Uyivavanya njani iNdlela yokuSebenza koSeto lwe-NGFW
Owona msebenzi uxhaphakileyo kukukhangela ukuba i-firewall yakho iqwalaselwe njani na. Ukwenza oku, kukho izinto eziluncedo kunye neenkonzo zasimahla ezivela kwiinkampani ezijongene ne-NGFW.
Umzekelo, ungabona ngezantsi ukuba iPalo Alto Networks inamandla okusuka ngokuthe ngqo qhuba uhlalutyo lweenkcukacha-manani zomlilo - ingxelo ye-SLR okanye uhlalutyo lokuthotyelwa kweendlela ezilungileyo - ingxelo ye-BPA. Ezi zizixhobo zasimahla ze-intanethi onokuzisebenzisa ngaphandle kokufaka nantoni na.
ISIGQUBO
Uhambo (Isixhobo sokuFudukela)
Olona khetho luntsokothileyo lokujonga useto lwakho kukukhuphela into eluncedo yasimahla (eyayisakuba sisixhobo sokuFudukela). Ikhutshelwa njengeSibonelelo esibonakalayo seVMware, akukho setingi ezifunekayo ngayo - kufuneka ukhuphele umfanekiso kwaye uwubeke phantsi kweVMware hypervisor, uyiqalise kwaye uye kujongano lwewebhu. Olu ncedo lufuna ibali elahlukileyo, kuphela ikhosi kuyo ithatha iintsuku ezi-5, kukho imisebenzi emininzi ngoku, kuquka ukuFunda koMatshini kunye nokufuduka koqwalaselo olwahlukeneyo lwemigaqo-nkqubo, i-NAT kunye nezinto zabenzi boMlilo abahlukeneyo. Ndiza kubhala ngakumbi malunga nokuFunda koMatshini ngezantsi kwisicatshulwa.
IsiXhomisi sePolisi
Kwaye olona khetho lufanelekileyo (IMHO), endiza kukuxelela ngalo ngeenkcukacha ezithe vetshe namhlanje, sisixhobo somgaqo-nkqubo esakhelwe kujongano lwePalo Alto Networks ngokwayo. Ukuyibonisa, ndifakele i-firewall ekhayeni lam kwaye ndabhala umthetho olula: vumela nayiphi na into. Ngokomgaqo, ngamanye amaxesha ndiyibona imithetho enjalo nakwiinethiwekhi zenkampani. Ngokwendalo, ndenze zonke iiprofayili zokhuseleko ze-NGFW, njengoko ubona kumfanekiso wesikrini:
Umfanekiso wekhusi ongezantsi ubonisa umzekelo wekhaya lam lomlilo olungamiselwanga, apho phantse lonke uqhagamshelo luwela kumgaqo wokugqibela: AllowAll, njengoko kunokubonwa kwizibalo ezikuluhlu lweHit Bala.
Ithemba leZero
Kukho indlela yokhuseleko ebizwa . Kuthetha ukuthini oku: kufuneka sivumele abantu abangaphakathi kwinethiwekhi ngqo olo nxibelelwano baludingayo kwaye bakhanyele yonke enye into. Oko kukuthi, kufuneka songeze imithetho ecacileyo yezicelo, abasebenzisi, iindidi ze-URL, iindidi zefayile; vumela zonke ii-IPS kunye neesignesha ze-antivirus, vumela i-sandboxing, ukhuseleko lwe-DNS, sebenzisa i-IoC kwi-database ye-Treat Intelligence ekhoyo. Ngokubanzi, kukho inani elifanelekileyo lemisebenzi xa useka i-firewall.
Hi ndlela leyi, iseti encinci yezicwangciso eziyimfuneko zePalo Alto Networks NGFW ichazwe kwelinye lamaxwebhu e-SANS: - Ndincoma ukuqala ngayo. Kwaye kunjalo, kukho iseti yeendlela ezilungileyo zokuseta i-firewall evela kumenzi: .
Ke, bendine-firewall ekhaya kangangeveki. Makhe sibone ukuba luhlobo luni lwetrafikhi olukhoyo kwinethiwekhi yam:
Ukuba uhlela ngenani leeseshini, ngoko uninzi lwazo lwenziwe yi-bittorrent, emva koko kuza i-SSL, emva koko QUIC. Ezi zizibalo zazo zombini iitrafikhi ezingenayo neziphumayo: zininzi izikena zangaphandle zomzila wam. Kukho izicelo ezahlukeneyo ezili-150 kwinethiwekhi yam.
Ke, konke oku kuphoswe ngumthetho omnye. Ngoku makhe sibone ukuba ithini iPolisi Optimizer malunga noku. Ukuba ujonge ngasentla kwi-screenshot ye-interface enemigaqo yokhuseleko, ngoko ezantsi ekhohlo ubone ifestile encinci ebonisa ukuba kukho imigaqo enokulungiswa. Masicofe apho.
