khangela indawo. Yintoni na, yintoni edliwayo, okanye ngokufutshane malunga neyona nto iphambili

Molweni, bafundi abathandekayo bakaHabr! Le yibhlog yenkampani TS Isisombululo. Singumdibanisi wenkqubo kwaye sigxile kakhulu kwizisombululo zokhuseleko lweziseko ezingundoqo ze-IT (Hlola indawo, Fortinet) kunye neenkqubo zokuhlalutya idatha yomatshini (I-Splunk). Siza kuqalisa ibhlog yethu ngentshayelelo emfutshane kwitekhnoloji yeCheck Point.

Sacinga ixesha elide malunga nokuba kufanelekile ukubhala eli nqaku, kuba... akukho nto intsha kuyo engafumanekiyo kwi-Intanethi. Nangona kunjalo, ngaphandle kolwazi oluninzi olunjalo, xa sisebenza nabathengi kunye namaqabane, sihlala siva imibuzo efanayo. Ke ngoko, kwagqitywa ekubeni kubhalwe uhlobo oluthile lwentshayelelo kwihlabathi letekhnoloji yeCheck Point kwaye iveze eyona nto iyiyo yoyilo lwezisombululo zabo. Kwaye konke oku kungaphakathi kwesakhelo sesithuba "esincinci", uhambo olukhawulezayo, ukuthetha. Ngaphezu koko, siya kuzama ukungangeni kwiimfazwe zentengiso, kuba... Asingomthengisi, kodwa ngokulula umdibanisi wenkqubo (nangona siyithanda ngokwenene i-Check Point) kwaye siya kujonga nje amanqaku aphambili ngaphandle kokuwathelekisa nabanye abavelisi (abanje ngePalo Alto, Cisco, Fortinet, njl.). Eli nqaku liye laba lide kakhulu, kodwa ligubungela uninzi lwemibuzo kwinqanaba lokuziqhelanisa neCheck Point. Ukuba unomdla, wamkelekile kwikati...

UTM/NGFW

Xa uqala incoko malunga neCheck Point, indawo yokuqala ungaqala ngengcaciso ye-UTM kunye ne-NGFW kunye nendlela eyahluke ngayo. Siza kukwenza oku ngokufutshane ukuze isithuba singabi side kakhulu (mhlawumbi kwixesha elizayo siza kuqwalasela lo mbandela ngeenkcukacha ezincinci)

I-UTM - Ulawulo lweNgozi oluManyeneyo

Ngamafutshane, undoqo we-UTM kukudityaniswa kwezixhobo ezininzi zokhuseleko kwisisombululo esinye. Ezo. yonke into kwibhokisi enye okanye uhlobo oluthile oluqukiweyo. Kuthetha ukuthini “amayeza amaninzi”? Inketho eqhelekileyo yile: I-Firewall, i-IPS, i-Proxy (i-URL yokucoca), i-Antivirus yokusakaza, i-Anti-Spam, i-VPN njalo njalo. Konke oku kudibaniswe ngaphakathi kwesisombululo se-UTM esinye, esilula ngokumalunga nokudibanisa, ukulungelelaniswa, ulawulo kunye nokubeka iliso, kwaye oku kube nefuthe elihle kukhuseleko jikelele lwenethiwekhi. Xa izisombululo ze-UTM zaqala ukubonakala, zaziqwalaselwa kuphela kwiinkampani ezincinci, kuba... Ii-UTM azikwazanga ukumelana nomthamo omkhulu wetrafikhi. Oku kwakungenxa yezizathu ezibini:

1. Indlela yokulungisa ipakethi. Iinguqulelo zokuqala zezisombululo ze-UTM zicutshungulwe ngokulandelelana, nganye "imodyuli". Umzekelo: okokuqala ipakethi icutshungulwa yi-firewall, emva koko i-IPS, emva koko ihlolwe yi-Anti-Virus, njalo njalo. Ngokwemvelo, indlela enjalo yazisa ukulibaziseka okunzulu kwi-traffic kwaye isetyenziswe kakhulu izixhobo zenkqubo (iprosesa, imemori).
2. Izixhobo ezibuthathaka. Njengoko kukhankanyiwe ngasentla, ukusetyenzwa ngokulandelelana kweepakethi kusetyenziswe kakhulu izixhobo kunye ne-hardware yaloo maxesha (1995-2005) ayinakukwazi ukujamelana netrafikhi enkulu.

