Method and system for distributed firewall security policy configuration based on overlay network

A distributed firewall and security policy technology, applied in the field of network security, that addresses problems such as the inability to configure firewall policy across the whole network, the lack of awareness of the bearer status of network devices, and the resulting inability to generate suitable security policies.

Inactive Publication Date: 2013-12-18
INST OF ACOUSTICS CHINESE ACAD OF SCI +1

Problems solved by technology

However, most of this information concerns user identity, IP flows and the static network structure, and lacks awareness of the bearer status of network equipment. As a result, the system cannot quickly generate appropriate security policies for emergencies in the network.
[0014] 2. Centralized architecture generates security policies, often causing single-point bottlenecks
Therefore, the scope of each security policy c


Examples

Embodiment 1

[0096] The topology is as shown in Figure 7:

[0097] In the experimental topology, logical domain 1 and logical domain 2 are two logical domains.

[0098] Intelligent node 1 (IP address 192.168.11.100, subnet mask 255.255.255.0) in logical domain 1 is the policy decision point of the firewall in that logical domain; firewall 1 (H3CF100S firewall) is the egress firewall of host PC1 (IP address 192.168.1.1, subnet mask 255.255.255.0) and can control the traffic and access behavior of host PC1; host PC1 uses the application program Scanport to perform port scanning on the host Server.

[0099] Intelligent node 2 (IP address 192.168.12.100, subnet mask 255.255.255.0) in logical domain 2 is the policy decision point of the firewall in that logical domain; firewall 2 (CISCOASA firewall) is the egress firewall of host PC2 (IP address 192.168.2.1, subnet mask 255.255.255.0) and can control the traffic and access behavior of host PC2; host PC2 uses the application program Scanport to perform port scanning on t...

Embodiment 2

[0136] The topology is as shown in Figure 13:

[0137] In the experimental topology, logical domain 1 and logical domain 2 are two logical domains.

[0138] Intelligent node 1 (IP address 192.168.11.100, subnet mask 255.255.255.0) in logical domain 1 is the policy decision point of the firewall in that logical domain; firewall 1 (H3CF100S firewall) is the egress firewall of the PC-VOD host (IP address 192.168.1.2, subnet mask 255.255.255.0) and of the PC-FTP1 host (IP address 192.168.1.1, subnet mask 255.255.255.0) and can control the traffic and access behavior of the PC-FTP1 and PC-VOD hosts; the PC-VOD host has the application program VLC Media Player installed, with which it obtains video-on-demand services from the Server host; the PC-FTP1 host runs the application program FlashFXP, with which it downloads FTP data from the Server host;

[0139] Intelligent node 2 (IP address 192.168.12.100, subnet mask 255.255.255.0) in logical domain 2 is the policy decision point of the firewall in th...


Abstract

The invention provides a method and system for distributed firewall security policy configuration based on an overlay network. The method comprises the following steps. First, an intelligent node deployed in a given region collects first reference information, which reflects the service flow information carried by the network in the region corresponding to that intelligent node, and generates security policies according to the first reference information. Second, the intelligent node of the first step distributes the security policies it generated simultaneously to the firewall in its own region and to the intelligent nodes of other regions. Third, the intelligent nodes of the other regions treat the security policies received from other nodes as second reference information, dynamically adjust their own security policies accordingly, and distribute the security policies they generate to the firewalls in their regions, thereby completing security policy configuration between the regions. The intelligent node of the first step generates its security policies according to the first reference information together with firewall performance state information.
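The three steps of the abstract, modelled as an added toy example that is not part of the patent: one intelligent node per logical domain derives a deny rule from locally observed flows (a port-scan heuristic stands in for the patent's policy generation), coarsens it when the firewall performance state reports high load, pushes it to its own firewall and to the peer node, which adopts it as second reference information. The scan threshold, the load threshold, the Server address 10.0.0.5 and the flow tuples are constructed assumptions.

```python
from collections import defaultdict

SCAN_PORT_THRESHOLD = 20   # assumed: this many distinct ports from one source = scan
HIGH_LOAD = 0.8            # assumed: firewall load above which rules are coarsened


class IntelligentNode:
    """Policy decision point of one logical domain (region)."""

    def __init__(self, name, peers=()):
        self.name = name
        self.peers = list(peers)       # intelligent nodes of other regions
        self.firewall_rules = []       # rules pushed to this region's firewall
        self.second_reference = []     # policies received from other regions

    # Step 1: first reference information = local flows + firewall state
    def generate_policy(self, flows, fw_load):
        ports = defaultdict(set)
        for src, dst, port in flows:          # flows: (src, dst, dst_port)
            ports[(src, dst)].add(port)
        rules = []
        for (src, dst), seen in ports.items():
            if len(seen) >= SCAN_PORT_THRESHOLD:
                # A busy firewall gets one coarse rule per scanner instead of
                # one per destination (constructed use of performance state).
                dst = "any" if fw_load > HIGH_LOAD else dst
                rules.append({"action": "deny", "src": src, "dst": dst})
        return rules

    # Step 2: push to the local firewall and to every other region's node
    def distribute(self, rules):
        self.firewall_rules.extend(rules)
        for peer in self.peers:
            peer.receive(self.name, rules)

    # Step 3: a peer's policy is second reference information; adjust our
    # own policy (here: adopt it, tagged with its origin) and push it locally
    def receive(self, origin, rules):
        self.second_reference.append((origin, rules))
        for rule in rules:
            adjusted = dict(rule, origin=origin)
            if adjusted not in self.firewall_rules:
                self.firewall_rules.append(adjusted)


def run_scenario():
    """Constructed Embodiment-1-like flows: PC1 (192.168.1.1) scans Server."""
    node1, node2 = IntelligentNode("node1"), IntelligentNode("node2")
    node1.peers, node2.peers = [node2], [node1]
    flows = [("192.168.1.1", "10.0.0.5", p) for p in range(1, 41)]
    flows.append(("192.168.1.9", "10.0.0.5", 80))   # benign web traffic
    node1.distribute(node1.generate_policy(flows, fw_load=0.3))
    return node1, node2
```

After `run_scenario()` the scanning host is denied at firewall 1 and, via the overlay, pre-emptively at firewall 2 as well, while the benign host gets no rule.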

Description

Technical field

[0001] The present invention relates to the technical field of network security, and more specifically to an overlay network-based distributed firewall security policy configuration method and system.

Background technique

[0002] A firewall is a device composed of software and hardware that constructs a protective barrier between an internal network and an external network, or between a private network and a public network. The firewall device allows or restricts the passage of transmitted data according to the configured rules. Firewalls remain an indispensable means of ensuring network security. For a small network, traditional border firewalls are very effective. However, with the explosive growth of network scale, the defects of traditional firewall technology have begun to show. Problems such as single-point bottlenecks in the network, limited capability to support new services, and a single security management model make traditional border fire...


Application Information

IPC IPC(8): H04L29/06
Inventor 覃毅芳周旭杨磊牛温佳慈松唐晖唐朝伟
Owner INST OF ACOUSTICS CHINESE ACAD OF SCI