Sanibonani! Siyakwamukela esifundweni sesithupha sesifundo . Kuvuliwe senze kahle izisekelo zokusebenza ngobuchwepheshe be-NAT ku , futhi sakhulula umsebenzisi wethu wokuhlola ku-inthanethi. Manje sekuyisikhathi sokunakekela ukuphepha komsebenzisi ezindaweni zakhe ezivulekile. Kulesi sifundo sizobheka amaphrofayili okuphepha alandelayo: Ukuhlunga Kwewebhu, Ukulawula Uhlelo Lokusebenza, kanye nokuhlolwa kwe-HTTPS.
Ukuze siqale ngamaphrofayela okuphepha, sidinga ukuqonda into eyodwa ngaphezulu: amamodi okuhlola.
Okuzenzakalelayo kuyimodi esekelwe ekugelezeni. Ihlola amafayela njengoba edlula ku-FortiGate ngaphandle kokubhafa. Uma iphakethe selifikile, liyacutshungulwa futhi lidluliselwe phambili, ngaphandle kokulinda ukuthi lonke ifayela noma ikhasi lewebhu lamukelwe. Idinga izinsiza ezimbalwa futhi inikeza ukusebenza okungcono kunemodi yommeleli, kodwa ngesikhathi esifanayo, akuwona wonke umsebenzi Wokuvikela otholakala kuyo. Isibonelo, i-Data Leak Prevention (DLP) ingasetshenziswa kuphela kumodi yommeleli.
Imodi ye-proxy isebenza ngokuhlukile. Idala ukuxhumana okubili kwe-TCP, okukodwa phakathi kweklayenti ne-FortiGate, okwesibili phakathi kwe-FortiGate neseva. Lokhu kuvumela ukuthi igcine kumthamo wethrafikhi, okungukuthi, ithole ifayela eliphelele noma ikhasi lewebhu. Ukuskena amafayela ezinsongo ezihlukahlukene kuqala kuphela ngemva kokuba lonke ifayela lifakwe kubhafa. Lokhu kukuvumela ukuthi usebenzise izici ezengeziwe ezingatholakali kumodi esekelwe ku-Flow. Njengoba ubona, le modi ibonakala iphambene ne-Flow Based - ukuphepha kudlala indima enkulu lapha, futhi ukusebenza kuthatha isihlalo esingemuva.
Abantu bavame ukubuza: iyiphi imodi engcono? Kodwa ayikho iresiphi evamile lapha. Yonke into ihlale ingumuntu ngamunye futhi incike ezidingweni zakho kanye nemigomo yakho. Kamuva esifundweni ngizozama ukukhombisa umehluko phakathi kwamaphrofayili okuphepha kumamodi we-Flow ne-Proxy. Lokhu kuzokusiza ukuthi uqhathanise ukusebenza futhi unqume ukuthi yikuphi okungcono kakhulu kuwe.
Masiqonde ngqo kumaphrofayili okuphepha futhi siqale sibheke Ukuhlunga Kwewebhu. Kuyasiza ukuqapha noma ukulandelela ukuthi yimaphi amawebhusayithi abasebenzisi abavakashelayo. Ngicabanga ukuthi asikho isidingo sokujula ekuchazeni isidingo sephrofayili enjalo kumaqiniso amanje. Ake siqonde kangcono ukuthi isebenza kanjani.
Uma uxhumano lwe-TCP selumisiwe, umsebenzisi usebenzisa isicelo se-GET ukuze acele okuqukethwe kuwebhusayithi ethile.
Uma iseva yewebhu iphendula kahle, ithumela ulwazi mayelana newebhusayithi emuva. Yilapho isihlungi sewebhu siqala ukusebenza khona. Iqinisekisa okuqukethwe kwale mpendulo. Ngesikhathi sokuqinisekisa, i-FortiGate ithumela isicelo sesikhathi sangempela ku-FortiGuard Distribution Network (FDN) ukuze inqume isigaba sewebhusayithi enikeziwe. Ngemva kokunquma isigaba sewebhusayithi ethile, isihlungi sewebhu, kuye ngezilungiselelo, senza isenzo esithile.
Kunezenzo ezintathu ezitholakalayo kumodi yokugeleza:
- Vumela - vumela ukufinyelela kuwebhusayithi
- Vimba - vimba ukufinyelela kuwebhusayithi
- Gada - vumela ukufinyelela kuwebhusayithi futhi uyirekhode kulogi
Kumodi ye-Proxy, izenzo ezimbili ezengeziwe zengezwa:
- Isexwayiso - nikeza umsebenzisi isexwayiso sokuthi uzama ukuvakashela insiza ethile futhi anikeze umsebenzisi ukukhetha - qhubeka noma shiya iwebhusayithi.
- Qinisekisa - Cela imininingwane yomsebenzisi - lokhu kuvumela amaqembu athile ukuthi afinyelele izigaba ezikhawulelwe zamawebhusayithi.
