How to take control of your network infrastructure. Chapter Three. Network security. Part One

This article is the third in a series titled "How to take control of your network infrastructure". The contents of all the articles in the series, with links, can be found here.


There is no point in talking about eliminating security risks completely. In principle, we cannot reduce them to zero. We also need to understand that the harder we try to make the network secure, the more expensive our solutions become. You need to find the trade-off between cost, complexity and security that makes sense for your network.

Of course, the security design is built organically into the overall architecture, and the security solutions used affect the scalability, reliability, manageability, ... of the network solution, which also has to be taken into account.

But let me remind you that we are not talking about building a network now. According to our initial conditions, we have already chosen the design, chosen the equipment and built the infrastructure, and at this stage, if possible, we should "live" with it and find solutions within the context of the choices made earlier.

Our task now is to identify the security risks at the network level and reduce them to an acceptable level.

Network security audit

If your organization has implemented ISO 27k processes, then security audits and network changes should fit organically into the overall processes of that approach. But these standards are still not about specific solutions, not about configuration, not about design... There are no ready-made decisions, no standards dictating in detail what your network should look like; that is both the complexity and the beauty of this task.

I would highlight several possible network security audits:

  • equipment configuration audit (hardening)
  • security design audit
  • access audit
  • process audit

Equipment configuration audit (hardening)

In most cases this seems to be the best starting point for auditing and improving the security of your network. IMHO, it is a good illustration of the Pareto principle (20% of the effort produces 80% of the result, and the remaining 80% of the effort produces only 20% of the result).

The bottom line is that we usually have recommendations from vendors on security "best practices" for configuring equipment. This is called "hardening".

You can also often find a questionnaire (or create one yourself) based on these recommendations, which will help you determine how well your equipment configuration complies with these "best practices" and, depending on the result, make changes in your network. This allows you to reduce security risks significantly, quite easily and at practically no cost.

Several examples for some Cisco operating systems.

Cisco IOS Configuration Hardening
Cisco IOS-XR Configuration Hardening
Cisco NX-OS Configuration Hardening
Cisco Baseline Security Check List

Based on these documents, a list of configuration requirements can be created for each type of equipment. For example, for a Cisco N7K VDC these requirements might look like this.

In this way, configuration templates can be created for the different types of equipment in your network infrastructure. Then, manually or with automation, you can "roll out" these configs. How to automate this process will be discussed in detail in another series of articles on orchestration and automation.
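One way to turn such a requirements list into an automated hardening check, as an added example that is not part of the original article: the sample config, the regex-based requirement list and the vty-line rules are constructed for illustration in the spirit of the Cisco IOS hardening guide, not copied from it.

```python
import re

# Constructed sample running-config in Cisco IOS syntax (not from the article).
SAMPLE_CONFIG = """\
service timestamps log datetime msec
ip http server
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
line vty 5 15
 transport input ssh
 exec-timeout 10 0
"""

# Illustrative global checks: (name, regex, must the line be present?).
REQUIREMENTS = [
    ("password encryption enabled", r"^service password-encryption$", True),
    ("HTTP server disabled", r"^ip http server$", False),
    ("log timestamps with msec", r"^service timestamps log datetime msec$", True),
]

def parse_line_blocks(config):
    # Returns {'vty 0 4': [sub-commands], ...} for every 'line ...' block.
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit(config, requirements=REQUIREMENTS):
    # Returns the names of failed checks; an empty list means compliant.
    failures = []
    for name, pattern, must_exist in requirements:
        present = re.search(pattern, config, re.MULTILINE) is not None
        if present != must_exist:
            failures.append(name)
    # Per-line checks: every vty line must be SSH-only with a real idle timeout.
    for line, cmds in parse_line_blocks(config).items():
        if not line.startswith("vty"):
            continue
        if "transport input ssh" not in cmds:
            failures.append(f"line {line}: transport input must be ssh only")
        if "exec-timeout 0 0" in cmds:
            failures.append(f"line {line}: exec-timeout disabled")
    return failures
```

Running `audit(SAMPLE_CONFIG)` reports four deviations; feeding it the output of `show running-config` from each device gives the questionnaire result per device.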

Security design audit

Typically, an enterprise network contains the following segments in one form or another:

  • DC (public services DMZ and intranet data center)
  • Internet access
  • remote access VPN
  • WAN edge
  • Branch
  • Campus (Office)
  • Core

The names are taken from the Cisco SAFE model, but of course it is not necessary to bind yourself to exactly these names and this model. Still, I want to talk about the essence and not get bogged down in formalities.

For each of these segments, the security requirements, the risks and, accordingly, the solutions will be different.

Let's look at each of them separately for the problems you may encounter from a security design point of view. Of course, I repeat once again that this article in no way claims to be complete, which is not easy (if not impossible) to achieve in such a deep and multifaceted topic, but it reflects my personal experience.

There is no perfect solution (at least not yet). It is always a compromise. But it is important that the decision to use one approach or another is made consciously, with an understanding of its advantages and disadvantages.

Data Center

The most critical segment from a security point of view.
And, as usual, there is no universal solution here either. It all depends heavily on the network requirements.

Is a firewall necessary or not?

It would seem the answer is obvious, but not everything is as clear as it might seem. And your choice may be influenced not only by price.

Example 1. Latency.

If low latency is an essential requirement between some network segments, which is, for example, true in the case of an exchange, then we cannot use a firewall between those segments. It is hard to find studies on firewall latency, but only a few switch models can deliver latency below or on the order of 1 microsecond, so I think that if microseconds matter to you, then firewalls are not for you.

Example 2. Performance.

The throughput of high-end L3 switches is usually an order of magnitude higher than the throughput of the most powerful firewalls. Therefore, in the case of high-intensity traffic, you will most likely also have to let this traffic bypass the firewall.

Example 3. Reliability

Firewalls, especially modern NGFWs (Next-Generation Firewalls), are complex devices. They are much more complex than L3/L2 switches. They provide a large number of services and configuration options, so it is not surprising that their reliability is considerably lower. If service continuity is critical for the network, then you may have to choose what will lead to better availability: security with a firewall, or the simplicity of a network built on switches (or fabrics of various kinds) using regular ACLs.

In the case of the examples above, you will most likely (as usual) have to find a compromise. Look at the following solutions:

  • if you decide not to use firewalls in the data center, then you need to think about how to restrict access at the perimeter as much as possible. For example, you can open only the necessary ports from the Internet (for client traffic) and allow administrative access to the data center only from jump hosts. On the jump hosts, perform all the necessary checks (authentication/authorization, antivirus, logging, ...)
  • you can use a logical partitioning of the data center network into segments, similar to the scheme described in PSEFABRIC example p002. In this case, routing must be configured so that latency-sensitive or high-intensity traffic stays "within" one segment (in the case of p002, a VRF) and does not pass through the firewall. Traffic between different segments will continue to pass through the firewall. You can also use route leaking between VRFs to avoid redirecting traffic through the firewall
  • you can also use the firewall in transparent mode and only for those VLANs where these factors (latency/performance) are not significant. But you need to carefully study the restrictions associated with using this mode for each vendor
  • you may consider using a service chaining architecture. This allows only the necessary traffic to pass through the firewall. It looks good in theory, but I have never seen this solution in production. We tested service chaining for Cisco ACI / Juniper SRX / F5 LTM about 3 years ago, but at that time the solution seemed "raw" to us.

Level of protection

Now you need to answer the question of which tools you want to use to filter traffic. Here are some features that are usually present in an NGFW (for example, here):

  • stateful firewalling (default)
  • application firewalling
  • threat prevention (antivirus, anti-spyware and vulnerability protection)
  • URL filtering
  • data filtering (content filtering)
  • file blocking (file type blocking)
  • DoS protection

And here, too, not everything is obvious. It would seem that the higher the level of protection, the better. But you also need to consider that

  • the more of the above firewall functions you use, the more expensive it will be (licenses, additional modules)
  • the use of some algorithms can significantly reduce firewall throughput and also increase latency; see for example here
  • like any complex solution, the use of complex protection methods can reduce the reliability of your solution; for example, when using application firewalling, I ran into the blocking of some quite standard working applications (dns, smb)

As always, you need to find the best solution for your network.

It is impossible to give a definitive answer to the question of which protection functions may be required. Firstly, because it certainly depends on the data you transmit or store and are trying to protect. Secondly, in reality, the choice of security tools is often a matter of faith and trust in the vendor. You do not know the algorithms, you do not know how effective they are, and you cannot fully test them.

Therefore, in critical segments, a good solution may be to use offerings from different companies. For example, you can enable antivirus on the firewall, but also use antivirus protection (from another vendor) locally on the hosts.

Segmentation

We are talking about the logical segmentation of the data center network. For example, partitioning into VLANs and subnets is also logical segmentation, but we will not consider it because it is obvious. What is interesting is segmentation that takes into account entities such as FW security zones, VRFs (and their analogues from different vendors), logical devices (PA VSYS, Cisco N7K VDC, Cisco ACI Tenant, ...), ...

An example of such logical segmentation, and of the data center design it currently requires, is given in p002 of the PSEFABRIC project.

Having defined the logical segments of your network, you can describe how traffic moves between the different segments, on which devices filtering is performed and by what means.

If your network has no clear logical segmentation and the rules for applying security policies to the different data flows are not formalized, this means that every time you open this or that access you are forced to solve this problem from scratch, and with high probability you will solve it differently every time.

Often segmentation is based only on FW security zones. Then you need to answer the following questions:

  • which security zones you need
  • what level of protection you want to apply to each of these zones
  • will intra-zone traffic be allowed by default?
  • if not, which traffic filtering policies will be applied within each zone
  • which traffic filtering policies will be applied for each pair of zones (source/destination)
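As an added example (not from the article), a small model that records the answers to these questions as a zone-pair policy table and evaluates flows against it; the zone names, ports and the "allow" intra-zone default are constructed assumptions for a small data center.

```python
# Constructed example (not from the article): a zone-pair policy model that
# records the answers to the questions above and evaluates flows against them.
from typing import NamedTuple

class Flow(NamedTuple):
    src_zone: str
    dst_zone: str
    proto: str
    dport: int

class ZonePolicy:
    def __init__(self, zones, intra_zone_default="deny"):
        self.zones = set(zones)
        self.intra_zone_default = intra_zone_default  # answer to "allowed by default?"
        self.rules = {}  # (src, dst) -> [(proto, dport)] explicitly permitted

    def permit(self, src, dst, proto, dport):
        if src not in self.zones or dst not in self.zones:
            raise ValueError(f"unknown zone in pair {src} -> {dst}")
        self.rules.setdefault((src, dst), []).append((proto, dport))

    def evaluate(self, flow):
        pair = (flow.src_zone, flow.dst_zone)
        if (flow.proto, flow.dport) in self.rules.get(pair, []):
            return "allow"
        # Intra-zone traffic with no explicit rule follows the zone default;
        # inter-zone traffic with no matching rule is always dropped.
        if flow.src_zone == flow.dst_zone:
            return self.intra_zone_default
        return "deny"

    def undefined_pairs(self):
        # Zone pairs nobody has written a policy for: exactly the situation
        # where access requests end up being decided ad hoc, case by case.
        return sorted((s, d) for s in self.zones for d in self.zones
                      if s != d and (s, d) not in self.rules)

# Constructed zone set and rules for a small data center.
def build_example_policy():
    policy = ZonePolicy(["dmz", "app", "db", "mgmt"], intra_zone_default="allow")
    policy.permit("dmz", "app", "tcp", 8443)   # web tier to application tier
    policy.permit("app", "db", "tcp", 5432)    # application tier to PostgreSQL
    policy.permit("mgmt", "db", "tcp", 22)     # administration from jump hosts
    return policy
```

`undefined_pairs()` is the useful audit output: every pair it lists is a source/destination combination for which the last question above has not yet been answered.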

TCAM

A common problem is insufficient TCAM (Ternary Content Addressable Memory), both for routing and for access control. IMHO, this is one of the most important issues when choosing equipment, so you need to treat it with the appropriate degree of care.

Example 1. Forwarding Table TCAM.

Let's consider the Palo Alto 7k firewall.
We see that the IPv4 forwarding table size* = 32K.
Moreover, this number of routes is shared by all VSYSs.

Let's assume that according to your design you decide to use 4 VSYS.
Each of these VSYSs is connected via BGP to two MPLS PEs of the cloud that you use as the backbone. Thus, the 4 VSYSs exchange all specific routes with each other and have forwarding tables with approximately the same sets of routes (but different NHs). Since each VSYS has 2 BGP sessions (with the same settings), each route received via MPLS has 2 NHs and, accordingly, 2 FIB entries in the forwarding table. If we assume that this is the only firewall in the data center and it must know about all routes, then this means that the total number of routes in our data center cannot exceed 32K/(4 * 2) = 4K.

Now, if we assume that we have 2 data centers (with the same design), and we want to use VLANs "stretched" between the data centers (for example, for vMotion), then to solve the routing problem we have to use host routes. But this means that for the 2 data centers we can have no more than 4096 possible hosts, and of course this may not be enough.

Example 2. ACL TCAM.

If you plan to filter traffic on L3 switches (or other solutions that use L3 switches, for example Cisco ACI), then when choosing equipment you should pay attention to the ACL TCAM.

Suppose you want to control access on the SVI interfaces of a Cisco Catalyst 4500. Then, as can be seen from this article, to control outgoing (as well as incoming) traffic on interfaces you can use only 4096 TCAM lines, which, when using TCAM3, gives you about 4000 ACEs (ACL lines).

If you run into the problem of insufficient TCAM, then first of all, of course, you need to consider the possibility of optimization. So, if there is a problem with the forwarding table size, you need to consider the possibility of aggregating routes. If there is a problem with the TCAM size for access control, audit the access rules, remove outdated and overlapping entries, and possibly revise the procedure for opening access (this will be discussed in detail in the chapter on the access audit).

High Availability

The question is: should I use HA for firewalls, or install two independent boxes "in parallel" and, if one of them fails, route traffic through the second?

It would seem the answer is obvious: use HA. The reason this question still arises is that, unfortunately, the theoretical and advertised 99-and-many-decimal-places of availability turn out to be far from so rosy in practice. HA is logically quite a complex thing, and on different equipment and with different vendors (there were no exceptions) we ran into problems, bugs and service outages.

If you use HA, you get the ability to take individual nodes out of service and switch between them without stopping the service, which is important, for example, during upgrades, but at the same time there is a far from zero probability that both nodes will break at the same time, and also that the next upgrade will not go as smoothly as the vendor promises (this problem can be avoided if you have the opportunity to test the upgrade on lab equipment).

If you do not use HA, then from the point of view of a double failure your risks are much lower (since you have 2 independent firewalls), but since sessions are not synchronized, every time you switch between these firewalls you will lose traffic. You can, of course, use stateless firewalls, but then the point of using a firewall is largely lost.

Therefore, if as a result of the audit you found standalone firewalls and you are thinking about increasing the reliability of your network, then HA is of course one of the recommended solutions, but you should also take into account the disadvantages associated with this approach, and perhaps, specifically for your network, another solution will be more suitable.

Manageability

In principle, HA is also about manageability. Instead of configuring 2 boxes separately and dealing with the problem of keeping their configurations in sync, you manage them much as if you had one device.

But perhaps you have many data centers and many firewalls; then this question arises at a new level. And the question is not only about configuration, but also about

  • configuration backup
  • updates
  • upgrades
  • monitoring
  • logging

And all of this can be solved by a centralized management system.

So, for example, if you use Palo Alto firewalls, then Panorama is such a solution.

To be continued.

source: www.habr.com
