Yadda ake Auna Tasirin Saitin NGFW
Babban aikin gama gari shine duba yadda aka tsara aikin Tacewar zaɓinku yadda ya kamata. Don yin wannan, akwai abubuwan amfani da sabis na kyauta daga kamfanonin da ke hulɗa da NGFW.
Misali, zaku iya gani a ƙasa cewa Palo Alto Networks yana da ikon kai tsaye daga
TARIHI
Balaguro (Kayan Hijira)
Wani zaɓi mai rikitarwa don bincika saitunanku shine sauke kayan aiki kyauta
Manufar ingantawa
Kuma mafi dacewa zaɓi (IMHO), wanda zan gaya muku dalla-dalla a yau, shine ingantaccen manufofin da aka gina a cikin hanyar sadarwar Palo Alto Networks kanta. Don nuna shi, na shigar da bangon wuta a gida kuma na rubuta ƙa'ida mai sauƙi: ba da izini ga kowa. A ka'ida, wasu lokuta ina ganin irin waɗannan dokoki har ma a cikin hanyoyin sadarwar kamfanoni. A zahiri, na kunna duk bayanan bayanan tsaro na NGFW, kamar yadda kuke gani a cikin hoton:
Hoton da ke ƙasa yana nuna misalin gidana na Tacewar zaɓi wanda ba a tsara shi ba, inda kusan duk haɗin gwiwa ya faɗi cikin ƙa'idar ƙarshe: AllowAll, kamar yadda ake iya gani daga ƙididdiga a cikin Hit Count ginshiƙi.
Zero Dogara
Akwai hanyar tsaro da ake kira
Af, mafi ƙarancin saiti na saitunan da ake buƙata don Palo Alto Networks NGFW an bayyana shi a cikin ɗayan takaddun SANS:
Don haka, ina da bangon wuta a gida har tsawon mako guda. Bari mu ga irin zirga-zirgar ababen hawa a cibiyar sadarwa ta:
Idan kun daidaita ta adadin zaman, to yawancin su an ƙirƙira su ta bittorent, sannan SSL ta zo, sannan QUIC. Waɗannan ƙididdiga ne na zirga-zirga masu shigowa da masu fita: akwai da yawa na sikanin na'ura mai ba da hanya tsakanin hanyoyin sadarwa na. Akwai aikace-aikace daban-daban guda 150 akan hanyar sadarwa ta.
Don haka, duk wannan doka ɗaya ta ɓace. Bari yanzu mu ga abin da Policy Optimizer ya ce game da wannan. Idan ka duba a sama a hoton da ke cikin dubawa tare da dokokin tsaro, to a ƙasan hagu ka ga wata karamar taga da ke nuna min cewa akwai dokoki da za a iya inganta su. Mu danna can.
Abin da Ma'auni na ingantawa ya nuna:
- Wadanne manufofin ba a yi amfani da su kwata-kwata, kwanaki 30, kwanaki 90. Wannan yana taimakawa wajen yanke shawarar cire su gaba daya.
- Waɗanne aikace-aikacen da aka ƙayyade a cikin manufofin, amma ba a gano irin waɗannan aikace-aikacen a cikin zirga-zirga ba. Wannan yana ba ku damar cire aikace-aikacen da ba dole ba a cikin izinin ƙa'idodi.
- Waɗanne manufofi ne suka ba da izinin komai, amma akwai ainihin aikace-aikacen da zai yi kyau a nuna su a sarari bisa ga hanyar Zero Trust.
Bari mu danna kan Unsed.
Don nuna yadda yake aiki, na ƙara ƴan ƙa'idodi kuma ya zuwa yanzu ba su rasa fakiti ɗaya ba a yau. Ga jerin su:
Wataƙila bayan lokaci za a sami zirga-zirga a can sannan za su ɓace daga wannan jerin. Kuma idan suna cikin wannan jerin na kwanaki 90, to, zaku iya yanke shawarar share waɗannan dokoki. Bayan haka, kowace doka tana ba da dama ga dan gwanin kwamfuta.
Akwai matsala ta gaske lokacin da ake saita Tacewar zaɓi: sabon ma'aikaci ya zo, ya dubi ka'idodin Tacewar zaɓi, idan ba su da wani sharhi kuma bai san dalilin da yasa aka ƙirƙiri wannan doka ba, ko da gaske ake buƙata, ko zai iya. share: ba zato ba tsammani mutumin yana hutu kuma bayan A cikin kwanaki 30, zirga-zirgar zirga-zirga za ta sake gudana daga sabis ɗin da yake buƙata. Kuma kawai wannan aikin yana taimaka masa yanke shawara - babu wanda ke amfani da shi - share shi!
Danna kan App ɗin da ba a yi amfani da shi ba.
Mun danna App ɗin da ba a yi amfani da shi ba a cikin ingantawa kuma mu ga cewa bayanai masu ban sha'awa suna buɗewa a cikin babban taga.
Mun ga cewa akwai dokoki guda uku, inda adadin aikace-aikacen da aka yarda da kuma adadin aikace-aikacen da suka zartar da wannan doka sun bambanta.
Za mu iya danna mu ga jerin waɗannan aikace-aikacen mu kwatanta waɗannan lissafin.
Misali, danna maɓallin Kwatanta don tsarin Max.
Anan zaku iya ganin cewa an ba da izinin aikace-aikacen facebook, instagram, telegram, vkontakte. Amma a zahiri, zirga-zirga ya tafi zuwa wasu ƙananan aikace-aikacen. Anan kuna buƙatar fahimtar cewa aikace-aikacen facebook yana ɗauke da sub-applications da yawa.
Ana iya ganin duk jerin aikace-aikacen NGFW akan tashar
Don haka, wasu daga cikin waɗannan ƙananan aikace-aikacen NGFW sun gani, amma wasu ba su gani ba. A zahiri, zaku iya hanawa da ba da izini daban-daban sub-ayyukan Facebook. Misali, ba da izinin duba saƙonni, amma hana taɗi ko canja wurin fayil. Dangane da haka, Manufofin Mahimmanci yayi magana game da wannan kuma zaku iya yanke shawara: kar ku ƙyale duk aikace-aikacen Facebook, amma kawai manyan.
Don haka, mun gane cewa lissafin sun bambanta. Kuna iya tabbatar da cewa dokokin sun ba da izini kawai waɗancan aikace-aikacen da ke tafiya a kan hanyar sadarwa. Don yin wannan, danna maɓallin MatchUsage. Ya kasance kamar haka:
Hakanan zaka iya ƙara aikace-aikacen da kuke la'akari da zama dole - maɓallin Ƙara a gefen hagu na taga:
Sannan ana iya amfani da wannan doka kuma a gwada. Taya murna!
Danna Babu Ƙayyadaddun Ayyuka.
A wannan yanayin, wani muhimmin taga tsaro zai buɗe.
Akwai yuwuwar samun irin waɗannan dokoki da yawa a cikin hanyar sadarwar ku inda ba a fayyace matakin matakin L7 ba. Kuma a cikin hanyar sadarwa ta akwai irin wannan ka'ida - bari in tunatar da ku cewa na yi shi a lokacin saitin farko, musamman don nuna yadda Manufofin Manufofin ke aiki.
Hoton ya nuna cewa dokar AllowAll ta ba da izinin zirga-zirgar gigabytes 9 a cikin lokacin daga Maris 17 zuwa Maris 220, wanda shine aikace-aikacen 150 daban-daban a cikin hanyar sadarwa ta. Kuma hakan bai isa ba. Yawanci, matsakaicin girman cibiyar sadarwar kamfani yana da aikace-aikace daban-daban 200-300.
Don haka, doka ɗaya ta ba da damar yin amfani da aikace-aikacen da yawa kamar 150. Yawanci wannan yana nufin cewa ba'a saita Tacewar zaɓi daidai ba, saboda yawanci doka ɗaya ta ba da izinin aikace-aikacen 1-10 don dalilai daban-daban. Bari mu ga menene waɗannan aikace-aikacen: danna maɓallin Compare:
Abu mafi ban mamaki ga mai gudanarwa a cikin Ayyukan Inganta Manufofin shine maɓallin Amfani da Match - zaku iya ƙirƙirar doka tare da dannawa ɗaya, inda zaku shigar da duk aikace-aikacen 150 a cikin ƙa'idar. Yin wannan da hannu zai ɗauki lokaci mai tsawo. Adadin ayyukan da mai gudanarwa zai yi aiki a kai, har ma akan hanyar sadarwa ta na'urori 10, suna da yawa.
Ina da aikace-aikace daban-daban 150 da ke gudana a gida, suna canja wurin gigabytes na zirga-zirga! Kuma nawa kuke da shi?
Amma menene ya faru a cikin hanyar sadarwa na na'urori 100 ko 1000 ko 10000? Na ga bangon wuta tare da dokoki 8000 kuma na yi farin ciki da cewa masu gudanarwa yanzu suna da irin waɗannan kayan aikin sarrafa kai masu dacewa.
Wasu daga cikin aikace-aikacen da tsarin nazarin aikace-aikacen L7 a cikin NGFW ya gani kuma ya nuna ba za ku buƙaci a kan hanyar sadarwar ba, don haka kawai ku cire su daga jerin ƙa'idodin ba da izini, ko rufe ƙa'idodin ta amfani da maɓallin Clone (a cikin babban dubawa) kuma ba da izini a cikin ƙa'idar aikace-aikacen guda ɗaya, kuma a cikin Za ku toshe wasu aikace-aikacen kamar yadda ba a buƙatar su a kan hanyar sadarwar ku. Irin waɗannan aikace-aikacen galibi sun haɗa da bittorent, tururi, ultrasurf, tor, ɓoyayyun tunnels kamar tcp-over-dn da sauransu.
To, bari mu danna wata doka kuma mu ga abin da kuke iya gani a can:
Ee, akwai aikace-aikace na yau da kullun don multicast. Dole ne mu ƙyale su don kallon bidiyo akan layi suyi aiki. Danna Amfani Match. Mai girma! Na gode Policy Optimizer.
Koyon Inji fa?
Yanzu yana da gaye don magana game da aiki da kai. Abin da na bayyana ya fito - yana taimakawa da yawa. Akwai ƙarin yuwuwar da ya kamata in yi magana akai. Wannan shine aikin Koyon Injin da aka gina a cikin Expedition utility, wanda aka riga aka ambata a sama. A cikin wannan kayan aiki, yana yiwuwa don canja wurin dokoki daga tsohon Tacewar zaɓi daga wani masana'anta. Har ila yau, akwai damar yin nazarin rajistan ayyukan hanyoyin sadarwa na Palo Alto Networks da kuma ba da shawarar abin da za a rubuta. Wannan yayi kama da ayyukan inganta Manufofin, amma a cikin Expedition an fi faɗaɗawa kuma ana ba ku jerin ƙa'idodin da aka shirya - kawai kuna buƙatar amincewa da su.
Ana iya aika buƙatar zuwa [email kariya] kuma a cikin buƙatar rubuta: "Ina so in yi UTD don Tsarin Hijira."
A zahiri, aikin dakin gwaje-gwaje da ake kira Unified Test Drive (UTD) yana da zaɓuɓɓuka da yawa kuma duka
Masu amfani da rajista kawai za su iya shiga cikin binciken.
Kuna son wani ya taimake ku inganta manufofin Tacewar zaɓinku?
-
A
-
Babu
-
Zan yi shi duka da kaina
Babu wanda ya yi zabe tukuna. Ba a kauracewa zaben ba.
source: www.habr.com