Ngamukela abafundi esihlokweni sesithathu ochungechungeni lwesihloko se-UserGate Getting Started, esikhuluma ngesixazululo se-NGFW esivela enkampanini. . Esihlokweni sokugcina, inqubo yokufaka i-firewall yachazwa futhi ukucushwa kwayo kokuqala kwenziwa. Okwamanje, sizobhekisisa ukudala imithetho ezigabeni ezifana ne-Firewall, i-NAT kanye ne-Routing, kanye ne-Bandwidth.
Umbono wemithetho ye-UserGate, njengokuthi imithetho isetshenziswa ukusuka phezulu kuye phansi, kuze kube eyokuqala esebenzayo. Ngokusekelwe kulokhu okungenhla, kulandela ukuthi imithetho ethize kakhulu kufanele ibe phezulu kunemithetho ejwayelekile. Kodwa kufanele kuqashelwe, njengoba imithetho ihlolwe ngokulandelana, kungcono mayelana nokusebenza ukudala imithetho evamile. Lapho udala noma yimuphi umthetho, izimo zisetshenziswa ngokuya nge-logic ethi "AND". Uma kudingekile ukusebenzisa logic "NOMA", khona-ke lokhu kufezwa ngokudala imithetho eminingana. Ngakho-ke okuchazwe kulesi sihloko kusebenza nakwezinye izinqubomgomo ze-UserGate.
I-Firewall
Ngemva kokufaka i-UserGate, sekuvele kunenqubomgomo elula engxenyeni ethi "Firewall". Imithetho emibili yokuqala iyakwenqabela ukugcwala kwama-botnets. Okulandelayo yizibonelo zemithetho yokufinyelela evela ezindaweni ezahlukene. Umthetho wokugcina uhlale ubizwa ngokuthi "Vimba konke" futhi umakwe ngophawu lokukhiya (kusho ukuthi umthetho awukwazi ukususwa, ukuguqulwa, ukuhanjiswa, ukukhutshazwa, ungavunyelwa kuphela inketho yokungena). Ngakho, ngenxa yalo mthetho, yonke ithrafikhi engavunyelwe ngokusobala izovinjelwa umthetho wokugcina. Uma ufuna ukuvumela yonke ithrafikhi nge-UserGate (yize lokhu kudikibala kakhulu), ungahlala udala umthetho owandulela owedlule othi “Vumela Konke”.
Uma uhlela noma udala umthetho we-firewall, owokuqala Ithebhu evamile, udinga ukwenza okulandelayo:
-
Ibhokisi lokuhlola elithi "Vuliwe" vumela noma vala umthetho.
-
faka igama lomthetho.
-
setha incazelo yomthetho.
-
khetha ezenzweni ezimbili:
-
Yenqaba - ivimba ithrafikhi (uma usetha lesi simo, kungenzeka ukuthi uthumele umsingathi we-ICMP ongafinyeleleki, udinga nje ukusetha ibhokisi lokuhlola elifanele).
-
Vumela - ivumela ithrafikhi.
-
-
Into yesimo - ikuvumela ukuthi ukhethe isimo, okuyisimo esengeziwe sokuthi umthetho uqhume. Lena yindlela i-UserGate ewusebenzisa ngayo umqondo we-SOAR (I-Security Orchestration, Automation and Response).
-
Ukungena ngemvume — bhala imininingwane mayelana nethrafikhi kulogi lapho umthetho uqaliswa. Izinketho ezingenzeka:
-
Faka isiqalo seseshini. Kulesi simo, ulwazi kuphela mayelana nokuqala kweseshini (iphakethe lokuqala) lizobhalwa kulogi yethrafikhi. Lena inketho yokungena enconyiwe.
-
Ngena wonke amaphakethe. Kulokhu, ulwazi mayelana nephakethe lenethiwekhi ngayinye elidluliswayo lizorekhodwa. Kule modi, kuyanconywa ukunika amandla umkhawulo wokungena ukuze uvimbele ukulayisha okuphezulu kwedivayisi.
-
-
Sebenzisa umthetho kokuthi:
-
Wonke amaphakheji
-
emaphaketheni ahlukene
-
kumaphakheji angahlukanisiwe
-
-
Lapho udala umthetho omusha, ungakhetha indawo kunqubomgomo.