Kodwa inkqubela ayimi ngxi. Ukususela ngoko, umthamo we-hardware uye wanda kakhulu, kwaye i-packet processing ishintshile (kufuneka ivunywe ukuba ayingabo bonke abathengisi abanayo) kwaye yaqala ukuvumela uhlalutyo oluphantse lube ngaxeshanye kwiimodyuli ezininzi ngaxeshanye (ME, IPS, AntiVirus, njl.). Izisombululo ze-UTM zanamhlanje "zinokugaya" amashumi kunye namakhulu eegigabhithi kwimodi yohlalutyo olunzulu, okwenza kube lula ukuzisebenzisa kwicandelo lamashishini amakhulu okanye namaziko edatha.

Ngezantsi i-Gartner Magic Quadrant eyaziwayo yezisombululo ze-UTM ngo-Agasti ka-2016:

Andiyi kuphawula kakhulu ngalo mfanekiso, ndiza kuthetha nje ukuba iinkokeli zikwikona ephezulu ngasekunene.

I-NGFW-I-Firewall yesiZukulwana esilandelayo

Igama lithetha ngokwalo - isizukulwana esilandelayo somlilo. Lo mbono uvele emva kwexesha kakhulu kune-UTM. Ingcamango ephambili ye-NGFW luhlalutyo lwepakethe enzulu (DPI) usebenzisa i-IPS eyakhelwe-ngaphakathi kunye nolawulo lokufikelela kwinqanaba lesicelo (uLawulo lweSicelo). Kule meko, i-IPS ngokuchanekileyo yintoni efunekayo ukuchonga oku okanye eso sicelo kwi-packet stream, evumela ukuba uyivumele okanye uyikhanyele. Umzekelo: Sinokuvumela i-Skype ukuba isebenze, kodwa thintela ukuhanjiswa kwefayile. Sinokukuthintela ukusetyenziswa kweTorrent okanye iRDP. Usetyenziso lwewebhu lukwaxhaswa: Unokuvumela ukufikelela kwi-VK.com, kodwa ukuthintela imidlalo, imiyalezo okanye ukubukela iividiyo. Ngokusisiseko, umgangatho we-NGFW uxhomekeke kwinani lezicelo enokuzibhaqa. Abaninzi bakholelwa ukuba ukuvela kwengcamango ye-NGFW yayiyindlela eqhelekileyo yokuthengisa ngokuchasene nemvelaphi apho inkampani yePalo Alto yaqala ukukhula kwayo ngokukhawuleza.

I-Gartner Magic Quadrant ye-NGFW ngoMeyi ka-2016:

UTM vs NGFW

Umbuzo oqhelekileyo ngowokuba, yeyiphi engcono? Akukho mpendulo iqinisekileyo apha kwaye ayinakubakho. Ngokukodwa ukuqwalasela into yokuba phantse zonke izisombululo ze-UTM zanamhlanje ziqulethe ukusebenza kwe-NGFW kwaye uninzi lwe-NGFWs luqulethe imisebenzi ehambelana ne-UTM (i-Antivirus, i-VPN, i-Anti-Bot, njl.). Njengamaxesha onke, "umtyholi usezinkcukacha," ngoko ke okokuqala kufuneka wenze isigqibo malunga nento oyifunayo kwaye wenze isigqibo malunga nohlahlo lwabiwo-mali lwakho. Ngokusekelwe kwezi zigqibo, iinketho ezininzi zinokukhethwa. Kwaye yonke into idinga ukuvavanywa ngokungathandabuzekiyo, ngaphandle kokukholelwa kwizinto zokuthengisa.

