This article is one of the parts of the series "How to take control of your network infrastructure". The contents of and links to all the articles in the series can be found here.
This part is devoted to the campus (office) and remote access VPN segments.
Office network design may seem simple.
Indeed, we take L2/L3 switches and connect them to each other. Then we do the basic setup of VLANs and default gateways, set up simple routing, connect the WiFi controllers and access points, install and configure an ASA for remote access, and we are happy that everything works. In principle, as I already wrote earlier, the more you learn, the less simple this work turns out to be. To me personally this topic, the topic of office network design, does not seem simple at all, and in this article I will try to explain why.
In short, there are quite a few factors to take into account. These factors often contradict each other, so a reasonable compromise has to be found.
This uncertainty is the main difficulty. Speaking of security, we have a triangle with three vertices: security, employee convenience, and the price of the solution. And every time we have to look for a compromise between these three.
Architecture
As an example of the architecture of these two segments, as in the previous articles, you can start from the following:
This is a rather old document. I present it here because the basic schemes and approaches have not changed, and at the same time I like its presentation better.
I am not encouraging you to use Cisco solutions, but I think it is useful to study this design carefully.
As usual, this article does not claim to be complete; it is an addition to that information.
At the end of the article I will analyze the Cisco SAFE office design in terms of the concepts outlined here.
General principles
The design of an office network must, naturally, satisfy the general requirements discussed earlier:
- scalability
- manageability (ease of use)
- availability
Much of what was discussed earlier applies here as well.
However, the office segment has its own specifics that are important from a security point of view. The essence of these specifics is that this segment is created to provide network services to the company's employees (as well as partners and guests), and consequently, looking at the problem at the highest level, we have two tasks:
- protect the company's resources from malicious actions by employees (guests, partners) and by the software they use. This also includes protection against unauthorized connection to the network.
- protect systems and user data
And this is only one side of the problem (and one vertex of the triangle). The other two are user convenience and the price of the solutions used.
First, let's look at what users expect from a modern office network.
Conveniences
In my opinion, the "network conveniences" for an office user are the following:
- mobility
- the ability to use all familiar devices and operating systems
- easy access to all necessary company resources
- availability of internet resources, including various cloud services
- the "speed" of the network
All of this applies both to employees and to guests (or partners), and it is the job of the company's engineers to differentiate access for the various user groups based on authorization.
Let's look at each of these aspects in a little more detail.
Mobility
We are talking about the ability to work and use all necessary company resources from anywhere in the world (provided, of course, that internet access is available).
This fully applies to the office as well. It is convenient to have the opportunity to continue working from anywhere in the office: receiving mail, communicating in the corporate messenger, video calls, and so on. On the one hand, some problems require "live" communication (for example, taking part in a meeting); on the other hand, you need to stay online, keep up with the latest information, and quickly resolve urgent, high-priority tasks. This is very convenient and significantly improves the quality of communication.
This is achieved by proper WiFi network design.
Note:
Here the question usually arises: is it enough to use only WiFi? Does this mean that Ethernet ports in the office can be done away with? If we are talking only about users, and not about servers, for which it is still reasonable to connect to a regular Ethernet port, then in general the answer is: yes, you can limit yourself to Wi-Fi only. But there are nuances.
There are important user groups that require a different approach. These are, of course, the administrators. As a rule, a WiFi connection is less reliable (in terms of traffic loss) and slower than a regular Ethernet port. This can be significant for administrators. In addition, network administrators can, in principle, have their own dedicated Ethernet network for out-of-band connections.
There may be other groups/departments in the company for which these factors are also important.
There is one more important point: telephony. Perhaps, for some reason, you do not want to use wireless VoIP and want to use IP phones with a regular Ethernet connection.
In general, the companies I worked for had both WiFi connectivity and Ethernet ports.
I would like mobility not to be limited to the office alone.
To make it possible to work from home (or from any other place with internet access), a VPN connection is used. At the same time, it is desirable that employees do not feel the difference between working in the office and working remotely, which presupposes the same access. How to organize this is discussed a little later, in the chapter "Unified centralized authentication and authorization system".
Note:
Most likely, you will not be able to fully provide the same quality of service for remote work as in the office. Suppose you use a Cisco ASA 5520 as your VPN gateway. According to the datasheet, this device can "digest" only 225 Mbit of VPN traffic. That is, in terms of bandwidth, a connection via VPN is very different from working in the office. Also, if for some reason latency, loss and jitter are significant for your network services (for example, if you use office IP telephony), you will not get the same quality as in the office either. Therefore, when talking about mobility, we need to be aware of the possible limitations.
Easy access to all company resources
This task has to be solved together with other technical departments.
The ideal situation is when the user has to authenticate only once, after which they have access to all the resources they need.
Providing easy access without sacrificing security significantly increases productivity and reduces stress for your colleagues.
Note 1
Ease of access is not only about how many times you have to enter a password. If, for example, according to the security policy, to connect from the office to the data center you first have to connect to the VPN gateway, and at the same time lose access to the office resources, this is very, very inconvenient.
Note 2
There are usually services that use their own dedicated AAA server (for example, access to network equipment), and in that case it is normal to have to authenticate several times.
Availability of internet resources
The internet is not only entertainment; it also provides services that are useful for work. There is also a purely psychological factor. A modern person is connected to other people through many virtual threads via the internet, and I see nothing wrong with continuing to feel this connection while working.
From the point of view of wasting time, there is nothing wrong if an employee, for example, has Skype running and spends 5 minutes communicating with a loved one when necessary.
Does this mean that the internet must always be available? Does it mean that employees can access all resources and there is no way to control them?
Of course not. The level of openness of the internet varies from company to company, from completely closed to completely open. Ways of controlling traffic are discussed later, in the section on security measures.
The ability to use all familiar devices
It is convenient when, for example, you have the opportunity to keep using all the means of communication you are used to at work. There is nothing technically difficult in implementing this. For this you need Wi-Fi and a guest WLAN.
It is also good to have the opportunity to use the operating system you are used to. But, from my observation, this is usually allowed only for managers, administrators and developers.
Example
Of course, you can go down the path of prohibitions: prohibit remote access, prohibit connecting from mobile devices, restrict everything to static Ethernet connections, restrict access to the internet, confiscate mobile phones and gadgets at the checkpoint... and so on. In fact, in some organizations with heightened security requirements this may well be justified, but you have to agree that it looks like an attempt to stop progress within a single organization. Of course, we would like to combine the opportunities provided by modern technology with a sufficient level of security.
The "speed" of the network
Technically, data transfer speed is made up of many factors. And the speed of the connection port is usually not the most important of them. Slow application behavior is not always related to network problems, but for now we will only look at the network part. The most common problem with local network "slowdown" is packet loss. This usually happens when there is a bottleneck or an L1 (OSI) problem. More rarely, with some designs (for example, when the default gateway of a subnet is a firewall and thus all traffic passes through it), the hardware performance may be insufficient.
Therefore, when choosing equipment and architecture, you need to correlate the speed of the end ports, the trunks, and the performance of the equipment.
Example
Suppose you use switches with 1 Gigabit ports as access layer switches. They are connected to each other via a 2 x 10 Gigabit Etherchannel. As the default gateway you use a firewall with Gigabit ports, and to connect it to the L2 office network you use 2 Gigabit ports combined into an EtherChannel.
This architecture is very convenient from a functionality point of view. All traffic passes through the firewall, so you can comfortably manage access policies and apply complex algorithms to control traffic and prevent possible attacks (see below). But from a throughput and performance point of view, this design has a potential problem. For example, if 2 hosts (with 1 Gigabit port speed) download data, they can fully load the 2 Gigabit connection to the firewall, which can lead to degradation of service for the entire office segment.
We have looked at one vertex of the triangle; now let's look at how to ensure security.
Protection measures
So, naturally, our desire (or rather the desire of our management) is usually to achieve the impossible: to provide maximum convenience with maximum security and minimum cost.
Let's see what methods we have to provide protection.
For the office, I would highlight the following:
- zero trust design approach
- high level of protection
- network visibility
- unified centralized authentication and authorization system
- host checking
Next, we will discuss each of these aspects in a little more detail.
Zero trust
The IT world is changing very quickly. Over the last 10 years or so, the emergence of new technologies and products has led to a major revision of security concepts. Back then, from a security point of view, we divided the network into trust, dmz and untrust zones and used so-called "perimeter protection", with two lines of defense: untrust -> dmz and dmz -> trust. Protection was also usually limited to access lists based on L3/L4 (OSI) headers (IP, TCP/UDP ports, TCP flags). Everything related to the higher layers, including L7, was left to the OS and the security products installed on the end hosts.
Now the situation has changed dramatically. The modern concept has to take into account that, in addition to the internet connection, we have:
- remote access VPN users
- all sorts of personal gadgets and brought-in laptops connected via the office WiFi
- other offices (branches)
- integration with cloud infrastructure
What does the zero trust approach look like in practice?
Ideally, only the traffic that is really needed should be allowed and, if we are talking about the ideal, control should be exercised not only at the L3/L4 level but also at the application level.
If, for example, you have the ability to pass all traffic through a firewall, you can get close to this ideal. But this approach can significantly reduce the total bandwidth of your network, and besides, filtering by application does not always work well.
When controlling traffic on a router or L3 switch (using standard ACLs), we face the following problems:
- it is L3/L4 filtering only. Nothing prevents an attacker from using an allowed port (for example TCP 80) for their own application (not http)
- complex ACL management (ACLs are hard to parse)
- it is not a stateful firewall, so return traffic must be allowed explicitly
- with switches you are usually quite strictly limited by the size of the TCAM, which can quickly become a problem if you take the "allow only what is needed" approach
Note:
Speaking of return traffic, we must remember that there is the following option (Cisco):
permit tcp any any established
But it must be understood that this line is equivalent to the following two lines:
permit tcp any any ack
permit tcp any any rst
That is, even if there was no initial TCP segment with the SYN flag (i.e., the TCP session was never set up), this ACL allows packets with the ACK flag set, and an attacker can use this to transfer data.
In other words, this line does not make a router or L3 switch a stateful firewall.
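The difference between the stateless "established" keyword and real connection tracking, as an added example that is not part of the original article: a small Python model in which one function applies the ACL semantics above (ACK or RST bit set) and a simplified stateful tracker admits non-SYN segments only for a flow that began with an accepted SYN. The addresses, ports and the inbound policy are constructed for the demonstration.

```python
# Added example, not from the original article: stateless "established"
# matching versus simplified stateful connection tracking.
from dataclasses import dataclass
from typing import Callable, Set, Tuple

FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST", "FIN"}


def acl_established_permits(pkt: Packet) -> bool:
    """'permit tcp any any established' looks only at the TCP flags of the
    packet in hand: it matches when ACK or RST is set. It is the same as the
    two entries 'permit tcp any any ack' + 'permit tcp any any rst'."""
    return bool(pkt.flags & {"ACK", "RST"})


class StatefulTracker:
    """Minimal stateful firewall model: a flow exists only after a SYN from
    the initiator was accepted by the policy; any later segment must belong
    to a known flow in either direction, whatever its flags say."""

    def __init__(self, policy: Callable[[Packet], bool]) -> None:
        self.policy = policy
        self.flows: Set[FlowKey] = set()

    def permits(self, pkt: Packet) -> bool:
        fwd: FlowKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: FlowKey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == {"SYN"}:          # connection attempt: ask the policy
            if self.policy(pkt):
                self.flows.add(fwd)
                return True
            return False
        return fwd in self.flows or rev in self.flows


def inbound_policy(pkt: Packet) -> bool:
    """Constructed policy: new connections may only go to the internal web
    server 10.0.0.10 on port 80 (RFC 5737/1918 addresses, made up here)."""
    return pkt.dst == "10.0.0.10" and pkt.dport == 80


def evaluate_crafted_ack() -> Tuple[bool, bool]:
    """An outside host sends an ACK-only segment to an internal host on a port
    the policy never allowed, with no SYN beforehand. Returns
    (ACL 'established' verdict, stateful verdict)."""
    tracker = StatefulTracker(inbound_policy)
    crafted = Packet("203.0.113.5", "10.0.0.20", 40000, 445, frozenset({"ACK"}))
    return acl_established_permits(crafted), tracker.permits(crafted)


def evaluate_legit_reply() -> Tuple[bool, bool]:
    """A client opens a permitted connection; the server's SYN-ACK reply is
    then checked by both mechanisms."""
    tracker = StatefulTracker(inbound_policy)
    syn = Packet("198.51.100.7", "10.0.0.10", 51000, 80, frozenset({"SYN"}))
    tracker.permits(syn)  # accepted by the policy, flow is recorded
    reply = Packet("10.0.0.10", "198.51.100.7", 80, 51000, frozenset({"SYN", "ACK"}))
    return acl_established_permits(reply), tracker.permits(reply)
```

The crafted ACK is accepted by the stateless entry and rejected by the tracker, while the legitimate reply is accepted by both.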
High level of protection
In the data center part, the following protection methods were considered:
- stateful firewall (by default)
- DDOS/DOS protection
- application firewall
- threat prevention (antivirus, anti-spyware, vulnerability protection)
- URL filtering
- data filtering (content filtering)
- file blocking (blocking by file type)
For the office the situation is similar, but the priorities are somewhat different. Office availability is usually not as critical as in the data center, while the probability of "internal" malicious traffic is orders of magnitude higher.
Therefore, the following protection methods become critical for this segment:
- application firewall
- threat prevention (antivirus, anti-spyware, vulnerability protection)
- URL filtering
- data filtering (content filtering)
- file blocking (blocking by file type)
Although all of these protection methods, except for the application firewall, have traditionally been handled on the end hosts (for example, by installing antivirus programs) and with proxies, modern NGFWs also provide these services.
Security equipment vendors strive to build comprehensive protection, so in addition to local protection they offer various cloud technologies and client software for hosts (endpoint protection/EPP). So, for example, from
Enabling these protections on the firewall (which usually means buying a license) is of course not mandatory (you can go the traditional way), but it has several advantages:
- in this case there is a single point of application of the protection methods, which improves visibility (see the next topic)
- if there is an unprotected device on the network, it still falls under the "umbrella" of the firewall's protection
- using firewall protection together with end-host protection increases the probability of detecting malicious traffic. For example, using threat prevention on both the local hosts and the firewall increases the probability of detection (provided, of course, that these solutions are based on different software products)
Note:
If, for example, you use Kaspersky as the antivirus on both the firewall and the end hosts, this will of course not greatly increase your chances of preventing a virus attack on your network.
Network visibility
I would divide visibility into two groups:
Group 1: what a monitoring system usually provides
- equipment load
- link load
- memory usage
- disk usage
- routing table changes
- link status
- availability of equipment (or hosts)
- ...
Group 2: security-related information
- various kinds of statistics (by application, by URL traffic, types of downloaded data, user data, etc.)
- what was blocked by the security policies and for what reason:
  - prohibited application
  - prohibited based on IP/protocol/port/flags/zones
  - threat prevention
  - URL filtering
  - data filtering
  - file blocking
  - ...
- statistics on DOS/DDOS attacks
- failed identification and authorization attempts
- statistics on all of the above security policy violation events
- ...
In this chapter on security, we are interested in the second part.
Some modern firewalls (from my Palo Alto experience) provide a good level of visibility. But, of course, the traffic of interest must either pass through this firewall (in which case it can be blocked) or be mirrored to the firewall (used only for monitoring and analysis), and you need the licenses to enable all of these services.
Of course, there is an alternative, the traditional way, for example:
- session statistics can be collected via netflow, and special utilities can be used for analysis and data visualization
- threat prevention: special programs on the end hosts (antivirus, anti-spyware, firewall)
- URL filtering, data filtering, file blocking: on a proxy
- you can also analyze a tcpdump, for example with snort
These two approaches can be combined, complementing the missing features or duplicating them, to increase the probability of detecting an attack.
Which approach should you choose?
It depends heavily on the qualifications and preferences of your team.
Both have their advantages and disadvantages.
Unified centralized authentication and authorization system
Mobility, as described in this article, when properly designed, presupposes the same access whether you work from the office, from home, from an airport, from a coffee shop or from anywhere else (with the limitations discussed above). What is the problem?
To better understand the complexity of this task, let's look at a typical design.
Example
- You have divided all employees into groups. You decided to grant access by group.
- Inside the office you control access on the office firewall.
- Traffic from the office to the data center is controlled on the data center firewall.
- You use a Cisco ASA as the VPN gateway, and to control the traffic entering your network from remote clients you use local (on the ASA) ACLs.
Now suppose you are asked to add additional access for a particular employee. You are asked to add this access only for him and not for the other users in his group.
To do this you have to create a separate group for this employee, i.e.:
- create a separate IP pool on the ASA for this employee
- add a new ACL on the ASA and bind it to this remote client
- create new security policies on the office and data center firewalls
It is fine if this event is rare. But in my practice there was a situation where employees took part in various projects, for some employees this set of projects changed frequently, and there were not 1 or 2 such employees but dozens. Of course, something had to change here.
This was solved as follows.
We decided that LDAP would be the single source of truth that determines all employee access. We created all kinds of groups that define sets of access, and assigned each user to one or more groups.
For example, suppose there are groups:
- guest (internet access)
- common access (access to shared resources: mail, knowledge base, etc.)
- accounting
- project 1
- project 2
- database administrators
- Linux administrators
- ...
And if one of the employees is involved in both project 1 and project 2 and needs the access required to work on these projects, then that employee is assigned to the following groups:
- guest
- common access
- project 1
- project 2
How do we turn this information into access on the network equipment?
The Cisco ASA Dynamic Access Policy (DAP) solution (see www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html) fits this task perfectly. Briefly about the implementation: during identification/authorization, the ASA receives from LDAP the set of groups corresponding to the given user and "collects" a dynamic ACL, containing all the necessary access, from several local ACLs (each corresponding to a group). This fully matches our wishes.
But this only applies to VPN connections. To make the situation the same for employees connecting via VPN and for employees in the office, the following step was taken.
When connecting from the office, users of the 802.1x protocol ended up either in the guest LAN (for guests) or in the shared LAN (for company employees). Further, to obtain specific access (for example, to projects in the data center), employees had to connect via VPN.
Different tunnel groups were used on the ASA for connecting from the office and from home. This is necessary so that the traffic of users connecting from the office to shared resources (used by all employees: mail, file servers, ticketing system, DNS, etc.) goes through the local network and not through the ASA. Thus we did not load the ASA with unnecessary traffic, including high-volume traffic.
Thus the problem was solved.
We got:
- the same set of access both for connections from the office and for remote connections
- no service degradation when working from the office associated with pushing high-volume traffic through the ASA
What other advantages does this approach have?
In access administration. Access can be easily changed in one place.
For example, if an employee leaves the company, you simply remove them from LDAP and they automatically lose all access.
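The group-based scheme described in this section (LDAP as the single source of truth, one local ACL per group, the effective ACL assembled per user at login, one extra group for a single employee, and offboarding by removing the LDAP entry), as an added example that is not part of the original article and is not Cisco's DAP code: a small Python model that assembles the dynamic ACL the same way and evaluates flows against it with default deny. Group names, users, subnets and ports are constructed stand-ins.

```python
# Added example, not from the original article or Cisco: a model of
# assembling a per-user dynamic ACL from LDAP group membership.
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, int]  # (protocol, destination network, destination port)

# One local ACL per LDAP group. Networks and ports are constructed.
GROUP_ACLS: Dict[str, List[Rule]] = {
    "guest":         [("tcp", "0.0.0.0/0", 80), ("tcp", "0.0.0.0/0", 443)],
    "common-access": [("tcp", "10.10.0.0/24", 443), ("tcp", "10.10.0.0/24", 993)],
    "project1":      [("tcp", "10.20.1.0/24", 22), ("tcp", "10.20.1.0/24", 8443)],
    "project2":      [("tcp", "10.20.2.0/24", 5432)],
    "linux-admins":  [("tcp", "10.0.0.0/8", 22)],
}

# Stand-in for the LDAP directory: user -> groups. Constructed sample data.
LDAP: Dict[str, Set[str]] = {
    "alice": {"guest", "common-access", "project1", "project2"},
    "bob":   {"guest", "common-access", "linux-admins"},
}


def dynamic_acl(user: str) -> List[Rule]:
    """Collect the user's effective ACL as the union of the ACLs of every
    group LDAP reports for them. Unknown user -> empty ACL -> no access."""
    rules: List[Rule] = []
    for group in sorted(LDAP.get(user, set())):
        rules.extend(GROUP_ACLS.get(group, []))
    return rules


def permitted(user: str, proto: str, dst: str, port: int) -> bool:
    """Default deny: the flow is allowed only if some rule in the user's
    dynamic ACL matches protocol, destination network and port."""
    target = ip_address(dst)
    return any(
        proto == r_proto and port == r_port and target in ip_network(net)
        for r_proto, net, r_port in dynamic_acl(user)
    )


def grant_extra_access(user: str, group: str, rules: List[Rule]) -> None:
    """The 'one more access for one employee' case from the text: define a
    new group with its own ACL and put only that user into it. Nothing on
    the firewall side has to change per user."""
    GROUP_ACLS[group] = rules
    LDAP.setdefault(user, set()).add(group)


def offboard(user: str) -> bool:
    """Leaving employee: one change in LDAP revokes every access."""
    return LDAP.pop(user, None) is not None
```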
Host checking
With the possibility of remote connection, we risk letting into the network not only the company's employees, but also all the malicious software that is quite likely to be present on their computers (at home, for example), and that software may be giving an attacker access to our network, using that host as a proxy.
It makes sense to apply the same security requirements to remotely connected hosts as to the hosts in the office.
This presupposes the "correct" versions of the OS, antivirus, anti-spyware and firewall software, and of updates. Usually this capability exists on the VPN gateway (for the ASA see, for example, here).
It is also wise to apply the same traffic analysis and blocking techniques (see "High level of protection") that your security policy applies to office traffic.
It is reasonable to assume that your office network is no longer limited to the office building and the hosts inside it.
Example
A good technique is to provide each employee who needs remote access with a good, convenient laptop and require them to work only from that laptop, both in the office and at home.
This not only improves network security but is also very convenient, and employees usually look on it favorably (if it really is a good, user-friendly laptop).
On a sense of proportion and balance
Essentially, this is a conversation about the third vertex of the triangle: price.
Let's look at a hypothetical example.
Example
You have an office for 200 people. You decided to make it as convenient and secure as possible.
So you decided that all traffic must pass through the firewall and, accordingly, that the firewall is the default gateway for all office subnets. In addition to the security software installed on each end host (antivirus, anti-spyware and firewall software), you decided to apply all possible protection methods on the firewall.
To ensure high connection speeds (all for the sake of convenience), you chose switches with 10 Gigabit access ports as access switches, and a high-performance NGFW as the firewall, for example the Palo Alto 7K series (with 40 Gigabit ports), naturally with all licenses and, of course, as a high-availability pair.
Also, of course, operating this set of equipment requires highly qualified security engineers.
Next, you decided to give each employee a good laptop.
In total, about 10 million dollars for implementation and several hundred thousand dollars (closer to a million, I think) per year for support and engineers' salaries.
An office of 200 people...
Convenient? I think so. You bring this proposal to management...
Probably there are many companies in the world where this is an acceptable and correct solution. If you are an employee of such a company, congratulations. But in the vast majority of cases your knowledge will not be appreciated by management.
Is this example exaggerated? The next chapter will answer that question.
If you do not see any of the above on your network, that is the norm.
In each specific case you have to find your own reasonable compromise between convenience, price and security. Often the office does not even need an NGFW, and L7 protection on the firewall is not required. It is enough to provide an adequate level of visibility and alerting, and that can be achieved, for example, with open-source products. Yes, the reaction to an attack will not be immediate, but the main thing is that you will see it, and if the right processes are in place in your department, it can be neutralized quickly.
And remember that, according to the concept of this series of articles, you are not designing a network but only trying to improve what you have been given.
SAFE analysis of the office architecture
Pay attention to the red rectangle, with which I have marked a place on the diagram.
This is one of the key places of the architecture and one of the most important uncertainties.
Note:
I have never set up or worked with FirePower (Cisco's firewall line; only with the ASA), so I will treat it like any other firewall, for example Juniper SRX or Palo Alto, assuming it has the same capabilities.
Of the usual designs, I see only 4 possible options for using a firewall with this connection:
- the default gateway for each subnet is the switch, while the firewall is in transparent mode (i.e., all traffic passes through it, but it does not form an L3 hop)
- the default gateway for each subnet is a firewall sub-interface (or SVI interface), and the switch plays an L2 role
- different VRFs are used on the switch, traffic between VRFs passes through the firewall, and traffic within a single VRF is controlled by ACLs on the switch
- all traffic is mirrored to the firewall for analysis and monitoring; traffic does not pass through the firewall
Note 1
Combinations of these options are possible, but for simplicity we will not consider them.
Note 2
There is also the option of using PBR (service chain architecture), but for now this is, in my opinion, not an elegant solution, although it is possible, so I will not consider it here.
From the description of the flows in this document we can see that traffic still passes through the firewall, i.e., in accordance with the Cisco design, the fourth option is eliminated.
Let's look first at the first two options.
With these options, all traffic passes through the firewall.
Now let's look.
Note:
When we talk about total bandwidth, we mean traffic between subnets (not within a single VLAN).
From the GPL we can see that the price of an HA bundle with Threat Defense ranges from approximately 0.5 to 2.5 million dollars, depending on the model (4110 to 4150).
That is, our design starts to resemble the previous example.
Does this mean that this design is wrong?
No, it does not. Cisco offers you the best possible protection based on its product line. But that does not mean it is a must-have for you.
Essentially, this is the usual question that arises when designing an office or a data center, and it only means that a compromise has to be found.
For example, do not let all traffic pass through the firewall; in that case option 3 looks very good to me. Or (see the previous section) perhaps you do not need threat prevention, or you do not need a firewall at all, or you should limit yourself to monitoring via mirroring, using an inexpensive (rather than expensive) or open-source solution, or a firewall from a different vendor.
Usually this uncertainty is always present, and there is no clear answer as to which decision is best for you.
This is the complexity and the beauty of this task.
Source: habr.com