Manongedzo kune zvimwe zvikamu zvechidzidzo
- (Uri pano here)
Ichi chinyorwa chinopedzisa nhevedzano yezvinyorwa zvakatsaurirwa kuve nechokwadi chekuchengetedza ruzivo rwebhangi risiri mari kubhadhara. Pano isu tichatarisa kune akajairwa maitiro ekutyisidzira anotaurwa mukati :
- .
- .
- .
- .
HABRO-YAMBIRO!!! Vanodiwa Khabrovites, iyi haisi nyaya yekuvaraidza.
Iwo 40+ mapeji emidziyo yakavanzwa pasi pekuchekwa anoitirwa batsira nebasa kana kudzidza vanhu vane hunyanzvi hwekubhenga kana kuchengetedza ruzivo. Zvishandiso izvi ndizvo chibereko chekupedzisira chetsvagurudzo uye zvakanyorwa nezwi rakaoma, rakarongeka. Muchidimbu, aya ma blanks emukati ekuchengetedza ruzivo zvinyorwa.Zvakanaka, zvechinyakare - "kushandiswa kweruzivo kubva muchinyorwa nekuda kwezvikonzero zvisiri pamutemo kunorangwa nemutemo". Kuverenga kunobudirira!
Mashoko evaverengi vanojairana nechidzidzo kutanga nebhuku rino.
Chidzidzo chacho chiri pamusoro pei?
Uri kuverenga gwara renyanzvi ine basa rekuona kuchengetedza ruzivo rwekubhadhara mubhangi.
Logic yemharidzo
Pakutanga in ΠΈ tsananguro yechinhu chakachengetedzwa inopiwa. Wobva wapinda inotsanangura nzira yekuvaka chengetedzo system uye inotaura nezve kukosha kwekugadzira yekutyisidzira modhi. IN inotaura nezvemhando dzekutyisidzira dziripo uye kuti dzinoumbwa sei. IN ΠΈ Kuongororwa kwekurwiswa kwechokwadi kunopiwa. ΠΈ ine tsananguro yemhando yekutyisidzira, yakavakwa uchifunga nezveruzivo kubva kune ese apfuura zvikamu.
TYPICAL THREAT MODEL. NETWORK CONNECTION
Chidziviriro chinhu icho chinotyisidzira modhi (chiyero) chinoshandiswa
Chinhu chedziviriro ndeye data inofambiswa kuburikidza netiweki yekubatanidza inoshanda mumatanho network yakavakirwa pahwaro hweTCP / IP stack.
akitekicha
Tsanangudzo yezvivakwa:
- "End Nodes" - nodes kupanana ruzivo rwakachengetedzwa.
- "Intermediate nodes" - zvinhu zve data data network: ma routers, switch, maseva ekupinda, proxy maseva uye zvimwe zvishandiso - iyo network yekubatanidza traffic inofambiswa. Kazhinji, network yekubatanidza inogona kushanda pasina epakati node (zvakananga pakati pekupedzisira node).
Kutyisidzira kwepamusoro-soro kwekuchengetedza
Kuora
U1. Kuwanikwa kusina mvumo kune data yakatumirwa.
U2. Kushandurwa kusingatenderwi kwe data yakatumirwa.
U3. Kutyorwa kweunyori hwe data yakafambiswa.
U1. Kuwanikwa kusina mvumo kune data yakatumirwa
Kuora
U1.1. <β¦>, inoitwa panzvimbo yekupedzisira kana yepakati node:
U1.1.1. <β¦> nekuverenga data ichiri mumidziyo yekuchengetedza:
U1.1.1.1. <β¦> mu RAM.
Tsananguro dzeU1.1.1.1.
Semuenzaniso, panguva yekugadziriswa kwedata neiyo host network stack.
U1.1.1.2. <β¦> mundangariro isiri-inotenderera.
Tsananguro dzeU1.1.1.2.
Semuenzaniso, kana uchichengeta data rakafambiswa mune cache, mafaira enguva pfupi kana chinjanisa mafaera.
U1.2. <β¦>, inoitwa pane wechitatu-bato node yedata network:
U1.2.1. <...> nenzira yekutora mapaketi ese anosvika kune iyo host network interface:
Tsananguro dzeU1.2.1.
Kutorwa kwemapaketi ese kunoitwa nekuchinja network kadhi kuita unzenza (yakashata maitiro e wired adapter kana yekutarisa maitiro e wi-fi adapter).
U1.2.2. <β¦> nekuita man-in-the-pakati (MiTM) kurwisa, asi pasina kushandura data yakatumirwa (kwete kuverenga network protocol service data).
U1.2.2.1. Link: .
U1.3. <β¦>, inoitwa nekuda kwekudonha kweruzivo kuburikidza nehunyanzvi chiteshi (TKUI) kubva kumuviri node kana mitsara yekutaurirana.
U1.4. <β¦>, inoitwa nekuisa yakakosha tekinoroji nzira (STS) kumagumo kana epakati node, inoitirwa kuunganidzwa kwakavanzika kweruzivo.
U2. Kushandurwa kusingatenderwi kwe data yakatumirwa
Kuora
U2.1. <β¦>, inoitwa panzvimbo yekupedzisira kana yepakati node:
U2.1.1. <β¦> nekuverenga uye kuita shanduko kune iyo data ichiri mumidziyo yekuchengetedza yemanodhi:
U2.1.1.1. <β¦> mu RAM:
U2.1.1.2. <β¦> mundangariro isiri-inotenderera:
U2.2. <β¦>, inoitwa pane wechitatu-bato node yedata data network:
U2.2.1. <β¦> nekuita man-in-the-pakati (MiTM) kurwisa uye kuendesa traffic kune vanorwisa node:
U2.2.1.1. Kubatana kwemuviri kwemidziyo yevanorwisa kunoita kuti network yekubatanidza iparadzwe.
U2.2.1.2. Kuita kurwisa kune network protocol:
U2.2.1.2.1. <β¦> manejimendi echokwadi emunharaunda network (VLAN):
U2.2.1.2.1.1. .
U2.2.1.2.1.2. Kushandurwa kusingatenderwe kweVLAN marongero pane switch kana ma router.
U2.2.1.2.2. <β¦> traffic routing:
U2.2.1.2.2.1. Kusatenderwa kugadziridzwa kwematafura e static routing emarouter.
U2.2.1.2.2.2. Kuziviswa kwenzira dzenhema nevanorwisa kuburikidza neakasimba nzira dzemaprotocol.
U2.2.1.2.3. <β¦> otomatiki gadziriso:
U2.2.1.2.3.1. .
U2.2.1.2.3.2. .
U2.2.1.2.4. <β¦> kero uye kugadzirisa zita:
U2.2.1.2.4.1. .
U2.2.1.2.4.2. .
U2.2.1.2.4.3. Kuita shanduko dzisina kutenderwa kumafaira emazita emunharaunda (mahosts, lmhosts, nezvimwewo)
U3. Kutyorwa kwekodzero yedata rinofambiswa
Kuora
U3.1. Neutralization yemaitiro ekuona kunyorwa kweruzivo nekuratidza ruzivo rwenhema nezvemunyori kana kunobva data:
U3.1.1. Kushandura ruzivo pamusoro pemunyori ari mumashoko akatumirwa.
U3.1.1.1. Neutralization yekuchengetedzwa kwekrisptographic kwekuvimbika uye kunyorwa kweiyo data inotumirwa:
U3.1.1.1.1. Link: .
U3.1.1.2. Neutralization yekuchengetedzwa kwekodzero yedata rinofambiswa, rinoitwa uchishandisa imwe-nguva yekusimbisa makodhi:
U3.1.1.2.1. .
U3.1.2. Kuchinja ruzivo nezve kwakabva ruzivo rwunofambiswa:
U3.1.2.1. .
U3.1.2.2. .
TYPICAL THREAT MODEL. SYSTEM YERUZIVO RAKAVAKWA PABASI RECLIENT-SERVER ARCHITECTURE
Chidziviriro chinhu icho chinotyisidzira modhi (chiyero) chinoshandiswa
Chinhu chekudzivirira inzira yeruzivo yakavakirwa pahwaro hwemutengi-server architecture.
akitekicha
Tsanangudzo yezvivakwa:
- "Mutengi" - mudziyo unoshanda nawo mutengi chikamu chehurongwa hwemashoko.
- "Sevha" - mudziyo unoshanda sevha chikamu chehurongwa hwemashoko.
- "Data store" - chikamu che server server yeruzivo system, yakagadzirirwa kuchengetedza data yakagadziriswa neiyo ruzivo system.
- "Network connection" - chiteshi chekuchinjana ruzivo pakati peMutengi neSevha ichipfuura nenetiweki yedata. Imwe tsananguro yakadzama yeiyo element modhi inopihwa mukati .
Zvibvumirano
Paunenge uchigadzira chinhu, zvinotemerwa zvinotevera zvinoiswa:
- Mushandisi anodyidzana nehurongwa hweruzivo mukati menguva dzinogumira dzenguva, dzinodaidzwa kuti nguva dzebasa.
- Pakutanga kwechikamu chega chega chebasa, mushandisi anozivikanwa, anotenderwa uye anotenderwa.
- Yese ruzivo rwakachengetedzwa rwakachengetwa pane sevha chikamu cheiyo ruzivo system.
Kutyisidzira kwepamusoro-soro kwekuchengetedza
Kuora
U1. Kuita zviito zvisina mvumo nevanorwisa panzvimbo yemushandisi ari pamutemo.
U2. Kugadziriswa kusingabvumirwe kweruzivo rwakachengetedzwa panguva yekugadziriswa kwayo neseva chikamu cheiyo ruzivo system.
U1. Kuita zviito zvisina mvumo nevanorwisa panzvimbo yemushandisi ari pamutemo
Tsananguro
Kazhinji mumasisitimu eruzivo, zviito zvine hukama nemushandisi akazviita achishandisa:
- system operation logs (logs).
- hunhu hwakakosha hwezvinhu zve data zvine ruzivo nezve mushandisi akazvigadzira kana kuzvigadzirisa.
Zvichienderana nechikamu chebasa, kutyisidzira uku kunogona kuderedzwa kuita:
- <β¦> yakaitwa mukati mechikamu chemushandisi.
- <β¦> yakaurayiwa kunze kwechikamu chemushandisi.
Sesheni yemushandisi inogona kutangwa:
- Nemushandisi pachake.
- Malefactors.
Panguva ino, kuparara kwepakati kwekutyisidzira uku kuchaita seizvi:
U1.1. Zviito zvisina mvumo zvakaitwa mukati mechikamu chemushandisi:
U1.1.1. <β¦> yakaiswa nemushandisi akarwiswa.
U1.1.2. <β¦> yakaiswa nevanorwisa.
U1.2. Zviito zvisina mvumo zvakaitwa kunze kwechikamu chemushandisi.
Kubva pakuona kweruzivo rwezvivakwa zvinhu zvinogona kukanganiswa nevanorwisa, kuparara kwekutyisidzira kwepakati kuchaita seizvi:
Zvinhu
Kutyisidzira Kuora
U1.1.1.
U1.1.2.
U1.2.
Mutengi
U1.1.1.1.
U1.1.2.1.
Network kubatana
U1.1.1.2.
Server
U1.2.1.
Kuora
U1.1. Zviito zvisina mvumo zvakaitwa mukati mechikamu chemushandisi:
U1.1.1. <β¦> yakaiswa nemushandisi akarwiswa:
U1.1.1.1. Varwi vakaita vakazvimirira kubva kuMutengi:
U1.1.1.1.1 Vapambi vakashandisa maturusi ekuwana ruzivo muhurongwa:
Π£1.1.1.1.1.1. Vapambi vakashandisa Mutengi wemuviri wekupinda / kubuda nzira (kiyibhodhi, mbeva, yekutarisa kana yekubata sikirini yenharembozha):
U1.1.1.1.1.1.1. Varwi vakashanda munguva dzenguva apo chikamu chaive chichishanda, zvivako zveI / O zvaivepo, uye mushandisi akanga asipo.
Π£1.1.1.1.1.2. Vapambi vakashandisa maturusi ekutonga ari kure (yakajairwa kana kupihwa nekodhi yakaipa) kubata Mutengi:
U1.1.1.1.1.2.1. Varwi vakashanda munguva dzenguva apo chikamu chaive chichishanda, zvivako zveI / O zvaivepo, uye mushandisi akanga asipo.
Π£1.1.1.1.1.2.2. Varwi vakashandisa maturusi ekutonga ari kure, mashandiro ayo asingaoneki kune anorwiswa mushandisi.
U1.1.1.2. Varwi vakatsiva iyo data mukubatana kwetiweki pakati peMutengi neSevha, vachiigadzirisa nenzira yekuti yakaonekwa senge zviito zvemushandisi ari pamutemo:
U1.1.1.2.1. Link: .
U1.1.1.3. Varwi vakamanikidza mushandisi kuita zviito zvavakataura vachishandisa nzira dzeinjiniya dzemagariro.
Π£1.1.2 <...> yakaiswa nevanorwisa:
U1.1.2.1. Varwi vakaita kubva kuMutengi (Π):
U1.1.2.1.1. Vapambi vakadzora nzira yekudzora yekuwana ruzivo system:
U1.1.2.1.1.1. Link: .
Π£1.1.2.1.2. Varwi vakashandisa maturusi akajairika ehurongwa hwekuwana ruzivo
U1.1.2.2. Vapambi vakashanda kubva kune dzimwe node dze data network, kubva paigona kugadzwa network network kune Server (Π):
U1.1.2.2.1. Vapambi vakadzora nzira yekudzora yekuwana ruzivo system:
U1.1.2.2.1.1. Link: .
U1.1.2.2.2. Varwi vakashandisa nzira dzisiri dzenguva dzekuwana hurongwa hweruzivo.
Tsanangudzo U1.1.2.2.2.
Vanorwisa vanogona kuisa mutengi wakajairwa weiyo ruzivo system pane yechitatu-bato node kana kushandisa isiri-yakajairwa software inoshandisa yakajairwa kuchinjanisa mapuroteni pakati peMutengi neSevha.
U1.2 Zviito zvisina mvumo zvakaitwa kunze kwechikamu chemushandisi.
U1.2.1 Varwi vakaita zviito zvisina kutenderwa ndokuzoita shanduko isina mvumo kune matanda ehurongwa hwekushandisa ruzivo kana hunhu hwakakosha hwezvinhu zve data, zvichiratidza kuti zviito zvavakaita zvakaitwa nemushandisi wepamutemo.
U2. Kugadziriswa kusingabvumirwe kweruzivo rwakachengetedzwa panguva yekugadziriswa kwayo neseva chikamu cheiyo ruzivo system
Kuora
U2.1. Vanorwisa vanogadzirisa ruzivo rwakachengetedzwa vachishandisa yakajairwa ruzivo system maturusi uye ita izvi pachinzvimbo chemushandisi ari pamutemo.
U2.1.1. Link: .
U2.2. Vanorwisa vanogadzirisa ruzivo rwakachengetedzwa vachishandisa nzira dzekuwana data dzisina kupihwa neakajairika mashandiro ehurongwa hweruzivo.
U2.2.1. Vanorwisa vanogadzirisa mafaira ane ruzivo rwakachengetedzwa:
U2.2.1.1. <β¦>, uchishandisa iyo faira yekubata nzira dzakapihwa neiyo inoshanda sisitimu.
U2.2.1.2. <β¦> nekukurudzira kudzoreredzwa kwemafaira kubva kune isina kutenderwa yakagadziridzwa backup kopi.
U2.2.2. Vanorwisa vanogadzirisa ruzivo rwakachengetedzwa rwakachengetwa mudhatabhesi (Π):
U2.2.2.1. Vanorwisa vanoderedza iyo DBMS yekuwana yekudzora system:
U2.2.2.1.1. Link: .
U2.2.2.2. Vanorwisa vanogadzirisa ruzivo vachishandisa yakajairwa DBMS interfaces kuti vawane data.
U2.3. Vanorwisa vanogadzirisa ruzivo rwakachengetedzwa nekugadziriswa kusingatenderwe kwealgorithms yekushanda kwesoftware inoigadzirisa.
U2.3.1. Iyo kodhi kodhi yesoftware inoenderana nekugadziriswa.
U2.3.1. Iyo kodhi yemuchina yesoftware inoenderana nekugadziriswa.
U2.4. Vanorwisa vanogadzirisa ruzivo rwakachengetedzwa nekushandisa kusavimbika mune ruzivo system software.
U2.5. Vanorwisa vanoshandura ruzivo rwakachengetedzwa kana rwatamiswa pakati pezvikamu zvesevha chikamu chehurongwa hweruzivo (semuenzaniso, sevha yedatabase uye sevha yekushandisa):
U2.5.1. Link: .
TYPICAL THREAT MODEL. ACCESS CONTROL SYSTEM
Chidziviriro chinhu icho chinotyisidzira modhi (chiyero) chinoshandiswa
Chinhu chekudzivirira chinoshandisirwa iyi modhi yekutyisidzira chinoenderana nechinhu chekudzivirira chemhando yekutyisidzira: "Yakajairika kutyisidzira modhi. Sisitimu yeruzivo yakavakirwa pane yevatengi-server architecture. "
Mune iyi modhi yekutyisidzira, mushandisi yekuwana yekudzora system inoreva chikamu cheruzivo system inoita mabasa anotevera:
- Kuzivikanwa kwemushandisi.
- User authentication.
- Mvumo yemushandisi.
- Kutema zviito zvemushandisi.
Kutyisidzira kwepamusoro-soro kwekuchengetedza
Kuora
U1. Kugadzwa kusingatenderwi kweseshini pachinzvimbo chemushandisi ari pamutemo.
