
CN105391684A - Centralized management method and centralized management device for strategies - Google Patents


Info

Publication number
CN105391684A
Authority
CN
China
Prior art keywords
policy
client
clients
message queue
strategy
Legal status
Pending
Application number
CN201510661903.9A
Other languages
Chinese (zh)
Inventor
梁媛
Current Assignee
IEIT Systems Co Ltd
Original Assignee
Inspur Electronic Information Industry Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/20: Network architectures or network communication protocols for managing network security; network security policies in general
    • H04L 41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08: Configuration management of networks or network elements
    • H04L 41/0893: Assignment of logical groups to network elements


Abstract

The present invention provides a centralized policy management method and a centralized management device. The method may include: the centralized management device pre-creates a policy library containing multiple policies; the clients in a computer network are divided into groups; according to the policies in the policy library, corresponding policies are assigned to the clients belonging to the same group; and each assigned policy is delivered to its corresponding clients. Because the clients in the network are grouped, assigning a policy to a single group completes the policy assignment for every client in that group, which improves the efficiency of policy configuration delivery.

Description

A centralized policy management method and centralized management device

Technical field

The present invention relates to the technical field of policy management, and in particular to a centralized policy management method and a centralized management device.

Background

With the rapid development of computer network technology, more and more security products are deployed in networks. To guarantee the security of a network, security policies must be configured for, and delivered to, each device in the network.

In the existing policy management method, the audit management device, super management device and security management device on the management side each configure a policy for every device in the network, one device at a time, deliver the configured security policies to the corresponding devices, and each management side stores the policies it has delivered.

Because the number of devices in a computer network keeps growing, configuring and delivering a security policy for each device individually consumes a large amount of resources, and configuration delivery is inefficient.

Summary of the invention

In view of this, the present invention provides a centralized policy management method and a centralized management device, so as to improve the efficiency of policy configuration delivery.

In a first aspect, the present invention provides a centralized policy management method applied to a centralized management device, where the centralized management device pre-creates a policy library containing multiple policies; the method further includes:

grouping multiple clients in a computer network;

according to the multiple policies in the policy library, assigning corresponding policies to the clients belonging to the same group;

delivering each assigned policy to its corresponding clients.

Preferably,

grouping multiple clients in the computer network includes: according to client attributes, placing clients with the same attribute into the same group;

or,

grouping multiple clients in the computer network includes: according to the identifier of the host each client belongs to, placing clients on the same host into the same group.

Preferably,

each policy in the policy library includes at least one rule group;

a rule group includes the security rules configured for each object to be protected;

where each rule group includes at least one of the following rule types: security label rules, file protection rules, process protection rules, registry protection rules and trust list protection rules.

Preferably,

the method further includes: pre-creating a policy decision message queue and a client message queue for each client; and pre-creating a policy decision thread that monitors the policy decision message queue;

delivering each assigned policy to its corresponding clients includes:

sending each assigned policy to the policy decision message queue, where the policy decision thread performs policy decision processing on each policy delivered to the policy decision message queue and determines, from the decision result, the client identifier each policy belongs to;

according to the determined client identifier, delivering each policy to the client message queue of the corresponding client, so that when a client detects that a policy has arrived in its client message queue, it takes the policy out of that queue and stores it.

Preferably,

before delivering each assigned policy to its corresponding clients, the method further includes: converting the data structure of each policy into a HashMap data structure, where the converted HashMap data structure includes a key representing the client identifier and a value field representing the policy content;

performing policy decision processing on each policy delivered to the policy decision message queue and determining the client identifier each policy belongs to from the decision result includes: determining the client identifier of each policy from the key corresponding to that policy in the policy decision message queue.

Preferably,

the method further includes: pre-creating a client response queue;

the method further includes: when a response message is detected in the client response queue, parsing out the client identifier and the corresponding target policy contained in the response message, and judging whether the target policy needs to be synchronized; if it does, then according to the target group to which the client identified in the response message belongs, delivering the target policy to the client message queues of the other clients in the target group, so as to synchronize the target policy to those other clients.

In a second aspect, the present invention also provides a centralized management device, including:

a creation unit for creating a policy library containing multiple policies;

a division unit for grouping multiple clients in a computer network;

an allocation unit for assigning corresponding target policies to the clients belonging to the same group, according to the multiple policies in the policy library;

a delivery unit for delivering each assigned policy to its corresponding clients.

Preferably,

the creation unit is further used to create a policy decision message queue and a client message queue for each client, and to pre-create a policy decision thread that monitors the policy decision message queue;

the delivery unit is specifically used to send each assigned policy to the policy decision message queue, use the policy decision thread to perform policy decision processing on each policy delivered to that queue and determine from the decision result the client identifier each policy belongs to, and, according to the determined client identifier, deliver each policy to the client message queue of the corresponding client, so that when a client detects a policy in its client message queue it takes the policy out and stores it.

Preferably,

the device further includes a conversion unit for converting the data structure of each policy into a HashMap data structure, where the converted HashMap data structure includes a key representing the client identifier and a value field representing the policy content;

the delivery unit is specifically used to determine the client identifier of each policy from the key corresponding to that policy in the policy decision message queue.

Preferably,

the creation unit is used to create a client response queue;

the device further includes a synchronization unit for, when a response message is detected in the client response queue, parsing out the client identifier and the corresponding target policy contained in the response message and judging whether the target policy needs to be synchronized; if it does, then according to the target group to which the client identified in the response message belongs, delivering the target policy to the client message queues of the other clients in the target group, so as to synchronize the target policy to those other clients.

Embodiments of the present invention provide a centralized policy management method and a centralized management device. By grouping the clients in a computer network, assigning a policy to a single group completes the policy assignment for every client in that group, which improves the efficiency of policy configuration delivery.

Brief description of the drawings

Figure 1 is a flow chart of the method provided by an embodiment of the present invention;

Figure 2 is a flow chart of the method provided by another embodiment of the present invention;

Figure 3 is a structural diagram of the centralized management system provided by an embodiment of the present invention;

Figure 4 is a hardware architecture diagram of the centralized management device provided by an embodiment of the present invention;

Figure 5 is a schematic structural diagram of the centralized management device provided by an embodiment of the present invention;

Figure 6 is a schematic structural diagram of the centralized management device provided by another embodiment of the present invention.

Detailed description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

As shown in Figure 1, an embodiment of the present invention provides a centralized policy management method applied to a centralized management device, where the centralized management device pre-creates a policy library; the method may include the following steps:

Step 101: group the multiple clients in the computer network.

Step 102: according to the multiple policies in the policy library, assign corresponding policies to the clients belonging to the same group.

Step 103: deliver each assigned policy to its corresponding clients.

According to the centralized policy management method of this embodiment, because the clients in the computer network are grouped, assigning a policy to a single group completes the policy assignment for every client in that group, which improves the efficiency of policy configuration delivery.

In a preferred embodiment of the present invention, to further improve delivery efficiency, a policy decision message queue and a client message queue for each client may be pre-created, together with a policy decision thread that monitors the policy decision message queue.

Each assigned policy may then be delivered to its corresponding clients as follows: each assigned policy is sent to the policy decision message queue; the policy decision thread performs policy decision processing on each policy delivered to that queue and determines, from the decision result, the client identifier each policy belongs to; according to the determined client identifier, each policy is delivered to the client message queue of the corresponding client, so that when a client detects a policy in its client message queue, it takes the policy out of that queue and stores it.

In a preferred embodiment of the present invention, to make the policy decision thread's lookup of the client a queued policy belongs to more efficient, the data structure of each policy may be converted, before the assigned policies are delivered to their clients, into a HashMap data structure, where the converted HashMap data structure includes a key representing the client identifier and a value field representing the policy content; the client identifier each policy belongs to is then determined from the key corresponding to that policy in the policy decision message queue.

Converting the policy data structure into a HashMap allows the policy content and the client identifier the policy belongs to to be read directly from the HashMap's key and value, which further improves the efficiency of policy delivery.

In a preferred embodiment of the present invention, policies may also be configured for an individual client in a customized form. After a policy has been customized for a particular client, it must further be decided whether that policy is to be synchronized to the other clients in the client's group. The method may therefore further include: pre-creating a client response queue; when a response message is detected in the client response queue, parsing out the client identifier and the corresponding target policy contained in the response message and judging whether the target policy needs to be synchronized; if it does, then according to the target group to which the client identified in the response message belongs, delivering the target policy to the client message queues of the other clients in the target group, so as to synchronize the target policy to those other clients.

By creating a client response queue, a client that has had a policy customized on it can automatically upload that policy to the client response queue, and the centralized management device decides whether to synchronize it, which makes policy assignment more flexible.

To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.

As shown in Figure 2, an embodiment of the present invention provides a centralized policy management method, which may include the following steps:

Step 201: establish a centralized management device connected between the management side and the clients; the management side creates the policy library by controlling the centralized management device.

In the prior art, each management side separately stores the policies it has delivered to the individual clients; with the large number of devices in a computer network, this easily leads to disordered policy management.

In this embodiment, a centralized management device is established that connects the management side with the clients. Figure 3 shows the structure of the centralized management system: every management side configures policies for clients through the centralized management device, and the configured policies are stored in the policy library of the centralized management device, so that the policies are managed centrally and in an orderly way.

The policies that the management side configures for clients may include system security policies, network security policies, alarm policies and so on.

In this embodiment, the centralized management device may create a policy library that stores the policies the management side configures for clients.

In this embodiment, the following policy model may be configured:

Each policy in the policy library includes at least one rule group. A rule group is a set of similar or related rules, including the security rules configured for each object to be protected; a policy is a set of rule groups assembled according to business requirements.

A policy may contain multiple rule groups, and a rule group is made up of rules of several different categories. A rule group may include at least one of the following rule types: security label rules, file protection rules, process protection rules, registry protection rules and trust list protection rules; each rule type may define one or more rules.

In this embodiment, two ways of creating policies may be set: system-predefined and user-defined. Policies created in the system-predefined way may be set so that they cannot be deleted or edited; to modify such a policy, it can be copied, and the copy edited and delivered.

In this embodiment, the grouping methods for the computer network may be set as follows: 1. by client attribute, clients with the same attribute are placed in the same group; 2. by the identifier of the host a client belongs to, clients on the same host are placed in the same group; 3. other grouping methods.

In this embodiment, the delivery methods may be given priorities; for example, grouping and delivery by the client's host has a higher priority than grouping and delivery by client attribute.

In this embodiment, the policy management page may include the following four parts:

Rule group management: manages rule groups and defines security rules according to the protected objects.

Policy library management: customizes policies according to business needs; rule groups can be combined freely.

Group distribution rules: distributes the policies configured in the policy library in batch to all clients belonging to the same group. When the same client has been placed in several groups by different grouping methods and has received a policy from each of those groups, the policy delivered by the grouping method with the higher priority may be selected as the policy assigned to that client.

Client policy: views the assigned policies from the client's perspective, and also allows rules to be customized for an individual client.
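To make the group distribution rule concrete, the following is an added C++ example, not code from the patent: constructed sample clients are grouped both by host and by attribute, and a client that lands in two groups is resolved by the priority of the grouping method, with host grouping outranking attribute grouping as the page states. The Client and GroupKind types, the assignPolicies function and the sample data are assumptions; the GroupPolicy pair mirrors the page's priority/policyid structure.

```cpp
#include <algorithm>
#include <cstdio>
#include <map>
#include <string>
#include <utility>
#include <vector>

// A client as the page groups it: by the host it belongs to and by a client attribute.
struct Client {
    unsigned int id;
    std::string host;       // host identifier the client belongs to
    std::string attribute;  // client attribute used for attribute grouping (hypothetical)
};

// A policy assigned to a group, tagged with the priority of the grouping method that produced it.
struct GroupPolicy {
    int priority;  // higher value wins when one client gets policies from several groups
    int policyid;
};

// Page: grouping by host has a higher priority than grouping by client attribute.
enum GroupKind { ByAttribute = 1, ByHost = 2 };

// (grouping method, group name) -> policy id the administrator assigned to that group.
using GroupAssignments = std::map<std::pair<GroupKind, std::string>, int>;

// For each client, collect one GroupPolicy per grouping method whose group has a policy.
std::map<unsigned int, std::vector<GroupPolicy>> candidates(
        const std::vector<Client>& clients, const GroupAssignments& assigned) {
    std::map<unsigned int, std::vector<GroupPolicy>> out;
    for (const Client& c : clients) {
        auto byHost = assigned.find({ByHost, c.host});
        if (byHost != assigned.end())
            out[c.id].push_back({ByHost, byHost->second});
        auto byAttr = assigned.find({ByAttribute, c.attribute});
        if (byAttr != assigned.end())
            out[c.id].push_back({ByAttribute, byAttr->second});
    }
    return out;
}

// Group distribution rule: the policy from the highest-priority grouping method is assigned.
// Returns -1 when no group policy applies to the client.
int resolve(const std::vector<GroupPolicy>& cands) {
    if (cands.empty()) return -1;
    auto best = std::max_element(cands.begin(), cands.end(),
        [](const GroupPolicy& a, const GroupPolicy& b) { return a.priority < b.priority; });
    return best->policyid;
}

// Final client id -> policy id pairs, i.e. the key/value pairs the page later stores in a HashMap.
std::map<unsigned int, int> assignPolicies(const std::vector<Client>& clients,
                                           const GroupAssignments& assigned) {
    std::map<unsigned int, int> result;
    for (auto& kv : candidates(clients, assigned))
        result[kv.first] = resolve(kv.second);
    return result;
}

// Constructed sample data (not from the page): client 1 is in both a host group and an
// attribute group, client 4 is in no group that has a policy.
std::vector<Client> sampleClients() {
    return {{1, "host-A", "finance"}, {2, "host-A", "hr"},
            {3, "host-B", "finance"}, {4, "host-C", "ops"}};
}
GroupAssignments sampleAssignments() {
    return {{{ByHost, "host-A"}, 100}, {{ByAttribute, "finance"}, 200}};
}

int main() {
    for (const auto& kv : assignPolicies(sampleClients(), sampleAssignments()))
        std::printf("client %u -> policy %d\n", kv.first, kv.second);
    return 0;
}
```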

Step 202: group the multiple clients in the computer network.

In this embodiment, the clients in the computer network may be grouped by any one or more of the grouping methods above.

In a preferred embodiment of the present invention, the clients in the computer network are grouped by one of the grouping methods above.

Step 203: according to the multiple policies in the policy library, assign corresponding policies to the clients belonging to the same group.

Step 204: convert the data structure of each policy into a HashMap data structure, where the converted HashMap data structure includes a key representing the client identifier and a value field representing the policy content.

In this embodiment, to look up the client identifier of each policy more efficiently, the data structure of each policy may be converted into a HashMap data structure. Every policy stored in the policy library may also be stored in HashMap form to speed up lookups.

The HashMap data structure may be as follows:

    // List<...> and HashMap<...> are generic container placeholders as written in the patent.
    typedef struct GroupPolicy
    {
        int priority;   // priority of the grouping method that assigned the policy
        int policyid;   // identifier of the policy in the policy library
    } GroupListObject;

    typedef struct PolicyObject
    {
        List<GroupListObject> HIPSlist;
        List<GroupListObject> ADlist;
        List<GroupListObject> SLlist;
        List<GroupListObject> FClist;
        List<GroupListObject> RAlist;
        int hostpolicy;
        int policytype;
    } ValueObject;

    HashMap<unsigned int, ValueObject>   // key: client identifier, value: policy content

Step 205: send each policy converted into the HashMap data structure to the policy decision message queue.

In this embodiment, to determine which group's clients each assigned policy belongs to, a policy decision message queue (Jqueue) and a policy decision thread may be created in advance; the policy decision message queue receives each delivered policy, and the policy decision thread monitors the policy decision message queue.

Step 206: when the policy decision thread detects that the policy decision message queue contains policies, it determines the client identifier each policy belongs to from the key corresponding to that policy.

Step 207: according to the determined client identifier, deliver each policy to the client message queue of the corresponding client.

In this embodiment, so that each policy can be delivered quickly to its client, a client message queue (Cqueue) may be created in advance for each client. For example, when a client registers, a Cqueue is created for it, and the name of the Cqueue may be the client identifier. When a policy needs to be delivered to a client, the policy data is assembled into JSON format and added to that client's message queue, where it waits for the client to take the message out.

In this embodiment, once the client identifier of a policy has been determined, the other client identifiers in the same group are determined from the grouping, and the policy is delivered to the client message queue of every client in that group.

Step 208: when a client detects that its client message queue contains a policy, it takes the policy out of that queue and stores it.

In this embodiment, a message bus may be established between the centralized management device and the clients, so that data transmitted between the centralized management device and the clients is transferred and processed over this message bus.

Step 209: create a client response queue (Rqueue) and a policy synchronization thread that monitors it; when the policy synchronization thread detects message content in the client response queue, it parses out the client identifier and the corresponding target policy contained in the response message.

Step 210: judge whether the target policy needs to be synchronized; if it does, then according to the target group to which the client identified in the response message belongs, deliver the target policy to the client message queues of the other clients in the target group, so as to synchronize the target policy to those other clients.

在本实施例中,还可以创建如下线程:In this embodiment, the following threads can also be created:

主线程:用于初始化数据和创建线程。Main thread: used to initialize data and create threads.

监控线程:用来监控策略判决线程和策略同步线程的状态,如果发现线程状态异常则重新启动线程。Monitoring thread: used to monitor the status of the policy decision thread and policy synchronization thread, and restart the thread if the thread status is found to be abnormal.

根据本实施例提供的策略集中管理方法,通过对计算机网络中的多个客户端进行分组,只需为一个分组分配策略,即可完成对该分组中所包括的所有客户端的策略分配,从而可以提高策略配置下发的效率。According to the policy centralized management method provided in this embodiment, by grouping multiple clients in the computer network, only one group needs to assign a policy to complete the policy assignment to all clients included in the group, so that Improve the efficiency of policy configuration delivery.
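The following is an added illustration of steps 206 to 210 and is not code from the patent or its applicant. It models the centralized management device in one Python process: a policy decision message queue, one Cqueue per registered client (created at registration and keyed by client identifier), grouping by a client attribute as in claim 2, and a client response queue. The patent runs the decision and synchronization work as threads watched by a monitoring thread; here each is a synchronous pass so the result is deterministic. Two details are assumptions made for the example only: an entry whose key names an unregistered client is dropped rather than silently creating a queue for it, and a response is synchronized only when it carries a "sync" flag, since the patent does not say how the need for synchronization is decided. All names and the JSON layout are likewise assumed.

```python
import json
import queue
from collections import defaultdict


class PolicyCenter:
    """Single-process model of the centralized management device (added example)."""

    def __init__(self):
        self.decision_queue = queue.Queue()   # policy decision message queue
        self.response_queue = queue.Queue()   # client response queue (Rqueue)
        self.client_queues = {}               # client_id -> Cqueue, created at registration
        self.group_of = {}                    # client_id -> group name
        self.members = defaultdict(list)      # group name -> [client_id, ...]

    def register(self, client_id, attributes):
        """Client registration: create the Cqueue and place the client in a group
        by attribute (claim 2). Grouping on the "os" attribute is an assumption."""
        self.client_queues[client_id] = queue.Queue()
        group = attributes["os"]
        self.group_of[client_id] = group
        self.members[group].append(client_id)

    def assign_to_group(self, group, policy):
        """Assign one policy to a whole group: one HashMap-style entry per member
        (key = client identifier, value = policy content) goes to the decision queue."""
        for client_id in self.members[group]:
            self.decision_queue.put({"key": client_id, "value": policy})

    def decision_pass(self):
        """Work of the policy decision thread (steps 206-207): read the key to decide
        which client owns each queued policy and append the policy, as JSON, to that
        client's Cqueue. Returns the number of policies routed."""
        routed = 0
        while True:
            try:
                entry = self.decision_queue.get_nowait()
            except queue.Empty:
                return routed
            client_id = entry["key"]
            if client_id not in self.client_queues:
                continue  # unregistered client: drop, do not create a queue (assumption)
            self.client_queues[client_id].put(json.dumps(entry["value"], sort_keys=True))
            routed += 1

    def client_fetch(self, client_id):
        """Client side (step 208): drain the client's own Cqueue and return the
        policies it would store."""
        stored = []
        cqueue = self.client_queues[client_id]
        while True:
            try:
                stored.append(json.loads(cqueue.get_nowait()))
            except queue.Empty:
                return stored

    def sync_pass(self):
        """Work of the policy synchronization thread (steps 209-210): for each response
        whose "sync" flag is set (assumed field), push the reported policy to every
        other member of the reporting client's group. Returns the number of Cqueue writes."""
        synced = 0
        while True:
            try:
                response = json.loads(self.response_queue.get_nowait())
            except queue.Empty:
                return synced
            if not response.get("sync"):
                continue
            origin = response["client_id"]
            if origin not in self.group_of:
                continue  # response from an unknown client is ignored (assumption)
            for client_id in self.members[self.group_of[origin]]:
                if client_id != origin:
                    self.client_queues[client_id].put(
                        json.dumps(response["policy"], sort_keys=True))
                    synced += 1


def demo():
    """Constructed walk-through with three clients; returns the values a test can check."""
    center = PolicyCenter()
    center.register("host-a", {"os": "linux"})
    center.register("host-b", {"os": "linux"})
    center.register("host-c", {"os": "windows"})
    policy = {"id": "p1", "rules": [{"type": "file_protection",
                                     "object": "/etc/passwd", "mode": "read-only"}]}
    center.assign_to_group("linux", policy)     # one assignment covers the whole group
    routed = center.decision_pass()
    on_a = center.client_fetch("host-a")
    on_c = center.client_fetch("host-c")        # not in the group: receives nothing
    # host-a reports a changed policy that the rest of its group must receive
    center.response_queue.put(json.dumps(
        {"client_id": "host-a", "sync": True, "policy": {"id": "p2"}}))
    synced = center.sync_pass()
    on_b = center.client_fetch("host-b")
    return routed, on_a, on_c, synced, on_b
```

Running demo() shows the two properties the method claims: a single group assignment is fanned out to every member through the decision queue, and a response from one member is replayed into the Cqueues of the other members only.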

As shown in FIG. 4 and FIG. 5, an embodiment of the present invention provides a centralized management device. The device embodiment may be implemented in software, in hardware, or in a combination of the two. At the hardware level, FIG. 4 is a hardware structure diagram of the equipment hosting the centralized management device of this embodiment; besides the processor, memory, network interface and non-volatile memory shown in FIG. 4, the hosting equipment may also include other hardware, such as a forwarding chip for processing packets. Taking the software implementation as an example, as shown in FIG. 5, the device as a logical entity is formed by the CPU of its hosting equipment reading the corresponding computer program instructions from non-volatile memory into memory and executing them. The centralized management device of this embodiment includes:

a creation unit 501, configured to create a policy library containing multiple policies;

a division unit 502, configured to group the multiple clients in a computer network;

an assignment unit 503, configured to assign, from the policies in the policy library, the corresponding target policy to the clients belonging to the same group;

a delivery unit 504, configured to deliver each assigned policy to its corresponding client.

Further,

the creation unit 501 is further configured to create a policy decision message queue and a client message queue for each client, and to create in advance a policy decision thread for monitoring the policy decision message queue;

the delivery unit 504 is specifically configured to send each assigned policy to the policy decision message queue, to use the policy decision thread to perform policy decision processing on each policy delivered to that queue and determine from the decision result the client identifier each policy belongs to, and to deliver each policy, according to the determined client identifier, to the client message queue of the corresponding client, so that the client, on detecting that its client message queue contains a policy, retrieves and stores it.

In a preferred embodiment of the present invention, as shown in FIG. 6, the centralized management device may further include:

a conversion unit 601, configured to convert the data structure of each policy into a HashMap data structure, where the resulting HashMap includes a key representing the client identifier and a value field representing the policy content;

the delivery unit 504 is specifically configured to determine the client identifier each policy belongs to from the key of each policy delivered to the policy decision message queue.

Further,

the creation unit 501 is configured to create a client response queue;

the device further includes a synchronization unit 602, configured to parse out, on detecting that the client response queue contains a response message, the client identifier and the corresponding target policy contained in that message, and to determine whether the target policy needs to be synchronized; if it does, the synchronization unit delivers the target policy, according to the target group of the client identified in the response message, to the client message queues of the other clients in that target group, thereby synchronizing the target policy to them.

Further, the division unit 502 is specifically configured to group clients in the computer network that share the same attribute into the same group, according to client attributes;

or,

the division unit 502 is specifically configured to group clients in the computer network that belong to the same host into the same group, according to the identifier of the host each client belongs to.

Further, each policy in the policy library includes at least one rule group;

a rule group includes the security rules configured for each object to be protected;

where each rule group includes at least one of the following kinds of rule: security label rules, file protection rules, process protection rules, registry protection rules and trust list protection rules.
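The following is an added illustration of the policy structure just described (one policy, one or more rule groups, each group holding rules of the listed kinds for a protected object) and is not code from the patent or its applicant. It validates a policy against that structure before it is placed in a Cqueue, and serializes it to the JSON message the client will retrieve. Because the patent specifies neither the wire format nor any integrity protection for delivered policies, the example adds an HMAC-SHA256 tag over the canonical JSON body so that a client can refuse a forged or altered policy; the tag, the shared key, the JSON field names and the rule-type identifier strings are all assumptions of this example, and the sample policy is constructed.

```python
import hashlib
import hmac
import json

# Rule kinds named in the patent; the identifier strings are assumptions.
RULE_TYPES = {"security_label", "file_protection", "process_protection",
              "registry_protection", "trust_list_protection"}

# Constructed sample policy: one rule group per protected object.
SAMPLE_POLICY = {
    "id": "baseline-1",
    "rule_groups": [
        {"object": "/etc/ssh/sshd_config",
         "rules": [{"type": "file_protection", "action": "deny_write"}]},
        {"object": "HKLM\\SYSTEM\\CurrentControlSet\\Services",
         "rules": [{"type": "registry_protection", "action": "deny_write"},
                   {"type": "process_protection", "action": "deny_terminate",
                    "process": "agent.exe"}]},
    ],
}

# Assumed shared secret between the management device and its clients (not in the patent).
SHARED_KEY = b"demo-shared-key"


def validate_policy(policy):
    """Return the list of problems found; an empty list means the policy has at least
    one rule group, and every group names a protected object and holds at least one
    rule of a known kind."""
    problems = []
    groups = policy.get("rule_groups") or []
    if not groups:
        problems.append("policy has no rule group")
    for gi, group in enumerate(groups):
        if not group.get("object"):
            problems.append(f"rule group {gi}: no protected object")
        rules = group.get("rules") or []
        if not rules:
            problems.append(f"rule group {gi}: no rules")
        for ri, rule in enumerate(rules):
            if rule.get("type") not in RULE_TYPES:
                problems.append(
                    f"rule group {gi}, rule {ri}: unknown rule type {rule.get('type')!r}")
    return problems


def encode_for_queue(policy, key=SHARED_KEY):
    """Serialize a validated policy to the JSON message placed in a Cqueue, with an
    HMAC-SHA256 tag over the canonical body. The tag is an addition of this example."""
    if validate_policy(policy):
        raise ValueError("refusing to deliver a malformed policy")
    body = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"policy": body, "tag": tag})


def decode_from_queue(message, key=SHARED_KEY):
    """Client side: verify the tag before storing. Returns the policy dict, or None
    when the message fails verification."""
    envelope = json.loads(message)
    expected = hmac.new(key, envelope["policy"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope.get("tag", "")):
        return None
    return json.loads(envelope["policy"])


def tamper(message):
    """Constructed attack for the test: weaken a rule inside the signed body
    without recomputing the tag."""
    envelope = json.loads(message)
    envelope["policy"] = envelope["policy"].replace("deny_write", "allow_write")
    return json.dumps(envelope)
```

The validator is run on the management side before a policy is queued, so a malformed policy never reaches a client; the client-side check rejects both a body modified in transit and a message tagged under a different key.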

In summary, the embodiments of the present invention can achieve at least the following beneficial effects:

1. In the embodiments of the present invention, the clients in a computer network are grouped, so that a policy need only be assigned to a group to complete the assignment to every client in that group, which improves the efficiency of policy configuration delivery.

2. In the embodiments of the present invention, a policy decision message queue and a client message queue for each client are created, together with a policy decision thread that monitors the policy decision message queue; each assigned policy is sent to that queue, the policy decision thread performs policy decision processing on each policy in it and determines from the decision result the client identifier each policy belongs to, which improves the efficiency of policy delivery.

3. In the embodiments of the present invention, the data structure of each policy is converted into a HashMap data structure whose key represents the client identifier and whose value field represents the policy content; the client identifier each policy belongs to can then be determined from the key of each policy delivered to the policy decision message queue, which improves the efficiency with which the policy decision thread decides which client a queued policy belongs to, and hence the efficiency of policy delivery.

4. In the embodiments of the present invention, a centralized management mode is adopted that suits users with many client devices, saving the user's cost and easing the management of client devices by technical staff. Through the centralized management device, system security policies, network security policies and alarm policies can be customized and distributed to client devices. The centralized policy management method can support the management of more than 3000 client devices, and its configuration is simple, flexible and efficient. In addition, communication between the centralized management device and the clients can use the message bus for asynchronous transmission and processing of messages, so that the functional modules of the system are loosely coupled, a higher business volume can be sustained, and the throughput and performance of the system are greatly improved.

Since the information exchange and execution processes among the units of the above device are based on the same concept as the method embodiments of the present invention, refer to the description of the method embodiments for details; they are not repeated here.

It should be noted that relational terms such as first and second are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" and any variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device comprising a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises it.

Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be performed by hardware instructed by a program, and that the program may be stored in a computer-readable storage medium; when executed, the program performs the steps of the method embodiments. The storage medium includes ROM, RAM, magnetic disks, optical discs and other media capable of storing program code.

Finally, it should be noted that the above are only preferred embodiments of the present invention, provided to illustrate its technical solution and not to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention falls within its scope of protection.

Claims (10)

1. A centralized policy management method, characterized in that it is applied to a centralized management device which creates in advance a policy library containing multiple policies, the method further comprising: grouping the multiple clients in a computer network; assigning, from the policies in the policy library, corresponding policies to the clients belonging to the same group; and delivering each assigned policy to its corresponding client.

2. The method of claim 1, characterized in that grouping the multiple clients in the computer network comprises: grouping clients in the computer network that have the same attribute into the same group, according to client attributes; or grouping clients in the computer network that belong to the same host into the same group, according to the identifier of the host each client belongs to.

3. The method of claim 1, characterized in that each policy in the policy library includes at least one rule group; a rule group includes the security rules configured for each object to be protected; and each rule group includes at least one of the following kinds of rule: security label rules, file protection rules, process protection rules, registry protection rules and trust list protection rules.

4. The method of claim 1, characterized in that it further comprises: creating in advance a policy decision message queue and a client message queue for each client, and creating in advance a policy decision thread for monitoring the policy decision message queue; and delivering each assigned policy to its corresponding client comprises: sending each assigned policy to the policy decision message queue, the policy decision thread performing policy decision processing on each policy delivered to that queue and determining from the decision result the client identifier each policy belongs to; and delivering each policy, according to the determined client identifier, to the client message queue of the corresponding client, so that the client, on detecting that its client message queue contains a policy, retrieves and stores it.

5. The method of claim 3, characterized in that, before delivering each assigned policy to its corresponding client, it further comprises converting the data structure of each policy into a HashMap data structure, the resulting HashMap including a key representing the client identifier and a value field representing the policy content; and performing policy decision processing on each policy delivered to the policy decision message queue and determining from the decision result the client identifier each policy belongs to comprises: determining the client identifier each policy belongs to from the key of each policy delivered to the policy decision message queue.

6. The method of any one of claims 1 to 5, characterized in that it further comprises: creating in advance a client response queue; and, on detecting that the client response queue contains a response message, parsing out the client identifier and the corresponding target policy contained in that message and determining whether the target policy needs to be synchronized; if it does, delivering the target policy, according to the target group of the client identified in the response message, to the client message queues of the other clients in that target group, thereby synchronizing the target policy to them.

7. A centralized management device, characterized in that it comprises: a creation unit, configured to create a policy library containing multiple policies; a division unit, configured to group the multiple clients in a computer network; an assignment unit, configured to assign, from the policies in the policy library, corresponding target policies to the clients belonging to the same group; and a delivery unit, configured to deliver each assigned policy to its corresponding client.

8. The centralized management device of claim 7, characterized in that the creation unit is further configured to create a policy decision message queue and a client message queue for each client, and to create in advance a policy decision thread for monitoring the policy decision message queue; and the delivery unit is specifically configured to send each assigned policy to the policy decision message queue, to use the policy decision thread to perform policy decision processing on each policy delivered to that queue and determine from the decision result the client identifier each policy belongs to, and to deliver each policy, according to the determined client identifier, to the client message queue of the corresponding client, so that the client, on detecting that its client message queue contains a policy, retrieves and stores it.

9. The centralized management device of claim 8, characterized in that it further comprises a conversion unit, configured to convert the data structure of each policy into a HashMap data structure, the resulting HashMap including a key representing the client identifier and a value field representing the policy content; and the delivery unit is specifically configured to determine the client identifier each policy belongs to from the key of each policy delivered to the policy decision message queue.

10. The centralized management device of any one of claims 7 to 9, characterized in that the creation unit is configured to create a client response queue; and the device further comprises a synchronization unit, configured to parse out, on detecting that the client response queue contains a response message, the client identifier and the corresponding target policy contained in that message, and to determine whether the target policy needs to be synchronized; if it does, to deliver the target policy, according to the target group of the client identified in the response message, to the client message queues of the other clients in that target group, thereby synchronizing the target policy to them.
CN201510661903.9A 2015-10-14 2015-10-14 Centralized management method and centralized management device for strategies Pending CN105391684A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510661903.9A CN105391684A (en) 2015-10-14 2015-10-14 Centralized management method and centralized management device for strategies


Publications (1)

Publication Number Publication Date
CN105391684A true CN105391684A (en) 2016-03-09

Family

ID=55423521

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510661903.9A Pending CN105391684A (en) 2015-10-14 2015-10-14 Centralized management method and centralized management device for strategies

Country Status (1)

Country Link
CN (1) CN105391684A (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105978882A (en) * 2016-05-17 2016-09-28 浪潮电子信息产业股份有限公司 A method for issuing host security policies controlled by lisence and security switches on a centralized management platform
CN106131033A (en) * 2016-07-20 2016-11-16 浪潮电子信息产业股份有限公司 A policy management method of SSR centralized management platform
CN106302484A (en) * 2016-08-22 2017-01-04 浪潮电子信息产业股份有限公司 A method for centralized management of policies
CN106372512A (en) * 2016-08-25 2017-02-01 浪潮电子信息产业股份有限公司 A Task-Based Security Baseline Execution Method
CN106998265A (en) * 2017-03-14 2017-08-01 中国银联股份有限公司 A kind of monitoring method and its device
CN108459878A (en) * 2018-01-08 2018-08-28 郑州云海信息技术有限公司 A kind of the centralized management platform and method of Intrusion Detection based on host control client starting up
CN108551439A (en) * 2018-03-23 2018-09-18 杭州迪普科技股份有限公司 A kind of improved method and device of policy template application
CN108809680A (en) * 2017-05-04 2018-11-13 腾讯科技(深圳)有限公司 A kind of method and apparatus of equipment management
CN108880860A (en) * 2018-05-24 2018-11-23 杭州迪普科技股份有限公司 A kind of policy management method and device
CN109150866A (en) * 2018-08-09 2019-01-04 郑州云海信息技术有限公司 A kind of policy distribution feedback and check system and method
CN110119622A (en) * 2019-05-15 2019-08-13 苏州浪潮智能科技有限公司 A kind of registration table Integrity Management method, system and equipment
CN111314312A (en) * 2020-01-19 2020-06-19 苏州浪潮智能科技有限公司 A policy management method, system, device and medium
CN112688818A (en) * 2020-12-30 2021-04-20 北京天融信网络安全技术有限公司 Data transmission method and device, electronic equipment and readable storage medium
CN113794717A (en) * 2021-09-14 2021-12-14 京东科技信息技术有限公司 Safety scheduling method, device and related equipment
CN114201368A (en) * 2021-12-28 2022-03-18 湖北天融信网络安全技术有限公司 Management and control strategy configuration method and device based on data security protection
CN115842659A (en) * 2022-11-18 2023-03-24 山石网科通信技术股份有限公司 Policy updating method, system and device and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103634156A (en) * 2013-12-17 2014-03-12 中国联合网络通信集团有限公司 Device, equipment and system for managing and controlling network safety in centralized manner
CN104202333A (en) * 2014-09-16 2014-12-10 浪潮电子信息产业股份有限公司 Implementation method of distributed firewall
CN104714825A (en) * 2015-03-20 2015-06-17 北京瑞星信息技术有限公司 Method for uniformly configuring strategies



Similar Documents

Publication Publication Date Title
CN105391684A (en) Centralized management method and centralized management device for strategies
US11704144B2 (en) Creating virtual machine groups based on request
CN104380277B (en) For managing method, system and the equipment of the server hardware resource in cloud dispatch environment
WO2021017301A1 (en) Management method and apparatus based on kubernetes cluster, and computer-readable storage medium
CN105049502B (en) The method and apparatus that device software updates in a kind of cloud network management system
CN103220225B (en) Message processing method, device and system
WO2018205325A1 (en) Method and system for use in constructing content delivery network platform on heterogeneous resources
WO2024148833A1 (en) Container multi-network-interface-card network configuration method, apparatus, and device, and storage medium
US10447703B2 (en) VNF package operation method and apparatus
CN107895049A (en) Data processing method and device, computer readable storage medium, electronic device
CN112685148B (en) Asynchronous communication method and device for mass terminals, computer equipment and storage medium
CN106383764A (en) Data acquisition method and device
CN107122324B (en) A message transmission method and device
JP2016116184A (en) Network monitoring device and virtual network management method
CN104683428A (en) Network service processing method and device
CN110858846A (en) Resource allocation method, device and storage medium
CN113157611B (en) Data transmission control method, device, equipment and readable storage medium
CN105493444B (en) A network function virtualization NFV fault management device, equipment and method
CN117407159A (en) Memory space management method and device, equipment and storage medium
CN114362983A (en) Firewall policy management method and device, computer equipment and storage medium
CN109947676A (en) Data access method and device
CN117742931A (en) Method and device for determining big data cluster deployment scheme, clusters and storage medium
CN108667644A (en) Method for Configuring ACL Services and Forwarding Devices
WO2025035664A1 (en) Data partition management method and apparatus, and electronic device
CN114070889B (en) Configuration methods, traffic forwarding methods, equipment, storage media and program products

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160309