CN113726813B - Network security configuration method, device and storage medium - Google Patents


Info

Publication number
CN113726813B
Authority
CN
China
Prior art keywords
target
target object
network
network security
security policy
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111055024.3A
Other languages
Chinese (zh)
Other versions
CN113726813A (en)
Inventor
张新硕
刘焕焕
胡越
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Kaos Digital Technology Qingdao Co ltd
Karos Iot Technology Co ltd
Cosmoplat Industrial Intelligent Research Institute Qingdao Co Ltd
Original Assignee
Karos Iot Technology Co ltd
Haier Digital Technology Qingdao Co Ltd
Cosmoplat Industrial Intelligent Research Institute Qingdao Co Ltd
Application filed by Karos Iot Technology Co ltd, Haier Digital Technology Qingdao Co Ltd and Cosmoplat Industrial Intelligent Research Institute Qingdao Co Ltd
Priority to CN202111055024.3A
Publication of CN113726813A
Application granted
Publication of CN113726813B
Legal status: Active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/02 Standardisation; Integration
    • H04L 41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network security configuration method, device and storage medium. A target object whose network security policy is to be configured is determined from information about the target service application system; the target network security policy for that object is determined from the object's attribute information; at least one target connection mode is selected from several alternative connection modes according to that attribute information; and an operation instruction is sent to the target object over the target connection mode, so that the target object sets its network security policy to the target security policy according to the instruction. Embodiments of the invention can therefore identify automatically both the objects that need a network security policy and the policy each should receive, and then issue the operation instruction over a suitable connection mode to complete the configuration. This avoids incomplete or incorrect manual analysis, manually misconfigured policies and omitted configuration, and preserves the security protection capability of the target service application system.

Description

Network security configuration method, device and storage medium
Technical Field
The invention belongs to the technical field of computers, and particularly relates to a network security configuration method, equipment and a storage medium.
Background
With the rapid development of the Internet, information technology has penetrated every field of society and the economy, work and daily life increasingly depend on computers and networks, and network security has become a basic problem that every enterprise faces.
When a service application system goes online, operations and maintenance staff must analyse manually which network devices and security software and hardware products need to be configured and which network security policies they need, and then log in to each device and product one by one to configure those policies.
Because this existing approach rests on manual analysis, the analysis may be incomplete or wrong, policies may be configured incorrectly, and configuration steps may be omitted, all of which weaken the security protection capability of the service application system.
Disclosure of Invention
The invention provides a network security configuration method, device and storage medium so that network security policies can be configured automatically.
A first aspect of the present invention provides a network security configuration method, the method including:
determining a target object of a network security policy to be configured according to the related information of the target service application system;
determining a target network security policy corresponding to the target object according to the attribute information of the target object;
selecting at least one target connection mode from a plurality of alternative connection modes according to the attribute information of the target object;
and sending an operation instruction to the target object in the target connection mode, so that the target object sets the network security policy as the target security policy according to the operation instruction.
Optionally, the determining, according to the related information of the target service application system, the target object of the network security policy to be configured includes:
determining a target network area where the target service application system is located according to the routing information of the target service application system;
and acquiring a target object of a network security policy to be configured, which is related to the target service application system, in the target network area, wherein the target object comprises at least one of network equipment and a security software and hardware product.
Optionally, the determining, according to the attribute information of the target object, a target network security policy corresponding to the target object includes:
if the target object is a firewall, selecting a corresponding security protection rule from preset network security policies according to the port number and/or the IP address of the target service application system, and determining the security protection rule as the target network security policy of the firewall.
Optionally, the determining, according to the attribute information of the target object, a target network security policy corresponding to the target object includes:
if the target object is network middleware, selecting a corresponding security protection rule from the preset network security policies according to the version and/or type information of the network middleware, and determining that rule as the target network security policy of the network middleware.
Optionally, the determining, according to the attribute information of the target object, a target network security policy corresponding to the target object includes:
if the target object is a database, selecting a corresponding security protection rule from the preset network security policies according to the version and/or type information of the database, and determining that rule as the target network security policy of the database.
Optionally, the plurality of alternative connection modes include at least one of an SNMP connection mode, a simulated-terminal connection mode and a simulated-browser-access connection mode.
Optionally, sending the operation instruction to the target object via the target connection mode includes:
if the target connection mode is the SNMP connection mode, connecting to the target object over SNMP and sending the operation instruction to it; or
if the target connection mode is the simulated-terminal connection mode, connecting to the target object over SSH or Telnet and sending the operation instruction within a simulated terminal session; or
if the target connection mode is the simulated-browser-access connection mode, accessing the background management page of the target object and simulating the operation instruction as a form submission on that page.
Optionally, the method further comprises:
and after the target object completes the setting of the target security policy, sending a simulated access instruction and/or a simulated attack instruction to the target service application system so as to verify the network security policy of the target object.
A second aspect of the present invention provides a network security configuration apparatus, comprising:
the determining module is used for determining a target object of the network security policy to be configured according to the related information of the target service application system; determining a target network security policy corresponding to the target object according to the attribute information of the target object;
the connection module is used for selecting at least one target connection mode from a plurality of alternative connection modes according to the attribute information of the target object;
and the setting module is used for sending an operation instruction to the target object in the target connection mode so that the target object sets the network security policy as the target security policy according to the operation instruction.
Optionally, the determining module is configured to, when determining the target object of the network security policy to be configured according to the related information of the target service application system:
determining a target network area where the target service application system is located according to the routing information of the target service application system;
and acquiring a target object of a network security policy to be configured, which is related to the target service application system, in the target network area, wherein the target object comprises at least one of network equipment and a security software and hardware product.
Optionally, the determining module is configured to, when determining, according to attribute information of the target object, a target network security policy corresponding to the target object:
if the target object is a firewall, selecting a corresponding security protection rule from preset network security policies according to the port number and/or the IP address of the target service application system, and determining the security protection rule as the target network security policy of the firewall.
Optionally, the determining module is configured to, when determining, according to attribute information of the target object, a target network security policy corresponding to the target object:
if the target object is network middleware, select a corresponding security protection rule from the preset network security policies according to the version and/or type information of the network middleware, and determine that rule as the target network security policy of the network middleware.
Optionally, the determining module is configured to, when determining, according to the attribute information of the target object, the target network security policy corresponding to the target object:
if the target object is a database, select a corresponding security protection rule from the preset network security policies according to the version and/or type information of the database, and determine that rule as the target network security policy of the database.
Optionally, the plurality of alternative connection modes include at least one of an SNMP connection mode, a simulated-terminal connection mode and a simulated-browser-access connection mode.
Optionally, when sending the operation instruction to the target object via the target connection mode, the setting module is configured to:
if the target connection mode is the SNMP connection mode, connect to the target object over SNMP and send the operation instruction to it; or
if the target connection mode is the simulated-terminal connection mode, connect to the target object over SSH or Telnet and send the operation instruction within a simulated terminal session; or
if the target connection mode is the simulated-browser-access connection mode, access the background management page of the target object and simulate the operation instruction as a form submission on that page.
Optionally, the setting module is further configured to:
after the target object completes the setting of the target security policy, send a simulated access instruction and/or a simulated attack instruction to the target service application system so as to verify the network security policy of the target object.
A third aspect of the present invention provides an electronic apparatus, comprising:
a memory for storing a computer program;
a processor for running a computer program stored in the memory to implement the method as described in the first aspect.
A fourth aspect of the present invention is to provide a computer-readable storage medium having a computer program stored thereon;
the computer program, when executed by a processor, implements the method as described in the first aspect.
With the network security configuration method, device and storage medium described above, the target object whose network security policy is to be configured is determined from information about the target service application system; the target network security policy for that object is determined from the object's attribute information; at least one target connection mode is selected from several alternative connection modes according to that attribute information; and an operation instruction is sent to the target object over the target connection mode, so that the target object sets its network security policy to the target security policy according to the instruction. Embodiments of the invention can therefore identify automatically both the objects that need a network security policy and the policy each should receive, and then issue the operation instruction over a suitable connection mode to complete the configuration, avoiding incomplete or incorrect manual analysis, manually misconfigured policies and omitted configuration, and preserving the security protection capability of the target service application system.
Drawings
To illustrate the embodiments of the invention or the prior-art solutions more clearly, the drawings used in their description are briefly introduced below. These drawings show only some embodiments of the invention; a person skilled in the art can derive other drawings from them without inventive effort.
Fig. 1 is a schematic diagram of an application scenario of a network security configuration method according to an embodiment of the present invention;
FIG. 2 is a flowchart of a network security configuration method according to an embodiment of the present invention;
fig. 3 is a flowchart of a network security configuration method according to another embodiment of the present invention;
FIG. 4 is a block diagram of a network security configuration device according to an embodiment of the present invention;
fig. 5 is a block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
When a service application system goes online, operations and maintenance staff must analyse manually which network devices and security software and hardware products need to be configured and which network security policies they need, and then log in to each device and product one by one to configure those policies.
Because this existing approach rests on manual analysis, the analysis may be incomplete or wrong, policies may be configured incorrectly, and configuration steps may be omitted, all of which weaken the security protection capability of the service application system.
To solve these problems, the network security configuration method provided by the invention determines the target object whose network security policy is to be configured from information about the target service application system; determines the target network security policy for that object from the object's attribute information; selects at least one target connection mode from several alternative connection modes according to that attribute information; and sends an operation instruction to the target object over the target connection mode, so that the target object sets its network security policy to the target security policy according to the instruction. Through this process the target objects and their corresponding target network security policies are determined automatically and the operation instruction is issued over a suitable connection mode, completing the configuration of the target security policy on each target object. Incomplete or incorrect manual analysis, manually misconfigured policies and omitted configuration are avoided, and the security protection capability of the target service application system is preserved.
The network security configuration method of the embodiments applies to the scenario shown in Fig. 1, which comprises a server 101 and a target service application system 102. The target service application system 102 includes network devices, security software and hardware products and the like, and the server 101 can connect to them through several alternative connection modes, for example at least one of an SNMP (Simple Network Management Protocol) connection mode, a simulated-terminal connection mode and a simulated-browser-access connection mode. The server 101 determines the target objects whose network security policy is to be configured from information about the target service application system, each target object being at least one of a network device and a security software and hardware product; determines the target network security policy of each target object from its attribute information; selects at least one target connection mode from the alternatives according to that attribute information; and sends an operation instruction to the target object over the target connection mode, so that the target object sets its network security policy to the target security policy according to the instruction.
The network security configuration process is explained and illustrated in detail below in connection with specific embodiments.
Fig. 2 is a flowchart of a network security configuration method according to an embodiment of the present invention. The embodiment provides a network security configuration method, which is applied to electronic equipment such as a terminal or a server, and the method comprises the following specific steps:
s201, determining a target object of the network security policy to be configured according to the related information of the target service application system.
In this embodiment, when the target service application system goes online, or whenever network security configuration is required, it is determined which target objects need network security configuration. A target object is at least one of a network device and a security software and hardware product.
Optionally, information about the target service application system entered by the user may be received, including but not limited to routing information such as IP addresses and port numbers, the version and type of the network middleware, and the version and type of the database. From this information the target objects whose network security policy is to be configured can be determined; for example, for a target service application system about to go online, the network devices and security software and hardware products that its traffic passes through can be identified from that information and taken as the target objects whose network security policy is to be configured.
In an alternative embodiment, as shown in fig. 3, the determining, according to the related information of the target service application system, the target object of the network security policy to be configured may specifically include:
s301, determining a target network area where a target service application system is located according to routing information of the target service application system;
s302, a target object of a network security policy to be configured, which is related to the target service application system, in the target network area is obtained, wherein the target object comprises at least one of network equipment and a security software and hardware product.
In this embodiment the information network may be divided into network areas or security areas, each containing its own network devices and security software and hardware products, and the target service application system sits in one of them. The target network area is determined from the routing information of the target service application system, and the network devices and security software and hardware products related to the system are then identified within that area and taken as the target objects whose network security policy is to be configured. Security policy configuration is therefore performed on the target objects within the target network area without affecting other network areas.
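As an added example, not part of the patent, the following Python sketch carries out steps S301 and S302 against a constructed zone table and device inventory: the application's address is matched against the zone prefixes (longest prefix wins, as in a forwarding table) and the devices of that area are returned. It goes one step beyond the text by also returning the devices of every enclosing area, innermost first, because the application's traffic normally crosses the perimeter of each enclosing area as well. The zone names, prefixes, device names and addresses are assumptions.

```python
"""Added example (not from the patent): steps S301/S302, locating the network
area of a service application from its routing information and listing the
devices in that area that need a policy. The zone table, device inventory and
application addresses below are constructed sample data (assumptions), not
anything the patent specifies.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Device:
    name: str
    kind: str       # e.g. "firewall", "switch", "waf"
    zone: str       # network/security area the device belongs to
    mgmt_ip: str    # management address used later by the connection mode


# Constructed zone table: prefix -> area name. Prefixes may nest; the most
# specific (longest) prefix containing the address is the application's own area.
ZONES: Dict[str, str] = {
    "10.0.0.0/8": "corp",
    "10.10.0.0/16": "dmz",
    "10.10.5.0/24": "dmz-web",
    "192.168.0.0/16": "lab",
}

# Constructed inventory of network devices and security products per area.
INVENTORY: List[Device] = [
    Device("fw-dmz-1", "firewall", "dmz", "10.10.0.1"),
    Device("fw-dmz-web", "firewall", "dmz-web", "10.10.5.1"),
    Device("sw-dmz-web", "switch", "dmz-web", "10.10.5.2"),
    Device("waf-dmz", "waf", "dmz", "10.10.0.20"),
    Device("fw-corp", "firewall", "corp", "10.0.0.1"),
]


def enclosing_zones(app_ip: str, zones: Dict[str, str] = ZONES) -> List[str]:
    """All areas whose prefix contains app_ip, most specific first."""
    addr = ipaddress.ip_address(app_ip)
    hits = []
    for cidr, name in zones.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net:
            hits.append((net.prefixlen, name))
    hits.sort(reverse=True)          # longest prefix first
    return [name for _, name in hits]


def locate_zone(app_ip: str, zones: Dict[str, str] = ZONES) -> Optional[str]:
    """Step S301: the target network area, or None if no prefix covers the address."""
    found = enclosing_zones(app_ip, zones)
    return found[0] if found else None


def target_objects(app_ips: Iterable[str],
                   inventory: List[Device] = INVENTORY,
                   zones: Dict[str, str] = ZONES) -> List[Device]:
    """Step S302: devices related to the application, i.e. those in its own area
    and (beyond the text) in every enclosing area, ordered innermost first.
    An application with addresses in several areas contributes all of them."""
    ordered_zones: List[str] = []
    for ip in app_ips:
        for zone in enclosing_zones(ip, zones):
            if zone not in ordered_zones:
                ordered_zones.append(zone)
    result: List[Device] = []
    for zone in ordered_zones:
        for dev in inventory:
            if dev.zone == zone and dev not in result:
                result.append(dev)
    return result


if __name__ == "__main__":
    # Constructed application: a web node in the dmz-web area.
    for dev in target_objects(["10.10.5.40"]):
        print(f"{dev.zone:8s} {dev.kind:9s} {dev.name} via {dev.mgmt_ip}")
```

An address that no prefix covers yields no area and no target objects; in practice that should be treated as an inventory gap to investigate before anything is configured, not as "nothing to do".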
S202, determining a target network security policy corresponding to the target object according to the attribute information of the target object.
In this embodiment, after the target object has been determined, the target network security policy for it must also be determined. Several network security policies may be preset, and a suitable target network security policy is selected from them according to the attribute information of the target object, which includes but is not limited to its version, type, manufacturer and function. The preset network security policies may be built-in defaults; a user may add, delete and modify them as needed, and may also prepare policy templates for reuse.
Optionally, if the target object is a firewall, a corresponding security protection rule is selected from the preset network security policies according to the port number and/or IP address of the target service application system, and that rule is determined as the target network security policy of the firewall.
Specifically, the port number determines which security protection rules should be enabled: for example, port 22 should enable the rules relating to the SSH protocol, and port 80 the rules relating to web traffic. The IP address and port number can also be combined to determine the firewall's access control rules.
Optionally, if the target object is network middleware, a corresponding security protection rule is selected from the preset network security policies according to the version and/or type information of the network middleware, and that rule is determined as the target network security policy of the network middleware.
Specifically, the version and type of the network middleware determine which security protection rules and which scanning rules to enable; for example, for Apache middleware the security protection rules relating to Apache vulnerabilities should be enabled, and when the security policy is verified the Apache-related scanning rules should be selected for the verification.
Optionally, if the target object is a database, a corresponding security protection rule is selected from the preset network security policies according to the version and/or type information of the database, and that rule is determined as the target network security policy of the database.
Specifically, the IP address of the database determines which security area, network area and server it is located on, and its version and type determine which security protection rules and scanning rules to enable; for example, for a MySQL database the security protection rules relating to MySQL vulnerabilities should be enabled, and when the security policy is verified the MySQL-related scanning rules should be selected for the verification.
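As an added example, not part of the patent, the following Python code implements the three policy-selection branches just described (firewall by port and IP address, middleware and database by type and version) against a small preset policy table, and then replays the simulated-access verification mentioned in the summary by evaluating the generated firewall access control list against a set of probes. The rule names, version ranges, addresses and ports are constructed sample data; real presets come from the policy store the text describes.

```python
"""Added example (not from the patent): choosing a target network security
policy from preset policies by the attributes the text names, and replaying the
simulated-access check used to verify a firewall policy afterwards. Rule names,
version ranges, addresses and ports are constructed sample data (assumptions).
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple

# Firewall branch: port number -> protection rule set to enable (constructed).
PORT_RULES = {
    22: ["ssh-bruteforce-limit", "ssh-banner-check"],
    80: ["web-http-inspect", "web-sqli-xss-signatures"],
    443: ["web-tls-inspect", "web-sqli-xss-signatures"],
    3306: ["db-mysql-protocol-inspect"],
}

# Middleware/database branch: (type, min version inclusive, max version
# exclusive, rules). The version bounds are constructed for illustration.
VERSIONED_RULES = [
    ("apache", (2, 4), (2, 5), ["apache-2.4-hardening", "apache-scan-profile"]),
    ("apache", (2, 2), (2, 4), ["apache-legacy-hardening", "apache-scan-profile"]),
    ("mysql", (8, 0), (9, 0), ["mysql-8-hardening", "mysql-scan-profile"]),
    ("mysql", (5, 7), (8, 0), ["mysql-5.7-hardening", "mysql-scan-profile"]),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.4.54' -> (2, 4, 54); '8' -> (8, 0); a suffix like '54-p1' keeps 54."""
    parts: List[int] = []
    for piece in version.split("."):
        head = ""
        for ch in piece:
            if not ch.isdigit():
                break
            head += ch
        if not head:
            break
        parts.append(int(head))
    while len(parts) < 2:            # pad so (8,) compares like (8, 0)
        parts.append(0)
    return tuple(parts)


@dataclass(frozen=True)
class AclEntry:
    action: str            # "allow" or "deny"
    src: str               # source prefix
    dst: str               # destination prefix
    port: Optional[int]    # None matches any port


def firewall_policy(app_ip: str, ports: Sequence[int],
                    allowed_sources: Sequence[str]) -> Tuple[List[str], List[AclEntry]]:
    """Firewall branch: protection rules keyed by the application's ports, plus an
    access control list built from the IP address and ports that admits only the
    given sources and ends in an explicit deny for everything else to the host."""
    rules: List[str] = []
    for port in ports:
        for rule in PORT_RULES.get(port, ["generic-port-inspect"]):
            if rule not in rules:
                rules.append(rule)
    host = f"{app_ip}/32"            # IPv4 host prefix (assumption of this example)
    acl = [AclEntry("allow", src, host, port) for port in ports for src in allowed_sources]
    acl.append(AclEntry("deny", "0.0.0.0/0", host, None))
    return rules, acl


def versioned_policy(obj_type: str, version: str) -> Optional[List[str]]:
    """Middleware/database branch: first preset whose type and version range
    match. None means no preset applies; the object then needs manual review
    rather than a guessed policy."""
    ver = parse_version(version)
    for typ, low, high, rules in VERSIONED_RULES:
        if typ == obj_type.lower() and low <= ver < high:
            return list(rules)
    return None


def acl_decision(acl: Iterable[AclEntry], src_ip: str, dst_ip: str, port: int) -> str:
    """First-match evaluation with an implicit final deny, as firewalls apply ACLs."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in acl:
        if (src in ipaddress.ip_network(entry.src)
                and dst in ipaddress.ip_network(entry.dst)
                and (entry.port is None or entry.port == port)):
            return entry.action
    return "deny"


def verify_acl(acl: Iterable[AclEntry],
               probes: Sequence[Tuple[str, str, int, str]]) -> List[Tuple[str, str, int, str]]:
    """Simulated-access verification: each probe is (src, dst, port, expected
    decision). Returns the probes whose outcome differs from the expectation;
    an empty list means the policy behaves as intended."""
    entries = list(acl)
    return [p for p in probes if acl_decision(entries, p[0], p[1], p[2]) != p[3]]


if __name__ == "__main__":
    rules, acl = firewall_policy("10.10.5.40", [22, 443], ["10.0.0.0/8"])
    print("firewall rules:", rules)
    print("apache 2.4.54 ->", versioned_policy("Apache", "2.4.54"))
    print("mismatches:", verify_acl(acl, [("10.0.3.9", "10.10.5.40", 443, "allow"),
                                          ("192.168.1.5", "10.10.5.40", 22, "deny")]))
```

The probe list doubles as the specification of the policy: it should contain the access that must work and the access that must be blocked, so that a mis-ordered or missing entry shows up as a mismatch before the policy is trusted.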
S203, selecting at least one target connection mode from a plurality of alternative connection modes according to the attribute information of the target object.
In this embodiment, since the target objects are various, in order to improve the adaptation degree, and to be compatible with more kinds of target objects, network security configuration can be performed on more kinds of target objects, and in this embodiment, a plurality of alternative connection modes are configured, and further, at least one target connection mode can be selected from the alternative connection modes according to attribute information of the target objects.
Optionally, the plurality of alternative connection modes includes at least one of an SNMP connection mode, a simulated terminal connection mode, and a simulated browser access connection mode; of course, the alternative connection modes are not limited to those listed above, and other connection modes are also possible.
The SNMP protocol is a standard application layer protocol designed specifically for managing network nodes (servers, workstations, routers, switches, hubs, etc.) in an IP network. SNMP enables network administrators to manage network performance, discover and solve network problems, and plan network growth. The management device can acquire the running state and/or the security protection state of the network devices and the security software and hardware products through the SNMP connection component; if the network devices and the security software and hardware products support SNMP write (set) operations and the management device has write authority, the management device can send configuration instructions of the network security policy based on the SNMP protocol through the SNMP connection component.
The simulated terminal connection mode connects to each network device and each security software and hardware product through the SSH (Secure Shell) protocol or the Telnet protocol. SSH is a protocol designed to provide security for remote login sessions and other network services; Telnet is the standard protocol and the main form of the Internet remote login service, which gives a user the ability to work on a remote host from a local computer. The management device can acquire the running state and/or the security protection state of the network devices and the security software and hardware products by means of a simulated terminal connection; in addition, the management device can send a configuration instruction of the network security policy based on the SSH protocol or the Telnet protocol by means of a simulated terminal connection.
The simulated browser access connection mode accesses the Web background management pages of each network device and security software and hardware product by simulating a Web browser, and can simulate the behaviour of various Web browsers, such as the *** browser, the IE browser, the Firefox browser and the like; the running states and/or the security protection states of the network devices and the security software and hardware products are obtained by accessing their Web background management pages. In addition, by simulating a Web browser, the management device can simulate entering the configuration instruction of the network security policy in the Web background management page of the network device or security software and hardware product and submitting it.
Optionally, in this embodiment, at least one target connection mode is selected from the plurality of alternative connection modes according to the attribute information of the target object; specifically, the target connection mode may be selected according to the manufacturer and/or model of the target object. For example, target objects of some manufacturers and/or models do not support the SNMP protocol and provide no SNMP interface, so the SNMP connection mode cannot be adopted for them; for some Linux systems and other target objects without a Web interface, the simulated terminal connection mode can be selected; for target objects such as routers whose management background is a Web page accessed through a Web browser, the simulated browser access connection mode can be selected.
Of course, a target object may support more than one connection mode; for example, some target objects support both the SNMP connection mode and the simulated terminal connection mode, and an appropriate target connection mode may be selected from the supported modes. For example, since the SNMP connection mode occupies the fewest resources, it may be selected when the occupancy rate of the CPU, memory, etc. of the target object is high, and another connection mode may be selected when the occupancy rate is not high; of course, a plurality of target connection modes can also be selected to cooperate with each other. The policy for selecting the target connection mode is not limited to the above examples, and further selection policies are not described here.
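The selection policy described in the two preceding paragraphs, written out as an added Python example (this is illustrative code, not code from the patent or its assignees). The capability table keyed by manufacturer and model, the vendor and model names, the 0.8 load threshold and the mode identifiers are all constructed assumptions; the rules themselves follow the text: only supported modes are candidates, SNMP is preferred when the device is busy because it has the smallest footprint, the other modes are preferred otherwise, and several modes may be returned so they can cooperate.

```python
from dataclasses import dataclass

# Connection mode identifiers (names chosen for this example).
SNMP = "snmp"
TERMINAL = "simulated_terminal"   # SSH or Telnet session driven the way an operator would
BROWSER = "simulated_browser"     # drives the device's Web background management pages

# Constructed capability table keyed by (manufacturer, model). Vendors and models
# are placeholders; a real deployment would fill this from an asset inventory.
CAPABILITIES = {
    ("vendor-a", "fw-1000"): {SNMP, TERMINAL, BROWSER},  # full-featured firewall
    ("vendor-b", "router-x"): {BROWSER},                 # web-managed router, no SNMP interface
    ("vendor-c", "linux-host"): {TERMINAL},              # headless Linux box, no Web UI
}

# Preference when the device is not under load: interactive modes first, SNMP last.
DEFAULT_PREFERENCE = [TERMINAL, BROWSER, SNMP]


@dataclass(frozen=True)
class TargetObject:
    manufacturer: str
    model: str
    cpu_usage: float   # fraction 0.0..1.0, as read from the device's running state
    mem_usage: float   # fraction 0.0..1.0


def supported_modes(target: TargetObject) -> set:
    """Look up which connection modes this manufacturer/model supports."""
    key = (target.manufacturer.lower(), target.model.lower())
    return set(CAPABILITIES.get(key, set()))


def select_connection_modes(target: TargetObject, load_threshold: float = 0.8,
                            allow_multiple: bool = False) -> list:
    """Choose the target connection mode(s) from the alternatives.

    * only modes the manufacturer/model supports are candidates;
    * if CPU or memory usage is at or above the threshold, SNMP is preferred
      because it places the least load on the device;
    * otherwise the interactive modes are preferred and SNMP is the fallback;
    * with allow_multiple=True every supported mode is returned in preference
      order so that several modes can cooperate.
    """
    supported = supported_modes(target)
    if not supported:
        raise ValueError(f"no known connection mode for {target.manufacturer}/{target.model}")

    busy = max(target.cpu_usage, target.mem_usage) >= load_threshold
    if busy:
        preference = [SNMP] + [m for m in DEFAULT_PREFERENCE if m != SNMP]
    else:
        preference = list(DEFAULT_PREFERENCE)

    ranked = [m for m in preference if m in supported]
    return ranked if allow_multiple else ranked[:1]


if __name__ == "__main__":
    fw = TargetObject("vendor-a", "fw-1000", cpu_usage=0.91, mem_usage=0.40)
    print(select_connection_modes(fw))                       # busy device: ['snmp']
    print(select_connection_modes(fw, allow_multiple=True))  # all supported, SNMP first
    router = TargetObject("vendor-b", "router-x", cpu_usage=0.95, mem_usage=0.95)
    print(select_connection_modes(router))                   # no SNMP interface: ['simulated_browser']
```

The ranking is deliberately deterministic so that the management device's choice can be logged and reproduced; a device that is busy but has no SNMP interface still falls back to whatever it does support rather than failing.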
It should be noted that, in the present embodiment, the order of executing S202 and S203 may not be limited.
S204, sending an operation instruction to the target object in the target connection mode, so that the target object sets the network security policy as the target security policy according to the operation instruction.
In this embodiment, after determining the target security policy and the target connection mode, an operation instruction may be sent to the target object through the target connection mode, so that the target object sets the network security policy according to the operation instruction, and sets the network security policy as the target security policy.
Optionally, based on the foregoing embodiment, the sending, by the target connection manner, an operation instruction to the target object may specifically include:
if the target connection mode is the SNMP connection mode, connecting to the target object through the SNMP protocol, and sending the operation instruction to the target object; or
if the target connection mode is the simulated terminal connection mode, connecting to the target object through the SSH protocol or the Telnet protocol, and sending the operation instruction to the target object by means of a simulated terminal; or
if the target connection mode is the simulated browser access connection mode, accessing the background management page of the target object, and simulating the submission of a form in the background management page as the operation instruction.
In this way, the network security policy can be configured for different kinds of target objects, and most network devices and security software and hardware products on the market are compatible.
As a specific example of the above embodiments, relevant information of the target service application system input by the user may be received, including but not limited to routing information such as the IP address and port number, the version and type of the network middleware, the version and type of the database, etc. According to the input IP address and port number information, the network devices and security software and hardware products that the online release of the target service application system must pass through can be determined; a target connection mode is selected to connect to these network devices and security software and hardware products, the network security policy that needs to be enabled is determined, and an operation instruction is issued on the corresponding network device or security software and hardware product to enable that security policy. For example, for a WEB application, a WEB protection policy needs to be enabled on the WEB application firewall, and at the same time a WEB page tamper-proof policy needs to be enabled. Therefore, the method can automatically connect to the WEB application firewall in the target connection mode and enable the WEB application protection policy for the corresponding IP address, port number and protocol, while also connecting to the web page tamper-proof system and enabling the tamper-proof policy for the specific network middleware.
According to the network security configuration method provided by the embodiment, a target object of a network security policy to be configured is determined according to the related information of the target service application system; determining a target network security policy corresponding to the target object according to the attribute information of the target object; selecting at least one target connection mode from a plurality of alternative connection modes according to the attribute information of the target object; and sending an operation instruction to the target object in a target connection mode, so that the target object sets the network security policy as a target security policy according to the operation instruction. The embodiment can automatically determine the target object of the network security policy to be configured and the corresponding target network security policy, and then realize the issuing of the operation instruction through a proper connection mode, thereby completing the configuration of the target security policy of the target object, avoiding the situations of incomplete manual analysis, analysis error, manual configuration policy error, configuration omission and the like, and ensuring the security protection capability of the target service application system.
As a further improvement of the above embodiment, after the target object completes the setting of the target security policy, verification may also be performed with respect to the configured target security policy. Specifically, the method may further include:
and after the target object completes the setting of the target security policy, sending a simulated access instruction and/or a simulated attack instruction to the target service application system so as to verify the network security policy of the target object.
In this embodiment, the simulated access instruction and/or the simulated attack instruction may be sent to the target service application system, so as to verify whether the target network security policy of the target object is enabled, and further verify the connectivity of the target service application system.
Optionally, one or more probes (or scanners) may be deployed on the intranet and/or the extranet of the target service application system, and the probes are controlled to send a simulated access instruction and/or a simulated attack instruction to the target service application system. For example, for a WEB application system, a probe can be controlled to carry out port scanning on the IP address of the target service application system to verify whether access control is strict and whether unnecessary ports are exposed; at the same time, the probe can be controlled to scan the service application system for security vulnerabilities using the scanning rules corresponding to the system type, to verify whether the security protection capability is effective, for example scanning with Apache-related scanning rules for Apache, with MySQL-related scanning rules for a MySQL database, and so on. By verifying the network security policy in this way, whether the target network security policy of the target object is effective can be checked, configuration errors or omissions can be caught, and the network security of the target service application system is further ensured.
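The post-configuration verification step above (simulated access to check that only the intended ports are reachable, plus choosing a scan rule set by system type), as an added Python example that is not part of the patent or its assignees' code. The probe is a plain TCP connect check; the rule-set names and the loopback scenario in `loopback_demo` are constructed for this example, and a real probe would run from the intranet/extranet vantage points the text describes rather than on the management host itself.

```python
import socket
from contextlib import closing

# Constructed mapping from declared system type to scan rule set (placeholder names).
SCAN_RULESETS = {
    "apache": "apache-web-server-rules",
    "mysql": "mysql-database-rules",
}


def select_scan_rules(system_type: str) -> str:
    """Pick the scan rule set matching the system type; fall back to a generic set."""
    return SCAN_RULESETS.get(system_type.lower(), "generic-rules")


def probe_ports(host: str, ports, timeout: float = 0.5) -> set:
    """Simulated access: attempt a TCP connect to each port and return those that accept."""
    reachable = set()
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                reachable.add(port)
    return reachable


def verify_exposure(expected_open: set, observed_open: set) -> dict:
    """Compare the policy's intent with what the probe actually reached.

    unexpected_open      -> access control is looser than the policy intended
    expected_but_closed  -> the policy broke connectivity the application needs
    """
    return {
        "ok": observed_open == expected_open,
        "unexpected_open": sorted(observed_open - expected_open),
        "expected_but_closed": sorted(expected_open - observed_open),
    }


def loopback_demo() -> dict:
    """Constructed scenario on 127.0.0.1: one listening socket stands in for the
    service port the policy should permit; a second port is left closed."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as svc:
        svc.bind(("127.0.0.1", 0))
        svc.listen(1)
        svc_port = svc.getsockname()[1]
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as tmp:
            tmp.bind(("127.0.0.1", 0))
            closed_port = tmp.getsockname()[1]  # released when tmp closes, so it refuses connections
        observed = probe_ports("127.0.0.1", {svc_port, closed_port})
        return {
            # policy intended exactly the service port to be reachable
            "compliant": verify_exposure({svc_port}, observed),
            # policy intended nothing to be reachable: the service port is an unexpected exposure
            "violation": verify_exposure(set(), observed),
        }


if __name__ == "__main__":
    for name, result in loopback_demo().items():
        print(name, result)
    print(select_scan_rules("MySQL"), select_scan_rules("tomcat"))
```

Reporting both directions of mismatch matters: a rule that is too strict shows up as `expected_but_closed`, which is the connectivity check the text mentions, while `unexpected_open` is the "unnecessary ports exposed" case.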
Fig. 4 is a block diagram of a network security configuration device according to an embodiment of the present invention. The network security configuration device provided in this embodiment may execute the processing flow provided in the network security configuration method embodiment, as shown in fig. 4, where the network security configuration device 400 includes a determining module 401, a connecting module 402, and a setting module 403.
A determining module 401, configured to determine a target object of a network security policy to be configured according to related information of a target service application system; determining a target network security policy corresponding to the target object according to the attribute information of the target object;
a connection module 402, configured to select at least one target connection mode from a plurality of alternative connection modes according to attribute information of the target object;
the setting module 403 is configured to send an operation instruction to the target object in the target connection mode, so that the target object sets the network security policy as the target security policy according to the operation instruction.
Optionally, the determining module 401 is configured to, when determining the target object of the network security policy to be configured according to the related information of the target service application system:
determining a target network area where the target service application system is located according to the routing information of the target service application system;
and acquiring a target object of a network security policy to be configured, which is related to the target service application system, in the target network area, wherein the target object comprises at least one of network equipment and a security software and hardware product.
Optionally, when determining the target network security policy corresponding to the target object according to the attribute information of the target object, the determining module 401 is configured to:
if the target object is a firewall, select a corresponding security protection rule from the preset network security policies according to the port number and/or the IP address of the target service application system, and determine the security protection rule as the target network security policy of the firewall.
Optionally, when determining the target network security policy corresponding to the target object according to the attribute information of the target object, the determining module 401 is configured to:
if the target object is a network middleware, select a corresponding security protection rule from the preset network security policies according to the version and/or type information of the network middleware, and determine the security protection rule as the target network security policy of the network middleware.
Optionally, when determining the target network security policy corresponding to the target object according to the attribute information of the target object, the determining module 401 is configured to:
if the target object is a database, select a corresponding security protection rule from the preset network security policies according to the version and/or type information of the database, and determine the security protection rule as the target network security policy of the database.
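The three selection rules just listed, together with the port-number mapping stated in claim 1 (port 22 enables SSH-related rules, port 80 enables WEB-related rules, and the IP address combined with the port number gives the firewall access control rule), as an added Python example that is not code from the patent or its assignees. The preset policy library, the rule names, the version strings and the ACL text format are constructed placeholders; the lookup logic (firewall by port and IP, middleware and database by type and version, with a generic per-type fallback when the exact version has no entry) is the part the text describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceApp:
    """Relevant information of the target service application system."""
    ip: str
    port: int


@dataclass(frozen=True)
class TargetObject:
    kind: str            # "firewall", "middleware" or "database"
    type_: str = ""      # e.g. "apache", "mysql" (middleware/database only)
    version: str = ""    # e.g. "2.4", "8.0"


# Constructed preset network security policy library. Rule names are placeholders,
# not any vendor's rule identifiers. "*" is the generic rule set for a type.
PRESET_POLICIES = {
    "firewall": {
        22: ["ssh-protection"],   # port 22: rules related to the SSH protocol
        80: ["web-protection"],   # port 80: rules related to WEB
    },
    "middleware": {
        "apache": {"2.4": ["apache-2.4-hardening"], "*": ["apache-generic-hardening"]},
        "nginx": {"*": ["nginx-generic-hardening"]},
    },
    "database": {
        "mysql": {"8.0": ["mysql-8.0-hardening"], "*": ["mysql-generic-hardening"]},
    },
}


def determine_target_policy(target: TargetObject, app: ServiceApp) -> list:
    """Select the target network security policy for one target object."""
    if target.kind == "firewall":
        rules = list(PRESET_POLICIES["firewall"].get(app.port, []))
        # Combining the IP address and the port number yields the access control rule.
        rules.append(f"acl:permit tcp any -> {app.ip}:{app.port}")
        return rules

    if target.kind in ("middleware", "database"):
        by_type = PRESET_POLICIES[target.kind].get(target.type_.lower())
        if by_type is None:
            raise LookupError(f"no preset policy for {target.kind} type {target.type_!r}")
        # Version-specific rule set if present, otherwise the type's generic set.
        return list(by_type.get(target.version) or by_type.get("*", []))

    raise ValueError(f"unsupported target object kind: {target.kind!r}")


def plan_for_path(targets, app: ServiceApp) -> list:
    """Determine the policy for every target object on the application's path,
    returned as (target, rules) pairs in path order."""
    return [(t, determine_target_policy(t, app)) for t in targets]


if __name__ == "__main__":
    app = ServiceApp("10.0.0.5", 22)  # constructed address
    path = [TargetObject("firewall"),
            TargetObject("middleware", "Apache", "2.4"),
            TargetObject("database", "mysql", "5.7")]
    for target, rules in plan_for_path(path, app):
        print(target.kind, target.type_ or "-", rules)
```

Keeping the access control rule separate from the port-specific protection rules makes the configuration-omission failure the text warns about visible: a firewall target always receives at least the ACL entry, even for a port the preset library has no special rules for.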
Optionally, the plurality of alternative connection modes includes at least one of an SNMP connection mode, a simulated terminal connection mode, and a simulated browser access connection mode.
Optionally, when sending an operation instruction to the target object through the target connection manner, the setting module 403 is configured to:
if the target connection mode is the SNMP connection mode, connect to the target object through the SNMP protocol, and send the operation instruction to the target object; or
if the target connection mode is the simulated terminal connection mode, connect to the target object through the SSH protocol or the Telnet protocol, and send the operation instruction to the target object by means of a simulated terminal; or
if the target connection mode is the simulated browser access connection mode, access the background management page of the target object, and simulate the submission of a form in the background management page as the operation instruction.
Optionally, the setting module 403 is further configured to:
and after the target object completes the setting of the target security policy, sending a simulated access instruction and/or a simulated attack instruction to the target service application system so as to verify the network security policy of the target object.
The network security configuration device provided in the embodiment of the present invention may be specifically used to execute the method embodiments provided in fig. 2 to 3, and specific functions are not described herein.
According to the network security configuration device provided by the embodiment of the invention, the target object of the network security policy to be configured is determined according to the related information of the target service application system; determining a target network security policy corresponding to the target object according to the attribute information of the target object; selecting at least one target connection mode from a plurality of alternative connection modes according to the attribute information of the target object; and sending an operation instruction to the target object in a target connection mode, so that the target object sets the network security policy as a target security policy according to the operation instruction. The embodiment can automatically determine the target object of the network security policy to be configured and the corresponding target network security policy, and then realize the issuing of the operation instruction through a proper connection mode, thereby completing the configuration of the target security policy of the target object, avoiding the situations of incomplete manual analysis, analysis error, manual configuration policy error, configuration omission and the like, and ensuring the security protection capability of the target service application system.
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. The electronic device provided by the embodiment of the present invention may execute the processing flow provided by the embodiment of the network security configuration method, as shown in fig. 5, the electronic device 50 includes a memory 51, a processor 52, and a computer program; wherein the computer program is stored in the memory 51 and configured to be executed by the processor 52 for the network security configuration method described in the above embodiments. The electronic device 50 may also have a communication interface 53 for transmitting control instructions and/or data.
The electronic device of the embodiment shown in fig. 5 may be used to implement the technical solution of the above-mentioned method embodiment, and its implementation principle and technical effects are similar, and are not described here again.
In addition, the present embodiment also provides a computer-readable storage medium having stored thereon a computer program that is executed by a processor to implement the network security configuration method described in the above embodiments.
In addition, the present embodiment also provides a computer program product, including a computer program, where the computer program is executed by a processor to implement the network security configuration method described in the foregoing embodiment.
In the several embodiments provided by the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in hardware plus software functional units.
The integrated units implemented in the form of software functional units described above may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium, and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor (processor) to perform part of the steps of the methods according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional modules is illustrated, and in practical application, the above-described functional allocation may be performed by different functional modules according to needs, i.e. the internal structure of the apparatus is divided into different functional modules to perform all or part of the functions described above. The specific working process of the above-described device may refer to the corresponding process in the foregoing method embodiment, which is not described herein again.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the invention.

Claims (7)

1. A network security configuration method, comprising:
receiving relevant information of a target service application system input by a user;
when a target service application system is online, determining a target object of a network security policy to be configured according to related information of the target service application system, wherein the target object is at least one of network equipment and a security software and hardware product through which the target service application system is online;
determining a target network security policy corresponding to the target object according to the attribute information of the target object, wherein the attribute information of the target object comprises a version, a type, a manufacturer and a function;
selecting at least one target connection mode from a plurality of alternative connection modes according to the attribute information of the target object;
sending an operation instruction to the target object in the target connection mode, so that the target object sets a network security policy as a target security policy according to the operation instruction;
the determining the target network security policy corresponding to the target object according to the attribute information of the target object includes:
if the target object is a firewall, selecting a corresponding security protection rule from preset network security policies according to a port number and/or an IP address of a target service application system, and determining the security protection rule as a target network security policy of the firewall; when the port number is 22, enabling a security protection rule related to an SSH protocol, when the port number is 80, enabling a security protection rule related to WEB, and combining an IP address and the port number to determine a firewall access control rule;
if the target equipment is a network middleware, selecting a corresponding security protection rule from preset network security policies according to version and/or type information of the network middleware, and determining the security protection rule as a target network security policy of the network middleware;
if the target equipment is a database, selecting a corresponding security protection rule from preset network security policies according to version and/or type information of the database, and determining the security protection rule as the target network security policy of the database.
2. The method according to claim 1, wherein determining the target object of the network security policy to be configured according to the related information of the target service application system comprises:
determining a target network area where the target service application system is located according to the routing information of the target service application system;
and acquiring a target object of a network security policy to be configured, which is related to the target service application system, in the target network area, wherein the target object comprises at least one of network equipment and a security software and hardware product.
3. The method of claim 1, wherein the plurality of alternative connection modes includes at least one of an SNMP connection mode, a simulated terminal connection mode, and a simulated browser access connection mode;
the sending the operation instruction to the target object through the target connection mode includes:
if the target connection mode is the SNMP connection mode, connecting to the target object through the SNMP protocol, and sending the operation instruction to the target object; or
if the target connection mode is the simulated terminal connection mode, connecting to the target object through the SSH protocol or the Telnet protocol, and sending the operation instruction to the target object by means of a simulated terminal; or
if the target connection mode is the simulated browser access connection mode, accessing the background management page of the target object, and simulating the submission of a form in the background management page as the operation instruction.
4. A method according to claim 3, further comprising:
and after the target object completes the setting of the target security policy, sending a simulated access instruction and/or a simulated attack instruction to the target service application system so as to verify the network security policy of the target object.
5. A network security configuration device, comprising:
the determining module is used for receiving the related information of the target business application system input by the user; when a target service application system is online, determining a target object of a network security policy to be configured according to related information of the target service application system; determining a target network security policy corresponding to the target object according to the attribute information of the target object, wherein the target object is at least one of network equipment and a security software and hardware product through which the target service application system goes online, and the attribute information of the target object comprises a version, a type, a manufacturer and a function;
the connection module is used for selecting at least one target connection mode from a plurality of alternative connection modes according to the attribute information of the target object;
the setting module is used for sending an operation instruction to the target object in the target connection mode so that the target object sets the network security policy as a target security policy according to the operation instruction;
the determining module is specifically configured to:
if the target object is a firewall, selecting a corresponding security protection rule from preset network security policies according to a port number and/or an IP address of a target service application system, and determining the security protection rule as a target network security policy of the firewall; when the port number is 22, enabling a security protection rule related to an SSH protocol, when the port number is 80, enabling a security protection rule related to WEB, and combining an IP address and the port number to determine a firewall access control rule;
if the target equipment is a network middleware, selecting a corresponding security protection rule from preset network security policies according to version and/or type information of the network middleware, and determining the security protection rule as a target network security policy of the network middleware;
if the target equipment is a database, selecting a corresponding security protection rule from preset network security policies according to version and/or type information of the database, and determining the security protection rule as the target network security policy of the database.
6. An electronic device, comprising:
a memory for storing a computer program;
a processor for running a computer program stored in the memory to implement the method of any one of claims 1-4.
7. A computer-readable storage medium, characterized in that a computer program is stored thereon;
the computer program implementing the method according to any of claims 1-4 when executed by a processor.
CN202111055024.3A 2021-09-09 2021-09-09 Network security configuration method, device and storage medium Active CN113726813B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111055024.3A CN113726813B (en) 2021-09-09 2021-09-09 Network security configuration method, device and storage medium

Publications (2)

Publication Number Publication Date
CN113726813A CN113726813A (en) 2021-11-30
CN113726813B true CN113726813B (en) 2023-08-15

Family

ID=78682961

Country Status (1)

Country Link
CN (1) CN113726813B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114338231B (en) * 2022-02-22 2023-10-31 浙江网商银行股份有限公司 Policy processing method and system

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103516555A (en) * 2013-10-23 2014-01-15 中国科学院信息工程研究所 Network device monitoring method and system
CN107800709A (en) * 2017-11-06 2018-03-13 杭州迪普科技股份有限公司 A kind of method and device for generating network attack detection strategy
CN109005198A (en) * 2018-09-12 2018-12-14 杭州和利时自动化有限公司 A kind of controller attack protection security strategy generation method and system
CN110198313A (en) * 2019-05-23 2019-09-03 新华三信息安全技术有限公司 A kind of method and device of strategy generating
CN111669401A (en) * 2020-06-22 2020-09-15 南方电网数字电网研究院有限公司 Security protection method and device for network system, computer equipment and storage medium
CN111787001A (en) * 2020-06-30 2020-10-16 中国电子科技集团公司电子科学研究院 Network security information processing method and device, electronic equipment and storage medium
CN113114647A (en) * 2021-04-01 2021-07-13 海尔数字科技(青岛)有限公司 Network security risk detection method and device, electronic equipment and storage medium
CN113179271A (en) * 2021-04-28 2021-07-27 深圳前海微众银行股份有限公司 Intranet security policy detection method and device
CN113285906A (en) * 2020-02-19 2021-08-20 北京百度网讯科技有限公司 Security policy configuration method, device, equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7451488B2 (en) * 2003-04-29 2008-11-11 Securify, Inc. Policy-based vulnerability assessment

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103516555A (en) * 2013-10-23 2014-01-15 中国科学院信息工程研究所 Network device monitoring method and system
CN107800709A (en) * 2017-11-06 2018-03-13 杭州迪普科技股份有限公司 A kind of method and device for generating network attack detection strategy
CN109005198A (en) * 2018-09-12 2018-12-14 杭州和利时自动化有限公司 A kind of controller attack protection security strategy generation method and system
CN110198313A (en) * 2019-05-23 2019-09-03 新华三信息安全技术有限公司 A kind of method and device of strategy generating
CN113285906A (en) * 2020-02-19 2021-08-20 北京百度网讯科技有限公司 Security policy configuration method, device, equipment and storage medium
CN111669401A (en) * 2020-06-22 2020-09-15 南方电网数字电网研究院有限公司 Security protection method and device for network system, computer equipment and storage medium
CN111787001A (en) * 2020-06-30 2020-10-16 中国电子科技集团公司电子科学研究院 Network security information processing method and device, electronic equipment and storage medium
CN113114647A (en) * 2021-04-01 2021-07-13 海尔数字科技(青岛)有限公司 Network security risk detection method and device, electronic equipment and storage medium
CN113179271A (en) * 2021-04-28 2021-07-27 深圳前海微众银行股份有限公司 Intranet security policy detection method and device

Also Published As

Publication number Publication date
CN113726813A (en) 2021-11-30

Similar Documents

Publication Publication Date Title
WO2019242007A1 (en) Device configuration method and apparatus, client terminal device, and cloud server
EP2942750A1 (en) Computer system for distributed discovery of vulnerabilities in applications
CN107623698B (en) Method and device for remotely debugging network equipment
US7971238B2 (en) Two-factor authentication of a remote administrator
JP2014506045A (en) Network stimulation engine
US20120317287A1 (en) System and method for management of devices accessing a network infrastructure via unmanaged network elements
US10628764B1 (en) Method of automatically generating tasks using control computer
KR102108376B1 (en) Inspection system for inspecting computers in computer systems on the inspection network
CN112039868A (en) Firewall policy verification method, device, equipment and storage medium
KR102533536B1 (en) A method, an apparatus, an electronic device and a storage medium for communicating between private networks
CN109302397B (en) Network security management method, platform and computer readable storage medium
CN106648838B (en) Resource pool management configuration method and device
CN113726813B (en) Network security configuration method, device and storage medium
US9389991B1 (en) Methods, systems, and computer readable mediums for generating instruction data to update components in a converged infrastructure system
CN111147285B (en) Cloud security product unified management method
CN106603567B (en) Login management method and device for a WEB administrator
CN111736947A (en) Open type multi-person online teaching system and experimental method
CN115604095A (en) Network equipment configuration method and system
CN113726587B (en) Network security management method and equipment
US11784996B2 (en) Runtime credential requirement identification for incident response
CN111447080B (en) Private network decentralization control method, device and computer readable storage medium
KR102021466B1 (en) Method and apparatus for configuring test environment of tactical data link software and computer readible storage medium therefor
JP7074187B2 (en) Monitoring equipment, monitoring methods and programs
CN112637873A (en) Robustness testing method and device based on wireless communication network of unmanned system
Olivero Asset Discovery Tools Supporting Cybersecurity Inventory

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
CB02 Change of applicant information

Address after: Room 402, block B, Qingdao International Innovation Park, No.1 Keyuan Weiyi Road, Zhonghan street, Laoshan District, Qingdao City, Shandong Province, 266101

Applicant after: Haier digital technology (Qingdao) Co.,Ltd.

Applicant after: CAOS industrial Intelligence Research Institute (Qingdao) Co.,Ltd.

Applicant after: Karos IoT Technology Co.,Ltd.

Address before: Room 402, block B, Qingdao International Innovation Park, No.1 Keyuan Weiyi Road, Zhonghan street, Laoshan District, Qingdao City, Shandong Province, 266101

Applicant before: Haier digital technology (Qingdao) Co.,Ltd.

Applicant before: QINGDAO HAIER INDUSTRIAL INTELLIGENCE RESEARCH INSTITUTE Co.,Ltd.

Applicant before: Haier Kaos IOT Technology Co.,Ltd.

Address after: Room 402, block B, Qingdao International Innovation Park, No.1 Keyuan Weiyi Road, Zhonghan street, Laoshan District, Qingdao City, Shandong Province, 266101

Applicant after: Haier digital technology (Qingdao) Co.,Ltd.

Applicant after: QINGDAO HAIER INDUSTRIAL INTELLIGENCE RESEARCH INSTITUTE Co.,Ltd.

Applicant after: Haier Kaos IOT Technology Co.,Ltd.

Address before: Room 402, block B, Qingdao International Innovation Park, No.1 Keyuan Weiyi Road, Zhonghan street, Laoshan District, Qingdao City, Shandong Province, 266101

Applicant before: Haier digital technology (Qingdao) Co.,Ltd.

Applicant before: QINGDAO HAIER INDUSTRIAL INTELLIGENCE RESEARCH INSTITUTE Co.,Ltd.

Applicant before: Haier CAOS IOT Ecological Technology Co.,Ltd.

GR01 Patent grant
CP03 Change of name, title or address

Address after: 3003, Building D1, Qingdao International Innovation Park, No.1 Keyuan Weiyi Road, Laoshan District, Qingdao City, Shandong Province, 266100

Patentee after: Kaos Digital Technology (Qingdao) Co.,Ltd.

Patentee after: CAOS industrial Intelligence Research Institute (Qingdao) Co.,Ltd.

Patentee after: Karos IoT Technology Co.,Ltd.

Address before: Room 402, block B, Qingdao International Innovation Park, No.1 Keyuan Weiyi Road, Zhonghan street, Laoshan District, Qingdao City, Shandong Province, 266101

Patentee before: Haier digital technology (Qingdao) Co.,Ltd.

Patentee before: CAOS industrial Intelligence Research Institute (Qingdao) Co.,Ltd.

Patentee before: Karos IoT Technology Co.,Ltd.