Summary of the invention
In view of this, the object of the present invention is to provide a method for delivering security policies, by which the mass delivery of security policies can be limited.
To achieve the above object, the present invention proposes three technical schemes, implemented as follows:
The first technical scheme is:
A method for delivering security policies, in which a maximum delivery rate is set and the following steps are performed:
A1. Store the new security policy generated for each attack;
B1. When a trigger condition is satisfied, obtain the current rate at which security policies are delivered and judge whether the current delivery rate is less than the maximum delivery rate; if so, obtain and deliver the security policy that was stored first; otherwise, abandon delivering a security policy.
In addition, the method further comprises setting a timer and a timing length; in step B1, the trigger condition being satisfied is then at least one of the following: a newly generated security policy has been stored, and the timer has reached the timing length.
In addition, the method further comprises setting an undelivered security policy table, and further comprises, before step A1:
a. Compare the newly generated security policy with the security policies in the undelivered security policy table and judge whether an identical security policy exists; if so, update the blocking time of the security policy in the undelivered security policy table that is identical to the newly generated security policy to the blocking time carried by the new security policy; if not, execute step A1;
The storing in step A1 being: store the generated security policy in the undelivered security policy table.
In addition, the method further comprises setting a delivered security policy table; after obtaining the first-stored security policy in step B1 and before delivering the obtained security policy, the method further comprises:
B11. Compare the obtained security policy with the security policies in the delivered security policy table and judge whether an identical security policy exists; if so, discard the obtained security policy; otherwise, deliver the obtained security policy.
Wherein, after step B1, the method further comprises:
C1. Judge whether the currently delivered security policy was delivered successfully; if so, add the currently delivered security policy to the delivered security policy table; otherwise, discard the currently delivered security policy.
In addition, the method further comprises setting a maximum policy count, and further comprises, after step a and before step A1:
Judging whether the number of security policies in the undelivered security policy table has reached the maximum policy count; if so, discard the currently generated new security policy; otherwise, execute step A1.
In addition, before obtaining the first-stored security policy, the method further comprises:
Judging whether the number of security policies in the delivered security policy table has reached the maximum policy count; if so, abandon delivering a security policy; otherwise, obtain the first-stored security policy.
In addition, the method further comprises setting a fixed time; every fixed time, the blocking time carried by each security policy in the undelivered security policy table and in the delivered security policy table is reduced by the fixed time, and when the blocking time carried by a security policy reaches zero, that security policy is deleted from the security policy table in which it resides.
Wherein, a counter is set which periodically records the number of delivered security policies, and obtaining the current delivery rate is: dividing the recorded number of delivered security policies by the length of the period.
Wherein, the security policy is a linkage rule.
Wherein, the security policy is a linkage rule; the undelivered security policy table is an undelivered linkage rule table; the delivered security policy table is a delivered linkage rule table; and the maximum policy count is a maximum rule count.
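The first technical scheme (steps A1, B1 and C1 together with the counter-based delivery rate of the preceding paragraph) can be modelled as a small dispatcher. The following is an added worked example written for this summary; it is not code from the patent or from any product. The class and method names, the `send` transport callable (which is assumed to return True on success) and the sample policy strings are all constructed for illustration. The counter restarts every period, and the current rate is the count divided by the period length, so a policy generated while the rate has already reached the maximum stays in the FIFO store and is delivered on a later trigger instead of being discarded.

```python
"""Added example: rate-limited FIFO delivery of security policies (steps A1/B1/C1)."""
from collections import deque


class RateLimitedDispatcher:
    """Stores generated policies and delivers them only below a maximum rate."""

    def __init__(self, max_rate, period=1.0, send=None):
        self.max_rate = max_rate          # maximum delivery rate (policies per period)
        self.period = period              # counter period in seconds
        self.pending = deque()            # A1: policies stored in generation order (FIFO)
        self.delivered = []               # C1: policies whose delivery succeeded
        self.count = 0                    # counter: successful deliveries in current period
        self.period_index = 0             # which period the counter currently belongs to
        # Assumed transport: returns True on success, False on failure.
        self.send = send if send is not None else (lambda policy: True)

    def current_rate(self, now):
        """Counter restarts each period; rate = count / period (no need to wait for period end)."""
        idx = int(now // self.period)
        if idx != self.period_index:
            self.period_index = idx
            self.count = 0
        return self.count / self.period

    def store(self, policy, now):
        """A1: store the new policy; storing it is itself a trigger condition."""
        self.pending.append(policy)
        return self.on_trigger(now)

    def on_trigger(self, now):
        """B1/C1: deliver the first-stored policy if the rate allows, else abandon this round."""
        if not self.pending:
            return "idle"
        if self.current_rate(now) >= self.max_rate:
            return "rate-limited"            # policy stays stored for a later trigger
        policy = self.pending.popleft()      # the policy stored first
        if self.send(policy):                # C1: record only successful deliveries
            self.delivered.append(policy)
            self.count += 1
            return "delivered"
        return "failed"                      # C1: failed policy is discarded


def simulate():
    """Constructed run: three policies in one period with max_rate=2, then a timer trigger."""
    d = RateLimitedDispatcher(max_rate=2, period=1.0)
    outcomes = [
        d.store("block 192.0.2.1", 0.0),     # constructed sample policy
        d.store("block 192.0.2.2", 0.1),
        d.store("block 192.0.2.3", 0.2),     # rate already 2/s -> stays pending
        d.on_trigger(1.0),                   # timer trigger in the next period
        d.on_trigger(1.5),                   # nothing left to deliver
    ]
    return outcomes, list(d.delivered)


if __name__ == "__main__":
    print(simulate())
```

The `failed` branch models C1 with a transport that reports an unavailable link; swap in `send=lambda p: False` to see that nothing is added to the delivered list.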
The second technical scheme is:
A method for delivering security policies, in which an undelivered security policy table is set and the following steps are performed:
A2. Compare the new security policy generated for each attack with the security policies in the undelivered security policy table and judge whether an identical security policy exists; if so, update the blocking time of the security policy in the undelivered security policy table that is identical to the newly generated security policy to the blocking time carried by the new security policy; if not, store the currently generated new security policy in the undelivered security policy table;
B2. When a trigger condition is satisfied, obtain and deliver the security policy that was stored first.
In addition, the method further comprises setting a timer and a timing length; in step B2, the trigger condition being satisfied is then at least one of the following: a newly generated security policy has been stored, and the timer has reached the timing length.
In addition, the method further comprises setting a maximum policy count, and in step A2, before storing the currently generated new security policy in the undelivered security policy table, further comprises:
Judging whether the number of security policies in the undelivered security policy table has reached the maximum policy count; if so, discard the currently generated new security policy; otherwise, store the currently generated new security policy in the undelivered security policy table.
In addition, the method further comprises setting a fixed time; every fixed time, the blocking time carried by each security policy in the undelivered security policy table is reduced by the fixed time, and when the blocking time carried by a security policy reaches zero, that security policy is deleted from the undelivered security policy table.
Wherein, the security policy is a linkage rule; the undelivered security policy table is an undelivered linkage rule table; and the maximum policy count is a maximum rule count.
In addition, a delivered security policy table is set; after obtaining the first-stored security policy in step B2 and before delivering the obtained security policy, the method further comprises:
B21. Compare the obtained security policy with the security policies in the delivered security policy table and judge whether an identical security policy exists; if so, discard the obtained security policy; otherwise, deliver the obtained security policy.
Wherein, after step B2, the method further comprises:
C2. Judge whether the currently delivered security policy was delivered successfully; if so, add the currently delivered security policy to the delivered security policy table; otherwise, discard the currently delivered security policy.
In addition, the method further comprises setting a maximum policy count, and in step A2, before storing the currently generated new security policy in the undelivered security policy table, further comprises:
Judging whether the number of security policies in the undelivered security policy table has reached the maximum policy count; if so, discard the currently generated new security policy; otherwise, store the currently generated new security policy in the undelivered security policy table.
In addition, before obtaining the first-stored security policy, the method further comprises:
Judging whether the number of security policies in the delivered security policy table has reached the maximum policy count; if so, abandon delivering a security policy; otherwise, obtain the first-stored security policy.
In addition, the method further comprises setting a fixed time; every fixed time, the blocking time carried by each security policy in the undelivered security policy table and in the delivered security policy table is reduced by the fixed time, and when the blocking time carried by a security policy reaches zero, that security policy is deleted from the security policy table in which it resides.
Wherein, the security policy is a linkage rule; the undelivered security policy table is an undelivered linkage rule table; the delivered security policy table is a delivered linkage rule table; and the maximum policy count is a maximum rule count.
The third technical scheme is:
A method for delivering security policies, in which a delivered security policy table is set and the following steps are performed:
A3. Store the new security policy generated for each attack;
B3. When a trigger condition is satisfied, obtain the security policy that was stored first and compare it with the security policies in the delivered security policy table, judging whether an identical security policy exists; if so, discard the obtained security policy; otherwise, deliver the obtained security policy.
In addition, the method further comprises setting a timer and a timing length; in step B3, the trigger condition being satisfied is then at least one of the following: a newly generated security policy has been stored, and the timer has reached the timing length.
In addition, after step B3, the method further comprises:
C3. Judge whether the currently delivered security policy was delivered successfully; if so, add the currently delivered security policy to the delivered security policy table; otherwise, discard the currently delivered security policy.
Wherein, a maximum policy count is set, and before obtaining the first-stored security policy, the method further comprises:
Judging whether the number of security policies in the delivered security policy table has reached the maximum policy count; if so, abandon delivering a security policy; otherwise, obtain the first-stored security policy.
In addition, the method further comprises setting a fixed time; every fixed time, the blocking time carried by each security policy in the delivered security policy table is reduced by the fixed time, and when the blocking time carried by a security policy reaches zero, that security policy is deleted from the delivered security policy table.
In the method for delivering security policies provided by the present invention, the generated security policies are first stored, and only when the condition for delivering security policies is satisfied does the security detection device deliver the generated security policy to the detected device. This controls the number of security policies that the security detection device delivers, so that the detected device does not fail to operate normally because of a large number of delivered security policies, and reduces the transmission resources occupied by delivering security policies. Moreover, by effectively aggregating security policies, the present invention also ensures that an identical security policy is not delivered repeatedly within the effective time of that security policy.
Embodiment
The core idea of the present invention is: when a security detection device generates a security policy in response to an attack that has occurred, the generated security policy is first stored, and only when the condition for delivering security policies is satisfied is the generated security policy delivered to the detected device.
In the present invention, an undelivered security policy table, a delivered security policy table, a maximum policy count and a maximum delivery rate need to be set. The undelivered security policy table is provided on the security detection device and stores the security policies that have not yet been delivered; the delivered security policy table is provided on the security detection device and stores the security policies that have already been delivered; the maximum policy count specifies the maximum number of security policies that the undelivered security policy table and the delivered security policy table can store; and the maximum delivery rate limits the rate at which the security detection device delivers security policies, which must not exceed the maximum delivery rate.
The method provided by the present invention can be used in any security detection device and applies to the delivery of any security policy. Here, the method proposed by the invention is further described by way of example, taking an IDS device as the security detection device, the linkage devices of the IDS device as the detected devices, and the linkage rules that the IDS device sends to the linkage devices as the security policies.
In the present embodiment, an undelivered linkage rule table, a delivered linkage rule table, a maximum rule count and a maximum delivery rate need to be set inside the IDS device; the undelivered linkage rule table, the delivered linkage rule table and the maximum rule count correspond respectively to the undelivered security policy table, the delivered security policy table and the maximum policy count. The undelivered linkage rule table is provided on the IDS device and stores the linkage rules that have not yet been delivered; the delivered linkage rule table is provided on the IDS device and stores the linkage rules that have already been delivered; the maximum rule count specifies the maximum number of linkage rules that the undelivered linkage rule table and the delivered linkage rule table can store, and different or identical maximum rule counts may be set for the undelivered and the delivered linkage rule table; in the present embodiment the same maximum rule count is set for both tables. The maximum delivery rate limits the rate at which the IDS device delivers linkage rules, which must not exceed the maximum delivery rate. Here, the maximum rule count can be determined according to the maximum number of entries that the access control list (ACL) in the linkage device can contain.
Fig. 1 is the flow chart of the present embodiment. Referring to Fig. 1, the flow comprises the following steps:
Steps 101 to 102: the IDS device generates a new linkage rule for the attack that has currently occurred, compares the newly generated linkage rule with the linkage rules in the undelivered linkage rule table, and judges whether an identical linkage rule exists in the undelivered linkage rule table; if not, execute step 103; otherwise, execute step 104.
Step 103: judge whether the number of linkage rules in the undelivered linkage rule table has reached the maximum rule count; if not, execute step 105; otherwise, execute step 106.
Step 104: aggregate the currently generated linkage rule into the undelivered linkage rule table.
Here, whether linkage rules are identical is determined by the parameters contained in the linkage rule. The parameters contained in a linkage rule are: source medium access control (MAC) address, destination MAC address, virtual local area network (VLAN) tag, source IP address, source IP address mask, destination IP address, destination IP address mask, source port, destination port, rate-limiting type, blocking time, total traffic, status bit, version and protocol type. Linkage rules whose source MAC address, destination MAC address, VLAN tag, source IP address, source IP address mask, destination IP address, destination IP address mask, source port, destination port, rate-limiting type and protocol type are all identical are considered identical linkage rules. Aggregating linkage rules means: the blocking time of the linkage rule in the undelivered linkage rule table that is identical to the currently generated linkage rule is changed to the blocking time carried by the currently generated linkage rule, and the newly generated linkage rule is discarded.
Step 105: add the currently generated new linkage rule to the undelivered linkage rule table, and execute step 107.
In the present embodiment, the undelivered linkage rule table follows the first-in-first-out principle.
Step 106: discard the currently generated new linkage rule, end the flow, and wait for the IDS device to generate a new linkage rule next time.
Step 107: obtain the current rate at which linkage rules are delivered and judge whether the current delivery rate is less than the maximum delivery rate; if so, execute step 108; otherwise, execute step 114.
Here, the rate at which linkage rules are delivered is the number of linkage rules successfully delivered per unit time, also referred to as the delivery rate. One method of obtaining the delivery rate of linkage rules is: set a counter that restarts counting at every whole second, the content of the counter being the number of linkage rules successfully delivered. Of course, the flow will not always reach step 107 exactly at a whole-second instant; therefore, when obtaining the delivery rate of linkage rules, it suffices to read the current count value of the counter directly, without waiting for the counter to reach the whole second. The counter may also be set to restart counting with some other period, the period length being set arbitrarily as required; correspondingly, the current delivery rate of linkage rules is obtained by dividing the count value by the period length.
Step 108: judge whether the number of linkage rules in the delivered linkage rule table has reached the maximum rule count; if not, execute step 109; otherwise, execute step 114.
Steps 109 to 110: take the entry at the head of the undelivered linkage rule table, compare the taken linkage rule with the linkage rules in the delivered linkage rule table, and judge whether an identical linkage rule exists; if not, execute step 111; otherwise, execute step 115.
Wherein, the method of judging whether linkage rules are identical is the same as that described in step 104 and is not described again here.
Step 111: deliver the currently taken linkage rule to all linkage devices.
Step 112: judge whether the currently delivered linkage rule was delivered successfully; if so, execute step 113; otherwise, execute step 115.
Here, judging whether the currently delivered linkage rule was delivered successfully can be done by judging, at the time the IDS device delivers the linkage rule, whether the current underlying link is available, and thereby determining whether the currently delivered linkage rule was delivered successfully. When the underlying link is unavailable and the IDS device delivers a linkage rule to a linkage device, the IDS device will usually immediately return a message that delivery of the linkage rule failed, so whether the linkage rule was delivered successfully can be judged in time from this message.
Step 112 here is an optional step; step 113 may be executed directly after step 111.
Step 113: add the currently delivered linkage rule to the delivered linkage rule table, and end the flow.
Step 114: abandon delivering this linkage rule, and end the flow.
Step 115: discard the currently taken linkage rule.
The present embodiment further comprises an aging process for the undelivered linkage rule table and the delivered linkage rule table. The aging process is specifically: every time a fixed time elapses, the blocking time carried by each linkage rule in the undelivered linkage rule table and in the delivered linkage rule table is reduced by this fixed time; when the blocking time carried by a linkage rule is 0, that linkage rule is removed from the linkage rule table in which it resides. Preferably, the fixed time may be chosen as 1 second.
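The identity criterion of step 104, the aggregation and maximum-rule-count checks of steps 101 to 106, the FIFO head delivery with deduplication against the delivered table of steps 108 to 115, and the aging process just described can all be exercised on two small tables. The following is an added worked example written for this description; it is not code from the patent or from any IDS product. The field names of `LinkageRule`, the `send` transport callable (assumed to return True on success) and the sample MAC and IP values are constructed for illustration, and the rate check of step 107 is deliberately left out because it is the same counter mechanism as in the first technical scheme. The `age` method generalises the 1-second aging step to an arbitrary elapsed time.

```python
"""Added example: linkage rule identity, aggregation, FIFO delivery, dedup and aging."""
from collections import OrderedDict
from dataclasses import dataclass

# The eleven parameters that decide whether two linkage rules are identical (step 104).
# Blocking time, total traffic, status bit and version are carried but are not part of identity.
IDENTITY_FIELDS = ("src_mac", "dst_mac", "vlan", "src_ip", "src_mask", "dst_ip",
                   "dst_mask", "src_port", "dst_port", "limit_type", "protocol")


@dataclass
class LinkageRule:
    src_mac: str
    dst_mac: str
    vlan: int
    src_ip: str
    src_mask: str
    dst_ip: str
    dst_mask: str
    src_port: int
    dst_port: int
    limit_type: str
    protocol: str
    block_time: int          # seconds; reduced by the aging process
    total_flow: int = 0
    status: int = 0
    version: int = 1

    def key(self):
        return tuple(getattr(self, f) for f in IDENTITY_FIELDS)


class RuleTables:
    """Undelivered (FIFO) and delivered linkage rule tables sharing one maximum rule count."""

    def __init__(self, max_rules, send=lambda rule: True):
        self.max_rules = max_rules
        self.undelivered = OrderedDict()   # insertion order gives first-in-first-out
        self.delivered = OrderedDict()
        self.send = send                   # assumed transport to the linkage devices

    def on_new_rule(self, rule):
        """Steps 101-106: aggregate, or store if the undelivered table has room."""
        k = rule.key()
        if k in self.undelivered:                       # 104: aggregate, discard the new rule
            self.undelivered[k].block_time = rule.block_time
            return "aggregated"
        if len(self.undelivered) >= self.max_rules:     # 103 -> 106
            return "dropped-full"
        self.undelivered[k] = rule                      # 105
        return "stored"

    def deliver_head(self):
        """Steps 108-115 (step 107's rate check omitted here)."""
        if not self.undelivered:
            return "idle"
        if len(self.delivered) >= self.max_rules:       # 108 -> 114: head stays stored
            return "delivered-table-full"
        k, rule = self.undelivered.popitem(last=False)  # 109: head of the FIFO table
        if k in self.delivered:                         # 110 -> 115: discard duplicate
            return "duplicate"
        if not self.send(rule):                         # 111/112 -> 115: discard on failure
            return "failed"
        self.delivered[k] = rule                        # 113
        return "delivered"

    def age(self, elapsed=1):
        """Aging: subtract elapsed time from every blocking time, drop rules at 0 (or below)."""
        removed = 0
        for table in (self.undelivered, self.delivered):
            for k in list(table):
                table[k].block_time -= elapsed
                if table[k].block_time <= 0:
                    del table[k]
                    removed += 1
        return removed


def make_rule(dst_ip, block_time):
    """Constructed sample rule; only dst_ip and block_time vary between samples."""
    return LinkageRule("00:00:5e:00:53:01", "00:00:5e:00:53:02", 10, "192.0.2.10",
                       "255.255.255.255", dst_ip, "255.255.255.255", 0, 80,
                       "block", "tcp", block_time)


def simulate():
    """Constructed run with max_rules=3 covering every branch of the two methods."""
    t = RuleTables(max_rules=3)
    out = [t.on_new_rule(make_rule("198.51.100.1", 30)),
           t.on_new_rule(make_rule("198.51.100.1", 60)),   # aggregated: block time -> 60
           t.on_new_rule(make_rule("198.51.100.2", 10)),
           t.on_new_rule(make_rule("198.51.100.3", 10)),
           t.on_new_rule(make_rule("198.51.100.4", 10)),   # undelivered table full
           t.deliver_head(), t.deliver_head(),              # .1 and .2 delivered
           t.on_new_rule(make_rule("198.51.100.1", 5)),    # stored again (not in undelivered)
           t.deliver_head(),                                # .3 delivered, delivered table full
           t.deliver_head(),                                # blocked by step 108
           t.age(10),                                       # ages out .1(5), .2(10), .3(10)
           t.deliver_head(),                                # nothing left
           t.on_new_rule(make_rule("198.51.100.1", 7)),
           t.deliver_head()]                                # .1 still delivered -> duplicate
    remaining = t.delivered[make_rule("198.51.100.1", 0).key()].block_time
    return out, remaining


if __name__ == "__main__":
    print(simulate())
```

Note that a rule refused by step 108 or step 107 remains at the head of the undelivered table, whereas a duplicate or a failed delivery is discarded after being taken, which is why the example distinguishes "delivered-table-full" from "duplicate" and "failed".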
What the present embodiment mainly introduces is the generation of a linkage rule by the IDS device serving as the trigger condition that triggers the IDS device to deliver linkage rules; this trigger condition is referred to here as linkage rule triggering.
In the present invention, a timer and a timing length may also be set: the timer is started when the IDS device begins operation, and the timer reaching the timing length triggers the linkage rule delivery process of the IDS device; this trigger condition is referred to here as timer triggering. When the timer reaches the timing length, execution begins from step 107 of the flow, and the other processes are identical to the description in the present embodiment and are not described again here. The timing length can be set according to the processing efficiency of the linkage devices and the attack situation in the network. Here, when the timer reaches the timing length, a linkage rule delivery process triggered by a linkage rule may already be executing; in that case, either the timer-triggered linkage rule delivery process is executed only after the currently executing linkage-rule-triggered delivery process finishes, or the timer reaching the timing length may trigger a linkage rule delivery process while a linkage-rule-triggered delivery process is executing, so that linkage rule delivery processes triggered by the two trigger conditions exist simultaneously. When timer triggering and linkage rule triggering exist simultaneously, the method of calculating the delivery rate is unchanged.
In the present invention, it is also possible not to use the linkage rule delivery process triggered by the generation of a linkage rule, and to use only the linkage rule delivery process triggered by the timer reaching the timing length. Under this trigger condition, the linkage rule delivery process can be divided into two parts: a storage part comprising steps 101 to 106 introduced in the embodiment, and a delivery part comprising steps 107 to 114 of the embodiment. The concrete operations of these two parts are the same as described in the embodiment, except that the delivery part is triggered only when the timer reaches the timing length; otherwise, only the flow of the storage part is executed.
In an embodiment, depending on the concrete situation of the IDS device and the linkage devices, the judgments in step 103 and step 108 may be omitted; in that case, the other steps of the flow are unchanged and only the judgment to be omitted is removed from the flow.
The above is merely a preferred embodiment of the present invention and is not intended to limit the protection scope of the present invention.