ProHoster > Ibhulogi > Ulawulo > Uluthatha njani ulawulo lweziseko zonxibelelwano zakho. Isahluko sesithathu. Ukhuseleko lwenethiwekhi. Icandelo lokuqala

Uluthatha njani ulawulo lweziseko zonxibelelwano zakho. Isahluko sesithathu. Ukhuseleko lwenethiwekhi. Icandelo lokuqala

Eli nqaku lelesithathu kungcelele lwamanqaku athi “Uluthatha Njani Ulawulo Lweziseko Zokusebenza Kwenethiwekhi Yakho.” Imixholo yawo onke amanqaku kuthotho kunye namakhonkco anokufunyanwa apha.

Uluthatha njani ulawulo lweziseko zonxibelelwano zakho. Isahluko sesithathu. Ukhuseleko lwenethiwekhi. Icandelo lokuqala

Akukho sizathu sokuthetha malunga nokuphelisa ngokupheleleyo iingozi zokhuseleko. Ngokomgaqo, asikwazi ukuwanciphisa abe ngu-zero. Kwakhona kufuneka siqonde ukuba njengoko sizama ukwenza uthungelwano lukhuseleke ngakumbi nangakumbi, izisombululo zethu ziya ziba zibiza kakhulu. Kufuneka ufumane urhwebo phakathi kweendleko, ubunzima, kunye nokhuseleko olunengqiqo kwinethiwekhi yakho.

Ngokuqinisekileyo, uyilo lokhuseleko ludityaniswe ngokusemthethweni kwi-architecture yonke kwaye izisombululo zokhuseleko ezisetyenzisiweyo zichaphazela ukulinganisa, ukuthembeka, ukulawulwa, ... kweziseko zenethiwekhi, ekufuneka nazo zithathelwe ingqalelo.

Kodwa mandikukhumbuze ukuba ngoku asithethi ngokwenza inethiwekhi. Ngokutsho kwethu iimeko zokuqala sele sikhethe ukuyila, sikhethe izixhobo, kwaye senze isiseko, kwaye ngeli nqanaba, ukuba kunokwenzeka, kufuneka "siphile" kwaye sifumane izisombululo kumxholo wendlela ekhethiweyo ngaphambili.

Umsebenzi wethu ngoku kukuchonga imingcipheko ehambelana nokhuseleko kwinqanaba lothungelwano kunye nokunciphisa ukuya kwinqanaba elifanelekileyo.

Uphicotho lokhuseleko lwenethiwekhi

Ukuba umbutho wakho uphumeze iinkqubo ze-ISO 27k, ke uphicotho lokhuseleko kunye notshintsho lwenethiwekhi kufuneka lungenamthungo kwiinkqubo ziphelele kule ndlela. Kodwa le migangatho ayisekho malunga nezisombululo ezithile, kungekhona malunga nokucwangciswa, kungekhona malunga noyilo ... Akukho ngcebiso ecacileyo, akukho migangatho echaza ngokucacileyo ukuba inethiwekhi yakho kufuneka ibe njani, oku kuyinkimbinkimbi kunye nobuhle balo msebenzi.

Ndingagxininisa uphicotho oluninzi olunokwenzeka lokhuseleko lwenethiwekhi:

  • uphicotho loqwalaselo lwezixhobo (ukuqina)
  • uphicotho loyilo lokhuseleko
  • ukufikelela kuphicotho
  • inkqubo yophicotho

Uphicotho lolungiselelo lwezixhobo (ukuqina)

Kubonakala ngathi kwiimeko ezininzi le yeyona ndawo ilungileyo yokuqalisa uphicotho kunye nokuphucula ukhuseleko lwenethiwekhi yakho. I-IMHO, oku kubonakaliswa kakuhle komthetho wePareto (i-20% yomzamo ivelisa i-80% yesiphumo, kwaye i-80% eseleyo yomgudu ivelisa kuphela i-20% yesiphumo).

Eyona nto ibalulekileyo kukuba sihlala sineengcebiso ezivela kubathengisi malunga "neendlela ezilungileyo" zokhuseleko xa sicwangcisa izixhobo. Oku kubizwa ngokuba “kukuqiniswa”.

