Testing will tell: how to prepare for a Cisco ISE deployment and understand which system features you actually need


How often do you buy something on impulse, won over by a slick advertisement, only for the once-coveted item to gather dust in a closet, pantry or garage until the next spring cleaning or move? The result is disappointment from unjustified expectations and wasted money. It is far worse when this happens to a business. Marketing is often so persuasive that companies buy an expensive solution without seeing the full picture of how it will be used. Pilot testing of a system, on the other hand, helps you understand how to prepare the infrastructure for integration, what works and to what extent, and what still needs to be done. This way you avoid a large share of the problems that come from choosing a product "blindly". And a deployment that follows a competent "pilot" costs the engineers far fewer nerve cells and grey hairs. Let's look at why pilot testing matters for a successful project, using a popular corporate network access control tool, Cisco ISE, as the example. We will cover both the standard and the thoroughly non-standard ways of applying the solution that we have met in our practice.

Cisco ISE: a "RADIUS server on steroids"

Cisco Identity Services Engine (ISE) is a platform for building an access control system for an organization's local network. In the professional community the product has earned the nickname "RADIUS server on steroids" for its characteristics. Why? Essentially, the solution is a RADIUS server with a large number of additional services and "tricks" bolted on, which let you collect a great deal of contextual information and apply the resulting data set in access policies.

Like any other RADIUS server, Cisco ISE talks to the access-layer network equipment, collects information about everything that attempts to connect to the corporate network and, based on authentication and authorization policies, admits users to the LAN or rejects them. However, the ability to profile endpoints, assess their posture and integrate with other information security solutions makes it possible to build much richer authorization logic and thereby solve rather difficult and interesting tasks.


No deployment without testing: why you need a pilot

The value of pilot testing is that it shows all the capabilities of the system in the real infrastructure of a specific organization. I believe that piloting Cisco ISE before the deployment benefits everyone involved in the project, and here is why.

It gives the integrator a clear idea of what the customer expects and helps draft a proper statement of work, one with far more detail than the usual phrase "make sure everything works". The "pilot" lets us feel all of the customer's pain points and understand which functions matter most to them and which are secondary. For us it is the best chance to find out in advance which equipment the organization uses, how the deployment will proceed, at which sites, where, and so on.

During the pilot, the customer sees the real system in action, gets to know its interface, can check whether it is compatible with their existing hardware, and gains a complete understanding of how the solution will behave after full deployment. The "pilot" is precisely the moment when you can spot all the pitfalls you may run into during integration, and decide how many licenses you need to buy.

What can "surface" during the "pilot"

So how do you prepare for a Cisco ISE deployment? From our experience, we have counted four main points that are important to weigh during the pilot testing of the system.

Form factor

First, you need to decide in which form the system will be deployed: as a physical or a virtual appliance. Each option has its pros and cons. For example, the strength of a physical appliance is its predictable performance, but do not forget that such devices become obsolete over time. Virtual appliances are somewhat less predictable because their performance depends on the hardware the virtualization environment runs on, but they have a serious advantage: as long as support is in place, they can always be upgraded to the latest version.

Is your network equipment compatible with Cisco ISE?

Of course, the ideal scenario would be to connect all devices to the system at once. However, that is not always possible, since many organizations still use unmanaged switches or switches that do not support some of the technologies Cisco ISE relies on. And we are not only talking about switches: this also applies to wireless controllers, VPN concentrators and any other equipment through which users connect. In my practice there have been cases where, after a demonstration of the fully deployed system, the customer replaced almost the entire fleet of access-layer switches with modern Cisco devices. To avoid unpleasant surprises, it is important to establish in advance what share of the equipment is unsupported.

Are all your devices standard?

Any network has standard devices that should not be hard to connect: workstations, IP phones, Wi-Fi access points, video cameras, and so on. But it also happens that non-standard devices need to be connected to the LAN, for example RS232/Ethernet bus signal converters, uninterruptible power supplies, various industrial machines, etc. It is important to know the list of such devices in advance, so that by the deployment stage you already understand how the technology will work with Cisco ISE.

A constructive dialogue with the IT specialists

The customers of Cisco ISE are usually security departments, while IT departments are usually the ones responsible for configuring the access-layer switches and Active Directory. Successful cooperation between the security and IT specialists is therefore one of the important conditions for a painless deployment of the system. If the latter view the integration with hostility, it is worth explaining to them how useful the solution will be for the IT department itself.

Top 5 Cisco ISE use cases

In our experience, the functionality the system actually needs also becomes apparent at the pilot stage. Below are some of the most popular and some of the less commonly used use cases for the solution.

Secure wired LAN access with EAP-TLS

As the findings of our pentesters show, attackers quite often penetrate a company network through ordinary wall sockets to which printers, phones, IP cameras, Wi-Fi access points and other non-personal network devices are connected. So even when network access is built on dot1x, if other EAP methods are used without certificates to authenticate the user, there is a high probability of a successful attack through session hijacking and password brute-forcing. With Cisco ISE and EAP-TLS, stealing a credential becomes much harder, since an attacker would need the private key of a certificate rather than a password, which makes this case very effective.

Dual-SSID wireless access

The essence of this scenario is to use two network identifiers (SSIDs). One of them can be called "guest". Through it both visitors and company employees can reach the wireless network. When they try to connect, they are redirected to a special portal where provisioning takes place. That is, the user is issued a certificate and their personal device is configured to automatically connect to the second SSID, which already uses EAP-TLS with all the advantages of the first case.

MAC Authentication Bypass and Profiling

Another popular use case is automatically detecting the type of a connected device and applying restrictions to it. Why is it interesting? The fact is that there are still many devices that do not support 802.1X authentication. Such devices have to be admitted to the network by their MAC address, which is quite easy to spoof. This is where Cisco ISE comes to the rescue: with the system you can observe how a device behaves on the network, build its profile and assign it to a group of similar devices, for example IP phones or workstations. If an attacker connects to the network with a spoofed MAC address, the system sees that the device's profile has changed, which indicates suspicious behaviour, and, provided the authorization policy is written to act on the change, the suspicious endpoint is not admitted to the network.
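To make the profile-change idea concrete, here is an added illustration that is not Cisco ISE code and not from the article: a toy MAB profiler that assigns an endpoint to a group from a few observed attributes (LLDP-MED capabilities, the DHCP class identifier, the OUI vendor) and denies a MAC that later matches a different group than the one it was learned with. Real profiling weighs many probes with certainty scores; this uses a first-match rule list. The group names, VLAN names, the printer vendor string and all endpoint values are constructed for the example ("MSFT 5.0" is the class identifier Windows DHCP clients really send).

```python
"""Toy MAB profiler with profile-change detection (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Observation:
    """What the network tells us about one endpoint at one point in time."""
    mac: str
    oui_vendor: str            # vendor from an OUI table (lookup assumed done elsewhere)
    dhcp_class_id: str         # DHCP option 60 as sent by the client, "" if none
    lldp_caps: FrozenSet[str]  # LLDP-MED capabilities advertised, e.g. {"telephone"}


@dataclass(frozen=True)
class Decision:
    access: str   # "PERMIT", "RESTRICT" or "DENY"
    group: str
    vlan: str
    reason: str


# First matching rule wins. The printer vendor name is a constructed placeholder.
PROFILE_RULES: List[Tuple[str, Callable[[Observation], bool]]] = [
    ("IP-Phone", lambda o: "telephone" in o.lldp_caps),
    ("Workstation", lambda o: o.dhcp_class_id.startswith("MSFT 5.0")),
    ("Printer", lambda o: o.oui_vendor == "ExamplePrinterCo"),
]

# Authorization per group for endpoints admitted via MAB. A workstation should be
# doing 802.1X, so a MAB-only workstation only gets a restricted VLAN.
GROUP_POLICY: Dict[str, Tuple[str, str]] = {
    "IP-Phone": ("VOICE_VLAN", "PERMIT"),
    "Printer": ("PRINT_VLAN", "PERMIT"),
    "Workstation": ("RESTRICTED_VLAN", "RESTRICT"),
}
UNKNOWN_POLICY = ("QUARANTINE_VLAN", "RESTRICT")


def classify(obs: Observation) -> str:
    for group, rule in PROFILE_RULES:
        if rule(obs):
            return group
    return "Unknown"


class Profiler:
    """Remembers the group each MAC was profiled into and flags changes."""

    def __init__(self) -> None:
        self.known: Dict[str, str] = {}

    def authorize(self, obs: Observation) -> Decision:
        group = classify(obs)
        previous = self.known.get(obs.mac)
        # An endpoint may legitimately move from Unknown to a real group once
        # more probes arrive; any other change is treated as a possible spoof.
        if previous not in (None, "Unknown") and previous != group:
            return Decision("DENY", group, "NONE",
                            f"profile changed {previous} -> {group}")
        self.known[obs.mac] = group
        vlan, access = GROUP_POLICY.get(group, UNKNOWN_POLICY)
        return Decision(access, group, vlan, "profile match")


def demo() -> List[Decision]:
    """Constructed sequence: a phone, then a laptop cloning the phone's MAC."""
    profiler = Profiler()
    phone = Observation("00:11:22:33:44:55", "Cisco", "", frozenset({"telephone"}))
    laptop = Observation("00:11:22:33:44:55", "Cisco", "MSFT 5.0", frozenset())
    sensor = Observation("66:77:88:99:aa:bb", "UnknownCo", "", frozenset())
    return [profiler.authorize(o) for o in (phone, laptop, sensor)]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The cloned MAC keeps the phone's OUI, so vendor alone would not catch it; the DHCP class identifier and the missing LLDP-MED capability are what change the profile. The same "Unknown may be upgraded, anything else is a change" rule is what lets new devices be learned gradually without opening a hole for spoofing.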

EAP-Chaining

EAP-Chaining involves sequential authentication of the machine and the user account in one session. The case has become widespread because many companies still do not welcome employees' personal devices on the corporate LAN. With this authentication approach it is possible to check whether a given workstation is a domain member, and if the result is negative, the user is either refused access to the network or admitted with certain restrictions.

Posture

This case is about checking that the workstation's software complies with the information security requirements. With this technology you can check whether the software on the workstation is up to date, whether security controls are installed on it, whether the firewall is configured, and so on. Interestingly, the same technology also lets you solve tasks unrelated to security, for example checking for the presence of required files or installing system-wide software.

Less common Cisco ISE use cases include access control based on pass-through domain authentication (Passive ID), SGT-based micro-segmentation and filtering, and integration with mobile device management (MDM) systems and vulnerability scanners.

Non-standard projects: what else you might need Cisco ISE for, or 3 rare cases from our practice

Access control for Linux-based servers

Once we were solving a non-trivial problem for a customer who already had Cisco ISE deployed: we needed a way to control user (especially administrator) actions on servers running Linux. Looking for a solution, we came up with the idea of using the free PAM RADIUS module, which lets you log in to Linux servers with authentication against an external RADIUS server. Everything would be fine, if not for one "but": the RADIUS server, in its response to an authentication request, returns only the account name and the result, an Access-Accept or Access-Reject. Meanwhile, for a login to work on Linux you have to assign at least one more parameter, the home directory, so that the user has somewhere to land. We did not find a way to pass this as a RADIUS attribute, so we wrote a special script that creates the accounts on the hosts remotely in semi-automatic mode. The task was manageable because we were dealing with administrator accounts, and there were not that many of them. After that, users logged in to the required device and received the access they needed. A reasonable question arises: is Cisco ISE necessary in such a situation? Actually, no, any RADIUS server would do, but since the customer already had the system, we simply added one more function to it.
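The script described above is not shown on the page; the following is an added example of how such a semi-automatic provisioning step can look, written for this article rather than taken from the author or from any Cisco tool. It assumes sshd uses pam_radius_auth.so for authentication (the PAM and pam_radius_auth.conf lines in the comments are the module's documented syntax), that RADIUS-backed admins are collected in a local group called radius-admins (an assumed name), and that an operator reviews the emitted commands before running them on the host. The reconciliation covers both directions: admins the RADIUS side will accept but the host does not know yet get a local account with a home directory and no local password, and group members no longer on the authorised list get their account expired, which the PAM account phase enforces regardless of how authentication succeeded. The /etc/passwd and /etc/group contents are constructed samples.

```python
"""Provisioning plan for RADIUS-authenticated admin logins on a Linux host.

Added example, not the author's script. Assumed host configuration:
  /etc/pam.d/sshd            -> auth sufficient pam_radius_auth.so
  /etc/raddb/server          -> 192.0.2.10  <shared-secret>  3
The module only yields accept/reject, so the local account and its home
directory must exist before the first login; this script works out what
is missing and prints the commands for an operator to review.
"""
import re
import shlex
from typing import Dict, Iterable, List, Set

# Portable username: lowercase letters, digits, underscore, hyphen, max 32 chars.
# Anything else is refused so the generated shell commands cannot be poisoned.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

ADMIN_GROUP = "radius-admins"   # assumed group name, not from the page

# Constructed samples standing in for the files read from the host.
PASSWD_SAMPLE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1001:1001::/home/alice:/bin/bash\n"
    "carol:x:1002:1002::/home/carol:/bin/bash\n"
)
GROUP_SAMPLE = "radius-admins:x:1005:alice,carol\n"


def parse_passwd(text: str) -> Dict[str, str]:
    """Return {username: home_dir} from /etc/passwd-formatted text."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        users[fields[0]] = fields[5]
    return users


def parse_group_members(text: str, group: str) -> Set[str]:
    """Return the supplementary members of `group` from /etc/group text."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == group:
            return {m for m in fields[3].split(",") if m}
    return set()


def build_plan(authorized: Iterable[str], passwd_text: str, group_text: str,
               group: str = ADMIN_GROUP) -> List[str]:
    """Commands that reconcile the host with the authorised admin list."""
    wanted = set(authorized)
    for name in wanted:
        if not USERNAME_RE.match(name):
            raise ValueError(f"refusing unsafe username {name!r}")
    existing = parse_passwd(passwd_text)
    members = parse_group_members(group_text, group)
    plan: List[str] = []
    # 1. RADIUS will accept these, but the host has no account: create one with
    #    a home directory and no local password, so the only way in is PAM/RADIUS.
    for name in sorted(wanted - set(existing)):
        plan.append(f"useradd -m -d /home/{name} -s /bin/bash "
                    f"-G {shlex.quote(group)} {shlex.quote(name)}")
    # 2. Still in the admin group but no longer authorised: expire the account.
    #    pam_unix's account check rejects expired accounts even after a RADIUS
    #    accept, so a stale entry on the RADIUS side cannot log in.
    for name in sorted(members - wanted):
        plan.append(f"usermod --expiredate 1970-01-02 {shlex.quote(name)}")
    return plan


if __name__ == "__main__":
    for cmd in build_plan(["alice", "bob"], PASSWD_SAMPLE, GROUP_SAMPLE):
        print(cmd)
```

Running the block prints one `useradd` for bob and one `usermod` for carol; alice needs nothing. Note that this only handles the home directory and group membership the page mentions; sudo rights and the RADIUS-side policy for who may reach which host still live in ISE and the host's sudoers.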

Hardware and software inventory on the LAN

We once worked on a Cisco ISE deployment for a customer without a preliminary "pilot". There were no clear requirements for the solution, and on top of that we were dealing with a flat, unsegmented network, which made our job harder. During the project we configured every profiling method the network supported: NetFlow, DHCP, SNMP, AD integration, and so on. Next, MAB access was configured so that an endpoint could still get onto the network if authentication failed. That is, even when authentication was unsuccessful, the system still let the endpoint in, collected information about it and recorded it in the ISE database. Several weeks of observing the network this way helped us identify the connected systems and non-personal devices and work out an approach to segmenting them. After that we also configured posture so that an agent was installed on the workstations to collect information about the software installed on them. The outcome? We were able to segment the network and compile the list of software that had to be removed from the workstations. I will not hide that some of the work of sorting users into domain groups and defining access rights took us a lot of time, but this way we got a complete picture of the hardware the customer had on the network. Incidentally, that part was not hard thanks to the good out-of-the-box profiling. Where profiling did not help, we checked by hand, marking the switch ports the devices were connected to.

Remote software installation on workstations

This case is one of the most surprising in my practice. One day a customer came to us with a cry for help: something had gone wrong in their Cisco ISE deployment, everything was broken, and nobody could get onto the network. We started investigating and found the following. The company had 2,000 computers which, with no domain controller, were managed under a local administrator account. For visibility, the organization deployed Cisco ISE. They needed some way to find out whether antivirus was installed on the existing PCs, whether the software environment was up to date, and so on. And since the IT administrators had added the network devices to the system, it is natural that they had access to it. After seeing how it worked and poking around on their PCs, management came up with the idea of installing software on employees' workstations remotely, without a visit in person. Imagine how many steps a day that saves! The administrators created several workstation checks for the presence of a certain file under C:\Program Files, and if it was missing, automatic remediation was triggered: the user was sent a link to a file share containing the setup .exe. This let ordinary users go to the file share and download the required software from there. Unfortunately, the admin did not know ISE well and broke the posture mechanism: he wrote a rule incorrectly, which caused the outage we were brought in to fix. Personally, I am genuinely amazed by such design approaches, because setting up a domain controller would have been cheaper and less labour-intensive. But as a proof of concept it worked.

Read more about the technical nuances that come up when deploying Cisco ISE in my next article, "Cisco ISE deployment practice. An engineer's view".

Artem Bobrikov, design engineer at the Information Security Center, Jet Infosystems

Afterword:
Although this post is about the Cisco ISE system, the problems described apply to the whole class of NAC solutions. It does not matter much which vendor's solution is planned for deployment; most of the above will still hold.

Source: www.habr.com