Okulandelayo Ithebhu yomthombo. Lapha sibonisa umthombo wethrafikhi, kungaba indawo okuvela kuyo ithrafikhi, noma ungacacisa uhlu noma ikheli le-ip elithile (Geoip). Cishe kuyo yonke imithetho engasethwa kudivayisi, into ingadalwa ngomthetho, ngokwesibonelo, ngaphandle kokuya esigabeni esithi "Zones", ungasebenzisa inkinobho ethi "Dala bese wengeza into entsha" ukuze udale indawo. sidinga. Ibhokisi lokuhlola elithi "Guqula" nalo livame ukutholakala, lihlehlisa isenzo esimeni somthetho, esifana nokuphika isenzo esinengqondo. Ithebhu yendawo efana nethebhu yomthombo, kodwa esikhundleni somthombo wethrafikhi, sibeka indawo yethrafikhi. Ithebhu yabasebenzisi - kule ndawo ungakwazi ukwengeza uhlu lwabasebenzisi noma amaqembu lapho lo mthetho usebenza khona. Ithebhu yesevisi - khetha uhlobo lwesevisi kule esivele ichazwe ngaphambilini noma ungasetha eyakho. Ithebhu yohlelo lokusebenza - izinhlelo zokusebenza ezithile noma amaqembu ezicelo akhethiwe lapha. KANYE Ithebhu yesikhathi cacisa isikhathi lapho lo mthetho usebenza.
Kusukela esifundweni sokugcina, sinomthetho wokufinyelela i-Inthanethi kusuka endaweni ethi "Trust", manje ngizobonisa njengesibonelo indlela yokudala umthetho wokuphika wethrafikhi ye-ICMP ukusuka endaweni ethi "Trust" kuya endaweni "Engathenjwa".
Okokuqala, dala umthetho ngokuchofoza inkinobho ethi "Engeza". Efasiteleni elivulayo, kuthebhu evamile, gcwalisa igama (Khawulela i-ICMP kusukela kokwethenjwayo kuya kokungathenjwa), khetha ibhokisi lokuhlola elithi "Vuliwe", khetha isenzo sokukhubaza, futhi okubaluleke kakhulu, khetha indawo efanele yalo mthetho. Ngokwenqubomgomo yami, lo mthetho kufanele ubekwe ngaphezu komthetho othi "Vumela okuthenjwayo kokungathenjiwe":
Kuthebhu "Umthombo" yomsebenzi wami, kunezinketho ezimbili:
-
Ngokukhetha indawo ethi “Othenjwayo”
-
Ngokukhetha zonke izindawo ngaphandle kokuthi “Othenjwayo” kanye nokumaka ibhokisi elithi “Guqula”
Ithebhu Indawo okuyiwa kuyo ilungiselelwe ngendlela efanayo nethebhu yomthombo.
Okulandelayo, iya kuthebhu ethi "Service", njengoba i-UserGate inesevisi echazwe ngaphambilini yethrafikhi ye-ICMP, bese ngokuchofoza inkinobho ethi "Engeza", sikhetha isevisi enegama elithi "Noma iyiphi i-ICMP" ohlwini oluhlongozwayo:
Mhlawumbe lena bekuyinhloso yabadali be-UserGate, kodwa ngikwazile ukudala imithetho embalwa efana ngokuphelele. Nakuba kuzosetshenziswa isimiso sokuqala kuphela sohlu, ngicabanga ukuthi ikhono lokudala imithetho enegama elifanayo elihlukile ekusebenzeni lingabangela ukudideka lapho abalawuli bedivayisi abambalwa besebenza.
I-NAT kanye nomzila
Lapho udala imithetho ye-NAT, sibona amathebhu amaningana afanayo, njenge-firewall. Inkambu ethi "Uhlobo" ivele kuthebhu ethi "Okuvamile", ikuvumela ukuthi ukhethe ukuthi lo mthetho uzoba nesibopho sani:
-
I-NAT - Ukuhumusha Ikheli Lenethiwekhi.
-
I-DNAT - Iqondisa kabusha ithrafikhi ekhelini le-IP elishiwo.
-
Ukudlulisela ngembobo - Iqondisa kabusha ithrafikhi ekhelini le-IP elishiwo, kodwa ikuvumela ukuthi uguqule inombolo yembobo yesevisi eshicilelwe
-
Umzila osuselwe kunqubomgomo - Ikuvumela ukuthi uhambise amaphakethe e-IP ngokusekelwe kulwazi olunwetshiwe, olufana namasevisi, amakheli e-MAC, noma amaseva (amakheli e-IP).
-
Imephu yenethiwekhi - Ikuvumela ukuthi umiselele umthombo noma amakheli e-IP wenethiwekhi eyodwa kwenye inethiwekhi.