U2. Kuwedzera kusingatenderwi kwekodzero dzevashandisi muhurongwa hweruzivo.
U1. Kugadzwa kusingatenderwi kweseshini pachinzvimbo chemushandisi ari pamutemo
Tsananguro
Kuparara kwekutyisidzira uku kunowanzoenderana nerudzi rwekuzivikanwa kwemushandisi uye masisitimu echokwadi anoshandiswa.
Mune iyi modhi, chete chiziviso chemushandisi uye chechokwadi sisitimu uchishandisa mameseji login uye password ndiyo inotariswa. Muchiitiko ichi, isu tichafungidzira kuti mushandisi wekupinda ruzivo rwunowanikwa pachena rwunozivikanwa kune vanorwisa.
Kuora
U1.1. <β¦> nekuda kwekukanganisa kwezvitupa:
U1.1.1. Varwi vacho vakakanganisa zvitupa zvemushandisi vachizvichengeta.
Tsanangudzo U1.1.1.
Semuyenzaniso, zvitupa zvinogona kunyorwa panoti inonamira yakanamira pamonitor.
U1.1.2. Mushandisi netsaona kana nehutsinye akapa ruzivo rwekuwana kune vanorwisa.
U1.1.2.1. Mushandisi akataura zvitupa zvinonzwika sezvavaipinda.
U1.1.2.2. Mushandisi akagovera magwaro ake nemaune:
U1.1.2.2.1. <β¦> kushanda vaunoshanda navo.
Tsanangudzo U1.1.2.2.1.
Semuenzaniso, kuitira kuti vagone kuitsiva panguva yekurwara.
U1.1.2.2.2. <β¦> kune vashandirwi vekondirakiti vanoita basa pane zveruzivo rwezvivakwa zvinhu.
U1.1.2.2.3. <β¦> kune vechitatu mapato.
Tsanangudzo U1.1.2.2.3.
Imwe, asi kwete yega sarudzo yekushandisa kutyisidzira uku kushandiswa kwesocial engineering nzira nevanorwisa.
U1.1.3. Vapambi vakasarudza magwaro vachishandisa nzira dzechisimba:
U1.1.3.1. <β¦> uchishandisa nzira dzakajairwa dzekuwana.
U1.1.3.2. <β¦> uchishandisa macode akambobatwa (semuenzaniso, password hashes) kuchengetedza magwaro.
U1.1.4. Vapambi vakashandisa kodhi yakaipa kubata magwaro evashandisi.
U1.1.5. Vapambi vakaburitsa magwaro kubva kunetiweki yekubatanidza pakati peMutengi neSevha:
U1.1.5.1. Link: .
U1.1.6. Vapambi vakaburitsa magwaro kubva kumarekodhi ehurongwa hwekutarisa basa:
U1.1.6.1. <β¦> vhidhiyo yekutarisa masisitimu (kana makiyi ekiyibhodhi akarekodhwa panguva yekushanda).
U1.1.6.2. <β¦> masisitimu ekutarisa zviito zvevashandi pakombuta
Tsanangudzo U1.1.6.2.
Muenzaniso wehurongwa hwakadaro .
U1.1.7. Varwi vakakanganisa magwaro emushandisi nekuda kwekukanganisa mukufambiswa kwekutapurirana.
Tsanangudzo U1.1.7.
Semuenzaniso, kutumira mapassword mumavara akajeka kuburikidza neemail.
U1.1.8. Vapambi vakawana magwaro nekutarisa musangano wemushandisi vachishandisa kure kure manejimendi masisitimu.
U1.1.9. Vapambi vakawana zvitupa semhedzisiro yekudonha kwavo kuburikidza nehunyanzvi nzira (TCUI):
U1.1.9.1. Varwi vakacherekedza kuti mushandisi akapinda sei zvitupa kubva kukhibhodi:
U1.1.9.1.1 Varwi vaive pedyo nepedyo nemushandisi uye vakaona kuiswa kwezvitupa nemaziso avo.
Tsanangudzo U1.1.9.1.1
Mhosva dzakadai dzinosanganisira zviito zvevanoshanda navo kana nyaya apo keyboard yemushandisi inoonekwa kune vashanyi kusangano.
U1.1.9.1.2 Varwi vakashandisa dzimwe nzira dzehunyanzvi, semabhainokura kana mota yemuchadenga isina munhu, uye vakaona kupinda kwezvitupa nepahwindo.
U1.1.9.2. Vapambi vakaburitsa magwaro kubva kunhepfenyuro yeredhiyo pakati pekhibhodi nekombuta system unit pavakange vabatana kuburikidza neredhiyo interface (semuenzaniso, Bluetooth).
U1.1.9.3. Varwi vacho vakabvuta magwaro nekuaburitsa kuburikidza negedhi renhema remagetsi emagetsi uye kupindira (PEMIN).
Tsanangudzo U1.1.9.3.
Mienzaniso yekurwisa ΠΈ .
U1.1.9.4. Murwi akabvuta kupinda kwezvitupa kubva kukhibhodi kuburikidza nekushandiswa kwehunyanzvi nzira (STS) yakagadzirirwa kuwana ruzivo muchivande.
Tsanangudzo U1.1.9.4.
mienzaniso .
U1.1.9.5. Vapambi vakabvuta kuiswa kwezvitupa kubva kukhibhodi vachishandisa
Ongororo yechiratidzo cheWi-Fi chakagadziridzwa nemakiyi emushandisi maitiro.
Tsanangudzo U1.1.9.5.
Muenzaniso: .
U1.1.9.6. Varwi vacho vakabvuta kupinza kwezvitupa kubva paibhodhi nekuongorora ruzha rwemakiyi.
Tsanangudzo U1.1.9.6.
Muenzaniso: .
U1.1.9.7. Vapambi vakadzora kupinda kwezvitupa kubva kukhibhodi yenharembozha nekuongorora kuverenga kwe accelerometer.
Tsanangudzo U1.1.9.7.
Muenzaniso: .
U1.1.10. <β¦>, yakambochengetwa paMutengi.
Tsanangudzo U1.1.10.
Semuenzaniso, mushandisi anogona kuchengetedza login uye password mubrowser kuti awane imwe saiti.
U1.1.11. Varwi vakakanganisa magwaro nekuda kwekukanganisa mukuita kwekukanzura mukana wevashandisi.
Tsanangudzo U1.1.11.
Semuenzaniso, mushure mekunge mushandisi adzingwa, maakaundi ake akaramba asina kuvharwa.
U1.2. <β¦> nekushandisa kusasimba mune yekuwana control system.
U2. Kukwidziridzwa kusingatenderwi kwekodzero dzevashandisi muhurongwa hweruzivo
Kuora
U2.1 <β¦> nekuita shanduko dzisina mvumo kune data rine ruzivo nezve kodzero dzevashandisi.
U2.2 <...> kuburikidza nekushandiswa kwekusagadzikana mune yekuwana control system.
U2.3. <β¦> nekuda kwekukanganisa mune yevashandisi yekuwana manejimendi maitiro.
Tsanangudzo U2.3.
Muenzaniso 1. Mushandisi akapiwa mukana wakawanda webasa kupfuura waaida nokuda kwezvikonzero zvebhizimisi.
Muenzaniso 2: Mushure mekunge mushandisi aendeswa kune imwe nzvimbo, yakambopihwa kodzero yekuwana haina kubviswa.
TYPICAL THREAT MODEL. KUSIMBISA MODULE
Chidziviriro chinhu icho chinotyisidzira modhi (chiyero) chinoshandiswa
Iyo yekubatanidza module seti yezvivakwa zveruzivo zvinhu zvakagadzirirwa kuronga kuchinjana kweruzivo pakati pehurongwa hweruzivo.
Tichifunga nezve chokwadi chekuti mumambure emakambani hazviitike nguva dzose kuparadzanisa imwe yeruzivo system kubva kune imwe, iyo yekubatanidza module inogona zvakare kutariswa sechibatanidza chinongedzo pakati pezvikamu mukati meimwe ruzivo system.
akitekicha
Iyo generalized dhizaini yekubatanidza module inotaridzika seizvi:
Tsanangudzo yezvivakwa:
- "Exchange Server (SO)" - node / sevhisi / chikamu cheiyo ruzivo system inoita basa rekuchinjana data neimwe system yeruzivo.
- "Murevereri" - node / sevhisi yakagadzirirwa kuronga kudyidzana pakati pehurongwa hwemashoko, asi kwete chikamu chavo.
Mienzaniso "Vamiriri" panogona kunge paine email masevhisi, bhizinesi sevhisi mabhazi (bhizinesi rebasa bhazi / SoA architecture), yechitatu-bato faira maseva, nezvimwe. Kazhinji, iyo yekubatanidza module inogona kunge isina "Intermediaries". - "Data processing software" - seti yezvirongwa zvinoshandisa maprotocol ekuchinjana data uye kushandurwa kwefomati.
