7. NGFW for small business. Performance and general recommendations


The time has come to wrap up the series of articles on the new generation of SMB Check Point (1500 series). We hope it was useful to you and that you will stay with us on the TS Solution blog. The topic of the final article is not widely covered, but it is no less important: SMB performance tuning. In it we discuss the hardware and software configuration options of the NGFW and describe the available commands and ways of interacting with it.

All articles in the series on NGFW for small business:

  1. New CheckPoint 1500 Security Gateway Line

  2. Unboxing and Setup

  3. Wireless data transmission: WiFi and LTE

  4. VPN

  5. Cloud SMP Management

  6. Smart-1 Cloud

At the moment there are not many sources of information on SMB performance tuning, because of the restrictions of the internal OS, Gaia 80.20 Embedded. In this article we use a layout with centralized management (a Dedicated Management Server), which gives you more tools to work with when operating the NGFW.

Hardware part

Before touching on the architecture of the Check Point SMB family, you can always ask your partner to use the Appliance Sizing Tool to select the right solution for the stated characteristics (throughput, number of users, and so on).

Important notes when working with your NGFW hardware

  1. NGFW solutions of the SMB family cannot have their system components (CPU, RAM, HDD) upgraded; depending on the model there is support for SD cards, which lets you expand disk capacity, but not by much.

  2. The operation of the network interfaces needs monitoring. Gaia 80.20 Embedded does not have many monitoring tools, but you can use the well-known command in the CLI through Expert mode.

    # ifconfig


    Pay attention to the lines at the bottom: they let you estimate the number of errors on the interface. It is strongly recommended to check these parameters during the initial setup of your NGFW, and periodically during operation.

  3. For full Gaia there is a command:

    > chiwonetsero chazithunzi

    With it you can obtain information about the hardware temperature. Unfortunately, this option is not available in 80.20 Embedded, so we list the most popular SNMP traps:

    | Name | Description |
    |---|---|
    | Interface disconnected | Interface goes down |
    | VLAN removed | VLANs removed |
    | High memory utilization | High RAM utilization |
    | Low disk space | Not enough HDD space |
    | High CPU utilization | High CPU utilization |
    | High CPU interrupts rate | High interrupt rate |
    | High connection rate | High rate of new connections |
    | High concurrent connections | High number of concurrent sessions |
    | High Firewall throughput | High firewall throughput |
    | High accepted packet rate | High rate of accepted packets |
    | Cluster member state changed | Cluster state change |
    | Connection with log server error | Connection to the Log Server lost |

  4. Operating your gateway requires monitoring RAM. For Gaia (a Linux-like OS) it is a normal situation when RAM consumption reaches 70-80% of usage.

    The architecture of SMB solutions does not provide for the use of SWAP memory, unlike older Check Point models. Nevertheless, the Linux system files were observed to contain , which points to a theoretical possibility of changing the SWAP parameter.
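The interface check from item 2 of the hardware notes, as an added example (not part of the original article): it parses `ifconfig` output and prints only the interfaces whose RX/TX error counters are non-zero. It assumes the classic `RX packets:N errors:N ...` layout; the interface names, addresses and counters in the sample are constructed.

```shell
#!/bin/sh
# Added example: list interfaces whose ifconfig error counters are non-zero.
# Assumption: classic net-tools/BusyBox layout ("RX packets:N errors:N ...").

# Reads ifconfig text on stdin; prints "<iface> rx_errors=N ..." for every
# interface that has at least one non-zero counter, in stanza order.
iface_errors() {
    awk '
    # A line that starts in column 1 opens a new interface stanza.
    /^[A-Za-z0-9]/ { iface = $1; sub(/:$/, "", iface); order[++cnt] = iface }
    # Counter lines: "RX packets:.. errors:.. dropped:.. overruns:.. frame:.."
    /RX packets|TX packets/ {
        dir = ($1 == "RX") ? "rx" : "tx"
        for (i = 2; i <= NF; i++) {
            n = split($i, kv, ":")
            # Skip the packet total; keep every other counter that is > 0.
            if (n == 2 && kv[1] != "packets" && kv[2] + 0 > 0)
                bad[iface] = bad[iface] " " dir "_" kv[1] "=" kv[2]
        }
    }
    END {
        for (j = 1; j <= cnt; j++)
            if (order[j] in bad) print order[j] bad[order[j]]
    }'
}

# Constructed sample output (documentation addresses, made-up counters).
sample_ifconfig() {
cat <<'EOF'
WAN       Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:184220 errors:12 dropped:3 overruns:0 frame:12
          TX packets:150311 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000

LAN1      Link encap:Ethernet  HWaddr 00:00:5E:00:53:02
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:90211 errors:0 dropped:0 overruns:0 frame:0
          TX packets:88102 errors:0 dropped:0 overruns:0 carrier:0
EOF
}

# On the gateway (Expert mode) the equivalent is: ifconfig | iface_errors
sample_ifconfig | iface_errors
```

Counters that keep growing between two runs point to a cabling, duplex or port problem on that interface rather than to a one-off event.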

Software part

At the time of publication the latest Gaia version is 80.20.10. You should be aware that there are restrictions when working in the CLI: only some Linux commands are supported in Expert mode. Assessing how the NGFW is performing requires assessing how its daemons and services are running; more on this can be found in my colleague's article. We will look at the commands available for SMB.

Working with Gaia OS

  1. View SecureXL templates

    # fwaccel stat


  2. View load by core

    # fw ctl multik stat


  3. View the number of sessions (connections).

    # fw ctl pstat


  4. * View the cluster state

    # cphaprob stat


  5. The classic Linux TOP command

Logging

As you already know, there are three ways of working with NGFW logs (storage, processing): locally, centrally, and in the cloud. The last two options imply the presence of an additional entity: a Management Server.

Possible NGFW management schemes

The most valuable log files

  1. System messages (contains less information than in full Gaia)

    # tail -f /var/log/messages2


  2. Error messages from the operation of the blades (a useful file when troubleshooting)

    # tail -f /var/log/log/sfwd.elg


  3. View messages from the buffer at the system kernel level.

    # dmesg


Blade configuration

This section does not contain complete instructions for configuring your Check Point NGFW; it contains only our recommendations, selected from experience.

Application Control / URL Filtering

  • It is recommended to avoid ANY, ANY (Source, Destination) conditions in rules.

  • When specifying a custom URL resource, it is more efficient to use a regular expression such as: (^|..)checkpoint.com

  • Avoid excessive use of logging and of displaying block pages (UserCheck).

  • Make sure the "SecureXL" technology is working correctly. Most traffic should pass through the accelerated / medium path. Also, do not forget to filter rules by the most frequently used ones (the Hits field).

HTTPS Inspection

It is no secret that 70-80% of user traffic is HTTPS connections, which means this requires resources from your gateway's processor. In addition, HTTPS Inspection takes part in the work of IPS, Antivirus, and Antibot.

Starting with version 80.40 it became possible to work with HTTPS rules without the Legacy Dashboard; here is a recommended rule order:

  • Bypass for a group of addresses and networks (Destination).

  • Bypass for a group of URLs.

  • Bypass for internal IPs and networks with privileged access (Source).

  • Inspect for the required networks and users.

  • Bypass for everyone else.

* It is always better to select the HTTPS or HTTPS Proxy services manually rather than leave Any. Log events according to the Inspect rules.

IPS

The IPS blade can cause policy installation on your NGFW to fail if too many signatures are in use. According to an article from Check Point, the SMB device architecture is not designed to run the full recommended IPS profile.

To resolve or prevent the problem, follow these steps:

  1. Clone the Optimized profile under the name "Optimized SMB" (or another of your choice).

  2. Edit the profile, go to the IPS → Pre R80.Settings section and turn off Server Protections.


  3. At your discretion, you can disable CVEs older than 2010; these vulnerabilities are rarely found in small offices, but they affect performance. To disable some of them, go to Profile → IPS → Additional Activation → Protections to deactivate list


Instead of a conclusion

As part of the series of articles on the new generation of NGFW of the SMB family (1500), we tried to cover the main capabilities of the solution and to demonstrate the configuration of important security components using concrete examples. We will be glad to answer any questions about the product in the comments. Stay with us, and thank you for your attention!

A large selection of materials on Check Point from TS Solution. So as not to miss new publications, follow the updates on our social networks (Telegram, Facebook, VK, TS Solution Blog, Yandex.Zen).

Source: www.habr.com
