2. NGFW for small business. Unboxing and setup

We continue the series of articles on the new CheckPoint SMB model range. As a reminder, in the first part we described the characteristics and capabilities of the new models and the ways to manage and administer them. Today we look at a deployment scenario for the senior model in the series: the CheckPoint 1590 NGFW. Here is a summary of this part:

  1. Unpacking the equipment (description of the components, physical and network connectivity).
  2. Initial device initialization.
  3. Initial configuration.
  4. Functional check.

Unpacking the equipment

Getting to know the equipment starts with taking it out of the box, unpacking the components and installing the parts.

NGFW 1590 package contents
Briefly, the components:

  • NGFW 1590;
  • Power adapter;
  • 2 Wi-Fi antennas (2.4 GHz and 5 GHz);
  • 2 LTE antennas;
  • Booklets with documentation (quick guide for the first connection, license agreement, etc.)

As for network ports and connectivity, all the modern options for passing traffic and for interaction are there: a dedicated port for the DMZ zone, and USB 3.0 for synchronization with a PC.

The 1590 received an updated design, modern wireless options and memory expansion: 2 slots for Micro/Nano SIM cards in LTE mode (we plan to cover this option in detail in one of the upcoming articles of the series, dedicated to wireless connectivity), and an SD card slot.

You can read more about the capabilities of the 1590 NGFW and the other new models in Part 1 of the series on CheckPoint SMB solutions. We now move on to the initial initialization of the device.

Primary initialization

Regular readers will already know that the 1500 Series SMB line uses the new 80.20 Embedded OS, which brings an updated interface and enhanced capabilities.

To start initializing the device you need to:

  1. Supply power to the gateway.
  2. Connect a network cable from your PC to LAN-1 on the gateway.
  3. Optionally, give the device Internet access right away by connecting a link to the WAN port.
  4. Go to the Gaia Embedded portal: https://192.168.1.1:4434/

If you followed the steps above, then on opening the Gaia portal page you will need to confirm opening the page with an untrusted certificate, after which the portal's settings wizard starts.
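
An added example, not part of the original article and not Check Point tooling: because the first visit to https://192.168.1.1:4434/ means accepting an untrusted certificate, this Python script records the portal certificate's SHA-256 fingerprint on first contact and reports any later change. The pin file name and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import ssl
from pathlib import Path

GATEWAY = ("192.168.1.1", 4434)  # portal address from the steps above


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated as browsers show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der(addr=GATEWAY) -> bytes:
    """Fetch the portal certificate without validating it (it is self-signed)."""
    pem = ssl.get_server_certificate(addr)
    return ssl.PEM_cert_to_DER_cert(pem)


def check_pin(der: bytes, store: Path, host: str = GATEWAY[0]) -> str:
    """Trust on first use: record the fingerprint once, then require a match."""
    pins = json.loads(store.read_text()) if store.exists() else {}
    seen = fingerprint(der)
    if host not in pins:
        pins[host] = seen
        store.write_text(json.dumps(pins, indent=2))
        return "pinned"
    return "match" if hmac.compare_digest(pins[host], seen) else "MISMATCH"


if __name__ == "__main__":
    # Hypothetical pin file in the current directory.
    status = check_pin(fetch_der(), Path("gateway_pins.json"))
    print(GATEWAY[0], status)
```

Run the first fetch over the direct LAN-1 cable, so that the pinned fingerprint is the gateway's own; a later MISMATCH means the certificate was replaced or something else is answering on that address.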

You will be greeted by a page showing your device model; proceed to the next section.

We are asked to create an account for authentication; it is possible to enforce strong password requirements for the administrator, and we specify the country in which the gateway will be used.

The next window covers the date and time settings; you can set them manually or use the company NTP server.

The next step is to set the device name and specify the company domain so that the gateway's services work correctly on the Internet.

The next step is choosing the NGFW management type; note the following:

  1. Local Management. This option manages the gateway locally through the Gaia Portal web page.
  2. Central Management. This type of management involves synchronization with a dedicated CheckPoint Management Server, with the Smart1-Cloud cloud, or with SMP (the management service for SMB).

In this article we will stay with local management; you can specify the method you need. To get familiar with the process of synchronizing with a dedicated Management Server, we suggest the link from the CheckPoint Getting Started training series prepared by TS Solution.

Next comes a window that defines the operating mode of the interfaces on the gateway:

  • Switch mode implies that the subnet of one interface is reachable from the subnet of another interface.
  • Disable Switch mode accordingly turns switch mode off; each port passes traffic as a separate network segment.

It is also suggested that you specify the pool of DHCP addresses that will be used when connecting to the gateway's local interfaces.

The next step is configuring the gateway for wireless operation; we plan to discuss this in detail in a separate article in the series, so we postponed configuring these settings. You can create a new wireless access point, set a password for connecting to it and choose the operating mode of the wireless channel (2.4 GHz or 5 GHz).

The next step is configuring how the company's administrators reach the gateway. By default, access is allowed if the connection comes from:

  1. The company's internal subnet
  2. A trusted wireless network
  3. A VPN tunnel

The option to connect to the gateway from the Internet is disabled by default; enabling it carries significant risk and must be justified, otherwise we recommend leaving it as in our example. It is also possible to specify which IP addresses will be allowed to connect to the gateway.
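
The default administrator access rules above, as an added example (not from the original article and not Check Point code): the script decides whether an administrator source address would be admitted and flags login records that fall outside the policy. Only 192.168.1.0/24 is implied by the portal address on this page; the wireless and VPN subnets, the function names and the log line format are hypothetical.

```python
import ipaddress

# Assumed addressing: only 192.168.1.0/24 is implied by the page; the rest is hypothetical.
DEFAULT_SOURCES = {
    "internal LAN": "192.168.1.0/24",
    "trusted wireless": "192.168.2.0/24",
    "VPN tunnel": "10.99.0.0/24",
}


def classify(src, internet_enabled=False, internet_allow=()):
    """Return (allowed, reason) for an administrator connection from src."""
    ip = ipaddress.ip_address(src)
    for name, net in DEFAULT_SOURCES.items():
        if ip in ipaddress.ip_network(net):
            return True, name
    if not internet_enabled:
        return False, "internet access disabled"
    if not internet_allow:
        # Internet access enabled with no address restriction: widest exposure.
        return True, "internet (any address): restrict this"
    if any(ip in ipaddress.ip_network(n) for n in internet_allow):
        return True, "internet allow-list"
    return False, "not on internet allow-list"


def audit(log_lines, **policy):
    """Return (user, src, reason) for admin logins the policy would not admit."""
    findings = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        ok, reason = classify(fields["src"], **policy)
        if not ok:
            findings.append((fields["user"], fields["src"], reason))
    return findings


# Constructed sample lines (not a real Gaia Embedded log format).
SAMPLE = [
    "event=admin_login user=admin src=192.168.1.25",
    "event=admin_login user=admin src=10.99.0.7",
    "event=admin_login user=admin src=203.0.113.40",
    "event=admin_login user=ops src=198.51.100.9",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```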

The next window covers license activation; on first initialization of the device you are given a 30-day trial period. There are two activation methods:

  1. If there is an Internet connection, the license is activated automatically.
  2. If you activate the license offline, you need to do the following: download the license from UserCenter, register your device on the dedicated portal. Then, in both cases, you will need to import the downloaded license manually.

Finally, the last window of the settings wizard lets you choose which blades to enable; note that the QoS blade can only be enabled after the initial initialization. You should finish at a summary window that lists your settings.

Initial configuration

First of all, we recommend checking the license status; further configuration depends on it. Go to the “HOME” → “License” tab.

If the licenses are activated, we recommend updating to the latest firmware right away; to do this, go to the “DEVICE” → “System Operations” tab.

System updates are available under the Firmware Upgrade item. In our case, the current, latest firmware version is installed.

Next, I suggest briefly going over the capabilities and settings of the system's blades. Logically they can be divided into Access-level policies (Firewall, Application Control, URL Filtering) and Threat Prevention (IPS, Antivirus, Anti-Bot, Threat Emulation).

Let's go to the Access Policy → Blade Control tab.

By default, STANDARD mode is used: it allows outbound traffic to the Internet and traffic within the local network, while blocking inbound traffic from the Internet.

As for the APPLICATIONS & URL FILTERING blades, by default they are set to block sites with a high risk level and to block file-sharing applications (Torrent, File Storage, etc.). You can also block categories of sites manually.

Note the user traffic option “Limit bandwidth consuming applications”, which can limit the outbound/inbound traffic rate for groups of applications.

Next, open the Policy subsection; by default, rules are generated automatically according to the settings described earlier.

The NAT subsection works in Global Hide NAT Automatic mode by default, meaning all internal hosts reach the Internet through the public IP address. It is possible to configure NAT rules manually to publish your web applications or services.

Next, the section on user authentication in the network offers two options: Active Directory Queries (integration with your AD) and Browser-Based Authentication (the user enters domain credentials in a portal).

SSL inspection deserves separate mention; the share of HTTPS traffic on the global network keeps growing. Let's see what CheckPoint offers here in its SMB solutions. To do this, go to the SSL-Inspection → Policy section.

In the settings you can enable inspection of HTTPS traffic; you will need to import the certificate and install it in the trusted certification authority store on user machines.

We consider BYPASS mode for predefined categories a convenient option; it saves a lot of time when enabling inspection.

After setting up rules at the Firewall / Application level, move on to tuning the security policies (Threat Prevention); to do this, go to the corresponding section.

On the page that opens we see the enabled blades and the status of signature and database updates. We are also asked to choose a profile for protecting the network perimeter, and the corresponding settings are displayed.

A separate section, “IPS Protections”, lets you configure the action for a specific protection signature.

Not long ago we wrote on our blog about a global Windows Server vulnerability, SigRed. Let's check whether it is covered in Gaia Embedded 80.20 by entering the query “CVE-2020-1350”.

A record for this signature was found, to which one of the actions can be applied (by default Prevent, for the Critical severity level). So with an SMB solution you are not left behind in terms of updates and support; this is a full-featured NGFW solution from CheckPoint for branch offices of up to 200 people.

Functional check

Concluding the article, I would like to note the troubleshooting tools available after the initial initialization and configuration of the SMB solution. Go to the “HOME” → “Tools” section. Available options:

  • system resource monitoring;
  • routing table;
  • checking the availability of CheckPoint cloud services;
  • CPinfo generation.

Built-in network commands are also available: Ping, Traceroute, Traffic Capture.

So today we reviewed and studied the initial connection and configuration of the NGFW 1590; you will perform the same steps for the whole 1500 SMB Checkpoint series. The available options showed us highly flexible settings and support for modern methods of protecting traffic at the network perimeter.

Today, CheckPoint solutions for protecting small offices and branches (up to 200 people) offer a wide range of tools and use the latest technologies (cloud management, SIM card support, memory expansion with SD cards, etc.). Stay informed and keep reading articles from TS Solution; we plan to release further parts about the SMB family of CheckPoint NGFW. See you!

A large selection of Check Point materials from TS Solution. Stay tuned (Telegram, Facebook, VK, TS Solution Blog, Yandex.Zen).

Source: www.habr.com
