4. NGFW yemabhizimisi maduku. VPN

Isu tinoenderera mberi nenyaya yedu yezvinyorwa nezve NGFW zvemabhizinesi madiki, rega ndikuyeuchidze kuti tiri kuongorora iyo itsva 1500 yakatevedzana modhi renji. IN 1 parts kutenderera, ndakataura imwe yeanonyanya kubatsira sarudzo kana uchitenga SMB mudziyo - kupihwa kwemagedhi ane akavakirwa-mukati Mobile Access rezinesi (kubva pazana kusvika mazana maviri vashandisi, zvichienderana nemuenzaniso). Muchikamu chino tichatarisa kumisikidza VPN ye100 akateedzana magedhi anouya neGaia 200 Embedded pre-yakaiswa. Heino pfupiso:

1. VPN kugona kweSMB.
2. Sangano reRemote Access yehofisi diki.
3. Maclients aripo ekubatanidza.

1. VPN sarudzo dzeSMB

Kuti agadzirire zvinhu zvanhasi, mukuru admin mutungamiri shanduro R80.20.05 (ikozvino panguva yekubudiswa kwechinyorwa). Saizvozvo, maererano neVPN neGaia 80.20 Yakamisikidzwa kune rutsigiro rwe:

1. Site-To-Site. Kugadzira VPN tunnel pakati pemahofisi ako, uko vashandisi vanogona kushanda sekunge vari pane imwechete "yenzvimbo" network.

   

2. Remote Access. Remote yekubatanidza kune yako hofisi zviwanikwa uchishandisa mushandisi ekupedzisira zvishandiso (PC, nharembozha, nezvimwewo). Pamusoro pezvo, kune SSL Network Extender, inobvumidza iwe kuburitsa maapplication ega uye woamhanyisa uchishandisa Java Applet, ichibatanidza kuburikidza neSSL. Cherechedza: kwete kuvhiringika neMobile Access Portal (hapana rutsigiro rweGaia Embedded).
   
   

Mukuwedzera Ini ndinokurudzira zvikuru kosi yemunyori TS Solution - Tarisa Point Remote Access VPN inoburitsa Check Point tekinoroji maererano neVPN, inobata nyaya dzerezinesi uye ine yakadzama yekuseta mirairo.

2. Remote Access yehofisi diki

Tichatanga kuronga yekubatanidza kure kuhofisi yako:

1. Kuti vashandisi vavake VPN tunnel ine gedhi, iwe unofanirwa kuve neruzhinji IP kero. Kana iwe watopedza kuseta kwekutanga (2 chinyorwa kubva kutenderera), saka, sekutonga, Yekunze Link yatoshanda. Ruzivo runogona kuwanikwa nekuenda kuGaia Portal: Chishandiso → Network → Internet

   
   

   Kana kambani yako ikashandisa ine simba yeruzhinji IP kero, saka unogona kuseta Dynamic DNS. Enda ku mudziyo → DDNS & Device Access

   
   

   Parizvino pane rutsigiro kubva kune vaviri vanopa: DynDns uye no-ip.com. Kuti uite sarudzo yaunoda kuisa zvitupa zvako (login, password).

2. Tevere, ngatigadzirei mushandisi account, ichave inobatsira pakuyedza marongero: VPN → Remote Access → Remote Access Users

   
   

   Muboka (semuenzaniso: remoteaccess) isu tichagadzira mushandisi achitevera mirairo iri pascreenshot. Kumisikidza account kwakajairika, kuseta yekupinda uye password, uye nekuwedzera gonesa iyo Remote Access mvumo sarudzo.

   
   

   Kana iwe wakabudirira kushandisa marongero, zvinhu zviviri zvinofanirwa kuoneka: mushandisi wenzvimbo, boka renzvimbo yevashandisi.

   

3. Nhanho inotevera ndeye kuenda VPN → Remote Access → Blade Control. Ita shuwa kuti blade yako yakavhurwa uye traffic kubva kune vashandisi vari kure inobvumidzwa.

   

4. *Iyo iri pamusoro yaive yakaderera seti yematanho ekumisikidza Remote Access. Asi tisati tayedza kubatana, ngationgororei zvigadziriso zvepamberi nekuenda kune iyo tab VPN → Remote Access → Yepamberi

   
   

   Zvichienderana nezvirongwa zvazvino, tinoona kuti kana vashandisi vari kure vabatana, vanogamuchira IP kero kubva kune network 172.16.11.0/24, nekuda kweiyo Office Mode sarudzo. Izvi zvakakwana nechengetedzo yekushandisa mazana maviri emakwikwi marezinesi (akaratidzwa 200 NGFW Check Point).

