CN115225307B - Firewall management method, system, electronic equipment and storage medium - Google Patents


Publication number
CN115225307B
Authority
CN
China
Prior art keywords
target
firewall
data
opened
command
Legal status
Active
Application number
CN202210519188.5A
Other languages
Chinese (zh)
Other versions
CN115225307A (en)
Inventor
王森
张银全
蒋宁
吴海英
曾琳铖曦
Current Assignee
Mashang Consumer Finance Co Ltd
Original Assignee
Mashang Consumer Finance Co Ltd
Application filed by Mashang Consumer Finance Co Ltd
Priority to CN202210519188.5A
Publication of CN115225307A
Application granted
Publication of CN115225307B

Abstract

The application discloses a firewall management method, a firewall management system, electronic equipment and a storage medium, wherein the firewall management method comprises the following steps: acquiring a target network address of a firewall to be opened and a target firewall associated with the target network address; generating an access policy for the target firewall with respect to the target network address; and sending the access policy to the target firewall so that the target firewall executes the access policy. In this way, the firewall can be opened automatically.

Description

Firewall management method, system, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security management technologies, and in particular, to a firewall management method, a firewall management system, an electronic device, and a storage medium.
Background
The firewall is the most basic piece of equipment in machine room construction and an important checkpoint for security protection. Internet enterprises often have self-built data centers, and a data center is generally divided into different areas; access between the different areas is restricted by default, and a firewall needs to be opened to allow it. However, the access policy on which opening the firewall depends varies with the device and the firewall vendor. In the prior art, a network administrator manually inputs the access policy on which the firewall opening depends, so as to open the firewall. Manual input increases the possibility of errors, and opening the network between areas involves multiple firewalls, so manual input of access policies consumes a significant amount of time for network administrators.
Disclosure of Invention
The application mainly solves the technical problem of providing a firewall management method, a firewall management system, electronic equipment and a storage medium, which can automatically open a firewall.
The first aspect of the present application provides a firewall management method, which includes: acquiring a target network address of a firewall to be opened and a target firewall associated with the target network address; generating an access policy for the target firewall with respect to the target network address; and sending the access policy to the target firewall so that the target firewall executes the access policy.
The second aspect of the present application provides a firewall management method, which includes: acquiring data to be opened by using a flow management system, and sending the data to be opened to a data storage system, wherein the data to be opened comprises a target network address; the data storage system acquires the identification information of the corresponding target firewall based on the data to be opened, and sends the data to be opened and the target firewall to the system operation and maintenance platform; the system operation and maintenance platform receives the data to be opened and the identification information of the target firewall, which are sent by the data storage system, and generates an access strategy related to the target network address for the target firewall; and sending the access policy to the target firewall so that the target firewall executes the access policy.
The third aspect of the application provides a firewall management system, which comprises a flow management system, a data storage system and a system operation and maintenance platform; the flow management system is used for acquiring data to be opened and sending the data to be opened to the data storage system, wherein the data to be opened comprises a target network address; the data storage system is used for acquiring the identification information of the corresponding target firewall based on the data to be opened, and sending the data to be opened and the target firewall to the system operation and maintenance platform; the system operation platform is configured to perform the method described in the first aspect.
A fourth aspect of the present application provides an electronic device comprising a memory and a processor coupled to each other, the memory storing program instructions, the processor being configured to execute the program instructions stored in the memory to implement the methods of the first and second aspects.
A fifth aspect of the present application provides a computer readable storage medium for storing program instructions executable to implement the methods of the first and second aspects described above.
The beneficial effects of the application are as follows: different from the prior art, after the target network address and the firewall associated with the target network address are acquired, the access strategy related to the target network address can be generated for the target firewall, and the access strategy is sent to the target firewall, so that the target firewall executes the access strategy, and the strategy opening is completed. Because the system directly sends the access strategy to the firewall, errors caused by manual input can be avoided, the user does not need to input the access strategy, and a large amount of time is not consumed.
Drawings
FIG. 1 is a schematic flow chart of a first embodiment of a firewall management method according to the present application;
FIG. 2 is a flow chart of an embodiment of step S120;
FIG. 3 is a schematic diagram of a target command setup page;
FIG. 4 is a schematic diagram of a setup page for a target instruction;
FIG. 5 is a schematic flow chart of a third embodiment of a firewall management method according to the present application;
FIG. 6 is a schematic flow chart of a fourth embodiment of a firewall management method according to the present application;
FIG. 7 is a schematic diagram of a firewall management system according to an embodiment of the present application;
FIG. 8 is a schematic diagram of a frame structure of an electronic device provided by the present application;
FIG. 9 is a schematic diagram of a computer-readable storage medium according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be noted that, in the embodiments of the present application, there is a description of "first", "second", etc., which are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the invention. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
In the existing firewall management method, research and development personnel send mails to inform the network administrator of their policy requirements; according to the data and the network deployment diagram, the network administrator finds the corresponding list of firewalls, logs in to the web end of each firewall, inputs the corresponding data, executes the change operation, and replies by mail to inform the developer that processing is complete. This approach has several disadvantages: the response to a change request is slow; identifying the firewalls manually, based on the network administrator's experience, is time-consuming and error-prone; and for firewalls from a plurality of different manufacturers, multiple logins are needed, the operations of the different manufacturers differ, and the process is complicated.
In order to solve the defects in the prior art, the application provides a firewall management method, which is characterized in that when a firewall is required to be opened by unified management of a system operation and maintenance platform, the system operation and maintenance platform acquires a target network address of the firewall to be opened and a target firewall associated with the target network address, generates a corresponding access policy based on the target network address, and sends the access policy to the target firewall so that the target firewall executes the access policy to complete policy opening. By the method provided by the application, the system can generate the access strategy and send the access strategy to the target firewall without manually inputting the access strategy, so that errors caused by manual input are avoided, and time is saved.
Referring to fig. 1, fig. 1 is a flowchart of a first embodiment of a firewall management method according to the present application, where the method includes:
S110: acquiring a target network address of the firewall to be opened and a target firewall associated with the target network address.
The firewall management method of the embodiment can be executed by a system operation and maintenance platform (also can be called sysops system), and the target network address of the firewall to be opened and the target firewall associated with the target network address can be sent to the system operation and maintenance platform by other systems or can be input by a user.
In one embodiment, obtaining the target network address of the firewall to be opened and the target firewall associated with the target network address includes: receiving the data to be opened and the identification information of the target firewall sent by a data storage system, wherein the data to be opened is input by a user through a flow management system and comprises a target network address and protocol information, the target network address comprises a source IP address, a destination IP address, a source port and a destination port, and the identification information of the target firewall is obtained by searching the data storage system based on the data to be opened and may comprise information such as the manufacturer of the target firewall, the firewall model and the operation type. The data storage system may be a configuration management database (CMDB) or MySQL (a relational database management system), but is not limited thereto. A configuration management database can be composed of a plurality of physical databases that together form one logical entity, and the physical databases need to be optimized when they are integrated; the SQL language used by relational database management systems is the most commonly used standardized language for accessing databases, and MySQL is chosen as the website database for small and medium-sized website development because of its small footprint, high speed, low total cost of ownership and, especially, open source code. The flow management system can introduce a flow engine to provide automation services, so that a user can conveniently submit an application, and the data can be processed and archived after approval.
Specifically, a user logs in to the flow management system, selects the network opening flow, and fills in the corresponding data to be opened according to the prompts of a form stored in the flow management system. The filled form is submitted to the corresponding superior leader; after the superior leader examines and approves it, it is transferred to the network administrator, and after checking that the application specification is free of problems, the network administrator sends the data to be opened to the data storage system. Because the flow management system audits the data to be opened, users no longer need to process changes by sending mails or other means, so the timeliness and accuracy of change processing can be ensured.
The data storage system acquires, according to the data to be opened, the pre-stored identification information of the target firewall that traffic from the source IP address to the destination IP address needs to pass through. The target firewall through which traffic from the source IP address to the destination IP address needs to pass can be set by a network administrator: each IP corresponds to a server and has two attributes, a data center and a network partition; for example, the source IP belongs to the first network partition of data center A. The network administrator can set, according to the relationship among the source data center, source network partition, destination data center and destination network partition in the machine room, the target firewall that traffic from a source IP address to a destination IP address needs to pass through; the identification information of the target firewall is stored in the data storage system, and after receiving the data to be opened, which the user input through the flow management system, the data storage system acquires the identification information of the target firewall according to the data to be opened. It will be appreciated that there may be one or more target firewalls to be traversed from the source IP address to the destination IP address. Further, the user can send the data to be opened to the data storage system through other platforms, or manually input the data to be opened into the data storage system, so that the data storage system can acquire the data to be opened and obtain the identification information of the target firewall based on it.
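One way to implement the lookup described in this step, as an added example that is not the patent's own code: the CMDB-style tables, addresses, data centers, partitions and firewall names below are constructed placeholders (only the vendor name juniper appears in the patent), and the data to be opened is validated before any lookup so that a source/destination pair with no configured firewall path fails closed rather than opening anything.

```python
import ipaddress

# Constructed CMDB-style data (hypothetical addresses, data centers and partitions).
# Each server IP carries two attributes: data center and network partition.
IP_LOCATION = {
    "10.1.0.10": ("DC-A", "partition-1"),
    "10.1.0.11": ("DC-A", "partition-1"),
    "10.1.1.20": ("DC-A", "partition-2"),
    "10.2.0.30": ("DC-B", "partition-1"),
}

# Firewalls that traffic traverses between a source and a destination location, preset by
# the administrator. Identification info is vendor, model and operation type; "juniper" is
# named in the patent, every other name here is a placeholder.
FIREWALL_PATHS = {
    (("DC-A", "partition-1"), ("DC-A", "partition-2")): [
        {"name": "fw-a-internal", "vendor": "juniper", "model": "model-x", "op": "open"},
    ],
    (("DC-A", "partition-1"), ("DC-B", "partition-1")): [
        {"name": "fw-a-edge", "vendor": "juniper", "model": "model-x", "op": "open"},
        {"name": "fw-b-edge", "vendor": "vendor-b", "model": "model-y", "op": "open"},
    ],
}


def validate_request(req: dict) -> None:
    """Reject malformed data to be opened before it reaches any lookup or device."""
    for key in ("srcIp", "dstIp"):
        ipaddress.ip_address(req[key])          # raises ValueError on malformed input
    for key in ("srcPort", "dstPort"):
        port = req[key]
        if port != "any" and not (isinstance(port, int) and 0 < port <= 65535):
            raise ValueError(f"{key} out of range: {port!r}")
    if req["protocol"].lower() not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {req['protocol']!r}")


def locate(ip: str) -> tuple:
    """(data center, network partition) of a server IP, as recorded in the CMDB."""
    try:
        return IP_LOCATION[ip]
    except KeyError:
        raise LookupError(f"{ip} is not registered in the CMDB") from None


def target_firewalls(req: dict) -> list:
    """Identification info of every firewall between source and destination (may be empty)."""
    validate_request(req)
    src, dst = locate(req["srcIp"]), locate(req["dstIp"])
    if src == dst:
        return []                               # same partition: no firewall on the path
    path = FIREWALL_PATHS.get((src, dst))
    if path is None:                            # fail closed: nothing is opened by guesswork
        raise LookupError(f"no firewall path configured from {src} to {dst}")
    return list(path)
```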
S120: an access policy is generated for the target firewall with respect to the target network address.
In one embodiment, after the system operation and maintenance platform obtains the target firewall associated with the target network address, it can search for corresponding target template data according to the manufacturer, model, operation type and related data of the target firewall; if no such data exists, the platform can send prompt information to prompt a network administrator to add the target template data; if the target template data exists, the platform executes the target template data to obtain a first execution result, and obtains an access policy based on the first execution result. The target template data may be configured manually and may include at least one target instruction, each target instruction corresponding to at least one target command, and executing the target template data includes: sending each target command to the target firewall for execution and obtaining a second execution result of each target command; combining, with groovy code, the second execution results of the target commands corresponding to a target instruction in different ways to obtain a third execution result of that target instruction; and processing (e.g. combining) the third execution results of all target instructions with groovy code to obtain the first execution result. Alternatively, the target template data may contain no target instruction and directly include at least one target command; each target command is then executed to obtain its second execution result, and the second execution results are processed to obtain the first execution result.
S130: and sending the access policy to the target firewall so that the target firewall executes the access policy.
And the system operation and maintenance platform sends the access strategy to the target firewall so that the target firewall executes the access strategy. It can be understood that multiple target firewalls may exist between the target network addresses, and then multiple access policies may be obtained through the system operation and maintenance platform, and the multiple access policies are respectively sent to the corresponding target firewalls, so that the multiple firewalls respectively execute the corresponding access policies.
In this embodiment, after the system operation and maintenance platform obtains the target network address of the firewall to be opened and the target firewall associated with the target network address, the access policy for the target network address may be generated automatically by means of groovy code and sent to the target firewall, so that the target firewall executes the access policy and is thereby opened automatically. Furthermore, the operation entry points of the target firewall are concentrated on the system operation and maintenance platform, so that unified batch management can be achieved, a user is not required to log in to the target firewall for processing, and security of access is enhanced.
Referring to fig. 2-4, fig. 2 is a flowchart of an embodiment of step S120, fig. 3 is a schematic diagram of a target command setting page, fig. 4 is a schematic diagram of a target instruction setting page, and step S120 may include:
S121: and searching target template data corresponding to the target firewall.
In an embodiment, the target template data may be preset by a network administrator and stored in the system operation and maintenance platform; it is understood that the target template data may vary with the manufacturer, model, etc. of the target firewall. The target template data may include only a plurality of target commands, or may include a plurality of target instructions, each corresponding to at least one target command. The target template data, the target commands and the target instructions may be represented by groovy code, where the plurality of target commands include a command to obtain the interface of the target firewall corresponding to the source IP address, a command to obtain the interface of the target firewall corresponding to the destination IP address, a command to obtain the area of the target firewall corresponding to the source IP address, and a command to obtain the area of the target firewall corresponding to the destination IP address.
As shown in fig. 3, when setting a target command contained in the target template data, a network administrator may set the name of the target command, the content of the target command, an input check script, an output check script, and the like. The content of the target command may include a variable, and the variable may be the second execution result of a previous target command. The output check script indicates what operation needs to be performed on the output after the target command has executed in order to obtain the corresponding second execution result; for example, the second execution result is placed in a context. (A context can be understood as follows: if a section of program contains external variables, that section is incomplete and cannot run independently; for it to run, the values of all the external variables need to be passed in, and the set of those values is called a context.)
Further, after the target commands have been set, the target commands corresponding to a target instruction can be set through groovy code; after the target commands corresponding to the target instruction have executed, their second execution results are obtained from the context and passed into the groovy code of the target instruction for processing, so that the third execution result of the target instruction is obtained. As shown in fig. 4, the target instruction may correspond to five target commands: juniper-traffic interface of the source IP, used to obtain the interface of the target firewall corresponding to the source IP address; juniper-traffic outlet interface of the destination IP, used to obtain the interface of the target firewall corresponding to the destination IP address; juniper-area corresponding to the source IP, used to obtain the area of the target firewall corresponding to the source IP address; juniper-area corresponding to the destination IP, used to obtain the area of the target firewall corresponding to the destination IP address; and juniper-policy check, used to determine whether the target firewall is already open from the source IP address to the destination IP address. It will be appreciated that the target instruction may also contain other target commands, which are not limited herein.
S122: and executing the target template data to obtain a first execution result.
In one implementation, the target template data includes a number of target commands. Executing the target template data means executing each of the target commands it contains: each target command is sent to the target firewall for execution to obtain a plurality of second execution results, and the second execution results are passed into the groovy code corresponding to the target template data, which processes them to obtain the first execution result.
In another embodiment, the target template data includes at least one target instruction, each target instruction corresponding to at least one target command. Each target command is sent to the target firewall for execution to obtain its second execution result, and the third execution result of a target instruction is obtained based on the second execution results of the target commands corresponding to that instruction, the first execution result comprising the third execution results of all target instructions. Specifically, after the second execution results corresponding to the target commands are obtained, each second execution result may be placed in a context. After all target commands corresponding to one target instruction have executed, the second execution result of each target command is obtained from the context and processed (e.g. combined) in the groovy code of the target instruction, so that the third execution result of the target instruction is obtained, and the third execution result is also placed in the context. The third execution results corresponding to the target instructions are then obtained from the context, aggregated, and processed in the groovy code corresponding to the target template data to obtain the first execution result.
Because variables are often present in a target command, before the target command is executed it is first determined whether the target command requires pre-command script processing (i.e. whether the content of the target command contains variables); if so, groovy code may be used to replace the variables in the target command with the data the target command actually depends on. For example, if execution of the current target command depends on the second execution result of another target command, groovy code may be used to obtain that second execution result from the context before executing the current target command and to replace the variable in the current target command with it (e.g. replacing targetlp in the command content of fig. 2 with the execution result of the other target command); the other target command may be at least one of the target commands that have already been executed.
S123: and obtaining an access strategy based on the first execution result.
In this embodiment, the system operation and maintenance platform may automatically obtain the corresponding target template data based on the manufacturer and model of the target firewall, execute the target commands and target instructions included in the target template data based on the target network address to obtain the first execution result, obtain the access policy based on the first execution result, and send the access policy to the target firewall, so that the target firewall executes the access policy and the policy opening is completed. The system operation and maintenance platform can complete these steps automatically by means of code, so that the target firewall is opened and the user only needs to upload the target network address without performing any other operation.
Further, in this embodiment, the corresponding target template data is set according to the manufacturer and model of the target firewall, and the target template data may be represented by groovy code, so that different manufacturers of the target firewall correspond to different groovy code. By using groovy code, the differences between vendors can be masked. Because the groovy code can change along with the firewall manufacturer, target firewalls of different manufacturers can be managed uniformly on the system operation and maintenance platform by means of different groovy code, without the differences between firewall manufacturers needing to be considered. If a new target firewall needs to be connected, only the corresponding target template data needs to be configured at the web end. For example, for a whitelist-adding operation on a new firewall, the configuration process may include: configuring the corresponding command data, where the verification can be extracted independently and an already existing command should be reused; configuring the instruction data, and obtaining the commands corresponding to the instruction by screening; and configuring the policy data, completing the setup according to data such as manufacturer, model and instruction. By means of groovy code, commands can be adjusted quickly, new types of target firewall can be connected quickly, and the management efficiency of firewalls is greatly improved.
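To make the command/instruction/template model of steps S121 to S123 and the per-vendor template configuration above concrete, here is an added example in Python (the patent describes groovy code; this is not the applicant's code). The command text, the simulated device output and the model name model-x are constructed placeholders rather than any vendor's real syntax; the five commands mirror the example instruction of fig. 4, later commands consume earlier results through the context, and the input check script rejects command text containing unexpected characters.

```python
import re
from typing import Callable

VAR = re.compile(r"\$\{(\w+)\}")
SAFE = re.compile(r"[\w .:/-]+")   # input check: only plain command characters allowed

class FakeFirewall:
    """Stand-in for a logged-in device: canned output per command text (constructed)."""
    def __init__(self, responses: dict):
        self.responses, self.sent = responses, []
    def run(self, command: str) -> str:
        self.sent.append(command)
        return self.responses.get(command, "")

def substitute(content: str, ctx: dict) -> str:
    """Pre-command script: replace ${var} with a value an earlier step put in the context."""
    def repl(m):
        key = m.group(1)
        if key not in ctx:
            raise KeyError(f"'{key}' was not produced by any earlier command")
        return str(ctx[key])
    return VAR.sub(repl, content)

def first_group(pattern: str) -> Callable[[str], str]:
    """Output check script: pull one field out of the command output, fail if absent."""
    def parse(out: str) -> str:
        m = re.search(pattern, out)
        if m is None:
            raise ValueError(f"output did not match {pattern!r}: {out!r}")
        return m.group(1)
    return parse

class Command:
    """One target command: content with ${variables}, input check, output parser."""
    def __init__(self, name: str, content: str, parse: Callable[[str], object]):
        self.name, self.content, self.parse = name, content, parse
    def run(self, fw: FakeFirewall, ctx: dict):
        text = substitute(self.content, ctx)
        if SAFE.fullmatch(text) is None:               # input check script
            raise ValueError(f"input check failed for {self.name}: {text!r}")
        ctx[self.name] = self.parse(fw.run(text))      # second execution result -> context
        return ctx[self.name]

class Instruction:
    """A target instruction: ordered commands plus a combine step (third result)."""
    def __init__(self, name: str, commands: list, combine: Callable[[dict], object]):
        self.name, self.commands, self.combine = name, commands, combine
    def run(self, fw: FakeFirewall, ctx: dict):
        for cmd in self.commands:
            cmd.run(fw, ctx)
        ctx[self.name] = self.combine(ctx)
        return ctx[self.name]

class Template:
    """Target template data: instructions plus the step that yields the access policy."""
    def __init__(self, instructions: list, build_policy: Callable[[dict], object]):
        self.instructions, self.build_policy = instructions, build_policy
    def run(self, fw: FakeFirewall, request: dict):
        ctx = dict(request)            # the context starts with the target network address
        for instr in self.instructions:
            instr.run(fw, ctx)
        return self.build_policy(ctx)  # first execution result -> access policy

# The five commands of the patent's example instruction: source/destination interface,
# source/destination zone, then a policy check (command text is illustrative only).
PATH_INSTRUCTION = Instruction("path", [
    Command("src_interface", "show route ${srcIp}", first_group(r"via (\S+)")),
    Command("dst_interface", "show route ${dstIp}", first_group(r"via (\S+)")),
    Command("src_zone", "show zone-of ${src_interface}", first_group(r"zone: (\S+)")),
    Command("dst_zone", "show zone-of ${dst_interface}", first_group(r"zone: (\S+)")),
    Command("policy_check", "show policy ${src_zone} ${dst_zone} ${srcIp} ${dstIp} ${dstPort}",
            lambda out: "permit" in out),
], combine=lambda c: {"from_zone": c["src_zone"], "to_zone": c["dst_zone"],
                      "already_open": c["policy_check"]})

def build_open_policy(c: dict):
    if c["path"]["already_open"]:  # policy exists already: nothing to push to the device
        return None
    return {"from_zone": c["path"]["from_zone"], "to_zone": c["path"]["to_zone"],
            "source": c["srcIp"], "destination": c["dstIp"],
            "protocol": c["protocol"], "port": c["dstPort"], "action": "permit"}

# Templates keyed by (vendor, model, operation type); "model-x" is a placeholder model.
TEMPLATES = {("juniper", "model-x", "open"): Template([PATH_INSTRUCTION], build_open_policy)}

def generate_access_policy(fw_info: dict, request: dict, fw: FakeFirewall):
    key = (fw_info["vendor"], fw_info["model"], fw_info["op"])
    tpl = TEMPLATES.get(key)
    if tpl is None:                # the platform would prompt the administrator to add one
        raise LookupError(f"no target template data for {key}")
    return tpl.run(fw, request)

# Constructed sample device output and request.
SAMPLE_RESPONSES = {
    "show route 10.1.0.10": "10.1.0.0/24 via ge-0/0/1.0",
    "show route 10.2.0.30": "10.2.0.0/24 via ge-0/0/2.0",
    "show zone-of ge-0/0/1.0": "zone: trust",
    "show zone-of ge-0/0/2.0": "zone: dmz",
    "show policy trust dmz 10.1.0.10 10.2.0.30 443": "no matching policy",
}
SAMPLE_REQUEST = {"srcIp": "10.1.0.10", "dstIp": "10.2.0.30",
                  "srcPort": "any", "dstPort": 443, "protocol": "tcp"}
```

Connecting a new vendor or model is then a matter of adding one more TEMPLATES entry with its own commands and parsers; the platform logic that runs them does not change.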
Referring to fig. 5, fig. 5 is a flowchart of a second embodiment of a firewall management method according to the present application, where the method includes:
S510: and acquiring a target network address of the firewall to be opened and a target firewall associated with the target network address.
S520: an access policy is generated for the target firewall with respect to the target network address.
S530: and sending the access policy to the target firewall so that the target firewall executes the access policy.
S540: and acquiring a fourth execution result of the target firewall executing the access strategy, and sending the fourth execution result to the user.
The method of this embodiment can be executed by a system operation and maintenance platform, which can comprise a command module, an instruction module and a template module. The command module is used for setting the plurality of target commands contained in the target template data; before and after execution of a target command, operations such as processing and replacing the data on which the target command depends, or its second execution result, can be carried out through groovy code. The instruction module is used for setting the plurality of target commands corresponding to a target instruction, and the target commands can be ordered by groovy code according to their execution sequence to form a target command set. The template module is used for setting the target template data, integrating data such as target commands, target instructions, firewall manufacturer, firewall model and operation type through groovy code. The network administrator can preset target template data according to the firewall manufacturer, firewall model, operation type and the like, where the target template data comprises at least one target instruction and each target instruction corresponds to at least one target command.
When the target firewall needs to be opened from the source IP address to the destination IP address, the user can input the target network address of the firewall to be opened into the flow management system; after checking, the flow management system sends it to the data storage system, which obtains the stored target firewall associated with the target network address according to the target network address and sends the target network address and the associated target firewall to the system operation and maintenance platform.
The system operation and maintenance platform searches for the target template data corresponding to the target firewall based on its manufacturer and model. The target template data can comprise a plurality of target instructions, each corresponding to at least one target command; the firewall executes the target commands based on the target network address to obtain the second execution results corresponding to the target commands, and groovy code is used to place the second execution results in the context. After all target commands contained in a target instruction have executed, groovy code obtains the second execution results corresponding to those target commands from the context and passes them into the groovy code of the corresponding target instruction for processing, obtaining the third execution result of the target instruction, which is stored in the context by groovy code. After all target instructions contained in the target template data have executed, groovy code obtains the third execution results corresponding to those target instructions from the context, aggregates them, and passes them into the groovy code corresponding to the target template data for processing to obtain the corresponding access policy. The access policy is sent to the corresponding target firewall so that the target firewall executes it; the fourth execution result of the target firewall executing the access policy is obtained and sent to the user.
Referring to fig. 6, fig. 6 is a flowchart of a third embodiment of a firewall management method according to the present application, where the method includes:
S610: acquire the data to be opened using the flow management system and send the data to be opened to the data storage system.
In one embodiment, a user logs in to the flow management system, selects the network opening process, and fills in the corresponding data to be opened according to the prompts of a form stored in the flow management system. The data to be opened comprises a target network address and protocol information, where the target network address comprises a source IP address, a destination IP address, a source port and a destination port. After the data to be opened has been reviewed by the user's supervisor and the network administrator, it is sent to the data storage system. Specifically, the data to be opened can be sent to the supervisor and the network administrator as a link; they click the link to view the data to be opened and approve it if there is no problem, or return it to the user for modification if there is.
Further, the flow management system may include a corresponding notification mechanism: for example, when the data to be opened is sent to the supervisor, the flow management system may notify the supervisor by SMS or email to perform the approval; and when the data to be opened is sent to the data storage system, the user may be notified by SMS or email that it has been sent.
S620: the data storage system obtains the identification information of the corresponding target firewall based on the data to be opened, and sends the data to be opened and the identification information of the target firewall to the system operation and maintenance platform.
In an embodiment, the data storage system may look up the corresponding target firewall based on the data center and network partition corresponding to the source IP address and the destination IP address in the data to be opened, and obtain the identification information of the target firewall, which may include the manufacturer and model of the target firewall. The specific steps for looking up the corresponding target firewall are as described in the first embodiment of the firewall management method and are not repeated here.
S630: the system operation and maintenance platform receives the data to be opened and the identification information of the target firewall sent by the data storage system, generates an access policy for the target firewall with respect to the target network address, and sends the access policy to the target firewall so that the target firewall executes it.
In one embodiment, after receiving the data to be opened and the identification information of the target firewall from the data storage system, the system operation and maintenance platform looks up the corresponding target template data based on the identification information of the target firewall and obtains the plurality of target instructions contained in it, each target instruction corresponding to at least one target command. The target commands are executed based on the data to be opened to obtain a second execution result for each target command. Each target instruction is then executed based on the second execution results of its target commands to obtain a third execution result for that target instruction. The third execution results of the target instructions are combined in the order in which the target instructions appear in the target template data to obtain a first execution result, and an access policy with respect to the target network address is generated from the first execution result. The access policy is sent to the target firewall so that the target firewall executes it, and after the target firewall has executed the access policy, the resulting fourth execution result is sent to the user.
In this embodiment, the specific implementation details of step S630 are as described for steps S120 and S130 in the first embodiment of the firewall management method and are not repeated here.
Referring to fig. 7, fig. 7 is a schematic diagram of a firewall management system according to an embodiment of the present application. The firewall management system 70 includes a flow management system 71, a data storage system 72 and a system operation and maintenance platform 73. The flow management system 71 is configured to obtain data to be opened and send it to the data storage system 72, where the data to be opened includes a target network address; the data storage system 72 is configured to obtain identification information of the corresponding target firewall based on the data to be opened and send the data to be opened and the identification information of the target firewall to the system operation and maintenance platform 73; the system operation and maintenance platform 73 is configured to obtain the target network address of the firewall to be opened and the target firewall associated with the target network address, generate an access policy for the target firewall with respect to the target network address, and send the access policy to the target firewall so that the target firewall executes it.
Generating an access policy for the target firewall with respect to the target network address comprises: looking up target template data corresponding to the target firewall, where the target template data comprises a plurality of target commands; executing the target template data to obtain a first execution result; and obtaining the access policy based on the first execution result.
The target template data further comprises at least one target instruction, each target instruction corresponding to at least one target command. Executing the target template data comprises: sending each target command to the target firewall for execution and obtaining a second execution result for each target command; and obtaining a third execution result for each target instruction based on the second execution results of the target commands corresponding to that instruction, where the first execution result comprises the third execution result of each target instruction.
The target network address comprises a source IP address and a destination IP address, and the target commands comprise a command to obtain the interface of the target firewall associated with the source IP address, a command to obtain the interface of the target firewall associated with the destination IP address, a command to obtain the zone of the target firewall associated with the source IP address, and a command to obtain the zone of the target firewall associated with the destination IP address. And/or, executing a target command comprises: judging whether execution of the target command depends on the second execution result of another target command; if so, sending the target command to the target firewall for execution based on the second execution result of that other target command.
Obtaining the target network address of the firewall to be opened and the target firewall associated with the target network address comprises: receiving data to be opened and identification information of the target firewall, where the data to be opened is entered by a user through the flow management system and comprises the target network address and protocol information, the target network address comprises a source IP address, a destination IP address, a source port and a destination port, and the identification information of the target firewall is obtained by the data storage system looking it up based on the data to be opened.
After sending the access policy to the target firewall so that the target firewall executes it, the method further comprises obtaining a fourth execution result of the target firewall executing the access policy and sending the fourth execution result to the user.
The flow management system 71, the data storage system 72 and the system operation and maintenance platform 73 included in the firewall management system 70 provided by the present application may be used to execute corresponding steps in the first embodiment of the firewall management method, and specific steps executed by the flow management system 71, the data storage system 72 and the system operation and maintenance platform 73 may refer to the first embodiment of the firewall management method and will not be described herein.
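The template execution flow described in this embodiment and in the system summary above (template lookup by manufacturer and model, the four interface and zone lookup commands, the check that a command's dependencies already have second execution results in the context, per-instruction third results, their aggregation in template order into the access policy, and the firewall's fourth execution result), as an added Python example. It is not the patent's own code, which the text says is written in Groovy; the simulated firewall, the command names, the template contents and the policy text format are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable

class SimFirewall:  # constructed stand-in: prefix -> interface routes, interface -> zone
    def __init__(self, routes, zones):
        self.routes = {ipaddress.ip_network(p): i for p, i in routes.items()}
        self.zones = zones

    def run(self, command, args):  # returns the command's second execution result
        if command == "interface-of":          # longest-prefix match for an IP
            ip = ipaddress.ip_address(args["ip"])
            best = max((n for n in self.routes if ip in n),
                       key=lambda n: n.prefixlen, default=None)
            if best is None:
                raise LookupError(f"no route for {ip}")
            return self.routes[best]
        if command == "zone-of":
            return self.zones[args["interface"]]
        if command == "apply-policy":          # the device's reply is the fourth result
            return f"applied: {args['policy']}"
        raise ValueError(f"unsupported command {command}")

@dataclass
class Command:
    name: str              # context key for this command's second execution result
    command: str
    args: Callable         # builds the command arguments from the context
    depends_on: tuple = ()

@dataclass
class Instruction:
    name: str              # context key for the instruction's third execution result
    commands: list
    resolve: Callable      # builds the third execution result from the context

# Constructed template for a hypothetical manufacturer/model pair: the four lookup
# commands from the text, each zone lookup depending on the matching interface lookup.
TEMPLATES = {("vendor-x", "model-1"): [
    Instruction("src", [Command("src_if", "interface-of", lambda c: {"ip": c["src_ip"]}),
                        Command("src_zone", "zone-of", lambda c: {"interface": c["src_if"]}, ("src_if",))],
                lambda c: c["src_zone"]),
    Instruction("dst", [Command("dst_if", "interface-of", lambda c: {"ip": c["dst_ip"]}),
                        Command("dst_zone", "zone-of", lambda c: {"interface": c["dst_if"]}, ("dst_if",))],
                lambda c: c["dst_zone"]),
]}

def generate_policy(fw, vendor, model, request):  # O&M platform side
    ctx = dict(request)                   # target network address + protocol info
    template = TEMPLATES[(vendor, model)]
    for ins in template:
        for cmd in ins.commands:
            missing = [d for d in cmd.depends_on if d not in ctx]
            if missing:                   # dependency check before sending the command
                raise RuntimeError(f"{cmd.name} needs {missing} first")
            ctx[cmd.name] = fw.run(cmd.command, cmd.args(ctx))
        ctx[ins.name] = ins.resolve(ctx)  # third execution result
    first = [ctx[ins.name] for ins in template]   # first result, in template order
    policy = (f"permit {request['proto']} from {first[0]} {request['src_ip']} "
              f"to {first[1]} {request['dst_ip']} port {request['dst_port']}")
    return policy, ctx

def open_firewall(fw, vendor, model, request):  # returns (policy, fourth execution result)
    policy, _ = generate_policy(fw, vendor, model, request)
    return policy, fw.run("apply-policy", {"policy": policy})
```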
Referring to fig. 8, fig. 8 is a schematic diagram of a frame structure of an electronic device according to the present application.
The electronic device 80 comprises a memory 81 and a processor 82 coupled to each other; the memory 81 stores program instructions, and the processor 82 is adapted to execute the program instructions stored in the memory 81 to carry out the steps of any of the method embodiments described above. In one particular implementation scenario, the electronic device 80 may include, but is not limited to, a microcomputer or a server, and may also be a mobile device such as a notebook computer or a tablet computer, which is not limited here.
In particular, the processor 82 is operative to control itself and the memory 81 to implement the steps of any of the organization architecture construction method embodiments described above. The processor 82 may also be referred to as a CPU (Central Processing Unit). The processor 82 may be an integrated circuit chip having signal processing capabilities. The processor 82 may also be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. In addition, the processor 82 may be implemented jointly by integrated circuit chips.
Referring to fig. 9, fig. 9 is a schematic diagram of a frame of an embodiment of a computer readable storage medium according to the present application.
The computer readable storage medium 90 stores program instructions 91 that when executed by a processor, perform the steps of any of the method embodiments described above.
The computer readable storage medium 90 may be a medium that can store a computer program, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk; or it may be a server storing the computer program, where the server may send the stored computer program to another device to run, or may run the stored computer program itself.
The foregoing description is only of embodiments of the present application, and is not intended to limit the scope of the application, and all equivalent structures or equivalent processes using the descriptions and the drawings of the present application or directly or indirectly applied to other related technical fields are included in the scope of the present application.

Claims (11)

CN202210519188.5A | Priority date 2022-05-12 | Filing date 2022-05-12 | Firewall management method, system, electronic equipment and storage medium | Active | CN115225307B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202210519188.5A (CN115225307B, en) | 2022-05-12 | 2022-05-12 | Firewall management method, system, electronic equipment and storage medium


Publications (2)

Publication Number | Publication Date
CN115225307A (en) | 2022-10-21
CN115225307B (en) | 2024-09-03

Family

ID=83607848

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN202210519188.5A (CN115225307B, en) | Firewall management method, system, electronic equipment and storage medium | 2022-05-12 | 2022-05-12 | Active

Country Status (1)

Country | Link
CN (1) | CN115225307B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN116094929B (en) * | 2023-03-06 | 2023-06-27 | 天津金城银行股份有限公司 | Configuration issuing method, device, electronic equipment and computer readable storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN104580078A (en) * | 2013-10-15 | 2015-04-29 | 北京神州泰岳软件股份有限公司 | Network access control method and system
CN109600368A (en) * | 2018-12-07 | 2019-04-09 | 中盈优创资讯科技有限公司 | Method and device for determining firewall policy
CN110430206A (en) * | 2019-08-13 | 2019-11-08 | 上海新炬网络技术有限公司 | Method for generating firewall security policy configuration based on script templates
CN111262879A (en) * | 2020-02-13 | 2020-06-09 | 武汉思普崚技术有限公司 | Firewall security policy opening method and device based on simulation path analysis
CN111711635A (en) * | 2020-06-23 | 2020-09-25 | 平安银行股份有限公司 | Firewall opening method and device, computer equipment and storage medium
CN111835794A (en) * | 2020-09-17 | 2020-10-27 | 腾讯科技(深圳)有限公司 | Firewall policy control method and device, electronic equipment and storage medium
CN114362983A (en) * | 2020-10-12 | 2022-04-15 | 中国移动通信集团江西有限公司 | Firewall policy management method and device, computer equipment and storage medium

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN105282099B (en) * | 2014-06-25 | 2019-04-12 | 国家电网公司 | Generation method and device for firewall commands
US9609023B2 (en) * | 2015-02-10 | 2017-03-28 | International Business Machines Corporation | System and method for software defined deployment of security appliances using policy templates
KR102333028B1 (en) * | 2017-10-19 | 2021-11-29 | 삼성에스디에스 주식회사 | Apparatus and method for controlling firewall policy
CN108092979B (en) * | 2017-12-20 | 2021-05-28 | 国家电网公司 | Firewall policy processing method and device
CN113810429B (en) * | 2021-11-16 | 2022-02-11 | 北京安博通科技股份有限公司 | Method for automatic policy opening
CN114143090B (en) * | 2021-11-30 | 2024-02-06 | 招商局金融科技有限公司 | Firewall deployment method, device, equipment and medium based on network security architecture


Also Published As

Publication number | Publication date
CN115225307A (en) | 2022-10-21


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