Unokufumana kwakhona iphepha lemibuzo (okanye uzenzele ngokwakho) ngokusekwe kwezi ngcebiso, eziya kukunceda ubone ukuba ulungelelwaniso lwesixhobo sakho luhambelana njani nezi "ndlela zilungileyo" kwaye, ngokuhambelana nesiphumo, wenze utshintsho kwinethiwekhi yakho. . Oku kuya kukuvumela ukuba unciphise kakhulu imingcipheko yokhuseleko ngokulula, phantse akukho ndleko.

Imizekelo emininzi kwezinye iinkqubo zokusebenza Cisco.

Cisco IOS Configuration Ukuqina
Cisco IOS-XR Configuration Ukuqina
Cisco NX-OS Configuration Ukuqina
Cisco Baseline Security Check List

Ngokusekelwe kula maxwebhu, uluhlu lweemfuno zoqwalaselo kuhlobo ngalunye lwezixhobo lunokwenziwa. Umzekelo, kwiCisco N7K VDC ezi mfuno zinokujongeka ngathi kunjalo.

Ngale ndlela, iifayile zoqwalaselo zinokudalwa kwiindidi ezahlukeneyo zezixhobo ezisebenzayo kwisiseko sothungelwano sakho. Okulandelayo, ngesandla okanye usebenzisa i-automation, unako "ukulayisha" ezi fayile zoqwalaselo. Indlela yokwenza ngokuzenzekelayo le nkqubo iya kuxutyushwa ngokubanzi kolunye uchungechunge lwamanqaku kwi-orchestration kunye ne-automation.

Uphicotho loyilo lokhuseleko

Ngokuqhelekileyo, inethiwekhi yeshishini iqulethe la macandelo alandelayo ngendlela enye okanye enye:

  • I-DC (Iinkonzo zoluntu iDMZ kunye neziko ledatha ye-Intanethi)
  • Ukufikelela kwi-Intanethi
  • Ukufikelela kude kwi-VPN
  • Umgca we-WAN
  • Branch
  • Ikhampasi (Ofisi)
  • umbilini

Izihloko zithathwe kwi Cisco SAFE imodeli, kodwa akuyomfuneko, ngokuqinisekileyo, ukuba iqhotyoshelwe ngokuchanekileyo kula magama kunye nale modeli. Sekunjalo, ndifuna ukuthetha ngokubaluleka kwaye ndingagxininisi kwizinto ezisesikweni.

Kwicandelo ngalinye lala macandelo, iimfuno zokhuseleko, imingcipheko kwaye, ngokufanelekileyo, izisombululo ziya kwahluka.

Makhe sijonge nganye kuzo ngokwahlukileyo kwiingxaki onokuhlangabezana nazo ukusuka kwindawo yoyilo lokhuseleko. Ngokuqinisekileyo, ndiphinda kwakhona ukuba akukho ndlela eli nqaku lizenza ngathi ligqibekile, akulula (ukuba akunakwenzeka) ukufezekisa kwesi sihloko esinzulu ngokwenene kunye nesininzi, kodwa sibonisa amava am.

Akukho sisombululo sigqibeleleyo (ubuncinci okwangoku). Kuhlala kuvumelana. Kodwa kubalulekile ukuba isigqibo sokusebenzisa enye indlela okanye enye senziwe ngokuqonda, kunye nokuqonda kokubili okulungileyo kunye nokubi.

Umbindi data

Elona candelo libaluleke kakhulu kwimbono yokhuseleko.
Kwaye, njengesiqhelo, akukho sisombululo siphela apha. Konke kuxhomekeke kakhulu kwiimfuno zenethiwekhi.

Ngaba i-firewall iyimfuneko okanye akunjalo?

Kubonakala ngathi impendulo icacile, kodwa yonke into ayicacanga njengoko ibonakala. Kwaye ukhetho lwakho lunokuphenjelelwa kungekuphela nje ixabiso.

Umzekelo 1. Ukulibazisa.

Ukuba i-latency ephantsi iyimfuneko ebalulekileyo phakathi kwamanye amacandelo enethiwekhi, oko kukuthi, umzekelo, yinyani kwimeko yotshintshiselwano, ngoko asiyi kukwazi ukusebenzisa i-firewall phakathi kwala macandelo. Kunzima ukufumana izifundo kwi-latency kwi-firewall, kodwa iimodeli zokutshintsha ezimbalwa zinokubonelela nge-latency engaphantsi okanye kwi-odolo ye-1 mksec, ngoko ke ndicinga ukuba i-microseconds ibalulekile kuwe, ngoko ke i-firewall ayiyona eyeyakho.