Thina ke, kwisakhelo samanqaku amaninzi, siya kuzama ukuxelela malunga ne-Check Point, ungazama njani kwaye yintoni, ngokomgaqo, ungazama (phantse yonke imisebenzi).

Amaqumrhu amathathu okuhlola

Xa usebenza ngeCheck Point, ngokuqinisekileyo uya kudibana namacandelo amathathu ale mveliso:

1. Isango loKhuseleko (SG) - isango lokhuseleko ngokwalo, elihlala lifakwe kwi-perimeter yenethiwekhi kwaye lenze imisebenzi ye-firewall, i-antivirus yokusakaza, i-antibot, i-IPS, njl.
2. Iseva yoLawulo loKhuseleko (SMS) - iseva yolawulo lwesango. Phantse zonke iisetingi kwisango (SG) zenziwa ngokusebenzisa le seva. I-SMS inokuthi isebenze njengeSeva ye-Log kwaye isebenze kunye nohlalutyo lwesiganeko esakhelwe ngaphakathi kunye nenkqubo yokulungelelanisa - Isiganeko esihlakaniphile (esifana ne-SIEM ye-Check Point), kodwa ngakumbi emva koko. I-SMS isetyenziselwa ulawulo oluphakathi kumasango amaninzi (inani lamasango lixhomekeke kwimodeli yeSMS okanye ilayisenisi), kodwa kufuneka uyisebenzise nokuba unesango elinye kuphela. Kufuneka kuqatshelwe apha ukuba i-Check Point yayiyeyokuqala ukusebenzisa inkqubo yolawulo oluphakathi, oluye lwaqatshelwa "njengomgangatho wegolide" ngokweengxelo zikaGartner iminyaka emininzi ngokulandelelana. Kukho neqhula: "Ukuba iCisco ibinenkqubo yolawulo eqhelekileyo, iCheck Point ibingasoze ivele."
3. I-Smart Console — ikhonsoli yomxhasi yokuqhagamshela kwiseva yolawulo (SMS). Ngokuqhelekileyo ifakwe kwikhompyuter yomlawuli. Lonke utshintsho kumncedisi wolawulo lwenziwa ngale console, kwaye emva koko unokusebenzisa izicwangciso kumasango okhuseleko (Faka iPolisi).

   

Jonga iNdlela yokuSebenza yeNdawo

Ukuthetha malunga nenkqubo yokusebenza ye-Check Point, sinokukhumbula ezintathu ngexesha elinye: IPSO, SPLAT kunye ne-GAIA.

1. IPSO -inkqubo yokusebenza ye-Ipsilon Networks, eyayiyeyakwaNokia. Ngo-2009, iCheck Point yathenga eli shishini. Azisekho ukuphuhlisa.
2. SPLAT - Khangela uphuhliso lweNdawo, ngokusekelwe kwi-kernel ye-RedHat. Azisekho ukuphuhlisa.
3. Gaia - inkqubo yokusebenza yangoku esuka kwi-Check Point, evele ngenxa yokuhlanganiswa kwe-IPSO kunye ne-SPLAT, ebandakanya konke okulungileyo. Ivele kwi-2012 kwaye iyaqhubeka nokuphuhlisa ngokusebenzayo.

Ukuthetha ngeGaia, kufuneka kuthiwe okwangoku inguqu eqhelekileyo yi-R77.30. Ngoku kutshanje, kwavela inguqulo ye-R80, eyahluke kakhulu kuleyo yangaphambili (zombini ngokwemigaqo yokusebenza kunye nokulawula). Siza kunikezela isithuba esahlukileyo kwisihloko sokungafani kwabo. Enye ingongoma ebalulekileyo kukuba okwangoku kuphela inguqulelo eyi-R77.10 enesatifikethi seFSTEC, kwaye inguqulelo eyi-R77.30 iyaqinisekiswa.

