ProHoster > Блог > Gudanarwa > Palo Alto Networks NGFW Tsaro Manufofin Tsaro

Palo Alto Networks NGFW Tsaro Manufofin Tsaro

Yadda ake Auna Tasirin Saitin NGFW

Babban aikin gama gari shine duba yadda aka tsara aikin Tacewar zaɓinku yadda ya kamata. Don yin wannan, akwai abubuwan amfani da sabis na kyauta daga kamfanonin da ke hulɗa da NGFW.

Misali, zaku iya gani a ƙasa cewa Palo Alto Networks yana da ikon kai tsaye daga tashar tallafi gudanar da bincike na kididdigar bangon wuta - Rahoton SLR ko nazarin yarda da mafi kyawun ayyuka - Rahoton BPA. Waɗannan kayan aikin kan layi kyauta ne waɗanda zaku iya amfani da su ba tare da shigar da komai ba.
Palo Alto Networks NGFW Tsaro Manufofin Tsaro

TARIHI

Balaguro (Kayan Hijira)
Manufar ingantawa
Zero Dogara
Danna kan Mara amfani
Danna kan App ɗin da ba a yi amfani da shi ba
Danna Babu Ƙayyadaddun Ayyuka
Koyon Inji fa?
UTD

Balaguro (Kayan Hijira)

Palo Alto Networks NGFW Tsaro Manufofin Tsaro

Wani zaɓi mai rikitarwa don bincika saitunanku shine sauke kayan aiki kyauta Balaguro (Tsohon Kayan Aikin Hijira). Ana zazzage shi azaman Kayan aikin Virtual don VMware, ba a buƙatar saiti tare da shi - kuna buƙatar zazzage hoton kuma saka shi a ƙarƙashin VMware hypervisor, ƙaddamar da shi kuma je zuwa mahaɗin yanar gizo. Wannan mai amfani yana buƙatar wani labari daban, kawai darasi akan shi yana ɗaukar kwanaki 5, akwai ayyuka da yawa a yanzu, gami da Koyon Injin da ƙaura na daban-daban na manufofi, NAT da abubuwa don masana'antun Firewall daban-daban. Zan rubuta ƙarin game da Koyon Injin da ke ƙasa a cikin rubutu.

Manufar ingantawa

Kuma mafi dacewa zaɓi (IMHO), wanda zan gaya muku dalla-dalla a yau, shine ingantaccen manufofin da aka gina a cikin hanyar sadarwar Palo Alto Networks kanta. Don nuna shi, na shigar da bangon wuta a gida kuma na rubuta ƙa'ida mai sauƙi: ba da izini ga kowa. A ka'ida, wasu lokuta ina ganin irin waɗannan dokoki har ma a cikin hanyoyin sadarwar kamfanoni. A zahiri, na kunna duk bayanan bayanan tsaro na NGFW, kamar yadda kuke gani a cikin hoton:
Palo Alto Networks NGFW Tsaro Manufofin Tsaro

Hoton da ke ƙasa yana nuna misalin gidana na Tacewar zaɓi wanda ba a tsara shi ba, inda kusan duk haɗin gwiwa ya faɗi cikin ƙa'idar ƙarshe: AllowAll, kamar yadda ake iya gani daga ƙididdiga a cikin Hit Count ginshiƙi.
Palo Alto Networks NGFW Tsaro Manufofin Tsaro

Zero Dogara

Akwai hanyar tsaro da ake kira Zero Dogara. Abin da wannan ke nufi: Dole ne mu ƙyale mutane a cikin hanyar sadarwar daidai waɗancan haɗin da suke buƙata kuma mu musun komai. Wato, muna buƙatar ƙara takamaiman dokoki don aikace-aikace, masu amfani, nau'ikan URL, nau'ikan fayil; ba da damar duk sa hannun IPS da riga-kafi, kunna sandboxing, kariya ta DNS, yi amfani da IoC daga bayanan bayanan Barazana. Gabaɗaya, akwai ingantattun ayyuka yayin kafa bangon wuta.

Af, mafi ƙarancin saiti na saitunan da ake buƙata don Palo Alto Networks NGFW an bayyana shi a cikin ɗayan takaddun SANS: Alamar Kanfigareshan Tsaro na Palo Alto Networks - Ina ba da shawarar farawa da shi. Kuma ba shakka, akwai tsarin mafi kyawun ayyuka don kafa bangon wuta daga masana'anta: Kyakkyawan iceabi'a.

Don haka, ina da bangon wuta a gida har tsawon mako guda. Bari mu ga irin zirga-zirgar ababen hawa a cibiyar sadarwa ta:
Palo Alto Networks NGFW Tsaro Manufofin Tsaro

Idan kun daidaita ta adadin zaman, to yawancin su an ƙirƙira su ta bittorent, sannan SSL ta zo, sannan QUIC. Waɗannan ƙididdiga ne na zirga-zirga masu shigowa da masu fita: akwai da yawa na sikanin na'ura mai ba da hanya tsakanin hanyoyin sadarwa na. Akwai aikace-aikace daban-daban guda 150 akan hanyar sadarwa ta.

Don haka, duk wannan doka ɗaya ta ɓace. Bari yanzu mu ga abin da Policy Optimizer ya ce game da wannan. Idan ka duba a sama a hoton da ke cikin dubawa tare da dokokin tsaro, to a ƙasan hagu ka ga wata karamar taga da ke nuna min cewa akwai dokoki da za a iya inganta su. Mu danna can.

Abin da Ma'auni na ingantawa ya nuna:

  • Wadanne manufofin ba a yi amfani da su kwata-kwata, kwanaki 30, kwanaki 90. Wannan yana taimakawa wajen yanke shawarar cire su gaba daya.
  • Waɗanne aikace-aikacen da aka ƙayyade a cikin manufofin, amma ba a gano irin waɗannan aikace-aikacen a cikin zirga-zirga ba. Wannan yana ba ku damar cire aikace-aikacen da ba dole ba a cikin izinin ƙa'idodi.
  • Waɗanne manufofi ne suka ba da izinin komai, amma akwai ainihin aikace-aikacen da zai yi kyau a nuna su a sarari bisa ga hanyar Zero Trust.

Palo Alto Networks NGFW Tsaro Manufofin Tsaro

Bari mu danna kan Unsed.

Don nuna yadda yake aiki, na ƙara ƴan ƙa'idodi kuma ya zuwa yanzu ba su rasa fakiti ɗaya ba a yau. Ga jerin su:
Palo Alto Networks NGFW Tsaro Manufofin Tsaro
Wataƙila bayan lokaci za a sami zirga-zirga a can sannan za su ɓace daga wannan jerin. Kuma idan suna cikin wannan jerin na kwanaki 90, to, zaku iya yanke shawarar share waɗannan dokoki. Bayan haka, kowace doka tana ba da dama ga dan gwanin kwamfuta.

Akwai matsala ta gaske lokacin da ake saita Tacewar zaɓi: sabon ma'aikaci ya zo, ya dubi ka'idodin Tacewar zaɓi, idan ba su da wani sharhi kuma bai san dalilin da yasa aka ƙirƙiri wannan doka ba, ko da gaske ake buƙata, ko zai iya. share: ba zato ba tsammani mutumin yana hutu kuma bayan A cikin kwanaki 30, zirga-zirgar zirga-zirga za ta sake gudana daga sabis ɗin da yake buƙata. Kuma kawai wannan aikin yana taimaka masa yanke shawara - babu wanda ke amfani da shi - share shi!

Danna kan App ɗin da ba a yi amfani da shi ba.

Mun danna App ɗin da ba a yi amfani da shi ba a cikin ingantawa kuma mu ga cewa bayanai masu ban sha'awa suna buɗewa a cikin babban taga.

Mun ga cewa akwai dokoki guda uku, inda adadin aikace-aikacen da aka yarda da kuma adadin aikace-aikacen da suka zartar da wannan doka sun bambanta.
Palo Alto Networks NGFW Tsaro Manufofin Tsaro
Za mu iya danna mu ga jerin waɗannan aikace-aikacen mu kwatanta waɗannan lissafin.
Misali, danna maɓallin Kwatanta don tsarin Max.
Palo Alto Networks NGFW Tsaro Manufofin Tsaro
Anan zaku iya ganin cewa an ba da izinin aikace-aikacen facebook, instagram, telegram, vkontakte. Amma a zahiri, zirga-zirga ya tafi zuwa wasu ƙananan aikace-aikacen. Anan kuna buƙatar fahimtar cewa aikace-aikacen facebook yana ɗauke da sub-applications da yawa.

Ana iya ganin duk jerin aikace-aikacen NGFW akan tashar applipedia.paloaltonetworks.com da kuma a cikin Firewall interface kanta, a cikin Objects->Applications section da kuma a cikin search, rubuta sunan aikace-aikace: facebook, za ka samu kamar haka sakamakon:
Palo Alto Networks NGFW Tsaro Manufofin Tsaro
Don haka, wasu daga cikin waɗannan ƙananan aikace-aikacen NGFW sun gani, amma wasu ba su gani ba. A zahiri, zaku iya hanawa da ba da izini daban-daban sub-ayyukan Facebook. Misali, ba da izinin duba saƙonni, amma hana taɗi ko canja wurin fayil. Dangane da haka, Manufofin Mahimmanci yayi magana game da wannan kuma zaku iya yanke shawara: kar ku ƙyale duk aikace-aikacen Facebook, amma kawai manyan.

Don haka, mun gane cewa lissafin sun bambanta. Kuna iya tabbatar da cewa dokokin sun ba da izini kawai waɗancan aikace-aikacen da ke tafiya a kan hanyar sadarwa. Don yin wannan, danna maɓallin MatchUsage. Ya kasance kamar haka:
Palo Alto Networks NGFW Tsaro Manufofin Tsaro
Hakanan zaka iya ƙara aikace-aikacen da kuke la'akari da zama dole - maɓallin Ƙara a gefen hagu na taga:
Palo Alto Networks NGFW Tsaro Manufofin Tsaro
Sannan ana iya amfani da wannan doka kuma a gwada. Taya murna!

Danna Babu Ƙayyadaddun Ayyuka.

A wannan yanayin, wani muhimmin taga tsaro zai buɗe.
Palo Alto Networks NGFW Tsaro Manufofin Tsaro
Akwai yuwuwar samun irin waɗannan dokoki da yawa a cikin hanyar sadarwar ku inda ba a fayyace matakin matakin L7 ba. Kuma a cikin hanyar sadarwa ta akwai irin wannan ka'ida - bari in tunatar da ku cewa na yi shi a lokacin saitin farko, musamman don nuna yadda Manufofin Manufofin ke aiki.

Hoton ya nuna cewa dokar AllowAll ta ba da izinin zirga-zirgar gigabytes 9 a cikin lokacin daga Maris 17 zuwa Maris 220, wanda shine aikace-aikacen 150 daban-daban a cikin hanyar sadarwa ta. Kuma hakan bai isa ba. Yawanci, matsakaicin girman cibiyar sadarwar kamfani yana da aikace-aikace daban-daban 200-300.

Don haka, doka ɗaya ta ba da damar yin amfani da aikace-aikacen da yawa kamar 150. Yawanci wannan yana nufin cewa ba'a saita Tacewar zaɓi daidai ba, saboda yawanci doka ɗaya ta ba da izinin aikace-aikacen 1-10 don dalilai daban-daban. Bari mu ga menene waɗannan aikace-aikacen: danna maɓallin Compare:
Palo Alto Networks NGFW Tsaro Manufofin Tsaro
Abu mafi ban mamaki ga mai gudanarwa a cikin Ayyukan Inganta Manufofin shine maɓallin Amfani da Match - zaku iya ƙirƙirar doka tare da dannawa ɗaya, inda zaku shigar da duk aikace-aikacen 150 a cikin ƙa'idar. Yin wannan da hannu zai ɗauki lokaci mai tsawo. Adadin ayyukan da mai gudanarwa zai yi aiki a kai, har ma akan hanyar sadarwa ta na'urori 10, suna da yawa.

Ina da aikace-aikace daban-daban 150 da ke gudana a gida, suna canja wurin gigabytes na zirga-zirga! Kuma nawa kuke da shi?

Amma menene ya faru a cikin hanyar sadarwa na na'urori 100 ko 1000 ko 10000? Na ga bangon wuta tare da dokoki 8000 kuma na yi farin ciki da cewa masu gudanarwa yanzu suna da irin waɗannan kayan aikin sarrafa kai masu dacewa.

Wasu daga cikin aikace-aikacen da tsarin nazarin aikace-aikacen L7 a cikin NGFW ya gani kuma ya nuna ba za ku buƙaci a kan hanyar sadarwar ba, don haka kawai ku cire su daga jerin ƙa'idodin ba da izini, ko rufe ƙa'idodin ta amfani da maɓallin Clone (a cikin babban dubawa) kuma ba da izini a cikin ƙa'idar aikace-aikacen guda ɗaya, kuma a cikin Za ku toshe wasu aikace-aikacen kamar yadda ba a buƙatar su a kan hanyar sadarwar ku. Irin waɗannan aikace-aikacen galibi sun haɗa da bittorent, tururi, ultrasurf, tor, ɓoyayyun tunnels kamar tcp-over-dn da sauransu.
Palo Alto Networks NGFW Tsaro Manufofin Tsaro
To, bari mu danna wata doka kuma mu ga abin da kuke iya gani a can:
Palo Alto Networks NGFW Tsaro Manufofin Tsaro
Ee, akwai aikace-aikace na yau da kullun don multicast. Dole ne mu ƙyale su don kallon bidiyo akan layi suyi aiki. Danna Amfani Match. Mai girma! Na gode Policy Optimizer.

Koyon Inji fa?

Yanzu yana da gaye don magana game da aiki da kai. Abin da na bayyana ya fito - yana taimakawa da yawa. Akwai ƙarin yuwuwar da ya kamata in yi magana akai. Wannan shine aikin Koyon Injin da aka gina a cikin Expedition utility, wanda aka riga aka ambata a sama. A cikin wannan kayan aiki, yana yiwuwa don canja wurin dokoki daga tsohon Tacewar zaɓi daga wani masana'anta. Har ila yau, akwai damar yin nazarin rajistan ayyukan hanyoyin sadarwa na Palo Alto Networks da kuma ba da shawarar abin da za a rubuta. Wannan yayi kama da ayyukan inganta Manufofin, amma a cikin Expedition an fi faɗaɗawa kuma ana ba ku jerin ƙa'idodin da aka shirya - kawai kuna buƙatar amincewa da su.
Don gwada wannan aikin, akwai aikin dakin gwaje-gwaje - muna kiran shi gwajin gwaji. Ana iya yin wannan gwajin ta hanyar shiga cikin tawul ɗin wuta, wanda ma'aikatan ofishin Palo Alto Networks a Moscow za su ƙaddamar da buƙatar ku.
Palo Alto Networks NGFW Tsaro Manufofin Tsaro
Ana iya aika buƙatar zuwa [email kariya] kuma a cikin buƙatar rubuta: "Ina so in yi UTD don Tsarin Hijira."

A zahiri, aikin dakin gwaje-gwaje da ake kira Unified Test Drive (UTD) yana da zaɓuɓɓuka da yawa kuma duka samuwa daga nesa bayan bukata.

Masu amfani da rajista kawai za su iya shiga cikin binciken. Shigadon Allah.

Kuna son wani ya taimake ku inganta manufofin Tacewar zaɓinku?

  • A

  • Babu

  • Zan yi shi duka da kaina

Babu wanda ya yi zabe tukuna. Ba a kauracewa zaben ba.

source: www.habr.com

Add a comment