How to take control of your network infrastructure. Chapter three. Network security. Part three

This article is the fifth in the series "How to take control of your network infrastructure." The contents of all the articles in the series, with links, can be found here.

This part will be devoted to the Campus (Office) & Remote Access VPN segments.


Office network design may seem simple.

Indeed, we take L2/L3 switches and connect them to each other. Next, we do the basic configuration of VLANs and default gateways, set up simple routing, connect WiFi controllers and access points, install and configure an ASA for remote access, and we are happy that everything works. Essentially, as I already wrote in one of the previous articles of this series, almost any student who has attended (and learned) two semesters of a telecom course can design and configure an office network so that it "somehow works."

But the more you learn, the less simple this task begins to seem. To me personally, this topic, the topic of office network design, does not seem simple at all, and in this article I will try to explain why.

In short, there are quite a few factors to consider. Often these factors conflict with each other, and a reasonable compromise has to be found.
This uncertainty is the main difficulty. So, speaking of security, we have a triangle with three vertices: security, convenience for employees, and the cost of the solution.
And every time you have to look for a compromise between these three.

Architecture

As an example of the architecture of these two segments, as in the previous articles, I recommend the Cisco SAFE model: Enterprise Campus, Enterprise Internet Edge.

These are somewhat outdated documents. I cite them here because the fundamental schemes and approach have not changed, and at the same time I like the presentation more than in the newer documents.

Without urging you to use Cisco solutions, I still think it is useful to study this design carefully.

This article, as usual, does not pretend to be complete, but is rather an addition to this information.

At the end of the article we will analyze the Cisco SAFE office design in terms of the approaches described here.

General principles

The office network design must, of course, satisfy the general requirements discussed here in the chapter "Criteria for evaluating design quality". Besides price and security, which we intend to discuss in this article, there are three more criteria we must take into account when designing (or making changes):

  • scalability
  • manageability
  • availability

Much of what was discussed for data centers is also true for the office.

Still, the office segment has its own specifics, which are critical from a security point of view. The essence of this specificity is that this segment is created to provide network services to the company's employees (as well as partners and guests), and, as a consequence, at the highest level of consideration of the problem we have two tasks:

  • protect company resources from malicious actions that may originate from employees (guests, partners) and from the software they use. This also includes protection against unauthorized connection to the network.
  • protect the systems and data of the users

And this is only one side of the problem (or rather, one vertex of the triangle). On the other side are user convenience and the cost of the solutions used.

Let's start by looking at what a user expects from a modern office network.

Conveniences

Here is what "network conveniences" look like to an office user, in my opinion:

  • Mobility
  • The ability to use the full range of familiar devices and operating systems
  • Easy access to all necessary company resources
  • Availability of Internet resources, including various cloud services
  • "Fast operation" of the network

All of this applies to both employees and guests (or partners), and it is the task of the company's engineers to differentiate access for different user groups based on authorization.

Let's look at each of these aspects in more detail.

Mobility

We are talking about the ability to work and use all necessary company resources from anywhere in the world (of course, where the Internet is available).

This fully applies to the office. It is convenient when you have the ability to keep working from anywhere in the office, for example, receive mail, communicate in the corporate messenger, be reachable for a video call, ... This allows you, on the one hand, to resolve some issues in "live" communication (for example, by taking part in meetings), and on the other hand, to always be online, keep your finger on the pulse and quickly resolve some urgent high-priority tasks. This is very convenient and really improves the quality of communication.

This is achieved by proper WiFi network design.

Note

Here the question usually arises: is it enough to use only WiFi? Does this mean that you can stop using Ethernet ports in the office? If we are talking only about users, and not about servers, which it still makes sense to connect with a regular Ethernet port, then in general the answer is: yes, you can limit yourself to WiFi only. But there are nuances.

There are important user groups that require a different approach. These are, of course, administrators. In principle, a WiFi connection is less reliable (in terms of traffic loss) and slower than a regular Ethernet port. This can be significant for administrators. In addition, network administrators, for example, may in principle have their own dedicated Ethernet network for out-of-band connections.

There may be other groups/departments in your company for which these factors are also important.

There is another important point: telephony. Perhaps for some reason you do not want to use Wireless VoIP and want to use IP phones with a regular Ethernet connection.

In general, the companies I worked for always had both WiFi connectivity and an Ethernet port.

I would like mobility not to be limited to the office alone.

To ensure the ability to work from home (or any other place with accessible Internet), a VPN connection is used. At the same time, it is desirable that employees do not feel the difference between working from home and working from the office, which implies the same access. We will discuss how to organize this a little later in the chapter "Unified centralized authentication and authorization system."

Note

Most likely, you will not be able to fully provide remote workers with the same quality of service that you have in the office. Let's assume you are using a Cisco ASA 5520 as your VPN gateway. According to the data sheet, this device is capable of "digesting" only 225 Mbit of VPN traffic. That is, in terms of bandwidth, of course, connecting via VPN is very different from working from the office. Also, if, for some reason, latency, loss and jitter are significant for your network services (for example, you want to use the office IP telephony), you will not get the same quality as if you were in the office. Therefore, when talking about mobility, we must be aware of the possible limitations.

Easy access to all company resources

This task must be solved together with the other technical departments.
The ideal situation is when the user needs to authenticate only once, and after that has access to all the necessary resources.
Providing easy access without sacrificing security can significantly improve productivity and reduce stress among your colleagues.

Note 1

Ease of access is not only about how many times you have to enter a password. If, for example, according to your security policy, to connect from the office to the data center you must first connect to a VPN gateway, and at the same time you lose access to office resources, then this is also very, very inconvenient.

Note 2

There are services (for example, access to network equipment) for which we usually have our own dedicated AAA servers, and it is normal that in this case we have to authenticate several times.

Availability of Internet resources

The Internet is not only entertainment, but also a set of services that can be very useful for work. There are also purely psychological factors. A modern person is connected with other people via the Internet through many virtual threads, and, in my opinion, there is nothing wrong if they continue to feel this connection even while working.

From the point of view of wasted time, there is nothing wrong if an employee, for example, has Skype running and spends 5 minutes chatting with a loved one if necessary.

Does this mean that the Internet should always be available, that employees can access all resources without any control?

No, of course it does not. The degree of Internet openness can vary between companies, from complete closure to complete openness. We will discuss ways of controlling traffic later in the sections on security measures.

The ability to use the full range of familiar devices

It is convenient when, for example, you have the opportunity to keep using all the means of communication you are used to at work. There is no technical difficulty in implementing this. For this you need WiFi and a guest WLAN.

It is also good if you have the ability to use the operating system you are used to. But, in my observation, this is usually allowed only for managers, administrators and developers.

Example:

You can, of course, follow the path of prohibitions: prohibit remote access, prohibit connecting from mobile devices, limit everything to static Ethernet connections, limit access to the Internet, confiscate mobile phones and gadgets at the checkpoint... and this path is indeed followed by some organizations with heightened security requirements, and perhaps in some cases this may be justified, but... you must agree that this looks like an attempt to stop progress within a single organization. Of course, I would like to combine the opportunities that modern technologies provide with a sufficient level of security.

"Fast operation" of the network

Technically, data transfer speed depends on many factors. And the speed of your connection port is usually not the most important one. Slow operation of an application is not always caused by network problems, but for now we are only interested in the network part. The most common cause of a local network "slowdown" is packet loss. This usually happens when there is a bottleneck or L1 (OSI) problems. More rarely, with some designs (for example, when your subnets have a firewall as the default gateway and thus all traffic passes through it), hardware performance may be insufficient.

Therefore, when choosing equipment and architecture, you need to correlate the speeds of the end ports, the trunks, and the performance of the equipment.

Example:

Let's say you are using switches with 1 gigabit ports as access layer switches. They are connected to each other via an Etherchannel of 2 x 10 gigabits. As the default gateway you use a firewall with gigabit ports, and to connect it to the L2 office network you use 2 gigabit ports combined into an Etherchannel.

This design is quite convenient from a functional point of view, because all traffic goes through the firewall, and you can comfortably manage access policies and apply complex algorithms to control traffic and prevent possible attacks (see below), but from a throughput and performance point of view this design, of course, has potential problems. For example, 2 hosts downloading data (with a port speed of 1 gigabit) can completely saturate the 2 gigabit connection to the firewall, and thus cause a degradation of service for the entire office segment.

We have looked at one vertex of the triangle; now let's look at how we can ensure security.

Protection means

So, of course, usually our wish (or rather, the wish of our management) is to achieve the impossible, namely, to provide maximum convenience with maximum security and minimum cost.

Let's look at what methods we have for providing protection.

For the office, I would highlight the following:

  • zero trust approach to design
  • high level of protection
  • network visibility
  • unified centralized authentication and authorization system
  • host checking

Next, we will dwell in a little more detail on each of these aspects.

Zero Trust

The IT world is changing very quickly. Just over the past ten years, the emergence of new technologies and products has led to a major revision of security concepts. Ten years ago, from a security point of view, we divided the network into trust, dmz and untrust zones, and used so-called "perimeter protection", where there were two lines of defense: untrust -> dmz and dmz -> trust. Also, protection was usually limited to access lists based on L3/L4 (OSI) headers (IP, TCP/UDP ports, TCP flags). Everything related to the higher layers, including L7, was left to the OS and the security products installed on the end hosts.

Now the situation has changed dramatically. The modern concept of zero trust comes from the fact that it is no longer possible to consider internal systems, that is, those located inside the perimeter, as trusted, and the very notion of a perimeter has become blurred.
In addition to the Internet connection, we also have

  • remote VPN users
  • various personal gadgets and brought-in laptops connected to the office WiFi
  • other offices (branches)
  • integration with cloud infrastructure

What does the Zero Trust approach look like in practice?

Ideally, only the traffic that is needed should be allowed and, if we are talking about the ideal, then control should be not at the L3/L4 level, but at the application level.

If, for example, you have the ability to pass all traffic through a firewall, then you can try to get closer to this ideal. But this approach can significantly reduce the total bandwidth of your network, and besides, filtering by application does not always work well.

When controlling traffic on a router or L3 switch (using standard ACLs), you run into other problems:

  • This is only L3/L4 filtering. Nothing prevents an attacker from using permitted ports (e.g. TCP 80) for their own application (not http)
  • complex ACL management (ACLs are hard to disentangle)
  • This is not a stateful firewall, which means you have to explicitly allow the reverse traffic
  • on switches, you are usually quite tightly limited by the size of the TCAM, which can quickly become a problem if you take the "allow only what you need" approach.

Note

Speaking of reverse traffic, we must remember that we have the following option (Cisco):

permit tcp any any established

But you need to understand that this line is equivalent to two lines:

permit tcp any any ack
permit tcp any any rst

This means that even if there was no initial TCP segment with the SYN flag (that is, the TCP session was never actually established), this ACL will permit a packet with the ACK flag, which an attacker can use to transfer data.

That is, this line does not turn your router or L3 switch into a stateful firewall.
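To make the difference concrete, here is an added Python model (not from the original article, and a deliberate simplification of real IOS behaviour): a stateless "established" check that looks only at the flags of the packet in hand, beside a minimal connection tracker that permits inbound packets only for sessions an inside host actually opened with a SYN. The packet sample and the inside prefix are constructed for the example.

```python
# Added example (not from the original article): why "permit tcp any any established"
# is not a stateful firewall. The ACL model and the connection tracker below are
# simplified illustrations, not real Cisco IOS code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST", "FIN", "PSH"}


def established_acl_permits(pkt: Packet) -> bool:
    """Model of the IOS 'established' keyword: matches when ACK or RST is set.
    It inspects nothing but the header of the single packet in hand."""
    return bool(pkt.flags & {"ACK", "RST"})


class StatefulTracker:
    """Minimal connection tracker: a packet from outside is permitted only if it
    belongs to a session that an inside host opened with a bare SYN."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix
        self.sessions = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def permits(self, pkt: Packet) -> bool:
        if pkt.src.startswith(self.inside_prefix):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == frozenset({"SYN"}):
                self.sessions.add(key)  # inside host opens a session
            return key in self.sessions
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.sessions:
            return False  # no matching session: drop, whatever the flags say
        if "RST" in pkt.flags or "FIN" in pkt.flags:
            self.sessions.discard(key)
        return True


def evaluate(packets, inside_prefix="10.0."):
    """Return [(stateless_verdict, stateful_verdict), ...], one pair per packet.
    The stateless ACL is applied to traffic arriving from outside only."""
    tracker = StatefulTracker(inside_prefix)
    verdicts = []
    for p in packets:
        from_inside = p.src.startswith(inside_prefix)
        stateless = True if from_inside else established_acl_permits(p)
        verdicts.append((stateless, tracker.permits(p)))
    return verdicts


# Constructed sample traffic: a legitimate outbound HTTPS session, followed by an
# inbound ACK|PSH packet for which no handshake ever happened.
SAMPLE = [
    Packet("10.0.1.10", 40000, "203.0.113.5", 443, frozenset({"SYN"})),
    Packet("203.0.113.5", 443, "10.0.1.10", 40000, frozenset({"SYN", "ACK"})),
    Packet("10.0.1.10", 40000, "203.0.113.5", 443, frozenset({"ACK"})),
    Packet("198.51.100.9", 1234, "10.0.1.10", 40001, frozenset({"ACK", "PSH"})),
]

if __name__ == "__main__":
    for p, (stateless, stateful) in zip(SAMPLE, evaluate(SAMPLE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)} "
              f"established-ACL={stateless} stateful={stateful}")
```

The last sample packet is the point of the note: the "established" ACL lets it through because ACK is set, while the tracker drops it because no inside host ever opened that session.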

High level of protection

In the article devoted to the data center segment, we considered the following protection methods.

  • stateful firewalling (default)
  • ddos/dos protection
  • application firewalling
  • threat prevention (antivirus, anti-spyware, and vulnerability protection)
  • URL filtering
  • data filtering (content filtering)
  • file blocking (blocking by file type)

In the case of the office, the situation is similar, but the priorities are slightly different. Office availability is usually not as critical as in the case of the data center, while the probability of "internal" malicious traffic is orders of magnitude higher.
Therefore, the following protection methods become critical for this segment:

  • application firewalling
  • threat prevention (antivirus, anti-spyware, and vulnerability protection)
  • URL filtering
  • data filtering (content filtering)
  • file blocking (blocking by file type)

Although all these protection methods, except application firewalling, have traditionally been handled, and continue to be handled, on the end hosts (for example, by installing antivirus programs) and with proxies, modern NGFWs also provide these services.

Security equipment vendors try to build comprehensive protection, so along with protection on the box they offer various technologies and client software for hosts (endpoint protection / EPP). For example, from the 2018 Gartner Magic Quadrant we see that Palo Alto and Cisco have their own EPP (PA: Traps, Cisco: AMP), but they are far from the leaders.

Enabling these protections (usually by purchasing licenses) on your firewall is not mandatory (you can go the traditional way), but it gives some benefits:

  • in this case, there is a single point where protection methods are applied, which improves visibility (see the next topic).
  • If there is an unprotected device on your network, it still falls under the "umbrella" of the firewall's protection.
  • By using the firewall's protection together with end-host protection, we increase the probability of detecting malicious traffic. For example, using threat prevention both on the local hosts and on the firewall increases the probability of detection (provided, of course, that these solutions are based on different software products)

Note

If, for example, you use Kaspersky as the antivirus both on the firewall and on the end hosts, then this, of course, will not greatly increase your chances of preventing a virus attack on your network.

Network visibility

The main idea is simple: "see" what is happening on your network, both in real time and in historical data.

I would divide this "vision" into two groups:

Group one: what your monitoring system usually gives you.

  • equipment load
  • channel load
  • memory usage
  • disk usage
  • routing table changes
  • link status
  • equipment (or host) availability
  • ...

Group two: security-related information.

  • various kinds of statistics (for example, by application, by URL traffic, what kinds of data were downloaded, user data)
  • what was blocked by security policies and for what reason, namely
    • forbidden application
    • forbidden based on ip/protocol/port/flags/zones
    • threat prevention
    • url filtering
    • data filtering
    • file blocking
    • ...
  • DOS/DDOS attack statistics
  • failed identification and authorization attempts
  • statistics on all the security policy violation events listed above
  • ...

In this chapter on security, we are interested in the second part.

Some modern firewalls (from my experience, Palo Alto) provide a good level of visibility. But, of course, the traffic you are interested in must either pass through this firewall (in which case you also have the ability to block traffic) or be mirrored to the firewall (used only for monitoring and analysis), and you must have licenses to enable all these services.

There is, of course, an alternative, or rather the traditional, way, for example:

  • session statistics can be collected via netflow and then processed with special utilities for information analysis and data visualization
  • threat prevention: special programs (anti-virus, anti-spyware, firewall) on the end hosts
  • URL filtering, data filtering, file blocking: on a proxy
  • it is also possible to analyze a tcpdump using, for example, snort

You can combine these two approaches, complementing missing features or duplicating them to increase the probability of detecting an attack.

Which approach should you choose?
It depends a lot on the qualifications and preferences of your team.
Both have their pros and cons.
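As an added example, not part of the original article: a small Python script that turns flow records of the netflow kind into two "group two" statistics, traffic volume per application (guessed from the destination port, which is all a flow collector can do) and a fan-out alert when one host touches many distinct destinations on the same port within a short window. The CSV layout, the port-to-application table, the thresholds and the records themselves are constructed for this example; a real collector exports a different format, so only the analysis logic is the point here.

```python
# Added example (not from the original article): deriving security statistics and a
# simple alert from constructed NetFlow-style records. The CSV form below is an
# illustration only; real exporters use binary templates.
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed flow export: one record per flow, unix start time, 5-tuple subset, counters.
FLOWS_CSV = """start,src,dst,proto,dport,packets,bytes
1700000000,10.0.1.10,10.10.0.5,6,25,40,6100
1700000001,10.0.1.10,93.184.216.34,6,443,220,184000
1700000002,10.0.1.22,10.20.1.7,6,22,12,2200
1700000003,10.0.1.22,10.20.1.8,6,22,1,60
1700000003,10.0.1.22,10.20.1.9,6,22,1,60
1700000004,10.0.1.22,10.20.1.10,6,22,1,60
1700000004,10.0.1.22,10.20.1.11,6,22,1,60
1700000005,10.0.1.22,10.20.1.12,6,22,1,60
1700000006,10.0.1.31,10.10.0.5,17,53,2,180
"""

# Port-based application guess: the best a pure L3/L4 flow record allows.
APP_BY_PORT = {25: "smtp", 53: "dns", 22: "ssh", 80: "http", 443: "https"}


def parse_flows(text: str):
    """Parse the constructed CSV into dicts with integer counters."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        for k in ("start", "proto", "dport", "packets", "bytes"):
            r[k] = int(r[k])
    return rows


def bytes_per_application(flows):
    """Traffic volume by (port-guessed) application, a 'group two' statistic."""
    totals = Counter()
    for f in flows:
        totals[APP_BY_PORT.get(f["dport"], f"port-{f['dport']}")] += f["bytes"]
    return dict(totals)


def fanout_alerts(flows, window_s=10, max_dests=4):
    """Flag a source that reaches more than max_dests distinct hosts on one
    destination port within window_s seconds: the footprint of scanning or
    lateral-movement attempts that a single blocked session would not reveal."""
    by_key = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["start"]):
        by_key[(f["src"], f["dport"])].append((f["start"], f["dst"]))
    alerts = []
    for (src, dport), events in by_key.items():
        for t0, _ in events:
            dests = {d for t, d in events if t0 <= t < t0 + window_s}
            if len(dests) > max_dests:
                alerts.append((src, dport, len(dests)))
                break  # one alert per (source, port) is enough
    return alerts


if __name__ == "__main__":
    flows = parse_flows(FLOWS_CSV)
    print(bytes_per_application(flows))
    for src, dport, n in fanout_alerts(flows):
        print(f"ALERT: {src} reached {n} distinct hosts on port {dport}")
```

In the constructed data the host 10.0.1.22 opens single-packet flows to six different hosts on port 22 within four seconds, which is what the fan-out check reports; the volume statistic by itself would have shown it as a negligible 2.5 kB of "ssh".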

Unified centralized authentication and authorization system

When designed well, the mobility we discussed in this article assumes that you have the same access whether you work from the office, from home, from an airport, from a coffee shop or anywhere else (with the limitations we discussed above). It would seem, what is the problem?
To better understand the complexity of this task, let's look at a typical design.

Example:

  • You have divided all employees into groups. You decided to grant access by groups
  • Inside the office, you control access on the office firewall
  • You control traffic from the office to the data center on the data center firewall
  • You use a Cisco ASA as the VPN gateway, and to control traffic entering your network from remote clients you use local (on the ASA) ACLs.

Now, let's say you are asked to add some additional access for a certain employee. In this case, you are asked to add the access only for him and for no one else from his group.

For this we have to create a separate group for this employee, namely

  • create a separate IP pool on the ASA for this employee
  • add a new ACL on the ASA and bind it to this remote client
  • create new security policies on the office and data center firewalls

It is fine if such an event is rare. But in my practice there was a situation where employees took part in different projects, and for some of them this set of projects changed quite often, and it was not 1-2 people, but dozens. Clearly, something had to change here.

This was solved in the following way.

We decided that LDAP would be the only source of truth defining all possible employee accesses. We created all kinds of groups defining sets of accesses, and assigned each user to one or more groups.

So, for example, let's say there are the groups

  • guest (Internet access)
  • common access (access to shared resources: mail, knowledge base, ...)
  • accounting
  • project 1
  • project 2
  • database administrator
  • linux administrator
  • ...

And if one of the employees was involved in both project 1 and project 2, and needed the access required to work on these projects, then this employee was assigned to the following groups:

  • guest
  • common access
  • project 1
  • project 2

How do we now turn this information into access on the network equipment?

Cisco ASA Dynamic Access Policy (DAP) (see www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html) is a solution well suited to this task.

Briefly, in our implementation, during identification/authorization the ASA receives from LDAP the set of groups corresponding to the given user and "assembles" from several local ACLs (each corresponding to one group) a dynamic ACL with all the required accesses, which fully matches our wishes.

But this is only for VPN connections. To make the situation the same for employees connected via VPN and for those in the office, the following step was taken.

When connecting from the office, users were placed by the 802.1x protocol either in the guest LAN (for guests) or in the shared LAN (for company employees). Then, to obtain specific access (for example, to projects in the data center), employees had to connect via VPN.

For connections from the office and from home, different tunnel groups were used on the ASA. This is needed so that, for those connecting from the office, traffic to shared resources (used by all employees, such as mail, file servers, the ticket system, dns, ...) does not pass through the ASA but through the local network. Thus, we did not load the ASA with unnecessary traffic, including high-volume traffic.

Thus, the problem was solved.
We got

  • the same set of accesses for connections from the office and for remote access
  • no degradation of service when working from the office due to high-volume traffic passing through the ASA

What are the other advantages of this approach?
Access administration. Accesses can be easily changed in one place.
For example, if an employee leaves the company, you simply remove him from LDAP, and he automatically loses all access.
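Here is an added Python model of the idea described in this section (it is not the article's ASA configuration and not Cisco's DAP implementation; group names, subnets, users and the rule format are all constructed): each directory group owns an ACL fragment, a user's dynamic ACL is assembled from the fragments of the groups they belong to, and removing the user from the directory removes every access at once. The model orders rules by prefix length so that specific internal permits take precedence over the broad guest rules, a choice of this example rather than anything the article prescribes.

```python
# Added example (not the article's configuration and not Cisco DAP): assembling a
# per-user ACL from directory group membership. All names and networks are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    dst: str             # destination network in CIDR notation
    port: Optional[int]  # None means any port


# ACL fragment owned by each group (constructed). The guest fragment explicitly
# denies internal space so that "Internet access" does not leak inward.
GROUP_ACLS = {
    "guest": [Rule("deny", "10.0.0.0/8", None),
              Rule("permit", "0.0.0.0/0", 80),
              Rule("permit", "0.0.0.0/0", 443)],
    "common-access": [Rule("permit", "10.10.0.0/24", None)],  # mail, wiki, dns ...
    "project-1": [Rule("permit", "10.20.1.0/24", None)],
    "project-2": [Rule("permit", "10.20.2.0/24", None)],
    "db-admin": [Rule("permit", "10.30.0.0/24", 5432)],
}

# Stand-in for the LDAP directory: the single source of truth for membership.
LDAP_DIRECTORY = {
    "alice": ["guest", "common-access", "project-1", "project-2"],
    "bob": ["guest", "common-access", "db-admin"],
}


def build_dynamic_acl(user: str, directory=LDAP_DIRECTORY, group_acls=GROUP_ACLS):
    """Collect the fragments of every group the user belongs to, order them most
    specific first, and finish with an explicit deny-all."""
    rules = []
    for group in directory.get(user, []):
        for rule in group_acls.get(group, []):
            if rule not in rules:
                rules.append(rule)
    # Stable sort: longer prefixes first, original order kept among equals.
    rules.sort(key=lambda r: ip_network(r.dst).prefixlen, reverse=True)
    rules.append(Rule("deny", "0.0.0.0/0", None))
    return rules


def is_permitted(acl, dst_ip: str, dst_port: int) -> bool:
    """First-match evaluation of an assembled ACL."""
    for rule in acl:
        if ip_address(dst_ip) in ip_network(rule.dst) and rule.port in (None, dst_port):
            return rule.action == "permit"
    return False


def revoke_user(user: str, directory=LDAP_DIRECTORY):
    """Offboarding: deleting the account from the directory removes all access,
    because nothing else holds per-user state."""
    directory.pop(user, None)


if __name__ == "__main__":
    for rule in build_dynamic_acl("alice"):
        print(rule.action, rule.dst, rule.port if rule.port is not None else "any")
```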

Host checking

With the possibility of remote connection, we run the risk of letting into the network not only the company employee, but also all the malicious software that may well be present on his computer (for example, at home), and, moreover, through this software we may be giving an attacker access to our network using this host as a proxy.

It makes sense to apply the same security requirements to a remotely connected host as to an in-office host.

This also implies the "correct" versions of the OS, anti-virus, anti-spyware and firewall software and their settings. Usually, this capability exists on the VPN gateway (for the ASA see, for example, here).

It also makes sense to apply the same traffic analysis and blocking techniques (see "High level of protection") that your security policy applies to office traffic.

It is reasonable to assume that your office network is no longer limited to the office building and the hosts inside it.

Example:

A good practice is to give each employee who needs remote access a good, convenient laptop and require them to work, both in the office and from home, only from it.

This not only improves the security of your network, but is also really convenient and is usually viewed favorably by employees (if it is a really good, user-friendly laptop).
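As an added example for the host checking section (not from the article and not the ASA's own host-scan feature): a small Python posture check of the kind a VPN gateway applies before it decides which access group a connecting host lands in. The policy thresholds, the posture fields and the sample endpoint reports are constructed; the design choice shown is that a non-compliant host is moved to a quarantine group rather than simply rejected, so the user can still reach the Internet to update.

```python
# Added example (not from the original article): a minimal posture policy of the
# kind evaluated at the VPN gateway. Thresholds and reports are constructed values.
from dataclasses import dataclass


@dataclass
class Posture:
    os_name: str
    os_version: tuple          # e.g. (10, 0, 19045); tuples compare element-wise
    av_running: bool
    av_signatures_age_days: int
    firewall_enabled: bool
    disk_encrypted: bool


# Constructed policy: the same requirements an in-office host would have to meet.
POLICY = {
    "min_os_version": {"windows": (10, 0, 19041), "macos": (12, 0, 0)},
    "max_signature_age_days": 3,
    "require_firewall": True,
    "require_disk_encryption": True,
}


def check_posture(p: Posture, policy=POLICY):
    """Return (compliant, failures). Every check is evaluated so the user gets the
    full list of what to fix, not just the first problem."""
    failures = []
    min_ver = policy["min_os_version"].get(p.os_name.lower())
    if min_ver is None:
        failures.append("unsupported operating system")
    elif p.os_version < min_ver:
        failures.append(f"os version {p.os_version} below minimum {min_ver}")
    if not p.av_running:
        failures.append("antivirus not running")
    elif p.av_signatures_age_days > policy["max_signature_age_days"]:
        failures.append("antivirus signatures outdated")
    if policy["require_firewall"] and not p.firewall_enabled:
        failures.append("host firewall disabled")
    if policy["require_disk_encryption"] and not p.disk_encrypted:
        failures.append("disk not encrypted")
    return (not failures, failures)


def assign_group(p: Posture, policy=POLICY) -> str:
    """Compliant hosts get the corporate access group; others a quarantine group
    with Internet-only access, enough to update and reconnect."""
    compliant, _ = check_posture(p, policy)
    return "corporate" if compliant else "quarantine"


if __name__ == "__main__":
    home_laptop = Posture("windows", (10, 0, 18363), True, 10, False, True)
    ok, why = check_posture(home_laptop)
    print(assign_group(home_laptop), why)
```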

On a sense of proportion and balance

In fact, this is a conversation about the third vertex of our triangle: price.
Let's look at a hypothetical example.

Example:

You have an office of 200 people. You decided to make it as convenient and as secure as possible.

Therefore, you decided to pass all traffic through the firewall, and thus the firewall is the default gateway for all office subnets. In addition to the security software installed on each end host (anti-virus, anti-spyware and firewall software), you also decided to apply all possible protection methods on the firewall.

To ensure a high connection speed (all for convenience), you chose switches with 10 Gigabit access ports as access switches, and high-performance NGFW firewalls as firewalls, for example, the Palo Alto 10K series (with 40 Gigabit ports), naturally with all licenses included and, naturally, as a High Availability pair.

Also, of course, to operate this line of equipment we need at least a couple of highly qualified security engineers.

Next, you decided to give each employee a good laptop.

In total, about 10 million dollars for implementation, and hundreds of thousands of dollars (I think closer to a million) for annual support and engineers' salaries.

An office, 200 people...
Convenient? I guess so.

You come to your management with this proposal...
Perhaps there are a number of companies in the world for which this is an acceptable and correct solution. If you are an employee of such a company, my congratulations, but in the vast majority of cases, I am sure, your knowledge will not be appreciated by management.

Is this example exaggerated? The next chapter will answer this question.

If you do not see anything of the above on your network, then this is the norm.
In each specific case, you need to find your own reasonable compromise between convenience, price and security. Often you do not need an NGFW in your office at all, and L7 protection on the firewall is not required. It is enough to provide a good level of visibility and alerting, and this can be done using open source products, for example. Yes, your reaction to an attack will not be instantaneous, but the main thing is that you will see it, and with the right processes in place in your department, you will be able to neutralize it quickly.

And let me remind you that, according to the concept of this series of articles, you are not designing a network; you are only trying to improve what you have inherited.

SAFE analysis of the office architecture

Pay attention to the red square that I have drawn on the diagram from the SAFE Secure Campus Architecture Guide; this is what I want to discuss here.


This is one of the key places in the architecture and one of the most important uncertainties.

Note

I have never configured or worked with FirePower (from Cisco's firewall line, only the ASA), so I will treat it like any other firewall, such as a Juniper SRX or Palo Alto, assuming it has similar capabilities.

Of the usual designs, I see only 4 possible options for using a firewall with this connection:

  • the default gateway for each subnet is the switch, while the firewall is in transparent mode (that is, all traffic passes through it, but it does not form an L3 hop)
  • the default gateway for each subnet is the firewall's sub-interfaces (or SVI interfaces); the switch plays the role of L2.
  • different VRFs are used on the switch, and traffic between VRFs goes through the firewall, while traffic within one VRF is controlled by ACLs on the switch.
  • all traffic is mirrored to the firewall for analysis and monitoring; traffic does not pass through it

Note 1

Combinations of these options are possible, but for simplicity we will not consider them.

Note 2

There is also the option of using PBR (service chain architecture), but for now this, although a beautiful solution in my opinion, is rather exotic, so I am not considering it here.

From the description of the flows in the document, we see that traffic still passes through the firewall, that is, according to the Cisco design, the fourth option is eliminated.

Let's look at the first two options first.
With these options, all traffic goes through the firewall.

Now let's look at the data sheet, look at the Cisco GPL, and we see that if we want the total bandwidth of our office to be around 10 - 20 gigabits, then we must buy the 4K version.

Note

When I talk about total bandwidth, I mean traffic between subnets (and not within one vlan).

From the GPL we see that for the HA Bundle with Threat Defense, the price depending on the model (4110 - 4150) ranges from about 0.5 to 2.5 million dollars.

That is, our design starts to resemble the previous example.

Does this mean that this design is bad?
No, it does not. Cisco offers you the best possible protection based on the product line it has. But that does not mean it is a must-have for you.

In principle, this is a typical question that arises when designing an office or a data center, and it simply means that a compromise has to be found.

For example, do not let all traffic pass through the firewall, in which case option 3 looks quite good to me, or (see the previous section) perhaps you do not need Threat Defense, or do not need a firewall at all on that network segment, and you only need to limit yourself to monitoring using paid (inexpensive) or open source solutions, or you need a firewall, but from a different vendor.

Usually there is always this uncertainty and there is no clear answer as to which solution is best for you.
This is the complexity and the beauty of this task.

Source: www.habr.com
