Kukangaphi uthenga into ngokuzenzekelayo, unikezela kwintengiso epholileyo, kwaye le nto ibinqweneleka ekuqaleni iqokelela uthuli kwigunjana, i-pantry okanye igaraji kude kube yintlakohlaza elandelayo yokucoca okanye uhambe? Isiphumo kukuphoxeka ngenxa yolindelo olungafanelekanga kunye nenkcitho yemali. Kubi kakhulu xa oku kusenzeka kwishishini. Rhoqo, ii-gimmicks zentengiso zilungile kangangokuba iinkampani zithenga isisombululo esibiza kakhulu ngaphandle kokubona umfanekiso opheleleyo wesicelo saso. Ngeli xesha, uvavanyo lovavanyo lwesistim lunceda ukuqonda indlela yokulungiselela ukuhlanganiswa kweziseko zophuhliso, ukuba yeyiphi indlela yokusebenza kunye nokuba kungakanani na ekufuneka kuphunyezwe. Ngale ndlela unokunqanda inani elikhulu leengxaki ngenxa yokukhetha imveliso "ngokungaboniyo". Ukongeza, ukuphunyezwa emva kokuba "umqhubi wenqwelomoya" onobuchule uya kuzisa iinjineli ezingatshatyalaliswanga kakhulu iiseli zemithambo-luvo kunye neenwele ezingwevu. Masibone ukuba kutheni uvavanyo lokulinga lubaluleke kangaka kwiprojekthi eyimpumelelo, sisebenzisa umzekelo wesixhobo esidumileyo sokulawula ukufikelela kuthungelwano lwenkampani - Cisco ISE. Masithathele ingqalelo zombini iindlela ezisemgangathweni kunye nezingengomgangatho ngokupheleleyo wokusebenzisa isisombululo esiye sadibana naso kwindlela yethu yokusebenza.
ICisco ISE- "Iseva yeRadius kwi-steroids"
I-Cisco Identity Services Engine (ISE) liqonga lokudala inkqubo yokulawula ukufikelela kwinethiwekhi yendawo yombutho. Kuluntu lweengcali, imveliso yayibizwa ngegama elithi "Radius server kwi-steroids" kwiipropati zayo. Kutheni kunjalo? Eyona nto, isisombululo ngumncedisi weRadius, apho inani elikhulu leenkonzo ezongezelelweyo kunye "namaqhinga" aqhotyoshelweyo, okukuvumela ukuba ufumane ulwazi oluninzi lweemeko kwaye usebenzise isethi esisiphumo sedatha kwimigaqo-nkqubo yokufikelela.
Njengaye nawuphi na omnye umncedisi we-Radius, i-Cisco ISE isebenzisana nezixhobo zenethiwekhi zokufikelela, iqokelela ulwazi malunga nazo zonke iinzame zokuxhuma kwinethiwekhi yenkampani kwaye, ngokusekelwe kwimigaqo-nkqubo yokuqinisekisa kunye nokugunyaziswa, ivumela okanye iyala abasebenzisi kwi-LAN. Nangona kunjalo, ukuba nokwenzeka kokwenza iprofayili, ukuthunyelwa, kunye nokudityaniswa nezinye izisombululo zokhuseleko lolwazi kwenza kube lula ukwenza nzima umgaqo-nkqubo wogunyaziso kwaye ngaloo ndlela kusonjululwe iingxaki ezinzima nezinomdla.
Ukuphunyezwa akunakulingwa: kutheni ufuna uvavanyo?
Ixabiso lovavanyo lokulinga kukubonisa zonke izakhono zenkqubo kwiziseko ezithile zombutho othile. Ndiyakholelwa ukuba ukulinga iCisco ISE ngaphambi kokuphunyezwa kuzuzisa wonke umntu obandakanyekayo kwiprojekthi, kwaye nantsi isizathu.
Oku kunika abadibanisi umbono ocacileyo wolindelo lomthengi kwaye kunceda ukwenza ubuchwephesha obuchanekileyo obuqulethe iinkcukacha ezininzi kunebinzana eliqhelekileyo elithi "qiniseka ukuba yonke into ilungile." "I-Pilot" ivumela ukuba sizive zonke iintlungu zomthengi, ukuqonda ukuba yeyiphi imisebenzi ephambili kuye kwaye yeyiphi yesibini. Kithina, eli lithuba elihle kakhulu lokuqonda kwangaphambili ukuba zeziphi izixhobo ezisetyenziswa kwintlangano, ukuba ukuphunyezwa kuya kwenzeka njani, kweziphi iindawo, apho zikhoyo, njalo njalo.
