
Flow control device and network configuration method and device security strategy thereof


Abstract

A method for setting a security policy, implemented by a network traffic control device, comprising: identifying (S101) a source, a destination and an application type of an input data stream, wherein the source indicates a user sending the data stream or a user address from which the data stream is sent, the destination indicates a user address, server address or public network address at which the data stream is received, and the application type indicates which kind of application's data is included in the data stream; if the data stream does not match an existing policy, matching the data stream with an allow-any policy that allows access for all users; executing (S102), based on a default enterprise organizational structure, first ascending screening processing to obtain a first upstream traceback point and a first upstream tracking target point when the data stream matches the allow-any policy, wherein the first upstream traceback point is the department to which the user indicated by the source belongs when the source indicates a user; the first upstream traceback point is a first network segment to which the user address indicated by the source belongs when the source indicates a user address from which the data stream is sent, the first network segment comprising multiple IP (Internet Protocol) addresses; the first upstream tracking target point is set to any when the destination indicates a public network address; the first upstream tracking target point is set to a server when the destination indicates a server address; and the first upstream tracking target point is a second network segment to which the user address at which the data stream is received belongs when the destination indicates a user address at which the data stream is received, the second network segment comprising multiple IP addresses; and generating (S103) a first security policy, wherein the source in the match condition of the first security policy is set to the first upstream traceback point, the destination in the match condition of the first security policy is set to the first upstream tracking target point, and the application in the match condition of the first security policy is set to the application type of the data stream, the first security policy being used to match a subsequent data stream.

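Bibliographic details

  • Publication number: ES2687351T3
  • Publication date: 2018-10-24
  • Original format: PDF
  • Applicant/patentee: HUAWEI TECHNOLOGIES CO. LTD.
  • Application number: ES20140875870T
  • Inventor: WANG XIANGGUANG
  • Filing date: 2014-11-26
  • Classification: H04L29/06; H04L29/08
  • Country: ES
  • Date added to database: 2022-08-21 12:48:23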
