Encrypting according to GOST: a guide to configuring dynamic traffic routing

If your company transmits or receives personal data and other confidential information over a network that the law requires to be protected, GOST encryption has to be used. Today we describe how we implemented such encryption on S-Terra crypto gateways (CGs) for one of our customers. The story will interest information security specialists as well as engineers, designers and architects. We will not dive deep into the nuances of configuring the equipment in this post; we focus on the key points of the initial setup. Extensive documentation on configuring the Linux OS daemons on which the S-Terra CG is based is freely available on the Internet. Documentation on configuring the proprietary S-Terra software is also freely available on the vendor's portal.

A few words about the project

The customer's network topology was standard: a full mesh between the center and the branches. It was necessary to encrypt the information exchange between all sites, of which there were eight.

Usually in such projects everything is static: static routes to the local network of each site are configured on the crypto gateways (CGs), and lists of IP addresses (ACLs) for encryption are registered. In this case, however, the sites have no centralized control, and anything can happen inside their local networks: networks can be added, removed, and modified in every possible way. To avoid reconfiguring routing and ACLs on the CGs every time the local network addressing changes at a site, it was decided to use GRE tunneling and OSPF dynamic routing, which includes all CGs and most of the core-level routers at the sites (at some sites the infrastructure administrators preferred to use SNAT towards the CG on the core routers).

GRE tunneling allowed us to solve two problems:
1. Use the IP address of the CG's external interface in the encryption ACL: GRE encapsulates all traffic sent to other sites, so a single host-to-host rule covers it.
2. Organize ptp tunnels between the CGs, over which dynamic routing can be configured (in our case a provider MPLS L3VPN is organized between the sites).

The customer ordered encryption as a managed service. Otherwise he would have had not only to maintain the crypto gateways himself or outsource them to another organization, but also to track the life cycle of the encryption certificates on his own, renewing them on time and installing new ones.
And now the memo itself: how and what we configured

Note for the CII entity: configuring the crypto gateway

Basic network setup

First of all, we start the new CG and enter the administration console. You must begin by changing the built-in administrator password with the command change user password administrator. Then perform the initialization procedure (command initialize), during which the license data is entered and the random number generator (the "random number sensor", RNS, in S-Terra terminology) is initialized.

Attention! After the S-Terra CG is initialized, a security policy is in force under which the security gateway interfaces do not pass packets at all. You must either create your own policy or apply the predefined permissive policy with the command run csconf_mgr activate.
Next, you need to configure the addresses of the external and internal interfaces and the default route. It is preferable to work with the CG's network configuration and to configure encryption through the Cisco-like console. This console is designed for entering commands similar to Cisco IOS commands. The configuration produced with the Cisco-like console is in turn converted into the corresponding configuration files that the OS daemons work with. You can enter the Cisco-like console from the administration console with the command configure.

Change the password of the built-in user cscons and the enable password:

>enable
Password: csp (preinstalled)
#configure terminal
#username cscons privilege 15 secret 0 <new password>
#enable secret 0 <new password>

Set up the basic network configuration:

#interface GigabitEthernet0/0
#ip address 10.111.21.3 255.255.255.0
#no shutdown
#interface GigabitEthernet0/1
#ip address 192.168.2.5 255.255.255.252
#no shutdown
#ip route 0.0.0.0 0.0.0.0 10.111.21.254

GRE

Exit the Cisco-like console and go to the Debian shell with the command system. Set the root user password with the command passwd.
On each CG a separate tunnel is created for every remote site. The tunnel interface is configured in the file /etc/network/interfaces. The ip tunnel utility, included in the preinstalled iproute2 set, is responsible for creating the interface itself. The interface creation command is written in the pre-up option.

Example configuration of a typical tunnel interface:
auto site1
iface site1 inet static
address 192.168.1.4
netmask 255.255.255.254
pre-up ip tunnel add site1 mode gre local 10.111.21.3 remote 10.111.22.3 key hfLYEg^vCh6p

Note that iproute2 accepts the key argument of ip tunnel only as a 32-bit unsigned number or an IPv4-style dotted quad, so a text string like the one shown here must be replaced with such a value before ifup will bring the interface up. The GRE key only separates tunnels; it provides no confidentiality or authentication, which is why the GRE traffic is wrapped in IPsec below.

Attention! The tunnel interface settings must be placed outside the section

###netifcfg-begin###
*****
###netifcfg-end###

Otherwise these settings will be overwritten whenever the network settings of the physical interfaces are changed through the Cisco-like console.
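The tunnel stanza above is repeated once per remote site, and it is easy to get a key wrong or to drop a stanza inside the netifcfg block. The script below is an added example, not part of the article or of S-Terra's tooling: it generates the ifupdown stanza for every remote site from a constructed site table, rejects GRE keys that iproute2 would not accept, and checks that no tunnel stanza sits between the ###netifcfg-begin### and ###netifcfg-end### markers. The site2 addresses and the numeric keys are assumptions; site1 mirrors the article.

```shell
#!/bin/sh
# Added example (not from the article or S-Terra): build GRE tunnel stanzas for
# /etc/network/interfaces and check their placement relative to the netifcfg block.

LOCAL_EXT_IP="10.111.21.3"   # this CG's external interface (article value)

# Constructed site table: name, remote CG external IP, local /31 tunnel address, GRE key.
# site2's addresses and both keys are assumptions; site1 mirrors the article.
SITES="site1 10.111.22.3 192.168.1.4 1001
site2 10.111.23.3 192.168.1.16 1002"

# gre_key_ok KEY -> 0 if 'ip tunnel ... key KEY' will accept it: iproute2 takes only a
# 32-bit unsigned number or an IPv4-style dotted quad, never a free-form string.
gre_key_ok() {
    key="$1"
    case "$key" in
        ''|*[!0-9.]*) return 1 ;;           # empty, letters or symbols: rejected
    esac
    case "$key" in
        *.*)
            set -- $(printf '%s' "$key" | tr '.' ' ')
            [ $# -eq 4 ] || return 1        # exactly four octets ...
            for o in "$@"; do [ "$o" -le 255 ] || return 1; done   # ... each 0-255
            return 0 ;;
        *)
            [ "$key" -le 4294967295 ] 2>/dev/null ;;
    esac
}

# tunnel_stanza NAME REMOTE_IP LOCAL_TUNNEL_ADDR KEY -> prints one ifupdown stanza
tunnel_stanza() {
    gre_key_ok "$4" || { echo "tunnel_stanza: invalid GRE key for $1: $4" >&2; return 1; }
    printf 'auto %s\niface %s inet static\n' "$1" "$1"
    printf '    address %s\n    netmask 255.255.255.254\n' "$3"
    printf '    pre-up ip tunnel add %s mode gre local %s remote %s key %s\n' \
        "$1" "$LOCAL_EXT_IP" "$2" "$4"
    printf '    post-down ip tunnel del %s\n\n' "$1"   # remove the tunnel on ifdown
}

# all_stanzas -> stanzas for every row of SITES (fails on the first bad row)
all_stanzas() {
    while read -r name remote addr key; do
        [ -z "$name" ] && continue
        tunnel_stanza "$name" "$remote" "$addr" "$key" || return 1
    done <<EOF
$SITES
EOF
}

# outside_netifcfg FILE -> 0 if no 'ip tunnel add' line lies between the
# ###netifcfg-begin### and ###netifcfg-end### markers that the Cisco-like console rewrites
outside_netifcfg() {
    awk '
        /^###netifcfg-begin###/   { inside = 1; next }
        /^###netifcfg-end###/     { inside = 0; next }
        inside && /ip tunnel add/ { bad = 1 }
        END                       { exit bad ? 1 : 0 }
    ' "$1"
}
```

Run all_stanzas and append its output below the ###netifcfg-end### line; outside_netifcfg /etc/network/interfaces then confirms that nothing landed inside the block the console rewrites. The key check matters because ifup will fail on a key that is not numeric or dotted-quad, and a tunnel that never comes up is also a tunnel OSPF never forms an adjacency over.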

Dynamic routing

In S-Terra, dynamic routing is implemented with the Quagga software package. To configure OSPF we need to enable and configure the zebra and ospfd daemons. The zebra daemon is responsible for communication between the routing daemons and the OS. The ospfd daemon, as the name suggests, is responsible for implementing the OSPF protocol.
OSPF is configured either through the daemon console or directly through the configuration file /etc/quagga/ospfd.conf. All physical and tunnel interfaces that take part in dynamic routing are added to the file, and the networks that will be advertised and will receive advertisements are declared as well.

Example of the configuration that needs to be added to ospfd.conf:
interface eth0
!
interface eth1
!
interface site1
!
interface site2
!
router ospf
 ospf router-id 192.168.2.21
 network 192.168.1.4/31 area 0.0.0.0
 network 192.168.1.16/31 area 0.0.0.0
 network 192.168.2.4/30 area 0.0.0.0

In this case, the 192.168.1.x/31 addresses are reserved for the ptp tunnel networks between sites, and the 192.168.2.x/30 addresses are allocated to the transit networks between the CGs and the core routers.

Attention! To reduce the routing table in large installations, you can filter the advertisement of the transit networks themselves with the constructs no redistribute connected or redistribute connected route-map.

After configuring the daemons, you need to change their startup state in /etc/quagga/daemons: in the zebra and ospfd options change no to yes. Start the quagga daemon and enable it at CG boot with the command update-rc.d quagga enable.

If the GRE tunnels and OSPF are configured correctly, routes to the networks of the other sites should appear on the CGs and the core routers, and thus network connectivity between the local networks is established.

Encrypting the transmitted traffic

As already mentioned, when encrypting between sites one usually specifies ranges of IP addresses (ACLs) between which traffic is encrypted: if the source and destination addresses fall within these ranges, the traffic between them is encrypted. In this project, however, the structure is dynamic and the addresses can change. Since we have already configured GRE tunneling, we can specify the external CG addresses as the source and destination addresses for the traffic to be encrypted: by the time traffic reaches the encryption stage it is already encapsulated in GRE. In other words, everything that enters the CG from the local network of one site towards the networks announced by the other sites is encrypted, while inside each site any re-addressing can be performed. So when a local network changes, the administrator only needs to adjust the announcements coming from his network towards the transport network, and the new network becomes reachable from the other sites.

Encryption in the S-Terra CG is done with the IPsec protocol. We use the "Kuznyechik" ("Grasshopper") algorithm according to GOST R 34.12-2015, and for compatibility with older versions GOST 28147-89 can be used. Authentication can technically be based either on pre-shared keys (PSKs) or on certificates. In production, however, it is mandatory to use certificates issued in accordance with GOST R 34.10-2012.

Certificates, key containers and CRLs are handled with the cert_mgr utility. First, with the command cert_mgr create, you generate a private key container and a certificate request, which is then sent to the Certification Authority (CA). After the certificate is received, it must be imported together with the root CA certificate and the CRL (if one is used) with the command cert_mgr import. You can verify that all certificates and CRLs are installed with the command cert_mgr show.

After the certificates are installed successfully, go to the Cisco-like console to configure IPsec.
We create an IKE policy that defines the algorithms and parameters required for the secure channel being built; it will be proposed to the peer for agreement.

#crypto isakmp policy 1000
#encr gost341215k
#hash gost341112-512-tc26
#authentication sign
#group vko2
#lifetime 3600

This policy is used to build the first phase of IPsec (IKE). The result of a successful first phase is the establishment of an SA (Security Association).
Next, we need to define the list of source and destination IP addresses (ACL) to be encrypted, create a transform set, create a cryptographic map (crypto map) and bind it to the CG's external interface.

Set up the ACL:
#ip access-list extended site1
#permit gre host 10.111.21.3 host 10.111.22.3

The transform set (as in the first phase, we use the Kuznyechik encryption algorithm, in a mode that also produces an authentication tag, the "imitovstavka" or MAC):

#crypto ipsec transform-set GOST esp-gost341215k-mac

We create the crypto map, specifying the ACL, the transform set and the peer address:

#crypto map MAIN 100 ipsec-isakmp
#match address site1
#set transform-set GOST
#set peer 10.111.22.3

We bind the crypto map to the CG's external interface:

#interface GigabitEthernet0/0
#ip address 10.111.21.3 255.255.255.0
#crypto map MAIN

To encrypt the channels to the other sites, repeat the procedure of creating an ACL and a crypto map entry, changing the ACL name, the IP addresses and the crypto map sequence number.
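Repeating the ACL and crypto map steps by hand for every site is where mismatched names and duplicate sequence numbers creep in. As an added example (not from the article or from S-Terra), the script below generates the per-site Cisco-like console commands from a constructed peer table and refuses to emit a configuration with a malformed row or a duplicate crypto map sequence number. The site2 peer address and the sequence numbers are assumptions; the commands themselves are those shown above.

```shell
#!/bin/sh
# Added example (not from the article or S-Terra): emit the per-site ACL and crypto
# map entries for the Cisco-like console from a peer table, with sanity checks.

LOCAL_EXT_IP="10.111.21.3"   # this CG's external interface (article value)
CRYPTO_MAP="MAIN"            # one map, one sequence entry per remote site

# Constructed peer table: ACL/tunnel name, remote CG external IP, crypto map sequence.
# site1 mirrors the article; site2's address and the sequence numbers are assumptions.
PEERS="site1 10.111.22.3 100
site2 10.111.23.3 110"

# site_crypto NAME PEER_IP SEQ -> the commands for one site, as typed in the console.
# The ACL matches only GRE between the two CG external addresses, so the whole
# tunnel (and every site network routed into it by OSPF) is covered by one rule.
site_crypto() {
    cat <<EOF
ip access-list extended $1
 permit gre host $LOCAL_EXT_IP host $2
crypto map $CRYPTO_MAP $3 ipsec-isakmp
 match address $1
 set transform-set GOST
 set peer $2
EOF
}

# check_peers -> 0 if every row has three fields and sequence numbers are unique
# (two entries with the same sequence would overwrite each other in the map)
check_peers() {
    printf '%s\n' "$PEERS" | awk '
        NF != 3    { print "bad row: " $0 > "/dev/stderr"; bad = 1; next }
        seen[$3]++ { print "duplicate crypto map sequence " $3 > "/dev/stderr"; bad = 1 }
        END        { exit bad ? 1 : 0 }
    '
}

# all_site_crypto -> commands for every peer, or nothing (status 1) if the table is bad
all_site_crypto() {
    check_peers || return 1
    while read -r name peer seq; do
        [ -z "$name" ] && continue
        site_crypto "$name" "$peer" "$seq"
    done <<EOF
$PEERS
EOF
}
```

The same table, with the local and remote addresses swapped, produces the mirror configuration for the other end; keeping the ACL name equal to the tunnel interface name makes it easy to match a crypto map entry to the tunnel it protects when reading show crypto ipsec sa.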

Attention! If certificate verification against a CRL is not used, this must be stated explicitly:

#crypto pki trustpoint s-terra_technological_trustpoint
#revocation-check none

Bear in mind that with revocation checking disabled a compromised peer certificate remains trusted until it expires, so this setting should be a conscious decision rather than a shortcut.

At this point the setup can be considered complete. In the Cisco-like console, the output of the commands show crypto isakmp sa and show crypto ipsec sa should show the established first and second IPsec phases. The same information can be obtained with the command sa_mgr show, executed from the Debian shell. In the output of cert_mgr show the certificates of the remote sites should appear; the status of such certificates will be Remote. If the tunnels are not being established, look at the VPN service log, which is kept in the file /var/log/cspvpngate.log. A full list of log files with a description of their contents is available in the documentation.

Monitoring the "health" of the system

The S-Terra CG uses the standard snmpd daemon for monitoring. Besides the standard Linux parameters, S-Terra supports out of the box the export of IPsec tunnel data according to CISCO-IPSEC-FLOW-MONITOR-MIB, which we use to monitor the state of the IPsec tunnels. Custom OIDs that return the result of a script as their value are supported as well. This feature lets us track certificate expiration dates: a script parses the output of cert_mgr show and returns the number of days until the local and root certificates expire. This technique is indispensable when managing a large number of CGs.
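The expiry script the article mentions is not quoted, so what follows is an added example of the same idea, not the author's script: it parses a constructed sample of cert_mgr show output, computes the days left on every certificate with plain integer arithmetic (no dependence on GNU date -d), and returns the smallest value among the Local and Root certificates, the ones this CG's operator must renew. The field names in the sample (Status, Subject, Not valid after) and the dates are assumptions about the real cert_mgr show layout; only the Remote status value is from the article. Adjust the awk patterns to the real output.

```shell
#!/bin/sh
# Added example (not the article's script): days until the CG's own certificates expire,
# computed from 'cert_mgr show' output, suitable for an snmpd 'extend' entry.

# Constructed sample. The field names and dates are assumptions about the real
# 'cert_mgr show' layout; only the Remote status value comes from the article.
SAMPLE_CERT_MGR_OUTPUT='Found 3 certificates:
1 Status: Root
  Subject:         CN=Customer Root CA, O=Customer
  Not valid after: 2027-06-30 00:00:00
2 Status: Local
  Subject:         CN=cg-site1, O=Customer
  Not valid after: 2026-03-01 12:00:00
3 Status: Remote
  Subject:         CN=cg-site2, O=Customer
  Not valid after: 2025-12-15 00:00:00'

# days_from_civil Y M D -> days since 1970-01-01 (proleptic Gregorian, pure arithmetic,
# so the script behaves the same with or without GNU date)
days_from_civil() {
    y=$1; m=${2#0}; d=${3#0}          # strip one leading zero: 08 would be read as octal
    [ "$m" -le 2 ] && y=$((y - 1))    # count the year from March so Feb 29 is its last day
    era=$(( y / 400 )); yoe=$(( y - era * 400 ))
    if [ "$m" -gt 2 ]; then mm=$((m - 3)); else mm=$((m + 9)); fi
    doy=$(( (153 * mm + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# days_until "YYYY-MM-DD[ HH:MM:SS]" "YYYY-MM-DD" -> whole days from the second date to
# the first (negative once expired; the time of day is ignored)
days_until() {
    exp=${1%% *}
    set -- $(printf '%s %s' "$exp" "$2" | tr '-' ' ')
    echo $(( $(days_from_civil "$1" "$2" "$3") - $(days_from_civil "$4" "$5" "$6") ))
}

# cert_expiry TODAY < cert_mgr_output -> one line per certificate: STATUS DAYS SUBJECT
cert_expiry() {
    today="$1"
    awk '
        /^[0-9]+ Status:/     { status = $3 }
        /^ *Subject:/         { sub(/^ *Subject: */, ""); subject = $0 }
        /^ *Not valid after:/ { sub(/^ *Not valid after: */, ""); print status "|" $0 "|" subject }
    ' | while IFS='|' read -r status when subject; do
        printf '%s %s %s\n' "$status" "$(days_until "$when" "$today")" "$subject"
    done
}

# min_days_local_root TODAY < cert_mgr_output -> smallest days-left among Local and Root
# certificates; Remote certificates belong to the peers and are excluded
min_days_local_root() {
    cert_expiry "$1" | awk '
        ($1 == "Local" || $1 == "Root") && (!found || $2 < min) { min = $2 + 0; found = 1 }
        END { print (found ? min : "unknown") }
    '
}

# check_live -> what an snmpd 'extend' entry would run on a real CG
check_live() {
    cert_mgr show | min_days_local_root "$(date +%Y-%m-%d)"
}
```

On a CG, publish the value with an extend line in snmpd.conf (net-snmp's extend directive exposes a script's output under NET-SNMP-EXTEND-MIB) and alert when it drops below the lead time the CA needs to issue a replacement. The days-from-civil formula is the standard one for converting a Gregorian date to a day count; printing "unknown" rather than 0 when nothing parses keeps a parser failure from looking like an expired certificate.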

What are the advantages of such encryption?

All the functionality described above is supported by the S-Terra CG out of the box. That is, there was no need to install any additional modules that could affect the certification of the crypto gateways and of the whole information system. The channels between sites can be of any kind, even via the Internet.

Because changes to the internal infrastructure do not require reconfiguring the crypto gateways, the system works as a service, which is very convenient for the customer: he can place his services (client and server) at any addresses, and all changes are propagated dynamically between the encryption devices.

Yes, encryption affects the data transfer rate because of the overhead it adds, but only slightly: channel throughput may drop by at most 5-10%. At the same time, the technology was tested and showed good results even on satellite channels, which are quite unstable and have low bandwidth.

Igor Vinokhodov, second-line administration engineer, Rostelecom-Solar

Source: www.habr.com
