Testing will tell: how to prepare for a Cisco ISE deployment and understand what you actually need

How often do you buy something on impulse, swayed by flashy advertising, and then the thing you wanted so badly gathers dust in a closet, pantry or garage until the next spring cleaning or a move? The result is disappointment from unmet expectations and wasted money. It is far worse when this happens to a business. Marketing gimmicks are often so convincing that companies buy an expensive solution without seeing the whole picture of how it will be used. Pilot testing of a system, on the other hand, helps you understand how to prepare the infrastructure for integration, which functions you need and how they should be used. This way you can avoid many of the problems that come from choosing a product "blindly". Moreover, a deployment that follows a well-run "pilot" costs the engineers far fewer nerve cells and grey hairs. Let's look at why pilot testing is so important for a successful project, using as an example a well-known corporate network access control product, Cisco ISE. We will consider both standard and non-standard scenarios for applying the solution that we have encountered in our practice.

Cisco ISE: a "RADIUS server on steroids"

Cisco Identity Services Engine (ISE) is a platform for building an access control system for the corporate local network. In the expert community the product has been nicknamed a "RADIUS server on steroids" for its capabilities. Why? In essence, the solution is a RADIUS server to which a large number of additional services and "tricks" have been attached, letting you gather a lot of contextual information and apply the resulting set of attributes in access policies.

Like any other RADIUS server, Cisco ISE interacts with the network access equipment, collects information about every attempt to connect to the corporate network and, based on authentication and authorization policies, admits users to the LAN or denies them. However, the ability to profile endpoints, run posture checks and integrate with other information security solutions makes it possible to build much more complex authorization policy logic and thereby solve quite difficult and interesting tasks.


No deployment without a trial: why do you need a pilot?

The value of pilot testing is that it demonstrates all the capabilities of the system in the infrastructure of a specific organization. I am convinced that piloting Cisco ISE before deployment benefits everyone involved in the project, and here is why.

It gives the integrator a clear idea of what the customer expects and helps produce a proper technical specification that contains more than the usual phrase "make sure everything works". The "pilot" lets us feel all of the customer's pain and understand which tasks are top priority for them and which are secondary. For us it is also an excellent opportunity to learn in advance which equipment is used in the organization, how the deployment will go, where it will take place, and so on.

During pilot testing, the customer sees the real system in operation, gets to know its interface, can check whether it is compatible with their existing hardware, and gains a fuller understanding of how the solution will work after full deployment. The "pilot" is the moment when you can spot all the pitfalls you may run into during integration and decide how many licenses you actually need to buy.

What can "surface" during the "pilot"

So how do you properly prepare for a Cisco ISE deployment? Based on our experience, we have identified 4 main points that are important to consider during pilot testing of the system.

Form factor

First, you need to decide in which form factor the system will operate: a physical or a virtual appliance. Each option has its pros and cons. For example, the strength of a physical appliance is its predictable performance, but we should not forget that such devices become obsolete over time. Virtual appliances are less predictable because they depend on the hardware on which the virtualization environment runs, but they have a serious advantage: with a valid support contract they can always be upgraded to the latest version.

Is your network equipment compatible with Cisco ISE?

Of course, the ideal scenario would be to connect all the equipment to the system at once. However, this is not always possible, because many organizations still use unmanaged switches, or switches that do not support some of the technologies that Cisco ISE relies on. By the way, we are not only talking about switches; this also applies to wireless controllers, VPN concentrators and any other equipment through which users connect. In my practice there have been cases where, after a demonstration of the system, the customer upgraded almost their entire fleet of access-layer switches to modern Cisco equipment before the full deployment. To avoid unpleasant surprises, it is worth finding out in advance what share of the devices is unsupported.

Are all your devices standard?

Every network has devices that should not be hard to connect: workstations, IP phones, Wi-Fi access points, video cameras, and so on. But it also happens that non-standard devices need to be connected to the LAN, for example RS232/Ethernet bus converters, uninterruptible power supply interfaces, various industrial equipment, and so on. It is important to compile a list of such devices in advance, so that at the deployment stage you already understand how they will technically work with Cisco ISE.

Constructive dialogue with the IT specialists

The customers of Cisco ISE are usually security departments, while IT departments are typically responsible for configuring the access switches and Active Directory. Productive interaction between the security specialists and the IT specialists is therefore one of the key conditions for a painless deployment of the system. If the latter view the integration with hostility, it is worth explaining to them how the solution will be useful to the IT department as well.

Top 5 Cisco ISE use cases

In our experience, the functionality the system must provide is also identified at the pilot testing stage. Below are some of the most popular, and some less popular, use cases for the solution.

Secure wired LAN access with EAP-TLS

As the results of our pentesters' work show, to get into a company's network attackers quite often use an ordinary wall socket to which a printer, phone, IP camera, Wi-Fi access point or other non-personal device is connected. So even when network access is built on dot1x technology but alternative methods are used that do not authenticate users by certificate, there is a high probability of a successful attack involving session hijacking and password brute-forcing. With Cisco ISE, stealing a certificate is much harder; an attacker would need a great deal of computing power to do it, which makes this use case very effective.

Wireless access with dual SSID

The essence of this case is the use of 2 network identifiers (SSIDs). One of them can be called "guest". Through it, both guests and company employees can access the wireless network. When they try to connect, the latter are redirected to a special portal where provisioning takes place. That is, the user is issued a certificate and their device is configured to reconnect automatically to the second SSID, which already uses EAP-TLS with all the advantages of the first case.

MAC Authentication Bypass and Profiling

Another popular use case is identifying the type of device being connected and applying the appropriate restrictions. Why is it interesting? The fact is that there are still many devices that do not support authentication using the 802.1X protocol. Such devices therefore have to be admitted to the network by their MAC address, which is fairly easy to forge. This is where Cisco ISE comes to the rescue: with the system you can observe how the device behaves on the network, build its profile and assign it to a group of similar devices, for example IP phones or workstations. If an attacker tries to spoof a MAC address and connect to the network, the system will notice that the device's profile has changed, flag the anomalous behaviour and deny the suspicious device access to the network.
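The profile-change logic described above, as an added example; this is not Cisco ISE's own code or profiling algorithm, and all device attributes, weights and classification rules below are constructed for illustration. An endpoint admitted by MAC address is learned on first sight, and later observations are compared against that learned profile: a small change (a new DHCP hostname) is tolerated, while a change of device class or a large weighted mismatch sends the endpoint to quarantine.

```python
"""Profile-change detection for MAB endpoints (added example, not Cisco ISE code).

Models the idea in the text: a device admitted by MAC address keeps its access
only while its observed attributes still match the profile learned for that MAC.
All device data below is constructed.
"""
from dataclasses import dataclass

# Attributes an access network typically exposes for a non-802.1X endpoint.
PROFILE_ATTRIBUTES = ("oui_vendor", "dhcp_class", "dhcp_hostname", "lldp_descr", "open_ports")

# Hypothetical weights: attributes a MAC spoofer cannot change just by copying
# the address count for more than the OUI vendor, which follows the MAC itself.
WEIGHTS = {"oui_vendor": 1, "dhcp_class": 2, "dhcp_hostname": 1, "lldp_descr": 3, "open_ports": 3}


@dataclass(frozen=True)
class Observation:
    mac: str
    oui_vendor: str        # vendor derived from the MAC's OUI
    dhcp_class: str        # DHCP option 60 vendor class identifier
    dhcp_hostname: str     # DHCP option 12 hostname
    lldp_descr: str        # LLDP system description ("" if the device sends none)
    open_ports: frozenset  # listening TCP ports seen by a scan or flow data


def classify(obs):
    """Coarse device class from the observed attributes (hypothetical rules)."""
    text = f"{obs.dhcp_class} {obs.lldp_descr}".lower()
    if "ip phone" in text:
        return "IP-Phone"
    if "printer" in text or 9100 in obs.open_ports:
        return "Printer"
    if "msft" in text or "windows" in text:
        return "Workstation"
    return "Unknown"


def mismatch_score(baseline, current):
    """Weighted count of attributes that differ from the learned profile."""
    return sum(WEIGHTS[a] for a in PROFILE_ATTRIBUTES
               if getattr(baseline, a) != getattr(current, a))


def decide(baseline, current, threshold=3):
    """Authorization decision for a MAB endpoint: PROFILE, PERMIT or QUARANTINE."""
    if baseline is None:
        return "PROFILE", "first sighting: learn the profile before granting full access"
    score = mismatch_score(baseline, current)
    old_cls, new_cls = classify(baseline), classify(current)
    if old_cls != new_cls or score >= threshold:
        return "QUARANTINE", f"profile changed {old_cls}->{new_cls} (score {score})"
    return "PERMIT", f"still matches {old_cls} profile (score {score})"


def process(events):
    """Replay a sequence of observations, learning a baseline per MAC on first sight."""
    baselines, decisions = {}, []
    for obs in events:
        decision, reason = decide(baselines.get(obs.mac), obs)
        if decision == "PROFILE":
            baselines[obs.mac] = obs
        decisions.append((obs.mac, decision, reason))
    return decisions


# Constructed sample data: a desk phone, the same phone after a reboot with a
# changed hostname, and a laptop that copied the phone's MAC address.
PHONE = Observation("02:aa:bb:cc:dd:01", "Acme", "Acme Systems IP Phone",
                    "SEP02AABBCCDD01", "Acme IP Phone 700", frozenset({80}))
PHONE_RENAMED = Observation("02:aa:bb:cc:dd:01", "Acme", "Acme Systems IP Phone",
                            "SEP02AABBCCDD01-2", "Acme IP Phone 700", frozenset({80}))
SPOOFER = Observation("02:aa:bb:cc:dd:01", "Acme", "MSFT 5.0",
                      "LAPTOP-X1", "", frozenset({135, 445}))

if __name__ == "__main__":
    for mac, decision, reason in process([PHONE, PHONE_RENAMED, SPOOFER]):
        print(mac, decision, reason)
```

The threshold and weights are the tuning knobs: too strict and every firmware update or DHCP lease renewal quarantines a printer, too loose and a spoofer that also mimics the DHCP vendor class slips through, which is why the LLDP description and the observed port set carry the most weight here.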

EAP-Chaining

EAP-Chaining technology involves sequential authentication of the work PC and the user account. This case has become widespread because many companies still do not welcome employees' personal gadgets on the corporate LAN. Using this authentication approach, you can check whether a workstation is a member of the domain, and if the result is negative, the user is either not admitted to the network at all or admitted with certain restrictions.

Posture

This use case is about checking the workstation software's compliance with information security requirements. Using this technology you can check whether the software on the workstation is up to date, whether protection tools are installed, whether the firewall is configured, and much more. Interestingly, this technology also lets you solve tasks unrelated to security, for example checking for the presence of required files or for the installation of corporate software.

Less common Cisco ISE use cases include access control based on end-to-end domain authentication (Passive ID), SGT-based micro-segmentation and filtering, and integration with mobile device management (MDM) systems and vulnerability scanners.

Non-standard projects: why else you might need Cisco ISE, or three rare cases from our practice

Access control for Linux-based servers

Once we were solving a non-trivial problem for one of our customers who already had a Cisco ISE system in place: we needed a way to centrally control user (mainly administrator) actions on Linux-based servers. While searching for a solution, we came up with the idea of using the free PAM Radius Module, which lets you log in to Linux servers while authenticating against an external RADIUS server. Everything would have been fine if not for one "but": when answering an authentication request, the RADIUS server returns only the account name and the result, access accepted or access rejected. Meanwhile, for authorization on Linux you also need to provide at least one more parameter, the home directory, so that the user has somewhere to land. We did not find a way to pass this as a RADIUS attribute, so we wrote a special script for remotely creating accounts on the hosts in semi-automatic mode. The task was feasible because we were dealing with administrator accounts, of which there were not many. After that, users logged in to the required device and were granted the required access. A logical question arises: is it necessary to use Cisco ISE in such a situation? In fact, no; any RADIUS server would do, but since the customer already had this system, we simply added a new function to it.
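For the mechanism described above, here is an added configuration illustration; it is not the author's script or configuration, and the server address and shared secret are placeholders. The PAM RADIUS module (pam_radius_auth.so, configured through /etc/raddb/server) is consulted by the login service for the yes/no answer, while the local account with its home directory still has to exist on the host, which is exactly the gap the account-creation script had to fill.

```text
# /etc/raddb/server (pam_radius config): server[:port]  shared_secret  timeout
# RADIUS_SERVER_IP and SHARED_SECRET are placeholders, not real values
RADIUS_SERVER_IP:1812   SHARED_SECRET   3

# /etc/pam.d/sshd (fragment): ask RADIUS first, fall back to the local password
auth    sufficient  pam_radius_auth.so
auth    required    pam_unix.so
```

Access-Accept from the RADIUS server only vouches for the username; if `getent passwd <user>` on the host returns nothing (no UID, no home directory), the session still cannot be set up, so the accounts have to be provisioned on each server by some other means before RADIUS login works.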

Inventory of hardware and software on the LAN

We once had to deliver Cisco ISE to a customer without a preliminary "pilot". There were no clear requirements for the solution; on top of that, we were dealing with a flat, unsegmented network, which complicated our task. During the project we configured every profiling method the network supported: NetFlow, DHCP, SNMP, AD integration, and so on. As a result, MAR access was configured with the ability to get onto the network even if authentication failed. That is, even when authentication was unsuccessful, the system let the user onto the network, collected information about them and recorded it in the ISE database. Monitoring the network this way for several weeks helped us identify the connected systems and non-personal devices and develop an approach to segmenting them. After that we additionally configured posture to install the agent on workstations in order to collect information about the installed software. What was the result? We were able to segment the network and compile a list of software that had to be removed from the workstations. I won't hide that the subsequent tasks of distributing users into domain groups and delimiting access rights took us quite a lot of time, but this way we got a complete picture of what the customer had on the network. By the way, this was not difficult thanks to good out-of-the-box profiling. Well, where profiling didn't help, we went looking ourselves, pinpointing the switch port to which the equipment was connected.

Remote installation of software on workstations

This case is one of the strangest in my practice. One day a customer came to us with a cry for help: something had gone wrong during the Cisco ISE deployment, everything had broken, and no one could access the network anymore. We started looking into the situation and found out the following. The company had 2000 computers which, in the absence of a domain controller, were managed under an administrator account. For audit purposes, the organization deployed Cisco ISE. They needed to understand whether antivirus was installed on the existing PCs, whether the software environment was up to date, and so on. And since the IT administrators had added the network equipment to the system, it is logical that they had access to it. Having seen how it worked and having posture-checked their own PCs, the admins came up with the idea of installing software on remote workstations without visiting them in person. Just imagine how many steps a day you can save that way! The admins ran several checks on the workstations for the presence of a certain file in C:\Program Files, and if it was absent, automatic remediation was launched via a link pointing to a file share with an .exe file. This let ordinary users go to the file share and download the required software from there. Unfortunately, the admin did not know the ISE system well enough and messed up the posture policies: he wrote the policy incorrectly, which led to the problem we had to deal with. Personally, I was very surprised by such a creative approach, because it would have been cheaper and less labour-intensive to set up a domain controller. But as a proof of concept it worked.

Read more about the technical subtleties that come up when deploying Cisco ISE in my colleague's article "Cisco ISE deployment. An engineer's view".

Artem Bobrikov, design engineer at the Information Security Center, Jet Infosystems

P.S.:
Although this post is about the Cisco ISE system, the problems described are relevant to the whole class of NAC solutions. It doesn't matter much which vendor's solution is being planned for deployment; most of the above still applies.

Source: www.habr.com
