Modern approaches to building information security systems: network packet brokers (Network Packet Broker)

Information security has separated from telecom into an independent industry with its own specifics and its own equipment. There is, however, one little-known class of devices that sits on the boundary between telecom and information security: network packet brokers, also sold as traffic aggregators, dedicated/monitoring switches, Security Delivery Platform, Network Visibility and so on. As a Russian developer and manufacturer of such devices, we would like to tell you more about them.


Background and the tasks to be solved

Network packet brokers are specialized devices that have found their widest use in information security systems. At the same time, the device class is relatively new and, compared with switches, routers and the like, rare in ordinary networks. The pioneer of this class of device was the American company Gigamon. Today there are quite a few players in this market (including comparable solutions from well-known makers of test systems such as IXIA), but only a narrow circle of specialists knows that such devices exist. As noted above, even the terminology is not settled: names range from "network visibility system" to simply "balancer".

While working on our network packet brokers, we found that, besides studying the functional capabilities and testing in laboratories and test sites, we also have to explain to potential customers that this class of device exists at all, since not everyone is aware of it.

Even 15-20 years ago there was little traffic on networks, and most of it was non-critical data. But Nielsen's law essentially repeats Moore's law: Internet connection speed grows by 50% per year. Traffic volume is also growing exponentially (the figure shows the 2017 forecast from Cisco, source: Cisco Visual Networking Index: Forecast and Trends, 2017-2022):

(figure: Cisco Visual Networking Index traffic forecast, 2017-2022)

Along with speed, the value of the transmitted information (trade secrets as well as the personal data everyone is familiar with) and the overall role of the infrastructure are growing.

Hence the information security industry emerged. It responded with a multitude of traffic analysis tools (DPI), from DDoS mitigation systems to security event management systems, including IDS, IPS, DLP, NBA, SIEM, antimalware and so on. As a rule, each of these tools is software installed on a server platform. Moreover, each piece of software (analysis tool) is installed on its own server platform: the software vendors differ, and L7 analysis demands substantial computing resources.

When building an information security system, several key tasks have to be solved:

  • how to get traffic from the infrastructure into the analysis systems? (the SPAN ports intended for this on modern switches are insufficient either in number or in functionality)
  • how to distribute traffic among the different analysis systems?
  • how to scale the systems when a single analyzer instance lacks the performance to process the full volume of incoming traffic?
  • how to monitor 40G/100G interfaces (and soon 200G/400G as well), when analysis tools today support only 1G/10G/25G?

And the following tasks:

  • how to filter out irrelevant traffic that needs no processing but still reaches the analysis tools and consumes their resources?
  • how to handle encapsulated packets and packets carrying hardware service tags, whose processing by the analyzer is either resource-intensive or impossible altogether?
  • how to exclude from analysis the part of the traffic that the security policy does not cover (for example, header traffic).

As everyone knows, demand creates supply, and in response to these needs network packet brokers began to be developed.

General description of network packet brokers

Network packet brokers operate at the packet level, and in that respect they resemble ordinary switches. The fundamental difference from switches is that the rules for distributing and aggregating traffic in a packet broker are defined entirely by configuration. A packet broker has no standard mechanisms for building forwarding tables (MAC tables) or for exchanging protocol information with other switches (such as STP), so the range of possible configurations and logical functions is considerably wider. A broker can distribute traffic from one or several input ports evenly across a set of output ports grouped under a load-balancing function. Rules can be configured for copying, filtering, classifying, distributing and modifying traffic. These rules can be applied to different groups of the broker's input ports, and also applied one after another inside the device. The key advantages of a packet broker are processing traffic at line rate and preserving session integrity (when balancing traffic across several DPI systems of the same type).

Preserving session integrity means delivering all packets of one transport-layer session (TCP/UDP/SCTP) to a single port. This matters because DPI systems (usually software running on a server attached to a broker output port) analyze the content of the application-layer exchange, and all packets sent and received by one application must arrive at the same analyzer. If packets of one session are lost or split between different DPI devices, each DPI device is in the position of a reader who sees not the whole text but only individual words from it. And the text, most likely, will not be understood.

Therefore, with a focus on information security systems, packet brokers carry functionality that helps connect software DPI systems to high-speed networks and reduce their load: they filter, distribute and pre-process traffic to simplify its subsequent processing.

In addition, since packet brokers provide rich statistics and are usually connected to many points in the network, they also find a place in detecting network health problems in their own right.

Basic functions of network packet brokers

The name "dedicated/monitoring switches" comes from the basic functions: collecting traffic from the infrastructure (usually via passive optical TAPs and/or SPAN ports) and distributing it among analysis tools. Traffic is mirrored (duplicated) between systems of different types and balanced between systems of the same type. Basic functions usually also include filtering on fields up to L4 (MAC, IP, TCP/UDP port, etc.) and aggregating several lightly loaded links into one (for example, for processing on a single DPI).

This functionality solves the basic task: connecting DPI systems to the network infrastructure. Brokers from various vendors that are limited to the basic functions offer configurations of up to 32 100G ports in 1U (more interfaces simply do not fit on a 1U front panel). However, they cannot reduce the load on the analysis tools, and in complex infrastructures they cannot even meet the requirement of the basic task: a session split across several tunnels (or carrying different MPLS tags) may end up on different analyzers and, as a rule, drops out of analysis.

Besides adding 40/100G interfaces and, accordingly, raising performance, packet broker vendors are actively developing by offering new functions: from balancing on tunnel headers to traffic decryption. Unfortunately, such models cannot boast the same port density, but they make it possible to build a more sophisticated and technically "elegant" security system in which each analysis tool is guaranteed to receive exactly the traffic it needs, in the form most convenient for analysis.

Advanced functions of network packet brokers

1. Balancing on nested headers in tunneled traffic, mentioned above.

Why is this needed? Consider three situations that can cause difficulties together or separately:

  • ensuring even balancing when there are few tunnels. If there are two tunnels at the point where the security system is attached, they cannot be distributed by outer headers across three server platforms while preserving session integrity. At the same time, traffic in the tunnels is distributed unevenly, and sending each tunnel to its own analyzer requires a large performance margin;
  • preserving session integrity and the flows of multi-session protocols (for example, FTP and VoIP) whose packets ended up in different tunnels. Network complexity grows constantly: redundancy, virtualization, simplified management, and so on. On the one hand this improves data delivery reliability; on the other, it complicates the work of security systems. Even with enough analyzer performance to process a dedicated tunnel in full, the problem stays unsolved, because some packets of the application exchange are sent over another path. And even if session integrity is somehow preserved, multi-session protocols can still end up split;
  • balancing in the presence of MPLS, VLAN, hardware tags, etc. These are not tunnels, but devices with basic functionality may fail to recognize such traffic as IP at all and balance by MAC addresses, again breaking either balancing uniformity or session integrity.

A network packet broker parses the outer headers, follows the chain of pointers down to the nested IP header, and balances on that. As a result there are many flows (so they can be distributed far more evenly and across more outputs), and the DPI system receives every packet of a session and all the related sessions of multi-session protocols.
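As an added illustration (not code from the article or from DS Integrity), the following Python sketch shows the parsing this paragraph describes: it walks through 802.1Q, GRE and VXLAN encapsulation down to the innermost IPv4 header and hashes the inner 5-tuple symmetrically, so both directions of a session land on the same analyzer port even when the request and the reply travel through different tunnels. The addresses, tunnel layout and frame builders are constructed for the demo.

```python
import struct, zlib
ETH_VLAN, ETH_IPV4, VXLAN_PORT = 0x8100, 0x0800, 4789
TCP, UDP, GRE = 6, 17, 47

def parse_eth(buf, off=0, depth=0, max_depth=3):
    # Skip the Ethernet header and any stacked 802.1Q tags, then parse the IPv4 packet behind them
    ethertype = struct.unpack_from("!H", buf, off + 12)[0]
    off += 14
    while ethertype == ETH_VLAN:
        ethertype, off = struct.unpack_from("!H", buf, off + 2)[0], off + 4
    return parse_ipv4(buf, off, depth, max_depth) if ethertype == ETH_IPV4 else None

def parse_ipv4(buf, off, depth=0, max_depth=3):
    # Return (src, dst, proto, sport, dport) of the innermost IPv4 packet, descending through GRE and VXLAN
    ihl, proto = (buf[off] & 0x0F) * 4, buf[off + 9]
    src, dst = struct.unpack_from("!4s4s", buf, off + 12)
    off += ihl
    if proto == GRE and depth < max_depth:            # skip the optional GRE checksum/key/sequence words
        flags, inner_type = struct.unpack_from("!HH", buf, off)
        off += 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
        if inner_type == ETH_IPV4:
            return parse_ipv4(buf, off, depth + 1, max_depth)
    sport, dport = struct.unpack_from("!HH", buf, off) if proto in (TCP, UDP) else (0, 0)
    if proto == UDP and dport == VXLAN_PORT and depth < max_depth:   # 8-byte UDP + 8-byte VXLAN header
        return parse_eth(buf, off + 16, depth + 1, max_depth)
    return src, dst, proto, sport, dport

def pick_output_port(key, n_ports):
    # Symmetric hash of the 5-tuple: both directions of one flow land on the same analyzer port
    src, dst, proto, sport, dport = key
    (a, ap), (b, bp) = sorted([(src, sport), (dst, dport)])
    return zlib.crc32(a + b + struct.pack("!HHB", ap, bp, proto)) % n_ports

def ipv4(src, dst, proto, payload):                   # minimal IPv4 header, no options, checksum left zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def eth(payload, vlan=None):                          # Ethernet frame with zeroed MACs and optional 802.1Q tag
    tag = struct.pack("!HH", ETH_VLAN, vlan) if vlan is not None else b""
    return b"\x00" * 12 + tag + struct.pack("!H", ETH_IPV4) + payload

def demo_session(n_ports=8):
    # Constructed sample: request A->B rides a VLAN-tagged GRE tunnel, the reply B->A rides a VXLAN tunnel
    ip_a, ip_b, tun1, tun2 = b"\x0a\x01\x01\x01", b"\x0a\x02\x02\x02", b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02"
    req = ipv4(ip_a, ip_b, TCP, struct.pack("!HH", 40000, 443) + b"\x00" * 16)
    rep = eth(ipv4(ip_b, ip_a, TCP, struct.pack("!HH", 443, 40000) + b"\x00" * 16))
    f1 = eth(ipv4(tun1, tun2, GRE, struct.pack("!HH", 0, ETH_IPV4) + req), vlan=100)
    vxlan = struct.pack("!HHHH", 5555, VXLAN_PORT, 16 + len(rep), 0) + struct.pack("!II", 0x08000000, 42 << 8)
    f2 = eth(ipv4(tun2, tun1, UDP, vxlan + rep))
    outer = [pick_output_port(parse_eth(f, max_depth=0), n_ports) for f in (f1, f2)]   # outer keys differ
    inner = [pick_output_port(parse_eth(f), n_ports) for f in (f1, f2)]                # inner ports match
    return outer, inner
```

Balancing on the outer headers gives the two directions different keys (so they may land on different analyzers), while balancing on the inner 5-tuple always sends both to the same port.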

2. Traffic modification.
One of the richest functions in terms of capabilities, number of variants and options. Among the options are:

  • payload stripping, where only the packet headers are delivered to the analyzer. This matters for analysis tools or traffic types where the packet content carries no value or cannot be analyzed. For example, for encrypted traffic the parametric data of the exchange (who, with whom, when and how much) may be of interest, while the payload is ballast that consumes channel capacity and the analyzer's computing resources. A variant is possible where the payload is cut starting from a given offset; this gives the analysis tools additional flexibility;
  • de-tunneling, i.e. removing the headers that mark and identify a tunnel. The goal is to reduce the load on the analysis tools and extend their capabilities. De-tunneling can be implemented as a fixed offset or as dynamic header parsing with a per-packet decision;
  • removing packet headers: MPLS tags, VLAN tags, proprietary fields of third-party vendors' equipment;
  • masking parts of headers, for example masking IP addresses to anonymize traffic;
  • adding service information to a packet: timestamps, input port, traffic class labels, and so on.

3. Deduplication: removing repeated packets sent to the analysis tools. Duplicate packets usually arise from the topology of the attachment to the infrastructure: the same traffic may pass through several monitoring points and be mirrored from each of them. TCP retransmissions also occur, but if there are many of them, that is more a question for network performance monitoring than for information security as such.
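An added example (not from the article) of the deduplication just described: copies of one packet mirrored from two taps differ in MAC addresses, VLAN tag, TTL and IP header checksum, so the digest skips the Ethernet header and masks those mutable fields, and a short time window ensures that a later genuine retransmission of the same bytes still passes. The window length, the sample frames and the memory bound are constructed assumptions.

```python
import hashlib
import struct
from collections import OrderedDict

class Deduplicator:
    """Drop copies of one packet seen at several taps within window_ns; later repeats (e.g. TCP retransmissions) pass."""
    def __init__(self, window_ns=50_000_000, max_entries=100_000):
        self.window_ns, self.max_entries = window_ns, max_entries
        self.seen = OrderedDict()            # digest -> first-seen timestamp (ns), oldest first
        self.dropped = 0

    @staticmethod
    def key(frame):
        # Digest the IPv4 packet only: MACs and VLAN tag are skipped, and the fields that
        # legitimately change between observation points (ToS, TTL, header checksum) are zeroed
        ethertype = struct.unpack_from("!H", frame, 12)[0]
        off = 14
        if ethertype == 0x8100:              # 802.1Q tagged copy
            ethertype = struct.unpack_from("!H", frame, 16)[0]
            off = 18
        if ethertype != 0x0800:
            return hashlib.sha1(frame).digest()   # non-IPv4: compare the whole frame
        pkt = bytearray(frame[off:])
        pkt[1], pkt[8], pkt[10:12] = 0, 0, b"\x00\x00"
        return hashlib.sha1(pkt).digest()

    def accept(self, frame, ts_ns):
        """True if the frame should be forwarded to the analyzers, False if it is a duplicate."""
        while self.seen and ts_ns - next(iter(self.seen.values())) > self.window_ns:
            self.seen.popitem(last=False)    # expire entries older than the window
        k = self.key(frame)
        if k in self.seen:
            self.dropped += 1
            return False
        self.seen[k] = ts_ns
        if len(self.seen) > self.max_entries:
            self.seen.popitem(last=False)    # bound memory under load
        return True

def demo_taps():
    # Constructed sample: one TCP packet mirrored from two taps one router hop apart, then retransmitted 200 ms later
    def tapped(ttl, macs, vlan=None):
        ip = bytes.fromhex("4500002800010000") + bytes([ttl, 6, 0, 0, 10, 1, 1, 1, 10, 2, 2, 2])
        tag = b"\x81\x00" + vlan.to_bytes(2, "big") if vlan is not None else b""
        return macs + tag + b"\x08\x00" + ip + bytes.fromhex("9c4001bb") + b"\x00" * 16
    d = Deduplicator(window_ns=50_000_000)
    verdicts = [d.accept(tapped(64, b"\xaa" * 12), 0),                     # tap 1: first copy
                d.accept(tapped(63, b"\xbb" * 12, vlan=200), 1_000_000),   # tap 2, 1 ms later: duplicate
                d.accept(tapped(63, b"\xbb" * 12, vlan=200), 200_000_000)] # same bytes after the window: kept
    return verdicts, d.dropped   # ([True, False, True], 1)
```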

4. Advanced filtering functions: from searching for a given value at a given offset to signature analysis over the whole packet.

5. NetFlow/IPFIX generation: collecting extended statistics on the passing traffic and delivering them to the analysis tools.

6. SSL traffic decryption; it works only if the certificates and keys are first loaded into the packet broker, but it makes it possible to offload the analysis tools substantially.

There are many other functions, both useful and marketing-driven, but the main ones, perhaps, have been listed.

Turning detection systems (for intrusions, DDoS attacks) into prevention systems, as well as the deployment of active DPI tools, required a change in the attachment scheme from passive (via TAPs or SPAN ports) to active (inline, "in the gap"). This raised the reliability requirements (since a failure in this case means an outage of the whole network, not just a loss of security monitoring) and led to optical couplers being replaced by optical bypasses (to remove the dependence of network operation on the security system's operation), but the main function and the requirements for it remained the same.

We have developed the DS Integrity network packet brokers with 100G, 40G and 10G interfaces, from circuit design and board layout to the embedded software. Moreover, unlike other packet brokers, modification and balancing on tunnel headers are implemented in our hardware, at full port speed.


Source: www.habr.com
