I-ProHoster > Блог > Ukuphatha > Ungayilawula kanjani ingqalasizinda yakho yenethiwekhi. Isahluko sesithathu. Ukuphepha kwenethiwekhi. Ingxenye yokuqala

Ungayilawula kanjani ingqalasizinda yakho yenethiwekhi. Isahluko sesithathu. Ukuphepha kwenethiwekhi. Ingxenye yokuqala

Lesi sihloko singesesithathu ochungechungeni lwezihloko ezithi “Indlela Yokulawula Ingqalasizinda Yakho Yenethiwekhi.” Okuqukethwe kuzo zonke izihloko ochungechungeni nezixhumanisi zingatholakala lapha.

Ungayilawula kanjani ingqalasizinda yakho yenethiwekhi. Isahluko sesithathu. Ukuphepha kwenethiwekhi. Ingxenye yokuqala

Asikho isidingo sokukhuluma ngokuqeda ngokuphelele izingozi zokuphepha. Empeleni, asikwazi ukuwehlisa aze afike kuziro. Kudingeka futhi siqonde ukuthi njengoba silwela ukwenza inethiwekhi ivikeleke kakhulu, izixazululo zethu ziya ngokuya zibiza kakhulu. Udinga ukuthola ukuhwebelana phakathi kwezindleko, inkimbinkimbi, nokuvikeleka okunengqondo kunethiwekhi yakho.

Yiqiniso, umklamo wokuphepha uhlanganiswe ngokuhlelekile ekwakhiweni okuphelele futhi izixazululo zokuphepha ezisetshenzisiwe zithinta ukulinganisa, ukwethembeka, ukuphathwa, ... kwengqalasizinda yenethiwekhi, okufanele futhi kucatshangelwe.

Kodwa ake ngikukhumbuze ukuthi manje asisakhulumi ngokwenza inethiwekhi. Ngokusho kwethu izimo zokuqala sesivele sakhetha ukuklama, sakhetha imishini, futhi sakha ingqalasizinda, futhi kulesi sigaba, uma kungenzeka, kufanele "siphile" futhi sithole izixazululo kumongo wendlela ekhethiwe ngaphambilini.

Umsebenzi wethu manje uwukubona ubungozi obuhlobene nokuvikeleka ezingeni lenethiwekhi futhi bube sezingeni elifanele.

Ukuhlolwa kokuphepha kwenethiwekhi

Uma ngabe inhlangano yakho isebenzise izinqubo ze-ISO 27k, khona-ke ukuhlola kokuphepha kanye nezinguquko zenethiwekhi kufanele kungene ngaphandle komthungo kuzo zonke izinqubo ezingaphakathi kwale ndlela. Kodwa lezi zindinganiso namanje azikho mayelana nezixazululo ezithile, hhayi mayelana nokucushwa, hhayi mayelana nokuklama ... Azikho izeluleko ezicacile, azikho izindinganiso ezichaza ngokuningiliziwe ukuthi inethiwekhi yakho kufanele ibe njani, lokhu kuyinkimbinkimbi nobuhle balo msebenzi.

Ngingaqokomisa ukuhlolwa okumbalwa kokuphepha kwenethiwekhi okungenzeka:

  • ukuhlolwa kokucushwa kwemishini (ukuqina)
  • ukuhlolwa komklamo wokuphepha
  • finyelela ukuhlolwa
  • inqubo audit

Ukuhlolwa kokucushwa kwezisetshenziswa (ukuqina)

Kubonakala sengathi ezimeni eziningi lesi kuyisiqalo esingcono kakhulu sokuhlola nokuthuthukisa ukuphepha kwenethiwekhi yakho. I-IMHO, lokhu kuwukubonakaliswa okuhle komthetho kaPareto (u-20% womzamo ukhiqiza amaphesenti angama-80 womphumela, kanti u-80% osele wemizamo ukhiqiza kuphela u-20% womphumela).

Okubalulekile ukuthi sivame ukuba nezincomo ezivela kubathengisi mayelana "nezinqubo ezihamba phambili" zokuvikela lapho silungiselela okokusebenza. Lokhu kubizwa ngokuthi "ukuqina".

Ungakwazi futhi ukuthola uhlu lwemibuzo (noma uzenzele ngokwakho) ngokusekelwe kulezi zincomo, ezizokusiza ukuthi unqume ukuthi ukumiswa kwemishini yakho kuhambisana kanjani nalezi "zindlela ezihamba phambili" futhi, ngokuhambisana nomphumela, wenze izinguquko kunethiwekhi yakho. . Lokhu kuzokuvumela ukuthi unciphise kakhulu ubungozi bezokuphepha kalula, ngaphandle kwezindleko.

Izibonelo ezimbalwa zezinye izinhlelo zokusebenza zeCisco.

