Maitiro Ekuongorora Kubudirira kweiyo NGFW Setup
Basa rakajairika nderekutarisa kuti firewall yako yakagadziriswa sei. Kuita izvi, kune zvemahara zvekushandisa uye masevhisi kubva kumakambani anobata neNGFW.
Semuenzaniso, unogona kuona pazasi kuti Palo Alto Networks inokwanisa kubva zvakananga kubva mhanyisa ongororo yezviverengero zvefirewall - SLR mushumo kana ongororo yekutevedzera maitiro akanaka - BPA report. Aya ndiwo emahara ekushandisa epamhepo aunogona kushandisa pasina kuisa chero chinhu.
ZVIRI MUKATI
Expedition (Kutamisa Turusi)
Imwe yakanyanya kuomarara sarudzo yekutarisa zvigadziriso zvako kurodha zvemahara zvekushandisa (yaimbova Migration Tool). Inotorwa seVirtual Appliance yeVMware, hapana marongero anodiwa nayo - iwe unofanirwa kudhawunirodha mufananidzo uye wouisa pasi peVMware hypervisor, itange uye enda kuwebhu interface. Ichi chishandiso chinoda nyaya yakaparadzana, kosi chete pairi inotora mazuva mashanu, kune akawanda mabasa ikozvino, anosanganisira Machine Kudzidza uye kutama kweakasiyana magadzirirwo emitemo, NAT uye zvinhu zvevakasiyana Firewall vagadziri. Ini ndichanyora zvimwe nezve Machine Kudzidza pazasi mune zvinyorwa.
Policy Optimizer
Uye iyo yakanyanya nyore sarudzo (IMHO), iyo yandichakuudza nezvayo zvakadzama nhasi, ndiyo inogadzirisa mutemo yakavakirwa muPalo Alto Networks interface pachayo. Kuti ndizviratidze, ndakaisa firewall kumba uye ndakanyora mutemo wakapfava: bvumidza chero kune chero. Muchidimbu, ini dzimwe nguva ndinoona mitemo yakadai kunyange mumambureti emakambani. Nomuzvarirwo, ini ndakagonesa ese NGFW chengetedzo profiles, sezvauri kuona mune iyo skrini:
Iyo skrini iri pazasi inoratidza muenzaniso weimba yangu isina kugadziridzwa firewall, uko dzinenge zvese zvinongedzo zvinowira mumutemo wekupedzisira: BvumiraAll, sezvingaonekwa kubva kune manhamba muHit Count column.
Zero Vimbai
Pane nzira yekuchengetedza inonzi . Zvinorevei izvi: isu tinofanirwa kubvumidza vanhu mukati metiweki chaizvo izvo zvinongedzo zvavanoda uye kuramba zvese zvimwe. Ndiko kuti, tinoda kuwedzera mitemo yakajeka yezvikumbiro, vashandisi, mapoka e URL, mafaira emhando; gonesa ese IPS uye antivirus siginecha, gonesa sandboxing, DNS dziviriro, shandisa IoC kubva kune iripo Threat Intelligence dhatabhesi. Kazhinji, kune nhamba yakanaka yemabasa paunenge uchigadzira firewall.
Nenzira, iyo yakaderera seti yeinodiwa marongero ePalo Alto Networks NGFW inotsanangurwa mune imwe yeSANS zvinyorwa: - Ndinokurudzira kutanga nayo. Uye zvechokwadi, pane seti yeakanakisa maitiro ekumisikidza firewall kubva kumugadziri: .
Saka, ndaiva nefirewall pamba kwevhiki. Ngationei kuti imhandoi yetraffic iripo panetiweki yangu:
Kana iwe ukaronga nenhamba yezvikamu, saka mazhinji acho anogadzirwa ne bittorrent, wozouya SSL, wozoita QUIC. Aya ndiwo manhamba ezvese ari kuuya uye anobuda traffic: kune akawanda ekunze scans ye router yangu. Pane 150 akasiyana maapplication panetiweki yangu.
Saka, zvese izvi zvakapotsa nemutemo mumwechete. Ngationei zvino kuti Policy Optimizer inotii nezveizvi. Kana iwe wakatarisa kumusoro pane iyo skrini yeiyo interface ine mitemo yekuchengetedza, ipapo pazasi kuruboshwe wakaona diki hwindo rinoratidza kwandiri kuti kune mitemo inogona kugadziriswa. Ngatidzvanye ipapo.
