How to take control of your network infrastructure. Chapter three. Network security. Part one

This article is the third in the series "How to take control of your network infrastructure". The table of contents for all articles in the series, with links, can be found here.

There is no point in talking about eliminating security risks completely. In short, we cannot reduce them to zero. We also have to understand that the more secure we try to make the network, the more complex and expensive our solutions become. You need to find a trade-off between cost, complexity and security that makes sense for your network.

Of course, security design is an integral part of the overall design, and the security mechanisms you choose affect the scalability, reliability, manageability, ... of the network infrastructure, which must also be taken into account.

But let me remind you that right now we are not talking about building a network. According to our initial conditions we have already chosen a design, selected the equipment and built the infrastructure, and at this stage, as far as possible, we have to "live" with it and find solutions within the approach that was chosen earlier.

Our task now is to identify the security-related risks at the network level and reduce them to a reasonable level.

Network security audit

If your organisation follows the ISO 27k processes, then security audits and network changes should fit naturally into the overall processes of that framework. But these standards say nothing about specific solutions, nothing about configuration, nothing about design... There are no clear recommendations, no standard that dictates in detail what your network must look like, and this is both the difficulty and the beauty of this task.

I would single out several possible kinds of network security audit:

  • equipment configuration audit (hardening)
  • security design audit
  • access audit
  • process audit

Equipment configuration audit (hardening)

In most cases this appears to be the best starting point for auditing and improving the security of your network. IMHO, it is a good illustration of the Pareto principle (20% of the effort produces 80% of the result, and the remaining 80% of the effort produces only 20% of the result).

The point is that we usually have recommendations from vendors on security "best practices" for configuring their equipment. This is called "hardening".

You can also often find a questionnaire (or write one yourself) based on these recommendations, which helps you determine how well your equipment configuration complies with these "best practices" and, depending on the result, make changes to your network. This lets you reduce security risks significantly, quite easily and at virtually no cost.

A few examples for some Cisco operating systems:

Cisco IOS Configuration Hardening
Cisco IOS-XR Configuration Hardening
Cisco NX-OS Configuration Hardening
Cisco Baseline Security Check List

Based on these documents, a list of configuration requirements can be drawn up for each type of equipment. For example, for a Cisco N7K VDC these requirements might look like this.

In this way, configuration templates can be created for the different types of equipment in use in your network infrastructure. Then, manually or with automation, you can "push" these configuration files. How to automate this process will be discussed in detail in a separate series of articles on orchestration and automation.
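The questionnaire described above can be turned into a script that reads a running-config and reports which checklist items pass. The following is an added example, not code from the original article and not Cisco's own tooling: the checklist items are a hypothetical subset of typical IOS hardening recommendations chosen for illustration, and the configuration text is constructed for this example.

```python
"""Hardening checklist applied to a Cisco IOS-style running-config.

Added example: the checks are a hypothetical subset of typical hardening
recommendations, and SAMPLE_CONFIG is constructed for this illustration.
"""
import re

# (identifier, description, kind, regex matched against single config lines)
# "required": passes when at least one line matches
# "forbidden": passes when no line matches
CHECKS = [
    ("SSHV2", "SSH version 2 enforced", "required", r"^ip ssh version 2$"),
    ("NO-HTTP", "HTTP server disabled", "required", r"^no ip http server$"),
    ("NO-HTTPS", "HTTPS server disabled", "required", r"^no ip http secure-server$"),
    ("PWD-ENC", "service password-encryption enabled", "required", r"^service password-encryption$"),
    ("NO-TELNET", "no telnet transport on VTY lines", "forbidden", r"^\s+transport input .*\btelnet\b"),
    ("NO-SNMP-DEFAULT", "no well-known SNMP communities", "forbidden", r"^snmp-server community (public|private)\b"),
    ("LOG-HOST", "syslog host configured", "required", r"^logging( host)? \d+\.\d+\.\d+\.\d+"),
]

# Constructed sample with several deliberate deviations from the checklist.
SAMPLE_CONFIG = """\
hostname dc-core-1
service password-encryption
ip http server
no ip http secure-server
ip ssh version 2
snmp-server community public RO
logging 192.0.2.10
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""


def audit_config(config_text):
    """Return {identifier: (passed, description, matching_lines)}."""
    lines = config_text.splitlines()
    results = {}
    for ident, desc, kind, pattern in CHECKS:
        rx = re.compile(pattern)
        matched = [line for line in lines if rx.search(line)]
        passed = bool(matched) if kind == "required" else not matched
        results[ident] = (passed, desc, matched)
    return results


def failing_checks(results):
    """Sorted identifiers of the checks that did not pass."""
    return sorted(ident for ident, (passed, _, _) in results.items() if not passed)


def compliance_score(results):
    """(passed, total), a quick progress figure for the hardening effort."""
    passed = sum(1 for ok, _, _ in results.values() if ok)
    return passed, len(results)


def report(results):
    """Human-readable report, one line per check, with the lines that matched."""
    out = []
    for ident, (passed, desc, matched) in results.items():
        status = "PASS" if passed else "FAIL"
        detail = "; ".join(m.strip() for m in matched) if matched else "-"
        out.append("%-4s %-16s %s [%s]" % (status, ident, desc, detail))
    return "\n".join(out)


if __name__ == "__main__":
    res = audit_config(SAMPLE_CONFIG)
    print(report(res))
    print("score: %d/%d" % compliance_score(res))
```

Run against the sample, the script flags the enabled HTTP server, the `public` SNMP community and the telnet transport on the first VTY range, and scores 4 of 7. Extending it to a real checklist is a matter of adding rows to `CHECKS`; the same script can then be run over every device's configuration in a loop.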

Security design audit

Typically, an enterprise network contains the following segments in one form or another:

  • DC (public services DMZ and Intranet data center)
  • Internet access
  • Remote access VPN
  • WAN edge
  • Branch
  • Campus (office)
  • Core

The names are taken from the Cisco SAFE model, but of course you do not have to tie yourself to these exact names or to this model. Still, I want to talk about the essence and not get bogged down in formalities.

For each of these segments the security requirements, the risks and, accordingly, the solutions will be different.

Let's look at each of them separately, at the problems you may encounter from a security design point of view. Of course, I repeat once more that this article in no way claims to be complete, which would be hard (if not impossible) to achieve in such a genuinely deep and multifaceted topic; it reflects my personal experience.

There is no perfect solution (at least not yet). It is always a compromise. But it is important that the decision to use one approach or another is made consciously, with an understanding of both its advantages and its drawbacks.

Data Center

The most critical segment from a security point of view.
And, as always, there is no universal solution here either. Everything depends heavily on the requirements of the network.

Firewall or not?

The answer may seem obvious, but not everything is as clear-cut as it looks. And your choice may be influenced by more than just price.

Example 1. Latency.

If low latency is an essential requirement between certain network segments, which is the case, for example, on an exchange, then we will not be able to use a firewall between those segments. It is hard to find latency studies for firewalls, but even among switches only a few models can deliver latency below or on the order of 1 microsecond, so I think that if microseconds matter to you, a firewall is not an option.

Example 2. Performance.

The throughput of top L3 switches is usually an order of magnitude higher than the throughput of the most powerful firewalls. Therefore, in the case of high-intensity traffic you will most likely also have to let that traffic bypass the firewall.

Example 3. Reliability

Firewalls, especially modern NGFW (Next-Generation FW) devices, are complex. They are much more complex than L3/L2 switches. They offer a large number of features and configuration options, so it is not surprising that their reliability is noticeably lower. If service continuity is critical for the network, then you may have to choose what gives you better availability: security with a firewall, or the simplicity of a network built on switches (or fabrics of various kinds) using ordinary ACLs.

In the cases of the examples above you will most likely (as usual) have to find a compromise. Consider the following solutions:

  • if you decide not to use a firewall inside the data center, you need to think about how to restrict access at the perimeter as tightly as possible. For example, you can open only the necessary ports from the Internet (for client traffic) and allow administrative access to the data center only from jump hosts. On the jump hosts, perform all the necessary checks (authentication/authorisation, antivirus, logging, ...)
  • you can use a logical partitioning of the data center network into segments, similar to the scheme described in PSEFABRIC example p002. In this case routing must be set up so that latency-sensitive or high-intensity traffic stays "inside" a single segment (in the case of p002, a VRF) and does not pass through the firewall. Traffic between different segments will still go through the firewall. You can also use route leaking between VRFs to avoid sending specific traffic through the firewall
  • you can also use a firewall in transparent mode and only on those VLANs where these factors (latency/performance) are not significant. But you need to study carefully the restrictions that each vendor places on the use of this mode
  • you might want to consider a service chaining architecture. This lets only the traffic that needs inspection pass through the firewall. It looks nice in theory, but I have never seen this solution in production. We tested service chaining for Cisco ACI/Juniper SRX/F5 LTM about three years ago, but at that time this solution seemed "raw" to us.

Protection level

Next you have to answer the question of which tools you want to use to filter traffic. Here are some features usually found in an NGFW (for example, here):

  • stateful firewalling (the default)
  • application firewalling
  • threat prevention (antivirus, anti-spyware and vulnerability protection)
  • URL filtering
  • data filtering (content filtering)
  • file blocking (blocking by file type)
  • DoS protection

And not everything is clear here either. It would seem that the higher the protection level, the better. But you also have to consider that

  • the more of the above firewall functions you use, the more expensive the solution becomes (licences, additional modules)
  • the use of some algorithms can significantly reduce firewall throughput and also increase latency, see for example here
  • like any complex solution, the use of complex protection mechanisms can reduce the reliability of your solution; for example, when using application firewalling I ran into blocking of some quite ordinary working applications (dns, smb)

As always, you have to find the solution that is best for your network.

It is impossible to answer definitively which protection functions may be needed. Firstly, because it certainly depends on the data you transmit or store and are trying to protect. Secondly, in reality the choice of security equipment is often a matter of faith and trust in the vendor. You do not know the algorithms, you do not know how effective they are, and you cannot fully test them.

Therefore, in critical segments a good solution may be to use products from different companies. For example, you can enable antivirus on the firewall, but also use antivirus protection (from another vendor) locally on the hosts.

Segmentation

We are talking about the logical segmentation of the data center network. For example, partitioning into VLANs and subnets is also logical segmentation, but we will not consider it because it is obvious. The interesting segmentation involves entities such as FW security zones, VRFs (and their analogues from various vendors), logical devices (PA VSYS, Cisco N7K VDC, Cisco ACI Tenant, ...), ...

An example of such logical segmentation, and of a data center design that is currently in demand, is given in p002 of the PSEFABRIC project.

Having defined the logical parts of your network, you can then describe how traffic moves between the different segments, on which devices filtering is performed, and by what means.

If your network does not have a clear logical partitioning, and the rules for applying security policy to different data flows are not formalised, this means that every time you open some access you are forced to solve this problem from scratch, and with high probability you will solve it differently each time.

Often segmentation is based only on FW security zones. In that case you need to answer the following questions:

  • which security zones do you need
  • what level of protection do you want to apply to each of these zones
  • is intra-zone traffic allowed by default?
  • if not, what traffic filtering policy is applied inside each zone
  • what traffic filtering policy is applied to each pair of zones (source/destination)
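The answers to those five questions can be written down as data rather than left in people's heads, so that every new access request is evaluated against the same matrix and any zone pair that was never decided is reported instead of silently handled ad hoc. The following is an added example, not code from the original article; the zone names, application names and sample flows are constructed for illustration, and the "unspecified" verdict for an undefined pair is a design choice of this example, not a firewall's behaviour.

```python
"""Security zones and inter-zone policy expressed as data, with a flow
evaluator and a completeness check over the zone matrix.

Added example: zone names, applications and sample flows are constructed.
"""
from itertools import product

ZONES = ["dmz", "app", "db", "mgmt"]

# Question 3: is traffic inside a zone allowed by default?
INTRAZONE_DEFAULT_ALLOW = {"dmz": False, "app": True, "db": False, "mgmt": True}

# Question 5: (src_zone, dst_zone) -> set of allowed applications.
# An empty set is an explicit deny-all. A pair that is absent from the map is
# an unanswered question, which policy_gaps() reports.
INTERZONE_POLICY = {
    ("dmz", "app"): {"https"},
    ("app", "db"): {"postgres"},
    ("mgmt", "dmz"): {"ssh"},
    ("mgmt", "app"): {"ssh"},
    ("mgmt", "db"): {"ssh", "postgres"},
    ("app", "dmz"): set(),
    ("dmz", "db"): set(),
    ("db", "app"): set(),
    ("db", "dmz"): set(),
    # ("dmz", "mgmt"), ("app", "mgmt"), ("db", "mgmt") deliberately left undefined
}


def evaluate_flow(src_zone, dst_zone, app):
    """Return (verdict, reason); verdict is "allow", "deny" or "unspecified"."""
    if src_zone == dst_zone:
        if INTRAZONE_DEFAULT_ALLOW.get(src_zone, False):
            return "allow", "intrazone default allow in %s" % src_zone
        return "deny", "intrazone default deny in %s" % src_zone
    key = (src_zone, dst_zone)
    if key not in INTERZONE_POLICY:
        return "unspecified", "no policy defined for %s -> %s" % key
    allowed = INTERZONE_POLICY[key]
    if "any" in allowed or app in allowed:
        return "allow", "%s permitted for %s -> %s" % (app, src_zone, dst_zone)
    return "deny", "%s not in %s for %s -> %s" % (app, sorted(allowed), src_zone, dst_zone)


def policy_gaps():
    """Ordered zone pairs that have no explicit inter-zone policy yet."""
    return sorted(
        (s, d) for s, d in product(ZONES, repeat=2)
        if s != d and (s, d) not in INTERZONE_POLICY
    )


def undeclared_zones():
    """Zones used in a policy but missing from ZONES, or declared without
    an intrazone default (symmetric difference of the two views)."""
    referenced = {z for pair in INTERZONE_POLICY for z in pair}
    return sorted((referenced | set(INTRAZONE_DEFAULT_ALLOW)) ^ set(ZONES))


if __name__ == "__main__":
    for flow in [("dmz", "app", "https"), ("dmz", "db", "https"),
                 ("app", "mgmt", "ssh"), ("db", "db", "postgres")]:
        print(flow, "->", evaluate_flow(*flow))
    print("gaps:", policy_gaps())
    print("undeclared:", undeclared_zones())
```

`policy_gaps()` is the check worth running before any access request is processed: in the sample it reports the three pairs towards `mgmt` that nobody has decided on, which is exactly the situation where access would otherwise be "solved differently each time".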

TCAM

A common problem is insufficient TCAM (Ternary Content Addressable Memory), both for forwarding and for access control. IMHO, this is one of the most important issues when choosing equipment, so you should treat it with an appropriate degree of care.

Example 1. Forwarding table TCAM.

Let's look at the Palo Alto 7k firewall.
We see that the IPv4 forwarding table size* = 32K.
Moreover, this number of routes is shared by all VSYS.

Suppose that according to your design you decide to use 4 VSYS.
Each of these VSYS is connected via BGP to two MPLS PEs of the provider cloud that you use as a backbone. So the 4 VSYS exchange all specific routes with each other and end up with forwarding tables containing roughly the same sets of routes (but with different NHs). Since each VSYS has 2 BGP sessions (with identical settings), each route received over MPLS has 2 NHs and, accordingly, 2 FIB entries in the forwarding table. If we assume that this is the only firewall in the data center and it has to know about all routes, this means the total number of routes in our data center cannot exceed 32K / (4 * 2) = 4K.

Now, if we assume that we have 2 data centers (with the same design) and we want to use VLANs "stretched" between the data centers (for example, for vMotion), then to solve the routing problem we have to use host routes. But this means that across the 2 data centers we can have no more than 4096 hosts, and of course this may not be enough.

Example 2. ACL TCAM.

If you plan to filter traffic on an L3 switch (or on other solutions that use L3 switches, for example Cisco ACI), then when choosing equipment you should pay attention to the ACL TCAM.

Suppose you want to control access on the SVI interfaces of a Cisco Catalyst 4500. Then, as can be seen from this article, to control outgoing (as well as incoming) traffic on interfaces you can use only 4096 TCAM lines, which with TCAM3 gives you about 4000 ACEs (ACL lines).

If you run into the problem of insufficient TCAM, then first of all you should, of course, consider the possibility of optimisation. So, if the problem is the size of the forwarding table, consider the possibility of route aggregation. If the problem is the size of the access TCAM, audit the access lists, remove outdated and overlapping entries, and perhaps revise the procedure for opening access (this will be discussed in detail in the chapter on the access audit).
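Removing overlapping entries can be done mechanically: because an ACL is evaluated top-down and stops at the first match, any entry that is fully covered by an earlier entry (same or broader protocol, source, destination and port) can never be hit, whatever its action, and only consumes TCAM. The following is an added example, not code from the original article and not vendor tooling; it uses a deliberately simplified, hypothetical ACE syntax `<permit|deny> <ip|tcp|udp> <src-prefix|any> <dst-prefix|any> [dst-port]`, and the sample access list is constructed for this illustration.

```python
"""Find duplicated and shadowed entries in an access list so they can be
dropped before they take up ACL TCAM.

Added example: simplified hypothetical ACE syntax, constructed sample ACL.
"""
import ipaddress
from collections import namedtuple

ACE = namedtuple("ACE", "action proto src dst dport text")


def _net(token):
    """'any' becomes the whole IPv4 space; prefixes are normalised."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def parse_ace(line):
    parts = line.split()
    if len(parts) < 4:
        raise ValueError("malformed ACE: %r" % line)
    action, proto, src, dst = parts[:4]
    dport = parts[4] if len(parts) > 4 else "any"
    return ACE(action, proto, _net(src), _net(dst), dport, line)


def covers(a, b):
    """True when ACE a matches every packet that ACE b would match.

    Lookup stops at the first match, so a later ACE covered by an earlier one
    is never hit, regardless of whether its action is permit or deny.
    """
    if a.src.version != b.src.version:
        return False  # do not mix IPv4 and IPv6 entries
    return ((a.proto == "ip" or a.proto == b.proto)
            and b.src.subnet_of(a.src)
            and b.dst.subnet_of(a.dst)
            and (a.dport == "any" or a.dport == b.dport))


def find_shadowed(aces):
    """(shadowed_index, shadowing_index) pairs; the earliest shadow is reported."""
    found = []
    for i, later in enumerate(aces):
        for j in range(i):
            if covers(aces[j], later):
                found.append((i, j))
                break
    return found


def compact(aces):
    """The ACL with shadowed entries removed; matching behaviour is unchanged."""
    dead = {i for i, _ in find_shadowed(aces)}
    return [ace for i, ace in enumerate(aces) if i not in dead]


# Constructed sample: six entries of which three never match anything.
SAMPLE_ACL = [
    "permit tcp 10.1.0.0/16 10.2.0.0/24 443",
    "permit tcp 10.1.0.0/16 10.2.0.0/24 443",   # exact duplicate of entry 0
    "permit tcp 10.1.5.0/24 10.2.0.0/24 443",   # subset of entry 0
    "permit udp 10.1.0.0/16 10.2.0.53/32 53",
    "deny ip any any",
    "permit tcp 10.3.0.0/16 10.2.0.0/24 22",    # unreachable after deny ip any any
]


def analyse(lines):
    """Return (entries before, entries after compaction, shadow pairs)."""
    aces = [parse_ace(line) for line in lines]
    return len(aces), len(compact(aces)), find_shadowed(aces)


if __name__ == "__main__":
    before, after, pairs = analyse(SAMPLE_ACL)
    for i, j in pairs:
        print("entry %d shadowed by entry %d: %s" % (i, j, SAMPLE_ACL[i]))
    print("ACEs: %d -> %d" % (before, after))
```

On the sample the script reclaims three of six entries. Note that it only removes entries that are provably unreachable; entries that merely overlap partially (for instance two prefixes that intersect without one containing the other) are left alone, because merging those changes which packets match and belongs to the access audit, not to an automatic cleanup.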

High Availability

The question is: should you use HA for your firewalls, or install two independent boxes "in parallel" and, if one of them fails, route traffic through the second?

It would seem the answer is obvious: use HA. The reason this question still comes up is that, unfortunately, the theoretical and advertised 99.<several nines> of availability turn out in practice to be far from rosy. HA is logically quite a complex thing, and on different equipment and with different vendors (there were no exceptions) we ran into problems with bugs and service outages.

If you use HA, you gain the ability to take individual nodes out of service and switch between them without interrupting service, which matters, for example, during upgrades; but at the same time there is a far from zero probability that both nodes will fail at the same time, and also that the next upgrade will not go as smoothly as the vendor promises (the latter problem can be avoided if you have the opportunity to test the upgrade on lab equipment).

If you do not use HA, then from the point of view of a double failure your risks are lower (since you have 2 independent firewalls), but since the sessions are not synchronised, every time you switch between these firewalls you will lose traffic. You can, of course, use stateless firewalling, but then the point of using a firewall is largely lost.

Therefore, if the audit turned up a lone firewall and you are thinking about increasing the reliability of your network, then HA is, of course, one of the recommended solutions, but you should also weigh the drawbacks of this approach and, perhaps, specifically for your network, another solution will be more suitable.

Manageability

In essence, HA is also about manageability. Instead of configuring 2 boxes separately and dealing with the problem of keeping the configurations in sync, you manage them much as if you had a single device.

But perhaps you have many data centers and many firewalls; then this question arises at a different level. And the question is not only about configuration, but also about

  • configuration backup
  • updates
  • upgrades
  • monitoring
  • logging

And all of this can be solved with a centralised management system.

So, for example, if you use Palo Alto firewalls, then Panorama is such a solution.

To be continued.

Source: www.habr.com
