How to Evaluate and Compare Ethernet Encryption Devices

I wrote this review (or, if you prefer, a comparison guide) when I was tasked with comparing several devices from different vendors. Moreover, these devices belonged to different classes. I had to understand the architecture and characteristics of all these devices and build a "coordinate system" for comparing them. I will be glad if my review helps someone:

  • Understand the descriptions and specifications of encryption devices
  • Distinguish "paper" characteristics from those that really matter in real life
  • Go beyond the usual set of vendors and consider any products that are suitable for solving the problem
  • Ask the right questions during negotiations
  • Draw up tender requirements (RFP)
  • Understand which characteristics will have to be sacrificed if a particular device is chosen

What can be evaluated

In principle, the approach applies to any standalone device intended for encrypting network traffic between remote Ethernet segments (site-to-site encryption). That is, "boxes" in a separate enclosure (well, we will also include blades/modules for a chassis here), which are connected through one or more Ethernet ports to a local (campus) Ethernet network carrying unencrypted traffic, and through other ports to a channel/network over which the already encrypted traffic is sent to other, remote segments. Such an encryption solution can be deployed in a private or an operator network over different kinds of "transport" (dark fiber, frequency-division equipment, switched Ethernet, as well as "pseudowires" laid through a network with a different routing architecture, most often MPLS), with or without VPN technology.

[Figure: Network encryption in a distributed Ethernet network]

The devices themselves can be either specialized (intended for encryption only) or multifunctional (hybrid, converged), that is, also performing other functions (for example, a firewall or a router). Different vendors assign their devices to different classes/categories, but this does not matter - all that matters is whether they can encrypt site-to-site traffic, and what characteristics they have.

Just in case, I remind you that "network encryption", "traffic encryption" and "encryptor" are informal terms, although they are used often. You will not find them in Russian regulations (including those that introduce GOSTs).

Encryption levels and transmission modes

Before we start describing the characteristics that will be used for evaluation, we first need to understand one important thing, namely the "encryption level". I noticed that it is often mentioned both in official vendor documents (descriptions, manuals, and so on) and in informal discussions (at negotiations, in training). That is, everyone seems to know very well what is being talked about, but I have personally witnessed some confusion.

So what is an "encryption level"? Clearly, we are talking about the number of the OSI/ISO reference network model layer at which encryption takes place. We read GOST R ISO 7498-2-99 "Information technology. Open systems interconnection. Basic reference model. Part 2. Information security architecture." From this document it can be understood that the level of the confidentiality service (one of the mechanisms for providing which is encryption) is the level of the protocol whose service data unit ("payload", user data) is encrypted. As the standard also says, the service can be provided both at the same level, "on its own", and with the help of a lower level (this is how, for example, it is most often implemented in MACsec).

In practice, two modes of transmitting encrypted information over a network are possible (IPsec immediately comes to mind, but the same modes are found in other protocols as well). In transport (sometimes also called native) mode, only the service data unit is encrypted, and the headers remain "open", unencrypted (sometimes additional fields with service information of the encryption algorithm are added, and other fields are modified and recalculated). In tunnel mode, the entire protocol data unit (that is, the packet itself) is encrypted and encapsulated in a service data unit of the same or a higher level, that is, it is surrounded by new headers.

The encryption level itself, combined with some transmission mode, is neither good nor bad, so it cannot be said, for example, that L3 in transport mode is better than L2 in tunnel mode. It is just that many of the characteristics by which devices are evaluated depend on them. For example, flexibility and compatibility. To work in an L1 (bit stream relay), L2 (frame switching) or L3 (packet routing) network in transport mode, you need solutions that encrypt at the same or a higher level (otherwise the address information will be encrypted and the data will not reach its destination), while tunnel mode overcomes this limitation (although it sacrifices other important characteristics).

[Figure: Transport and tunnel L2 encryption modes]

Now let's move on to analyzing the characteristics.

Performance

For network encryption, performance is a complex, multidimensional concept. It happens that a certain model, while superior in one performance characteristic, is inferior in another. Therefore, it is always useful to consider all the components of encryption performance and their impact on the performance of the network and of the applications that use it. Here we can draw an analogy with a car, for which not only the maximum speed matters, but also the acceleration time to "a hundred", fuel consumption, and so on. Vendors and their potential customers pay great attention to performance characteristics. As a rule, encryption devices are ranked by performance within vendors' product lines.

It is clear that performance depends both on the complexity of the network and cryptographic operations performed on the device (including how well these tasks can be parallelized and pipelined), and on the performance of the hardware and the quality of the firmware. Therefore, higher-end models use more powerful hardware; sometimes it can be fitted with additional processors and memory modules. There are several approaches to implementing cryptographic functions: on a general-purpose central processing unit (CPU), on an application-specific integrated circuit (ASIC), or on a field-programmable gate array (FPGA). Each approach has its pros and cons. For example, the CPU can become the encryption bottleneck, especially if the processor has no specialized instructions to support the encryption algorithm (or if they are not used). Specialized chips lack flexibility; it is not always possible to "reflash" them to improve performance, add new functions, or eliminate vulnerabilities. In addition, using them pays off only at large production volumes. That is why the "golden mean" has become so popular - the use of FPGAs (known as PLIS in Russian). It is on FPGAs that the so-called crypto accelerators are built - built-in or plug-in specialized hardware modules that support cryptographic operations.

Since we are talking about network encryption, it is logical that performance should be measured in the same quantities as for other network devices - throughput, frame loss rate and latency. These quantities are defined in RFC 1242. By the way, nothing is written in this RFC about the often mentioned delay variation (jitter). How should these quantities be measured? I have not found a methodology approved in any standard (official or unofficial, like an RFC) specifically for network encryption. It would be logical to use the methodology for network devices set out in RFC 2544. Many vendors follow it - many, but not all. For example, they send test traffic in only one direction instead of both, as the standard recommends. Oh well.

Measuring the performance of network encryption devices still has its own peculiarities. Firstly, it is correct to carry out all measurements on a pair of devices: although the encryption algorithms are symmetric, the delay and packet loss during encryption and during decryption will not necessarily be equal. Secondly, it makes sense to measure the delta, the effect of network encryption on the final network performance, by comparing two configurations: without the encryption devices and with them. Or, as is the case with hybrid devices, which combine several functions in addition to network encryption, with encryption turned off and turned on. This effect can differ and depends on the connection scheme of the encryption devices, on the operating modes, and finally, on the nature of the traffic. In particular, many performance parameters depend on packet length, which is why, to compare the performance of different solutions, graphs of these parameters as a function of packet length are often used, or IMIX is used - a distribution of traffic by packet length that approximately reflects the real one. If we compare against the same baseline configuration without encryption, we can compare network encryption solutions that are implemented differently without going into these differences: L2 with L3, store-and-forward with cut-through, specialized with converged, GOST with AES, and so on.

[Figure: Connection diagram for performance testing]

The first characteristic people pay attention to is the "speed" of the encryption device, that is, the bandwidth of its network interfaces, the bit rate. It is determined by the network standards that the interfaces support. For Ethernet, the usual numbers are 1 Gbps and 10 Gbps. But, as we know, in any network the maximum theoretical throughput at each of its levels is always less than the bandwidth: part of the bandwidth is "eaten up" by interframe gaps, service headers, and so on. If a device is able to receive, process (in our case, encrypt or decrypt) and transmit traffic at the full speed of the network interface, that is, at the maximum theoretical throughput for this level of the network model, then it is said to work at line rate. For this, the device must not lose or drop packets at any packet size and any packet rate. If the encryption device does not support operation at line rate, then its maximum throughput is usually given in the same gigabits per second (sometimes with the packet length indicated - the shorter the packets, the lower the throughput usually is). It is very important to understand that the maximum throughput is the maximum with no loss (even if the device can "pump" traffic through itself at a higher speed while losing some of the packets). Also, note that some vendors measure the total throughput between all pairs of ports, so these numbers mean little if all the encrypted traffic goes through a single port.

Where is it especially important to work at line rate (or, in other words, without packet loss)? On high-bandwidth, high-latency links (such as satellite), where large TCP windows must be set to maintain high transmission speeds, and where packet loss sharply reduces network performance.
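The zero-loss throughput search and the with/without-encryption delta described above, as an added example that is not from the original article: an RFC 2544-style throughput search in Python, run against simulated paths. The 32-byte per-frame growth and the frames-per-second limits of the two encryptors are constructed values, not measurements of any product.

```python
# Added example: RFC 2544-style zero-loss throughput search on simulated paths.
# All device limits below are constructed for illustration, not vendor data.

WIRE_EXTRA = 20  # bytes per frame on the wire: 8 preamble/SFD + 12 interframe gap
RFC2544_SIZES = (64, 128, 256, 512, 1024, 1280, 1518)  # frame lengths incl. FCS


def line_rate_fps(link_bps, frame_len):
    """Theoretical maximum frames/s of an Ethernet link for one frame length."""
    return link_bps / ((frame_len + WIRE_EXTRA) * 8)


class SimulatedPath:
    """Stand-in for 'tester -> [encryptor -> WAN -> decryptor] -> tester'.

    added_bytes: bytes each frame grows by between the two encryptors.
    enc_fps / dec_fps: hypothetical processing limits of the encrypting and
    the decrypting device; the pair is only as fast as its slower half.
    """

    def __init__(self, link_bps, added_bytes=0, enc_fps=None, dec_fps=None):
        self.link_bps = link_bps
        self.added_bytes = added_bytes
        self.limits = [x for x in (enc_fps, dec_fps) if x is not None]

    def capacity_fps(self, frame_len):
        # The WAN side has the same bit rate but must carry longer frames.
        wan = line_rate_fps(self.link_bps, frame_len + self.added_bytes)
        return min([wan] + self.limits)

    def lost_fps(self, frame_len, offered_fps):
        """Frames lost per second of a trial at the offered load."""
        return max(0.0, offered_fps - self.capacity_fps(frame_len))


def zero_loss_throughput(path, frame_len, resolution=0.001):
    """Highest offered load, as a fraction of line rate, with no frame lost."""
    top = line_rate_fps(path.link_bps, frame_len)
    if path.lost_fps(frame_len, top) == 0:
        return 1.0  # the path works at line rate for this frame length
    lo, hi = 0.0, 1.0  # lo: known loss-free load, hi: known lossy load
    while hi - lo > resolution:
        mid = (lo + hi) / 2
        if path.lost_fps(frame_len, mid * top) == 0:
            lo = mid
        else:
            hi = mid
    return lo


def compare(baseline, encrypted, sizes=RFC2544_SIZES):
    """Per frame length: (baseline, with encryption, delta) as line-rate fractions."""
    rows = {}
    for size in sizes:
        b = zero_loss_throughput(baseline, size)
        e = zero_loss_throughput(encrypted, size)
        rows[size] = (b, e, b - e)
    return rows


if __name__ == "__main__":
    GBPS = 1_000_000_000
    baseline = SimulatedPath(GBPS)
    encrypted = SimulatedPath(GBPS, added_bytes=32,
                              enc_fps=1_000_000, dec_fps=1_200_000)
    for size, (b, e, d) in compare(baseline, encrypted).items():
        print(f"{size:5d} B  baseline {b:6.1%}  encrypted {e:6.1%}  delta {d:6.1%}")
```

On real equipment `lost_fps` would be replaced by a traffic-generator trial, run in both directions at once as RFC 2544 recommends.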

But not all of the bandwidth is used to transfer useful data. We have to reckon with the so-called bandwidth overhead. This is the part of the encryption device's throughput (as a percentage or in bytes per packet) that is actually wasted (cannot be used to transfer application data). Overhead arises, firstly, from the increase in size (addition, "padding") of the data field in encrypted network packets (depending on the encryption algorithm and its mode of operation). Secondly, from the increase in the length of packet headers (tunnel mode, the service insert of the encryption protocol, the message authentication code, and so on, depending on the protocol, the mode of operation of the cipher and the transmission mode) - usually this overhead is the most significant, and it is what people look at first. Thirdly, from fragmentation of packets when the maximum data unit size (MTU) is exceeded (if the network is able to split a packet that exceeds the MTU into two, duplicating its headers). Fourthly, from the appearance of additional service (control) traffic on the network between the encryption devices (for key exchange, tunnel setup, and so on). Low overhead is important where channel capacity is limited. This is especially evident with traffic made up of small packets, for example, voice - where the overhead can "eat up" more than half of the channel speed!

[Figure: Throughput]
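The first three overhead sources listed above (padding, extra headers and tags, fragmentation), as an added example that is not from the original article, computed for transport and tunnel mode at L2. The header, tag and block sizes, and the rule that an over-long protected frame is sent as two frames that each carry full headers and a tag, are assumptions chosen for illustration.

```python
# Added example: where encryption overhead comes from, per frame length.
# Header, tag and block sizes are assumptions for illustration; real values
# depend on the protocol, the cipher mode and the transmission mode in use.
from dataclasses import dataclass
from math import ceil

WIRE_EXTRA = 20   # preamble/SFD (8) + interframe gap (12), bytes per frame
ETH_HEADER = 14   # destination MAC, source MAC, EtherType
FCS = 4
MIN_FRAME = 64
MAX_FRAME = 1518  # largest untagged frame the transport network accepts


@dataclass(frozen=True)
class Profile:
    name: str
    sec_header: int  # encryption protocol's own header (key id, counter, ...)
    auth_tag: int    # integrity tag; 0 when content is not authenticated
    block: int       # cipher block size that forces padding; 1 = no padding
    tunnel: bool     # True: the whole frame is wrapped in a new Ethernet header


# Two hypothetical profiles, not taken from any product.
TRANSPORT = Profile("transport, stream mode + tag", 8, 16, 1, False)
TUNNEL = Profile("tunnel, block mode + tag", 8, 16, 16, True)


def protected_frames(frame_len, p):
    """Lengths of the frame(s) sent between encryptors for one original frame."""
    # Transport mode encrypts the payload only; tunnel mode also encrypts the
    # original Ethernet header and prepends a new one.
    clear = frame_len - FCS - (0 if p.tunnel else ETH_HEADER)
    padded = ceil(clear / p.block) * p.block
    fixed = ETH_HEADER + p.sec_header + p.auth_tag + FCS
    if fixed + padded <= MAX_FRAME:
        return [fixed + padded]
    # Assumption: an over-long protected frame is split in two, and each part
    # repeats the headers and carries its own tag.
    room = MAX_FRAME - fixed
    return [MAX_FRAME, max(MIN_FRAME, fixed + padded - room)]


def overhead_share(frame_len, p):
    """Fraction of the link's bit rate spent on encryption overhead."""
    plain = frame_len + WIRE_EXTRA
    sent = sum(n + WIRE_EXTRA for n in protected_frames(frame_len, p))
    return (sent - plain) / sent


def overhead_table(sizes, profiles):
    """{profile name: {frame length: overhead share rounded to 4 places}}"""
    return {p.name: {s: round(overhead_share(s, p), 4) for s in sizes}
            for p in profiles}


if __name__ == "__main__":
    table = overhead_table((64, 128, 512, 1518), (TRANSPORT, TUNNEL))
    for name, row in table.items():
        print(name, {size: f"{share:.1%}" for size, share in row.items()})
```

With these assumed sizes a 1518-byte frame costs more than a 512-byte one, because the protected frame no longer fits and is sent as two.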

Finally, there is also the introduced latency - the difference (in fractions of a second) in network delay (the time it takes data to pass from entering the network to leaving it) between data transmission without network encryption and with it. Generally speaking, the lower the latency of the network, the more critical the delay introduced by the encryption devices becomes. The delay is introduced by the encryption operation itself (depending on the encryption algorithm, the block length and the mode of operation of the cipher, as well as on the quality of its implementation in software), and by the processing of the network packet in the device. The introduced latency depends both on the packet processing mode (cut-through or store-and-forward) and on the performance of the platform (a hardware implementation on an FPGA or ASIC is usually faster than a software implementation on a CPU). L2 encryption almost always has lower latency than L3 or L4 encryption, because L3/L4 encryption devices are often converged. For example, with high-speed Ethernet encryptors implemented on FPGAs and encrypting at L2, the delay due to the encryption operation is vanishingly small - sometimes, when encryption is enabled on a pair of devices, the total delay they introduce even decreases! Low latency is important where it is comparable to the overall delay of the channel, including the propagation delay, which is approximately 5 μs per kilometer. That is, we can say that for city-scale networks (tens of kilometers across), microseconds can decide a lot. For example, for synchronous database replication, high-frequency trading, the same blockchain.

[Figure: Introduced latency]

Scalability

Large distributed networks can include many thousands of nodes and network devices and hundreds of local network segments. It is important that encryption solutions do not impose additional restrictions on the size and topology of the distributed network. This applies primarily to the maximum number of host and network addresses. Such restrictions can be encountered, for example, when implementing a multipoint encrypted network topology (with independent secure connections, or tunnels) or selective encryption (for example, by protocol number or VLAN). If in this case network addresses (MAC, IP, VLAN ID) are used as keys in a table with a limited number of rows, then this is where the restrictions show up.

In addition, large networks often have several structural layers, including the core network, each of which implements its own addressing scheme and its own routing policy. To implement this approach, special frame formats (such as Q-in-Q or MAC-in-MAC) and route determination protocols are often used. So as not to hinder the construction of such networks, encryption devices must handle such frames correctly (that is, in this sense scalability means compatibility - more on that below).

Flexibility

Here we are talking about support for various configurations, connection schemes, topologies and other things. For example, for switched networks based on Carrier Ethernet technologies, this means support for different types of virtual connections (E-Line, E-LAN, E-Tree), different types of service (both per port and per VLAN) and different transport technologies (they were already listed above). That is, the device must be able to work in both linear ("point-to-point") and multipoint modes, establish separate tunnels for different VLANs, and allow out-of-order delivery of packets within a secure channel. The ability to choose different cipher modes (including with or without content authentication) and different packet transmission modes lets you balance strength and performance depending on current conditions.

It is also important to support both private networks, whose equipment is owned by (or leased to) a single organization, and operator networks, different segments of which are managed by different companies. It is good if the solution allows management both in-house and by a third party (under a managed service model). In operator networks, another important function is support for multi-tenancy (sharing by different customers) in the form of cryptographic isolation of individual customers (subscribers) whose traffic passes through the same set of encryption devices. This requires the use of separate sets of keys and certificates for each customer.

If a device is purchased for a specific scenario, then all of these capabilities may not be very important - you just need to make sure that the device supports what you need now. But if the solution is purchased "for growth", to support future scenarios as well, and is chosen as a "corporate standard", then flexibility will not be superfluous - especially given the restrictions on interoperability of devices from different vendors (more on this below).

Simplicity and convenience

Ease of service is also a multifactorial concept. Roughly, we can say that it is the total time that specialists of a certain qualification need to spend to support the solution at the different stages of its life cycle. If there are no costs, and installation, configuration and operation are completely automatic, then the cost is zero and the convenience is absolute. Of course, this does not happen in the real world. A reasonable approximation is the "bump-in-the-wire" model, or transparent connection, in which adding and removing encryption devices requires no manual or automatic changes to the network configuration. At the same time, maintaining the solution becomes simpler: you can safely turn the encryption function on and off, and if necessary, simply "bypass" the device with a network cable (that is, directly connect the ports of the network equipment to which it was connected). True, there is one drawback - an attacker can do the same. To implement the "bump-in-the-wire" principle, it is necessary to take into account not only data plane traffic, but also the control and management planes - the devices must be transparent to them. Therefore, such traffic can be encrypted only when there are no recipients of these types of traffic in the network between the encryption devices, because if it is dropped or encrypted, then the network configuration may change when encryption is enabled or disabled. The encryption device can also be transparent to physical layer signaling. In particular, when the signal is lost, it must pass this loss on (that is, turn off its transmitters) backward and forward ("for itself") along the direction of the signal.

Support for the separation of powers between the information security and IT departments, in particular the network department, is also important. The encryption solution must support this division of administration. The need for interaction between different departments to perform routine operations should be minimized. Therefore, in terms of convenience, the advantage lies with specialized devices that support only encryption functions and are as transparent as possible to network operations. Simply put, information security staff should have no reason to turn to the "network specialists" to change network settings. And those, in turn, should have no need to change encryption settings when maintaining the network.

Another factor is the capability and convenience of the management tools. They should be visual and logical, and provide import and export of settings, automation, and so on. You should immediately pay attention to which management options are available (usually the vendor's own management environment, a web interface and a command line) and what set of functions each of them has (there are limitations). An important function is support for out-of-band management, that is, through a dedicated management network, and in-band management, that is, through the common network over which the useful traffic is transmitted. The management tools must signal all abnormal situations, including information security incidents. Routine, repetitive operations should be performed automatically. This primarily concerns key management. Keys should be generated/distributed automatically. PKI support is a big plus.

Compatibility

That is, the compatibility of the device with network standards. Moreover, this means not only the industry standards adopted by authoritative organizations such as IEEE, but also the proprietary protocols of industry leaders, such as Cisco. There are two main ways to ensure compatibility: either through transparency, or through explicit support of protocols (when the encryption device becomes one of the network nodes for a certain protocol and processes the control traffic of that protocol). Compatibility with networks depends on the completeness and correctness of the implementation of control protocols. It is important to support different options at the PHY level (speed, transmission medium, encoding scheme), Ethernet frames of different formats with any MTU, and different L3 service protocols (primarily the TCP/IP family).

Transparency is ensured through the mechanisms of mutation (temporarily changing the contents of the open headers in the traffic between encryptors), skipping (when individual packets are left unencrypted) and offsetting the start of encryption (when fields of packets that are normally encrypted are left unencrypted).

[Figure: How transparency is ensured]

Therefore, always check exactly how support for a particular protocol is provided. Support in transparent mode is often more convenient and reliable.

Interoperability

This is also compatibility, but in a different sense, namely the ability to work together with other models of encryption devices, including those from other manufacturers. Much depends on the state of standardization of encryption protocols. There are simply no generally accepted encryption standards at L1.

There is the 802.1ae (MACsec) standard for L2 encryption on Ethernet networks, but it uses not end-to-end but link, "hop-by-hop" encryption, and in its original form it is unsuitable for use in distributed networks, so proprietary extensions of it have appeared that overcome this limitation (of course, at the expense of interoperability with equipment from other manufacturers). True, in 2018 support for distributed networks was added to the 802.1ae standard, but there is still no support for the GOST encryption algorithm sets. Therefore, proprietary, non-standard L2 encryption protocols are, as a rule, distinguished by greater efficiency (in particular, lower bandwidth overhead) and flexibility (the ability to change encryption algorithms and modes).

At the higher levels (L3 and L4) there are recognized standards, primarily IPsec and TLS, but here too things are not so simple. The fact is that each of these standards is a set of protocols, each with different versions and extensions that are required or optional for implementation. In addition, some manufacturers prefer to use their own proprietary encryption protocols at L3/L4 as well. Therefore, in most cases you should not count on full interoperability, but it is important that at least interaction between different models and different generations from the same manufacturer is ensured.

Reliability

To compare different solutions, you can use either mean time between failures or availability. If these numbers are not available (or there is no trust in them), then a qualitative comparison can be made. The advantage will go to devices with convenient management (less risk of configuration errors), to specialized encryptors (for the same reason), and to solutions with minimal time to detect and eliminate a failure, including means of "hot" backup of entire nodes and devices.

Cost

When it comes to cost, as with most IT solutions, it makes sense to compare the total cost of ownership. To calculate it, you do not have to reinvent the wheel; use any suitable methodology (for example, from Gartner) and any calculator (for example, the one already used in the organization to calculate TCO). It is clear that for a network encryption solution, the total cost of ownership consists of the direct costs of purchasing or renting the solution itself, the infrastructure for hosting the equipment and the costs of deployment, administration and maintenance (whether in-house or as third-party services), as well as the indirect costs of solution downtime (caused by the loss of end-user productivity). There is probably only one subtlety. The performance impact of the solution can be accounted for in different ways: either as indirect costs caused by lost productivity, or as "virtual" direct costs of purchasing/upgrading and maintaining network equipment that compensates for the loss of network performance due to the use of encryption. In any case, costs that are difficult to calculate with sufficient accuracy are best left out of the calculation: this way there will be more confidence in the final figure. And, as usual, in any case it makes sense to compare different devices by TCO for a specific usage scenario - real or typical.

Strength

And the last characteristic is the strength of the solution. In most cases, strength can only be assessed qualitatively, by comparing different solutions. We must remember that encryption devices are not only a means of protection, but also an object of protection. They can be exposed to various threats. At the forefront are the threats of breach of confidentiality and of message forgery and modification. These threats can be realized through vulnerabilities of the cipher or of its individual modes, and through vulnerabilities in the encryption protocols (including at the stages of connection establishment and key generation/distribution). The advantage will go to solutions that allow the encryption algorithm to be changed or the cipher mode to be switched (at least through a firmware update), to solutions that provide the most complete encryption, hiding from the attacker not only user data but also addresses and other service information, and to technical solutions that not only encrypt, but also protect messages from forgery and modification. For all modern algorithms for encryption, electronic signature, key generation, and so on that are enshrined in standards, the strength can be assumed to be the same (otherwise you can simply get lost in the jungle of cryptography). Must these be GOST algorithms? Everything is simple here: if the usage scenario requires FSB certification for CIPF (and in Russia this is most often the case; for most network encryption scenarios this is true), then we choose only among the certified ones. If not, then there is no point in excluding devices without certificates from consideration.

Another threat is the threat of hacking, of unauthorized access to the devices (including through physical access outside and inside the enclosure). The threat can be realized through vulnerabilities in the implementation - in the hardware and in the code. Therefore, the advantage will go to solutions with a minimal "attack surface" over the network, with enclosures protected against physical access (with intrusion sensors, protection against probing and automatic erasure of key information when the enclosure is opened), and to those that allow firmware updates in case a vulnerability in the code becomes known. There is another way: if all the devices being compared have FSB certificates, then the CIPF class for which the certificate was issued can be considered an indicator of resistance to hacking.

Finally, another type of threat is errors during setup and operation, the human factor in its purest form. This shows another advantage of specialized encryptors over converged solutions, which are often aimed at seasoned "network specialists" and can cause difficulties for "ordinary", general-profile information security specialists.

Summing up

In principle, it would be possible to propose here some kind of integral indicator for comparing different devices, something like

$$K_j=\sum p_i r_{ij}$$

where p is the weight of the indicator and r is the rank of the device according to this indicator, and any of the characteristics listed above can be broken down into "atomic" indicators. Such a formula could be useful, for example, when comparing tender proposals according to rules agreed in advance. But you can get by with a simple table like

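| Characteristic             | Device 1 | Device 2 | ... | Device N |
|----------------------------|----------|----------|-----|----------|
| Throughput                 | +        | +        |     | +++      |
| Overhead                   | +        | ++       |     | +++      |
| Latency                    | +        | +        |     | ++       |
| Scalability                | +++      | +        |     | +++      |
| Flexibility                | +++      | ++       |     | +        |
| Interoperability           | ++       | +        |     | +        |
| Compatibility              | ++       | ++       |     | +++      |
| Simplicity and convenience | +        | +        |     | ++       |
| Fault tolerance            | +++      | +++      |     | ++       |
| Cost                       | ++       | +++      |     | +        |
| Strength                   | ++       | ++       |     | +++      |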

I will be happy to answer questions and constructive criticism.

Source: www.habr.com
