Pilot testing will show: how to prepare for deploying Cisco ISE and understand which system features you need

How often do you buy something spontaneously, giving in to a slick advertisement, and then this once-desired item gathers dust in the closet, pantry or garage until the next spring cleaning or move? The result is disappointment from unjustified expectations and wasted money. It is much worse when this happens to a business. Marketing gimmicks are often so good that companies buy an expensive solution without seeing the full picture of how it will be applied. Pilot testing of the system, on the other hand, helps you understand how to prepare the infrastructure for integration, which functionality should be implemented and to what extent. This way you can avoid many of the problems that come from choosing a product "blindly". Also, a deployment that follows a competent "pilot" will cost the engineers far fewer nerves and grey hairs. Let's look at why pilot testing is so important for a successful project, using the example of a popular tool for controlling access to the corporate network, Cisco ISE. We will consider both standard and completely non-standard ways of using the solution that we have encountered in our practice.

Cisco ISE: a "RADIUS server on steroids"

Cisco Identity Services Engine (ISE) is a platform for controlling access to an organization's local network. In the professional community, the product has earned the nickname "RADIUS server on steroids" for its properties. Why? Essentially, the solution is a RADIUS server with a large number of additional services and "tricks" attached to it, which let you collect a large amount of contextual information and apply the resulting data set in access policies.

Like any other RADIUS server, Cisco ISE interacts with the network equipment, collects information about every attempt to connect to the corporate network and, based on authentication and authorization policies, allows or denies users onto the LAN. However, the ability to do profiling and posture assessment, and to integrate with other information security solutions, makes it possible to build significantly more complex authorization policy logic, and thereby to solve quite difficult and interesting problems.

Deploy or pilot: why do you need testing?

The value of pilot testing is to show the full capabilities of the system in the specific infrastructure of a specific organization. I believe that piloting Cisco ISE before deployment is beneficial for everyone involved in the project, and here is why.

It gives the integrator a clear idea of what the customer expects and helps produce a precise technical specification with more substance than the phrase "make sure everything works well". The "pilot" lets us hear all of the customer's pain points and understand which tasks are a priority and which are secondary. For us, it is an excellent opportunity to find out in advance which equipment is used in the organization, how the deployment will proceed, at which sites, where they are located, and so on.

During pilot testing, the customer sees the real system in action, gets to know its interface, can check its compatibility with the existing equipment, and gains a better understanding of how the solution will work after full deployment. The "pilot" is the moment when you can see all the pitfalls you are likely to run into during integration, and decide how many licenses you need to buy.

What can "pop up" during the "pilot"

So, how do you prepare for a Cisco ISE deployment? From our experience, we have identified 4 key points that are important to settle during pilot testing of the system.

Form factor

First, you need to decide in which form factor the system will be deployed: a physical or a virtual appliance. Each option has its advantages and disadvantages. For example, the strength of a physical appliance is its predictable performance, but we must not forget that such devices become obsolete over time. Virtual appliances are less predictable, because their performance depends on the hardware on which the virtualization environment is deployed, but they have one big advantage: as long as support is in place, they can always be upgraded to the latest version.

Is your network equipment compatible with Cisco ISE?

Of course, the ideal scenario would be to connect all the equipment to the system at once. However, this is not always possible, since many organizations still use unmanaged switches, or switches that do not support some of the technologies Cisco ISE relies on. By the way, we are not only talking about switches: it could be wireless LAN controllers, VPN concentrators and other equipment to which users connect. In my practice, there have been cases where, after a demonstration of the system, the customer upgraded almost the entire fleet of access-layer switches to modern Cisco devices before the full deployment. To avoid unpleasant surprises, it is worth finding out the share of unsupported equipment in advance.

Is all of your equipment standard?

Every network has devices that should not be difficult to connect: workstations, IP phones, Wi-Fi access points, video cameras, and so on. But it also happens that non-standard devices need to be connected to the LAN, for example RS232/Ethernet bus signal converters, uninterruptible power supply interfaces, various industrial equipment, and so on. It is important to determine the list of such devices in advance, so that at the deployment stage you already understand how they will work with Cisco ISE.

Conversations with IT specialists

Cisco ISE customers are usually information security departments, while the IT department is typically responsible for configuring the network access equipment and Active Directory. Therefore, productive interaction between the security specialists and the IT specialists is a key condition for a painless deployment of the system. If the latter see the integration as hostile, it is worth explaining to them how the solution will be useful to the IT department.

Top 5 Cisco ISE use cases

In our experience, the required functionality of the system is also identified at the pilot testing stage. Below are some of the most popular and some less common use cases for the solution.

Secure wired LAN access with EAP-TLS

As the results of our pentesters' work show, to penetrate a corporate network attackers quite often use the same ports to which printers, phones, IP cameras, Wi-Fi access points and other non-personal devices are connected. Therefore, even if network access is based on dot1x, but other authentication methods that do not use a user certificate are in use, there is a good chance of a successful attack involving session interception and password brute-forcing. With Cisco ISE and EAP-TLS, stealing a certificate is much harder: the attacker would need far more computing resources, so this use case is very effective.

Dual-SSID wireless access

The essence of this scenario is to use 2 network identifiers (SSIDs). One of them can conventionally be called "guest". Through it, both guests and company employees can get onto the wireless network. When they try to connect, the latter are redirected to a special portal where provisioning takes place. That is, the user is issued a certificate and their personal device is configured to automatically reconnect to the second SSID, which already uses EAP-TLS with all the advantages of the first use case.

MAC Authentication Bypass and Profiling

Another popular use case is detecting the type of a connected device and applying the appropriate restrictions to it. Why is this interesting? The fact is that there are still quite a few devices that do not support authentication using the 802.1X protocol. Therefore, such devices have to be allowed onto the network by their MAC address, which is quite easy to spoof. This is where Cisco ISE comes to the rescue: with the system's help you can see how a device behaves on the network, build its profile and assign it to a group of similar devices, for example IP phones or workstations. If an attacker tries to spoof a MAC address and connect to the network, the system will see that the device profile has changed, will flag the suspicious behaviour and will not allow the suspicious endpoint onto the network.
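The profile-change logic described above, as an added example that is not Cisco ISE's code and not part of the original article. It models a profiler in miniature: an endpoint authenticated by MAB is classified from the attributes the network reports about it (here only LLDP system description and DHCP class identifier, both constructed sample values), the first profile seen for a MAC is remembered, and a later session whose attributes classify the same MAC as a different kind of device is treated as a spoofed address and denied. The profile names, the policy table and the session events are all constructed for the example.

```python
"""Endpoint profiling with MAC-address profile-change detection (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Ordered profiling rules: first matching predicate wins. Constructed for the
# example; a real profiler combines many more probes (OUI, SNMP, NetFlow, ...).
PROFILE_RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("IP-Phone",    lambda a: a.get("lldp_sys_desc", "").lower().startswith("ip phone")),
    ("IP-Camera",   lambda a: "camera" in a.get("dhcp_class_id", "").lower()),
    ("Workstation", lambda a: a.get("dhcp_class_id", "").startswith("MSFT")),
]

# Authorization result per profile for MAB endpoints (constructed policy).
# Anything that stays "Unknown" is denied: MAB without a profile is just a MAC.
PROFILE_POLICY = {
    "IP-Phone": "permit:voice-vlan",
    "IP-Camera": "permit:camera-vlan",
    "Workstation": "permit:restricted-vlan",   # a MAB-only workstation gets limited access
}


def classify(attrs: Dict[str, str]) -> str:
    """Return the profile name for the reported attributes, or 'Unknown'."""
    for name, matches in PROFILE_RULES:
        if matches(attrs):
            return name
    return "Unknown"


@dataclass
class Profiler:
    endpoints: Dict[str, str] = field(default_factory=dict)   # mac -> stored profile
    anomalies: List[str] = field(default_factory=list)        # human-readable alerts

    def authorize(self, mac: str, attrs: Dict[str, str]) -> str:
        """Decide a MAB session: compare the new classification with what we know."""
        profile = classify(attrs)
        known = self.endpoints.get(mac)
        if known is None or known == "Unknown":
            # First sighting, or a previously unclassified endpoint that we can now
            # classify: refinement is normal, so just record it.
            self.endpoints[mac] = profile
        elif known != profile:
            # The same MAC now looks like a different kind of device. That is the
            # signature of address spoofing, so alert and deny.
            self.anomalies.append(f"{mac}: profile changed {known} -> {profile}")
            return "deny:profile-changed"
        return PROFILE_POLICY.get(profile, "deny:unknown-profile")


# Constructed session events: (MAC, attributes reported by the switch/DHCP probe).
SAMPLE_EVENTS = [
    ("00:1b:21:aa:bb:cc", {"lldp_sys_desc": "IP Phone 8841", "dhcp_class_id": ""}),
    ("00:1b:21:aa:bb:cc", {"lldp_sys_desc": "IP Phone 8841", "dhcp_class_id": ""}),
    ("00:1b:21:aa:bb:cc", {"dhcp_class_id": "MSFT 5.0"}),   # phone's MAC reused by a laptop
    ("ac:de:48:00:11:22", {"dhcp_class_id": "IPCamera-XY"}),
    ("de:ad:be:ef:00:01", {"dhcp_class_id": "udhcp 1.30"}),  # nothing we can classify
]


def run_demo(events=SAMPLE_EVENTS) -> Tuple[List[str], List[str]]:
    """Feed the sample events through one profiler; return (decisions, anomalies)."""
    profiler = Profiler()
    decisions = [profiler.authorize(mac, attrs) for mac, attrs in events]
    return decisions, profiler.anomalies


if __name__ == "__main__":
    for decision in run_demo()[0]:
        print(decision)
    print(run_demo()[1])
```

The third event is the interesting one: the laptop borrowed the phone's MAC, but the DHCP class identifier it sends classifies it as a workstation, so the stored IP-Phone profile no longer matches and the session is denied instead of landing in the voice VLAN. Refinement from "Unknown" to a concrete profile is deliberately not treated as an anomaly, because that is what happens naturally as more probes report data about a new endpoint.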

EAP-Chaining

EAP-Chaining involves sequential authentication of the corporate PC and of the user account. This use case has become widespread because many companies still do not welcome employees connecting their personal gadgets to the corporate LAN. Using this approach to authentication, you can check whether a particular workstation is a member of the domain, and if the result is negative, the user is either not allowed onto the network at all, or is let in with certain restrictions.

Posture

This use case involves assessing whether the workstation's software complies with the requirements of the information security policy. Using this technology, you can check whether the software on the workstation is up to date, whether security tools are installed on it, whether the host firewall is configured, and so on. Interestingly, the technology also lets you solve tasks unrelated to security, for example checking for the presence of required files or rolling out software across the company.
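The posture flow in miniature, as an added example that is not Cisco ISE's code or the article's own. A policy is a list of conditions over the facts a posture agent reports about the host (antivirus presence and signature age, host firewall state, presence of a required file under Program Files); each failed condition maps to a remediation action, and the overall result decides whether the endpoint gets full access or is parked in a remediation VLAN. The condition names, the 7-day signature threshold, the file path and the two sample hosts are constructed assumptions for the example.

```python
"""Posture assessment against a small policy (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Any, Callable, Dict, List

Facts = Dict[str, Any]


@dataclass
class Condition:
    name: str
    check: Callable[[Facts, date], bool]   # True when the host satisfies the condition
    remediation: str                       # what the agent/user should do on failure


MAX_SIGNATURE_AGE_DAYS = 7                 # constructed policy threshold
# Hypothetical corporate agent path used by the "required file" condition.
REQUIRED_FILE = r"C:\Program Files\Corp Agent\agent.exe"


def signatures_fresh(facts: Facts, today: date) -> bool:
    """AV signatures count as fresh when dated within MAX_SIGNATURE_AGE_DAYS of today."""
    sig_date = facts.get("av_sig_date")
    if not sig_date:
        return False
    return (today - date.fromisoformat(sig_date)).days <= MAX_SIGNATURE_AGE_DAYS


POLICY: List[Condition] = [
    Condition("av_installed", lambda f, t: bool(f.get("av_installed")),
              "Install the corporate antivirus"),
    Condition("av_signatures_fresh", signatures_fresh,
              "Update antivirus signatures"),
    Condition("firewall_enabled", lambda f, t: bool(f.get("firewall_enabled")),
              "Enable the host firewall"),
    Condition("corp_agent_present", lambda f, t: REQUIRED_FILE in f.get("files", []),
              "Run the installer from the software share (placeholder path)"),
]


def assess(facts: Facts, today: date, policy: List[Condition] = POLICY) -> Dict[str, Any]:
    """Evaluate every condition; any failure makes the host non-compliant."""
    failed = [c for c in policy if not c.check(facts, today)]
    return {
        "status": "compliant" if not failed else "non-compliant",
        "failed": [c.name for c in failed],
        "remediation": [c.remediation for c in failed],
        # Non-compliant hosts are not simply dropped: they get a remediation VLAN
        # from which the fixes can be applied and the posture re-checked.
        "access": "full" if not failed else "remediation-vlan",
    }


# Constructed reports from two hosts as a posture agent might send them.
GOOD_HOST: Facts = {
    "av_installed": True, "av_sig_date": "2024-05-09", "firewall_enabled": True,
    "files": [REQUIRED_FILE, r"C:\Program Files\Notepad++\notepad++.exe"],
}
BAD_HOST: Facts = {
    "av_installed": True, "av_sig_date": "2024-04-20", "firewall_enabled": False,
    "files": [r"C:\Program Files\Notepad++\notepad++.exe"],
}

if __name__ == "__main__":
    today = date(2024, 5, 10)   # fixed "today" so the sample stays reproducible
    for label, host in (("good", GOOD_HOST), ("bad", BAD_HOST)):
        print(label, assess(host, today))
```

Note that the "required file" check is exactly the kind of non-security condition the paragraph mentions: it fails the same way a missing antivirus does, and its remediation is a software rollout rather than a security fix. A badly written condition of this sort applies to every host that hits the policy, which is why such rules deserve the same testing as the security ones.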

Less common Cisco ISE use cases include end-to-end authentication logging (Passive ID), SGT-based micro-segmentation and filtering, as well as integration with mobile device management (MDM) systems and vulnerability scanners.

Non-standard tasks: what else you might need Cisco ISE for, or 3 rare cases from our practice

Access control for Linux-based servers

Once we were solving a non-trivial task for one of our customers who already had Cisco ISE deployed: we needed a way to centrally control the actions of users (mostly administrators) on servers running Linux. In search of an answer, we came up with the idea of using the free PAM RADIUS Module, which lets you log in to Linux servers with authentication on an external RADIUS server. Everything would have been fine if not for one "but": the RADIUS server, in its response to an authentication request, returns only the account name and the result, Access-Accept or Access-Reject. Meanwhile, to log a user in on Linux you need to provide at least one more parameter, the home directory, so that the user at least ends up somewhere. We could not find a way to pass this as a RADIUS attribute, so we wrote a special script that creates the accounts on the hosts in semi-automatic mode. The task was quite manageable, since we were dealing with administrator accounts, of which there were not very many. Next, users logged in to the required host, after which they were given the necessary access. A reasonable question arises: is it worth using Cisco ISE in such cases? Strictly speaking, no, any RADIUS server would do, but since the customer already had this system, we simply added a new function to it.
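The provisioning gap described above, worked through as an added example; this is not the authors' script and not part of the article. With pam_radius_auth the RADIUS server only answers Access-Accept or Access-Reject for a username, so the local account and home directory have to exist before the first login. The script below compares the list of administrators who should be able to log in with an /etc/passwd excerpt and produces the useradd commands that are missing, running them only when explicitly asked. The admin list, the passwd excerpt, the local group name and the PAM configuration lines quoted in the comments are constructed assumptions; the accounts are created without a local password, because the password is checked by RADIUS and a usable local password would bypass that.

```python
"""Semi-automatic local account provisioning for RADIUS-authenticated admins (added example).

Typical PAM wiring this complements (example values, adjust for your distribution):
    /etc/pam.d/sshd:            auth sufficient pam_radius_auth.so
    /etc/pam_radius_auth.conf:  radius.example.internal  <shared-secret>  3
The RADIUS answer carries no home directory or shell, so the local account must
already exist; this script plans (and optionally applies) that step.
"""
import re
import shlex
import subprocess
from typing import Dict, List, Tuple

# Conservative username syntax: anything else is refused before it reaches a shell.
VALID_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
ADMIN_GROUP = "radius-admins"   # hypothetical local group granting sudo via /etc/sudoers.d
LOGIN_SHELL = "/bin/bash"

# Constructed /etc/passwd excerpt for the demo.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
"""


def parse_passwd(text: str) -> Dict[str, Dict[str, str]]:
    """Map username -> {uid, home, shell} from passwd-format text; skip malformed lines."""
    users: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7:
            users[fields[0]] = {"uid": int(fields[2]), "home": fields[5], "shell": fields[6]}
    return users


def plan(admins: List[str], passwd_text: str) -> Tuple[List[List[str]], List[str]]:
    """Return (useradd commands for missing admins, names rejected as unsafe)."""
    existing = parse_passwd(passwd_text)
    commands: List[List[str]] = []
    rejected: List[str] = []
    for name in sorted(set(admins)):
        if not VALID_NAME.match(name):
            rejected.append(name)          # never pass an unvalidated RADIUS name to a command
            continue
        if name in existing:
            continue                       # account already present; nothing to do
        # --create-home gives the user a landing directory; no --password means the
        # local password stays locked, so only the RADIUS check can authenticate.
        commands.append(["useradd", "--create-home", "--home-dir", f"/home/{name}",
                         "--shell", LOGIN_SHELL, "--groups", ADMIN_GROUP, name])
    return commands, rejected


def apply(commands: List[List[str]], dry_run: bool = True) -> List[str]:
    """Render each command; execute it only when dry_run is False. Returns what was run."""
    rendered = [shlex.join(cmd) for cmd in commands]
    if not dry_run:
        for cmd in commands:
            subprocess.run(cmd, check=True)   # requires root; fails loudly on error
    return rendered


if __name__ == "__main__":
    cmds, bad = plan(["alice", "bob", "bad;name"], PASSWD_SAMPLE)
    for line in apply(cmds, dry_run=True):
        print("would run:", line)
    print("rejected:", bad)
```

Running the block as-is only prints the plan; on a real host you would read /etc/passwd instead of the sample and call `apply(cmds, dry_run=False)` as root once the plan has been reviewed. Keeping the plan step separate from execution is what makes the "semi-automatic" mode safe: an administrator sees exactly which accounts will appear on which server before any of them are created.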

Inventory of hardware and software on the LAN

We once worked on a project to deploy Cisco ISE for a customer without a preliminary "pilot". There were no clear requirements for the solution, and on top of that we were dealing with a flat, unsegmented network, which complicated our task. During the project, we configured every profiling method the network supported: NetFlow, DHCP, SNMP, AD integration, and so on. As a result, MAR access was configured with the ability to get onto the network even if authentication failed. That is, even when authentication was unsuccessful, the system still let the user onto the network, collected information about them and recorded it in the ISE database. Watching the network this way for several weeks helped us identify the connected systems and non-personal devices and work out an approach to segmenting them. After that, we also configured posture assessment to install an agent on the workstations in order to collect information about the software installed on them. What was the result? We were able to segment the network and determine the list of software that had to be removed from the workstations. I won't hide that the further work of distributing users into domain groups and delineating access rights took us a lot of time, but in this way we obtained a complete picture of what equipment the customer had on the network. By the way, that part was not hard, thanks to the good out-of-the-box profiling. Well, and where profiling did not help, we looked ourselves, identifying the switch port to which the device was connected.

Remote installation of software on workstations

This case is one of the most unusual in my practice. One day a customer came to us asking for help: something had happened while using Cisco ISE, everything broke, and no one could get onto the network. We started looking into it and found the following. The company had 2000 computers which, in the absence of a domain controller, were managed under a local administrator account. For peering purposes, the organization had deployed Cisco ISE. It was necessary to understand whether antivirus was installed on the existing PCs, whether the software environment was up to date, and so on. And since the IT administrators had configured the network equipment into the system, it is logical that they had access to it. After seeing how it worked and assessing the posture of their own PCs, the administrators came up with the idea of installing software on employees' workstations remotely, without visiting them in person. Just imagine how many hours a day that would save! The administrators set up several posture checks on the workstation for the presence of a specific file in the C:\Program Files directory, and if it was not there, automatic remediation was launched by following a link to a file store holding the installation .exe file. This allowed ordinary users to go to the file share and download the necessary software from there. Unfortunately, the administrator did not know the ISE system well enough and broke the posture process: he wrote the policy incorrectly, which led to the problem we were brought in to resolve. Personally, I was surprised by such a creative approach, because it would have been cheaper and less labour-intensive to deploy a domain controller. But as a proof of concept, it worked.

Read more about the specifics that come up when deploying Cisco ISE in my colleague's article "Cisco ISE in practice. An engineer's view".

Artem Bobrikov, design engineer at the Information Security Center of Jet Infosystems

P.S.:
Even though this article discusses the Cisco ISE system, the problems described apply to the entire class of NAC solutions. It does not really matter which vendor's solution is planned for deployment; most of the above will still hold.

Source: www.hab.com
