Momwe Mungayesere Kuchita Bwino Kwa Kukonzekera kwa NGFW
Ntchito yodziwika bwino ndikuwunika momwe firewall yanu imapangidwira bwino. Kuti muchite izi, pali zida ndi ntchito zaulere zochokera kumakampani omwe amachita ndi NGFW.
Mwachitsanzo, mutha kuwona pansipa kuti Palo Alto Networks ali ndi kuthekera kochokera fufuzani ziwerengero za firewall - lipoti la SLR kapena kusanthula kutsatira njira zabwino kwambiri - lipoti la BPA. Izi ndi zida zaulere pa intaneti zomwe mungagwiritse ntchito osayika chilichonse.
CONTENT
Ulendo (Chida Chosamuka)
Njira yovuta kwambiri yowonera makonda anu ndikutsitsa pulogalamu yaulere (Poyamba Chida Chosamuka). Imatsitsidwa ngati Virtual Appliance ya VMware, palibe makonda omwe amafunikira nawo - muyenera kutsitsa chithunzicho ndikuchiyika pansi pa VMware hypervisor, yambitsani ndikupita ku mawonekedwe a intaneti. Izi zimafuna nkhani yosiyana, maphunziro okhawo amatenga masiku a 5, pali ntchito zambiri tsopano, kuphatikizapo Kuphunzira kwa Makina ndi kusamuka kwamasinthidwe osiyanasiyana a ndondomeko, NAT ndi zinthu za opanga Firewall osiyanasiyana. Ndilemba zambiri za Machine Learning pansipa m'malemba.
Policy Optimizer
Ndipo njira yabwino kwambiri (IMHO), yomwe ndikuuzeni mwatsatanetsatane lero, ndiye optimizer yomwe idapangidwa mu mawonekedwe a Palo Alto Networks. Kuti ndiwonetse, ndidayika chozimitsa moto kunyumba ndikulemba lamulo losavuta: lolani aliyense kwa aliyense. M'malo mwake, nthawi zina ndimawona malamulo otere ngakhale mumakampani. Mwachilengedwe, ndidathandizira mbiri yonse yachitetezo cha NGFW, monga mukuwonera pazithunzi:
Chithunzi chili m'munsichi chikuwonetsa chitsanzo cha nyumba yanga yosasinthika, pomwe pafupifupi maulumikizidwe onse amagwera mu lamulo lomaliza: Lolani Zonse, monga momwe zikuwonekera kuchokera ku ziwerengero za Hit Count.
Zero Kudalira
Pali njira yachitetezo yotchedwa . Izi zikutanthauza chiyani: tiyenera kulola anthu omwe ali pa intaneti ndendende kulumikizana komwe amafunikira ndikukana china chilichonse. Ndiko kuti, tifunika kuwonjezera malamulo omveka bwino a mapulogalamu, ogwiritsa ntchito, magulu a URL, mitundu ya mafayilo; yambitsani ma IPS onse ndi ma siginecha a antivayirasi, yambitsani sandboxing, chitetezo cha DNS, gwiritsani ntchito IoC kuchokera pazosunga zopezeka za Threat Intelligence. Mwambiri, pali ntchito zingapo zabwino pakukhazikitsa firewall.
Mwa njira, magawo ochepera ofunikira a Palo Alto Networks NGFW akufotokozedwa m'modzi mwazolemba za SANS: - Ndikupangira kuyamba ndi izo. Ndipo zowonadi, pali njira zabwino zokhazikitsira firewall kwa wopanga: .
Kotero, ndinali ndi firewall kunyumba kwa sabata. Tiyeni tiwone mtundu wanji wamagalimoto omwe ali pa netiweki yanga:
Ngati mumasankha ndi kuchuluka kwa magawo, ndiye kuti ambiri amapangidwa ndi bittorrent, ndiye amabwera SSL, ndiye QUIC. Izi ndi ziwerengero zamagalimoto obwera ndi otuluka: pali masikani ambiri akunja a rauta yanga. Pali mapulogalamu 150 osiyanasiyana pa netiweki yanga.
Kotero, zonsezi zinaphonya ndi lamulo limodzi. Tiyeni tiwone zomwe Policy Optimizer ikunena pa izi. Ngati munayang'ana pamwamba pa chithunzithunzi cha mawonekedwe ndi malamulo a chitetezo, ndiye pansi kumanzere munawona zenera laling'ono lomwe limandiwonetsa kuti pali malamulo omwe angathe kukonzedwa. Tiyeni tidule pamenepo.
Zomwe Policy Optimizer ikuwonetsa:
- Ndi ndondomeko ziti zomwe sizinagwiritsidwe ntchito konse, masiku 30, masiku 90. Izi zimathandiza kupanga chisankho kuchotsa kwathunthu.
- Ndi ntchito ziti zomwe zidafotokozedwa m'malamulo, koma palibe mapulogalamu omwe adapezeka pamagalimoto. Izi zimakupatsani mwayi wochotsa mapulogalamu osafunikira polola malamulo.
- Ndi mfundo ziti zomwe zimalola chilichonse, koma panali ntchito zomwe zikanakhala zabwino kufotokoza momveka bwino malinga ndi njira ya Zero Trust.
Tiyeni dinani Zosagwiritsidwa Ntchito.
Kuti ndiwonetse momwe zimagwirira ntchito, ndinawonjezera malamulo angapo ndipo mpaka pano sanaphonye paketi imodzi lero. Nawu mndandanda wawo:
Mwina m'kupita kwa nthawi padzakhala magalimoto kumeneko ndiyeno iwo adzasowa pa mndandanda. Ndipo ngati ali pamndandandawu kwa masiku 90, ndiye kuti mutha kusankha kuchotsa malamulowa. Kupatula apo, lamulo lililonse limapereka mwayi kwa owononga.
Pali vuto lenileni pokonzekera firewall: wogwira ntchito watsopano amabwera, akuyang'ana malamulo a firewall, ngati alibe ndemanga ndipo sakudziwa chifukwa chake lamuloli linalengedwa, ngati likufunikadi, kaya lingathe. zichotsedwe: mwadzidzidzi munthuyo ali patchuthi ndipo patatha masiku 30, magalimoto adzatulukanso kuchokera ku ntchito yomwe akufuna. Ndipo izi zimangomuthandiza kupanga chisankho - palibe amene amachigwiritsa ntchito - chotsani!
Dinani pa Unus App.
Timadina Pulogalamu Yosagwiritsidwa Ntchito mu optimizer ndikuwona kuti zambiri zosangalatsa zimatsegulidwa pawindo lalikulu.
Tikuwona kuti pali malamulo atatu, pomwe chiwerengero cha mapulogalamu ololedwa ndi chiwerengero cha mapulogalamu omwe adadutsa lamuloli ndi osiyana.
Titha kudina ndikuwona mndandanda wa mapulogalamuwa ndikufanizira mindandanda iyi.
Mwachitsanzo, dinani batani Fananizani pa lamulo la Max.
Apa mutha kuwona kuti ntchito za facebook, instagram, telegraph, vkontakte zidaloledwa. Koma zenizeni, magalimoto amangopita kuzinthu zina zazing'ono. Apa muyenera kumvetsetsa kuti pulogalamu ya facebook ili ndi mapulogalamu angapo.
Mndandanda wonse wa mapulogalamu a NGFW ukhoza kuwoneka pa portal ndipo mu mawonekedwe a firewall palokha, mu gawo la Zinthu-> Zofunsira ndipo posaka, lembani dzina la ntchito: facebook, mupeza zotsatirazi:
Chifukwa chake, zina mwazinthu zazing'onozi zidawonedwa ndi NGFW, koma zina sizinali. M'malo mwake, mutha kuletsa padera ndikulola magwiridwe antchito osiyanasiyana a Facebook. Mwachitsanzo, lolani kuwona mauthenga, koma letsani macheza kapena kusamutsa mafayilo. Chifukwa chake, Policy Optimizer imalankhula za izi ndipo mutha kupanga chisankho: osalola mapulogalamu onse a Facebook, koma zazikulu zokha.
Choncho, tinazindikira kuti ndandanda ndi zosiyana. Mutha kuwonetsetsa kuti malamulo amalola mapulogalamu okhawo omwe amayenda pa intaneti. Kuti muchite izi, dinani batani la MatchUsage. Zimakhala motere:
Ndipo mutha kuwonjezeranso mapulogalamu omwe mukuwona kuti ndi ofunikira - batani Onjezani kumanzere kwa zenera:
Ndiyeno lamuloli likhoza kugwiritsidwa ntchito ndikuyesedwa. Zabwino zonse!
Dinani Palibe Mapulogalamu Ofotokozedwa.
Pankhaniyi, zenera lofunika lachitetezo lidzatsegulidwa.
Pali malamulo ambiri otere pamanetiweki anu pomwe kugwiritsa ntchito kwa L7 sikunatchulidwe momveka bwino. Ndipo mumanetiweki anga pali lamulo lotere - ndiloleni ndikukumbutseni kuti ndidapanga pakukhazikitsa koyambirira, makamaka kuti ndiwonetse momwe Policy Optimizer imagwirira ntchito.
Chithunzichi chikuwonetsa kuti lamulo la AllowAll limalola 9 gigabytes ya traffic kuyambira pa Marichi 17 mpaka Marichi 220, omwe ndi 150 ntchito zosiyanasiyana pamaneti wanga. Ndipo izo sizokwanira. Nthawi zambiri, maukonde apakati pamakampani amakhala ndi mapulogalamu 200-300 osiyanasiyana.
Chifukwa chake, lamulo limodzi limalola kugwiritsa ntchito mpaka 150. Kawirikawiri izi zikutanthauza kuti chowotcha moto sichinakonzedwe bwino, chifukwa nthawi zambiri lamulo limodzi limalola kugwiritsa ntchito 1-10 pazifukwa zosiyanasiyana. Tiyeni tiwone zomwe mapulogalamuwa ali: dinani batani la Fananizani:
Chodabwitsa kwambiri kwa woyang'anira mu ntchito ya Policy Optimizer ndi batani la Match Usage - mutha kupanga lamulo ndikudina kamodzi, komwe mungalowetse mapulogalamu onse 150 mulamulo. Kuchita izi pamanja kungatenge nthawi yayitali. Chiwerengero cha ntchito zoti woyang'anira azigwira ntchito, ngakhale pa netiweki yanga ya zida 10, ndizazikulu.
Ndili ndi mapulogalamu osiyanasiyana a 150 omwe akuyenda kunyumba, kusamutsa magigabytes a traffic! Ndipo muli nazo zingati?
Koma chimachitika ndi chiyani pa intaneti ya zida 100 kapena 1000 kapena 10000? Ndawona ma firewall okhala ndi malamulo 8000 ndipo ndine wokondwa kwambiri kuti oyang'anira tsopano ali ndi zida zodzipangira zosavuta.
Zina mwazinthu zomwe gawo la L7 losanthula ntchito mu NGFW lidawona ndikuwonetsa kuti simudzafunikira pa netiweki, kotero mumangowachotsa pamndandanda wamalamulo olola, kapena kufananiza malamulowo pogwiritsa ntchito batani la Clone (mu mawonekedwe akulu) ndi aloleni mu lamulo limodzi logwiritsa ntchito, ndipo mu Mudzaletsa mapulogalamu ena chifukwa safunikira pa netiweki yanu. Ntchito zoterezi nthawi zambiri zimaphatikizapo bittorent, nthunzi, ultrasurf, tor, tunnel zobisika monga tcp-over-dns ndi ena.
Chabwino, tiyeni dinani lamulo lina ndikuwona zomwe mukuwona pamenepo:
Inde, pali mapulogalamu omwe amafanana ndi ma multicast. Tiyenera kuwalola kuti aziwonera makanema pa intaneti kuti agwire ntchito. Dinani Kugwiritsa Ntchito Match. Zabwino! Zikomo Policy Optimizer.
Nanga Bwanji Machine Learning?
Tsopano ndi yapamwamba kulankhula za automation. Zomwe ndafotokoza zidatuluka - zimathandiza kwambiri. Pali kuthekera kwinanso komwe ndiyenera kunena. Uwu ndiye magwiridwe antchito a Machine Learning omwe adapangidwa mu Expedition utility, yomwe idatchulidwa kale pamwambapa. Pachida ichi, ndizotheka kusamutsa malamulo kuchokera ku firewall yanu yakale kuchokera kwa wopanga wina. Palinso kuthekera kosanthula zipika zamagalimoto za Palo Alto Networks ndikuwonetsa malamulo oti alembe. Izi ndizofanana ndi magwiridwe antchito a Policy Optimizer, koma mu Expedition imakulitsidwa kwambiri ndipo mumapatsidwa mndandanda wamalamulo opangidwa okonzeka - muyenera kungowavomereza.
Kuti tiyese ntchitoyi, pali ntchito ya labotale - timayitcha kuti test drive. Mayesowa atha kuchitidwa polowera muzotchinga zozimitsa moto, zomwe ogwira ntchito kuofesi ya Palo Alto Networks ku Moscow adzayambitsa mwakufuna kwanu.
Pempho litha kutumizidwa kwa [imelo ndiotetezedwa] ndipo pempholo lembani: "Ndikufuna kupanga UTD ya Njira Yosamuka."
M'malo mwake, ntchito ya labotale yotchedwa Unified Test Drive (UTD) ili ndi zosankha zingapo ndipo zonsezo pambuyo pempho.
Ogwiritsa ntchito olembetsedwa okha ndi omwe angatenge nawo gawo pa kafukufukuyu. chonde.
Kodi mungafune kuti wina akuthandizeni kukonza ma firewall policy?
-
kuti
-
No
-
Ndizichita zonse ndekha
Palibe amene adavota. Palibe zodziletsa.
Source: www.habr.com