Encrypting under GOST: a memo on setting up dynamic traffic routing

If your company transmits or receives personal data and other confidential information over a network that is subject to protection under the law, it must use GOST encryption. Today we will describe how we implemented such encryption on S-Terra crypto gateways (CGs) at one of our customers. This story will be of interest to information security specialists, as well as to engineers, designers and architects. We will not go deep into the nuances of the configuration process in this post; we will focus on the key points of the basic setup. Extensive documentation on configuring the Linux OS daemons that the S-Terra CG is based on is freely available on the Internet. Documentation on configuring the proprietary S-Terra software is also publicly available on the manufacturer's portal.

A few words about the project

The customer's network topology is standard: a full mesh between the center and the branches. Data exchanged between all the sites, of which there are 8, had to be encrypted.

Usually in such projects everything is static: static routes to the site's local network are configured on the crypto gateways (CGs), and lists of IP addresses (ACLs) for encryption are registered. In this case, however, the sites have no centralized management, and anything can happen inside their local networks: networks can be added, removed and modified in every possible way. To avoid reconfiguring the routing and the ACLs on the CGs whenever the addressing of a site's local network changes, it was decided to use GRE tunneling and OSPF dynamic routing that includes all the CGs and most of the core routers of the sites' networks (at some sites, the infrastructure administrators preferred to use SNAT towards the CG on the core routers).

GRE tunneling lets us solve two problems:
1. Use the IP address of the CG's external interface in the encryption ACL, since that address encapsulates all traffic sent to the other sites.
2. Organize point-to-point tunnels between the CGs, over which dynamic routing can be set up (in our case, the provider's MPLS L3VPN is organized between the sites).

The customer asked for the encryption to be implemented as a service. Otherwise it would have had not only to maintain the crypto gateways itself or outsource them to some organization, but also to monitor the life cycle of the encryption certificates itself, renewing them in time and installing new ones.
And now the memo itself: how and what we configured

Memo for CII subjects: setting up the crypto gateway

Basic network setup

First of all, we unpack the new CG and enter the administration console. Start by changing the built-in administrator's password: the command change user password administrator. Then perform the initialization procedure (the command initialize), during which the license data is entered and the random number sensor (RNS) is initialized.

Attention! When the S-Terra CG is initialized, a security policy is installed under which the security gateway does not pass packets. You must either create your own policy or use the command run csconf_mgr activate to activate a pre-installed permissive policy.
Next, configure the addressing of the external and internal interfaces, as well as the default route. It is preferable to work with the CG's network configuration and to configure encryption through the Cisco-like console. This console is designed to accept commands similar to Cisco IOS commands. The configuration created through the Cisco-like console is, in turn, converted into the corresponding configuration files that the OS daemons work with. You can enter the Cisco-like console from the administration console with the configure command.

Change the passwords of the built-in users cscons and enable:

> enable
Password: csp (preinstalled)
#configure terminal
#username cscons privilege 15 secret 0
#enable secret 0

Configure the network settings:

#interface GigabitEthernet0/0
#ip address 10.111.21.3 255.255.255.0
#no shutdown
#interface GigabitEthernet0/1
#ip address 192.168.2.5 255.255.255.252
#no shutdown
#ip route 0.0.0.0 0.0.0.0 10.111.21.254

GRE

Exit the Cisco-like console and go to the debian shell with the system command. Set your own password for the root user with the passwd command.
On each crypto gateway, a separate tunnel is configured for each site. The tunnel interface is configured in the file /etc/network/interfaces. The ip tunnel utility, included in the preinstalled iproute2 package, is responsible for creating the interface itself. The interface creation command is written in the pre-up option.

Example configuration of a typical tunnel interface:
auto site1
iface site1 inet static
address 192.168.1.4
netmask 255.255.255.254
# note: iproute2 expects the GRE key as a 32-bit number or a dotted quad
pre-up ip tunnel add site1 mode gre local 10.111.21.3 remote 10.111.22.3 key hfLYEg^vCh6p

Attention! Note that the settings for the tunnel interfaces must be placed outside the section

###netifcfg-begin###
*****
###netifcfg-end###

Otherwise these settings will be overwritten when the network settings of the physical interfaces are changed through the Cisco-like console.

Dynamic routing

In S-Terra, dynamic routing is implemented with the Quagga software package. To configure OSPF we need to enable and configure the zebra and ospfd daemons. The zebra daemon is responsible for communication between the routing daemons and the OS. The ospfd daemon, as its name suggests, is responsible for implementing the OSPF protocol.
OSPF is configured either through the daemon console or directly in the configuration file /etc/quagga/ospfd.conf. All physical and tunnel interfaces participating in dynamic routing are added to the file, and the networks that will be advertised and will receive advertisements are declared as well.

An example of the configuration that must be added to ospfd.conf:
interface eth0
!
interface eth1
!
interface site1
!
interface site2
!
router ospf
 ospf router-id 192.168.2.21
 network 192.168.1.4/31 area 0.0.0.0
 network 192.168.1.16/31 area 0.0.0.0
 network 192.168.2.4/30 area 0.0.0.0

Here the addresses 192.168.1.x/31 are reserved for the point-to-point networks between the sites, and the addresses 192.168.2.x/30 are allocated for the links between the CG and the core routers.

Attention! To keep the routing table small in large installations, you can filter the advertisement of the connected networks themselves with the constructs no redistribute connected or redistribute connected route-map.

After configuring the daemons, change their startup status in /etc/quagga/daemons: in the zebra and ospfd options, change no to yes. Start the quagga daemon and set it to start automatically when the CG boots with the command update-rc.d quagga enable.

If the GRE tunnels and OSPF are configured correctly, routes to the networks of the other sites should appear on the CG and the core routers, and connectivity between the local networks appears as a result.

Encrypting traffic

As already noted, when encrypting between sites we usually specify the ranges of IP addresses (ACLs) between which traffic is encrypted: if the source and destination addresses fall within these ranges, the traffic between them is encrypted. In this project, however, the structure is dynamic and addresses may change. Since we have already set up GRE tunneling, we can specify the external CG addresses as the source and destination addresses for encrypting traffic, because the traffic that arrives for encryption has already been encapsulated by the GRE protocol. In other words, everything that enters the CG from the local network of one site towards the networks announced by the other sites is encrypted. And inside each site any changes can be made. So if a local network changes, the administrator only needs to adjust the announcements coming from his network towards the backbone, and it becomes reachable from the other sites.

Encryption in the S-Terra CG is performed with the IPsec protocol. We use the Kuznyechik ("Grasshopper") algorithm according to GOST R 34.12-2015, and for compatibility with older versions GOST 28147-89 can be used. Authentication can be performed with either pre-shared keys (PSKs) or certificates. In production operation, however, certificates issued according to GOST R 34.10-2012 must be used.

Work with certificates, key containers and CRLs is done with the cert_mgr utility. First of all, with the command cert_mgr create, you need to create a private key container and a certificate request, which is then sent to the Certification Authority. After the certificate is received, it must be imported together with the root CA certificate and the CRL (if used) with the command cert_mgr import. You can make sure that all certificates and CRLs are installed with the command cert_mgr show.

After the certificates have been installed, go to the Cisco-like console to configure IPsec.
We create an IKE policy that specifies the desired algorithms and the parameters of the secure channel to be established, which will be offered to the peer for negotiation.

#crypto isakmp policy 1000
#encr gost341215k
#hash gost341112-512-tc26
#authentication sign
#group vko2
#lifetime 3600

This policy is applied when the first phase of IPsec is built. The result of a successful first phase is the establishment of an SA (Security Association).
Next, we need to define the list of source and destination IP addresses (ACL) for encryption, create a transform set, create a crypto map and bind it to the external interface of the CG.

Define the ACL:
#ip access-list extended site1
#permit gre host 10.111.21.3 host 10.111.22.3

The transform set (as in the first phase, we use the Kuznyechik encryption algorithm in the mode with MAC (imitovstavka) generation):

#crypto ipsec transform-set GOST esp-gost341215k-mac

We create the crypto map, specifying the ACL, the transform set and the peer address:

#crypto map MAIN 100 ipsec-isakmp
#match address site1
#set transform-set GOST
#set peer 10.111.22.3

We bind the crypto map to the external interface of the crypto gateway:

#interface GigabitEthernet0/0
#ip address 10.111.21.3 255.255.255.0
#crypto map MAIN

To encrypt the channel to the other sites, repeat the procedure of creating the ACL and the crypto map entry, changing the ACL name, the IP addresses and the crypto map sequence number.
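Repeating the per-peer steps (tunnel stanza, OSPF network line, ACL and crypto map entry) by hand across eight gateways is where the two ends of a link drift apart, so here is an added example, not S-Terra tooling or the author's code, that derives all three fragments for one gateway from a single site table. The three-site table, the /31 allocation order, the numeric GRE key and the crypto map numbering are constructed assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed three-site plan (the page's mesh has eight): site -> external address of its CG.
SITES = {"site1": "10.111.21.3", "site2": "10.111.22.3", "site3": "10.111.23.3"}
PTP_POOL = ipaddress.ip_network("192.168.1.0/24")  # /31 links between sites, as on the page

def plan_links(sites=SITES):
    """One /31 per unordered site pair, assigned in sorted order so every CG derives the same plan."""
    pool = PTP_POOL.subnets(new_prefix=31)
    return {pair: next(pool) for pair in combinations(sorted(sites), 2)}

def peer_config(me, peer, link, num, sites=SITES):
    """Fragments for one peer: interfaces(5) stanza, ospfd network line, Cisco-like ACL + crypto map."""
    low, _ = sorted((me, peer))
    my_ip = link[0] if me == low else link[1]  # lower-named site takes the first /31 address
    # `ip tunnel` wants a numeric GRE key; reusing the crypto map number for it is an assumption
    iface = "\n".join([
        f"auto {peer}",
        f"iface {peer} inet static",
        f"address {my_ip}",
        "netmask 255.255.255.254",
        f"pre-up ip tunnel add {peer} mode gre local {sites[me]} remote {sites[peer]} key {num}",
    ])
    ospf = f" network {link} area 0.0.0.0"
    crypto = "\n".join([
        f"ip access-list extended {peer}",
        f" permit gre host {sites[me]} host {sites[peer]}",
        f"crypto map MAIN {num} ipsec-isakmp",
        f" match address {peer}",
        " set transform-set GOST",
        f" set peer {sites[peer]}",
    ])
    return iface, ospf, crypto

def build(me, sites=SITES):
    """Assemble the fragments for every peer of gateway `me`; map numbers run 100, 200, ..."""
    links = plan_links(sites)
    ifaces, ospf, crypto = [], ["router ospf"], []
    for seq, peer in enumerate(p for p in sorted(sites) if p != me):
        link = links[tuple(sorted((me, peer)))]
        i, o, c = peer_config(me, peer, link, 100 * (seq + 1), sites)
        ifaces.append(i)
        ospf.append(o)
        crypto.append(c)
    return {"interfaces": "\n\n".join(ifaces), "ospfd": "\n".join(ospf), "cisco": "\n".join(crypto)}

if __name__ == "__main__":
    for name, body in build("site1").items():
        print(f"--- {name} ---\n{body}\n")
```

Running build() for each site name yields the matching far end of every /31 automatically, which is the consistency the manual repeat step relies on.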

Attention! If certificate validation against a CRL is not used, this must be stated explicitly:

#crypto pki trustpoint s-terra_technological_trustpoint
#revocation-check none

At this point the configuration can be considered complete. In the Cisco-like console, the output of the commands show crypto isakmp sa and show crypto ipsec sa should reflect the established first and second phases of IPsec. The same information can be obtained with the command sa_mgr show, executed from the debian shell. In the output of the command cert_mgr show, the certificates of the remote sites should appear; the status of such certificates will be Remote. If the tunnels are not established, look at the VPN service log, which is stored in the file /var/log/cspvpngate.log. A full list of the log files with a description of their contents is available in the documentation.

Monitoring the "health" of the system

The S-Terra CG uses the standard snmpd daemon for monitoring. In addition to the usual Linux parameters, S-Terra supports out of the box the export of data about IPsec tunnels according to CISCO-IPSEC-FLOW-MONITOR-MIB, which is what we use to monitor the state of the IPsec tunnels. Custom OIDs that return the output of a script as their value are also supported. This lets us track certificate expiration dates. The script we wrote parses the output of the command cert_mgr show and reports the number of days until the local and root certificates expire. This technique is indispensable when administering a large number of CGs.
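As an added example of the expiry-tracking script described above (not the author's script), the parser below computes the days until the local and root certificates expire from a constructed stand-in for cert_mgr show output. The field layout and status labels of that stand-in are assumptions to be adapted to the real output; the script is meant to be hooked to an snmpd extend entry so the value is readable over SNMP.

```python
import subprocess
import sys
from datetime import datetime, timezone

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed stand-in for `cert_mgr show` output; real field names and layout may differ.
SAMPLE = """\
1 Status: Local
  Subject: CN=cg-site1,O=Customer
  Valid to: 2025-03-15 12:00:00
2 Status: Trusted
  Subject: CN=Customer Root CA
  Valid to: 2027-01-01 00:00:00
3 Status: Remote
  Subject: CN=cg-site2,O=Customer
  Valid to: 2025-02-01 09:30:00
"""

def parse_ts(s):
    """Timestamps in the output carry no zone; treat them as UTC (assumption)."""
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)

def parse_expiry(text):
    """Return [(status, expiry)] for every record, walking the output line by line."""
    records, status = [], None
    for line in text.splitlines():
        if "Status:" in line:
            status = line.split("Status:", 1)[1].strip()
        elif "Valid to:" in line and status is not None:
            records.append((status, parse_ts(line.split("Valid to:", 1)[1].strip())))
            status = None  # one expiry per record
    return records

def days_left(text, now, statuses=("Local", "Trusted")):
    """Whole days until the soonest expiry among certificates with the given statuses, or None."""
    if isinstance(now, str):
        now = parse_ts(now)
    remaining = [(exp - now).days for st, exp in parse_expiry(text) if st in statuses]
    return min(remaining) if remaining else None

def main(argv):
    # `--live` runs the real utility on the gateway; the default is an offline dry run on SAMPLE
    if "--live" in argv:
        text = subprocess.run(["cert_mgr", "show"], capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE
    days = days_left(text, datetime.now(timezone.utc))
    # an snmpd line such as `extend certdays /usr/local/bin/certdays.py --live` exposes this value
    print(-1 if days is None else days)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A negative value means a local or root certificate has already expired, so the monitoring threshold should alert well before zero.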

What is the benefit of such encryption?

All the functionality described above is supported out of the box by the S-Terra CG. That is, there was no need to install any additional modules that could affect the certification of the crypto gateways and the certification of the information system as a whole. Any channels can be used between the sites, even the Internet.

Because the crypto gateways do not need to be reconfigured when the internal infrastructure changes, the system works as a service, which is very convenient for the customer: it can place its services (client and server) at any addresses, and every change is propagated dynamically between the encryption devices.

Of course, encryption affects the data transfer rate because of its overhead, but only slightly: channel throughput can decrease by at most 5-10%. At the same time, the technology was tested and performed well even over satellite channels, which are rather unstable and have low bandwidth.

Igor Vinokhodov, engineer on the 2nd line of administration at Rostelecom-Solar

Source: www.hab.com
