Encrypting according to GOST: a memo on setting up traffic routing

If your company transmits or receives personal data and other confidential information over a network that is subject to legal protection, GOST encryption is required. Today we will tell you how we implemented such encryption based on the S-Terra crypto gateway (CG) at one of our clients. This article will be of interest to information security specialists, as well as engineers, designers and architects. We will not dive deep into the nuances of the technical configuration in this post; we will focus on the key points of the basic setup. A huge amount of documentation on configuring the Linux OS daemons on which the S-Terra CG is based is freely available on the Internet. Documentation on configuring the S-Terra software itself is also publicly available on the vendor's portal.

A few words about the project

The client's network topology was standard: a full mesh between the center and the branches. It was necessary to introduce encryption of the data exchange channels between all the sites, of which there were 8.

Usually in such projects everything is static: static routes to the site's local network are configured on the crypto gateways (CGs), and lists of IP addresses (ACLs) for encryption are registered. However, in this case the sites have no centralized control, and anything can happen inside their networks: networks may be added, deleted or modified in every possible way. To avoid reconfiguring routing and ACLs on the CGs whenever the addressing of the local networks at the sites changes, it was decided to use GRE tunneling and OSPF dynamic routing, which united all the CGs and most of the core-level routers at the sites (at some sites the infrastructure administrators preferred to use SNAT towards the CG on the core routers).

GRE tunneling allowed us to solve two problems:
1. Use the external IP addresses of the CGs in the encryption ACL, which captures all traffic sent to other sites.
2. Organize p-t-p tunnels between the CGs, over which dynamic routing can be set up (in our case the provider organizes an MPLS L3VPN between the sites).

The client ordered the implementation of encryption as a service. Otherwise, it would have had not only to maintain the crypto gateways itself or outsource this to another organization, but also to monitor the life cycle of the certificates on its own, renewing them on time and installing new ones.
And now the memo itself: how and what we configured

A note for a CII subject: setting up a crypto gateway

Basic network setup

First, we boot a new CG and enter the administration console. You should begin by changing the built-in administrator's password with the command change user password. Then you need to run the initialization procedure (the initialize command), during which the license data is entered and the random number generator (RNG) is initialized.

Attention! When the S-Terra CG is initialized, a security policy is installed under which the security gateway's interfaces do not pass packets. You must either create your own policy or use the command run csconf_mgr activate to activate the predefined permissive policy.
Next, you need to configure the addressing of the external and internal interfaces and the default route. It is preferable to do the CG's network configuration and set up encryption through the Cisco-like console. This console is designed to accept commands similar to Cisco IOS commands. The configuration produced via the Cisco-like console is in turn converted into the corresponding configuration files with which the OS daemons work. You get to the Cisco-like console from the administration console with the configure command.

Change the password of the built-in user cscons and the enable password:

>enable
Password: csp (preset)
#configure terminal
#username cscons privilege 15 secret 0
#enable secret 0

Set the basic network configuration:

#interface GigabitEthernet0/0
#ip address 10.111.21.3 255.255.255.0
#no shutdown
#interface GigabitEthernet0/1
#ip address 192.168.2.5 255.255.255.252
#no shutdown
#ip route 0.0.0.0 0.0.0.0 10.111.21.254

GRE

Exit the Cisco-like console and enter the Debian shell with the system command. Set your own password for the root user with the passwd command.
On each CG, a separate tunnel is configured for each site. The tunnel interface is configured in the file /etc/network/interfaces. The ip tunnel utility, included in the preinstalled iproute2 package, is responsible for creating the interface itself. The interface creation command is written in the pre-up option.

Example of a tunnel interface configuration:
auto site1
iface site1 inet static
address 192.168.1.4
netmask 255.255.255.254
pre-up ip tunnel add site1 mode gre local 10.111.21.3 remote 10.111.22.3 key hfLYEg^vCh6p

Attention! Note that the settings for the tunnel interfaces must be placed outside the section

###netifcfg-begin###
*****
###netifcfg-end###

Otherwise, these settings will be overwritten whenever the network settings of the physical interfaces are changed through the Cisco-like console.

Dynamic routing

In S-Terra, dynamic routing is implemented with the Quagga software package. To configure OSPF we need to enable and configure the zebra and ospfd daemons. The zebra daemon is responsible for communication between the routing daemons and the OS. The ospfd daemon, as its name suggests, is responsible for implementing the OSPF protocol.
OSPF is configured either through the daemon's console or directly in the configuration file /etc/quagga/ospfd.conf. All physical and tunnel interfaces that take part in dynamic routing are added to the file, and the networks that will be advertised and will receive announcements are declared as well.

Example of the configuration that must be added to ospfd.conf:
interface eth0
!
interface eth1
!
interface site1
!
interface site2
!
router ospf
ospf router-id 192.168.2.21
network 192.168.1.4/31 area 0.0.0.0
network 192.168.1.16/31 area 0.0.0.0
network 192.168.2.4/30 area 0.0.0.0

In this case, the addresses 192.168.1.x/31 are reserved for the ptp tunnel networks between sites, and the addresses 192.168.2.x/30 are allocated for the link networks between the CGs and the core routers.

Attention! To reduce the routing table in large installations, you can filter out the advertisement of the link networks themselves using the constructs no redistribute connected or redistribute connected route-map.

After configuring the daemons, you need to change the daemons' startup status in /etc/quagga/daemons: in the zebra and ospfd options, change no to yes. Start the quagga daemon and set it to start automatically when the CG boots with the command update-rc.d quagga enable.

If the GRE tunnels and OSPF are configured correctly, routes to the networks of the other sites should appear on the CGs and core routers, and thus network connectivity between the local networks is established.

Encrypting the transmitted data

As already written, usually when encrypting between sites we specify lists of IP addresses (ACLs) between which traffic is encrypted: if the source and destination addresses fall into these lists, the traffic between them is encrypted. However, in this project the structure is dynamic and addresses may change. Since we have already configured GRE tunneling, we can specify the external addresses of the CGs as the source and destination addresses for encrypting traffic; after all, traffic already encapsulated by the GRE protocol is what arrives for encryption. In other words, everything that enters the CG from one site's local network towards the networks announced by other sites is encrypted. And within each site any re-routing can take place. Thus, when the local networks change, the administrator only needs to modify the announcements coming from his network towards the core network, and it will become available to the other sites.

Encryption in the S-Terra CG is performed using the IPsec protocol. We use the Kuznyechik ("Grasshopper") algorithm in accordance with GOST R 34.12-2015, and for compatibility with older versions you can use GOST 28147-89. Authentication can technically be performed with both pre-shared keys (PSKs) and certificates. However, in production operation it is necessary to use certificates issued in accordance with GOST R 34.10-2012.

Work with certificates, containers and CRLs is done with the cert_mgr utility. First, the cert_mgr create command is used to generate the private key container and a certificate request, which is sent to the Certificate Management Center. After the certificate is received, it must be imported together with the root CA certificate and the CRL (if used) using the cert_mgr import command. You can verify that all certificates and CRLs are installed with the cert_mgr show command.

After the certificates have been installed successfully, go to the Cisco-like console to configure IPsec.
We create an IKE policy that specifies the desired algorithms and parameters of the secure channel being created, which will be offered to the peer for agreement.

#crypto isakmp policy 1000
#encr gost341215k
#hash gost341112-512-tc26
#authentication sign
#group vko2
#lifetime 3600

This policy is applied when building the first phase of IPsec. The result of a successful first phase is an established SA (Security Association).
Next, we need to define the list of source and destination IP addresses (ACL) for encryption, create a transform set, create a cryptographic map (crypto map) and bind it to the external interface of the CG.

Configure the ACL:
#ip access-list extended site1
#permit gre host 10.111.21.3 host 10.111.22.3

Transform set (as in the first phase, we use the Kuznyechik encryption algorithm in MAC (imitovstavka) mode):

#crypto ipsec transform-set GOST esp-gost341215k-mac

We create a crypto map, specifying the ACL, the transform set and the peer address:

#crypto map MAIN 100 ipsec-isakmp
#match address site1
#set transform-set GOST
#set peer 10.111.22.3

We bind the crypto map to the external interface of the CG:

#interface GigabitEthernet0/0
#ip address 10.111.21.3 255.255.255.0
#crypto map MAIN

For encrypted channels with the other sites, you must repeat the procedure of creating the ACL and the crypto map entry, changing the ACL name, the IP addresses and the crypto map sequence number.
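Repeating that procedure by hand for a full mesh of 8 sites is error-prone, so here is an added generator (not part of the article or of S-Terra) that derives, for one gateway, the /etc/network/interfaces tunnel stanzas, the ospfd network statements and the Cisco-like ACL plus crypto map entries from a single site table. The site names, WAN addresses, the /31 pool and the GRE key are constructed placeholders, and using the WAN address as the OSPF router-id is an assumption.

```python
"""Per-site GRE/OSPF/IPsec fragments for a full mesh of S-Terra CGs.
Added example, not from the article or from S-Terra. Site names, WAN
addresses, the /31 pool and the GRE key are constructed placeholders."""
import ipaddress
from itertools import combinations

# Constructed sample: site name -> external (WAN) address of its CG
SITES = {"hq": "10.111.21.3", "site1": "10.111.22.3", "site2": "10.111.23.3"}
# One /31 per tunnel, carved from the range the article reserves for ptp links
PTP_POOL = ipaddress.ip_network("192.168.1.0/24")


def ptp_links(sites):
    """Assign one /31 to each unordered pair of sites: {(a, b): network}."""
    subnets = PTP_POOL.subnets(new_prefix=31)
    return {pair: next(subnets) for pair in combinations(sorted(sites), 2)}


def local_config(me, sites, links, gre_key):
    """Return (interfaces_stanzas, ospfd_lines, cisco_like_lines) for CG `me`."""
    ifaces, cisco = [], []
    # router-id only has to be unique; the WAN address is used here (assumption)
    ospf = ["router ospf", f"ospf router-id {sites[me]}"]
    seq = 100  # crypto map sequence number, one entry per remote site
    for (a, b), net in links.items():
        if me not in (a, b):
            continue
        peer = b if me == a else a
        # the /31's lower address goes to the alphabetically first site
        mine = net[0] if me == a else net[1]
        ifaces += [f"auto {peer}", f"iface {peer} inet static",
                   f"address {mine}", "netmask 255.255.255.254",
                   f"pre-up ip tunnel add {peer} mode gre local {sites[me]} "
                   f"remote {sites[peer]} key {gre_key}", ""]
        ospf.append(f"network {net} area 0.0.0.0")
        # ACL matches only GRE between the two WAN addresses, as in the article
        cisco += [f"ip access-list extended {peer}",
                  f"permit gre host {sites[me]} host {sites[peer]}",
                  f"crypto map MAIN {seq} ipsec-isakmp", f"match address {peer}",
                  "set transform-set GOST", f"set peer {sites[peer]}"]
        seq += 100
    return "\n".join(ifaces), "\n".join(ospf), "\n".join(cisco)


if __name__ == "__main__":
    links = ptp_links(SITES)
    for part in local_config("site1", SITES, links, "1001"):
        print(part, "\n!")
```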

Attention! If certificate verification against a CRL is not used, this must be stated explicitly:

#crypto pki trustpoint s-terra_technological_trustpoint
#revocation-check none

At this point the setup can be considered complete. The output of the Cisco-like commands show crypto isakmp sa and show crypto ipsec sa should display the established first and second IPsec phases. The same information can be obtained with the sa_mgr show command executed from the Debian shell. The output of cert_mgr show should now include the certificates of the remote sites; the status of such certificates will be remote. If the tunnels are not built, you need to look at the VPN service log, which is stored in the file /var/log/cspvpngate.log. A complete list of log files with a description of their contents is available in the documentation.

Monitoring the "health" of the system

The S-Terra CG uses the standard snmpd daemon for monitoring. In addition to the usual Linux parameters, S-Terra supports out of the box reporting data about IPsec tunnels according to CISCO-IPSEC-FLOW-MONITOR-MIB, which is what we use to monitor the status of the IPsec tunnels. Custom OIDs that expose the result of a script's execution as a value are also supported. This feature lets us track certificate expiration dates. The script we wrote parses the output of the cert_mgr show command and returns the number of days until the local and root certificates expire. This technique is indispensable when administering a large number of CGs.
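The authors' expiry script is not reproduced in the article; as an added illustration of the same approach (not the authors' script), here is a Python version that parses cert_mgr show output and returns the number of days left on the local and root certificates, ignoring the remote peers' certificates. The sample output is constructed and its field names (Status, Not After) are assumptions, so the regular expression is the part to adapt to the real format.

```python
"""Days until the local/root certificates on a CG expire, for a custom OID.
Added example, not the authors' script. The cert_mgr show sample is
constructed; its layout and field names are assumptions."""
import re
from datetime import datetime, timezone

# Constructed sample of cert_mgr show output (format assumed)
SAMPLE = """\
1 Status: trusted  Subject: CN=Root CA   Not After: 2030-01-15 10:00:00
2 Status: local    Subject: CN=cg-hq     Not After: 2025-06-30 23:59:59
3 Status: remote   Subject: CN=cg-site1  Not After: 2025-03-01 00:00:00
"""
ENTRY = re.compile(r"Status:\s*(?P<status>\w+).*?Not After:\s*(?P<exp>[\d-]+ [\d:]+)")


def parse(text):
    """Yield (status, expiry as aware UTC datetime) for each certificate line."""
    for m in ENTRY.finditer(text):
        exp = datetime.strptime(m["exp"], "%Y-%m-%d %H:%M:%S")
        yield m["status"], exp.replace(tzinfo=timezone.utc)


def days_left(text, now, statuses=("local", "trusted")):
    """Smallest number of whole days until a certificate with one of the given
    statuses expires. Remote certificates belong to the peers, so they are
    excluded by default. Returns -1 when nothing matched, so the OID still
    answers with a value that a threshold alarm can catch."""
    remaining = [(exp - now).days for st, exp in parse(text) if st in statuses]
    return min(remaining) if remaining else -1


if __name__ == "__main__":
    # Net-SNMP's `extend` directive runs a script and publishes its stdout
    # as an OID value; printing one integer is all that is needed here.
    print(days_left(SAMPLE, datetime.now(timezone.utc)))
```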

What is the advantage of such encryption?

All the functionality described above is supported out of the box by the S-Terra CG. That is, there is no need to install any additional modules that could affect the certification of the crypto gateways and the certification of the information system as a whole. The channels between the sites can be of any kind, even over the Internet.

Because there is no need to reconfigure the crypto gateways when the internal infrastructure changes, the system works as a service, which is very convenient for the client: it can place its services (clients and servers) at any addresses, and all changes are propagated dynamically between the encryption equipment.

Of course, encryption affects the data transfer rate because of its overhead, but only slightly: channel throughput can drop by at most 5-10%. At the same time, the technology was tested and showed good results even on satellite channels, which are quite unstable and have low bandwidth.

Igor Vinokhodov, 2nd line administration engineer at Rostelecom-Solar

source: www.habr.com