Iinketho zophumezo (Jonga iNdawo yeSixhobo, umatshini obonakalayo, i-OpenServer)

Akukho nto imangalisayo apha, njengabathengisi abaninzi, i-Check Point ineenketho ezininzi zemveliso:

1. zikagesi — ihardware kunye nesixhobo sesoftware, i.e. "iqhekeza lentsimbi" layo. Kukho iimodeli ezininzi ezahlukileyo ekusebenzeni, ukusebenza kunye noyilo (kukho iinketho zothungelwano lwamashishini).

   

2. Umshini ontle -Khangela umatshini wenyani oneGaia OS. Hypervisors ESXi, Hyper-V, KVM zixhaswa. Inikwe ilayisensi ngenani le processor cores.
3. I-OpenServer — ukufaka iGaia ngokuthe ngqo kumncedisi njengeyona ndlela iphambili yokusebenza (ebizwa ngokuba yi "Bare metal"). Kuphela ihardware ethile exhaswayo. Kukho iingcebiso zale hardware ekufuneka ilandelwe, kungenjalo iingxaki ngabaqhubi kunye nezixhobo zobugcisa zinokuvela. inkxaso inokwala ukukusebenzela.

Iinketho zophumezo (zisasazwe okanye zizimele)

Incinci encinci sele sixoxile ukuba yintoni isango (SG) kunye nomncedisi wolawulo (SMS). Ngoku makhe sixoxe ngeendlela zokuphunyezwa kwazo. Kukho iindlela ezimbini eziphambili:

1. Izimele (SG+SMS) - ukhetho xa zombini isango kunye nomncedisi wolawulo zifakwe ngaphakathi kwesixhobo esinye (okanye umatshini wenyani).

   
   
   Olu khetho lufanelekile xa unesango elinye kuphela elilayishwe kancinci ngetrafikhi yomsebenzisi. Olu khetho lolona lunoqoqosho kakhulu, kuba... akukho mfuneko yokuthenga iseva yolawulo (SMS). Nangona kunjalo, ukuba isango lilayishwe kakhulu, unokuphelisa inkqubo yokulawula "ecothayo". Ngoko ke, ngaphambi kokuba ukhethe isisombululo se-Standalone, kungcono ukubonisana okanye ukuvavanya olu khetho.

2. Ihanjisiwe — iseva yolawulo ifakwe ngokwahlukileyo kwisango.

   
   
   Olona khetho lungcono malunga nokulula kunye nokusebenza. Isetyenziswe xa kuyimfuneko ukulawula amasango amaninzi ngexesha elinye, umzekelo aphakathi kunye namasebe. Kule meko, kufuneka uthenge iseva yokulawula (i-SMS), enokuthi ibe luhlobo lwesixhobo okanye umatshini obonakalayo.

Njengoko benditshilo ngasentla, iNqaku lokuHlola linenkqubo yayo ye-SIEM-Isigigaba esiSmart. Ungayisebenzisa kuphela kwimeko yofako oluSasaziwe.

Iindlela zokusebenza (Ibhulorho, iKhokelwe)
ISango loKhuseleko (SG) linokusebenza ngeendlela ezimbini eziphambili:

• Indlela - olona khetho luqhelekileyo. Kule meko, isango lisetyenziswa njengesixhobo se-L3 kunye neendlela zokuhamba ngokwazo, okt. Indawo yokuKhangela lisango elimiselweyo lomsebenzi womnatha okhuselweyo.
• iblorho — imowudi ecacileyo. Kule meko, isango lifakwe njenge "bridge" eliqhelekileyo kwaye lidlula kwi-traffic kwinqanaba lesibini (OSI). Olu khetho luqhele ukusetyenziswa xa kungekho nto (okanye umnqweno) wokutshintsha isiseko esikhoyo. Akunyanzelekanga ukuba utshintshe i-topology yenethiwekhi kwaye akufuneki ucinge ngokutshintsha idilesi ye-IP.

