which case the rules of the policy repository need not be updated.
Based on this design, irrelevant access control policies and rules are excluded through the concept of grouping by area, which reduces the number of matches. The health state of the current access control policy is judged with detection means such as rule redundancy (for example, intervals of the rules intersect, are identical, or partially contain one another), rule conflict, rule failure, rule merging, the presence of long connections, rule expiry, rule disabling and log disabling, so that operation and maintenance staff can maintain the policy repository in time. Retrieval compatible with both IPv4 and IPv6 addresses is achieved, and the direct rule matching approach of judging with a large number of if statements is avoided, which further improves detection efficiency.
Referring to fig. 4, an embodiment of the present invention further provides a firewall rule processing apparatus 100, which can be applied to the network device 10 for executing the steps of the method. The firewall rule processing apparatus 100 includes at least one software function module which may be stored in the storage module 12 in the form of software or Firmware (Firmware) or solidified in an Operating System (OS) of the network device 10. The processing module 11 is used for executing executable modules stored in the storage module 12, such as software functional modules and computer programs included in the firewall rule processing apparatus 100.
The firewall rule processing apparatus 100 may include an obtaining unit 110, a determining unit 120, and an updating unit 130, and may perform the following operations:
an acquisition unit 110 configured to acquire a first rule for updating when an instruction for updating a rule is received;
a determining unit 120, configured to determine, according to a target area where the first rule is located, a target rule set corresponding to the target area from a policy library, where the policy library includes multiple sets of rule sets, and areas corresponding to the same set of rule sets are the same;
an updating unit 130, configured to update a rule in the target rule set according to the first rule, so as to obtain an updated target rule set.
As an optional implementation, the updating unit 130 may further be configured to:
judging whether the first rule conflicts with the rules in the target rule set or not;
when a conflict exists, adding the first rule in the target rule set, and deleting a second rule in the target rule set, which conflicts with the first rule; or, deleting the first rule; or, performing fusion operation on the first rule and the second rule to obtain the updated target rule set;
and when no conflict exists, adding the first rule into the target rule set to obtain the updated target rule set.
As an optional implementation, when the first rule conflicts with a rule in the target rule set, the updating unit 130 may further be configured to:
converting an identification name corresponding to the first rule into a first interval and converting an identification name corresponding to the second rule into a second interval based on a corresponding relation between the identification name and the interval, wherein the identification name comprises a port name or an address name corresponding to the rule;
and when the actions corresponding to the first rule and the second rule conflict, the first interval is an interval needing to be deleted, and an intersection exists with a second interval of the second rule, deleting an interval overlapped with the first interval from the second interval to obtain the updated target rule set.
As an optional implementation manner, when the first rule does not conflict with the rule in the target rule set, the updating unit 130 may further be configured to:
converting an identification name corresponding to the first rule into a first interval and converting an identification name corresponding to the second rule into a second interval based on a corresponding relation between the identification name and the interval, wherein the identification name comprises a port name or an address name corresponding to the rule;
when the actions corresponding to the first rule and the second rule are the same, the first interval is an interval which does not need to be deleted, and an intersection exists between the first interval and the second interval of the second rule, merging the first interval and the second interval to obtain the updated target rule set;
and when the first interval is an interval which does not need to be deleted and an intersection does not exist with the second interval of the second rule, adding the first rule to the target rule set to obtain the updated target rule set.
As an optional implementation manner, the firewall rule processing apparatus 100 may further include a screening unit, and before the updating unit 130 determines whether the first rule conflicts with a rule in the target rule set, the screening unit may be configured to:
and filtering out the rule in which the state mark in the target rule set is a first mark according to the state mark in the rule, wherein the state mark comprises the first mark representing rule failure or a second mark representing rule effectiveness.
As an optional implementation manner, the firewall rule processing apparatus 100 may further include a grouping unit and a rule optimization unit, before the obtaining unit 110 performs step 210, the obtaining unit 110 may be configured to obtain all rules corresponding to the access control policy of the firewall; the grouping unit may be configured to group all the rules to obtain a plurality of sets of rules, where regions of the same set of rules are the same; the rule optimization unit is used for: and for each group of rule sets, when the rule sets have rules with the same action, merging intervals of the rules with the same action, wherein the intervals are address areas or port ranges corresponding to the rules.