Ngexesha lovavanyo lokulinga, abathengi babona inkqubo yokwenyani isebenza, baqhelane ne-interface yayo, banokujonga ukuba iyahambelana ne-hardware yabo ekhoyo, kwaye bafumane ukuqonda okupheleleyo malunga nendlela isisombululo esiya kusebenza ngayo emva kokuphunyezwa ngokupheleleyo. βUmqhubi wenqwelo-moyaβ ngulo mzuzu kanye xa unokubona yonke imigibe onokuthi udibane nayo ngexesha lokudityaniswa, kwaye uthathe isigqibo sokuba zingaphi iilayisensi ekufuneka uzithenge.
Yintoni enokuthi "ivele" ngexesha "lomqhubi"
Ke, ulungiselela njani ngokufanelekileyo ukuphumeza iCisco ISE? Ukususela kumava ethu, siye sabala iingongoma ezi-4 eziphambili ezibalulekileyo ukuba ziqwalaselwe ngexesha lokuvavanywa kovavanyo lwenkqubo.
Into yefom
Okokuqala, kufuneka wenze isigqibo malunga nokuba yeyiphi ifom yenkqubo eya kuphunyezwa: umgca womzimba okanye wenyani. Inketho nganye ineenzuzo kunye nokungonakali. Ngokomzekelo, amandla omgangatho womzimba kukusebenza kwawo okuqikelelweyo, kodwa asimele silibale ukuba ezo zixhobo ziphelelwa lixesha. Ii-uplines ezibonakalayo aziqikeleleki kancinci kuba... zixhomekeke kwi-hardware apho indawo ye-virtualization isetyenziswe khona, kodwa banenzuzo enkulu: ukuba inkxaso ikhona, inokuhlala ihlaziywa kwinguqu yamva nje.
Ngaba izixhobo zakho zenethiwekhi ziyahambelana neCisco ISE?
Ngokuqinisekileyo, imeko efanelekileyo iya kuba kukudibanisa zonke izixhobo kwisistim kanye. Nangona kunjalo, oku akusoloko kusenzeka njengoko imibutho emininzi isasebenzisa iiswitshi ezingalawulwayo okanye iiswitshi ezingaxhasi ezinye zeetekhnoloji eziqhuba iCisco ISE. Ngendlela, asithethi nje malunga nokutshintsha, kunokuba ngabalawuli benethiwekhi ezingenazintambo, i-VPN concentrators kunye naziphi na ezinye izixhobo apho abasebenzisi baxhuma khona. Kwimeko yam, kukho iimeko xa, emva kokubonisa inkqubo yokuphunyezwa ngokupheleleyo, umthengi waphucula phantse yonke inqanawa yokufikelela kwinqanaba lokutshintshela kwizixhobo zanamhlanje zeCisco. Ukuze ugweme ukumangalisa okungathandekiyo, kuyafaneleka ukufumanisa kwangaphambili umlinganiselo wezixhobo ezingaxhaswanga.
Ngaba zonke izixhobo zakho zisemgangathweni?
Nayiphi na inethiwekhi inezixhobo eziqhelekileyo akufanele kube nzima ukuxhuma kuzo: iindawo zokusebenza, iifowuni ze-IP, iindawo zokufikelela kwi-Wi-Fi, iikhamera zevidiyo, njalo njalo. Kodwa kwakhona kwenzeka ukuba izixhobo ezingezizo ezisemgangathweni kufuneka ziqhagamshelwe kwi-LAN, umzekelo, i-RS232 / Ethernet iziguquli zomqondiso webhasi, i-interfaces yonikezelo lwamandla olungaphazamisekiyo, izixhobo ezahlukeneyo zobuchwepheshe, njl. Kubalulekile ukumisela uluhlu lwezixhobo ezinjalo kwangaphambili. , ukwenzela ukuba kwinqanaba lokuphunyezwa sele unokuqonda ukuba ngobuchule baya kusebenza njani kunye neCisco ISE.
Ingxoxo eyakhayo kunye neengcali ze-IT
Abathengi be-Cisco ISE badla ngokuba ngamasebe okhuseleko, ngelixa amasebe e-IT ahlala enoxanduva lokuqwalasela iiswitshi zofikelelo kunye ne-Active Directory. Ke ngoko, intsebenziswano enemveliso phakathi kweengcali zokhuseleko kunye neengcali ze-IT yenye yeemeko ezibalulekileyo zokuphunyezwa okungenabuhlungu kwenkqubo. Ukuba aba bamva babona ukudibanisa kunye nobutshaba, kuyafaneleka ukubachazela ukuba isisombululo siya kuba luncedo njani kwisebe le-IT.