Cisco IOS Configuration Hardening
I-Cisco IOS-XR Configuration Hardening
I-Cisco NX-OS Configuration Hardening
Cisco Baseline Security Check List

Ngokusekelwe kule mibhalo, uhlu lwezidingo zokucushwa zohlobo ngalunye lwesisetshenziswa lungadalwa. Isibonelo, kuCisco N7K VDC lezi zidingo zingase zibukeke kanjalo.

Ngale ndlela, amafayela okumisa angadalelwa izinhlobo ezahlukene zemishini esebenzayo kungqalasizinda yenethiwekhi yakho. Okulandelayo, ngokwenza noma usebenzisa i-automation, ungakwazi "ukulayisha" lawa mafayela okumisa. Indlela yokwenza le nqubo ngokuzenzakalelayo kuzoxoxwa ngayo ngokuningiliziwe kolunye uchungechunge lwama-athikili mayelana ne-orchestration ne-automation.

Ukuhlolwa komklamo wokuphepha

Ngokuvamile, inethiwekhi yebhizinisi iqukethe amasegimenti alandelayo ngendlela eyodwa noma enye:

  • I-DC (Izinkonzo zomphakathi i-DMZ kanye nesikhungo sedatha ye-inthanethi)
  • Ukufinyelela kwe-intanethi
  • I-VPN yokufinyelela kude
  • Unqenqema lwe-WAN
  • Yegatsha
  • Ikhampasi (Ihhovisi)
  • Core

Izihloko ezithathwe kuyo Cisco SAFE imodeli, kodwa akudingekile, yebo, ukunamathiselwa ngokunembile kulawa magama nakule modeli. Noma kunjalo, ngisafuna ukukhuluma ngengqikithi futhi ngingagxili ezintweni ezisemthethweni.

Kulezi zingxenye, izidingo zokuphepha, ubungozi kanye, ngokufanele, izixazululo zizohluka.

Ake sibheke ngayinye yazo ngokwehlukana ngezinkinga ongahlangabezana nazo ngokombono wedizayini yezokuphepha. Kunjalo, ngiyaphinda futhi ukuthi lesi sihloko asenzeli neze ukuthi siphelele, okungelula (uma kungenzeki) ukufeza kulesi sihloko esijule ngempela futhi esinezici eziningi, kodwa sibonisa okuhlangenwe nakho kwami ​​​​komuntu siqu.

Asikho isixazululo esiphelele (okungenani okwamanje). Kuhlala kuvumelana. Kodwa kubalulekile ukuthi isinqumo sokusebenzisa indlela eyodwa noma enye senziwe ngokuqaphela, ngokuqonda kokubili okuhle nokubi.

Isikhungo sedatha

Ingxenye ebaluleke kakhulu ngokubuka kwezokuphepha.
Futhi, njengenjwayelo, asikho isixazululo sasemhlabeni wonke lapha. Konke kuncike kakhulu ezidingweni zenethiwekhi.

Ingabe i-firewall iyadingeka noma cha?

Kubonakala sengathi impendulo isobala, kodwa yonke into ayicacile njengoba kungase kubonakale. Futhi ukukhetha kwakho kungathonywa kuphela Intengo.

Isibonelo se-1. Ukubambezeleka.

Uma ukubambezeleka okuphansi kuyisidingo esibalulekile phakathi kwamasegimenti athile enethiwekhi, okuwukuthi, isibonelo, kuyiqiniso esimweni sokushintshisana, lapho-ke ngeke sikwazi ukusebenzisa izindonga zomlilo phakathi kwalezi zingxenye. Kunzima ukuthola izifundo nge-latency kuma-firewall, kodwa amamodeli ashintshiwe ambalwa anganikeza ukubambezeleka okungaphansi noma nge-oda lika-1 mksec, ngakho-ke ngicabanga ukuthi uma ama-microseconds abalulekile kuwe, khona-ke izindonga zomlilo azizona ezakho.

Isibonelo se-2. Ukusebenza.

Ukuphuma kokushintsha kwe-L3 okuphezulu kuvame ukuhleleka kobukhulu obungaphezulu kokuphuma kwama-firewall anamandla kakhulu. Ngakho-ke, esimweni sethrafikhi ephezulu kakhulu, kuzodingeka futhi uvumele le thrafikhi ukuthi idlule izindonga zomlilo.

