How to take control of your network infrastructure. Chapter three. Network security. Part three

This article is the fifth in the series "How to take control of your network infrastructure." The contents of all articles in the series and the links to them can be found here.

This part is devoted to the Campus (Office) and Remote Access VPN segments.

Office network design may seem simple.

Indeed, we take L2/L3 switches and connect them to each other. Then we do the basic configuration of VLANs and default gateways, set up simple routing, connect WiFi controllers and access points, install and configure an ASA for remote access, and we are happy that everything works. Basically, as I already wrote in one of the previous articles of this series, almost any student who has attended (and learned from) two semesters of a telecom course can design and configure an office network so that it "somehow works."

But the more you learn, the less simple this task begins to look. Personally, the topic of office network design does not seem simple to me at all, and in this article I will try to explain why.

In short, there are quite a few factors to consider. Often these factors conflict with each other and a reasonable compromise has to be found.
This uncertainty is the main difficulty. So, speaking about security, we have a triangle with three vertices: security, convenience for employees, and cost of the solution.
And each time you have to look for a compromise between the three.

Architecture

As an example of the architecture of these two segments, as in previous articles, I recommend the Cisco SAFE model: Enterprise Campus, Enterprise Internet Edge.

These are somewhat outdated documents. I present them here because the basic schemes and the approach have not changed, and at the same time I like the presentation more than that of the newer documentation.

Without encouraging you to use Cisco solutions, I still think it is useful to study this design carefully.

This article, as usual, does not pretend to be complete, but is rather a supplement to this information.

At the end of the article we will analyze the Cisco SAFE office design from the point of view of the concepts described here.

General principles

Office network design must, of course, satisfy the general requirements discussed here in the chapter "Criteria for assessing design quality." Apart from cost and security, which we intend to discuss in this article, there are three more criteria we have to consider when designing (or making changes):

  • scalability
  • ease of use (manageability)
  • availability

Much of what was discussed for the data center also applies to the office.

But still, the office segment has its own specifics, which are critical from a security point of view. The essence of these specifics is that this segment is created to provide network services to the employees (as well as partners and guests) of the company, and, as a result, at the highest level of consideration we have two tasks:

  • protect company resources from malicious actions that may come from employees (guests, partners) and from the software they use. This also includes protection against unauthorized connection to the network.
  • protect the systems and data of the users

And this is only one side of the problem (or rather, one vertex of the triangle). On the other side are user convenience and the cost of the solutions used.

Let's start by looking at what a user expects from a modern office network.

Conveniences

Here is what, in my opinion, "network conveniences" look like for an office user:

  • Mobility
  • The ability to use the full range of familiar devices and operating systems
  • Easy access to all necessary company resources
  • Availability of Internet resources, including various cloud services
  • "Fast operation" of the network

All this applies to both employees and guests (or partners), and it is the task of the company's engineers to differentiate access for different user groups based on authorization.

Let's look at each of these aspects in more detail.

Mobility

We are talking about the ability to work and use all the necessary company resources from anywhere in the world (of course, where the Internet is available).

This fully applies to the office. It is convenient when you can continue working from anywhere in the office, for example, receive mail, communicate in the corporate messenger, be available for a video call, and so on. This allows you, on the one hand, to solve some issues in "live" communication (for example, take part in meetings), and on the other hand, to always be online, keep your finger on the pulse and quickly resolve urgent high-priority tasks. This is very convenient and really improves the quality of communications.

This is achieved by proper WiFi network design.

Note

Here the question usually arises: is it enough to use only WiFi? Does this mean that you can stop using Ethernet ports in the office? If we are talking only about users, and not about servers, which it is still reasonable to connect to a regular Ethernet port, then in general the answer is: yes, you can limit yourself to WiFi only. But there are nuances.

There are important user groups that require a separate approach. These are, of course, the administrators. In principle, a WiFi connection is less reliable (in terms of traffic loss) and slower than a regular Ethernet port. This can be significant for administrators. In addition, network administrators, for example, may have their own dedicated Ethernet network for out-of-band connections.

There may be other groups/departments in your company for whom these factors are also important.

There is one more important point: telephony. Perhaps for some reason you do not want to use Wireless VoIP and want to use IP phones with a regular Ethernet connection.

In general, the companies I worked for usually had both WiFi connectivity and an Ethernet port.

I would like mobility not to be limited to the office only.

To ensure the ability to work from home (or any other place with Internet access), a VPN connection is used. At the same time, it is desirable that employees do not feel the difference between working from the office and working remotely, which assumes the same access. We will discuss how to organize this a little later in the chapter "Unified centralized authentication and authorization system."

Note

Of course, you cannot provide the same quality of service for remote work that you have in the office. Suppose you use a Cisco ASA 5520 as your VPN gateway; according to the data sheet, this device can "digest" only 225 Mbit of VPN traffic. So, in terms of bandwidth, connecting via VPN is very different from working from the office. Also, if for some reason latency, loss and jitter matter for your network services (for example, you want to use office IP telephony), you will not get the same quality as if you were in the office. Therefore, speaking about mobility, we must be aware of the possible limitations.

Easy access to all company resources

This task must be solved jointly with other technical departments.
The ideal situation is when the user needs to authenticate only once, and after that has access to all necessary resources.
Providing easy access without sacrificing security can significantly increase productivity and reduce stress among your colleagues.

Note 1

Ease of access is not only about how many times you have to enter a password. If, for example, according to your security policy, to connect from the office to the data center you must first connect to a VPN gateway, and at the same time you lose access to office resources, then this is also very, very inconvenient.

Note 2

There are services (for example, access to network equipment) where we usually have our own dedicated AAA servers, and it is normal that in this case we have to authenticate several times.

Availability of Internet resources

The Internet is not only entertainment, but also a set of services that can be very useful for work. There are also purely psychological factors. A modern person is connected with other people through many virtual threads on the Internet, and, in my opinion, there is nothing wrong if he continues to feel this connection even while working.

From the point of view of wasting time, there is nothing wrong if an employee, for example, has Skype running and spends 5 minutes talking to a loved one when necessary.

Does this mean that the Internet should always be available, that employees can have access to all resources and that we should not control this in any way?

No, it does not mean that, of course. The level of openness of the Internet can vary between companies, from complete closure to complete openness. We will discuss ways to control traffic later in the sections on security measures.

The ability to use the full range of familiar devices

It is convenient when, for example, you have the opportunity to continue using all the means of communication you are used to at work. There is no difficulty in implementing this technically. For this you need WiFi and a guest VLAN.

It is also good if you have the opportunity to use the operating system you are used to. But, in my observation, this is usually allowed only for managers, administrators and developers.

Example:

You can, of course, follow the path of prohibitions: prohibit remote access, prohibit connecting from mobile devices, limit everything to static Ethernet connections, limit Internet access, mandatorily confiscate mobile phones and gadgets at the entrance... This path is actually followed by some organizations with increased security requirements, and perhaps in some cases it is justified, but... you must agree that it looks like an attempt to stop progress in a single organization. Of course, I would like to combine the opportunities that modern technologies provide with a sufficient level of security.

"Fast operation" of the network

Data transfer speed technically consists of many factors. And the speed of your connection port is usually not the most important one. Slow operation of an application is not always associated with network problems, but for now we are interested only in the network part. The most common network "slowdown" problem is related to packet loss. This usually happens when there is a bottleneck or an L1 (OSI) problem. More rarely, with some designs (for example, when your subnets have a firewall as the default gateway and thus all traffic passes through it), the hardware performance may be insufficient.

Therefore, when choosing equipment and architecture, you need to correlate port speeds, trunk speeds and equipment performance.

Example:

Suppose you use switches with 1 gigabit ports as access switches. They are connected to each other via a 2 x 10 gigabit Etherchannel. As the default gateway you use a firewall with gigabit ports, and to connect it to the L2 office network you use 2 gigabit ports combined into an Etherchannel.

This architecture is quite convenient from a functionality point of view, because all traffic passes through the firewall, and you can comfortably manage access policies and apply complex algorithms to control traffic and prevent possible attacks (see below). But from a throughput and performance point of view this design, of course, has potential problems. For example, 2 hosts downloading data (at a port speed of 1 gigabit) can completely load the 2 gigabit connection to the firewall and thus degrade service for the entire office segment.

We have looked at one vertex of the triangle; now let's look at how we can ensure security.

Means of protection

So, of course, usually our desire (or rather, the desire of our management) is to achieve the impossible, that is, to provide maximum convenience with maximum security and minimum cost.

Let's look at what methods we have to provide protection.

For the office, I would highlight the following:

  • zero trust design approach
  • high level of protection
  • network visibility
  • unified centralized authentication and authorization system
  • host checking

Next, we will dwell on each of these aspects in more detail.

Zero Trust

The IT world is changing very quickly. Literally over the past 10 years, the emergence of new technologies and products has led to a major revision of security concepts. Ten years ago, from a security point of view, we segmented the network into trust, dmz and untrust zones and used so-called "perimeter protection," where there were two lines of defense: untrust -> dmz and dmz -> trust. Also, protection was usually limited to access lists based on L3/L4 (OSI) headers (IP, TCP/UDP ports, TCP flags). Everything related to higher layers, including L7, was left to the OS and to the security products installed on the end hosts.

Now the situation has changed dramatically. The modern zero trust concept comes from the fact that it is no longer possible to consider internal systems, that is, those inside the perimeter, as trusted, and the concept of the perimeter itself has become blurred.
In addition to the Internet connection we also have

  • remote VPN users
  • various personal devices and brought-in laptops, connected via the office WiFi
  • other (branch) offices
  • integration with cloud infrastructure

What does the Zero Trust approach look like in practice?

Ideally, only the traffic that is required should be allowed and, if we are talking about the ideal, then control should be not at the L3/L4 level, but at the application level.

If, for example, you have the ability to pass all traffic through a firewall, then you can try to get close to the ideal. But this approach can significantly reduce the total bandwidth of your network, and besides, application-based filtering does not always work well.

When controlling traffic on a router or L3 switch (using standard ACLs), you encounter other problems:

  • this is L3/L4 filtering only. Nothing prevents an attacker from using a permitted port (for example TCP 80) for their own application (which is not http)
  • complex ACL management (it is difficult to reason about the ACLs)
  • this is not a stateful firewall, which means you have to explicitly allow the reverse traffic
  • on switches you are usually quite tightly limited by the size of the TCAM, which can quickly become a problem if you take the "allow only what you need" approach

Note

Speaking about reverse traffic, we must remember that we have the following option (Cisco):

permit tcp any any established

But you need to understand that this line is equivalent to two lines:
permit tcp any any ack
permit tcp any any rst

This means that even if there was no initial TCP segment with the SYN flag (that is, the TCP session never even began to be established), this ACL will permit a packet with the ACK flag, which an attacker can use to transfer data.

That is, this line does not in any way turn your router or L3 switch into a stateful firewall.
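To make the difference concrete, here is an added example (not code from the original article): a small Python model that evaluates the same inbound TCP segments against a stateless "established"-style match and against a minimal connection tracker of the kind a stateful firewall keeps. The addresses, ports and segments are constructed test data, and both checks are simplified stand-ins for what IOS and a real firewall do; the point is that the stateless match cannot distinguish an unsolicited ACK-flagged segment from a genuine reply, while the tracker can.

```python
# Added illustration, not from the original article: contrasts the stateless
# "permit tcp any any established" match with a stateful connection tracker.
# Addresses and segments below are constructed test data.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "RST", "FIN", "PSH"}


def acl_established_permits(seg: Segment) -> bool:
    """Model of the IOS 'established' keyword: it matches any TCP segment with
    ACK or RST set and keeps no memory of earlier segments, so it cannot tell a
    genuine reply from an unsolicited ACK-flagged packet."""
    return bool(seg.flags & {"ACK", "RST"})


class StatefulTracker:
    """Minimal connection table: a session is created only by a SYN leaving the
    inside; inbound segments are accepted only if they belong to a session."""

    def __init__(self) -> None:
        # (inside_host, inside_port, outside_host, outside_port)
        self.sessions: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, seg: Segment) -> bool:
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.flags == frozenset({"SYN"}):
            self.sessions.add(key)      # new session opened from the inside
            return True
        return key in self.sessions    # later outbound segments of a session

    def inbound(self, seg: Segment) -> bool:
        # A reply has the inside host as destination and the outside host as source.
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        return key in self.sessions


def compare(inbound: Iterable[Segment],
            prior_outbound: Iterable[Segment] = ()) -> List[Tuple[bool, bool]]:
    """For each inbound segment return (stateless_acl_permits, stateful_permits)."""
    tracker = StatefulTracker()
    for seg in prior_outbound:
        tracker.outbound(seg)
    return [(acl_established_permits(seg), tracker.inbound(seg)) for seg in inbound]


# Constructed scenario 1: an unsolicited ACK-only segment arriving from outside.
ROGUE_ACK = Segment("203.0.113.5", 4444, "10.0.0.10", 80, frozenset({"ACK"}))

# Constructed scenario 2: a legitimate handshake started from the inside.
CLIENT_SYN = Segment("10.0.0.10", 51000, "198.51.100.7", 443, frozenset({"SYN"}))
SERVER_SYNACK = Segment("198.51.100.7", 443, "10.0.0.10", 51000, frozenset({"SYN", "ACK"}))


if __name__ == "__main__":
    print("unsolicited ACK :", compare([ROGUE_ACK]))                    # [(True, False)]
    print("genuine reply   :", compare([SERVER_SYNACK], [CLIENT_SYN]))  # [(True, True)]
```

The first tuple element shows what the ACL decides, the second what the tracker decides. Only the second column depends on history, which is exactly the property a router ACL lacks.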

High level of protection

In the article on the data center segment, we considered the following protection methods.

  • firewalling (stateful)
  • ddos/dos protection
  • application firewalling
  • threat prevention (antivirus, anti-spyware, and vulnerability protection)
  • URL filtering
  • data filtering (content filtering)
  • file blocking (blocking by file type)

In the case of the office, the situation is similar, but the priorities are slightly different. Office availability is usually not as critical as in the case of a data center, while the probability of "internal" malicious traffic is orders of magnitude higher.
Therefore, the following protection methods become critical for this segment:

  • application firewalling
  • threat prevention (anti-virus, anti-spyware, and vulnerability protection)
  • URL filtering
  • data filtering (content filtering)
  • file blocking (blocking by file type)

Although all these protection methods, except for firewalling, have traditionally been solved, and continue to be solved, on the end hosts (for example, by installing antivirus software) and with proxies, modern NGFWs also provide these services.

Security equipment vendors strive to create comprehensive protection, so along with local protection they offer various cloud technologies and client software for hosts (endpoint protection / EPP). So, for example, from the 2018 Gartner Magic Quadrant we see that Palo Alto and Cisco have their own EPPs (PA: Traps, Cisco: AMP), but they are far from the leaders.

Enabling these protections (usually by purchasing licenses) on your firewall is not mandatory (you can go the traditional route), but it provides some advantages:

  • in this case there is a single point of application of the protection methods, which improves visibility (see the next topic).
  • if there is an unprotected device on your network, it still falls under the "umbrella" of the firewall's protection.
  • by using firewall protection together with end-host protection, we increase the probability of detecting malicious traffic. For example, using threat prevention on local hosts and on the firewall increases the probability of detection (provided, of course, that these solutions are based on different software products)

Note

If, for example, you use Kaspersky as the antivirus both on the firewall and on the end hosts, this, of course, will not greatly increase your chances of preventing a virus attack on your network.

Network visibility

The main idea is simple: "see" what is happening on your network, both in real time and historically.

I would divide this "vision" into two groups:

Group one: what your monitoring system usually provides you.

  • device load
  • link utilization
  • memory usage
  • disk usage
  • routing table changes
  • link status
  • availability of equipment (or hosts)
  • ...

Group two: security-related information.

  • various kinds of statistics (for example, by application, by URL traffic, what types of data were downloaded, user data)
  • what was blocked by security policies and for what reason, namely
    • blocked application
    • blocked based on ip/protocol/port/flags/zones
    • threat prevention
    • url filtering
    • data filtering
    • file blocking
    • ...
  • statistics on DOS/DDOS attacks
  • failed identification and authorization attempts
  • statistics for all of the above security policy violation events
  • ...

In this chapter on security, we are interested in the second part.

Some modern firewalls (from Palo Alto, for example) provide a good level of visibility. But, of course, the traffic you are interested in must pass through this firewall (in which case you also have the ability to block traffic) or be mirrored to the firewall (used only for monitoring and analysis), and you must have licenses to enable all these services.

There is, of course, an alternative, or rather the traditional, way, for example:

  • session statistics can be collected via netflow, and then special utilities can be used to analyze the information and visualize the data.
  • threat prevention: special programs (anti-virus, anti-spyware, firewall) on the end hosts
  • URL filtering, data filtering, file blocking: on a proxy
  • it is also possible to analyze a tcpdump capture using, for example, Wireshark

You can combine the two approaches, supplementing missing features or duplicating them to increase the likelihood of detecting an attack.

Which approach should you choose?
It depends greatly on the qualifications and preferences of your team.
Each has its pros and cons.

Unified centralized authentication and authorization system

When designed well, the mobility discussed in this article assumes that you have the same access whether you work from the office or from home, from the airport, from a coffee shop or anywhere else (with the limitations discussed above). It would seem, what is the problem?
To better understand the complexity of this task, let's look at a typical design.

Example:

  • You have divided all employees into groups. You decided to grant access by group
  • Inside the office, you control user access on the office firewall
  • You control traffic from the office to the data center on the data center firewall
  • You use a Cisco ASA as the VPN gateway, and to control the traffic entering your network from remote clients you use local ACLs (on the ASA)

Now, let's say you are asked to add additional access for a certain employee. In this case, you are asked to add the access only for him and for no one else in his group.

For this we have to create a separate group for this employee, that is:

  • create a separate IP pool on the ASA for this employee
  • add a new ACL on the ASA and bind it to this remote client
  • create new security policies on the office and data center firewalls

It is fine if this event is rare. But in my practice there was a situation when employees participated in different projects, this set of projects changed quite often for some of them, and it was not 1-2 people, but dozens. Clearly, something had to change here.

This was solved in the following way.

We decided that LDAP would be the only source of truth determining all possible employee accesses. We created all kinds of groups that define sets of accesses, and assigned each user to one or more groups.

For example, suppose there were the groups

  • guest (Internet access)
  • common access (access to shared resources: mail, knowledge base, ...)
  • accounting
  • project 1
  • project 2
  • database administrator
  • linux administrator
  • ...

And if one of the employees was involved in both project 1 and project 2, and needed the access required to work on these projects, then this employee was assigned to the following groups:

  • guest
  • common access
  • project 1
  • project 2

How can we now turn this knowledge into access on the network equipment?

The Cisco ASA Dynamic Access Policy (DAP) solution (www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html) is just right for this task.

Briefly about our implementation: during identification/authorization, the ASA receives from LDAP the set of groups corresponding to a given user and "assembles," from several local ACLs (each of which corresponds to a group), a dynamic ACL with all the necessary accesses, which fully corresponds to our wishes.

But this applies only to VPN connections. To make the situation the same for employees connected via VPN and for those in the office, the following step was taken.

When connecting from the office, users were placed via the 802.1x protocol either in the guest LAN (for guests) or in the shared LAN (for company employees). Then, to obtain specific access (for example, to projects in the data center), employees had to connect via VPN.

For connections from the office and from home, different tunnel groups were used on the ASA. This is necessary so that, for those connecting from the office, traffic to shared resources (used by all employees, such as mail, file servers, ticket system, dns, ...) does not go through the ASA but stays on the local network. Thus, we did not load the ASA with unnecessary traffic, including high-volume traffic.

Thus, the problem was solved.
We got

  • the same set of accesses for both connections from the office and remote connections
  • no service degradation when working from the office associated with passing high-volume traffic through the ASA

What other advantages does this approach have?
Access administration. Accesses can be easily changed in one place.
For example, if an employee leaves the company, you simply remove him from LDAP, and he automatically loses all access.
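The per-group scheme described above (one ACL fragment per directory group, assembled into an effective ACL at login, with the directory as the only source of truth) is easy to reason about when modelled in a few lines. The following is an added example, not the article's or Cisco's code: a Python stand-in for the directory and for the DAP-style assembly step. Group names, networks, users and ports are constructed, and the "guest" group is deliberately written so that it covers only non-private destinations, which is the kind of detail that a real per-group ACL has to get right.

```python
# Added illustration, not the article's or Cisco's code: models group-based
# authorization where the directory is the single source of truth and the
# effective ACL is assembled from one fragment per group (the idea behind
# ASA Dynamic Access Policy). Groups, networks and users are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

PRIVATE_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    dst: str                 # a CIDR prefix, or the marker "internet"
    dport: Optional[int]     # None means any destination port

    def matches(self, dst_ip: str, dport: int) -> bool:
        ip = ip_address(dst_ip)
        if self.dst == "internet":
            # "internet" means anything outside the private address space
            in_scope = not any(ip in net for net in PRIVATE_RANGES)
        else:
            in_scope = ip in ip_network(self.dst)
        return in_scope and (self.dport is None or self.dport == dport)


# One local ACL fragment per group (constructed example data).
GROUP_ACLS: Dict[str, List[Rule]] = {
    "guest":         [Rule("internet", 80), Rule("internet", 443)],
    "common-access": [Rule("10.10.0.0/24", 443), Rule("10.10.0.0/24", 993)],  # wiki, mail
    "project-1":     [Rule("10.20.1.0/24", None)],
    "project-2":     [Rule("10.20.2.0/24", None)],
    "db-admin":      [Rule("10.30.0.0/24", 5432)],
}

# Constructed stand-in for the LDAP directory: user -> group memberships.
DIRECTORY: Dict[str, Set[str]] = {
    "alice": {"guest", "common-access", "project-1", "project-2"},
    "bob":   {"guest", "common-access", "db-admin"},
}


def effective_acl(user: str, directory: Dict[str, Set[str]] = DIRECTORY) -> List[Rule]:
    """Assemble the dynamic ACL for a user from the fragments of every group the
    directory places them in. Unknown (or removed) users get an empty ACL."""
    return [rule
            for group in sorted(directory.get(user, set()))
            for rule in GROUP_ACLS.get(group, [])]


def is_permitted(user: str, dst_ip: str, dport: int,
                 directory: Dict[str, Set[str]] = DIRECTORY) -> bool:
    """Default deny: a flow is allowed only if some assembled rule matches it."""
    return any(rule.matches(dst_ip, dport) for rule in effective_acl(user, directory))


def offboard(user: str, directory: Dict[str, Set[str]] = DIRECTORY) -> None:
    """Removing the account from the directory revokes every access at once,
    with no per-device ACL or policy to touch."""
    directory.pop(user, None)


if __name__ == "__main__":
    print("alice -> project-1 host, ssh :", is_permitted("alice", "10.20.1.5", 22))   # True
    print("bob   -> project-1 host, ssh :", is_permitted("bob", "10.20.1.5", 22))     # False
    print("bob   -> db host, postgres   :", is_permitted("bob", "10.30.0.8", 5432))   # True
```

Granting or withdrawing a project is now a change to one group membership in the directory; nothing in `GROUP_ACLS` has to be edited per user, which is the administrative gain the text describes.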

Host checking

With the possibility of remote connection, we run the risk of letting onto the network not only a company employee, but also all the malicious software that is very likely present on his computer (for example, a home one), and moreover, through this software we may be giving an attacker access to our network using that host as a proxy.

It makes sense to apply to a remotely connected host the same security requirements as to a host in the office.

This also assumes the "correct" versions of the OS, anti-virus, anti-spyware and firewall software and their updates. Usually this capability exists on the VPN gateway (for the ASA see, for example, here).

It is also wise to apply the same traffic analysis and blocking methods (see "High level of protection") that your security policy applies to office traffic.

It is reasonable to assume that your office network is no longer limited to the office building and the hosts inside it.

Example:

A good technique is to provide each employee who needs it with a good, convenient and secure laptop and to require them to work only from it, both in the office and from home.

This not only improves the security of your network, but is also really convenient and is usually viewed favorably by employees (if it is a really good, convenient laptop).

On a sense of proportion and balance

In essence, this is a conversation about the third vertex of our triangle: the price.
Let's look at a hypothetical example.

Example:

You have an office of 200 people. You decided to make it as convenient and as secure as possible.

Therefore, you decided to pass all traffic through a firewall, so for all office subnets the firewall is the default gateway. In addition to the security software installed on each end host (anti-virus, anti-spyware and firewall software), you also decided to apply all possible protection methods on the firewall.

To ensure high connection speed (all for convenience), you chose switches with 10 Gigabit access ports as access switches, and high-performance NGFWs as firewalls, for example the Palo Alto 7K series (with 40 Gigabit ports), naturally with all licenses included and, naturally, as a High Availability pair.

Also, of course, to operate this equipment we need at least a couple of highly qualified security engineers.

Next, you decided to give each employee a good laptop.

In total, about 10 million dollars for implementation, plus hundreds of thousands of dollars (I think closer to a million) per year for support and engineer salaries.

An office of 200 people...
Convenient? I think so.

You come with this proposal to your management...
Perhaps there are a number of companies in the world for which this is an acceptable and correct solution. If you are an employee of such a company, my congratulations, but in the vast majority of cases I am sure that your knowledge will not be appreciated by management.

Is this example exaggerated? The next chapter will answer this question.

If on your network you do not see anything of the above, then this is the norm.
For each specific case, you need to find your own reasonable compromise between convenience, price and security. Often you do not need an NGFW in your office, and L7 protection on the firewall is not required. It is enough to provide a good level of visibility and alerting, and this can be done using open source products, for example. Yes, your reaction to an attack will not be immediate, but the main thing is that you will see it, and with the right processes in your department you will be able to neutralize it quickly.

And let me remind you that, according to the concept of this series of articles, you are not designing a network from scratch; you are only trying to improve what you have.

SAFE analysis of the office architecture

Pay attention to the red square I have highlighted on the diagram from the Secure Campus Architecture Guide; that is what I would like to discuss here.

This is one of the key places in the architecture and one of the most important uncertainties.

Note

I have never set up or worked with FirePower (from Cisco's firewall line, only the ASA), so I will treat it like any other firewall, such as Juniper SRX or Palo Alto, assuming it has the same capabilities.

Of the usual designs, I see only 4 possible options for using a firewall with this connection:

  • the default gateway for each subnet is the switch, while the firewall is in transparent mode (that is, all traffic passes through it, but it does not form an L3 hop)
  • the default gateway for each subnet is a firewall sub-interface (or SVI interface), and the switch plays the role of an L2 device
  • different VRFs are used on the switch, traffic between VRFs goes through the firewall, and traffic within one VRF is controlled by ACLs on the switch
  • all traffic is mirrored to the firewall for analysis and monitoring; traffic does not pass through it

Note 1

Combinations of these options are possible, but for simplicity we will not consider them.

Note 2

There is also the possibility of using PBR (a service chain architecture), but for now this, although a beautiful solution in my opinion, is rather exotic, so I am not considering it here.

From the description of the flows in the document, we see that the traffic still passes through the firewall, that is, in accordance with the Cisco design, the fourth option is excluded.

Let's look at the first two options first.
With these options, all traffic passes through the firewall.

Now let's look at the data sheet, look at the Cisco GPL, and we see that if we want the total bandwidth for our office to be at least around 10 - 20 gigabits, then we must buy the 4K version.

Note

When I talk about total bandwidth, I mean traffic between subnets (not within one VLAN).

From the GPL we see that for an HA Bundle with Threat Defense, the price depending on the model (4110 - 4150) ranges from ~0.5 to 2.5 million dollars.

That is, our design begins to resemble the previous example.

Does this mean that this design is wrong?
No, it does not. Cisco gives you the best possible protection based on the product line it has. But this does not mean that it is a must for you.

In principle, this is a common question that arises when designing an office or a data center, and it only means that a compromise needs to be sought.

For example, do not let all traffic pass through the firewall, in which case option 3 looks quite good to me; or (see the previous section) perhaps you do not need Threat Defense, or do not need a firewall at all on that network segment, and you can limit yourself to passive monitoring using paid (inexpensive) or open source solutions; or you need a firewall, but from another vendor.

Usually there is always this uncertainty, and there is no clear answer as to which decision is best for you.
This is the complexity and the beauty of this task.

Source: www.habr.com