Semuenzaniso, kushandura data kubva kuUFEBS fomati kuenda kuiyo ABS fomati, kushandura meseji mameseji panguva yekufambisa, nezvimwe. - "Network connection" inoenderana nechinhu chinotsanangurwa mune yakajairwa "Network yekubatanidza" modhi yekutyisidzira. Zvimwe zvekubatanidza netiweki zvinoratidzwa mudhayagiramu iri pamusoro zvinogona kunge zvisipo.
Mienzaniso yekubatanidza modules
Scheme 1. Kubatanidzwa kweABS neAWS KBR kuburikidza neyechitatu-bato faira server
Kuti aite mubhadharo, mushandi webhangi ane mvumo anodhawunirodha magwaro ekubhadhara emagetsi kubva kune yakakosha banking system uye anoachengeta kufaira (mune maitiro ayo, semuenzaniso dump yeSQL) pane network folda (... SHARE) pane sevha yefaira. Zvadaro faira iyi inoshandurwa uchishandisa script inoshandura kuita seti yemafaira muUFEBS fomati, anozoverengwa neCBD workstation.
Mushure meizvi, mushandi ane mvumo - mushandisi weiyo otomatiki yebasa KBR - encrypts uye kusaina mafaera akagamuchirwa uye anoatumira kune yekubhadhara system yeBhange reRussia.
Kana mubhadharo uchigamuchirwa kubva kuBhangi reRussia, iyo otomatiki yebasa yeKBR inovabvisa uye inotarisa siginecha yemagetsi, mushure mezvo inovanyora muchimiro cheseti yemafaira muUFEBS fomati pane faira server. Usati wapinza magwaro ekubhadhara muABS, anoshandurwa uchishandisa script inoshandura kubva kuUFEBS fomati kuenda kuABS fomati.
Isu tichafungidzira kuti muchirongwa ichi, iyo ABS inoshanda pane imwe sevha yemuviri, iyo KBR workstation inoshanda pakombuta yakatsaurirwa, uye inoshandura script inomhanya pane faira server.
Kunyorerana kwezvinhu zveiyo dhizaini yakatariswa kune zvinhu zvekubatanidza module modhi:
"Exchange server kubva kudivi reABS" - ABS server.
"Shandura sevha kubva kudivi reAWS KBR" - komputa yekushandira KBR.
"Murevereri" - yechitatu-bato faira server.
"Data processing software" - converter script.
Scheme 2. Kubatanidzwa kweABS neAWS KBR kana uchiisa yakagovaniswa network folda ine mubhadharo paAWS KBR.
Zvose zvakafanana neChirongwa 1, asi imwe faira yefaira haisi kushandiswa; pane kudaro, network network folder (... SHARE) ine zvinyorwa zvekubhadhara zvemagetsi inoiswa pakombiyuta ine nzvimbo yekushanda yeCBD. Iyo inoshandura script inoshandawo pane iyo CBD workstation.
Kunyorerana kwezvinhu zveiyo dhizaini yakatariswa kune zvinhu zvekubatanidza module modhi:
Zvakafanana neChirongwa 1, asi "Murevereri" isina kushandiswa.
Scheme 3. Kubatanidzwa kweABS uye otomatiki nzvimbo yebasa KBR-N kuburikidza neBM WebSphera MQ uye kusaina magwaro emagetsi "kudivi reABS"
ABS inoshanda papuratifomu isingatsigirwe neCIPF SCAD Siginecha. Kusaina magwaro emagetsi anobuda kunoitwa pane yakakosha yemagetsi siginecha server (ES Server). Iyo imwechete sevha inotarisa siginecha yemagetsi pane zvinyorwa zvinouya kubva kuBhange reRussia.
ABS inorodha faira rine magwaro ekubhadhara mune yaro fomati kuES Server.
Sevha yeES, ichishandisa script inoshandura, inoshandura faira kuita mameseji emagetsi muUFEBS fomati, mushure meiyo mameseji emagetsi anosainwa uye anotumirwa kuIBM WebSphere MQ.
Iyo KBR-N workstation inowana IBM WebSphere MQ uye inogamuchira yakasainwa mameseji ekubhadhara kubva ipapo, mushure mezvo mushandi ane mvumo - mushandisi weKBR workstation - anovharira ivo uye ovatumira kune yekubhadhara system yeBhangi reRussia.
Kana mubhadharo wagamuchirwa kubva kuBhangi reRussia, iyo otomatiki yebasa KBR-N inodzibvisa uye inosimbisa siginecha yemagetsi. Kubhadhara kwakanyatsogadziriswa nenzira yekudzikiswa uye kusainwa mameseji emagetsi muUFEBS fomati inoendeswa kuIBM WebSphere MQ, kubva kwainotambirwa neElectronics Signature Server.
Iyo yemagetsi siginecha server inosimbisa siginecha yemagetsi yemabhadharo akagamuchirwa uye anoachengeta mufaira mune ABS fomati. Mushure meizvi, mushandi ane mvumo - mushandisi weABS - anorodha faira rinobuda kuABS nenzira yakatemwa.
Kunyorerana kwezvinhu zveiyo dhizaini yakatariswa kune zvinhu zvekubatanidza module modhi:
"Exchange server kubva kudivi reABS" - ABS server.
"Shandura sevha kubva kudivi reAWS KBR" - komputa yekushandira KBR.
"Murevereri" - ES sevha uye IBM WebSphere MQ.
"Data processing software" - script converter, CIPF SCAD Siginecha paES Server.
Scheme 4. Kubatanidzwa kweRBS Server uye iyo core banking system kuburikidza neAPI inopihwa neakazvitsaurira shanduko server.
Isu tichafungidzira kuti bhangi rinoshandisa akati wandei kure mabhengi masisitimu (RBS):
- "Internet Client-Bhangi" kuvanhu (IKB FL);
- "Internet Client-Bhangi" yemasangano epamutemo (IKB LE).
Kuti uve nechokwadi chekuchengetedza ruzivo, kudyidzana kwese pakati peABS nemabhanga ari kure masystem kunoitwa kuburikidza neyakazvitsaurira yekutsinhana server inoshanda mukati meiyo ABS ruzivo system.
Tevere, isu tichatarisa maitiro ekudyidzana pakati peiyo RBS system yeIKB LE uye iyo ABS.
Iyo sevha yeRBS, yawana gwaro rekubhadhara rakasimbiswa kubva kumutengi, inofanirwa kugadzira gwaro rinoenderana muABS zvichibva pairi. Kuti uite izvi, uchishandisa API, inotumira ruzivo kune server yekutsinhana, iyo, zvakare, inopinda data muABS.
Kana zviyero zveakaundi yemutengi zvachinja, iyo ABS inogadzira zviziviso zvemagetsi, izvo zvinotumirwa kune iri kure yekubhengi sevha uchishandisa shanduko sevha.
Kunyorerana kwezvinhu zveiyo dhizaini yakatariswa kune zvinhu zvekubatanidza module modhi:
"Exchange server kubva kuRBS side" -RBS sevha yeIKB YUL.
"Exchange server kubva kudivi reABS" - exchange server.
"Murevereri" - ndisipo.
"Data processing software" -RBS Server zvikamu zvine basa rekushandisa iyo yekutsinhana server API, kuchinjanisa server zvikamu zvine basa rekushandisa iyo yakakosha banking API.
Kutyisidzira kwepamusoro-soro kwekuchengetedza
Kuora
U1. Jekiseni yeruzivo rwenhema nevanorwisa kuburikidza nekubatanidza module.
U1. Jekiseni yeruzivo rwenhema nevanorwisa kuburikidza nekubatanidza module
Kuora
U1.1. Kusatenderwa kugadziridzwa kwedata riri pamutemo kana richifambiswa nenetiweki yekubatanidza:
U1.1.1 Link: .
U1.2. Kufambiswa kwedata remanyepo kuburikidza nematanho ekutaurirana pachinzvimbo cheanotora chikamu chekuchinjana zviri pamutemo:
U1.1.2 Link: .
U1.3. Kugadziriswa kusingatenderwe kwedata riri pamutemo panguva yekugadziriswa kwayo paExchange Servers kana Intermediary:
U1.3.1. Link: .
U1.4. Kugadzira data remanyepo paExchange Servers kana Intermediary pachinzvimbo chemutori wechikamu ari pamutemo wekuchinjana:
U1.4.1. Link:
U1.5. Kugadziriswa kusingatenderwe kwedata kana ichigadziriswa uchishandisa data processing software:
U1.5.1. <...> nekuda kwevanorwisa vari kuita shanduko dzisina mvumo kune zvigadziriso (kugadziridza) yedata processing software.
U1.5.2. <β¦> nekuda kwevanorwisa vari kuita shanduko dzisina kutenderwa kumafaira anotepfenyurwa edata processing software.
U1.5.3. <β¦> nekuda kwekudyidzana kwekutonga kweiyo data yekugadzirisa software nevanorwisa.
