Kab lus no yog qhov thib peb hauv cov kab lus "Yuav Ua Li Cas Tswj Koj Cov Khoom Siv Hauv Network." Cov ntsiab lus ntawm tag nrho cov ntawv hauv koob thiab cov txuas tuaj yeem pom .
Tsis muaj ib qho ntsiab lus hais txog kev tshem tawm cov kev pheej hmoo ntawm kev nyab xeeb kiag li. Hauv txoj ntsiab cai, peb tsis tuaj yeem txo lawv mus rau xoom. Peb kuj yuav tsum nkag siab tias thaum peb siv zog ua kom lub network muaj kev ruaj ntseg ntau dua, peb cov kev daws teeb meem tau nce thiab kim dua. Koj yuav tsum nrhiav kev sib pauv ntawm tus nqi, qhov nyuaj, thiab kev ruaj ntseg uas ua rau muaj kev nkag siab zoo rau koj lub network.
Ntawm chav kawm, kev ruaj ntseg tsim yog organically koom ua ke rau hauv tag nrho cov architecture thiab kev ruaj ntseg cov kev daws teeb meem siv cuam tshuam rau scalability, kev cia siab, tswj, ... ntawm lub network infrastructure, uas kuj yuav tsum tau coj mus rau hauv tus account.
Tab sis cia kuv ceeb toom rau koj tias tam sim no peb tsis tau tham txog kev tsim lub network. Raws li peb peb twb tau xaiv tus tsim, xaiv cov cuab yeej, thiab tsim cov infrastructure, thiab nyob rau theem no, yog tias ua tau, peb yuav tsum "nyob" thiab nrhiav kev daws teeb meem hauv cov ntsiab lus ntawm txoj kev xaiv yav dhau los.
Peb txoj haujlwm tam sim no yog txhawm rau txheeb xyuas cov kev pheej hmoo cuam tshuam nrog kev ruaj ntseg ntawm qib network thiab txo lawv mus rau theem tsim nyog.
Network kev ruaj ntseg tshawb xyuas
Yog tias koj lub koom haum tau siv cov txheej txheem ISO 27k, tom qab ntawd kev tshuaj xyuas kev nyab xeeb thiab kev hloov pauv hauv lub network yuav tsum haum rau txhua tus txheej txheem hauv txoj hauv kev no. Tab sis cov qauv no tseem tsis tau hais txog cov kev daws teeb meem tshwj xeeb, tsis yog hais txog kev teeb tsa, tsis yog hais txog kev tsim qauv ... Tsis muaj cov lus qhia meej meej, tsis muaj cov qauv txiav txim kom meej tias koj lub network yuav tsum zoo li cas, qhov no yog qhov nyuaj thiab kev zoo nkauj ntawm txoj haujlwm no.
Kuv yuav hais txog ntau qhov kev tshawb xyuas kev ruaj ntseg network:
- khoom configuration audit (hardening)
- kev ruaj ntseg tsim tshuaj xyuas
- nkag mus kuaj
- kev tshuaj xyuas
Cov khoom siv configuration audit (hardening)
Nws zoo nkaus li tias feem ntau qhov no yog qhov pib zoo tshaj plaws rau kev tshuaj xyuas thiab txhim kho kev ruaj ntseg ntawm koj lub network. IMHO, qhov no yog ib qho kev qhia zoo ntawm Pareto txoj cai (20% ntawm kev siv zog ua rau 80% ntawm qhov tshwm sim, thiab qhov seem 80% ntawm kev siv zog ua rau 20% ntawm qhov tshwm sim).
Cov kab hauv qab yog tias peb feem ntau muaj cov lus pom zoo los ntawm cov neeg muag khoom txog "kev coj ua zoo tshaj" rau kev ruaj ntseg thaum teeb tsa cov khoom siv. Qhov no hu ua "hardening".
Koj tuaj yeem nrhiav tau ib daim ntawv nug (lossis tsim koj tus kheej) raws li cov lus pom zoo no, uas yuav pab koj txiav txim siab seb qhov kev teeb tsa ntawm koj cov cuab yeej ua tau raws li "kev coj ua zoo tshaj" thiab, raws li qhov tshwm sim, hloov pauv hauv koj lub network. . Qhov no yuav tso cai rau koj kom txo qis kev pheej hmoo ntawm kev nyab xeeb yooj yim heev, ntawm qhov tsis muaj nqi.
