Molweni! Wamkelekile kwisifundo sesithandathu sekhosi . Kulo siye safunda iziseko zokusebenza ngeteknoloji ye-NAT kwi , kwaye wakhulula umsebenzisi wethu wovavanyo kwi-Intanethi. Ngoku lixesha lokukhathalela ukhuseleko lomsebenzisi kwiindawo zakhe ezivulekileyo. Kwesi sifundo siza kujonga ezi nkcukacha zokhuseleko zilandelayo: Ukucoca iwebhu, uLawulo lweSicelo, kunye nokuhlolwa kwe-HTTPS.
Ukuqalisa ngeeprofayili zokhuseleko, kufuneka siqonde enye into: iindlela zokuhlola.
Ukungagqibeki yimowudi eSekwe ngokuQula. Ijonga iifayile njengoko zidlula kwi-FortiGate ngaphandle kokuphazamisa. Emva kokuba ipakethe ifike, icutshungulwa kwaye idluliselwe phambili, ngaphandle kokulinda ukuba ifayile yonke okanye iphepha lewebhu lifunyenwe. Ifuna izixhobo ezimbalwa kwaye ibonelela ngokusebenza okungcono kunemo ye-Proxy, kodwa ngexesha elifanayo, akusiyo yonke imisebenzi yoKhuseleko ekhoyo kuyo. Umzekelo, uThintelo lokuvuza kweDatha (DLP) lunokusetyenziswa kuphela kwimo yeProxy.
Imo yommeli isebenza ngokwahlukileyo. Yenza unxibelelwano lwe-TCP ezimbini, enye phakathi komxhasi kunye ne-FortiGate, okwesibini phakathi kwe-FortiGate kunye nomncedisi. Oku kuvumela ukuba ikhusele itrafikhi, o.k.t. ukufumana ifayile epheleleyo okanye iphepha lewebhu. Ukuskena iifayile zezoyikiso ezahlukeneyo kuqala kuphela emva kokuba yonke ifayile ikhuselwe. Oku kukuvumela ukuba usebenzise iimpawu ezongezelelweyo ezingafumanekiyo kwimowudi esekwe ngokuQula. Njengoko ubona, le mowudi ibonakala ichasene ne-Flow Based - ukhuseleko ludlala indima enkulu apha, kwaye ukusebenza kuthatha isitulo sangasemva.
Abantu bahlala bebuza: yeyiphi imowudi engcono? Kodwa akukho recipe eqhelekileyo apha. Yonke into ihlala ingumntu kwaye ixhomekeke kwiimfuno zakho kunye neenjongo. Kamva ekhosini ndiya kuzama ukubonisa umahluko phakathi kweeprofayili zokhuseleko kwiimowudi zokuQula kunye neProxy. Oku kuya kukunceda uthelekise ukusebenza kwaye wenze isigqibo sokuba yeyiphi eyona ilungileyo kuwe.
Makhe siye ngqo kwiiprofayile zokhuseleko kwaye siqale sijonge kuHluzo lweWebhu. Kuyanceda ukubeka iliso okanye ukulandelela ukuba zeziphi iiwebhusayithi ezityelelwa ngabasebenzisi. Ndicinga ukuba akukho mfuneko yokungena nzulu ekuchazeni imfuno yeprofayili enjalo kwizinto zangoku. Masiqonde ngcono ukuba isebenza njani.
Nje ukuba uqhagamshelo lwe-TCP lusekwe, umsebenzisi usebenzisa isicelo se-GET ukucela umxholo wewebhusayithi ethile.
Ukuba umncedisi wewebhu uphendula kakuhle, uthumela ulwazi malunga newebhusayithi emva. Apha kulapho isihluzo sewebhu singena khona. Iqinisekisa imixholo yale mpendulo Ngexesha lokuqinisekisa, i-FortiGate ithumela isicelo sexesha langempela kwi-FortiGuard Distribution Network (FDN) ukumisela udidi lwewebhusayithi enikeziweyo. Emva kokumisela udidi lwewebhusayithi ethile, isihluzo sewebhu, ngokuxhomekeke kwizicwangciso, senza isenzo esithile.
Kukho iintshukumo ezintathu ezikhoyo kwimowudi yokuQula:
- Vumela - vumela ufikelelo kwiwebhusayithi
- Block - block ukufikelela kwiwebhusayithi
- Ukubeka iliso - vumela ukufikelela kwiwebhusayithi kwaye uyirekhode kwiilogi
Kwimo yommeli, iintshukumo ezimbini ezongezelelekileyo zongezwa:
- Isilumkiso - nikeza umsebenzisi isilumkiso sokuba uzama ukutyelela isibonelelo esithile kwaye anike umsebenzisi ukhetho - qhubeka okanye ushiye iwebhusayithi.