Umzekelo 2. Intsebenzo.

I-output yokutshintsha kwe-L3 ephezulu idla ngokuba ngumyalelo wobukhulu obuphezulu kunokukhutshwa kwezona firewall zinamandla. Ke ngoko, kwimeko yoxinzelelo oluphezulu lwetrafikhi, kuya kufuneka ukuba uvumele le traffic ukuba idlule kwiifirewall.

Umzekelo 3. Ukuthembeka

Iifirewall, ngakumbi i-NGFW yanamhlanje (i-Next-Generation FW) zizixhobo ezintsonkothileyo. Zinzima kakhulu kunokutshintsha kwe-L3/L2. Banikezela ngenani elikhulu leenkonzo kunye neenketho zokucwangcisa, ngoko akumangalisi ukuba ukuthembeka kwabo kuphantsi kakhulu. Ukuba ukuqhubela phambili kwenkonzo kubalulekile kuthungelwano, ngoko kusenokufuneka ukhethe okuya kukhokelela ekufumanekeni okungcono - ukhuseleko ngefirewall okanye ubulula bothungelwano olwakhiwe kwiiswitshi (okanye iintlobo ngeentlobo zamalaphu) usebenzisa ii-ACLs eziqhelekileyo.

Kwimeko yale mizekelo ingasentla, kuya kufuneka ukuba (njengesiqhelo) ufumane ulungelelaniso. Jonga kwezi zisombululo zilandelayo:

  • ukuba uthatha isigqibo sokungasebenzisi firewall ngaphakathi kwiziko ledatha, kufuneka ucinge malunga nendlela yokunciphisa ufikelelo malunga nomjikelezo kangangoko kunokwenzeka. Umzekelo, unokuvula kuphela izibuko eziyimfuneko kwi-Intanethi (kwi-traffic yabathengi) kunye nofikelelo lolawulo kwiziko ledatha kuphela kwi-jump host hosts. Xa utsiba iinginginya, yenza zonke iitshekhi eziyimfuneko (ubuqinisekiso/ugunyaziso, iantivirus, ukugawulwa, ...)
  • ungasebenzisa ulwahlulo olunengqiqo lwenethiwekhi yeziko ledatha ibe ngamacandelo, afana nenkqubo echazwe kwi PSEFABRIC umzekelo p002. Kule meko, indlela kufuneka iqwalaselwe ngendlela yokuba ukulibaziseka-obuthathaka okanye ukuxinana kwetrafikhi kungene "ngaphakathi" kwecandelo elinye (kwimeko ka-p002, VRF) kwaye ingangeni kwi-firewall. I-traffic phakathi kwamacandelo ahlukeneyo iya kuqhubeka idlula kwi-firewall. Unokusebenzisa indlela evuzayo phakathi kweVRFs ukunqanda ukuphinda uqondise itrafikhi ngefirewall
  • Ungasebenzisa kwakhona i-firewall kwimowudi ecacileyo kwaye kuphela ezo VLAN apho ezi zinto (i-latency / ukusebenza) zingabalulekanga. Kodwa kufuneka ufunde ngononophelo izithintelo ezinxulumene nokusetyenziswa kwale mod kumthengisi ngamnye
  • ungafuna ukuqwalasela ukusebenzisa ulwakhiwo lwekhonkco lenkonzo. Oku kuya kuvumela i-traffic eyimfuneko kuphela ukuba idlule kwi-firewall. Ijongeka intle kwithiyori, kodwa andizange ndisibone esi sisombululo kwimveliso. Sivavanye ikhonkco lenkonzo yeCisco ACI/Juniper SRX/F5 LTM malunga neminyaka eyi-3 eyadlulayo, kodwa ngelo xesha esi sisombululo sasibonakala “sikrwada” kuthi.