Zvinoratidzwa nePolicy Optimizer:
- Ndeipi mitemo isina kushandiswa zvachose, mazuva makumi matatu, mazuva makumi mapfumbamwe. Izvi zvinobatsira kuita sarudzo yekuvabvisa zvachose.
- Ndezvipi zvikumbiro zvakatsanangurwa mumitemo, asi hapana zvikumbiro zvakadaro zvakaonekwa mumigwagwa. Izvi zvinokutendera kuti ubvise zvikumbiro zvisingakoshi mukubvumidza mitemo.
- Ndeapi marongero aibvumira zvese, asi pakanga paine maapplication angave akanaka kuratidza zvakajeka zvinoenderana neZero Trust maitiro.
Dzvanya pakasashandiswa.
Kuti ndiratidze kuti inoshanda sei, ndakawedzera mitemo mishoma uye kusvika ikozvino havasati vapotsa pakiti imwe chete nhasi. Heino rondedzero yavo:
Zvichida nekufamba kwenguva pachange paine traffic ipapo uye ivo vanobva vanyangarika kubva pane iyi runyorwa. Uye kana vari pachirongwa ichi kwemazuva makumi mapfumbamwe, saka unogona kusarudza kudzima iyi mitemo. Mushure mezvose, mutemo wega wega unopa mukana kune hacker.
Pane dambudziko rechokwadi pakugadzirisa firewall: mushandi mutsva anouya, anotarisa mitemo yefirewall, kana vasina mazano uye asingazivi kuti nei mutemo uyu wakasikwa, kana uchinyatsodiwa, kana uchikwanisa. kudzimwa: pakarepo munhu anenge ari pazororo uye mushure memazuva makumi matatu, traffic ichayerera zvakare kubva kubasa raanoda. Uye chete basa iri rinomubatsira kuita sarudzo - hapana anoishandisa - bvisa!
Dzvanya paIsina Kushandiswa App.
Isu tinodzvanya paIsina Kushandiswa App mune optimizer uye toona iyo inonakidza ruzivo inovhura muhwindo guru.
Tinoona kuti pane mitemo mitatu, apo nhamba yezvikumbiro zvinobvumirwa uye nhamba yezvikumbiro zvakapfuura mutemo uyu zvakasiyana.
Isu tinokwanisa kudzvanya nekuona runyorwa rwezvishandiso izvi uye toenzanisa aya rondedzero.
Semuenzaniso, tinya bhatani reCompare yemutemo weMax.
Pano iwe unogona kuona kuti zvikumbiro facebook, instagram, telegraph, vkontakte zvakabvumidzwa. Asi muchokwadi, traffic yaingoenda kune mamwe ma sub-application. Pano iwe unofanirwa kunzwisisa kuti iyo facebook application ine akati wandei-maapplication.
Rondedzero yese yeNGFW yekushandisa inogona kuoneka pane portal uye mune firewall interface pachayo, muZvinhu-> Zvishandiso chikamu uye mukutsvaga, nyora zita rekushandisa: facebook, iwe unowana inotevera mhedzisiro:
Saka, mamwe eaya ma-sub-application akaonekwa neNGFW, asi mamwe haana. Muchokwadi, iwe unogona kurambidza zvakasiyana uye kubvumira akasiyana madiki-mabasa eFacebook. Semuenzaniso, bvumidza kuona mameseji, asi rambidza kutaura kana kutumira faira. Saizvozvo, Policy Optimizer inotaura nezve izvi uye iwe unogona kuita sarudzo: kusatendera ese Facebook application, asi iwo makuru chete.
Saka, takaona kuti mazita akasiyana. Iwe unogona kuve nechokwadi chekuti mitemo inobvumira chete izvo zvikumbiro zvinonyatso famba pane network. Kuti uite izvi, unodzvanya bhatani reMatchUsage. Zvinoitika seizvi:
Uye iwe unogona zvakare kuwedzera maapplication aunoona akakosha - iyo Wedzera bhatani kuruboshwe rwehwindo:
Uye zvino mutemo uyu unogona kushandiswa uye kuedzwa. Makorokoto!
Dzvanya Hapana Mapurogiramu Akatsanangurwa.
Muchiitiko ichi, hwindo rakakosha rekuchengetedza richazaruka.
Iko kune kazhinji yakawanda yemitemo yakadai munetiweki yako uko iyo L7 level application haina kutsanangurwa zvakajeka. Uye mune yangu network pane mutemo wakadaro - rega ndikuyeuchidze kuti ndakazviita panguva yekutanga kuseta, kunyanya kuratidza kuti Policy Optimizer inoshanda sei.
