How to take control of your network infrastructure. Chapter three. Network security. Part two

This article is the fourth in the series "How to Take Control of Your Network Infrastructure". The table of contents for the whole series, with links, can be found here.

In the first part of this chapter we looked at some aspects of network security in the Data Center segment. This part is devoted to the "Internet Access" segment.


Internet Access

Security is without doubt one of the most complex topics in the world of data networks. As in the previous parts, without claiming depth or completeness, I will consider here fairly simple but, in my opinion, important questions, the answers to which will, I hope, help raise the security level of your network.

When auditing this segment, pay attention to the following aspects:

  • design
  • BGP configuration
  • DOS/DDOS protection
  • traffic filtering on the firewall

Design

As an example of a design for this segment of the enterprise network, I would recommend the guide from Cisco within the SAFE model.

Of course, another vendor's solution may seem more attractive to you (see the Gartner Quadrant 2018), but without urging you to follow this design in detail, I still find it useful to understand the principles and ideas behind it.

Note

In SAFE, the "Remote Access" segment is part of the "Internet Access" segment. But in this series of articles we will consider it separately.

The standard set of equipment in this segment of the enterprise network is

  • border routers
  • firewalls

Note 1

In this series of articles, when I talk about firewalls, I mean NGFW.

Note 2

I leave aside the various kinds of L2/L1 or L2-over-L3 overlay solutions required to provide L1/L2 connectivity and limit myself to questions at L3 and above. L1/L2 issues were partly discussed in the chapter "Cleanup and Documentation".

If you did not find a firewall in this segment, you should not rush to conclusions.

Let's do the same as in the previous part and start with the question: is it necessary to use a firewall in this segment in your case?

I can say that this is probably the most justified place to use a firewall and to apply complex traffic filtering algorithms. In part 1 we mentioned four factors that can hinder the use of firewalls in the data center segment. Here they are no longer so significant.

Example 1. Latency

When it comes to the Internet, there is no sense in talking about latencies of even 1 millisecond. Therefore latency in this segment cannot be the factor that limits the use of a firewall.

Example 2. Performance

In some cases this factor may still be significant. Therefore you may have to let some traffic (for example, traffic from load balancers) bypass the firewall.

Example 3. Reliability

This factor still has to be taken into account, but nevertheless, given the unreliability of the Internet itself, its importance for this segment is not as great as for the data center.

So let's assume your service lives on top of http/https (with short sessions). In this case you can use two independent boxes (without HA) and, if there is a routing problem with one of them, send all traffic to the second.

Or you can use the firewall in transparent mode and, if it fails, let traffic bypass the firewall while you solve the problem.

Therefore, perhaps only the price can be the factor that forces you to abandon firewalls in this segment.

Important!

There is a temptation to combine this firewall with the data center firewall (to use one firewall for both segments). The solution is possible in principle, but you need to understand that because the Internet Access firewall is at the front line of your defense and "absorbs" at least part of the malicious traffic, you must, of course, take into account the increased risk that this firewall will be taken out of service. That is, by using the same devices in these two segments, you significantly reduce the availability of your data center segment.

As always, you need to understand that depending on the service your company provides, the design of this segment can vary greatly. As always, you can choose different approaches depending on your requirements.

Example:

If you are a content provider with a CDN network (see, for example, this series of articles), then you may not want to build infrastructure at dozens or even hundreds of points of presence using separate devices for routing and for filtering traffic. That would be expensive, and it may simply be unnecessary.

For BGP you do not have to have dedicated routers; you can use open-source tools such as Quagga. So perhaps all you need is a server or several servers, a switch and BGP.

In this case your server or servers can play the role not only of CDN server but also of router. Of course, there are still many details (such as how to do load balancing), but it is feasible, and it is an approach we have successfully used for one of our partners.

You can have several data centers with full protection (firewalls, DDOS protection services provided by your Internet providers) and dozens or hundreds of "lightweight" points of presence with only L2 switches and servers.

But what about protection in this case?

Let's look, for example, at the recently popular DNS Amplification DDOS attack. Its danger lies in the fact that a large volume of traffic is generated, which simply "clogs" 100% of all your uplinks.

What do we have in the case of our design?

  • if you use AnyCast, then traffic is distributed among your points of presence. If your total bandwidth is in terabits, then this in itself (although recently there have been several attacks with malicious traffic on the order of terabits) actually protects you from "overflowing" your uplinks.
  • If, however, some uplinks are clogged, you simply remove that site from service (stop advertising the prefix)
  • you can also increase the share of traffic sent from your "full" (and, accordingly, protected) data centers, thereby removing a significant part of the malicious traffic from the unprotected points of presence.

And one more small note on this example. If you send enough traffic through IXs, this also reduces your exposure to such attacks.

BGP configuration

There are two topics here.

  • Connectivity
  • BGP configuration

We already talked a little about connectivity in part 1. The point is to ensure that traffic to your clients follows the optimal path. Although optimality is not always only about latency, low latency is usually the main indicator of optimality. For some companies this is more important, for others less so. It all depends on the service you provide.

Example 1

If you are an exchange and sub-millisecond intervals matter to your clients, then, of course, there can be no question of any kind of Internet at all.

Example 2

If you are a gaming company and tens of milliseconds matter to you, then, of course, connectivity is very important to you.

Example 3

You also need to understand that, because of the properties of the TCP protocol, the data transfer rate within a single TCP session also depends on the RTT (Round Trip Time). CDN networks are built, among other things, to solve this problem by moving content distribution servers closer to the consumer of that content.

The study of connectivity is an interesting topic in itself, worthy of its own article or series of articles, and it requires a good understanding of how the Internet "works".

Useful resources:

ripe.net
bgp.he.net

Example:

I will give just a small example.

Let's assume your data center is in Moscow and you have a single uplink, Rostelecom (AS12389). In this case (single-homed) you do not need BGP, and you most likely use an address pool from Rostelecom as your public addresses.

Let's assume you provide some service, you have a fair number of clients from Ukraine, and they complain about high latency. During your investigation you found that the IP addresses of some of them are in the 37.52.0.0/21 range.

By running traceroute you saw that traffic passes through AS1299 (Telia), and by running ping you got an average RTT of 70 - 80 milliseconds. You can also see this on the Rostelecom looking glass.

Using the whois utility (on ripe.net or a local utility), you can easily find out that the block 37.52.0.0/21 belongs to AS6849 (Ukrtelecom).

Next, going to bgp.he.net, you see that AS6849 has no relationship with AS12389 (they are neither clients nor uplinks of each other, and they have no peering). But if you look at the list of peers of AS6849, you will see, for example, AS29226 (Mastertel) and AS31133 (Megafon).

Once you find the looking glass of these providers, you can compare the path and the RTT. For example, for Mastertel the RTT will be about 30 milliseconds.

So if the difference between 80 and 30 milliseconds matters for your service, then perhaps you should think about connectivity: get your own AS number and your own address pool from RIPE, connect additional uplinks and/or create points of presence at IXs.
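As an added example (not code from the original article), here is a small Python script for the investigation just described: it does a longest-prefix match of measured client IPs against route objects of the kind whois returns and reports the median RTT per origin AS, so the poorly served networks (AS6849 in the article's case) stand out. The route table and the RTT samples are constructed; only 37.52.0.0/21 -> AS6849 and the 70-80 ms versus 30 ms figures follow the article, and AS64500/AS64501 are documentation-range placeholders.

```python
import ipaddress
from statistics import median

# Constructed route objects in the shape "route: <prefix> / origin: <AS>" that
# whois returns. 37.52.0.0/21 -> AS6849 is from the article; the rest are placeholders.
ROUTE_OBJECTS = {
    "37.52.0.0/21": "AS6849",      # Ukrtelecom, per the article
    "37.52.0.0/16": "AS64500",     # constructed, less specific covering route
    "198.51.100.0/24": "AS64501",  # constructed
}

# Constructed client measurements: (client IP, average RTT in ms from your edge).
SAMPLES = [
    ("37.52.1.10", 78.0), ("37.52.3.200", 71.5), ("37.52.6.7", 80.2),
    ("37.52.200.9", 35.0), ("198.51.100.4", 28.0), ("198.51.100.77", 31.0),
]


def origin_as(ip):
    """Longest-prefix match of one client IP against the known route objects."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in ROUTE_OBJECTS.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def rtt_by_origin(samples):
    """Median RTT per origin AS, rounded to 0.1 ms."""
    groups = {}
    for ip, rtt in samples:
        groups.setdefault(origin_as(ip), []).append(rtt)
    return {asn: round(median(rtts), 1) for asn, rtts in groups.items()}


def poorly_served(samples, threshold_ms=50.0):
    """Origin ASes whose median RTT exceeds the threshold: the networks whose
    peers (per bgp.he.net) are worth checking for a better uplink or IX."""
    return sorted(asn for asn, m in rtt_by_origin(samples).items() if m > threshold_ms)


if __name__ == "__main__":
    for asn, m in sorted(rtt_by_origin(SAMPLES).items()):
        print(f"{asn:8} median RTT {m:5.1f} ms")
    print("worth investigating:", poorly_served(SAMPLES))
```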

When you use BGP, you not only get the opportunity to improve connectivity, you also make your Internet connection redundant.

This document contains recommendations for configuring BGP. Although these recommendations were developed from the "best practices" of providers, they are nevertheless (if your BGP configuration is not completely trivial) undoubtedly useful and should in fact be part of the hardening we discussed in the first part.

DOS/DDOS protection

Today DOS/DDOS attacks have become an everyday occurrence for many companies. In fact, you are attacked quite often in one form or another. The fact that you have not noticed this yet only means that no targeted attack has been organized against you yet, and that the protection measures you use, perhaps even without realizing it (various built-in protections of operating systems), are enough to keep the degradation of the service you provide minimal for you and your clients.

There are Internet resources that, based on equipment logs, draw beautiful real-time maps of attacks.

Here you can find links to them.

My favorite map is the one from CheckPoint.

Protection against DDOS/DOS is usually layered. To understand why, you need to understand what types of DOS/DDOS attacks exist (see, for example, here or here).

That is, we have three types of attacks:

  • volumetric attacks
  • protocol attacks
  • application attacks

While you can protect yourself from the last two types of attacks using, for example, a firewall, you cannot protect yourself from attacks aimed at "saturating" your uplinks (unless, of course, your total Internet channel capacity is measured in terabits, or better still in tens of terabits).

Therefore the first line of defense is protection from "volumetric" attacks, and your provider or providers must provide this protection to you. If you have not realized this yet, then you have simply been lucky so far.

Example:

Let's say you have several uplinks, but only one of the providers can give you this protection. But if all traffic goes through this one provider, what about the connectivity we briefly discussed a little earlier?

In this case you will have to partly sacrifice connectivity during an attack. But

  • this is only for the duration of the attack. In the event of an attack you can manually or automatically reconfigure BGP so that traffic goes only through the provider that gives you the "umbrella". After the attack ends, you can return routing to its previous state
  • It is not necessary to move all traffic. If, for example, you see that there is no attack through some uplinks or peerings (or the traffic is insignificant), you can continue advertising prefixes with competitive attributes to those BGP neighbors.

You can also outsource protection from "protocol attacks" and "application attacks" to your partners.
Here you can read a good study (translation). True, the article is two years old, but it will give you an idea of the approaches you can take to protect yourself from DDOS attacks.

In principle, you can limit yourself to this, outsourcing your protection completely. There are advantages to this choice, but there is also an obvious disadvantage. The fact is that we may be talking (again, depending on what your company does) about the survival of the business. And entrusting such things to third parties...

Therefore, let's look at how to organize the second and third lines of defense (in addition to the protection from the provider).

So, the second line of defense is filtering and traffic limiters (policers) at the entry point of your network.

Example 1

Let's assume you have covered yourself with an anti-DDOS umbrella with the help of one of your providers. Let's assume this provider uses Arbor to filter traffic and filters at the edge of its network.

The bandwidth that Arbor can "process" is limited, and the provider, of course, cannot constantly pass the traffic of all the partners who order this service through the filtering equipment. Therefore, under normal conditions, traffic is not filtered.

Let's assume a SYN flood attack is under way. Even if you have ordered a service that automatically switches traffic to filtering in the event of an attack, this does not happen instantly. For a minute or more you remain under attack. And this can lead to failure of your equipment or degradation of the service. In this case, limiting traffic on the edge router, even though it means that some TCP sessions will not be established during this time, will save your infrastructure from bigger problems.

Example 2

An abnormally large number of SYN packets may not only be the result of a SYN flood attack. Let's assume you provide a service where you can have 100 thousand simultaneous TCP connections (to one data center).

Let's say that, as a result of a short-term problem with one of your main providers, half of your sessions are dropped. If your application is designed so that, without thinking twice, it immediately (or after a time interval that is the same for all sessions) tries to re-establish the connection, then you will receive about 50 thousand SYN packets at approximately the same time.

If, for example, you have to run an ssl/tls handshake on top of these sessions, which involves exchanging certificates, then from the point of view of exhausting the resources of your load balancer this will be a much stronger "DDOS" than a simple SYN flood. It would seem that balancers should handle such events, but... unfortunately, we have run into exactly this problem.

And, of course, a policer on the edge router will protect your equipment in this case as well.
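As an added example (not code from the original article), a Python model of Examples 1 and 2 together: a synchronized reconnect storm versus clients that retry with random jitter, with a token-bucket policer for SYNs on the edge router in front of both. The 100 thousand sessions and 50 thousand SYNs follow the article; the 5 s retry, the 0-30 s jitter window, and the policer's 2000 SYN/s rate and 4000-packet burst are assumed values, and the policer is a simplified model rather than any vendor's implementation.

```python
import random
from collections import Counter

# Constructed scenario from the article: 100k TCP sessions to one data center,
# half of them dropped when an upstream provider has a short-term problem.
SESSIONS = 100_000
DROPPED = SESSIONS // 2


def fixed_delay(rng):
    """Naive client: every dropped session retries after exactly 5 s (assumed)."""
    return 5.0


def jittered_delay(rng, spread=30.0):
    """Client with full jitter: retry at a random point within `spread` seconds."""
    return rng.uniform(0.0, spread)


def syn_arrivals(delay_fn, seed=1):
    """Map 'seconds after the drop' -> number of new SYNs arriving in that second."""
    rng = random.Random(seed)
    return Counter(int(delay_fn(rng)) for _ in range(DROPPED))


def police(arrivals, rate, burst):
    """Simplified per-second token-bucket policer for SYNs at the edge router:
    `rate` tokens/s refill, bucket depth `burst`. Returns
    (passed, dropped, peak_syns_in_one_second)."""
    tokens = burst
    passed = dropped = 0
    for second in range(max(arrivals) + 1):
        tokens = min(burst, tokens + rate)
        n = arrivals.get(second, 0)
        ok = min(n, tokens)          # SYNs that fit in the bucket are forwarded
        tokens -= ok
        passed += ok
        dropped += n - ok            # the rest are dropped before the balancer
    return passed, dropped, max(arrivals.values())


if __name__ == "__main__":
    for name, fn in (("fixed 5 s", fixed_delay), ("jitter 0-30 s", jittered_delay)):
        p, d, peak = police(syn_arrivals(fn), rate=2000, burst=4000)
        print(f"{name:14} peak {peak:6} SYN/s  passed {p:6}  dropped by policer {d:6}")
```

With the synchronized retry the policer sheds 46 thousand of the 50 thousand SYNs in one second to protect the balancer, which is exactly the "some TCP sessions will not be established" trade-off; with jittered retries the peak stays well under the policer rate and nothing is dropped.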

The third line of defense against DDOS/DOS is your firewall configuration.

Here you can stop all attacks of the second and third types. In general, everything that reaches the firewall can be filtered here.

Tip

Try to give the firewall as little work as possible, filtering out as much as possible on the first two lines of defense. And here is why.

Has it ever happened to you that, by chance, while generating traffic to test, for example, how resistant the operating system of your servers is to DDOS attacks, you "killed" your firewall, loading it to 100 percent with traffic of normal intensity? If not, maybe it is only because you have not tried?

In general, a firewall, as I said, is a complex thing, and it copes well with known vulnerabilities and tested solutions, but if you send it something unusual, some garbage or packets with malformed headers, then you have some, not so small (in my experience), chance of stunning even high-end equipment. Therefore, at the second stage, using ordinary ACLs (at the L2/L3 level), allow into your network only the traffic that should be there.

Traffic filtering on the firewall

Let's continue the conversation about the firewall. You need to understand that DOS/DDOS attacks are just one type of cyber attack.

In addition to DOS/DDOS protection, we can also have something like the following list of features:

  • application firewalling
  • threat protection (antivirus, anti-spyware and vulnerability protection)
  • URL filtering
  • data filtering (content filtering)
  • file blocking (blocking of file types)

It is up to you to decide what you need from this list.

To be continued

Source: www.habr.com
