Facing the Developers: Modernizing a Private Cloud

Is it hard to create a virtual machine (VM) in the cloud? No harder than making tea. But in a large corporation, even such a simple task can become painfully long. It is not enough to create the virtual machine; you also need to obtain the access it requires to operate, in line with all the regulations. A familiar pain for every developer? At one large bank this procedure took from several hours to several days. And since there were hundreds of such operations every month, it is easy to imagine the scale of this labour-consuming scheme. To put an end to it, we modernized the bank's private cloud and automated not only the VM creation process but also the related operations.


Task No. 1. A cloud with Internet connectivity

The bank had built its private cloud with its internal IT team for a single network segment. Over time, management appreciated its benefits and decided to extend the private cloud concept to other environments and segments of the bank. This required more specialists and strong expertise in private clouds. So our team was entrusted with modernizing the cloud.

The main stream of this project was creating virtual machines in an additional information security segment: the demilitarized zone (DMZ). This is where the bank's services integrate with external systems located outside the banking infrastructure.

But this medal also has a reverse side. Services in the DMZ are reachable "from outside", and this carries the full set of information security risks. First of all, this is the threat of systems being hacked, the attack surface then expanding within the DMZ, and subsequent penetration into the bank's infrastructure. To reduce some of these risks, we proposed an additional security measure: a microsegmentation solution.

Microsegmentation protection

Traditional segmentation builds protective perimeters at network boundaries using firewalls. With microsegmentation, each individual VM can be placed in its own isolated segment.

This raises the security of the system as a whole. Even if attackers compromise one DMZ server, it will be very difficult for them to spread the attack across the network: they would have to get through many "locked doors" inside it. Each VM's own firewall holds its own rules, which define the rights to inbound and outbound access. We provided microsegmentation using the VMware NSX-T Distributed Firewall. This product centrally creates firewall rules for VMs and distributes them across the virtualization infrastructure. It does not matter which guest OS is used; the rule is applied at the level where virtual machines connect to the network.

Task No. 2. In pursuit of speed and convenience

Deploy a virtual machine? Easy! A couple of clicks and you're done. But then many questions arise: how do you get access from this VM to another VM or system? Or from another system back to the VM?

For example, at the bank, after ordering a VM on the cloud portal, you had to open the technical support portal and submit a request for the necessary access. Errors in the request led to calls and correspondence to fix the situation. At the same time, a VM may have 10-15-20 accesses, and processing each of them took time. A hellish process.

In addition, "cleaning up" the traces left by deleted virtual machines required special care. After they were removed, thousands of access rules remained on the firewalls, loading the equipment. This is both extra load and security holes.

You can't handle rules this way in a cloud. It is inconvenient and unsafe.

To reduce the time it takes to provide access to VMs and to make managing that access convenient, we created a network access management service for VMs.

At the virtual machine level, the user selects an item in the context menu to create an access rule, then in the form that opens specifies the parameters: from where, to where, protocol types, port numbers. After the form is filled in and submitted, the corresponding tickets are created automatically in the user technical support system based on HP Service Manager. They go to those responsible for approving this or that access and, if access is approved, to the specialists who perform some of the operations that are not yet automated.

After the stage of the business process that involves the specialists has completed, the part of the service that automatically creates rules on the firewalls starts.

As the final chord, the user sees the successfully completed request on the portal. This means that the rule has been created and you can work with it: view, modify, delete.


The final tally of benefits

In essence, we modernized small parts of the private cloud, but the bank obtained a notable result. Users now obtain network access through the portal only, without dealing with the Service Desk directly. Mandatory form fields, validation of the entered data, preset lists, additional data: all of this helps to formulate an access request that, with a high degree of probability, will be reviewed and not rejected by information security staff because of input errors. Virtual machines are no longer black boxes: you can keep working with them by making changes on the portal.

As a result, the bank's IT specialists today have a more convenient tool for obtaining access, and only those people are involved in the process who definitely cannot be done without. Overall, in terms of labour costs, this frees at least 1 person from a full daily workload, plus many hours saved for users. Automating rule creation made it possible to implement a microsegmentation policy that does not burden bank staff.

And finally, the "access rule" became an inventory unit of the cloud. That is, the cloud now stores information about the rules for all VMs and cleans them up when virtual machines are deleted.
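The form validation and the rule-as-inventory cleanup described above can be sketched as follows. This is an added example, not the bank's or the authors' code; the class and function names, the protocol list, the rejection of 0.0.0.0/0 and the sample addresses are assumptions, and no NSX-T or HP Service Manager API is called.

```python
import ipaddress
from dataclasses import dataclass

ALLOWED_PROTOCOLS = {"tcp", "udp"}  # assumed preset list offered by the form

@dataclass(frozen=True)
class AccessRule:
    owner_vm: str
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    protocol: str
    ports: tuple

def validate_request(owner_vm, source, destination, protocol, ports):
    """Reject malformed or overly broad requests before any ticket is raised."""
    if not owner_vm:
        raise ValueError("owner VM is required")
    proto = str(protocol).lower()
    if proto not in ALLOWED_PROTOCOLS:
        raise ValueError(f"unsupported protocol: {protocol!r}")
    # IPv4Network raises ValueError on bad syntax or stray host bits (10.0.0.5/24)
    src, dst = ipaddress.IPv4Network(source), ipaddress.IPv4Network(destination)
    if src.prefixlen == 0 or dst.prefixlen == 0:  # assumed policy: no "any" endpoint
        raise ValueError("0.0.0.0/0 is not accepted as an endpoint")
    if not ports or not all(isinstance(p, int) and 1 <= p <= 65535 for p in ports):
        raise ValueError("ports must be integers in 1..65535")
    return AccessRule(owner_vm, src, dst, proto, tuple(sorted(set(ports))))

class RuleInventory:
    """Access rules kept as inventory items next to the VMs they belong to."""
    def __init__(self):
        self.vms = {}    # VM name -> address as a /32 network
        self.rules = []

    def add_vm(self, name, address):
        self.vms[name] = ipaddress.IPv4Network(address)

    def add_rule(self, rule):
        if rule.owner_vm not in self.vms:
            raise KeyError(f"unknown VM: {rule.owner_vm}")
        self.rules.append(rule)

    def delete_vm(self, name):
        """Drop the VM; return every rule to withdraw from the firewall."""
        addr = self.vms.pop(name)
        stale = [r for r in self.rules
                 if r.owner_vm == name or addr in (r.source, r.destination)]
        self.rules = [r for r in self.rules if r not in stale]
        return stale
```

Deleting a VM returns both the rules it owned and the rules of other VMs that still name its address, which is the set that would otherwise linger on the firewalls.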

Soon the benefits of the modernization will spread to the bank's entire cloud. Automation of the VM creation process and microsegmentation have gone beyond the DMZ and taken in other segments. And this has increased the security of the cloud as a whole.

The implemented solution is also interesting in that it allows the bank to speed up development processes, bringing it closer, by this measure, to the model of IT companies. After all, when it comes to mobile applications, portals and customer services, every large company today strives to become a "factory" producing digital products. In this sense, banks are effectively playing on a par with the strongest IT companies, continually creating new applications. And it is good when the capabilities of an IT infrastructure built on the private cloud model let you allocate the resources needed for this in a few minutes and as securely as possible.

Authors:
Vyacheslav Medvedev, Head of the Cloud Computing Department, Jet Infosystems,
Ilya Kuikin, Lead Engineer, Cloud Computing Department, Jet Infosystems

source: www.habr.com