Mufananidzo wacho unoratidza kuti mutemo weAllowAll wakabvumira 9 gigabytes yetraffic munguva kubva munaKurume 17 kusvika Kurume 220, inova zana nemakumi mashanu akasiyana maapplication munetiweki yangu. Uye izvozvo hazvina kukwana. Kazhinji, avhareji saizi yemakambani network ine 150-200 akasiyana maapplication.
Saka, mutemo mumwechete unotendera kuburikidza neanosvika zana nemakumi mashanu ekunyorera. Kazhinji izvi zvinoreva kuti firewall haina kugadzirwa nenzira kwayo, nekuti kazhinji mutemo mumwe unobvumira 150-1 maapplication ezvinangwa zvakasiyana. Ngationei kuti maapplication aya ndeapi: tinya bhatani reCompare:
Chinhu chakanyanya kushamisa kune maneja muPolicy Optimizer basa ibhatani reMatch Usage - unogona kugadzira mutemo nekudzvanya kumwe chete, kwauchaisa ese zana nemakumi mashanu zvikumbiro mumutemo. Kuita izvi nemaoko kunotora nguva yakareba. Huwandu hwemabasa ekuti maneja ashande paari, kunyangwe pane network yangu yemidziyo gumi, yakakura.
Ndine zana nemakumi mashanu maapplication akasiyana ari kumba, achiendesa gigabytes etraffic! Uye une marii?
Asi chii chinoitika munetiweki yezana zvishandiso kana 100 kana 1000? Ndakaona mafirewall ane zviuru zvisere zvemitemo uye ndinofara zvikuru kuti maneja ave neakadaro ekushandisa otomatiki maturusi.
Zvimwe zvezvishandiso izvo L7 application yekuongorora module muNGFW yakaona uye yakaratidza kuti hauzoda panetiweki, saka unongozvibvisa kubva pane rondedzero yemitemo inobvumidza, kana kutevedzera mitemo uchishandisa bhatani reClone (mune main interface) uye vabvumire mumutemo mumwechete wekushandisa, uye mukati Unovhara mamwe maapplication sezvo asiri kudikanwa panetiweki yako. Zvishandiso zvakadaro zvinowanzo sanganisira bittorent, steam, ultrasurf, tor, tunnels dzakavanzwa senge tcp-over-dns nevamwe.
Zvakanaka, ngatitorei pane mumwe mutemo uye tione zvaunogona kuona ipapo:
Ehe, kune maapplication akajairwa kune multicast. Tinofanira kuvabvumira kuti vaone vhidhiyo yepamhepo kuti vashande. Dzvanya Match Usage. Hukuru! Ndatenda Policy Optimizer.
Zvakadini neKudzidza kweMichina?
Iye zvino zvave fashoni kutaura nezve otomatiki. Zvandakatsanangura zvakabuda - zvinobatsira zvakanyanya. Pane imwezve mukana wandinofanira kutaura nezvawo. Uku ndiko kushanda kweMuchina Kudzidza kwakavakirwa muExpedition utility, yakambotaurwa pamusoro apa. Mune izvi zvinoshandiswa, zvinokwanisika kutamisa mitemo kubva kune yako yekare firewall kubva kune mumwe mugadziri. Iko kune zvakare kugona kuongorora iripo Palo Alto Networks traffic logs uye kupa zano kuti ndeipi mitemo yekunyora. Izvi zvakafanana nekushanda kwePolicy Optimizer, asi muExpedition inotowedzerwa uye unopihwa runyoro rwemitemo yakagadzirwa - unongoda kuibvumidza.
Kuti uedze kushanda uku, kune basa re laboratori - tinoridaidza kuti test drive. Muedzo uyu unogona kuitwa nekupinda mune chaiwo firewalls, iyo Palo Alto Networks vashandi vehofisi muMoscow vanozovhura pakukumbira kwako.
Chikumbiro chinogona kutumirwa kune [email inodzivirirwa] uye muchikumbiro nyora kuti: "Ndinoda kugadzira UTD yeMigration process."
Muchokwadi, basa remurabhoritari rinonzi Unified Test Drive (UTD) rine sarudzo dzinoverengeka uye dzese mushure mekukumbira.
Vashandisi vakanyoresa chete ndivo vanogona kutora chikamu muongororo. , Munogamuchirwa.
Ungade here kuti mumwe munhu akubatsire kukwenenzvera mafirewall policy?
-
kuti
-
kwete
-
Ndichazviita zvese ini
Hapana ati avhotera. Iko hakuna abstentions.
Source: www.habr.com