CN108600198A - Access control method, device, computer storage medium and terminal for a firewall - Google Patents
- Publication number: CN108600198A (application CN201810299618.0A)
- Authority: CN (China)
- Prior art keywords: server, access control, configuration file, access, firewall
- Legal status: Pending
Classifications
- H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L67/2866: Network arrangements or protocols for supporting network services or applications; Architectures; Arrangements
- H04L67/30: Network arrangements or protocols for supporting network services or applications; Profiles
Abstract
A firewall access control method, device, computer storage medium and terminal. The method includes: according to the management information of each server and a preset access control policy, generating a configuration file for controlling access to the system firewall of one or more servers; and distributing the generated configuration file to each server, so that access control of the system firewall is achieved once each server loads the configuration file. The embodiments of the invention improve the efficiency of system-firewall access control management and reduce the impact of that management on service operation.
Description
Technical Field
The present disclosure relates to, but not limited to, computer technologies, and in particular, to a method and an apparatus for controlling access to a firewall, a computer storage medium, and a terminal.
Background
Whether in traditional industries or the emerging internet industry, more and more enterprises obtain greater service operation capacity by using large numbers of Personal Computer (PC) servers. When managing and controlling a large number of servers, managing access control of each server's system firewall is particularly important, including keeping the access control policy unified and effective, and preventing illegal changes to a system firewall from affecting service operation capacity.
At present, access control management of the system firewall is mainly done by a system administrator manually configuring and changing the system firewall of each server.
In the related art, configuring and changing the system firewall with human participation has low processing efficiency, cannot audit configuration changes, and easily leads to configuration errors caused by manual operation. When the number of servers is large, the access control management problem of the system firewall becomes more serious, and in serious cases the enterprise's service operation is affected.
Disclosure of Invention
The following is a summary of the subject matter described in detail herein. This summary is not intended to limit the scope of the claims.
Embodiments of the present invention provide a firewall access control method and apparatus, a computer storage medium, and a terminal, which can improve access control management efficiency of a system firewall and reduce influence of access control management of the system firewall on service operation.
An embodiment of the invention provides a firewall access control method, which comprises the following steps:
generating a configuration file for controlling access to the system firewall of one or more servers according to the management information of each server and a preset access control policy;
distributing the generated configuration file to each server, so that access control of the system firewall is achieved after each server loads the configuration file.
Optionally, before generating the configuration file for controlling access to the system firewall of one or more servers, the access control method further includes:
acquiring the management information of each server;
wherein the management information comprises some or all of the following information for each server: server type, operating system version, type and version of the system firewall software, service port access control list, and server remote management information.
Optionally, after distributing the generated configuration file to each server, the access control method further includes:
determining whether each server has received the configuration file;
when a server has received the configuration file, instructing that server to load the received configuration file.
Optionally, generating the configuration file for controlling access to the system firewall of one or more servers includes:
setting one or more access management templates, and loading some or all of the corresponding access control policies onto each access management template;
loading one or more access management templates according to the acquired management information and the preset access control policy, to generate the configuration file for controlling access to the system firewall of one or more servers.
Optionally, the access control method further includes:
setting a corresponding system role for each server;
generating the same configuration file for controlling access to the system firewall for servers with the same system role.
Optionally, setting the system role corresponding to each server includes:
setting a corresponding system role for each server according to the server's service type and/or security level and/or server configuration.
Optionally, before distributing the generated configuration file to each server, the access control method further includes:
judging whether the configuration file issued to the server the previous time was abnormal;
when the configuration file issued to the server the previous time is judged to be abnormal, selecting a configuration file that meets a preset requirement for sending.
Optionally, distributing the generated configuration file to each server includes:
distributing the generated configuration file to the corresponding servers according to preset grouping information.
In another aspect, an embodiment of the present invention further provides a firewall access control device, comprising a generation module and a distribution module; wherein
the generation module is configured to: generate a configuration file for controlling access to the system firewall of one or more servers according to the management information of each server and a preset access control policy;
the distribution module is configured to: distribute the generated configuration file to each server, so that access control of the system firewall is achieved after each server loads the configuration file.
Optionally, the access control device further includes an acquisition module configured to:
acquire the management information of each server;
wherein the management information comprises some or all of the following information for each server: server type, operating system version, type and version of the system firewall software, service port access control list, and server remote management information.
Optionally, the access control device further includes a management module configured to:
determine whether each server has received the configuration file;
when a server has received the configuration file, instruct that server to load the received configuration file.
Optionally, the generation module is specifically configured to:
set one or more access management templates, and load some or all of the corresponding access control policies onto each access management template;
load one or more access management templates according to the acquired management information and the preset access control policy, to generate the configuration file for controlling access to the system firewall of one or more servers.
Optionally, the access control device further includes a role setting module;
the role setting module is configured to: set a corresponding system role for each server;
the generation module is further configured to: generate the same configuration file for controlling access to the system firewall for servers with the same system role.
Optionally, the role setting module is specifically configured to:
set a corresponding system role for each server according to the server's service type and/or security level and/or server configuration.
Optionally, the access control device further includes a checking module configured to:
judge whether the configuration file issued to the server the previous time was abnormal;
the distribution module is further configured to: when the configuration file issued to the server the previous time is judged to be abnormal, select a configuration file that meets a preset requirement for sending.
Optionally, the distribution module is specifically configured to:
distribute the generated configuration file to the corresponding servers according to preset grouping information.
In another aspect, an embodiment of the present invention further provides a computer storage medium storing computer-executable instructions, the computer-executable instructions being used to execute the above firewall access control method.
In another aspect, an embodiment of the present invention further provides a terminal, comprising a memory and a processor; wherein
the processor is configured to execute the program instructions in the memory;
the program instructions, when read by the processor, perform the following operations:
generating a configuration file for controlling access to the system firewall of one or more servers according to the management information of each server and a preset access control policy;
distributing the generated configuration file to each server, so that access control of the system firewall is achieved after each server loads the configuration file.
Compared with the related art, the technical solution of the present application comprises: generating a configuration file for controlling access to the system firewall of one or more servers according to the management information of each server and a preset access control policy; and distributing the generated configuration file to each server, so that access control of the system firewall is achieved after each server loads the configuration file. The embodiments of the invention improve the efficiency of system-firewall access control management and reduce the impact of that management on service operation.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification; they illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention without limiting it.
FIG. 1 is a flowchart of a firewall access control method according to an embodiment of the present invention;
FIG. 2 is a block diagram of a firewall access control device according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the present invention clearer, embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be noted that the embodiments and the features of the embodiments in the present application may be combined with each other arbitrarily if they do not conflict.
The steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions. Although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from the one shown here.
FIG. 1 is a flowchart of a firewall access control method according to an embodiment of the present invention; as shown in FIG. 1, the method includes:
step 101, generating a configuration file for controlling access to the system firewall of one or more servers according to the management information of each server and a preset access control policy;
it should be noted that the access control policy in the embodiment of the present invention may include a control policy determined by analysis by a person skilled in the art according to the service type, the security level, the server configuration, and the like.
Optionally, generating the configuration file for controlling access to the system firewall of one or more servers in the embodiment of the present invention includes:
setting one or more access management templates, and loading some or all of the corresponding access control policies onto each access management template;
loading one or more access management templates according to the acquired management information and the preset access control policy, to generate the configuration file for controlling access to the system firewall of one or more servers.
It should be noted that, in the embodiments of the present invention, an access management template may be set according to one or more access control policies; the access management template may be implemented on the basis of loadable files in the related art; the access management template may be pre-stored in a database or other storage space, and the way it is loaded may include existing implementations of the related art; from the access management template, a person skilled in the art can generate the configuration file of the embodiment of the present invention by processing according to the related art.
Optionally, before generating the configuration file for controlling access to the system firewall of one or more servers, the access control method of the embodiment of the present invention further includes:
acquiring the management information of each server;
wherein the management information comprises some or all of the following information for each server: server type, operating system version, type and version of the system firewall software, service port access control list, and server remote management information.
It should be noted that the server remote management information in the embodiment of the present invention may include: the Secure Shell (SSH) remote login address, login username, password information, and any other information that must be provided depending on the remote server management tools used by the enterprise;
step 102, distributing the generated configuration file to each server, so that access control of the system firewall is achieved after each server loads the configuration file.
Optionally, after distributing the generated configuration file to each server, the access control method of the embodiment of the present invention further includes:
determining whether each server has received the configuration file;
when a server has received the configuration file, instructing that server to load the received configuration file.
It should be noted that the method for determining whether the configuration file has been received and for instructing the server to load it may be implemented with methods existing in the related art, and is not described again here.
Optionally, before generating the configuration file for controlling access to the system firewall of one or more servers, the access control method of the embodiment of the present invention further includes:
setting a corresponding system role for each server;
after the system role corresponding to each server has been set, generating the same configuration file for controlling access to the system firewall for the servers with the same system role.
It should be noted that the system role may be determined from information including server attributes, and may be described by a mark such as a distinguishing code or an identifier.
Optionally, setting the system role corresponding to each server in the embodiment of the present invention includes:
setting a corresponding system role for each server according to the server's service type and/or security level and/or server configuration.
Optionally, before distributing the generated configuration file to each server in step 102, the access control method of the embodiment of the present invention further includes:
judging whether the configuration file issued to the server the previous time was abnormal;
when the configuration file issued to the server the previous time is judged to be abnormal, selecting a configuration file that meets a preset requirement for sending.
Here, the configuration file satisfying the preset requirement may include: a previously loaded configuration file that meets the security requirements.
Optionally, distributing the generated configuration file to each server in the embodiment of the present invention includes:
distributing the generated configuration file to the corresponding servers according to preset grouping information.
FIG. 2 is a block diagram of a firewall access control device according to an embodiment of the present invention; as shown in FIG. 2, the device comprises a generation module and a distribution module; wherein
the generation module is configured to: generate a configuration file for controlling access to the system firewall of one or more servers according to the management information of each server and a preset access control policy;
optionally, the access control device in this embodiment of the present invention further includes an acquisition module configured to:
acquire the management information of each server;
wherein the management information comprises some or all of the following information for each server: server type, operating system version, type and version of the system firewall software, service port access control list, and server remote management information.
Optionally, the generation module in the embodiment of the present invention is specifically configured to:
set one or more access management templates, and load some or all of the corresponding access control policies onto each access management template;
load one or more access management templates according to the acquired management information and the preset access control policy, to generate the configuration file for controlling access to the system firewall of one or more servers.
The distribution module is configured to: distribute the generated configuration file to each server, so that access control of the system firewall is achieved after each server loads the configuration file.
Optionally, the access control device of the embodiment of the present invention further includes a management module configured to:
determine whether each server has received the configuration file;
when a server has received the configuration file, instruct that server to load the received configuration file.
Optionally, the access control device in the embodiment of the present invention further includes a role setting module;
the role setting module is configured to: set a corresponding system role for each server;
optionally, the role setting module in the embodiment of the present invention is specifically configured to:
set a corresponding system role for each server according to the server's service type and/or security level and/or server configuration.
Optionally, the generation module in the embodiment of the present invention is further configured to: generate the same configuration file for controlling access to the system firewall for servers with the same system role.
Optionally, the access control device in this embodiment of the present invention further includes a checking module configured to:
judge whether the configuration file issued to the server the previous time was abnormal;
the distribution module is further configured to: when the configuration file issued to the server the previous time is judged to be abnormal, select a configuration file that meets a preset requirement for sending.
Optionally, the distribution module in the embodiment of the present invention is specifically configured to:
distribute the generated configuration file to the corresponding servers according to preset grouping information.
An embodiment of the invention also provides a computer storage medium storing computer-executable instructions, the instructions being used to execute the above firewall access control method.
An embodiment of the present invention further provides a terminal, comprising a memory and a processor; wherein
the processor is configured to execute the program instructions in the memory;
the program instructions, when read by the processor, perform the following operations:
generating a configuration file for controlling access to the system firewall of one or more servers according to the management information of each server and a preset access control policy;
distributing the generated configuration file to each server, so that access control of the system firewall is achieved after each server loads the configuration file.
The method of the embodiment of the present invention is described in detail below through an application example, which serves only to illustrate the present invention and not to limit its scope of protection.
Application example
This application example is based on the composition of the above-described embodiments; wherein
the configuration module is configured to: for one or more servers, generate a configuration file for controlling access to the system firewall according to the acquired management information and a preset access control policy; that is, a system administrator can perform configuration management of the system firewall access control of one server or a batch of servers through the configuration module. It should be noted that this application example may implement the function of the configuration module on the World Wide Web (WEB); the access control policy may include a control policy determined by analysis by a person skilled in the art according to the service type, security level, server configuration, and the like.
The configuration module is specifically configured to generate the configuration file on the basis of one or more preset access management templates. In this application example the access management template provides the management functions of defining, configuring and authorizing the access control policy. Through an access management template, a system administrator can apply configuration files generated from the same access control policy to a batch of servers; when the access control policy is changed or maintained, the corresponding configuration files can be regenerated from the access management template, which realizes access control management of the system firewalls of a batch of servers. For example, separate access management templates are set for remote office servers, log collection servers and monitoring servers, and the configuration files for each type of server are generated from the template that was set. The access management template thus provides the technical basis for batch management of the servers' system-firewall access control and improves the efficiency of that management. The application example can also generate, through an access management template, configuration files for access control policies that apply to all servers: by authorizing all servers uniformly, a unified system-firewall access control policy is set, and a universal, unified basic access control authorization is configured for servers serving the same purpose; this may include configuring the allowed and prohibited network communication behaviour of a class of servers. For example, to meet the requirement that a bastion host log in remotely over SSH to the service servers, the application example may set a bastion host access management template, and set in it an access control policy that includes the IP addresses of the master and slave bastion machines permitted to use the bastion host, the authorization rule for accessing the SSH service port of the remote service server, and the like.
Before generating the configuration file, the application example further acquires, through the acquisition module, the management information of each server; the way of acquiring it may include receiving externally input information. The management information may include, for each server: server type, operating system version, type and version of the system firewall software, service port Access Control List (ACL), server remote management information, and so on. As in the related art, differences in server type, operating system and operating system version may lead to differences in access control; for example, when the operating system versions differ, the firewall software used by the system firewall may differ: on Red Hat Enterprise Linux (RHEL) / CentOS 6 (Community Enterprise Operating System 6) the system firewall is configured with iptables (iptables is the Internet Protocol (IP) packet filtering system integrated into the latest Linux kernel, version 3.5), whereas on RHEL/CentOS 7 the system firewall is configured with firewalld (firewalld is the default firewall management tool available on CentOS 7 servers). The configuration file therefore has to be generated according to the acquired management information. The server remote management information of the application example may include: the Secure Shell (SSH) remote login address, login username, password information, and any other information that must be provided depending on the remote server management tools used by the enterprise; the server remote management information provides the information needed for batch management of the servers.
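The generation step described above, as an added example that is not the patent's own code: a server's management information (operating system version, firewall software) and an access management template for a system role are turned into a loadable configuration file, with the backend chosen as the text describes (iptables on RHEL/CentOS 6, firewalld on RHEL/CentOS 7). The bastion template, hostnames and addresses are constructed for illustration.

```python
"""Template-driven generation of per-server system-firewall configuration.

Added example, not the patent's own code. It models step 101: the 'management
information' of a server plus an 'access management template' (the access
control policy for a system role) produce a configuration file. Every
hostname, address and template below is constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ManagementInfo:
    """Subset of the patent's 'management information' for one server."""
    hostname: str
    os_version: str              # e.g. "CentOS 7"
    firewall_software: str = ""  # e.g. "iptables" / "firewalld"; "" = unknown


@dataclass(frozen=True)
class AccessTemplate:
    """An 'access management template': the allowed flows for one system role.

    Each allow entry is (protocol, port, source_cidr). Anything not listed is
    dropped, so the template is a default-deny policy for that role.
    """
    role: str
    allow: tuple


def select_backend(info: ManagementInfo) -> str:
    """Pick the firewall backend from the management information.

    Explicitly recorded firewall software wins; otherwise infer it from the
    OS major version as the patent describes (6 -> iptables, 7 -> firewalld).
    """
    if info.firewall_software in ("iptables", "firewalld"):
        return info.firewall_software
    m = re.search(r"(RHEL|CentOS)\s*(\d+)", info.os_version)
    if not m:
        raise ValueError(f"cannot determine firewall backend for {info.hostname}")
    return "iptables" if int(m.group(2)) <= 6 else "firewalld"


def _check_entry(proto: str, port: int, cidr: str) -> str:
    """Reject malformed policy entries before they can reach a server."""
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {proto!r}")
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    # strict=True refuses a prefix with host bits set (e.g. 10.0.0.1/24)
    return str(ipaddress.ip_network(cidr, strict=True))


def render_iptables(tpl: AccessTemplate) -> str:
    """Render the template as an iptables-restore style filter table."""
    lines = ["*filter", ":INPUT DROP [0:0]",
             "-A INPUT -i lo -j ACCEPT",
             "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for proto, port, cidr in tpl.allow:
        net = _check_entry(proto, port, cidr)
        lines.append(f"-A INPUT -p {proto} -s {net} --dport {port} -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def render_firewalld(tpl: AccessTemplate) -> str:
    """Render the template as permanent firewall-cmd rich rules."""
    lines = ["firewall-cmd --permanent --zone=public --set-target=DROP"]
    for proto, port, cidr in tpl.allow:
        net = _check_entry(proto, port, cidr)
        rule = (f'rule family="ipv4" source address="{net}" '
                f'port port="{port}" protocol="{proto}" accept')
        lines.append(f"firewall-cmd --permanent --zone=public --add-rich-rule='{rule}'")
    lines.append("firewall-cmd --reload")
    return "\n".join(lines) + "\n"


def generate_config(info: ManagementInfo, tpl: AccessTemplate) -> str:
    """Step 101: management information + template -> configuration file.

    The header names the role and backend only, so two servers with the same
    system role and backend receive byte-identical files, as the patent wants.
    """
    backend = select_backend(info)
    header = f"# role={tpl.role} backend={backend}\n"
    body = render_iptables(tpl) if backend == "iptables" else render_firewalld(tpl)
    return header + body


# Constructed bastion template: only the two jump hosts may reach SSH.
BASTION = AccessTemplate(role="bastion-ssh-target",
                         allow=(("tcp", 22, "10.10.0.1/32"),
                                ("tcp", 22, "10.10.0.2/32")))

if __name__ == "__main__":
    print(generate_config(ManagementInfo("app-01", "CentOS 6"), BASTION))
    print(generate_config(ManagementInfo("app-02", "CentOS 7", "firewalld"), BASTION))
```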
the application example further comprises a distribution module configured to: after the configuration file is generated, the generated configuration file is distributed to each server for realizing the access control of a server system firewall; the distribution of the configuration file of the application example can be realized by the existing distribution method in the related art, including but not limited to: the system comprises an android (android is an automatic operation and maintenance tool, is developed based on Python, integrates the advantages of a plurality of operation and maintenance tools, realizes the functions of batch system configuration, batch program deployment, batch operation commands and the like), a SaltStack (SaltStack is a centralized management platform of a server infrastructure and has the functions of configuration management, remote execution, monitoring and the like), the SaltStack is realized based on Python language, and can execute commands in batches on thousands of servers by deploying a SaltStack environment, and perform centralized configuration management, file distribution, server data collection, operating system foundation, software package management and the like according to different service characteristics).
The distribution module can distribute the configuration files of servers belonging to the same group according to preset grouping information; the application example can group servers by host level and by the application setting of the host, and can also identify the servers for batch processing through other server information. The configuration file of the application example may further include configuration files that add, delete and modify access control strategies. Batch configuration is a synchronous process and can be built on an integrated open-source configuration management tool, including but not limited to Ansible, SaltStack or Puppet (a centralized configuration management system for Linux, Unix and Windows platforms that uses its own description language to manage configuration files, users, software packages, system services and the like); a person skilled in the art can choose among them according to the requirements of the application. The main functions of the configuration management tool are to provide technical support for batch server management in describing configuration files, the network communication mechanism, configuration file synchronization and the like, and these capabilities can be exposed to upper-layer service programs through various Application Programming Interfaces (APIs).
The application example further comprises a management module, which detects and determines which servers have received the configuration file and controls each such server to load it; once the configuration file is loaded, the access control management of the system firewall is complete.
Based on the attribute information of the servers, the application example can also set a corresponding system role for each server through a role setting module; according to the set system roles, the same configuration file is generated for servers with the same system role from the same access management template, and those servers are configured with that file through the access management template corresponding to the role. For example, the application example sets the same system role for all servers of an enterprise that provide remote office, log collection and monitoring services; according to the access control strategy formulated for that system role, the same configuration file can be generated for every server set to the role according to the access management template. When a server is set to the system role, the configuration file corresponding to the role is issued to it and the server is controlled to load that file. The system role can be set according to the server type, for example a server monitoring service role for monitoring services, a server remote management role for remote management services, a server data service role for database services, and so on; a server may also hold several system roles. Each system role can correspond to one access management template or a group of them, and efficient access control management can be realized through the templates corresponding to the system roles.
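As an added illustration (not code from the patent), the following Python sketches the generation step described above: per-server management information selects the firewall software, system roles select access management templates, and servers sharing roles and firewall software receive identical files. The role names, ports and subnets are constructed sample values.

```python
"""Role-based generation of system-firewall configuration files.

Added example, not the patent's code: management information per server
(OS generation, firewall software), system roles mapped to access management
templates, and one rendered file per server. Sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One template entry: allow `proto`/`port` from the `source` subnet.
    Anything not matched is dropped by the template's default policy."""
    port: int
    proto: str
    source: str


@dataclass
class Server:
    name: str
    os_version: str         # from management information, e.g. "centos6", "centos7"
    firewall_software: str  # "iptables" (RHEL/CentOS 6) or "firewalld" (RHEL/CentOS 7)
    roles: List[str] = field(default_factory=list)


# Access management templates keyed by system role (constructed sample data).
TEMPLATES: Dict[str, List[Rule]] = {
    "remote_management": [Rule(22, "tcp", "10.0.0.0/24")],    # SSH from the admin subnet
    "monitoring":        [Rule(9100, "tcp", "10.0.1.0/24")],  # metrics scraped by monitor hosts
    "data_service":      [Rule(3306, "tcp", "10.0.2.0/24")],  # database clients only
}


def merged_rules(roles: List[str]) -> List[Rule]:
    """A server may hold several roles: merge their templates, dropping duplicates
    and sorting roles so equal role sets always yield byte-identical files."""
    merged: List[Rule] = []
    for role in sorted(roles):
        for rule in TEMPLATES[role]:  # an unknown role raises KeyError on purpose
            if rule not in merged:
                merged.append(rule)
    return merged


def render_iptables(rules: List[Rule]) -> str:
    """RHEL/CentOS 6: an iptables-restore file with a default DROP on INPUT."""
    lines = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
             "-A INPUT -i lo -j ACCEPT",
             "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    lines += [f"-A INPUT -p {r.proto} -s {r.source} --dport {r.port} -j ACCEPT" for r in rules]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def render_firewalld(rules: List[Rule]) -> str:
    """RHEL/CentOS 7: firewall-cmd rich rules in the drop zone, then a reload."""
    lines = ["firewall-cmd --permanent --set-default-zone=drop"]
    for r in rules:
        lines.append("firewall-cmd --permanent --zone=drop --add-rich-rule="
                     f"'rule family=ipv4 source address={r.source} "
                     f"port port={r.port} protocol={r.proto} accept'")
    lines.append("firewall-cmd --reload")
    return "\n".join(lines) + "\n"


RENDERERS: Dict[str, Callable[[List[Rule]], str]] = {
    "iptables": render_iptables,
    "firewalld": render_firewalld,
}


def generate_configs(servers: List[Server]) -> Dict[str, Tuple[str, str]]:
    """Return {server name: (firewall software, configuration file text)}."""
    return {s.name: (s.firewall_software, RENDERERS[s.firewall_software](merged_rules(s.roles)))
            for s in servers}
```

The rendered text is what the distribution module would push and the management module would load; two servers with the same role set and firewall software get identical output regardless of the order in which their roles were assigned.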
The application example further provides a checking module, which performs an integrity check on the previously issued configuration file before distributing a configuration file containing access control information to the server, so as to determine whether the previously issued configuration file is abnormal. The application example can generate a Message Digest Algorithm 5 (MD5) check file for each configuration file issued from the top down and check against that file; for example, when the checking module is implemented in Python, the md5() function of the hashlib module (a library dedicated to hash algorithms, supporting all algorithms provided by the OpenSSL (Open Secure Sockets Layer) library) is used. To realize the integrity check, the application example can back up the configuration files distributed to each server and generate corresponding integrity check information for the backed-up files; whether a configuration file is abnormal is then judged through the generated integrity check information. If the previously sent configuration file is found to be abnormal, the application example can select a configuration file meeting the safety requirement to be issued and loaded. Here, a person skilled in the art can determine the safe configuration file analytically based on the previous server operating state.
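The integrity check described above, as an added Python example that is not the patent's code: each issued configuration file is backed up together with a hashlib MD5 digest, the backed-up copy is re-hashed before the next distribution, and on a mismatch the distributor falls back to the newest version that still verifies (one possible choice of "safe" file; the file contents are constructed).

```python
"""Integrity check of the last-issued configuration file before a new distribution.

Added example, not the patent's code. The distribution step backs up what it
issued and records an MD5 digest (hashlib, as the description proposes); the
checking module recomputes the digest of the backed-up copy and flags a
mismatch as abnormal. File contents used here are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


def digest(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of a configuration file. MD5 follows the description and
    detects accidental corruption; it is not collision resistant, so sha256
    is the better choice when tampering by an adversary must be ruled out."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


@dataclass
class IssuedConfig:
    version: int
    content: bytes      # backed-up copy of what was distributed
    recorded_md5: str   # digest generated at distribution time


class ConfigBackupStore:
    """Per-server history of issued configuration files and their digests."""

    def __init__(self) -> None:
        self._history: Dict[str, List[IssuedConfig]] = {}

    def record_issue(self, server: str, content: bytes) -> IssuedConfig:
        """Back up a distributed file and its digest (called by the distributor)."""
        hist = self._history.setdefault(server, [])
        entry = IssuedConfig(len(hist) + 1, content, digest(content))
        hist.append(entry)
        return entry

    def last_issued(self, server: str) -> Optional[IssuedConfig]:
        hist = self._history.get(server)
        return hist[-1] if hist else None

    def is_last_issue_abnormal(self, server: str) -> bool:
        """True when the backed-up copy of the last issue no longer matches the
        digest recorded when it was distributed (the check module's judgement)."""
        last = self.last_issued(server)
        return last is not None and digest(last.content) != last.recorded_md5

    def select_for_distribution(self, server: str, candidate: bytes) -> bytes:
        """Decide what to send next. If the previous issue verifies, send the new
        candidate; otherwise fall back to the newest backed-up version that still
        verifies, so a corrupted file is never re-pushed to the server."""
        if not self.is_last_issue_abnormal(server):
            return candidate
        for entry in reversed(self._history[server]):
            if digest(entry.content) == entry.recorded_md5:
                return entry.content
        return candidate  # no verified history left: the fresh candidate is the only option
```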
It will be understood by those skilled in the art that all or part of the steps of the above methods may be implemented by a program instructing associated hardware (e.g., a processor) to perform the steps, and the program may be stored in a computer readable storage medium, such as a read only memory, a magnetic or optical disk, and the like. Alternatively, all or part of the steps of the above embodiments may be implemented using one or more integrated circuits. Accordingly, each module/unit in the above embodiments may be implemented in hardware, for example, by an integrated circuit to implement its corresponding function, or in software, for example, by a processor executing a program/instruction stored in a memory to implement its corresponding function. The present invention is not limited to any specific form of combination of hardware and software.
Although the embodiments of the present invention have been described above, the above description is only for the convenience of understanding the present invention, and is not intended to limit the present invention. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (18)
1. An access control method for a firewall, comprising:
generating a configuration file for controlling access to a system firewall of one or more servers according to the management information of each server and a preset access control strategy;
and distributing the generated configuration file to each server so as to realize access control on a system firewall after each server loads the configuration file.
2. The access control method according to claim 1, wherein before generating the configuration file for controlling access to the system firewall of the one or more servers, the access control method further comprises:
acquiring the management information of each server;
wherein the management information comprises some or all of the following information for each server: server type, operating system version, type and version of system firewall software, service port access control list, and server remote management information.
3. The access control method according to claim 1, wherein after distributing the generated configuration file to each server, the access control method further comprises:
determining whether each server receives the configuration file;
and when the server is determined to receive the configuration file, controlling the server to load the received configuration file.
4. The access control method according to claim 1, wherein generating the configuration file for controlling access to the system firewall of one or more servers comprises:
setting one or more access management templates, and loading corresponding partial or all access control strategies on each access management template;
and loading one or more access management templates according to the acquired management information and the preset access control strategy to generate the configuration file for controlling the access of the system firewall of one or more servers.
5. The access control method according to any one of claims 1 to 4, characterized by further comprising:
setting corresponding system roles of the servers;
and generating the same configuration file for the server with the same system role to perform the access control of the system firewall.
6. The access control method according to claim 5, wherein the setting of the system role corresponding to each server comprises:
and setting the corresponding system role for each server according to the service type and/or security level of the server and/or the server configuration.
7. The access control method according to any one of claims 1 to 4, wherein before distributing the generated configuration file to each server, the access control method further comprises:
judging whether the configuration file issued to the server at the previous time is abnormal or not;
and when the configuration file sent to the server at the previous time is judged to be abnormal, selecting the configuration file meeting the preset requirement for sending.
8. The access control method according to any one of claims 1 to 4, wherein the distributing the generated configuration file to each server includes:
and distributing the generated configuration file to a corresponding server according to preset grouping information.
9. An access control apparatus for a firewall, comprising a generation module and a distribution module, wherein:
the generation module is configured to: generate a configuration file for controlling access to a system firewall of one or more servers according to the management information of each server and a preset access control strategy;
the distribution module is configured to: distribute the generated configuration file to each server so as to realize access control on the system firewall after each server loads the configuration file.
10. The access control device of claim 9, further comprising an acquisition module to:
acquiring the management information of each server;
wherein the management information comprises some or all of the following information for each server: server type, operating system version, type and version of system firewall software, service port access control list, and server remote management information.
11. The access control device of claim 9, further comprising a management module to:
determining whether each server receives the configuration file;
and when the server is determined to receive the configuration file, controlling the server to load the received configuration file.
12. The access control device according to claim 9, wherein the generating module is specifically configured to:
setting one or more access management templates, and loading corresponding partial or all access control strategies on each access management template;
and loading one or more access management templates according to the acquired management information and the preset access control strategy to generate the configuration file for controlling the access of the system firewall of one or more servers.
13. The access control device according to any one of claims 9 to 12, further comprising a role setting module;
the role setting module is used for: setting corresponding system roles of the servers;
the generation module is further configured to: generate the same configuration file for the servers with the same system role to perform the access control of the system firewall.
14. The access control device of claim 13, wherein the role setting module is specifically configured to:
and setting corresponding system roles for each server according to the service type and/or security level of the server and/or the server configuration.
15. The access control device according to any of claims 9 to 12, further comprising a checking module for:
judging whether the configuration file issued to the server at the previous time is abnormal or not;
the distribution module is further configured to: and when the configuration file sent to the server at the previous time is judged to be abnormal, selecting the configuration file meeting the preset requirement for sending.
16. The access control device according to any one of claims 9 to 12, wherein the distribution module is specifically configured to:
and distributing the generated configuration file to a corresponding server according to preset grouping information.
17. A computer storage medium having stored therein computer-executable instructions for performing the access control method for a firewall according to any one of claims 1 to 8.
18. A terminal, comprising: a memory and a processor; wherein,
the processor is configured to execute program instructions in the memory;
the program instructions, when read by the processor, perform the following operations:
generating a configuration file for controlling access to a system firewall of one or more servers according to the management information of each server and a preset access control strategy;
and distributing the generated configuration file to each server so as to realize access control on a system firewall after each server loads the configuration file.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810299618.0A CN108600198A (en) | 2018-04-04 | 2018-04-04 | Access control method, device, computer storage media and the terminal of fire wall |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108600198A true CN108600198A (en) | 2018-09-28 |
Family
ID=63625488
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108600198A (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109361711A (en) * | 2018-12-14 | 2019-02-19 | 泰康保险集团股份有限公司 | Firewall configuration method, apparatus, electronic equipment and computer-readable medium |
CN110611591A (en) * | 2019-09-18 | 2019-12-24 | 重庆特斯联智慧科技股份有限公司 | Network topology establishing method and device |
CN112311741A (en) * | 2019-07-31 | 2021-02-02 | 贵州白山云科技股份有限公司 | Firewall rule management method, device, medium and equipment |
CN112243003B (en) * | 2020-10-13 | 2023-04-11 | 中移(杭州)信息技术有限公司 | Access control method, electronic device, and storage medium |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102055735A (en) * | 2009-11-04 | 2011-05-11 | 中国移动通信集团山东有限公司 | Configuration method and device of firewall access control policy |
US20130022033A1 (en) * | 2010-04-06 | 2013-01-24 | Zte Corporation | Method and terminal for access control of network service |
CN103457920A (en) * | 2012-06-04 | 2013-12-18 | 中国科学院声学研究所 | Method and system for distributed firewall security policy configuration based on overlay network |
CN104580099A (en) * | 2013-10-22 | 2015-04-29 | 北京神州泰岳软件股份有限公司 | Method and system for managing firewall policy versions |
CN105100109A (en) * | 2015-08-19 | 2015-11-25 | 华为技术有限公司 | Method and device for deploying security access control policy |
CN105871930A (en) * | 2016-06-21 | 2016-08-17 | 上海携程商务有限公司 | Self-adaptive firewall security policy configuration method and system based on applications |
US20180063085A1 (en) * | 2016-08-23 | 2018-03-01 | Cisco Technology, Inc. | Automatic firewall configuration based on aggregated cloud managed information |
Non-Patent Citations (1)
Title |
---|
Wang Wei (王玮): "Role-based access control strategy in firewall technology" (防火墙技术中基于角色访问的控制策略), Coal Technology (煤炭技术) * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20180928 |