TYPICAL THREAT MODEL. CRYPTOGRAPHIC INFORMATION PROTECTION SYSTEM
Chidziviriro chinhu icho chinotyisidzira modhi (chiyero) chinoshandiswa
Chinhu chekudzivirira ndeye cryptographic ruzivo rwekudzivirira sisitimu inoshandiswa kuve nechokwadi chekuchengetedzwa kweiyo ruzivo system.
akitekicha
Hwaro hwechero system yeruzivo iapplication software inoshandisa iyo chinangwa chekushanda kwayo.
Kudzivirirwa kweCryptographic kunowanzoitwa nekudaidza cryptographic primitives kubva kune bhizinesi logic yeapplication software, iyo iri mumaraibhurari akasarudzika - crypto cores.
Cryptographic primitives inosanganisira yakaderera-level cryptographic mabasa, akadai se:
- encrypt/decrypt block yedata;
- gadzira / simbisa siginecha yemagetsi yevhavha data;
- kuverenga iyo hash basa re data block;
- kugadzira / kurodha / kurodha ruzivo rwakakosha;
- uye zvakadaro.
Iyo bhizinesi pfungwa yesoftware yekushandisa inoshandisa yepamusoro-level mashandiro uchishandisa cryptographic primitives:
- encrypt iyo faira uchishandisa makiyi evakasarudzwa vagashiri;
- gadza yakachengeteka network yekubatanidza;
- zivisa nezvemhedzisiro yekutarisa siginecha yemagetsi;
- etc.
Kudyidzana kwebhizinesi logic uye crypto core inogona kuitwa:
- zvakananga, nebhizimusi logic inodana cryptographic primitives kubva kumaraibhurari ane simba e crypto kernel (.DLL yeWindows, .SO yeLinux);
- zvakananga, kuburikidza nekriptographic interfaces - wrappers, semuenzaniso, MS Crypto API, Java Cryptography Architecture, PKCS # 11, etc. Muchiitiko ichi, bhizinesi logic rinowana iyo crypto interface, uye inoshandura kudana kune inoenderana crypto core, iyo mu nyaya iyi inonzi crypto provider. Iko kushandiswa kwekriptographic interfaces kunobvumira application software kubvisa kure kubva kune chaiyo cryptographic algorithms uye kuve nyore kuchinjika.
Pane maviri akajairwa zvirongwa zvekuronga iyo crypto musimboti:
Scheme 1 - Monolithic crypto core
Scheme 2 - Kupatsanura crypto musimboti
Zvinhu zviri mumadhayagiramu ari pamusoro zvinogona kunge ari ega ega software modules inomhanya pane imwe komputa kana network masevhisi anodyidzana mukati metiweki yekombuta.
Paunenge uchishandisa masisitimu akavakirwa zvinoenderana neChirongwa 1, iyo software yekushandisa uye iyo crypto core inoshanda mukati meimwe nzvimbo yekushanda ye crypto tool (SFC), semuenzaniso, pane imwecheteyo komputa, inoshandisa imwechete yekushandisa system. Mushandisi wehurongwa, sekutonga, anogona kumhanyisa mamwe mapurogiramu, kusanganisira ayo ane yakaipa kodhi, mukati meiyo imwechete yekushanda nharaunda. Pasi pemamiriro akadai, pane njodzi yakakomba yekudonha kweyakavanzika cryptographic kiyi.
Kuti uderedze njodzi, chirongwa 2 chinoshandiswa, umo iyo crypto core yakakamurwa kuita zvikamu zviviri:
- Chikamu chekutanga, pamwe chete nepurogiramu yepurogiramu, inoshanda munzvimbo isina kuvimbika uko kune ngozi yehutachiona nekodhi yakaipa. Tichadaidza chikamu ichi "software chikamu".
- Chikamu chechipiri chinoshanda munzvimbo yakavimbika pane yakazvitsaurira mudziyo, iyo ine yakavanzika kiyi yekuchengetedza. Kubva zvino zvichienda mberi tichadaidza chikamu ichi "hardware".
Kupatsanurwa kweiyo crypto core kuita software uye hardware zvikamu zvinopokana. Kune masisitimu pamusika akavakirwa zvinoenderana nechirongwa chine yakakamurwa crypto core, asi iyo "hardware" chikamu chayo chinounzwa muchimiro chemufananidzo wemashini - chaiwo HSM ().
Kudyidzana kwemativi ese ari maviri eiyo crypto core kunoitika nenzira yekuti zvakavanzika cryptographic makiyi haambotamiswa kune chikamu chesoftware uye, nekudaro, haigone kubiwa uchishandisa yakaipa kodhi.
Iyo yekudyidzana interface (API) uye seti yekriptographic primitives yakapihwa kune application software neiyo crypto core yakafanana mune ese ari maviri kesi. Musiyano uri pamashandisirwo azvinoitwa.
Nekudaro, kana uchishandisa chirongwa chine yakakamurwa crypto core, kupindirana kwesoftware uye Hardware kunoitwa zvinoenderana neinotevera musimboti:
- Cryptographic primitives isingadi kushandiswa kwekiyi yakavanzika (somuenzaniso, kuverenga basa rehashi, kuongorora siginecha yemagetsi, nezvimwewo) inoitwa nesoftware.
- Cryptographic primitives inoshandisa kiyi yakavanzika (kugadzira siginecha yemagetsi, decrypting data, nezvimwewo) inoitwa nehardware.
Ngatienzanisirei basa reiyo yakakamurwa crypto core tichishandisa muenzaniso wekugadzira siginecha yemagetsi:
- Iyo software chikamu inoverengera hashi basa reiyo yakasainwa data uye inoendesa kukosha uku kune Hardware kuburikidza nekuchinjana chiteshi pakati pe crypto cores.
- Iyo hardware chikamu, uchishandisa yakavanzika kiyi uye hashi, inoburitsa kukosha kweiyo siginecha yemagetsi uye inoendesa kune chikamu chesoftware kuburikidza nechiteshi chekuchinjana.
- Chikamu chesoftware chinodzosera kukosha kwakagamuchirwa kune software yekushandisa.
Zvimiro zvekutarisa kurongeka kwemagetsi siginecha
Kana bato rinogamuchira richigamuchira data rakasainwa nemagetsi, rinofanirwa kuita akati wandei ekusimbisa matanho. Mhedzisiro yakanaka yekutarisa siginecha yemagetsi inowanikwa chete kana matanho ese ekusimbisa akazadzikiswa zvinobudirira.
Nhanho 1. Kudzora kwekutendeseka kwedata uye kunyoresa data.
Zviri mukati medariro. Iyo yemagetsi siginecha yedata inosimbiswa uchishandisa yakakodzera cryptographic algorithm. Kupedzwa kwakabudirira kweichi nhanho kunoratidza kuti data harina kugadziridzwa kubva panguva yayakasainwa, uye zvakare kuti siginicha yakaitwa nekiyi yakavanzika inoenderana nekiyi yeruzhinji yekusimbisa siginecha yemagetsi.
Nzvimbo yesiteji: crypto core.
Nhanho 2. Kudzora kwekuvimba mukiyi yeruzhinji yeakasaina uye kutonga kweiyo nguva yechokwadi yekiyi yakavanzika yemagetsi siginicha.
Zviri mukati medariro. Danho rine zvikamu zviviri zvepakati. Yekutanga ndeyekuona kana kiyi yeruzhinji yekusimbisa siginecha yemagetsi yakavimbwa panguva yekusaina data. Yechipiri inosarudza kana kiyi yega yega yemagetsi siginicha yaive inoshanda panguva yekusaina data. Kazhinji, nguva dzechokwadi dzemakiyi aya dzinogona kusapindirana (semuenzaniso, kune zvitupa zvinokwanisa zvemagetsi siginecha makiyi ekusimbisa). Nzira dzekumisa kuvimba mukiyi yeruzhinji yeanosaina inotemerwa nemitemo yemagetsi dhizaini manejimendi inogamuchirwa nemapato ari kudyidzana.
Nzvimbo yesiteji: application software / crypto core.
Danho 3. Kudzora kwesimba reanosaina.
Zviri mukati medariro. Zvinoenderana nemirairo yakagadzwa yemagetsi gwaro manejimendi, inotariswa kana iye akasaina aive nekodzero yekusimbisa iyo data yakachengetedzwa. Somuenzaniso, ngatipei mamiriro ezvinhu okuputswa kwechiremera. Ngatitii pane sangano apo vashandi vose vane siginicha yemagetsi. Iyo yemukati yemagetsi gwaro manejimendi system inogamuchira odha kubva kuna maneja, asi yakasainwa nemagetsi siginecha yewarehouse maneja. Naizvozvo, gwaro rakadaro haringanzi riri pamutemo.
Nzvimbo yesiteji: application software.
Mafungiro akaitwa pakutsanangura chinhu chedziviriro
- Nhepfenyuro dzekufambisa nzira, kunze kwemakiyi ekutsinhana chiteshi, zvakare inopfuura kuburikidza neapplication software, API uye crypto core.
- Ruzivo rwekuvimba nemakiyi eruzhinji uye (kana) zvitupa, pamwe neruzivo nezve masimba evaridzi makiyi eruzhinji, ari muchitoro cheruzhinji.
- Iyo software yekushandisa inoshanda neruzhinji kiyi chitoro kuburikidza neiyo crypto kernel.
Muenzaniso wehurongwa hweruzivo hwakachengetedzwa uchishandisa CIPF
Kuenzanisira dhayagiramu yakamboratidzwa, ngatitarisei fungidziro yeruzivo system uye tiratidze zvese zvimiro pairi.
Tsanangudzo yehurongwa hwemashoko
Masangano maviri aya akasarudza kuunza zviri pamutemo zvakakosha zvemagetsi gwaro manejimendi (EDF) pakati pavo. Kuti vaite izvi, vakapinda muchibvumirano chavakaronga kuti magwaro aizotumirwa neemail, uye panguva imwe chete iwo anofanirwa kuvharirwa uye kusainwa neakakodzera siginecha yemagetsi. Zvirongwa zveHofisi kubva kuMicrosoft Office 2016 package inofanirwa kushandiswa semidziyo yekugadzira nekugadzirisa magwaro, uye CIPF CryptoPRO uye encryption software CryptoARM inofanira kushandiswa senzira yekudzivirira yecryptographic.
Tsanangudzo yezvivakwa zvesangano 1
Sangano 1 rakafunga kuti raizoisa CIPF CryptoPRO uye CryptoARM software panzvimbo yebasa yemushandisi - komputa yemuviri. Encryption uye electronic siginecha makiyi achachengetwa pane ruToken kiyi midhiya, inoshanda mune inodzoreredzwa kiyi modhi. Mushandisi anogadzirira magwaro emagetsi munharaunda pakombuta yake, obva anyora, achisaina uye oatumira achishandisa mutengi weemail akaiswa munharaunda.
Tsanangudzo yezvivakwa zvesangano 2
Sangano 2 rakafunga kufambisa iyo encryption uye yemagetsi siginecha mabasa kumuchina wakatsaurirwa chaiwo. Muchiitiko ichi, ese cryptographic mashandiro anozoitwa otomatiki.
Kuti uite izvi, maforodha maviri etiweki akarongwa pamushini wakatsaurirwa chaiwo: "... Mu", "... Kunze". Mafaira akagashirwa kubva kune mumwe ari mufomu yakavhurika anozoiswa otomatiki munetiweki folda "... Mu". Aya mafaera achabviswa uye siginicha yemagetsi ichasimbiswa.
Mushandisi anoisa mafaera mu "... Out" folda inoda kuvharirwa, kusainwa uye kutumirwa kune mumwe. Mushandisi anogadzirira iwo mafaera pachawo pane yake yebasa.
Kuita encryption uye zvemagetsi siginecha mabasa, CIPF CryptoPRO, CryptoARM software uye email mutengi akaiswa pamushini chaiwo. Otomatiki manejimendi ezvese zvinhu zvemuchina chaiwo anozoitwa pachishandiswa zvinyorwa zvakagadziridzwa nevatariri vehurongwa. Basa rezvinyorwa rakaiswa mumafaira e log.
Cryptographic makiyi emagetsi siginicha achaiswa pachiratidzo chine isingadzokeri JaCarta GOST kiyi, iyo mushandisi achabatanidza kune yeko kombiyuta yake.
Chiratidzo chinozoendeswa kumuchina chaiwo uchishandisa yakasarudzika USB-pamusoro-IP software yakaiswa pane yebasa remushandisi uye pamushini chaiwo.
Iyo system clock pane yevashandisi nzvimbo yekushandira musangano 1 ichagadziriswa nemaoko. Iyo system wachi yemuchina wakatsaurirwa muSangano 2 ichave yakawiriraniswa neiyo hypervisor system wachi, iyo inozowiriraniswa paInternet nemaseva enguva yeruzhinji.
Kuzivikanwa kwezvimiro zveCIPF
Kubva pane tsananguro iri pamusoro peiyo IT zvivakwa, isu tinosimbisa zvimiro zveCIPF tozvinyora mutafura.
Tafura - Kunyorerana kweCIPF modhi zvinhu kune ruzivo system zvinhu
Element name
Sangano 1
Sangano 2
Application software
CryptoARM software
CryptoARM software
Software chikamu cheiyo crypto core
CIPF CryptoPRO CSP
CIPF CryptoPRO CSP
Crypto musimboti Hardware
asipo
JaCarta GOST
API
MS CryptoAPI
MS CryptoAPI
Public Key Store
Nzvimbo yevashandisi:
- HDD;
- standard Windows certificate store.
Hypervisor:
- HDD.
Virtual muchina:
- HDD;
- standard Windows certificate store.
Kuchengetera kiyi yega
ruToken kiyi inotakura inoshanda mune inodzoreredzwa kiyi modhi
JaCarta GOST kiyi inotakura inoshanda mune isingabvisike kiyi modhi
Public key exchange channel
Nzvimbo yevashandisi:
- RAM.
Hypervisor:
- RAM.
Virtual muchina:
- RAM.
Yakavanzika kiyi yekutsinhana chiteshi
Nzvimbo yevashandisi:
- USB bhazi;
- RAM.
asipo
Shandura chiteshi pakati pe crypto cores
chisipo (hapana crypto core hardware)
Nzvimbo yevashandisi:
- USB bhazi;
- RAM;
- USB-pamusoro-IP software module;
- network interface.
Corporate network yesangano 2.
Hypervisor:
- RAM;
- network interface.
Virtual muchina:
- network interface;
- RAM;
- USB-pamusoro-IP software module.
Vhura Data Channel
Nzvimbo yevashandisi:
β kupinza-kubuda zvinoreva;
- RAM;
- HDD.
Nzvimbo yevashandisi:
β kupinza-kubuda zvinoreva;
- RAM;
- HDD;
- network interface.
Corporate network yesangano 2.
Hypervisor:
- network interface;
- RAM;
- HDD.
Virtual muchina:
- network interface;
- RAM;
- HDD.
Chengetedza nzira yekuchinjana data
Internet.
Corporate network yesangano 1.
Nzvimbo yevashandisi:
- HDD;
- RAM;
- network interface.
Internet.
Corporate network yesangano 2.
Hypervisor:
- network interface;
- RAM;
- HDD.
Virtual muchina:
- network interface;
- RAM;
- HDD.
Nguva chiteshi
Nzvimbo yevashandisi:
β kupinza-kubuda zvinoreva;
- RAM;
- system timer.
Internet.
Corporate network yesangano 2,
Hypervisor:
- network interface;
- RAM;
- system timer.
Virtual muchina:
- RAM;
- system timer.
Dzora kuraira chiteshi chekufambisa
Nzvimbo yevashandisi:
β kupinza-kubuda zvinoreva;
- RAM.
(Graphical mushandisi interface ye CryptoARM software)
Virtual muchina:
- RAM;
- HDD.
(Automation zvinyorwa)
Channel yekugamuchira mhedzisiro yebasa
Nzvimbo yevashandisi:
β kupinza-kubuda zvinoreva;
- RAM.
(Graphical mushandisi interface ye CryptoARM software)
Virtual muchina:
- RAM;
- HDD.
(Log mafaera e otomatiki script)
Kutyisidzira kwepamusoro-soro kwekuchengetedza
Tsananguro
Kufungidzira kunoitwa pakuora kutyisidzira:
- Yakasimba cryptographic algorithms inoshandiswa.
- Cryptographic algorithms inoshandiswa zvakachengeteka munzira dzakakodzera dzekushanda (semuenzaniso. haishandiswe kuvharidzira mavhoriyamu makuru e data, mutoro unobvumidzwa pane kiyi unocherechedzwa, nezvimwewo).
- Vanorwisa vanoziva ese algorithms, maprotocol uye makiyi eruzhinji anoshandiswa.
- Vanorwisa vanogona kuverenga ese akavharidzirwa data.
- Vanorwisa vanokwanisa kuburitsa chero software zvinhu muhurongwa.
Kuora
U1. Kukanganisa kweyakavanzika cryptographic kiyi.
U2. Kuvharidzira data remanyepo pachinzvimbo cheanotumira zviri pamutemo.
U3. Decryption yedata yakavharidzirwa nevanhu vasiri kutambira zviri pamutemo data (vapambi).
U4. Kugadzira siginecha yemagetsi yeanosaina zviri pamutemo pasi pe data renhema.
U5. Kuwana mhedzisiro yakanaka kubva pakutarisa siginecha yemagetsi yedata rekunyepedzera.
U6. Kukanganisa kugamuchirwa kwemagwaro emagetsi ekuuraiwa nekuda kwezvinetso mukuronga kuyerera kwegwaro remagetsi.
U7. Kuwanikwa kusina mvumo kune data rakachengetedzwa panguva yekugadziriswa kwavo neCIPF.
U1. Kukanganisa kweyakavanzika cryptographic kiyi
U1.1. Kutora kiyi yakavanzika kubva muchitoro chekiyi.
U1.2. Kuwana kiyi yega kubva kune zvinhu zviri mu crypto-tool's operating environment, iyo inogona kugara kwenguva pfupi.
Tsanangudzo U1.2.
Zvinhu zvinogona kuchengetedza kiyi yakavanzika kwenguva zvinosanganisira:
- RAM,
- mafaira enguva pfupi,
- chinjanisa mafaera,
- Hibernation mafaira,
- snapshot mafaera eiyo "inopisa" mamiriro emakina chaiwo, kusanganisira mafaera ezviri mukati me RAM yemichina yakambomira.
U1.2.1. Kubvisa makiyi akavanzika kubva pakushanda RAM nekuomesa RAM module, uchiabvisa uye wobva waverenga iyo data (chando kurwisa).
Tsanangudzo U1.2.1.
Muenzaniso: .
U1.3. Kuwana kiyi yakavanzika kubva kune yakavanzika kiyi yekutsinhana chiteshi.
Tsanangudzo U1.3.
Muenzaniso wekushandiswa kwekutyisidzira uku uchapiwa .
U1.4. Kusatenderwa kushandurwa kweiyo crypto core, semhedzisiro makiyi ega ega anozivikanwa kune vanorwisa.
U1.5. Kukanganisa kwekiyi yakavanzika semhedzisiro yekushandiswa kwehunyanzvi ruzivo leakage channels (TCIL).
Tsanangudzo U1.5.
Muenzaniso: .
U1.6. Kukanganisa kwekiyi yakavanzika nekuda kwekushandiswa kwehunyanzvi nzira (STS) yakagadzirirwa kudzoreredza ruzivo muchivande ("bugs").
U1.7. Kukanganisa kwemakiyi akavanzika panguva yekuchengetera kwavo kunze kweCIPF.
Tsanangudzo U1.7.
Semuenzaniso, mushandisi anochengeta yake kiyi media mudhirowa yedesktop, mavanogona kutorwa nyore nyore nevanorwisa.
U2. Kunyora data remanyepo uchimiririra munhu anotumira zviri pamutemo
Tsananguro
Kutyisidzira uku kunotariswa chete kune data encryption zvirongwa zvine humbowo hweanotumira. Mienzaniso yezvirongwa zvakadaro inoratidzwa mukurudziro yekumira . Kune mamwe makriptographic schemes, kutyisidzira uku hakuna, sezvo encryption inoitwa pamakiyi eruzhinji emugamuchiri, uye anowanzo zivikanwa kune vanorwisa.
Kuora
U2.1. Kukanganisa kiyi yemunhu anotumira zvakavanzika:
U2.1.1. Link: .
U2.2. Kutsiviwa kwedata rekuisa mune yakavhurika data chiteshi.
Notes U2.2.
Mienzaniso yekushandiswa kwekutyisidzira uku inopiwa pasi apa. ΠΈ .
U3. Decryption yedata yakavharidzirwa nevanhu vasiri kutambira zviri pamutemo data (vapambi)
Kuora
U3.1. Kukanganisa makiyi akavanzika emunhu anogamuchira data rakavharidzirwa.
U3.1.1 Link: .
U3.2. Kutsiviwa kwedata rakavharidzirwa mune yakachengeteka data yekutsinhana chiteshi.
U4. Kugadzira siginecha yemagetsi yeanosaina zviri pamutemo pasi pe data renhema
Kuora
U4.1. Kukanganisa kwemakiyi epachivande emagetsi siginicha yeanosaina zviri pamutemo.
U4.1.1 Link: .
U4.2. Kutsiviwa kwedata rakasainwa muchiteshi chakavhurika chekuchinjana data.
Cherechedza U4.2.
Mienzaniso yekushandiswa kwekutyisidzira uku inopiwa pasi apa. ΠΈ .
U5. Kuwana mhedzisiro yakanaka kubva pakutarisa siginecha yemagetsi yedata rekunyepedzera
Kuora
U5.1. Vanorwisa vanobata meseji muchiteshi chekufambisa mhedzisiro yebasa nezvemhedzisiro yekutarisa siginecha yemagetsi voitsiva nemeseji ine mhedzisiro yakanaka.
U5.2. Vanorwisa vanorwisa kuvimba mukusaina zvitupa (SCRIPT - zvinhu zvese zvinodiwa):
U5.2.1. Vanorwisa vanogadzira kiyi yeruzhinji neyepachivande yekusaina yemagetsi. Kana iyo sisitimu ichishandisa zvitupa zvemagetsi siginecha kiyi, vanobva vagadzira chitupa chemagetsi siginecha yakafanana sezvinobvira kune chitupa cheanotumira data ane meseji yavanoda kugadzira.
U5.2.2. Vanorwisa vanoita shanduko dzisina mvumo kuchitoro cheveruzhinji, vachipa kiyi yeruzhinji ivo vanoburitsa nhanho inodiwa yekuvimba nechiremera.
U5.2.3. Vanorwisa vanosaina data renhema nekiyi yakambogadzirwa yemagetsi siginecha voiisa muchiteshi chekuchinjana data chakachengeteka.
U5.3. Vapambi vanoita kurwisa vachishandisa makiyi emagetsi akapera emagetsi anosaina zviri pamutemo (SCRIPT - zvinhu zvese zvinodiwa):
U5.3.1. Vanorwisa vakanganisa vapera nguva (hazvisiri kushanda parizvino) makiyi epachivande emagetsi siginicha yeanotumira zviri pamutemo.
U5.3.2. Vanorwisa vanotsiva nguva muchiteshi chekufambisa nguva nenguva iyo makiyi akakanganiswa aive achiri kushanda.
U5.3.3. Vanorwisa vanosaina data remanyepo nekiyi yakambokanganiswa yemagetsi siginecha voibaya muchiteshi chekuchinjana data chakachengeteka.
U5.4. Vapambi vanoita kurwisa vachishandisa makiyi emagetsi siginecha eakasaina zviri pamutemo (SCRIPT - zvinhu zvese zvinodiwa):
U5.4.1. Anorwisa anoita kopi yeruzhinji chitoro.
U5.4.2. Vanorwisa vanokanganisa makiyi epachivande emumwe wevanotumira zviri pamutemo. Anoona kuwirirana, anobvisa makiyi, uye ruzivo nezve kubviswa kwakakosha kunoiswa muchitoro chevanhu.
U5.4.3. Vapambi vanotsiva chitoro chemakiyi evoruzhinji nechakambokopwa.
U5.4.4. Vanorwisa vanosaina data remanyepo nekiyi yakambokanganiswa yemagetsi siginecha voibaya muchiteshi chekuchinjana data chakachengeteka.
U5.5. <β¦> nekuda kwekuvapo kwezvikanganiso mukuitwa kwe2nd uye 3rd nhanho yekusimbisa siginecha yemagetsi:
Tsanangudzo U5.5.
Muenzaniso wekushandiswa kwekutyisidzira uku unopiwa .
U5.5.1. Kutarisa kuvimba mune yemagetsi siginecha kiyi setifiketi chete nekuvapo kwekuvimba muchitupa chachakasainwa nacho, pasina CRL kana OCSP cheki.
Tsanangudzo U5.5.1.
Implementation muenzaniso .
U5.5.2. Paunenge uchivaka cheni yekuvimba yechitupa, zviremera zvekuburitsa zvitupa hazviongororwe
Tsanangudzo U5.5.2.
Muenzaniso wekurwisa zvitupa zveSSL/TLS.
Vapambi vakatenga chitupa chepamutemo chee-mail yavo. Vakabva vaita chitupa chehutsotsi chesaiti ndokusaina nechitupa chavo. Kana humbowo husina kutariswa, ipapo kana uchitarisa cheni yekuvimba ichave yakarurama, uye, maererano, chitupa chekubiridzira chichavawo chakarurama.
U5.5.3. Kana uchivaka chitupa chekuvimba cheni, zvitupa zvepakati hazvitariswe kuti zvibviswe.
U5.5.4. MaCRL anogadziridzwa zvishoma kazhinji pane zvaanopihwa nechiremera chetitifiketi.
U5.5.5. Sarudzo yekuvimba siginecha yemagetsi inoitwa mhinduro yeOCSP yemamiriro echitupa isati yatambirwa, yakatumirwa pachikumbiro chakaitwa gare gare pane nguva yakaitwa siginecha kana pamberi peCRL inotevera mushure mekunge siginicha yagadzirwa.
Tsanangudzo U5.5.5.
Mune mirairo yeakawanda maCA, nguva yekubvisirwa chitupa inoonekwa senguva yekuburitswa kweCRL iri pedyo ine ruzivo nezve kubvisirwa chitupa.
