Siqhubeka nothotho lwamanqaku okusebenza noluhlu olutsha lwemodeli ye-SMB yokujonga i-CheckPoint, masikukhumbuze ukuba ku sichaze iimpawu kunye nobuchule beemodeli ezintsha, iindlela zolawulo kunye nolawulo. Namhlanje siza kujonga imeko yokuhanjiswa kwemodeli yakudala kuthotho: I-CheckPoint 1590 NGFW. Nasi isishwankathelo sale nxalenye:
- Ukukhupha izixhobo (inkcazo yamacandelo, uqhagamshelwano olubonakalayo kunye nothungelwano).
- Ukuqaliswa kwesixhobo sokuqala.
- Ukusekwa kokuqala.
- Uvavanyo lomsebenzi.
Izixhobo zokukhulula
Ukwazi izixhobo kuqala ngokususa izixhobo kwibhokisi, ukuqhaqha amacandelo kunye nokufaka iinxalenye; cofa kwi-spoiler, apho inkqubo inikezelwa ngokufutshane.
Ukuhanjiswa kweNGFW 1590
Ngokufutshane malunga namacandelo:
- NGFW 1590;
- iadaptha yamandla;
- Ii-Antenna ze-Wifi ezi-2 (2.4 Hz kunye ne-5 Hz);
- Ii-eriyali ezi-2 ze-LTE;
- Iincwadana ezinamaxwebhu (isikhokelo esifutshane soqhagamshelwano lokuqala, isivumelwano selayisenisi, njl.njl.)
Ngokuphathelele izibuko zenethiwekhi kunye nojongano, kukho zonke izakhono zangoku zokuhanjiswa kwetrafikhi kunye nokunxibelelana, izibuko elahlukileyo lendawo ye-DMZ, i-USB 3.0 yongqamaniso nePC.
Inguqulo ye-1590 ifumene idizayini ehlaziyiweyo, iinketho zanamhlanje zonxibelelwano olungenacingo kunye nokwandiswa kwememori: i-2 slots yokusebenza kunye ne-Micro / Nano SIM kwimodi ye-LTE. (siceba ukubhala ngolu khetho ngokweenkcukacha kwelinye lamanqaku ethu alandelayo kuluhlu olunikezelwe kuqhagamshelwano olungenazingcingo); slot ikhadi le-SD.
Unokufunda ngakumbi malunga nezakhono ze-1590 NGFW kunye nezinye iimodeli ezintsha kwi ukusuka kuthotho lwamanqaku malunga nezisombululo ze-CheckPoint SMB. Siza kuqhubeka nokuqaliswa kokuqala kwesixhobo.
Ukuqaliswa kokuqala
Abafundi bethu abaqhelekileyo kufuneka baqaphele ukuba umgca we-SMB we-1500 Series usebenzisa i-80.20 Embedded OS entsha, ebandakanya i-interface ehlaziyiweyo kunye nezakhono eziphuculweyo.
Ukuqala ukuqalisa isixhobo kufuneka:
- Nika amandla kwisango.
- Qhagamshela intambo yenethiwekhi ukusuka kwiPC yakho ukuya kwi-LAN -1 kwisango.
- Ngokuzithandela, unokubonelela ngokukhawuleza isixhobo ngokufikelela kwi-Intanethi ngokuqhagamshela ujongano kwizibuko le-WAN.
- Yiya kwi-Gaia Embedded portal:
Ukuba ulandele amanyathelo achaziweyo ngaphambili, emva kokuya kwiphepha le-portal ye-Gaia, kuya kufuneka uqinisekise ukuvula iphepha ngesatifikethi esingathembekanga, emva koko iwizadi yezicwangciso ze-portal iya kuqalisa:
Uya kubuliswa liphepha elibonisa imodeli yesixhobo sakho, kufuneka uye kwicandelo elilandelayo:
Siya kucelwa ukuba senze i-akhawunti yokugunyazwa, kunokwenzeka ukuba ucacise iimfuno eziphezulu zephasiwedi kumlawuli, kwaye sibonisa ilizwe apho siya kusebenzisa isango.
