How to take control of your network infrastructure. Chapter three. Network security. Part three

This article is the fifth in the series "How to take control of your network infrastructure." The table of contents of all articles in the series, with links, can be found here.

This part is dedicated to the Campus (Office) and Remote Access VPN segments.


The design of an office network may seem simple.

Indeed, we take L2/L3 switches and connect them to each other. Next, we do the basic configuration of VLANs and default gateways, set up simple routing, connect WiFi controllers and access points, install and configure an ASA for remote access, and we are happy that everything works. Basically, as I already wrote in one of the previous articles of this series, almost any student who has attended (and learned something from) two semesters of a networking course can design and configure an office network so that it "somehow works".

But the more you learn, the less simple this task begins to look. To me personally, this topic, the design of an office network, does not seem simple at all, and in this article I will try to explain why.

In short, there are quite a few factors to take into account. These factors often conflict with each other, and a reasonable compromise has to be found.
This ambiguity is the main difficulty. So, speaking of security, we have a triangle with three vertices: security, convenience for employees, and the cost of the solution.
And every time a compromise has to be sought between these three.

Architecture

As an example of the architecture of these two segments, as in the previous articles, I recommend the Cisco SAFE model: Enterprise Campus, Enterprise Internet Edge.

These are somewhat dated documents. I present them here because the fundamental schemes and approaches have not changed, and at the same time I like their presentation more than that of the newer documents.

Without encouraging you to use Cisco solutions, I still think it is useful to study this design carefully.

This article, as usual, does not in any way claim to be complete, but is rather a supplement to that information.

At the end of the article, we will analyze the Cisco SAFE office design in terms of the ideas laid out here.

General principles

The design of an office network must, of course, satisfy the general requirements discussed here in the chapter "Criteria for assessing design quality". Besides cost and security, which we intend to discuss in this article, there are three more criteria that we have to take into account when designing (or making changes):

  • scalability
  • manageability
  • availability

Much of what was discussed for data centers is also true for the office.

Nevertheless, the office segment has its own specifics, which matter from a security point of view. The essence of these specifics is that this segment exists to provide network services to the company's employees (as well as partners and guests), and as a result, at the highest level of consideration we have two tasks:

  • protect company resources from malicious actions that may originate from employees (guests, partners) and from the software they use. This also includes protection against unauthorized network connections.
  • protect the users' systems and data

And this is only one side of the problem (or rather, one vertex of the triangle). On the other side are user convenience and the cost of the solutions used.

Let's start by looking at what a user expects from a modern office network.

Convenience

Here is what a "convenient network" looks like for an office user, in my opinion:

  • mobility
  • the ability to use the full range of familiar devices and operating systems
  • easy access to all necessary company resources
  • availability of Internet resources, including various cloud services
  • "fast operation" of the network

All of this applies to both employees and guests (or partners), and it is the task of the company's engineers to differentiate access for the different user groups according to their authorization.

Let's look at each of these aspects in a little more detail.

Mobility

We are talking about the ability to work and use all necessary company resources from anywhere in the world (where the Internet is available, of course).

This fully applies to the office. It is convenient to be able to keep working from anywhere in the office, for example to receive mail, communicate in the corporate messenger, be available for a video call, ... On the one hand, this lets you resolve some communication issues "live" (for example, by attending meetings), and on the other hand, always stay online, keep your finger on the pulse and quickly resolve urgent high-priority tasks. This is very convenient and improves the quality of communication.

This is achieved by a properly designed WiFi network.

Note

Here the question usually arises: is it enough to use only WiFi? Does this mean you can stop using Ethernet ports in the office? If we are talking only about users, and not about servers, which still make sense to connect with a regular Ethernet port, then in general the answer is: yes, you can limit yourself to WiFi only. But there are nuances.

There are important user groups that require a different approach. These are, of course, administrators. In principle, a WiFi connection is less reliable (in terms of traffic loss) and slower than a regular Ethernet port. This can be significant for administrators. In addition, network administrators, for example, may in principle have their own dedicated Ethernet network for out-of-band connections.

Perhaps there are other groups or departments in your company for which these factors are also important.

There is another important point: telephony. Perhaps for some reason you do not want to use wireless VoIP and prefer IP phones with a regular Ethernet connection.

In general, the companies I worked for usually had a combination of WiFi connectivity and Ethernet ports.

I would like mobility not to be limited to the office.

To make it possible to work from home (or any place with accessible Internet), a VPN connection is used. At the same time, it is desirable that employees do not feel the difference between working from the office and working remotely, which assumes the same access in both cases. We will discuss how to organize this a little later, in the chapter "Unified centralized authentication and authorization system".

Note

Most likely, you cannot provide the same quality of service for remote work that you have in the office. Suppose you use a Cisco ASA 5520 as your VPN gateway. According to the datasheet, this device is able to "digest" only 225 Mbit/s of VPN traffic. So, of course, in terms of bandwidth, connecting via VPN is very different from working from the office. Also, if for some reason latency, loss or jitter matter for your network services (for example, you want to use the office IP telephony), you will not get the same quality as if you were in the office. Therefore, when we talk about mobility, we must be aware of the possible limitations.

Easy access to all company resources

This task should be solved together with the other technical departments.
The ideal situation is when the user needs to authenticate only once, and after that has access to all required resources.
Providing easy access without sacrificing security can significantly increase productivity and reduce stress among your colleagues.

Note 1

Ease of access is not only about how many times you have to enter a password. If, for example, according to your security policy, to connect from the office to the data center you must first connect to the VPN gateway, and in doing so you lose access to office resources, then this is also very, very inconvenient.

Note 2

There are services (for example, access to network equipment) where we usually have dedicated AAA servers, and it is normal that in this case we have to authenticate several times.

Availability of Internet resources

The Internet is not only entertainment, but also a set of services that can be very useful for work. There are also purely psychological factors. A modern person is connected to other people through the Internet by many virtual threads, and, in my opinion, there is nothing wrong with continuing to feel that connection even while working.

From the point of view of wasted time, there is nothing wrong if an employee, for example, has Skype running and spends 5 minutes talking to a loved one when necessary.

Does this mean that the Internet should always be available, that employees may access any resource and not be controlled in any way?

No, of course it does not. The level of Internet openness can vary between companies, from completely closed to completely open. We will discuss ways of controlling traffic later, in the sections on security measures.

Ability to use the full range of familiar devices

It is convenient when, for example, you can keep using all the means of communication you are used to while at work. There is no technical difficulty in implementing this. For this you need WiFi and a guest WLAN.

It is also good if you can use the operating system you are used to. But, from my observation, this is usually allowed only to managers, administrators and developers.

Example:

You can, of course, take the path of prohibitions: prohibit remote access, prohibit connecting from mobile devices, limit everything to static Ethernet connections, restrict Internet access, compulsorily confiscate phones and gadgets at the checkpoint... and this path is indeed followed by some organizations with increased security requirements, and perhaps in some cases it is justified, but... you must agree that this looks like an attempt to stop progress within a single organization. Of course, I would prefer to combine the opportunities that modern technology provides with an adequate level of security.

"Fast operation" of the network

Data transfer speed, technically, is made up of many factors. And the speed of your access port is usually not the most important one. Slow application performance is not always related to network problems, but for now we are interested only in the network part. The most common cause of a local network "slowdown" is packet loss. This usually happens when there is a bottleneck or an L1 (OSI) problem. More rarely, with some designs (for example, when your subnets have a firewall as the default gateway and therefore all traffic goes through it), equipment performance may be insufficient.

Therefore, when choosing equipment and architecture, you need to correlate port speeds, trunks and equipment performance.

Example:

Suppose you use switches with 1-gigabit ports as access-layer switches. They are connected to each other by a 2 x 10 gigabit Etherchannel. As the default gateway you use a firewall with gigabit ports, and to connect it to the office L2 network you use 2 gigabit ports combined into an Etherchannel.

This architecture is very convenient from a functional point of view, because all traffic goes through the firewall, so you can comfortably manage access policies and apply complex traffic-control algorithms to prevent possible attacks (see below), but from the point of view of throughput and the performance of this design it obviously has potential problems. For example, just 2 hosts downloading data (with a port speed of 1 gigabit) can completely saturate the 2-gigabit connection to the firewall, and thus cause service degradation for the entire office segment.

We have looked at one side of the triangle; now let's see how to ensure security.

Means of protection

So, of course, usually our desire (or rather, the desire of our management) is to achieve the impossible, namely to provide maximum convenience with maximum security and at minimum cost.

Let's look at what methods we have for providing protection.

For the office, I would highlight the following:

  • zero trust approach
  • high level of protection
  • network visibility
  • unified centralized authentication and authorization system
  • host checking

Next, we will dwell in a little more detail on each of these aspects.

Zero Trust

The IT world is changing rapidly. Just over the past 10 years, the emergence of new technologies and products has led to a major revision of security concepts. Ten years ago, from a security point of view, we divided the network into trusted, DMZ and untrusted zones, and used so-called "perimeter protection", where there were 2 lines of defense: untrust -> DMZ and DMZ -> trust. Also, protection was usually limited to access lists based on L3/L4 (OSI) headers (IP, TCP/UDP ports, TCP flags). Everything related to the higher layers, including L7, was left to the OS and to the security products installed on the end hosts.

Now the situation has changed dramatically. The modern concept of zero trust starts from the fact that it is no longer possible to consider internal systems, that is, those inside the perimeter, as trusted, and the very notion of a perimeter has become blurred.
Besides the Internet connection we also have

  • remote VPN users
  • various personal devices and brought-in laptops connected via the office WiFi
  • other (branch) offices
  • integration with cloud infrastructure

What does the Zero Trust approach look like in practice?

Ideally, only the required traffic should be allowed, and if we are talking about the ideal, then control should be not only at the L3/L4 level but at the application level.

If, for example, you are able to pass all traffic through a firewall, then you can try to get closer to that ideal. But this approach can significantly reduce the total bandwidth of your network, and besides, application-based filtering does not always work well.

When controlling traffic on a router or L3 switch (using standard ACLs), you run into other problems:

  • this is L3/L4 filtering only. Nothing prevents an attacker from using an allowed port (e.g. TCP 80) for their own application (not HTTP)
  • complex ACL management (ACLs are hard to read and reason about)
  • this is not a full stateful firewall, meaning that you have to explicitly allow return traffic
  • with switches you are usually limited by the TCAM size, which can quickly become a problem if you take the "allow only what you need" approach.

Note

Speaking of return traffic, we must remember that we have the following option (Cisco)

    permit tcp any any established

But you need to understand that this line is equivalent to two lines:

    permit tcp any any ack
    permit tcp any any rst

This means that even if there was no first TCP segment with the SYN flag (that is, the TCP session had not even begun to be established), this ACL will admit a packet with the ACK flag set, which an attacker can use to transfer data.

That is, this line in no way turns your router or L3 switch into a full stateful firewall.
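To make the difference concrete, here is an added example (not code from the article) that replays the same constructed packets through two models: a stateless router ACL that implements `established` as "ACK or RST bit set", and a minimal stateful firewall that admits an inbound segment only when it belongs to a session opened from the inside. The office prefix, addresses and ports are constructed; the point is that an ACK-only segment with no preceding SYN passes the ACL but not the connection table.

```python
"""Why 'permit tcp any any established' is not a stateful firewall.

Added example, not from the article. Two devices see the same constructed
packets: a stateless ACL (established == ACK or RST set) and a minimal
stateful firewall with a connection table. Addresses are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Set, Tuple

INSIDE_NET = "10.1.1."   # hypothetical office subnet prefix (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]


def is_inbound(pkt: Packet) -> bool:
    """Inbound means: source outside the office, destination inside."""
    return not pkt.src.startswith(INSIDE_NET) and pkt.dst.startswith(INSIDE_NET)


def acl_established_permits(pkt: Packet) -> bool:
    """'permit tcp any any established' applied inbound: the router looks
    only at the flags of this one segment, never at earlier segments."""
    return bool(pkt.flags & {"ACK", "RST"})


class StatefulFirewall:
    """Minimal connection table keyed on the inside-originated 4-tuple."""

    def __init__(self) -> None:
        self.sessions: Set[Tuple[str, int, str, int]] = set()

    def permits(self, pkt: Packet) -> bool:
        if not is_inbound(pkt):
            # Outbound from the office is allowed; a bare SYN opens a session.
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound is allowed only as the reverse direction of a known session.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def run_scenario() -> dict:
    """Replay constructed traffic through both devices and collect verdicts."""
    fw = StatefulFirewall()
    # 1. Legitimate session: office host opens HTTPS outbound, reply returns.
    syn = Packet("10.1.1.10", 52000, "203.0.113.5", 443, frozenset({"SYN"}))
    synack = Packet("203.0.113.5", 443, "10.1.1.10", 52000, frozenset({"SYN", "ACK"}))
    # 2. Attacker sends an ACK-only segment with no prior SYN; such segments
    #    can carry a payload to a listener that does not care about state.
    rogue_ack = Packet("198.51.100.7", 4444, "10.1.1.10", 80, frozenset({"ACK"}))
    # 3. Attacker tries a genuine inbound connection attempt (bare SYN).
    rogue_syn = Packet("198.51.100.7", 4445, "10.1.1.10", 80, frozenset({"SYN"}))

    results = {}
    for name, pkt in [("syn", syn), ("synack", synack),
                      ("rogue_ack", rogue_ack), ("rogue_syn", rogue_syn)]:
        # The ACL is applied on the inbound interface only.
        acl_verdict = acl_established_permits(pkt) if is_inbound(pkt) else True
        results[name] = {"acl": acl_verdict, "stateful": fw.permits(pkt)}
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:10s} acl={'permit' if verdict['acl'] else 'deny':6s} "
              f"stateful={'permit' if verdict['stateful'] else 'deny'}")
```

The `rogue_ack` case is the one the note is about: the ACL permits it because the ACK bit is set, while the connection table rejects it because no inside host ever opened that flow.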

High level of protection

In the article on the data center segment, we considered the following protection methods.

  • stateful firewalling (default)
  • DDoS/DoS protection
  • application firewalling
  • threat prevention (antivirus, anti-spyware, and vulnerability protection)
  • URL filtering
  • data filtering (content filtering)
  • file blocking (file type blocking)

In the case of the office, the picture is similar, but the priorities are somewhat different. Office availability is usually not as critical as in the data center, while the probability of "internal" malicious traffic is an order of magnitude higher.
Therefore, the following protection methods become critical for this segment:

  • application firewalling
  • threat prevention (antivirus, anti-spyware, and vulnerability protection)
  • URL filtering
  • data filtering (content filtering)
  • file blocking (file type blocking)

Although all of these protection methods, except application firewalling, have traditionally been and still are handled on the end hosts (for example, by installing antivirus software) and by proxies, modern NGFWs also provide these functions.

Security vendors strive to create comprehensive protection, so alongside on-box protection they offer various cloud technologies and client software for hosts (endpoint protection / EPP). For example, from the 2018 Gartner Magic Quadrant we see that Palo Alto and Cisco have their own EPPs (PA: Traps, Cisco: AMP), but they are far from the leaders.

Enabling these protections on the firewall (usually by purchasing a license) is not mandatory (you can go the traditional route), but it provides some advantages:

  • there is a single point where the protection methods are applied, which improves visibility (see the next point)
  • if there is an unprotected device on your network, it still falls under the "umbrella" of the firewall's protection
  • by using firewall protection together with end-host protection, we increase the probability of detecting malicious traffic. For example, running threat prevention both on the local hosts and on the firewall increases the probability of detection (provided, of course, that these solutions are based on different software products)

Note

If, for example, you use Kaspersky as the antivirus both on the firewall and on the end hosts, then this, of course, will not greatly increase your chances of stopping a virus attack on your network.

Network visibility

The basic idea is simple: to "see" what is happening on your network, both in real time and in historical data.

I would divide this "vision" into two groups:

Group one: what a monitoring system usually gives you.

  • equipment load
  • port load
  • memory utilization
  • disk utilization
  • routing table changes
  • link status
  • availability of equipment (or hosts)
  • ...

Group two: security-related information.

  • various kinds of statistics (for example, by application, by URL traffic, what types of data were downloaded, user data)
  • what the security policies blocked and for what reason, namely
    • prohibited application
    • denied based on ip/protocol/port/flags/zones
    • threat prevention
    • URL filtering
    • data filtering
    • file blocking
    • ...
  • DoS/DDoS attack statistics
  • failed authentication and authorization attempts
  • statistics for all of the above security policy violation events
  • ...

In this chapter on security, we are interested in the second group.

Some modern firewalls (from my Palo Alto experience) provide a good level of visibility. But, of course, the traffic you are interested in must pass through this firewall (in which case you also have the ability to block it) or be mirrored to the firewall (used only for monitoring and analysis), and you must have the licenses to enable all these functions.

There is, of course, an alternative, or rather the traditional path, for example,

  • session statistics can be collected via NetFlow, and then specialized utilities used for data analysis and visualization
  • threat prevention: specialized software (antivirus, anti-spyware, firewall) on the end hosts
  • URL filtering, data filtering, file blocking: on a proxy
  • it is also possible to analyze tcpdump captures using, for example, snort

You can combine these two approaches, supplementing missing functions or duplicating them to increase the probability of detecting an attack.

Which approach should you choose?
It depends heavily on the qualifications and preferences of your team.
Both have their pros and cons.
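As an added illustration of the "traditional path" (not code from the article or from any of the tools it names), here is the kind of check you can run over exported flow records when there is no NGFW in the path. The flow lines are constructed in the shape a NetFlow/IPFIX collector would export (start time, src, dst, proto, sport, dport, bytes, packets); the office, shared-services and data center subnets and the access policy are hypothetical. The script reports flows that leave the office segment outside the allowed policy and lists the top talkers, which is exactly the "see it, then react" level of visibility discussed above.

```python
"""Visibility from flow records instead of an NGFW.

Added example, not from the article. FLOW_EXPORT is a constructed export in
the shape a NetFlow/IPFIX collector would give you; subnets and POLICY are
hypothetical. Flags office-originated flows outside the policy and ranks
sources by bytes sent.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Constructed export; in practice this comes from nfdump, pmacct or similar.
FLOW_EXPORT = """\
2019-04-02T10:00:01,10.1.5.12,10.10.0.25,tcp,51234,993,48213,60
2019-04-02T10:00:03,10.1.5.12,10.10.0.30,tcp,51240,443,8120,19
2019-04-02T10:00:05,10.1.7.40,10.20.1.15,tcp,49200,22,112000,300
2019-04-02T10:00:09,10.1.7.40,10.20.1.15,tcp,49201,3389,600,8
2019-04-02T10:00:12,10.1.9.77,198.51.100.9,tcp,40001,4444,9500000,7100
2019-04-02T10:00:15,10.1.9.77,10.20.2.8,tcp,40002,445,2048,12
2019-04-02T10:00:20,10.1.5.12,10.10.0.53,udp,53000,53,180,2
"""

OFFICE = ipaddress.ip_network("10.1.0.0/16")        # office user subnets
SHARED = ipaddress.ip_network("10.10.0.0/24")       # mail, wiki, dns
DATACENTER = ipaddress.ip_network("10.20.0.0/16")   # project servers

# What office hosts may open: (destination network, proto, dport). Hypothetical.
POLICY: List[Tuple[ipaddress.IPv4Network, str, int]] = [
    (SHARED, "tcp", 993), (SHARED, "tcp", 443), (SHARED, "udp", 53),
    (DATACENTER, "tcp", 22), (DATACENTER, "tcp", 443),
]
INTERNET_PORTS = {80, 443}   # only web traffic to the Internet from the office


@dataclass(frozen=True)
class Flow:
    start: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    sport: int
    dport: int
    bytes: int
    packets: int


def parse_flows(text: str) -> List[Flow]:
    """Parse one comma-separated flow record per line."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, sport, dport, nbytes, pkts = line.split(",")
        flows.append(Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          proto, int(sport), int(dport), int(nbytes), int(pkts)))
    return flows


def is_allowed(flow: Flow) -> bool:
    """Judge only flows originated in the office segment."""
    if flow.src not in OFFICE:
        return True
    if flow.dst.is_private:
        return any(flow.dst in net and flow.proto == proto and flow.dport == port
                   for net, proto, port in POLICY)
    return flow.proto == "tcp" and flow.dport in INTERNET_PORTS


def analyze(text: str) -> dict:
    """Return policy violations and the three largest senders by bytes."""
    flows = parse_flows(text)
    violations = [(str(f.src), str(f.dst), f.proto, f.dport)
                  for f in flows if not is_allowed(f)]
    talkers: Counter = Counter()
    for f in flows:
        talkers[str(f.src)] += f.bytes
    return {"violations": violations, "top_talkers": talkers.most_common(3)}


if __name__ == "__main__":
    report = analyze(FLOW_EXPORT)
    for v in report["violations"]:
        print("policy violation:", v)
    print("top talkers:", report["top_talkers"])
```

In the constructed data, the RDP attempt to a project server, the SMB attempt to another project, and the 9.5 MB upload to an Internet host on port 4444 all surface as violations, and the same host that did the upload is the top talker. Flow data cannot tell you what was inside those sessions (that is what the firewall's L7 functions are for), but it does tell you where to look.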

Unified centralized authentication and authorization system

When designed well, the mobility we discussed in this article assumes that you have the same access whether you work from the office or from home, from an airport, from a coffee shop or anywhere else (with the limitations discussed above). It would seem, what is the problem?
To better understand the complexity of this task, let's look at a typical design.

Example:

  • you have divided all employees into groups. You decided to grant access by group
  • in the office, you control access on the office firewall
  • you control traffic from the office to the data center on the data center firewall
  • you use a Cisco ASA as the VPN gateway, and to control traffic entering your network from remote clients you use local ACLs (on the ASA)

Now, let's say you are asked to grant additional access to a particular employee. In this case you are asked to grant the access only to him, and not to anyone else in his group.

For this we have to create a separate group for this employee, that is

  • create a separate IP pool on the ASA for this employee
  • add a new ACL on the ASA and bind it to this remote client
  • create new security policies on the office and data center firewalls

It is fine if this is a rare event. But in my practice there was a situation where employees participated in different projects, and for some of them this set of projects changed quite often, and it was not 1-2 people but dozens. Clearly, something needed to change here.

This was solved in the following way.

We decided that LDAP would be the single source of truth defining all possible accesses of an employee. We created all kinds of groups, each defining a set of accesses, and assigned each user to one or more groups.

So, for example, suppose there are the groups

  • guest (Internet access)
  • common (access to shared resources: mail, knowledge base, ...)
  • accounting
  • project 1
  • project 2
  • database admin
  • Linux administrator
  • ...

And if one of the employees is involved in both project 1 and project 2, and needs the access required to work on these projects, then this employee is assigned to the following groups:

  • guest
  • common
  • project 1
  • project 2

How can we turn this information into access on the network equipment?

Cisco ASA Dynamic Access Policy (DAP) (see www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html) is a solution that fits this task exactly.

Briefly about our implementation: during the identification/authorization process, the ASA receives from LDAP the list of groups the given user belongs to and "assembles", from several local ACLs (each corresponding to a group), a dynamic ACL with all the required accesses, which is exactly what we wanted.

But this is only for VPN connections. To make the situation the same for employees connected via VPN and those sitting in the office, the following step was taken.

When connecting from the office, users authenticated with 802.1x ended up either in the guest LAN (for guests) or in the shared LAN (for company employees). Then, to obtain specific access (for example, to services in the data center), employees had to connect via VPN.

Different tunnel groups on the ASA were used for connecting from the office and from home. This was necessary so that for those connecting from the office, traffic to the shared resources (used by all employees, such as mail, file servers, the ticketing system, DNS, ...) did not go through the ASA but over the local network. Thus we did not load the ASA with unnecessary traffic, including heavy traffic.

So the problem was solved.
We got

  • a single set of accesses for connections from the office and for remote connections
  • no service degradation when working from the office due to pushing heavy traffic through the ASA

What are the advantages of this approach?
Manageability of access. Accesses can be easily changed in one place.
For example, if an employee leaves the company, you simply remove him from LDAP, and he immediately loses all access.
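The following is an added model of that scheme (not the article's own configuration, and not the ASA's DAP implementation itself): per-group ACLs are kept as plain Cisco-style lines, the user's LDAP group list drives which of them are concatenated into one dynamic ACL, the office tunnel group leaves out the entries for shared resources that are reached over the LAN, and offboarding is a single directory change. The group names, subnets, directory contents and the names of the two tunnel groups are all constructed.

```python
"""Assembling a per-user VPN ACL from LDAP group membership.

Added example, not from the article. Models the behaviour described in the
text (DAP concatenates the ACLs of the user's groups into one dynamic ACL).
GROUP_ACLS, DIRECTORY, subnets and tunnel-group names are constructed.
"""
from typing import Dict, List

# Hypothetical per-group ACLs in Cisco-like notation (constructed).
GROUP_ACLS: Dict[str, List[str]] = {
    "guest":    ["permit tcp any any eq 80",
                 "permit tcp any any eq 443"],
    "common":   ["permit tcp any host 10.10.0.25 eq 993",   # mail
                 "permit tcp any host 10.10.0.30 eq 443",   # knowledge base
                 "permit udp any host 10.10.0.53 eq 53"],   # dns
    "project1": ["permit tcp any 10.20.1.0 255.255.255.0 eq 22",
                 "permit tcp any 10.20.1.0 255.255.255.0 eq 443"],
    "project2": ["permit tcp any 10.20.2.0 255.255.255.0 eq 22"],
    "db-admin": ["permit tcp any 10.30.0.0 255.255.255.0 eq 5432"],
}

# Groups whose resources are served over the office LAN. For the office
# tunnel group they are left out of the tunnel ACL so that traffic does not
# get hairpinned through the ASA (the reason for the two tunnel groups).
LOCAL_GROUPS = {"common"}

TUNNEL_GROUPS = ("home", "office")   # hypothetical tunnel-group names

# Constructed LDAP directory: user -> memberOf
DIRECTORY: Dict[str, List[str]] = {
    "alice": ["guest", "common", "project1", "project2"],
    "bob":   ["guest", "common", "db-admin"],
}


def ldap_groups(directory: Dict[str, List[str]], user: str) -> List[str]:
    """What the ASA gets back from LDAP: the user's group list (empty if unknown)."""
    return list(directory.get(user, []))


def build_dynamic_acl(groups: List[str], tunnel_group: str = "home") -> List[str]:
    """Concatenate the ACLs of the given groups in a stable order, drop
    duplicate lines, and finish with the implicit deny."""
    if tunnel_group not in TUNNEL_GROUPS:
        raise ValueError(f"unknown tunnel group: {tunnel_group}")
    lines: List[str] = []
    for group in sorted(groups):
        if group not in GROUP_ACLS:
            continue                  # a group without an ACL grants nothing
        if tunnel_group == "office" and group in LOCAL_GROUPS:
            continue                  # reached directly over the LAN
        for line in GROUP_ACLS[group]:
            if line not in lines:
                lines.append(line)
    lines.append("deny ip any any")
    return lines


def user_acl(directory: Dict[str, List[str]], user: str,
             tunnel_group: str = "home") -> List[str]:
    """The ACL the user ends up with for a connection via the given tunnel group."""
    return build_dynamic_acl(ldap_groups(directory, user), tunnel_group)


def remove_user(directory: Dict[str, List[str]], user: str) -> Dict[str, List[str]]:
    """Offboarding: one change in the directory revokes every access at once."""
    updated = dict(directory)
    updated.pop(user, None)
    return updated


if __name__ == "__main__":
    for tg in TUNNEL_GROUPS:
        print(f"alice via {tg}:")
        for line in user_acl(DIRECTORY, "alice", tg):
            print("  ", line)
    print("alice after removal:", user_acl(remove_user(DIRECTORY, "alice"), "alice"))
```

Moving alice from project 2 to project 3 is then a change of one group membership in LDAP, with nothing to touch on the ASA; and because the deny line is appended last, a user whose groups are all unknown gets an ACL that permits nothing rather than one that accidentally permits everything.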

Host checking

With the possibility of remote connections, we run the risk of letting into the network not only the company's employee but also all the malicious software that may be present on his (for example, home) computer; moreover, through that software he may give an attacker access to our network, with this host used as a proxy.

It makes sense to apply to a remotely connected host the same security requirements as to an office host.

This also assumes "correct" versions of the OS, antivirus, anti-spyware and firewall software, and up-to-date patches. Typically this capability exists on the VPN gateway (for the ASA see, for example, here).

It also makes sense to apply the same traffic analysis and blocking techniques (see "High level of protection") that your security policy applies to office traffic.

It is reasonable to assume that your office network is no longer limited to the office building and the hosts inside it.

Example:

A good approach is to provide each employee who needs remote access with a good, convenient laptop and require them to work only from it, both in the office and from home.

This not only improves the security of your network, but is also genuinely convenient and is usually viewed favorably by employees (provided it really is a good, convenient laptop).

On a sense of proportion and balance

Essentially, this is a conversation about the third vertex of our triangle: cost.
Let's look at a hypothetical example.

Example:

You have an office for 200 people. You decided to make it as convenient and as secure as possible.

Therefore, you decided to pass all traffic through a firewall, so for all office subnets the firewall is the default gateway. In addition to the security software installed on every end host (antivirus, anti-spyware and firewall software), you decided to use every possible protection method on the firewall.

To ensure high connection speed (all for convenience), you chose switches with 10 Gigabit access ports as access switches, and high-performance NGFWs as firewalls, for example the Palo Alto 7K series (with 40 Gigabit ports), naturally with all licenses included and, naturally, as a high-availability pair.

Also, of course, to operate this class of equipment we need at least a couple of highly qualified security engineers.

Next, you decided to give each employee a good laptop.

In total, about 10 million dollars for implementation, and hundreds of thousands of dollars (I think close to a million) per year for support and engineers' salaries.

An office for 200 people...
Convenient? I think so.

You bring this proposal to your management...
Perhaps there are a number of companies in the world for which this is an acceptable and correct solution. If you are an employee of such a company, congratulations, but in the vast majority of cases I am sure your expertise will not be appreciated by management.

Is this example exaggerated? The next chapter will answer this question.

If you do not see any of the above on your network, that is the norm.
For each specific case, you need to find your own reasonable compromise between convenience, cost and security. Often you do not need an NGFW in your office, and L7 protection on the firewall is not required. It is enough to provide a good level of visibility and alerting, and this can be done with open-source products, for example. Yes, your reaction to an attack will not be instant, but the main thing is that you will see it, and with the right processes in your department, you will be able to neutralize it quickly.

And let me remind you that, in keeping with the idea of this series of articles, you are not designing a network; you are only trying to improve what you inherited.

Analysis of the SAFE office architecture

Pay attention to the red frame with which I have highlighted the area on the diagram from the SAFE Secure Campus Architecture Guide that I would like to discuss here.

[Diagram from the Cisco SAFE Secure Campus Architecture Guide; the area under discussion is highlighted in red]

This is one of the key points of the architecture and one of the most important uncertainties.

Note

I have never set up or operated FirePower (from Cisco's firewall line I have worked only with the ASA), so I will treat it like any other firewall, such as a Juniper SRX or a Palo Alto, assuming it has similar capabilities.

Among the usual designs, I see only 4 possible options for using a firewall with this connection:

  • the default gateway for each subnet is the switch, while the firewall is in transparent mode (that is, all traffic passes through it, but it does not form an L3 hop)
  • the default gateway for each subnet is a firewall subinterface (or SVI), and the switch plays the role of L2 only
  • separate VRFs are used on the switch, traffic between VRFs passes through the firewall, and traffic within one VRF is controlled by ACLs on the switch
  • all traffic is mirrored to the firewall for analysis and monitoring; traffic does not pass through it

Note 1

Combinations of these options are possible, but for simplicity we will not consider them.

Note 2

There is also the option of using PBR (a service-chain architecture), but for now this, although a beautiful solution in my opinion, is rather exotic, so I do not consider it here.

From the description of the flows in the document, we see that traffic still goes through the firewall, that is, in accordance with the Cisco design, the fourth option is ruled out.

Let's first look at the first two options.
With these options, all traffic passes through the firewall.

Now let's look at the datasheet, look at the Cisco GPL, and we see that if we want the total bandwidth for our office to be at least 10-20 gigabits, we have to buy the 4K series.

Note

When I talk about total bandwidth, I mean traffic between subnets (not within one VLAN).

From the GPL we see that for an HA bundle with Threat Defense, the price, depending on the model (4110-4150), ranges from roughly 0.5 to 2.5 million dollars.

That is, our design starts to resemble the previous example.

Does this mean this design is wrong?
No, it does not. Cisco offers you the best possible protection based on the product line it has. But that does not mean it is a must for you.

In principle, this is a common question that arises when designing an office or a data center, and it only means that a compromise has to be sought.

For example, do not let all traffic go through the firewall, in which case option 3 looks good to me; or (see the previous section) perhaps you do not need Threat Defense, or do not need a firewall at all in that part of the network and can limit yourself to passive monitoring using paid (inexpensive) or open-source solutions; or you do need a firewall, but from a different vendor.

Usually this uncertainty exists, and there is no clear answer as to which decision is best for you.
This is the complexity and the beauty of this task.

source: www.habr.com
