CN1777122A - Method for sending safety strategy - Google Patents


Info

Publication number
CN1777122A
Authority
CN
China
Prior art keywords
security strategy
issue
issues
issued
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 200510131841
Other languages
Chinese (zh)
Other versions
CN100364280C (en)
Inventor
汪翰林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Security Technologies Co Ltd
Original Assignee
Hangzhou Huawei 3Com Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Huawei 3Com Technology Co Ltd
Priority to CNB2005101318417A
Publication of CN1777122A
Application granted
Publication of CN100364280C
Legal status: Active
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A maximum issue rate is set, and the method performs the following steps: (1) store each new security policy generated for an attack; (2) when the trigger condition is satisfied, obtain the current rate of issuing security policies and judge whether it is lower than the maximum issue rate; if so, fetch the earliest-stored security policy and issue it; otherwise, abandon issuing the security policy. The invention also discloses two further methods for issuing security policies. The invention lets the security detection device control the quantity of security policies it issues, so that a large quantity of issued security policies cannot prevent the detected device from operating normally. By effectively aggregating security policies, the invention does not issue an identical security policy repeatedly.

Description

A method for issuing security policies
Technical field
The present invention relates to network security detection technology, and in particular to a method for issuing security policies.
Background
Intrusion detection collects information at several key points in a computer network or computer system and analyzes it to find whether the network or system contains behaviour that violates the security policy and signs of attack, takes targeted action, and issues those actions to all objects covered by intrusion detection, including network devices such as switches, routers and firewalls. The combination of software and hardware that performs intrusion detection is an intrusion detection system (IDS). The objects that the IDS detects and acts upon, such as switches, routers and firewalls, are called the interlocking devices of the IDS. The policies that the IDS formulates to block different attacks are called interlock rules. Usually an interlock rule carries a blocking time, and the interlocking device blocks the packets defined in the interlock rule for that blocking time.
Each time the IDS detects an attack, it generates an interlock rule for that attack and issues it to all of its interlocking devices, which then apply the rule to block the attack. However, an interlocking device's capacity to process interlock rules is limited. When a large number of attacks occur, the IDS issues a correspondingly large number of interlock rules, and this volume seriously affects the normal operation of the interlocking device. For identical attacks in particular, issuing a large number of interlock rules to the interlocking device not only impairs its normal operation, but is also meaningless while the interlock rule for that attack is still in effect.
Summary of the invention
In view of this, the object of the present invention is to provide a method for issuing security policies that limits the mass issuing of security policies.
To achieve this object, the present invention proposes three technical schemes, implemented as follows:
First technical scheme:
A method for issuing security policies, in which a maximum issue rate is set and the following steps are performed:
A1. Store each new security policy generated for an attack;
B1. When the trigger condition is satisfied, obtain the current security-policy issue rate and judge whether it is lower than the maximum issue rate; if so, fetch the earliest-stored security policy and issue it; otherwise, abandon issuing the security policy.
Additionally, the method further comprises setting a timer and a timing length; in step B1, the trigger condition is satisfied when at least one of the following holds: a newly generated security policy has been stored, or the timer has reached the timing length.
Additionally, the method further comprises setting a not-issued security policy table, and before step A1 further comprises:
a. Compare the newly generated security policy with the security policies in the not-issued security policy table and judge whether an identical security policy exists; if it does, update the blocking time of the policy in the not-issued table that is identical to the newly generated policy to the blocking time carried by the new security policy; if it does not, execute step A1;
and the storing in step A1 is: store the generated security policy in the not-issued security policy table.
Additionally, the method further comprises setting an issued security policy table; in step B1, after the earliest-stored security policy is fetched and before the fetched policy is issued, the method further comprises:
B11. Compare the fetched security policy with the security policies in the issued security policy table and judge whether an identical security policy exists; if it does, discard the fetched security policy; otherwise, issue the fetched security policy.
After step B1, the method further comprises:
C1. Judge whether the currently issued security policy was issued successfully; if so, add the currently issued security policy to the issued security policy table; otherwise, discard the currently issued security policy.
Additionally, the method further comprises setting a maximum policy count, and after step a and before step A1 further comprises:
Judge whether the number of security policies in the not-issued security policy table has reached the maximum policy count; if so, discard the newly generated security policy; otherwise, execute step A1.
Additionally, before the earliest-stored security policy is fetched, the method further comprises:
Judge whether the number of security policies in the issued security policy table has reached the maximum policy count; if so, abandon issuing the security policy; otherwise, fetch the earliest-stored security policy.
Additionally, the method further comprises setting a fixed time; every fixed time, the blocking time carried by each security policy in the not-issued security policy table and in the issued security policy table is reduced by the fixed time, and when the blocking time carried by a security policy reaches zero, that policy is deleted from the table it is in.
A counter is set which periodically stores the number of issued security policies, and the current security-policy issue rate is obtained by dividing the stored number of issued security policies by the period length.
The security policy is an interlock rule.
The security policy is an interlock rule; the not-issued security policy table is a not-issued interlock rule table; the issued security policy table is an issued interlock rule table; and the maximum policy count is a maximum rule count.
Second technical scheme:
A method for issuing security policies, in which a not-issued security policy table is set and the following steps are performed:
A2. Compare each new security policy generated for an attack with the security policies in the not-issued security policy table and judge whether an identical security policy exists; if it does, update the blocking time of the policy in the not-issued table that is identical to the newly generated policy to the blocking time carried by the new security policy; if it does not, store the newly generated security policy in the not-issued security policy table;
B2. When the trigger condition is satisfied, fetch the earliest-stored security policy and issue it.
Additionally, the method further comprises setting a timer and a timing length; in step B2, the trigger condition is satisfied when at least one of the following holds: a newly generated security policy has been stored, or the timer has reached the timing length.
Additionally, the method further comprises setting a maximum policy count, and in step A2, before the newly generated security policy is stored in the not-issued security policy table, further comprises:
Judge whether the number of security policies in the not-issued security policy table has reached the maximum policy count; if so, discard the newly generated security policy; otherwise, store the newly generated security policy in the not-issued security policy table.
Additionally, the method further comprises setting a fixed time; every fixed time, the blocking time carried by each security policy in the not-issued security policy table is reduced by the fixed time, and when the blocking time carried by a security policy reaches zero, that policy is deleted from the not-issued security policy table.
Therein, the security policy is an interlock rule; the not-issued security policy table is a not-issued interlock rule table; and the maximum policy count is a maximum rule count.
Additionally, an issued security policy table is set; in step B2, after the earliest-stored security policy is fetched and before the fetched policy is issued, the method further comprises:
B21. Compare the fetched security policy with the security policies in the issued security policy table and judge whether an identical security policy exists; if it does, discard the fetched security policy; otherwise, issue the fetched security policy.
After step B2, the method further comprises:
C2. Judge whether the currently issued security policy was issued successfully; if so, add the currently issued security policy to the issued security policy table; otherwise, discard the currently issued security policy.
Additionally, the method further comprises setting a maximum policy count, and in step A2, before the newly generated security policy is stored in the not-issued security policy table, further comprises:
Judge whether the number of security policies in the not-issued security policy table has reached the maximum policy count; if so, discard the newly generated security policy; otherwise, store the newly generated security policy in the not-issued security policy table.
Additionally, before the earliest-stored security policy is fetched, the method further comprises:
Judge whether the number of security policies in the issued security policy table has reached the maximum policy count; if so, abandon issuing the security policy; otherwise, fetch the earliest-stored security policy.
Additionally, the method further comprises setting a fixed time; every fixed time, the blocking time carried by each security policy in the not-issued security policy table and in the issued security policy table is reduced by the fixed time, and when the blocking time carried by a security policy reaches zero, that policy is deleted from the table it is in.
Therein, the security policy is an interlock rule; the not-issued security policy table is a not-issued interlock rule table; the issued security policy table is an issued interlock rule table; and the maximum policy count is a maximum rule count.
Third technical scheme:
A method for issuing security policies, in which an issued security policy table is set and the following steps are performed:
A3. Store each new security policy generated for an attack;
B3. When the trigger condition is satisfied, fetch the earliest-stored security policy, compare it with the security policies in the issued security policy table and judge whether an identical security policy exists; if it does, discard the fetched security policy; otherwise, issue the fetched security policy.
Additionally, the method further comprises setting a timer and a timing length; in step B3, the trigger condition is satisfied when at least one of the following holds: a newly generated security policy has been stored, or the timer has reached the timing length.
Additionally, after step B3, the method further comprises:
C3. Judge whether the currently issued security policy was issued successfully; if so, add the currently issued security policy to the issued security policy table; otherwise, discard the currently issued security policy.
Therein, a maximum policy count is set, and before the earliest-stored security policy is fetched, the method further comprises:
Judge whether the number of security policies in the issued security policy table has reached the maximum policy count; if so, abandon issuing the security policy; otherwise, fetch the earliest-stored security policy.
Additionally, the method further comprises setting a fixed time; every fixed time, the blocking time carried by each security policy in the issued security policy table is reduced by the fixed time, and when the blocking time carried by a security policy reaches zero, that policy is deleted from the issued security policy table.
The method for issuing security policies provided by the present invention stores the generated security policies and has the security detection device issue them to the detected devices only when the condition for issuing is satisfied. This lets the security detection device control the quantity of security policies it issues, so that the detected devices are not prevented from operating normally by a mass of issued security policies, and reduces the transmission resources consumed by issuing. Moreover, by effectively aggregating security policies, the present invention avoids repeatedly issuing an identical security policy while that policy is still in effect.
Brief description of the drawings
Fig. 1 is a flow chart of the embodiment of the present invention.
Embodiment
The core idea of the present invention is: when the security detection device generates a security policy for an attack that has occurred, it first stores the generated policy, and only when the condition for issuing security policies is satisfied does it issue the generated policy to the detected device.
In the present invention, a not-issued security policy table, an issued security policy table, a maximum policy count and a maximum issue rate need to be set. The not-issued security policy table is provided to the security detection device and stores the security policies not yet issued; the issued security policy table is provided to the security detection device and stores the security policies already issued; the maximum policy count specifies the maximum number of security policies that the not-issued table and the issued table can store; the maximum issue rate limits the rate at which the security detection device issues security policies, which must not exceed the maximum issue rate.
The method provided by the present invention can be used in any security detection device and applies to the issuing of any security policy. Here the method is described further, taking an IDS device as the security detection device, the interlocking devices of the IDS device as the detected devices, and the interlock rules the IDS device sends to the interlocking devices as the security policies.
In the present embodiment, a not-issued interlock rule table, an issued interlock rule table, a maximum rule count and a maximum issue rate are set inside the IDS device; the not-issued interlock rule table, the issued interlock rule table and the maximum rule count correspond respectively to the not-issued security policy table, the issued security policy table and the maximum policy count. The not-issued interlock rule table is provided to the IDS device and stores the interlock rules not yet issued; the issued interlock rule table is provided to the IDS device and stores the interlock rules already issued; the maximum rule count specifies the maximum number of interlock rules that the not-issued and issued interlock rule tables can store. Different or identical maximum rule counts may be set for the not-issued and issued interlock rule tables; in the present embodiment the same maximum rule count is set for both. The maximum issue rate limits the rate at which the IDS device issues interlock rules, which must not exceed the maximum issue rate. Here, the maximum rule count can be determined from the maximum number of entries the access control list (ACL) in the interlocking device can hold.
Fig. 1 is the flow chart of the present embodiment. Referring to Fig. 1, the flow comprises the following steps:
Steps 101~102: The IDS device generates a new interlock rule for the attack that has just occurred and compares it with the interlock rules in the not-issued interlock rule table, judging whether an identical interlock rule already exists in the not-issued table; if not, execute step 103; otherwise, execute step 104.
Step 103: Judge whether the number of interlock rules in the not-issued interlock rule table has reached the maximum rule count; if not, execute step 105; otherwise, execute step 106.
Step 104: In the not-issued interlock rule table, aggregate the currently generated interlock rule.
Here, identical interlock rules are determined by the parameters contained in the interlock rule. The parameters in an interlock rule are: source media access control (MAC) address, destination MAC address, virtual local area network (VLAN) tag, source IP address, source IP address mask, destination IP address, destination IP address mask, source port, destination port, rate-limiting type, blocking time, total traffic, status bit, version and protocol type. Two interlock rules with identical source MAC address, destination MAC address, VLAN tag, source IP address, source IP address mask, destination IP address, destination IP address mask, source port, destination port, rate-limiting type and protocol type are considered identical interlock rules. Aggregating interlock rules means: change the blocking time of the interlock rule in the not-issued table that is identical to the currently generated rule to the blocking time carried by the currently generated rule, and discard the newly generated interlock rule.
Step 105: Add the newly generated interlock rule to the not-issued interlock rule table, then execute step 107.
In the present embodiment, the not-issued interlock rule table uses the first-in-first-out principle.
Step 106: Discard the newly generated interlock rule and end the flow, waiting for the next new interlock rule generated by the IDS device.
Step 107: Obtain the current rate of issuing interlock rules and judge whether it is lower than the maximum issue rate; if so, execute step 108; otherwise, execute step 114.
Here, the rate of issuing interlock rules is the number of interlock rules successfully issued per unit time, also called the issue rate. One way to obtain it is to set a counter that restarts counting at every whole second; the counter's content is the number of interlock rules successfully issued. Of course, the flow does not always reach step 107 exactly at a whole-second boundary, so when obtaining the issue rate one simply reads the counter's current value directly, without waiting for the counter to reach the whole second. The counter may also be set to restart counting with some other period, whose length can be chosen as needed; correspondingly, the count value divided by the period length gives the current issue rate of interlock rules.
Step 108: Judge whether the number of interlock rules in the issued interlock rule table has reached the maximum rule count; if not, execute step 109; otherwise, execute step 114.
Steps 109~110: Fetch the entry at the head of the not-issued interlock rule table and compare the fetched interlock rule with the interlock rules in the issued interlock rule table, judging whether an identical interlock rule exists; if not, execute step 111; otherwise, execute step 115.
The method of judging whether interlock rules are identical is the same as described in step 104 and is not repeated here.
Step 111: Issue the fetched interlock rule to all interlocking devices.
Step 112: Judge whether the currently issued interlock rule was issued successfully; if so, execute step 113; otherwise, execute step 115.
Here, whether the currently issued interlock rule was issued successfully can be determined by checking, at the time the IDS device issues the rule, whether the current underlying link is available. When the underlying link is unavailable and the IDS device issues an interlock rule to an interlocking device, the IDS device usually returns immediately a message that the interlock rule was not issued successfully, so whether the issue succeeded can be judged promptly from this message.
Step 112 here is an optional step; after step 111 is executed, step 113 may be executed directly.
Step 113: Add the interlock rule just issued to the issued interlock rule table and end the flow.
Step 114: Abandon issuing this interlock rule and end the flow.
Step 115: Discard the fetched interlock rule.
In the present embodiment, aging of the not-issued interlock rule table and the issued interlock rule table is also included. The aging process is: every time a fixed time elapses, the blocking time carried by each interlock rule in the not-issued table and in the issued table is reduced by that fixed time; when the blocking time carried by an interlock rule reaches 0, that rule is removed from the interlock rule table it is in. Preferably, the fixed time is chosen as 1 second.
In the present embodiment, the trigger condition mainly introduced is the IDS device generating an interlock rule, which triggers the IDS device to issue interlock rules; this trigger condition is referred to here as interlock-rule triggering.
In the present invention, a timer and a timing length may also be set: when the IDS device starts running, the timer is started, and the timer reaching the timing length triggers the IDS device's interlock rule issuing process; this trigger condition is referred to here as timer triggering. When the timer reaches the timing length, execution begins at step 107 of the flow, and the other processes are identical to those described in the present embodiment and are not repeated here. The timing length may be set according to the processing efficiency of the interlocking device and the attack situation in the network. When the timer reaches the timing length, an issuing process triggered by an interlock rule may already be running; in that case, the timer-triggered issuing process may either wait for the current interlock-rule-triggered issuing process to finish before running, or run while the interlock-rule-triggered process is still executing, so that issuing processes triggered by both trigger conditions exist simultaneously. When timer triggering and interlock-rule triggering coexist, the method of calculating the issue rate is unchanged.
In the present invention, the issuing process triggered by a generated interlock rule may also be dispensed with, using only the issuing process triggered by the timer reaching the timing length. Under this trigger condition, the interlock rule issuing process divides into two parts: a storage part, comprising steps 101~106 of the embodiment, and an issuing part, comprising steps 107~114 of the embodiment. The concrete operations of the two parts are the same as described in the embodiment; only when the timer reaches the timing length is the issuing part triggered, otherwise only the flow of the storage part is executed.
In an embodiment, depending on the specific circumstances of the IDS device and the interlocking devices, the judgements in step 103 and step 108 may be omitted; the other steps of the flow are unchanged, and the judgement that is not needed is simply removed from the flow.
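As an added illustration, not the patent's own code, the following Python model implements the Fig. 1 flow (steps 101~115) together with the aging process and timer triggering: a first-in-first-out not-issued table, an issued table, a per-period counter for the issue rate, identity comparison on the eleven parameters listed under step 104, and aggregation of identical rules. The `send` callable, the field names, the return strings and the sample rule values are assumptions.

```python
from collections import deque
from dataclasses import dataclass

# Added example, not the patent's code: models the Fig. 1 flow (steps 101-115),
# the aging process and timer triggering. Field names and sample values are assumptions.

# Parameters that decide whether two interlock rules are "identical" (step 104).
IDENTITY_FIELDS = ("src_mac", "dst_mac", "vlan", "src_ip", "src_mask", "dst_ip",
                   "dst_mask", "src_port", "dst_port", "limit_type", "protocol")


@dataclass
class InterlockRule:
    src_mac: str
    dst_mac: str
    vlan: int
    src_ip: str
    src_mask: str
    dst_ip: str
    dst_mask: str
    src_port: int
    dst_port: int
    limit_type: str         # rate-limiting type
    protocol: str
    blocking_time: int      # seconds; decremented by the aging process
    total_traffic: int = 0  # carried in the rule but not part of the identity check
    status_bit: int = 0
    version: int = 1

    def identity(self):
        return tuple(getattr(self, f) for f in IDENTITY_FIELDS)


class RuleDispatcher:
    """IDS-side dispatcher holding the not-issued and issued interlock rule tables."""

    def __init__(self, send, max_rules, max_rate, period=1):
        self.send = send            # send(rule) -> bool, True if issued successfully
        self.max_rules = max_rules  # maximum rule count for each table (e.g. ACL capacity)
        self.max_rate = max_rate    # maximum issue rate, rules per second
        self.period = period        # counter period in seconds
        self.not_issued = deque()   # not-issued table, first in first out
        self.issued = []            # issued table
        self.issued_in_period = 0   # counter restarted at every period boundary

    def current_rate(self):
        # Read the counter directly; no waiting for the period boundary (step 107).
        return self.issued_in_period / self.period

    @staticmethod
    def _find(table, rule):
        key = rule.identity()
        return next((r for r in table if r.identity() == key), None)

    def on_new_rule(self, rule):
        """Interlock-rule triggering: storage part (steps 101-106), then issuing part."""
        existing = self._find(self.not_issued, rule)
        if existing is not None:                       # steps 102 -> 104: aggregate
            existing.blocking_time = rule.blocking_time
            return "aggregated"                        # new copy discarded; flow ends (assumed)
        if len(self.not_issued) >= self.max_rules:     # steps 103 -> 106
            return "dropped_table_full"
        self.not_issued.append(rule)                   # step 105
        return self.try_issue()                        # step 107 onward

    def on_timer(self):
        """Timer triggering: run only the issuing part (step 107 onward)."""
        return self.try_issue()

    def try_issue(self):
        if self.current_rate() >= self.max_rate:       # step 107 -> 114; rule stays stored
            return "rate_limited"
        if len(self.issued) >= self.max_rules:         # step 108 -> 114
            return "issued_table_full"
        if not self.not_issued:
            return "nothing_to_issue"
        rule = self.not_issued.popleft()               # step 109: head of the FIFO table
        if self._find(self.issued, rule) is not None:  # step 110 -> 115
            return "duplicate"
        if not self.send(rule):                        # steps 111-112 -> 115
            return "send_failed"
        self.issued.append(rule)                       # step 113
        self.issued_in_period += 1
        return "issued"

    def new_period(self):
        """Counter restart at the period boundary (every whole second in the embodiment)."""
        self.issued_in_period = 0

    def age(self, elapsed=1):
        """Aging: subtract the elapsed time; rules whose blocking time reaches 0 are removed."""
        for table in (self.not_issued, self.issued):
            for r in list(table):
                r.blocking_time -= elapsed
                if r.blocking_time <= 0:
                    table.remove(r)


def make_rule(src_ip, blocking_time):
    """Constructed sample rule: block TCP/80 from src_ip to one host on VLAN 10 (assumed values)."""
    return InterlockRule("00:11:22:33:44:55", "66:77:88:99:aa:bb", 10, src_ip,
                         "255.255.255.255", "10.0.0.5", "255.255.255.255",
                         0, 80, "block", "tcp", blocking_time)


if __name__ == "__main__":
    d = RuleDispatcher(send=lambda r: True, max_rules=4, max_rate=2)
    for ip in ("1.1.1.1", "1.1.1.2", "1.1.1.3"):
        print(ip, d.on_new_rule(make_rule(ip, 60)))    # third rule is rate limited
    d.new_period()
    print("timer", d.on_timer())                      # the stored rule is issued now
```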
The above are only preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.

Claims (27)

1, a kind of method that issues security strategy is characterized in that, maximum is set issues speed, carries out following steps:
A1, storage are attacked the new security strategy that produces according to each;
B1, when satisfying trigger condition, obtain the current speed that issues security strategy, judge whether the current speed that issues security strategy issues speed less than maximum, if then obtain and issue at first the security strategy of storage; Otherwise, abandon issuing security strategy.
2, method according to claim 1 is characterized in that, this method further comprises: timer and timing length are set; Then among the step B1, describedly satisfy trigger condition and be: stored the new security strategy and the timer that produce and arrived in the timing length at least one.
3, method according to claim 1 and 2 is characterized in that, this method further comprises: be provided with and do not issue the security strategy table, further comprised before steps A 1:
A, security strategy that will newly produce and the security strategy that does not issue in the security strategy table compare, judge whether to exist identical security strategy, if exist, then in not issuing the security strategy table, the blocking-up time of security strategy that will be identical with new generation security strategy is updated to the entrained blocking-up time of new security strategy; If there is no, execution in step A1 then;
Be stored as described in the steps A 1: the security strategy that storage produces in not issuing the security strategy table.
4, method according to claim 3 is characterized in that, this method further comprises: be provided with and issued the security strategy table; Obtain at first after the security strategy of storage among the step B1, issue before the security strategy that obtains, further comprise:
B11, the security strategy that obtains and the security strategy that has issued in the security strategy table are compared, judge whether to exist identical security strategy,, then abandon the security strategy that obtains if exist; Otherwise, issue the security strategy that obtains.
5, method according to claim 4 is characterized in that, after step B1, this method further comprises:
C1, judge whether the current security strategy that issues issues successfully, if success, the security strategy adding that then will currently issue has issued the security strategy table; Otherwise, abandon the current security strategy that issues.
6. The method according to claim 5, characterized in that the method further comprises setting a maximum policy count, and, after step a and before step A1, further comprises:
judging whether the number of security policies in the not-yet-issued policy table has reached the maximum policy count; if so, discarding the currently generated new security policy; otherwise, executing step A1.
7. The method according to claim 6, characterized in that, before the earliest-stored security policy is obtained, the method further comprises:
judging whether the number of security policies in the issued policy table has reached the maximum policy count; if so, abandoning the issuing of the security policy; otherwise, obtaining the earliest-stored security policy.
8. The method according to claim 7, characterized in that the method further comprises setting a fixed time interval; at every fixed time interval, subtracting the fixed time interval from the blocking time carried by each security policy in the not-yet-issued policy table and in the issued policy table, and, when the blocking time carried by a security policy reaches zero, deleting that security policy from the table in which it is held.
9. The method according to claim 1 or 2, characterized in that a counter is provided which periodically records the number of security policies issued, and the obtaining of the current rate at which security policies are issued is: dividing the recorded number of issued security policies by the length of the period.
10. The method according to claim 1 or 2, characterized in that the security policy is an interlock rule.
11. The method according to claim 8, characterized in that the security policy is an interlock rule; the not-yet-issued policy table is a not-yet-issued interlock rule table; the issued policy table is an issued interlock rule table; and the maximum policy count is a maximum rule count.
12. A method for issuing security policies, characterized in that a not-yet-issued policy table is provided and the following steps are carried out:
A2. comparing the new security policy generated for each attack with the security policies in the not-yet-issued policy table and judging whether an identical security policy exists; if so, updating, in the not-yet-issued policy table, the blocking time of the security policy identical to the newly generated one to the blocking time carried by the new security policy; if not, storing the currently generated new security policy in the not-yet-issued policy table;
B2. when the trigger condition is satisfied, obtaining and issuing the earliest-stored security policy.
13. The method according to claim 12, characterized in that the method further comprises setting a timer and a timing length; and, in step B2, the trigger condition being satisfied is at least one of: a newly generated security policy has been stored, and the timer has reached the timing length.
14. The method according to claim 12, characterized in that the method further comprises setting a maximum policy count, and, in step A2, before the currently generated new security policy is stored in the not-yet-issued policy table, further comprises:
judging whether the number of security policies in the not-yet-issued policy table has reached the maximum policy count; if so, discarding the currently generated new security policy; otherwise, storing the currently generated new security policy in the not-yet-issued policy table.
15. The method according to claim 12, 13 or 14, characterized in that the method further comprises setting a fixed time interval; at every fixed time interval, subtracting the fixed time interval from the blocking time carried by each security policy in the not-yet-issued policy table, and, when the blocking time carried by a security policy reaches zero, deleting that security policy from the not-yet-issued policy table.
16. The method according to claim 14, characterized in that the security policy is an interlock rule; the not-yet-issued policy table is a not-yet-issued interlock rule table; and the maximum policy count is a maximum rule count.
17. The method according to claim 12, 13 or 14, characterized in that an issued policy table is provided, and, after the earliest-stored security policy is obtained in step B2 and before the obtained security policy is issued, the method further comprises:
B21. comparing the obtained security policy with the security policies in the issued policy table and judging whether an identical security policy exists; if so, discarding the obtained security policy; otherwise, issuing the obtained security policy.
18. The method according to claim 17, characterized in that, after step B2, the method further comprises:
C2. judging whether the currently issued security policy was issued successfully; if so, adding the currently issued security policy to the issued policy table; otherwise, discarding the currently issued security policy.
19. The method according to claim 18, characterized in that the method further comprises setting a maximum policy count, and, in step A2, before the currently generated new security policy is stored in the not-yet-issued policy table, further comprises:
judging whether the number of security policies in the not-yet-issued policy table has reached the maximum policy count; if so, discarding the currently generated new security policy; otherwise, storing the currently generated new security policy in the not-yet-issued policy table.
20. The method according to claim 19, characterized in that, before the earliest-stored security policy is obtained, the method further comprises:
judging whether the number of security policies in the issued policy table has reached the maximum policy count; if so, abandoning the issuing of the security policy; otherwise, obtaining the earliest-stored security policy.
21. The method according to claim 20, characterized in that the method further comprises setting a fixed time interval; at every fixed time interval, subtracting the fixed time interval from the blocking time carried by each security policy in the not-yet-issued policy table and in the issued policy table, and, when the blocking time carried by a security policy reaches zero, deleting that security policy from the table in which it is held.
22. The method according to claim 19, characterized in that the security policy is an interlock rule; the not-yet-issued policy table is a not-yet-issued interlock rule table; the issued policy table is an issued interlock rule table; and the maximum policy count is a maximum rule count.
23. A method for issuing security policies, characterized in that an issued policy table is provided and the following steps are carried out:
A3. storing the new security policy generated for each attack;
B3. when the trigger condition is satisfied, obtaining the earliest-stored security policy, comparing the obtained security policy with the security policies in the issued policy table, and judging whether an identical security policy exists; if so, discarding the obtained security policy; otherwise, issuing the obtained security policy.
24. The method according to claim 23, characterized in that the method further comprises setting a timer and a timing length; and, in step B3, the trigger condition being satisfied is at least one of: a newly generated security policy has been stored, and the timer has reached the timing length.
25. The method according to claim 23 or 24, characterized in that, after step B3, the method further comprises:
C3. judging whether the currently issued security policy was issued successfully; if so, adding the currently issued security policy to the issued policy table; otherwise, discarding the currently issued security policy.
26. The method according to claim 25, characterized in that a maximum policy count is set, and, before the earliest-stored security policy is obtained, the method further comprises:
judging whether the number of security policies in the issued policy table has reached the maximum policy count; if so, abandoning the issuing of the security policy; otherwise, obtaining the earliest-stored security policy.
27. The method according to claim 23, characterized in that the method further comprises setting a fixed time interval; at every fixed time interval, subtracting the fixed time interval from the blocking time carried by each security policy in the issued policy table, and, when the blocking time carried by a security policy reaches zero, deleting that security policy from the issued policy table.
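The claims above describe one mechanism from several angles: a not-yet-issued table that absorbs repeated detections of the same attack by refreshing the blocking time, an issued table that stops the same rule being pushed to the device twice, a cap on both tables, a rate gate fed by a periodic counter, and an ageing pass that subtracts a fixed interval and deletes expired rules. The following simulation is an added example, not the patent's or the assignee's own code; it reads the claim 9 counter as "policies issued so far in the period in progress divided by the period length", and the Policy fields, the `send` callback and the attack sequence are all constructed for illustration.

```python
"""Simulation of the policy-issuing method described in the claims above.

Added example, not the patent's own implementation: the Policy fields, the
`send` callback and all sample attacks are constructed.
"""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """A minimal interlock rule: block src -> dst:port (constructed fields)."""
    src: str
    dst: str
    port: int


class PolicyIssuer:
    """Not-yet-issued and issued tables plus the checks of claims 1 to 9."""

    def __init__(self, max_rate, period, max_pending, max_issued, send):
        self.max_rate = max_rate        # maximum issue rate (policies per second)
        self.period = period            # counter period in seconds (claim 9)
        self.max_pending = max_pending  # maximum policy count, not-yet-issued table (claim 6)
        self.max_issued = max_issued    # maximum policy count, issued table (claim 7)
        self.send = send                # callable(Policy) -> bool; assumed device transport
        self.pending = OrderedDict()    # Policy -> remaining blocking time, oldest first
        self.issued = OrderedDict()     # Policy -> remaining blocking time
        self.issued_this_period = 0     # the counter of claim 9

    def on_new_policy(self, policy, blocking_time):
        """Step a / A2: a new policy generated from one detected attack."""
        if policy in self.pending:                   # identical rule already queued:
            self.pending[policy] = blocking_time     # refresh its blocking time only
            return "refreshed"
        if len(self.pending) >= self.max_pending:    # claim 6: table full, discard
            return "dropped:pending-full"
        self.pending[policy] = blocking_time         # step A1
        return "stored"

    def current_rate(self):
        """Claim 9 counter: policies issued in the period in progress / period length."""
        return self.issued_this_period / self.period

    def on_trigger(self):
        """Steps B1, B11 and C1: run whenever the trigger condition holds."""
        if not self.pending:
            return "idle"
        if self.current_rate() >= self.max_rate:     # B1: at the maximum rate, quit issuing
            return "deferred:rate"
        if len(self.issued) >= self.max_issued:      # claim 7: issued table full, quit issuing
            return "deferred:issued-full"
        policy, blocking_time = self.pending.popitem(last=False)   # earliest stored
        if policy in self.issued:                    # B11: never re-issue the same rule
            return "dropped:duplicate"
        if self.send(policy):                        # C1: record only rules the device accepted
            self.issued[policy] = blocking_time
            self.issued_this_period += 1
            return "issued"
        return "dropped:send-failed"

    def end_period(self):
        """Period boundary of the claim 9 counter."""
        self.issued_this_period = 0

    def age(self, elapsed):
        """Claim 8: subtract the interval and delete expired rules from both tables."""
        for table in (self.pending, self.issued):
            for policy in list(table):
                table[policy] -= elapsed
                if table[policy] <= 0:
                    del table[policy]


def simulate():
    """Drive the issuer through a constructed attack burst; returns log, sent rules and tables."""
    sent = []

    def send(policy):                    # constructed device: rejects rules on port 9
        sent.append(policy)
        return policy.port != 9

    issuer = PolicyIssuer(max_rate=2, period=1, max_pending=4, max_issued=3, send=send)
    p = [Policy("10.0.0.%d" % i, "192.0.2.10", 80) for i in range(1, 6)]   # constructed
    log = []
    for policy, blocking in [(p[0], 60), (p[1], 60), (p[0], 120), (p[2], 60), (p[3], 60), (p[4], 60)]:
        log.append(issuer.on_new_policy(policy, blocking))   # p[0] refreshed, p[4] dropped (table full)
    for _ in range(3):
        log.append(issuer.on_trigger())          # two issued, the third deferred by the rate gate
    issuer.end_period()
    log.append(issuer.on_new_policy(p[0], 90))   # same attack seen again; p[0] is no longer pending
    log.append(issuer.on_trigger())              # p[2] issued, issued table now holds three rules
    log.append(issuer.on_trigger())              # deferred: issued table full
    issuer.age(60)                               # p[1], p[2], p[3] expire; issued p[0] keeps 60 s
    log.append(issuer.on_trigger())              # p[0] again: duplicate of an issued rule, dropped
    log.append(issuer.on_new_policy(Policy("10.0.0.9", "192.0.2.10", 9), 60))
    log.append(issuer.on_trigger())              # device rejects it: not added to the issued table
    return log, sent, dict(issuer.issued), dict(issuer.pending)


if __name__ == "__main__":
    for event in simulate()[0]:
        print(event)
```

The refreshed blocking time of 120 s on `p[0]` is what keeps that rule in the issued table through the ageing pass, so the later re-detection is recognised as a duplicate rather than pushed to the device a second time; the rate gate leaves deferred rules in the not-yet-issued table, whereas duplicates and rejected sends are discarded, exactly the split the claims make between "quit issuing" and "discard".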

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005101318417A CN100364280C (en) 2005-12-15 2005-12-15 Method for sending safety strategy

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005101318417A CN100364280C (en) 2005-12-15 2005-12-15 Method for sending safety strategy

Publications (2)

Publication Number Publication Date
CN1777122A true CN1777122A (en) 2006-05-24
CN100364280C CN100364280C (en) 2008-01-23

Family

ID=36766441

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005101318417A Active CN100364280C (en) 2005-12-15 2005-12-15 Method for sending safety strategy

Country Status (1)

Country Link
CN (1) CN100364280C (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101431430B (en) * 2007-11-07 2011-09-21 中兴通讯股份有限公司 Policy execution system and method
CN106464659A (en) * 2014-06-30 2017-02-22 上海贝尔股份有限公司 Security in software defined network
CN106790016A (en) * 2016-12-14 2017-05-31 盐城工学院 One kind self-regulation filter method, device and network safety system
CN109510834A (en) * 2018-12-07 2019-03-22 北京神州绿盟信息安全科技股份有限公司 A kind of security strategy delivery method and device
CN111857941A (en) * 2019-04-30 2020-10-30 华为技术有限公司 Security policy management method and device
CN112153053A (en) * 2020-09-25 2020-12-29 杭州安恒信息技术股份有限公司 DDoS (distributed denial of service) protection configuration detection method, device, equipment and readable storage medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6834350B1 (en) * 1999-07-06 2004-12-21 Watchguard Technologies, Inc. Secure and differentiated delivery of network security information
US20040083386A1 (en) * 2002-10-28 2004-04-29 Bertrand Marquet Non-repudiable distributed security policy synchronization
US7308711B2 (en) * 2003-06-06 2007-12-11 Microsoft Corporation Method and framework for integrating a plurality of network policies
CN100525184C (en) * 2004-05-27 2009-08-05 华为技术有限公司 Network security protecting system and method
CN100346610C (en) * 2004-11-01 2007-10-31 沈明峰 Security policy based network security management system and method

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101431430B (en) * 2007-11-07 2011-09-21 中兴通讯股份有限公司 Policy execution system and method
CN106464659A (en) * 2014-06-30 2017-02-22 上海贝尔股份有限公司 Security in software defined network
US10666689B2 (en) 2014-06-30 2020-05-26 Alcatel Lucent Security in software defined network
CN106790016A (en) * 2016-12-14 2017-05-31 盐城工学院 One kind self-regulation filter method, device and network safety system
CN109510834A (en) * 2018-12-07 2019-03-22 北京神州绿盟信息安全科技股份有限公司 A kind of security strategy delivery method and device
CN109510834B (en) * 2018-12-07 2021-06-11 绿盟科技集团股份有限公司 Security policy issuing method and device
CN111857941A (en) * 2019-04-30 2020-10-30 华为技术有限公司 Security policy management method and device
WO2020220937A1 (en) * 2019-04-30 2020-11-05 华为技术有限公司 Security policy management method and device
CN111857941B (en) * 2019-04-30 2021-09-03 华为技术有限公司 Security policy management method and device
CN112153053A (en) * 2020-09-25 2020-12-29 杭州安恒信息技术股份有限公司 DDoS (distributed denial of service) protection configuration detection method, device, equipment and readable storage medium

Also Published As

Publication number Publication date
CN100364280C (en) 2008-01-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 310052 No. 466 Changhe Road, Binjiang District, Zhejiang, China

Patentee after: New H3C Technologies Co., Ltd.

Address before: 310053 No. 6, Huawei Hangzhou Science and Technology Industrial Park, High-tech Industrial Development Zone, Hangzhou, Zhejiang

Patentee before: Huasan Communication Technology Co., Ltd.

TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20180929

Address after: 230088 the 541 phase of H2 two, two innovation industrial park, No. 2800, innovation Avenue, Hi-tech Zone, Hefei, Anhui.

Patentee after: New H3C Security Technologies Co., Ltd.

Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466

Patentee before: New H3C Technologies Co., Ltd.