Ifestile elandelayo ichaphazela umhla kunye noseto lwexesha; ungayiseta ngesandla okanye usebenzise iseva yeNTP yenkampani.
Isinyathelo esilandelayo sibandakanya ukuseta igama lesixhobo kunye nokucacisa isizinda senkampani ukwenzela ukuba iinkonzo zesango zisebenze ngokuchanekileyo kwi-Intanethi.
Inyathelo elilandelayo lichaphazela ukhetho lolawulo lwe-NGFW, apha kufuneka kuqatshelwe:
- Ulawulo lweNdawo. Olu lukhetho olukhoyo lokulawula isango ekuhlaleni usebenzisa iGaia Portal iphepha lewebhu.
- Ulawulo oluphakathi. Olu hlobo lolawulo lubandakanya ungqamaniso kunye neseva yoLawulo lwe-CheckPoint ezinikeleyo, ungqamaniso kunye nelifu le-Smart1-Cloud okanye nge-SMP (inkonzo yolawulo ye-SMB).
Kweli nqaku, siza kugxila kwindlela yoLawulo lweNdawo; ungacacisa indlela eyimfuneko. Ukuziqhelanisa nenkqubo yongqamaniso kunye neSeva yoLawulo oluzinikeleyo, sicebisa ukusuka kwi-CheckPoint Getting Started training series elungiselelwe yi-TS Solution.
Okulandelayo, iwindow iya kuboniswa ichaza indlela yokusebenza yojongano kwisango:
- Imowudi yokutshintsha ithetha ubukho be-subnet ukusuka kujongano olunye ukuya kwi-subnet yolunye ujongano.
- Ikhubaza imo yoTshintsho ngokufanelekileyo ivala imowudi yoTshintsho; izibuko lendlela nganye yetrafikhi njengeqhekeza lothungelwano elahlukileyo.
Kwakhona kucetywayo ukuba kucaciswe iqela leedilesi ze-DHCP eziya kusetyenziswa xa kudityaniswa nojongano lwasekhaya lwesango.
Inyathelo elilandelayo kukulungisa indlela yokungena kwimowudi engenazingcingo; siceba ukuxoxa ngalo mba ngokubanzi kwinqaku elinye kuthotho, ngoko ke sakuhlehlisa uqwalaselo lwezicwangciso. Unokwenza indawo entsha yokufikelela engenazingcingo, usete igama lokugqitha ukuze uqhagamshele kuyo kwaye umisele indlela yokusebenza yetshaneli engenazingcingo (2.4 Hz okanye 5 Hz).
Inyathelo elilandelayo liya kuba kukulungisa ukufikelela kwisango labalawuli benkampani. Ngokungagqibekanga, amalungelo ofikelelo avumelekile ukuba umdibaniso uvela:
- I-subnet yenkampani yangaphakathi
- Inethiwekhi engenazingcingo ethembekileyo
- Itonela yeVPN
Inketho yokudibanisa kwisango nge-Intanethi ikhutshaziwe ngokungagqibekanga, oku kuthwala imingcipheko enkulu kwaye kufuneka kuthethelelwe ukubandakanywa, ngaphandle koko kucetyiswa ukuba uyishiye njengomzekelo wethu.Kukwakhona ukucacisa ukuba yeyiphi idilesi ye-IP eya kuvunyelwa. ukudibanisa kwisango.
Ifestile elandelayo iphathelene nokusebenza kweelayisensi; ekuqalisweni kwesixhobo, uya kunikwa ixesha lovavanyo lweentsuku ezingama-30. Kukho iindlela ezimbini ezikhoyo zokuvula:
- Ukuba kukho uqhagamshelo lwe-Intanethi, iphepha-mvume livulwa ngokuzenzekelayo.
- Ukuba usebenzisa ilayisenisi ngaphandle kweintanethi, kufuneka wenze oku kulandelayo: Khuphela ilayisenisi kwiZiko loMsebenzisi, bhalisa isixhobo sakho kwindawo ekhethekileyo. . Okulandelayo, kuzo zombini iimeko, kuya kufuneka ungenise ilayisenisi ekhutshelweyo ngesandla.
