Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Method and device for matching security policy

A security policy and matching technology, applied in the field of network security, can solve the problems of low efficiency of security policy matching, construction of dictionary trees, accelerated matching of communication messages, etc.

Active Publication Date: 2019-04-12
NEW H3C SECURITY TECH CO LTD
View PDF6 Cites 18 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

However, when the address object group of an IP address matching item in the security policy contains non-consecutive wildcard mask objects, the network device cannot construct a dictionary tree based on the non-consecutive wildcard mask objects, and thus cannot perform accelerated matching on communication packets. The matching efficiency of security policies is low

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Method and device for matching security policy
  • Method and device for matching security policy
  • Method and device for matching security policy

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0080] The following will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.

[0081] The embodiment of the present application provides a method for matching security policies, which can be applied to network devices. Wherein, the network device may be a firewall, an intrusion prevention system (English: Intrusion Prevention System, IPS for short) device, and the like. Currently, when a network device receives a communication packet, it can filter the communication packet based on a pre-configured security policy. The security policy m...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The embodiment of the invention provides a method and device for matching a security policy, and relates to the technical field of the network security. The method comprises the following steps: receiving a communication message; performing accelerated matching processing on the communication message according to a dictionary tree corresponding to various pre-stored matching items, thereby obtaining a first matching result of various matching items of various matching rules; in various matching rules, determining that the first matching result of other matching items except the IP address matching item is the matched first matching rule; if the condition that the first matching result is an unmatched target IP address matching item is existent in the IP address matching item of the first matching rule, performing matching processing on the communication message according to discontinuous wildcard character mask objects in an address object group of the target IP address matching item,thereby obtaining a second matching result of the target IP address matching item, and determining the first matching result of the first matching rule according to the second matching result of the target IP address matching item. The matching efficiency of the safety policy can be improved by adopting the method disclosed by the application.

Description

technical field [0001] The invention relates to the technical field of network security, in particular to a method and device for matching security policies. Background technique [0002] Currently, when a network device receives a communication packet, it can filter the communication packet based on a pre-configured security policy. The security policy can include at least one matching rule (rule), and each matching rule can include at least one matching item. For example, the matching item can include a source Internet Protocol (English: Internet Protocol, referred to as: IP) address matching item, a destination IP address matching item, and a matching item. item, source port matching item, destination port matching item, protocol type matching item and Svr (sever, service) matching item, etc. [0003] For any matching rule, the network device can match the communication packet (such as source IP address, destination IP address, source port number, etc.) according to the ...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(China)
IPC IPC(8): H04L29/06H04L29/12
CPCH04L61/2503H04L61/2557H04L63/0236H04L63/0263
Inventor 仇宏迪
Owner NEW H3C SECURITY TECH CO LTD
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products