Ngemva kokukhetha uhlobo olufanele lomthetho, izilungiselelo zalo zizotholakala.
Kunkambu ye-SNAT IP (ikheli langaphandle), sicacisa ngokusobala ikheli le-IP okuzoshintshwa kulo ikheli lomthombo. Le nkambu iyadingeka uma kunamakheli amaningi e-IP anikezwe ukuxhumana kundawo okuyiwa kuyo. Uma ushiya le nkambu ingenalutho, isistimu izosebenzisa ikheli elingahleliwe ohlwini lwamakheli e-IP atholakalayo anikezwe izixhumanisi zezoni okuyiwa kuyo. I-UserGate incoma ukucacisa i-SNAT IP ukuze kuthuthukiswe ukusebenza kwe-firewall.
Isibonelo, ngizoshicilela isevisi ye-SSH yeseva ye-Windows etholakala endaweni ye-“DMZ” ngisebenzisa umthetho “wokudlulisela imbobo”. Ukuze wenze lokhu, chofoza inkinobho ethi “Engeza” bese ugcwalisa ithebhu ethi “Okuvamile”, ucacise igama lomthetho othi “SSH to Windows” kanye nohlobo “Ukudlulisa imbobo”:
Kuthebhu ethi "Umthombo", khetha indawo "Engathenjwa" bese uya kuthebhu "Yokudlulisa imbobo". Lapha kufanele sicacise iphrothokholi "TCP" (izinketho ezine ziyatholakala - TCP, UDP, SMTP, SMTPS). Imbobo yendawo okuyiwa kuyo yoqobo engu-9922 — inombolo yembobo lapho abasebenzisi bathumela khona izicelo (izimbobo: 2200, 8001, 4369, 9000-9100 azikwazi ukusetshenziswa). Imbobo entsha okuyiwa kuyo (22) inombolo yembobo lapho izicelo zomsebenzisi eziya kuseva eshicilelwe yangaphakathi zizodluliselwa khona.
Kuthebhu "DNAT", setha i-ip-ikheli lekhompyutha kunethiwekhi yendawo, eshicilelwe ku-inthanethi (192.168.3.2). Futhi ungavumela i-SNAT ngokuzikhethela, bese i-UserGate izoshintsha ikheli lomthombo emaphaketheni ukusuka kunethiwekhi yangaphandle ukuya ekhelini layo le-IP.
Ngemuva kwazo zonke izilungiselelo, kutholwe umthetho ovumela ukufinyelela kusuka endaweni "Engathenjwa" kuya kuseva ngekheli le-ip 192.168.3.2 ngephrothokholi ye-SSH, kusetshenziswa ikheli langaphandle le-UserGate lapho uxhuma.
Umkhawulokudonsa
Lesi sigaba sichaza imithetho yokulawulwa komkhawulokudonsa. Angasetshenziselwa ukukhawulela isiteshi sabasebenzisi abathile, ababungazi, amasevisi, izinhlelo zokusebenza.
Lapho udala umthetho, izimo kumathebhu zinquma ithrafikhi lapho kusetshenziswa khona imikhawulo. Umkhawulokudonsa ungakhethwa kokuhlongozwayo, noma uzibekele owakho. Lapho udala umkhawulokudonsa, ungacacisa ilebula yokubeka kuqala ithrafikhi ye-DSCP. Isibonelo sokuthi amalebula e-DSCP asetshenziswa nini: ngokucacisa esimweni lapho lo mthetho usetshenziswa khona, lo mthetho ungawashintsha ngokuzenzakalelayo lawa malebula. Esinye isibonelo sendlela iskripthi esisebenza ngayo: umthetho uzosebenza kumsebenzisi kuphela uma kutholwa isifufula noma inani lethrafikhi leqa umkhawulo oshiwo. Amathebhu asele agcwaliswa ngendlela efanayo nakwezinye izinqubomgomo, ngokusekelwe ohlotsheni lwethrafikhi okufanele kusetshenziswe umthetho kuyo.
isiphetho
Kulesi sihloko, ngihlanganise ukudalwa kwemithetho esigabeni se-Firewall, NAT kanye Nomzila, kanye ne-Bandwidth. Futhi ekuqaleni kwesihloko, wachaza imithetho yokudala izinqubomgomo ze-UserGate, kanye nomgomo wemibandela lapho udala umthetho.
Hlala ubukele ukuze uthole izibuyekezo eziteshini zethu (, , , )!
Source: www.habr.com