2. UserGate Getting Started. Requirements, installation

Hello, this is the second article about the NGFW solution from UserGate. The purpose of this article is to show how to install the UserGate firewall on a virtual machine (I will use VMware Workstation as the virtualization software) and perform its initial configuration (allowing access from the local network through the UserGate gateway to the Internet).

1. Introduction

First, I will describe the different ways of integrating this gateway into a network. Note that depending on the chosen integration option, some gateway functions may not be available. The UserGate solution supports the following integration modes:

  • L3-L7 firewall

  • L2 transparent bridge

  • L3 transparent bridge

  • Virtually inline, using the WCCP protocol

  • Virtually inline, using policy-based routing

  • Router

  • Explicit WEB proxy

  • UserGate as the default gateway

  • Mirror port monitoring

UserGate supports two types of clusters:

  1. Configuration cluster. Nodes combined into a configuration cluster keep identical settings across the cluster.

  2. Failover cluster. Up to 4 nodes of a configuration cluster can be combined into a failover cluster that supports Active-Active or Active-Passive operation. Several failover clusters can be created.

2. Installation

As mentioned in the previous article, UserGate is supplied either as a hardware and software appliance or as an image deployed in a virtual environment. From your personal account on the UserGate website, download the image in OVF (Open Virtualization Format); this format is suitable for the VMware and Oracle VirtualBox hypervisors. For Microsoft Hyper-V and KVM, virtual machine disk images are provided.

According to the UserGate website, for the virtual machine to work correctly at least 8 GB of RAM and a 2-core virtual processor are recommended. The hypervisor must support 64-bit operating systems.

Installation starts by importing the image into the chosen hypervisor (VirtualBox or VMware). In the case of Microsoft Hyper-V and KVM, you need to create a virtual machine, attach the downloaded image as its disk, and then disable the integration services in the settings of the created machine.

By default, after import into VMware, the virtual machine is created with the settings shown in the screenshot.

As written above, at least 8 GB of RAM is required, plus an additional 1 GB for every 100 users. The default disk size is 100 GB, but this is usually not enough to store all logs and settings; the recommended size is 300 GB or more. Therefore, in the virtual machine properties we change the disk size to the desired value. Out of the box, the UserGate UTM virtual machine comes with four interfaces assigned to zones:

Management is the first interface of the virtual machine, a zone for connecting trusted networks that are allowed to manage UserGate.

Trusted is the second interface of the virtual machine, a zone for connecting trusted networks, for example LAN networks.

Untrusted is the third interface of the virtual machine, a zone for connecting untrusted networks, for example the Internet.

DMZ is the fourth interface of the virtual machine, a zone for interfaces connected to the DMZ network.

Next we start the virtual machine. Although the manual says you need to select Support Tools and perform a UTM Factory reset, as you can see there is only one option (UTM First Boot). During this step, UTM configures the network adapters and extends the disk partition to the full size of the disk.

To connect to the UserGate web interface, you must come in through the Management zone; the eth0 interface is responsible for this and is configured to obtain an IP address automatically (DHCP). If it is not possible to assign an address to the Management interface automatically via DHCP, it can be set explicitly from the CLI (Command Line Interface). To do this, log in to the CLI with a username and password that have full administrative rights (Admin, with a capital letter, by default). If the UserGate device has not been initialized yet, use Admin as the username and utm as the password to access the CLI. Then enter a command such as: iface config --name eth0 --ipv4 192.168.1.254/24 --enable true --mode static. After that, open the UserGate console at the specified address; it should look something like https://UserGateIPaddress:8001.

In the console we continue the installation: select the interface language (currently Russian or English) and the time zone, then read and accept the license agreement. Set the login and password for accessing the web management console.

3. Configuration

After installation, this is what the web management console window looks like.

Then you need to configure the network interfaces. To do this, in the "Interfaces" section enable them, set the correct IP addresses and assign the appropriate zones.

The "Interfaces" section shows all physical and virtual interfaces present in the system, allows you to change their settings and add VLAN interfaces. It also shows all the interfaces of every cluster node. Interface settings are specific to each node, i.e. they are not global.

In Properties you can:

  • Enable or disable the interface

  • Specify the interface type - Layer 3 or Mirror

  • Assign a zone to the interface

  • Assign a Netflow profile for sending statistics to a Netflow collector

  • Change the physical parameters of the interface - MAC address and MTU size

  • Select the IP address assignment type - no address, static IP address or obtained via DHCP

  • Configure DHCP relay on the selected interface.

The "Add" button lets you add the following types of logical interfaces:

  • VLAN

  • Bond

  • Bridge

  • PPPoE

  • VPN

  • Tunnel

In addition to the zones listed earlier that ship with the UserGate image, there are three more predefined zones:

Cluster - a zone for the interfaces used for cluster operation.

VPN for Site-to-Site - the zone in which all Office-to-Office clients connected to UserGate via VPN are placed.

VPN for remote access - the zone that includes all mobile users connected to UserGate via VPN.

UserGate administrators can change the settings of the default zones and create additional zones, but, as described for version 5, a maximum of 15 zones can be created. To change or create them, go to the Zones section. For each zone you can set flood-protection thresholds; SYN, UDP and ICMP are supported. Access control to UserGate services is also configured per zone, and spoofing protection is enabled there.
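To make the per-zone threshold idea concrete, here is an added example (my own model, not UserGate's code) of how a flood threshold is typically evaluated: a sliding one-second window per zone and protocol, with an alert when the packet count exceeds the zone's limit. The zone names match the article; the threshold values, the window length and the packet trace are constructed for the demonstration.

```python
from collections import defaultdict, deque

# Constructed per-zone thresholds in packets per second, one per protocol that
# the zone settings let you limit (SYN, UDP, ICMP). Values are illustrative only.
ZONE_THRESHOLDS = {
    "Untrusted": {"SYN": 5, "UDP": 10, "ICMP": 3},
    "Trusted": {"SYN": 50, "UDP": 100, "ICMP": 20},
}


class FloodMonitor:
    """Sliding window per (zone, protocol); reports when the packet rate
    crosses the zone's threshold. A model of the check, not UserGate's code."""

    def __init__(self, thresholds, window=1.0):
        self.thresholds = thresholds
        self.window = window                 # seconds
        self.events = defaultdict(deque)     # (zone, proto) -> packet timestamps

    def observe(self, zone, proto, ts):
        """Record one packet; return True if it pushes the rate over the limit."""
        limit = self.thresholds.get(zone, {}).get(proto)
        if limit is None:
            return False                     # no threshold configured for this pair
        q = self.events[(zone, proto)]
        q.append(ts)
        # Drop timestamps that fell out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > limit


def run_sample():
    """Feed a constructed trace: 8 SYNs within 0.35 s on Untrusted (limit 5)
    and a slow ICMP trickle on Trusted (limit 20). Returns the alerts raised."""
    mon = FloodMonitor(ZONE_THRESHOLDS)
    trace = [("Untrusted", "SYN", 0.05 * i) for i in range(8)]
    trace += [("Trusted", "ICMP", 1.0 * i) for i in range(5)]
    return [(z, p, round(t, 2)) for z, p, t in trace if mon.observe(z, p, t)]


if __name__ == "__main__":
    for alert in run_sample():
        print("flood threshold exceeded:", alert)
```

The sixth, seventh and eighth SYN packets on the Untrusted zone trigger alerts, while the ICMP trickle on the Trusted zone never reaches its limit; a zone or protocol with no threshold configured is simply not checked.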

After configuring the interfaces, you need to set up the appropriate route in the "Gateways" section. That is, to connect UserGate to the Internet you must specify the IP address of one or more gateways. If you use several providers to connect to the Internet, you must specify several gateways. The gateway configuration is specific to each cluster node. If two or more gateways are defined, 2 options are possible:

  1. Load balancing between the gateways.

  2. A main gateway with failover to a backup one.

The gateway status (available - green, unavailable - red) is determined as follows:

  1. Network check disabled - the gateway is considered available if UserGate can obtain its MAC address with an ARP request. Internet access through this gateway is not checked. If the gateway's MAC address cannot be determined, the gateway is considered unavailable.

  2. Network check enabled - the gateway is considered available if:

  • UserGate can obtain its MAC address with an ARP request.

  • The Internet access check through this gateway completed successfully.

Otherwise the gateway is considered unavailable.
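The status rule above and the two multi-gateway options are easy to misread in practice, so here is an added example (my own code, not UserGate's) that models them. Gateway names, addresses, the priority convention (lower number = preferred) and the probe results are constructed; round-robin distribution is my stand-in for whatever balancing policy the appliance actually uses.

```python
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Gateway:
    name: str
    ip: str
    priority: int          # lower = preferred in failover mode (constructed convention)
    network_check: bool    # the per-gateway "network check" toggle from the article
    arp_ok: bool           # constructed probe result: MAC address resolved via ARP
    internet_ok: bool      # constructed probe result: Internet access check passed


def gateway_available(gw):
    """Status rule from the article: with the network check off, ARP resolution
    alone decides; with it on, both ARP and the Internet check must succeed."""
    if not gw.network_check:
        return gw.arp_ok
    return gw.arp_ok and gw.internet_ok


def status_colour(gw):
    return "green" if gateway_available(gw) else "red"


def select_failover(gateways):
    """Main gateway with switch to backup: the first available one by priority."""
    for gw in sorted(gateways, key=lambda g: g.priority):
        if gateway_available(gw):
            return gw
    return None


def select_balanced(gateways, n_flows):
    """Balancing between gateways: spread n_flows round-robin over the
    currently available gateways (constructed policy)."""
    pool = [g for g in gateways if gateway_available(g)]
    if not pool:
        return []
    rr = cycle(pool)
    return [next(rr).name for _ in range(n_flows)]


# Constructed sample: isp2 has the network check disabled, so it stays green
# even though its Internet probe fails, exactly the blind spot the article describes.
SAMPLE = [
    Gateway("isp1", "203.0.113.1", 1, network_check=True, arp_ok=True, internet_ok=False),
    Gateway("isp2", "198.51.100.1", 2, network_check=False, arp_ok=True, internet_ok=False),
    Gateway("isp3", "192.0.2.1", 3, network_check=True, arp_ok=True, internet_ok=True),
]


if __name__ == "__main__":
    for gw in SAMPLE:
        print(gw.name, status_colour(gw))
    print("failover picks:", select_failover(SAMPLE).name)
    print("balanced flows:", select_balanced(SAMPLE, 5))
```

The point worth noticing is that failover selects isp2 because its ARP probe succeeds and nothing else is checked, so the network check should be enabled on any gateway whose upstream can fail without the next-hop router going away.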

In the "DNS" section you need to add the DNS servers that UserGate itself will use. This setting is specified in the System DNS servers area. Below it are the settings for handling DNS requests from users. UserGate lets you use a DNS proxy. The DNS proxy service allows you to intercept DNS requests from users and modify them according to the administrator's needs. DNS proxy rules can be used to specify the DNS server to which requests for a particular domain are forwarded. In addition, using the DNS proxy you can configure static host records (A records).
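The three DNS mechanisms in this section (system DNS servers, per-domain forwarding rules and static A records) combine into one lookup decision. The following added example (my own model, not UserGate's code) shows that decision order; the server addresses, domain names and records are constructed, and the longest-matching-domain tie-break is my assumption rather than documented UserGate behaviour.

```python
import ipaddress

# Constructed configuration mirroring the three mechanisms described above.
SYSTEM_DNS = ["8.8.8.8", "1.1.1.1"]                      # System DNS servers
PROXY_RULES = [                                         # domain -> forwarder(s)
    {"domain": "corp.example", "servers": ["10.0.0.53"]},
    {"domain": "lab.corp.example", "servers": ["10.0.1.53"]},
]
STATIC_RECORDS = {"intranet.corp.example": "10.0.0.10"}  # static A records


def _in_domain(qname, domain):
    """True if qname equals domain or is a subdomain of it."""
    return qname == domain or qname.endswith("." + domain)


def resolve_plan(qname):
    """Decide how a user's A query is handled.

    Returns ("static", ip) when a static record answers it directly, otherwise
    ("forward", [servers]) naming the resolver(s) the query is sent to."""
    qname = qname.rstrip(".").lower()
    if qname in STATIC_RECORDS:
        ip = STATIC_RECORDS[qname]
        ipaddress.ip_address(ip)       # reject a malformed record at config time
        return ("static", ip)
    # Assumption: the most specific (longest) matching domain rule wins.
    matches = [r for r in PROXY_RULES if _in_domain(qname, r["domain"])]
    if matches:
        best = max(matches, key=lambda r: len(r["domain"]))
        return ("forward", list(best["servers"]))
    return ("forward", list(SYSTEM_DNS))


if __name__ == "__main__":
    for name in ("intranet.corp.example.", "host.lab.corp.example",
                 "mail.corp.example", "example.org"):
        print(name, "->", resolve_plan(name))
```

Because a static record short-circuits everything else, the set of such records deserves the same review as any other change that can redirect users; the forwarding rules, in turn, decide which resolver sees each internal domain's queries.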

In the "NAT and Routing" section you need to create the appropriate NAT rules. For Internet access by users of the Trusted network, a NAT rule "Trusted -> Untrusted" has already been created; all that remains is to enable it. Rules are applied top to bottom in the order in which they are listed in the console. Only the first rule whose conditions match is executed. For a rule to fire, all the conditions specified in the rule parameters must match. UserGate recommends creating general NAT rules, for example a NAT rule from the local network (usually the Trusted zone) to the Internet (usually the Untrusted zone), and restricting access for users, services and applications with firewall rules.

It is also possible to create DNAT, port forwarding, policy-based routing and network mapping rules.

Next, in the "Firewall" section you need to create firewall rules. For unrestricted Internet access by users of the Trusted network, a firewall rule "Internet for Trusted" has already been created and must be enabled. Using firewall rules, the administrator can allow or deny any type of network traffic passing through UserGate. Rule conditions can include source/destination zones and IP addresses, users and groups, services and applications. Rules work the same way as in the "NAT and Routing" section, i.e. top to bottom. If no rules are created, all traffic passing through UserGate is denied.
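Both the NAT section and the firewall section describe the same evaluation model: top-to-bottom, first enabled match wins, all of a rule's conditions must hold, and with no firewall match the traffic is dropped. The following added example (my own code, not UserGate's) implements that model for the two predefined rules named above plus one constructed deny rule placed above the general allow, so the ordering effect is visible. Packet fields, addresses, user and service names are constructed.

```python
from dataclasses import dataclass
import ipaddress


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    user: str
    service: str      # e.g. "HTTP", "SMB" (constructed service names)


@dataclass
class Rule:
    name: str
    enabled: bool
    action: str                # "allow"/"deny" for firewall rules, "nat" for NAT rules
    src_zones: set = None      # None means "any" for every condition below
    dst_zones: set = None
    src_nets: list = None      # CIDR strings
    users: set = None
    services: set = None


def rule_matches(rule, pkt):
    """Every condition that is set must match (the article's 'all conditions' rule)."""
    if rule.src_zones is not None and pkt.src_zone not in rule.src_zones:
        return False
    if rule.dst_zones is not None and pkt.dst_zone not in rule.dst_zones:
        return False
    if rule.src_nets is not None:
        src = ipaddress.ip_address(pkt.src_ip)
        if not any(src in ipaddress.ip_network(n) for n in rule.src_nets):
            return False
    if rule.users is not None and pkt.user not in rule.users:
        return False
    if rule.services is not None and pkt.service not in rule.services:
        return False
    return True


def first_match(rules, pkt):
    """Top to bottom; the first enabled matching rule wins, disabled rules are skipped."""
    for r in rules:
        if r.enabled and rule_matches(r, pkt):
            return r
    return None


def firewall_verdict(rules, pkt):
    """No matching firewall rule means the packet is denied."""
    r = first_match(rules, pkt)
    return r.action if r else "deny"


def nat_applies(rules, pkt):
    return first_match(rules, pkt) is not None


# Constructed policy: the two predefined rules from the article, enabled, plus a
# more specific deny above the general allow to show that order matters.
FW_RULES = [
    Rule("Block SMB to Internet", True, "deny",
         src_zones={"Trusted"}, dst_zones={"Untrusted"}, services={"SMB"}),
    Rule("Internet for Trusted", True, "allow",
         src_zones={"Trusted"}, dst_zones={"Untrusted"}),
]
NAT_RULES = [
    Rule("Trusted -> Untrusted", True, "nat",
         src_zones={"Trusted"}, dst_zones={"Untrusted"}),
]


def evaluate(pkt, fw_rules=FW_RULES, nat_rules=NAT_RULES):
    """Return (firewall verdict, whether NAT is applied to the forwarded packet)."""
    verdict = firewall_verdict(fw_rules, pkt)
    return verdict, verdict == "allow" and nat_applies(nat_rules, pkt)


if __name__ == "__main__":
    web = Packet("Trusted", "Untrusted", "192.168.1.10", "198.51.100.7", "alice", "HTTP")
    smb = Packet("Trusted", "Untrusted", "192.168.1.10", "198.51.100.7", "alice", "SMB")
    inbound = Packet("Untrusted", "Trusted", "203.0.113.5", "192.168.1.10", "", "HTTP")
    for p in (web, smb, inbound):
        print(p.src_zone, "->", p.dst_zone, p.service, evaluate(p))
```

Swapping the order of the two firewall rules would let the general allow swallow SMB traffic before the deny is ever consulted, which is why the article's recommendation to keep NAT rules general and put the restrictions in carefully ordered firewall rules matters.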

4. Conclusion

This concludes the article. We installed the UserGate firewall on a virtual machine and made the minimum settings required for the Internet to work on the Trusted network. We will look at further configuration in the following articles.

source: www.habr.com