Modern solutions for building information security systems: network packet brokers (Network Packet Broker)

Information security has split off from telecommunications into an independent industry with its own specifics and its own tools. But there is a little-known class of devices that sits at the junction of telecom and infosec: network packet brokers (Network Packet Broker), also known as load balancers, dedicated/monitoring switches, traffic aggregators, Security Delivery Platforms, network visibility systems and so on. And we, as a Russian developer and manufacturer of such devices, really want to tell you more about them.


Scope and the tasks to be solved

Network packet brokers are specialised devices that have found wide application in information security systems. At the same time, this device class is new and, compared with switches, routers and the like, still rare in telecommunication infrastructures. The pioneer in developing this type of device was the American company Gigamon. Today there are quite a few players in this market (including comparable solutions from the well-known maker of test systems, IXIA), but only a narrow circle of specialists know that such devices exist. As noted above, there is no clear consensus even on terminology: the names range from "network visibility systems" to simply "balancers".

While developing network packet brokers, we found that, in addition to analysing development trends and testing performance in labs and test sites, we also have to explain to potential customers that this class of devices exists at all, since not everyone knows about it.

Just 15-20 years ago there was little traffic on the network, and much of the data was not critical. But Nielsen's Law echoes Moore's Law: Internet connection speed grows by 50% per year. Traffic volume is also growing steadily (the graph shows Cisco's 2017 forecast; source: Cisco Visual Networking Index: Forecast and Trends, 2017-2022):

[Figure: Cisco Visual Networking Index traffic forecast, 2017-2022]
Along with speed, the value of the information in circulation (both trade secrets and personal data) and the overall functionality of the infrastructure keep increasing.

Accordingly, the information security industry emerged. It responded with a whole range of traffic analysis (DPI) systems, from DDoS attack prevention systems to security event management systems, including IDS, IPS, DLP, NBA, SIEM, anti-malware and more. As a rule, each of these tools is software installed on a server platform. Moreover, each system (analysis tool) is installed on its own server platform: the software vendors differ, and L7 analysis requires a lot of computing resources.

When building an information security system, a number of basic tasks have to be solved:

  • how to deliver traffic from the core infrastructure to the analysis systems? (The SPAN ports originally developed for this on current core infrastructure are insufficient, either in number or in performance.)
  • how to distribute traffic between different analysis systems?
  • how to scale the systems when the performance of a single analyzer instance is not enough to process the whole volume of traffic arriving at it?
  • how to monitor 40G / 100G interfaces (and, in the near future, 200G / 400G), given that analysis tools currently support only 1G / 10G / 25G interfaces?

And the following secondary tasks:

  • how to reduce irrelevant traffic that does not need to be processed, but still reaches the analysis tools and consumes their resources?
  • how to process encapsulated packets and packets carrying hardware service marks, whose handling makes analysis very resource-intensive or impossible altogether?
  • how to exclude from analysis the part of the traffic that is not governed by the security policy (for example, header traffic)?

As everyone knows, demand creates supply: in response to these needs, network packet brokers began to be developed.

General description of Network Packet Brokers

Network packet brokers operate at the packet level, and in this they resemble ordinary switches. The main difference from a switch is that the rules for distributing and aggregating traffic in a network packet broker are defined entirely by configuration. Network packet brokers have no mechanisms for building forwarding tables (MAC tables) and no exchange protocols with other switches (such as STP), so the range of possible configurations, and of the fields they can understand, is much wider. A broker can evenly distribute traffic from one or more input ports to a given set of output ports and perform load balancing. It can apply rules for copying, filtering, classifying, deduplicating and transforming traffic. These rules can be applied to different groups of the broker's input ports, and applied one after another within the device itself. An important advantage of a packet broker is the ability to process traffic at full line rate while preserving session integrity (when balancing traffic across several DPI systems of the same type).

Preserving session integrity means forwarding all packets of a transport-layer session (TCP / UDP / SCTP) to the same port. This matters because DPI systems (usually software running on a server connected to an output port of the packet broker) analyse traffic content at the application level, and all packets sent or received by one application must arrive at the same analyzer instance. If the packets of one session are lost or scattered between different DPI devices, each DPI device is in the position of reading not a whole text, but individual words from it. And, most likely, the text will not be understood.

So, with a focus on information security systems, network packet brokers have functionality that helps to integrate DPI software systems into high-speed telecommunication networks and to reduce the load on them: they pre-filter, classify and prepare traffic to simplify its subsequent processing.

In addition, since network packet brokers provide a wide range of statistics and are usually connected to various points in the network, they have found a place in diagnosing the health problems of the telecommunication infrastructure itself.

Basic functions of Network Packet Brokers

The name "dedicated/monitoring switches" comes from the basic purpose: to collect traffic from the core infrastructure (usually via TAP couplers and / or SPAN ports) and distribute it among the analysis tools. Traffic is mirrored (duplicated) between systems of different types, and balanced between systems of the same type. Basic functions usually include filtering by fields up to L4 (MAC, IP, TCP / UDP port, etc.) and aggregating lightly loaded channels into one (for example, to feed a single DPI system).

This functionality solves the basic task: connecting DPI systems to the telecommunication infrastructure. Brokers from various manufacturers that are limited to the basic functionality offer up to 32 100G interfaces per 1U (more interfaces physically do not fit on a 1U front panel). However, they do not reduce the load on the analysis tools, and in complex infrastructures they cannot even meet the requirements of the basic task: a session spread across several tunnels (or carrying MPLS tags) may land on different analyzer instances and drop out of analysis altogether.

Besides adding 40 / 100G interfaces and, correspondingly, raising performance, network packet broker vendors are actively working on new advanced features: from balancing by nested tunnel headers to decryption. Unfortunately, such models cannot boast terabit performance, but they make it possible to build a truly "smart", high-quality information security system in which each analysis tool is guaranteed to receive only the information it needs, in the form best suited to analysis.

Advanced functions of network packet brokers

1. Balancing by nested tunnel headers, already mentioned above.

Why does it matter at all? Consider three aspects that can be significant together or separately:

  • ensuring even balancing in front of a small number of tunnels. When there are only 2 tunnels at the point where the information security systems are connected, it is impossible to balance them by outer headers across 3 server platforms while preserving sessions. Moreover, traffic in the network is distributed unevenly, and directing each tunnel to a separate processing node demands excess performance from that node;
  • ensuring the integrity of sessions and of the flows of multi-session protocols (for example, FTP and VoIP) whose packets end up in different tunnels. Network infrastructure keeps getting more complex: redundancy, virtualisation, simplified management, and so on. On the one hand, this improves reliability in terms of data delivery; on the other, it complicates the work of information security systems. Even when the analyzers have enough performance to process a dedicated channel together with its tunnels, the problem looks unsolvable, because some packets of a user session are sent over another channel. Moreover, even where session integrity is still maintained in some infrastructures, multi-session protocols may travel by different routes;
  • balancing in front of MPLS, VLAN, individual vendors' tags, etc. These are not tunnels as such, but devices with only basic functionality may nevertheless fail to recognise this traffic as IP and balance it by MAC addresses, again breaking the evenness of balancing or session integrity.

The network packet broker parses the outer headers, follows the pointers one by one to the nested IP header, and balances on that. As a result there are far more flows (and, accordingly, they can be balanced evenly across a large number of platforms), and the DPI system receives all packets of a session and all related sessions of a multi-session protocol.
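The session-integrity rule from the general description and the nested-header balancing of point 1 can be shown together. The code below is an added example written for this article, not code from DS Integrity or any packet broker vendor: it parses Ethernet / 802.1Q / IPv4 / GRE / VXLAN frames down to the innermost IPv4/L4 5-tuple, builds a direction-independent flow key, and maps each key to one of N output ports with CRC32. The tunnel endpoints, the 60 sample sessions and the choice of CRC32 are constructed assumptions; `balancing_report` compares outer-header and inner-header balancing on the same traffic.

```python
"""Added example (not from the original article or any vendor's code): session-
preserving balancing of tunnelled traffic on the innermost headers, as point 1
above describes. Tunnel endpoints and sessions are constructed sample data."""
import struct
import zlib

ETH_IPV4, ETH_8021Q = 0x0800, 0x8100
PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47
VXLAN_PORT = 4789

def parse_layers(frame: bytes) -> list:
    """IPv4/L4 5-tuples (src, dst, proto, sport, dport) in the frame, outermost
    first. Skips 802.1Q tags and descends through GRE and VXLAN."""
    ethertype, off = struct.unpack_from("!H", frame, 12)[0], 14
    while ethertype == ETH_8021Q:
        ethertype, off = struct.unpack_from("!H", frame, off + 2)[0], off + 4
    return ipv4_layers(frame, off) if ethertype == ETH_IPV4 else []

def ipv4_layers(frame: bytes, off: int) -> list:
    ihl, proto = (frame[off] & 0x0F) * 4, frame[off + 9]
    src, dst = frame[off + 12:off + 16], frame[off + 16:off + 20]
    l4 = off + ihl
    if proto == PROTO_GRE:
        flags, gre_type = struct.unpack_from("!HH", frame, l4)
        # optional checksum / key / sequence fields add 4 bytes each (RFC 2784, RFC 2890)
        hdr = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        inner = ipv4_layers(frame, l4 + hdr) if gre_type == ETH_IPV4 else []
        return [(src, dst, proto, 0, 0)] + inner
    if proto in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack_from("!HH", frame, l4)
        this = (src, dst, proto, sport, dport)
        if proto == PROTO_UDP and dport == VXLAN_PORT:
            return [this] + parse_layers(frame[l4 + 16:])   # UDP(8) + VXLAN(8), then inner Ethernet
        return [this]
    return [(src, dst, proto, 0, 0)]

def flow_key(t: tuple) -> bytes:
    """Direction-independent key, so both halves of a session land on one port."""
    src, dst, proto, sport, dport = t
    a, b = sorted([(src, sport), (dst, dport)])
    return a[0] + b[0] + struct.pack("!BHH", proto, a[1], b[1])

def output_port(t: tuple, n_ports: int) -> int:
    """Hash the flow key onto one of n_ports outputs (CRC32 chosen for the example)."""
    return zlib.crc32(flow_key(t)) % n_ports

# --- constructed sample frames (IP header checksum left 0; the parser does not verify it) ---
def ipv4_pkt(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def tcp_seg(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + b"data"

def ether_frame(payload, vlan=None):
    tag = struct.pack("!HH", ETH_8021Q, vlan) if vlan is not None else b""
    return bytes(range(12)) + tag + struct.pack("!H", ETH_IPV4) + payload

def gre_wrap(inner_ip):
    return struct.pack("!HH", 0, ETH_IPV4) + inner_ip

def vxlan_wrap(inner_frame, vni=100):
    udp = struct.pack("!HHHH", 12345, VXLAN_PORT, 16 + len(inner_frame), 0)
    return udp + struct.pack("!II", 0x08000000, vni << 8) + inner_frame

def build_sample_traffic() -> list:
    """Two GRE tunnels (one VLAN-tagged) carrying 60 TCP sessions, one packet each way."""
    tunnels = [(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"), (b"\x0a\x00\x01\x01", b"\x0a\x00\x01\x02")]
    server, frames = b"\xc0\xa8\x02\x0a", []
    for i in range(60):
        client, sport, (t_src, t_dst) = bytes([192, 168, 1, i + 1]), 40000 + i, tunnels[i % 2]
        for inner, o_src, o_dst in ((ipv4_pkt(client, server, PROTO_TCP, tcp_seg(sport, 443)), t_src, t_dst),
                                    (ipv4_pkt(server, client, PROTO_TCP, tcp_seg(443, sport)), t_dst, t_src)):
            frames.append(ether_frame(ipv4_pkt(o_src, o_dst, PROTO_GRE, gre_wrap(inner)), vlan=100 if i % 2 else None))
    return frames

def build_vxlan_sample() -> bytes:
    """One constructed VXLAN-encapsulated UDP/53 packet, to exercise the VXLAN path."""
    inner = ether_frame(ipv4_pkt(b"\x01\x01\x01\x01", b"\x02\x02\x02\x02", PROTO_UDP, struct.pack("!HHHH", 5000, 53, 8, 0)))
    return ether_frame(ipv4_pkt(b"\x0a\x00\x02\x01", b"\x0a\x00\x02\x02", PROTO_UDP, vxlan_wrap(inner)))

def balancing_report(frames: list, n_ports: int, by_inner: bool) -> tuple:
    """(output ports actually used, sessions whose packets were split across ports)."""
    session_ports = {}
    for f in frames:
        layers = parse_layers(f)
        port = output_port(layers[-1] if by_inner else layers[0], n_ports)
        session_ports.setdefault(flow_key(layers[-1]), set()).add(port)
    used = {p for ports in session_ports.values() for p in ports}
    return len(used), sum(1 for ports in session_ports.values() if len(ports) > 1)
```

Running `balancing_report(build_sample_traffic(), 3, by_inner=False)` reproduces the two-tunnels-onto-three-servers problem: only the two outer GRE flows exist, so at most two of the three analyzers ever receive traffic. With `by_inner=True` the same frames spread over all three ports and no session is split, because the key is built from the inner 5-tuple and sorted so that both directions hash identically.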

2. Traffic transformation.
One of the broadest functions in terms of capabilities; the number of sub-functions and of ways to use them is large:

  • payload stripping, where only the packet headers are passed on to the parser. This suits analysis tools or traffic types where the packet contents play no role or cannot be analysed. For example, in encrypted traffic the parametric exchange data (who, with whom, when and how much) can be of interest, while the payload is junk occupying the channel and the analyzer's computing resources. A variant is to truncate the payload starting from a given offset, which gives the analysis tools an extra margin;
  • detunneling, i.e. removing the headers that describe and identify the tunnel. The purpose is to reduce the load on the analysis tools and raise their performance. Detunneling can be based on a fixed offset or on dynamic header parsing with the offset determined for every packet;
  • removal of other packet headers: MPLS tags, VLAN, specific third-party vendor fields;
  • masking part of the headers, for example masking IP addresses to ensure traffic anonymity;
  • adding service information to the packet: timestamps, input port, traffic class labels, etc.
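Three of the transformations listed above, applied to a plain IPv4/TCP frame, as an added example written for this article rather than a broker vendor's code: payload truncation at an offset (with the IPv4 total length and header checksum rewritten so the analyzer still sees a consistent header), masking of the host bits of both IP addresses, and appending service information as a trailer. The frame is constructed inline; the trailer layout and the choice of zeroing host bits as the masking rule are assumptions made for the example.

```python
"""Added example (not from the original article): payload stripping, address
masking and a service-information trailer on a constructed IPv4/TCP frame."""
import struct

ETH_LEN = 14

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 header checksum; returns 0 when run over a header whose checksum is valid."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def refresh_checksum(frame: bytes) -> bytes:
    """Recompute the IPv4 header checksum after any header field was changed."""
    ip_end = ETH_LEN + (frame[ETH_LEN] & 0x0F) * 4
    hdr = bytearray(frame[ETH_LEN:ip_end])
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return frame[:ETH_LEN] + bytes(hdr) + frame[ip_end:]

def strip_payload(frame: bytes, keep: int = 0) -> bytes:
    """Keep L2/L3/L4 headers plus `keep` bytes of L4 payload and fix the IPv4
    total length and checksum. The L4 checksum is left untouched, which an
    analyzer fed by a broker has to tolerate."""
    ip_end = ETH_LEN + (frame[ETH_LEN] & 0x0F) * 4
    proto = frame[ETH_LEN + 9]
    l4_len = {6: (frame[ip_end + 12] >> 4) * 4, 17: 8}.get(proto, 0)   # TCP data offset / UDP header
    cut = min(len(frame), ip_end + l4_len + keep)
    out = bytearray(frame[:cut])
    struct.pack_into("!H", out, ETH_LEN + 2, cut - ETH_LEN)
    return refresh_checksum(bytes(out))

def mask_addresses(frame: bytes, prefix_bits: int = 24) -> bytes:
    """Zero the host bits of src/dst IPv4 (a /24 keeps only the subnet); one
    possible anonymisation rule, assumed for this example."""
    mask = (0xFFFFFFFF << (32 - prefix_bits)) & 0xFFFFFFFF
    out = bytearray(frame)
    for o in (ETH_LEN + 12, ETH_LEN + 16):
        struct.pack_into("!I", out, o, struct.unpack_from("!I", out, o)[0] & mask)
    return refresh_checksum(bytes(out))

def add_trailer(frame: bytes, ingress_port: int, ts_ns: int) -> bytes:
    """Append service information (ingress port, timestamp). The 12-byte layout
    with a 0xD5D5 marker is invented for this example; real brokers use their own."""
    return frame + struct.pack("!HHQ", 0xD5D5, ingress_port, ts_ns)

def make_sample_frame(payload_len: int = 200) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame 192.168.1.42:51000 -> 10.0.0.5:443."""
    eth = bytes(range(12)) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                     b"\xc0\xa8\x01\x2a", b"\x0a\x00\x00\x05")
    return refresh_checksum(eth + ip + tcp + bytes(payload_len))
```

`strip_payload(make_sample_frame())` leaves a 54-byte frame whose IPv4 total length reads 40, and `ipv4_checksum` over its header returns 0, so an analyzer that validates the IP header accepts it; `strip_payload(frame, keep=16)` is the "truncate from a given offset" variant.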

3. Deduplication: purging duplicate packets from the traffic sent to the analysis tools. Duplicate packets usually arise from how the broker is connected to the infrastructure: traffic may pass through several monitoring points and be mirrored at each of them. There are also retransmissions of incomplete TCP packets, but if there are many of them, that is more a question of monitoring network quality than of information security.
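One way to implement the deduplication described in point 3, as an added example for this article and not any vendor's implementation: a key is computed over the packet from the IPv4 header onward with the per-hop fields (TTL and header checksum) zeroed and the Ethernet header ignored, so that the copies captured before and after a router collapse to one key, and a copy is dropped if the same key was seen inside a short window. The 100 ms window and the sample captures are constructed assumptions.

```python
"""Added example (not from the original article): deduplication of packets that
were mirrored at several monitoring points along one path. Frames are constructed."""
import hashlib
import struct
from collections import OrderedDict

ETH_LEN = 14

def dedup_key(frame: bytes) -> bytes:
    """Digest of the packet from the IPv4 header on, with TTL and header checksum
    zeroed and the Ethernet header ignored (MACs and TTL differ per hop)."""
    ip = bytearray(frame[ETH_LEN:])
    ip[8] = 0                  # TTL is decremented at every router
    ip[10:12] = b"\x00\x00"    # header checksum changes with the TTL
    return hashlib.blake2b(bytes(ip), digest_size=16).digest()

class Deduplicator:
    """Drops a frame whose key was already seen within `window_s` seconds
    (the window length is an assumption for this example)."""
    def __init__(self, window_s: float = 0.1):
        self.window = window_s
        self.seen = OrderedDict()          # key -> first-seen time, oldest first

    def accept(self, frame: bytes, ts: float) -> bool:
        while self.seen and ts - next(iter(self.seen.values())) > self.window:
            self.seen.popitem(last=False)  # expire entries older than the window
        key = dedup_key(frame)
        if key in self.seen:
            return False
        self.seen[key] = ts
        return True

def sample_frame(ttl: int, dst_mac: bytes, seq: int) -> bytes:
    """Constructed IPv4/TCP frame; only TTL, destination MAC and TCP seq vary."""
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, seq, 1, 5 << 4, 0x18, 65535, 0, 0) + b"GET / HTTP/1.1"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     b"\xc0\xa8\x01\x2a", b"\x0a\x00\x00\x05")
    return dst_mac + bytes(6) + b"\x08\x00" + ip + tcp

def run_sample() -> list:
    """Feed four constructed captures through the deduplicator; returns the decisions."""
    d = Deduplicator(window_s=0.1)
    captures = [
        (0.0000, sample_frame(64, b"\xaa" * 6, seq=1)),  # tap before the router: kept
        (0.0002, sample_frame(63, b"\xbb" * 6, seq=1)),  # same packet after the router: dropped
        (0.5000, sample_frame(64, b"\xaa" * 6, seq=1)),  # retransmission 0.5 s later, outside the window: kept
        (0.5001, sample_frame(64, b"\xaa" * 6, seq=2)),  # next segment, different seq: kept
    ]
    return [d.accept(f, ts) for ts, f in captures]
```

`run_sample()` returns `[True, False, True, True]`: the second tap's copy is suppressed, while the genuine retransmission half a second later passes because it falls outside the window, which is the trade-off the window length controls.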

4. Advanced filtering features: from searching for specific values at a given offset to signature analysis across the whole packet.

5. NetFlow / IPFIX generation: collecting a wide range of statistics on the passing traffic and passing them on to the analysis tools.
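The statistics behind NetFlow/IPFIX generation come from a flow cache keyed by the 5-tuple. The following is an added example for this article (not a vendor's exporter): each IPv4 frame updates a per-flow record of packets, bytes and first/last timestamps, and records are handed over for export when an active or idle timeout expires. The 120 s / 15 s timeouts and the two sample flows are assumptions; the export encoding itself is out of scope.

```python
"""Added example (not from the original article): a minimal flow cache of the
kind behind NetFlow/IPFIX generation. Timeout values and sample flows are assumed."""
import struct
from dataclasses import dataclass

ETH_LEN = 14

@dataclass
class FlowRecord:
    key: tuple           # (src, dst, proto, sport, dport)
    first: float
    last: float
    packets: int = 0
    octets: int = 0

def five_tuple(frame: bytes) -> tuple:
    """IPv4 5-tuple of a plain Ethernet/IPv4 frame (ports 0 for non-TCP/UDP)."""
    off = ETH_LEN
    proto, ihl = frame[off + 9], (frame[off] & 0x0F) * 4
    src, dst = frame[off + 12:off + 16], frame[off + 16:off + 20]
    sport, dport = struct.unpack_from("!HH", frame, off + ihl) if proto in (6, 17) else (0, 0)
    return (src, dst, proto, sport, dport)

class FlowCache:
    def __init__(self, active_s: float = 120.0, idle_s: float = 15.0):
        self.active, self.idle, self.flows = active_s, idle_s, {}

    def observe(self, frame: bytes, ts: float) -> None:
        key = five_tuple(frame)
        rec = self.flows.setdefault(key, FlowRecord(key, ts, ts))
        rec.packets += 1
        rec.octets += len(frame) - ETH_LEN     # IP-layer bytes, as NetFlow counts them
        rec.last = ts

    def expire(self, now: float) -> list:
        """Return (and drop from the cache) the records that would be exported now:
        flows alive longer than the active timeout or silent longer than the idle one."""
        done = [r for r in self.flows.values()
                if now - r.first >= self.active or now - r.last >= self.idle]
        for r in done:
            del self.flows[r.key]
        return done

def sample_frame(src: bytes, sport: int, payload_len: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame towards 10.0.0.5:443."""
    tcp = struct.pack("!HHIIBBHHH", sport, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + bytes(payload_len)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, b"\x0a\x00\x00\x05")
    return bytes(12) + b"\x08\x00" + ip + tcp

def run_sample() -> tuple:
    """Two constructed flows; returns (records exported at t=20 s, flows still cached)."""
    cache = FlowCache()
    for t in range(5):                                                     # flow A: 5 packets, t = 0..4
        cache.observe(sample_frame(b"\xc0\xa8\x01\x01", 50001, 100), float(t))
    cache.observe(sample_frame(b"\xc0\xa8\x01\x02", 50002, 300), 10.0)    # flow B: 1 packet at t = 10
    return cache.expire(20.0), len(cache.flows)
```

At t = 20 s flow A has been idle for 16 s and is exported with 5 packets and 700 IP-layer bytes, while flow B (idle 10 s) stays in the cache; that is the per-flow record an analyzer or SIEM receives instead of the packets themselves.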

6. SSL traffic decryption, which works only if the certificate and keys are first loaded into the network packet broker. Nevertheless, this offloads the analysis tools considerably.

There are many more functions, both useful and marketing-driven, but the main ones are probably listed.

The evolution of detection systems (intrusion, DDoS attack) into prevention systems, and the introduction of active DPI tools, require a change in the connection scheme from passive (via TAP or SPAN ports) to active ("in-line"). This raises the reliability requirements (because a failure here disrupts the whole network, not just the information security monitoring) and led to optical couplers being replaced by optical bypasses (to remove the dependence of the network's operation on the operation of the information security systems), but the main thing, together with its requirements, has remained the same.

We have developed the DS Integrity Network Packet Brokers with 100G, 40G and 10G interfaces, from the design and circuitry to the embedded software. Moreover, unlike other packet brokers, the transformation and nested-tunnel-header balancing functions are implemented in our hardware, at full port speed.


Source: www.habr.com
