How to reconcile GOST R 57580 with container virtualization. The Central Bank's answer (and our thoughts on it)

Recently we once again audited compliance with the requirements of GOST R 57580 (hereinafter, GOST). The customer is a company that develops an electronic payment system. The system is large: more than 3 million users, over 200 every day. Information security is taken very seriously there.

During the audit, the customer casually mentioned that the development department, in addition to virtual machines, plans to use containers. But, the customer added, there is one problem: GOST says nothing about Docker itself. What to do? How to audit container security?


It is true: GOST covers only hardware virtualization, that is, how to protect virtual machines, the hypervisor and the server. We asked the Central Bank for clarification. Its answer puzzled us.

GOST and virtualization

First, let us recall that GOST R 57580 is a new standard that sets out "requirements for ensuring the information security of financial organizations" (FIs). These FIs include operators of and participants in payment systems, credit and non-credit organizations, operational and clearing centers.

Starting January 1, 2021, FIs are required to audit their compliance with the new GOST. We, ITGLOBAL.COM, are an auditing company that performs such audits.

GOST has a small subsection devoted to protecting virtualized environments: No. 7.8. The word "virtualization" is not qualified there; there is no division into hardware and container virtualization. Any IT specialist would say that from a technical standpoint this is inaccurate: a virtual machine (VM) and a container are different environments with different isolation principles. From the point of view of the exposure of the host on which VMs and Docker containers are deployed, this is also a big difference.

It follows that the information security audit of VMs and of containers should also differ.

Our questions to the Central Bank

We sent them to the Information Security Department of the Central Bank (the questions are given in abbreviated form).

  1. How should Docker-type virtual containers be taken into account when auditing GOST compliance? Is it correct to assess this technology under subsection 7.8 of GOST?
  2. How should virtual container management tools be audited? Can they be equated with server virtualization components and assessed under the same subsection of GOST?
  3. Is it necessary to separately audit information security inside Docker containers? If so, which protection measures should be considered during the audit?
  4. If containerization is equated with virtual infrastructure and assessed under subsection 7.8, how are the GOST requirements for deploying dedicated information security tools to be implemented?

The Central Bank's answer

Below are the main excerpts.

"GOST R 57580.1-2017 establishes requirements for ensuring protection when using virtualization technologies in accordance with the information protection (ZI) measures of subsection 7.8 of GOST R 57580.1-2017, which, in the Department's opinion, can be extended to cases of using container technologies, taking into account the following:

  • the implementation of measures ZSV.1 - ZSV.11 for organizing identification, authentication and authorization (access control) when granting logical access to virtual machines and server virtualization components may differ in cases where container virtualization technology is used. Given this, in order to implement a number of measures (for example, ZVS.6 and ZVS.7), we believe it is possible to recommend that financial organizations develop compensating measures that pursue the same goals;
  • the implementation of measures ZSV.13 - ZSV.22 for organizing and controlling the information interaction of virtual machines provides for segmentation of the financial organization's computer network in order to separate informatization objects that implement virtualization technology and belong to different security contours. Given this, we believe it is necessary to provide for appropriate segmentation when using container virtualization technology (both with respect to the containers being executed and with respect to the operating systems of the container management systems);
  • the implementation of measures ZSV.26, ZSV.29 - ZSV.31 for organizing the protection of virtual machine images should be carried out by analogy, also with respect to protecting base and current container images;
  • the implementation of measures ZVS.32 - ZVS.43 for recording information security events related to access to virtual machines and server virtualization components should also be carried out by analogy with respect to elements of the virtualization environment that implement container virtualization technology."

What this means

Two main conclusions follow from the answer of the Central Bank's Information Security Department:

  • measures to protect containers are no different from measures to protect virtual machines;
  • it follows that, in terms of information security, the Central Bank equates the two types of virtualization: Docker containers and VMs.

The answer also mentions "compensating measures" that should be applied to neutralize threats. It is unclear what these "compensating measures" are and how to measure their adequacy, completeness and effectiveness.

What is wrong with the Central Bank's position?

If you apply the Central Bank's recommendations during an audit (and during self-assessment), you will have to resolve a number of technical and logical difficulties.

  • Each running container would require information protection tools (SZI) to be installed on it: antivirus, integrity monitoring, log handling, DLP (Data Leak Prevention) systems, and so on. All of this can be installed on a VM without any problem, but in the case of a container, installing SZI is an absurd step. A container carries the minimum "body kit" needed for the service to run. Installing SZI inside it contradicts its very purpose.
  • Container images must be protected on the same principle; how to implement this is also unclear.
  • GOST requires restricting access to server virtualization components, that is, to the hypervisor. What counts as a server component in the case of Docker? Doesn't this imply that each container must run on a dedicated host?
  • If in classical virtualization it is possible to delimit VMs by security contour and network segment, then for Docker containers sitting on the same host this is not the case.

In practice, it is likely that each auditor will assess container security in their own way, based on their knowledge and experience. Or not assess it at all, if they have neither.

To this we add that, starting January 1, 2021, the minimum score must not be lower than 0.7.

By the way, we regularly publish regulators' answers and comments on the requirements of GOST 57580 and Central Bank regulations on our Telegram channel.

What to do

In our opinion, financial organizations have only two ways to solve the problem.

1. Avoid using containers

A solution for those who are ready to limit themselves to hardware virtualization and at the same time fear low scores under GOST and fines from the Central Bank.

Plus: it is easier to comply with the requirements of subsection 7.8 of GOST.

Minus: you have to give up new development tools based on container virtualization, in particular Docker and Kubernetes.

2. Refuse to comply with the requirements of subsection 7.8 of GOST

But at the same time apply best practices for ensuring information security when working with containers. This is the solution for those who value new technologies and the opportunities they provide. By "best practices" we mean industry-accepted approaches to securing Docker containers:

  • hardening the host OS, properly configured logging, prohibiting data exchange between containers, and so on;
  • using the Docker Content Trust feature to verify image integrity, and using the built-in vulnerability scanner;
  • not forgetting protection of the remote and network interfaces: attacks such as ARP spoofing and MAC flooding have not gone away.
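As an added illustration (not code from the article or from ITGLOBAL.COM), the Python snippet below places a permissive Docker daemon.json beside a hardened one and audits the settings the list above touches: traffic between containers, log forwarding, privilege restriction, plus the environment variable that enforces Docker Content Trust on pulls. Both configurations are constructed samples, and the SIEM address is a placeholder.

```python
import json
import os

# Constructed sample: a permissive daemon.json of the kind a development team
# might ship unchanged. Absent keys fall back to Docker's defaults.
WEAK_DAEMON_JSON = json.dumps({
    "icc": True,                 # containers on the default bridge may talk freely
    "log-driver": "json-file",   # logs stay on the host in local files
    "userns-remap": "",          # container root == host root
})

# Constructed sample: the hardened variant implied by the best-practice list.
HARDENED_DAEMON_JSON = json.dumps({
    "icc": False,                # no default-bridge traffic between containers
    "no-new-privileges": True,   # setuid binaries cannot raise privileges
    "userns-remap": "default",   # root inside a container is unprivileged on host
    "log-driver": "syslog",      # forward container logs off the host
    "log-opts": {"syslog-address": "tcp://siem.example.internal:514"},  # placeholder
})


def audit_daemon_config(raw_json: str) -> list:
    """Return findings for daemon.json settings; empty list means nothing to report."""
    cfg = json.loads(raw_json)
    findings = []
    # Docker treats a missing "icc" key as True, so the default is the weak case.
    if cfg.get("icc", True):
        findings.append("icc: containers on the default bridge can exchange data")
    if not cfg.get("no-new-privileges", False):
        findings.append("no-new-privileges: privilege escalation inside containers not blocked")
    if not cfg.get("userns-remap"):
        findings.append("userns-remap: container root maps to host root")
    if cfg.get("log-driver", "json-file") == "json-file":
        findings.append("log-driver: logs kept locally, not forwarded to a SIEM")
    return findings


def content_trust_enabled(environ=None) -> bool:
    """Docker Content Trust is enforced for image pulls only when this is set to '1'."""
    env = os.environ if environ is None else environ
    return env.get("DOCKER_CONTENT_TRUST") == "1"


if __name__ == "__main__":
    for name, raw in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(raw))
    print("content trust:", content_trust_enabled())
```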

Plus: no technical restrictions on using container virtualization.

Minus: there is a high probability that the regulator will penalize non-compliance with GOST requirements.

Conclusion

Our customer decided not to abandon containers. At the same time, they had to reconsider the scope of work and the timeline for migrating to Docker (it took six months). The customer understands the risks. They also understand that in the next GOST R 57580 compliance audit much will depend on the auditor.

What would you do in this situation?

Source: www.habr.com
