For the first policy, because the source network object and the destination network object are both on the firewall F1, the policy is directly configured on the firewall F1, a default rejection policy is added, and after the configuration is completed, the network security policy on the current firewall F1 is as follows

Shown in Table 2:

TABLE 2

For the second policy, since the source network object and the destination network object are respectively on the firewalls F1 and F2, and the policy action is pass (allowed), a detailed policy is configured on the wall F1 where the source network object is located, a loose policy is configured on the wall F2 where the destination network object is located, and the policies of the firewalls F1 and F2 after configuration are shown in table 3:

TABLE 3

For the third policy, the source network object and the destination network object are respectively in the firewalls F1 and F3, and the action is rejection, so the rejection policy of the detail IP is configured on the firewall F1, the configuration of the policy is not performed on the firewall F3, and after the configuration is completed, as shown in table 4:

TABLE 4

For the fourth policy, because the IP in the source network object does not belong to the same firewall, the policy is preprocessed and split into two policies 4.1 and 4.2:

4.1：permit src host 1.2.1.1to host 1.2.10.1tcp port 22

4.2：permit src host 1.3.1.1to host 1.2.10.1tcp port 22

for 4.1, the source network object and the destination network object belong to the same firewall F2, so that the policy configuration only needs to be performed on F2 according to 4.1;

for 4.2, the source network object and the destination network object do not belong to the same firewall, so it is sufficient to configure a detailed policy on the wall F3 where the source and destination network objects are located, and to configure a rough policy on the wall F2 where the destination network object is located, and the configuration is completed as shown in table 5:

TABLE 5

The larger the policy ID is, the higher the priority is in this embodiment.

Through the ingenious design, the configuration of the network security policy has the characteristics of strong protection capability and convenient operation and maintenance management, and lays a good foundation for the subsequent management and optimization work efficiency of the network security policy. The scheme of the invention seems to be simple, is not easy to think of in fact, and can break through the limitation of the prior art by the simplest and most effective means only by deeply researching the network security characteristics and combining practice and theory, thereby realizing the maximization of the effect. Therefore, compared with the prior art, the invention has outstanding substantive features and remarkable progress.

The above-mentioned embodiments are only preferred embodiments of the present invention, and should not be construed as limiting the scope of the present invention, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.

Claims

1. A configuration method of network security policy is characterized by comprising the following steps:

(3) Configuring according to the detailed strategy on the network security equipment where the source network object is located, and simultaneously releasing the access of the IP from all internal network segments to the network segment controlled by the network security equipment where the target network object is located according to the loose strategy configured on the network security equipment where the target network object is located;

(4) And (4) recycling the steps (1) to (3).

2. The method of claim 1, wherein the higher the policy ID, the higher the priority when configuring each policy.

3. The method for configuring network security policy according to claim 1 or 2, wherein the preprocessing in step (1) is performed as follows: