How to evaluate and compare Ethernet encryption devices

I wrote this review (or, if you prefer, comparison guide) when I was given the task of comparing several devices from different vendors. On top of that, the devices belonged to different classes. I had to understand the architecture and characteristics of all of them and build a "coordinate system" for the comparison. I will be glad if my review helps someone:

  • Understand the descriptions and specifications of encryption devices
  • Distinguish "paper" characteristics from those that really matter in real life
  • Go beyond the usual set of vendors and take into consideration any products suitable for solving the problem
  • Ask the right questions during negotiations
  • Prepare the terms of reference (RFP)
  • Understand which characteristics will have to be sacrificed if a particular device model is chosen

What can be evaluated

In short, the approach applies to any standalone devices suitable for encrypting network traffic between remote Ethernet segments (cross-site encryption). That is, "boxes" in a separate case (well, we will also include chassis blades/modules here) which connect through one or more Ethernet ports to a local (campus) Ethernet network carrying unencrypted traffic, and through another port (or ports) to the channel/network over which the already encrypted traffic is sent to other, remote segments. Such an encryption solution can be deployed in a private or operator network over different kinds of "transport" (dark fiber, frequency-division multiplexing equipment, switched Ethernet, as well as "pseudowires" laid through a network with a different routing architecture, most often MPLS), with or without VPN technology.

[Figure: Network encryption in a distributed Ethernet network]

The devices themselves can be either specialized (intended for encryption only) or multifunctional (hybrid, convergent), that is, also performing other functions (for example, firewall or router). Different vendors place their devices in different classes/categories, but this does not matter; the only important things are that they can encrypt cross-site traffic and what characteristics they have.

Just in case, I remind you that "network encryption", "traffic encryption" and "encryptor" are informal terms, although they are often used. You are unlikely to find them in Russian regulations (including those that introduce the GOSTs).

Encryption levels and transmission modes

Before we start describing the characteristics themselves that will be used for evaluation, we first have to understand one important thing, namely the "encryption level". I have noticed that it is often mentioned both in official vendor documents (descriptions, manuals, and so on) and in informal discussions (at negotiations, at trainings). That is, everyone seems to know exactly what is being talked about, but I personally have observed confusion.

So what is the "encryption level"? Obviously, we are talking about the number of the layer of the OSI/ISO reference network model at which encryption takes place. Let us read GOST R ISO 7498-2-99 "Information technology. Open systems interconnection. Basic reference model. Part 2. Security architecture". From this document one can understand that the level of the confidentiality service (one of the mechanisms for providing it is encryption) is the level of the protocol whose service data unit ("payload", user data) is encrypted. As the standard also says, the service can be provided either at the same level, "on its own", or with the help of a lower level (this is how it is usually done in MACsec, for example).

In practice, two modes of transmitting encrypted information over a network are possible (IPsec comes to mind first, but the same modes exist in other protocols). In transport (sometimes also called native) mode only the service data unit is encrypted, and the headers remain "open", unencrypted (sometimes additional fields with service information for the encryption algorithm are added, and other fields are modified and recomputed). In tunnel mode the whole protocol data unit (that is, the packet itself) is encrypted and encapsulated in a service data unit of the same or a higher level, in other words, it is wrapped in new headers.

The encryption level by itself, in combination with one or another transmission mode, is neither good nor bad, so one cannot say, for example, that L3 in transport mode is better than L2 in tunnel mode. It is just that many of the characteristics by which devices are evaluated depend on it, for example flexibility and compatibility. To work in an L1 (bit stream relay), L2 (frame switching) or L3 (packet routing) network in transport mode, you need a solution that encrypts at the same or a higher level (otherwise the addressing information is encrypted and the data does not reach where it needs to go), whereas tunnel mode removes this limitation (while sacrificing some other important characteristics).

[Figure: Transport and tunnel L2 encryption modes]
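To make the difference concrete, here is an added example (my own illustration, not code from the article or from any vendor) of L2 transport and tunnel modes in Go, using AES-256-GCM from the standard library. The framing is an assumption made for the example: an 8-byte cleartext frame counter after the clear header(s), then the ciphertext and a 16-byte tag, with the IEEE local-experimental EtherType 0x88B5 marking tunnel frames; real products use their own, usually proprietary, framing and may use GOST ciphers rather than AES. What it shows is that in transport mode the end hosts' MAC addresses stay visible on the wire (switches can still forward on them, and because they are authenticated any tampering is detected), while in tunnel mode only the encryptors' own addresses are visible, at the cost of 14 extra bytes per frame.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Framing assumed for this example only (no vendor's format): after the clear
// header(s) comes an 8-byte frame counter, then AES-256-GCM ciphertext and its
// 16-byte tag. 0x88B5 is the IEEE local-experimental EtherType.
const (
	ethHdrLen         = 14 // dst MAC (6) + src MAC (6) + EtherType (2)
	ctrLen, tagLen    = 8, 16
	expEtherType      = 0x88B5
	TransportOverhead = ctrLen + tagLen             // 24 bytes added per frame
	TunnelOverhead    = ethHdrLen + ctrLen + tagLen // 38 bytes added per frame
)

// Encryptor: AES-GCM plus a per-session 4-byte salt; salt||counter is the
// 12-byte nonce, so a counter value must never be reused under one key.
type Encryptor struct {
	aead cipher.AEAD
	salt [4]byte
}

func NewEncryptor(key []byte, salt [4]byte) (*Encryptor, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Encryptor{aead: aead, salt: salt}, nil
}

func (e *Encryptor) nonce(ctr uint64) []byte {
	n := make([]byte, 12)
	copy(n, e.salt[:])
	binary.BigEndian.PutUint64(n[4:], ctr)
	return n
}

// seal builds [clearHdr][counter][ciphertext||tag]. clearHdr goes to GCM as
// additional data: readable on the wire, but any modification is detected.
func (e *Encryptor) seal(clearHdr, plaintext []byte, ctr uint64) []byte {
	var c [ctrLen]byte
	binary.BigEndian.PutUint64(c[:], ctr)
	out := make([]byte, 0, len(clearHdr)+ctrLen+len(plaintext)+tagLen)
	out = append(append(out, clearHdr...), c[:]...)
	return e.aead.Seal(out, e.nonce(ctr), plaintext, clearHdr)
}

func (e *Encryptor) open(wire []byte) (clearHdr, plaintext []byte, err error) {
	if len(wire) < ethHdrLen+ctrLen+tagLen {
		return nil, nil, errors.New("truncated frame")
	}
	clearHdr = wire[:ethHdrLen]
	ctr := binary.BigEndian.Uint64(wire[ethHdrLen:])
	plaintext, err = e.aead.Open(nil, e.nonce(ctr), wire[ethHdrLen+ctrLen:], clearHdr)
	return clearHdr, plaintext, err // err != nil: header or payload was altered
}

// Transport mode: the original 14-byte Ethernet header stays in clear, so
// ordinary switches keep forwarding on the end hosts' MAC addresses.
func (e *Encryptor) TransportEncrypt(frame []byte, ctr uint64) ([]byte, error) {
	if len(frame) < ethHdrLen {
		return nil, errors.New("frame shorter than an Ethernet header")
	}
	return e.seal(frame[:ethHdrLen], frame[ethHdrLen:], ctr), nil
}

func (e *Encryptor) TransportDecrypt(wire []byte) ([]byte, error) {
	hdr, payload, err := e.open(wire)
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, hdr...), payload...), nil
}

// Tunnel mode: the whole original frame, addresses included, is encrypted
// behind a new header that only names the two encryptors.
func (e *Encryptor) TunnelEncrypt(outerDst, outerSrc [6]byte, frame []byte, ctr uint64) []byte {
	outer := make([]byte, 0, ethHdrLen)
	outer = append(append(outer, outerDst[:]...), outerSrc[:]...)
	outer = append(outer, byte(expEtherType>>8), byte(expEtherType&0xFF))
	return e.seal(outer, frame, ctr)
}

func (e *Encryptor) TunnelDecrypt(wire []byte) ([]byte, error) {
	if len(wire) < ethHdrLen || binary.BigEndian.Uint16(wire[12:]) != expEtherType {
		return nil, errors.New("not a tunnel frame")
	}
	_, frame, err := e.open(wire)
	return frame, err
}

func main() {
	enc, err := NewEncryptor(bytes.Repeat([]byte{0x42}, 32), [4]byte{1, 2, 3, 4}) // constructed demo key
	if err != nil {
		panic(err)
	}
	// Constructed frame: host A (..A1) -> host B (..B2), EtherType IPv4, 46-byte payload.
	frame := append([]byte{2, 0, 0, 0, 0, 0xB2, 2, 0, 0, 0, 0, 0xA1, 0x08, 0x00}, bytes.Repeat([]byte{0xEE}, 46)...)
	tw, _ := enc.TransportEncrypt(frame, 1)
	uw := enc.TunnelEncrypt([6]byte{2, 0, 0, 0, 0, 0xE2}, [6]byte{2, 0, 0, 0, 0, 0xE1}, frame, 2)
	fmt.Printf("transport: %d -> %d bytes, host MACs visible: %v\n", len(frame), len(tw), bytes.HasPrefix(tw, frame[:ethHdrLen]))
	fmt.Printf("tunnel:    %d -> %d bytes, host MACs visible: %v\n", len(frame), len(uw), bytes.Contains(uw, frame[:ethHdrLen]))
	tw[5] ^= 1 // flip one bit of the visible destination MAC
	_, err = enc.TransportDecrypt(tw)
	fmt.Println("tampered transport frame rejected:", err != nil)
}
```

The counter doubles as the anti-replay sequence number a real device would track per peer; the example leaves that window logic out and only shows which bytes each mode exposes and that the exposed header is still integrity-protected.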

Now let us move on to the characteristics themselves.

Performance

For network encryption, performance is a complex, multidimensional notion. It happens that one model, while better in one performance characteristic, is worse in another. So it is always useful to consider all the components of encryption performance and their influence on the performance of the network and of the applications that use it. An analogy with a car suggests itself: not only top speed matters, but also the time to accelerate to "a hundred", fuel consumption, and so on. Vendors and their prospective customers pay a lot of attention to performance characteristics. As a rule, encryption devices are ranked by performance within a vendor's product line.

Obviously, performance depends on the complexity of the networking and cryptographic operations performed on the device (including how well these operations can be parallelized and pipelined), as well as on the hardware performance and the quality of the firmware. Hence, higher-end models use more powerful hardware; sometimes they can be equipped with additional processors and memory modules. There are several approaches to implementing cryptographic functions: on a general-purpose central processing unit (CPU), on an application-specific integrated circuit (ASIC), or on a field-programmable gate array (FPGA). Each approach has its pros and cons. For example, the CPU can become an encryption bottleneck, especially if the processor has no instructions supporting the encryption algorithm (or if they are not used). Specialized chips lack flexibility: it is not always possible to "reflash" them to improve performance, add new functions or remove vulnerabilities. In addition, they pay off only at large production volumes. That is why the "golden mean" has become popular: FPGAs (ПЛИС in Russian). It is on FPGAs that so-called crypto accelerators are built, that is, built-in or plug-in specialized hardware modules supporting cryptographic operations.

Since we are talking about network encryption, it is logical to measure the performance of a solution in the same quantities as for other network devices: throughput, frame loss rate and latency. These characteristics are defined in RFC 1242. By the way, this RFC says nothing about the frequently mentioned delay variation (jitter). How should these quantities be measured? I have not found a methodology approved in any standard (official, or unofficial such as an RFC) specifically for network encryption. It would be logical to use the methodology for network devices laid down in RFC 2544. Many vendors follow it; many, but not all. For example, some send test traffic in one direction instead of both, as the standard recommends. Anyway.

Measuring the performance of network encryption devices still has its peculiarities. First, it is correct to perform all measurements for a pair of devices: although the encryption algorithms are symmetric, the delays and packet losses during encryption and decryption are not necessarily equal. Second, it makes sense to measure the delta, the influence of network encryption on the resulting network performance, by comparing two configurations: without the encryption devices and with them. Or, as in the case of hybrid devices that combine several functions in addition to network encryption, with encryption turned off and turned on. This influence can vary and depends on the connection scheme of the encryption devices, on the operating modes and, finally, on the nature of the traffic. In particular, many performance parameters depend on packet length, which is why, to compare the performance of different solutions, either graphs of these parameters against packet length are used, or an IMIX is used, a distribution of traffic by packet length that approximately reflects real traffic. If we compare against the same basic configuration without encryption, we can compare network encryption solutions implemented in different ways without going into those differences: L2 versus L3, store-and-forward versus cut-through, specialized versus convergent, GOST versus AES, and so on.

[Figure: Connection diagram for performance testing]

The first characteristic people pay attention to as the "speed" of an encryption device is the bandwidth of its network interfaces, the bit rate. It is determined by the network standards the interfaces support. For Ethernet, the usual figures are 1 Gbps and 10 Gbps. But, as we know, in any network the maximum theoretical throughput at each of its layers is always less than the bandwidth: part of the bandwidth is "eaten" by inter-frame gaps, service headers, and so on. If a device is able to receive, process (in our case, encrypt or decrypt) and transmit traffic at the full speed of the network interface, that is, at the maximum theoretical throughput for the given layer of the network model, then it is said to operate at line speed. To do so, the device must not lose or drop packets of any size at any rate. If an encryption device does not support operation at line speed, then its maximum throughput is usually stated in those same gigabits per second (sometimes with the packet length indicated; the shorter the packets, the lower the throughput usually is). It is very important to understand that the maximum throughput is the maximum without loss (even if the device can "pump" traffic through itself at a higher speed while losing some of the packets). Also keep in mind that some vendors quote the total throughput summed over both halves of the port set, so such figures say little about the case when all the encrypted traffic passes through a single port.

Where is operation at line speed (or, in other words, without packet loss) especially important? On high-bandwidth, high-latency links (such as satellite links), where a large TCP window has to be set to maintain a high transmission rate, and where packet loss sharply reduces network performance.

But not all of the bandwidth is used to transmit useful data. We have to reckon with so-called overhead bandwidth. This is the share of the encryption device's throughput (as a percentage or in bytes per packet) that is wasted (cannot be used to carry application data). Overhead arises, first, from the increase in size (padding, "stuffing") of the data field in encrypted network packets (depending on the encryption algorithm and its mode of operation). Second, from the growth of packet headers (tunnel mode, the service fields inserted by the encryption protocol, the integrity check value (imitovstavka), and so on, depending on the protocol, the cipher mode of operation and the transmission mode); usually this overhead is the most significant, and it is the first thing people look at. Third, from packet fragmentation when the maximum transmission unit (MTU) is exceeded (if the network is able to split a packet exceeding the MTU into two, duplicating its headers). Fourth, from the appearance of additional service (control) traffic on the network between the encryption devices (key exchange, tunnel setup, and so on). Low overhead matters where channel capacity is limited. This is especially noticeable with traffic consisting of small packets, for example voice, where the overhead can "eat" more than half of the channel speed!

[Figure: Bandwidth]
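The line-speed and overhead reasoning above (frame rate at line speed, per-frame overhead, fragmentation above the MTU, IMIX) can be turned into numbers. The following Go program is an added example, not part of the article: it models Ethernet wire occupancy (preamble, inter-frame gap, minimum frame size) and takes the per-frame overhead of the encryptor as a parameter. The 24- and 38-byte overheads and the 7:4:1 "simple IMIX" of 64/594/1518-byte frames are assumptions for illustration; substitute the overhead of the framing the device under test actually uses and your own traffic distribution.

```go
package main

import "fmt"

// IEEE 802.3 framing costs used by the model: every frame on the wire also
// carries an 8-byte preamble/SFD and a 12-byte minimum inter-frame gap; the
// frame wraps the payload in 18 bytes (addresses, EtherType, FCS) and is never
// shorter than 64 bytes.
const (
	wireGap     = 20
	frameHdrFCS = 18
	minFrame    = 64
	stdMaxFrame = 1518 // largest untagged frame; raise it to model jumbo frames
)

// LineRateFPS is the rate of back-to-back frames of size frameLen at lineRate
// bit/s. A device that forwards this rate without loss runs "at line speed";
// the classic figure is about 1.488 million 64-byte frames per second at 1 Gbit/s.
func LineRateFPS(lineRate float64, frameLen int) float64 {
	return lineRate / 8 / float64(frameLen+wireGap)
}

// wireBytes is the wire occupancy of one unit of user payload when every
// encrypted frame carries `overhead` extra bytes and frames may not exceed
// maxFrame. Payload that no longer fits is carried in additional frames that
// repeat both the framing and the encryption overhead (the fragmentation case
// from the text). overhead == 0 models the reference run without encryption.
func wireBytes(payload, overhead, maxFrame int) (onWire, frames int) {
	room := maxFrame - frameHdrFCS - overhead
	if room <= 0 {
		panic("overhead leaves no room for payload")
	}
	for {
		chunk := payload
		if chunk > room {
			chunk = room
		}
		frame := frameHdrFCS + overhead + chunk
		if frame < minFrame {
			frame = minFrame // short frames are padded up to the minimum
		}
		onWire += frame + wireGap
		frames++
		payload -= chunk
		if payload <= 0 {
			return onWire, frames
		}
	}
}

// OverheadFraction is the share of channel capacity lost to encryption for a
// stream of frameLen-byte frames: 1 - goodput_encrypted/goodput_plain. Both
// runs deliver the same payload, so this equals 1 - wire_plain/wire_encrypted.
func OverheadFraction(frameLen, overhead, maxFrame int) float64 {
	payload := frameLen - frameHdrFCS
	plain, _ := wireBytes(payload, 0, maxFrame)
	enc, _ := wireBytes(payload, overhead, maxFrame)
	return 1 - float64(plain)/float64(enc)
}

// Goodput is the user-payload bit rate delivered when the link runs at
// lineRate saturated with frameLen-byte frames through the encryptors.
func Goodput(lineRate float64, frameLen, overhead, maxFrame int) float64 {
	payload := frameLen - frameHdrFCS
	enc, _ := wireBytes(payload, overhead, maxFrame)
	return lineRate * float64(payload) / float64(enc)
}

// MixEntry is one frame size and its share (by count) in a traffic mix.
type MixEntry struct{ FrameLen, Count int }

// SimpleIMIX is the commonly quoted 7:4:1 mix of 64/594/1518-byte frames,
// assumed here; for a real evaluation measure your own distribution.
var SimpleIMIX = []MixEntry{{64, 7}, {594, 4}, {1518, 1}}

// MixOverheadFraction applies OverheadFraction to one cycle of a whole mix.
func MixOverheadFraction(mix []MixEntry, overhead, maxFrame int) float64 {
	var plain, enc int
	for _, m := range mix {
		p, _ := wireBytes(m.FrameLen-frameHdrFCS, 0, maxFrame)
		e, _ := wireBytes(m.FrameLen-frameHdrFCS, overhead, maxFrame)
		plain += m.Count * p
		enc += m.Count * e
	}
	return 1 - float64(plain)/float64(enc)
}

func main() {
	fmt.Printf("1 Gbit/s line rate with 64-byte frames: %.0f frames/s\n", LineRateFPS(1e9, 64))
	// 24 and 38 bytes are assumed per-frame costs of a transport-mode and a
	// tunnel-mode L2 framing (8-byte counter, 16-byte tag, 14-byte outer header).
	for _, overhead := range []int{24, 38} {
		fmt.Printf("overhead %d B/frame:", overhead)
		for _, l := range []int{64, 128, 512, 1518} {
			fmt.Printf("  %4d B: %5.1f%%", l, 100*OverheadFraction(l, overhead, stdMaxFrame))
		}
		fmt.Printf("  IMIX: %4.1f%%\n", 100*MixOverheadFraction(SimpleIMIX, overhead, stdMaxFrame))
	}
	_, n1518 := wireBytes(1500, 38, stdMaxFrame)
	_, n9000 := wireBytes(1500, 38, 9000)
	fmt.Printf("1518-byte frame + 38 B: %d frames at MTU 1518, %d at MTU 9000\n", n1518, n9000)
	fmt.Printf("goodput for 64-byte frames, 38 B overhead, 1 Gbit/s: %.0f Mbit/s\n", Goodput(1e9, 64, 38, stdMaxFrame)/1e6)
}
```

The model shows the two effects the text describes: overhead bites hardest on short frames (64-byte frames lose over a fifth of the channel even at 24 bytes per frame), and a full-size frame that no longer fits the MTU costs a second, nearly empty frame, which is why vendors ask for jumbo frames on the encrypted side.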

Finally, there is the introduced latency: the difference (in fractions of a second) in network delay (the time it takes data to get from the entry to the network to its exit) between transmission without and with network encryption. Generally speaking, the lower the latency of the network itself, the more critical the latency introduced by the encryption devices becomes. Delay is introduced both by the encryption operation itself (depending on the encryption algorithm, the block length and the cipher mode of operation, as well as on the quality of its implementation in software) and by the processing of the network packet in the device. The introduced latency depends both on the packet processing mode (cut-through or store-and-forward) and on the performance of the platform (a hardware implementation on an FPGA or ASIC is usually faster than a software implementation on a CPU). L2 encryption almost always has lower latency than L3 or L4 encryption, because L3/L4 encryption devices are usually convergent. For example, with high-speed Ethernet encryptors implemented on FPGAs and encrypting at L2, the delay due to the encryption operation itself is vanishingly small; sometimes, when encryption is enabled on a pair of devices, the total delay they introduce even decreases! Low latency matters where it is comparable to the delay of the channel, including propagation delay, which is about 5 μs per kilometer. That is, we can say that in city-scale networks (tens of kilometers across) microseconds can decide a lot. For example, for synchronous database replication, high-frequency trading, and the same blockchain.

[Figure: Introduced latency]

Scalability

Large distributed networks can include thousands of nodes and network devices and hundreds of local network segments. It is important that the encryption solution does not impose additional restrictions on the size and topology of the distributed network. This applies first of all to the maximum number of host and network addresses. Such limitations can be encountered, for example, when using a multipoint encrypted network topology (with independent secure connections, or tunnels) or selective encryption (for example, by protocol number or by VLAN). If in this case network addresses (MAC, IP, VLAN ID) are used as keys in a table with a limited number of rows, then these restrictions show up here.

In addition, large networks usually have several structural layers, including the core network, each with its own addressing scheme and its own routing policy. To implement this approach, special frame formats (such as Q-in-Q or MAC-in-MAC) and routing protocols are often used. In order not to hinder the construction of such networks, the encryption devices must handle such frames correctly (that is, in this sense scalability means compatibility; more on that below).

Flexibility

Here we are talking about support for different configurations, connection schemes, topologies and so on. For example, for switched networks built on Carrier Ethernet technologies, this means support for different types of virtual connections (E-Line, E-LAN, E-Tree), different types of service (both per port and per VLAN) and different transport technologies (already listed above). That is, the device must be able to operate both in linear ("point-to-point") and in multipoint mode, set up separate tunnels for different VLANs, and allow out-of-order delivery of packets within a secure channel. The ability to choose different cipher modes (with or without content authentication) and different packet transmission modes lets you strike the balance between strength and performance that the current conditions require.

It is also important to support both private networks, whose equipment belongs to a single organization (or is leased by it), and operator networks, whose different segments are run by different companies. It is good if the solution allows management both in-house and by a third party (in a managed security service model). In operator networks, another important function is support for multi-tenancy (sharing by different customers) in the form of cryptographic isolation of individual customers (subscribers) whose traffic passes through the same set of encryption devices. This usually requires separate sets of keys and certificates for each customer.

If a device is bought for one specific scenario, then all these features may not matter much; you just need to make sure that the device supports what you need now. But if the solution is bought "for growth", to support future scenarios as well, and is chosen as a "corporate standard", then flexibility will not be superfluous, especially taking into account the limited interoperability of devices from different vendors (more on that below).

Simplicity and convenience

Ease of use is also a multifactor notion. Roughly, it is the total time spent by specialists of a certain qualification required to support the solution at the different stages of its life cycle. If there are no such costs, and installation, configuration and operation are fully automatic, then the cost is zero and the convenience is absolute. Of course, this does not happen in the real world. A reasonable approximation is the "bump-in-the-wire" model, or transparent connection, in which adding and removing encryption devices requires no manual or automatic changes to the network configuration. At the same time, maintaining the solution becomes simpler: you can safely turn the encryption function on and off and, if necessary, simply "bypass" the device with a network cable (that is, connect directly the ports of the network equipment to which it was attached). True, there is a drawback: an attacker can do the same. To implement the "bump in the wire" principle, not only data-plane traffic but also the control and management planes must be taken into account: the devices must be transparent to them. Therefore such traffic can be encrypted only if there are no recipients of these kinds of traffic in the network between the encryption devices, because if it is dropped or encrypted, then enabling or disabling encryption can change the network configuration. The encryption device can also be transparent to physical-layer signaling. In particular, when the signal is lost, it must relay this loss (that is, turn off its own transmitters) back along the signal path.

Support for the separation of authority between the information security and IT departments, especially the network department, is also important. The encryption solution must support the organization's access control and audit model. The need for interaction between different departments to perform routine operations should be minimized. Therefore, in terms of convenience, specialized devices that support only encryption functions and are as transparent as possible to network operations have an advantage. Simply put, information security staff should have no reason to contact the "network people" to change the network configuration. And those, in turn, should have no need to touch the encryption settings when maintaining the network.

Another factor is the capabilities and convenience of the management tools. They should be visual, logical, provide import/export of configurations, automation, and so on. You should immediately look at which management options are available (usually a vendor's own management environment, a web interface and a command line) and what set of functions each of them has (there are limitations). An important function is support for out-of-band management, that is, through a dedicated management network, and in-band management, that is, through the common network over which the useful traffic is transmitted. Monitoring tools should signal all abnormal situations, including information security incidents. Routine, repetitive operations should be performed automatically. This applies first of all to key management: keys should be generated and distributed automatically. PKI support is a big plus.

Compatibility

That is, the compatibility of the device with network standards. This means not only the industry standards adopted by authoritative organizations such as IEEE, but also the proprietary protocols of industry leaders such as Cisco. There are two main ways to ensure compatibility: either through transparency, or through explicit protocol support (when the encryption device becomes one of the network nodes for a given protocol and processes that protocol's control traffic). Compatibility with networks depends on the completeness and correctness of the implementation of the control protocols. It is important to support different options at the PHY level (speed, transmission medium, encoding scheme), Ethernet frames of different formats with any MTU, and different L3 service protocols (first of all the TCP/IP family).

Transparency is ensured through header mutation (temporary substitution of the contents of the open header in the traffic between the encryptors), skipping (when individual packets are left unencrypted), and an encryption start offset (when packet fields that would normally be encrypted are left in clear).

[Figure: How transparency is ensured]
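As an added example (not from the article), the following Go code shows how a bump-in-the-wire encryptor might decide what stays in clear: a policy that bypasses STP BPDUs and LLDP, and starts encryption after the VLAN tag stack so that 802.1Q and Q-in-Q VLAN IDs stay visible to the operator's switches. The policy itself, and which frames it bypasses, are assumptions for the example; what it demonstrates is that "transparency" has a price measured in exactly the header bytes that remain readable on the wire.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Action is what the (hypothetical) transparency policy does with a frame.
type Action int

const (
	Bypass  Action = iota // forwarded untouched: the network between the encryptors must see it
	Encrypt               // encrypted from Decision.Offset; everything before it stays in clear
)

type Decision struct {
	Action Action
	Offset int // first byte that gets encrypted ("encryption start offset")
	Reason string
}

var (
	stpDst  = []byte{0x01, 0x80, 0xC2, 0x00, 0x00, 0x00} // destination of STP/RSTP BPDUs
	lldpDst = []byte{0x01, 0x80, 0xC2, 0x00, 0x00, 0x0E} // destination of LLDP frames
)

const (
	tpidQ  = 0x8100 // IEEE 802.1Q customer tag
	tpidAd = 0x88A8 // IEEE 802.1ad service tag (outer tag of Q-in-Q)
	etLLDP = 0x88CC
	ethHdr = 14
)

// Classify walks the Ethernet header and the VLAN tag stack. Policy assumed
// for this example: STP and LLDP are bypassed so the operator's switches keep
// seeing their control plane; every VLAN tag is left in clear so the frame is
// still switched on its VLAN IDs (Q-in-Q included); everything else is encrypted.
func Classify(frame []byte) (Decision, error) {
	if len(frame) < ethHdr {
		return Decision{}, fmt.Errorf("frame too short: %d bytes", len(frame))
	}
	if bytes.Equal(frame[:6], stpDst) {
		return Decision{Bypass, 0, "STP BPDU"}, nil
	}
	if bytes.Equal(frame[:6], lldpDst) {
		return Decision{Bypass, 0, "LLDP"}, nil
	}
	off, tags := 12, 0 // off points at the current EtherType/TPID field
	for {
		if off+2 > len(frame) {
			return Decision{}, fmt.Errorf("tag stack runs past end of frame at offset %d", off)
		}
		et := binary.BigEndian.Uint16(frame[off:])
		if et == tpidQ || et == tpidAd {
			off += 4 // TPID + TCI; keep walking the stack
			tags++
			continue
		}
		if et == etLLDP {
			return Decision{Bypass, 0, "LLDP"}, nil
		}
		return Decision{Encrypt, off + 2, fmt.Sprintf("%d VLAN tag(s) left in clear", tags)}, nil
	}
}

// VLANIDs lists the VLAN IDs (outer to inner) that an observer on the wire can
// still read after the frame has been encrypted under the policy above.
func VLANIDs(frame []byte) []uint16 {
	var ids []uint16
	for off := 12; off+4 <= len(frame); off += 4 {
		et := binary.BigEndian.Uint16(frame[off:])
		if et != tpidQ && et != tpidAd {
			break
		}
		ids = append(ids, binary.BigEndian.Uint16(frame[off+2:])&0x0FFF)
	}
	return ids
}

// Split returns the bytes that stay in clear and the bytes that get protected.
func Split(frame []byte, d Decision) (inClear, protected []byte) {
	if d.Action == Bypass {
		return frame, nil
	}
	return frame[:d.Offset], frame[d.Offset:]
}

func main() {
	hosts := []byte{2, 0, 0, 0, 0, 0xB2, 2, 0, 0, 0, 0, 0xA1} // constructed dst/src MACs
	samples := []struct {
		name  string
		frame []byte
	}{
		{"IPv4, untagged", append(append([]byte{}, hosts...), append([]byte{0x08, 0x00}, bytes.Repeat([]byte{0xEE}, 46)...)...)},
		{"IPv4, Q-in-Q S-VLAN 100 / C-VLAN 200", append(append([]byte{}, hosts...),
			append([]byte{0x88, 0xA8, 0x00, 0x64, 0x81, 0x00, 0x00, 0xC8, 0x08, 0x00}, bytes.Repeat([]byte{0xEE}, 40)...)...)},
		{"STP BPDU", append(append([]byte{}, stpDst...), 2, 0, 0, 0, 0, 0x51, 0x00, 0x26, 0x42, 0x42, 0x03)},
		{"LLDP", append(append([]byte{}, lldpDst...), 2, 0, 0, 0, 0, 0x51, 0x88, 0xCC)},
	}
	for _, s := range samples {
		d, err := Classify(s.frame)
		if err != nil {
			fmt.Println(s.name, "error:", err)
			continue
		}
		inClear, protected := Split(s.frame, d)
		fmt.Printf("%-38s clear=%2d protected=%2d VLANs=%v (%s)\n", s.name, len(inClear), len(protected), VLANIDs(s.frame), d.Reason)
	}
}
```

A real device would additionally have to decide what to do with the bypassed control frames' counterparts at the far site and with frames whose tag stack exceeds what the policy expects; the example returns an error for a truncated stack rather than guessing, because a mis-parsed offset would either expose payload or break forwarding.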

So always check exactly how support for a given protocol is provided. Support in transparent mode is usually more convenient and more reliable.

Interoperability

This is also compatibility, but in a different sense: the ability to work together with other models of encryption devices, including those from other manufacturers. Much depends on the state of standardization of the encryption protocols. At L1 there are simply no generally accepted encryption standards.

For L2 encryption in Ethernet networks there is the IEEE 802.1AE (MACsec) standard, but it uses not end-to-end but port-to-port, "hop-by-hop" encryption, and in its original version it was not suitable for use in distributed networks, so proprietary extensions appeared to overcome this limitation (naturally, at the cost of interoperability with equipment from other manufacturers). True, in 2018 support for distributed networks was added to the 802.1AE standard, but there is still no support for the GOST encryption algorithm suites. As a result, proprietary, non-standard L2 encryption protocols are, as a rule, distinguished by higher efficiency (in particular, lower bandwidth overhead) and flexibility (the ability to change encryption algorithms and modes).

At the higher levels (L3 and L4) there are recognized standards, primarily IPsec and TLS, but here too things are not so simple. The fact is that each of these standards is a suite of protocols, each with different versions and extensions that are mandatory or optional to implement. Moreover, some manufacturers prefer to use their own proprietary encryption protocols at L3/L4. So in most cases you should not count on full interoperability, but it is important that at least interoperability between different models and different generations from the same manufacturer is guaranteed.

Reliability

To compare different solutions, you can use either the mean time between failures or the availability factor. If these figures are not available (or there is no trust in them), then a qualitative comparison can be made. The advantage goes to devices with convenient management (a lower risk of configuration errors), to specialized encryptors (for the same reason), and to solutions with a minimal time to detect and eliminate a failure, including "hot" standby of whole nodes and devices.

Cost

When it comes to cost, as with most IT solutions, it makes sense to compare the total cost of ownership. To calculate it, there is no need to reinvent the wheel: use any suitable methodology (for example, from Gartner) and any calculator (for example, the one already used in the organization for calculating TCO). Clearly, for a network encryption solution the total cost of ownership consists of the direct costs of buying or renting the solution itself, the infrastructure for hosting the equipment, and the costs of deployment, administration and maintenance (whether in-house or as third-party services), as well as the indirect costs of solution downtime (caused by lost end-user productivity). There is probably only one subtlety. The performance impact of the solution can be accounted for in different ways: either as indirect costs caused by lost productivity, or as "virtual" direct costs of buying/upgrading and maintaining network equipment that compensates for the loss of network performance due to encryption. In any case, costs that are hard to calculate with sufficient accuracy are better left out of the calculation: that way there will be more confidence in the final figure. And, as always, it makes sense to compare different devices by TCO for a specific scenario of their use, real or typical.

Security

And the last characteristic is the security strength of the solution. In most cases it can be assessed only by comparing different solutions with each other. We must remember that encryption devices are not only a means of protection but also an object of it. They can face a variety of threats. In the foreground are the threats of breach of confidentiality and of replay and modification of messages. These threats can be realized through weaknesses of the cipher or of its individual modes, or through weaknesses in the encryption protocols (including at the stages of connection setup and key generation/distribution). The advantage goes to solutions that allow changing the encryption algorithm or switching the cipher mode (perhaps through a firmware update), to solutions that provide the most complete encryption, hiding from an attacker not only user data but also addresses and other service information, and to specialized solutions that not only encrypt but also protect messages against replay and modification. For all modern encryption algorithms, digital signatures, key generation schemes and so on that are enshrined in standards, the strength can be assumed to be the same (otherwise you can simply get lost in the wilds of cryptography). Must these necessarily be GOST algorithms? Everything is simple here: if the usage scenario requires FSB certification of the cryptographic information protection facility (CIPF) (and in Russia this is most often the case; for most network encryption scenarios it is true), then we choose only among certified products. If not, then there is no reason to exclude uncertified devices from consideration.

Another threat is hacking, unauthorized access to the devices (including through physical access to the outside and the inside of the case). This threat can be realized through weaknesses in the implementation, in the hardware and in the code. So the advantage goes to solutions with a minimal "attack surface" over the network, with enclosures protected against physical access (with intrusion sensors, probing protection and automatic zeroization of key material when the case is opened), and to those that allow firmware updates in case a vulnerability in the code becomes known. There is another way: if all the devices being compared have FSB certificates, then the CIPF class for which the certificate was issued can be taken as an indicator of resistance to hacking.

Finally, another type of threat is errors during configuration and operation, the human factor in its purest form. This shows yet another advantage of specialized encryptors over convergent solutions, which are often aimed at seasoned "network people" and can cause difficulties for "ordinary", general-purpose information security specialists.

Summing up

In short, one could propose some kind of integral indicator for comparing different devices, something like

$$K_j = \sum_i p_i r_{ij}$$

where p is the weight of an indicator and r is the rating of the device by that indicator, and any of the characteristics described above can be broken down into "atomic" indicators. Such a formula can be useful, for example, when comparing tender proposals according to rules fixed in advance. But you can get by with a simple table like

Characteristic              Device 1   Device 2   ...   Device N
Bandwidth                   +          +          ...   +++
Overhead                    +          ++         ...   +++
Latency                     +          +          ...   ++
Scalability                 +++        +          ...   +++
Flexibility                 +++        ++         ...   +
Interoperability            ++         +          ...   +
Compatibility               ++         ++         ...   +++
Simplicity and convenience  +          +          ...   ++
Fault tolerance             +++        +++        ...   ++
Cost                        ++         +++        ...   +
Security                    ++         ++         ...   +++

I will be glad to answer questions and hear constructive criticism.

Source: www.habr.com
