Sibhala ngokufihlakeleyo ngokweGOST: isikhokelo sokuseta umzila oguquguqukayo wetrafikhi

Ukuba inkampani yakho ithumela okanye ifumana iinkcukacha zobuqu kunye nolunye ulwazi oluyimfihlo kwinethiwekhi ephantsi kokhuseleko ngokuhambelana nomthetho, kuyafuneka ukuba kusetyenziswe ufihlo lweGOST. Namhlanje siza kukuxelela ukuba siphumeze njani uguqulelo olunjalo olusekwe kwi-S-Terra crypto gateway (CS) komnye wabathengi. Eli bali liya kuba nomdla kwiingcali zokhuseleko lolwazi, kunye neenjineli, abaqulunqi kunye nabakhi bezakhiwo. Asiyi kuntywila nzulu kwii-nuances zokucwangciswa kobugcisa kwesi sithuba; siya kugxila kumanqaku aphambili okuseta okusisiseko. Imithamo emikhulu yamaxwebhu ekusekweni iidaemoni ze-Linux OS, apho i-S-Terra CS isekwe khona, ifumaneka simahla kwi-Intanethi. Amaxwebhu okuseta isoftware yeS-Terra yobunini ikwafumaneka esidlangalaleni i-portal umenzi.

Amagama ambalwa malunga neprojekthi

I-topology yenethiwekhi yomthengi yayisemgangathweni - i-mesh epheleleyo phakathi kweziko kunye namasebe. Kwakuyimfuneko ukwazisa ukubethelwa kweendlela zokutshintshiselana ngolwazi phakathi kwazo zonke iisayithi, apho kwakukho i-8.

Ngokuqhelekileyo kwiiprojekthi ezinjalo yonke into i-static: iindlela ze-static kwinethiwekhi yendawo yesayithi zibekwe kwii-crypto gateways (CGs), uluhlu lweedilesi ze-IP (ACLs) zokubethelwa zibhalisiwe. Nangona kunjalo, kulo mzekelo, iisayithi azinalo ulawulo oluphakathi, kwaye nantoni na inokwenzeka ngaphakathi kuthungelwano lwasekhaya: uthungelwano lunokongezwa, lucinywe, kwaye lulungiswe ngandlela zonke. Ukuze kuthintelwe ukuphinda kuqwalaselwe indlela kunye ne-ACL kwi-KS xa utshintsha idilesi yothungelwano lwasekhaya kwiindawo, kwagqitywa ekubeni kusetyenziswe i-GRE tunneling kunye ne-OSPF dynamicing, ebandakanya zonke ii-KS kunye neerouters ezininzi kwinqanaba le-network core kwiziza. kwezinye iisayithi, abalawuli beziseko ezingundoqo bakhetha ukusebenzisa i-SNAT ukuya kwi-KS kwiirotha zekernel).

I-GRE tunneling yasivumela ukuba sisombulule iingxaki ezimbini:
1. Sebenzisa idilesi ye-IP ye-interface yangaphandle ye-CS yoguqulelo oluntsonkothileyo kwi-ACL, edibanisa zonke izithuthi ezithunyelwa kwezinye iisayithi.
2. Lungiselela iitonela ze-ptp phakathi kwe-CSs, ekuvumela ukuba uqwalasele umzila oguquguqukayo (kwimeko yethu, i-MPLS L3VPN yomnikezeli ihlelwe phakathi kweesayithi).

Umxhasi uyalele ukuphunyezwa kofihlo njengenkonzo. Ngaphandle koko, kuya kufuneka ukuba angagcini nje ngokugcina amasango e-crypto okanye akhuphe ngaphandle kumbutho othile, kodwa aphinde abeke iliso ngokuzimeleyo umjikelo wobomi bezatifikethi ze-encryption, azihlaziye ngexesha kwaye afake ezintsha.

Kwaye ngoku eyona memo - njani kwaye yintoni esiyiqwalaseleyo

Qaphela kwisihloko seCII: ukuseta i-crypto gateway

Ukuseta inethiwekhi esisiseko

Okokuqala, sisungula i-CS entsha kwaye singene kwikhonsoli yolawulo. Kufuneka uqale ngokutshintsha igama eliyimfihlo lomlawuli elakhelwe ngaphakathi - umyalelo tshintsha umlawuli wephasiwedi yomsebenzisi. Emva koko kufuneka uqhube inkqubo yokuqalisa (command qalisa) ngexesha apho idatha yelayisensi ifakiwe kwaye i-random number sensor (RNS) iqaliswe.

Thabatha ingqalelo! Xa i-S-Terra CC iqaliswa, umgaqo-nkqubo wokhuseleko usekwe apho ujongano lwesango lokhuseleko lungavumeli iipakethi ukuba zidlule. Kuya kufuneka wenze eyakho ipolisi okanye usebenzise umyalelo sebenzisa csconf_mgr vula vula umgaqo-nkqubo ovumela ochazwe kwangaphambili.
Okulandelayo, kufuneka uqwalasele idilesi yojongano lwangaphandle kunye lwangaphakathi, kunye nendlela engagqibekanga. Kukhethwa ukuba usebenze kunye noqwalaselo lwenethiwekhi ye-CS kwaye uqwalasele ufihlo ngokusebenzisa ikhonsoli efana neCisco. Le console yenzelwe ukufaka imiyalelo efana nemiyalelo yeCisco IOS. Uqwalaselo oluveliswe kusetyenziswa i-Cisco-like console, nayo, iguqulelwa kwiifayile ezihambelanayo zoqwalaselo apho ii-daemons ze-OS zisebenza khona. Ungaya kwi-console efana neCisco ukusuka kwikhonsoli yolawulo ngomyalelo configures.

Guqula amagama agqithisiweyo kwi-cscons eyakhelweyo kwaye uvule:

>vumela
Igama lokugqithisa: csp(ifakwe ngaphambili)
# qwalasela i-terminal
#igama lomsebenzisi cscons ilungelo 15 imfihlo 0 #vula imfihlo 0 Ukumisela uqwalaselo olusisiseko lomsebenzi womnatha:

# interface GigabitEthernet0/0
#idilesi ye-ip 10.111.21.3 255.255.255.0
#akukho kuvalwa
# interface GigabitEthernet0/1
#idilesi ye-ip 192.168.2.5 255.255.255.252
#akukho kuvalwa
#ip indlela 0.0.0.0 0.0.0.0 10.111.21.254

GRE

Phuma kwi-console efana neCisco kwaye uye kwiqokobhe ledebian ngomyalelo isixokelelwano. Cwangcisa elakho igama lokugqitha kumsebenzisi Ingcambu Iqela passwd.
Kwigumbi ngalinye lolawulo, itonela eyahlukileyo ilungiselelwe indawo nganye. Ujongano lwetonela luqwalaselwe kwifayile / njl / inethiwekhi / ujongano. Usetyenziso lwetonela ye-IP, ebandakanyiwe kwiseti ye-iproute2 efakwe ngaphambili, inoxanduva lokudala ujongano ngokwalo. Umyalelo wokudala ujongano ubhalwe kukhetho lwangaphambili.

Umzekelo woqwalaselo lojongano oluqhelekileyo lwetonela:
indawo yemoto1
I-iface site1 inet static
idilesi 192.168.1.4
Umnatha 255.255.255.254
Itonela ye-ip yangaphambili yongeza indawo1 imowudi ye-gre yendawo 10.111.21.3 ikude 10.111.22.3 isitshixo hfLYEg^vCh6p

Thabatha ingqalelo! Kufuneka kuqatshelwe ukuba imimiselo yojongano lwetonela kufuneka ibekwe ngaphandle kwecandelo

###netifcfg-qala###
*****
###netifcfg-end###

Ngaphandle koko, ezi zicwangciso ziya kubhalwa ngaphezulu xa utshintsha useto lwenethiwekhi yojongano lomzimba ngeCisco-like console.

Indlela enamandla

Kwi-S-Terra, umzila oguquguqukayo uphunyezwa kusetyenziswa iphakheji yesoftware yeQuagga. Ukuqwalasela i-OSPF kufuneka senze kwaye siqwalasele iidaemon idiza и ospfd. I-zebra daemon inoxanduva lonxibelelwano phakathi kwe-daemons ezijikelezayo kunye ne-OS. I-ospfd daemon, njengoko igama libonisa, inoxanduva lokuphumeza iprotocol ye-OSPF.
I-OSPF iqwalaselwe nokuba nge-daemon console okanye ngokuthe ngqo ngefayile yoqwalaselo /etc/quagga/ospfd.conf. Lonke unxibelelwano olubonakalayo kunye netonela elithatha inxaxheba kumzila oguquguqukayo zongezwa kwifayile, kwaye uthungelwano oluya kupapashwa kwaye lufumane izibhengezo luyabhengezwa.

Umzekelo woqwalaselo olufuna ukongezwa kulo ospfd.conf:
ujongano eth0
!
ujongano eth1
!
indawo yojongano1
!
indawo yojongano2
umzila ospf
ospf umzila-id 192.168.2.21
inethiwekhi 192.168.1.4/31 indawo 0.0.0.0
inethiwekhi 192.168.1.16/31 indawo 0.0.0.0
inethiwekhi 192.168.2.4/30 indawo 0.0.0.0

Kule meko, iidilesi 192.168.1.x/31 zigcinelwe uthungelwano lwe-ptp yetonela phakathi kweesayithi, iidilesi ezi-192.168.2.x/30 zabelwe uthungelwano lokuhamba phakathi kwe-CS kunye ne-kernel routers.

Thabatha ingqalelo! Ukunciphisa itafile yomzila kufakelo olukhulu, ungahluza intengiso yothungelwano lothutho ngokwalo usebenzisa ulwakhiwo. akukho kwabiwe ngokutsha okuqhagamshelweyo okanye ukusasaza kwakhona imephu yendlela eqhagamshelweyo.

Emva kokuqwalasela iidaemon, kufuneka utshintshe imeko yokuqalisa yeedemon /etc/quagga/daemons. Kwiinketho idiza и ospfd akukho tshintsho ku-ewe. Qala i-quagga daemon kwaye uyibeke kwi-autorun xa uqala umyalelo we-KS uhlaziyo-rc.d quagga vumela.

Ukuba uqwalaselo lweetonela ze-GRE kunye ne-OSPF zenziwe ngokuchanekileyo, ngoko ke iindlela kuthungelwano lwezinye iisayithi kufuneka zivele kwi-KSh kunye neerotha ezingundoqo kwaye, ngoko, uqhagamshelwano lwenethiwekhi phakathi kothungelwano lwasekhaya luvela.

Sibhala ngokuntsonkothileyo itrafikhi ethunyelwayo

Njengoko sele kubhaliwe, ngokuqhelekileyo xa uguqulelo oluntsonkothileyo phakathi kweesayithi, sicacisa uluhlu lweedilesi ze-IP (ACLs) phakathi kwe-traffic efihliweyo: ukuba umthombo kunye needilesi zendawo ziwela phakathi kwezi ntlobo, ngoko i-traffic phakathi kwabo ifihliwe. Nangona kunjalo, kule projekthi isakhiwo siguquguqukayo kwaye iidilesi zinokutshintsha. Ekubeni sele siqwalasele i-GRE tunneling, sinokukhankanya iidilesi ze-KS zangaphandle njengomthombo kunye needilesi zokusingwa zokufihla i-traffic - emva kwayo yonke into, i-traffic esele ifakwe kwi-protocol ye-GRE ifika ukuze iguqulelwe. Ngamanye amazwi, yonke into engena kwi-CS ukusuka kuthungelwano lwendawo kwindawo enye ukuya kuthungelwano oluye lwabhengezwa ngamanye amanxuwa lufihliwe. Kwaye kwisiza ngasinye nakuphi na ukuhanjiswa kwakhona kunokwenziwa. Ke, ukuba kukho naluphi na utshintsho kuthungelwano lwasekhaya, umlawuli kufuneka aguqule kuphela izibhengezo ezivela kwinethiwekhi yakhe ukuya kwinethiwekhi, kwaye iya kufumaneka kwezinye iisayithi.

Uguqulelo oluntsonkothileyo kwi-S-Terra CS lwenziwa kusetyenziswa iprotocol ye-IPSec. Sisebenzisa i-algorithm ethi "Grasshopper" ngokuhambelana neGOST R 34.12-2015, kunye nokuhambelana neenguqulelo ezindala ungasebenzisa iGOST 28147-89. Ungqinisiso lunokwenziwa ngobuchule kuzo zombini izitshixo ezichazwe kwangaphambili (iiPSK) kunye nezatifikethi. Nangona kunjalo, ekusebenzeni kwamashishini kuyimfuneko ukusebenzisa izatifikethi ezikhutshwe ngokuhambelana neGOST R 34.10-2012.

Ukusebenza ngezatifikethi, izikhongozeli kunye neeCRL kwenziwa kusetyenziswa usetyenziso cert_mgr. Okokuqala, sebenzisa umyalelo cert_mgr yenza Kuyimfuneko ukuba kwenziwe isingxobo esizitshixo sabucala kunye nesicelo sesatifikethi, esiya kuthunyelwa kwiZiko loLawulo lweSatifikethi. Emva kokufumana isatifikethi, kufuneka singeniswe ngaphandle kunye nengcambu yesatifikethi se-CA kunye ne-CRL (ukuba isetyenziswe) kunye nomyalelo cert_mgr ngaphandle. Ungaqiniseka ukuba zonke izatifikethi kunye neeCRL zifakwe kunye nomyalelo cert_mgr umboniso.

Emva kokufaka ngempumelelo izatifikethi, yiya kwi-console efana neCisco ukuze uqwalasele i-IPSec.
Senza umgaqo-nkqubo we-IKE ochaza ii-algorithms ezifunwayo kunye neeparamitha zejelo elikhuselekileyo elenziwayo, eliya kunikwa iqabane ukuze lamkelwe.

#crypto isakmp umgaqo-nkqubo 1000
#encr gost341215k
#hash gost341112-512-tc26
# uphawu lokuqinisekisa
#iqela vko2
#ubomi 3600

Lo mgaqo-nkqubo usetyenziswa xa kusakhiwa isigaba sokuqala se-IPSec. Isiphumo sokuqukunjelwa ngempumelelo kwesigaba sokuqala kukusekwa koMzantsi Afrika (uMbutho woKhuseleko).
Emva koko, kufuneka sichaze uluhlu lomthombo kunye needilesi ze-IP (i-ACL) yokubhaliweyo, ukuvelisa isethi yokuguqula, ukudala imephu ye-cryptographic (imephu ye-crypto) kwaye uyibophe kwi-interface yangaphandle ye-CS.

Seta i-ACL:
#ip ukufikelela-uluhlu olwandisiweyo site1
#permit gre host 10.111.21.3 umamkeli 10.111.22.3

Iseti yotshintsho (efanayo nenqanaba lokuqala, sisebenzisa i-algorithm yoguqulelo lwe-"Grasshopper" sisebenzisa imowudi yokulinganisa yokufaka isizukulwana):

#crypto ipsec inguqu-seti GOST esp-gost341215k-mac

Senza imephu ye-crypto, sicacise i-ACL, siguqule isethi kunye nedilesi yontanga:

#Imephu yecrypto MAIN 100 ipsec-isakmp
#idilesi yomdlalo1
#seta inguqu-seti yeGOST
#seta ntanga 10.111.22.3

Sibopha ikhadi le-crypto kwi-interface yangaphandle yerejista yemali:

# interface GigabitEthernet0/0
#idilesi ye-ip 10.111.21.3 255.255.255.0
#Imephu yecrypto MAIN

Ukubethela iziteshi kunye nezinye iisayithi, kufuneka uphinde inkqubo yokwenza i-ACL kunye nekhadi le-crypto, ukutshintsha igama le-ACL, iidilesi ze-IP kunye nenombolo yekhadi le-crypto.