Top 5 Cisco ISE iimeko ukusetyenziswa
Kumava ethu, umsebenzi ofunekayo wenkqubo uchongiwe kwinqanaba lokuvavanya. Ngezantsi ezinye zezona ziganeko zidumileyo kunye nezingaphantsi kokusetyenziswa kwesisombululo.
Khusela ukufikelela kwi-LAN ngocingo nge-EAP-TLS
Njengoko iziphumo zophando lwe-pentesters zethu zibonisa, rhoqo ukungena kwinethiwekhi yenkampani, abahlaseli basebenzisa iisokethi eziqhelekileyo apho abashicileli, iifowuni, iikhamera ze-IP, iindawo ze-Wi-Fi kunye nezinye izixhobo zenethiwekhi ezingezozamntu ziqhagamshelwe. Ke ngoko, nokuba ufikelelo lwenethiwekhi lusekwe kwitekhnoloji ye-dot1x, kodwa ezinye iiprothokholi zisetyenziswa ngaphandle kokusebenzisa izatifikethi zoqinisekiso lomsebenzisi, kukho amathuba aphezulu ohlaselo oluyimpumelelo kunye neseshini yokunqanda kunye namagama ayimfihlo anamandla. Kwimeko yeCisco ISE, kuya kuba nzima kakhulu ukuba isatifikethi - ngenxa yoko, abahlaseli baya kufuna amandla amaninzi ekhompyutheni, ngoko le meko iyasebenza kakhulu.
Ukufikelela kwi-wireless ezimbini-SSID
Undoqo walo mzekelo kukusebenzisa izazisi zenethiwekhi ezi-2 (SSIDs). Omnye wabo unokubizwa ngokuba "yindwendwe". Ngayo, zombini iindwendwe kunye nabasebenzi benkampani banokufikelela kwinethiwekhi engenazingcingo. Xa bezama ukudibanisa, aba bamva bathunyelwa kwi-portal ekhethekileyo apho ukubonelela kwenzeka khona. Oko kukuthi, umsebenzisi ukhutshwe isatifikethi kwaye isixhobo sakhe somntu siqwalaselwe ukuba sidibanise ngokuzenzekelayo kwi-SSID yesibini, esele isebenzisa i-EAP-TLS kunye nazo zonke iingenelo zemeko yokuqala.
I-Bypass yoQinisekiso lwe-MAC kunye neProfayili
Enye imeko yokusetyenziswa ethandwayo kukubona ngokuzenzekelayo uhlobo lwesixhobo esiqhagamshelwe kwaye sisebenzise izithintelo ezichanekileyo kuyo. Kutheni enomdla nje? Inyani yeyokuba kusekho izixhobo ezininzi ezingaxhasi ukuqinisekiswa kusetyenziswa iprotocol ye802.1X. Ke ngoko, ezo zixhobo kufuneka zivunyelwe kwinethiwekhi zisebenzisa idilesi ye-MAC, ekulula ukuyenza inkohliso. Kulapho iCisco ISE isiza khona: ngoncedo lwenkqubo, unokubona indlela isixhobo esiziphatha ngayo kwinethiwekhi, yenza iprofayili yayo kwaye uyinike iqela lezinye izixhobo, umzekelo, ifowuni ye-IP kunye nendawo yokusebenza. . Ukuba umhlaseli uzama ukonakalisa idilesi ye-MAC kwaye aqhagamshele kuthungelwano, inkqubo iya kubona ukuba iprofayile yesixhobo itshintshile, iya kubonisa ukuziphatha okukrokrisayo kwaye ayizukuvumela umsebenzisi okrokrelayo ukuba angene kwinethiwekhi.
EAP-Chaining
Itekhnoloji ye-EAP-Chaining ibandakanya ukuqinisekiswa okulandelelanayo kwePC esebenzayo kunye neakhawunti yomsebenzisi. Elityala sele lixhaphakile kuba... Iinkampani ezininzi azikakhuthazi ukuqhagamshela izixhobo zobuqu zabasebenzi kwi-LAN yeshishini. Ukusebenzisa le ndlela yokuqinisekisa, kuyenzeka ukujonga ukuba indawo yokusebenzela ethile lilungu ledomeyini, kwaye ukuba isiphumo sibi, umsebenzisi akayi kuvunyelwa ukuba angene kuthungelwano, okanye uya kuba nako ukungena, kodwa ngokuthe ngqo. izithintelo.