Inqanaba lokhuseleko

Ngoku kufuneka uphendule umbuzo wokuba zeziphi izixhobo ofuna ukuzisebenzisa ukucoca itrafikhi. Nazi ezinye zeempawu ezidla ngokubakho kwi-NGFW (umzekelo, apha):

  • i-firewalling esemthethweni (ehlala ikho)
  • isicelo firewalling
  • uthintelo lwesisongelo (i-antivirus, i-anti-spyware, kunye nokuba sesichengeni)
  • Uhluzo lwe-URL
  • ukuhluzwa kwedatha (uhluzo lomxholo)
  • uthintelo lwefayile (uhlobo lwefayile luyavalwa)
  • ukhuseleko dos

Kwaye akusiyo yonke into ecacileyo. Kubonakala ngathi inqanaba eliphezulu lokukhusela, lingcono. Kodwa kwakhona kufuneka uyiqwalasele loo nto

  • Okukhona kule misebenzi ingentla yomlilo oyisebenzisayo, kokukhona ibiza kakhulu ngokwendalo (iilayisensi, iimodyuli ezongezelelweyo)
  • Ukusetyenziswa kwezinye ii-algorithms kunokunciphisa kakhulu i-firewall throughput kwaye kwandise ukulibaziseka, bona umzekelo apha
  • njengaso nasiphi na isisombululo esintsonkothileyo, ukusetyenziswa kweendlela zokhuseleko ezintsonkothileyo kunokunciphisa ukuthembeka kwesisombululo sakho, umzekelo, xa usebenzisa i-firewalling yesicelo, ndiye ndadibana nokuthintela usetyenziso oluqhelekileyo olusebenzayo (dns, smb)

Njengesiqhelo, kufuneka ufumane esona sisombululo silungileyo kwinethiwekhi yakho.

Akunakwenzeka ukuba uphendule ngokuqinisekileyo umbuzo wokuba yeyiphi imisebenzi yokukhusela enokufunwa. Okokuqala, kuba ngokuqinisekileyo kuxhomekeke kwidatha oyithumelayo okanye oyigcinayo kwaye uzama ukuyikhusela. Okwesibini, enyanisweni, ngokufuthi ukhetho lwezixhobo zokhuseleko luyinto yokholo nokuthembela kumthengisi. Awuzazi ii-algorithms, awuyazi ukuba zisebenza kangakanani, kwaye awukwazi ukuzivavanya ngokupheleleyo.

Ke ngoko, kumacandelo abalulekileyo, isisombululo esihle sinokuba kukusebenzisa unikezelo oluvela kwiinkampani ezahlukeneyo. Ngokomzekelo, unokwenza i-antivirus kwi-firewall, kodwa usebenzise ukhuseleko lwe-antivirus (ukusuka komnye umenzi) ekuhlaleni kwimikhosi.

Ukwahlulahlula

Sithetha ngolwahlulo olunengqiqo lwenethiwekhi yeziko ledatha. Umzekelo, ukwahlulahlula kwii-VLAN kunye nee-subnets kukwahlulahlula okunengqiqo, kodwa asiyi kuyiqwalasela ngenxa yokucaca kwayo. Ukwahlulahlula okunomdla kuthathela ingqalelo amaqumrhu anje ngemimandla yokhuseleko ye-FW, ii-VRF (kunye nemilinganiselo yazo ngokunxulumene nabathengisi abahlukeneyo), izixhobo ezinengqiqo (PA VSYS, Cisco N7K VDC, Cisco ACI Tenant, ...), ...

Umzekelo wokwahlulahlula okusengqiqweni kunye noyilo olufunwayo kwiziko ledatha lunikezelwe p002 yeprojekthi yePSEFABRIC.

Emva kokuba uchaze iindawo ezinengqiqo zenethiwekhi yakho, unokuchaza indlela ukuhamba kwetrafikhi phakathi kwamacandelo ahlukeneyo, apho ukucoca izixhobo kuya kwenziwa kwaye ngaziphi iindlela.

Ukuba inethiwekhi yakho ayinalo ulwahlulo olucacileyo olucacileyo kunye nemigaqo yokusebenzisa imigaqo-nkqubo yokhuseleko lokuhamba kwedatha eyahlukeneyo ayilungiswanga ngokusemthethweni, oku kuthetha ukuba xa uvula le okanye ukufikelela, unyanzeliswa ukuba uyisombulule le ngxaki, kwaye ngokusemandleni aphezulu. iya kusombulula ngalo lonke ixesha ngokwahlukileyo.

Ngokuqhelekileyo ulwahlulo lusekwe kuphela kwiizowuni zokhuseleko ze-FW. Emva koko kufuneka uphendule le mibuzo ilandelayo:

  • yeyiphi imimandla yokhuseleko oyifunayo
  • leliphi inqanaba lokhuseleko ofuna ukulisebenzisa kwindawo nganye kwezi
  • ingaba itrafikhi ye-intra-zone iya kuvunyelwa ngokungagqibekanga?
  • ukuba akunjalo, yeyiphi imigaqo-nkqubo yokucoca izithuthi ezakusetyenziswa ngaphakathi kwendawo nganye
  • yeyiphi imigaqo-nkqubo yohluzo lwetrafikhi ezakusetyenziswa kwiperi nganye yezowuni (umthombo/indawo yokufikela)

TCAM

Ingxaki eqhelekileyo ayiyonelanga i-TCAM (i-Ternary Content Addressable Memory), zombini kumzila kunye nokufikelela. I-IMHO, le yenye yezona zinto zibalulekileyo xa ukhetha izixhobo, ngoko ke kufuneka uphathe lo mbandela ngononophelo olufanelekileyo.

Umzekelo 1. Ukuhanjiswa kweThebhile ye-TCAM.

makhe siqwalasele Palo Alto 7k i-firewall
Siyabona ukuba IPv4 ubungakanani betafile yokugqithisela* = 32K
Ngaphezu koko, eli nani leendlela liqhelekile kuzo zonke ii-VSYS.

Makhe sicinge ukuba ngokoyilo lwakho uthatha isigqibo sokusebenzisa 4 VSYS.
Nganye kwezi VSYS ziqhagamshelwe nge-BGP ukuya kwiiMPLS ezimbini zelifu ozisebenzisayo njenge-BB. Ngaloo ndlela, i-4 VSYS itshintshiselana zonke iindlela ezithile kunye nomnye kwaye ibe netafile yokudlulisela malunga neeseti ezifanayo zeendlela (kodwa i-NHs eyahlukileyo). Ngokuba VSYS nganye ineeseshoni ezi-2 ze-BGP (kunye nezicwangciso ezifanayo), ngoko indlela nganye efunyenwe ngeMPLS ine-2 NH kwaye, ngokufanelekileyo, amangeno e-2 FIB kwiThebhile yoThutho. Ukuba sicinga ukuba le yodwa i-firewall kwiziko ledatha kwaye kufuneka ikwazi malunga nazo zonke iindlela, ngoko oku kuya kuthetha ukuba inani elipheleleyo leendlela kwiziko lethu ledatha alikwazi ukuba ngaphezu kwe-32K / (4 * 2) = 4K.

Ngoku, ukuba sicinga ukuba sinamaziko edatha ye-2 (ngoyilo olufanayo), kwaye sifuna ukusebenzisa iiVLAN "zoluliweyo" phakathi kwamaziko edatha (umzekelo, i-vMotion), emva koko ukusombulula ingxaki yomzila, kufuneka sisebenzise iindlela zokubamba. . Kodwa oku kuthetha ukuba kumaziko edatha ye-2 asiyi kuba neenginginya ezinokwenzeka ezingaphezu kwe-4096 kwaye, ngokuqinisekileyo, oku kusenokunganelanga.

Umzekelo 2. ACL TCAM.

Ukuba uceba ukucoca i-traffic kwi-L3 switch (okanye ezinye izisombululo ezisebenzisa i-L3 switch, umzekelo, i-Cisco ACI), ngoko xa ukhetha izixhobo kufuneka ubeke ingqalelo kwi-TCAM ACL.

Masithi ufuna ukulawula ukufikelela kwi-SVI ​​ujongano lweCisco Catalyst 4500. Emva koko, njengoko kunokubonwa ukusuka Oku kubhaliwe, ukulawula ukuphuma (kunye nokungenayo) i-traffic kwi-interfaces, ungasebenzisa kuphela i-4096 imigca ye-TCAM kuphela. Yiyiphi xa usebenzisa i-TCAM3 iya kukunika malunga ne-4000 lamawaka e-ACEs (imigca ye-ACL).