As an optional implementation manner, the firewall rule processing apparatus 100 may further include a prompting unit, configured to send a prompting message when there is a conflict between the first rule and the second rule in the target rule set.
In this embodiment, the processing module 11 may be an integrated circuit chip having signal processing capability. The processing module 11 may be a general-purpose processor. For example, the processor may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic device, or discrete hardware component, and may implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present Application.
The storage module 12 may be, but is not limited to, a random access memory, a read only memory, a programmable read only memory, an erasable programmable read only memory, an electrically erasable programmable read only memory, and the like. In this embodiment, the storage module 12 may be used to store the various rules in the policy repository. Of course, the storage module 12 may also be used to store a program, which the processing module 11 executes after receiving the execution instruction.
The communication module 13 is used for establishing communication connection between the network device 10 and other devices through a network, and transceiving data through the network.
It is understood that the configuration shown in fig. 1 is merely a schematic diagram of the configuration of the network device 10, and that the network device 10 may include more components than those shown in fig. 1. The components shown in fig. 1 may be implemented in hardware, software, or a combination thereof.
It should be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the network device 10 and the firewall rule processing apparatus 100 described above may refer to the corresponding processes of the steps in the foregoing method, and are not described in detail herein.
The embodiment of the application also provides a computer readable storage medium. The computer-readable storage medium has stored therein a computer program which, when run on a computer, causes the computer to execute the firewall rule processing method as described in the above embodiments.
From the above description of the embodiments, it is clear to those skilled in the art that the present application can be implemented by hardware, or by software plus a necessary general hardware platform, and based on such understanding, the technical solution of the present application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions to enable a computer device (which can be a personal computer, a server, or a network device, etc.) to execute the method described in the embodiments of the present application.
In summary, the present application provides a firewall rule processing method, a firewall rule processing apparatus, a network device, and a readable storage medium. The method comprises the following steps: when an instruction for updating the rule is received, acquiring a first rule for updating; determining a target rule set corresponding to a target area from a policy library according to the target area where the first rule is located, wherein the policy library comprises a plurality of groups of rule sets, and the areas of the same group of rule sets are the same; and updating the rules in the target rule set according to the first rule to obtain an updated target rule set. In the scheme, when the first rule needs to be added into the policy base, the rule set of the target area where the first rule is located is directly used for carrying out matching detection on the first rule so as to realize rule updating. Therefore, other rules except the target rule set do not need to be detected, so that the calculation amount is favorably reduced, and the efficiency of rule matching and rule updating is improved.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus, system, and method may be implemented in other ways. The apparatus, system, and method embodiments described above are illustrative only, as the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A method for processing firewall rules, the method comprising:
when an instruction for updating the rule is received, acquiring a first rule for updating;
determining a target rule set corresponding to the target area from a policy base according to the target area where the first rule is located, wherein the policy base comprises a plurality of groups of rule sets, and the areas corresponding to the same group of rule sets are the same;
and updating the rules in the target rule set according to the first rule to obtain an updated target rule set.
2. The method of claim 1, wherein updating the rules in the target rule set according to the first rule to obtain an updated target rule set comprises:
judging whether the first rule conflicts with the rules in the target rule set or not;
when a conflict exists, adding the first rule in the target rule set, and deleting a second rule in the target rule set, which conflicts with the first rule; or, deleting the first rule; or, performing fusion operation on the first rule and the second rule to obtain the updated target rule set;
and when no conflict exists, adding the first rule into the target rule set to obtain the updated target rule set.
3. The method of claim 2, wherein performing a fusion operation on the first rule and the second rule to obtain the updated target rule set when there is a conflict comprises:
converting an identification name corresponding to the first rule into a first interval and converting an identification name corresponding to the second rule into a second interval based on a corresponding relation between the identification name and the interval, wherein the identification name comprises a port name or an address name corresponding to the rule;
and when the actions corresponding to the first rule and the second rule conflict, the first interval is an interval needing to be deleted, and an intersection exists with a second interval of the second rule, deleting an interval overlapped with the first interval from the second interval to obtain the updated target rule set.