Ob peb piv txwv rau qee qhov Cisco operating systems.
Raws li cov ntaub ntawv no, ib daim ntawv teev cov kev xav tau ntawm txhua yam khoom siv tuaj yeem tsim tau. Piv txwv li, rau Cisco N7K VDC cov kev cai no yuav zoo li .
Ua li no, cov ntaub ntawv teeb tsa tuaj yeem tsim rau ntau hom khoom siv hauv koj lub network infrastructure. Tom ntej no, manually lossis siv automation, koj tuaj yeem "upload" cov ntaub ntawv teeb tsa. Yuav ua li cas rau automate cov txheej txheem no yuav tau tham nyob rau hauv kom meej nyob rau hauv lwm series ntawm cov kab lus ntawm orchestration thiab automation.
Kev ruaj ntseg tsim tshuaj xyuas
Feem ntau, kev lag luam network muaj cov ntu hauv qab no hauv ib daim ntawv lossis lwm qhov:
- DC (Kev pabcuam pej xeem DMZ thiab Intranet data center)
- Internet
- Chaw taws teeb nkag VPN
- WAN ntug
- Ncau ceg
- Campus (Office)
- Core
Cov npe muab los ntawm qauv, tab sis nws tsis tsim nyog, ntawm chav kawm, yuav tsum tau txuas precisely rau cov npe thiab cov qauv no. Tseem, kuv xav tham txog lub ntsiab lus thiab tsis tau bogged hauv formalities.
Rau txhua qhov ntawm cov ntu no, qhov yuav tsum tau muaj kev ruaj ntseg, kev pheej hmoo thiab, raws li, cov kev daws teeb meem yuav txawv.
Cia peb saib ntawm lawv txhua tus sib cais rau cov teeb meem uas koj yuav ntsib los ntawm kev tsim kev ruaj ntseg ntawm qhov pom. Tau kawg, kuv rov hais dua tias tsis muaj txoj hauv kev no tsab xov xwm ua piv txwv ua tiav, uas tsis yooj yim (yog tias tsis yooj yim sua) kom ua tiav hauv cov ncauj lus tob thiab ntau yam, tab sis nws qhia txog kuv tus kheej kev paub.
Tsis muaj kev daws teeb meem zoo tshaj plaws (tsawg kawg tseem tsis tau). Nws ib txwm muaj kev sib haum xeeb. Tab sis nws yog ib qho tseem ceeb uas kev txiav txim siab siv ib txoj hauv kev los yog lwm qhov yog ua kom paub meej, nrog kev nkag siab ntawm nws qhov zoo thiab qhov tsis zoo.
Data Center
Cov ntu tseem ceeb tshaj plaws los ntawm qhov pom kev nyab xeeb.
Thiab, raws li niaj zaus, tsis muaj kev daws teeb meem thoob ntiaj teb ntawm no ib yam nkaus. Nws tag nrho yog nyob ntawm qhov xav tau ntawm lub network.
Puas tsim nyog firewall lossis tsis?
Nws yuav zoo li tias cov lus teb yog qhov pom tseeb, tab sis txhua yam tsis meej npaum li nws yuav zoo li. Thiab koj qhov kev xaiv tuaj yeem cuam tshuam tsis yog xwb nqi.
1 piv txwv. Kev ncua.
Yog tias qis latency yog qhov tseem ceeb ntawm qee ntu ntawm lub network, uas yog, piv txwv li, muaj tseeb nyob rau hauv rooj plaub ntawm kev sib pauv, ces peb yuav tsis tuaj yeem siv firewalls ntawm cov ntu no. Nws yog ib qho nyuaj rau nrhiav kev tshawb fawb txog latency hauv firewalls, tab sis ob peb hloov qauv tuaj yeem muab latency tsawg dua lossis ntawm qhov kev txiav txim ntawm 1 mksec, yog li kuv xav tias yog microseconds tseem ceeb rau koj, ces firewalls tsis yog rau koj.
2 piv txwv. Kev ua tau zoo.
