1. Introduction

Every company, even a small one, needs authentication, authorization and user accounting (the AAA family of protocols). In the early stages, AAA is implemented well enough with protocols such as RADIUS, TACACS+ and DIAMETER. However, as the number of users and companies grows, so does the number of tasks: maximum visibility of hosts and BYOD devices, multi-factor authentication, creation of multi-level access policies, and so on.

For such tasks, solutions of the NAC (Network Access Control) class are the best fit. In this series of articles devoted to NAC, let me briefly recall what Cisco ISE can do:
- quickly and easily create guest access on a dedicated WLAN;
- detect BYOD devices (for example, home PCs that employees bring to work);
- centrally create and apply security policies to domain and non-domain users using SGT security group tags (TrustSec);
- check whether specific software is installed on computers and whether they comply with standards (posture);
- classify and profile endpoints and network devices;
- provide endpoint visibility;
- send user logon/logoff (identity) event logs to an NGFW to build user-based policies;
- integrate natively with Cisco StealthWatch and quarantine suspicious hosts involved in security incidents;
- other standard functions of an AAA server.
Colleagues in the industry have already written about Cisco ISE, and I recommend reading their articles as well.
2. Architecture

The Identity Services Engine architecture has four entities (nodes): the administration node (Policy Administration Node), the policy distribution node (Policy Service Node), the monitoring node (Monitoring Node) and the PxGrid node (PxGrid Node). Cisco ISE can be used in a standalone or a distributed installation. In the standalone version all entities are placed on a single virtual machine or physical server (Secure Network Server, SNS); in the distributed version the nodes are spread across different devices.

The Policy Administration Node (PAN) is a mandatory node that makes it possible to perform all administrative operations in Cisco ISE. It handles all system configuration related to AAA. In a distributed configuration (where the nodes can be installed as separate virtual machines), up to two PANs can be used for fault tolerance (active/standby mode).

The Policy Service Node (PSN) is a mandatory node that provides network access, posture, guest access, client provisioning and profiling. The PSN evaluates and applies policies. Usually, and especially in a distributed configuration, several PSNs are installed to achieve more redundant and distributed operation. Naturally, these nodes are placed in different segments so that the ability to provide authenticated and authorized access is not lost even for a moment.

The Monitoring Node (MnT) is a mandatory node that stores event logs, the logs of the other nodes and the policies on the network. The MnT node provides advanced tools for monitoring and troubleshooting, collects and correlates various data and delivers meaningful reports. Cisco ISE allows up to two MnT nodes, which gives fault tolerance (active/standby mode); logs, however, are collected by both the active and the passive node.

The PxGrid Node (PXG) is a node that uses the PxGrid protocol and enables communication between other devices that support PxGrid.

In a high-availability configuration, PxGrid nodes replicate information between nodes through the PAN. If the PAN is down, the PxGrid node stops authenticating, authorizing and accounting users.

Below is a schematic view of how the various Cisco ISE entities operate in an enterprise network.

Figure 1. Cisco ISE architecture
3. Requirements

Cisco ISE, like most modern solutions, can be implemented as a separate server, either virtual or physical.

The physical device that runs the Cisco ISE software is called an SNS (Secure Network Server). For small and medium-sized businesses there are the SNS-3615, SNS-3655 and SNS-3695 models; Table 1 gives their specifications.
Table 1. SNS comparison by size

| Parameter | SNS 3615 (small) | SNS 3655 (medium) | SNS 3695 (large) |
| --- | --- | --- | --- |
| Endpoints supported in a standalone installation | 10000 | 25000 | 50000 |
| Endpoints supported per PSN | 10000 | 25000 | 100000 |
| CPU (Intel Xeon 2.10 GHz) | 8 cores | 12 cores | 12 cores |
| RAM | 32 GB (2 x 16 GB) | 96 GB (6 x 16 GB) | 256 GB (16 x 16 GB) |
| HDD | 1 × 600 GB | 4 × 600 GB | 8 × 600 GB |
| Hardware RAID | None | RAID 10, RAID controller present | RAID 10, RAID controller present |
| Network interfaces | 2 × 10GBASE-T, 4 × 1GBASE-T | 2 × 10GBASE-T, 4 × 1GBASE-T | 2 × 10GBASE-T, 4 × 1GBASE-T |
For a virtual implementation, the supported hypervisors are VMware ESXi (VMware version 6.0 minimum, ESXi 11 recommended), Microsoft Hyper-V and Linux KVM (RHEL 7.0). The resources must be approximately the same as in the table above or higher. The minimum requirements for a small-business virtual machine, however, are: 2 CPUs with a frequency of 2.0 GHz or higher, 16 GB of RAM and a 200 GB HDD.

For other details of a Cisco ISE deployment, please contact us.
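As an added example (not part of the original article), the check below turns the node limits from the architecture section (at most two PANs and two MnT nodes, PSNs spread across segments) and the endpoint figures from Table 1 into a validator for a planned deployment. The node names, the sample plans and the assumption that per-PSN capacities simply add up in a distributed installation are mine, not the article's.

```python
from dataclasses import dataclass, field

# Endpoint capacities copied from Table 1 above: standalone installation
# versus per PSN in a distributed installation.
SNS_CAPACITY = {
    "SNS-3615": {"standalone": 10_000, "per_psn": 10_000},
    "SNS-3655": {"standalone": 25_000, "per_psn": 25_000},
    "SNS-3695": {"standalone": 50_000, "per_psn": 100_000},
}

@dataclass
class Node:
    name: str
    model: str                                   # SNS model (or equivalent VM size)
    personas: set = field(default_factory=set)  # subset of {"PAN", "PSN", "MnT", "PXG"}
    segment: str = "default"                     # network segment hosting the node

def validate_deployment(nodes, endpoints):
    """Return a list of findings; an empty list means the plan is consistent."""
    unknown = [n.name for n in nodes if n.model not in SNS_CAPACITY]
    if unknown:
        return [f"unknown SNS model on {', '.join(unknown)}"]
    findings = []
    count = lambda persona: sum(persona in n.personas for n in nodes)
    for persona in ("PAN", "MnT"):  # at most two of each, in active/standby mode
        if not 1 <= count(persona) <= 2:
            findings.append(f"{persona} count must be 1 or 2 (active/standby), got {count(persona)}")
        elif count(persona) == 1 and len(nodes) > 1:
            findings.append(f"single {persona}: no fault tolerance for this persona")
    psns = [n for n in nodes if "PSN" in n.personas]
    if not psns:
        findings.append("no PSN: no node evaluates and applies policy")
    if len(nodes) == 1:  # standalone: every persona on one server
        capacity = SNS_CAPACITY[nodes[0].model]["standalone"]
    else:  # distributed: assumption, the per-PSN figures are simply summed
        capacity = sum(SNS_CAPACITY[n.model]["per_psn"] for n in psns)
    if endpoints > capacity:
        findings.append(f"{endpoints} endpoints exceed the {capacity} supported")
    if len(psns) > 1 and len({n.segment for n in psns}) == 1:
        findings.append("all PSNs share one segment: losing it stops authentication")
    return findings

# Constructed sample plans (not taken from the article).
STANDALONE = [Node("ise-01", "SNS-3615", {"PAN", "PSN", "MnT"})]
DISTRIBUTED = [
    Node("pan-01", "SNS-3655", {"PAN", "MnT"}, "dc-a"),
    Node("pan-02", "SNS-3655", {"PAN", "MnT"}, "dc-b"),
    Node("psn-01", "SNS-3655", {"PSN"}, "dc-a"),
    Node("psn-02", "SNS-3655", {"PSN"}, "dc-b"),
]
```

Running `validate_deployment(STANDALONE, 12_000)` reports the capacity overrun of a single SNS-3615, while `validate_deployment(DISTRIBUTED, 40_000)` returns no findings.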
4. Installation

Like most other Cisco products, ISE can be tested in several ways:

- Cloud – a cloud service with pre-installed lab layouts (a Cisco account is required);
- GVE request – a request for specific software on the Cisco website (the route for partners). Create a case with the following general description: product type [ISE], ISE software [ise-2.7.0.356.SPA.x86_64], ISE patch [ise-patchbundle-2.7.0.356-Patch2-20071516.SPA.x86_64];
- Pilot project – contact an authorized partner to run a free pilot project.
1) After creating the virtual machine, if you requested an ISO file rather than an OVA template, a window appears prompting you to choose to install ISE. To do so, enter setup instead of a login and password.

Note: if ISE is deployed from an OVA template, the login details are admin / MyIseYPass2 (this and much more is stated in the official documentation).

Figure 2. Cisco ISE installation
2) Next, fill in the required fields: IP address, DNS, NTP and so on.

Figure 3. Cisco ISE initialization

3) After that the device reboots and can be reached through the web interface at the IP address specified earlier.

Figure 4. Cisco ISE web interface

4) In the Administration > System > Deployment tab you can select which nodes (entities) to enable on a given device. The PxGrid node is enabled here as well.

Figure 5. Cisco ISE entity management

5) Next, in the Administration > System > Admin Access > Authentication tab, it is recommended to configure the password policy, the authentication method (certificate or password), account lifetime and the other settings.
Figure 6. Authentication type settings
Figure 7. Password policy settings
Figure 8. Settings for disabling an account after its lifetime expires
Figure 9. Account lock settings
6) In the Administration > System > Admin Access > Administrators > Admin Users > Add tab you can create a new administrator.

Figure 10. Creating a local Cisco ISE administrator

7) A new administrator can be part of a new group or of a predefined group. Administrator groups are managed in the same panel, in the Admin Groups tab. Table 2 summarizes the ISE administrators with their permissions and roles.

Table 2. Cisco ISE administrator groups, access levels, permissions and restrictions
| Administrator group | Permissions | Restrictions |
| --- | --- | --- |
| Customization Admin | Configure, manage and customize the guest and sponsor portals | Cannot change policies or view reports |
| Helpdesk Admin | View the main dashboard, all reports, alarms and troubleshooting streams | Cannot change, create or delete reports, alarms or authentication logs |
| Identity Admin | Manage users, permissions and roles; view logs, reports and alarms | Cannot change policies or run tasks at the OS level |
| MnT Admin | Full monitoring, reports, alarms, logs and their management | Cannot change policies |
| Network Device Admin | Create and modify ISE objects; view logs, reports and the main dashboard | Cannot change policies or run tasks at the OS level |
| Policy Admin | Full management of all policies, profile changes, settings, viewing reports | Cannot configure credentials or ISE objects |
| RBAC Admin | All settings in the Operations tab, ANC policy settings, report management | Cannot change policies other than ANC or run tasks at the OS level |
| Super Admin | All settings, report creation and management; can delete and change the credentials of other administrators | Cannot change or delete another profile in the Super Admin group |
| System Admin | All settings in the Operations tab, management of system settings, ANC policies, viewing reports | Cannot change policies other than ANC or run tasks at the OS level |
| External RESTful Services (ERS) Admin | Full access to the Cisco ISE REST API | Intended only for authorization and management of local users, hosts and security groups (SG) |
| External RESTful Services (ERS) Operator | Read access to the Cisco ISE REST API | Intended only for authorization and management of local users, hosts and security groups (SG) |
Figure 11. Predefined Cisco ISE administrator groups

8) In the Authorization > Permissions > RBAC Policy tab you can edit the permissions of the predefined administrator profiles.

Figure 12. Managing the permissions of preset Cisco ISE administrator profiles

9) In the Administration > System > Settings tab all system settings are available (DNS, NTP, SMTP and so on). If you forgot to enter something during the initialization of the device, you can enter it here.
5. Conclusion

This concludes the first article. It covered the value of the Cisco ISE NAC solution, its architecture, minimum requirements and deployment options, and the initial installation.

In the next article we will look at creating accounts, integrating with Microsoft Active Directory and setting up guest access.

If you have questions on this topic or need help testing the product, please contact us.

Follow our channel for the latest news!

Source: habr.com