CN105391684A - Centralized management method and centralized management device for strategies - Google Patents

Info

Publication number: CN105391684A
Authority: CN (China)
Prior art keywords: client, strategy, message queue, policy, queue
Legal status: Pending
Application number: CN201510661903.9A
Other languages: Chinese (zh)
Inventor: 梁媛
Current assignee: Inspur Electronic Information Industry Co Ltd
Original assignee: Inspur Electronic Information Industry Co Ltd
Application filed by Inspur Electronic Information Industry Co Ltd
Priority to CN201510661903.9A
Publication of CN105391684A

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/20: Network architectures or network communication protocols for managing network security; network security policies in general
    • H04L 41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08: Configuration management of networks or network elements
    • H04L 41/0893: Assignment of logical groups to network elements

Abstract

The invention provides a centralized management method and centralized management device for policies. The method comprises: creating in advance, on the centralized management device, a policy library containing a plurality of policies; grouping the clients in a computer network; assigning, from the policies in the policy library, a corresponding policy to the clients that belong to the same group; and issuing the assigned policies to the corresponding clients. Because the clients in the computer network are grouped, assigning a policy to a group completes the policy assignment for every client in that group, which improves the efficiency of policy configuration and issuing.

Description

Centralized management method and centralized management device for policies
Technical field
The present invention relates to the field of policy management, and in particular to a centralized management method and centralized management device for policies.
Background technology
With the rapid development of computer network technology, more and more security products are deployed in networks. To guarantee security in the network, a security policy has to be configured and issued for each device in the network.
In existing policy management, the management-end devices (audit management device, super management device and device security controller) each configure a policy for every device in the network one by one and issue the configured security policy to the relevant device, and each management end stores the policies it has issued.
Because the number of devices in a computer network keeps growing, configuring and issuing a security policy for each device consumes considerable resources, and the efficiency of configuration and issuing is low.
Summary of the invention
In view of this, the invention provides a centralized management method and centralized management device for policies, so as to improve the efficiency of policy configuration and issuing.
In a first aspect, the invention provides a centralized management method for policies, applied to a centralized management device on which a policy library containing a plurality of policies has been created in advance. The method further comprises:
grouping the clients in a computer network;
assigning, from the policies in the policy library, a corresponding policy to the clients belonging to the same group; and
issuing each assigned policy to the corresponding client.
Preferably,
grouping the clients in the computer network comprises: grouping, according to client attributes, the clients in the computer network that share the same attribute into the same group;
or,
grouping the clients in the computer network comprises: grouping, according to the identifier of the host a client belongs to, the clients in the computer network that belong to the same host into the same group.
Preferably,
each policy in the policy library comprises at least one rule group;
a rule group comprises the security rules configured for each object to be protected;
and each rule group comprises at least one of the following classes of rule: security label rules, file protection rules, process protection rules, registry protection rules and trust list maintenance rules.
Preferably,
the method further comprises: creating in advance a policy decision message queue and a client message queue corresponding to each client, and creating in advance a policy decision thread for monitoring the policy decision message queue;
and issuing each assigned policy to the corresponding client comprises:
sending each assigned policy to the policy decision message queue, where the policy decision thread performs policy decision processing on each policy in the policy decision message queue and determines, from the decision result, the client identifier each policy belongs to;
and, according to the determined client identifier, placing each policy in the client message queue of the corresponding client, so that when the client detects that its client message queue contains a policy, it takes the policy out of that queue and stores it.
Preferably,
before issuing each assigned policy to the corresponding client, the method further comprises converting the data structure of each policy to a HashMap data structure, in which the key characterizes the identifier of a client and the value characterizes the content of the policy;
and performing policy decision processing on each policy in the policy decision message queue and determining the client identifier it belongs to comprises: determining, from the key corresponding to each policy in the policy decision message queue, the client identifier the policy belongs to.
Preferably,
the method further comprises: creating in advance a client response queue;
and, when the client response queue is found to contain a response message, parsing from the response message the client identifier it contains and the corresponding target policy, and judging whether the target policy needs to be synchronized; if so, determining from the client identifier in the response message the target group the client belongs to, and placing the target policy in the client message queue of each of the other clients in the target group, so that the target policy is synchronized to the other clients in the target group.
In a second aspect, the invention also provides a centralized management device, comprising:
a creating unit, for creating a policy library containing a plurality of policies;
a grouping unit, for grouping the clients in a computer network;
an assigning unit, for assigning, from the policies in the policy library, a corresponding target policy to the clients belonging to the same group; and
an issuing unit, for issuing each assigned policy to the corresponding client.
Preferably,
the creating unit is further used for creating a policy decision message queue and a client message queue corresponding to each client, and for creating in advance a policy decision thread for monitoring the policy decision message queue;
and the issuing unit is specifically used for sending each assigned policy to the policy decision message queue, using the policy decision thread to perform policy decision processing on each policy in the policy decision message queue and determine from the decision result the client identifier each policy belongs to, and, according to the determined client identifier, placing each policy in the client message queue of the corresponding client, so that when the client detects that its client message queue contains a policy, it takes the policy out of that queue and stores it.
Preferably,
the device further comprises a converting unit, for converting the data structure of each policy to a HashMap data structure, in which the key characterizes the identifier of a client and the value characterizes the content of the policy;
and the issuing unit is specifically used for determining, from the key corresponding to each policy in the policy decision message queue, the client identifier the policy belongs to.
Preferably,
the creating unit is further used for creating a client response queue;
and the device further comprises a synchronization unit, for, when the client response queue is found to contain a response message, parsing from the response message the client identifier it contains and the corresponding target policy, and judging whether the target policy needs to be synchronized; if so, determining from the client identifier in the response message the target group the client belongs to, and placing the target policy in the client message queue of each of the other clients in the target group, so that the target policy is synchronized to the other clients in the target group.
The embodiments of the invention provide a centralized management method and centralized management device for policies. By grouping the clients in the computer network, a policy need only be assigned to a group to complete the policy assignment for every client in that group, which improves the efficiency of policy configuration and issuing.
Brief description of the drawings
Fig. 1 is a flow chart of the method provided by an embodiment of the invention;
Fig. 2 is a flow chart of the method provided by another embodiment of the invention;
Fig. 3 is a structure diagram of the centralized management system provided by an embodiment of the invention;
Fig. 4 is a hardware structure diagram of the centralized management device provided by an embodiment of the invention;
Fig. 5 is a schematic structural diagram of the centralized management device provided by an embodiment of the invention;
Fig. 6 is a schematic structural diagram of the centralized management device provided by another embodiment of the invention.
Embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
As shown in Fig. 1, an embodiment of the invention provides a centralized management method for policies, applied to a centralized management device on which a policy library has been created in advance. The method may comprise the following steps:
Step 101: group the clients in the computer network.
Step 102: assign, from the policies in the policy library, a corresponding policy to the clients belonging to the same group.
Step 103: issue each assigned policy to the corresponding client.
With the centralized management method of this embodiment, because the clients in the computer network are grouped, a policy need only be assigned to a group to complete the policy assignment for every client in that group, which improves the efficiency of policy configuration and issuing.
In a preferred embodiment of the invention, to further improve the efficiency of policy issuing, a policy decision message queue and a client message queue corresponding to each client may be created in advance, together with a policy decision thread for monitoring the policy decision message queue.
Each assigned policy may then be issued to its client as follows: each assigned policy is sent to the policy decision message queue; the policy decision thread performs policy decision processing on each policy in the policy decision message queue and determines, from the decision result, the client identifier each policy belongs to; and, according to the determined client identifier, each policy is placed in the client message queue of the corresponding client, so that when the client detects that its client message queue contains a policy, it takes the policy out of that queue and stores it.
In a preferred embodiment of the invention, to improve how quickly the policy decision thread determines which client a policy in the policy decision message queue belongs to, the data structure of each policy may be converted to a HashMap data structure before the policy is issued, in which the key characterizes the identifier of a client and the value characterizes the content of the policy; the client identifier each policy belongs to is then determined from the key corresponding to each policy in the policy decision message queue.
Because a HashMap gives direct lookup by key, the policy content and the identifier of the client the policy belongs to can be obtained quickly, which further improves the efficiency of policy issuing.
In a preferred embodiment of the invention, a client may also configure a policy in a user-defined form. After a client has configured a custom policy, it must further be judged whether to synchronize that policy to the other clients in the group the client belongs to. The method may therefore further comprise: creating in advance a client response queue; and, when the client response queue is found to contain a response message, parsing from the response message the client identifier it contains and the corresponding target policy, and judging whether the target policy needs to be synchronized; if so, determining from the client identifier in the response message the target group the client belongs to, and placing the target policy in the client message queue of each of the other clients in the target group, so that the target policy is synchronized to the other clients in the target group.
By creating a client response queue, a policy a client has configured itself can be uploaded automatically to that queue, and the centralized management device decides whether to synchronize it, which improves the flexibility of policy issuing.
To make the objectives, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments.
As shown in Fig. 2, an embodiment of the invention provides a centralized management method for policies, which may comprise the following steps:
Step 201: connect a centralized management device between the management ends and the clients; the management ends create the policy library by controlling the centralized management device.
In the prior art, each management end has to store the policies it issued to each client, and because the number of devices in a computer network is large, this easily leads to confusion in policy management.
In this embodiment, a centralized management device is established and connected between the management ends and the clients (see Fig. 3, the structure diagram of the centralized management system). The different management ends configure policies for clients through the centralized management device, and the configured policies are stored in the policy library of the centralized management device, so that policies are managed centrally and in an orderly manner.
The policies a management end configures for a client may include system security policies, network security policies, alarm policies and so on.
In this embodiment, the centralized management device may create a policy library for storing the policies the management ends configure for clients.
In this embodiment, the following policy model may be configured:
Each policy in the policy library may comprise at least one rule group. A rule group is a set of similar or related rules and contains the security rules configured for each object to be protected; a policy is a set of rule groups assembled according to business requirements.
A policy may therefore contain several rule groups, and a rule group is made up of rules of several different classes. A rule group may contain at least one of the following classes of rule: security label rules, file protection rules, process protection rules, registry protection rules and trust list maintenance rules, and each class may define at least one rule.
In this embodiment, policies may be created in two ways: system-predefined and user-defined. A system-predefined policy may be set so that operations such as deletion and editing are not allowed; when a system-predefined policy needs to be modified, the policy is copied and the copy is edited and issued.
In this embodiment, the grouping modes for the clients in the computer network may be set as: 1. by client attribute, where clients with the same attribute are placed in the same group; 2. by host identifier, where clients belonging to the same host are placed in the same group; 3. other grouping modes.
In this embodiment, the priority of the issuing modes may also be set; for example, grouping and issuing by the host a client belongs to may be given higher priority than grouping and issuing by client attribute.
In this embodiment, the policy management page may comprise the following four parts:
Rule group management: for creating rule groups and defining security rules according to the object to be protected.
Policy library management: for defining custom policies according to business needs by combining any rule groups.
Group assignment rules: for assigning the policies configured in the policy library, in batch, to every client belonging to the same group. When the same client has been placed in several groups by different grouping modes and receives a policy from each of those groups, the policy issued by the grouping with the higher priority is selected as the policy assigned to that client.
Client policy: for viewing the assigned policies per client, and for customizing individual rules for a client.
Step 202: group the clients in the computer network.
In this embodiment, the clients in the computer network may be grouped according to any one or more of the grouping modes above.
In a preferred embodiment of the invention, the clients in the computer network are grouped according to one of the grouping modes above.
Step 203: assign, from the policies in the policy library, a corresponding policy to the clients belonging to the same group.
Step 204: convert the data structure of each policy to a HashMap data structure, in which the key characterizes the identifier of a client and the value characterizes the content of the policy.
In this embodiment, the data structure of each policy may be converted to a HashMap data structure to make it faster to find the client identifier corresponding to each policy. Each policy stored in the policy library may also be stored in HashMap form to improve lookup speed.
The HashMap data structure may have the following content (List<> and HashMap<> are the patent's own generic container notation; the comments are added):

    typedef struct GroupPolicy
    {
        int priority;     /* priority */
        int policyid;     /* policy identifier */
    } GroupListObject;

    typedef struct PolicyObject
    {
        List<GroupListObject> HIPSlist;
        List<GroupListObject> ADlist;
        List<GroupListObject> SLlist;
        List<GroupListObject> FClist;
        List<GroupListObject> RAlist;
        int hostpolicy;   /* host policy */
        int policytype;   /* policy type */
    } ValueObject;

    HashMap<unsigned int, ValueObject>   /* key: client identifier; value: policy content */
Step 205: send each policy that has been converted to a HashMap data structure to the policy decision message queue.
In this embodiment, to determine which group's clients each assigned policy belongs to, a policy decision message queue (Jqueue) and a policy decision thread may be created in advance; the policy decision message queue receives each issued policy, and the policy decision thread monitors the policy decision message queue.
Step 206: when the policy decision thread finds that the policy decision message queue contains policies, it determines, from the key corresponding to each policy, the client identifier the policy belongs to.
Step 207: according to the determined client identifier, place each policy in the client message queue of the corresponding client.
In this embodiment, so that each policy can be delivered to its client quickly, a client message queue (Cqueue) corresponding to each client may be established in advance. For example, when each client registers, a Cqueue is created for it, and the name of the Cqueue may be the client identifier. When a policy is to be issued to a client, the policy data is assembled into JSON form and added to that client's message queue, where it waits for the client to take the message out.
In this embodiment, once the client identifier corresponding to a policy has been determined, the other client identifiers belonging to the same group are determined from the grouping, and the policy is placed in the client message queue of every client in that group.
Step 208: when a client detects that its client message queue contains a policy, it takes the policy out of the queue and stores it.
In this embodiment, a message bus may be established between the centralized management device and the clients, so that data transmitted between them is carried and processed over the message bus.
Step 209: create a client response queue (Rqueue) and a policy synchronization thread for monitoring it; when the policy synchronization thread finds that the client response queue contains a message, it parses from the response message the client identifier it contains and the corresponding target policy.
Step 210: judge whether the target policy needs to be synchronized; if so, determine from the client identifier in the response message the target group the client belongs to, and place the target policy in the client message queue of each of the other clients in the target group, so that the target policy is synchronized to those clients.
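The dispatch path of steps 204-207 and the synchronization of steps 209-210, as an added C++ model that is not code from the patent: the Manager type, its registerClient/assignToGroup/runDecision/route/clientTake/runSync methods and the audit list are assumed names, the queues are in-process deques with the two threads reduced to functions that drain them once, and the hostpolicy flag is used as the "needs sync" criterion because the patent does not specify one. The decision step refuses keys that name no registered client and applies the group-assignment rule that a host-group policy outranks an attribute-group policy.

```cpp
#include <deque>
#include <map>
#include <set>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// The patent's ValueObject, trimmed to the fields the routing uses (assumption);
// the hostpolicy flag stands in for the page's unspecified "needs sync" criterion.
struct ValueObject { int priority; int policyid; int hostpolicy; };
using ClientId = unsigned int;
using HashMapPolicy = std::unordered_map<ClientId, ValueObject>;  // key = client identifier

// Page: grouping and issuing by host outranks grouping and issuing by client attribute.
enum GroupMode { ByAttribute = 1, ByHost = 2 };

struct Manager {
    std::map<ClientId, std::deque<ValueObject>> cqueue;   // one Cqueue per registered client
    std::map<std::string, std::set<ClientId>> attrGroup, hostGroup;
    std::map<ClientId, std::string> hostOf;
    std::map<ClientId, ValueObject> effective;             // winning policy per client
    std::deque<HashMapPolicy> jqueue;                      // policy decision queue (Jqueue)
    std::deque<std::pair<ClientId, ValueObject>> rqueue;   // client response queue (Rqueue)
    std::vector<std::string> audit;                        // refused or superseded messages

    // Step 202: registration creates the client's Cqueue and files it into both groupings.
    void registerClient(ClientId id, const std::string& attr, const std::string& host) {
        cqueue[id];
        attrGroup[attr].insert(id);
        hostGroup[host].insert(id);
        hostOf[id] = host;
    }

    // Steps 203-205: assign one policy to one group, build the HashMap (one entry per
    // member, keyed by client identifier) and send it to the decision queue.
    void assignToGroup(GroupMode mode, const std::string& group, int policyid, int hostpolicy = 0) {
        const std::set<ClientId>& members = (mode == ByHost ? hostGroup : attrGroup)[group];
        HashMapPolicy m;
        for (ClientId c : members) m[c] = ValueObject{mode, policyid, hostpolicy};
        jqueue.push_back(m);
    }

    // Steps 206-207: body of the policy decision thread. The key names the client; a key
    // with no registered Cqueue is refused and logged instead of creating a queue for it
    // (defensive addition). A policy from a lower-priority grouping never overrides one
    // the client already holds from a higher-priority grouping ("group assignment rule").
    void runDecision() {
        while (!jqueue.empty()) {
            HashMapPolicy m = jqueue.front();
            jqueue.pop_front();
            for (const auto& kv : m) route(kv.first, kv.second);
        }
    }

    void route(ClientId key, const ValueObject& value) {
        auto q = cqueue.find(key);
        if (q == cqueue.end()) { audit.push_back("unknown client " + std::to_string(key)); return; }
        auto cur = effective.find(key);
        if (cur != effective.end() && cur->second.priority > value.priority) {
            audit.push_back("superseded policy " + std::to_string(value.policyid));
            return;
        }
        effective[key] = value;
        q->second.push_back(value);
    }

    // Step 208: the client drains its own Cqueue and stores the last policy delivered;
    // returns the stored policy id, or -1 when nothing was delivered.
    int clientTake(ClientId id) {
        std::deque<ValueObject>& q = cqueue.at(id);
        int stored = q.empty() ? -1 : q.back().policyid;
        q.clear();
        return stored;
    }

    // Steps 209-210: body of the policy synchronization thread. A client-customized policy
    // arrives on Rqueue; if it needs syncing it goes to the other members of the sender's
    // host group, never back to the sender and never on behalf of an unregistered sender.
    void runSync() {
        while (!rqueue.empty()) {
            std::pair<ClientId, ValueObject> msg = rqueue.front();
            rqueue.pop_front();
            if (!cqueue.count(msg.first)) { audit.push_back("response from unknown client"); continue; }
            if (!msg.second.hostpolicy) continue;            // assumed "no sync needed" criterion
            for (ClientId peer : hostGroup[hostOf[msg.first]])
                if (peer != msg.first) route(peer, msg.second);
        }
    }
};
```

The audit list is where a production version would hang logging and alerting: an unregistered key or sender on either queue is the signal that something other than the centralized management device or a registered client is writing policies.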
In this embodiment, the following threads may also be created:
Main thread: for initializing data and creating the other threads.
Monitoring thread: for monitoring the state of the policy decision thread and the policy synchronization thread, and restarting a thread whose state is found to be abnormal.
With the centralized management method of this embodiment, because the clients in the computer network are grouped, a policy need only be assigned to a group to complete the policy assignment for every client in that group, which improves the efficiency of policy configuration and issuing.
As shown in Fig. 4 and Fig. 5, an embodiment of the invention provides a centralized management device. The device embodiment may be implemented in software, in hardware, or in a combination of hardware and software. From the hardware perspective, Fig. 4 is a hardware structure diagram of the equipment hosting the centralized management device of the embodiment; besides the processor, memory, network interface and non-volatile memory shown in Fig. 4, the equipment hosting the device may also include other hardware, such as a forwarding chip responsible for processing messages. In a software implementation, as shown in Fig. 5, the device in the logical sense is formed by the CPU of its host equipment reading the corresponding computer program instructions from non-volatile memory into memory and running them. The centralized management device of this embodiment comprises:
a creating unit 501, for creating a policy library containing a plurality of policies;
a grouping unit 502, for grouping the clients in a computer network;
an assigning unit 503, for assigning, from the policies in the policy library, a corresponding target policy to the clients belonging to the same group; and
an issuing unit 504, for issuing each assigned policy to the corresponding client.
Further,
Described creating unit 501, is further used for the client message queue that the queue of construction strategy decision message is corresponding with each client; And the policy determination thread be pre-created for the queue of monitoring strategies decision message;
Describedly issue unit 504, specifically for each strategy be assigned is sent in policy determination message queue, Utilization strategies judgement thread, to each strategy implementation strategy decision process be respectively issued in described policy determination message queue, determines the client identification belonging to each strategy according to court verdict; According to the client identification determined, by in the client message queue corresponding to each policy distribution to relative client, to make relative client when monitoring the client message queue corresponding with it and comprising strategy, the strategy in the client message queue corresponding with it is taken out and stores.
In a preferred embodiment of the invention, as shown in Figure 6, this centralized management equipment can also comprise:
Converting unit 601, for the data structure of each strategy is converted to HashMap data structure, wherein, the HashMap data structure converted to comprises: for characterizing the keyword key of the mark of client and the field value for characterizing tactful content;
Describedly issue unit 504, determine the client identification belonging to corresponding strategy specifically for the keyword key corresponding to each strategy be issued in described policy determination message queue.
Further,
The creating unit 501 is further configured to create a client response queue;
The device further comprises a synchronization unit 602, configured, when it detects that the client response queue contains a response message, to parse out the client identifier and the corresponding target policy included in that response message and to judge whether the target policy needs to be synchronized; if it does, to issue the target policy into the client message queues of the other clients in the target group to which the client identified in the response message belongs, so that the target policy is synchronized to the other clients in that target group.
Further, the division unit 502 is specifically configured to divide clients in the computer network that share the same attribute into the same group, according to client attributes;
Or,
The division unit 502 is specifically configured to divide clients in the computer network that belong to the same host into the same group, according to the host identifier to which each client belongs.
Further, each policy in the policy library comprises at least one rule group;
A rule group comprises an object to be protected and the security rules configured for that object;
Each rule group comprises at least one of the following classes of rules: security label rules, file protection rules, process protection rules, registry protection rules and trust list maintenance rules.
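As an added illustration (not code from the patent or from Inspur), the following Python sketch models the device described above: clients grouped by attribute or by host, a policy decision message queue drained by a decision thread, one client message queue per client, HashMap-style messages whose key is the client identifier and whose value is the policy content, a policy made of rule groups drawn from the five rule classes, and a client response queue whose synchronization step pushes a policy to the rest of the client's group. Everything beyond that is an assumption layered on the text: Python dicts and queue.Queue stand in for the HashMap and the message bus; the client ids, group names and rule contents are constructed sample data; targeting a single client id through assign() is an extrapolation of the key-is-client-id model; and the check that only a policy the server itself issued may be synchronized from a client response is a hardening step the patent does not mention, added because the response queue otherwise lets one client push rules onto its whole group.

```python
import hashlib
import json
import queue
import threading
from collections import defaultdict

# The five rule classes a rule group may carry, as listed in the description.
RULE_CLASSES = {"security_label", "file_protect", "process_protect",
                "registry_protect", "trust_list"}


def group_clients(clients, by="attribute"):
    """Group clients by a shared attribute or by host id, the two criteria in the text."""
    groups = defaultdict(list)
    for cid, meta in clients.items():
        groups[meta[by]].append(cid)
    return dict(groups)


def validate_policy(policy):
    """A policy holds >= 1 rule group; each names a protected object and carries rules of known classes."""
    if not policy.get("rule_groups"):
        raise ValueError("policy has no rule group")
    for rg in policy["rule_groups"]:
        if "object" not in rg or not rg.get("rules"):
            raise ValueError("rule group needs a protected object and at least one rule")
        for rule in rg["rules"]:
            if rule.get("class") not in RULE_CLASSES:
                raise ValueError("unknown rule class: %r" % rule.get("class"))


def policy_digest(policy):
    """Canonical digest, so the server recognises policies it issued when they come back in responses."""
    return hashlib.sha256(json.dumps(policy, sort_keys=True).encode()).hexdigest()


class PolicyServer:
    """Centralized management device: decision queue, one queue per client, and a response queue."""

    def __init__(self, clients, group_by="attribute"):
        self.groups = group_clients(clients, group_by)
        self.client_group = {c: g for g, members in self.groups.items() for c in members}
        self.decision_q = queue.Queue()                       # policy decision message queue
        self.client_q = {c: queue.Queue() for c in clients}   # one client message queue per client
        self.response_q = queue.Queue()                       # client response queue
        self.issued = defaultdict(set)                        # client id -> digests issued to it
        self.rejected = []                                    # sync requests the sync unit refused
        for worker in (self._decision_thread, self._sync_thread):
            threading.Thread(target=worker, daemon=True).start()

    def assign(self, target, policy):
        """Allocate a policy to a group (or, assumed here, to a single client id):
        one HashMap-style message per recipient, key = client id, value = policy content."""
        validate_policy(policy)
        for cid in self.groups.get(target, [target]):
            self.decision_q.put({"key": cid, "value": policy})
        self.decision_q.join()

    def _decision_thread(self):
        while True:
            msg = self.decision_q.get()
            cid, policy = msg["key"], msg["value"]   # decision: the key names the client directly
            if cid in self.client_q:
                self.issued[cid].add(policy_digest(policy))
                self.client_q[cid].put(policy)
            self.decision_q.task_done()

    def respond(self, client_id, policy, sync):
        """A client reports a policy back and may ask for it to be synchronized to its group."""
        self.response_q.put({"client_id": client_id, "policy": policy, "sync": sync})
        self.response_q.join()

    def _sync_thread(self):
        while True:
            resp = self.response_q.get()
            cid, policy = resp["client_id"], resp["policy"]
            digest = policy_digest(policy)
            # Check added in this example (the text only says "judge whether sync is needed"):
            # sync only a policy this server itself issued to that client, so a compromised
            # client cannot use the response queue to push arbitrary rules onto its peers.
            if resp["sync"] and digest in self.issued.get(cid, ()):
                for peer in self.groups.get(self.client_group.get(cid), []):
                    if peer != cid and digest not in self.issued[peer]:
                        self.issued[peer].add(digest)
                        self.client_q[peer].put(policy)
            elif resp["sync"]:
                self.rejected.append(cid)
            self.response_q.task_done()

    def client_fetch(self, cid):
        """Client side: take every policy out of its own queue and store it (returned here)."""
        stored = []
        while not self.client_q[cid].empty():
            stored.append(self.client_q[cid].get_nowait())
        return stored


def run_demo():
    """Constructed sample data: three clients, a group baseline, a single-client hotfix,
    one legitimate sync request and one forged one."""
    clients = {"c1": {"attribute": "web", "host": "h1"},
               "c2": {"attribute": "web", "host": "h1"},
               "c3": {"attribute": "db", "host": "h2"}}
    baseline = {"name": "web-baseline", "rule_groups": [
        {"object": "/var/www", "rules": [{"class": "file_protect", "action": "deny_write"},
                                         {"class": "process_protect", "allow": ["nginx"]}]}]}
    hotfix = {"name": "hotfix", "rule_groups": [
        {"object": "/usr/bin/curl", "rules": [{"class": "trust_list", "action": "add"}]}]}
    forged = {"name": "backdoor", "rule_groups": [
        {"object": "/usr/bin/nc", "rules": [{"class": "trust_list", "action": "add"}]}]}
    srv = PolicyServer(clients)
    srv.assign("web", baseline)                 # group allocation: reaches c1 and c2
    srv.assign("c1", hotfix)                    # single-client allocation
    srv.respond("c1", hotfix, sync=True)        # legitimate: hotfix spreads to c2, not to c3
    srv.respond("c2", forged, sync=True)        # never issued by the server: refused
    received = {cid: [p["name"] for p in srv.client_fetch(cid)] for cid in clients}
    return received, list(srv.rejected)


if __name__ == "__main__":
    print(run_demo())
```

The join() calls after each put make the demo deterministic; in a real deployment the decision and synchronization threads would run continuously against the bus, and the issued-digest record would have to live in durable storage shared by every server instance, otherwise a restart would make every legitimate sync request look forged.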
In summary, the embodiments of the present invention can achieve at least the following beneficial effects:
1. By grouping the multiple clients in the computer network, a policy need only be allocated once to a group to complete policy distribution to every client in that group, which improves the efficiency of policy configuration and distribution.
2. By creating a policy decision message queue and a client message queue for each client, and a policy decision thread that monitors the policy decision message queue, each allocated policy is sent into the policy decision message queue; the policy decision thread performs policy decision processing on each policy in that queue and determines from the decision result the client identifier to which each policy belongs, which improves policy distribution efficiency.
3. By converting the data structure of each policy into a HashMap data structure whose key characterizes the client identifier and whose value field characterizes the policy content, the client identifier to which each policy belongs can be determined directly from the key corresponding to that policy in the policy decision message queue, which speeds up the policy decision thread's determination of the client for each policy and thus further improves policy distribution efficiency.
4. The centralized management model suits users with many client devices, saves the user cost and simplifies the management of client devices by technical staff. Through the centralized management device, system security policies, network security policies and alarm policies can be customized for and distributed to client devices. The centralized policy management method can support the management of more than 3000 client devices and is simple, flexible and efficient to configure. In addition, communication between the centralized management device and the clients can transmit and process messages asynchronously over a message bus, achieving loose coupling between the functional modules of the system, sustaining a higher traffic load, and greatly increasing system throughput and performance.
The information exchange and execution between the units of the above device are based on the same concept as the method embodiments of the invention; for details refer to the description of the method embodiments, which is not repeated here.
It should be noted that relational terms such as first and second are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprise", "comprising" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises it.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be implemented by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes ROM, RAM, magnetic disk, optical disc or any other medium capable of storing program code.
Finally, it should be noted that the foregoing are merely preferred embodiments of the invention, given to illustrate its technical solution and not to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention falls within its scope of protection.

Claims (10)

1. A centralized policy management method, characterized in that it is applied to a centralized management device, the centralized management device having pre-created a policy library containing a plurality of policies; the method further comprising:
grouping a plurality of clients in a computer network;
according to the plurality of policies contained in the policy library, allocating a corresponding policy to the clients belonging to the same group;
delivering each allocated policy to the corresponding clients respectively.
2. The method according to claim 1, characterized in that
grouping the plurality of clients in the computer network comprises: according to client attributes, dividing clients in the computer network that have the same attribute into the same group;
or,
grouping the plurality of clients in the computer network comprises: according to the host identifier to which each client belongs, dividing clients in the computer network that belong to the same host into the same group.
3. The method according to claim 1, characterized in that
each policy in the policy library comprises at least one rule group;
a rule group comprises an object to be protected and the security rules configured for that object;
wherein each rule group comprises at least one of the following classes of rules: security label rules, file protection rules, process protection rules, registry protection rules and trust list maintenance rules.
4. The method according to claim 1, characterized in that
it further comprises: pre-creating a policy decision message queue and a client message queue corresponding to each client, and pre-creating a policy decision thread for monitoring the policy decision message queue;
delivering each allocated policy to the corresponding clients respectively comprises:
sending each allocated policy into the policy decision message queue, the policy decision thread performing policy decision processing on each policy placed in the policy decision message queue and determining from the decision result the client identifier to which each policy belongs;
according to the determined client identifier, distributing each policy into the client message queue of the corresponding client, so that when the corresponding client detects that its client message queue contains a policy, it takes the policy out of that queue and stores it.
5. The method according to claim 3, characterized in that
before delivering each allocated policy to the corresponding clients respectively, it further comprises: converting the data structure of each policy into a HashMap data structure, where the converted HashMap data structure comprises a key characterizing the client identifier and a value field characterizing the policy content;
performing policy decision processing on each policy placed in the policy decision message queue and determining from the decision result the client identifier to which each policy belongs comprises: determining the client identifier to which each policy belongs from the key corresponding to that policy in the policy decision message queue.
6. The method according to any one of claims 1 to 5, characterized in that
it further comprises: pre-creating a client response queue;
and further comprises: when it is detected that the client response queue contains a response message, parsing out the client identifier and the corresponding target policy included in that response message and judging whether the target policy needs to be synchronized; if it does, issuing the target policy into the client message queues corresponding to the other clients in the target group to which the client identified in the response message belongs, so as to synchronize the target policy to the other clients in that target group.
7. A centralized management device, characterized in that it comprises:
a creating unit for creating a policy library containing a plurality of policies;
a division unit for grouping a plurality of clients in a computer network;
an allocation unit for allocating a corresponding target policy to the clients belonging to the same group, according to the plurality of policies contained in the policy library;
an issuing unit for delivering each allocated policy to the corresponding clients respectively.
8. The centralized management device according to claim 7, characterized in that
the creating unit is further configured to create a policy decision message queue and a client message queue corresponding to each client, and to pre-create a policy decision thread for monitoring the policy decision message queue;
the issuing unit is specifically configured to send each allocated policy into the policy decision message queue and, using the policy decision thread, perform policy decision processing on each policy placed in the policy decision message queue, determining from the decision result the client identifier to which each policy belongs; and, according to the determined client identifier, to distribute each policy into the client message queue of the corresponding client, so that when the corresponding client detects that its client message queue contains a policy, it takes the policy out of that queue and stores it.
9. The centralized management device according to claim 8, characterized in that
it further comprises: a converting unit for converting the data structure of each policy into a HashMap data structure, where the converted HashMap data structure comprises a key characterizing the client identifier and a value field characterizing the policy content;
the issuing unit is specifically configured to determine the client identifier to which each policy belongs from the key corresponding to that policy in the policy decision message queue.
10. The centralized management device according to any one of claims 7 to 9, characterized in that
the creating unit is further configured to create a client response queue;
and the device further comprises: a synchronization unit configured, when it detects that the client response queue contains a response message, to parse out the client identifier and the corresponding target policy included in that response message and to judge whether the target policy needs to be synchronized; if it does, to issue the target policy into the client message queues corresponding to the other clients in the target group to which the client identified in the response message belongs, so as to synchronize the target policy to the other clients in that target group.
CN201510661903.9A 2015-10-14 2015-10-14 Centralized management method and centralized management device for strategies Pending CN105391684A (en)

Publications (1)

Publication Number Publication Date
CN105391684A true CN105391684A (en) 2016-03-09

Family

ID=55423521

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105978882A (en) * 2016-05-17 2016-09-28 浪潮电子信息产业股份有限公司 Host safety strategy transmission method employing lisence and safety switch control at centralized management platform
CN106131033A (en) * 2016-07-20 2016-11-16 浪潮电子信息产业股份有限公司 A kind of policy management method of SSR centralized management platform
CN106302484A (en) * 2016-08-22 2017-01-04 浪潮电子信息产业股份有限公司 A kind of method of Centralized management of policy
CN106372512A (en) * 2016-08-25 2017-02-01 浪潮电子信息产业股份有限公司 Task-type security baseline execution method
CN106998265A (en) * 2017-03-14 2017-08-01 ***股份有限公司 A kind of monitoring method and its device
CN108459878A (en) * 2018-01-08 2018-08-28 郑州云海信息技术有限公司 A kind of the centralized management platform and method of Intrusion Detection based on host control client starting up
CN108551439A (en) * 2018-03-23 2018-09-18 杭州迪普科技股份有限公司 A kind of improved method and device of policy template application
CN108809680A (en) * 2017-05-04 2018-11-13 腾讯科技(深圳)有限公司 A kind of method and apparatus of equipment management
CN108880860A (en) * 2018-05-24 2018-11-23 杭州迪普科技股份有限公司 A kind of policy management method and device
CN109150866A (en) * 2018-08-09 2019-01-04 郑州云海信息技术有限公司 A kind of policy distribution feedback and check system and method
CN110119622A (en) * 2019-05-15 2019-08-13 苏州浪潮智能科技有限公司 A kind of registration table Integrity Management method, system and equipment
CN111314312A (en) * 2020-01-19 2020-06-19 苏州浪潮智能科技有限公司 Policy management method, system, device and medium
CN112688818A (en) * 2020-12-30 2021-04-20 北京天融信网络安全技术有限公司 Data transmission method and device, electronic equipment and readable storage medium
CN113794717A (en) * 2021-09-14 2021-12-14 京东科技信息技术有限公司 Safety scheduling method, device and related equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103634156A (en) * 2013-12-17 2014-03-12 中国联合网络通信集团有限公司 Device, equipment and system for managing and controlling network safety in centralized manner
CN104202333A (en) * 2014-09-16 2014-12-10 浪潮电子信息产业股份有限公司 Implementation method of distributed firewall
CN104714825A (en) * 2015-03-20 2015-06-17 北京瑞星信息技术有限公司 Method for uniformly configuring strategies

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160309