Qhov kev nkag mus rau sab saum toj L3 keyboards feem ntau yog qhov kev txiav txim siab ntau dua li qhov kev xa tawm ntawm cov hluav taws xob muaj zog tshaj plaws. Yog li ntawd, nyob rau hauv cov ntaub ntawv ntawm high-siv tsheb khiav, koj kuj yuav feem ntau yuav tsum tau tso cai rau cov tsheb no hla lub firewalls.
3 piv txwv. Kev ntseeg
Firewalls, tshwj xeeb tshaj yog niaj hnub NGFW (Next-Generation FW) yog cov khoom siv nyuaj. Lawv muaj ntau qhov nyuaj dua li L3 / L2 keyboards. Lawv muab ntau cov kev pabcuam thiab kev xaiv kev teeb tsa, yog li nws tsis yog qhov xav tsis thoob tias lawv qhov kev ntseeg siab qis dua. Yog tias kev pabcuam txuas ntxiv yog qhov tseem ceeb rau lub network, ces koj yuav tsum xaiv yam uas yuav ua rau muaj qhov zoo dua - kev ruaj ntseg nrog firewall lossis qhov yooj yim ntawm lub network tsim ntawm cov keyboards (lossis ntau hom ntaub) siv ACLs li niaj zaus.
Nyob rau hauv cov ntaub ntawv ntawm cov piv txwv saum toj no, koj yuav feem ntau yuav (raws li ib txwm) yuav tsum tau nrhiav kev sib haum xeeb. Saib rau cov kev daws teeb meem hauv qab no:
- Yog tias koj txiav txim siab tsis siv firewalls hauv cov ntaub ntawv chaw, ces koj yuav tsum xav txog yuav ua li cas txwv kev nkag mus nyob ib puag ncig kom ntau li ntau tau. Piv txwv li, koj tuaj yeem qhib tsuas yog cov chaw nres nkoj tsim nyog los ntawm Is Taws Nem (rau cov neeg siv khoom siv) thiab kev tswj hwm kev nkag mus rau cov ntaub ntawv chaw tsuas yog los ntawm dhia hosts. Ntawm tus tswv tsev dhia, ua txhua yam kev kuaj xyuas tsim nyog (kev lees paub / kev tso cai, tshuaj tiv thaiv kab mob, kev nkag, ...)
- Koj tuaj yeem siv qhov kev faib tawm ntawm cov ntaub ntawv chaw network rau hauv ntu, zoo ib yam li cov txheej txheem tau piav qhia hauv PSEFABRIC . Nyob rau hauv cov ntaub ntawv no, routing yuav tsum tau configured nyob rau hauv xws li ib tug txoj kev uas ncua sij hawm-rhiab heev los yog high-siv tsheb mus "hauv" ib ntu (nyob rau hauv cov ntaub ntawv ntawm p002, VRF) thiab tsis mus los ntawm lub firewall. Kev tsheb khiav ntawm cov ntu sib txawv yuav txuas ntxiv mus dhau ntawm lub foob pob hluav taws. Koj tseem tuaj yeem siv txoj hauv kev xau ntawm VRFs kom tsis txhob cuam tshuam cov tsheb khiav los ntawm firewall
- Koj tseem tuaj yeem siv firewall hauv hom pob tshab thiab tsuas yog rau cov VLANs uas cov yam ntxwv no (latency / kev ua tau zoo) tsis tseem ceeb. Tab sis koj yuav tsum ua tib zoo kawm cov kev txwv cuam tshuam nrog kev siv cov mod no rau txhua tus neeg muag khoom
- Tej zaum koj yuav xav xav txog kev siv cov kev pabcuam saw hlau. Qhov no yuav tso cai rau tsuas yog tsim nyog tsheb thauj mus los ntawm firewall. Zoo li zoo hauv txoj kev xav, tab sis kuv tsis tau pom qhov kev daws teeb meem no hauv kev tsim khoom. Peb tau sim cov kev pabcuam rau Cisco ACI / Juniper SRX / F5 LTM txog 3 xyoos dhau los, tab sis lub sijhawm ntawd qhov kev daws teeb meem zoo li "crude" rau peb.
