How to evaluate and compare Ethernet encryption devices

I wrote this review (or, if you prefer, comparison guide) when I was tasked with comparing several devices from different vendors. Moreover, these devices belonged to different product classes. I had to understand the architecture and characteristics of all of them and build a "coordinate system" for the comparison. I would be glad if my review helps someone:

  • Understand the descriptions and specifications of encryption devices
  • Distinguish "paper" characteristics from those that really matter in practice
  • Go beyond the usual set of vendors and consider any product that is suitable for solving the problem
  • Ask the right questions during negotiations
  • Draw up tender requirements (RFP)
  • Understand which characteristics will have to be sacrificed if a particular device model is chosen

What can be evaluated

In principle, the approach applies to any standalone device intended for encrypting network traffic between remote Ethernet segments (cross-site encryption). That is, "boxes" in a separate enclosure (fine, we will also include blades/modules for a chassis here) that connect through one or more Ethernet ports to the local (campus) Ethernet network carrying unencrypted traffic, and through one or more other ports to the channel/network over which the already encrypted traffic is sent to other, remote segments. Such an encryption solution can be deployed in a private or carrier network over various kinds of "transport" (dark fiber, frequency-division equipment, switched Ethernet, as well as "pseudowires" laid through a network with a different routing architecture, most often MPLS), with or without VPN technology.

[Figure: Network encryption in a distributed Ethernet network]

The devices themselves can be either specialized (intended exclusively for encryption) or multifunctional (hybrid, convergent), that is, also performing other functions (for example, firewall or router). Different vendors assign their devices to different classes/categories, but this does not matter - the only important things are whether they can encrypt cross-site traffic, and what characteristics they have.

Just in case, I remind you that "network encryption", "traffic encryption" and "encryptor" are informal terms, even though they are used often. You are unlikely to find them in Russian regulations (including those that introduce GOSTs).

Encryption levels and transmission modes

Before we start describing the characteristics used for evaluation, we first need to understand one important thing, namely the "encryption level". I noticed that it is mentioned often, both in official vendor documents (descriptions, manuals, etc.) and in informal discussions (at negotiations, trainings). That is, everyone seems to know perfectly well what is being talked about, yet I have personally witnessed some confusion.

So what is the "encryption level"? Clearly it refers to the number of the layer of the OSI/ISO reference network model at which encryption takes place. We read GOST R ISO 7498-2-99 "Information technology. Open systems interconnection. Basic reference model. Part 2. Security architecture." From this document it follows that the level of the confidentiality service (one of the mechanisms for providing it is encryption) is the level of the protocol whose service data unit ("payload", user data) is encrypted. As the standard also states, the service can be provided either at the same level, "by itself", or with the help of a lower level (this is how it is most often implemented in MACsec, for example).

In practice, two modes of transmitting encrypted information over a network are possible (IPsec immediately comes to mind, but the same modes are found in other protocols too). In transport (sometimes also called native) mode only the service data unit is encrypted, and the headers remain "open", unencrypted (sometimes additional fields with service information of the encryption algorithm are added, and other fields are modified and recalculated). In tunnel mode the entire protocol data unit (that is, the packet itself) is encrypted and encapsulated in a service data unit of the same or a higher level, that is, it is surrounded by new headers.

The encryption level itself, combined with some transmission mode, is neither good nor bad, so one cannot say, for example, that L3 in transport mode is better than L2 in tunnel mode. It is simply that many of the characteristics by which devices are evaluated depend on them. For example, flexibility and compatibility. To operate in an L1 (bit stream relay), L2 (frame switching) or L3 (packet routing) network in transport mode, you need a solution that encrypts at the same or a higher level (otherwise the address information would be encrypted and the data would not reach its intended destination), while tunnel mode overcomes this limitation (although at the cost of other important characteristics).

[Figure: Transport and tunnel L2 encryption modes]

Now let us move on to the characteristics themselves.

Performance

For network encryption, performance is a complex, multidimensional concept. It happens that a given model, while superior in one performance characteristic, is inferior in another. Therefore it is always useful to consider all the components of encryption performance and their impact on the performance of the network and of the applications that use it. Here one can draw an analogy with a car, for which not only the top speed matters, but also the acceleration time to "a hundred", fuel consumption, and so on. Vendors and their prospective customers pay a lot of attention to performance characteristics. As a rule, encryption devices are ranked by performance within vendor product lines.

Clearly, performance depends both on the complexity of the network and cryptographic operations performed on the device (including how well these tasks can be parallelized and pipelined), and on the performance of the hardware and the quality of the firmware. Accordingly, higher-end models use more powerful hardware; sometimes it can be equipped with additional processors and memory modules. There are several approaches to implementing cryptographic functions: on a general-purpose central processing unit (CPU), an application-specific integrated circuit (ASIC), or a field-programmable gate array (FPGA). Each approach has its pros and cons. For example, the CPU can become the encryption bottleneck, especially if the processor lacks specialized instructions supporting the encryption algorithm (or they are not used). Specialized chips lack flexibility; it is not always possible to "reflash" them to improve performance, add new functions, or eliminate vulnerabilities. In addition, they only pay off at large production volumes. That is why the "golden mean" has become so popular - the use of FPGAs (ПЛИС in Russian). It is on FPGAs that the so-called crypto accelerators are built - built-in or plug-in specialized hardware modules supporting cryptographic operations.

Since we are talking about network encryption, it is logical that the performance of solutions should be measured in the same terms as for other network devices - throughput, percentage of lost frames and latency. These quantities are defined in RFC 1242. By the way, that RFC says nothing about the frequently mentioned delay variation (jitter). How should these quantities be measured? I have not found a methodology approved in any standard (official or informal, such as an RFC) specifically for network encryption. It would be logical to use the methodology for network devices laid down in the RFC 2544 standard. Many vendors follow it - many, but not all. For example, they send test traffic in only one direction instead of both, as the standard recommends. Anyway.

Measuring the performance of network encryption devices still has its own peculiarities. First, it is correct to take all measurements for a pair of devices: although encryption algorithms are symmetric, the latency and packet loss during encryption and during decryption are not necessarily equal. Second, it makes sense to measure the delta, the impact of network encryption on the resulting network performance, by comparing two configurations: without encryption devices and with them. Or, in the case of hybrid devices that combine several functions in addition to network encryption, with encryption switched off and on. This impact can vary and depends on the connection scheme of the encryption devices, on the operating modes, and finally, on the nature of the traffic. In particular, many performance parameters depend on packet length, which is why, to compare the performance of different solutions, graphs of these parameters as a function of packet length are often used, or an IMIX is used - a distribution of traffic by packet length that roughly reflects reality. If we compare against the same basic configuration without encryption, we can compare network encryption solutions implemented in different ways without going into those differences: L2 with L3, store-and-forward with cut-through, specialized with convergent, GOST with AES, and so on.

[Figure: Connection diagram for performance testing]

The first characteristic people pay attention to is the "speed" of the encryption device, that is, the bandwidth of its network interfaces, the bit rate. It is determined by the network standards supported by the interfaces. For Ethernet, the usual figures are 1 Gbps and 10 Gbps. But, as we know, in any network the maximum theoretical throughput at each of its levels is always less than the bandwidth: part of the bandwidth is "eaten" by inter-frame gaps, service headers, and so on. If a device is able to receive, process (in our case, encrypt or decrypt) and transmit traffic at the full speed of the network interface, that is, at the maximum theoretical throughput for a given level of the network model, then it is said to operate at line rate. For this, the device must not lose or discard packets of any size and at any rate. If the encryption device does not support line-rate operation, then its maximum throughput is usually stated in the same gigabits per second (sometimes with the packet length indicated - the shorter the packets, the lower the throughput usually is). It is very important to understand that the maximum throughput is the maximum without loss (even if the device can "push" traffic through itself at a higher rate while dropping some packets). Also keep in mind that some vendors measure aggregate throughput across all port pairs, so such figures say little if all encrypted traffic goes through one port.

Where is line-rate operation (or, in other words, operation without packet loss) especially important? On high-bandwidth, high-latency links (such as satellite), where a large TCP window must be set to maintain a high transmission rate, and where packet loss dramatically reduces network performance.

But not all of the bandwidth is used to transfer useful data. We have to reckon with the so-called bandwidth overhead. This is the part of the encryption device's throughput (as a percentage or in bytes per packet) that is actually wasted (cannot be used to transfer application data). Overhead arises, first, from the increase in size (padding, "stuffing") of the data field in encrypted network packets (depending on the encryption algorithm and its mode of operation). Second, from the increase in the length of packet headers (tunnel mode, service insertions of the encryption protocol, the authentication tag, etc., depending on the protocol, the cipher mode of operation and the transmission mode) - usually these overheads are the most significant, and they are the first to be paid attention to. Third, from fragmentation of packets when the maximum transmission unit (MTU) is exceeded (if the network is able to split a packet that exceeds the MTU into two, duplicating its headers). Fourth, from the appearance of additional service (control) traffic on the network between the encryption devices (for key exchange, tunnel setup, etc.). Low overhead matters where channel capacity is limited. This is especially evident with traffic consisting of small packets, for example voice - where the overhead can "eat" more than half of the channel speed!
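The following model, added here as an example and not taken from the article, makes the four overhead sources and the line-rate figure from the previous paragraphs concrete. The Ethernet framing constants are standard; the three encapsulation profiles (header, IV and tag sizes) and the IMIX weights are constructed assumptions, not measurements of any product.

```python
"""Model of Ethernet encryption bandwidth overhead (added example, not from the article).

Assumptions (constructed, not vendor figures): standard Ethernet framing
(8 B preamble, 12 B inter-frame gap, 14 B MAC header, 4 B FCS, 64 B minimum frame)
and three illustrative encapsulation profiles with typical header/tag sizes.
"""
from dataclasses import dataclass

PREAMBLE = 8      # bytes on the wire before every frame
IFG = 12          # inter-frame gap, expressed in byte times
ETH_HDR = 14      # destination MAC + source MAC + EtherType
FCS = 4
MIN_FRAME = 64    # minimum Ethernet frame (header..FCS); shorter frames are padded


@dataclass(frozen=True)
class Profile:
    """How an encryptor transforms one Ethernet frame (assumed layout)."""
    name: str
    l2_tunnel: bool      # True: the whole original frame (incl. MAC header) is encrypted
    outer: int           # bytes inserted between the (new) MAC header and the ciphertext
    inner_trailer: int   # trailer bytes inside the encrypted region (e.g. ESP pad len + next hdr)
    icv: int             # authentication tag appended after the ciphertext
    block: int           # padding granularity: 1 for CTR/GCM-style modes, 16 for AES-CBC


# Illustrative profiles; all sizes are assumptions, not any vendor's specification.
L2_TRANSPORT = Profile("L2 transport, CTR-style, 8 B IV/seq + 16 B tag", False, 8, 0, 16, 1)
L2_TUNNEL = Profile("L2 tunnel, AES-CBC, 16 B IV + 16 B tag", True, 16, 0, 16, 16)
ESP_TUNNEL = Profile("IPsec ESP tunnel, outer IPv4 + ESP hdr + 16 B IV, AES-CBC, HMAC-96",
                     False, 20 + 8 + 16, 2, 12, 16)

# Constructed "simple IMIX": number of frames of each size in the mix.
SIMPLE_IMIX = {64: 7, 576: 4, 1518: 1}


def wire_bytes(frame_len: int) -> int:
    """Byte times one frame occupies on the link, including preamble and gap."""
    return PREAMBLE + frame_len + IFG


def encrypted_frame_len(p: Profile, frame_len: int) -> int:
    """Length (header..FCS) of the frame leaving the encryptor for a plaintext frame of frame_len."""
    # Bytes that enter the cipher: the L2 payload, or the whole frame minus FCS in L2 tunnel mode.
    inner = frame_len - FCS - (0 if p.l2_tunnel else ETH_HDR)
    padded = -(-(inner + p.inner_trailer) // p.block) * p.block   # round up to the block size
    return max(ETH_HDR + p.outer + padded + p.icv + FCS, MIN_FRAME)


def overhead_percent(p: Profile, frame_len: int) -> float:
    """Share of link capacity consumed by encryption overhead at this frame size."""
    plain, enc = wire_bytes(frame_len), wire_bytes(encrypted_frame_len(p, frame_len))
    return 100.0 * (enc - plain) / enc


def imix_overhead_percent(p: Profile, imix=SIMPLE_IMIX) -> float:
    """Overhead over a frame-size distribution, weighted by wire bytes rather than frame count."""
    plain = sum(n * wire_bytes(size) for size, n in imix.items())
    enc = sum(n * wire_bytes(encrypted_frame_len(p, size)) for size, n in imix.items())
    return 100.0 * (enc - plain) / enc


def max_frame_rate(link_bps: int, frame_len: int) -> int:
    """Theoretical line-rate frame rate (frames/s): the zero-loss target of an RFC 2544 run."""
    return link_bps // (8 * wire_bytes(frame_len))


def max_plaintext_bps(link_bps: int, p: Profile, frame_len: int) -> float:
    """Plaintext traffic rate the encrypted link can carry without loss at this frame size."""
    return link_bps * wire_bytes(frame_len) / wire_bytes(encrypted_frame_len(p, frame_len))


def needs_fragmentation(p: Profile, frame_len: int, max_frame: int = 1518) -> bool:
    """True if the encrypted frame exceeds the downstream maximum frame size (third overhead source)."""
    return encrypted_frame_len(p, frame_len) > max_frame


if __name__ == "__main__":
    for prof in (L2_TRANSPORT, L2_TUNNEL, ESP_TUNNEL):
        print(prof.name)
        for size in (64, 128, 576, 1518):
            print(f"  {size:5d} B -> {encrypted_frame_len(prof, size):5d} B,"
                  f" overhead {overhead_percent(prof, size):5.1f}%,"
                  f" fragment: {needs_fragmentation(prof, size)}")
        print(f"  IMIX overhead {imix_overhead_percent(prof):.1f}%")
    print(f"1 GbE line rate at 64 B: {max_frame_rate(10**9, 64)} frames/s")
```

Running it shows the effect the article describes: the same profile costs a few percent on 1518-byte frames but tens of percent on 64-byte frames, and tunnel-mode profiles push full-size frames past 1518 bytes, triggering fragmentation.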

[Figure: Throughput]

Finally, there is also the introduced latency - the difference (in fractions of a second) in network latency (the time it takes data to pass from entering the network to leaving it) between transmission without and with network encryption. Generally speaking, the lower the latency of the network, the more significant the latency introduced by the encryption devices becomes. Latency is introduced by the encryption operation itself (depending on the encryption algorithm, the block length and mode of operation of the cipher, and the quality of its software implementation) and by the processing of the network packet in the device. The introduced latency depends both on the packet processing mode (cut-through or store-and-forward) and on the performance of the platform (a hardware implementation on an FPGA or ASIC is usually faster than a software implementation on a CPU). L2 encryption almost always has lower latency than L3 or L4 encryption, because L3/L4 encryption devices are usually converged. For example, with high-speed Ethernet encryptors implemented on FPGAs and encrypting at L2, the delay due to the encryption operation is vanishingly small - sometimes, when encryption is enabled on a pair of devices, the total delay they introduce even decreases! Low latency matters where it is comparable to the total channel delay, including the propagation delay, which is roughly 5 μs per mile. That is, for city-scale networks (thousands of miles across) microseconds can decide a lot. For example, for synchronous database replication, high-frequency trading, or even blockchain.

[Figure: Introduced latency]

Scalability

Large distributed networks can include many thousands of nodes and network devices, and hundreds of local segments. It is important that the encryption solution does not impose additional restrictions on the size and topology of the distributed network. This applies primarily to the maximum number of hosts and network addresses. Such restrictions may be encountered, for example, when using a multipoint encrypted network topology (with independent secure connections, or tunnels) or selective encryption (for example, by protocol number or VLAN). If in this case network addresses (MAC, IP, VLAN ID) are used as keys in a table with a limited number of rows, then these restrictions show up here.

In addition, large networks often have several structural layers, including a core network, each using its own addressing scheme and its own routing policy. To implement this approach, special frame formats (such as Q-in-Q or MAC-in-MAC) and route determination protocols are often used. In order not to hinder the construction of such networks, encryption devices must handle such frames correctly (that is, in this sense, scalability will mean compatibility - more on that below).

Flexibility

Here we are talking about support for various configurations, connection schemes, topologies and so on. For example, for switched networks based on Carrier Ethernet technology, this means support for different types of virtual connections (E-Line, E-LAN, E-Tree), different types of service (both per port and per VLAN) and different transport technologies (listed above). That is, the device must be able to operate both in linear ("point-to-point") and in multipoint mode, establish separate tunnels for different VLANs, and allow out-of-order delivery of packets within a secure channel. The ability to choose different cipher modes (including with or without content authentication) and different packet modes lets you strike a balance between strength and performance depending on the current conditions.

Support for both private networks, whose equipment belongs to one organization (or is leased to it), and carrier networks, different segments of which are managed by different companies, is also important. It is good if the solution allows management both in-house and by a third party (under a managed service model). In carrier networks, another important function is support for multi-tenancy (sharing by different customers) in the form of cryptographic isolation of individual customers (subscribers) whose traffic passes through the same set of encryption devices. This usually requires separate sets of keys and certificates for each customer.

If a device is purchased for a specific scenario, then all these features may not be very important - you only need to make sure that the device supports what you need now. But if the solution is purchased "for growth", to support future scenarios as well, and is chosen as the "corporate standard", then flexibility will not be superfluous - especially given the limited interoperability of devices from different vendors (more on this below).

Simplicity and convenience

Ease of maintenance is also a multifactorial concept. Roughly speaking, it is the total time spent by specialists of a given qualification on supporting the solution at the different stages of its life cycle. If there are no costs, and installation, configuration and operation are fully automated, then the cost is zero and convenience is absolute. Of course, this does not happen in the real world. A reasonable approximation is the "bump-in-the-wire" model, or transparent connection, in which adding and removing encryption devices requires no manual or automatic changes to the network configuration. At the same time, managing the solution becomes simpler: you can safely switch encryption on and off, and if necessary simply "bypass" the device with a network cable (that is, directly connect the ports of the network equipment to which it was attached). True, there is one drawback - an attacker can do the same. To implement the "bump-in-the-wire" principle, not only the data plane traffic but also the control and management plane traffic must be taken into account - the devices must be transparent to it. Therefore such traffic can only be encrypted when there are no recipients of these traffic types in the network between the encryption devices; otherwise, since it would be dropped or encrypted, the network configuration might change when encryption is switched on or off. Encryption devices can also be transparent to physical layer signaling. In particular, when the signal is lost, the device must propagate this loss (that is, switch off its own transmitters) onward, "behind itself", in the direction of the signal.

Support for the division of responsibilities between the information security and IT departments, in particular the network department, is also very important. The encryption solution must support the organization's access control and audit model. The need for different departments to interact when performing routine operations should be minimized. Therefore, in terms of convenience, specialized devices that support only encryption functions and are as transparent as possible to network operations have an advantage. Simply put, information security staff should have no reason to contact the "network specialists" to change network settings. And those, in turn, should not need to change encryption settings when maintaining the network.

Another important point is the capabilities and convenience of the management tools. They should be visual, logical, and provide configuration import/export, automation, and so on. Pay attention right away to which management options are available (usually a proprietary management environment, a web interface and a command line) and what set of functions each of them offers (there are limitations). An important function is support for out-of-band management, that is, through a dedicated management network, and in-band management, that is, through the common network over which the useful traffic is transmitted. The management tools should signal all abnormal situations, including information security incidents. Routine, repetitive operations should be performed automatically. This mainly concerns key management: keys must be generated and distributed automatically. PKI support is a big plus.

Compatibility

That is, the compatibility of the device with network standards. Moreover, this means not only industry standards adopted by authoritative bodies such as IEEE, but also the proprietary protocols of industry leaders, such as Cisco. There are two main ways to ensure compatibility: either through transparency, or through explicit protocol support (when the encryption device becomes one of the network nodes for a given protocol and processes that protocol's control traffic). Compatibility with networks depends on the completeness and correctness of the implementation of the control protocols. It is important to support different options at the PHY level (speed, transmission medium, encoding scheme), Ethernet frames of different formats with any MTU, and different L3 service protocols (primarily the TCP/IP family).

Transparency is ensured by the mechanisms of mutation (temporarily changing the contents of open headers in the traffic between encryptors), skipping (when individual packets remain unencrypted) and offsetting the start of encryption (when normally encrypted fields of a packet are left unencrypted).

[Figure: How transparency is ensured]

Therefore, be sure to check exactly how support for a particular protocol is provided. Often support in transparent mode is more convenient and reliable.

Interoperability

This is also compatibility, but in a different sense, namely the ability to work together with other encryption device models, including those from other manufacturers. Much depends on the state of standardization of encryption protocols. There are simply no generally accepted encryption standards at L1.

There is the 802.1AE (MACsec) standard for L2 encryption in Ethernet networks, but it uses not end-to-end but port-to-port, "hop-by-hop" encryption, and in its original version it is unsuitable for distributed networks, so proprietary extensions have appeared that overcome this limitation (of course, at the cost of interoperability with other manufacturers' equipment). True, in 2018 support for distributed networks was added to the 802.1AE standard, but there is still no support for the GOST set of encryption algorithms. Therefore proprietary, non-standard L2 encryption protocols are, as a rule, distinguished by greater efficiency (in particular, lower bandwidth overhead) and flexibility (the ability to change encryption algorithms and modes).

At higher levels (L3 and L4) there are recognized standards, primarily IPsec and TLS, but here too things are not simple. The fact is that each of these standards is a set of protocols, each with different versions and extensions that are mandatory or optional to implement. In addition, some manufacturers prefer to use their own proprietary encryption protocols at L3/L4. Therefore, in most cases you should not count on full interoperability, but it is important that at least interoperability between different models and different generations of the same manufacturer is guaranteed.

Reliability

To compare different solutions, you can use either the mean time between failures or the availability. If these figures are not available (or there is no confidence in them), then a qualitative comparison can be made. Devices with convenient management will have an advantage (lower risk of configuration errors), as will specialized encryptors (for the same reason), and solutions with a minimal time to detect and eliminate a failure, including means of "hot" standby for entire nodes and devices.

Cost

When it comes to cost, as with most IT solutions, it makes sense to compare the total cost of ownership. To calculate it, you do not have to reinvent the wheel; use any suitable methodology (for example, Gartner's) and any calculator (for example, one already used in the organization to calculate TCO). Clearly, for a network encryption solution the total cost of ownership consists of the direct costs of purchasing or leasing the solution itself, the infrastructure for hosting the equipment and the costs of deployment, administration and maintenance (whether in-house or as third-party services), as well as the indirect costs of solution downtime (caused by the loss of end-user productivity). There is probably only one subtlety. The performance impact of the solution can be accounted for in different ways: either as indirect costs from lost productivity, or as "virtual" direct costs of purchasing/upgrading and maintaining network equipment that compensates for the loss of network performance caused by encryption. In any case, costs that are difficult to calculate with sufficient accuracy are best left out of the calculation: this gives more confidence in the final figure. And, as usual, in any case it makes sense to compare different devices by TCO for a specific scenario of their use - real or hypothetical.

Strength

And the last characteristic is the strength of the solution. In most cases, strength can only be assessed qualitatively by comparing different solutions. We must remember that encryption devices are not only a means of protection but also an object of it. They can be exposed to various threats. In the foreground are the threats of breach of confidentiality, replay and modification of messages. These threats can be realized through vulnerabilities of the cipher or its individual modes, and through vulnerabilities in the encryption protocols (including at the stages of connection establishment and key generation/distribution). The advantage goes to solutions that allow changing the encryption algorithm or switching the cipher mode (at least by updating the firmware), solutions that provide the most complete encryption, hiding from the attacker not only user data but also address and other service information, and solutions that not only encrypt but also protect messages from replay and modification. For all modern encryption algorithms, electronic signatures, key generation, etc., that are enshrined in standards, the strength can be assumed to be the same (otherwise you can easily get lost in the wilds of cryptography). Must these be GOST algorithms? Everything is simple here: if the application scenario requires FSB certification for the CIPF (and in Russia this is most often the case; for most network encryption scenarios it is true), then we choose only among certified ones. If not, then there is no point in excluding devices without certificates from consideration.

Another threat is the threat of hacking, unauthorized access to the devices (including physical access outside and inside the enclosure). This threat can be realized through vulnerabilities in the implementation - in hardware and in code. Therefore, solutions with a minimal "attack surface" on the network side, with enclosures protected against physical access (with intrusion sensors, probing protection and automatic erasure of key material when the enclosure is opened), and those that allow firmware updates (should vulnerabilities in the code become known) will have an advantage. There is another way: if all the compared devices have FSB certificates, then the CIPF class for which the certificate was issued can be taken as an indicator of resistance to hacking.

Finally, another type of threat is errors during configuration and operation, the human factor in its purest form. This reveals another advantage of specialized encryptors over converged solutions, which are often aimed at "network specialists" and can cause difficulties for "ordinary", general information security specialists.

Summing up

In principle, one could propose some kind of integral indicator for comparing different devices, something like

$$K_j = \sum_i p_i \, r_{ij}$$

where p is the weight of the indicator and r is the rank of the device by that indicator, and any of the characteristics listed above can be broken down into "atomic" indicators. Such a formula can be useful, for example, when comparing tender proposals according to pre-agreed rules. But you can also get by with a simple table like

Characteristic              Device 1   Device 2   ...   Device N
Throughput                  +          +                +++
Overhead                    +          ++               +++
Latency                     +          +                ++
Scalability                 +++        +                +++
Flexibility                 +++        ++               +
Interoperability            ++         +                +
Compatibility               ++         ++               +++
Simplicity and convenience  +          +                ++
Reliability                 +++        +++              ++
Cost                        ++         +++              +
Strength                    ++         ++               +++

I will be glad to answer questions and constructive criticism.

Source: www.hab.com
