Any business seeks to reduce costs, and IT infrastructure is no exception.
When a new office opens, someone's hair stands on end, because you have to set up:
- a local network;
- Internet access, preferably with a backup link through a second provider;
- a VPN to the head office (or to all branches);
- a hotspot for clients with SMS authorization;
- traffic filtering so that employees don't sit on social networks and don't chatter on Skype;
- protection of the network from viruses and attacks, including intrusion detection/prevention (IDS/IPS);
- your own mail server (if you don't trust the likes of pdd.yandex.ru) with antivirus and antispam;
- a file share;
- and probably telephony, i.e. a PBX, a connection to a SIP provider, and other goodies...
But a help-desk "any key" technician won't be able to stand up an enterprise network with such requirements... Hire an expensive system administrator?
A very large ruble figure emerges in terms of future costs.
But these costs can be significantly reduced if you pay attention to UTM solutions, of which there are now many. And since I adhere to the "the simpler, the better" strategy when solving my problems, my eyes fell on UTM
How this system will help save the company's budget, and why an expensive system administrator is not needed to maintain it, I will tell below.
But looking ahead, I'll say that this is a specific product and it has its limitations. You can evaluate the capabilities of the gateway in more detail
I set it up for the article "the Russian way", that is, without reading the manual, in order to understand how intuitive everything is.
Initial installation
ICS can be installed both on real hardware and in a hypervisor. Any fanless PC will do. For example, this one.
The system is based on
The installation is done on a blank disk. More precisely, if there was anything on the disk, you can safely say goodbye to it. Unfortunately, the installer only supports English, but after installation the main interface can be switched to Russian.
Don't forget about resiliency either: if there are several disks in the system, they can be combined into a RAID using ZFS.
Select the network interface and assign an IP address from the chosen network.
Specify a real domain name if you plan to run, for example, a mail server. If there is no such need right now, you can make something up; it can be corrected later in the interface.
That's it! The web interface is reachable at the IP address specified in the settings on port 81. DHCP is not yet enabled at this stage, so you will have to manually assign your PC an IP address from the same network.
Connecting to the Internet and connecting offices
The first time you log in, a wizard is launched that makes you set a strong password.
Wizard
Next, we go into the network settings
and configure the connection to our provider and the role of each network interface.
You can set up several providers and organize load balancing between them.
By the way, if the English interface language is not convenient for you, you can easily change it here.
If you want to connect an office, for example a branch to the head office, you create a new connection
and set up routes to the resources on the remote network.
Dynamic routing you can forget about: there is none.
Maybe I'm nitpicking, but IMHO this is a big drawback...
Internet access for employees
Most often, the main task of the gateway is to control employees' access to the Internet.
Employees can be identified both by IP/MAC address and by login/password through an agent or a captive portal.
Also, if your organization uses Active Directory, ICS can be integrated with it.
The filtering settings (where an employee can and cannot go) are very extensive.
There is a huge number of ready-made rule templates:
You can allow YouTube but prohibit uploading videos there.
Or you can leave access unrestricted, and ICS will still tell you who went where with its extensive reports:
What about guest Wi-Fi?
Guest Wi-Fi can be organized in compliance with the requirements of Russian Federation law on mandatory user identification.
ICS supports sending SMS via the SMPP protocol through any SMS provider.
Telephony.
Yes, yes! No need to install a separate server with Asterisk; it is already in ICS.
I successfully connected SIP from Megafon (eMotion, MultiFon).
How to get SIP from Megafon at the cellular rates of individuals can be found in the article
Security.
ICS has many tools that let you adjust the level of security to your requirements: from the free antivirus engines ClamAV and
Even the indispensable fail2ban is configured in a few clicks
ICS can also monitor traffic via the NetFlow protocol exported from network equipment, without passing the traffic through itself.
Communication goodies
Communication between employees can be organized not only via telephony and mail
but also via Jabber. True, few people remember that protocol anymore.
Web server
ICS even has a web server with PHP support. You can install your own HTTPS certificate if you have purchased one, or tell ICS to obtain a free Let's Encrypt certificate.
This is enough to host a business-card site or an advertising landing page. But you won't be able to run a heavy portal with custom modules on it. And to my mind that would be silly anyway; a gateway should remain a gateway.
Flexible configuration of monitoring and notifications.
Alerts can even be sent to Telegram, and in the realities of the Russian Federation it is even possible to send the messages through a proxy.
In conclusion
Internet gateway "X" contains almost all the components necessary for a small office to function.
And all of this can be configured by a novice system administrator.
Although the system is built on FreeBSD, there is no SSH access to it. That is, without workarounds you will not be able to install PHP modules. You'll have to be content with what you have... or ask support to add it.
In any scenario at the beginning
The license does not expire, but despite this, the cost is quite
On the test bench, in synthetic tests, the system behaved adequately.
If the customer approves and you are interested in how this system behaves in production, then in 3-6 months I will write a review of all the problems and difficulties that have arisen. If possible, we will also check the quality of technical support.
In the comments, I expect questions from you about what needs to be examined in detail during production use.
Source: habr.com