Ukuthumela
Eli tyala limalunga nokuvavanya ukuthotyelwa kwesoftware yendawo yokusebenza kunye neemfuno zokhuseleko lolwazi. Ukusebenzisa le teknoloji, unokujonga ukuba isofthiwe kwindawo yokusebenza ihlaziywa, ingaba amanyathelo okhuseleko afakwe kuyo, nokuba i-firewall yomkhosi iqwalaselwe, njl. Okubangel 'umdla kukuba, obu buchwepheshe bukuvumela ukuba usombulule eminye imisebenzi engahambelani nokhuseleko, umzekelo, ukujonga ubukho beefayile eziyimfuneko okanye ukufaka isoftware ebanzi.
Amatyala angaphantsi okusetyenziswa okuqhelekileyo kwe-Cisco ISE abandakanya ulawulo lokufikelela kunye nokuqinisekiswa kokuphela kwe-domain (Passive ID), i-SGT-based micro-segmentation kunye nokucoca, kunye nokudityaniswa nolawulo lwesixhobo esiphathwayo (MDM) kunye ne-Vulnerability Scanners.
Iiprojekthi ezingekho mgangathweni: kutheni enye into unokufuna iCisco ISE, okanye iimeko ezi-3 ezinqabileyo kwindlela yethu
Ulawulo lofikelelo kwiiseva ezisekwe kwiLinux
Sakuba sisombulula ityala elingeyonto encinci komnye wabathengi ababesele benenkqubo yeCisco ISE ephunyeziweyo: bekufuneka sifumane indlela yokulawula izenzo zabasebenzisi (ubukhulu becala abalawuli) kwiiseva ezineLinux efakiweyo. Ukukhangela impendulo, size nombono wokusebenzisa isoftware ye-PAM yeRadius yeModyuli yasimahla, ekuvumela ukuba ungene kwiiseva eziqhuba iLinux ngokuqinisekiswa kwiseva yerediyasi yangaphandle. Yonke into ephathelele kulo mba iya kuba yinto enhle, ukuba kungekhona enye "kodwa": i-server ye-radius, ithumela impendulo kwisicelo sokuqinisekisa, inika kuphela igama le-akhawunti kunye nesiphumo - uvavanyo olwamkelweyo okanye uvavanyo lwaliwe. Okwangoku, ugunyaziso kwiLinux, kufuneka unikeze ubuncinci ipharamitha enye ngaphezulu - ulawulo lwasekhaya, ukuze umsebenzisi afike kwindawo ethile. Asifumananga ndlela yokunika oku njengophawu lweradiyasi, ngoko ke sibhale iscript esikhethekileyo sokwenza ukude iiakhawunti kwiinginginya kwimowudi ezenzekelayo. Lo msebenzi wawunokwenzeka, ekubeni sasijongene neeakhawunti zomlawuli, inani labo lalingekho likhulu kangako. Emva koko, abasebenzisi bangene kwisixhobo esifunekayo, emva koko babelwa ukufikelela okuyimfuneko. Umbuzo onengqiqo uyavela: ngaba kuyimfuneko ukusebenzisa iCisco ISE kwiimeko ezinjalo? Ngokwenyani, hayi - nayiphi na iseva yerediyasi iya kwenza, kodwa kuba umthengi sele enale nkqubo, songeze nje into entsha kuyo.
