Strategy information analysis method and device for gateway equipment

A technology for gateway equipment and policy information, applied in the field of gateways, that addresses the problem of time-consuming policy analysis and improves analysis efficiency.

Active Publication Date: 2020-05-15
CHINA UNITECHS

AI Technical Summary

Problems solved by technology

[0006] An embodiment of the present invention provides a method for analyzing policy information of a gateway device. It addresses a technical problem of the prior art: the policy relationships are analyzed by traversing the policy information of each policy on the gateway device, which takes a long time, and when a policy changes, the policy relationships between the various policies must be re-analyzed. The method includes:

  • collecting the policy information of each policy within the scope of the gateway device, where the policy information of each policy includes the protocol type, source address information, destination address information and port information of that policy;
  • according to the policy information of each policy, splitting each policy into a source address element, a destination address element and port elements of different protocol types, where the source address element contains the policy identifier and source address information of the policy to which it belongs, the destination address element contains the policy identifier and destination address information of the policy to which it belongs, and the port element contains the policy identifier, protocol type and port information of the policy to which it belongs;
  • based on the network address space, finding the parent node policy corresponding to the source address element, destination address element and port element of each policy, and recording the policy identifier of that parent node policy in the source address element, destination address element and port element of each policy;
  • according to the policy identifiers of the parent node policies recorded in the source address element, destination address element and port element of each policy within the scope of the gateway device, together with the priority information and action information of each policy and of its parent node policy, determining the policy relationship information between the policies within the scope of the gateway device, where the priority information is used to determine the priority of policy execution, and the action information includes an allow action or a deny action.
[0007] An embodiment of the present invention also provides a policy information analysis device for a gateway device. It addresses the same technical problem of the prior art: the policy relationships are analyzed by traversing the policy information of each policy on the gateway device, which takes a long time, and when a policy changes, the policy relationships between the various policies must be re-analyzed. The device includes:

  • a policy information collection module, used to collect the policy information of each policy within the scope of the gateway device, where the policy information of each policy includes the protocol type, source address information, destination address information and port information of that policy;
  • a policy information processing module, used to split each policy, according to its policy information, into a source address element, a destination address element and port elements of different protocol types, where the source address element includes the policy identifier and source address information of the policy to which it belongs, the destination address element includes the policy identifier and destination address information of the policy to which it belongs, and the port element includes the policy identifier, protocol type and port information of the policy to which it belongs;
  • a policy information recording module, used to find, based on the network address space, the parent node policy corresponding to the source address element, destination address element or port element of each policy, and to record the policy identifier of that parent node policy in the source address element, destination address element and port element of each policy;
  • a policy information analysis module, used to determine the policy relationship information between the policies within the scope of the gateway device according to the policy identifiers of the parent node policies recorded in the source address element, destination address element and port element of each policy within that scope, together with the priority information and action information of each policy and of its parent node policy, where the priority information is used to determine the priority of policy execution, and the action information includes an allow action or a deny action.
[0008] An embodiment of the present invention also provides a computer device that addresses the same technical problem of the prior art, in which the policy relationships are analyzed by traversing the policy information of each policy on the gateway device. The computer device includes a memory, a processor, and a computer program stored in the memory and executable on the processor; when executing the computer program, the processor implements the above policy information analysis method for a gateway device.



Examples


Embodiment Construction

[0017] In order to make the purpose, technical solutions and advantages of the embodiments of the present invention more clear, the embodiments of the present invention will be further described in detail below in conjunction with the accompanying drawings. Here, the exemplary embodiments and descriptions of the present invention are used to explain the present invention, but not to limit the present invention.

[0018] In the description of this specification, the words "comprising", "including", "having", "containing" and so on are all open terms, meaning including but not limited to. A description referring to the terms "one embodiment," "a particular embodiment," "some embodiments," "for example," etc., means that a particular feature, structure, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. In this specification, schematic representations of the above terms do not ne...


Abstract

The invention discloses a policy information analysis method and device for gateway equipment. The method comprises: collecting the policy information of all policies within the scope of the gateway equipment, the policy information comprising the protocol type, source address information, destination address information and port information of each policy; splitting each policy into a source address element, a destination address element and port elements of different protocol types according to the policy information of each policy; searching, based on the network address space, for the parent node policy corresponding to each element, and recording the policy identifier of the parent node policy corresponding to each element in the source address element, destination address element and port element of each policy; and determining the policy relationship information between the policies within the scope of the gateway equipment according to the policy identifiers of the parent node policies recorded in the elements within that scope and the priority information and action information of the policies and of their parent node policies. According to the invention, the analysis efficiency of gateway equipment policies can be greatly improved.
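The steps in the abstract above (split each policy into elements, record the covering parent policies per element, then compare priority and action) can be sketched as follows. This is an added example, not code from the patent or its owner; the field names, the sample policies, the relation labels and the rule that a lower `prio` number is evaluated first are all assumptions, and the supernet walk stands in for the address-space lookup, which the page does not detail.

```python
import ipaddress
from collections import defaultdict, namedtuple

# Constructed sample policies. Field names and "lower prio is evaluated first" are assumptions.
Policy = namedtuple("Policy", "pid prio action proto src dst ports")
POLICIES = [
    Policy("P1", 10, "allow", "tcp", "10.0.0.0/8", "192.168.0.0/16", (1, 1024)),
    Policy("P2", 20, "allow", "tcp", "10.1.0.0/16", "192.168.1.0/24", (443, 443)),
    Policy("P3", 30, "deny", "tcp", "10.1.2.0/24", "192.168.1.0/24", (80, 80)),
    Policy("P4", 40, "allow", "udp", "10.1.0.0/16", "192.168.1.0/24", (53, 53)),
]
# Relation labels are this example's own naming, keyed by (parent evaluated first, same action).
LABELS = {(True, True): "redundant", (True, False): "shadowed",
          (False, True): "subsumed", (False, False): "exception"}

def addr_parents(policies, field):
    """Per address element, the ids of policies whose element contains it."""
    index = defaultdict(set)                       # network -> ids of policies using it
    for p in policies:
        index[ipaddress.ip_network(getattr(p, field))].add(p.pid)
    parents = {}
    for p in policies:
        net = ipaddress.ip_network(getattr(p, field))
        found = set()
        for plen in range(net.prefixlen, -1, -1):  # own block first, then each wider block
            found |= index.get(net.supernet(new_prefix=plen), set())
        parents[p.pid] = found - {p.pid}
    return parents

def port_parents(policies):
    """Per port element, the ids of same-protocol policies whose port range contains it."""
    return {p.pid: {q.pid for q in policies
                    if q.pid != p.pid and q.proto == p.proto
                    and q.ports[0] <= p.ports[0] and p.ports[1] <= q.ports[1]}
            for p in policies}

def analyze(policies):
    """Return {(child, parent): label} for policies covered in all three elements."""
    by_id = {p.pid: p for p in policies}
    src, dst = addr_parents(policies, "src"), addr_parents(policies, "dst")
    prt = port_parents(policies)
    relations = {}
    for p in policies:
        for pid in src[p.pid] & dst[p.pid] & prt[p.pid]:
            parent = by_id[pid]
            key = (parent.prio < p.prio, parent.action == p.action)
            relations[(p.pid, pid)] = LABELS[key]
    return relations
```

When one policy changes, only that policy's three elements need to be looked up again, which is the re-analysis cost the patent says it avoids.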

Description

Technical field

[0001] The invention relates to the field of gateways, in particular to a method and device for analyzing policy information of gateway equipment.

Background technique

[0002] This section is intended to provide a background or context to embodiments of the invention that are recited in the claims. The descriptions herein are not admitted to be prior art by inclusion in this section.

[0003] At present, in existing gateway devices (including firewalls and routers, etc.), whitelist policies are used to achieve access to different security domains, that is, corresponding access control policies are issued between different security domains that allow access. As time goes by, more and more policies are stored on the gateway device, which greatly affects the performance of the device.

[0004] In order to clean up or adjust some useless or redundant or conflicting policies on the gateway device, it is necessary to sort out and analyze the existing policy rela...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06
CPC: H04L63/0236, H04L63/1458, H04L63/20
Inventor: 何文娟
Owner: CHINA UNITECHS