Esizeni ungabuka zonke izigaba nezigatshana zesihlungi sewebhu, futhi uthole ukuthi iwebhusayithi ethile ingeyasiphi isigaba. Futhi ngokuvamile, lesi isiza esihle kakhulu esiwusizo kubasebenzisi bezixazululo ze-Fortinet, ngikweluleka ukuthi uyazi kangcono ngesikhathi sakho samahhala.
Kuncane kakhulu okungashiwo mayelana ne-Application Control. Njengoba igama liphakamisa, likuvumela ukuthi ulawule ukusebenza kwezinhlelo zokusebenza. Futhi ukwenza lokhu esebenzisa amaphethini avela kuzinhlelo zokusebenza ezihlukahlukene, okuthiwa amasignesha. Esebenzisa lawa masignesha, angakwazi ukuhlonza uhlelo oluthile futhi asebenzise isenzo esithile kulo:
- Vumela - vumela
- Gada - vumela futhi ungene ngemvume lokhu
- Vimba - vimbela
- Ukuvalelwa - rekhoda umcimbi kulogi futhi uvimbe ikheli lasesizindeni se-inthanethi isikhathi esithile
Ungakwazi futhi ukubuka amasiginesha akhona kuwebhusayithi .
Manje ake sibheke indlela yokuhlola ye-HTTPS. Ngokwezibalo ekupheleni kuka-2018, isabelo sethrafikhi ye-HTTPS sidlule ama-70%. Okusho ukuthi, ngaphandle kokusebenzisa ukuhlola kwe-HTTPS, sizokwazi ukuhlaziya cishe u-30% wethrafikhi edlula kunethiwekhi. Okokuqala, ake sibheke ukuthi i-HTTPS isebenza kanjani ngokulinganisa okunzima.
Iklayenti liqala isicelo se-TLS kuseva yewebhu futhi lithola impendulo ye-TLS, futhi libona nesitifiketi sedijithali okufanele sithenjwe kulo msebenzisi. Lokhu ubuncane obuncane esidinga ukwazi ukuthi i-HTTPS isebenza kanjani; empeleni, indlela esebenza ngayo iyinkimbinkimbi kakhulu. Ngemva kokuxhawula i-TLS ngempumelelo, ukudluliswa kwedatha okubethelwe kuyaqala. Futhi lokhu kuhle. Akekho ongafinyelela idatha oyishintshayo neseva yewebhu.
Kodwa-ke, kubasebenzi bezokuphepha benkampani lokhu kuyinkinga yangempela, njengoba bengakwazi ukubona lesi sibalo futhi bahlole okuqukethwe kuyo nge-antivirus, noma uhlelo lokuvimbela ukungena, noma izinhlelo ze-DLP, nanoma yini. Lokhu kuphinde kuthinte kabi ikhwalithi yencazelo yezinhlelo zokusebenza nezisetshenziswa zewebhu ezisetshenziswa ngaphakathi kwenethiwekhi - lokho kanye okuhlobana nesihloko sesifundo sethu. Ubuchwepheshe bokuhlola i-HTTPS bakhelwe ukuxazulula le nkinga. Ingqikithi yayo ilula kakhulu - empeleni, idivayisi eyenza ukuhlolwa kwe-HTTPS ihlela ukuhlasela kwe-Man In The Middle. Kubukeka kanjena: I-FortiGate ibamba isicelo somsebenzisi, ihlele ukuxhumana kwe-HTTPS ngaso, bese ivula iseshini ye-HTTPS ngesisetshenziswa umsebenzisi afinyelelwe kuso. Kulesi simo, isitifiketi esikhishwe yi-FortiGate sizobonakala kukhompuyutha yomsebenzisi. Kufanele kuthenjwe ukuze isiphequluli sivumele ukuxhumana.
Eqinisweni, ukuhlolwa kwe-HTTPS kuyinto eyinkimbinkimbi futhi kunemikhawulo eminingi, kodwa ngeke sikucabangele lokhu kulesi sifundo. Ngizongeza nje ukuthi ukusebenzisa ukuhlolwa kwe-HTTPS akuyona indaba yamaminithi; ngokuvamile kuthatha inyanga. Kuyadingeka ukuqoqa ulwazi mayelana nokuhlukile okudingekayo, wenze izilungiselelo ezifanele, uqoqe impendulo kubasebenzisi, futhi ulungise izilungiselelo.
Ithiyori enikeziwe, kanye nengxenye esebenzayo, yethulwa kulesi sifundo sevidiyo:
Esifundweni esilandelayo sizobheka amanye amaphrofayili okuphepha: i-antivirus kanye nohlelo lokuvimbela ukungena. Ukuze ungaphuthelwa, landela izibuyekezo eziteshini ezilandelayo:
Source: www.habr.com