ProHoster > Ibhulogi > Ulawulo > Uluthatha njani ulawulo lweziseko zonxibelelwano zakho. Isahluko sesithathu. Ukhuseleko lwenethiwekhi. Icandelo lesithathu

Uluthatha njani ulawulo lweziseko zonxibelelwano zakho. Isahluko sesithathu. Ukhuseleko lwenethiwekhi. Icandelo lesithathu

Eli nqaku lelesihlanu kungcelele oluthi “Uluthatha Njani Ulawulo lweZibonelelo zeNethiwekhi Yakho.” Imixholo yawo onke amanqaku kuthotho kunye namakhonkco anokufunyanwa apha.

Le nxalenye iya kunikezelwa kwiKhampasi (iOfisi) kunye necandelo le-VPN lokufikelela ukude.

Uluthatha njani ulawulo lweziseko zonxibelelwano zakho. Isahluko sesithathu. Ukhuseleko lwenethiwekhi. Icandelo lesithathu

Uyilo lwenethiwekhi yeofisi lunokubonakala lulula.

Ngokwenene, sithatha i-L2 / L3 ukutshintsha kwaye sidibanise omnye nomnye. Emva koko, siqhuba isiseko esisisiseko se-villans kunye namasango angagqibekanga, ukuseta umzila olula, ukudibanisa abalawuli be-WiFi, iindawo zokufikelela, ukufaka kunye nokuqwalasela i-ASA yokufikelela kude, siyavuya ukuba yonke into yasebenza. Ngokusisiseko, njengoko sele ndibhale kwenye yangaphambili amanqaku walo mjikelo, phantse wonke umfundi okhe waya (kwaye wafunda) iisemesta ezimbini zekhosi ye-telecom unokuyila kwaye alungise uthungelwano lweofisi ukuze “ngandlel’ ithile isebenze.”

Kodwa okukhona ufunda, kokukhona lo msebenzi uqala ukubonakala ulula. Kum ngokwam, esi sihloko, isihloko soyilo lwenethiwekhi yeofisi, asibonakali silula, kwaye kweli nqaku ndiya kuzama ukucacisa ukuba kutheni.

Ngokufutshane, kukho izinto ezimbalwa ekufuneka ziqwalaselwe. Amaxesha amaninzi ezi zinto ziyangqubana kwaye kufuneka kukhangelwe ukuvumelana okufanelekileyo.
Oku kungaqiniseki yeyona nto inzima. Ngoko, xa sithetha ngokhuseleko, sinonxantathu onama-vertices amathathu: ukhuseleko, lula kubasebenzi, ixabiso lesisombululo.
Kwaye ngalo lonke ixesha kufuneka ujonge ukuhambelana phakathi kwezi zintathu.

izakhiwo

Njengomzekelo woyilo lwala macandelo mabini, njengamanqaku angaphambili, ndincoma Cisco SAFE Umzekelo: Ikhampasi yoShishino, Umda we-Intanethi yeShishini.

La ngamaxwebhu aphelelwe lixesha. Ndiziveza apha ngenxa yokuba izikimu ezisisiseko kunye nendlela yokujonga ayitshintshanga, kodwa kwangaxeshanye ndiyithanda inkcazo-ntetho ngaphezu koku. amaxwebhu amatsha.

Ngaphandle kokukhuthaza ukuba usebenzise izisombululo zeCisco, ndicinga ukuba kuluncedo ukufunda ngononophelo olu yilo.

Eli nqaku, njengesiqhelo, alizenzi nangayiphi na indlela ukuba liphelele, kodwa lilongezelelo kolu lwazi.

Ekupheleni kwenqaku, siya kuhlalutya uyilo lweofisi yeCisco SAFE ngokwemigaqo echazwe apha.

Imigaqo jikelele

Uyilo lothungelwano lweofisi kufuneka, ngokuqinisekileyo, lwanelise iimfuno eziqhelekileyo ezixoxiwe apha kwisahluko "Iikhrayitheriya zokuvavanya umgangatho woyilo". Ngaphandle kwexabiso kunye nokhuseleko, esizimisele ukuxoxa ngalo kweli nqaku, kusekho iindlela ezintathu ekufuneka siziqwalasele xa uyila (okanye usenza utshintsho):

  • scalability
  • lula ukusetyenziswa (ukulawula)
  • ukufumaneka

Uninzi lwezinto ebezixoxiwe amaziko data Oku kuyinyaniso nakwiofisi.

Kodwa kunjalo, icandelo leofisi lineenkcukacha zalo, ezibaluleke kakhulu kwimbono yokhuseleko. Undoqo wolu lwazi kukuba eli candelo lidalwe ukubonelela ngeenkonzo zenethiwekhi kubasebenzi (kunye namaqabane kunye neendwendwe) zenkampani, kwaye, ngenxa yoko, kwinqanaba eliphezulu lokuqwalaselwa kwengxaki sinemisebenzi emibini:

  • khusela izixhobo zenkampani kwizenzo ezigwenxa ezinokuvela kubasebenzi (iindwendwe, amahlakani) nakwisoftware abayisebenzisayo. Oku kuquka ukukhuselwa kuqhagamshelwano olungagunyaziswanga kwinethiwekhi.
  • khusela iinkqubo kunye nedatha yomsebenzisi

Kwaye eli licala elinye kuphela lengxaki (okanye kunoko, i-vertex enye yonxantathu). Kwelinye icala kukusebenziseka lula kunye nexabiso lezisombululo ezisetyenzisiweyo.

Masiqale ngokujonga ukuba umsebenzisi ulindele ntoni kuthungelwano lweofisi lwale mihla.