   Sarudzo "Route Internet traffic kubva kune vatengi vakabatana kuburikidza negedhi iri" ndeyekusarudza uye ine basa rekufambisa traffic yese kubva kumushandisi ari kure kuburikidza negedhi (kusanganisira Internet yekubatanidza). Izvi zvinokutendera kuti utarise traffic yemushandisi uye kudzivirira nzvimbo yake yekushandira kubva kune dzakasiyana siyana kutyisidzira uye malware.

5. *Kushanda nemitemo yekuwana yeRemote Access

   Mushure mekunge tagadzirisa Remote Access, mutemo wekuwana otomatiki wakagadzirwa paFirewall level, kuti uuone unofanirwa kuenda kune iyo tab: Kupinda Policy → Firewall → Policy

   
   

   Muchiitiko ichi, vashandisi vari kure vari nhengo dzeboka rakambogadzirwa vachakwanisa kuwana zvese zvemukati zvekambani zviwanikwa; cherechedza kuti mutemo uri muchikamu chese. "Inouya, Yemukati uye VPN traffic". Kuti ubvumire VPN mushandisi traffic kuInternet, iwe unozofanirwa kugadzira mutemo wakasiyana muchikamu chese "Kubuda kuenda kuInternet".

6. Chekupedzisira, isu tinongoda kuve nechokwadi chekuti mushandisi anogona kubudirira kugadzira mugero weVPN kune yedu NGFW gedhi uye kuwana mukana wezviwanikwa zvemukati zvekambani. Kuti uite izvi, unofanirwa kuisa VPN mutengi pane muenzi ari kuedzwa, rubatsiro runopiwa ссылка Zvekurodha. Mushure mekuisa, iwe unozofanirwa kuita yakajairwa maitiro ekuwedzera saiti nyowani (ratidza iyo yeruzhinji IP kero yegedhi rako). Kuti zvive nyore, maitiro acho anoratidzwa muGIF fomu

   
   
   Kana iyo yekubatanidza yatosimbiswa, ngatitarise iyo yakagamuchirwa IP kero pamushini wekutambira tichishandisa murairo muCMD: ipconfig

   
   

   Isu takava nechokwadi chekuti chaiyo network adapta yakagamuchira IP kero kubva kuHofisi Modhi yeNGFW yedu, mapaketi akatumirwa zvinobudirira. Kupedzisa, tinogona kuenda kuGaia Portal: VPN → Remote Access → Yakabatanidzwa Kure Vashandisi

   
   

   Mushandisi "ntuser" inoratidzwa seyakabatana, ngatitarisei chiitiko chekutema nekuenda Marogi & Monitoring → Chengetedza Logs

   
   

   Kubatana kwacho kunoshandiswa uchishandisa IP kero senzvimbo: 172.16.10.1 - iyi ndiyo kero yakagamuchirwa nemushandisi wedu kuburikidza neHofisi Mode.

   3. Vanotsigirwa vatengi veRemote Access

   Mushure mekunge taongorora maitiro ekumisikidza chinongedzo chiri kure kuhofisi yako uchishandisa NGFW Check Point yemhuri yeSMB, ndinoda kunyora nezverutsigiro rwevatengi kune akasiyana midziyo:

   • Endpoint VPN yeWindows/Mac OS
   • Mobile Client (Android / IOS)
   • L2TP Native Client (Tarisa Poindi inotsigira tsigiro yeMicrosoft yemuno VPN app).

   Iwo akasiyana-siyana anotsigirwa masisitimu anoshanda uye zvishandiso zvinokutendera iwe kutora mukana wakazara werezinesi rako rinouya neNGFW. Kuti ugadzirise mudziyo wakasiyana pane sarudzo yakanakira "Kubatana sei"

   

   Iyo inongogadzira nhanho zvinoenderana neako marongero, ayo anozobvumira vatariri kuisa vatengi vatsva pasina matambudziko.

   Mhedziso: Kupfupisa chinyorwa ichi, takatarisa kugona kweVPN kweNGFW Check Point SMB mhuri. Tevere, takatsanangura matanho ekumisikidza Remote Access, kana iri kure kubatana kwevashandisi kuhofisi, uye ndokudzidza maturusi ekutarisa. Pakupera kwechinyorwa takataura nezve vatengi varipo uye sarudzo dzekubatanidza dzeRemote Access. Nekudaro, hofisi yako yebazi ichakwanisa kuve nechokwadi kuenderera uye chengetedzo yebasa revashandi vachishandisa VPN matekinoroji, kunyangwe akasiyana ekunze kutyisidzira uye zvinhu.

   Yakakura kusarudzwa kwezvinhu paCheck Point kubva kuTS Solution. Ramba wakatarisa (teregiramu, Facebook, VK, TS Solution Blog, Yandex Zen).

Source: www.habr.com