Kev tiv thaiv qib
Tam sim no koj yuav tsum tau teb cov lus nug ntawm cov cuab yeej twg koj xav siv los lim tsheb. Nov yog qee qhov nta uas feem ntau muaj nyob hauv NGFW (piv txwv li, ):
- stateful firewalling (default)
- daim ntawv thov firewalling
- Kev tiv thaiv kev hem thawj (antivirus, anti-spyware, thiab qhov tsis zoo)
- URL lim
- data filtering (cov ntsiab lus filtering)
- thaiv cov ntaub ntawv (cov ntaub ntawv hom thaiv)
- tiv thaiv
Thiab tsis yog txhua yam yog qhov tseeb. Nws yuav zoo li tias qhov siab dua ntawm kev tiv thaiv, qhov zoo dua. Tab sis koj kuj yuav tsum xav txog qhov ntawd
- Qhov ntau ntawm cov firewall saum toj no koj siv, qhov kim dua nws yuav ib txwm ua (daim ntawv tso cai, ntxiv modules)
- kev siv qee cov algorithms tuaj yeem txo qhov kev cuam tshuam ntawm firewall thiab tseem ua kom qeeb, saib piv txwv
- zoo li txhua txoj kev daws teeb meem, kev siv txoj kev tiv thaiv nyuaj tuaj yeem txo qhov kev ntseeg tau ntawm koj cov kev daws teeb meem, piv txwv li, thaum siv daim ntawv thov firewalling, kuv tau ntsib kev thaiv qee qhov kev ua haujlwm zoo heev (dns, smb)
Raws li ib txwm muaj, koj yuav tsum nrhiav kev daws teeb meem zoo tshaj plaws rau koj lub network.
Nws tsis yooj yim sua kom teb cov lus nug ntawm qhov kev tiv thaiv yuav tsum tau ua. Ua ntej, vim tias nws tau kawg nyob ntawm cov ntaub ntawv koj tau xa lossis khaws cia thiab sim tiv thaiv. Qhov thib ob, qhov tseeb, feem ntau qhov kev xaiv ntawm cov cuab yeej ruaj ntseg yog ib qho teeb meem ntawm kev ntseeg thiab kev ntseeg siab ntawm tus neeg muag khoom. Koj tsis paub cov algorithms, koj tsis paub tias lawv ua tau zoo npaum li cas, thiab koj tsis tuaj yeem sim lawv tag nrho.
Yog li ntawd, nyob rau hauv cov ntsiab lus tseem ceeb, ib qho kev daws teeb meem zoo yuav siv tau los ntawm cov tuam txhab sib txawv. Piv txwv li, koj tuaj yeem ua kom muaj kev tiv thaiv kab mob ntawm lub firewall, tab sis kuj siv kev tiv thaiv kab mob (los ntawm lwm lub chaw tsim khoom) hauv zos ntawm cov tswv.
Segmentation
Peb tab tom tham txog cov laj thawj segmentation ntawm cov ntaub ntawv chaw network. Piv txwv li, muab faib rau hauv VLANs thiab subnets kuj yog kev sib cais, tab sis peb yuav tsis xav txog vim nws qhov pom tseeb. Txaus siab rau segmentation coj mus rau hauv tus account xws li cov chaw xws li FW kev ruaj ntseg zones, VRFs (thiab lawv cov analogues nyob rau hauv kev sib raug zoo rau ntau yam neeg muag khoom), logical li (PA VSYS, Cisco N7K VDC, Cisco ACI Tenant, ...), ...
Ib qho piv txwv ntawm xws li kev sib cav sib ceg thiab qhov tam sim no xav tau cov ntaub ntawv chaw tsim khoom tau muab rau hauv .
Tom qab tau txiav txim siab qhov laj thawj ntawm koj lub network, koj tuaj yeem piav qhia yuav ua li cas tsheb khiav ntawm cov ntu sib txawv, ntawm cov cuab yeej lim dej yuav ua li cas thiab txhais tau li cas.
Yog tias koj lub network tsis muaj qhov sib cais meej meej thiab cov cai rau kev siv cov cai tswj kev ruaj ntseg rau cov ntaub ntawv sib txawv tsis raug cai, qhov no txhais tau tias thaum koj qhib qhov no lossis qhov kev nkag ntawd, koj raug yuam kom daws qhov teeb meem no, thiab muaj qhov tshwm sim siab koj. yuav daws nws txhua lub sijhawm sib txawv.