Izixhobo

Nantsi into ethi "izinto zenethiwekhi" zijongeka njani kumsebenzisi weofisi ngokoluvo lwam:

  • Ukuhamba
  • Ukukwazi ukusebenzisa uluhlu olupheleleyo lwezixhobo eziqhelekileyo kunye neenkqubo zokusebenza
  • Ukufikelela ngokulula kuzo zonke izixhobo eziyimfuneko zenkampani
  • Ubukho bemithombo ye-Intanethi, kubandakanywa neenkonzo ezahlukeneyo zamafu
  • "Ukusebenza ngokukhawuleza" kwenethiwekhi

Konke oku kusebenza kubo bobabini abasebenzi kunye neendwendwe (okanye amaqabane), kwaye ngumsebenzi weenjineli zenkampani ukwahlula ukufikelela kumaqela ahlukeneyo abasebenzisi ngokusekelwe kugunyaziso.

Makhe sijonge kwinkalo nganye kwezi ngokweenkcukacha ngakumbi.

Ukuhamba

Sithetha ngethuba lokusebenza kunye nokusebenzisa zonke izixhobo eziyimfuneko zenkampani ukusuka naphi na kwihlabathi (ngokuqinisekileyo, apho i-Intanethi ifumaneka khona).

Oku kusebenza ngokupheleleyo kwiofisi. Oku kulungele xa unethuba lokuqhubeka nokusebenza ukusuka naphi na kwiofisi, umzekelo, ukufumana i-imeyile, ukunxibelelana nomthunywa wenkampani, ube khona kwifowuni yevidiyo, ... Ngaloo ndlela, oku kukuvumela, kwelinye icala, ukusombulula imiba ethile "bukhoma" unxibelelwano (umzekelo, ukuthatha inxaxheba kwiindibano), kwaye kwelinye icala, hlala ukwi-intanethi, gcina umnwe wakho kwi-pulse kwaye usombulule ngokukhawuleza imisebenzi engxamisekileyo ephambili. Oku kulula kakhulu kwaye kuphucula ngokwenene umgangatho wonxibelelwano.

Oku kuphunyezwa ngoyilo olululo lwenethiwekhi yeWiFi.

Qaphela

Apha umbuzo udla ngokuvela: ngaba kwanele ukusebenzisa WiFi kuphela? Ngaba oku kuthetha ukuba unokuyeka ukusebenzisa izibuko ze-Ethernet eofisini? Ukuba sithetha kuphela ngabasebenzisi, kwaye kungekhona malunga namaseva, asenengqiqo ukudibanisa ne-port ye-Ethernet eqhelekileyo, ngoko ngokubanzi impendulo ithi: ewe, unokuzikhawulela kwi-WiFi kuphela. Kodwa kukho ama-nuances.

Kukho amaqela abasebenzisi abalulekileyo afuna indlela eyahlukileyo. Aba, kunjalo, ngabalawuli. Ngokomgaqo, uxhulumaniso lwe-WiFi aluthembekanga (ngokwemiqathango yokulahleka kwezithuthi) kwaye lucotha kune-port ye-Ethernet eqhelekileyo. Oku kunokubaluleka kubalawuli. Ukongeza, abalawuli benethiwekhi, umzekelo, banokuthi, ngokwemigaqo, babe nenethiwekhi yabo enikezelweyo ye-Ethernet yoqhagamshelo olungaphandle kwebhendi.

Kusenokubakho amanye amaqela/amasebe kwinkampani yakho apho ezi zinto zikwabalulekile.

Kukho enye ingongoma ebalulekileyo - umnxeba. Mhlawumbi ngenxa yesizathu esithile awufuni ukusebenzisa i-Wireless VoIP kwaye ufuna ukusebenzisa iifowuni ze-IP ngoqhagamshelwano oluqhelekileyo lwe-Ethernet.

Ngokubanzi, iinkampani endizisebenzeleyo zihlala zine-WiFi zombini kunye ne-Ethernet port.

Ndingathanda ukuhamba kungapheleli kwiofisi kuphela.

Ukuqinisekisa ukukwazi ukusebenza ukusuka ekhaya (okanye nayiphi na enye indawo ene-Intanethi efikelelekayo), uxhumano lweVPN lusetyenziswa. Kwangaxeshanye, kunqweneleka ukuba abasebenzi bangawuva umahluko phakathi kokusebenza ukusuka ekhaya kunye nomsebenzi okude, othatha ukufikelela okufanayo. Siza kuxoxa ngendlela yokucwangcisa oku kamva kwisahluko esithi "Inkqubo yoqinisekiso edibeneyo kunye nenkqubo yogunyaziso."

Qaphela

Okunokwenzeka, awuyi kukwazi ukubonelela ngokugqibeleleyo umgangatho ofanayo weenkonzo zomsebenzi okude onawo eofisini. Makhe sicinge ukuba usebenzisa iCisco ASA 5520 njengesango lakho leVPN ishiti yedatha esi sixhobo siyakwazi "ukugaya" kuphela i-225 Mbit ye-VPN traffic. Oko kukuthi, ngokubhekiselele kwi-bandwidth, ukudibanisa nge-VPN kuhluke kakhulu ekusebenzeni kwiofisi. Kwakhona, ukuba, ngenxa yesizathu esithile, i-latency, ilahleko, i-jitter (umzekelo, ufuna ukusebenzisa i-ofisi ye-IP telephony) kwiinkonzo zakho zenethiwekhi zibalulekile, awuyi kufumana umgangatho ofanayo njengokuba useofisini. Ngoko ke, xa sithetha malunga nokuhamba, kufuneka siqaphele imida enokwenzeka.

Ukufikelela ngokulula kuzo zonke izixhobo zenkampani

Lo msebenzi kufuneka usonjululwe ngokubambisana namanye amasebe obugcisa.
Imeko efanelekileyo xa umsebenzisi efuna kuphela ukuqinisekiswa kube kanye, kwaye emva koko unokufikelela kuzo zonke izixhobo eziyimfuneko.
Ukubonelela ngokufikelela ngokulula ngaphandle kokuncama ukhuseleko kunokuphucula kakhulu imveliso kunye nokunciphisa uxinzelelo phakathi koogxa bakho.