Ndingathanda ukuqaphela ukuba kwimodi yeBridge kukho imida ngokwemigaqo yokusebenza, ngoko thina, njengomhlanganisi, sicebisa bonke abathengi bethu ukuba basebenzise imowudi ye-Routed, ngokuqinisekileyo, ukuba kunokwenzeka.

Jonga iiBleyi zeSoftware yeeNgcaciso

Siphantse safikelela kwisihloko esibaluleke kakhulu se-Check Point, ephakamisa imibuzo emininzi phakathi kwabathengi. Zeziphi ezi “software blades”? Amacwecwe abhekisa kwimisebenzi ethile yeNdawo yokuHlola.

Le misebenzi inokuvulwa okanye icinywe ngokuxhomekeke kwiimfuno zakho. Kwangaxeshanye, kukho iiblades ezivulwe ngokukodwa kwisango (uKhuseleko lweNethiwekhi) kwaye kuphela kumncedisi wolawulo. Imifanekiso engezantsi ibonisa imizekelo yazo zombini iimeko:

1) KuKhuseleko lweNethiwekhi (ukusebenza kwesango)

Masiyichaze ngokufutshane, kuba... blade nganye ifanelwe inqaku layo.

• I-Firewall - ukusebenza kwe-firewall;
• IPSec VPN - ukwakha uthungelwano lwabucala lwenyani;
• Ukufikelela kwiselula - ukufikelela kude kwizixhobo eziphathwayo;
• IPS - inkqubo yokuthintela ukungena;
• I-Anti-Bot - ukhuseleko kwiinethiwekhi ze-botnet;
• I-Antivirus - i-antivirus yokusakaza;
• I-AntiSpam kunye noKhuseleko lwe-imeyile - ukhuseleko lwe-imeyile yenkampani;
• Ukwazisa ngesazisi - ukudibanisa nenkonzo ye-Active Directory;
• Ukubeka iliso-esweni phantse zonke iiparamitha zesango (umthwalo, i-bandwidth, ubume beVPN, njl.njl.)
• Ulawulo lwesicelo - i-firewall yenqanaba lesicelo (umsebenzi we-NGFW);
• Uhluzo lwe-URL-Ukhuseleko lwewebhu (+umsebenzi wommeleli);
• UThintelo loLahleko lweDatha - ukhuseleko ekuvuzeni kolwazi (DLP);
• Ukoyikiswa koMsongelo-iteknoloji yebhokisi yesanti (i-SandBox);
• Ukutsalwa kwesongelo - iteknoloji yokucoca iifayile;
• I-QoS - ukubeka phambili i-traffic.

Kumanqaku ambalwa siza kujonga ngokuthe kratya kwi-Treat Emulation kunye ne-Treat Extraction blades, ndiqinisekile ukuba iya kuba nomdla.

2) KuLawulo (lawula ukusebenza kweseva)

• Ulawulo loMgaqo-nkqubo wothungelwano - ulawulo lomgaqo-nkqubo olubekwe kwindawo enye;
• Ulawulo loMgaqo-nkqubo we-Endpoint - ulawulo oluphakathi lwe-Check Point agents (ewe, i-Check Point ivelisa izisombululo kungekhona nje ukukhuselwa kwenethiwekhi, kodwa kunye nokukhusela iindawo zokusebenza (iiPC) kunye nee-smartphones);
• Ukuloga & Isimo - ingqokelela ephakathi kunye nokulungiswa kweelog;
• Ulawulo lwePortal - ulawulo lokhuseleko oluvela kwisikhangeli;
• Ukuhamba komsebenzi - ukulawula utshintsho lomgaqo-nkqubo, uphicotho lweenguqu, njl.;
• Uvimba weefayili woMsebenzisi- ukudibanisa ne-LDAP;
• Ukubonelela - ukuzenzekela kulawulo lwesango;
• Intatheli eSmart - inkqubo yokunika ingxelo;
• I-Smart Event - uhlalutyo kunye nokulungelelaniswa kweziganeko (SIEM);
• Ukuthobela - ngokuzenzekelayo ijonga izicwangciso kwaye wenze iingcebiso.