Feem ntau segmentation tsuas yog nyob ntawm FW chaw ruaj ntseg. Tom qab ntawd koj yuav tsum teb cov lus nug hauv qab no:
- koj xav tau qhov chaw ruaj ntseg dab tsi
- Koj xav tau kev tiv thaiv qib twg rau txhua thaj chaw no
- puas yuav tso cai nyob rau hauv ib cheeb tsam?
- yog tias tsis yog, yuav siv txoj cai tswj kev khiav tsheb li cas hauv txhua cheeb tsam
- dab tsi kev khiav tsheb lim cov cai yuav raug siv rau txhua khub ntawm ib cheeb tsam (qhov chaw / qhov chaw)
TCAM
Ib qho teeb meem tshwm sim yog tsis txaus TCAM (Ternary Content Addressable Memory), ob qho tib si rau kev khiav thiab kev nkag. IMHO, qhov no yog ib qho teeb meem tseem ceeb tshaj plaws thaum xaiv cov cuab yeej, yog li koj yuav tsum tau kho qhov teeb meem no nrog kev saib xyuas kom tsim nyog.
Piv txwv 1. Forwarding Table TCAM.
cia peb xav txog firewall
Peb pom tias IPv4 forwarding rooj loj * = 32K
Ntxiv mus, tus naj npawb ntawm txoj kev no muaj rau txhua tus VSYSs.Cia peb xav tias raws li koj tus qauv tsim koj txiav txim siab siv 4 VSYS.
Txhua VSYSs no txuas nrog BGP rau ob MPLS PEs ntawm huab uas koj siv los ua BB. Yog li, 4 VSYS pauv txhua txoj kev tshwj xeeb nrog ib leeg thiab muaj lub rooj xa khoom nrog kwv yees li tib txoj kev sib txawv (tab sis txawv NHs). Vim txhua VSYS muaj 2 BGP zaug (nrog rau tib qhov chaw), tom qab ntawd txhua txoj kev tau txais los ntawm MPLS muaj 2 NH thiab, raws li, 2 FIB nkag hauv Forwarding Table. Yog tias peb xav tias qhov no tsuas yog qhov hluav taws xob nkaus xwb hauv cov ntaub ntawv chaw thiab nws yuav tsum paub txog txhua txoj hauv kev, qhov no yuav txhais tau tias tag nrho cov kev hauv peb cov ntaub ntawv chaw tsis tuaj yeem ntau dua 32K / (4 * 2) = 4K.Tam sim no, yog tias peb xav tias peb muaj 2 lub chaw cov ntaub ntawv (nrog rau tus qauv tsim), thiab peb xav siv VLANs "stretched" ntawm cov chaw zov me nyuam (piv txwv li, rau vMotion), tom qab ntawd los daws qhov teeb meem routing, peb yuav tsum siv cov tswv tsev . Tab sis qhov no txhais tau tias rau 2 lub chaw cov ntaub ntawv peb yuav tsis muaj ntau tshaj 4096 tus tswv tsev thiab, tau kawg, qhov no yuav tsis txaus.
Piv txwv 2. ACL TCAM.
Yog tias koj npaj yuav lim tsheb khiav ntawm L3 keyboards (los yog lwm yam kev daws teeb meem uas siv L3 keyboards, piv txwv li, Cisco ACI), ces thaum xaiv cov cuab yeej koj yuav tsum xyuam xim rau TCAM ACL.
Piv txwv tias koj xav tswj kev nkag mus rau ntawm SVI interfaces ntawm Cisco Catalyst 4500. Ces, raws li tau pom los ntawm , txhawm rau tswj kev tawm mus (nrog rau kev nkag mus) ntawm kev sib tshuam, koj tuaj yeem siv 4096 TCAM kab nkaus xwb. Qhov twg thaum siv TCAM3 yuav muab rau koj txog 4000 txhiab ACEs (ACL kab).
Yog tias koj tab tom ntsib teeb meem ntawm TCAM tsis txaus, ces, ua ntej ntawm tag nrho cov, koj yuav tsum xav txog qhov ua tau zoo. Yog li, yog tias muaj teeb meem nrog qhov loj ntawm Forwarding Table, koj yuav tsum xav txog qhov muaj peev xwm ntawm kev sib sau ua ke. Yog tias muaj teeb meem nrog TCAM qhov loj me rau kev nkag mus, tshawb xyuas nkag, tshem tawm cov ntaub ntawv tsis tu ncua thiab sib tshooj, thiab tuaj yeem hloov kho cov txheej txheem rau kev qhib nkag (yuav tau tham kom ntxaws hauv tshooj ntawm kev nkag mus rau kev nkag).