- Qinisekisa - Cela iinkcukacha zomsebenzisi - oku kuvumela amaqela athile ukufikelela kwiindidi ezithintelweyo zeewebhusayithi.
Kwisiza ungajonga zonke iindidi kunye nezintlu ezincinci zesihluzo sewebhu, kwaye ufumanise nokuba loluphi udidi lwewebhusayithi ethile. Kwaye ngokubanzi, le yindawo entle eluncedo kubasebenzisi bezisombululo zeFortinet, ndikucebisa ukuba uyazi ngcono ngexesha lakho lasimahla.
Kuncinci kakhulu okunokuthethwa malunga noLawulo lweSicelo. Njengoko igama libonisa, ikuvumela ukuba ulawule ukusebenza kwezicelo. Kwaye wenza oku esebenzisa iipateni ezivela kwizicelo ezahlukeneyo, ezibizwa ngokuba ziisignesha. Esebenzisa le misayino, unokuchonga isicelo esithile kwaye asebenzise isenzo esithile kuso:
- Vumela - vumela
- Ukubeka iliso - vumela kwaye ubhale oku
- Block - thintela
- I-Quarantine-rekhoda isiganeko kwiilogi kwaye uvimbele idilesi ye-IP ngexesha elithile
Unako kwakhona ukujonga iisignesha ezikhoyo kwiwebhusayithi .
Ngoku makhe sijonge indlela yokuhlola ye-HTTPS. Ngokwezibalo ekupheleni kwe-2018, isabelo se-HTTPS traffic sidlule i-70%. Oko kukuthi, ngaphandle kokusebenzisa ukuhlolwa kwe-HTTPS, siya kukwazi ukuhlalutya kuphela malunga ne-30% yetrafikhi edlula kwinethiwekhi. Okokuqala, makhe sijonge indlela iHTTPS esebenza ngayo kuqikelelo olurhabaxa.
Umxhasi uqalisa isicelo se-TLS kwiseva yewebhu kwaye ufumana impendulo ye-TLS, kwaye ubona nesatifikethi sedijithali ekufuneka sithenjwe kulo msebenzisi. Obu bubuncinane obunqabileyo ekufuneka siyazi malunga nendlela i-HTTPS esebenza ngayo, enyanisweni, indlela esebenza ngayo inzima kakhulu. Emva kokubamba isandla kwe-TLS eyimpumelelo, ugqithiso lwedatha olufihliweyo luyaqala. Kwaye oku kulungile. Akukho mntu unokufikelela kwidatha oyitshintshisayo nge-server yewebhu.
Nangona kunjalo, kumagosa okhuseleko lwenkampani oku yintloko yokwenyani, kuba abanakuyibona le traffic kwaye bajonge imixholo yayo nokuba nge-antivirus, okanye inkqubo yokuthintela ukungena, okanye iinkqubo ze-DLP, okanye nantoni na. Oku kuchaphazela kakubi umgangatho wenkcazelo yezicelo kunye nemithombo yewebhu esetyenziswa ngaphakathi kuthungelwano - kanye yintoni ehambelana nesihloko sethu sesifundo. Itekhnoloji yokuhlola iHTTPS yenzelwe ukusombulula le ngxaki. Ubume bayo bulula kakhulu - enyanisweni, isixhobo esenza uhlolo lwe-HTTPS siququzelela iNdoda kuhlaselo oluphakathi. Kubonakala ngathi into efana nale: I-FortiGate ibamba isicelo somsebenzisi, iququzelele uxhulumaniso lwe-HTTPS kunye nayo, kwaye emva koko ivula iseshoni ye-HTTPS kunye nesixhobo esifunyenwe ngumsebenzisi. Kule meko, isatifikethi esikhutshwe yiFortiGate siya kubonakala kwikhompyuter yomsebenzisi. Kufuneka kuthenjwa ukuba isikhangeli sivumele umdibaniso.
Ngapha koko, uhlolo lwe-HTTPS yinto entsonkothileyo kwaye inemida emininzi, kodwa asizukuyiqwalasela le khosi. Ndiza kongeza nje ukuba ukuphumeza ukuhlolwa kwe-HTTPS akuyona into yemizuzu ngokuqhelekileyo kuthatha malunga nenyanga. Kuyimfuneko ukuqokelela ulwazi malunga nezinto eziyimfuneko, ukwenza izicwangciso ezifanelekileyo, ukuqokelela impendulo kubasebenzisi, kwaye ulungelelanise izicwangciso.
Ithiyori enikiweyo, kunye nenxalenye ebonakalayo, iboniswe kwesi sifundo sevidiyo:
Kwisifundo esilandelayo siza kujonga ezinye iiprofayili zokhuseleko: i-antivirus kunye nenkqubo yokuthintela ukungena. Ukuze ungaphoswa, landela uhlaziyo kula majelo alandelayo:
umthombo: www.habr.com