Qaphela 1

Ukufikeleleka ngokulula akukho malunga nokuba mangaphi amaxesha kufuneka ufake igama eliyimfihlo. Ukuba, umzekelo, ngokuhambelana nomgaqo-nkqubo wakho wokhuseleko, ukuze udibanise kwiofisi ukuya kwiziko ledatha, kufuneka uqale udibanise kwisango le-VPN, kwaye ngexesha elifanayo ulahlekelwa ukufikelela kwizixhobo zeofisi, ngoko ke oku kukwabi kakhulu. , kunzima kakhulu.

Qaphela 2

Kukho iinkonzo (umzekelo, ukufikelela kwizixhobo zenethiwekhi) apho ngokuqhelekileyo sineeseva zethu ze-AAA ezizinikeleyo kwaye oku kuqhelekileyo xa kule meko kufuneka siqinisekise amaxesha amaninzi.

Ubukho bemithombo ye-Intanethi

I-Intanethi ayikona nje ukuzonwabisa, kodwa kunye neseti yeenkonzo ezinokuba luncedo kakhulu emsebenzini. Kukwakho nezinto ezingokwengqondo kuphela. Umntu wanamhlanje uqhagamshelwe nabanye abantu nge-Intanethi ngemisonto emininzi ebonakalayo, kwaye, ngokoluvo lwam, akukho nto iphosakeleyo ukuba uyaqhubeka nokuziva olu nxibelelwano ngelixa esebenza.

Ukusuka kwimbono yokuchitha ixesha, akukho nto iphosakeleyo ukuba umqeshwa, umzekelo, une-Skype esebenzayo kwaye uchitha imizuzu emi-5 enxibelelana nomntu othandekayo ukuba kuyimfuneko.

Ngaba oku kuthetha ukuba i-Intanethi kufuneka ihlale ikhona, ngaba oku kuthetha ukuba abasebenzi banokufikelela kuzo zonke izixhobo kwaye bangazilawuli nangayiphi na indlela?

Hayi ayithethi loo nto, kunjalo. Inqanaba lokuvuleka kwe-Intanethi lingahluka kwiinkampani ezahlukeneyo - ukusuka ekuvaleni ngokupheleleyo ukuya ekuvuleni ngokupheleleyo. Siza kuxubusha iindlela zokulawula i-traffic kamva kumacandelo ngamanyathelo okhuseleko.

Ukukwazi ukusebenzisa uluhlu olupheleleyo lwezixhobo eziqhelekileyo

Kukulungele xa, umzekelo, unethuba lokuqhubeka usebenzisa zonke iindlela zokunxibelelana oqhele ukuzisebenzisa emsebenzini. Akukho bunzima ekuphumezeni oku ngokobuchwepheshe. Kule nto ufuna i-WiFi kunye ne-wilan yeendwendwe.

Kukwalungile ukuba unethuba lokusebenzisa inkqubo yokusebenza oyiqhelileyo. Kodwa, ekuqwalaseleni kwam, oku kuhlala kuvunyelwa kuphela kubaphathi, abalawuli kunye nabaphuhlisi.

Umzekelo:

Unako, ngokuqinisekileyo, ukulandela umendo wothintelo, ukunqanda ukufikelela kude, ukunqanda ukudibanisa kwizixhobo eziphathwayo, ukunciphisa yonke into kwi-static Ethernet uxhumano, ukunciphisa ukufikelela kwi-Intanethi, ngokunyanzeliswa ukubamba iiselfowuni kunye negajethi kwindawo yokukhangela ... kunye nale ndlela. ngokwenene ilandelwa yiminye imibutho eneemfuno zokhuseleko ezongeziweyo, kwaye mhlawumbi kwezinye iimeko oku kunokulungiswa, kodwa ... kufuneka uvume ukuba oku kubonakala ngathi yinzame yokumisa inkqubela kwintlangano enye. Ngokuqinisekileyo, ndingathanda ukudibanisa amathuba ukuba iteknoloji yanamhlanje ibonelela ngezinga elaneleyo lokhuseleko.

"Ukusebenza ngokukhawuleza" kwenethiwekhi

Isantya sogqithiso lwedatha ngokobuchwephesha sinemiba emininzi. Kwaye isantya sezibuko loqhagamshelo lwakho siqhele ukuba asiyiyo eyona ibalulekileyo. Ukusebenza okucothayo kwesicelo akusoloko kunxulunyaniswa neengxaki zenethiwekhi, kodwa okwangoku sinomdla kuphela kwinxalenye yenethiwekhi. Eyona ngxaki ixhaphakileyo kuthungelwano lwasekhaya "lokucotha" inxulumene nokulahleka kwepakethi. Oku ngokuqhelekileyo kwenzeka xa kukho i-bottleneck okanye iingxaki ze-L1 (OSI). Ngakumbi kunqabile, ngoyilo oluthile (umzekelo, xa ii-subnets zakho zinefirewall njengesango elingagqibekanga kwaye ke yonke itrafikhi idlula kuyo), ukusebenza kwehardware kunokusilela.

Ngoko ke, xa ukhetha izixhobo kunye noyilo, kufuneka udibanise isantya samachweba okugqibela, iziqu kunye nokusebenza kwezixhobo.

Umzekelo:

Makhe sicinge ukuba usebenzisa iiswitshi ezinegigabhithi e-1 njengezibuko zofikelelo. Badityaniswe omnye komnye nge-Etherchannel 2 x 10 gigabits. Njengesango elingagqibekanga, usebenzisa i-firewall enezibuko zegigabit, ukudibanisa ukuba yeyiphi inethiwekhi yeofisi ye-L2 oyisebenzisayo i-2 gigabit port idityaniswe kwi-Etherchannel.

Olu lwakhiwo lufanelekile ukusuka kwindawo yokusebenza, kuba... Yonke i-traffic idlula kwi-firewall, kwaye unokulawula ngokukhululekileyo imigaqo-nkqubo yokufikelela, kwaye usebenzise i-algorithms eyinkimbinkimbi yokulawula i-traffic kunye nokuthintela ukuhlaselwa okunokwenzeka (jonga ngezantsi), kodwa ukusuka kwindawo yokujonga kunye nokusebenza kolu yilo, ngokuqinisekileyo, luneengxaki ezinokubakho. Ngoko, umzekelo, i-2 ibamba i-data yokukhuphela idatha (ngesantya se-port ye-gigabit ye-1) inokulayisha ngokupheleleyo i-2 gigabit uxhumano kwi-firewall, kwaye ngaloo ndlela ikhokelela ekuthotyweni kwenkonzo kuyo yonke icandelo leofisi.

Siye sajonga i-vertex kanxantathu, ngoku makhe sijonge indlela esinokuqinisekisa ngayo ukhuseleko.

Unyango

Ke, ewe, ngokuqhelekileyo umnqweno wethu (okanye kunoko, umnqweno wabaphathi bethu) kukufezekisa into engenakwenzeka, oko kukuthi, ukubonelela ngokulula kakhulu ngokhuseleko oluphezulu kunye neendleko ezincinci.

Makhe sijonge ukuba zeziphi iindlela esinazo zokubonelela ngokhuseleko.

Kwiofisi, ndingagxininisa oku kulandelayo:

  • zero trust indlela yoyilo
  • umgangatho ophezulu wokukhusela
  • ukubonakala kwenethiwekhi
  • inkqubo emanyeneyo yoqinisekiso olusembindini kunye nogunyaziso
  • jonga inginginya

Okulandelayo, siza kuhlala kwiinkcukacha ezithe vetshe kwinkalo nganye kwezi.

Ithemba leZero

Ihlabathi le-IT litshintsha ngokukhawuleza. Kwiminyaka nje eyi-10 edlulileyo, ukuvela kobuchwepheshe obutsha kunye neemveliso kuye kwakhokelela ekuhlaziyweni okukhulu kweengqikelelo zokhuseleko. Kwiminyaka elishumi edlulileyo, ukusuka kwindawo yokhuseleko, sahlula inethiwekhi kwiindawo zokuthembela, i-dmz kunye neendawo ezingathembekiyo, kwaye sasebenzisa oko kuthiwa "ukukhusela i-perimeter", apho kwakukho imigca ye-2 yokukhusela: ukungathembeki -> dmz kunye ne-dmz -> ithemba. Kwakhona, ukukhuselwa kwakuvame ukukhawulelwa kuluhlu lokufikelela olusekelwe kwi-L3 / L4 (OSI) iintloko (IP, TCP / UDP port, TCP flags). Yonke into enxulumene namanqanaba aphezulu, kuquka i-L7, ishiywe kwi-OS kunye neemveliso zokhuseleko ezifakwe kwimikhosi yokugqibela.

Ngoku imeko itshintshe ngokuphawulekayo. Ingcamango yanamhlanje zero trust ivela kwinto yokuba akusenakwenzeka ukuba kuqwalaselwe iinkqubo zangaphakathi, oko kukuthi, ezo zibekwe ngaphakathi komda, njengoko zithenjiweyo, kwaye ingqikelelo yomjikelezo ngokwayo iye yafiphala.
Ukongeza kuqhagamshelo lwe-intanethi sikwanayo

  • ukufikelela kude abasebenzisi beVPN
  • izixhobo zobuqu ezahlukeneyo, zisa iilaptops, eziqhagamshelwe nge-WiFi yeofisi
  • ezinye (zamasebe) ii-ofisi
  • ukudibanisa kunye neziseko zelifu

Ingaba indlela yeZero Trust ijongeka njani xa isebenza?

Ngokufanelekileyo, kuphela i-traffic efunekayo kufuneka ivunyelwe kwaye, ukuba sithetha ngokufanelekileyo, ngoko ukulawula akufanele kube kuphela kwinqanaba le-L3 / L4, kodwa kwinqanaba lesicelo.

Ukuba, umzekelo, unakho ukudlula yonke i-traffic kwi-firewall, ngoko unokuzama ukusondela kwindawo efanelekileyo. Kodwa le ndlela inokunciphisa kakhulu i-bandwidth epheleleyo yenethiwekhi yakho, kwaye ngaphandle koko, ukuhluza ngesicelo akusoloko kusebenza kakuhle.

Xa ulawula i-traffic kwi-router okanye i-L3 switch (usebenzisa i-ACLs eqhelekileyo), ufumana ezinye iingxaki:

  • Oku kuhluzo lwe-L3/L4 kuphela. Akukho nto ithintela umhlaseli ekusebenziseni izibuko ezivumelekileyo (umzekelo, i-TCP 80) kwisicelo sabo (hayi i-http)
  • ulawulo oluntsonkothileyo lwe-ACL (kunzima ukwahlula ii-ACLs)
  • Le ayisiyiyo i-firewall esemthethweni, okuthetha ukuba kufuneka uvumele ngokuthe gca umva itrafikhi
  • ngotshintsho uqhele ukuqingqwa ngokuqinileyo ngobungakanani be-TCAM, enokuthi ibe yingxaki ngokukhawuleza ukuba uthatha "vumela kuphela into oyifunayo" indlela.

Qaphela

Ukuthetha ngetrafikhi ebuyela umva, kufuneka sikhumbule ukuba sinalo eli thuba lilandelayo (Cisco)

vumela i-tcp nayiphi na into esekiweyo

Kodwa kufuneka uqonde ukuba lo mgca ulingana nemigca emibini:
vumela i-tcp nayiphi na i-ack
vumela i-tcp nakuphi na ukuqala

Oko kuthetha ukuba nangona bekungekho nxalenye yokuqala ye-TCP kunye neflegi ye-SYN (oko kukuthi, iseshoni ye-TCP ayizange iqalise ukuseka), le ACL iya kuvumela ipakethe kunye neflegi ye-ACK, umhlaseli angasebenzisa ukudlulisa idatha.

Oko kukuthi, lo mgca awujiki umzila wakho okanye iswitshi ye-L3 ibe yi-firewall.

Izinga eliphezulu lokhuseleko

В nqaku Kwicandelo kumaziko edatha, sithathele ingqalelo ezi ndlela zilandelayo zokhuseleko.

  • i-firewalling esemthethweni (ehlala ikho)
  • ukhuseleko lweddos/dos
  • isicelo firewalling
  • uthintelo lwesisongelo (i-antivirus, i-anti-spyware, kunye nokuba sesichengeni)
  • Uhluzo lwe-URL
  • ukuhluzwa kwedatha (uhluzo lomxholo)
  • uthintelo lwefayile (uhlobo lwefayile luyavalwa)

Kwimeko yeofisi, imeko iyafana, kodwa izinto eziphambili zihluke kancinane. Ubukho beOfisi (ubukho) abusoloko bubaluleka njengakwimeko yeziko ledatha, ngelixa ukunokwenzeka kwetrafikhi enobungozi "yangaphakathi" yimiyalelo yobukhulu obuphezulu.
Ke ngoko, ezi ndlela zilandelayo zokhuseleko kweli candelo zibaluleke kakhulu:

  • isicelo firewalling
  • uthintelo lokoyikiso (anti-virus, anti-spyware, kunye nokuba sesichengeni)
  • Uhluzo lwe-URL
  • ukuhluzwa kwedatha (uhluzo lomxholo)
  • uthintelo lwefayile (uhlobo lwefayile luyavalwa)

Nangona zonke ezi ndlela zokukhusela, ngaphandle kwe-firewalling yesicelo, ziye zahlala kwaye ziqhubeka zisonjululwa kwimikhosi yokugqibela (umzekelo, ngokufaka iinkqubo ze-antivirus) kunye nokusebenzisa i-proxies, ii-NGFW zanamhlanje zibonelela ngezi nkonzo.

Abathengisi bezixhobo zokhuseleko bazama ukudala ukhuseleko olubanzi, ngoko ke kunye nokukhuselwa kwendawo, banikezela ngetekhnoloji ehlukeneyo yelifu kunye nesoftware yabathengi kubamkeli (ukhuseleko lwamanqaku okugqibela / i-EPP). Ngoko ke, umzekelo, ukusuka 2018 Gartner Magic Quadrant Siyabona ukuba uPalo Alto kunye noCisco bane-EPP yabo (i-PA: Imigibe, iCisco: i-AMP), kodwa ikude neenkokeli.

Ukwenza olu khuseleko (oludla ngokuthenga iilayisensi) kwi-firewall yakho ngokuqinisekileyo akunyanzelekanga (ungahamba ngendlela yesintu), kodwa ibonelela ngeenzuzo ezithile:

  • kule meko, kukho inqaku elilodwa lokusetyenziswa kweendlela zokukhusela, eziphucula ukubonakala (jonga isihloko esilandelayo).
  • Ukuba kukho isixhobo esingakhuselekanga kwinethiwekhi yakho, ngoko siwela phantsi "kwesambulela" sokhuseleko lomlilo.
  • Ngokusebenzisa ukhuseleko lwefirewall ngokudibeneyo nokhuselo lwe-firewall, sonyusa amathuba okubona itrafikhi enobungozi. Umzekelo, ukusebenzisa uthintelo lwezoyikiso kwiinginginya zasekhaya kunye nakwi-firewall kwandisa ukubonwa (ngokubonelelwa, ngokuqinisekileyo, ukuba ezi zisombululo zisekwe kwiimveliso ezahlukeneyo zesoftware)

Qaphela

Ukuba, umzekelo, usebenzisa i-Kaspersky njenge-antivirus zombini kwi-firewall nakwi-host hosts, ke oku, ngokuqinisekileyo, akuyi kwandisa kakhulu amathuba okuthintela ukuhlaselwa kwentsholongwane kwinethiwekhi yakho.

Ukubonakala kwenethiwekhi

Ingcamango e phambili ilula - "bona" ​​okwenzekayo kwinethiwekhi yakho, ngexesha lokwenyani kunye nedatha yembali.

Ndingawahlula lo “mbono” ube ngamaqela amabini:

Iqela lokuqala: yintoni inkqubo yakho yokubeka iliso edla ngokukubonelela ngayo.

  • ukulayishwa kwezixhobo
  • ukulayisha amajelo
  • ukusetyenziswa kwememori
  • ukusetyenziswa kwediski
  • ukutshintsha itafile yendlela
  • ubume bekhonkco
  • ukufumaneka kwezixhobo (okanye iinginginya)
  • ...

Iqela lesibini: ulwazi olunxulumene nokhuseleko.

  • Iindidi ezahlukeneyo zamanani (umzekelo, ngesicelo, nge-URL yetrafikhi, zeziphi iindidi zedatha ezikhutshelweyo, idatha yomsebenzisi)
  • yintoni eyayithintelwe yimigaqo-nkqubo yokhuseleko kwaye ngasiphi isizathu, oko kukuthi
    • isicelo esithintelweyo
    • Ithintelwe ngokusekwe kwi-ip/protocol/port/flags/zones
    • uthintelo lwesisongelo
    • ukuhluza url
    • ukuhluzwa kwedatha
    • ukuvaleka kwefayile
    • ...
  • Uhlaselo lwe-DOS/DDOS
  • Ukuchongwa okusileleyo kunye nemizamo yogunyaziso
  • izibalo kuzo zonke ezi zingentla zokwaphulwa komgaqo-nkqubo wokhuseleko
  • ...

Kwesi sahluko sokhuseleko, sinomdla kwinxalenye yesibini.

Ezinye iifirewall zanamhlanje (ukusuka kumava am ePalo Alto) zibonelela ngenqanaba elihle lokubonakala. Kodwa, ewe, itrafikhi onomdla kuyo kufuneka idlule kule firewall (apho unakho ukubhloka itrafikhi) okanye uboniswe kwifirewall (esetyenziselwa ukubeka iliso kunye nohlalutyo kuphela), kwaye kufuneka ube neelayisensi ukwenza konke ezi nkonzo .

Kukho, ewe, enye indlela, okanye endaweni yemveli, umzekelo,

  • Izibalo zeseshoni zinokuqokelelwa nge-netflow kwaye emva koko zisetyenziswe izinto ezikhethekileyo zokuhlalutya ulwazi kunye nokubonwa kwedatha.
  • ukuthintela ukusongela - iinkqubo ezikhethekileyo (i-anti-virus, i-anti-spyware, i-firewall) kwimikhosi yokugqibela
  • Ukuhluzwa kwe-URL, ukuhluzwa kwedatha, ukuvala iifayile - kwiproxy
  • kuyenzeka kwakhona ukuhlalutya tcpdump usebenzisa umz. rhona

Ungazidibanisa ezi ndlela zimbini, uncedisana nezinto ezingekhoyo okanye uziphindaphinde ukuze ukwandise amathuba okubona uhlaselo.

Yeyiphi indlela ofanele ukhethe?
Kuxhomekeke kakhulu kwiziqinisekiso kunye nokukhethwa kweqela lakho.
Zombini apho kwaye kukho izinto ezilungileyo kunye nezingalunganga.

Inkqubo emanyeneyo yoqinisekiso olusembindini kunye nogunyaziso

Xa kuyilwe kakuhle, ukuhamba esixubushe kweli nqaku kuthatha ukuba unokufikelela okufanayo nokuba usebenza eofisini okanye ekhaya, ukusuka kwisikhululo seenqwelomoya, kwivenkile yekofu okanye naphi na (kunye nemida esixoxe ngayo ngasentla). Kubonakala ngathi, yintoni ingxaki?
Ukuqonda ngcono ukuntsonkotha kwalo msebenzi, makhe sijonge uyilo oluqhelekileyo.

Umzekelo:

  • Ubahlule bonke abasebenzi ngokwamaqela. Ugqibe ukunika ufikelelo ngokwamaqela
  • Ngaphakathi eofisini, ulawula ukufikelela kwi-firewall yeofisi
  • Ulawula i-traffic ukusuka kwiofisi ukuya kwiziko ledatha kwi-firewall yedatha
  • Usebenzisa iCisco ASA njengesango leVPN kunye nokulawula itrafikhi engena kwinethiwekhi yakho ukusuka kubathengi abakude, usebenzisa yasekhaya (kwi-ASA) ACLs.

Ngoku, masithi ucelwe ukuba wongeze ufikelelo olongezelelweyo kumsebenzi othile. Kule meko, uyacelwa ukuba wongeze ufikelelo kuye kuphela kwaye akukho mntu wumbi kwiqela lakhe.

Kule nto kufuneka senze iqela elahlukileyo kulo msebenzi, oko kukuthi

  • ukudala ichibi IP eyahlukileyo kwi ASA kulo msebenzi
  • yongeza i ACL entsha kwi ASA kwaye uyibophelele ukuba umxhasi ekude
  • yenza imigaqo-nkqubo emitsha yokhuseleko kwi-firewall yeofisi kunye neziko ledatha

Kulungile ukuba esi siganeko sinqabile. Kodwa ekusebenzeni kwam kwakukho imeko xa abasebenzi bathatha inxaxheba kwiiprojekthi ezahlukeneyo, kwaye le seti yeeprojekthi zabanye babo batshintsha rhoqo, kwaye kwakungekho abantu abayi-1-2, kodwa abaninzi. Kakade ke, kwakukho into eyayifuna ukutshintshwa apha.

Oku kwasonjululwa ngolu hlobo lulandelayo.

Siye sagqiba kwelokuba i-LDAP iyakuba kuphela komthombo wenyaniso omisela konke ukufikelela kwabasebenzi. Senze zonke iindidi zamaqela achaza iiseti zofikelelo, kwaye sabela umsebenzisi ngamnye kwiqela elinye okanye ngaphezulu.

Ngoko ke, umzekelo, masithi kukho amaqela

  • undwendwe (ukufikelela kwi-Intanethi)
  • ukufikelela okuqhelekileyo (ukufikelela kwizibonelelo ekwabelwana ngazo: iposi, isiseko solwazi, ...)
  • accounting
  • iprojekthi 1
  • iprojekthi 2
  • umlawuli wesiseko sedatha
  • umlawuli we-linux
  • ...

Kwaye ukuba omnye wabasebenzi wayebandakanyeka kuzo zombini iprojekthi 1 kunye neprojekthi yesi-2, kwaye wayefuna ukufikelela okuyimfuneko ukuze asebenze kwezi projekthi, ngoko lo msebenzi wabelwa kumaqela alandelayo:

  • guest
  • ukufikelela okuqhelekileyo
  • iprojekthi 1
  • iprojekthi 2

Singenza njani ngoku olu lwazi ukuba lufikelele kwisixhobo sothungelwano?

Cisco ASA Dynamic Access Policy (DAP) (bona www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html) isisombululo silungele lo msebenzi.

Ngokufutshane malunga nokuphunyezwa kwethu, ngexesha lenkqubo yokuchongwa / yogunyaziso, i-ASA ifumana kwi-LDAP iseti yamaqela ahambelana nomsebenzisi onikiweyo kwaye "iqokelela" kwii-ACL ezininzi zendawo (nganye ehambelana neqela) i-ACL eguquguqukayo kunye nazo zonke iingenelo eziyimfuneko. , ehambelana ngokupheleleyo neminqweno yethu.

Kodwa oku kuphela kunxibelelwano lweVPN. Ukwenza imeko ibe yinto efanayo kubo bobabini abasebenzi abaqhagamshelwe nge-VPN kunye nabo baseofisini, eli nyathelo elilandelayo lithathwe.

Xa udibanisa kwiofisi, abasebenzisi abasebenzisa iprotocol ye-802.1x baphelile nokuba yi-LAN yeendwendwe (kwiindwendwe) okanye i-LAN ekwabelwana ngayo (kubasebenzi benkampani). Ukongezelela, ukufumana ukufikelela okuthe ngqo (umzekelo, kwiiprojekthi kwiziko ledatha), abasebenzi kwafuneka badibanise nge-VPN.

Ukudibanisa kwiofisi kunye nasekhaya, amaqela ahlukeneyo etonela asetyenziswa kwi-ASA. Oku kuyimfuneko ukwenzela ukuba abo badibanisa kwiofisi, i-traffic kwizibonelelo ezabelwana ngazo (ezisetyenziswa ngabo bonke abasebenzi, njengeposi, abancedisi beefayile, inkqubo yetikiti, i-dns, ...) ayihambi nge-ASA, kodwa ngenethiwekhi yendawo. . Ngaloo ndlela, asizange silayishe i-ASA nge-traffic engadingekile, kubandakanywa ne-high-intensity traffic.

Ngaloo ndlela, ingxaki yasonjululwa.
Sifumene

  • iseti efanayo yofikelelo kuzo zombini iindibano ezisuka kwiofisi kunye noqhagamshelo olukude
  • ukungabikho kokuthotywa kwenkonzo xa usebenza kwi-ofisi eyayamene nokusasazwa kwezithuthi ezimandla nge-ASA

Ziziphi ezinye iingenelo zale ndlela?
Kulawulo lofikelelo. Ukufikelela kunokutshintshwa ngokulula kwindawo enye.
Umzekelo, ukuba umqeshwa ushiya inkampani, ngoko umsuse nje kwi-LDAP, kwaye ngokuzenzekelayo ulahlekelwa lufikelelo.

Ukujonga umamkeli

Ngokunokwenzeka koqhagamshelo olukude, sibeka umngcipheko wokuvumela kungekuphela nje umqeshwa wenkampani kwinethiwekhi, kodwa nayo yonke isoftware enobungozi enokuthi ibekhona kwikhompyuter yakhe (umzekelo, ekhaya), kwaye ngaphezu koko, ngokusebenzisa le software. inokuba ibonelela ngokufikelela kuthungelwano lwethu kumhlaseli osebenzisa lo mamkeli njengommeli.

Iyavakala ukuba umamkeli oqhagamshelwe ukude asebenzise iimfuno ezifanayo zokhuseleko njengomamkeli ongaphakathi e-ofisini.

Oku kwakhona kuthatha inguqulelo "echanekileyo" ye-OS, i-anti-virus, i-anti-spyware, kunye ne-firewall software kunye nohlaziyo. Ngokuqhelekileyo, obu buchule bukhona kwisango leVPN (kwi-ASA bona, umzekelo, apha).

Kwakhona kububulumko ukusebenzisa uhlalutyo olufanayo lwetrafikhi kunye neendlela zokuthintela (jonga "Izinga eliphezulu lokukhusela") ukuba umgaqo-nkqubo wakho wokhuseleko usebenza kwi-ofisi ye-ofisi.

Kusengqiqweni ukucinga ukuba uthungelwano lweofisi yakho alusekho kuphela kwisakhiwo seofisi kunye nababuki zindwendwe abangaphakathi kuyo.

Umzekelo:

Indlela elungileyo kukubonelela umqeshwa ngamnye ofuna ukufikelela kude nelaptop elungileyo, efanelekileyo kwaye afune ukuba basebenze, zombini eofisini nasekhaya, ukusuka kuyo kuphela.

Ayiphuculi nje ukhuseleko lwenethiwekhi yakho, kodwa iluncedo kakhulu kwaye ihlala ijongwa kakuhle ngabasebenzi (ukuba ilungile ngokwenene, ilaptop esebenziseka lula).

Malunga nengqiqo yomlinganiselo kunye nokulinganisela

Ngokwenene, le ngxoxo malunga ne-vertex yesithathu yonxantathu wethu - malunga nexabiso.
Makhe sijonge kumzekelo woqikelelo.

Umzekelo:

Uneofisi yabantu abangama-200. Ugqibe ekubeni wenze kube lula kwaye kukhuseleke kangangoko.

Ke ngoko, ugqibe kwelokuba ugqithise zonke iitrafikhi kwifirewall kwaye ngenxa yoko kuzo zonke ii-subnets zeofisi, i-firewall lisango elimiselweyo. Ukongeza kwi-software yokhuseleko efakwe kwi-host host nganye ekupheleni (i-anti-virus, i-anti-spyware, kunye ne-firewall software), uphinde wagqiba ekubeni usebenzise zonke iindlela zokukhusela kwi-firewall.

Ukuqinisekisa isantya esiphezulu uxhulumaniso (konke ukuze kube lula), ukhethe iiswitshi nge 10 amazibuko ukufikelela Gigabit njengoko utshintshelo ukufikelela, kwaye eliphezulu-ukusebenza NGFW firewalls njengoko firewall, umzekelo, Palo Alto 7K series (kunye 40 izibuko Gigabit), ngokwendalo zonke iilayisensi ifakiwe kwaye, ngokwendalo, iperi yokuFumana okuPhezulu.

Kwakhona, ewe, ukusebenza ngalo mgca wesixhobo sifuna ubuncinci iinjineli zokhuseleko eziqeqeshwe kakhulu.

Okulandelayo, uthathe isigqibo sokunika umqeshwa ngamnye ilaptop elungileyo.

Iyonke, malunga ne-10 yezigidi zeedola zokuphunyezwa, amakhulu amawaka eedola (ndicinga ukuba kufuphi nesigidi) ngenkxaso yonyaka kunye nemivuzo yeenjineli.

Iofisi, abantu abangama-200...
Ukhululekile? Ndicinga ukuba ewe.

Uza nesi siphakamiso kubaphathi bakho...
Mhlawumbi kukho inani leenkampani ehlabathini apho esi sisisombululo esamkelekileyo nesichanekileyo. Ukuba ungumqeshwa wale nkampani, ndiyavuyisana naye, kodwa kwiimeko ezininzi, ndiqinisekile ukuba ulwazi lwakho aluyi kuthakazelelwa ngabaphathi.

Ngaba lo mzekelo ubaxiwe? Isahluko esilandelayo siza kuwuphendula lo mbuzo.