Kev Siab Siab
Cov lus nug yog: Kuv puas yuav tsum siv HA rau firewalls los yog nruab ob lub thawv ywj pheej "nyob rau hauv parallel" thiab, yog tias ib qho ntawm lawv ua tsis tau, txoj kev tsheb mus los ntawm qhov thib ob?
Nws yuav zoo li cov lus teb yog pom tseeb - siv HA. Qhov laj thawj yog vim li cas cov lus nug no tseem tshwm sim yog tias, hmoov tsis, qhov kev xav thiab kev tshaj tawm 99 thiab ntau feem pua ntawm kev siv tau rau hauv kev xyaum ua kom deb ntawm rosy. HA yog qhov muaj txiaj ntsig zoo heev, thiab ntawm cov cuab yeej sib txawv, thiab nrog cov neeg muag khoom sib txawv (tsis muaj kev zam), peb ntes tau cov teeb meem thiab kab thiab kev pabcuam nres.
Yog tias koj siv HA, koj yuav muaj lub sijhawm los tua tus kheej cov nodes, hloov ntawm lawv yam tsis muaj kev cuam tshuam cov kev pabcuam, uas yog qhov tseem ceeb, piv txwv li, thaum hloov kho dua tshiab, tab sis tib lub sijhawm koj muaj qhov deb ntawm xoom qhov tshwm sim uas ob lub nodes. yuav tawg nyob rau tib lub sijhawm, thiab tseem tias qhov kev txhim kho tom ntej no yuav tsis mus raws li tus neeg muag khoom tau cog lus tseg (qhov teeb meem no tuaj yeem zam tau yog tias koj muaj sijhawm los ntsuas qhov hloov kho ntawm cov khoom siv hauv chav kuaj).
Yog tias koj tsis siv HA, ces los ntawm qhov pom ntawm ob qhov tsis ua haujlwm koj qhov kev pheej hmoo tsawg dua (vim koj muaj 2 lub firewalls), tab sis txij li thaum ... Cov kev sib tham tsis yog synchronized, ces txhua zaus koj hloov ntawm cov firewalls no koj yuav poob tsheb. Koj tuaj yeem, ntawm chav kawm, siv stateless firewalling, tab sis tom qab ntawd lub ntsiab lus ntawm kev siv firewall yog ploj lawm.
Yog li ntawd, yog hais tias raws li ib tug tshwm sim ntawm kev ntsuam xyuas koj tau nrhiav tau ib tug kho siab firewalls, thiab koj tab tom xav txog kev nce kev ntseeg siab ntawm koj lub network, ces HA, ntawm chav kawm, yog ib qho ntawm cov lus pom zoo, tab sis koj yuav tsum coj mus rau hauv tus account qhov tsis zoo cuam tshuam. nrog rau txoj hauv kev no thiab, tej zaum, tshwj xeeb rau koj lub network, lwm txoj kev daws teeb meem yuav tsim nyog dua.
Kev tswj hwm
Hauv txoj cai, HA kuj tseem hais txog kev tswj hwm. Es tsis txhob teeb tsa 2 lub thawv cais thiab daws teeb meem ntawm kev khaws cov teeb tsa hauv sync, koj tswj hwm lawv ntau npaum li koj muaj ib lub cuab yeej.
Tab sis tej zaum koj muaj ntau lub chaw cov ntaub ntawv thiab ntau lub firewalls, ces lo lus nug no tshwm sim nyob rau theem tshiab. Thiab cov lus nug tsis yog tsuas yog hais txog kev teeb tsa, tab sis kuj hais txog
- backup configurations
- tshiab
- hloov kho dua tshiab
- saib xyuas
- kaw lus
Thiab tag nrho cov no tuaj yeem daws tau los ntawm kev tswj hwm hauv nruab nrab.
Yog li, piv txwv li, yog tias koj siv Palo Alto firewalls, ces yog ib qho kev daws teeb meem zoo li no.
Kom txuas ntxiv.
Tau qhov twg los: www.hab.com