Access control method, apparatus, device and medium executed by firewall device

Document number: 291267 | Publication date: 2021-11-23 | Views: 6 | Original language: Chinese

Reading note: this technology, 由防火墙设备执行的访问控制方法、装置、设备以及介质 (Access control method, apparatus, device and medium executed by a firewall device), was designed and created by 左文建, 武安祥 and 邓涛 on 2020-05-19. Its main content is as follows: the present disclosure provides an access control method performed by a firewall device, comprising: receiving access data used by a first electronic device to access a second electronic device; processing the access data based on the access control rule of the firewall device to obtain a processing result; and determining, based on the processing result, whether to allow the first electronic device to access the second electronic device. The access control rule is obtained as follows: acquiring configuration input data, wherein the configuration input data comprises a device identifier of the firewall device; processing the configuration input data based on the device identifier to obtain target configuration data; and sending the target configuration data to the firewall device so that the firewall device configures the access control rule based on the target configuration data. The disclosure also provides an access control apparatus, a computing device, a computer-readable storage medium and a computer program product.

1. An access control method performed by a firewall device, comprising:

receiving access data used by a first electronic device to access a second electronic device;

processing the access data based on the access control rule of the firewall device to obtain a processing result; and

determining whether to allow the first electronic device to access the second electronic device based on the processing result;

wherein the access control rule is obtained based on:

obtaining configuration input data, wherein the configuration input data comprises a device identifier of the firewall device;

processing the configuration input data based on the device identifier to obtain target configuration data; and

sending the target configuration data to the firewall device so that the firewall device configures the access control rule based on the target configuration data.

2. The method of claim 1, wherein processing the configuration input data based on the device identifier to obtain target configuration data comprises:

determining, based on the device identifier, the data format of the data processed by the firewall device; and

processing the configuration input data based on the data format to obtain target configuration data that satisfies the data format.

3. The method of claim 1, wherein the access control rule comprises a first rule that allows the access data to pass and/or a second rule that prohibits the access data from passing;

wherein processing the access data based on the access control rule of the firewall device to obtain a processing result comprises:

in response to determining that the access data satisfies the first rule, obtaining a processing result that allows the access data to pass; and

in response to determining that the access data satisfies the second rule, obtaining a processing result that prohibits the access data from passing.

4. The method of claim 1, wherein the access control rule is configured as tree structured data comprising:

a plurality of nodes, at least one of the plurality of nodes comprising rule data; and

path information via which each of the plurality of nodes is accessible.

5. The method of claim 4, wherein said processing said configuration input data based on said device identification resulting in target configuration data comprises:

determining a target node of the at least one node for which the configuration input data is intended;

accessing the target node based on the path information;

determining a configuration mode for the target node;

configuring the rule data of the target node based on the configuration mode and the configuration input data to obtain a configuration result; and

processing the configuration result based on the device identifier to obtain target configuration data.

6. The method of claim 1, wherein the access control rule comprises at least one sub-rule, and any sub-rule of the at least one sub-rule includes at least one of the following information:

security domain information, wherein a user in the security domain corresponding to the security domain information can access the second electronic device through the first electronic device;

address information, wherein the first electronic device can access the second electronic device through a gateway device having the address information;

protocol information, wherein the first electronic device can access the second electronic device when the protocol of the access data satisfies the protocol information; and

time information, wherein the first electronic device can access the second electronic device when the access time of the access data satisfies the time information.

7. An access control apparatus, comprising:

a receiving module for receiving access data used by a first electronic device to access a second electronic device;

a first processing module for processing the access data based on the access control rule of a firewall device to obtain a processing result; and

a determining module for determining whether to allow the first electronic device to access the second electronic device based on the processing result;

wherein the access control rule is obtained based on:

an acquiring module for acquiring configuration input data, wherein the configuration input data comprises a device identifier of the firewall device;

a second processing module for processing the configuration input data based on the device identifier to obtain target configuration data; and

a sending module for sending the target configuration data to the firewall device so that the firewall device configures the access control rule based on the target configuration data.

8. A computing device, comprising:

one or more processors;

a storage device for storing one or more programs,

wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-6.

9. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method of any one of claims 1 to 6.

10. A computer program product comprising computer executable instructions for implementing a method according to any one of claims 1 to 6 when executed.

Technical Field

The present disclosure relates to the field of computer technologies, and in particular, to an access control method performed by a firewall device, an access control apparatus, a computing device, and a computer-readable storage medium.

Background

To make the Access Control List (ACL) rules of a firewall device easier to manage, each firewall vendor defines its own configuration mode for the ACL rules of its devices, and users configure ACL rules in that mode. Because vendors define these configuration modes differently, a user must configure the ACL rules of different firewall devices in different modes. This makes configuration inefficient, makes centralized management of firewall devices from different vendors difficult, and drives up the cost of managing them.

Disclosure of Invention

In view of the above, the present disclosure provides an optimized access control method performed by a firewall device, an access control apparatus, a computing device, and a computer-readable storage medium.

One aspect of the present disclosure provides an access control method performed by a firewall device, including: receiving access data used by a first electronic device to access a second electronic device, processing the access data based on an access control rule of the firewall device to obtain a processing result, and determining whether to allow the first electronic device to access the second electronic device based on the processing result. The access control rule is obtained based on: obtaining configuration input data, wherein the configuration input data includes a device identifier of the firewall device; processing the configuration input data based on the device identifier to obtain target configuration data; and sending the target configuration data to the firewall device so that the firewall device configures the access control rule based on the target configuration data.

According to an embodiment of the present disclosure, processing the configuration input data based on the device identifier to obtain target configuration data includes: determining, based on the device identifier, the data format of the data processed by the firewall device, and processing the configuration input data based on that data format to obtain target configuration data that satisfies it.

According to an embodiment of the disclosure, the access control rule includes a first rule that allows the access data to pass and/or a second rule that prohibits the access data from passing. Processing the access data based on the access control rule of the firewall device to obtain a processing result includes: in response to determining that the access data satisfies the first rule, obtaining a processing result that allows the access data to pass; and in response to determining that the access data satisfies the second rule, obtaining a processing result that prohibits the access data from passing.

According to an embodiment of the present disclosure, the access control rule is configured as tree structure data, and the tree structure data includes: a plurality of nodes, at least one of the plurality of nodes comprising rule data, path information for the plurality of nodes, wherein the plurality of nodes are accessible via the path information.

According to an embodiment of the present disclosure, the processing the configuration input data based on the device identifier to obtain target configuration data includes: determining a target node in the at least one node to which the configuration input data is directed, accessing the target node based on the path information, determining a configuration mode for the target node, configuring rule data of the target node based on the configuration mode and the configuration input data to obtain a configuration result, and processing the configuration result based on the device identifier to obtain target configuration data.

According to an embodiment of the present disclosure, the access control rule includes at least one sub-rule. Any sub-rule of the at least one sub-rule includes at least one of the following information: security domain information, wherein users in the security domain corresponding to the security domain information can access the second electronic device through the first electronic device; address information, wherein the first electronic device can access the second electronic device through a gateway device having the address information; protocol information, wherein the first electronic device can access the second electronic device when the protocol of the access data satisfies the protocol information; and time information, wherein the first electronic device can access the second electronic device when the access time of the access data satisfies the time information.

Another aspect of the present disclosure provides an access control apparatus including a receiving module, a first processing module and a determining module. The receiving module receives access data used by the first electronic device to access the second electronic device. The first processing module processes the access data based on the access control rule of the firewall device to obtain a processing result. The determining module determines whether to allow the first electronic device to access the second electronic device based on the processing result. The access control rule is obtained by an acquiring module, a second processing module and a sending module. The acquiring module acquires configuration input data, wherein the configuration input data includes a device identifier of the firewall device. The second processing module processes the configuration input data based on the device identifier to obtain target configuration data. The sending module sends the target configuration data to the firewall device so that the firewall device configures the access control rule based on the target configuration data.

According to an embodiment of the present disclosure, processing the configuration input data based on the device identifier to obtain target configuration data includes: determining, based on the device identifier, the data format of the data processed by the firewall device, and processing the configuration input data based on that data format to obtain target configuration data that satisfies it.

According to an embodiment of the disclosure, the access control rule includes a first rule that allows the access data to pass and/or a second rule that prohibits the access data from passing. Processing the access data based on the access control rule of the firewall device to obtain a processing result includes: in response to determining that the access data satisfies the first rule, obtaining a processing result that allows the access data to pass; and in response to determining that the access data satisfies the second rule, obtaining a processing result that prohibits the access data from passing.

According to an embodiment of the present disclosure, the access control rule is configured as tree structure data, and the tree structure data includes: a plurality of nodes, at least one of the plurality of nodes comprising rule data, path information for the plurality of nodes, wherein the plurality of nodes are accessible via the path information.

According to an embodiment of the present disclosure, the processing the configuration input data based on the device identifier to obtain target configuration data includes: determining a target node in the at least one node to which the configuration input data is directed, accessing the target node based on the path information, determining a configuration mode for the target node, configuring rule data of the target node based on the configuration mode and the configuration input data to obtain a configuration result, and processing the configuration result based on the device identifier to obtain target configuration data.

According to an embodiment of the present disclosure, the access control rule includes at least one sub-rule. Any sub-rule of the at least one sub-rule includes at least one of the following information: security domain information, wherein users in the security domain corresponding to the security domain information can access the second electronic device through the first electronic device; address information, wherein the first electronic device can access the second electronic device through a gateway device having the address information; protocol information, wherein the first electronic device can access the second electronic device when the protocol of the access data satisfies the protocol information; and time information, wherein the first electronic device can access the second electronic device when the access time of the access data satisfies the time information.

Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the method as described above when executed.

Another aspect of the disclosure provides a computer program product comprising computer executable instructions for implementing the method as described above when executed.

According to the embodiment of the disclosure, the access control method can at least partially solve the problems of the related art, namely low configuration efficiency of firewall devices, difficulty in centrally managing different firewall devices, and high management cost of firewall devices, so that firewall devices can be managed centrally and the technical effect of reducing their management cost is achieved.

Drawings

The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:

fig. 1 schematically illustrates an application scenario of an access control method and an access control apparatus according to an embodiment of the present disclosure;

FIGS. 2A-2B schematically illustrate a flow chart of an access control method according to an embodiment of the disclosure;

FIG. 3A schematically illustrates a block diagram of an access control apparatus according to an embodiment of the present disclosure;

FIG. 3B schematically illustrates a block diagram of a configuration device according to an embodiment of the disclosure; and

FIG. 4 schematically illustrates a block diagram of a computer system suitable for access control according to an embodiment of the present disclosure.

Detailed Description

Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.

All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.

Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).

An embodiment of the present disclosure provides an access control method performed by a firewall device, including: access data is received for the first electronic device to access the second electronic device. And then processing the access data based on the access control rule of the firewall equipment to obtain a processing result. Next, based on the processing result, it is determined whether the first electronic device is allowed to access the second electronic device. Wherein the access control rule is obtained based on: the method comprises the steps of obtaining configuration input data, wherein the configuration input data comprise equipment identification of firewall equipment, processing the configuration input data based on the equipment identification to obtain target configuration data, and sending the target configuration data to the firewall equipment so that the firewall equipment can configure access control rules based on the target configuration data.

Fig. 1 schematically illustrates an application scenario of an access control method and an access control apparatus according to an embodiment of the present disclosure. It should be noted that fig. 1 is only an example of an application scenario in which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, but does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.

As shown in fig. 1, the application scenario 100 according to this embodiment may include, for example, a first electronic device 110, a second electronic device 120, a firewall device 130, and a configuration device 140.

According to the disclosed embodiment, the first electronic device 110 and the second electronic device 120 may be, for example, various electronic devices having display screens and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.

In the disclosed embodiment, when the first electronic device 110 needs to access the second electronic device 120, it sends access data addressed to the second electronic device 120. The access data is received by the firewall device 130, which determines, based on the access control rule, whether the first electronic device 110 is allowed to access the second electronic device 120. If so, the firewall device 130 forwards the access data to the second electronic device 120.

According to embodiments of the present disclosure, the configuration device 140 may include, for example, but is not limited to, a smart phone, a tablet computer, a laptop portable computer, a desktop computer, and the like. The configuration device 140 may be used, for example, to obtain target configuration data and send the target configuration data to the firewall device 130, where the firewall device 130 may configure the access control rules based on the target configuration data.

Fig. 2A-2B schematically illustrate a flow chart of an access control method according to an embodiment of the disclosure.

As shown in fig. 2A, the access control method of the embodiment of the present disclosure may include, for example, the following operations S210 to S230.

In operation S210, access data for the first electronic device to access the second electronic device is received.

In operation S220, the access data is processed based on the access control rule of the firewall device, resulting in a processing result.

According to the embodiment of the disclosure, the interaction data between the first electronic device and the second electronic device needs to pass through the firewall device, for example, and the firewall device determines to pass or discard the interaction data based on the access control rule. For example, when a first electronic device wants to access a second electronic device, the first electronic device needs to send access data to the second electronic device, the access data first passes through a firewall device, the access data is processed by the firewall device based on an access control rule, and the obtained processing result represents whether the first electronic device is allowed to access the second electronic device.

Next, in operation S230, it is determined whether the first electronic device is allowed to access the second electronic device based on the processing result.

According to an embodiment of the disclosure, if the processing result characterizes that the first electronic device is allowed to access the second electronic device, the access data may be forwarded by the firewall device to the second electronic device. If the processing result indicates that the first electronic device is prohibited from accessing the second electronic device, the firewall device may discard the access data without forwarding the access data to the second electronic device.

According to the embodiment of the present disclosure, the access control rule may be, for example, an ACL (Access Control List) rule of the firewall device. The access control rule defines, for example, the access conditions that the source and the destination of a data access must satisfy; when both the source and the destination satisfy the access conditions, the firewall device allows the source to access the destination. In the embodiment of the present disclosure, when a first electronic device accesses a second electronic device, the first electronic device serves as the source and the second electronic device serves as the destination.

According to an embodiment of the present disclosure, the access control rules may include, for example, a first rule that allows access data to pass and/or a second rule that prohibits access data from passing. The processing of the access data based on the access control rule of the firewall device includes, for example: if the access data is determined to satisfy the first rule, a processing result of allowing the access data to pass is obtained, and the access data can be forwarded to the second electronic device by the firewall device. If it is determined that the access data satisfies the second rule, a processing result is obtained that the access data is prohibited from passing, and the access data may be discarded by the firewall device without being forwarded to the second electronic device.

As shown in fig. 2B, the access control rule of the embodiment of the present disclosure may be obtained based on, for example, the following operations S240 to S260.

In operation S240, configuration input data is acquired, wherein the configuration input data includes a device identification of the firewall device.

According to an embodiment of the present disclosure, the configuration input data may be, for example, data entered by a user on a centralized management platform. The centralized management platform is used, for example, to centrally configure access control rules for a plurality of firewall devices. The configuration input data includes, for example, the device identification of the firewall device to which the configuration input data is directed. When access control rules of a plurality of firewall devices need to be centrally configured, the configuration input data may include, for example, device identifications of the plurality of firewall devices. Alternatively, the access control rules of multiple firewall devices may be configured in sequence, and in this case, the configuration input data may include the device identifier of the firewall device currently targeted.

In operation S250, the configuration input data is processed based on the device identification, resulting in target configuration data.

According to an embodiment of the disclosure, the firewall device may configure access control rules of the firewall device based on the target configuration data. Different firewall devices have different requirements on the data formats of the target configuration data, that is, different firewall devices can process the target configuration data in different data formats. Therefore, different processing modes can be adopted for processing the configuration input data for different firewall equipment to obtain target configuration data in different data formats. For example, after the configuration input data is obtained, it is necessary to determine the firewall device currently targeted according to the device identifier in the configuration input data, so as to process the configuration input data based on the processing manner corresponding to the firewall device currently targeted, thereby obtaining the target configuration data corresponding to the firewall device currently targeted.

According to the embodiment of the disclosure, since different firewall devices can process target configuration data in different data formats, the data format in which the firewall device processes data can be determined based on the device identifier. The configuration input data is then processed based on the data format in which the firewall device processes the data to obtain target configuration data that satisfies the data format.

In embodiments of the present disclosure, the different data formats may be, for example, different programming languages; that is, different firewall devices recognize and process different programming languages. The configuration input data can therefore be translated, according to the device identifier of the firewall device, into the programming language that the firewall device can process, so that the data format of the resulting target configuration data is a programming language the firewall device can process.

In addition to programming languages, the data format may include the rule format of the access control rules. For example, when the access control rule of a firewall device must be configured to allow access data whose access time is between 4pm and 6pm to pass, the configuration input data may be "4pm to 6pm". Different firewall devices handle different data formats: for example, firewall device 1 can handle "16:00-18:00", while firewall device 2 can handle "4pm to 6pm". For the device identifier of firewall device 1, the configuration input data "4pm to 6pm" is therefore processed into target configuration data in the "16:00-18:00" format, so that firewall device 1 configures its access control rule based on target configuration data in the "16:00-18:00" format. For the device identifier of firewall device 2, the configuration input data "4pm to 6pm" is processed into target configuration data in the "4pm to 6pm" format, so that firewall device 2 configures its access control rule based on target configuration data in the "4pm to 6pm" format.

It is understood that the data formats in which different firewall devices can process data are of different types, and the data formats of the disclosed embodiments include, but are not limited to, programming languages, and rule formats of access control rules.

According to the embodiment of the disclosure, when different firewall devices are configured, for example, the data formats of the input configuration input data are all the same, and then the configuration input data are automatically processed into the target configuration data corresponding to the different firewall devices, wherein the data format of the target configuration data is the data format which can be processed by the firewall devices.

Next, in operation S260, the target configuration data is transmitted to the firewall device, so that the firewall device configures the access control rule based on the target configuration data.

According to the embodiment of the disclosure, after the configuration input data is processed to obtain the target configuration data corresponding to the firewall device, the target configuration data may be sent to the corresponding firewall device, so that the firewall device configures the access control rule based on the target configuration data.

It can be understood that, according to the embodiment of the present disclosure, the configuration input data is automatically processed into a data format that each firewall device can process, so that the firewall device configures its access control rule based on target configuration data in the corresponding data format, thereby implementing centralized management of the firewall devices. Moreover, when different firewall devices are configured, the data format of the configuration input data entered by a user may, for example, be the same for all of them, so that the configuration efficiency of the firewall devices can be improved.

According to an embodiment of the disclosure, the access control rule of the firewall device includes, for example, at least one sub-rule. For example, when the access control rule is a rule for whether the first electronic device is allowed to access the second electronic device, the access control rule comprises, for example, a plurality of sub-rules, each of which defines a different access requirement. For ease of understanding, take two sub-rules as an example. The first sub-rule defines, for example, address information of the first electronic device and address information of the second electronic device; after the firewall device receives the access data from the first electronic device, it may process the access data to obtain the address information of the first electronic device and of the second electronic device, determine whether that address information satisfies the address information defined in the first sub-rule, and if so, forward the access data to the second electronic device. The second sub-rule defines, for example, an access time; after the firewall device receives the access data from the first electronic device, it may process the access data to obtain the time at which the first electronic device is to access the second electronic device, determine whether that time satisfies the access time defined in the second sub-rule, and if so, forward the access data to the second electronic device.

According to the embodiment of the present disclosure, any one of the at least one sub-rule of the access control rule may include, for example, at least one of security domain information, address information, protocol information, and time information.

For example, the security domain information defines a security domain that includes a plurality of users, and the users within the security domain can access the second electronic device through the first electronic device. A user not within the security domain cannot access the second electronic device through the first electronic device.

For example, the address information includes the addresses of a plurality of gateway devices, and the first electronic device can access the second electronic device through a gateway device whose address is included in the address information. If the address of a certain gateway device is not within the range of the address information, the first electronic device cannot access the second electronic device through that gateway device.

For example, the protocol information defines a data transfer protocol that the access data satisfies. When the first electronic device is to access the second electronic device, the firewall device receives the access data and determines whether the protocol of the access data meets the defined protocol information, and if the protocol of the access data meets the protocol information, the first electronic device can access the second electronic device, that is, the firewall device can forward the access data to the second electronic device.

For example, the time information defines an access time. When the first electronic device is to access the second electronic device, the firewall device receives the access data and determines whether the access time in the access data satisfies the defined time information, and if the access time in the access data satisfies the time information, the first electronic device can access the second electronic device.
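As an added example (not code from the patent), here is how a firewall device might process access data against sub-rules carrying security domain, address, protocol and time information and derive the allow/prohibit processing result of the first and second rules. The class and field names, the CIDR form of the address information, the precedence of the prohibiting rule and the default-deny outcome are this example's assumptions; the page does not fix them.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Constructed access data: what the firewall device extracts from one attempt
# by the first electronic device to reach the second electronic device.
@dataclass(frozen=True)
class AccessData:
    user: str          # user behind the first electronic device
    gateway: str       # address of the gateway device the access came through
    protocol: str      # data transfer protocol of the access data
    access_time: time  # time at which access is attempted

# One sub-rule.  A field left as None is "not constrained"; a sub-rule matches
# only when every constraint it does carry is satisfied.
@dataclass(frozen=True)
class SubRule:
    users: Optional[FrozenSet[str]] = None       # security domain information
    gateways: Optional[Tuple[str, ...]] = None   # address information (CIDR ranges)
    protocols: Optional[FrozenSet[str]] = None   # protocol information
    window: Optional[Tuple[time, time]] = None   # time information (inclusive)

    def matches(self, d: AccessData) -> bool:
        if self.users is not None and d.user not in self.users:
            return False
        if self.gateways is not None and not any(
                ip_address(d.gateway) in ip_network(n) for n in self.gateways):
            return False
        if self.protocols is not None and d.protocol not in self.protocols:
            return False
        if self.window is not None and not (
                self.window[0] <= d.access_time <= self.window[1]):
            return False
        return True

# The access control rule: a first rule (sub-rules that allow access data to
# pass) and a second rule (sub-rules that prohibit it).  Assumption for this
# example: a matching prohibit sub-rule wins, and access data that matches
# neither rule is prohibited (default deny).
@dataclass(frozen=True)
class AccessControlRule:
    allow: Tuple[SubRule, ...] = ()
    deny: Tuple[SubRule, ...] = ()

    def process(self, d: AccessData) -> str:
        """Operation S220: the processing result, 'allow' or 'prohibit'."""
        if any(r.matches(d) for r in self.deny):
            return "prohibit"
        if any(r.matches(d) for r in self.allow):
            return "allow"
        return "prohibit"

# Constructed rule: users of one security domain may reach the second device
# through gateways in 10.0.0.0/24 over TCP between 16:00 and 18:00, while
# ICMP access data is always prohibited.
SAMPLE_RULE = AccessControlRule(
    allow=(SubRule(users=frozenset({"alice", "bob"}),
                   gateways=("10.0.0.0/24",),
                   protocols=frozenset({"tcp"}),
                   window=(time(16, 0), time(18, 0))),),
    deny=(SubRule(protocols=frozenset({"icmp"})),),
)

def is_access_allowed(user: str, gateway: str, protocol: str, hour: int,
                      minute: int = 0,
                      rule: AccessControlRule = SAMPLE_RULE) -> bool:
    """Operation S230: decide whether the first device may access the second."""
    d = AccessData(user, gateway, protocol, time(hour, minute))
    return rule.process(d) == "allow"
```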

In the embodiment of the present disclosure, the access control rule is configured as tree-structured data, for example, the access control rule of each firewall device is configured as tree-structured data, that is, each firewall device corresponds to one tree-structured data.

According to an embodiment of the present disclosure, the tree structured data includes, for example, a plurality of nodes, at least one of which includes rule data. That is, some of the plurality of nodes include rule data and some nodes do not have a specific value (i.e., no rule data). The plurality of nodes include, for example, a root node and a leaf node. The root node has no specific value, and includes, for example, a device identification node of the firewall device and a list information node. The list information nodes include, for example, a sub-rule list node, a security domain information list node, an address information list node, a protocol information list node, and a time information list node.

Any one of the sub-rule list node, the security domain information list node, the address information list node, the protocol information list node and the time information list node may include a leaf node, for example. Taking the security domain information list node as an example, for example, if a plurality of security domains are defined for the access control rule of the firewall device, the security domain information list node includes a plurality of leaf nodes, for example, and the leaf nodes correspond to the defined plurality of security domains one to one. The rule data in the leaf node includes, for example, a plurality of users defined within the security domain.

In one embodiment, the root node may also include, for example, a special node. The special node defines, for example, a mode node, which includes a plurality of alternatives, one of which may be selected to implement an access control rule for configuring the firewall device. The alternatives include, for example, different input formats for the address information, which may be selected for different firewall devices when entering the address information to derive the configuration input data.

According to an embodiment of the present disclosure, the tree structured data may further include, for example, path information of a plurality of nodes via which, for example, the plurality of nodes can be accessed. In the embodiment of the present disclosure, when an access control rule of a firewall device is to be configured, generally, an update operation is performed on rule data in a corresponding node, and at this time, the corresponding node may be found through path information, so as to update the rule data in the node. The update operation may include, for example, an overlay update operation, an incremental update operation, an overlay delete operation, a query overlay delete operation, and so on.

According to the embodiment of the present disclosure, processing the configuration input data based on the device identifier to obtain the target configuration data may include the following steps (1) to (5), for example.

(1) A target node of the at least one node for which the configuration input data is intended is determined. The target node is, for example, a node comprising rule data. That the configuration input data is intended for the target node means, for example, that the configuration input data can be used to update the rule data in the target node.

(2) Based on the path information, the target node is accessed. For example, a target node to which the configuration input data is directed is accessed according to the path information of the tree-structured data.

(3) A configuration mode for the target node is determined. The configuration mode includes, for example, the update operation that needs to be performed on the target node, and the update operation may include, for example, an overlay update operation, an incremental update operation, an overlay delete operation, a query overlay delete operation, and the like.

(4) The rule data of the target node is configured based on the configuration mode and the configuration input data to obtain a configuration result. For example, taking an incremental update operation as the configuration mode, the configuration input data includes incremental data for the target node, and the incremental data is added to the rule data of the target node to obtain updated rule data, thereby configuring the target node. The configuration result includes, for example, the updated rule data of the target node.

(5) The configuration result is processed based on the device identifier to obtain the target configuration data. For example, the configuration result is processed according to the device identifier of the firewall device for which the current configuration operation is performed, yielding target configuration data corresponding to that firewall device, where the data format of the target configuration data is, for example, a format that the current firewall device can recognize and process.
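As an added example (not the patent's own code), the following Python models steps (1) to (5) on a small tree and also illustrates the earlier firewall device 1 / firewall device 2 discussion: the path information resolves the target node, the configuration mode is applied to its rule data, and step (5) renders the same operator input, "4 pm to 6 pm", into the time format of the device identified. The node names, the path syntax, the DEVICE_FORMATS table and the semantics of the four update operations are assumptions, since the page only names them.

```python
import re
from copy import deepcopy
from typing import Any, Dict, Tuple

# Hypothetical table mapping a device identifier to the data format that
# firewall can process (constructed; the page only says the formats differ).
DEVICE_FORMATS = {"fw-1": "24h", "fw-2": "12h"}

def new_rule_tree(device_id: str) -> Dict[str, Any]:
    """Tree-structured rule data for one firewall device: the root carries no
    rule data, only a device identifier node, a list information node and a
    special (mode) node.  Node names are this example's assumption."""
    return {
        "device_id": device_id,
        "lists": {"sub_rules": [], "security_domains": [], "addresses": [],
                  "protocols": [],
                  "times": []},  # leaf nodes: (start_hour, end_hour), 24-hour
        "special": {"mode": "cidr"},
    }

def locate_node(tree: Dict[str, Any], path: str) -> Tuple[Any, Any]:
    """Step (2): resolve '/'-separated path information to (parent, key)."""
    parts = path.split("/")
    node: Any = tree
    for part in parts[:-1]:
        node = node[int(part)] if isinstance(node, list) else node[part]
    key: Any = int(parts[-1]) if isinstance(node, list) else parts[-1]
    return node, key

def parse_time_input(text: str) -> Tuple[int, int]:
    """Parse operator input such as '4 pm to 6 pm' into 24-hour hours."""
    m = re.fullmatch(r"\s*(\d{1,2})\s*(am|pm)\s*to\s*(\d{1,2})\s*(am|pm)\s*",
                     text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised time input: {text!r}")
    def to24(hour: str, ampm: str) -> int:
        return int(hour) % 12 + (12 if ampm.lower() == "pm" else 0)
    return to24(m[1], m[2]), to24(m[3], m[4])

def configure_node(tree: Dict[str, Any], path: str, mode: str, data: Any = None) -> Any:
    """Steps (3)-(4): apply the configuration mode to the target node's rule
    data.  The page names the four update operations without defining them;
    the semantics below are assumptions made for this example."""
    parent, key = locate_node(tree, path)
    if mode == "overlay_update":            # replace the rule data wholesale
        parent[key] = deepcopy(data)
    elif mode == "incremental_update":      # append the incremental data
        parent[key].extend(data)
    elif mode == "overlay_delete":          # remove every entry of the node
        parent[key] = []
    elif mode == "query_overlay_delete":    # remove only entries equal to the query
        parent[key] = [x for x in parent[key] if x != data]
    else:
        raise ValueError(f"unknown configuration mode: {mode}")
    return parent[key]                      # the configuration result

def hour_12h(h: int) -> str:
    return f"{(h % 12) or 12}{'am' if h < 12 else 'pm'}"

def render_for_device(tree: Dict[str, Any]) -> Dict[str, Any]:
    """Step (5): target configuration data in the format this device can process."""
    fmt = DEVICE_FORMATS[tree["device_id"]]
    def window(w: Tuple[int, int]) -> str:
        start, end = w
        if fmt == "24h":                                  # e.g. firewall device 1
            return f"{start:02d}:00-{end:02d}:00"
        return f"{hour_12h(start)} to {hour_12h(end)}"    # e.g. firewall device 2
    out = deepcopy(tree)
    out["lists"]["times"] = [window(w) for w in tree["lists"]["times"]]
    return out

def process_config_input(tree: Dict[str, Any], raw_input: str,
                         mode: str = "incremental_update",
                         path: str = "lists/times") -> Dict[str, Any]:
    """Steps (1)-(5) end to end: one operator input, device-specific output."""
    window = parse_time_input(raw_input)      # step (1): the target node is `path`
    payload = window if mode == "query_overlay_delete" else [window]
    configure_node(tree, path, mode, payload)
    return render_for_device(tree)
```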

According to the embodiment of the disclosure, the access control rule of the firewall device is defined as tree-structured data, and when the target node is configured, the target node can be quickly found through the access path of the tree-structured data, so that the configuration efficiency of the access control rule is improved, and the centralized management of the firewall device is facilitated.

Fig. 3A schematically illustrates a block diagram of an access control device according to an embodiment of the present disclosure.

As shown in fig. 3A, the access control device 300A may include, for example, a receiving module 310, a first processing module 320, and a determining module 330.

The receiving module 310 may be used to receive access data used by a first electronic device to access a second electronic device. According to the embodiment of the present disclosure, the receiving module 310 may, for example, perform operation S210 described above with reference to fig. 2A, which is not described herein again.

The first processing module 320 may be configured to process the access data based on the access control rule of the firewall device to obtain a processing result. According to the embodiment of the present disclosure, the first processing module 320 may, for example, perform operation S220 described above with reference to fig. 2A, which is not described herein again.

The determining module 330 may be configured to determine whether to allow the first electronic device to access the second electronic device based on the processing result. According to the embodiment of the present disclosure, the determining module 330 may, for example, perform operation S230 described above with reference to fig. 2A, which is not described herein again.

Fig. 3B schematically illustrates a block diagram of a configuration device according to an embodiment of the disclosure.

As shown in fig. 3B, the configuration apparatus 300B may include, for example, an acquisition module 340, a second processing module 350, and a sending module 360.

The obtaining module 340 may be configured to obtain configuration input data, where the configuration input data includes a device identification of a firewall device. According to the embodiment of the present disclosure, the obtaining module 340 may, for example, perform the operation S240 described above with reference to fig. 2B, which is not described herein again.

The second processing module 350 may be configured to process the configuration input data based on the device identification, resulting in target configuration data. According to the embodiment of the present disclosure, the second processing module 350 may, for example, perform operation S250 described above with reference to fig. 2B, which is not described herein again.

The sending module 360 may be configured to send the target configuration data to the firewall device, so that the firewall device configures the access control rule based on the target configuration data. According to the embodiment of the present disclosure, the sending module 360 may perform, for example, operation S260 described above with reference to fig. 2B, which is not described herein again.

According to an embodiment of the present disclosure, processing the configuration input data based on the device identifier to obtain the target configuration data includes: determining, based on the device identifier, the data format of data that the firewall device can process, and processing the configuration input data based on that data format to obtain target configuration data that conforms to the data format.

According to an embodiment of the present disclosure, the access control rules include a first rule that allows access data to pass and/or a second rule that prohibits access data from passing. Wherein, the access data is processed based on the access control rule of the firewall equipment, and the processing result is obtained by: in response to determining that the access data satisfies the first rule, a processing result is obtained that allows the access data to pass through, and in response to determining that the access data satisfies the second rule, a processing result is obtained that prohibits the access data from passing through.

According to an embodiment of the present disclosure, the access control rule is configured as tree-structured data including: a plurality of nodes, at least one of the plurality of nodes comprising rule data, path information of the plurality of nodes, wherein the plurality of nodes are accessible via the path information.

According to an embodiment of the present disclosure, processing the configuration input data based on the device identifier to obtain the target configuration data includes: determining, among the at least one node, a target node for which the configuration input data is intended; accessing the target node based on the path information; determining a configuration mode for the target node; configuring the rule data of the target node based on the configuration mode and the configuration input data to obtain a configuration result; and processing the configuration result based on the device identifier to obtain the target configuration data.

According to an embodiment of the present disclosure, the access control rule includes at least one sub-rule. Any sub-rule of the at least one sub-rule includes at least one of the following information: security domain information, where a user in the security domain corresponding to the security domain information can access the second electronic device through the first electronic device; address information, where the first electronic device can access the second electronic device through a gateway device whose address is included in the address information; protocol information, where a first electronic device whose data access protocol satisfies the protocol information can access the second electronic device; and time information, where a first electronic device whose data access time satisfies the time information can access the second electronic device.

According to an embodiment of the present disclosure, the present disclosure also provides a computing device, including: one or more processors; a storage device to store one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method described in fig. 2A-2B. In particular, the computing device may include a firewall device that may perform the method described in fig. 2A and a configuration device that may perform the method described in fig. 2B.

Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.

For example, any number of the receiving module 310, the first processing module 320, the determining module 330, the obtaining module 340, the second processing module 350, and the sending module 360 may be combined and implemented in one module, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the receiving module 310, the first processing module 320, the determining module 330, the obtaining module 340, the second processing module 350, and the sending module 360 may be at least partially implemented as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementations of software, hardware, and firmware, or by a suitable combination of any several of them. Alternatively, at least one of the receiving module 310, the first processing module 320, the determining module 330, the obtaining module 340, the second processing module 350 and the sending module 360 may be at least partially implemented as a computer program module, which when executed, may perform a corresponding function.

FIG. 4 schematically illustrates a block diagram of a computer system suitable for access control according to an embodiment of the present disclosure. The computer system illustrated in FIG. 4 is only one example and should not impose any limitations on the scope of use or functionality of embodiments of the disclosure.

As shown in fig. 4, a computer system 400 according to an embodiment of the present disclosure includes a processor 401 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 402 or a program loaded from a storage section 408 into a Random Access Memory (RAM) 403. Processor 401 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 401 may also include onboard memory for caching purposes. Processor 401 may include a single processing unit or multiple processing units for performing the different actions of the method flows in accordance with embodiments of the present disclosure.

In the RAM 403, various programs and data necessary for the operation of the system 400 are stored. The processor 401, ROM 402 and RAM 403 are connected to each other by a bus 404. The processor 401 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 402 and/or the RAM 403. Note that the programs may also be stored in one or more memories other than the ROM 402 and RAM 403. The processor 401 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.

According to an embodiment of the present disclosure, system 400 may also include an input/output (I/O) interface 405, input/output (I/O) interface 405 also connected to bus 404. The system 400 may also include one or more of the following components connected to the I/O interface 405: an input section 406 including a keyboard, a mouse, and the like; an output section 407 including a display device such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 408 including a hard disk and the like; and a communication section 409 including a network interface card such as a LAN card, a modem, or the like. The communication section 409 performs communication processing via a network such as the internet. A driver 410 is also connected to the I/O interface 405 as needed. A removable medium 411 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 410 as necessary, so that a computer program read out therefrom is mounted into the storage section 408 as necessary.

According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 409, and/or installed from the removable medium 411. The computer program, when executed by the processor 401, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.

The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.

According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example and without limitation: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.

For example, according to embodiments of the present disclosure, a computer-readable storage medium may include ROM 402 and/or RAM 403 and/or one or more memories other than ROM 402 and RAM 403 described above.

The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.

The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.