Thabatha ingqalelo! Ukuba uqinisekiso lwesatifikethi yi-CRL alusetyenziswanga, oku kufuneka kucaciswe ngokuthe gca:

#crypto pki trustpoint s-terra_technological_trustpoint
#urhoxiso-jonga akukho nanye

Ngeli xesha, ukuseta kunokuqwalaselwa ngokupheleleyo. Kwimveliso yomyalelo we-console yeCisco bonisa i-crypto isakmp sa и bonisa i-crypto ipsec sa Izigaba ezakhiweyo zokuqala nezesibini ze-IPSec kufuneka zibonakaliswe. Ulwazi olufanayo lunokufunyanwa ngokusebenzisa umyalelo sa_mgr bonisa, yenziwe kwiqokobhe ledebian. Kwisiphumo somyalelo cert_mgr umboniso Izatifikethi zesayithi ezikude kufuneka zivele. Ubume bezatifikethi ezinjalo buya kuba Kude. Ukuba i-tunnels ayikhiwanga, kufuneka ujonge i-log yenkonzo ye-VPN, egcinwe kwifayile /var/log/cspvpngate.log. Uluhlu olupheleleyo lweefayile zelog ezinenkcazo yeziqulatho zazo ziyafumaneka kumaxwebhu.

Ukubeka iliso “kwimpilo” yenkqubo

I-S-Terra CC isebenzisa i-daemon esemgangathweni ye-snmpd ukubeka iliso. Ukongeza kwiiparameters eziqhelekileyo ze-Linux, ngaphandle kwebhokisi i-S-Terra ixhasa ukukhupha idatha malunga neetonela ze-IPSec ngokuhambelana ne-CISCO-IPSEC-FLOW-MONITOR-MIB, eyona nto siyisebenzisayo xa sibeka esweni isimo se-IPSec tunnels. Ukusebenza kwee-OID zesiko ezikhupha iziphumo zokwenziwa kweskripthi njengamaxabiso nazo ziyaxhaswa. Eli nqaku lisivumela ukuba silandele imihla yokuphelelwa kwesatifikethi. Umbhalo obhaliweyo ucalula imveliso yomyalelo cert_mgr umboniso kwaye ngenxa yoko inika inani leentsuku de izatifikethi zasekhaya kunye neengcambu ziphelelwe lixesha. Obu buchule buyimfuneko xa kulawulwa inani elikhulu le-CABGs.

Iyintoni inzuzo yoguqulelo olunjalo?

Yonke imisebenzi echazwe ngasentla ixhaswa ngaphandle kwebhokisi yi-S-Terra KSh. Okokuthi, kwakungekho mfuneko yokufaka naziphi na iimodyuli ezongezelelweyo ezinokuchaphazela ukuqinisekiswa kwamasango e-crypto kunye nokuqinisekiswa kwenkqubo yonke yolwazi. Kunokubakho nawaphi na amajelo phakathi kweesayithi, nkqu nange-Intanethi.

Ngenxa yokuba xa utshintsho lwangaphakathi lwangaphakathi lutshintsha, akukho mfuneko yokuphinda uqwalasele amasango e-crypto, inkqubo isebenza njengenkonzo, ekulungele kakhulu umthengi: unokubeka iinkonzo zakhe (umxhasi kunye nomncedisi) nakweyiphi na idilesi, kwaye zonke iinguqu ziya kudluliselwa ngamandla phakathi kwezixhobo zokubethela.

Kakade ke, uguqulelo oluntsonkothileyo ngenxa yeendleko eziphezulu (i-overhead) ichaphazela isantya sokudluliselwa kwedatha, kodwa kancinane kuphela - i-output yeshaneli inokuncipha ngobuninzi be-5-10%. Kwangaxeshanye, itekhnoloji ivavanyiwe kwaye yaboniswa iziphumo ezilungileyo nakwiziteshi zesathelayithi, ezingazinzanga kwaye zine-bandwidth ephantsi.

U-Igor Vinokhodov, injineli yomgca we-2 wolawulo lwe-Rostelecom-Solar

umthombo: www.habr.com