How to take control of your network infrastructure. Chapter three. Network security. Part two

This article is the fourth in the series "How to take control of your network infrastructure". The contents of all the articles in the series, with links, can be found here.

In the first part of this chapter we looked at some aspects of network security in the Data Center segment. This part is devoted to the "Internet Access" segment.

Internet Access

Security is undoubtedly one of the most complex topics in the world of data networks. As before, without claiming depth or completeness, I will look here at fairly simple but, in my opinion, important questions, the answers to which will, I hope, help you raise the level of security of your network.

When auditing this segment, pay attention to the following aspects:

  • design
  • BGP settings
  • DOS/DDOS protection
  • traffic filtering on the firewall

Design

As an example of the design of this segment of an enterprise network, I would recommend the Cisco guide within the SAFE model.

Of course, another vendor's solution may look more attractive to you (see the Gartner Quadrant 2018), but, without urging you to follow this design in detail, I still find it useful to understand the principles and ideas behind it.

Note

In SAFE, the "Remote Access" segment is part of "Internet Access". In this series of articles, however, we will consider them separately.

The standard set of equipment in this segment of an enterprise network is

  • routers
  • firewalls

Remark 1

In this series of articles, when I talk about firewalls, I mean NGFW.

Remark 2

I leave aside the various kinds of L2/L1 or L2-over-L3 overlay solutions needed to provide L1/L2 connectivity and limit myself to questions at L3 and above. L1/L2 questions were partly covered in the chapter "Cleaning and Documentation".

If you did not find a firewall in this segment, do not rush to conclusions.

Let's do the same as in the previous part and start with the question: is a firewall in this segment necessary in your case?

I can say that this looks like the most appropriate place to use firewalls and apply complex traffic-filtering algorithms. In part 1 we mentioned 4 factors that can hinder the use of firewalls in the data center segment. Here they are no longer as significant.

Example 1. Latency

On the Internet there is no point in talking about delays even on the order of 1 millisecond. So latency in this segment cannot be a factor that limits the use of a firewall.

Example 2. Performance

In some cases this factor can still be significant. So you may have to let some traffic (for example, traffic from load balancers) bypass the firewall.

Example 3. Reliability

This factor still has to be taken into account, but, given the unreliability of the Internet itself, its importance for this segment is not as great as for the data center.

So let's assume your service runs on top of http/https (with short sessions). In that case you can use two independent boxes (without HA) and, if there is a routing problem with one of them, switch all traffic to the second.

Or you can use the firewalls in transparent mode and, if they fail, let traffic pass bypassing the firewall while you fix the problem.

So probably only price can be the factor that forces you to abandon the use of firewalls in this segment.

Important!

There is a temptation to combine this firewall with the data center firewall (use one firewall for both segments). That solution is possible in principle, but you have to understand that, since the Internet Access firewall is effectively at the front line of your defense and "absorbs" at least part of the malicious traffic, you must of course take into account the increased risk that this firewall will be taken out of service. In other words, by using the same devices in these two segments, you significantly reduce the availability of your data center segment.

As always, you have to understand that, depending on the service the company provides, the design of this segment can differ greatly. As always, you can choose different approaches depending on your requirements.

Example:

If you are a content provider with a CDN network (see, for example, this series of articles), then you may not want to build an infrastructure at dozens or hundreds of points of presence with separate devices for routing and filtering traffic. It would be expensive, and it may simply be unnecessary.

For BGP you do not need dedicated routers; you can use open-source tools such as Quagga. So perhaps all you need is a server or several servers, a switch and BGP.

In this case your server or servers can act not only as a CDN server but also as a router. Of course, there are many details (for example, how to provide balancing), but it is feasible, and it is an approach we have used successfully for one of our partners.

You can have several data centers with full protection (firewalls, DDOS protection services provided by your Internet providers) and dozens or hundreds of "simplified" points of presence with only L2 switches and servers.

But what about protection in this case?

Let's take, for example, the recently popular DNS Amplification DDOS attack. Its danger lies in the fact that a large volume of traffic is generated, which simply "clogs" 100% of all your uplinks.

What do we have in the case of our design?

  • if you use AnyCast, traffic is distributed among your points of presence. If your total bandwidth is terabits, then this alone (although recently there have been several attacks with malicious traffic on the order of terabits) protects you from "overflowing" the uplinks
  • if some uplinks are nevertheless clogged, you simply take that site out of service (stop advertising the prefix)
  • you can also increase the share of traffic served from your "full" (and therefore protected) data centers, thereby removing a significant part of the malicious traffic from the unprotected points of presence.

And one more small note on this example. If you send enough traffic through IXes, this also reduces your vulnerability to such attacks.

BGP settings

There are two topics here.

  • connectivity
  • BGP configuration

We already talked a little about connectivity in part 1. The point is to make sure that traffic to your clients follows the optimal path. Although optimality is not only about latency, low latency is usually the main indicator of optimality. For some companies this is more important, for others less so. It all depends on the service you provide.

Example 1

If you are an exchange and sub-millisecond intervals matter to your clients, then, of course, there can be no talk of any Internet at all.

Example 2

If you are a gaming company and tens of milliseconds matter to you, then connectivity is certainly very important for you.

Example 3

You also have to understand that, because of the properties of the TCP protocol, the data transfer rate within a single TCP session also depends on RTT (Round Trip Time). CDN networks are built to solve this problem too, by moving content distribution servers closer to the consumers of that content.

The study of connectivity is an interesting topic in its own right, deserving its own article or series of articles, and it requires a good understanding of how the Internet "works".

Useful resources:

ripe.net
bgp.he.net

Example:

I will give just one small example.

Suppose your data center is in Moscow and you have a single uplink, Rostelecom (AS12389). In this (single-homed) case you do not need BGP, and most likely you use an address pool from Rostelecom as your public addresses.

Suppose you provide some service and you have a fair number of clients from Ukraine who complain about high latency. During your investigation you found that the IP addresses of some of them fall within the range 37.52.0.0/21.

By running traceroute, you saw that the traffic passes through AS1299 (Telia), and by running ping, you got an average RTT of 70 - 80 milliseconds. You can also see this on the Rostelecom looking glass.

Using the whois utility (on ripe.net or a local utility), you can easily determine that the block 37.52.0.0/21 belongs to AS6849 (Ukrtelecom).

Next, going to bgp.he.net, you see that AS6849 has no relationship with AS12389 (they are neither clients nor uplinks of each other, and they have no peering). But if you look at the list of peers of AS6849, you will see, for example, AS29226 (Mastertel) and AS31133 (Megafon).

Having found the looking glasses of these providers, you can compare the paths and the RTT. For example, for Mastertel the RTT will be about 30 milliseconds.

So, if the difference between 80 and 30 milliseconds is significant for your service, then perhaps you should think about connectivity: get your own AS number and your own address pool from RIPE, and connect additional uplinks and/or create points of presence at IXes.
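To make the looking-glass walk-through above concrete, here is an added Python example (it is not code from the original article or from its author). It does a longest-prefix match over a constructed route snapshot, counts the transit ASes between each candidate uplink and the origin AS, parses the average RTT out of constructed ping summaries and ranks the uplinks by it. The route entries, the ping numbers and the uplink names are assumptions invented for the example; only the AS numbers follow the scenario in the text.

```python
"""Added example: checking whether a different uplink would reach a client prefix
with fewer transit hops and lower RTT, the way the looking-glass walk-through does.

All data here is constructed. The route snapshot and ping summaries imitate what
a looking glass would show and are not real measurements; only the AS numbers
follow the scenario described in the text.
"""
import ipaddress
import re

# Constructed route snapshot: (prefix, uplink we would send via, AS path from our edge).
RIB = [
    ("37.52.0.0/21", "Rostelecom", [12389, 1299, 6849]),  # via Telia transit
    ("37.52.0.0/21", "Mastertel",  [29226, 6849]),        # peers directly with the origin
    ("37.52.0.0/21", "Megafon",    [31133, 6849]),
    ("37.52.0.0/16", "Rostelecom", [12389, 1299, 6849]),  # less specific covering route
    ("0.0.0.0/0",    "Rostelecom", [12389]),              # default route
]

# Constructed ping summaries, as if run from each provider's looking glass.
PING_OUTPUT = {
    "Rostelecom": "5 packets transmitted, 5 received, 0% packet loss\n"
                  "rtt min/avg/max/mdev = 69.812/75.310/82.004/4.511 ms\n",
    "Mastertel":  "rtt min/avg/max/mdev = 28.104/30.220/33.870/1.902 ms\n",
    "Megafon":    "rtt min/avg/max/mdev = 31.500/34.010/39.200/2.650 ms\n",
}

PING_RTT_RE = re.compile(r"rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms")


def longest_prefix_match(rib, ip):
    """Return (uplink, as_path) for every route under the most specific prefix covering ip."""
    addr = ipaddress.ip_address(ip)
    covering = [(ipaddress.ip_network(p), u, path) for p, u, path in rib
                if addr in ipaddress.ip_network(p)]
    if not covering:
        return []
    best_len = max(net.prefixlen for net, _, _ in covering)
    return [(u, path) for net, u, path in covering if net.prefixlen == best_len]


def origin_as(as_path):
    """The last AS in the path is the origin of the prefix (whois points at the same AS)."""
    return as_path[-1]


def transit_count(as_path):
    """ASes between our uplink and the origin; 0 means the uplink peers with it directly."""
    return max(len(as_path) - 2, 0)


def parse_ping_avg_ms(output):
    """Pull the average RTT out of a Linux-style ping summary line."""
    m = PING_RTT_RE.search(output)
    if m is None:
        raise ValueError("no rtt summary line in ping output")
    return float(m.group(2))


def rank_uplinks(rib, ip, ping_outputs):
    """Per candidate uplink towards ip: origin AS, transit hops and average RTT, best RTT first."""
    rows = []
    for uplink, path in longest_prefix_match(rib, ip):
        rows.append({
            "uplink": uplink,
            "origin_as": origin_as(path),
            "transit_hops": transit_count(path),
            "avg_rtt_ms": parse_ping_avg_ms(ping_outputs[uplink]),
        })
    return sorted(rows, key=lambda r: r["avg_rtt_ms"])


def rtt_gain_ms(ranked, current_uplink):
    """Milliseconds the best candidate saves compared with the uplink in use now."""
    current = next(r for r in ranked if r["uplink"] == current_uplink)
    return current["avg_rtt_ms"] - ranked[0]["avg_rtt_ms"]


if __name__ == "__main__":
    ranked = rank_uplinks(RIB, "37.52.3.17", PING_OUTPUT)
    for row in ranked:
        print(row)
    print("gain vs Rostelecom: %.1f ms" % rtt_gain_ms(ranked, "Rostelecom"))
```

Run as is, it ranks Mastertel first (direct peering with the origin, about 30 ms) and reports the roughly 45 ms saved against the current single uplink; the same functions work unchanged on a route dump and ping output you collect yourself, as long as the ping summary keeps the Linux "rtt min/avg/max/mdev" format.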

When you use BGP, you not only get the opportunity to improve connectivity, but you also gain redundancy for your Internet connection.

This document contains recommendations for configuring BGP. Although these recommendations were developed on the basis of providers' "best practices", they are nevertheless (if your BGP configuration is not quite trivial) undoubtedly useful, and in fact should be part of the hardening we discussed in the first part.

DOS/DDOS protection

DOS/DDOS attacks have now become an everyday reality for many companies. In fact, you are attacked fairly often in one form or another. The fact that you have not noticed it yet only means that no targeted attack has been organized against you yet, and that the protection measures you use, even without knowing it (the various built-in protections of operating systems), are enough to keep the degradation of the service you provide to a minimum for you and your clients.

There are Internet resources that, based on equipment logs, draw beautiful real-time maps of attacks.

Here you can find links to them.

My favorite is the map from CheckPoint.

Protection against DDOS/DOS is usually layered. To understand why, you need to understand what types of DOS/DDOS attacks exist (see, for example, here or here).

So we have three types of attacks:

  • volumetric attacks
  • protocol attacks
  • application attacks

While you can protect yourself from the last two types of attacks using, for example, firewalls, you cannot protect yourself from attacks aimed at "overwhelming" your uplinks (unless, of course, the total capacity of your Internet channels is measured in terabits, or better still, in tens of terabits).

So the first line of defense is protection from "volumetric" attacks, and your provider or providers must give you this protection. If you have not realized this yet, then so far you have simply been lucky.

Example:

Suppose you have several uplinks, but only one of the providers can give you this protection. But if all traffic goes through one provider, what about the connectivity we briefly discussed earlier?

In this case you will have to partially sacrifice connectivity for the duration of the attack. But

  • this is only for the duration of the attack. When an attack occurs, you can manually or automatically reconfigure BGP so that traffic goes only through the provider that gives you the "umbrella". When the attack ends, you can return the routing to its previous state
  • it is not necessary to move all the traffic. If, for example, you see that there are no attacks through some uplinks or peerings (or the traffic is not significant), you can continue to advertise prefixes with competitive attributes to those BGP neighbors.

You can also outsource protection from "protocol attacks" and "application attacks" to your partners.
Here you can read a good study (translation). True, the article is two years old, but it will give you an idea of the approaches you can use to protect yourself from DDOS.

In principle, you could stop there, outsourcing your protection entirely. This decision has its advantages, but it also has obvious disadvantages. The fact is that we may be talking (again, depending on what your company does) about the survival of the business. And to entrust such things to third parties...

So let's look at how to organize the second and third lines of defense (as a supplement to the protection from the provider).

So, the second line of defense is filtering and traffic limiting (policers) at the entrance to your network.

Example 1

Suppose you have covered yourself with an anti-DDOS umbrella with the help of one of your providers. Suppose this provider uses Arbor to filter traffic and filters at the edge of its network.

The bandwidth that Arbor can "process" is limited, and the provider, of course, cannot constantly pass the traffic of all its partners who order this service through the filtering equipment. So under normal conditions traffic is not filtered.

Suppose there is a SYN flood attack. Even if you have ordered a service that automatically switches traffic to filtering when an attack occurs, this does not happen instantly. For a minute or more you remain under attack. And this can lead to failure of your equipment or degradation of the service. In this case, rate limiting the traffic on the edge routing, although it means that some TCP sessions will not be established during this time, will save your infrastructure from bigger problems.

Example 2

A large number of SYN packets is not necessarily the result of a SYN flood attack. Suppose you provide a service in which you can have about 100 thousand simultaneous TCP connections (to one data center).

Let's say that, because of a short-term problem with one of your providers, half of your sessions are dropped. If your application is designed so that, without a second thought, it immediately (or after a time interval that is the same for all sessions) tries to re-establish the connection, then you will receive at least 50 thousand SYN packets almost simultaneously.

If, for example, you have to run an ssl/tls handshake on top of these sessions, which involves exchanging certificates, then from the point of view of exhausting the resources of your load balancer this will be a far more powerful "DDOS" than a simple SYN flood. It would seem that balancers should cope with such events, but... unfortunately, we have run into exactly this problem.

And, of course, a policer on the edge router will save your equipment in this case too.
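As an added illustration of Examples 1 and 2 (this is not the article's own code), the following Python simulation reproduces the reconnect storm from the text, 50 thousand clients retrying at the same instant versus retrying with random jitter, and runs both arrival patterns through a single-rate token-bucket policer of the kind an edge router applies to inbound SYNs. The policer rate and burst, the 30-second jitter window and the random seed are constructed assumptions; the session counts follow the scenario above.

```python
"""Added example: why a synchronized reconnect looks like a SYN flood, and what a
single-rate policer at the network edge does to it.

Everything is simulated with constructed numbers; nothing here is measured on
real equipment. The 100k sessions and 50k reconnects follow the article's scenario.
"""
import random
from collections import Counter

TOTAL_SESSIONS = 100_000
LOST_SESSIONS = TOTAL_SESSIONS // 2   # half of the sessions dropped by the provider hiccup
SYN_RATE_LIMIT = 5_000                # assumed policer rate, SYN packets per second
SYN_BURST = 2_000                     # assumed burst allowance (bucket depth)
JITTER_WINDOW_S = 30.0                # assumed client-side reconnect spread


def reconnect_times(n_sessions, max_jitter_s, seed=1):
    """Offsets (seconds) at which n_sessions clients send their reconnect SYN.
    max_jitter_s == 0 reproduces the naive design: everyone retries at once.
    Otherwise each client waits a uniform random delay, which is the usual fix."""
    rng = random.Random(seed)
    if max_jitter_s <= 0:
        return [0.0] * n_sessions
    return sorted(rng.uniform(0, max_jitter_s) for _ in range(n_sessions))


def peak_syn_per_second(times):
    """Largest number of SYNs landing in any one-second bucket."""
    return max(Counter(int(t) for t in times).values())


def token_bucket_policer(times, rate_pps, burst):
    """Single-rate, single-bucket policer as seen from the edge router.
    Tokens refill continuously at rate_pps up to burst; a packet passes if a
    whole token is available and is dropped otherwise. Arrivals must be sorted.
    Returns (passed, dropped)."""
    tokens = float(burst)
    last = 0.0
    passed = dropped = 0
    for t in times:
        tokens = min(float(burst), tokens + (t - last) * rate_pps)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            passed += 1
        else:
            dropped += 1
    return passed, dropped


def compare_designs():
    """Peak SYN rate and policer outcome for the naive and the jittered client."""
    naive = reconnect_times(LOST_SESSIONS, 0)
    jittered = reconnect_times(LOST_SESSIONS, JITTER_WINDOW_S)
    return {
        "naive_peak_syn_per_s": peak_syn_per_second(naive),
        "naive_policed": token_bucket_policer(naive, SYN_RATE_LIMIT, SYN_BURST),
        "jitter_peak_syn_per_s": peak_syn_per_second(jittered),
        "jitter_policed": token_bucket_policer(jittered, SYN_RATE_LIMIT, SYN_BURST),
    }


if __name__ == "__main__":
    for name, value in compare_designs().items():
        print(f"{name}: {value}")
```

The naive client produces a 50,000 SYN/s spike; the policer lets through only the 2,000-packet burst and drops the other 48,000, which is exactly the trade-off described above (some sessions fail to establish, the balancer behind the router survives). With a 30-second jitter the same 50,000 reconnects arrive at well under the 5,000/s limit and nothing is dropped, which is why the fix belongs in the client's retry logic as much as on the router.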

The third level of protection against DDOS/DOS is your firewall settings.

Here you can stop attacks of both the second and the third type. In general, everything that reaches the firewall can be filtered here.

Tip

Try to give the firewall as little work as possible, filtering out as much as possible on the first two lines of defense. Here is why.

Has it ever happened to you that, by accident, while generating traffic to check, for example, how well the operating system of your servers withstands a DDOS attack, you "killed" your firewall, loading it to 100 percent with traffic of quite ordinary intensity? If not, maybe only because you have not tried?

In general, a firewall, as I have said, is a complex thing, and it works well with known vulnerabilities and tested solutions, but if you send it something unusual, just garbage or packets with incorrect headers, then there is some, not so small (judging by my experience), chance that you will stun even top-end equipment. So at stage 2, using ordinary ACLs (at the L3/L4 level), allow only the traffic into your network that should be there.
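An added example (not from the original article) of the "stage 2" idea in Python: a stateless, ordered L3/L4 ACL with an implicit deny at the end, preceded by two sanity checks that reject obviously malformed or spoofed packets before the firewall ever sees them. The prefixes (RFC 5737 documentation ranges standing in for "our" public block), the ports, the one-line packet format and the sample packets are all assumptions constructed for the example.

```python
"""Added example: a stateless L3/L4 edge ACL of the kind the text puts in front of
the firewall. Packets and rules are constructed; prefixes and ports are placeholders.
"""
import ipaddress

# Assumed: the public block we announce (RFC 5737 TEST-NET-3 used as a placeholder).
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# Ordered ACL: first match wins, anything unmatched hits the implicit deny.
ACL = [
    {"action": "permit", "proto": "tcp",  "dst": "203.0.113.10/32", "dports": {80, 443}},
    {"action": "permit", "proto": "udp",  "dst": "203.0.113.53/32", "dports": {53}},
    {"action": "permit", "proto": "icmp", "dst": "203.0.113.0/24",  "dports": None},
]

# TCP flag combinations that never occur in legitimate traffic ("garbage" headers).
INVALID_TCP_FLAG_SETS = [
    frozenset(),                          # no flags at all
    frozenset({"SYN", "FIN"}),
    frozenset({"SYN", "RST"}),
    frozenset({"FIN", "PSH", "URG"}),
]

FLAG_LETTERS = {"S": "SYN", "F": "FIN", "R": "RST", "A": "ACK", "P": "PSH", "U": "URG"}


def parse_packet(line):
    """Parse a constructed one-line packet summary such as
    'proto=tcp src=198.51.100.7:51515 dst=203.0.113.10:443 flags=S'."""
    fields = dict(kv.split("=", 1) for kv in line.split())

    def endpoint(text):
        if ":" in text:
            ip, port = text.rsplit(":", 1)
            return ipaddress.ip_address(ip), int(port)
        return ipaddress.ip_address(text), None  # icmp carries no port

    src_ip, src_port = endpoint(fields["src"])
    dst_ip, dst_port = endpoint(fields["dst"])
    flags = frozenset(FLAG_LETTERS[c] for c in fields.get("flags", ""))
    return {"proto": fields["proto"], "src": src_ip, "sport": src_port,
            "dst": dst_ip, "dport": dst_port, "flags": flags}


def evaluate(pkt, acl=ACL, our_prefix=OUR_PREFIX):
    """Return (action, reason). Sanity checks run before the ACL so that packets
    with impossible headers never reach the firewall behind this router."""
    if pkt["src"] in our_prefix:
        return "deny", "spoofed source: our own prefix arriving from the uplink"
    if pkt["proto"] == "tcp" and pkt["flags"] in INVALID_TCP_FLAG_SETS:
        return "deny", "invalid tcp flag combination"
    for index, rule in enumerate(acl):
        if rule["proto"] != pkt["proto"]:
            continue
        if pkt["dst"] not in ipaddress.ip_network(rule["dst"]):
            continue
        if rule["dports"] is not None and pkt["dport"] not in rule["dports"]:
            continue
        return rule["action"], f"rule {index}"
    return "deny", "implicit deny"


# Constructed sample packets (RFC 5737 TEST-NET-2 addresses as "Internet" sources).
SAMPLE_PACKETS = [
    "proto=tcp src=198.51.100.7:51515 dst=203.0.113.10:443 flags=S",   # web, permitted
    "proto=udp src=198.51.100.9:33000 dst=203.0.113.53:53",            # dns, permitted
    "proto=tcp src=198.51.100.7:51516 dst=203.0.113.10:22 flags=S",    # ssh from outside, no rule
    "proto=tcp src=203.0.113.77:4444 dst=203.0.113.10:443 flags=S",    # our own prefix as source
    "proto=tcp src=198.51.100.8:1024 dst=203.0.113.10:443 flags=SF",   # SYN+FIN garbage
    "proto=icmp src=198.51.100.8 dst=203.0.113.20",                    # icmp, permitted
]


def filter_lines(lines):
    """Run every sample line through the edge filter: (line, action, reason)."""
    return [(line, *evaluate(parse_packet(line))) for line in lines]


if __name__ == "__main__":
    for line, action, reason in filter_lines(SAMPLE_PACKETS):
        print(f"{action:6} {reason:50} {line}")
```

The two checks in front of the rule list are the part worth copying onto a real edge device: a packet whose source claims to be inside your own announced block cannot legitimately arrive from the uplink, and a SYN+FIN or flagless TCP segment is exactly the "garbage with incorrect headers" the text warns about. Dropping those with a plain ACL costs the router almost nothing, while the NGFW behind it would have to spend stateful inspection on them.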

Traffic filtering on the firewall

Let's continue the conversation about the firewall. You have to understand that DOS/DDOS attacks are only one kind of cyber attack.

In addition to DOS/DDOS protection, we may also have something like the following list:

  • application firewalling
  • threat prevention (antivirus, anti-spyware, and vulnerability protection)
  • URL filtering
  • data filtering (content filtering)
  • file blocking (blocking of file types)

It is up to you to decide what you need from this list.

To be continued

Source: www.habr.com