7. NGFW for small business. Performance and general recommendations

The time has come to wrap up the series of articles on the new generation of Check Point SMB appliances (the 1500 series). We hope this has been a rewarding experience for you and that you will stay with us on the TS Solution blog. The topic of the final article is not widely covered, but it is no less important: SMB performance tuning. In it we will discuss the hardware and software configuration options of the NGFW and describe the available commands and ways of interacting with the device.

All articles in the series on NGFW for small business:

  1. The new CheckPoint 1500 Security Gateway line

  2. Unboxing and setup

  3. Wireless data transmission: WiFi and LTE

  4. VPN

  5. Cloud SMP management

  6. Smart-1 Cloud

At the moment there are not many sources of information on performance tuning for SMB solutions, because of the limitations of the internal OS, Gaia 80.20 Embedded. In this article we will use a layout with centralized management (a dedicated Management Server), which lets you use more tools when working with the NGFW.

Hardware

Before touching on the architecture of the Check Point SMB family, you can always ask your partner to use the Appliance Sizing Tool utility to select the optimal solution for the stated characteristics (throughput, expected number of users, etc.).

Important notes when working with your NGFW hardware

  1. NGFW solutions of the SMB family cannot have their system components (CPU, RAM, HDD) upgraded; depending on the model, SD cards are supported, which lets you expand disk capacity, but not significantly.

  2. The operation of network interfaces needs to be monitored. Gaia 80.20 Embedded does not have many monitoring tools, but you can always use the well-known command in the CLI via Expert mode.

    # ifconfig

    Pay attention to the underlined lines; they let you estimate the number of errors on the interface. It is strongly recommended to check these parameters during the initial rollout of your NGFW, and periodically during operation.

  3. Full Gaia has the command:

    > show diag

    With it you can get information about hardware temperature. Unfortunately, this option is not available in 80.20 Embedded; we will list the most popular SNMP traps:

    | Name | Description |
    |---|---|
    | Interface disconnected | Interface is disabled |
    | VLAN removed | VLANs removed |
    | High memory utilization | High RAM utilization |
    | Low disk space | Not enough HDD space |
    | High CPU utilization | High CPU utilization |
    | High CPU interrupts rate | High interrupt rate |
    | High connection rate | High flow of new connections |
    | High concurrent connections | High level of concurrent sessions |
    | High Firewall throughput | High Firewall throughput |
    | High accepted packet rate | High rate of accepted packets |
    | Cluster member state changed | Cluster state change |
    | Connection with log server error | Connection to the Log Server lost |

  4. The operation of your gateway requires RAM monitoring. For Gaia (a Linux-like OS) it is a normal situation for RAM usage to reach 70-80%.

    The architecture of SMB solutions does not provide for the use of SWAP memory, unlike the older Check Point models. However, something was noticed in the Linux system files that suggests it may be possible to change the SWAP parameter.
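
The interface error check from note 2 above, as an added example that is not part of the original article: it parses `ifconfig` output in the classic net-tools/BusyBox layout (an assumption about what the appliance prints) and lists interfaces whose errors plus drops exceed a per-million-packets limit. The sample output, interface names and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the classic ifconfig layout (not real device output).
sample_ifconfig() {
cat <<'EOF'
WAN       Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2000000 errors:4500 dropped:120 overruns:0 frame:4500
          TX packets:1500000 errors:0 dropped:0 overruns:0 carrier:0
          RX bytes:1200000000 (1.1 GiB)  TX bytes:900000000 (858.3 MiB)

LAN1      Link encap:Ethernet  HWaddr 00:11:22:33:44:56
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9000000 errors:0 dropped:3 overruns:0 frame:0
          TX packets:8000000 errors:0 dropped:0 overruns:0 carrier:0
          RX bytes:5400000000 (5.0 GiB)  TX bytes:4800000000 (4.4 GiB)
EOF
}

# Print "iface direction packets errors dropped" for every RX/TX packet line.
iface_counters() {
  awk '
    /^[^ \t]/ { iface = $1 }            # an unindented line starts a new interface
    $1 == "RX" || $1 == "TX" {
      if ($2 !~ /^packets:/) next       # skip the "RX bytes:" summary line
      pk = er = dr = 0
      for (i = 2; i <= NF; i++) {
        split($i, kv, ":")
        if (kv[1] == "packets") pk = kv[2]
        if (kv[1] == "errors")  er = kv[2]
        if (kv[1] == "dropped") dr = kv[2]
      }
      print iface, $1, pk, er, dr
    }'
}

# noisy_ifaces LIMIT: list iface/direction where errors+drops per million packets > LIMIT.
noisy_ifaces() {
  iface_counters | awk -v lim="$1" '
    $3 > 0 && ($4 + $5) * 1000000 / $3 > lim { print $1 "/" $2 }'
}
```

From Expert mode this would be run as `ifconfig | noisy_ifaces 100`, assuming `awk` is available there; the limit of 100 per million is an arbitrary starting point, not a Check Point figure.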

Software

At the time of writing, the current Gaia version is 80.20.10. You need to know that there are limitations when working in the CLI: only some Linux commands are supported in Expert mode. Assessing NGFW performance requires assessing the operation of daemons and services; more details on this can be found in an article by our colleague. We will look at the commands available for SMB.

Working with Gaia OS

  1. View SecureXL templates

    # fwaccel stat

  2. View the load per core

    # fw ctl multik stat

  3. View the number of sessions (connections)

    # fw ctl pstat

  4. *View the cluster state

    # cphaprob stat

  5. The classic Linux command top

Logging

As you already know, there are three ways of working with NGFW logs (storage, processing): locally, centrally and in the cloud. The last two options imply the presence of a separate entity, the Management Server.

Possible NGFW management schemes

The most important log files

  1. System messages (contains less information than in full Gaia)

    # tail -f /var/log/messages2

  2. Error messages from the operation of the blades (a very useful file when troubleshooting)

    # tail -f /var/log/log/sfwd.elg

  3. View messages from the system kernel buffer.

    # dmesg

Blade configuration

This section will not contain complete instructions for configuring your Check Point NGFW; it contains only our recommendations, chosen from experience.

Application Control / URL Filtering

  • It is recommended to avoid Any, Any (Source, Destination) conditions in rules.

  • When specifying a custom URL resource, it is more efficient to use regular expressions such as: (^|..)checkpoint.com

  • Avoid excessive use of rule logging and display of block pages (UserCheck).

  • Make sure the "SecureXL" technology is working correctly. Most traffic should pass through the accelerated / medium path. Also, do not forget to filter rules by the most used ones (the Hits field).
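
An added check, not part of the original article, for the custom URL pattern in the list above: as printed, its dots are unescaped, so it also matches look-alike host names. The escaped, end-anchored form and host-name-only matching with POSIX ERE (`grep -E`) are assumptions for illustration; the gateway's own regex engine and match target may differ, and all host names are constructed.

```shell
#!/bin/sh
# Pattern exactly as printed on the page, and an escaped form (assumption, see lead-in).
PRINTED='(^|..)checkpoint.com'
ESCAPED='(^|.*\.)checkpoint\.com$'

# Constructed host names: WANTED belong to the domain, UNWANTED only resemble it.
WANTED='checkpoint.com www.checkpoint.com supportcenter.checkpoint.com'
UNWANTED='mycheckpoint.com checkpointxcom.example checkpoint.com.example.net'

# matches PATTERN HOST: exit status 0 when the ERE is found in HOST.
matches() { printf '%s\n' "$2" | grep -Eq -- "$1"; }

# misclassified PATTERN: print every host the pattern gets wrong, one per line.
# "missed:"    = a host of the domain that the pattern does not match
# "overmatch:" = a foreign host that the pattern matches anyway
misclassified() {
  for h in $WANTED;   do matches "$1" "$h" || echo "missed:$h"; done
  for h in $UNWANTED; do matches "$1" "$h" && echo "overmatch:$h"; done
  return 0
}
```

Running `misclassified "$PRINTED"` reports all three look-alike hosts as overmatches, while `misclassified "$ESCAPED"` prints nothing; the same two lists can be extended with real host names before a custom URL object is used in a rule.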

HTTPS Inspection

It is no secret that 70-80% of user traffic is HTTPS connections, which means it consumes resources of your gateway's processor. In addition, HTTPS Inspection takes part in the work of IPS, Antivirus and Antibot.

Starting with version 80.40 it became possible to work with HTTPS rules without the Legacy Dashboard; here is the recommended rule order:

  • Bypass for a group of addresses and networks (Destination).

  • Bypass for a group of URLs.

  • Bypass for internal IPs and networks with privileged access (Source).

  • Inspect for the required networks, users

  • Bypass for everyone else.

* It is always better to select the HTTPS or HTTPS proxy services manually rather than leaving Any. Log events according to the Inspect rules.

IPS

The IPS blade may fail to install policy on your NGFW if too many signatures are in use. According to an article from Check Point, the architecture of SMB devices is not designed to run the full recommended IPS configuration profile.

To resolve or prevent the problem, follow these steps:

  1. Clone the Optimized profile under the name “Optimized SMB” (or another name of your choice).

  2. Edit the profile, go to IPS → Pre R80 Settings and turn off Server Protections.

  3. At your discretion, you can disable CVEs older than 2010; these vulnerabilities are rarely found in small offices, but they affect performance. To disable some of them, go to Profile → IPS → Additional Activation → Protections to deactivate list

In place of a conclusion

As part of the series of articles on the new generation of NGFW of the SMB family (1500), we tried to highlight the main capabilities of the solution and showed the configuration of important security components using specific examples. We will be glad to answer any questions about the product in the comments. Stay with us, and thank you for your attention!

A large selection of materials on Check Point from TS Solution. So as not to miss new publications, follow the updates on our social networks (Telegram, Facebook, VK, TS Solution Blog, Yandex.Zen).

Source: www.habr.com