U5.5.6. Kana uchigamuchira data rakasainwa, chitupa ndechemutumiri hachitariswe.
Tsanangudzo U5.5.6.
Muenzaniso wekurwisa. Zvichienderana nezvitupa zveSSL: kuwirirana kweiyo inonzi server kero ine kukosha kwenzvimbo yeCN muchitupa inogona kusatariswa.
Muenzaniso wekurwisa. Vapambi vakakanganisa makiyi siginecha emagetsi emumwe wevaridzi vechikamu chekubhadhara. Mushure meizvozvo, vakabira kunetiweki yemumwe mubati uye, pachinzvimbo chake, vakatumira magwaro ekubhadhara akasainwa nemakiyi akakanganiswa kune sevhavha yegadziriro yekubhadhara. Kana sevha ichingoongorora kuvimba uye isingatarise kuteererwa, ipapo magwaro ehunyengeri anozoonekwa seari pamutemo.
U6. Kukanganisa kugamuchirwa kwemagwaro emagetsi ekuuraiwa nekuda kwezvinetso mukuronga kuyerera kwegwaro remagetsi.
Kuora
U6.1. Bato rinogamuchira harione kudzokorora kwemagwaro akagamuchirwa.
Tsanangudzo U6.1.
Muenzaniso wekurwisa. Vapambi vanogona kubata gwaro riri kuendeswa kune anorigamuchira, kunyangwe rakadzivirirwa nekriptographically, vobva vadzokorora kuritumira pamusoro penzira yakachengeteka yekufambisa data. Kana iye anogamuchira akasaratidza zvakapetwa, ipapo magwaro ese anogamuchirwa anozoonekwa uye anogadziriswa semagwaro akasiyana.
U7. Kuwanikwa kusina mvumo kune data rakachengetedzwa panguva yekugadziriswa kwavo neCIPF
Kuora
U7.1. <β¦> nekuda kwekubuda kweruzivo kuburikidza nematanho epadivi (padivi chiteshi kurwisa).
Tsanangudzo U7.1.
Muenzaniso: .
U7.2. .
U7.2.1. Kushanda kweCIPF kutyora zvinodiwa zvinotsanangurwa mugwaro reCIPF.
U7.2.2. <β¦>, inoitwa nekuda kwekuvapo kwekusagadzikana mu:
U7.2.2.1. <β¦> nzira dzekudzivirira kubva kune isina mvumo.
U7.2.2.2. <β¦> CIPF pachayo.
U7.2.2.3. <...> nharaunda yekushanda ye crypto-tool.
Mienzaniso yekurwisa
Mamiriro ari kukurukurwa pazasi sezviri pachena ane zvikanganiso zvekuchengetedza ruzivo uye anongoshanda kuratidza kurwiswa kunobvira.
Chiitiko 1. Muenzaniso wekushandiswa kwekutyisidzira U2.2 uye U4.2.
Tsanangudzo yechinhu
Iyo AWS KBR software uye CIPF SCAD Siginecha yakaiswa pakombuta yemuviri isina kubatana kune network yekombuta. FKN vdToken inoshandiswa sekiyi inotakura munzira yekushanda nekiyi isingabvisike.
Mitemo yekugadzirisa inofungidzira kuti nyanzvi yekugadzirisa kubva pakombuta yebasa inodhawunirodha mameseji emagetsi mumavara akajeka (chirongwa chekare cheKBR workstation) kubva kune yakachengeteka faira server, obva anyora pane inotakurika USB flash drive uye oiendesa kune KBR workstation, kwavanenge vakanyorwa uye zviratidzo. Mushure meizvi, nyanzvi inotamisa mameseji emagetsi akachengeteka kune yakasarudzika, uye ipapo, kuburikidza nekombuta yake yebasa, anoinyorera kune sevha yefaira, kubva kwavanoenda kuUTA uyezve kune yekubhadhara system yeBhange reRussia.
Muchiitiko ichi, nzira dzekutsinhana dzakavhurika uye dzakachengetedzwa data dzinosanganisira: sevha yefaira, komputa yebasa renyanzvi, uye midhiya yakaparadzaniswa.
Kurwisa
Varwi vasina mvumo vanoisa remote control system pakombuta yebasa renyanzvi uye, panguva yekunyora mirairo yekubhadhara (mameseji emagetsi) kune inochinjika svikiro, tsiva zviri mukati meimwe yacho mumagwaro akajeka. Nyanzvi inotamisa maodha ekubhadhara kune KBR otomatiki kubasa, anoisa chiratidzo uye encryption iwo asingacherechedze kutsiva (semuenzaniso, nekuda kwenhamba huru yekubhadhara maodha pakubhururuka, kuneta, nezvimwewo). Mushure meizvi, kurongeka kwekubhadhara kwenhema, kwapfuura neketani yetekinoroji, inopinda muhurongwa hwekubhadhara hweBhange reRussia.
Chiitiko 2. Muenzaniso wekushandiswa kwekutyisidzira U2.2 uye U4.2.
Tsanangudzo yechinhu
Komputa ine nzvimbo yekushandira yakaiswa KBR, SCAD Siginicha uye yakabatana kiyi inotakura FKN vdToken inoshanda mukamuri yakatsaurirwa isina mukana kubva kune vashandi.
Nyanzvi yekuverenga inobatanidza kune CBD workstation mune kure yekuwana modhi kuburikidza neRDP protocol.
Kurwisa
Vanorwisa vanobata izvo, vachishandisa iyo nyanzvi yekuverenga inobatanidza uye inoshanda neCBD workstation (semuenzaniso, kuburikidza nekodhi yakaipa pakombuta yake). Ipapo vanobatana panzvimbo yake uye vanotumira fake yekubhadhara odha kuBhange reRussia rekubhadhara system.
Mamiriro ezvinhu 3. Muenzaniso wekushandiswa kwekutyisidzira U1.3.
Tsanangudzo yechinhu
Ngatitarisei imwe yesarudzo dzekufungidzira dzekushandisa iyo ABS-KBR yekubatanidza mamodule echirongwa chitsva (AWS KBR-N), umo siginecha yemagetsi yemagwaro anobuda inoitika kudivi reABS. Muchiitiko ichi, isu tichafunga kuti iyo ABS inoshanda pahwaro hweiyo inoshanda sisitimu isingatsigirwe neCIPF SKAD Siginecha, uye, maererano, iyo cryptographic mashandiro anoendeswa kune wakasiyana chaiwo muchina - iyo "ABS-KBR" kubatanidzwa. module.
Yenguva dzose USB tokeni inoshanda mune inodzoreredzwa kiyi modhi inoshandiswa sekiyi inotakura. Pakubatanidza kiyi midhiya kune hypervisor, zvakazoitika kuti pakanga pasina emahara USB ports muhurongwa, saka zvakasarudzwa kubatanidza iyo USB chiratidzo kuburikidza netiweki USB hub, uye kuisa USB-pamusoro-IP mutengi pane chaiyo. muchina, waizotaurirana nehabhu.
Kurwisa
Varwi vacho vakabata kiyi yakavanzika ye siginecha yemagetsi kubva pachiteshi chekutaurirana pakati pe USB hub uye hypervisor (data yakatumirwa mumavara akajeka). Kuve nekiyi yakavanzika, vapambi vakagadzira yekunyepedzera yekubhadhara, vakaisaina nemagetsi siginicha ndokuitumira kuKBR-N otomatiki kubasa kunourayiwa.
Mamiriro ezvinhu 4. Muenzaniso wekushandiswa kwekutyisidzira U5.5.
Tsanangudzo yechinhu
Ngatitarisei dunhu rimwechete semuchiitiko chakapfuura. Tichafunga kuti mameseji emagetsi anobva kuKBR-N workstation anopedzisira ave muβ¦SHAREIn forodha, uye ayo anotumirwa kunzvimbo yekushandira yeKBR-N uyezve kubhanga reBhangi reRussia anoenda kuβ¦SHAREout.
Isu tichafunga zvakare kuti kana tichiita iyo yekubatanidza module, zvinyorwa zvezvitupa zvakabviswa zvinogadziridzwa chete kana makiyi e cryptographic aburitswa, uye zvakare kuti mameseji emagetsi anogamuchirwa muβ¦SHAREIn folda inotariswa chete kutonga kwekuvimbika uye kutonga kwekuvimba mukiyi yeruzhinji. siginecha yemagetsi.
Kurwisa
Vapambi, vachishandisa makiyi akabiwa muchiitiko chakapfuura, vakasaina gwaro rekubhadhara remanyepo rine ruzivo nezve kutambirwa kwemari muakaundi yemutengi anonyepedzera ndokuipinza muchiteshi chekuchinjana data chakachengeteka. Sezvo pasina humbowo hwekuti mubhadharo wekubhadhara wakasainwa neBhangi reRussia, unogamuchirwa kuti uurawe.
Source: www.habr.com