CN114221808B - Security policy deployment method and device, computer equipment and readable storage medium - Google Patents


Info

Publication number: CN114221808B
Authority: CN (China)
Prior art keywords: information, host, deployment, communication connection, security policy
Legal status: Active
Application number: CN202111525314.XA
Other languages: Chinese (zh)
Other versions: CN114221808A (en)
Inventor: 潘长俨
Current assignee: Ping An E Wallet Electronic Commerce Co Ltd
Original assignee: Ping An E Wallet Electronic Commerce Co Ltd
Events: application filed by Ping An E Wallet Electronic Commerce Co Ltd (priority to CN202111525314.XA); publication of CN114221808A; application granted; publication of CN114221808B; current legal status Active.

Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/20 ... for managing network security; network security policies in general
        • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L41/08 Configuration management of networks or network elements
                • H04L41/0803 Configuration setting
        • H04L43/00 Arrangements for monitoring or testing data switching networks
            • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
                • H04L43/0805 ... by checking availability
                    • H04L43/0811 ... by checking availability by checking connectivity
        • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/14 Session management
                • H04L67/141 Setup of application sessions

Abstract

The invention relates to the technical field of cloud deployment and discloses a security policy deployment method and device, computer equipment and a readable storage medium. The method comprises: acquiring a demand form, constructing a communication connection between a source host and a target host according to the demand form, and deploying a security policy on that connection; judging whether the security policy was successfully deployed on the connection; if so, checking the connectivity of the connection; and if the connection passes the connectivity check, generating deployment success information and sending it to the terminal. Because the communication connection is constructed automatically from the demand form and the corresponding security policy is deployed with it, the deployment efficiency of connections and their security policies is greatly improved, and the timeliness and accuracy of connection construction and policy deployment are ensured.

Description

Security policy deployment method and device, computer equipment and readable storage medium
Technical Field
The present invention relates to the field of cloud deployment technologies, and in particular, to a security policy deployment method, a security policy deployment device, a computer device, and a readable storage medium.
Background
Security policy: a set of rules governing all security-related activities within a security domain (typically the processing and communication resources belonging to an organization).
At present, a security policy is usually deployed by manually constructing the communication connection between a source host and a target host and then logging in to a firewall to deploy the policy for that connection. This is inefficient, and the process of constructing the connection and deploying the policy is cumbersome; the inventors therefore recognized that once a large number of connections must be constructed and policies deployed, progress on both becomes slow.
Disclosure of Invention
The invention aims to provide a security policy deployment method and device, computer equipment and a readable storage medium, which solve the prior-art problem that construction of communication connections and deployment of their security policies proceed slowly once a large number of connections must be constructed and policies deployed.
To achieve the above object, the present invention provides a security policy deployment method, including:
acquiring a demand form, constructing a communication connection between a source host and a target host according to the demand form, and deploying a security policy on the communication connection; the demand form records host information representing the source host and the target host, and deployment scripts that call a firewall to deploy the security policy; the security policy represents how the firewall is configured for the communication connection;
judging whether the security policy has been successfully deployed on the communication connection;
if the deployment succeeded, checking the connectivity of the communication connection; the connectivity check controls the source host to send a data packet to the target host in order to judge whether the source host can reach the target host over the communication connection;
and if the communication connection passes the connectivity check, generating deployment success information and sending it to the terminal.
In the above solution, before acquiring the demand form, the method further includes:
receiving demand information sent by a terminal and recording it in the demand form; the demand information comprises host information and a deployment script, where the host information records the source information and target information used to construct the communication connection between the source host and the target host, and the deployment script characterizes the security policy deployment requirement of that connection.
In the above solution, judging whether the security policy has been successfully deployed on the communication connection includes:
controlling the source host to attempt, over the communication connection, to access ports of the target host other than the target port;
if the source host cannot access those other ports, determining that the security policy has been successfully deployed on the communication connection;
and if the source host can access any of those other ports, determining that the security policy has not been successfully deployed on the communication connection.
This check detects only an over-permissive rule (one that opens more than the target port); it does not establish that the target port itself is reachable, which is what the connectivity check below verifies.
In the above solution, checking the connectivity of the communication connection includes:
invoking a preset test script to send a request message to the target host over the communication connection, and receiving the feedback message the target host returns in response;
if the feedback message carries an error code indicating that the communication connection is unreachable, judging that the connection fails the connectivity check;
and if the feedback message carries no such error code, judging that the connection passes the connectivity check.
In the above solution, after judging whether the source host can reach the target host over the communication connection, the method further includes:
if the communication connection fails the connectivity check, accessing the source host to acquire the number of packets lost during the connectivity check;
and/or accessing the firewall corresponding to the security policy and acquiring the firewall's session table;
and/or capturing the data packets exchanged during the connectivity check and performing a trace-back analysis of the captured packets to obtain an analysis result;
and integrating the packet loss count and/or the firewall session table and/or the analysis result into connectivity error reporting information, and sending it to the terminal.
In the above solution, after judging whether the security policy has been successfully deployed on the communication connection, the method further includes:
if the deployment was unsuccessful, extracting the deployment script corresponding to the demand information in the demand form, acquiring the interface number of the firewall interface called by that script, generating deployment error reporting information carrying the interface number, and sending it to the terminal.
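The deployment check, the connectivity check and their two failure branches, as an added Python example that is not part of the patent and not Ping An's code. The firewall is a small simulator standing in for the real device and its interface (an assumption; the real method calls a firewall API and reports an interface number, for which the script name is used here), the three deployment scripts are constructed to show one correct script and two typical defects, and the probe ports and TEST-NET addresses are constructed. It shows why the method needs both checks: the negative port probe catches a rule that is wider than requested, but only the connectivity check catches a rule written for the wrong port.

```python
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Policy:
    """The communication connection the demand form asks for."""
    src: str
    dst: str
    proto: str
    dport: int


class SimFirewall:
    """Stand-in for the real firewall (assumption): a list of allow rules
    (src, dst, proto, dport); dport None means any port. Default deny."""

    def __init__(self):
        self.rules = []

    def add_rule(self, src, dst, proto, dport=None):
        self.rules.append((src, dst, proto, dport))

    def permits(self, src, dst, proto, dport):
        return any(s == src and d == dst and p == proto and (dp is None or dp == dport)
                   for s, d, p, dp in self.rules)


# Three constructed deployment scripts: one correct, two defective.
def deploy_exact(fw, pol):          # correct: exactly the requested five-tuple
    fw.add_rule(pol.src, pol.dst, pol.proto, pol.dport)


def deploy_wildcard(fw, pol):       # defect: port omitted, rule is over-permissive
    fw.add_rule(pol.src, pol.dst, pol.proto)


def deploy_wrong_port(fw, pol):     # defect: typo in the port number (80 -> 8080)
    fw.add_rule(pol.src, pol.dst, pol.proto, pol.dport + 8000)


PROBE_PORTS = (22, 80, 443, 3306, 3389)   # constructed set of "other ports" to probe


def check_deployment(fw, pol, probe_ports=PROBE_PORTS):
    """Deployment check: from the source host, probe target ports other than the
    target port; any reachable one means the policy is wider than requested."""
    leaked = [p for p in probe_ports
              if p != pol.dport and fw.permits(pol.src, pol.dst, pol.proto, p)]
    return not leaked, leaked


def send_request(fw, pol, count=4):
    """Stand-in for the preset test script: sends `count` probes over the
    connection and returns feedback carrying an error code if it is unreachable."""
    if fw.permits(pol.src, pol.dst, pol.proto, pol.dport):
        return {"sent": count, "received": count, "error": None}
    return {"sent": count, "received": 0, "error": "ETIMEDOUT"}


def check_connectivity(fw, pol):
    """Connectivity check: pass only if the feedback carries no error code."""
    feedback = send_request(fw, pol)
    return feedback["error"] is None, feedback


def deploy_and_verify(fw, pol, script, script_name):
    """Run the script, then both checks; return the message for the terminal."""
    script(fw, pol)
    ok, leaked = check_deployment(fw, pol)
    if not ok:                       # deployment error reporting information
        return {"status": "deploy_error", "script": script_name, "leaked_ports": leaked}
    ok, fb = check_connectivity(fw, pol)
    if not ok:                       # connectivity error reporting information
        return {"status": "connectivity_error", "script": script_name,
                "packet_loss": fb["sent"] - fb["received"], "error": fb["error"]}
    return {"status": "success", "script": script_name, "host": asdict(pol)}


SAMPLE_POLICY = Policy("203.0.113.10", "198.51.100.20", "tcp", 80)  # constructed


def demo():
    """Run the three scripts against fresh firewalls; returns the three reports."""
    return [deploy_and_verify(SimFirewall(), SAMPLE_POLICY, s, n)
            for s, n in ((deploy_exact, "exact"), (deploy_wildcard, "wildcard"),
                         (deploy_wrong_port, "wrong_port"))]


if __name__ == "__main__":
    for report in demo():
        print(report)
```

The wildcard script is rejected at the deployment check because every probed port other than 80 is reachable; the wrong-port script passes that check (no probed port is open) and is only caught when the request to port 80 times out, which is why the method runs the connectivity check after a successful deployment check rather than instead of it.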
In the above solution, after sending the deployment success information to the terminal, the method further includes:
when change information sent by a terminal is received, extracting the original host information in the change information and identifying the host information and deployment script corresponding to that original host information in the demand form; replacing that host information and/or deployment script with the host change information and/or deployment change script carried in the change information, so as to update the demand form;
acquiring the updated host change information from the demand form, constructing a changed communication connection between the source host and the target host according to the host change information, and deploying a security policy on the changed connection according to the deployment script or the deployment change script; or
acquiring the host information from the updated demand form and deploying a security policy on the communication connection corresponding to that host information according to the deployment change script;
and uploading the change information to a blockchain.
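The change handling above (update the demand form, then either rebuild the connection or only redeploy the policy, then record the change), as an added Python example that is not part of the patent and not Ping An's code. The demand form is a list of entries keyed by the five-tuple, the change information carries the original host information plus an optional new five-tuple and/or new script, and the blockchain upload is replaced by a local SHA-256 hash chain that only illustrates the tamper-evidence property (an assumption; it is not a blockchain client). Script names and addresses are constructed.

```python
import hashlib
import json


def sample_form():
    """Constructed demand form with one entry. Host information is the five-tuple
    (src_addr, src_port, proto, dst_addr, dst_port); script is the script name."""
    return [{"host": ("203.0.113.10", 40000, "TCP", "198.51.100.20", 80),
             "script": "allow_web_v1.sh"}]


def append_audit(chain, change):
    """Stand-in for 'upload the change information to a blockchain': append a
    SHA-256 hash-chained record so later tampering with any record is detectable."""
    prev = chain[-1]["hash"] if chain else "0" * 64
    record = json.dumps(change, sort_keys=True)
    digest = hashlib.sha256((prev + record).encode()).hexdigest()
    chain.append({"prev": prev, "record": record, "hash": digest})
    return digest


def verify_audit(chain):
    """Recompute every link; False if any record or hash was altered."""
    prev = "0" * 64
    for block in chain:
        if block["prev"] != prev:
            return False
        if hashlib.sha256((prev + block["record"]).encode()).hexdigest() != block["hash"]:
            return False
        prev = block["hash"]
    return True


def apply_change(form, change, chain):
    """change = {"original": five-tuple, "host": new five-tuple or None,
                 "script": new script name or None}.
    Updates the form in place, records the change, and returns the action the
    deployer must take next."""
    matches = [i for i, e in enumerate(form)
               if tuple(e["host"]) == tuple(change["original"])]
    if not matches:
        raise LookupError("original host information not found in demand form")
    idx = matches[0]
    new_host = tuple(change.get("host") or form[idx]["host"])
    new_script = change.get("script") or form[idx]["script"]
    form[idx] = {"host": new_host, "script": new_script}
    append_audit(chain, {"original": list(change["original"]),
                         "host": list(new_host), "script": new_script})
    if change.get("host"):
        # host information changed: build the changed connection and deploy the
        # policy on it with the (possibly unchanged) script
        return ("rebuild_connection", new_host, new_script)
    # only the script changed: redeploy the policy on the existing connection
    return ("redeploy_policy", new_host, new_script)


if __name__ == "__main__":
    form, chain = sample_form(), []
    orig = form[0]["host"]
    print(apply_change(form, {"original": orig, "host": None,
                              "script": "allow_web_v2.sh"}, chain))
    print(apply_change(form, {"original": orig,
                              "host": ("203.0.113.10", 40000, "TCP", "198.51.100.21", 80),
                              "script": None}, chain))
    print("audit chain intact:", verify_audit(chain))
```

The second change moves the target address, so the returned action asks for a new connection while keeping the script that the first change installed; after that change the original five-tuple no longer exists in the form, so a third change referencing it raises rather than silently updating a different entry.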
To achieve the above object, the present invention further provides a security policy deployment device, including:
a policy deployment module, used to acquire a demand form, construct a communication connection between a source host and a target host according to the demand form, and deploy a security policy on the communication connection; the demand form records host information representing the source host and the target host, and deployment scripts that call a firewall to deploy the security policy; the security policy represents how the firewall is configured for the communication connection;
a deployment judging module, used to judge whether the security policy has been successfully deployed on the communication connection;
a connectivity checking module, used to check the connectivity of the communication connection; the connectivity check controls the source host to send a data packet to the target host in order to judge whether the source host can reach the target host over the communication connection;
and a success feedback module, used to generate deployment success information and send it to the terminal.
To achieve the above object, the present invention also provides a computer device, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the steps of the above-mentioned security policy deployment method are implemented when the processor of the computer device executes the computer program.
To achieve the above object, the present invention further provides a computer readable storage medium having a computer program stored thereon, which when executed by a processor, implements the steps of the above-described security policy deployment method.
With the security policy deployment method and device, computer equipment and readable storage medium described above, constructing the communication connection between the source host and the target host according to the demand form and deploying the security policy on that connection yields a persistent connection with its security policy, so the source host does not need to redeploy the policy each time it accesses the target host. The connection can be constructed merely by reading the host information in the demand form, and the security policy deployed merely by running the deployment script. This avoids the inefficiency and complexity of manually constructing the connection between the source host and the target host and manually deploying the security policy on it.
Judging whether the security policy has been successfully deployed on the connection verifies the deployment itself, and checking the connectivity of the connection ensures both that the policy deployment is reliable and that the connection carrying it is usable. Deployment success information carrying the host information and the deployment script name is generated and sent to the terminal, so that the terminal has a clear picture of the current state of the connection.
Because the communication connection is constructed automatically from the demand form and the corresponding security policy is deployed with it, the deployment efficiency of connections and their security policies is greatly improved, and the timeliness and accuracy of connection construction and policy deployment are ensured.
Drawings
FIG. 1 is a flowchart of a security policy deployment method according to a first embodiment of the present invention;
FIG. 2 is a schematic diagram of the application environment of the security policy deployment method in a second embodiment of the present invention;
FIG. 3 is a flowchart of a specific method of the security policy deployment method in the second embodiment of the present invention;
FIG. 4 is a schematic diagram of the program modules of a security policy deployment device according to a third embodiment of the present invention;
FIG. 5 is a schematic diagram of the hardware structure of a computer device according to a fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The security policy deployment method, the security policy deployment device, the computer equipment and the readable storage medium are suitable for the technical field of cloud deployment and provide the security policy deployment method based on the policy deployment module, the deployment judging module, the connectivity checking module and the success feedback module. According to the invention, communication connection between a source host and a target host is constructed according to a demand form, and a security policy is deployed on the communication connection; judging whether the security policy is successfully deployed on the communication connection; if the deployment is successful, checking connectivity of the communication connection; and if the communication connection passes the connectivity check, generating deployment success information and sending the deployment success information to the terminal.
Embodiment one:
Referring to FIG. 1, the security policy deployment method of this embodiment includes:
S102: acquiring a demand form, constructing a communication connection between a source host and a target host according to the demand form, and deploying a security policy on the communication connection; the demand form records host information representing the source host and the target host, and deployment scripts that call a firewall to deploy the security policy; the security policy represents how the firewall is configured for the communication connection;
S103: judging whether the security policy has been successfully deployed on the communication connection;
S104: if the deployment succeeded, checking the connectivity of the communication connection; the connectivity check controls the source host to send a data packet to the target host in order to judge whether the source host can reach the target host over the communication connection;
S105: if the communication connection passes the connectivity check, generating deployment success information and sending it to the terminal.
In an exemplary embodiment, constructing the communication connection between the source host and the target host according to the demand form and deploying a security policy on that connection yields a persistent connection with its security policy, so the policy is not redeployed each time the source host accesses the target host. The connection is constructed automatically from the demand form and the security policy is deployed on it by the deployment script recorded in the form; thanks to the demand form, the connection can be constructed merely by reading the host information in it and the policy deployed merely by running the script. This avoids the inefficiency and complexity of manually constructing the connection between the source host and the target host and manually deploying the security policy on it.
Judging whether the security policy has been successfully deployed on the connection verifies the deployment itself, and checking the connectivity of the connection ensures both that the policy deployment is reliable and that the connection carrying it is usable.
Deployment success information carrying the host information and the deployment script name is generated and sent to the terminal, so that the terminal has a clear picture of the current state of the connection.
In summary, the communication connection is constructed automatically from the demand form and the corresponding security policy is deployed with it, which greatly improves the deployment efficiency of connections and their security policies and ensures the timeliness and accuracy of connection construction and policy deployment.
Embodiment two:
the present embodiment is a specific application scenario of the first embodiment, and by this embodiment, the method provided by the present invention can be more clearly and specifically described.
The method of this embodiment is described below by taking as an example a server running the security policy deployment method, which constructs a communication connection between a source host and a target host according to a demand form, deploys a security policy on the connection, judges whether the deployment succeeded, and checks the connectivity of the connection. This embodiment is only exemplary and does not limit the scope of protection of the invention.
Fig. 2 schematically illustrates an environment application schematic diagram of a security policy deployment method according to a second embodiment of the present application.
In the exemplary embodiment, the server 2 running the security policy deployment method is connected to the source host 3 and the target host 4 through a network. The server 2 may provide services over one or more networks, and the network may include network devices such as routers, switches, multiplexers, hubs, modems, bridges, repeaters, firewalls and proxy devices. The network may include physical links such as coaxial cable, twisted-pair cable or fiber-optic links, or combinations of these, and wireless links such as cellular, satellite or Wi-Fi links. The terminal 5 may be a computer device such as a smartphone, tablet computer, notebook computer or desktop computer.
Fig. 3 is a flowchart of a specific method of a security policy deployment method according to an embodiment of the present invention, where the method specifically includes steps S201 to S208.
S201: receiving demand information sent by a terminal, and recording the demand information in a preset demand form; the demand information comprises host information and a deployment script, where the host information records the source information and target information used to construct the communication connection between the source host and the target host, and the deployment script characterizes the security policy deployment requirement of that connection.
The demand form is built from the demand information sent by the terminal so that the requirement to construct a communication connection, and to deploy a security policy on it, can be reused; this avoids the low inter-host communication efficiency that would result from having to fetch demand information from the terminal and construct the connection anew each time the source accesses the target. The source information comprises a source address and a source port, the target information comprises a target address and a target port, and the host information also comprises protocol information characterizing the protocol type of the communication connection. The source host and the target host are computer application modules or computer systems.
Illustratively, the demand information consists of a five-tuple: source address 192.168.1.1, source port 10000, protocol TCP, target address 121.14.88.76, target port 80. It means that the host with IP address 192.168.1.1 connects from its port 10000, using TCP, to port 80 of the host with IP address 121.14.88.76. Note that 192.168.1.1 lies in the Class C private range listed under step S12 below, so under the private-address security rule described there this particular demand information would be rejected.
In a preferred embodiment, building the demand form from the demand information includes:
S11: extracting the host information and the deployment script from the demand information;
S12: judging whether the host information conforms to a preset security rule;
S13: if so, storing the host information and the deployment script in the demand form and establishing an association between them in the form;
S14: if not, marking the content of the host information that violates the security rule, converting the host information into host error reporting information, and sending it to the terminal.
In this embodiment, the security rule consists of judgment content and a judgment condition built on that content; if the host information satisfies the judgment condition, it is determined to conform to the security rule. For example, the judgment content is the private network address and the judgment condition is that the host information contains no private network address.
Specifically, judging whether the host information conforms to the preset security rule includes:
extracting the source address and the target address from the host information;
judging whether the source address and the target address are private network addresses;
if the source address and/or the target address is a private network address, judging that the host information does not conform to the security rule;
and if neither the source address nor the target address is a private network address, judging that the host information conforms to the security rule.
It should be noted that a private network address is a private IP address used inside a local area network; the private address ranges (RFC 1918) are:
Class A: 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
Class B: 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
Class C: 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
Private addresses are used only within internal networks such as local area networks and must not appear on the public network, so routers on the public Internet do not forward datagrams addressed to a private network address.
Optionally, the security rule is built from a white list and/or a black list.
The white list describes host information that is allowed to build a communication connection. For example: if both the source information and the target information in the host information belong to the white list, the host information is judged to contain nothing that violates the security rule; if the source information and/or the target information does not belong to the white list, the host information is judged to violate the security rule, and the source and/or target information not on the white list is the content that violates the rule.
The black list describes host information that is not allowed to build a communication connection. For example: if neither the source information nor the target information belongs to the black list, the host information is judged to contain nothing that violates the security rule; if the source information and/or the target information belongs to the black list, the host information is judged to violate the security rule, and the source and/or target information on the black list is the content that violates the rule.
In summary, by building the demand form and checking whether the host information in it conforms to the security rule, this step prevents a private network address, a black-listed IP address or an IP address absent from the white list from being entered into the form; such entries would either make it impossible to construct a communication connection between the source and the target, or fraudulently construct a connection to a source and/or target that is a risky IP and allow the data of the source and/or target to be obtained maliciously. By sending the error reporting information to the terminal promptly, the step ensures that the terminal can identify and correct the private network address and/or risky IP in the demand information in time, which guarantees the availability and reliability of the subsequent demand form.
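The security-rule check of steps S11 to S14, with the private-address rule and the optional white and black lists, as an added Python example that is not part of the patent and not Ping An's code. The demand information is modelled as the five-tuple described above plus a deployment script name; the script names, the black list and the TEST-NET sample entries are constructed for the example. The sample also includes the page's own illustrative five-tuple (192.168.1.1:10000 to 121.14.88.76:80), which the private-address rule rejects because the source lies in 192.168.0.0/16. Beyond what the text states, the check also rejects malformed addresses and out-of-range ports, since a demand form that later drives firewall calls should never carry values the firewall cannot interpret.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 private ranges: the "judgment content" of the security rule.
PRIVATE_NETS = tuple(ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


@dataclass(frozen=True)
class HostInfo:
    """The five-tuple carried in the demand information."""
    src_addr: str
    src_port: int
    proto: str
    dst_addr: str
    dst_port: int


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def check_security_rule(host, allow_list=None, deny_list=None):
    """Step S12. Returns the list of violations as (field, value, reason);
    an empty list means the host information conforms to the rule.
    allow_list / deny_list are sets of addresses (None disables that list)."""
    violations = []
    for field in ("src_addr", "dst_addr"):
        addr = getattr(host, field)
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            violations.append((field, addr, "not an IP address"))
            continue
        if is_private(addr):
            violations.append((field, addr, "private network address"))
        if allow_list is not None and addr not in allow_list:
            violations.append((field, addr, "not on white list"))
        if deny_list is not None and addr in deny_list:
            violations.append((field, addr, "on black list"))
    for field in ("src_port", "dst_port"):
        port = getattr(host, field)
        if not 1 <= port <= 65535:
            violations.append((field, port, "port out of range"))
    return violations


def build_demand_form(demands, allow_list=None, deny_list=None):
    """Steps S11 to S14: accepted entries go into the demand form with the host
    information associated to its deployment script; rejected ones become host
    error reporting information for the terminal, with the offending fields marked."""
    form, errors = [], []
    for host, script in demands:
        violations = check_security_rule(host, allow_list, deny_list)
        if violations:
            errors.append({"host": host, "marked": violations})
        else:
            form.append({"host": host, "script": script})
    return form, errors


# Constructed sample demand information. The first entry is the page's own
# illustration; the others use documentation (TEST-NET) addresses.
SAMPLE_DEMANDS = [
    (HostInfo("192.168.1.1", 10000, "TCP", "121.14.88.76", 80), "allow_web.sh"),
    (HostInfo("203.0.113.10", 40000, "TCP", "198.51.100.20", 443), "allow_tls.sh"),
    (HostInfo("203.0.113.10", 40001, "TCP", "198.51.100.99", 22), "allow_ssh.sh"),
]
DENY_LIST = {"198.51.100.99"}   # constructed "risk IP"


def demo():
    return build_demand_form(SAMPLE_DEMANDS, deny_list=DENY_LIST)


if __name__ == "__main__":
    form, errors = demo()
    for entry in form:
        print("accepted:", entry)
    for err in errors:
        print("rejected:", err["host"], "->", err["marked"])
```

Only the TLS entry reaches the demand form; the page's own example is rejected on its private source address and the SSH entry on its black-listed target, and each rejection carries the marked field so the terminal can correct exactly that value as step S14 requires.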
S202: acquiring the demand form, constructing a communication connection between the source host and the target host according to the demand form, and deploying a security policy on the communication connection; the demand form records host information representing the source host and the target host, and deployment scripts that call a firewall to deploy the security policy; the security policy represents how the firewall is configured for the communication connection.
To keep a persistent communication connection between the two hosts and maintain the security policy on it, and to avoid the source host having to redeploy the policy each time it accesses the target host, the connection is constructed between the source host and the target host according to the demand form and the security policy is deployed on it, which yields a persistent connection with its security policy.
The connection is constructed automatically from the demand form and the security policy deployed on it by the deployment script recorded in the form, so the connection can be constructed merely by reading the host information in the form and the policy deployed merely by running the script. This avoids the inefficiency of the current practice of constructing connections and deploying security policies by hand.
In a preferred embodiment, said constructing a communication connection between said source host and said target host according to said demand form and deploying a security policy on said communication connection comprises:
s21: polling the host information in the requirement form.
In this step, a polling method is used to acquire the host information in the demand form and to identify the source host and target host that need to be connected; whether a communication connection has already been established between the source host and the target host is judged; if so, the next host information in the demand form is extracted; if not, the host information is extracted from the requirement form for connection construction.
The concept of the polling method is as follows: the CPU sends an inquiry at regular intervals, asking each peripheral device (such as the computer application module and/or the computer system) in turn whether it needs service; if so, the service is provided, and after it is finished the next peripheral is asked, and the process repeats.
In this embodiment, the source information in the host information is extracted, and a service query message whose content is the host information is sent to the first peripheral device corresponding to the source information; if the first peripheral device has already established a communication connection with the second peripheral device corresponding to the target information in the host information, a service rejection message sent by the first peripheral device is received; if the first peripheral device has not established a communication connection with the second peripheral device, a service request message sent by the first peripheral device is received.
S22: identifying the source host corresponding to the source information in the host information and the target host corresponding to the target information in the host information.
According to the source information, the peripheral devices connected to the server running the security policy deployment method are queried and traversed to acquire their device information; the peripheral device whose device information matches the source information is set as the source host, and the peripheral device whose device information matches the target information is set as the target host; the device information includes address information (e.g., IP address) and port information (e.g., port number).
S23: extracting the protocol information in the host information, and constructing a communication connection between the source host and the target host according to the protocol information.
In this step, the protocol information refers to a network protocol, that is, a set of rules, standards or conventions established for data exchange in a computer network; it includes the TCP/IP protocol (Transmission Control Protocol/Internet Protocol), the NetBEUI protocol (NetBIOS Enhanced User Interface) and the IPX protocol (Internetwork Packet Exchange).
According to the protocol information, namely the TCP/IP protocol, the NetBEUI protocol or the IPX protocol, a communication connection is constructed between the source host and the target host.
S24: extracting the deployment script corresponding to the requirement information in the requirement form, and running the deployment script to call a preset firewall interface, so as to construct on the communication connection a firewall that meets the deployment requirement in the deployment script, thereby deploying the security policy on the communication connection.
In this step, the deployment script is a computer script that triggers a firewall interface; it records the deployment requirement of the developer, or of the terminal where the user is located, for the firewall deployment mode of the communication connection. The deployment script calls the firewall interface of the firewall, which reflects the terminal's firewall deployment mode for the communication connection, and passes the deployment parameters in the deployment script (such as the firewall grade and the packet capturing frequency) into the firewall interface, so that a firewall is constructed on the communication connection and the security policy is thereby deployed on it.
It should be noted that a firewall is a technology that combines various software and hardware devices for security management and screening in order to build a relatively isolated protective barrier between the internal network and the external network, so as to protect user data and information security. Firewall deployment modes include bridge mode, gateway mode, NAT mode, and so on.
The bridge mode, also called transparent mode, inserts a firewall device between the terminal and the server to control the traffic passing through it.
The gateway mode is suitable when the internal network and the external network are not in the same network segment: the firewall is configured with gateway addresses and performs the function of a router, forwarding between the different network segments. The gateway mode has higher security than the bridge mode; it achieves security isolation while performing access control, and provides a certain degree of privacy.
In the NAT mode, using NAT (Network Address Translation) technology, the firewall translates the IP addresses of the internal network: it replaces the internal source address with the IP address of the firewall when sending data to the external network, and when the response traffic from the external network returns to the firewall, it replaces the destination address with the original internal source address. In NAT mode the external network cannot directly see the IP addresses of the internal network, which further strengthens the protection of the internal network. At the same time, in a NAT-mode network the internal network can use private network addresses, which alleviates the problem of the limited number of IP addresses.
S203: judging whether the security policy is successfully deployed on the communication connection;
in a preferred embodiment, said determining whether said security policy was successfully deployed on said communication connection comprises:
s31: controlling the source host to access other ports except the target port in the target host through the communication connection;
s32: if the source host cannot access the other ports, determining that the security policy has been successfully deployed on the communication connection;
s33: if the source host can access the other ports, determining that the security policy has not been successfully deployed on the communication connection.
In this embodiment, the source host is controlled to generate a telnet command for accessing a port other than the target port in the target host, for example the telnet command telnet 127.0.0.1 8022, where the target port is 8080 and the other port is 8022;
if the source host cannot access the other port in the target host, for example the response is: connecting to 127.0.0.1..., the connection to the host cannot be opened, connection to port 8022 failed; this indicates that the security policy on the communication connection has been successfully deployed.
If the source host can access the other port in the target host, this indicates that the security policy on the communication connection has not been successfully deployed.
It should be noted that the telnet command is a computer instruction for remotely logging into the target host and accessing the target host port.
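The deployment check S31-S33 above, written out as an added Python example (not code from the patent): a TCP connection attempt stands in for the telnet command, and the policy counts as deployed only when none of the non-target ports answers. The `probe` argument is injectable so that the decision logic can be exercised without a network; the host and port values in the sample run are the page's own (127.0.0.1, 8080, 8022) plus an assumed extra port.

```python
import socket


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port can be opened within timeout.
    This plays the role of the telnet command in S31."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_policy_deployment(target_host: str, target_port: int, other_ports, probe=probe_tcp):
    """S31-S33: the policy counts as deployed only if none of the other ports is reachable.
    `probe(host, port) -> bool` is injectable so the logic can be tested offline."""
    leaked = [p for p in other_ports if p != target_port and probe(target_host, p)]
    return {
        "deployed": not leaked,                                # S32 / S33 decision
        "leaked_ports": leaked,                                # ports that answered but should not have
        "target_reachable": probe(target_host, target_port),   # informational; S204 checks this properly
    }


if __name__ == "__main__":
    # Sample run against the loopback host from the patent's example; 22 is an assumed extra port.
    print(verify_policy_deployment("127.0.0.1", 8080, [8022, 22]))
```

Reporting the leaked ports, rather than only a yes/no verdict, gives the terminal operator the same information the patent's error path needs when the script has to be corrected.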
S204: if the deployment is successful, checking the connectivity of the communication connection; the connectivity check controls the source host to send a data packet to the target host in order to judge whether the source host can access the target host through the communication connection.
In order to ensure that the security policy is successfully deployed on the communication connection and that the communication connection carrying the security policy is connected, this step first judges whether the security policy has been successfully deployed on the communication connection and then checks the connectivity of the communication connection, which guarantees both the reliability of the security policy deployment and the reliability of the communication connection on which the policy is deployed.
In a preferred embodiment, said checking connectivity of said communication connection comprises:
S41: invoking a preset test script to send a request message to the target host through the communication connection, and receiving a feedback message returned by the target host according to the request message;
s42: if the feedback message has error codes which indicate that the communication connection cannot be communicated, judging that the communication connection fails the connectivity check;
s43: if the feedback message has no error code indicating that the communication connection cannot communicate, judging that the communication connection passes the connectivity check.
Specifically, the source host is controlled to call a ping module that carries a verification script, and the ping module sends a request message to the target host according to the verification script; the verification script is a computer script that extracts the target address and target port from the target information of the host information and writes them into the ping command generated by the ping module as the parameters of that command. The feedback message generated by the target host in response to the request message is received; if the feedback message contains an error code indicating that the communication connection cannot communicate, for example error code 769, the communication connection is judged to have failed the connectivity check; if the feedback message contains no such error code, the communication connection is judged to have passed the connectivity check.
Note that the ping (Packet Internet Groper) module is a program for testing network connectivity, namely an Internet packet explorer. Ping is an application-layer service command in the TCP/IP network architecture: it sends an ICMP (Internet Control Message Protocol) Echo request message to a specific destination host, tests whether that host is reachable and learns its status.
S205: and if the communication connection passes the connectivity check, generating deployment success information, and sending the deployment success information to the terminal.
In this step, deployment success information carrying the host information and the name of the deployment script is generated and sent to the terminal, so that the terminal can clearly understand the current state of the communication connection.
S206: if the communication connection fails the connectivity check, accessing the source host to acquire the number of lost packets during the connectivity check;
and/or accessing a firewall corresponding to the security policy, and acquiring a firewall session table in the firewall;
and/or capturing the data packets that appear during the connectivity check, and performing backtracking analysis on the captured packets to obtain an analysis result;
and integrating the number of lost packets and/or the firewall session table and/or the analysis result to generate connectivity error reporting information, and sending the connectivity error reporting information to the terminal.
In order to help the terminal locate faults in the source host, the communication connection and the target host during the connectivity check, the source host is accessed to obtain the number of packets lost during the check, the firewall corresponding to the security policy is accessed to obtain its session table, and the data packets of the connectivity check are captured and analysed by backtracking to obtain an analysis result. The connectivity error reporting information then comprises the number of lost packets and/or the firewall session table and/or the analysis result, and from it the terminal can quickly and intuitively locate the faulty part among the source host, the communication connection and the target host.
Specifically, the accessing the source host to obtain the number of packet loss during the connectivity check includes:
logging in to the source host and obtaining the ping statistics on it, which include: the number of data packets carrying request messages that the source host sent to the target host based on the ping command, the number of those data packets the target host received, the number of data packets lost on the communication connection (i.e., the number of lost packets), and the time from sending a data packet from the source host until the feedback message returned by the target host is received; these ping statistics may also be entered into the connectivity error reporting information.
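The connectivity check S41-S43 and the ping statistics just described both work from the reply the ping module brings back, so one added Python example (not the patent's code) serves both: it parses constructed ping output in the iputils format for the counts the patent lists (sent, received, lost, loss percentage, round-trip time) and decides pass/fail. Two assumptions are made: the patent's numeric error codes are modelled as ping's textual error lines, and, going slightly beyond the text, a reply with no error line but zero packets received is also treated as a failed check, since the source host then did not reach the target host.

```python
import re

# Constructed sample output in the format of Linux iputils ping (not from the patent).
PING_OK = """PING 203.0.113.20 (203.0.113.20) 56(84) bytes of data.
64 bytes from 203.0.113.20: icmp_seq=1 ttl=63 time=0.412 ms
64 bytes from 203.0.113.20: icmp_seq=2 ttl=63 time=0.398 ms
64 bytes from 203.0.113.20: icmp_seq=4 ttl=63 time=0.401 ms

--- 203.0.113.20 ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3004ms
rtt min/avg/max/mdev = 0.398/0.404/0.412/0.006 ms
"""

PING_FAIL = """PING 203.0.113.21 (203.0.113.21) 56(84) bytes of data.
From 203.0.113.1 icmp_seq=1 Destination Host Unreachable
From 203.0.113.1 icmp_seq=2 Destination Host Unreachable

--- 203.0.113.21 ping statistics ---
4 packets transmitted, 0 received, +2 errors, 100% packet loss, time 3070ms
"""

# Assumption: the "error codes indicating that the connection cannot communicate" are
# represented here by ping's textual error lines rather than by numeric codes.
ERROR_PATTERNS = re.compile(
    r"Destination (?:Host|Net) Unreachable|Network is unreachable|Request timed out|Time to live exceeded",
    re.IGNORECASE)
STATS_RE = re.compile(
    r"(\d+) packets transmitted, (\d+) received.*?(\d+(?:\.\d+)?)% packet loss(?:, time (\d+)ms)?")
RTT_RE = re.compile(r"rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms")


def parse_ping_statistics(output: str) -> dict:
    """Extract the ping statistics the patent lists: sent, received, lost, loss %, round-trip time."""
    m = STATS_RE.search(output)
    if m is None:
        raise ValueError("no ping statistics block found")
    sent, received = int(m.group(1)), int(m.group(2))
    rtt = RTT_RE.search(output)
    return {
        "transmitted": sent,
        "received": received,
        "lost": sent - received,
        "loss_pct": float(m.group(3)),
        "total_time_ms": int(m.group(4)) if m.group(4) else None,
        "rtt_avg_ms": float(rtt.group(2)) if rtt else None,
        "errors": [line.strip() for line in output.splitlines() if ERROR_PATTERNS.search(line)],
    }


def connectivity_check(output: str) -> dict:
    """S42/S43: fail when an error indication is present; additionally (beyond the patent) fail
    when nothing came back at all, since the source host then did not reach the target host."""
    stats = parse_ping_statistics(output)
    passed = not stats["errors"] and stats["received"] > 0
    return {"passed": passed, "stats": stats}


if __name__ == "__main__":
    for sample in (PING_OK, PING_FAIL):
        print(connectivity_check(sample))
```

The `stats` dictionary is exactly what S206 wants to place into the connectivity error reporting information, so the same parse serves both the check and the error report.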
Further, the firewall session table is the log information recorded by the firewall about the whole process in which the source host sends a data packet to the target host through the communication connection and the target host returns feedback information to the source host according to that data packet.
The firewall session table includes: protocol, indicating the protocol of the session; VPN, used in a virtual firewall; ID, marking the unique session; zone, indicating the zone direction of the flow; TTL, the aging time of the session; left, the remaining time of the session; output-interface, the egress interface; next hop; MAC, the MAC address; reverse flow statistics; forward flow statistics; the quintuple, in the form source address:source port -> destination address:destination port; and policyName, the name of the matched policy.
Therefore, the firewall session table accurately represents the whole process of the source host sending the data packet to the target host and the target host sending a data packet back to the source host during the connectivity check, so that the terminal can analyse why the source host cannot access the target host through the communication connection.
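To show how a terminal can read the session table for the fault analysis described above, here is an added Python example (not the patent's code). The field set follows the patent's list; the `key=value` record layout, the values, and the three verdicts are assumptions of this example. A missing session means the probe packet never matched a permitting policy; a session with forward packets but no reverse packets means the target or the return path did not answer; both directions counted means the firewall is not where the fault lies.

```python
import re

# Constructed sample of a firewall session table rendered as key=value records.
# The field set follows the patent's list; the textual layout is an assumption of this example.
SESSION_TABLE = """\
id=1001 proto=tcp vpn=public zone=trust->untrust ttl=1200 left=1187 out-if=GE0/0/1 nexthop=203.0.113.1 mac=00:11:22:33:44:55 fwd=12:1536 rev=11:9821 tuple=198.51.100.10:51514->203.0.113.20:8080 policy=allow_web
id=1002 proto=tcp vpn=public zone=trust->untrust ttl=1200 left=1199 out-if=GE0/0/1 nexthop=203.0.113.1 mac=00:11:22:33:44:55 fwd=3:180 rev=0:0 tuple=198.51.100.10:51520->203.0.113.21:8080 policy=allow_web
"""

TUPLE_RE = re.compile(r"^(?P<src>[^:]+):(?P<sport>\d+)->(?P<dst>[^:]+):(?P<dport>\d+)$")


def parse_session_table(text: str) -> list:
    """Turn each record into a dict; the fwd/rev counters become (packets, bytes) tuples
    and the quintuple is split into its address and port components."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(tok.split("=", 1) for tok in line.split())
        for key in ("fwd", "rev"):
            pkts, nbytes = rec[key].split(":")
            rec[key] = (int(pkts), int(nbytes))
        m = TUPLE_RE.match(rec["tuple"])
        if m is None:
            raise ValueError(f"bad quintuple in session {rec.get('id')}: {rec['tuple']}")
        rec.update(src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]))
        sessions.append(rec)
    return sessions


def diagnose_flow(sessions: list, src: str, sport: int, dst: str, dport: int, proto: str = "tcp") -> dict:
    """Locate the session for the source host's probe and classify what the table says about it:
       no-session : the firewall created no session, so the packet matched no permitting policy
       one-way    : forward packets were counted but nothing came back (target or return path)
       ok         : traffic flowed in both directions, so the fault is not at the firewall"""
    for s in sessions:
        if (s["proto"], s["src"], s["sport"], s["dst"], s["dport"]) == (proto, src, sport, dst, dport):
            fwd_pkts, rev_pkts = s["fwd"][0], s["rev"][0]
            verdict = "one-way" if fwd_pkts > 0 and rev_pkts == 0 else "ok"
            return {"verdict": verdict, "session_id": s["id"], "policy": s["policy"],
                    "fwd": s["fwd"], "rev": s["rev"]}
    return {"verdict": "no-session", "session_id": None, "policy": None, "fwd": None, "rev": None}


if __name__ == "__main__":
    table = parse_session_table(SESSION_TABLE)
    print(diagnose_flow(table, "198.51.100.10", 51520, "203.0.113.21", 8080))
```

The verdict plus the matched policy name is a compact summary the connectivity error reporting information can carry alongside the raw table.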
Further, packet capture refers to the operations of intercepting, retransmitting, editing and restoring the data packets sent and received by a network transmission, and is also used for checking network security. Packet capture is also often used for data interception and similar purposes.
The step of capturing the data packet in the connectivity inspection process and performing backtracking analysis on the captured data packet to obtain an analysis result comprises the following steps:
s61: invoking a preset flow packet grabbing and backtracking component to grab packets of the data packets appearing in the connectivity check;
In this step, a DataClue high-performance network traffic backtracking system or a Moloch network backtracking analysis system is adopted as the traffic packet capturing and backtracking component, and that component captures the data packets for the backtracking analysis.
S62: constructing a data transmission path whose nodes are the captured data packets, ordered by their capture times; searching from the start node of the data transmission path towards the end node under a preset preferred condition, identifying the nodes in the data transmission path that are not selected under the preferred condition, and marking them as non-optimal nodes.
In this step, starting from the start node of the data transmission path, the search proceeds forward under the preset preferred condition until the end node of the data transmission path is reached; when a node is explored and it is found that selecting it does not satisfy the preferred condition of the data transmission path (for example, the node cannot be passed, which is why the source host cannot access the target host), that node is marked as a non-optimal node and the search rolls back to the node preceding the non-optimal node.
S63: returning to the node preceding the non-optimal node, selecting a preferred node according to the preferred condition, and summarising the non-optimal node, the preceding node and the preferred node into the analysis result.
In this embodiment, based on the traffic packet capturing and backtracking component, a backtracking algorithm is used for the backtracking analysis, and depth-first search is used as the preferred condition in that analysis.
The backtracking algorithm is an enumeration-like search process that looks for a solution to the problem while searching and, when the solution condition is not met, returns and tries another path. The backtracking method is an optimal search method: it searches forward according to the preferred condition in order to reach the goal; when it finds at some step that the original choice is not optimal or does not reach the goal, it steps back and chooses again. This technique of retreating and retrying when a path cannot be followed is the backtracking method, and a point in a state that satisfies the backtracking condition is called a backtracking point.
Depth-first search is a method that was widely used early in the development of web crawlers. Its purpose is to reach the leaf nodes of the searched structure (i.e. HTML files that contain no hyperlinks). In an HTML document, when a hyperlink is selected, the linked HTML document is searched depth-first, i.e. one path chain must be searched completely before the remaining hyperlinks are searched. Depth-first search follows the hyperlinks in an HTML file until it can go no deeper, then returns to one of the HTML files and continues with the other hyperlinks in that file; when no more hyperlinks are available, the search has ended. If a node of the data transmission path is found to be inconsistent with the path chain searched by the depth-first search, the node above that node is marked as a non-optimal node.
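Steps S62 and S63 above, carried through as an added Python example (not the patent's code and not the DataClue or Moloch tooling): captured packets become nodes ordered by capture time, a depth-first search with backtracking walks from the source hop to the target hop under a preferred condition, every candidate that fails the condition is recorded as a non-optimal node together with its preceding node, and the next acceptable candidate from that preceding node is the preferred node. The `Capture` fields, the hop numbering and the constructed trace (a packet dropped at hop 2, then a retransmission that gets through) are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Capture:
    """One captured packet, i.e. one node of the data transmission path (fields assumed)."""
    t: float       # capture time in seconds; orders the nodes (S62)
    hop: int       # capture point along the path: 0 = source host, last = target host
    seq: int       # packet identifier within the flow
    passed: bool   # True if the capture point forwarded the packet, False if it was dropped


def build_path(captures):
    """S62: arrange the captured packets as nodes ordered by capture time."""
    return sorted(captures, key=lambda c: (c.t, c.hop))


def successors(path, node):
    """Candidate next nodes: later captures one hop further along the path."""
    return [c for c in path if c.hop == node.hop + 1 and c.t > node.t]


def analyze_path(captures, prefer=lambda c: c.passed):
    """Depth-first search with backtracking (S62/S63). `prefer` is the preferred condition;
    a candidate that fails it is recorded as a non-optimal node, the search rolls back to the
    previous node, and the next candidate from that node that satisfies the condition is the
    preferred node. Returns the route found (or None) plus the findings for the analysis result."""
    path = build_path(captures)
    end_hop = max(c.hop for c in path)
    findings = []

    def dfs(node, route):
        if node.hop == end_hop:
            return route
        for nxt in successors(path, node):
            if not prefer(nxt):
                findings.append({"previous": node, "non_optimal": nxt, "preferred": None})
                continue  # roll back to `node` and try its next candidate (S63)
            last = findings[-1] if findings else None
            if last is not None and last["previous"] is node and last["preferred"] is None:
                last["preferred"] = nxt
            found = dfs(nxt, route + [nxt])
            if found is not None:
                return found
        return None  # dead end: no acceptable successor, the caller backtracks further

    route = dfs(path[0], [path[0]])
    return {"route": route, "findings": findings}


# Constructed capture trace: packet seq 1 is dropped at hop 2 (e.g. the gateway has no route),
# the source host retransmits, and the retransmission reaches the target host at hop 3.
SAMPLE_CAPTURES = [
    Capture(0.000, 0, 1, True),
    Capture(0.002, 1, 1, True),
    Capture(0.004, 2, 1, False),
    Capture(0.010, 0, 1, True),
    Capture(0.012, 1, 1, True),
    Capture(0.014, 2, 1, True),
    Capture(0.016, 3, 1, True),
]


if __name__ == "__main__":
    result = analyze_path(SAMPLE_CAPTURES)
    for f in result["findings"]:
        print("non-optimal:", f["non_optimal"], "previous:", f["previous"], "preferred:", f["preferred"])
```

The `findings` list is the analysis result of S63: each entry names the hop where the packet stopped, the node before it, and the capture that did get through, which is enough for the terminal to see at which capture point the connection broke.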
In fig. 3, S206 is shown by the following notation:
S206-1: if the communication connection fails the connectivity check, accessing the source host to acquire the number of lost packets during the connectivity check;
S206-2: accessing the firewall corresponding to the security policy, and acquiring the firewall session table in the firewall;
S206-3: capturing the data packets of the connectivity check process, and performing backtracking analysis on the captured packets to obtain an analysis result;
S206-4: integrating the number of lost packets and/or the firewall session table and/or the analysis result to generate connectivity error reporting information, and sending the connectivity error reporting information to the terminal.
S207: if the deployment is unsuccessful, extracting a deployment script corresponding to the requirement information in the requirement form, acquiring an interface number of a firewall interface called by the deployment script, generating deployment error reporting information with the interface number, and sending the deployment error reporting information to the terminal.
If the firewall is not successfully constructed on the communication connection, i.e. the security policy is not deployed, then the firewall interface was not successfully invoked to construct the firewall; the interface number of that firewall interface is therefore placed in the deployment error reporting information and sent to the terminal, so that terminal operators can change the corresponding deployment script or repair the corresponding firewall interface.
S208: when receiving change information sent by a terminal, extracting original host information in the change information, and identifying host information and deployment scripts corresponding to the original host information in the demand form; replacing host information and/or deployment scripts corresponding to the original host information with host change information and/or deployment change scripts in the change information so as to update the demand form;
acquiring the updated host change information in the demand form, constructing a changed communication connection between a source host and a target host according to the host change information, and deploying a security policy on the changed communication connection according to the deployment script or the deployment change script; or
acquiring the host information in the updated demand form, and deploying a security policy on the communication connection corresponding to the host information according to the deployment change script.
In this step, the change information covers any one, or any combination of two or more, of the following cases: the source address and/or source port of the source host changes, the target address and/or target port of the target host changes, the protocol type of the communication connection needs to change, and the security policy on the communication connection needs to change so that the deployment script for constructing the security policy changes.
Therefore, to spare the terminal from having to rebuild a new communication connection and security policy by itself whenever the host information and/or the deployment script changes, the original host information in the change information is extracted and the host information and deployment script corresponding to it in the requirement form are identified; the host information and/or deployment script corresponding to the original host information is replaced by the host change information and/or deployment change script in the change information, so that the demand form is updated; then either the updated host change information in the demand form is acquired, a changed communication connection is constructed between a source host and a target host according to it, and a security policy is deployed on the changed connection according to the deployment script or the deployment change script; or the host information in the updated demand form is acquired and a security policy is deployed on the corresponding communication connection according to the deployment change script. In this way the demand form is updated automatically from the change information, the communication connection between the source host and the target host is established automatically from the updated form, and a new security policy is constructed on it, achieving the technical effect of automatically establishing the communication connection and its security policy from the change information.
Preferably, the change information is uploaded into the blockchain.
The digest information is obtained from the change information, specifically by hashing the change information, for example with the sha256 algorithm. Uploading the digest information to the blockchain ensures its security and fair transparency to the user. The user device may download the digest information from the blockchain to verify whether the change information has been tampered with. The blockchain referred to in this example is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms and encryption algorithms. The blockchain (Blockchain) is essentially a decentralised database: a chain of data blocks generated in association by cryptographic means, each containing a batch of network transaction information that is used to verify the validity of the information (anti-counterfeiting) and to generate the next block. The blockchain may include a blockchain underlying platform, a platform product services layer, an application services layer, and so on.
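The form update of S208 and the digest check described just above, as an added Python example (not the patent's code). The change information is serialised as canonical JSON (sorted keys, no whitespace) and hashed with sha256 so that the same change always produces the same digest; the user device then recomputes the digest over the change information it received and compares it with the published one. The form layout, the field names and the sample values are assumptions of this example; uploading the digest to the blockchain itself is outside the block.

```python
import copy
import hashlib
import json

# Constructed demand form with one entry (host information plus the deployment script name).
DEMAND_FORM = [
    {"host_info": {"source_addr": "198.51.100.10", "source_port": 51514,
                   "target_addr": "203.0.113.20", "target_port": 8080, "protocol": "tcp"},
     "deployment_script": "deploy_web_policy.sh"},
]

# Constructed change information: the target port moves to 8443 and the script is replaced.
CHANGE_INFO = {
    "original_host_info": DEMAND_FORM[0]["host_info"],
    "host_change_info": {"source_addr": "198.51.100.10", "source_port": 51514,
                         "target_addr": "203.0.113.20", "target_port": 8443, "protocol": "tcp"},
    "deployment_change_script": "deploy_web_policy_tls.sh",
}


def change_digest(change: dict) -> str:
    """Digest of the change information: canonical JSON hashed with sha256, so the digest does
    not depend on key order or formatting of the message that carried the change."""
    canonical = json.dumps(change, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def verify_change(change: dict, published_digest: str) -> bool:
    """What the user device does after downloading the digest: recompute and compare."""
    return change_digest(change) == published_digest


def apply_change(form: list, change: dict) -> list:
    """S208-1: find the entry whose host information equals the original host information and
    replace its host information and/or deployment script; returns a new form, input untouched."""
    updated = copy.deepcopy(form)
    for entry in updated:
        if entry["host_info"] == change["original_host_info"]:
            if "host_change_info" in change:
                entry["host_info"] = change["host_change_info"]
            if "deployment_change_script" in change:
                entry["deployment_script"] = change["deployment_change_script"]
            return updated
    raise KeyError("original host information not found in demand form")


if __name__ == "__main__":
    digest = change_digest(CHANGE_INFO)
    print("digest:", digest, "valid:", verify_change(CHANGE_INFO, digest))
    print(apply_change(DEMAND_FORM, CHANGE_INFO))
```

Applying the change only after `verify_change` succeeds keeps a tampered change message from rewriting the demand form, which is the point of publishing the digest in the first place.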
In fig. 3, S208 is shown by the following notation:
S208-1: when change information sent by a terminal is received, extracting the original host information in the change information, and identifying the host information and deployment script corresponding to the original host information in the demand form; replacing the host information and/or deployment script corresponding to the original host information with the host change information and/or deployment change script in the change information, so as to update the demand form;
S208-2: acquiring the updated host change information in the demand form, constructing a changed communication connection between a source host and a target host according to the host change information, and deploying a security policy on the changed communication connection according to the deployment script or the deployment change script;
S208-3: acquiring the host information in the updated demand form, and deploying a security policy on the communication connection corresponding to the host information according to the deployment change script.
Embodiment III:
referring to fig. 4, a security policy deployment device 1 of the present embodiment includes:
the policy deployment module 12 is configured to obtain a requirement form, construct a communication connection between a source host and a target host according to the requirement form, and deploy a security policy on the communication connection; the demand form records host information used for representing the source host and the target host and deployment scripts used for calling a firewall to deploy the security policy, and the security policy represents the deployment mode of the firewall of the communication connection;
a deployment determination module 13, configured to determine whether the security policy is successfully deployed on the communication connection;
a connectivity check module 14, configured to perform a connectivity check on the communication connection; the connectivity check controls the source host to send a data packet to the target host in order to judge whether the source host can access the target host through the communication connection;
and the success feedback module 15 is used for generating deployment success information and sending the deployment success information to the terminal.
Optionally, the security policy deployment apparatus 1 further includes:
the form construction module 11 is used for receiving the requirement information sent by the terminal and inputting the requirement information into a preset requirement form; the requirement information comprises host information and deployment script, wherein the host information records source information and target information for constructing communication connection between a source host and a target host, and the deployment script characterizes security policy deployment requirement of the communication connection.
Optionally, the security policy deployment apparatus 1 further includes:
a connection error reporting module 16, configured to access the source host to obtain the number of lost packets during the connectivity check; and/or access the firewall corresponding to the security policy and acquire the firewall session table in the firewall; and/or capture the data packets of the connectivity check process and perform backtracking analysis on the captured packets to obtain an analysis result; and integrate the number of lost packets and/or the firewall session table and/or the analysis result to generate connectivity error reporting information and send it to the terminal.
Optionally, the security policy deployment apparatus 1 further includes:
the deployment error reporting module 17 is configured to extract a deployment script corresponding to the requirement information in the requirement form, obtain an interface number of a firewall interface called by the deployment script, generate deployment error reporting information with the interface number, and send the deployment error reporting information to the terminal.
Optionally, the security policy deployment apparatus 1 further includes:
a deployment modification module 18, configured to extract original host information in modification information when modification information sent by a terminal is received, and identify host information and deployment scripts corresponding to the original host information in the requirement form; replacing host information and/or deployment scripts corresponding to the original host information with host change information and/or deployment change scripts in the change information so as to update the demand form; acquiring updated host change information in the demand form, constructing communication change connection between a source host and a target host according to the host change information, and deploying a security policy on the communication change connection according to the deployment script or the deployment change script; or acquiring host information in the updated demand form, and deploying a security policy on a communication connection corresponding to the host information according to the deployment change script.
Optionally, the form construction module 11 further includes:
an information extraction unit 111 for extracting host information and deployment script in the requirement information;
a rule judging unit 112, configured to judge whether the host information has a security rule that meets a preset rule;
an association construction unit 113, configured to save the host information and the deployment script in the requirement form, and construct an association relationship between the host information and the deployment script in the requirement form;
and the information error reporting unit 114 is configured to label the content in the host information that does not conform to the security rule, convert the host information into host error reporting information, and send the host error reporting information to the terminal.
Optionally, the policy deployment module 12 further includes:
an information polling unit 121 configured to poll the host information in the demand form;
a host identifying unit 122, configured to identify a source host corresponding to source information in the host information and a target host corresponding to target information in the host information;
a communication construction unit 123, configured to extract protocol information from the host information, and construct a communication connection between the source host and the target host according to the protocol information;
a policy deployment unit 124, configured to extract the deployment script corresponding to the requirement information in the requirement form and run it to call a preset firewall interface, so as to construct on the communication connection a firewall that meets the deployment requirement in the deployment script, thereby deploying the security policy on the communication connection.
Optionally, the deployment determining module 13 further includes:
an access test unit 131, configured to control the source host to access, through the communication connection, other ports of the target host except the target port;
a deployment failure unit 132 configured to determine that the security policy has been successfully deployed on the communication connection when the source host cannot access the other port;
a deployment success unit 133 for determining that the security policy was not successfully deployed on the communication connection when the source host is able to access the other port.
Optionally, the connectivity check module 14 further includes:
a script calling unit 141, configured to call a preset test script that sends a request message to the target host through the communication connection and receives a feedback message returned by the target host in response to the request message;
a checking failure unit 142, configured to determine that the communication connection fails the connectivity check when the feedback message carries an error code indicating that the communication connection cannot communicate;
and a checking and passing unit 143, configured to determine that the communication connection passes the connectivity check when the feedback message carries no error code indicating that the communication connection cannot communicate.
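An added example, not the patent's or the applicant's code, of units 121 to 143 acting end to end on one connection: a constructed `SimulatedFirewall` stands in for the preset firewall interface (default deny, explicit allow rules), the deployment script is interpreted as a JSON document naming the firewall mode and the ports to allow, the deployment determination probes ports other than the target port and expects them all to be blocked, and the connectivity check inspects the feedback message for an error code. The JSON script format, the probe ports and the error code value are assumptions of this example.

```python
import json
from dataclasses import dataclass

# Error code carried in the feedback message when the connection cannot communicate (constructed).
ERR_CANNOT_COMMUNICATE = "E_NO_ROUTE"


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    port: int
    protocol: str


class SimulatedFirewall:
    """Stand-in for the preset firewall interface (an assumption of this example):
    everything is denied unless an explicit allow rule matches."""

    def __init__(self):
        self.mode = None
        self.rules = set()

    def set_mode(self, mode):
        self.mode = mode

    def allow(self, source, target, port, protocol):
        self.rules.add(AllowRule(source, target, port, protocol))

    def permits(self, source, target, port, protocol):
        return AllowRule(source, target, port, protocol) in self.rules


def run_deployment_script(firewall, host_info, script_text):
    """Policy deployment unit: interpret the deployment script (constructed JSON format) and call
    the firewall interface so that only the demanded ports are allowed on the connection."""
    demand = json.loads(script_text)
    firewall.set_mode(demand["mode"])
    for port in demand.get("allow_ports", [host_info["port"]]):
        firewall.allow(host_info["source"], host_info["target"], port, host_info["protocol"])
    return demand


def verify_deployment(firewall, host_info, probe_ports):
    """Deployment determination: the source host must not reach any probed port other than the
    target port. Returns (deployed_ok, ports that were unexpectedly reachable)."""
    reachable = [
        port for port in probe_ports
        if port != host_info["port"]
        and firewall.permits(host_info["source"], host_info["target"], port, host_info["protocol"])
    ]
    return not reachable, reachable


def connectivity_check(firewall, host_info):
    """Test script: send a request message over the connection and inspect the feedback message
    for an error code. Returns (passed, feedback message)."""
    request = {"src": host_info["source"], "dst": host_info["target"],
               "port": host_info["port"], "proto": host_info["protocol"], "payload": "probe"}
    if firewall.permits(request["src"], request["dst"], request["port"], request["proto"]):
        feedback = {"status": "ok", "error_code": None}
    else:
        feedback = {"status": "unreachable", "error_code": ERR_CANNOT_COMMUNICATE}
    return feedback["error_code"] is None, feedback


def deploy_end_to_end(host_info, script_text, probe_ports):
    """Deploy, determine whether the policy took effect, then check connectivity; the return
    value is the information that would be sent back to the terminal."""
    firewall = SimulatedFirewall()
    run_deployment_script(firewall, host_info, script_text)
    deployed, open_ports = verify_deployment(firewall, host_info, probe_ports)
    if not deployed:
        return {"result": "deployment_error", "open_ports": open_ports, "mode": firewall.mode}
    passed, feedback = connectivity_check(firewall, host_info)
    if not passed:
        return {"result": "connectivity_error", "feedback": feedback}
    return {"result": "deployment_success", "mode": firewall.mode}


# Constructed host information and probe ports for the demonstration.
HOST_INFO = {"source": "10.0.0.5", "target": "10.0.1.20", "port": 443, "protocol": "tcp"}
PROBE_PORTS = [22, 80, 443, 3306]

if __name__ == "__main__":
    print(deploy_end_to_end(HOST_INFO, '{"mode": "gateway", "allow_ports": [443]}', PROBE_PORTS))
```

The two checks are deliberately independent: an over-permissive script fails the deployment determination even though the target port works, and an under-permissive script passes the determination (nothing else is reachable) but fails the connectivity check, which is exactly the distinction the deployment error and connectivity error messages are meant to convey.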
Optionally, the communication error reporting module 16 further includes:
a data packet capturing unit 161, configured to invoke a preset traffic capture and traceback component that captures the data packets appearing during the connectivity check;
a node identifying unit 162, configured to construct a data transmission path using each captured data packet as a node, ordered by the capture time of the packets, so that the capture time characterizes the node arrangement sequence; search from the start node of the data transmission path to its end node under a preset preferential condition, identify the nodes in the data transmission path that would not have been selected under the preferential condition, and mark them as non-optimal nodes;
and a result analysis unit 163, configured to return, for each non-optimal node, its previous node, select a preferred node according to the preferential condition, and aggregate the non-optimal node, the previous node and the preferred node to form the analysis result.
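An added example (not code from the patent or its applicant) of the traceback analysis performed by units 161 to 163 and of the connectivity error reporting information of claim 5: captured packets are ordered by capture time into a transmission path, the path is searched from start node to end node under a constructed preferential condition (the next hop must be one the previous hop is expected to forward to), and each non-optimal node is reported together with its previous node and the preferred node. The capture, the expected-route table and the shape of the firewall session table are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CapturedPacket:
    capture_time: float  # seconds since the connectivity check started (constructed values)
    node: str            # address of the hop seen in the capture


# Constructed expected route for the connection. The preferential condition used here is
# "the next node is one that the previous node is expected to forward to".
EXPECTED_NEXT_HOPS = {
    "10.0.0.5": {"10.0.0.1"},
    "10.0.0.1": {"10.0.1.1"},
    "10.0.1.1": {"10.0.1.20"},
}

# Constructed capture from a failed check: an unexpected hop appears between the two gateways.
SAMPLE_CAPTURE = [
    CapturedPacket(0.000, "10.0.0.5"),
    CapturedPacket(0.009, "192.0.2.99"),
    CapturedPacket(0.002, "10.0.0.1"),   # listed out of order to show sorting by capture time
    CapturedPacket(0.015, "10.0.1.20"),
]


def build_transmission_path(packets):
    """Node identifying unit, step 1: each captured packet is a node; capture time gives the order."""
    return [p.node for p in sorted(packets, key=lambda p: p.capture_time)]


def is_preferred(previous_node, candidate, expected_next_hops=EXPECTED_NEXT_HOPS):
    """The preferential condition of this example."""
    return candidate in expected_next_hops.get(previous_node, set())


def find_non_optimal_nodes(path, expected_next_hops=EXPECTED_NEXT_HOPS):
    """Node identifying unit, step 2: search from the start node to the end node and return the
    indexes of the nodes that the preferential condition would not have selected."""
    return [i for i in range(1, len(path))
            if not is_preferred(path[i - 1], path[i], expected_next_hops)]


def analyze_capture(packets, expected_next_hops=EXPECTED_NEXT_HOPS):
    """Result analysis unit: for each non-optimal node return its previous node and the node the
    preferential condition would have chosen, aggregated into the analysis result."""
    path = build_transmission_path(packets)
    findings = []
    for i in find_non_optimal_nodes(path, expected_next_hops):
        previous = path[i - 1]
        preferred = sorted(expected_next_hops.get(previous, set()))
        findings.append({
            "non_optimal_node": path[i],
            "previous_node": previous,
            "preferred_node": preferred[0] if preferred else None,
        })
    return {"path": path, "findings": findings}


def connectivity_error_information(lost_packets, firewall_session_table, analysis):
    """Integrate the packet loss count, the firewall session table and the traceback analysis
    into the connectivity error reporting information sent to the terminal."""
    return {
        "lost_packets": lost_packets,
        "firewall_session_table": list(firewall_session_table),
        "analysis_result": analysis,
    }


if __name__ == "__main__":
    analysis = analyze_capture(SAMPLE_CAPTURE)
    # Constructed session table row: (source, target, port, protocol).
    print(connectivity_error_information(3, [("10.0.0.5", "10.0.1.20", 443, "tcp")], analysis))
```

Once the path diverges from the expected route, every later node is also reported, because its predecessor has no expected successor; the first finding is therefore the one that locates the divergence, and the preferred node it names is the hop that should have been seen instead.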
The technical scheme is applied to the technical field of cloud deployment, and a security policy is deployed on a communication connection by constructing the communication connection between a source host and a target host according to a demand form; the demand form records host information used for representing a source host and a target host and deployment scripts used for calling the firewall to deploy a security policy, and the security policy represents a deployment mode of the firewall in communication connection; and judging whether the security policy is successfully deployed on the communication connection or not, and performing connectivity check on the communication connection to realize end-to-end deployment.
Further, the embodiment of the application can acquire and process the related data based on artificial intelligence technology. Here, artificial intelligence (AI) is the theory, method, technique and application system that uses a digital computer or a digital computer-controlled machine to simulate, extend and expand human intelligence, sense the environment, acquire knowledge and use knowledge to obtain optimal results.
Artificial intelligence infrastructure technologies generally include technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. The artificial intelligence software technology mainly comprises a computer vision technology, a robot technology, a biological recognition technology, a voice processing technology, a natural language processing technology, machine learning/deep learning and other directions.
Embodiment four:
In order to achieve the above objective, the present invention further provides a computer device 6, where the components of the security policy deployment apparatus of the third embodiment may be dispersed in different computer devices, and the computer device 6 may be a smart phone, a tablet computer, a notebook computer, a desktop computer, a rack-mounted server, a blade server, a tower server, or a rack-mounted server (including a stand-alone server or a server cluster composed of multiple application servers) that executes a program, or the like. The computer device of the present embodiment includes at least, but is not limited to: a memory 61 and a processor 62, which may be communicatively coupled to each other via a system bus, as shown in fig. 5. It should be noted that fig. 5 only shows a computer device with these components, but it should be understood that not all of the illustrated components are required to be implemented and that more or fewer components may be implemented instead.
In the present embodiment, the memory 61 (i.e., the readable storage medium) includes flash memory, a hard disk, a multimedia card, a card memory (e.g., SD or DX memory, etc.), Random Access Memory (RAM), Static Random Access Memory (SRAM), Read-Only Memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Programmable Read-Only Memory (PROM), magnetic memory, magnetic disk, optical disk, etc. In some embodiments, the memory 61 may be an internal storage unit of a computer device, such as a hard disk or memory of the computer device. In other embodiments, the memory 61 may also be an external storage device of a computer device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card) or the like. Of course, the memory 61 may also include both internal storage units of the computer device and external storage devices. In this embodiment, the memory 61 is typically used to store an operating system installed in a computer device and various types of application software, such as the program code of the security policy deployment device of the third embodiment. Further, the memory 61 may also be used to temporarily store various types of data that have been output or are to be output.
The processor 62 may be a central processing unit (Central Processing Unit, CPU), controller, microcontroller, microprocessor, or other data processing chip in some embodiments. The processor 62 is typically used to control the overall operation of the computer device. In this embodiment, the processor 62 is configured to execute the program code stored in the memory 61 or process data, for example, execute the security policy deployment device, so as to implement the security policy deployment methods of the first and second embodiments.
Embodiment five:
to achieve the above object, the present invention also provides a computer-readable storage medium such as a flash memory, a hard disk, a multimedia card, a card memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, a server, an App application store, etc., on which a computer program is stored, which when executed by the processor 62, performs the corresponding functions. The computer readable storage medium of the present embodiment is used to store a computer program implementing the security policy deployment method, and when executed by the processor 62, implements the security policy deployment methods of the first and second embodiments.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (10)

1. A security policy deployment method, comprising:
acquiring a demand form and polling host information in the demand form; identifying a source host corresponding to source information in the host information and a target host corresponding to target information in the host information; extracting protocol information in the host information, and constructing communication connection between the source host and the target host according to the protocol information; the protocol information refers to a network protocol of a set of rules, standards or conventions established for data exchange in a computer network; extracting a deployment script corresponding to the requirement information in the requirement form, and running the deployment script to call a preset firewall interface to construct a firewall meeting the deployment requirement in the deployment script on the communication connection so as to deploy a security policy on the communication connection; the demand form records host information used for representing the source host and the target host and deployment scripts used for calling a firewall to deploy the security policy, and the security policy represents the deployment mode of the firewall of the communication connection; the demand information comprises host information and deployment scripts, wherein the host information records source information and target information for constructing communication connection between a source host and a target host, the deployment scripts are computer scripts for triggering firewall interfaces, and the deployment scripts record deployment demands of a developer or a terminal where a user is located on a firewall deployment mode of the communication connection; the firewall deployment mode comprises the following steps: bridge mode, gateway mode, and NAT mode; polling host information in the demand form, including: acquiring host information in the demand form by adopting a polling method, and identifying a source host and a target host which need to be connected by communication; judging whether communication connection is established between the source host and the target host; if yes, extracting the next host information in the demand form; if not, extracting the host information from the demand form;
Judging whether the security policy is successfully deployed on the communication connection;
if the deployment is successful, checking connectivity of the communication connection; the connectivity check is to control the source host to send a data packet to the target host so as to judge whether the source host can access the connectivity check of the target host through the communication connection;
and if the communication connection passes the connectivity check, generating deployment success information, and sending the deployment success information to the terminal.
2. The security policy deployment method of claim 1, wherein prior to the obtaining the requirement form, the method further comprises:
and receiving the demand information sent by the terminal, and recording the demand information into the demand form.
3. The security policy deployment method of claim 1, wherein said determining whether the security policy was successfully deployed on the communication connection comprises:
controlling the source host to access other ports except the target port in the target host through the communication connection;
if the source host cannot access the other ports, determining that the security policy has been successfully deployed on the communication connection;
And if the source host has access to the other ports, determining that the security policy is not successfully deployed on the communication connection.
4. The security policy deployment method of claim 1, wherein said performing connectivity checks on said communication connection comprises:
invoking a preset test script to send a request message to the target host through the communication connection, and receiving a feedback message returned by the target host according to the request message;
if the feedback message has error codes which indicate that the communication connection cannot be communicated, judging that the communication connection fails the connectivity check;
and if the feedback message does not have error codes which indicate that the communication connection cannot be communicated, judging that the communication connection passes the connectivity check.
5. The security policy deployment method of claim 1, wherein after said determining whether said source host is capable of accessing connectivity checks of said target host over said communication connection, said method further comprises:
if the communication connection fails the connectivity check, accessing the source host to acquire the number of lost packets during the connectivity check;
And/or accessing a firewall corresponding to the security policy, and acquiring a firewall session table in the firewall;
and/or the data packet in the connectivity inspection process is grabbed, and the grabbed data packet is subjected to backtracking analysis to obtain an analysis result;
and integrating the packet loss number and/or the firewall session table and/or the analysis result to generate connectivity error reporting information, and sending the connectivity error reporting information to the terminal.
6. The security policy deployment method of claim 1, wherein said determining whether said security policy was successfully deployed over said communication connection is followed by said method further comprising:
if the deployment is unsuccessful, extracting a deployment script corresponding to the requirement information in the requirement form, acquiring an interface number of a firewall interface called by the deployment script, generating deployment error reporting information with the interface number, and sending the deployment error reporting information to the terminal.
7. The security policy deployment method according to claim 1, wherein after said sending the deployment success information to the terminal, the method further comprises:
when receiving change information sent by a terminal, extracting original host information in the change information, and identifying host information and deployment scripts corresponding to the original host information in the demand form; replacing host information and/or deployment scripts corresponding to the original host information with host change information and/or deployment change scripts in the change information so as to update the demand form;
Acquiring updated host change information in the demand form, constructing communication change connection between a source host and a target host according to the host change information, and deploying a security policy on the communication change connection according to the deployment script or the deployment change script; or
Acquiring host information in the updated demand form, and deploying a security policy on a communication connection corresponding to the host information according to the deployment change script;
and uploading the change information to a blockchain.
8. A security policy deployment device, comprising:
the strategy deployment module is used for acquiring a demand form and polling host information in the demand form; identifying a source host corresponding to source information in the host information and a target host corresponding to target information in the host information; extracting protocol information in the host information, and constructing communication connection between the source host and the target host according to the protocol information; the protocol information refers to a network protocol of a set of rules, standards or conventions established for data exchange in a computer network; extracting a deployment script corresponding to the requirement information in the requirement form, and running the deployment script to call a preset firewall interface to construct a firewall meeting the deployment requirement in the deployment script on the communication connection so as to deploy a security policy on the communication connection; the demand form records host information used for representing the source host and the target host and deployment scripts used for calling a firewall to deploy the security policy, and the security policy represents the deployment mode of the firewall of the communication connection; the demand information comprises host information and deployment scripts, wherein the host information records source information and target information for constructing communication connection between a source host and a target host, the deployment scripts are computer scripts for triggering firewall interfaces, and the deployment scripts record deployment demands of a developer or a terminal where a user is located on a firewall deployment mode of the communication connection; the firewall deployment mode comprises the following steps: bridge mode, gateway mode, and NAT mode; polling host information in the demand form, including: acquiring host information in the demand form by adopting a polling method, and identifying a source host and a target host which need to be connected by communication; judging whether communication connection is established between the source host and the target host; if yes, extracting the next host information in the demand form; if not, extracting the host information from the demand form;
The deployment judging module is used for judging whether the security policy is successfully deployed on the communication connection;
the communication checking module is used for checking the connectivity of the communication connection; the connectivity check is to control the source host to send a data packet to the target host so as to judge whether the source host can access the connectivity check of the target host through the communication connection;
and the success feedback module is used for generating deployment success information and sending the deployment success information to the terminal.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the security policy deployment method according to any of claims 1 to 7 are implemented when the computer program is executed by the processor of the computer device.
10. A computer readable storage medium having a computer program stored thereon, characterized in that the computer program stored on the readable storage medium, when executed by a processor, implements the steps of the security policy deployment method of any of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111525314.XA CN114221808B (en) 2021-12-14 2021-12-14 Security policy deployment method and device, computer equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN114221808A CN114221808A (en) 2022-03-22
CN114221808B true CN114221808B (en) 2024-02-06

Family

ID=80701700

Country Status (1)

Country Link
CN (1) CN114221808B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109040037A (en) * 2018-07-20 2018-12-18 南京方恒信息技术有限公司 A security audit system based on policies and rules
CN109067877A (en) * 2018-08-03 2018-12-21 平安科技(深圳)有限公司 A control method, server and storage medium for cloud computing platform deployment
CN109257254A (en) * 2018-09-21 2019-01-22 平安科技(深圳)有限公司 Network connectivity check method, device, computer equipment and storage medium
CN110262795A (en) * 2019-03-15 2019-09-20 北京航空航天大学 An application system deployment architecture modeling and verification method
CN110430206A (en) * 2019-08-13 2019-11-08 上海新炬网络技术有限公司 Method for generating firewall security policy configuration based on script templating
CN112422539A (en) * 2020-11-08 2021-02-26 国家电网有限公司 Policy synchronous issuing method based on message queue

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8424053B2 (en) * 2008-07-01 2013-04-16 International Business Machines Corporation Method of dynamically updating network security policy rules when new network resources are provisioned in a service landscape

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Virtual network function deployment strategy based on software-defined network resource optimization; 黄梅根; 汪涛; 刘亮; 庞瑞琴; 杜欢; 计算机科学 (Computer Science), Issue S1; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant