Encrypting according to GOST: a memo on setting up dynamic traffic routing

If your company transmits or receives personal data and other confidential information over networks that must be protected in accordance with legal requirements, it has to use GOST encryption. Today we describe how we implemented such encryption for one of our customers on the basis of S-Terra crypto gateways (CGs). The article will be of interest to information security specialists as well as to engineers, designers and architects. We will not dig into the fine points of the technical configuration in this post; we concentrate on the key steps of the basic setup. Extensive documentation on configuring the Linux OS daemons on which the S-Terra CG is built is freely available on the Internet, and the documentation for configuring the S-Terra software itself is publicly available on the vendor's portal.

A few words about the project

The customer's network topology was standard: a full mesh between the head office and the branches. Encryption of the information exchange channels between all sites, of which there were eight, was required.

Usually everything in such projects is static: static routes to each site's local network are configured on the crypto gateways (CGs), and the lists of IP address ranges (ACLs) to be encrypted are written down once. In this case, however, the sites have no centralized administration, and anything can happen inside their local networks: networks can be added, removed and re-addressed arbitrarily. To avoid reconfiguring routing and ACLs on the CGs every time the addressing of a site's local network changes, it was decided to use GRE tunneling together with OSPF dynamic routing, with all CGs and most of the sites' core routers participating in OSPF (at some sites the infrastructure administrators preferred to SNAT traffic towards the CG on the core routers instead).

GRE tunneling let us solve two problems:
1. Use the IP address of the CG's external interface as the ACL entry for encryption: the GRE tunnel encapsulates all traffic sent to the other sites, so a single host-to-host rule covers everything.
2. Organize point-to-point tunnels between the CGs over which dynamic routing can run (in our case the sites are connected by the provider's MPLS L3VPN).

The customer ordered the encryption as a service. Otherwise it would have had not only to maintain the crypto gateways itself or outsource them to another organization, but also to track the lifecycle of the encryption certificates on its own, renew them on time and install the new ones.
And now the memo itself: how and what we configured

Note for CII subjects: setting up a crypto gateway

Basic network configuration

First, we start the new CG and enter the administration console. Begin by changing the built-in administrator's password (the command change user password administrator). Then run the initialization procedure (the command initialize), during which the license data is entered and the random number generator (the "random number sensor" in S-Terra terminology) is initialized.

Attention! After installation of the S-Terra CG, a security policy is in force under which the gateway's interfaces do not pass any packets. You have to either create your own policy or activate the preinstalled permissive policy with the command run csconf_mgr activate.
Next, configure the addresses of the external and internal interfaces and the default route. It is most convenient to manage the CG's network configuration and the encryption settings through the Cisco-like console. This console accepts commands similar to Cisco IOS commands; the configuration entered there is converted into the configuration files that the OS daemons work with. You can switch from the administration console to the Cisco-like console with the command configure.

Change the password of the built-in cscons user and the enable password (the actual secrets are omitted here; substitute your own):

> enable
Password: csp (default)
# configure terminal
#username cscons privilege 15 secret 0 <password>
#enable secret 0 <password>

Basic network configuration:

#interface GigabitEthernet0/0
#ip address 10.111.21.3 255.255.255.0
#no shutdown
#interface GigabitEthernet0/1
#ip address 192.168.2.5 255.255.255.252
#no shutdown
#ip route 0.0.0.0 0.0.0.0 10.111.21.254

GRE

Exit the Cisco-like console and drop into the Debian shell with the command system. Set your own password for the root user with passwd.
On each CG a separate tunnel is configured for every other site. The tunnel interface is described in the file /etc/network/interfaces. The interface itself is created by the ip tunnel utility from the preinstalled iproute2 package; the creation command is placed in the pre-up option of the interface stanza.

An example tunnel interface configuration (the value after key is a 32-bit GRE tunnel identifier that must be identical on both ends; iproute2 does not accept an arbitrary string here. It is not a secret and protects nothing by itself; confidentiality and integrity come from the IPsec layer configured below. 1001 is an arbitrary example value):
auto site1
iface site1 inet static
address 192.168.1.4
netmask 255.255.255.254
pre-up ip tunnel add site1 mode gre local 10.111.21.3 remote 10.111.22.3 key 1001

Attention! The tunnel interface settings must be placed outside the section

###netifcfg-begin###
*****
###netifcfg-end###

Otherwise these settings will be overwritten whenever the network settings of the physical interfaces are changed through the Cisco-like console.

Dynamic routing

In S-Terra, dynamic routing is implemented with the Quagga package. To configure OSPF we need to enable and configure the zebra and ospfd daemons. The zebra daemon handles the interaction between the routing daemons and the OS; the ospfd daemon, as the name suggests, implements the OSPF protocol.
OSPF is configured either through the daemon's console or directly in the configuration file /etc/quagga/ospfd.conf. All physical and tunnel interfaces that take part in routing are added to the file, and the networks that will be advertised and will receive advertisements are declared.

An example of the configuration to add to ospfd.conf:
interface eth0
!
interface eth1
!
interface site1
!
interface site2
!
router ospf
 ospf router-id 192.168.2.21
 network 192.168.1.4/31 area 0.0.0.0
 network 192.168.1.16/31 area 0.0.0.0
 network 192.168.2.4/30 area 0.0.0.0

Here the 192.168.1.x/31 addresses are reserved for the point-to-point networks between the sites, and the 192.168.2.x/30 addresses for the transit networks between the CGs and the core routers. Note that no network statement covers the external interface (eth0), so OSPF adjacencies are formed only over the GRE tunnels and towards the core router; the routing protocol is not exposed to the provider network.

Attention! To keep the routing table small in large installations, you can suppress advertisement of the transit networks themselves with the constructs no redistribute connected or redistribute connected route-map.

After the daemons are configured, change their startup mode in /etc/quagga/daemons: set the zebra and ospfd options from no to yes. Start the quagga service and enable it at CG boot with the command update-rc.d quagga enable.

If the GRE tunnels and OSPF are configured correctly, routes to the other sites' networks should appear on the CGs and the core routers, and with them connectivity between the local networks.

Encrypting the transmitted traffic

As already mentioned, when encrypting between sites we normally specify the IP address ranges (ACLs) between which traffic is to be encrypted: if the source and destination addresses fall within these ranges, the traffic between them is encrypted. In this project, however, the structure is dynamic and the addresses can change. Since GRE tunneling is already in place, we can specify the external addresses of the CGs as the source and destination addresses for encryption: the traffic arriving for encryption is already encapsulated in GRE. In other words, everything that enters the CG from the local network of one site and is destined for the networks announced by the other sites is encrypted, and this includes the OSPF exchange between the CGs, because it also travels inside the tunnels. Within each site any re-addressing can be performed. So when local networks change, the administrator only has to change the announcements going from his network into the OSPF domain, and the new networks become reachable from the other sites.

Encryption in the S-Terra CG is performed with the IPsec protocol. We use the Kuznyechik ("Grasshopper") algorithm in accordance with GOST R 34.12-2015; for compatibility with older versions GOST 28147-89 can be used. Authentication can technically be done with pre-shared keys (PSK) or with certificates; in production operation, however, certificates issued in accordance with GOST R 34.10-2012 must be used.

Certificates, key containers and CRLs are handled with the cert_mgr utility. First, with the command cert_mgr create, you create a private key container and a certificate request, which is sent to the certification authority. When the certificate is received, it must be imported together with the CA certificate and the CRL (if one is used) with the command cert_mgr import. You can verify that all certificates and CRLs are installed with the command cert_mgr show.

After the certificates are installed, go to the Cisco-like console to configure IPsec.
We create an IKE policy that specifies the algorithms and parameters desired for the protected channel; these will be offered to the peer for negotiation.

#crypto isakmp policy 1000
#encr gost341215k
#hash gost341112-512-tc26
#authentication sign
#group vko2
#lifetime 3600

This policy is used for building the first phase of IPsec. The result of a successful first phase is an established IKE SA (Security Association) between the gateways.
Next we need to define the list of source and destination addresses (ACL) for encryption, create a transform set, create a crypto map and bind it to the CG's external interface.

Define the ACL:
#ip access-list extended site1
#permit gre host 10.111.21.3 host 10.111.22.3

The transform set (as in the first phase, we use the Kuznyechik algorithm, here in the mode with an integrity check value, so the ESP payload is both encrypted and integrity-protected):

#crypto ipsec transform-set GOST esp-gost341215k-mac

Create the crypto map, referencing the ACL, the transform set and the peer address:

#crypto map MAIN 100 ipsec-isakmp
#match address site1
#set transform-set GOST
#set peer 10.111.22.3

Bind the crypto map to the CG's external interface:

#interface GigabitEthernet0/0
#ip address 10.111.21.3 255.255.255.0
#crypto map MAIN

To encrypt the channels to the other sites, repeat the ACL and crypto map steps for each of them, changing the ACL name, the IP addresses and the crypto map sequence number.
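Repeating the tunnel, OSPF and crypto map steps by hand for every peer in a full mesh is where addresses and keys drift apart between gateways. The following generator, an added example that is not part of the original article or of S-Terra's tooling, produces the /etc/network/interfaces stanzas, the ospfd.conf network statements and the Cisco-like ACL and crypto map commands for each gateway from one site table, so that both ends of a pair always agree on the /31, the GRE key and the ACL. The site table is constructed; the /31 pool, the sequential GRE keys and the convention of naming the tunnel interface and ACL after the remote site are assumptions of the example.

```python
"""Per-site S-Terra configuration for a full-mesh GRE-over-IPsec design (added example)."""
import ipaddress
from itertools import combinations

# Constructed site table (assumption): site name -> external address of its CG.
SITES = {
    "site1": "10.111.21.3",
    "site2": "10.111.22.3",
    "site3": "10.111.23.3",
}
PTP_POOL = ipaddress.ip_network("192.168.1.0/24")  # one /31 per site pair, as in the article


def ptp_pairs(sites):
    """Assign a /31 and a GRE key to every unordered pair of sites.

    The assignment is deterministic (sorted names, sequential /31s and keys), so
    running the generator on any gateway yields the same values for a pair.
    """
    subnets = PTP_POOL.subnets(new_prefix=31)
    pairs = {}
    for key, (a, b) in enumerate(combinations(sorted(sites), 2), start=1):
        net = next(subnets)
        lo, hi = list(net)  # both addresses of a /31 are usable host addresses
        pairs[frozenset((a, b))] = {"net": net, a: lo, b: hi, "key": key}
    return pairs


def peers_of(local, sites):
    """All sites except the local one, in stable order."""
    return [s for s in sorted(sites) if s != local]


def interfaces_stanzas(local, sites, pairs):
    """/etc/network/interfaces stanzas for the GRE tunnels of one gateway."""
    out = []
    for remote in peers_of(local, sites):
        p = pairs[frozenset((local, remote))]
        # The GRE key is a 32-bit tunnel identifier, not a secret; it must match on the peer.
        out.append(
            f"auto {remote}\n"
            f"iface {remote} inet static\n"
            f"address {p[local]}\n"
            f"netmask {p['net'].netmask}\n"
            f"pre-up ip tunnel add {remote} mode gre local {sites[local]} "
            f"remote {sites[remote]} key {p['key']}"
        )
    return "\n\n".join(out)


def ospf_networks(local, sites, pairs):
    """'network' statements for ospfd.conf covering only the tunnel /31s.

    The external interface is deliberately not listed, so OSPF never runs
    towards the provider network.
    """
    return [
        f" network {pairs[frozenset((local, r))]['net']} area 0.0.0.0"
        for r in peers_of(local, sites)
    ]


def crypto_commands(local, sites):
    """Cisco-like console commands: one ACL and one crypto map entry per peer.

    Only GRE between the two external addresses is matched, so everything the
    tunnel carries is encrypted regardless of the sites' internal addressing.
    """
    lines = []
    for seq, remote in enumerate(peers_of(local, sites), start=1):
        lines += [
            f"ip access-list extended {remote}",
            f"permit gre host {sites[local]} host {sites[remote]}",
            f"crypto map MAIN {seq * 100} ipsec-isakmp",
            f"match address {remote}",
            "set transform-set GOST",
            f"set peer {sites[remote]}",
        ]
    return lines


if __name__ == "__main__":
    pairs = ptp_pairs(SITES)
    for site in SITES:
        print(f"===== {site} =====")
        print(interfaces_stanzas(site, SITES, pairs))
        print("\n".join(ospf_networks(site, SITES, pairs)))
        print("\n".join(crypto_commands(site, SITES)))
```

Run it once per gateway and paste the three outputs into /etc/network/interfaces (outside the netifcfg section), ospfd.conf and the Cisco-like console respectively. Because the pair table is derived from sorted site names, adding a ninth site only appends new pairs; existing /31s and keys do not move.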

Attention! If certificate revocation checking via CRL is not used, this must be stated explicitly:

#crypto pki trustpoint s-terra_technological_trustpoint
#revocation-check none

Keep in mind that with revocation checking disabled, a peer certificate that the CA has since revoked (for example after a gateway compromise) will still be accepted until it expires, so this setting is only appropriate where a CRL genuinely cannot be distributed.

At this point the configuration can be considered complete. In the Cisco-like console, the commands show crypto isakmp sa and show crypto ipsec sa should display the established first and second IPsec phases. The same information is available with the command sa_mgr show, run from the Debian shell. The output of cert_mgr show should list the remote gateways' certificates; their status will be Remote. If the tunnels do not come up, check the VPN service log in /var/log/cspvpngate.log. A full list of log files with a description of their contents is given in the documentation.

Monitoring the system's health

The S-Terra CG uses the snmpd daemon for monitoring. In addition to the standard Linux parameters, S-Terra supports out of the box the export of IPsec tunnel data according to CISCO-IPSEC-FLOW-MONITOR-MIB, which we use to monitor the state of the IPsec tunnels. Custom OIDs that return the output of a script as their value are also supported, and this is how we track certificate expiration dates: the script we wrote parses the output of cert_mgr show and returns the number of days until the local and root certificates expire. This technique is indispensable when administering a large number of CGs.
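The expiry check described above, as an added example rather than the script the authors used or anything shipped with S-Terra: it parses cert_mgr show output, reports whole days until the nearest Local and Root certificate expires, and prints one line per class for snmpd to expose. The output format of cert_mgr show used here (numbered blocks with Status and Not After lines) is an assumption of the example, as is the constructed sample; adapt the regular expressions to the real output of the installed version.

```python
"""Days-to-expiry check over cert_mgr show output, for an snmpd extend OID (added example)."""
import re
import subprocess
import sys
from datetime import datetime, timezone

# Constructed sample in the ASSUMED format: one block per certificate with a
# Status line (Local/Root/Remote) and a "Not After" timestamp in UTC.
SAMPLE_OUTPUT = """\
Found 3 certificates, 1 CRL.
1 Status: Local
  Subject: CN=cg-site1,O=Customer
  Not Before: 2023-01-10 09:00:00 UTC
  Not After:  2024-01-10 09:00:00 UTC
2 Status: Root
  Subject: CN=Customer GOST CA
  Not Before: 2020-01-01 00:00:00 UTC
  Not After:  2030-01-01 00:00:00 UTC
3 Status: Remote
  Subject: CN=cg-site2,O=Customer
  Not Before: 2023-02-01 00:00:00 UTC
  Not After:  2024-02-01 00:00:00 UTC
"""

STATUS_RE = re.compile(r"^\s*\d+\s+Status:\s*(\w+)")
NOT_AFTER_RE = re.compile(r"^\s*Not After:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC")


def parse_utc(stamp):
    """Parse 'YYYY-MM-DD HH:MM:SS' as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_certificates(text):
    """Return a list of (status, not_after) tuples, one per certificate block."""
    certs = []
    status, not_after = None, None
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            if status is not None:  # flush the previous block
                certs.append((status, not_after))
            status, not_after = m.group(1), None
            continue
        m = NOT_AFTER_RE.match(line)
        if m and status is not None:
            not_after = parse_utc(m.group(1))
    if status is not None:
        certs.append((status, not_after))
    return certs


def days_to_expiry(text, now, statuses=("Local", "Root")):
    """Minimum whole days until expiry per status class; -1 if a class is absent.

    Only the gateway's own and root certificates are reported: a Remote peer's
    certificate is the peer's problem, whereas an expired local or CA
    certificate takes every tunnel on this gateway down. Values go negative
    once a certificate has expired.
    """
    result = {}
    for wanted in statuses:
        dates = [d for s, d in parse_certificates(text) if s == wanted and d is not None]
        result[wanted] = min((d - now).days for d in dates) if dates else -1
    return result


def main(argv):
    # With --live the real utility is queried; otherwise the constructed sample is used.
    if "--live" in argv:
        text = subprocess.run(["cert_mgr", "show"], capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_OUTPUT
    # snmpd 'extend' exposes each stdout line as an OID, so print one line per class.
    for status, days in days_to_expiry(text, datetime.now(timezone.utc)).items():
        print(f"{status.lower()}_days_left {days}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Alert on the Local value well before it reaches zero: issuing a new GOST certificate, importing it with cert_mgr import and redistributing the CA's CRL takes longer than a day on a fleet of gateways, and the -1 sentinel should itself be alerted on, since it means the parser no longer recognizes the output.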

What is the benefit of this kind of encryption?

All of the functionality described above is supported by the S-Terra CG out of the box. In other words, there was no need to install additional modules that could affect the certification of the crypto gateways or the certification of the information system as a whole. The channels between the sites can be of any kind, including the public Internet.

Because changes to the internal infrastructure do not require reconfiguring the crypto gateways, the system works as a service, which is very convenient for the customer: it can place its services (clients and servers) at any addresses, and all changes are propagated dynamically between the encryption devices.

Encryption does, of course, add overhead and therefore affects data transfer speed, but only slightly: throughput may drop by 5-10%. The solution was also tested on satellite channels, which are unstable and have low bandwidth, and showed good results there as well.

Igor Vinokhodov, 2nd line administration engineer, Rostelecom-Solar

Source: www.habr.com
