2. UserGate Getting Started. Requirements, installation

Hello, this is the second article about the NGFW solution from the company UserGate. The purpose of this article is to show how to install the UserGate firewall on a virtual machine (I will use VMware Workstation as the virtualization software) and to perform its initial configuration (allowing access from the local network to the Internet through the UserGate gateway).

1. Introduction

First, I will describe the different ways this gateway can be deployed in a network. I want to note that, depending on the chosen connection option, some gateway functions may be unavailable. The UserGate solution supports the following connection modes:

  • L3-L7 firewall

  • L2 transparent bridge

  • L3 transparent bridge

  • Transparent proxy using the WCCP protocol

  • Transparent proxy using Policy Based Routing

  • Router on a Stick

  • Explicit WEB proxy

  • UserGate as the default gateway

  • Mirror port monitoring

UserGate supports two types of clusters:

  1. Configuration cluster. Nodes combined into a configuration cluster keep the same settings across the whole cluster.

  2. Failover cluster. Up to 4 configuration cluster nodes can be combined into a failover cluster that supports operation in Active-Active or Active-Passive mode. It is possible to build several failover clusters.

2. Installation

As mentioned in the previous article, UserGate is supplied either as a hardware and software appliance or as an installation in a virtual environment. From your personal account on the UserGate website, download the image in OVF (Open Virtualization Format); this format is suitable for VMware and Oracle VirtualBox. Virtual machine disk images are provided for Microsoft Hyper-V and KVM.

According to the UserGate website, for the virtual machine to work correctly it is recommended to use at least 8 GB of RAM and a 2-core virtual processor. The hypervisor must support 64-bit operating systems.

Installation starts with importing the image into the chosen hypervisor (VirtualBox or VMware). In the case of Microsoft Hyper-V and KVM, you must create a virtual machine, specify the downloaded image as its disk, and then disable the integration services in the settings of the created virtual machine.

By default, after import into VMware, a virtual machine is created with the following settings:

As written above, there must be at least 8 GB of RAM, and in addition you must add 1 GB for every hundred users. The default hard drive size is 100 GB, but this is often not enough to store all logs and settings. The recommended size is 100 GB or more. Therefore, in the virtual machine settings, we change the disk size to the required one. Initially, the UserGate UTM virtual machine comes with four interfaces assigned to zones:

Management - the first interface of the virtual machine, the zone for connecting the trusted network from which UserGate management is allowed.

Trusted - the second interface of the virtual machine, the zone for connecting the trusted network, for example the LAN.

Untrusted - the third interface of the virtual machine, the zone for interfaces connected to an untrusted network, for example the Internet.

DMZ - the fourth interface of the virtual machine, the zone for interfaces connected to the DMZ network.

Next, we start the virtual machine. Although the documentation says you must select Support Tools and perform a Factory reset UTM, as you can see, there is only one option (UTM Initial Boot). During this stage, the UTM configures the network adapters and extends the hard drive partition to the full disk size:

To connect to the UserGate web interface, you must go through the Management zone; this is the role of the eth0 interface, which is configured to obtain an IP address automatically (DHCP). If it is not possible to assign an address to the Management interface automatically via DHCP, it can be set explicitly using the CLI (Command Line Interface). To do this, log in to the CLI with a username and password that have full administrator rights (Admin with a capital letter by default). If the UserGate device has not yet been initially configured, then to access the CLI use Admin as the username and utm as the password. Then enter a command like iface config -name eth0 -ipv4 192.168.1.254/24 -enable true -mode static. Next we go to the UserGate web console at the specified address, which should look like this: https://UserGateIPaddress:8001:

In the web console we continue the installation: we must select the interface language (currently Russian or English) and the time zone, then read and accept the license agreement. Set the login and password for entering the web management interface.

3. Setup

After installation, this is what the platform management web interface looks like:

Then you need to configure the network interfaces. To do this, in the "Interfaces" section, enable the ones you need, set the appropriate IP addresses and assign the appropriate zones.

The "Interfaces" section shows all physical and virtual interfaces available in the system, lets you change their settings and add VLAN interfaces. It also shows all interfaces of each cluster node. Interface settings apply to a specific node, i.e. they are not global.

In interface properties you can:

  • Enable or disable the interface

  • Specify the interface type - Layer 3 or Mirror

  • Assign a zone to the interface

  • Assign a Netflow profile for sending statistics to a Netflow collector

  • Change the physical parameters of the interface - MAC address and MTU size

  • Select the type of IP address assignment - no address, static IP address, or obtained via DHCP

  • Configure DHCP relay on the selected interface.

The "Add" button lets you add the following types of logical interfaces:

  • VLAN

  • Bond

  • Bridge

  • PPPoE

  • VPN

  • Tunnel

In addition to the zones listed above that ship with the UserGate image, there are three more predefined zones:

Cluster - the zone for interfaces used to build a cluster

VPN for Site-to-Site - the zone assigned to all Office-to-Office clients connected to UserGate via VPN

VPN for remote access - the zone containing all mobile users connected to UserGate via VPN

A UserGate administrator can change the settings of the built-in zones and also create additional zones, but, as stated for version 5, no more than fifteen zones can be created. To edit or create them, go to the Zones section. For each zone you can set packet drop thresholds; SYN, UDP and ICMP are supported. Access control to UserGate services is also configured there, and protection against spoofing can be enabled.

After configuring the interfaces, you must configure the default route in the "Gateways" section. That is, to connect UserGate to the Internet, you must specify the IP address of one or more gateways. If you use several providers to connect to the Internet, you must specify several gateways. The gateway configuration is unique to each cluster node. If two or more gateways are specified, two options are possible:

  1. Balancing traffic between the gateways.

  2. A main gateway with failover to the remaining ones.

The gateway state (available - green, unavailable - red) is determined as follows:

  1. Network check disabled - the gateway is considered available if UserGate can obtain its MAC address using an ARP request. There is no check of Internet access through this gateway. If the gateway's MAC address cannot be determined, the gateway is considered unavailable.

  2. Network check enabled - the gateway is considered available if:

  • UserGate can obtain its MAC address using an ARP request.

  • The check of Internet access through this gateway completes successfully.

Otherwise, the gateway is considered unavailable.
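The availability logic and the two multi-gateway modes described above, modelled in Python as an added example (this is not UserGate's own code; the Gateway fields, the mode names and the sample addresses are assumptions). It also makes the caveat visible: with the network check disabled, a gateway whose upstream is down still counts as available because only ARP is consulted.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Gateway:
    name: str
    address: str
    arp_resolved: bool                   # ARP request for the gateway IP was answered
    network_check: bool = False          # Internet check enabled for this gateway
    internet_ok: Optional[bool] = None   # result of that check when it is enabled

def is_available(gw: Gateway) -> bool:
    """Green only if the MAC resolves and, when enabled, the Internet check passes.
    With the check disabled a dead upstream still shows green (ARP-only)."""
    if not gw.arp_resolved:
        return False
    if gw.network_check:
        return bool(gw.internet_ok)
    return True

def select_gateways(gateways: List[Gateway], mode: str) -> List[Gateway]:
    """Which gateways carry traffic.
    'failover': the first available one in the listed (priority) order;
    'balance':  every available gateway shares the traffic."""
    available = [g for g in gateways if is_available(g)]
    if mode == "failover":
        return available[:1]
    if mode == "balance":
        return available
    raise ValueError(f"unknown mode {mode!r}")
```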

In the "DNS" section you must add the DNS servers that UserGate will use. This setting is specified in the System DNS Servers area. Below it are the settings for handling DNS requests from users. UserGate lets you use a DNS proxy. The DNS proxy service lets you intercept DNS requests from users and modify them according to the administrator's needs. DNS proxy rules can be used to specify the DNS servers to which requests for particular domains are forwarded. In addition, using the DNS proxy, you can set static host records (A records).

In the "NAT and Routing" section you must create the required NAT rules. For Internet access by users of the Trusted network, a NAT rule has already been created - "Trusted -> Untrusted"; it only remains to enable it. Rules are applied from top to bottom in the order in which they are listed in the console. The first rule whose conditions match the traffic is always the one applied. For a rule to fire, all conditions specified in the rule must match. UserGate recommends creating NAT rules, for example a NAT rule from the local network (usually the Trusted zone) to the Internet (usually the Untrusted zone), and restricting access for users, services and applications with firewall rules.

It is also possible to create DNAT rules, port forwarding, Policy-based routing and Network mapping.

After that, in the "Firewall" section you must create firewall rules. For unrestricted Internet access for users of the Trusted network, a firewall rule has already been created - "Internet for Trusted" - and it must be enabled. Using firewall rules, the administrator can allow or deny any type of network traffic passing through UserGate. Rule conditions can include zones and source/destination IP addresses, users and groups, services and applications. Rules work in the same way as in the "NAT and Routing" section, i.e. top to bottom. If no rules are created, any transit traffic through UserGate is denied.
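The top-to-bottom, first-match, all-conditions-must-hold evaluation described for both the NAT and the firewall sections, with the default deny when nothing matches, modelled in Python as an added example (not UserGate's code; the Rule and Flow fields, the service notation and the sample policy are assumptions). The sample policy places a narrow deny above the predefined "Internet for Trusted" allow to show why rule order matters.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    src_zone: Optional[str] = None     # None means any zone
    dst_zone: Optional[str] = None
    src_nets: list = field(default_factory=list)  # CIDR strings; [] = any
    dst_nets: list = field(default_factory=list)
    services: list = field(default_factory=list)  # e.g. "tcp/443"; [] = any
    users: list = field(default_factory=list)     # [] = any user
    enabled: bool = True                           # a disabled rule is skipped

@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    service: str
    user: str = ""

def _in_nets(ip, nets):
    return not nets or any(ip_address(ip) in ip_network(n) for n in nets)

def rule_matches(rule, flow):
    """Every condition of the rule must hold; an empty condition means any."""
    return (rule.enabled
            and rule.src_zone in (None, flow.src_zone)
            and rule.dst_zone in (None, flow.dst_zone)
            and _in_nets(flow.src_ip, rule.src_nets)
            and _in_nets(flow.dst_ip, rule.dst_nets)
            and (not rule.services or flow.service in rule.services)
            and (not rule.users or flow.user in rule.users))

def evaluate(rules, flow):
    """Return (action, rule_name) of the first matching rule, else default deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return "deny", None

# Constructed sample policy: a narrow deny for one host above the broad allow.
POLICY = [
    Rule("Block server egress", "deny", "Trusted", "Untrusted", src_nets=["192.168.1.10/32"]),
    Rule("Internet for Trusted", "allow", "Trusted", "Untrusted"),
]
```

Reversing POLICY makes the broad allow shadow the deny, which is the usual cause of a rule that "never fires".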

4. Conclusion

This concludes the article. We installed the UserGate firewall on a virtual machine and made the minimum settings necessary for the Internet to work on the Trusted network. We will consider other settings in the following articles.

Stay tuned for updates on our channels (Telegram, Facebook, VK, TS Solution Blog)!

Source: www.habr.com