CN119299197A - A data processing method, device and equipment - Google Patents

Publication number
CN119299197A
Authority
CN
China
Prior art keywords
firewall
configuration request
access policy
configuration
policy
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202411463465.0A
Other languages
Chinese (zh)
Inventor
王乾
李原
李晔
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Peoples Insurance Company of China
Original Assignee
Peoples Insurance Company of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Peoples Insurance Company of China
Priority to CN202411463465.0A
Publication of CN119299197A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiments of this specification disclose a data processing method, device and equipment. The method comprises: receiving a configuration request for a firewall policy; in response to the configuration request, determining a first firewall of the source address device and a second firewall of the destination address device corresponding to the configuration request; determining, according to the relationship between the security zone of the first firewall and the security zone of the second firewall, whether to add an access policy to the first firewall and the second firewall; if it is determined to add an access policy to the first firewall and the second firewall, determining whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall; and if no access policy corresponding to the configuration request exists in the first firewall and the second firewall, configuring the target access policy corresponding to the configuration request in the first firewall and the second firewall.

Description

A data processing method, device and equipment

Technical Field

This document relates to the field of computer technology, and in particular to a data processing method, device and equipment.

Background Art

With the rapid development of computer technology, network architectures and firewall deployments are becoming more and more complex in order to improve data security. Firewall administrators need to configure access policies on the corresponding firewalls according to different access requirements.

However, because there are many firewalls, and the number and types of access policies to be configured are also complex, configuring access policies manually is inefficient and error-prone. To this end, the embodiments of this specification provide a technical solution that improves the configuration efficiency and configuration accuracy of access policies in firewalls.

Summary of the Invention

The purpose of the embodiments of this specification is to provide a technical solution that improves the configuration efficiency and configuration accuracy of access policies in firewalls.

To implement the above technical solution, the embodiments of this specification are implemented as follows:

A data processing method provided by an embodiment of this specification includes: receiving a configuration request for a firewall policy; in response to the configuration request, determining a first firewall of the source address device and a second firewall of the destination address device corresponding to the configuration request; determining, according to the relationship between the security zone of the first firewall and the security zone of the second firewall, whether to add an access policy to the first firewall and the second firewall; if it is determined to add an access policy to the first firewall and the second firewall, determining whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall; and if no access policy corresponding to the configuration request exists in the first firewall and the second firewall, configuring the target access policy corresponding to the configuration request in the first firewall and the second firewall.

A data processing device provided by an embodiment of this specification includes: a request receiving module, used to receive a configuration request for a firewall policy; a firewall determining module, used to determine, in response to the configuration request, a first firewall of the source address device and a second firewall of the destination address device corresponding to the configuration request; a first judgment module, used to determine, according to the relationship between the security zone of the first firewall and the security zone of the second firewall, whether to add an access policy to the first firewall and the second firewall; a second judgment module, used to determine, if it is determined to add an access policy to the first firewall and the second firewall, whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall; and a policy configuration module, used to configure the target access policy corresponding to the configuration request in the first firewall and the second firewall if no access policy corresponding to the configuration request exists in the first firewall and the second firewall.

A data processing equipment provided by an embodiment of this specification includes: a processor; and a memory arranged to store computer-executable instructions which, when executed, cause the processor to: receive a configuration request for a firewall policy; in response to the configuration request, determine a first firewall of the source address device and a second firewall of the destination address device corresponding to the configuration request; determine, according to the relationship between the security zone of the first firewall and the security zone of the second firewall, whether to add an access policy to the first firewall and the second firewall; if it is determined to add an access policy to the first firewall and the second firewall, determine whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall; and if no access policy corresponding to the configuration request exists in the first firewall and the second firewall, configure the target access policy corresponding to the configuration request in the first firewall and the second firewall.

The embodiments of this specification also provide a storage medium used to store computer-executable instructions which, when executed by a processor, implement the following process: receiving a configuration request for a firewall policy; in response to the configuration request, determining a first firewall of the source address device and a second firewall of the destination address device corresponding to the configuration request; determining, according to the relationship between the security zone of the first firewall and the security zone of the second firewall, whether to add an access policy to the first firewall and the second firewall; if it is determined to add an access policy to the first firewall and the second firewall, determining whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall; and if no access policy corresponding to the configuration request exists in the first firewall and the second firewall, configuring the target access policy corresponding to the configuration request in the first firewall and the second firewall.

The embodiments of this specification also provide a computer program product, including a computer program which, when executed by a processor, implements the following process: receiving a configuration request for a firewall policy; in response to the configuration request, determining a first firewall of the source address device and a second firewall of the destination address device corresponding to the configuration request; determining, according to the relationship between the security zone of the first firewall and the security zone of the second firewall, whether to add an access policy to the first firewall and the second firewall; if it is determined to add an access policy to the first firewall and the second firewall, determining whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall; and if no access policy corresponding to the configuration request exists in the first firewall and the second firewall, configuring the target access policy corresponding to the configuration request in the first firewall and the second firewall.

Brief Description of the Drawings

To illustrate the technical solutions in the embodiments of this specification or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some of the embodiments recorded in this specification. For those of ordinary skill in the art, other drawings can be obtained from these drawings without creative effort.

FIG. 1 is an embodiment of a data processing method of this specification;

FIG. 2 is a schematic diagram of a data processing process of this specification;

FIG. 3 is a schematic diagram of a data processing process of this specification;

FIG. 4 is an embodiment of a data processing device of this specification;

FIG. 5 is an embodiment of a data processing equipment of this specification.

Detailed Description

The embodiments of this specification provide a data processing method, device and equipment.

To enable those skilled in the art to better understand the technical solutions in this specification, the technical solutions in the embodiments of this specification are described clearly and completely below in conjunction with the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of this specification, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments in this specification without creative effort shall fall within the scope of protection of this specification.

The embodiments of this specification provide a technical solution that improves the configuration efficiency and configuration accuracy of access policies in firewalls. With the rapid development of computer technology, network architectures and firewall deployments are becoming more and more complex in order to improve data security, and firewall administrators need to configure access policies on the corresponding firewalls according to different access requirements. However, because there are many firewalls, and the number and types of access policies to be configured are also complex, configuring access policies manually is inefficient and error-prone. To this end, the embodiments of this specification provide a technical solution that improves the configuration efficiency and configuration accuracy of access policies in firewalls.

In this solution, a configuration request for a firewall policy is received. In response to the configuration request, a first firewall of the source address device and a second firewall of the destination address device corresponding to the configuration request are determined, and whether to add an access policy to the first firewall and the second firewall is determined according to the relationship between the security zone of the first firewall and the security zone of the second firewall. If it is determined to add an access policy to the first firewall and the second firewall, it is determined whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall. If no access policy corresponding to the configuration request exists in the first firewall and the second firewall, the target access policy corresponding to the configuration request is configured in the first firewall and the second firewall. In this way, the double judgment (whether to add an access policy to the first firewall and the second firewall, and whether a target access policy corresponding to the configuration request exists in them) reduces the delivery of redundant and invalid policies. This avoids an increase in firewall performance consumption and a reduction in the number of available firewall policy entries, and improves the configuration efficiency and configuration accuracy of access policies in the firewalls. For the specific processing, refer to the following embodiments.

As shown in FIG. 1, an embodiment of this specification provides a data processing method. The execution subject of the method may be a server, which may be a single independent server or a server cluster composed of multiple servers. This embodiment takes the server as the execution subject for the detailed description. The method may specifically include the following steps:

In step S102, a configuration request for a firewall policy is received.

The firewall policy may be an allow-access policy or the like. The configuration request may carry configuration requirement information, which may include the source address (src) information of the source address device, the destination address (dst) information of the destination address device, the port (post) information of the source address device and the destination address device, security zone information, and so on.

In implementation, a user can submit a firewall-opening work order in the work order system. After the work order has been approved and countersigned, the operation and maintenance system can push its work order data to the policy delivery system through an API interface.

Because the work order data submitted by the user may contain data whose format does not conform to the preset format specifications, the policy delivery system can, after receiving the work order data, perform data verification on it to convert data that does not conform to the preset format specifications into data that does.

The preset format specifications may include preset data format specifications such as an IP address specification and a mask address specification.

The server can trigger a configuration request for a firewall policy based on the converted work order data. The server can determine the configuration requirement information from the converted work order data and carry that information in the configuration request.

In addition, because the same device can correspond to multiple different firewalls, the work order data received by the server may contain policy configuration requests for multiple different firewalls. To improve data processing efficiency, the server can therefore also split the requirement table corresponding to the work order data according to the network segments that each firewall manages and controls, and determine the configuration requirement information from the resulting requirement sub-tables.

For example, the requirement table corresponding to the work order data may be as shown in Table 1 below.

Table 1

The server can split the requirement table shown in Table 1 above into multiple requirement sub-tables, and then, for each requirement sub-table, determine the corresponding configuration requirement information and trigger the corresponding configuration request for a firewall policy.

For example, the server can build one requirement sub-table for each requirement in Table 1 above. Alternatively, the server can work firewall by firewall: it filters out the requirement information in the requirement table that involves the same firewall and builds a requirement sub-table from the filtered requirement information.

The method described above for generating the configuration request for a firewall policy is one optional, implementable method. In actual application scenarios there may be many different generation methods, and a different one can be selected depending on the scenario. The embodiments of this specification do not specifically limit this.
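The verification and splitting described for step S102 can be sketched as follows. This is an added example, not code from the patent: the firewall names, managed segments, row fields and sample rows are constructed, and rejecting an address with host bits set (instead of silently widening it to the whole subnet) is a design choice of this sketch.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory (hypothetical): segments each firewall manages.
MANAGED_SEGMENTS = {
    "fw-core-a": [ipaddress.ip_network("10.1.0.0/16")],
    "fw-dmz-b": [ipaddress.ip_network("172.16.10.0/24")],
}

# Constructed work-order rows, standing in for the requirement table.
SAMPLE_ROWS = [
    {"src": "10.1.2.3", "dst": "172.16.10.0/255.255.255.0", "port": "443"},
    {"src": " 10.1.5.0/24 ", "dst": "10.1.9.9", "port": "22"},
    {"src": "10.1.2.3/24", "dst": "172.16.10.5", "port": "80"},    # host bits set
    {"src": "192.168.1.1", "dst": "172.16.10.5", "port": "8080"},  # unmanaged
    {"src": "10.1.2.3", "dst": "172.16.10.5", "port": "70000"},    # bad port
]


def normalize_address(raw):
    """Return the field as a canonical network object.

    Bare hosts become /32 and dotted masks become prefix lengths.
    strict=True rejects "10.1.2.3/24": widening it to 10.1.2.0/24 would
    open more than the requester may have meant.
    """
    text = raw.strip().replace(" ", "")
    return ipaddress.ip_network(text, strict=True)


def normalize_port(raw):
    """Return the port as an int in 1..65535, or raise ValueError."""
    port = int(str(raw).strip())
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def managing_firewall(net):
    """Find the firewall whose managed segment contains the network."""
    for name, segments in MANAGED_SEGMENTS.items():
        if any(net.version == s.version and net.subnet_of(s) for s in segments):
            return name
    raise ValueError(f"no managing firewall for {net}")


def split_requirements(rows):
    """Validate rows and build one requirement sub-table per firewall.

    Returns (subtables, rejected): subtables maps a firewall name to the
    normalized rows that involve it; rejected lists (row index, reason).
    """
    subtables = defaultdict(list)
    rejected = []
    for index, row in enumerate(rows):
        try:
            src = normalize_address(row["src"])
            dst = normalize_address(row["dst"])
            port = normalize_port(row["port"])
            src_fw = managing_firewall(src)
            dst_fw = managing_firewall(dst)
        except ValueError as exc:
            rejected.append((index, str(exc)))
            continue
        clean = {"src": str(src), "dst": str(dst), "port": port,
                 "src_fw": src_fw, "dst_fw": dst_fw}
        # A row appears once in the sub-table of every firewall it involves.
        for fw in {src_fw, dst_fw}:
            subtables[fw].append(clean)
    return dict(subtables), rejected


if __name__ == "__main__":
    tables, bad = split_requirements(SAMPLE_ROWS)
    for fw, entries in sorted(tables.items()):
        print(fw, entries)
    print("rejected:", bad)
```

Rows that fail verification are returned with a reason so they can go back to the requester rather than being turned into a broader rule than the work order intended.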

In step S104, in response to the configuration request, a first firewall of the source address device and a second firewall of the destination address device corresponding to the configuration request are determined.

In step S106, whether to add an access policy to the first firewall and the second firewall is determined according to the relationship between the security zone of the first firewall and the security zone of the second firewall.

A security zone may be the set of networks connected to several interfaces of a firewall. Users within one security zone can have the same security attributes.

In implementation, the server can use the relationship between the security zone of the first firewall and the security zone of the second firewall (such as a preset trust relationship or non-trust relationship) to determine whether access between the first firewall and the second firewall has to pass through the firewall, and thereby whether an access policy needs to be added to the first firewall and the second firewall.

In step S108, if it is determined to add an access policy to the first firewall and the second firewall, it is determined whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall.

In implementation, once the server has determined that an access policy needs to be added to the first firewall and the second firewall, it can determine whether a target access policy corresponding to the configuration request exists in them based on whether an access policy exists in the first firewall and the second firewall and on the type of that access policy.

The types of access policy may include an allow-access policy, a non-default deny policy, "access traffic is not controlled by the firewall and no policy needs to be delivered", a default access policy, and so on.

In step S110, if no access policy corresponding to the configuration request exists in the first firewall and the second firewall, the target access policy corresponding to the configuration request is configured in the first firewall and the second firewall.

In implementation, when the server determines that no access policy corresponding to the configuration request exists in the first firewall and the second firewall, it can generate a script corresponding to the configuration request and deliver the script to the first firewall and the second firewall, so as to configure the target access policy corresponding to the configuration request in them.

Because there may be multiple configuration requests, after generating the scripts the server can, according to a preset delivery period (such as 3 minutes or 10 minutes), deliver the scripts generated within that period to the corresponding firewalls.

The embodiments of this specification provide a data processing method in which a configuration request for a firewall policy is received; in response to the configuration request, a first firewall of the source address device and a second firewall of the destination address device corresponding to the configuration request are determined; whether to add an access policy to the first firewall and the second firewall is determined according to the relationship between the security zone of the first firewall and the security zone of the second firewall; if it is determined to add an access policy to the first firewall and the second firewall, it is determined whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall; and if no access policy corresponding to the configuration request exists in the first firewall and the second firewall, the target access policy corresponding to the configuration request is configured in the first firewall and the second firewall. In this way, the double judgment (whether to add an access policy to the first firewall and the second firewall, and whether a target access policy corresponding to the configuration request exists in them) reduces the delivery of redundant and invalid policies. This avoids an increase in firewall performance consumption and a reduction in the number of available firewall policy entries, and improves the configuration efficiency and configuration accuracy of access policies in the firewalls.

在实际应用中,上述步骤S106中根据第一防火墙的安全区域与第二防火墙的安全区域之间的关系,确定是否在第一防火墙和第二防火墙中增加访问策略,的具体处理方式可以有多种多样,以下提供一种可选的处理方式,如图2所示,具体可以包括以下步骤S1062的处理。In practical applications, in the above step S106, based on the relationship between the security zone of the first firewall and the security zone of the second firewall, it is determined whether to add access policies in the first firewall and the second firewall. There may be various specific processing methods. An optional processing method is provided below, as shown in FIG. 2, which may specifically include the processing of the following step S1062.

在步骤S1062中,根据第一防火墙与第二防火墙的分组信息,以及第一防火墙的安全区域与第二防火墙的安全区域之间的关系,确定是否在第一防火墙和第二防火墙中增加访问策略。In step S1062, it is determined whether to add access policies in the first firewall and the second firewall according to the grouping information of the first firewall and the second firewall and the relationship between the security zone of the first firewall and the security zone of the second firewall.

在实际应用中,上述步骤S1062中根据第一防火墙与第二防火墙的分组信息,以及第一防火墙的安全区域与第二防火墙的安全区域之间的关系,确定是否在第一防火墙和第二防火墙中增加访问策略的具体处理方式可以多种多样,以下提供一种可选的处理方式,具体可以包括以下步骤A1~步骤A2的处理。In practical applications, there are various specific processing methods for determining whether to add access policies to the first firewall and the second firewall based on the grouping information of the first firewall and the second firewall and the relationship between the security areas of the first firewall and the second firewall in the above step S1062. An optional processing method is provided below, which may specifically include the processing of the following steps A1 to A2.

在步骤A1中,在根据第一防火墙和第二防火墙的分组信息确定第一防火墙和第二防火墙不属于同一分组,且第一防火墙和第二防火墙之间存在预设关联关系的情况下,获取第一防火墙的安全区域中的逻辑安全区域,以及第二防火墙的安全区域中的逻辑安全区域。In step A1, when it is determined based on the grouping information of the first firewall and the second firewall that the first firewall and the second firewall do not belong to the same group and there is a preset association relationship between the first firewall and the second firewall, the logical security area in the security area of the first firewall and the logical security area in the security area of the second firewall are obtained.

其中,逻辑安全区域可以为安全区域中根据业务处理逻辑划分的安全子区域,安全区域中可以包含一个或多个逻辑安全区域。The logical security area may be a security sub-area divided according to business processing logic in the security area, and the security area may include one or more logical security areas.

在步骤A2中,在第一防火墙的安全区域中的逻辑安全区域与第二防火墙的安全区域中的逻辑安全区域不相同的情况下,确定在第一防火墙和第二防火墙中增加访问策略。In step A2, when the logical security zone in the security zone of the first firewall is different from the logical security zone in the security zone of the second firewall, it is determined to add access policies in the first firewall and the second firewall.

在实施中,如图3所示,若根据第一防火墙和第二防火墙的分组信息确定第一防火墙和第二防火墙不属于同一分组,可以继续判断第一防火墙和第二防火墙是否为关联防火墙(即第一防火墙和第二防火墙之间是否存在预设关联关系)。In implementation, as shown in FIG3 , if it is determined according to the grouping information of the first firewall and the second firewall that the first firewall and the second firewall do not belong to the same group, it may be further determined whether the first firewall and the second firewall are associated firewalls (i.e., whether there is a preset association relationship between the first firewall and the second firewall).

若第一防火墙和第二防火墙为关联防火墙,则可以继续判断第一防火墙的安全区域中的逻辑安全区域与第二防火墙的安全区域中的逻辑安全区域是否相同,若相同,则不需要开墙,若不同,则需求开墙(即需要增加访问策略)。If the first firewall and the second firewall are associated firewalls, you can continue to determine whether the logical security area in the security area of the first firewall is the same as the logical security area in the security area of the second firewall. If they are the same, there is no need to open the wall. If they are different, it is necessary to open the wall (that is, it is necessary to add access policies).

In addition, step S1062 above, which determines whether to add an access policy in the first firewall and the second firewall according to their grouping information and the relationship between the security zone of the first firewall and the security zone of the second firewall, can be carried out in various ways. Another optional way is provided below, which may include the processing of the following step B1.

In step B1, when the grouping information of the first firewall and the second firewall shows that they belong to the same group, and the security zone of the first firewall differs from the security zone of the second firewall, it is determined to add an access policy in the first firewall and the second firewall.

Step S1062 above can also be carried out in yet another optional way, which may include the processing of the following steps C1 to C2.

In step C1, when the grouping information of the first firewall and the second firewall shows that they belong to the same group, and the security zone of the first firewall is the same as the security zone of the second firewall, the logical security zone within the security zone of the first firewall and the logical security zone within the security zone of the second firewall are obtained.

In step C2, when the logical security zone within the security zone of the first firewall differs from the logical security zone within the security zone of the second firewall, it is determined to add an access policy in the first firewall and the second firewall.

In implementation, as shown in FIG. 3, if the grouping information of the first firewall and the second firewall shows that they belong to the same group, it can further be determined whether the security zone of the first firewall is the same as the security zone of the second firewall. If they are different, the firewall needs to be opened. If they are the same, it can further be determined whether the logical security zone within the security zone of the first firewall is the same as the logical security zone within the security zone of the second firewall: if they are the same, the firewall does not need to be opened; if they are different, the firewall needs to be opened.

In practical applications, step S108 above, which judges whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall, can be carried out in various ways. An optional way is provided below, as shown in FIG. 2, which may include the processing of the following step S1082.

In step S1082, if it is determined to add an access policy in the first firewall and the second firewall, and the first firewall and the second firewall contain no access policy, it is determined that no target access policy corresponding to the configuration request exists in the first firewall and the second firewall.

In implementation, as shown in FIG. 3, once it is determined to add an access policy in the first firewall and the second firewall, the server can query whether the target access policy exists in them. For example, the server can match the first firewall and the second firewall and look up whether an access policy exists in the two firewalls. If none exists, it can be determined that the firewall needs to be opened, that is, that no target access policy corresponding to the configuration request exists in the first firewall and the second firewall.

In practical applications, step S108 above can also be carried out in another optional way, as shown in FIG. 2, which may include the processing of the following step S1084.

In step S1084, if it is determined to add an access policy in the first firewall and the second firewall, and the first firewall and the second firewall contain an access policy and that access policy is a default deny policy, it is determined that no target access policy corresponding to the configuration request exists in the first firewall and the second firewall.

In implementation, as shown in FIG. 3, when the query result shows that the first firewall and the second firewall contain an access policy, the server can judge whether the existing access policy is a default deny policy. If the access policy is not a default deny policy, that is, the access policy is the target access policy corresponding to the configuration request, it can be determined that the target access policy already exists in the first firewall and the second firewall, and the firewall does not need to be opened.

If the access policy is a default deny policy, the server can determine that the firewall needs to be opened, that is, that no target access policy corresponding to the configuration request exists in the first firewall and the second firewall.
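The two judgments described above (group, association and zone comparison, then the check for an existing target policy) can be sketched as follows. This is an added example, not code from the patent: the `Firewall` and `Policy` fields, the `covers` match rule, the per-firewall check and the `NOT_COVERED` outcome for unassociated firewalls in different groups are assumptions, and all sample data is constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ADD_POLICY = "add access policy"
    NO_POLICY_NEEDED = "no access policy needed"
    NOT_COVERED = "not described in this passage"  # assumption of this example


@dataclass(frozen=True)
class Firewall:
    name: str
    group: str          # grouping information
    zone: str           # security zone
    logical_zone: str   # logical security zone within the security zone


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    service: str
    default_deny: bool = False


def needs_policy(fw1, fw2, associations):
    """First judgment: do the two firewalls need an access policy at all?"""
    if fw1.group != fw2.group:
        # Different groups: only the associated-firewall case is described.
        if frozenset((fw1.name, fw2.name)) not in associations:
            return Decision.NOT_COVERED
    elif fw1.zone != fw2.zone:
        # Step B1: same group, different security zones.
        return Decision.ADD_POLICY
    # Associated firewalls, or steps C1-C2 (same group, same security zone):
    # the logical security zones decide.
    if fw1.logical_zone != fw2.logical_zone:
        return Decision.ADD_POLICY
    return Decision.NO_POLICY_NEEDED


def covers(policy, request):
    """Hypothetical match rule: each field equals the request's or is 'any'."""
    return all(getattr(policy, f) in (getattr(request, f), "any")
               for f in ("src", "dst", "service"))


def target_policy_exists(policies, request):
    """Second judgment (steps S1082 / S1084) for one firewall."""
    matching = [p for p in policies if covers(p, request)]
    if not matching:
        return False                      # S1082: no access policy at all
    # S1084: a default deny policy does not count as the target policy.
    return any(not p.default_deny for p in matching)


def plan(request, fw1, fw2, rulebase, associations):
    """Return (decision, firewalls that still need the target policy)."""
    decision = needs_policy(fw1, fw2, associations)
    if decision is not Decision.ADD_POLICY:
        return decision, []
    missing = [fw.name for fw in (fw1, fw2)
               if not target_policy_exists(rulebase.get(fw.name, []), request)]
    return decision, missing


# Constructed sample data (names, zones and addresses are made up).
FW_A = Firewall("fw-a", "G1", "prod", "web")
FW_B = Firewall("fw-b", "G1", "prod", "db")
FW_C = Firewall("fw-c", "G2", "dmz", "web")
ASSOCIATIONS = {frozenset(("fw-a", "fw-c"))}
REQUEST = Policy("10.0.1.10", "10.0.2.20", "tcp/5432")
DEFAULT_DENY = Policy("any", "any", "any", default_deny=True)
RULEBASE = {
    "fw-a": [DEFAULT_DENY],              # only default deny -> must configure
    "fw-b": [REQUEST, DEFAULT_DENY],     # target already present
}

if __name__ == "__main__":
    print(plan(REQUEST, FW_A, FW_B, RULEBASE, ASSOCIATIONS))
    print(needs_policy(FW_A, FW_C, ASSOCIATIONS))
```

Running the second judgment only after the first returns `ADD_POLICY` is what keeps redundant rules out of the rule base: a request between firewalls that share a logical security zone never reaches the lookup.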

In practical applications, after the target access policy has been configured, the position of the target access policy in the policy order can also be adjusted, to avoid a situation where users cannot gain access because of a default deny policy. The adjustment can be carried out in various ways. An optional way is provided below, as shown in FIG. 2, which may include the processing of the following steps S202 to S204.

In step S202, the access policies in the first firewall and the second firewall are obtained.

In step S204, when the access policies include other access policies besides the target access policy, and the other access policies do not include a default deny policy, the position of the target access policy in the policy order is adjusted.

In implementation, when the access policies include other access policies besides the target access policy, and the other access policies do not include a default deny policy, the server can record the policy identifier of the target access policy and, based on that identifier, move the target access policy ahead of the default deny policy in the policy order, to avoid a situation where users cannot gain access.

In practical applications, after the target access policy has been configured, the configuration process of the target access policy can also be verified. The verification can be carried out in various ways. An optional way is provided below, as shown in FIG. 2, which may include the processing of the following steps S206 to S208.

In step S206, the configuration data corresponding to the target access policy is obtained.

In step S208, the configuration process of the target access policy is verified according to how well the configuration data matches the configuration requirement information corresponding to the configuration request, yielding a configuration verification result for the target access policy.

In implementation, as shown in FIG. 3, after the target access policy has been issued, the server can verify its configuration process. Specifically, the server can obtain the policy issuance log and record the policy identifier (such as the policy ID or policy name) that the issued target access policy has on the corresponding firewall. The server can look up the corresponding target access policy by its policy identifier and convert the configuration data corresponding to the target access policy (such as the policy script) into a table file. The server can then match the converted table file against the configuration requirement information to obtain the configuration verification result for the target access policy.

If the configuration verification result shows that the configuration data matches the configuration requirement information corresponding to the configuration request, this indicates that verification succeeded. If they do not match, this indicates that verification failed; in that case the server can generate work order data for the failed verification and submit the work order data to an engineer for manual adjustment.
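The post-configuration steps above (moving the target policy ahead of the default deny policy, then matching the issued configuration against the request) can be sketched as follows. This is an added example, not code from the patent: the `key = value` policy script format, the field names and the work order layout are assumptions, and the sample data is constructed.

```python
def move_before_default_deny(policies, target_id):
    """Return a new ordered rule list with the target ahead of default deny.

    `policies` is an ordered list of dicts with 'id' and 'default_deny' keys.
    """
    ids = [p["id"] for p in policies]
    if target_id not in ids:
        raise KeyError(f"policy {target_id!r} not found on this firewall")
    target_idx = ids.index(target_id)
    deny_idx = next((i for i, p in enumerate(policies) if p["default_deny"]), None)
    if deny_idx is None or target_idx < deny_idx:
        return list(policies)            # already evaluated before default deny
    reordered = list(policies)
    target = reordered.pop(target_idx)   # target_idx > deny_idx, so deny_idx is unchanged
    reordered.insert(deny_idx, target)
    return reordered


def script_to_row(script):
    """Convert a policy script (assumed 'key = value' lines) into one table row."""
    row = {}
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        row[key.strip()] = value.strip()
    return row


def verify(script, requirement):
    """Match the issued configuration against the configuration requirement."""
    row = script_to_row(script)
    mismatches = {
        field: {"required": wanted, "configured": row.get(field)}
        for field, wanted in requirement.items()
        if row.get(field) != wanted
    }
    result = {
        "policy_id": row.get("policy_id"),
        "passed": not mismatches,
        "mismatches": mismatches,
    }
    if mismatches:
        # Failed verification becomes a work order for manual adjustment.
        result["work_order"] = {
            "policy_id": row.get("policy_id"),
            "reason": "configuration does not match request",
            "fields": sorted(mismatches),
        }
    return result


# Constructed sample data.
POLICIES = [
    {"id": "p-10", "default_deny": False},
    {"id": "deny-all", "default_deny": True},
    {"id": "p-42", "default_deny": False},   # newly issued target, appended last
]
SCRIPT = """
# issued policy as read back from the firewall (constructed)
policy_id = p-42
src = 10.0.1.10
dst = 10.0.2.20
service = tcp/8443
action = permit
"""
REQUIREMENT = {"src": "10.0.1.10", "dst": "10.0.2.20",
               "service": "tcp/5432", "action": "permit"}

if __name__ == "__main__":
    print([p["id"] for p in move_before_default_deny(POLICIES, "p-42")])
    print(verify(SCRIPT, REQUIREMENT))
```

A mismatch on a single field, such as the service here, is enough to fail verification, which is the case a log-only check of "policy issued successfully" would miss.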

In this way, by identifying non-default-deny policies and adjusting the policy order, and by verifying the access policies that have been issued, firewall administrators can keep track of policy issuance and adjust the policies that failed to be issued, which effectively improves work efficiency and user experience.

In addition, the process of querying first, then configuring, then verifying ties policy issuance to the current state of the firewall policies, reducing redundant policies and raising the success rate of policy changes.

The embodiments of this specification provide a data processing method. A configuration request for a firewall policy is received; in response to the configuration request, the first firewall of the source address device and the second firewall of the destination address device corresponding to the configuration request are determined; whether to add an access policy in the first firewall and the second firewall is determined according to the relationship between the security zone of the first firewall and the security zone of the second firewall; if it is determined to add an access policy in the first firewall and the second firewall, it is judged whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall; and if no access policy corresponding to the configuration request exists in the first firewall and the second firewall, the target access policy corresponding to the configuration request is configured in the first firewall and the second firewall. In this way, the double judgment (whether to add an access policy in the first firewall and the second firewall, and whether a target access policy corresponding to the configuration request already exists in them) reduces the issuance of redundant and invalid policies, which avoids increased firewall performance consumption and a reduction in the number of available firewall policy entries, and improves the efficiency and accuracy of access policy configuration in the firewall.

The above is the data processing method provided by the embodiments of this specification. Based on the same idea, the embodiments of this specification also provide a data processing device, as shown in FIG. 4.

The data processing device includes a request receiving module 401, a firewall determination module 402, a first judgment module 403, a second judgment module 404 and a policy configuration module 405, wherein:

the request receiving module 401 is configured to receive a configuration request for a firewall policy;

the firewall determination module 402 is configured to determine, in response to the configuration request, the first firewall of the source address device and the second firewall of the destination address device corresponding to the configuration request;

the first judgment module 403 is configured to determine whether to add an access policy in the first firewall and the second firewall according to the relationship between the security zone of the first firewall and the security zone of the second firewall;

the second judgment module 404 is configured to judge, if it is determined to add an access policy in the first firewall and the second firewall, whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall;

the policy configuration module 405 is configured to configure the target access policy corresponding to the configuration request in the first firewall and the second firewall if no access policy corresponding to the configuration request exists in the first firewall and the second firewall.

In the embodiments of this specification, the first judgment module 403 is configured to:

determine whether to add an access policy in the first firewall and the second firewall according to the grouping information of the first firewall and the second firewall, and the relationship between the security zone of the first firewall and the security zone of the second firewall.

In the embodiments of this specification, the first judgment module 403 is configured to:

when the grouping information of the first firewall and the second firewall shows that they do not belong to the same group, and a preset association relationship exists between the first firewall and the second firewall, obtain the logical security zone within the security zone of the first firewall and the logical security zone within the security zone of the second firewall;

when the logical security zone within the security zone of the first firewall differs from the logical security zone within the security zone of the second firewall, determine to add an access policy in the first firewall and the second firewall.

In the embodiments of this specification, the first judgment module 403 is configured to:

when the grouping information of the first firewall and the second firewall shows that they belong to the same group, and the security zone of the first firewall differs from the security zone of the second firewall, determine to add an access policy in the first firewall and the second firewall.

In the embodiments of this specification, the first judgment module 403 is configured to:

when the grouping information of the first firewall and the second firewall shows that they belong to the same group, and the security zone of the first firewall is the same as the security zone of the second firewall, obtain the logical security zone within the security zone of the first firewall and the logical security zone within the security zone of the second firewall;

when the logical security zone within the security zone of the first firewall differs from the logical security zone within the security zone of the second firewall, determine to add an access policy in the first firewall and the second firewall.

In the embodiments of this specification, the second judgment module 404 is configured to:

if the first firewall and the second firewall contain no access policy, determine that no target access policy corresponding to the configuration request exists in the first firewall and the second firewall.

In the embodiments of this specification, the second judgment module 404 is configured to:

if the first firewall and the second firewall contain an access policy, and the access policy is a default deny policy, determine that no target access policy corresponding to the configuration request exists in the first firewall and the second firewall.

In the embodiments of this specification, the device further includes:

a policy acquisition module, configured to obtain the access policies in the first firewall and the second firewall;

an order adjustment module, configured to adjust the position of the target access policy in the policy order when the access policies include other access policies besides the target access policy and the other access policies do not include a default deny policy.

In the embodiments of this specification, the device further includes:

a data acquisition module, configured to obtain the configuration data corresponding to the target access policy;

a configuration verification module, configured to verify the configuration process of the target access policy according to how well the configuration data matches the configuration requirement information corresponding to the configuration request, yielding a configuration verification result for the target access policy.

The embodiments of this specification provide a data processing device. A configuration request for a firewall policy is received; in response to the configuration request, the first firewall of the source address device and the second firewall of the destination address device corresponding to the configuration request are determined; whether to add an access policy in the first firewall and the second firewall is determined according to the relationship between the security zone of the first firewall and the security zone of the second firewall; if it is determined to add an access policy in the first firewall and the second firewall, it is judged whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall; and if no access policy corresponding to the configuration request exists in the first firewall and the second firewall, the target access policy corresponding to the configuration request is configured in the first firewall and the second firewall. In this way, the double judgment (whether to add an access policy in the first firewall and the second firewall, and whether a target access policy corresponding to the configuration request already exists in them) reduces the issuance of redundant and invalid policies, which avoids increased firewall performance consumption and a reduction in the number of available firewall policy entries, and improves the efficiency and accuracy of access policy configuration in the firewall.

The above is the data processing device provided by the embodiments of this specification. Based on the same idea, the embodiments of this specification also provide data processing equipment, as shown in FIG. 5.

The data processing equipment may be the terminal device, the server, or the like provided in the above embodiments.

Data processing equipment can vary considerably with configuration or performance. It may include one or more processors 501 and a memory 502, and the memory 502 may store one or more applications or data. The memory 502 may be transient storage or persistent storage. An application stored in the memory 502 may include one or more modules (not shown in the figure), and each module may include a series of computer-executable instructions for the data processing equipment. Furthermore, the processor 501 may be configured to communicate with the memory 502 and execute, on the data processing equipment, the series of computer-executable instructions in the memory 502. The data processing equipment may also include one or more power supplies 503, one or more wired or wireless network interfaces 504, one or more input/output interfaces 505, and one or more keyboards 506.

Specifically, in this embodiment, the data processing equipment includes a memory and one or more programs, where the one or more programs are stored in the memory and may include one or more modules, each module may include a series of computer-executable instructions for the data processing equipment, and the one or more programs, configured to be executed by one or more processors, contain computer-executable instructions for performing the following:

receiving a configuration request for a firewall policy;

in response to the configuration request, determining the first firewall of the source address device and the second firewall of the destination address device corresponding to the configuration request;

determining whether to add an access policy in the first firewall and the second firewall according to the relationship between the security zone of the first firewall and the security zone of the second firewall;

if it is determined to add an access policy in the first firewall and the second firewall, judging whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall;

if no access policy corresponding to the configuration request exists in the first firewall and the second firewall, configuring the target access policy corresponding to the configuration request in the first firewall and the second firewall.

The embodiments in this specification are described progressively: identical or similar parts of the embodiments can be cross-referenced, and each embodiment focuses on how it differs from the others. In particular, because the data processing equipment embodiment is substantially similar to the method embodiment, its description is relatively brief; for the relevant details, see the corresponding description of the method embodiment.

The embodiments of this specification provide data processing equipment. A configuration request for a firewall policy is received; in response to the configuration request, the first firewall of the source address device and the second firewall of the destination address device corresponding to the configuration request are determined; whether to add an access policy in the first firewall and the second firewall is determined according to the relationship between the security zone of the first firewall and the security zone of the second firewall; if it is determined to add an access policy in the first firewall and the second firewall, it is judged whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall; and if no access policy corresponding to the configuration request exists in the first firewall and the second firewall, the target access policy corresponding to the configuration request is configured in the first firewall and the second firewall. In this way, the double judgment (whether to add an access policy in the first firewall and the second firewall, and whether a target access policy corresponding to the configuration request already exists in them) reduces the issuance of redundant and invalid policies, which avoids increased firewall performance consumption and a reduction in the number of available firewall policy entries, and improves the efficiency and accuracy of access policy configuration in the firewall.

Further, based on the methods shown in FIG. 1 to FIG. 3 above, one or more embodiments of this specification also provide a storage medium for storing computer-executable instruction information. In a specific embodiment, the storage medium may be a USB flash drive, an optical disc, a hard disk, or the like. When the computer-executable instruction information stored in the storage medium is executed by a processor, the following process can be implemented:

receiving a configuration request for a firewall policy;

in response to the configuration request, determining the first firewall of the source address device and the second firewall of the destination address device corresponding to the configuration request;

determining whether to add an access policy in the first firewall and the second firewall according to the relationship between the security zone of the first firewall and the security zone of the second firewall;

if it is determined to add an access policy in the first firewall and the second firewall, judging whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall;

if no access policy corresponding to the configuration request exists in the first firewall and the second firewall, configuring the target access policy corresponding to the configuration request in the first firewall and the second firewall.

The embodiments in this specification are described progressively: identical or similar parts of the embodiments can be cross-referenced, and each embodiment focuses on how it differs from the others. In particular, because the storage medium embodiment above is substantially similar to the method embodiment, its description is relatively brief; for the relevant details, see the corresponding description of the method embodiment.

The embodiments of this specification provide a storage medium. A configuration request for a firewall policy is received; in response to the configuration request, the first firewall of the source address device and the second firewall of the destination address device corresponding to the configuration request are determined; whether to add an access policy in the first firewall and the second firewall is determined according to the relationship between the security zone of the first firewall and the security zone of the second firewall; if it is determined to add an access policy in the first firewall and the second firewall, it is judged whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall; and if no access policy corresponding to the configuration request exists in the first firewall and the second firewall, the target access policy corresponding to the configuration request is configured in the first firewall and the second firewall. In this way, the double judgment (whether to add an access policy in the first firewall and the second firewall, and whether a target access policy corresponding to the configuration request already exists in them) reduces the issuance of redundant and invalid policies, which avoids increased firewall performance consumption and a reduction in the number of available firewall policy entries, and improves the efficiency and accuracy of access policy configuration in the firewall.

Further, based on the methods shown in FIG. 1 to FIG. 3 above, one or more embodiments of this specification also provide a computer program product comprising a computer program. When executed by a processor, the computer program in the computer program product implements the following process:

receiving a configuration request for a firewall policy;

in response to the configuration request, determining a first firewall of a source address device and a second firewall of a destination address device corresponding to the configuration request;

determining whether to add an access policy in the first firewall and the second firewall according to the relationship between the security zone of the first firewall and the security zone of the second firewall;

if it is determined to add an access policy in the first firewall and the second firewall, judging whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall;

if no access policy corresponding to the configuration request exists in the first firewall and the second firewall, configuring the target access policy corresponding to the configuration request in the first firewall and the second firewall.

The embodiments in this specification are described in a progressive manner: parts that are the same or similar across embodiments can be cross-referenced, and each embodiment focuses on what distinguishes it from the others. In particular, because the computer program product embodiment above is substantially similar to the method embodiment, it is described only briefly; for the relevant details, see the corresponding description of the method embodiment.

The embodiment of this specification provides a computer program product that receives a configuration request for a firewall policy and, in response to the configuration request, determines the first firewall of the source address device and the second firewall of the destination address device corresponding to the configuration request. It determines whether to add an access policy in the first firewall and the second firewall according to the relationship between the security zone of the first firewall and the security zone of the second firewall. If it is determined to add an access policy in the first firewall and the second firewall, it judges whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall. If no access policy corresponding to the configuration request exists in the first firewall and the second firewall, it configures the target access policy corresponding to the configuration request in the first firewall and the second firewall. This double judgment, first on whether to add an access policy in the two firewalls and then on whether the target access policy corresponding to the configuration request already exists in them, reduces the issuance of redundant and invalid policies. That avoids an increase in firewall performance consumption and a reduction in the number of available firewall policy entries, and improves the configuration efficiency and configuration accuracy of access policies in the firewall.

Specific embodiments of this specification have been described above. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims can be performed in an order different from that in the embodiments and still achieve the desired results. In addition, the processes depicted in the drawings do not necessarily require the particular order shown, or sequential order, to achieve the desired results. In some implementations, multitasking and parallel processing are also possible or may be advantageous.

In the 1990s, an improvement to a technology could be clearly classified as either a hardware improvement (for example, an improvement to a circuit structure such as a diode, transistor or switch) or a software improvement (an improvement to a method flow). With the development of technology, however, many of today's method flow improvements can be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit. Therefore, it cannot be said that an improvement to a method flow cannot be implemented with a hardware entity module. For example, a programmable logic device (PLD), such as a field programmable gate array (FPGA), is an integrated circuit whose logic function is determined by the user programming the device. Designers program the device themselves to "integrate" a digital system onto a single PLD, without asking a chip manufacturer to design and fabricate a dedicated integrated circuit chip. Moreover, instead of manually making integrated circuit chips, this programming is nowadays mostly done with "logic compiler" software, which is similar to the software compiler used in program development. The source code to be compiled must also be written in a specific programming language, called a hardware description language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); the most commonly used at present are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog. Those skilled in the art should also understand that a hardware circuit implementing the logical method flow can easily be obtained simply by logically programming the method flow in one of the above hardware description languages and programming it into an integrated circuit.

The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (such as software or firmware) executable by the (micro)processor, logic gates, switches, an application-specific integrated circuit (ASIC), a programmable logic controller, or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art also know that, besides implementing the controller purely as computer-readable program code, the method steps can be logically programmed so that the controller achieves the same functions in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller can therefore be regarded as a hardware component, and the devices it contains for implementing various functions can be regarded as structures within the hardware component. The devices for implementing various functions can even be regarded as both software modules implementing the method and structures within the hardware component.

The systems, devices, modules or units described in the above embodiments may be implemented by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer. Specifically, the computer may be, for example, a personal computer, a laptop computer, a cellular phone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.

For convenience of description, the above devices are described as divided by function into separate units. Of course, when implementing one or more embodiments of this specification, the functions of the units can be implemented in one or more pieces of software and/or hardware.

Those skilled in the art will appreciate that the embodiments of this specification may be provided as a method, a system, or a computer program product. Therefore, one or more embodiments of this specification may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, one or more embodiments of this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

The embodiments of this specification are described with reference to flowcharts and/or block diagrams of the methods, devices (systems) and computer program products according to the embodiments of this specification. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable fraud case serial and parallel device to produce a machine, so that the instructions executed by the processor of the computer or other programmable fraud case serial and parallel device produce a means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable fraud case serial and parallel device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction means that implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be loaded onto a computer or other programmable fraud case serial and parallel device, so that a series of operational steps are executed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.

Memory may include non-permanent memory in computer-readable media, in the form of random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.

Computer-readable media include permanent and non-permanent, removable and non-removable media, which can store information by any method or technology. The information can be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible to a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.

It should also be noted that the terms "include", "comprise" and any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, commodity or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, commodity or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the existence of additional identical elements in the process, method, commodity or device that includes the element.

Those skilled in the art will appreciate that the embodiments of this specification may be provided as a method, a system or a computer program product. Therefore, one or more embodiments of this specification may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Moreover, one or more embodiments of this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

One or more embodiments of this specification may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and so on that perform specific tasks or implement specific abstract data types. One or more embodiments of this specification may also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.

The embodiments in this specification are described in a progressive manner: parts that are the same or similar across embodiments can be cross-referenced, and each embodiment focuses on what distinguishes it from the others. In particular, because the system embodiment is substantially similar to the method embodiment, it is described only briefly; for the relevant details, see the corresponding description of the method embodiment.

The above are merely embodiments of this specification and are not intended to limit this document. For those skilled in the art, various modifications and changes to this specification are possible. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of this specification shall fall within the scope of the claims of this specification.

Claims (13)

1. A data processing method, the method comprising:
receiving a configuration request for a firewall policy;
in response to the configuration request, determining a first firewall of a source address device and a second firewall of a destination address device corresponding to the configuration request;
determining whether to add an access policy in the first firewall and the second firewall according to the relationship between the security zone of the first firewall and the security zone of the second firewall;
if it is determined to add an access policy in the first firewall and the second firewall, judging whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall;
if no access policy corresponding to the configuration request exists in the first firewall and the second firewall, configuring the target access policy corresponding to the configuration request in the first firewall and the second firewall.

2. The method according to claim 1, wherein determining whether to add an access policy in the first firewall and the second firewall according to the relationship between the security zone of the first firewall and the security zone of the second firewall comprises:
determining whether to add an access policy in the first firewall and the second firewall according to the grouping information of the first firewall and the second firewall, and the relationship between the security zone of the first firewall and the security zone of the second firewall.

3. The method according to claim 2, wherein determining whether to add an access policy in the first firewall and the second firewall according to the grouping information of the first firewall and the second firewall, and the relationship between the security zone of the first firewall and the security zone of the second firewall, comprises:
when it is determined from the grouping information of the first firewall and the second firewall that the first firewall and the second firewall do not belong to the same group, and a preset association relationship exists between the first firewall and the second firewall, obtaining the logical security zone in the security zone of the first firewall and the logical security zone in the security zone of the second firewall;
when the logical security zone in the security zone of the first firewall differs from the logical security zone in the security zone of the second firewall, determining to add an access policy in the first firewall and the second firewall.

4. The method according to claim 2, wherein determining whether to add an access policy in the first firewall and the second firewall according to the grouping information of the first firewall and the second firewall, and the relationship between the security zone of the first firewall and the security zone of the second firewall, comprises:
when it is determined from the grouping information of the first firewall and the second firewall that the first firewall and the second firewall belong to the same group, and the security zone of the first firewall differs from the security zone of the second firewall, determining to add an access policy in the first firewall and the second firewall.

5. The method according to claim 2, wherein determining whether to add an access policy in the first firewall and the second firewall according to the grouping information of the first firewall and the second firewall, and the relationship between the security zone of the first firewall and the security zone of the second firewall, comprises:
when it is determined from the grouping information of the first firewall and the second firewall that the first firewall and the second firewall belong to the same group, and the security zone of the first firewall is the same as the security zone of the second firewall, obtaining the logical security zone in the security zone of the first firewall and the logical security zone in the security zone of the second firewall;
when the logical security zone in the security zone of the first firewall differs from the logical security zone in the security zone of the second firewall, determining to add an access policy in the first firewall and the second firewall.

6. The method according to claim 2, wherein judging whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall comprises:
if the first firewall and the second firewall contain no access policy, determining that no target access policy corresponding to the configuration request exists in the first firewall and the second firewall.

7. The method according to claim 2, wherein judging whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall comprises:
if the first firewall and the second firewall contain an access policy, and the access policy is a default deny policy, determining that no target access policy corresponding to the configuration request exists in the first firewall and the second firewall.

8. The method according to claim 2, the method further comprising:
obtaining the access policies in the first firewall and the second firewall;
when the access policies include other access policies besides the target access policy, and the other access policies do not include a default deny policy, adjusting the policy order of the target access policy within the access policies.

9. The method according to claim 2, the method further comprising:
obtaining configuration data corresponding to the target access policy;
verifying the configuration process of the target access policy according to how the configuration data matches the configuration requirement information corresponding to the configuration request, to obtain a configuration verification result for the target access policy.

10. A data processing device, the device comprising:
a request receiving module, configured to receive a configuration request for a firewall policy;
a firewall determination module, configured to determine, in response to the configuration request, a first firewall of a source address device and a second firewall of a destination address device corresponding to the configuration request;
a first judgment module, configured to determine whether to add an access policy in the first firewall and the second firewall according to the relationship between the security zone of the first firewall and the security zone of the second firewall;
a second judgment module, configured to judge, if it is determined to add an access policy in the first firewall and the second firewall, whether a target access policy corresponding to the configuration request exists in the first firewall and the second firewall;
a policy configuration module, configured to configure the target access policy corresponding to the configuration request in the first firewall and the second firewall if no access policy corresponding to the configuration request exists in the first firewall and the second firewall.

11. An electronic device, characterized in that it comprises a processor, a memory, and a computer program stored in the memory and executable on the processor, wherein the computer program, when executed by the processor, implements the steps of the data processing method according to any one of claims 1 to 9.

12. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and the computer program, when executed by a processor, implements the steps of the data processing method according to any one of claims 1 to 9.

13. A computer program product, characterized in that it comprises a computer program which, when executed by a processor, implements the steps of the data processing method according to any one of claims 1 to 9.
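The decision flow of claims 1 to 7, with the read-back check of claim 9, as an added Python example (not code from the patent or the applicant). The inventory, subnets, rule format, first-match evaluation, placing the permit ahead of a default-deny rule, and answering "no policy" for cases the claims do not cover are all assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    src: str      # address or "any"
    dst: str      # address or "any"
    port: int     # 0 means any port
    action: str   # "permit" or "deny"

@dataclass(frozen=True)
class Request:    # the firewall policy configuration request
    src: str
    dst: str
    port: int

DEFAULT_DENY = Rule("any", "any", 0, "deny")

@dataclass
class Firewall:
    name: str
    group: str          # grouping information (claim 2)
    network: str        # assumption: subnet this firewall protects
    zone: str           # security zone
    logical_zone: str   # logical security zone inside the security zone
    rules: list = field(default_factory=list)

def locate(addr, inventory):
    """Claim 1, step 2: find the firewall in front of an address."""
    ip = ipaddress.ip_address(addr)
    for fw in inventory:
        if ip in ipaddress.ip_network(fw.network):
            return fw
    raise LookupError(f"no firewall protects {addr}")

def needs_policy(fw1, fw2, associated):
    """First judgment. `associated` holds frozenset name pairs with a preset association."""
    if fw1.group != fw2.group:
        if frozenset((fw1.name, fw2.name)) in associated:
            return fw1.logical_zone != fw2.logical_zone   # claim 3
        return False  # assumption: unassociated groups get no policy
    if fw1.zone != fw2.zone:
        return True                                       # claim 4
    return fw1.logical_zone != fw2.logical_zone           # claim 5

def matches(rule, req):
    return (rule.src in ("any", req.src) and rule.dst in ("any", req.dst)
            and rule.port in (0, req.port))

def effective_action(fw, req):
    """Assumed first-match evaluation; None when no rule matches."""
    return next((r.action for r in fw.rules if matches(r, req)), None)

def has_target_policy(fw, req):
    """Second judgment: does the firewall already permit this request?"""
    if not fw.rules:                   # claim 6: no access policy at all
        return False
    if fw.rules == [DEFAULT_DENY]:     # claim 7: only the default deny policy
        return False
    return effective_action(fw, req) == "permit"   # assumption for other cases

def configure(fw, req):
    """Add the target permit rule ahead of the default deny, if one exists."""
    rule = Rule(req.src, req.dst, req.port, "permit")
    idx = fw.rules.index(DEFAULT_DENY) if DEFAULT_DENY in fw.rules else len(fw.rules)
    fw.rules.insert(idx, rule)

def process_request(req, inventory, associated=frozenset()):
    fw1, fw2 = locate(req.src, inventory), locate(req.dst, inventory)
    if not needs_policy(fw1, fw2, associated):
        return {"decision": "not-needed", "configured": [], "verified": True}
    configured = []
    for fw in (fw1, fw2):  # assumption: each firewall is checked on its own
        if not has_target_policy(fw, req):
            configure(fw, req)
            configured.append(fw.name)
    # Claim 9: read the configuration back and compare it with the request.
    verified = all(effective_action(fw, req) == "permit" for fw in (fw1, fw2))
    decision = "configured" if configured else "already-present"
    return {"decision": decision, "configured": configured, "verified": verified}

def sample_inventory():
    """Constructed sample data, not taken from the patent."""
    return [
        Firewall("fw-a", "dc1", "10.1.0.0/16", "trust", "app", [DEFAULT_DENY]),
        Firewall("fw-b", "dc1", "10.2.0.0/16", "dmz", "web"),
        Firewall("fw-c", "dc2", "10.3.0.0/16", "trust", "db", [DEFAULT_DENY]),
        Firewall("fw-d", "dc1", "10.4.0.0/16", "trust", "app"),
    ]

if __name__ == "__main__":
    inv = sample_inventory()
    req = Request("10.1.0.5", "10.2.0.9", 443)
    print(process_request(req, inv))   # first submission configures both firewalls
    print(process_request(req, inv))   # repeat is recognised as redundant
```

Submitting the same request twice shows the redundancy control: the second call finds the permit on both firewalls and pushes nothing.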
CN202411463465.0A 2024-10-18 2024-10-18 A data processing method, device and equipment Pending CN119299197A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411463465.0A CN119299197A (en) 2024-10-18 2024-10-18 A data processing method, device and equipment

Publications (1)

Publication Number Publication Date
CN119299197A true CN119299197A (en) 2025-01-10

Family

ID=94161007

Country Status (1)

Country Link
CN (1) CN119299197A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination