Modern solutions for building information security systems: the network packet broker (Network Packet Broker)

Information security has split off from networking into an independent industry with its own specifics and its own equipment. Yet there is a little-known class of devices that sits at the intersection of networking and information security: network packet brokers (Network Packet Broker), also known as traffic aggregators, specialized/monitoring switches, Security Delivery Platform, Network Visibility, and so on. And we, as a Russian developer and manufacturer of such equipment, would very much like to tell you more about them.

Scope and the problems to be solved

Network packet brokers have found their main application in information security systems. Nevertheless, this class of equipment is still new and occupies a small niche in the wider networking market compared with switches, routers and the like. The pioneer in developing this type of product was the American company Gigamon. Today there are considerably more players in this market (including the well-known maker of test systems, IXIA, which has similar solutions), but still only a narrow circle of specialists know that such equipment exists. As noted above, even the term itself is not settled: the names range from "network visibility systems" to "balancers".

While developing our own network packet broker, we found that, in addition to studying the trends in functional development and testing in labs and test environments, we had to explain to potential customers at the same time that this class of equipment exists at all, because not everyone is aware of it.

Just 15-20 years ago there was little traffic on networks, and most of it was non-critical data. But Nielsen's Law echoes Moore's Law: Internet speed grows by 50% every year. The volume of traffic is also growing steadily (the graph shows the 2017 forecast from Cisco, source: Cisco Visual Networking Index: Forecast and Trends, 2017-2022):

[Figure: Cisco Visual Networking Index traffic forecast, 2017-2022]
Along with speed, the value of the information in circulation (all those trade secrets and the notorious personal data) and the dependence of the entire infrastructure on it are growing as well.

This is how the information security industry came about. The industry responded with a large number of deep packet inspection (DPI) tools: from DDoS attack protection systems to security information and event management systems, including IDS, IPS, DLP, NBA, SIEM, anti-malware and so on. As a rule, each of these tools is software installed on a server platform. Moreover, each program (analysis tool) is installed on its own server platform: the software vendors are different, and analysis at L7 requires a lot of computing resources.

When building an information security system, several major problems have to be solved:

  • how to deliver traffic from the infrastructure to the analysis systems? (the SPAN ports intended for this purpose in modern infrastructure are insufficient in number or in performance)
  • how to distribute traffic between the different analysis systems?
  • how to scale the systems when the performance of a single analyzer instance is insufficient to process the whole volume of traffic arriving at it?
  • how to monitor 40G/100G interfaces (and in the near future 200G/400G), when analysis tools currently support only 1G/10G/25G interfaces?

And the related tasks that follow from them:

  • how to cut off irrelevant traffic that does not need to be processed but still reaches the analysis tools and consumes their resources?
  • how to handle encapsulated packets and packets carrying equipment service tags, whose analysis is either resource-intensive or impossible altogether?
  • how to exclude from analysis certain traffic that is not covered by the security policy (for example, management traffic).

As everyone knows, demand creates supply, and network packet brokers began to develop in response to these needs.

General description of network packet brokers

A network packet broker operates at the packet level and in this sense resembles an ordinary switch. The main difference from a switch is that the rules for distributing and aggregating traffic in a network packet broker are defined entirely by configuration. Network packet brokers have no mechanisms for building forwarding tables (MAC tables) or for exchanging protocols with other switches (such as STP), and so the number of possible settings, and of the fields they understand, is very large. A broker can evenly distribute traffic from one or more input ports across a given set of output ports according to an outgoing load-balancing scheme. You can set rules for copying, filtering, splitting, restoring and modifying traffic. These rules can be applied to different groups of the network packet broker's input ports, and can also be applied sequentially, one after another, inside the device itself. An important capability of a packet broker is the ability to process full traffic flows while preserving session integrity (when balancing traffic across several DPI systems of the same type).

Preserving session integrity means delivering all packets of one transport-layer session (TCP/UDP/SCTP) to the same port. This matters because DPI systems (usually software running on a server connected to the packet broker's output port) analyze the traffic contents at the application level, and all packets sent or received by a single endpoint must arrive at the same analysis point. If packets of one session are lost or spread across different DPI devices, each DPI device finds itself in the position of reading not the whole text, but individual words from it. And, most likely, the text will not be understood.

So, with respect to information security systems, the network packet broker has functions that help connect DPI software systems to high-speed networks and reduce the load on them: it performs preliminary filtering, sorting and preparation of traffic to simplify the processing that follows.

And since network packet brokers collect a variety of statistics and are usually connected to several points in the network, they also find a place in diagnosing problems with the operation of the network itself.

Basic function of a network packet broker

The name "specialized/monitoring switch" comes from the basic purpose: to collect traffic from the infrastructure (usually via passive optical TAP couplers and/or SPAN ports) and distribute it among the analysis tools. Traffic is mirrored (duplicated) between systems of different types, and balanced between systems of the same type. Basic functionality usually includes filtering by fields up to L4 (MAC, IP, TCP/UDP port, etc.) and aggregation of several lightly loaded links into one (for example, for processing on a single DPI system).

This functionality solves the basic task of connecting DPI systems to the network. Brokers from various manufacturers that are limited to the basic functionality offer processing of up to 32 100G interfaces per 1U (more interfaces simply do not fit physically on a 1U front panel). However, they do not reduce the load on the analysis tools, and in a complex infrastructure they cannot even meet the requirements of the basic task: a session spread across several links (or wrapped in MPLS tags) may be balanced unevenly across different analyzer instances and often drops out of analysis altogether.

Besides adding 40/100G interfaces and, as a consequence, increasing performance, network packet brokers are actively developing in terms of new functionality: from balancing on nested tunnel headers to traffic decryption. Unfortunately, such models cannot boast terabit performance, but they allow you to build a genuinely high-quality and technologically "beautiful" information security system, in which every analysis tool is guaranteed to receive only the information it needs, in a form suitable for analysis.

Advanced network packet broker features

1. Balancing based on nested headers in tunneled traffic, mentioned above.

Why is this important? Let us look at three factors that can be critical together or separately:

  • ensuring uniform balancing when there are few links. If there are only 2 tunnels at the point where the information security systems are connected, they cannot be balanced by their outer headers across 3 server platforms while preserving session integrity. At the same time, traffic in the network is distributed unevenly, and sending each tunnel to a separate processing point demands high performance from that point;
  • ensuring session integrity and the integrity of multi-session protocol flows (for example, FTP and VoIP) whose packets end up on different links. The complexity of the network keeps growing: redundancy, virtualization, simplified management, and so on. On the one hand this increases reliability in terms of data delivery; on the other hand it complicates the work of information security systems. Even if the analyzers have enough performance to process a link dedicated to each of them, an unsolvable problem arises, since some of the packets of a user session are delivered over another link. Moreover, while some infrastructure still tries to take care of session integrity, a multi-session protocol may take completely different paths;
  • balancing in the presence of MPLS, VLAN, vendor-specific tags, and so on. These are not exactly tunnels, but devices with only the basic functionality may treat this traffic as something other than IP and balance it on MAC addresses, again breaking either the uniformity of the balancing or session integrity.

The network packet broker strips the outer headers, parsing down sequentially to the innermost IP header, and balances on that. As a result there are many more flows (and so they can be balanced more evenly and across a larger number of platforms), and the DPI system receives all packets of a session and all related sessions of a multi-session protocol.

2. Traffic modification.
One of the broadest functions in terms of its capabilities; it has many sub-functions and options for applying them:

  • payload stripping, in which case only the packet headers are sent to the analysis tool. This is relevant for analysis tools or traffic types where the packet contents are irrelevant or cannot be analyzed. For example, for encrypted traffic the parameters of the exchange (who, with whom, when and how much) may be of interest, but the payload is junk that consumes the analyzer's link and computing resources. Variants are possible where the payload is cut starting from a given offset, which gives the analysis tools some flexibility;
  • detunneling, i.e. removal of the encapsulating headers and identification of the tunnel. The goal is to reduce the load on the analysis tools and increase their performance. Detunneling can be based on a fixed offset or on dynamic header parsing with the cut point determined for each packet;
  • removal of part of the packet headers: MPLS tags, VLAN tags, specific fields of third-party equipment;
  • masking of part of the headers, for example masking IP addresses to anonymize the traffic;
  • adding service information to the packet: timestamp, input port, traffic class label, and so on.

3. Deduplication: cleaning up the traffic packets sent to the analysis tools. Duplicate packets usually arise from the way the broker is connected to the infrastructure: traffic can pass through several monitoring points and be mirrored from each of them. Retransmissions of lost TCP packets also occur, but if there are many of them, that is usually a matter of monitoring network quality rather than of information security.
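An added example (not from the article) of the deduplication described in item 3, assuming untagged Ethernet/IPv4 frames: copies of one packet captured at different monitoring points differ in MAC addresses, TTL and IP header checksum, so the fingerprint zeroes those fields, and a short time window drops the near-simultaneous copies while keeping a genuine TCP retransmission that arrives later. The addresses and the placeholder checksum value are constructed for the example.

```python
import hashlib
import struct
from collections import deque

def ip_frame(src, dst, ident, ttl, payload, smac=b"\x02" * 6, dmac=b"\x04" * 6):
    """Constructed untagged Ethernet/IPv4 frame; the checksum field is a placeholder
    derived from the TTL so that it changes per hop like a recomputed checksum would."""
    addrs = [bytes(map(int, a.split("."))) for a in (src, dst)]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, 6, 0xBEEF ^ ttl, *addrs)
    return dmac + smac + b"\x08\x00" + ip + payload

def dedup_key(frame):
    """Fingerprint that ignores the fields a router rewrites per hop (MAC addresses,
    TTL, IP header checksum) so copies seen at different points collapse to one key."""
    ip = bytearray(frame[14:])  # drop the Ethernet header entirely
    ip[8] = 0                    # TTL
    ip[10:12] = b"\x00\x00"      # header checksum
    return hashlib.sha256(bytes(ip)).digest()

class Deduplicator:
    """Drops a frame whose key was already seen within the last window_us microseconds."""
    def __init__(self, window_us):
        self.window_us, self.seen, self.order, self.dropped = window_us, {}, deque(), 0

    def admit(self, frame, ts_us):
        """True if the frame is forwarded to the analyzer, False if it is a duplicate."""
        while self.order and ts_us - self.order[0][0] > self.window_us:  # expire old keys
            old_ts, old_key = self.order.popleft()
            if self.seen.get(old_key) == old_ts:
                del self.seen[old_key]
        key = dedup_key(frame)
        if key in self.seen:
            self.dropped += 1
            return False
        self.seen[key] = ts_us
        self.order.append((ts_us, key))
        return True
```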

4. Advanced content filtering: from searching for a specific value at a given offset to signature analysis of the entire packet.

5. NetFlow/IPFIX generation: collection of extended statistics on the passing traffic and their delivery to the analysis tools.

6. Decryption of SSL traffic, which works provided that the certificate and keys are loaded into the network packet broker beforehand. Still, this greatly offloads the analysis tools.

There are many other functions, both useful and marketing-driven, but the main ones have been listed.

The evolution of detection systems (intrusion, DDoS attack) into prevention systems, together with the introduction of DPI tools, required a change in the connection scheme from passive (via TAP or SPAN ports) to active ("in-line"). This raised the reliability requirements (since a failure in this case disrupts the entire network, and not merely loses control over information security) and led to the replacement of optical couplers with optical bypasses (solving the problem of the network's operation depending on the operation of the information security system), but the main task and its requirements remain the same.

We have developed the DS Integrity network packet brokers with 100G, 40G and 10G interfaces, from circuit design and board layout through to the firmware. Moreover, unlike other packet broker vendors, the modification and balancing functions on nested tunnel headers are implemented in hardware, at full line rate.


Source: www.habr.com