Okokugqibela, iwindow yokugqibela kwiwizadi yesethingi ikukhuthaza ukuba ukhethe iiblades ekufuneka zivulwe; qaphela ukuba iblade ye-QOS ivulwa kuphela emva kokuqaliswa kokuqala. Kuya kufuneka ugqibezele ngefestile yokugqiba eshwankathela izicwangciso zakho.
Ukusekwa kokuqala
Okokuqala, sicebisa ukuba kujongwe ubume bamaphepha-mvume; uqwalaselo olongezelelweyo luya kuxhomekeka koku. Yiya kwindawo ethi βEKHAYAβ β βIlayisensiβ thebhu:
Ukuba iilayisenisi ziyasebenza, sincoma ukuhlaziya ngokukhawuleza kwi-firmware yangoku; ukwenza oku, yiya kwi-"DEVICE" β "Imisebenzi yeNkqubo" ithebhu:
Uhlaziyo lweSistim lubekwe kwindawo yoPhuculo lweFirmware. Kwimeko yethu, i-firmware yangoku kunye nenguqulo yakamuva ifakwe.
Emva koko, ndicebisa ukuba ndithethe ngokufutshane malunga nezakhono kunye nezicwangciso zeeblades zesistim. Ngokwengqiqo, zinokwahlulwa zibe kuFirewall (Firewall, Control Application, URL Filtering) kunye noThintelo lweTreat (IPS, Antivirus, Anti-Bot, Threat Emulation) imigaqo-nkqubo yenqanaba.
Masiyeni kuMgaqo-nkqubo woFikelelo β Ulawulo lwe-Blade tab:
Ngokungagqibekanga, imo ye-STANDARD isetyenzisiweyo, ivumela i-traffic ephumayo kwi-Intanethi, i-traffic ngaphakathi kwenethiwekhi yendawo, kodwa kwangaxeshanye ivimba i-traffic engenayo kwi-Intanethi.
Ngokumalunga ne-APPLICATIONS & URL FILTERING blades, ngokungagqibekanga zisetelwe ukubhloka iziza ezinezinga eliphezulu lengozi, izicelo zokutshintshiselana ibhloko (i-Torrent, i-File Storage, njl.). Ungaphinda uthintele iindidi zeesayithi ngesandla.
Makhe sijonge ukhetho lwetrafikhi yabasebenzisi "Ukunciphisa usetyenziso lwe-bandwidth esetyenziswayo" kunye nokukwazi ukunciphisa isantya setrafikhi ephumayo/engenayo yamaqela ezicelo.
Okulandelayo, vula icandelwana loMgaqo-nkqubo; ngokungagqibekanga, imithetho yenziwa ngokuzenzekelayo ngokweseto ezichazwe ngaphambili.
Ukwahlulahlula kwe-NAT ngokungagqibekanga kusebenza kwi-Global Fihla Nat Automatic, o.k.t. zonke iinginginya zangaphakathi ziya kuba nokufikelela kwi-Intanethi ngedilesi ye-IP yoluntu. Kuyenzeka ukuba usete ngesandla imithetho ye-NAT yokupapasha usetyenziso okanye iinkonzo zakho zewebhu.
Okulandelayo, icandelo elichaphazela uQinisekiso loMsebenzisi kwinethiwekhi linika iinketho ezimbini: Imibuzo yoLawulo oluSebenzayo (ukudibanisa neAD yakho), uQinisekiso oluSekwe kwiSikhangeli (umsebenzisi ufaka iziqinisekiso zesizinda kwi-portal).
