10. Check Point Getting Started R80.20. Identity Awareness

Welcome to the anniversary lesson, number 10. Today we will talk about another Check Point blade: Identity Awareness. At the very beginning, when describing NGFW, we determined that it must be able to control access based on accounts, not IP addresses. This is mainly due to increased user mobility and the widespread adoption of the BYOD model (bring your own device). A company may have many people who connect over Wi-Fi, receive a dynamic IP, and even connect from different network segments. Try building access lists based on IP addresses in that environment. You cannot do it without user identification, and the Identity Awareness blade is what helps us here.

But first, let's look at what user identification is most commonly used for.

  1. To restrict network access by user accounts instead of IP addresses. Access can be controlled both to the Internet and to any other network segments, for example the DMZ.
  2. VPN access. You will agree that it is much more convenient for a user to authorize with their domain account than with yet another invented password.
  3. To manage Check Point itself, you also need an account, which may have various rights.
  4. And the best part is reporting. It is much nicer to see specific users in reports than their IP addresses.

At the same time, Check Point supports two types of accounts:

  • Local Internal Users. The user is created in the local database of the management server.
  • External Users. The external user base can be Microsoft Active Directory or any other LDAP server.

Today we will talk about network access. To control network access when Active Directory is present, a so-called Access Role is used, which allows three user options:

  1. Network - i.e. the network the user is trying to connect from
  2. AD User or User Group - this data is pulled directly from the AD server
  3. Machine - the workstation.
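The following sketch is an added example, not Check Point code and not part of the original lesson: a simplified model of how a rule built on the three Access Role options keeps working when the same user moves between dynamic addresses. The class names, the session table and the assumption that all configured options must match together are illustrative.

```python
# Simplified model of identity-based matching (illustrative, not Check Point code).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None  # an Access Role option left unset matches anything


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    machine: str


@dataclass
class AccessRole:
    name: str
    networks: Optional[list] = ANY         # CIDR strings
    users_or_groups: Optional[set] = ANY   # AD user or group names
    machines: Optional[set] = ANY          # workstation names

    def matches(self, src_ip: str, ident: Optional[Identity]) -> bool:
        # Assumption: every configured option has to match (logical AND).
        if self.networks is not ANY and not any(
                ip_address(src_ip) in ip_network(n) for n in self.networks):
            return False
        needs_identity = self.users_or_groups is not ANY or self.machines is not ANY
        if needs_identity and ident is None:
            return False  # an unidentified source cannot satisfy a user/machine option
        if self.users_or_groups is not ANY and self.users_or_groups.isdisjoint(
                {ident.user} | ident.groups):
            return False
        if self.machines is not ANY and ident.machine not in self.machines:
            return False
        return True


def decide(role: AccessRole, sessions: dict, src_ip: str) -> str:
    """Return 'accept' if the role matches the source address, else 'drop'."""
    return "accept" if role.matches(src_ip, sessions.get(src_ip)) else "drop"


# Constructed sample data: one user seen on two dynamic Wi-Fi addresses.
SESSIONS = {
    "10.1.20.57": Identity("alice", frozenset({"Finance"}), "LT-ALICE"),
    "10.2.8.113": Identity("alice", frozenset({"Finance"}), "LT-ALICE"),
    "10.1.20.90": Identity("bob", frozenset({"Guests"}), "BYOD-PHONE"),
}
FINANCE = AccessRole("Finance_from_WiFi", ["10.1.0.0/16", "10.2.0.0/16"], {"Finance"})
```

An address with no entry in the session table is dropped by any role that names users or machines, which is why the identification method behind the table matters.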

User identification can then be performed in several ways:

  • AD Query. Check Point reads the AD server logs for authenticated users and their IP addresses. Computers that are in the AD domain are identified automatically.
  • Browser-Based Authentication. Identification through the user's browser (Captive Portal or Transparent Kerberos). Most often used for devices that are not in the domain.
  • Terminal Servers. In this case, identification is performed using a special terminal agent (installed on the terminal server).

These are the three most common options, but there are three more:

  • Identity Agents. A special agent is installed on users' computers.
  • Identity Collector. A separate utility that is installed on Windows Server and collects authentication logs instead of the gateway. In fact, a mandatory option for large numbers of users.
  • RADIUS Accounting. Well, where would we be without good old RADIUS.

In this lesson I will demonstrate the second option, Browser-Based. I think that is enough theory, so let's move on to practice.

Video lesson

Stay tuned for more and join our YouTube channel 🙂

Source: www.habr.com
