How to reconcile GOST R 57580 and container virtualization. The Central Bank's response (and our thoughts on the matter)

We recently carried out another assessment of compliance with the requirements of GOST R 57580 (hereinafter simply GOST). The client is a company that develops an electronic payment system. The system is a serious one: more than 3 million users and more than 200 thousand transactions daily. Information security is taken very seriously there.

During the assessment, the client mentioned in passing that the development department plans to use containers in addition to virtual machines. But with this, the client added, there is one problem: GOST says not a word about Docker. What should be done? How is the security of containers to be assessed?


Indeed, GOST writes only about hardware virtualization: how to protect virtual machines, the hypervisor, and the server. We asked the Central Bank for clarification. The answer puzzled us.

GOST and virtualization

First, recall that GOST R 57580 is a new standard that defines "information security requirements for financial institutions" (FIs). These FIs include payment system operators and participants, credit and non-credit organizations, and operational and clearing centers.

From January 1, 2021, FIs are required to undergo an assessment of compliance with the requirements of the new GOST. We, ITGLOBAL.COM, are an audit company that conducts such assessments.

GOST has a subsection devoted to the protection of virtualized environments: No. 7.8. The term "virtualization" is not specified there; there is no division into hardware and container virtualization. Any IT specialist will say that this is technically incorrect: a virtual machine (VM) and a container are different environments with different isolation principles. From the point of view of the vulnerability of the host on which VMs and Docker containers are deployed, this is also a big difference.

It turns out that the assessment of information security for VMs and for containers should also be different.

Our questions to the Central Bank

We sent them to the Information Security Department of the Central Bank (we give the questions in abbreviated form).

  1. How should Docker-type virtual containers be considered when assessing compliance with GOST? Is it correct to assess the technology under subsection 7.8 of GOST?
  2. How should virtual container management tools be assessed? Can they be equated to server virtualization components and assessed under the same subsection of GOST?
  3. Do I need to separately assess the security of information inside Docker containers? If so, which safeguards should be considered for this during the assessment?
  4. If containerization is equated to virtual infrastructure and assessed under subsection 7.8, how are the GOST requirements for the implementation of information security tools fulfilled?

The Central Bank's response

Below are the main excerpts.

"GOST R 57580.1-2017 establishes requirements for implementation through the application of technical measures in relation to the following ZI measures of subsection 7.8 of GOST R 57580.1-2017, which, in the Department's opinion, can be extended to cases of using container virtualization technologies, taking into account the following:

  • the implementation of measures ZSV.1 - ZSV.11 for organizing identification, authentication and authorization (access control) when implementing logical access to virtual machines and virtualization server components may differ from cases of using container virtualization technology. Taking this into account, in order to implement a number of measures (for example, ZSV.6 and ZSV.7), we believe it is possible to recommend that financial institutions develop compensating measures that will pursue the same goals;
  • the implementation of measures ZSV.13 - ZSV.22 for the organization and control of information interaction of virtual machines provides for segmentation of the financial organization's computer network to distinguish between informatization objects that implement virtualization technology and belong to different security circuits. Taking this into account, we believe it is advisable to provide for appropriate segmentation when using container virtualization technology (both in relation to executable containers and in relation to virtualization systems used at the operating system level);
  • the implementation of measures ZSV.26, ZSV.29 - ZSV.31 for organizing the protection of virtual machine images should be carried out by analogy also in order to protect base and current images of virtual containers;
  • the implementation of measures ZSV.32 - ZSV.43 for recording information security events related to access to virtual machines and server virtualization components should be carried out by analogy also in relation to elements of the virtualization environment that implement container virtualization technology."
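One way to check the segmentation recommended for ZSV.13 - ZSV.22 on a Docker host, as an added example that is not code from the article or from the Central Bank: it reads `docker inspect` output and reports Docker networks that join containers from different security circuits. The label name `security.circuit`, the container names and the network names are assumptions of this example.

```python
import json
from collections import defaultdict

# Hypothetical label that records a container's security circuit (assumption).
CIRCUIT_LABEL = "security.circuit"

# Constructed sample in the shape of `docker inspect <container>...` output.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/payments-api", "Config": {"Labels": {CIRCUIT_LABEL: "payment"}},
     "NetworkSettings": {"Networks": {"pay_net": {}, "shared_net": {}}}},
    {"Name": "/payments-db", "Config": {"Labels": {CIRCUIT_LABEL: "payment"}},
     "NetworkSettings": {"Networks": {"pay_net": {}}}},
    {"Name": "/office-wiki", "Config": {"Labels": {CIRCUIT_LABEL: "office"}},
     "NetworkSettings": {"Networks": {"shared_net": {}}}},
    {"Name": "/debug-shell", "Config": {"Labels": None},
     "NetworkSettings": {"Networks": {"pay_net": {}}}},
])


def segmentation_findings(inspect_json):
    """Return (mixed, unlabelled).

    mixed: {network: {circuit: [containers]}} for every network that joins
           containers of more than one circuit (unlabelled counts as its own).
    unlabelled: containers that carry no circuit label at all.
    """
    members = defaultdict(lambda: defaultdict(list))  # network -> circuit -> names
    unlabelled = []
    for container in json.loads(inspect_json):
        name = container["Name"].lstrip("/")
        # Labels and Networks can be null in real inspect output.
        labels = (container.get("Config") or {}).get("Labels") or {}
        circuit = labels.get(CIRCUIT_LABEL)
        if circuit is None:
            unlabelled.append(name)
        networks = (container.get("NetworkSettings") or {}).get("Networks") or {}
        for net in networks:
            members[net][circuit or "UNLABELLED"].append(name)
    mixed = {net: {c: sorted(names) for c, names in by_circuit.items()}
             for net, by_circuit in members.items() if len(by_circuit) > 1}
    return mixed, sorted(unlabelled)


if __name__ == "__main__":
    mixed, unlabelled = segmentation_findings(SAMPLE_INSPECT)
    for net, by_circuit in sorted(mixed.items()):
        print(f"network {net} joins circuits: {by_circuit}")
    print("containers without a circuit label:", unlabelled)
```
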

What it means

Two main conclusions from the response of the Central Bank's Information Security Department:

  • measures for protecting containers are no different from measures for protecting virtual machines;
  • it follows from this that, in the context of information security, the Central Bank equates two types of virtualization: Docker containers and VMs.

The response also mentions "compensating measures" that need to be applied to neutralize threats. It is not quite clear what these "compensating measures" are or how to measure their adequacy, completeness and effectiveness.

What is wrong with the Central Bank's position?

If you apply the Central Bank's recommendations during an assessment (and self-assessment), you have to resolve a number of technical and logical difficulties.

  • Each executable container requires information protection software (SZI) to be installed on it: antivirus, integrity monitoring, log handling, DLP (Data Leak Prevention) systems, and so on. All of this can be installed on a VM without problems, but in the case of a container, installing information security tools is an absurd move. A container holds the minimum "body kit" needed for the service to function. Installing an SZI in it contradicts its purpose.
  • Container images must be protected by the same principle; how to implement this is also unclear.
  • GOST requires restricting access to server virtualization components, i.e., to the hypervisor. What counts as a server component in the case of Docker? Doesn't this mean that each container needs to be run on a separate host?
  • While for conventional virtualization it is possible to delimit VMs by security circuits and network segments, in the case of Docker containers within a single host this is not so.

In practice, it is likely that each auditor will assess the security of containers in their own way, based on their own knowledge and experience. Or will not assess it at all, if there is neither one nor the other.

Just in case, we will add that from January 1, 2021, the minimum score must be no lower than 0.7.

By the way, we regularly post responses and comments from regulators related to the requirements of GOST 57580 and Central Bank Regulations in our Telegram channel.

What to do

In our opinion, financial organizations have only two options for solving the problem.

1. Avoid using containers

A solution for those who are ready to afford using only hardware virtualization and at the same time fear low GOST ratings and fines from the Central Bank.

Plus: it is easier to comply with the requirements of subsection 7.8 of GOST.

Minus: you will have to give up new development tools based on container virtualization, in particular Docker and Kubernetes.

2. Refuse to comply with the requirements of subsection 7.8 of GOST

But at the same time, apply best practices in ensuring information security when working with containers. This is a solution for those who value new technologies and the opportunities they provide. By "best practices" we mean industry-accepted norms and standards for ensuring the security of Docker containers:

  • security of the host OS, properly configured logging, a ban on data exchange between containers, and so on;
  • using the Docker Trust feature to verify the integrity of images and using the built-in vulnerability scanner;
  • we must not forget about the security of remote access and the network model as a whole: attacks such as ARP spoofing and MAC flooding have not gone away.
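Several of the practices in this list can be checked mechanically on a Docker host. The following is an added example, not code from the article: it audits a `daemon.json` and the client environment for inter-container communication, logging, two host-protection settings chosen for this example (`userns-remap`, `no-new-privileges`) and Docker Content Trust (`DOCKER_CONTENT_TRUST`). The sample configuration is constructed.

```python
import json

# Constructed sample of /etc/docker/daemon.json, not taken from the article.
SAMPLE_DAEMON_JSON = """
{
  "icc": true,
  "log-driver": "none",
  "userns-remap": "default"
}
"""


def audit_docker_host(daemon_json, env):
    """Return {check_id: message} for each practice from the list that is not met."""
    cfg = json.loads(daemon_json)
    findings = {}
    # Ban on data exchange between containers: icc defaults to true and
    # governs traffic between containers on the default bridge network.
    if cfg.get("icc", True):
        findings["icc"] = "containers on the default bridge can talk to each other"
    # Logging: "none" drops container output; json-file (the default driver)
    # does not rotate unless max-size is set.
    driver = cfg.get("log-driver", "json-file")
    if driver == "none":
        findings["logging"] = "container output is discarded"
    elif driver == "json-file" and "max-size" not in cfg.get("log-opts", {}):
        findings["logging"] = "json-file logs have no max-size and can fill the host disk"
    # Host protection (settings picked for this example).
    if not cfg.get("userns-remap"):
        findings["userns-remap"] = "root in a container is root on the host"
    if not cfg.get("no-new-privileges", False):
        findings["no-new-privileges"] = "processes can gain privileges via setuid binaries"
    # Image integrity: Docker Content Trust is enabled per client by this variable.
    if env.get("DOCKER_CONTENT_TRUST") != "1":
        findings["content-trust"] = "image signatures are not verified on pull"
    return findings


if __name__ == "__main__":
    import os
    for check, message in audit_docker_host(SAMPLE_DAEMON_JSON, os.environ).items():
        print(f"{check}: {message}")
```
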

Plus: there are no technical restrictions on the use of container virtualization.

Minus: there is a high probability that the regulator will penalize non-compliance with GOST requirements.

Conclusion

Our client decided not to give up containers. At the same time, he had to significantly reconsider the scope of work and the timing of the transition to Docker (it stretched over six months). The client understands the risks very well. He also understands that during the next assessment of compliance with GOST R 57580, much will depend on the auditor.

What would you do in this situation?

Source: www.habr.com