Kuyafaneleka ukukhankanya ukuhlolwa kwe-SSL ngokwahlukileyo; isabelo se-HTTPS epheleleyo yetrafikhi kwiNethiwekhi yeGlobal sikhula ngenkuthalo. Makhe sijonge ukuba zeziphi iimpawu ezibonelela nge-CheckPoint kwizisombululo ze-SMB Ukwenza oku, yiya kuHlolo lwe-SSL β icandelo loMgaqo-nkqubo:
Kuseto unokuhlola itrafikhi ye-HTTPS; kuya kufuneka ungenise isatifikethi kwaye usifake kwiziko lesatifikethi elithembekileyo koomatshini bomsebenzisi wokugqibela.
Sithatha imo ye-BYPASS yeendidi ezichazwe kwangaphambili njengokhetho olufanelekileyo; oku konga kakhulu ixesha xa uvumela uhlolo.
Emva kokumisela imithetho kwinqanaba le-Firewall / Isicelo, kufuneka uqhubekele ekulungiseni imigaqo-nkqubo yokhuseleko (uThintelo loTsongo), ukwenza oku, yiya kwicandelo elifanelekileyo:
Kwiphepha elivuliweyo sibona ii-blades ezinikwe amandla, utyikityo kunye neemeko zohlaziyo lwedatha. Siphinde sicelwe ukuba sikhethe iphrofayili yokukhusela i-perimeter yenethiwekhi, kunye nezicwangciso ezihambelanayo ziboniswa.
Icandelo elahlukileyo "Ukhuseleko lwe-IPS" likuvumela ukuba uqwalasele isenzo sotyikityo oluthile lokhuseleko.
Kungekudala sabhala kwiblogi yethu yeWindows Server-SigRed. Makhe sijonge ubukho bayo kwi-Gaia Embekelwe i-80.20 ngokufaka umbuzo "CVE-2020-1350"
Irekhodi lichongiwe kolu tyikityo apho enye yezenzo inokusetyenziswa. (ngokungagqibekanga uThintelo lwenqanaba lengozi Lubalulekile). Ngokufanelekileyo, ukuba nesisombululo se-SMB, awuyi kushiywa ngaphandle malunga nohlaziyo kunye nenkxaso; esi sisisombululo esipheleleyo se-NGFW kwiiofisi zesebe eziya kuthi ga kwi-200 yabantu abavela kwi-CheckPoint.
Uvavanyo lomsebenzi
Ukuqukumbela inqaku, ndingathanda ukuqaphela ukufumaneka kwezixhobo zokusombulula iingxaki emva kokuqaliswa kokuqala kunye nokucwangciswa kwesisombululo se-SMB. Ungaya kwindawo ethi βIKHAYAβ β βIzixhoboβ icandelo. Ukhetho olunokwenzeka:
- izibonelelo zenkqubo yokubeka iliso;
- itafile yomzila;
- ukujonga ukufumaneka kweenkonzo zelifu ze-CheckPoint;
- ukuveliswa kweCPinfo;
Imiyalelo yothungelwano eyakhelwe-ngaphakathi iyafumaneka: Ping, Traceroute, Traffic Capture.
Ngaloo ndlela, namhlanje sihlolisise kwaye safunda uxhulumaniso lokuqala kunye noqwalaselo lwe-NGFW 1590, uya kwenza izenzo ezifanayo kulo lonke uchungechunge lwe-1500 SMB Checkpoint. Iinketho ezikhoyo zisibonise ukuhluka okuphezulu kwezicwangciso, inkxaso yeendlela zanamhlanje zokukhusela i-traffic kwi-perimeter yenethiwekhi.
Namhlanje, izisombululo ze-CheckPoint zokukhusela iiofisi ezincinci kunye namasebe (ukuya kubantu be-200) zinezixhobo ezininzi kunye nokusebenzisa iteknoloji yakutshanje (ulawulo lwamafu, inkxaso yeSIM khadi, ukwandiswa kwememori usebenzisa amakhadi e-SD, njl.). Qhubeka uhlale unolwazi kwaye ufunde amanqaku avela kwi-TS Solution, siceba ukukhutshwa okungakumbi malunga ne-NGFW CheckPoint yosapho lwe-SMB, siyakubona!
. Hla umamele (, , , , ).
umthombo: www.habr.com