Asiyi kuqwalasela imiba yelayisensi ngokweenkcukacha ngoku, ukuze singabhubhisi inqaku kwaye singabhidanisi umfundi. Kunokwenzeka ukuba siza kuthumela oku kwindawo eyahlukileyo.

Ukwakhiwa kwee-blades kukuvumela ukuba usebenzise kuphela imisebenzi oyifunayo ngokwenene, echaphazela uhlahlo lwabiwo-mali lwesisombululo kunye nokusebenza ngokubanzi kwesixhobo. Kusengqiqweni ukuba okukhona uvula iiblade ezininzi, kokukhona i-traffic encinci onokuthi "uqhube ngayo". Yiyo loo nto itheyibhile yokusebenza ilandelayo incamathele kwimodeli nganye yokuHlola (sithathe iimpawu zemodeli ye-5400 njengomzekelo):

Njengoko ubona, kukho iindidi ezimbini zovavanyo apha: kwitrafikhi yokwenziwa kunye nakwitrafikhi yokwenyani - exutyiweyo. Ngokubanzi, ukujonga iNdawo kunyanzelekile ukuba kupapashe iimvavanyo zokwenziwa, kuba... abanye abathengisi basebenzisa iimvavanyo ezinjalo njengeebenchmarks, ngaphandle kokuhlola ukusebenza kwezisombululo zabo kwi-traffic yangempela (okanye bafihle ngamabomu idatha enjalo ngenxa yendalo yabo enganelisiyo).

Kuhlobo ngalunye lovavanyo, unokuqaphela iinketho ezininzi:

1. uvavanyo lweFirewall kuphela;
2. Uvavanyo lwe-Firewall+IPS;
3. Uvavanyo lwe-Firewall + IPS + NGFW (Ulawulo lwesicelo);
4. vavanya iFirewall+Application Control+URL Ukuhluza+IPS+Antivirus+Anti-Bot+SandBlast (sandbox)

Jonga ngononophelo ezi parameters xa ukhetha isisombululo sakho, okanye uqhagamshelane ukubonisana.

Ndicinga ukuba kulapho sinokugqiba inqaku lentshayelelo kwitekhnoloji yeCheck Point. Okulandelayo, siza kujonga indlela onokuthi uvavanye ngayo i-Check Point kunye nendlela yokujongana nezisongelo zokhuseleko lolwazi lwanamhlanje (iintsholongwane, i-phishing, i-ransomware, i-zero-day).

PS Inqaku elibalulekileyo. Nangona imvelaphi yayo yangaphandle (yakwaSirayeli), isisombululo siqinisekisiwe kwi-Russian Federation ngabasemagunyeni abalawulayo, ezenza ngokusemthethweni ubukho bayo kumaziko karhulumente (inkcazo ngu. Denyemall).

Ngabasebenzisi ababhalisiweyo kuphela abanokuthatha inxaxheba kuphando. Ngena, ndiyacela.

Zeziphi izixhobo ze-UTM/NGFW ozisebenzisayo?

• Hlola indawo

• Cisco Firepower

• Fortinet

• Palo Alto

• Sophos

• UDell SonicWALL

• Huawei

• Umlindi

• Juniper

• UserGate

• Umhloli wezithuthi

• IRubicon

• Ideco

• Isisombululo se-OpenSource

• Okunye

Bangama-134 abasebenzisi abavotileyo. Abasebenzisi abali-78 abakhange.

umthombo: www.habr.com