3. UserGate Getting Started. Network Policy


Welcome to the third article in the UserGate Getting Started series, which covers the NGFW solution from the company UserGate. The previous article described the firewall installation procedure and its initial configuration. This time we take a closer look at creating rules in the Firewall, NAT and Routing, and Bandwidth sections.

The principle behind UserGate rules is that rules are processed from top to bottom until the first matching rule fires. It follows that more specific rules must be placed above more general ones. Note, however, that because rules are checked in order, it is better from a performance standpoint to create general rules. When any rule is created, its conditions are combined with "AND" logic. If "OR" logic is needed, it is achieved by creating several rules. Everything described in this article therefore also applies to the other UserGate policies.

Firewall

After installing UserGate, a simple policy already exists in the "Firewall" section. The first two rules block botnet traffic. Next come example access rules from the various zones. The last rule is always called "Block all" and is marked with a lock icon (meaning the rule cannot be deleted, modified, moved, or disabled; the only thing that can be enabled on it is logging). Because of this rule, all traffic that is not explicitly allowed is blocked by the last rule. If you want to let all traffic through UserGate (although this is strongly discouraged), you can create a final "Allow all" rule.


When editing or creating a firewall rule, the first stop is the General tab, where you need to do the following:

  • The "On" checkbox enables or disables the rule.

  • Enter the rule name.

  • Set the rule description.

  • Choose one of two actions:

    • Deny - blocks the traffic (with this action it is also possible to send ICMP Host Unreachable back to the sender; just tick the corresponding box).

    • Allow - permits the traffic.

  • The Scenario item lets you select a scenario, which is an additional condition that must hold for the rule to fire. This is how UserGate implements the SOAR (Security Orchestration, Automation and Response) concept.

  • Logging - record traffic information when the rule fires. Possible options:

    • Log session start. In this case only information about the start of the session (the first packet) is written to the traffic log. This is the recommended logging option.

    • Log every packet. In this case information about every transmitted packet is logged. In this mode it is recommended to set a logging limit to avoid overloading the device.

  • Apply the rule to:

    • all packets

    • fragmented packets only

    • non-fragmented packets only

  • When creating a new rule, you can choose its position in the policy.

Next comes the Source tab. Here we specify the traffic source: it can be the zones the traffic comes from, or a list or IP address (GeoIP). In almost every rule the device supports, an object can be created from inside the rule; for example, without going to the "Zones" section, you can use the "Create and add a new object" button to create the zone we need. The "Invert" checkbox is also common; it inverts the condition in the rule, which is equivalent to logical negation. The Destination tab is similar to the Source tab, but instead of the traffic source we set the destination. On the Users tab you can add a list of users or groups to which the rule applies. On the Service tab you select the service type from the predefined ones or define your own. On the Applications tab specific applications or application groups are selected. And the Time tab specifies the time during which the rule is active.

From the previous lesson we have a rule allowing Internet access from the "Trusted" zone; now I will show, as an example, how to create a rule that denies ICMP traffic from the "Trusted" zone to the "Untrusted" zone.

First, create the rule by clicking the "Add" button. In the window that opens, on the General tab, enter the name (Deny ICMP from trusted to untrusted), tick the "On" checkbox, select the Deny action and, most importantly, choose the rule's position correctly. In my policy this rule must be placed above the "Allow trusted to untrusted" rule:


On the "Source" tab there are two options for my task:

  • Select the "Trusted" zone.

  • Select all zones except "Trusted" and tick the "Invert" box.


The Destination tab is configured in the same way as the Source tab.

Next, go to the "Service" tab. Since UserGate has a predefined ICMP service, we click the "Add" button and select the service named "Any ICMP" from the list offered:


Perhaps this is what the UserGate developers intended, but I was able to create several identical rules. Although only the first rule in the list is applied, I think the ability to create rules with the same name but different behaviour can cause confusion when several administrators manage the device.
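To make the ordering point concrete, here is an added model (not UserGate code) of the policy semantics described above: top-down evaluation, first match wins, conditions ANDed, and the locked "Deny all" rule at the end. It replays the ICMP deny rule from this section in both positions relative to "Allow trusted to untrusted" and also shows the "Invert" option on the Source tab; the zone names beyond Trusted and Untrusted and the packets are constructed.

```python
# Added example, not UserGate code: a small model of the policy semantics the
# article describes (top-down, first match wins, conditions ANDed, locked
# "Deny all" at the end). Zone names and packets are constructed.
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    action: str                                  # "allow" or "deny"
    src_zones: set = field(default_factory=set)  # empty set = any zone
    dst_zones: set = field(default_factory=set)
    services: set = field(default_factory=set)   # e.g. {"ICMP"}; empty = any
    invert_src: bool = False                     # "Invert" box on the Source tab
    enabled: bool = True                         # "On" box on the General tab

    def matches(self, pkt):
        src_ok = not self.src_zones or pkt["src_zone"] in self.src_zones
        if self.invert_src and self.src_zones:   # Invert negates the condition
            src_ok = not src_ok
        dst_ok = not self.dst_zones or pkt["dst_zone"] in self.dst_zones
        svc_ok = not self.services or pkt["service"] in self.services
        return self.enabled and src_ok and dst_ok and svc_ok   # AND logic

def evaluate(policy, pkt):
    """Return (action, rule name) of the first matching rule; the locked
    final rule denies whatever no earlier rule explicitly allowed."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "Deny all"

# The allow rule from the previous part and the new ICMP deny rule.
ALLOW_TRUSTED = Rule("Allow trusted to untrusted", "allow",
                     src_zones={"Trusted"}, dst_zones={"Untrusted"})
DENY_ICMP = Rule("Deny ICMP from trusted to untrusted", "deny",
                 src_zones={"Trusted"}, dst_zones={"Untrusted"},
                 services={"ICMP"})
# The second option from the article: every zone except "Trusted" with
# Invert ticked (this zone list is constructed).
DENY_ICMP_INV = Rule("Deny ICMP (inverted source)", "deny",
                     src_zones={"Untrusted", "DMZ"}, invert_src=True,
                     dst_zones={"Untrusted"}, services={"ICMP"})

PING = {"src_zone": "Trusted", "dst_zone": "Untrusted", "service": "ICMP"}
def correct_order(deny_rule=DENY_ICMP):
    return evaluate([deny_rule, ALLOW_TRUSTED], PING)  # deny placed above

def wrong_order():
    return evaluate([ALLOW_TRUSTED, DENY_ICMP], PING)  # allow shadows the deny
```

With the deny rule below the allow rule, the ping is allowed and the deny rule never fires, which is exactly the misordering the position setting guards against.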

NAT and Routing

When creating NAT rules we see several tabs similar to the firewall ones. A "Type" field appears on the "General" tab; it lets you choose what the rule should do:

  • NAT - Network Address Translation.

  • DNAT - redirects traffic to the specified IP address.

  • Port forwarding - redirects traffic to the specified IP address, but also lets you change the port number of the published service.

  • Policy-based routing - lets you route IP packets based on extended information such as services, MAC addresses, or servers (IP addresses).

  • Network mapping - lets you replace the IP addresses of one network with those of another network.

After selecting the appropriate rule type, its settings become available.

In the SNAT IP (external address) field we explicitly specify the IP address that the source address will be changed to. This field is required if several IP addresses are assigned to the interfaces of the destination zone. If you leave the field empty, the system will use an arbitrary address from the list of IP addresses assigned to the destination zone's interfaces. UserGate recommends specifying SNAT IP to improve firewall performance.

As an example, I will publish the SSH service of a Windows server located in the "DMZ" zone using a "Port forwarding" rule. To do this, click the "Add" button and on the "General" tab specify the rule name "SSH to Windows" and the type "Port forwarding":


On the "Source" tab select the "Untrusted" zone and go to the "Port forwarding" tab. Here we need to specify the "TCP" protocol (four options are available: TCP, UDP, SMTP, SMTPS). Original port 9922 is the port number to which users send their requests (ports 2200, 8001, 4369 and 9000-9100 cannot be used). New port (22) is the port number on the published internal server to which user requests will be forwarded.


On the "DNAT" tab, enter the IP address of the computer on the local network that is being published to the Internet (192.168.3.2). You can also optionally enable SNAT; UserGate will then rewrite the source address of packets coming from the external network to its own IP address.


After all these settings we get a rule that allows access from the "Untrusted" zone to the server with IP address 192.168.3.2 over the SSH protocol, using the UserGate external address when connecting.
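As an added illustration (not UserGate code), the following models the "SSH to Windows" rule just built: the Source and Port forwarding conditions, the DNAT rewrite of 9922 to 192.168.3.2:22, the optional SNAT, and the original-port numbers the article lists as unusable. The UserGate external and DMZ-side addresses and the client address are constructed assumptions.

```python
# Added example, not UserGate code: a model of the "SSH to Windows"
# port-forwarding rule built in this article. 192.168.3.2, the Untrusted
# source zone, ports 9922 -> 22 and the unusable original ports come from the
# article; the UserGate addresses and the client address are constructed.
EXTERNAL_IP = "203.0.113.10"   # constructed: UserGate address in Untrusted
INSIDE_IP = "192.168.3.1"      # constructed: UserGate address on the DMZ side

RESERVED_PORTS = {2200, 8001, 4369} | set(range(9000, 9101))  # not usable
PROTOCOLS = {"TCP", "UDP", "SMTP", "SMTPS"}  # the four choices on the tab

class PortForward:
    def __init__(self, name, src_zone, proto, original_port, new_port,
                 dnat_ip, snat=False):
        if proto not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {proto}")
        if not 1 <= original_port <= 65535 or original_port in RESERVED_PORTS:
            raise ValueError(f"port {original_port} cannot be the original port")
        self.name, self.src_zone, self.proto = name, src_zone, proto
        self.original_port, self.new_port = original_port, new_port
        self.dnat_ip, self.snat = dnat_ip, snat

    def translate(self, pkt):
        """Rewrite an inbound packet as the rule would, or return None when
        the Source and Port forwarding conditions do not all match."""
        if (pkt["src_zone"] != self.src_zone or pkt["proto"] != self.proto
                or pkt["dst_ip"] != EXTERNAL_IP
                or pkt["dst_port"] != self.original_port):
            return None
        out = dict(pkt, dst_ip=self.dnat_ip, dst_port=self.new_port)  # DNAT
        if self.snat:            # optional SNAT: the server sees UserGate only
            out["src_ip"] = INSIDE_IP
        return out

def inbound_ssh(snat=False, src_zone="Untrusted"):
    rule = PortForward("SSH to Windows", "Untrusted", "TCP", 9922, 22,
                       "192.168.3.2", snat=snat)
    client = {"src_zone": src_zone, "src_ip": "198.51.100.7",  # constructed
              "proto": "TCP", "dst_ip": EXTERNAL_IP, "dst_port": 9922}
    return rule.translate(client)

def original_port_rejected(port):
    """True if the reserved-port check, as modelled here, refuses the port."""
    try:
        PortForward("probe", "Untrusted", "TCP", port, 22, "192.168.3.2")
    except ValueError:
        return True
    return False
```

With SNAT enabled the published server logs only the UserGate address as the client source, which is worth remembering when reading its authentication logs.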


Bandwidth

This section defines bandwidth control rules. They can be used to limit the channel for particular users, hosts, services, or applications.


When creating a rule, the conditions on the tabs determine the traffic to which the limits apply. The bandwidth can be chosen from the ones offered, or you can define your own. When creating a bandwidth object, you can specify a DSCP traffic priority label. One example of when DSCP labels are used: by specifying in the rule the scenario under which it applies, the rule can change those labels. Another example of how a scenario works: the rule applies to a user only if a torrent is detected or the traffic volume exceeds the specified limit. The remaining tabs are filled in the same way as in the other policies, according to the type of traffic the rule should apply to.


Conclusion

In this article I described creating rules in the Firewall, NAT and Routing, and Bandwidth sections. At the beginning of the article, the rules for building UserGate policies and the way conditions are combined when creating a rule were also explained.


Source: www.habr.com