Sibonisa ntoni isiPhumo sePolisi:
- Yeyiphi imigaqo-nkqubo engasetyenziswanga kwaphela, iintsuku ezingama-30, iintsuku ezingama-90. Oku kunceda ukwenza isigqibo sokuzisusa ngokupheleleyo.
- Zeziphi izicelo ezichazwe kwimigaqo-nkqubo, kodwa akukho zicelo ezinjalo zifunyenwe kwi-traffic. Oku kukuvumela ukuba ususe izicelo ezingeyomfuneko ekuvumeleni imithetho.
- Yeyiphi imigaqo-nkqubo evumele yonke into, kodwa eneneni bekukho izicelo ebezinokulunga ukubonisa ngokucacileyo ngokwendlela yokusebenza yeZero Trust.
Masicofe ku Engasetyenziswanga.
Ukubonisa indlela esebenza ngayo, ndongeze imithetho embalwa kwaye ukuza kuthi ga ngoku abaphoswanga ipakethi enye namhlanje. Nalu uluhlu lwabo:
Mhlawumbi ekuhambeni kwexesha kuya kubakho i-traffic apho kwaye ke baya kunyamalala kolu luhlu. Kwaye ukuba zikolu luhlu iintsuku ezingama-90, ngoko unokugqiba ukucima le migaqo. Emva koko, yonke imigaqo inika ithuba kwi-hacker.
Kukho ingxaki yokwenene xa kuqwalaselwe i-firewall: umqeshwa omtsha uza, ujonge imigaqo yomlilo, ukuba abanayo nayiphi na inkcazo kwaye akazi ukuba kutheni lo mgaqo udalwe, nokuba uyimfuneko ngokwenene, nokuba unako. zicinywe: ngequbuliso umntu usekhefini kwaye emva kweentsuku ezingama-30, itrafikhi iya kuphinda iphume kwinkonzo ayidingayo. Kwaye lo msebenzi umnceda enze isigqibo - akukho mntu uyisebenzisayo - cima!
Cofa kwi-App engasetyenziswanga.
Sicofa kwi-App engasetyenziswanga kwi-optimizer kwaye sibone ukuba ulwazi olunomdla luvula kwifestile enkulu.
Siyabona ukuba kukho imigaqo emithathu, apho inani lezicelo ezivunyelweyo kunye nenani lezicelo ezigqithise ngokwenene lo mgaqo zihluke.
Sinokucofa kwaye sibone uluhlu lwezi zicelo kwaye sithelekise olu luhlu.
Umzekelo, cofa kwi Thelekisa iqhosha lomthetho weMax.
Apha unokubona ukuba izicelo facebook, instagram, telegram, vkontakte zavunyelwa. Kodwa eneneni, itrafikhi yaya kuphela kwezinye zezicelo ezincinci. Apha kufuneka uqonde ukuba usetyenziso lwe-facebook lunezicelo ezincinci.
Uluhlu lonke lwezicelo ze-NGFW lunokubonwa kwi-portal kwaye kwi-firewall interface ngokwayo, kwi-IziNto->Icandelo lezicelo nakuphendlo, chwetheza igama lesicelo: facebook, uya kufumana iziphumo ezilandelayo:
Ke, ezinye zezi sub-applications zabonwa yi NGFW, kodwa ezinye azizange. Ngapha koko, unokwalela ngokwahlukeneyo kwaye uvumele ii-sub-functions ezahlukeneyo ze-Facebook. Umzekelo, vumela ukujongwa kwemiyalezo, kodwa uthintele incoko okanye ugqithiso lwefayile. Ngokufanelekileyo, iPolisi Optimizer ithetha ngale nto kwaye unokwenza isigqibo: ungavumeli zonke izicelo ze-Facebook, kodwa kuphela ezona ziphambili.
Ngoko ke, siye safumanisa ukuba izintlu zahlukile. Unokuqiniseka ukuba imithetho ivumela kuphela ezo zicelo ezihamba ngokwenene kuthungelwano. Ukwenza oku, ucofa iqhosha leMatchUsage. Ivela ngolu hlobo:
Kwaye unokongeza izicelo ozibona ziyimfuneko- i Faka iqhosha kwicala lasekhohlo lefestile:
Kwaye ke lo mgaqo ungasetyenziswa kwaye uvavanywe. Sivuyisana nawe!
Cofa Akukho Usetyenziso luchaziweyo.
Kule meko, iwindow ebalulekileyo yokhuseleko iya kuvula.
Kukho uninzi lwemithetho enjalo kuthungelwano lwakho apho usetyenziso lwenqanaba le-L7 lungachazwanga ngokucacileyo. Kwaye kwinethiwekhi yam kukho umgaqo onjalo-makhe ndikukhumbuze ukuba ndiyenzile ngexesha lokuseta okokuqala, ngokukodwa ukubonisa indlela iPolisi Optimizer esebenza ngayo.
Umfanekiso ubonisa ukuba umgaqo we-AllowAll uvumele i-9 gigabytes ye-traffic kwithuba ukusuka ngo-Matshi 17 ukuya ku-Matshi 220, okuyi-150 izicelo ezahlukeneyo kwinethiwekhi yam. Kwaye oko akwanelanga. Ngokuqhelekileyo, i-avareji yenethiwekhi yenkampani ine-200-300 yezicelo ezahlukeneyo.
Ke, umthetho omnye uvumela ukuba kungene izicelo ezimalunga ne-150. Ngokuqhelekileyo oku kuthetha ukuba i-firewall ayilungiswanga ngokuchanekileyo, kuba ngokuqhelekileyo umthetho omnye uvumela u-1-10 wezicelo ngeenjongo ezahlukeneyo. Makhe sibone ukuba ziyintoni na ezi zicelo: cofa i Thelekisa iqhosha:
Eyona nto imangalisayo yomlawuli kumsebenzi wePolisi ye-Optimizer yiqhosha lokuSebenzisa iqhosha - unokwenza umthetho ngonqakrazo olunye, apho uya kufaka zonke izicelo eziyi-150 kumgaqo. Ukwenza oku ngesandla kuya kuthatha ixesha elide. Inani lemisebenzi yomlawuli asebenze kuyo, nakwinethiwekhi yam yezixhobo ezili-10, inkulu kakhulu.
Ndine-150 yezicelo ezahlukeneyo ezisebenza ekhaya, ukuhambisa iigigabytes zetrafikhi! Kwaye unamalini?
Kodwa kwenzeka ntoni kuthungelwano lwezixhobo ezili-100 okanye i-1000 okanye i-10000? Ndibone i-firewall enemithetho ye-8000 kwaye ndivuya kakhulu ukuba abalawuli ngoku banezixhobo ezizenzekelayo ezizenzekelayo.
Ezinye zezicelo ezathi imodyuli yohlalutyo lwesicelo se-L7 kwi-NGFW yabona kwaye yabonisa ukuba awuyi kufuna kumsebenzi womnatha, ngoko ke ususa ngokulula kuluhlu lwemithetho evumelayo, okanye udibanise imithetho usebenzisa iqhosha le-Clone (kwi-interface engundoqo) kwaye zivumele kumgaqo omnye wesicelo, kwaye ngaphakathi Uya kuvala ezinye izicelo njengoko zingafuneki ngokuqinisekileyo kumsebenzi womnatha wakho. Ezo zicelo zihlala zibandakanya i-bittorrent, i-steam, i-ultrasurf, i-tor, iitonela ezifihliweyo ezifana ne-tcp-over-dns kunye nabanye.
Ewe, masicofe omnye umgaqo kwaye sibone oko unokukubona apho:
Ewe, kukho usetyenziso oluqhelekileyo lwe-multicast. Kufuneka sibavumele ukuba bajonge ividiyo kwi-intanethi ukuba basebenze. Cofa usetyenziso oluhambelanayo. Kakhulu! Enkosi iPolisi Optimizer.
Kuthekani ngokuFunda koomatshini?
Ngoku kuyimfashini ukuthetha nge-automation. Into endiyichazile yaphuma-inceda kakhulu. Kukho elinye ithuba endimele ndithethe ngalo. Lo ngumsebenzi wokuFunda koMatshini owakhelwe kwi-Expedition utility, esele ikhankanywe ngasentla. Kolu ncedo, kuyenzeka ukudlulisa imithetho kwifirewall yakho endala ukusuka komnye umenzi. Kukwakho ukukwazi ukuhlalutya iilog zetrafikhi zePalo Alto Networks ezikhoyo kwaye ucebise ukuba yeyiphi imigaqo enokuthi ibhalwe. Oku kufana nokusebenza kwePolisi ye-Optimizer, kodwa kwi-Expedition yandiswa ngakumbi kwaye unikezwa uluhlu lwemithetho esele ilungile - kufuneka nje uyivume.
Ukuvavanya lo msebenzi, kukho umsebenzi webhubhoratri - siyibiza ngokuba yi-test drive. Olu vavanyo lunokwenziwa ngokungena kwii-firewall, apho abasebenzi baseofisi ye-Palo Alto Networks eMoscow baya kuqalisa ngesicelo sakho.
Isicelo sinokuthunyelwa ku [imeyile ikhuselwe] kwaye kwisicelo bhala: "Ndifuna ukwenza i-UTD yeNkqubo yokuFuduka."
Ngapha koko, umsebenzi waselabhoratri obizwa ngokuba yi-Unified Test Drive (UTD) unokhetho oluninzi kwaye zonke emva kwesicelo.
Ngabasebenzisi ababhalisiweyo kuphela abanokuthatha inxaxheba kuphando. , ndiyacela.
Ngaba ungathanda umntu ukuba akuncede wenze imigaqo-nkqubo yakho yomlilo?
-
ukuba
-
akukho
-
Ndiya kuyenza yonke ngokwam
Akukho mntu uvotileyo okwangoku. Akukho zithintelo.
umthombo: www.habr.com