2. UserGate Getting Started. Requirements, installation


Hello, this is the second article about the NGFW solution from UserGate. The aim of this article is to show how to install the UserGate firewall on a virtual machine (I will use VMware Workstation) and to perform its initial configuration (allow access from your local network through the UserGate gateway to the Internet).

1. Getting started

To begin with, I will describe the different ways this gateway can be deployed in a network. Note that, depending on the chosen deployment option, some of the gateway's functions may be unavailable. The UserGate solution supports the following deployment options:

  • L3-L7 firewall

  • L2 transparent bridge

  • L3 transparent bridge

  • Near-inline deployment using the WCCP protocol

  • Near-inline deployment using Policy Based Routing

  • Router on a stick

  • Explicit web proxy

  • UserGate as the default gateway

  • Monitoring on a mirror port

UserGate supports two types of clusters:

  1. Configuration cluster. Nodes combined into a configuration cluster keep identical settings across the whole cluster.

  2. Failover cluster. Up to 4 configuration cluster nodes can be combined into a failover cluster operating in Active-Active or Active-Passive mode. Several failover clusters can be assembled.

2. Installation

As described in the previous article, UserGate is delivered either as a hardware and software appliance or as a virtual appliance. From your account on the UserGate website, download the image in OVF (Open Virtualization Format); this format is suitable for VMware and Oracle VirtualBox. For Microsoft Hyper-V and KVM, virtual disk images are provided.

According to the UserGate website, for the virtual machine to work correctly it is recommended to use at least 8 GB of RAM and a 2-core virtual processor. The hypervisor must support 64-bit operating systems.

Installation begins by importing the image into the chosen hypervisor (VirtualBox or VMware). In the case of Microsoft Hyper-V and KVM, you create a virtual machine, specify the downloaded image as its disk, and then disable the integration services on the created machine.

After import into VMware, the virtual machine is created with the default settings from the OVF template.


As noted above, there must be at least 8 GB of RAM, and on top of that you should add 1 GB for every 100 users. The default hard disk size is 100 GB, but this is often not enough to store all the logs and settings; the recommended size is 300 GB or more. So in the virtual machine properties we change the disk size to the value we need. Out of the box, the UserGate UTM comes with four interfaces assigned to zones:

Management is the first interface of the virtual machine, connected to the trusted network from which UserGate management is allowed.

Trusted is the second interface of the virtual machine, connected to trusted networks, for example the LAN.

Untrusted is the third interface of the virtual machine, connected to untrusted networks, for example the Internet.

DMZ is the fourth interface of the virtual machine, connected to the DMZ network.

Next we start the virtual machine. The manual says you need to select Support Tools and perform a Factory reset UTM, but as you can see there is only one option (UTM First Boot). At this step the UTM configures the network adapters and expands the hard disk partition to the full size of the disk.


To connect to the UserGate web interface you need to be in the Management zone; this is the role of the eth0 interface, which is configured to obtain an IP address automatically (DHCP). If it is not possible to assign an address to the Management interface via DHCP, it can be set explicitly from the CLI (Command Line Interface). To do this, log in to the CLI with a login and password that have Administrator rights (by default Admin, with a capital letter). If the UserGate appliance has not been initialized yet, use Admin as the login and utm as the password to access the CLI. Then enter a command of the form iface config -name eth0 -ipv4 192.168.1.254/24 -enable true -mode static. After that, open the UserGate web console at the address you specified; the URL should look like https://UserGateIPaddress:8001.


In the web console we continue the installation: select the interface language (currently Russian or English) and the time zone, then read and accept the license agreement. Finally, set the login and password for the web management interface.

3. Configuration

After installation, the management platform window looks like this.


Next you need to configure the network interfaces. To do this, in the "Interfaces" section enable them, set the correct IP addresses and assign the appropriate zones.

The "Interfaces" section displays all physical and virtual interfaces present in the system, lets you change their settings and add VLAN interfaces. It also shows the interfaces of every cluster node. Interface settings are local to each node, that is, they are not global.

In the interface settings you can:

  • Enable or disable the interface

  • Specify the interface type: Layer 3 or Mirror

  • Assign a zone to the interface

  • Assign a Netflow profile for sending statistics to a Netflow collector

  • Change the physical parameters of the interface: MAC address and MTU size

  • Select the IP address type: no address, a static IP address, or an address obtained via DHCP

  • Configure DHCP relay on the selected interface.

The "Add" button lets you add the following interface types:

  • VLAN

  • Bond

  • Bridge

  • PPPoE

  • VPN

  • Tunnel


In addition to the zones already described that the UserGate image ships with, there are three more predefined zones:

Cluster is the zone for the interfaces used by the cluster

Site-to-Site VPN is the zone in which all Office-Office clients connected to UserGate via VPN are placed

Remote access VPN is the zone that contains all mobile users connected to UserGate via VPN

UserGate administrators can change the settings of the default zones and create additional ones, but, as stated in the version 5 documentation, at most 15 zones can be created. To edit or create zones, go to the Zones section. For each zone you can configure flood protection; SYN, UDP and ICMP are supported. Access control to UserGate services is also configured per zone, and anti-spoofing protection is enabled there.


After configuring the interfaces, you need to set the default route in the "Gateways" section. That is, for UserGate to connect to the Internet, you must specify the IP address of one or more gateways. If you use several providers to connect to the Internet, specify several gateways. Gateway configuration is separate for each cluster node. If two or more gateways are specified, two options are possible:

  1. Traffic balancing between the gateways.

  2. A primary gateway with failover.

The gateway status (available shown in green, unavailable in red) is determined as follows:

  1. Network check disabled: the gateway is considered available if UserGate can obtain its MAC address with an ARP request. No check of Internet access through this gateway is made. If the gateway's MAC address cannot be determined, the gateway is considered unavailable.

  2. Network check enabled: the gateway is considered available if:

  • UserGate can obtain its MAC address with an ARP request, and

  • the Internet access check through this gateway completes successfully.

Otherwise the gateway is considered unavailable.
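The two availability rules and the two multi-gateway options above are easy to get wrong in practice, so here is a small model of them as an added example. This is not UserGate code: it reproduces the logic the article describes, the ARP and Internet-reachability probes are replaced by constructed results so it runs offline, and treating list order as the primary-first preference for failover is an assumption of the example rather than a UserGate setting.

```python
"""Gateway availability and selection as described above.

Added example, not UserGate code. It models the two availability rules from
the article (ARP-only vs. ARP plus Internet check) and the two multi-gateway
options (balancing, primary with failover). Probe results are constructed
inputs standing in for a real ARP request and a real reachability test.
"""
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    ip: str
    # Constructed probe outcomes (a real implementation would send an ARP
    # request and then test Internet reachability through this gateway).
    arp_resolves: bool = True
    internet_ok: bool = True


def gateway_available(gw: Gateway, network_check: bool) -> bool:
    """Network check disabled: available iff ARP resolves the gateway MAC.
    Network check enabled: available iff ARP resolves AND the Internet
    access check through this gateway succeeds."""
    if not gw.arp_resolves:
        return False
    return gw.internet_ok if network_check else True


def gateway_status(gateways, network_check: bool) -> dict:
    """Map gateway name to the console colour: green = available, red = not."""
    return {gw.name: "green" if gateway_available(gw, network_check) else "red"
            for gw in gateways}


def select_gateways(gateways, network_check: bool, mode: str) -> list:
    """Return the names of the gateways that will carry traffic.

    mode 'balance'  : all available gateways share the traffic.
    mode 'failover' : the first available gateway in list order; using list
                      order as the primary-first preference is an assumption
                      of this example, not a UserGate setting.
    """
    available = [gw.name for gw in gateways
                 if gateway_available(gw, network_check)]
    if mode == "balance":
        return available
    if mode == "failover":
        return available[:1]
    raise ValueError(f"unknown mode: {mode!r}")


# Constructed scenario: ISP1's router answers ARP but its uplink is down,
# ISP2 is fully working, ISP3's router is unreachable at layer 2.
SAMPLE_GATEWAYS = [
    Gateway("isp1", "192.0.2.1", arp_resolves=True, internet_ok=False),
    Gateway("isp2", "198.51.100.1", arp_resolves=True, internet_ok=True),
    Gateway("isp3", "203.0.113.1", arp_resolves=False, internet_ok=False),
]

if __name__ == "__main__":
    for check in (False, True):
        print(f"network check {'enabled' if check else 'disabled'}:",
              gateway_status(SAMPLE_GATEWAYS, check),
              "failover ->", select_gateways(SAMPLE_GATEWAYS, check, "failover"))
```

The scenario shows why the network check matters: with it disabled, isp1 is green and stays the primary gateway even though nothing behind it reaches the Internet, so user traffic is black-holed; with it enabled, isp1 turns red and failover moves to isp2.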


In the "DNS" section you need to add the DNS servers that UserGate itself will use. These settings are specified under System DNS Servers. Below them are the settings that control DNS requests from users. UserGate allows you to use a DNS proxy. The DNS proxy service receives DNS requests from users and modifies them according to the administrator's needs. DNS proxy rules can be used to specify the DNS servers to which requests for particular domains are forwarded. In addition, with the DNS proxy you can define static host records (A records).
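To make the DNS proxy behaviour concrete, the following added example (not UserGate code) models the decision the paragraph describes: a query is answered from a static A record if one exists, otherwise forwarded to the servers of a matching domain rule, otherwise to the system DNS servers. Letting the most specific (longest) matching domain win between rules, and the record, rule and server values themselves, are assumptions of this example; the article does not state UserGate's exact precedence.

```python
"""DNS proxy decision logic as described above (added example, not UserGate code).

It shows how a DNS proxy can answer a query from a static host record, forward
it to the servers named in a matching domain rule, or fall back to the system
DNS servers. Longest-matching-domain precedence between rules is an assumption
of this example.
"""
from typing import Dict, Sequence, Tuple


def _normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Host.Example.Corp.' matches."""
    return name.strip().rstrip(".").lower()


def _domain_matches(query: str, domain: str) -> bool:
    """True if query is the domain itself or a subdomain of it (label boundary
    enforced, so 'notexample.corp' does not match 'example.corp')."""
    return query == domain or query.endswith("." + domain)


def resolve_decision(query: str,
                     static_records: Dict[str, str],
                     rules: Sequence[Tuple[Sequence[str], Sequence[str]]],
                     system_servers: Sequence[str]) -> Tuple[str, object]:
    """Decide how a user's DNS query is handled.

    Returns ('static', ip) when a static A record exists, otherwise
    ('forward', [servers]) naming the upstreams the query goes to.
    rules: sequence of (domains, servers) pairs, as in DNS proxy rules.
    """
    q = _normalize(query)
    if q in static_records:
        return "static", static_records[q]
    best_len, best_servers = -1, None
    for domains, servers in rules:
        for dom in domains:
            d = _normalize(dom)
            if _domain_matches(q, d) and len(d) > best_len:
                best_len, best_servers = len(d), list(servers)
    if best_servers is not None:
        return "forward", best_servers
    return "forward", list(system_servers)


# Constructed configuration (names and addresses are illustrative only).
STATIC_RECORDS = {"intranet.example.corp": "10.0.0.10"}
DNS_RULES = [
    (["example.corp"], ["10.0.0.53"]),        # corporate domain -> internal DNS
    (["lab.example.corp"], ["10.0.50.53"]),   # more specific lab sub-zone
]
SYSTEM_DNS = ["8.8.8.8", "8.8.4.4"]          # System DNS Servers (constructed)


if __name__ == "__main__":
    for name in ("intranet.example.corp", "dc1.example.corp",
                 "host.lab.example.corp", "habr.com"):
        print(name, "->", resolve_decision(name, STATIC_RECORDS, DNS_RULES, SYSTEM_DNS))
```

The label-boundary check in _domain_matches is the part worth copying: a plain suffix test would send queries for an attacker-registered notexample.corp to the internal resolver meant for example.corp.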


In the "NAT and Routing" section you need to create the necessary NAT rules. For users of the Trusted network to reach the Internet, a NAT rule is already predefined, "Trusted -> Untrusted"; all that remains is to enable it. Rules are applied from top to bottom in the order listed in the console, and only the first rule whose conditions match is executed. For a rule to trigger, every condition specified in its parameters must match. UserGate recommends creating NAT rules that are as general as possible, for example a single NAT rule from the local network (usually the Trusted zone) to the Internet (usually the Untrusted zone), and restricting access for users, services and applications with firewall rules instead.

It is also possible to create DNAT rules, port forwarding, policy-based routing and network mapping.


Next, in the "Firewall" section you need to create firewall rules. For unrestricted Internet access for users of the Trusted network, a firewall rule is already predefined, "Internet for Trusted", and it needs to be enabled. With firewall rules the administrator can allow or deny any type of traffic passing through UserGate. Rules can include source and destination zones and IP addresses, users and groups, services and applications. The rules work in the same way as in the "NAT and Routing" section, that is, from top to bottom. If no rules have been created, all traffic passing through UserGate is blocked.
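The NAT and Firewall sections above share one evaluation model: rules are walked top to bottom, a rule matches only when all of its conditions match, the first matching rule wins, and traffic matching no firewall rule is blocked. The following added example (not UserGate code) implements that model for both sections, including the two predefined rules the article names, which ship disabled. Zone names, addresses and the extra "Block guest host" rule are constructed sample data.

```python
"""First-match rule evaluation for the NAT and Firewall sections described above.

Added example, not UserGate code. It reproduces the evaluation order the
article gives for both sections: rules are walked top to bottom, a rule
matches only when every one of its conditions matches, only the first matching
rule applies, and, for the firewall, traffic that matches no rule is blocked.
Zone names, addresses and services below are constructed sample data.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str      # 'tcp' | 'udp' | 'icmp'
    dst_port: int   # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # firewall: 'allow' / 'deny'; NAT: 'nat'
    enabled: bool = True
    # A condition left as None matches anything.
    src_zones: Optional[FrozenSet[str]] = None
    dst_zones: Optional[FrozenSet[str]] = None
    src_nets: Optional[Tuple[str, ...]] = None              # CIDR strings
    dst_nets: Optional[Tuple[str, ...]] = None
    services: Optional[FrozenSet[Tuple[str, int]]] = None   # (proto, port)


def _ip_in(ip: str, nets: Optional[Tuple[str, ...]]) -> bool:
    return nets is None or any(ip_address(ip) in ip_network(n) for n in nets)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """All conditions of the rule must match; disabled rules never match."""
    if not rule.enabled:
        return False
    if rule.src_zones is not None and pkt.src_zone not in rule.src_zones:
        return False
    if rule.dst_zones is not None and pkt.dst_zone not in rule.dst_zones:
        return False
    if not _ip_in(pkt.src_ip, rule.src_nets) or not _ip_in(pkt.dst_ip, rule.dst_nets):
        return False
    if rule.services is not None and (pkt.proto, pkt.dst_port) not in rule.services:
        return False
    return True


def first_match(rules: Sequence[Rule], pkt: Packet) -> Optional[Rule]:
    """Top-to-bottom walk; the first matching rule decides."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule
    return None


def firewall_verdict(rules: Sequence[Rule], pkt: Packet) -> str:
    """'allow' or 'deny'; with no matching rule the traffic is blocked."""
    rule = first_match(rules, pkt)
    return rule.action if rule else "deny"


def nat_rule_for(rules: Sequence[Rule], pkt: Packet) -> Optional[str]:
    """Name of the NAT rule that applies, or None if the packet is not translated."""
    rule = first_match(rules, pkt)
    return rule.name if rule else None


def enable(rules: Sequence[Rule], name: str) -> list:
    """Return a copy of the rule list with the named rule switched on."""
    return [replace(r, enabled=True) if r.name == name else r for r in rules]


# Constructed sample policy: the two predefined rules from the article (which
# ship disabled) plus one narrower deny placed above the general allow.
NAT_RULES = [
    Rule("Trusted -> Untrusted", "nat", enabled=False,
         src_zones=frozenset({"Trusted"}), dst_zones=frozenset({"Untrusted"})),
]
FW_RULES = [
    Rule("Block guest host to Internet", "deny",
         src_zones=frozenset({"Trusted"}), dst_zones=frozenset({"Untrusted"}),
         src_nets=("192.168.1.200/32",)),
    Rule("Internet for Trusted", "allow", enabled=False,
         src_zones=frozenset({"Trusted"}), dst_zones=frozenset({"Untrusted"})),
]

WEB_FROM_PC = Packet("Trusted", "Untrusted", "192.168.1.10", "198.51.100.7", "tcp", 443)
WEB_FROM_GUEST = Packet("Trusted", "Untrusted", "192.168.1.200", "198.51.100.7", "tcp", 443)

if __name__ == "__main__":
    print("before enabling:", firewall_verdict(FW_RULES, WEB_FROM_PC), nat_rule_for(NAT_RULES, WEB_FROM_PC))
    fw_on = enable(FW_RULES, "Internet for Trusted")
    print("PC:", firewall_verdict(fw_on, WEB_FROM_PC), "guest:", firewall_verdict(fw_on, WEB_FROM_GUEST))
    print("reversed order, guest:", firewall_verdict(list(reversed(fw_on)), WEB_FROM_GUEST))
```

Two things the run makes visible: until the predefined rules are enabled, both the firewall (implicit deny) and NAT (no translation) keep the Trusted network offline, which is the state after a fresh install; and reversing the order of the guest deny and the general allow flips the verdict for the guest host, because the first match wins and a later, narrower rule is never consulted.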


4. Conclusion

This concludes the article. We installed the UserGate firewall on a virtual machine and made the settings needed for Internet access from the Trusted network. In the following articles we will look at the configuration in more detail.


Source: www.habr.com