Uluhlu lwezixhobo zehardware kunye nesoftware kwiLAN
Sake sasebenza kwiprojekthi yokubonelela ngeCisco ISE kumthengi omnye ngaphandle "kokulingwa" lokuqala. Kwakungekho zidingo ezicacileyo zesisombululo, kunye nathi sasijongene nenethiwekhi yeflethi, engacalulwanga, enzima umsebenzi wethu. Ngexesha leprojekthi, siqwalasele zonke iindlela ezinokuthi zeprofayili ezixhaswe yinethiwekhi: i-NetFlow, i-DHCP, i-SNMP, ukuhlanganiswa kwe-AD, njl. Ngenxa yoko, ufikelelo lwe-MR luqwalaselwe ngokukwazi ukungena kwinethiwekhi ukuba uqinisekiso aluphumelelanga. Okokuthi, nokuba ukuqinisekiswa akuphumelelanga, inkqubo iya kuqhubeka ivumela umsebenzisi kwinethiwekhi, iqokelele ulwazi malunga naye kwaye irekhode kwi-database ye-ISE. Oku kubeka iliso kuthungelwano kwiiveki ezininzi kwasinceda ukuba sichonge iinkqubo eziqhagamshelweyo kunye nezixhobo ezingezizo ezomntu kwaye siphuhlise indlela yokuzahlula. Emva koku, siye saqwalasela ukuthunyelwa kokufaka i-arhente kwiindawo zokusebenza ukuze kuqokelelwe ulwazi malunga nesofthiwe efakwe kuzo. Uyintoni umphumo? Sikwazile ukwahlula inethiwekhi kwaye sigqibe uluhlu lwesoftware ekufuneka isuswe kwiindawo zokusebenza. Andiyi kufihla ukuba eminye imisebenzi yokusasaza abasebenzisi kumaqela esizinda kunye nokuchaza amalungelo okufikelela kusithathe ixesha elininzi, kodwa ngale ndlela sifumene umfanekiso opheleleyo wokuba yeyiphi ihardware umthengi anayo kwinethiwekhi. Ngendlela, oku kwakungekho nzima ngenxa yomsebenzi omhle wokwenza iprofayili ngaphandle kwebhokisi. Ewe, apho iprofayili ingazange incede, sazijonga, sigxininisa i-port yokutshintsha apho izixhobo zixhunyiwe.
Ufakelo olukude lwesoftware kwiindawo zokusebenza
Eli tyala lelinye lawona angaqhelekanga kwindlela yam. Ngenye imini, umthengi weza kuthi ngesikhalo sokucela uncedo-into engalunganga xa kuphunyezwa iCisco ISE, yonke into yaphuka, kwaye akukho mntu unokufikelela kwinethiwekhi. Saqala ukukhangela kuyo kwaye safumanisa oku kulandelayo. Inkampani yayineekhompyutheni ze-2000, apho, ngokungabikho komlawuli wesizinda, zilawulwa phantsi kwe-akhawunti yomlawuli. Ngenjongo yokujonga, umbutho uphumeze iCisco ISE. Kwakuyimfuneko ngandlela thile ukuqonda ukuba i-antivirus ifakiwe kwiiPC ezikhoyo, nokuba indawo yesoftware yahlaziywa, njl. Kwaye ekubeni abalawuli be-IT bafake izixhobo zenethiwekhi kwinkqubo, kuyaqondakala ukuba babenokufikelela kuyo. Emva kokubona indlela esebenza ngayo kunye nokujonga iiPC zabo, abalawuli beza nombono wokufaka isoftware kwiindawo zokusebenza zabasebenzi ukude ngaphandle kotyelelo lobuqu. Khawucinge nje ukuba mangaphi amanyathelo onokuwagcina ngosuku ngale ndlela! Abalawuli baqhube iitshekhi ezininzi kwindawo yokusebenzela ubukho befayile ethile kwi C: Inkqubo yeeFayile zolawulo, kwaye ukuba ibingekho, ukulungiswa okuzenzekelayo kwaqaliswa ngokulandela ikhonkco elikhokelela kugcino lwefayile kufakelo lwefayile .exe. Oku kwavumela abasebenzisi abaqhelekileyo ukuba baye kwisabelo sefayile kwaye bakhuphele isoftware eyimfuneko ukusuka apho. Ngelishwa, umlawuli wayengazi kakuhle inkqubo ye-ISE kwaye yonakalise iindlela zokuposa - wabhala umgaqo-nkqubo ngokungalunganga, okukhokelela kwingxaki esiye sabandakanyeka ekuyixazululeni. Ngokwam, ndimangaliswe ngokunyanisekileyo yile ndlela yokuyila, kuba iya kuba yindleko ephantsi kwaye ingabi nabasebenzi kakhulu ukwenza umlawuli wesizinda. Kodwa njengobungqina bengcamango yasebenza.
Funda ngakumbi malunga nee-nuances zobugcisa ezivela xa kuphunyezwa iCisco ISE kwinqaku lomlingane wam .
Artem Bobrikov, injineli yoyilo lweZiko loKhuseleko loLwazi kwiJet Infosystems
Emva kwegama:
Ngaphandle kwento yokuba esi sithuba sithetha ngenkqubo ye-Cisco ISE, iingxaki ezichazwe zifanelekile kwiklasi yonke yezisombululo ze-NAC. Akubalulekanga kangako ukuba isisombululo somthengisi sicwangciselwe ukuphunyezwa - uninzi lwezi zinto zingasentla ziya kuhlala zisebenza.
umthombo: www.habr.com