Ukuba kwinethiwekhi yakho awuboni nanye kwezi zingasentla, ngoko oku kuqhelekileyo.
Kwimeko nganye ethile, kufuneka ufumane ulungelelwaniso lwakho olufanelekileyo phakathi kokulula, ixabiso kunye nokhuseleko. Rhoqo awufuni nokuba i-NGFW kwiofisi yakho, kwaye ukhuseleko lwe-L7 kwi-firewall alufuneki. Kwanele ukubonelela ngezinga elihle lokubonakala kunye nezilumkiso, kwaye oku kunokwenziwa ngokusebenzisa iimveliso zomthombo ovulekileyo, umzekelo. Ewe, ukusabela kwakho ekuhlaselweni akuyi kukhawuleza, kodwa into ephambili kukuba uya kuyibona, kwaye kunye neenkqubo ezifanelekileyo kwindawo yakho kwisebe lakho, uya kukwazi ukuyinciphisa ngokukhawuleza.

Kwaye mandikukhumbuze ukuba, ngokombono wolu ngcelele lwamanqaku, awuyila inethiwekhi, uzama nje ukuphucula oko unako.

Uhlalutyo olukhuselekileyo loyilo lweofisi

Nika ingqalelo kwesi sikwere sibomvu endabele ngaso indawo kumzobo ukusuka Isikhokelo se-SAFE Secure Campus Architectureendingathanda ukuxoxa ngayo apha.

Uluthatha njani ulawulo lweziseko zonxibelelwano zakho. Isahluko sesithathu. Ukhuseleko lwenethiwekhi. Icandelo lesithathu

Le yenye yeendawo eziphambili zoyilo kunye nenye yezona zinto zibalulekileyo zokungaqiniseki.

Qaphela

Andizange ndimise okanye ndisebenze ngeFirePower (ukusuka kumgca womlilo weCisco - kuphela i-ASA), ngoko ke ndiya kuyiphatha njengayo nayiphi na enye i-firewall, njengeJuniper SRX okanye iPalo Alto, ndicinga ukuba inamandla afanayo.

Kuyilo oluqhelekileyo, ndibona kuphela iinketho ezi-4 ezinokwenzeka zokusebenzisa i-firewall ngolu xhulumaniso:

  • isango elingagqibekanga lesubnet nganye lutshintsho, ngelixa i-firewall ikwimowudi ecacileyo (oko kukuthi, zonke iitrafikhi zidlula kuyo, kodwa ayenzi i-L3 hop)
  • isango elingagqibekanga kwi subnet nganye lukhuselo olusezantsi-ujongano (okanye ujongano lwe SVI), iswitshi idlala indima ye L2.
  • ezahlukeneyo VRFs zisetyenziswa kwi iswitshi, kwaye traffic phakathi VRFs uya kwi firewall, traffic ngaphakathi VRF enye ilawulwa yi ACL kwi iswitshi.
  • zonke itrafikhi ziboniswa kwifirewall ukuze zihlalutywe kwaye zibekwe esweni; itrafikhi ayihambi kuyo

Qaphela 1

Ukudibaniswa kwezi zikhetho zinokwenzeka, kodwa ukuze kube lula asiyi kuziqwalasela.

Qaphela2

Kukho ithuba lokusebenzisa i-PBR (i-architecture ye-service chain), kodwa okwangoku oku, nangona isisombululo esihle ngokombono wam, siyinto engaqhelekanga, ngoko andiyi kukuqwalasela apha.

Ukususela kwinkcazo yokuhamba kuxwebhu, sibona ukuba i-traffic isaqhubeka idlula kwi-firewall, oko kukuthi, ngokuhambelana noyilo lweCisco, ukhetho lwesine luyacinywa.

Makhe sijonge iindlela ezimbini zokuqala kuqala.
Ngolu khetho, zonke iitrafikhi zidlula kwi-firewall.

Ngoku makhe sijonge ishiti yedatha, khangela Cisco GPL kwaye siyabona ukuba sifuna ukuba i-bandwidth epheleleyo yeofisi yethu ibe ubuncinane malunga ne-10 - 20 gigabits, ngoko kufuneka sithenge inguqulo ye-4K.

Qaphela

Xa ndithetha nge-bandwidth epheleleyo, ndithetha i-traffic phakathi kwe-subnets (kwaye kungekhona ngaphakathi kwe-vilana enye).

Ukususela kwi-GPL sibona ukuba kwi-HA Bundle nge-Treat Defense, ixabiso elixhomekeke kwimodeli (4110 - 4150) lihluka ukusuka ~ ~ 0,5 - 2,5 yezigidi zeedola.

Oko kukuthi, uyilo lwethu luqala ukufana nomzekelo wangaphambili.

Ngaba oku kuthetha ukuba olu yilo alulunganga?
Hayi, ayithethi loo nto. I-Cisco ikunika ukhuseleko olungcono olusekwe kumgca wemveliso onayo. Kodwa oko akuthethi ukuba kufuneka wenze kuwe.

Ngokomgaqo, lo ngumbuzo oqhelekileyo ovelayo xa uyila iofisi okanye isikhungo sedatha, kwaye kuthetha kuphela ukuba kufuneka kufuneke ukulungelelaniswa.

Umzekelo, ungavumeli zonke iitrafikhi ziphumele kwi-firewall, kwimeko apho ukhetho 3 lubonakala lulungile kum, okanye (jonga icandelo langaphambili) mhlawumbi awufuni uKhuselo loTyala okanye awufuni firewall kwaphela kuloo nto. icandelo lomnatha, kwaye kufuneka nje uzithintele ekubekeni iliso okwenziwayo usebenzisa ihlawulwe (ingabizi kakhulu) okanye izisombululo zemithombo evulekileyo, okanye ufuna i-firewall, kodwa kumthengisi owahlukileyo.

Ngokuqhelekileyo kukho oku kungaqiniseki kwaye akukho mpendulo ecacileyo malunga nokuba sesiphi isigqibo esilungileyo kuwe.
Oku kuyinkimbinkimbi kunye nobuhle balo msebenzi.

umthombo: www.habr.com

Yongeza izimvo