Ukuba ujongene nengxaki yokungonelanga kwe-TCAM, ngoko, okokuqala, ngokuqinisekileyo, kufuneka ucinge ukuba kunokwenzeka ukulungelelanisa. Ngoko ke, kwimeko yengxaki ngobungakanani beThebhile yoThutho, kufuneka ucinge ukuba kunokwenzeka ukudibanisa iindlela. Kwimeko yengxaki kunye nobukhulu be-TCAM bokufikelela, ukufikelela kuphicotho-zincwadi, ukususa iirekhodi ezidlulileyo kunye nokugqithisa, kwaye mhlawumbi uhlaziywe inkqubo yokuvula ukufikelela (iya kuxutyushwa ngokubanzi kwisahluko sokufikelela kuphicotho).

Ukufumaneka okukhulu

Umbuzo ngulo: ngaba kufuneka ndisebenzise i-HA kwii-firewalls okanye ndifake iibhokisi ezimbini ezizimeleyo "ngokuhambelanayo" kwaye, ukuba enye yazo iyasilela, i-traffic traffic ngeyesibini?

Kubonakala ngathi impendulo icacile - sebenzisa i-HA. Isizathu sokuba kutheni lo mbuzo usavela kukuba, ngelishwa, ithiyori kunye nentengiso 99 kunye neepesenti ezininzi zeedesimali zokufikeleleka ekusebenzeni zijike zibekude kakhulu. I-HA ngengqiqo yinto enzima kakhulu, kunye nezixhobo ezahlukeneyo, kunye nabathengisi abahlukeneyo (akukho ngaphandle), siye sabamba iingxaki kunye neebhugs kunye nokuyeka inkonzo.

Ukuba usebenzisa i-HA, uya kuba nethuba lokucima ii-nodes zomntu ngamnye, utshintshe phakathi kwabo ngaphandle kokumisa inkonzo, okubalulekileyo, umzekelo, xa uphucula, kodwa kwangaxeshanye unokude kwi-zero amathuba okuba zombini iindawo. iya kuphuka ngexesha elifanayo, kwaye kwakhona ukuba ukuphuculwa okulandelayo akuyi kuhamba kakuhle njengoko umthengisi ethembisa (le ngxaki inokuphetshwa ukuba unethuba lokuvavanya ukuphuculwa kwezixhobo zebhubhoratri).

Ukuba awusebenzisi i-HA, ngoko ke ukusuka kwindawo yokujonga ukungaphumeleli kabini imingcipheko yakho isezantsi kakhulu (ekubeni unama-firewall ama-2 azimeleyo), kodwa ukusukela... iiseshini azingqanyaniswanga, ngoko ngalo lonke ixesha uswitsha phakathi kwezi firewall uyakuphulukana netrafikhi. Unako, ngokuqinisekileyo, ukusebenzisa i-firewalling engapheliyo, kodwa ke indawo yokusebenzisa i-firewall ilahleka kakhulu.

Ngoko ke, ukuba ngenxa yophicotho-zincwadi ufumene i-firewall eyedwa, kwaye ucinga ngokunyusa ukuthembeka kwenethiwekhi yakho, ke, i-HA, ngokuqinisekileyo, sesinye sezisombululo ezicetyiswayo, kodwa kufuneka kwakhona uthathele ingqalelo izinto ezingeloncedo ezinxulumene nazo. ngale ndlela kwaye, mhlawumbi, ngokukodwa kwinethiwekhi yakho, esinye isisombululo siya kufaneleka ngakumbi.

Ukulawula

Ngokomgaqo, i-HA nayo imalunga nokulawulwa. Endaweni yokuqwalasela iibhokisi ezi-2 ngokwahlukeneyo kwaye ujongane nengxaki yokugcina ulungelelwaniso lukwi-sync, uyazilawula kakhulu ngokungathi unesixhobo esinye.

Kodwa mhlawumbi unamaziko amaninzi edatha kunye ne-firewall ezininzi, ngoko lo mbuzo uvela kwinqanaba elitsha. Kwaye umbuzo awukho nje malunga noqwalaselo, kodwa malunga

  • uqwalaselo backup
  • uhlaziyo
  • uphuculo
  • ukubeka esweni
  • ukugawulwa kwemithi

Kwaye konke oku kungasonjululwa ngeenkqubo zolawulo oluphakathi.

Ke, umzekelo, ukuba usebenzisa iPalo Alto firewall, ke Panorama sisisombululo esinjalo.

Ukuqhubeka.

umthombo: www.habr.com

Yongeza izimvo