4. The method of claim 2, wherein adding the first rule to the target rule set when there is no conflict, resulting in the updated target rule set, comprises:
converting an identification name corresponding to the first rule into a first interval and converting an identification name corresponding to the second rule into a second interval based on a corresponding relation between the identification name and the interval, wherein the identification name comprises a port name or an address name corresponding to the rule;
when the actions corresponding to the first rule and the second rule are the same, the first interval is an interval which does not need to be deleted, and an intersection exists between the first interval and the second interval of the second rule, merging the first interval and the second interval to obtain the updated target rule set;
and when the first interval is an interval which does not need to be deleted and an intersection does not exist with the second interval of the second rule, adding the first rule to the target rule set to obtain the updated target rule set.
5. The method of claim 2, wherein prior to determining whether the first rule conflicts with a rule in the target rule set, the method further comprises:
and filtering out the rule in which the state mark in the target rule set is a first mark according to the state mark in the rule, wherein the state mark comprises the first mark representing rule failure or a second mark representing rule effectiveness.
6. The method of claim 1, wherein prior to obtaining the first rule for updating, the method further comprises:
acquiring all rules corresponding to the access control strategy of the firewall;
grouping all the rules to obtain a plurality of groups of rule sets, wherein the regions of the same group of rule sets are the same;
and for each group of rule sets, when the rule sets have rules with the same action, merging intervals of the rules with the same action, wherein the intervals are address areas or port ranges corresponding to the rules.
7. The method of claim 1, further comprising:
and when a second rule in the target rule set conflicts with the first rule, sending out prompt information.
8. A firewall rule processing apparatus, characterized in that the apparatus comprises:
an acquisition unit configured to acquire a first rule for update when an instruction for updating the rule is received;
the determining unit is used for determining a target rule set corresponding to the target area from a policy library according to the target area where the first rule is located, wherein the policy library comprises a plurality of groups of rule sets, and the areas corresponding to the same group of rule sets are the same;
and the updating unit is used for updating the rules in the target rule set according to the first rule to obtain an updated target rule set.
9. A network device, characterized in that the network device comprises a processor and a memory coupled to each other, the memory storing a computer program which, when executed by the processor, causes the network device to perform the method according to any one of claims 1-7.
10. A computer-readable storage medium, in which a computer program is stored which, when run on a computer, causes the computer to carry out the method according to any one of claims 1 to 7.
CN202011643312.6A 2020-12-30 2020-12-30 Firewall rule processing method and device, network equipment and readable storage medium Active CN112804221B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011643312.6A CN112804221B (en) 2020-12-30 2020-12-30 Firewall rule processing method and device, network equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN112804221A true CN112804221A (en) 2021-05-14
CN112804221B CN112804221B (en) 2022-11-15

Family

ID=75809365

Country Status (1)

Country Link
CN (1) CN112804221B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113641708A (en) * 2021-08-11 2021-11-12 华院计算技术(上海)股份有限公司 Rule engine optimization method, data matching method and device, storage medium and terminal
CN114039853A (en) * 2021-11-15 2022-02-11 北京天融信网络安全技术有限公司 Method, device, storage medium and electronic equipment for detecting security policy
CN114205130A (en) * 2021-12-03 2022-03-18 紫光云(南京)数字技术有限公司 Method for realizing firewall object policy rule priority
CN115695309A (en) * 2022-12-30 2023-02-03 苏州浪潮智能科技有限公司 Access control list rule configuration method and device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108429774A (en) * 2018-06-21 2018-08-21 蔡梦臣 A kind of firewall policy centralized optimization management method and its system
US10063519B1 (en) * 2017-03-28 2018-08-28 Verisign, Inc. Automatically optimizing web application firewall rule sets
CN109495435A (en) * 2017-09-13 2019-03-19 北京国双科技有限公司 The firewall update method and device of server
CN110365697A (en) * 2019-07-26 2019-10-22 新华三大数据技术有限公司 A kind of virtual firewall setting method, device, electronic equipment and storage medium
CN111835794A (en) * 2020-09-17 2020-10-27 腾讯科技(深圳)有限公司 Firewall policy control method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant