Cisco ISE: Introduction, Requirements, Installation. Part 1

1. Introduction

Every company, even a very small one, needs user authentication, authorization and accounting (the AAA family of protocols). At the initial stage, AAA is implemented well enough with protocols such as RADIUS, TACACS+ and DIAMETER. However, as the number of users and the company itself grow, so does the number of tasks: full visibility of hosts and BYOD devices, multi-factor authentication, building a multi-level access policy, and much more.

For such tasks, the class of NAC (Network Access Control) solutions is a perfect fit. In this series of articles dedicated to Cisco ISE (Identity Services Engine), a NAC solution that provides context-aware access control for users on the internal network, we will take a detailed look at the architecture, deployment, configuration and licensing of the solution.

Let me briefly remind you that Cisco ISE allows you to:

  • Quickly and easily create guest access on a dedicated WLAN;

  • Detect BYOD devices (for example, employees' home PCs brought to work);

  • Centralize and enforce security policies for both domain and non-domain users using TrustSec security group tags (SGT);

  • Check computers for the presence of specific installed software and for compliance with standards (posture);

  • Profile and classify endpoints and network devices;

  • Provide endpoint visibility;

  • Send user logon/logoff event logs and their accounts (identities) to an NGFW so that it can build user-based policy;

  • Integrate natively with Cisco StealthWatch and quarantine suspicious hosts involved in security incidents (more details);

  • And other standard features of AAA servers.

Our colleagues in the industry have already written about Cisco ISE, so I recommend reading: Cisco ISE implementation practice, How to prepare for a Cisco ISE implementation.

2. Architecture

The Identity Services Engine architecture consists of 4 entities (nodes): the administration node (Policy Administration Node), the policy service node (Policy Service Node), the monitoring node (Monitoring Node) and the PxGrid node (PxGrid Node). Cisco ISE can run in a standalone or a distributed deployment. In the standalone version, all entities reside on a single virtual machine or physical server (Secure Network Server, SNS), while in the distributed version the nodes are spread across different devices.

The Policy Administration Node (PAN) is a required node that lets you perform all administrative operations on Cisco ISE. It handles all system configuration related to AAA. In a distributed configuration (nodes can be installed as separate virtual machines), you can have a maximum of two PANs for fault tolerance, in Active/Standby mode.

The Policy Service Node (PSN) is a required node that provides network access, posture, guest access, client provisioning and profiling. The PSN evaluates policy and enforces it. Usually several PSNs are installed, especially in a distributed configuration, for redundancy and load distribution. Naturally, these nodes are placed in different segments so that the ability to grant authenticated and authorized access is never lost, even for a second.

The Monitoring Node (MnT) is a required node that stores event logs, the logs of the other nodes and the policies on the network. The MnT node provides advanced monitoring and troubleshooting tools, collects and correlates various data, and produces meaningful reports. Cisco ISE allows a maximum of two MnT nodes, which provides fault tolerance in Active/Standby mode. Note, however, that logs are collected by both nodes, the active and the passive one.

The PxGrid Node (PXG) is a node that runs the PxGrid protocol and enables communication between other PxGrid-capable devices.

PxGrid is a protocol that provides integration of IT and information security infrastructure products from different vendors: monitoring systems, intrusion detection and prevention systems, security policy management platforms and many other solutions. Cisco PxGrid lets you share context unidirectionally or bidirectionally with many platforms without the need for APIs, thereby enabling TrustSec technology (SGT tags), changing and applying ANC (Adaptive Network Control) policy, and performing profiling: identifying the device model, OS, location, and more.

In a high-availability configuration, PxGrid nodes replicate information between nodes via the PAN. If the PAN is down, the PxGrid node stops authenticating, authorizing and accounting users.

Below is a schematic representation of how the different Cisco ISE entities operate on an enterprise network.

Figure 1. Cisco ISE Architecture

3. Requirements

Like most modern solutions, Cisco ISE can be deployed either virtually or physically as a dedicated server.

The physical appliances running Cisco ISE software are called SNS (Secure Network Server). They come in three models: SNS-3615, SNS-3655 and SNS-3695, for small, medium and large enterprises respectively. Table 1 shows information from the SNS data sheet.

Table 1. Comparison of SNS appliances of different sizes

| Parameter | SNS 3615 (Small) | SNS 3655 (Medium) | SNS 3695 (Large) |
|---|---|---|---|
| Supported endpoints in a Standalone deployment | 10000 | 25000 | 50000 |
| Supported endpoints per PSN | 10000 | 25000 | 100000 |
| CPU (Intel Xeon 2.10 GHz) | 8 cores | 12 cores | 12 cores |
| RAM | 32 GB (2 x 16 GB) | 96 GB (6 x 16 GB) | 256 GB (16 x 16 GB) |
| HDD | 1 x 600 GB | 4 x 600 GB | 8 x 600 GB |
| Hardware RAID | No | RAID 10, RAID controller present | RAID 10, RAID controller present |
| Network interfaces | 2 x 10Gbase-T, 4 x 1Gbase-T | 2 x 10Gbase-T, 4 x 1Gbase-T | 2 x 10Gbase-T, 4 x 1Gbase-T |

As for virtual deployment, the supported hypervisors are VMware ESXi (a minimum VMware hardware version of 11 on ESXi 6.0 is recommended), Microsoft Hyper-V and Linux KVM (RHEL 7.0). The resources should match those in the table above, or exceed them. The minimum requirements for a small-business virtual machine, however, are as follows: 2 CPUs at 2.0 GHz or higher, 16 GB RAM and a 200 GB HDD.
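As an added illustration (not code from the original article or from Cisco), the following Python sketch turns the node limits from section 2 and the endpoint figures from Table 1 into a small deployment planner and sanity check. It assumes that per-PSN capacity adds linearly across PSNs and that one spare PSN is a reasonable redundancy margin; both are my assumptions, not statements from the article.

```python
import math
from dataclasses import dataclass

# Endpoint figures from Table 1 of the article (standalone box / per PSN).
SNS_CAPACITY = {
    "SNS-3615": {"standalone": 10000, "per_psn": 10000},
    "SNS-3655": {"standalone": 25000, "per_psn": 25000},
    "SNS-3695": {"standalone": 50000, "per_psn": 100000},
}
MAX_PAN = 2  # section 2: at most two PANs (Active/Standby)
MAX_MNT = 2  # section 2: at most two MnT nodes (Active/Standby)


@dataclass(frozen=True)
class Node:
    name: str
    model: str
    personas: frozenset  # subset of {"PAN", "PSN", "MnT", "PxGrid"}


def choose_mode(endpoints, model):
    """Standalone if one box of this model covers the endpoints, else distributed."""
    return "standalone" if endpoints <= SNS_CAPACITY[model]["standalone"] else "distributed"


def plan_psn_count(endpoints, model, redundant=True):
    """PSNs needed for the endpoint count; redundant=True adds one spare so losing a
    PSN keeps the required capacity (assumption: per-PSN capacity adds linearly)."""
    needed = max(1, math.ceil(endpoints / SNS_CAPACITY[model]["per_psn"]))
    return needed + 1 if redundant else needed


def validate(nodes, endpoints):
    """Check a planned deployment against the article's node rules; [] means OK."""
    by_persona = lambda p: [n for n in nodes if p in n.personas]
    pans, mnts, psns, pxg = map(by_persona, ("PAN", "MnT", "PSN", "PxGrid"))
    findings = []
    if not 1 <= len(pans) <= MAX_PAN:
        findings.append(f"PAN count {len(pans)} outside 1..{MAX_PAN}")
    if not 1 <= len(mnts) <= MAX_MNT:
        findings.append(f"MnT count {len(mnts)} outside 1..{MAX_MNT}")
    if not psns:
        findings.append("no PSN: nothing evaluates or enforces policy")
    capacity = sum(SNS_CAPACITY[n.model]["per_psn"] for n in psns)
    if capacity < endpoints:
        findings.append(f"PSN capacity {capacity} below {endpoints} endpoints")
    # Section 2: PxGrid replicates via the PAN and stops working when the PAN is
    # down, so a PxGrid node behind a single PAN has a single point of failure.
    if pxg and len(pans) < 2:
        findings.append("PxGrid present but only one PAN: no standby PAN")
    return findings
```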

For more details on Cisco ISE deployment, please contact us or see resource #1 and resource #2.

4. Installation

Like most other Cisco products, ISE can be tested in several ways:

  • dCloud, a cloud service of pre-built lab environments (a Cisco account is required);

  • GVE request, a request on the Cisco website for specific software (the partner route). You create a case with the following typical description: Product Type [ISE], ISE Software [ise-2.7.0.356.SPA.x8664], ISE Patch [ise-patchbundle-2.7.0.356-Patch2-20071516.SPA.x8664];

  • pilot project: contact any authorized partner to carry out a free pilot project.

1) After creating the virtual machine, if you requested an ISO file rather than an OVA template, a window will appear in which ISE asks you to choose the installation. To do this, instead of a login and password, type "setup"!

Note: if you deployed ISE from an OVA template, the login credentials are admin/MyIseYPass2 (this and much more is described in the official guide).

Figure 2. Installing Cisco ISE

2) Then you need to fill in the required fields such as IP address, DNS, NTP and others.

Figure 3. Initializing Cisco ISE

3) After that, the device will reboot, and you will be able to connect to the web interface using the previously specified IP address.

Figure 4. Cisco ISE Web Interface

4) On the Administration > System > Deployment tab you can select which nodes (entities) are enabled on a particular host. The PxGrid node is enabled here.

Figure 5. Cisco ISE Entity Management

5) Then, on the Administration > System > Admin Access > Authentication tab, I recommend setting the password policy, the authentication method (certificate or password), the account expiration date, and other settings.

Figure 6. Configuring the authentication type

Figure 7. Password policy settings

Figure 8. Setting account disabling after expiration

Figure 9. Setting account lockout

6) On the Administration > System > Admin Access > Administrators > Admin Users > Add tab you can create a new administrator.

Figure 10. Creating a local Cisco ISE administrator

7) A new administrator can be made a member of a new group or of the predefined groups. Administrator groups are managed in the same panel on the Admin Groups tab. Table 2 summarizes information about ISE administrators, their privileges and their roles.

Table 2. Cisco ISE administrator groups, access levels, permissions and restrictions

| Administrator group name | Permissions | Restrictions |
|---|---|---|
| Customization Admin | Configuring guest and sponsor portals, their management and customization | Cannot change policies or view reports |
| Helpdesk Admin | Can view the main dashboard, all reports, alarms and troubleshooting flows | Cannot change, create or delete reports, alarms and authentication logs |
| Identity Admin | Managing users, privileges and roles; can view logs, reports and alarms | Cannot change policies or perform OS-level operations |
| MnT Admin | Full monitoring, reports, alarms, logs and their management | Cannot change any policies |
| Network Device Admin | Privileges to create and modify ISE objects, view logs, reports and the main dashboard | Cannot change policies or perform OS-level operations |
| Policy Admin | Full management of all policies, changing profiles and settings, viewing reports | Cannot configure identities or ISE objects |
| RBAC Admin | All settings on the Operations tab, ANC policy settings, report management | Cannot change policies other than ANC or perform OS-level operations |
| Super Admin | Privileges for all settings, reporting and management; can delete and modify administrator credentials | Cannot modify or delete another profile in the Super Admin group |
| System Admin | All settings on the Operations tab, system settings management, ANC policy, viewing reports | Cannot change policies other than ANC or perform OS-level operations |
| External RESTful Services (ERS) Admin | Full access to the Cisco ISE REST API | Only for authorization and management of local users, hosts and security groups (SG) |
| External RESTful Services (ERS) Operator | Cisco ISE REST API read permissions | Only for authorization and management of local users, hosts and security groups (SG) |

Figure 11. Predefined Cisco ISE administrator groups

8) Optionally, on the Authorization > Permissions > RBAC Policy tab you can edit the privileges of the predefined administrators.

Figure 12. Managing the rights of Cisco ISE administrator preset profiles

9) On the Administration > System > Settings tab all system settings are available (DNS, NTP, SMTP and others). You can fill them in here if you skipped them during device initialization.

5. Conclusion

This concludes the first article. We discussed the relevance of the Cisco ISE NAC solution, its architecture, minimum requirements and deployment options, and the initial installation.

In the next article we will look at creating accounts, integrating with Microsoft Active Directory, and creating guest access.

If you have questions about this topic or need help testing the product, please contact us via the link.

Source: www.habr.com