3. UserGate Getting Started. Network Policies

I welcome readers to the third article in the UserGate Getting Started series, which covers the NGFW solution from the company UserGate. In the previous part, the firewall installation procedure was described and its initial configuration was performed. Now we will take a closer look at creating rules in the Firewall, NAT and Routing, and Bandwidth sections.

The UserGate rule ideology is that rules are processed from top to bottom until the first one that matches. It follows that more specific rules must be placed above more general ones. It should be noted, however, that since rules are checked in order, it is better from a performance standpoint to keep the rule set general rather than creating many narrow rules. When creating any rule, its conditions are combined with "AND" logic. If "OR" logic is required, it is achieved by creating several rules. Everything described in this article therefore applies to the other UserGate policies as well.

Firewall

After installing UserGate, a basic set of rules is already present in the "Firewall" section. The first two rules block botnet traffic. They are followed by example rules for access between different zones. The last rule is always called "Block all" and is marked with a lock icon (meaning the rule cannot be deleted, changed, moved or disabled; only its logging option can be enabled). Because of this rule, all traffic that is not explicitly allowed is blocked by the last rule. If you want to allow all traffic through UserGate (although this is strongly discouraged), you can always create a penultimate rule "Allow all".

When editing or creating a firewall rule, on the first tab, General, you need to do the following:

  • The "On" checkbox enables or disables the rule.

  • Enter the rule name.

  • Enter the rule description.

  • Choose one of two actions:

    • Deny - blocks the traffic (with this action it is also possible to send ICMP host unreachable; you only need to tick the corresponding checkbox).

    • Allow - permits the traffic.

  • The Scenario item lets you select a scenario, which is an additional condition for the rule to trigger. This is how UserGate implements the SOAR concept (Security Orchestration, Automation and Response).

  • Logging - writes information about the traffic to the log when the rule triggers. The options are:

    • Log at session start. In this case only information about the start of the session (the first packet) is written to the traffic log. This is the recommended logging option.

    • Log every packet. In this case information about every transmitted network packet is recorded. For this mode it is recommended to enable a logging limit to avoid high load on the device.

  • Apply the rule to:

    • all packets

    • fragmented packets

    • unfragmented packets

  • When creating a new rule, you can choose its position in the policy.

Next comes the Source tab. Here we specify where the traffic comes from: this can be the zone the traffic originates in, or you can specify a list or a specific IP address (Geoip). Almost all objects used in rules can be created directly from the rule; for example, without going to the "Zones" section, you can use the "Create and add new object" button to create the zone we need. The "Invert" checkbox is also available; it reverses the condition in the rule, which is equivalent to logical negation. The Destination tab is the same as the Source tab, except that instead of the traffic source we set its destination. Users tab - here you can add a list of users or groups to which this rule applies. Service tab - choose the service type from the predefined ones, or define your own. Application tab - specific applications or application groups are selected here. And the Time tab specifies the time during which this rule is active.

From the previous part we have a rule for Internet access from the "Trusted" zone; now, as an example, I will show the creation of a deny rule for ICMP traffic from the "Trusted" zone to the "Untrusted" zone.

First, create a rule by clicking the "Add" button. In the window that opens, on the General tab, fill in the name (Block ICMP from Trusted to Untrusted), tick the "On" checkbox, select the Deny action and, most importantly, choose the correct position for this rule. According to my policy, this rule must be placed above the "Allow Trusted to Untrusted" rule:

On the "Source" tab, for my task there are two options:

  • select the "Trusted" zone

  • select all zones except "Trusted" and tick the "Invert" checkbox

The Destination tab is configured in the same way as the Source tab.

Next, go to the "Service" tab. Since UserGate has a predefined service for ICMP traffic, click the "Add" button and select the service named "Any ICMP" from the proposed list:
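To make the ordering rule concrete, here is an added example (my own constructed model, not UserGate code) of the first-match, AND-within-a-rule evaluation described above, built from the rules in this article: the ICMP deny, the general "Allow Trusted to Untrusted" rule and the locked "Block all" at the end. Zone names other than Trusted and Untrusted ("DMZ") and the service "HTTPS" are assumed for illustration.

```python
from dataclasses import dataclass, field

# Constructed model of UserGate's first-match firewall logic (added example,
# not UserGate code): rules are checked top-down, conditions inside one rule
# are ANDed, the "Invert" checkbox negates the Source condition, and the
# locked final "Block all" rule catches whatever no earlier rule matched.

@dataclass
class Rule:
    name: str
    action: str                                   # "Allow" or "Deny"
    src_zones: set = field(default_factory=set)   # empty set = any zone
    dst_zones: set = field(default_factory=set)
    services: set = field(default_factory=set)    # e.g. {"Any ICMP"}
    invert_src: bool = False                      # "Invert" on the Source tab
    enabled: bool = True                          # the "On" checkbox

    def matches(self, src_zone: str, dst_zone: str, service: str) -> bool:
        src_ok = not self.src_zones or src_zone in self.src_zones
        if self.invert_src:
            src_ok = not src_ok
        dst_ok = not self.dst_zones or dst_zone in self.dst_zones
        svc_ok = not self.services or service in self.services
        return self.enabled and src_ok and dst_ok and svc_ok  # AND logic

def evaluate(rules, src_zone, dst_zone, service):
    """Return (rule name, action) of the first matching rule; the implicit
    locked "Block all" rule applies when nothing else matches."""
    for r in rules:
        if r.matches(src_zone, dst_zone, service):
            return r.name, r.action
    return "Block all", "Deny"

# Rules from the article, with the specific ICMP deny ABOVE the general allow.
DENY_ICMP = Rule("Block ICMP from Trusted to Untrusted", "Deny",
                 {"Trusted"}, {"Untrusted"}, {"Any ICMP"})
# The same source condition written the second way: all other zones, inverted.
DENY_ICMP_INV = Rule("Block ICMP (inverted source)", "Deny",
                     {"Untrusted", "DMZ"}, {"Untrusted"}, {"Any ICMP"},
                     invert_src=True)
ALLOW_TRUSTED = Rule("Allow Trusted to Untrusted", "Allow",
                     {"Trusted"}, {"Untrusted"})

CORRECT_ORDER = [DENY_ICMP, ALLOW_TRUSTED]
WRONG_ORDER = [ALLOW_TRUSTED, DENY_ICMP]  # specific below general: never fires
```

Evaluating the same ICMP packet against CORRECT_ORDER and WRONG_ORDER shows why the rule position matters: in the wrong order the general allow shadows the deny completely.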

Perhaps this was intended by the UserGate developers, but I was able to create several identical rules. Although only the first rule in the list will be executed, I think that being able to create rules with the same name but different behaviour could cause confusion when several administrators are working.

NAT and Routing

When creating NAT rules, we see several tabs, just as for the firewall. A "Type" field appears on the "General" tab, which lets you choose how this rule will work:

  • NAT - Network Address Translation.

  • DNAT - redirects traffic to the specified IP address.

  • Port forwarding - redirects traffic to the specified IP address, but additionally allows you to change the port number of the published service.

  • Policy-based routing - allows you to route IP packets based on extended information, such as services, MAC addresses or servers (IP addresses).

  • Network mapping - allows you to substitute the source or destination IP addresses of one network with those of another network.

After selecting the appropriate rule type, the settings for that type become available.

In the SNAT IP (external address) field, we explicitly specify the IP address that the source address will be replaced with. This field is required if several IP addresses are assigned to the interfaces in the destination zone. If you leave this field empty, the system will use an arbitrary address from the list of available IP addresses assigned to the destination zone. UserGate recommends specifying the SNAT IP to improve firewall performance.

As an example, I will publish the SSH service of a Windows server located in the "DMZ" zone using a "Port forwarding" rule. To do this, click the "Add" button and fill in the "General" tab, specifying the rule name "SSH to Windows" and the type "Port forwarding":

On the "Source" tab, select the "Untrusted" zone and go to the "Port forwarding" tab. Here we need to specify the protocol "TCP" (four options are available: TCP, UDP, SMTP, SMTPS). The original destination port, 9922, is the port number to which users send their requests (ports 2200, 8001, 4369 and 9000-9100 cannot be used). The new destination port (22) is the port number on the internal published server to which the user's request will be forwarded.

On the "DNAT" tab, enter the IP address of the computer on the local network that is being published on the Internet (192.168.3.2). You can also optionally enable SNAT; UserGate will then replace the source address in packets arriving from the external network with its own IP address.

After all these settings, the resulting rule allows access from the "Untrusted" zone to the server with IP address 192.168.3.2 over the SSH protocol, using the external address of UserGate when connecting.
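The translation performed by the "SSH to Windows" rule, as an added example (my own constructed model, not UserGate code). The published host 192.168.3.2, the original port 9922, the new port 22 and the reserved original ports come from the article; the UserGate external address, its DMZ-side address and the client address are assumed placeholders.

```python
from dataclasses import dataclass, replace

# Constructed model of a UserGate port-forwarding rule (added example, not
# UserGate code). Addresses marked "placeholder" are assumptions.
USERGATE_EXTERNAL_IP = "203.0.113.10"   # placeholder: external address
USERGATE_DMZ_IP = "192.168.3.1"         # placeholder: address facing the DMZ
RESERVED_ORIGINAL_PORTS = {2200, 8001, 4369} | set(range(9000, 9101))

@dataclass(frozen=True)
class Packet:
    src_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"

@dataclass(frozen=True)
class PortForwardRule:
    name: str
    src_zone: str          # Source tab
    proto: str             # Port forwarding tab: TCP / UDP / SMTP / SMTPS
    original_port: int     # port clients connect to on the external address
    new_port: int          # port on the published internal host
    dnat_ip: str           # DNAT tab: the internal host
    snat: bool = False     # the optional SNAT checkbox

    def __post_init__(self):
        # UserGate refuses these as the original destination port.
        if self.original_port in RESERVED_ORIGINAL_PORTS:
            raise ValueError(f"port {self.original_port} cannot be used")

def apply_rule(rule: PortForwardRule, pkt: Packet) -> Packet:
    """Return the translated packet, or the packet unchanged if the rule
    does not match (zone, protocol and original port are ANDed)."""
    if (pkt.src_zone != rule.src_zone or pkt.proto != rule.proto
            or pkt.dst_ip != USERGATE_EXTERNAL_IP
            or pkt.dst_port != rule.original_port):
        return pkt
    out = replace(pkt, dst_ip=rule.dnat_ip, dst_port=rule.new_port)
    if rule.snat:
        # With SNAT the DMZ host sees UserGate, not the real client, as the
        # source; keep this in mind when reading the server's own logs.
        out = replace(out, src_ip=USERGATE_DMZ_IP)
    return out

SSH_TO_WINDOWS = PortForwardRule("SSH to Windows", "Untrusted", "TCP",
                                 9922, 22, "192.168.3.2")
```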

Bandwidth

This section defines bandwidth control rules. They can be used to limit the channel for particular users, hosts, services and applications.

When creating a rule, the conditions on its tabs select the traffic to which the restrictions are applied. The bandwidth can be chosen from the proposed values or set to your own. When defining a bandwidth, you can specify the DSCP traffic priority label. An example of when DSCP labels are used: by specifying in the rule the conditions under which it applies, the rule can simply rewrite those labels. Another example of how a scenario works: the rule applies to a user only if a stream is detected or the traffic volume exceeds the specified threshold. The remaining tabs are filled in the same way as in other rules, depending on the type of traffic to which the rule should apply.

Conclusion

In this article I covered the creation of rules in the Firewall, NAT and Routing, and Bandwidth sections. At the beginning of the article I also described the rules for building UserGate policies and the principle by which conditions are combined when creating a rule.

Stay tuned for updates in our channels (Telegram, Facebook, VK, TS Solution Blog)!

Source: www.habr.com
