Encrypting according to GOST: a guide to setting up dynamic traffic routing

If your company transmits or receives personal data and other confidential information over a network that is subject to protection by law, you are required to use GOST encryption. Today we describe how we implemented such encryption, built on the S-Terra crypto gateway (CG), for one of our customers. This story will be of interest to information security specialists, as well as engineers, designers and architects. We will not dive deep into the nuances of the technical configuration in this post; we will focus on the key points of the basic setup. Extensive documentation on configuring the Linux OS daemons on which the S-Terra CG is built is freely available on the Internet. Documentation for configuring the proprietary S-Terra software is also publicly available on the vendor's portal.

A few words about the project

The customer's network topology was standard: a full mesh between the head office and the branches. It was required to encrypt the information exchange channels between all sites, of which there were 8.

Usually in such projects everything is static: static routes to each site's local network are configured on the crypto gateways (CGs), and lists of IP addresses (ACLs) for encryption are registered. In this case, however, the sites have no centralized administration, and anything can happen inside their local networks: networks can be added, removed and changed in every possible way. To avoid reconfiguring routing and ACLs on the CGs whenever the local network addressing at a site changes, it was decided to use GRE tunneling and OSPF dynamic routing, covering all the CGs and most of the core-level routers at the sites (at some sites, the infrastructure administrators preferred to use SNAT towards the CG on the core routers).

GRE tunneling allowed us to solve two problems:
1. Use the IP address of the CG's external interface for encryption in the ACL: it encapsulates all traffic sent to other sites.
2. Organize ptp tunnels between the CGs, which allow dynamic routing to be configured (in our case, the provider's MPLS L3VPN is organized between the sites).

The customer requested that encryption be implemented as a service. Otherwise, they would have had not only to maintain the crypto gateways themselves or outsource them to some organization, but also to track the lifecycle of the encryption certificates on their own, renew them in time and install new ones.
And now the actual memo: how and what we configured

Note to the CII subject: setting up a crypto gateway

Basic network configuration

First of all, we start the new CG and enter the administration console. You should begin by changing the built-in administrator password with the command change user password administrator. Then you need to run the initialization procedure (the initialize command), during which the license data is entered and the random number sensor (RNS) is initialized.

Attention! When the S-Terra CG is initialized, a security policy is established in which the security gateway interfaces do not pass packets. You must either create your own policy or use the command run csconf_mgr activate to activate a predefined permissive policy.
After that, you need to configure the addressing of the external and internal interfaces, as well as the default route. It is preferable to work with the CG's network configuration and configure encryption through the Cisco-like console. This console is designed to accept commands similar to Cisco IOS commands. The configuration generated in the Cisco-like console is, in turn, converted into the corresponding files that the OS daemons work with. You can enter the Cisco-like console from the administration console with the configure command.

Change the passwords for the built-in user cscons and for enable mode (the passwords themselves are omitted below; <new-password> is a placeholder):

> enable
Password: csp (preset)
# configure terminal
#username cscons privilege 15 secret 0 <new-password>
#enable secret 0 <new-password>

Set up the basic network configuration:

#interface GigabitEthernet0/0
#ip address 10.111.21.3 255.255.255.0
#no shutdown
#interface GigabitEthernet0/1
#ip address 192.168.2.5 255.255.255.252
#no shutdown
#ip route 0.0.0.0 0.0.0.0 10.111.21.254

GRE

Exit the Cisco-like console and drop into the Debian shell with the system command. Set your own password for the root user with the passwd command.
On each CG, a separate tunnel is configured for every other site. The tunnel interface is configured in the file /etc/network/interfaces. The ip tunnel utility, part of the pre-installed iproute2 package, is responsible for creating the interface itself. The interface creation command is written in the pre-up option.

Example configuration of a typical tunnel interface:

auto site1
iface site1 inet static
    address 192.168.1.4
    netmask 255.255.255.254
    # note: ip tunnel accepts the GRE key only as a 32-bit number or a dotted quad
    pre-up ip tunnel add site1 mode gre local 10.111.21.3 remote 10.111.22.3 key hfLYEg^vCh6p

Attention! Note that the tunnel interface settings must be placed outside the section

###netifcfg-begin###
*****
###netifcfg-end###

Otherwise, these settings will be overwritten whenever the network settings of the physical interfaces are changed through the Cisco-like console.
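A quick sanity check for the caveat above, written here as an added example (it is not S-Terra tooling or code from the article): it scans an interfaces file and reports any GRE tunnel stanza that sits between the netifcfg markers, where the Cisco-like console would overwrite it. The sample file is constructed; site1 and its addresses come from the article, site2 and 10.111.23.3 are invented for the example.

```python
# Added check, not part of S-Terra or the article: make sure GRE tunnel
# stanzas in /etc/network/interfaces sit outside the block that the
# Cisco-like console regenerates (###netifcfg-begin### ... ###netifcfg-end###).
import re

BEGIN = "###netifcfg-begin###"
END = "###netifcfg-end###"

# Constructed sample file. site1 (from the article) is placed correctly
# below the block; site2 (a constructed second site) is wrongly placed
# inside it and would be lost on the next physical-interface change.
SAMPLE = """\
auto lo
iface lo inet loopback
###netifcfg-begin###
auto eth0
iface eth0 inet static
address 10.111.21.3
netmask 255.255.255.0
auto site2
iface site2 inet static
address 192.168.1.16
netmask 255.255.255.254
pre-up ip tunnel add site2 mode gre local 10.111.21.3 remote 10.111.23.3
###netifcfg-end###
auto site1
iface site1 inet static
address 192.168.1.4
netmask 255.255.255.254
pre-up ip tunnel add site1 mode gre local 10.111.21.3 remote 10.111.22.3
"""

def tunnels_in_managed_block(text):
    """Return the names of GRE tunnel interfaces defined between the markers."""
    inside = False
    current = None
    offenders = []
    for line in text.splitlines():
        s = line.strip()
        if s == BEGIN:
            inside = True
        elif s == END:
            inside = False
        m = re.match(r"iface\s+(\S+)\s+inet\b", s)
        if m:
            current = m.group(1)  # stanza we are currently inside
        if inside and current and re.match(r"pre-up\s+ip\s+tunnel\s+add\b", s):
            offenders.append(current)
    return offenders
```

On a gateway, pass the contents of /etc/network/interfaces to tunnels_in_managed_block; an empty list means every tunnel stanza is safe from regeneration.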

Dynamic routing

In S-Terra, dynamic routing is implemented with the Quagga software package. To configure OSPF we need to enable and configure the zebra and ospfd daemons. The zebra daemon is responsible for communication between the routing daemons and the OS. The ospfd daemon, as its name suggests, is responsible for implementing the OSPF protocol.
OSPF is configured either through the daemon's console or directly in the configuration file /etc/quagga/ospfd.conf. All physical and tunnel interfaces participating in dynamic routing are added to the file, and the networks that will be advertised and on which advertisements will be received are declared.

Example of the configuration to be added to ospfd.conf:

interface eth0
!
interface eth1
!
interface site1
!
interface site2
!
router ospf
 ospf router-id 192.168.2.21
 network 192.168.1.4/31 area 0.0.0.0
 network 192.168.1.16/31 area 0.0.0.0
 network 192.168.2.4/30 area 0.0.0.0

Here the 192.168.1.x/31 addresses are reserved for the ptp networks between sites, and the 192.168.2.x/30 addresses are allocated to the transit networks between the CGs and the core routers.

Attention! To reduce the routing table in large installations, you can filter the advertisement of the transit networks themselves using the constructs no redistribute connected or redistribute connected route-map.

After configuring the daemons, you need to change the startup state of the daemons in /etc/quagga/daemons: for the zebra and ospfd entries, change no to yes. Start the quagga daemon and enable it at CG boot with the command update-rc.d quagga enable.

If the GRE tunnels and OSPF are configured correctly, routes to the networks of the other sites should appear on the CGs and core routers, and thus network connectivity between the local networks is established.

Encrypting the transmitted traffic

As already mentioned, when encrypting traffic between sites we usually specify ranges of IP addresses (ACLs) between which the traffic is encrypted: if the source and destination addresses fall within these ranges, the traffic between them is encrypted. In this project, however, the structure is dynamic and addresses may change. Since we have already configured GRE tunneling, we can specify the external CG addresses as the source and destination addresses for traffic encryption; then traffic already encapsulated by the GRE protocol arrives for encryption. In other words, everything that enters the CG from one site's local network towards the networks advertised by the other sites is encrypted, and anything may happen inside each site's network. Therefore, if there is any change in a site's networks, the administrator only needs to change the advertisements coming from their network into the network, and it will become available to the other sites.

Encryption on the S-Terra CG is implemented using the IPsec protocol. We use the Kuznyechik ("Grasshopper") algorithm according to GOST R 34.12-2015, and for compatibility with older versions GOST 28147-89 can be used. Authentication can technically be performed both with pre-shared keys (PSK) and with certificates. However, in production operation it is necessary to use certificates issued in accordance with GOST R 34.10-2012.

Working with certificates, containers and CRLs is done with the cert_mgr utility. First of all, with the command cert_mgr create you need to generate a private key container and a certificate request, which will be sent to the Certificate Management Center. After receiving the certificate, it must be imported together with the root CA certificate and the CRL (if used) with the command cert_mgr import. You can verify that all certificates and CRLs are installed with the command cert_mgr show.

After the certificates have been installed successfully, go to the Cisco-like console to configure IPsec.
We create an IKE policy describing the desired algorithms and parameters of the secure channel being established, which will be offered to the peer for agreement.

#crypto isakmp policy 1000
#encr gost341215k
#hash gost341112-512-tc26
#authentication sign
#group vko2
#lifetime 3600

This policy is applied when establishing the first phase of IPsec. The result of successfully completing the first phase is the establishment of an SA (Security Association).
Next, we need to define the list of source and destination IP addresses (ACL) for encryption, generate a transform set, create a crypto map and bind it to the CG's external interface.

Configure the ACL:
#ip access-list extended site1
#permit gre host 10.111.21.3 host 10.111.22.3

Transform set (as in the first phase, we use the Kuznyechik encryption algorithm, here in the MAC (imitation insert) generation mode):

#crypto ipsec transform-set GOST esp-gost341215k-mac

Create the crypto map, specifying the ACL, the transform set and the peer address:

#crypto map MAIN 100 ipsec-isakmp
#match address site1
#set transform-set GOST
#set peer 10.111.22.3

Bind the crypto map to the CG's external interface:

#interface GigabitEthernet0/0
#ip address 10.111.21.3 255.255.255.0
#crypto map MAIN

To encrypt the channels to the other sites, you must repeat the procedure of creating an ACL and a crypto map entry, changing the ACL name, the IP addresses and the crypto map sequence number.
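The repetition described above is easy to get wrong by hand when there are eight sites, so here is an added helper (not code from the article or from S-Terra) that generates the per-site ACL and crypto map entries for the Cisco-like console and checks that no ACL name, peer or sequence number is reused. site1 and 10.111.22.3 are taken from the article; site2 and 10.111.23.3 are constructed for the example.

```python
# Added helper, not part of the article or S-Terra: generate the per-site ACL
# and crypto map entries that must be repeated for each remote site, with a
# distinct ACL name, peer address and crypto map sequence number per site.
# site1 / 10.111.22.3 come from the article; site2 and its address are constructed.
LOCAL_EXT_IP = "10.111.21.3"
SITES = {"site1": "10.111.22.3", "site2": "10.111.23.3"}

def site_crypto_config(local_ip, sites, map_name="MAIN", first_seq=100, step=10):
    """Return Cisco-like console lines: one ACL and one crypto map entry per site."""
    lines = []
    for i, (name, remote_ip) in enumerate(sorted(sites.items())):
        seq = first_seq + i * step
        lines += [
            f"ip access-list extended {name}",
            f" permit gre host {local_ip} host {remote_ip}",
            f"crypto map {map_name} {seq} ipsec-isakmp",
            f" match address {name}",
            " set transform-set GOST",  # the shared transform set from the article
            f" set peer {remote_ip}",
        ]
    return lines

def check_unique(lines):
    """Fail if two entries reuse an ACL name, a peer or a crypto map sequence
    number: the typical copy-paste mistake when repeating the block by hand."""
    acls, seqs, peers = [], [], []
    for line in lines:
        parts = line.split()
        if parts[:3] == ["ip", "access-list", "extended"]:
            acls.append(parts[3])
        elif parts[:2] == ["crypto", "map"]:
            seqs.append(parts[3])
        elif parts[:2] == ["set", "peer"]:
            peers.append(parts[2])
    for kind, items in (("ACL", acls), ("sequence", seqs), ("peer", peers)):
        dup = {x for x in items if items.count(x) > 1}
        if dup:
            return False, f"duplicate {kind}: {sorted(dup)}"
    return True, "ok"
```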

Attention! If certificate verification against a CRL is not used, this must be stated explicitly:

#crypto pki trustpoint s-terra_technological_trustpoint
#revocation-check none

At this point the setup can be considered complete. The output of the Cisco-like console commands show crypto isakmp sa and show crypto ipsec sa should show the established first and second phases of IPsec. The same information can be obtained with the command sa_mgr show, executed from the Debian shell. The output of the command cert_mgr show should now include the remote site's certificate; the status of such certificates will be Remote. If the tunnels are not established, look at the VPN service log, stored in the file /var/log/cspvpngate.log. A complete list of log files with a description of their contents is available in the documentation.

Monitoring the "health" of the system

The S-Terra CG uses the standard snmpd daemon for monitoring. In addition to the usual Linux parameters, S-Terra supports out of the box the delivery of IPsec tunnel data according to CISCO-IPSEC-FLOW-MONITOR-MIB, which we use to monitor the state of the IPsec tunnels. Custom OIDs that return the result of a script as their value are also supported. This feature lets us track certificate expiration dates. The script we wrote parses the output of the command cert_mgr show and returns the number of days until the local and root certificates expire. This technique is indispensable when administering a large number of CGs.
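A worked version of the expiry-tracking idea above, added here as an example (it is not the script from the article and not S-Terra code): it parses cert_mgr show output into days-until-expiry for the local and root certificates and reduces that to a single integer suitable for an snmpd extend entry. The cert_mgr output layout (a numbered "Status:" line followed by "Subject:" and "Not After:" lines) is a constructed assumption; the regexes must be adapted to the real layout on the gateway.

```python
# Added example, not the script from the article: derive "days until expiry"
# from `cert_mgr show` output for use as an snmpd extend value.
# The output layout below is a constructed assumption (status, subject and
# "Not After" lines per certificate); adapt the regexes to the real layout.
import re
from datetime import datetime, timezone

SAMPLE_OUTPUT = """\
1 Status: Local
  Subject: CN=cg-site1
  Not After: 2026-03-01 12:00:00
2 Status: Remote
  Subject: CN=cg-site2
  Not After: 2025-12-15 12:00:00
3 Status: Trusted
  Subject: CN=Root CA
  Not After: 2030-01-01 00:00:00
"""

def parse_ts(s):
    """Parse the constructed 'YYYY-MM-DD HH:MM:SS' timestamp as UTC."""
    return datetime.strptime(s.strip(), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def days_to_expiry(output, statuses=("Local", "Trusted"), now=None):
    """Return {subject: days_left} for local and root (trusted) certificates.
    Remote peers' certificates are skipped: their renewal is the peer's job."""
    now = now or datetime.now(timezone.utc)
    result, status, subject = {}, None, None
    for line in output.splitlines():
        m = re.match(r"\s*\d+\s+Status:\s+(\S+)", line)
        if m:
            status, subject = m.group(1), None  # new certificate record
            continue
        m = re.match(r"\s*Subject:\s+(.+)", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"\s*Not After:\s+(.+)", line)
        if m and status in statuses and subject:
            result[subject] = (parse_ts(m.group(1)) - now).days
    return result

def min_days_left(output, now=None):
    """One integer for SNMP polling: the smallest days-left, or -1 if none parsed."""
    days = days_to_expiry(output, now=now)
    return min(days.values()) if days else -1
```

On the gateway, feed min_days_left the real output of cert_mgr show and publish the value through an extend line in snmpd.conf; alert when it drops below your renewal lead time.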

What is the advantage of this encryption approach?

All the functionality described above is supported out of the box by the S-Terra CG. That is, there was no need to install any additional modules that could affect the certification of the crypto gateways and of the information system as a whole. The channels between sites can be anything, even the Internet.

Because the crypto gateways do not need to be reconfigured when the internal infrastructure changes, the system works as a service, which is very convenient for the customer: they can place their services (client and server) at any addresses, and all changes will be propagated dynamically between the encryption equipment.

Of course, encryption affects data transfer speed because of its overhead, but only slightly: channel throughput may drop by 5-10% at most. At the same time, the technology has been tested and has shown good results even on satellite channels, which are quite unstable and have low bandwidth.

Igor Vinokhodov, 2nd line administration engineer at Rostelecom-Solar

Source: www.habr.com
