3. UserGate Getting Started. Network policies


Welcome, readers, to the third article in the UserGate Getting Started series, which covers the NGFW solution from the company UserGate. The previous article described installing the firewall and performing its initial configuration. Now we will take a closer look at creating rules in the Firewall, NAT and Routing, and Bandwidth sections.

UserGate's ideology is that rules are processed from top to bottom, up to the first rule that matches. It follows that more specific rules should be placed higher than more general ones. Note, however, that since rules are checked in order, it is better from a performance standpoint to create general rules. Within any single rule, the conditions are combined with logical AND. If logical OR is required, it is achieved by creating several rules. What is described in this article therefore applies to the other UserGate policies as well.

Firewall

After installing UserGate, a simple policy already exists in the "Firewall" section. The first two rules deny traffic for botnets. They are followed by example access rules between different zones. The last rule is always called "Block All" and is marked with a lock icon (meaning the rule cannot be deleted, edited, moved or disabled; only logging can be enabled for it). Thus, because of this rule, all traffic that is not explicitly allowed is blocked by the last rule. If you want to allow all traffic through UserGate (though this is strongly discouraged), you can always create an "Allow all" rule.


When editing or creating a Firewall rule, on the first tab, General, you need to:

  • Tick the "On" checkbox to enable or disable the rule.

  • Enter the rule name.

  • Set the rule description.

  • Choose one of two actions:

    • Deny - blocks the traffic (with this action it is possible to send an ICMP host unreachable message back to the sender; you only need to tick the corresponding checkbox).

    • Allow - permits the traffic.

  • Scenario - lets you select a scenario, which is an additional condition for the rule to fire. This is how UserGate implements the SOAR (Security Orchestration, Automation and Response) concept.

  • Logging - writes information about the traffic to the log when the rule fires. Possible options:

    • Log the start of the session. In this case only information about the start of the session (the first packet) is written to the traffic log. This is the recommended logging option.

    • Log every packet. In this case information about every transmitted network packet is recorded. For this mode it is recommended to enable a logging limit to avoid putting a high load on the device.

  • Apply the rule to:

    • All packets

    • Fragmented packets

    • Unfragmented packets

  • When creating a new rule, you can choose its position in the policy.

Next comes the Source tab. Here we specify the traffic source: it can be the zone the traffic comes from, or you can specify a list or a specific IP address (Geoip). In almost all rules that can be configured on the device, an object can be created directly from the rule; for example, without going to the "Zones" section, you can use the "Create and add new object" button to create the zone we need. The "Invert" checkbox is also common to many tabs: it inverts the condition in the rule, which is similar to logical negation. The Destination tab is similar to the Source tab, but instead of the traffic source we set the traffic destination. Users tab - here you can add a list of users or groups to which this rule applies. Service tab - choose the service type from the predefined ones, or configure your own. Applications tab - specific applications or application groups are selected here. And the Time tab defines when this rule is active.

Since the last lesson we have a rule for Internet access from the "Trusted" zone; now I will show, as an example, how to create a rule that denies ICMP traffic from the "Trusted" zone to the "Untrusted" zone.

First, create the rule by clicking the "Add" button. In the window that opens, on the General tab, fill in the name (Restrict ICMP from trusted to untrusted), tick the "On" checkbox, choose the Deny action and, most importantly, select the correct position for this rule. According to my policy, this rule should be placed above the "Allow trusted to untrusted" rule:


On the "Source" tab there are two options for my task:

  • Select the "Trusted" zone.

  • Select all zones except "Trusted" and tick the "Invert" checkbox.


The Destination tab is configured in the same way as the Source tab.

Next, go to the "Service" tab. Since UserGate has a dedicated service for ICMP traffic, click the "Add" button and select the service named "Any ICMP" from the predefined list:


Perhaps this was the intention of UserGate's developers, but I managed to create several identical rules. Although only the first rule in the list will be applied, I think the ability to create rules with the same name that differ in their action may cause confusion when several administrators manage the device.
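The evaluation model described above (top-down, first match wins, AND between tabs, the "Invert" checkbox, and the immovable "Block All" at the end) is easy to get wrong when placing a rule. The following simulator is an added example, not UserGate code; the zone, service and rule names are assumptions taken from this article, and it shows why the ICMP deny rule must sit above "Allow trusted to untrusted".

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    service: str

@dataclass
class Rule:
    name: str
    action: str                                   # "deny" or "allow"
    src_zones: set = field(default_factory=set)   # empty set = any source
    dst_zones: set = field(default_factory=set)   # empty set = any destination
    services: set = field(default_factory=set)    # empty set = any service
    invert_src: bool = False                      # "Invert" checkbox on the Source tab

def _matches(selected: set, value: str, invert: bool = False) -> bool:
    # Nothing selected on a tab means that tab imposes no condition
    if not selected:
        return True
    return (value in selected) != invert          # invert == logical negation

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # Conditions from the different tabs are combined with logical AND
    return (_matches(rule.src_zones, pkt.src_zone, rule.invert_src)
            and _matches(rule.dst_zones, pkt.dst_zone)
            and _matches(rule.services, pkt.service))

def evaluate(policy: list, pkt: Packet) -> tuple:
    # Top-down, first matching rule wins; "Block All" is always the last rule
    for rule in policy:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "Block All"

# Constructed policy mirroring the article's rules (names are assumptions)
ALLOW_TRUSTED = Rule("Allow trusted to untrusted", "allow", {"Trusted"}, {"Untrusted"})
DENY_ICMP = Rule("Restrict ICMP from trusted to untrusted", "deny",
                 {"Trusted"}, {"Untrusted"}, {"Any ICMP"})
# The same rule expressed the second way: every other zone selected, Invert ticked
DENY_ICMP_INVERTED = Rule(DENY_ICMP.name, "deny", {"Untrusted", "DMZ", "Management"},
                          {"Untrusted"}, {"Any ICMP"}, invert_src=True)
BLOCK_ALL = Rule("Block All", "deny")             # empty sets: matches everything

CORRECT_ORDER = [DENY_ICMP, ALLOW_TRUSTED, BLOCK_ALL]
WRONG_ORDER = [ALLOW_TRUSTED, DENY_ICMP, BLOCK_ALL]   # deny rule is shadowed
PING = Packet("Trusted", "Untrusted", "Any ICMP")
```

In WRONG_ORDER the ICMP rule never fires because the broader allow rule above it already matched, which is exactly the "specific before general" point made at the start of the article.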

NAT da routing

When creating NAT rules we see tabs similar to those of the Firewall. A "Type" field appears on the "General" tab, letting you choose what this rule will be responsible for:

  • NAT - Network Address Translation.

  • DNAT - Redirects traffic to the specified IP address.

  • Port forwarding - Redirects traffic to the specified IP address, but also lets you change the port number of the published service.

  • Policy-based routing - Lets you route IP packets based on additional information, such as services, MAC addresses, or servers (IP addresses).

  • Network mapping - Lets you replace the source or destination IP addresses of one network with those of another network.

After selecting the appropriate rule type, its settings become available.

In the SNAT IP (external address) field we explicitly specify the IP address that will replace the source address. This field is required if several IP addresses are assigned to the interfaces in the destination zone. If you leave this field empty, the system will use an arbitrary address from the list of IP addresses assigned to the zone's interfaces. UserGate recommends specifying the SNAT IP to improve firewall performance.

As an example, I will publish the SSH service of a Windows server located in the "DMZ" zone using a "Port forwarding" rule. To do this, click the "Add" button and fill in the "General" tab, entering the rule name "SSH to Windows" and the type "Port forwarding":


On the "Source" tab, select the "Untrusted" zone and go to the "Port forwarding" tab. Here we must specify the protocol "TCP" (four options are available: TCP, UDP, SMTP, SMTPS). Original destination port 9922 is the port number to which users send their requests (ports 2200, 8001, 4369 and 9000-9100 cannot be used). New destination port (22) is the port number on the internal published server to which user requests are forwarded.


On the "DNAT" tab, set the IP address of the computer on the local network that is being published to the Internet (192.168.3.2). You can also optionally enable SNAT; UserGate will then replace the source address in packets from the external network with its own IP address.


After all these settings, we get a rule that allows access from the "Untrusted" zone to the server with IP address 192.168.3.2 over SSH, using UserGate's external address when connecting.
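To make the translation steps of the "SSH to Windows" rule concrete, here is an added example (not UserGate code) that models the Port forwarding rule, including the reserved-port check and the optional SNAT. The firewall's external and DMZ-side addresses and the client address are constructed placeholders; the match logic is my assumption of how such a rule behaves.

```python
from dataclasses import dataclass, replace

# Ports the article says cannot be used as the original destination port
RESERVED_PORTS = {2200, 8001, 4369} | set(range(9000, 9101))
SUPPORTED_PROTOCOLS = {"TCP", "UDP", "SMTP", "SMTPS"}

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"

@dataclass(frozen=True)
class PortForwardRule:
    name: str
    src_zone: str          # Source tab
    proto: str             # Port forwarding tab
    original_port: int     # port the users send requests to
    new_port: int          # port on the published internal server
    dnat_ip: str           # DNAT tab
    snat: bool = False     # optional SNAT checkbox

def validate_rule(rule: PortForwardRule) -> None:
    # Reject the inputs the article says the form does not accept
    if rule.proto not in SUPPORTED_PROTOCOLS:
        raise ValueError(f"unsupported protocol {rule.proto}")
    if rule.original_port in RESERVED_PORTS:
        raise ValueError(f"port {rule.original_port} is reserved by UserGate")

def apply_port_forward(rule: PortForwardRule, flow: Flow, src_zone: str,
                       external_ip: str, internal_ip: str) -> Flow:
    # Assumed model: the rule matches only traffic from its source zone that
    # arrives at the firewall's external address on the original port
    if (src_zone != rule.src_zone or flow.proto != rule.proto
            or flow.dst_ip != external_ip or flow.dst_port != rule.original_port):
        return flow                                   # not ours, pass through
    translated = replace(flow, dst_ip=rule.dnat_ip, dst_port=rule.new_port)
    if rule.snat:
        # With SNAT on, the internal server sees the firewall's own address
        translated = replace(translated, src_ip=internal_ip)
    return translated

# Constructed rule mirroring the article's example, plus its SNAT variant
SSH_RULE = PortForwardRule("SSH to Windows", "Untrusted", "TCP", 9922, 22, "192.168.3.2")
SSH_RULE_SNAT = replace(SSH_RULE, snat=True)
# Constructed addresses: firewall external interface, firewall DMZ interface, client
EXTERNAL_IP, DMZ_IP = "203.0.113.10", "192.168.3.1"
INBOUND = Flow("198.51.100.7", 51000, EXTERNAL_IP, 9922)
```

Without SNAT the published server sees the real client address and must route its replies back through UserGate; with SNAT it only ever sees the firewall's DMZ address, which is what the SNAT checkbox trades for that visibility.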


Bandwidth

This section describes bandwidth management rules. They can be used to limit the channel for particular users, hosts, services and applications.


When creating a rule, the conditions on its tabs determine which traffic the restrictions apply to. The bandwidth can be chosen from the predefined ones, or you can configure your own. When creating a bandwidth, you can specify a DSCP traffic priority label. An example of when DSCP labels are used: by specifying in the rule a scenario under which the rule is applied, the rule can then change these labels automatically. Another example of how scenarios work: the rule applies to a user only when a stream is detected or the traffic volume exceeds the specified limit. The remaining tabs are filled in as in the other policies, depending on the type of traffic the rule should apply to.


Conclusion

In this article I covered creating rules in the Firewall, NAT and Routing, and Bandwidth sections. At the beginning of the article I also described the principles behind UserGate policies and how conditions are combined when creating a rule.

Stay tuned for updates on our channels (Telegram, Facebook, VK, TS Solution Blog)!

source: www.habr.com
