How to take control of your network infrastructure. Chapter three. Network security. Part one

This article is the third in the series "How to take control of your network infrastructure." The table of contents for the whole series, with links, can be found here.


There is no point in talking about eliminating security risks completely. In practice we cannot reduce them to zero. We also have to understand that the harder we try to make the network secure, the more expensive our solutions become. You need to find the trade-off between cost, complexity and security that makes sense for your particular network.

Of course, security design is part of the overall architecture, and the security solutions you choose affect scalability, reliability, manageability, ...

But let me remind you that we are not talking about designing a network now. According to our initial conditions, the design has already been chosen, the equipment has been selected and the infrastructure has been built, and at this stage we should, as far as possible, "live with" the approach chosen earlier and look for solutions within it.

Our task now is to identify the risks associated with network security and reduce them to an acceptable level.

Network security audit

If your organization has implemented ISO 27k processes, then security audits and network changes should fit naturally into the overall processes of that framework. But those standards say nothing about specific solutions, nothing about configuration, nothing about design ... There are no clear recommendations, no standards that spell out in detail what your network should look like; that is both the difficulty and the beauty of this task.

I would single out several kinds of network security audit:

  • equipment configuration audit (hardening)
  • security design audit
  • access audit
  • process audit

Equipment configuration audit (hardening)

In most cases this is probably the best starting point for auditing and improving the security of your network. IMHO, it is a good illustration of the Pareto principle (20% of the effort produces 80% of the result, and the remaining 80% of the effort produces only 20% of the result).

The point is that vendors usually publish recommendations on security "best practices" for configuring their equipment. This is called "hardening".

You can also often find a questionnaire (or write one yourself) based on these recommendations, which helps you determine how closely your equipment configuration follows these "best practices" and, depending on the result, make changes to your network. This lets you reduce security risks substantially and quite easily, at practically no cost.

A few examples for Cisco operating systems:

  • Cisco IOS Configuration Hardening
  • Cisco IOS-XR Configuration Hardening
  • Cisco NX-OS Configuration Hardening
  • Cisco Baseline Security Check List

Based on these documents, a list of configuration requirements can be drawn up for each type of equipment. For example, for a Cisco N7K VDC these requirements might look like this.

In this way, configuration templates can be created for the different types of active equipment in your network. Then, manually or with automation, you can "load" these configuration files onto the devices. How to automate this process will be discussed in detail in other articles on orchestration and automation.
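As an illustration of the questionnaire idea, here is a small configuration-compliance checker added for this article (it is not code from the original post or from Cisco). The checklist rules, their identifiers and the sample running-config excerpt are all constructed for the example; a real checklist would be derived from the hardening guides linked above.

```python
import re

# Constructed sample of an IOS running-config excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
service password-encryption
no service pad
ip http server
ip domain-name example.internal
line vty 0 4
 transport input telnet ssh
 exec-timeout 30 0
!
snmp-server community public RO
"""

# Hypothetical hardening checklist modelled on typical vendor guidance:
# (rule id, description, regex applied per config line, whether a match is required).
RULES = [
    ("H01", "passwords stored encrypted", r"^service password-encryption$", True),
    ("H02", "HTTP management server disabled", r"^ip http server$", False),
    ("H03", "VTY lines accept SSH only", r"^ transport input ssh$", True),
    ("H04", "VTY exec timeout configured", r"^ exec-timeout \d+ \d+$", True),
    ("H05", "no default SNMP community", r"^snmp-server community (public|private)\b", False),
]

def audit_config(config):
    """Return {rule_id: 'PASS' | 'FAIL'} for every rule in RULES."""
    results = {}
    for rule_id, _desc, pattern, must_match in RULES:
        matched = re.search(pattern, config, re.MULTILINE) is not None
        results[rule_id] = "PASS" if matched == must_match else "FAIL"
    return results

def failed_rules(config):
    """Descriptions of the rules the configuration violates, in checklist order."""
    results = audit_config(config)
    return [desc for rule_id, desc, _p, _m in RULES if results[rule_id] == "FAIL"]

if __name__ == "__main__":
    verdicts = audit_config(SAMPLE_CONFIG)
    for rule_id, desc, _p, _m in RULES:
        print(f"{rule_id} {verdicts[rule_id]:4} {desc}")
    print(f"{len(failed_rules(SAMPLE_CONFIG))} of {len(RULES)} checks failed")
```

The sample fails three of the five checks (telnet still enabled on the VTY lines, the HTTP server left on, and a default SNMP community), which is exactly the kind of finding a hardening questionnaire is meant to surface.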

Security design audit

An enterprise network usually contains the following segments in one form or another:

  • DC (public services DMZ and intranet data center)
  • Internet access
  • Remote access VPN
  • WAN edge
  • Branches
  • Campus (office)
  • Core

The names are taken from the Cisco SAFE model, but there is no need, of course, to tie yourself to exactly these names or to this model. Still, I want to talk about the substance and not get bogged down in formalities.

For each of these segments the security requirements, the risks and, accordingly, the solutions will be different.

Let's look at each of them separately and at the problems you may run into from a security design point of view. Of course, I repeat once more that this article in no way claims to be complete, which would be hard (if not impossible) to achieve in such a deep and multifaceted topic, but it reflects my own experience.

There is no perfect solution (at least not yet). It is always a compromise. But it is important that the decision to use one approach or another is made consciously, with an understanding of its pros and cons.

Data Center

The most critical segment from a security point of view.
And, as usual, there is no universal solution here either. Everything depends heavily on the requirements placed on the network.

Is a firewall needed or not?

It would seem that the answer is obvious, but not everything is as clear as it might appear. And your choice may be influenced by more than just price.

Example 1. Latency.

If low latency is an essential requirement between certain network segments, which is true, for example, of an exchange, then we will not be able to use firewalls between those segments. It is hard to find studies on firewall latency, but few switch models can provide latency below or on the order of 1 microsecond, so I think that if microseconds matter to you, then firewalls are not for you.

Example 2. Performance.

The throughput of high-end L3 switches is usually an order of magnitude higher than the throughput of the most powerful firewalls. Therefore, in the case of high-intensity traffic, you will most likely also have to let this traffic bypass the firewalls.

Example 3. Reliability

Firewalls, especially modern NGFWs (Next-Generation Firewalls), are complex devices. They are far more complex than L3/L2 switches. They provide a large number of services and configuration options, so it is not surprising that their reliability is considerably lower. If service continuity is critical for the network, then you may have to choose what will give better availability: security with a firewall, or the simplicity of a network built on switches (or fabrics of various kinds) using ordinary ACLs.

In the case of the examples above, you will most likely (as usual) have to find a compromise. Consider the following options:

  • if you have decided not to use firewalls inside the data center, then you need to think about how to restrict access at the perimeter as much as possible. For example, you can open only the necessary ports from the Internet (for client traffic) and allow administrative access to the data center only from jump hosts. On the jump hosts, perform all the necessary checks (authentication/authorization, antivirus, logging, ...)
  • you can use a logical partitioning of the data center network into segments, similar to the scheme described in PSEFABRIC example p002. In this case, routing must be configured so that latency-sensitive or high-intensity traffic stays "inside" one segment (in the case of p002, a VRF) and does not pass through the firewall. Traffic between different segments will continue to pass through the firewall. You can also use route leaking between VRFs to avoid sending traffic through the firewall
  • you can also use a firewall in transparent mode, and only for those VLANs where these factors (latency/performance) are not critical. But you need to study carefully the restrictions associated with this mode for each vendor
  • you may want to consider a service chain architecture. It allows only the necessary traffic to pass through the firewall. It looks nice in theory, but I have never seen this solution in production. We tested a Cisco ACI/Juniper SRX/F5 LTM service chain about 3 years ago, but at that time the solution looked "raw" to us.

Level of protection

Now you need to answer the question of which tools you want to use to filter traffic. Here are some of the features usually present in an NGFW (for example, here):

  • firewalling (stateful)
  • application firewalling
  • threat prevention (antivirus, anti-spyware and vulnerability protection)
  • URL filtering
  • data filtering (content filtering)
  • file blocking (blocking by file type)
  • DoS protection

And here, too, not everything is clear-cut. It would seem that the higher the level of protection, the better. But you also need to take into account that

  • the more of the above firewall features you use, the more expensive it naturally becomes (licenses, additional modules)
  • using some of these algorithms can significantly reduce firewall throughput and also increase latency, see for example here
  • like any complex solution, the use of complex protection methods can reduce the reliability of your solution; for example, when using application firewalling I have run into blocking of quite ordinary working applications (dns, smb)

As always, you need to find the best solution for your network.

It is impossible to answer definitively which protection functions will be needed. Firstly, because it depends on the data you transmit or store and are trying to protect. Secondly, in reality the choice of security tools is often a matter of faith and trust in the vendor. You do not know the algorithms, you do not know how effective they are, and you cannot fully test them.

Therefore, in critical segments, a good solution may be to use products from different companies. For example, you can enable antivirus on the firewall, but also use antivirus protection (from a different vendor) locally on the hosts.

Segmentation

We are talking about the logical segmentation of the data center network. For example, partitioning into VLANs and subnets is also logical segmentation, but we will not consider it because it is so obvious. More interesting is segmentation based on entities such as FW security zones, VRFs (and their equivalents at different vendors), logical devices (PA VSYS, Cisco N7K VDC, Cisco ACI Tenant, ...), ...

An example of such logical segmentation, and of the data center design currently in demand, is given in p002 of the PSEFABRIC project.

Having defined the logical parts of your network, you can then describe how traffic moves between the different segments, on which devices filtering is performed, and by what means.

If your network has no clear logical partitioning and the rules for applying security policies to the different data flows are not formalized, this means that every time you open this or that access you are forced to solve the problem from scratch, and most likely you will solve it differently every time.

Often segmentation is based only on FW security zones. Then you need to answer the following questions:

  • which security zones do you need
  • what level of protection do you want to apply to each of these zones
  • will intra-zone traffic be allowed by default?
  • if not, which traffic filtering policies will be applied within each zone
  • which traffic filtering policies will be applied to each pair of zones (source/destination)
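The answers to those questions can be written down as a small zone model that is checked rather than remembered. The example below is added for this article (it is not from the original post, PSEFABRIC or any vendor); the zone names, prefixes and policies are constructed, and it deliberately denies any zone pair the design has not documented.

```python
import ipaddress

# Constructed zone model for a small data center (assumed for this example).
ZONES = {
    "dmz":  [ipaddress.ip_network("203.0.113.0/24")],
    "app":  [ipaddress.ip_network("10.10.0.0/16")],
    "db":   [ipaddress.ip_network("10.20.0.0/16")],
    "mgmt": [ipaddress.ip_network("10.99.0.0/24")],
}

# Answer to "is intra-zone traffic allowed by default?" for each zone.
INTRAZONE_DEFAULT = {"dmz": False, "app": True, "db": False, "mgmt": True}

# Inter-zone policy: (src_zone, dst_zone) -> allowed (protocol, port) tuples.
# A pair absent from this table has no documented policy and is therefore denied.
POLICIES = {
    ("dmz", "app"):  [("tcp", 8443)],
    ("app", "db"):   [("tcp", 5432)],
    ("mgmt", "dmz"): [("tcp", 22)],
    ("mgmt", "app"): [("tcp", 22)],
    ("mgmt", "db"):  [("tcp", 22)],
}

def zone_of(ip):
    """Name of the zone whose prefixes contain `ip`, or None if unassigned."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return None

def evaluate(src_ip, dst_ip, proto, port):
    """Decide 'allow' or 'deny' for one flow using the zone model above."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny"            # addresses outside every zone never pass
    if src == dst:
        return "allow" if INTRAZONE_DEFAULT[src] else "deny"
    return "allow" if (proto, port) in POLICIES.get((src, dst), []) else "deny"

def undocumented_pairs():
    """Zone pairs (src, dst) for which the design gives no explicit policy."""
    return sorted((s, d) for s in ZONES for d in ZONES
                  if s != d and (s, d) not in POLICIES)

if __name__ == "__main__":
    print(evaluate("203.0.113.10", "10.10.1.5", "tcp", 8443))   # allow
    print(evaluate("203.0.113.10", "10.20.1.5", "tcp", 5432))   # deny: dmz may not reach db
    print(undocumented_pairs())                                  # 7 pairs still to be decided
```

`undocumented_pairs()` is the audit part: every pair it lists is a question from the list above that the design has not yet answered.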

TCAM

A common problem is insufficient TCAM (Ternary Content Addressable Memory), both for routing and for access control. IMHO, this is one of the most important issues when choosing equipment, so you need to treat it with due care.

Example 1. Forwarding Table TCAM.

Let's look at the Palo Alto 7k firewall.
We see that the IPv4 forwarding table size* = 32K.
Moreover, this number of routes is shared by all VSYS.

Let's assume that according to your design you have decided to use 4 VSYS.
Each of these VSYS is connected via BGP to two MPLS PEs of the cloud that you use as a backbone (BB). Thus the 4 VSYS exchange all specific routes with each other and end up with forwarding tables containing roughly the same sets of routes (but with different next hops). Since each VSYS has 2 BGP sessions (with identical settings), every route received via MPLS has 2 next hops and, accordingly, 2 FIB entries in the Forwarding Table. If we assume that this is the only firewall in the data center and it must know about all routes, then this means that the total number of routes in our data center cannot exceed 32K / (4 * 2) = 4K.

Now, if we assume that we have 2 data centers (with the same design), and we want to use VLANs "stretched" between the data centers (for example, for vMotion), then to solve the routing problem we have to use host routes. But this means that for the 2 data centers we will have no more than 4096 hosts and, of course, this may not be enough.

Example 2. ACL TCAM.

If you plan to filter traffic on L3 switches (or on other solutions that use L3 switches, for example Cisco ACI), then when choosing equipment you should pay attention to the ACL TCAM.

Suppose you want to control access on the SVI interfaces of a Cisco Catalyst 4500. Then, as can be seen from this article, to control outgoing (as well as incoming) traffic on interfaces you can use only 4096 TCAM lines. Which, when using TCAM3, gives you about 4000 thousand ACEs (ACL lines).

If you run into the problem of insufficient TCAM, then first of all you should consider the possibility of optimization. So, in the case of a problem with the size of the Forwarding Table, you should consider the possibility of route aggregation. In the case of a problem with the size of the ACL TCAM, audit the accesses, remove obsolete and overlapping entries, and perhaps revise the procedure for opening accesses (this will be discussed in detail in the chapter on access auditing).
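Finding the overlapping entries mentioned above can be automated. The example below is added for this article (it is not from the original post or from any vendor tool) and assumes a simplified ACE format: an action, a protocol, source and destination prefixes, and a single destination port or None; the ACL itself is constructed. With first-match semantics, an ACE fully covered by an earlier ACE never matches, so it can be removed without changing behaviour and its TCAM line is recovered.

```python
import ipaddress

# Constructed ACL in evaluation order: (action, protocol, src_prefix, dst_prefix, dst_port).
# "ip" matches any protocol; a port of None matches any port.
ACL = [
    ("permit", "tcp", "10.1.0.0/16", "10.2.0.0/24", 443),
    ("permit", "tcp", "10.1.5.0/24", "10.2.0.0/24", 443),   # covered by entry 0, same action
    ("deny",   "ip",  "10.1.0.0/16", "10.3.0.0/24", None),
    ("permit", "tcp", "10.1.9.0/24", "10.3.0.0/24", 22),    # covered by entry 2, other action
    ("permit", "udp", "10.4.0.0/16", "10.2.0.0/24", 53),
]

def covers(earlier, later):
    """True when every packet that matches `later` also matches `earlier`."""
    _a_act, a_proto, a_src, a_dst, a_port = earlier
    _b_act, b_proto, b_src, b_dst, b_port = later
    proto_ok = a_proto == "ip" or a_proto == b_proto
    port_ok = a_port is None or a_port == b_port
    src_ok = ipaddress.ip_network(b_src).subnet_of(ipaddress.ip_network(a_src))
    dst_ok = ipaddress.ip_network(b_dst).subnet_of(ipaddress.ip_network(a_dst))
    return proto_ok and port_ok and src_ok and dst_ok

def find_dead_entries(acl):
    """Map index -> 'redundant' (same action as the covering ACE) or 'shadowed' (different action)."""
    dead = {}
    for j, later in enumerate(acl):
        for i in range(j):                     # only earlier entries can hide a later one
            if covers(acl[i], later):
                dead[j] = "redundant" if acl[i][0] == later[0] else "shadowed"
                break
    return dead

def compact(acl):
    """The ACL with every dead entry removed; matching behaviour is unchanged."""
    dead = find_dead_entries(acl)
    return [ace for k, ace in enumerate(acl) if k not in dead]

if __name__ == "__main__":
    for index, reason in find_dead_entries(ACL).items():
        print(f"entry {index} is {reason}: {ACL[index]}")
    print(f"{len(ACL)} ACEs before, {len(compact(ACL))} after")
```

Shadowed entries deserve a second look before deletion: a permit hidden behind an earlier deny is often a sign that someone opened an access that never actually worked.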

High Availability

The question is: should you use HA for firewalls, or install two independent boxes "in parallel" and, if one of them fails, route traffic through the second?

It would seem that the answer is obvious: use HA. The reason the question still arises is that, unfortunately, the theoretical and advertised 99 and several nines percent of availability turn out in practice to be far from so rosy. HA is logically a rather complex thing, and on different equipment and with different vendors (there were no exceptions) we ran into problems, bugs and service outages.

If you use HA, you get the ability to take individual nodes out of service and switch between them without interrupting the service, which is important, for example, during upgrades, but at the same time you have a far from zero probability that both nodes will break at the same time, and also that the next upgrade will not go as smoothly as the vendor promises (this problem can be avoided if you have the opportunity to test the upgrade on lab equipment).

If you do not use HA, then from the point of view of a double failure your risks are much lower (since you have 2 independent firewalls), but since ... the sessions are not synchronized, every time you switch between these firewalls you will lose traffic. You can, of course, use stateless firewalling, but then the point of using a firewall is largely lost.

Therefore, if as a result of the audit you have found lonely firewalls and you are thinking about increasing the reliability of your network, then HA is, of course, one of the recommended solutions, but you should also take into account the disadvantages associated with this approach, and perhaps, specifically for your network, another solution will be more suitable.

Manageability

In fact, HA is also about manageability. Instead of configuring 2 boxes separately and dealing with the problem of keeping their configurations in sync, you manage them as if you had a single device.

But perhaps you have many data centers and many firewalls, and then this question arises at a new level. And the question is not only about configuration, but also about

  • backups
  • updates
  • upgrades
  • monitoring
  • logging

And all of this can be solved by centralized management systems.

For example, if you use Palo Alto firewalls, then Panorama is such a solution.

To be continued.

Source: www.habr.com