Isibonelo se-3. Ukuthembeka

I-firewall, ikakhulukazi i-NGFW yesimanje (i-Next-Generation FW) ingamadivayisi ayinkimbinkimbi. Ziyinkimbinkimbi kakhulu kunokushintsha kwe-L3/L2. Bahlinzeka ngenani elikhulu lezinsizakalo nezinketho zokucushwa, ngakho-ke akumangazi ukuthi ukwethembeka kwabo kuphansi kakhulu. Uma ukuqhubeka kwesevisi kubalulekile kunethiwekhi, kungase kudingeke ukhethe okuzoholela ekutholakaleni okungcono - ukuphepha ngodonga lokuvikela noma ubulula benethiwekhi eyakhelwe kumaswishi (noma izinhlobo ezihlukahlukene zezindwangu) usebenzisa ama-ACL avamile.

Endabeni yezibonelo ezingenhla, cishe uzodinga (njengokujwayelekile) ukuthola ukuvumelana. Bheka izixazululo ezilandelayo:

  • uma unquma ukungasebenzisi ama-firewall ngaphakathi kwesikhungo sedatha, kuzomele ucabange ukuthi ungakukhawulela kanjani ukufinyelela eduze komjikelezo ngangokunokwenzeka. Isibonelo, ungavula kuphela izimbobo ezidingekayo kusukela ku-inthanethi (yethrafikhi yamakhasimende) kanye nokufinyelela kokuphatha esikhungweni sedatha kuphela kusuka kubasingathi abagxumayo. Ekugxumeni abasingathi, yenza konke ukuhlola okudingekayo (ukufakazela ubuqiniso/ukugunyaza, ukuvikela amagciwane, ukugawulwa kwemithi, ...)
  • ungasebenzisa ukwahlukanisa okunengqondo kwenethiwekhi yesikhungo sedatha ibe amasegimenti, afana nohlelo oluchazwe ku-PSEFABRIC isibonelo p002. Kulokhu, umzila kufanele ulungiswe ngendlela yokuthi ithrafikhi ezwelayo ukubambezeleka noma ephezulu kakhulu ingene “ngaphakathi” kwesegimenti eyodwa (esimweni sika-p002, VRF) futhi ingangeni ku-firewall. Ithrafikhi phakathi kwamasegimenti ahlukene izoqhubeka idlula ku-firewall. Ungasebenzisa futhi ukuvuza komzila phakathi kwama-VRF ukugwema ukuqondisa kabusha ithrafikhi ngohlelo lokuvikela
  • Ungasebenzisa futhi i-firewall kwimodi esobala futhi kuphela kulawo ma-VLAN lapho lezi zici (ukubambezeleka/ukusebenza) zingabalulekile. Kodwa udinga ukufunda ngokucophelela imikhawulo ehambisana nokusetshenziswa kwalesi mod kumthengisi ngamunye
  • ungase uthande ukucabanga ukusebenzisa i-architecture ye-service chain. Lokhu kuzovumela ithrafikhi edingekayo kuphela ukuthi idlule ku-firewall. Kubukeka kukuhle ngombono, kodwa angikaze ngisibone lesi sixazululo ekukhiqizeni. Sihlole uchungechunge lwesevisi lwe-Cisco ACI/Juniper SRX/F5 LTM cishe eminyakeni emi-3 edlule, kodwa ngaleso sikhathi lesi sixazululo sasibonakala “singenangqondo” kithi.

Izinga lokuvikela

Manje udinga ukuphendula umbuzo wokuthi yimaphi amathuluzi ofuna ukuwasebenzisa ukuhlunga ithrafikhi. Nazi ezinye izici ezivame ukuba khona ku-NGFW (isibonelo, lapha):

  • firewalling stateful (okuzenzakalelayo)
  • uhlelo lokusebenza lwe-firewalling
  • ukuvimbela usongo (i-antivirus, i-anti-spyware, nokuba sengozini)
  • Ukuhlunga i-URL
  • ukuhlunga idatha (ukuhlunga okuqukethwe)
  • ukuvimbela ifayela (ukuvimbela izinhlobo zamafayela)
  • dos ukuvikelwa

Futhi akuyona yonke into ecacile futhi. Kungase kubonakale sengathi ukuphakama kwezinga lokuvikela, kungcono. Kodwa futhi udinga ukucabangela lokho

  • Uma usebenzisa i-firewall engaphezulu, izobiza kakhulu ngokwemvelo (amalayisensi, amamojula engeziwe)
  • ukusetshenziswa kwamanye ama-algorithms kunganciphisa kakhulu ukuphuma kwe-firewall futhi kwandise ukubambezeleka, bheka isibonelo lapha
  • njenganoma yisiphi isisombululo esiyinkimbinkimbi, ukusetshenziswa kwezindlela zokuvikela eziyinkimbinkimbi kunganciphisa ukuthembeka kwesixazululo sakho, isibonelo, lapho usebenzisa uhlelo lokusebenza, ngihlangabezane nokuvinjwa kwezinye izinhlelo zokusebenza ezijwayelekile (dns, smb)

Njengenjwayelo, udinga ukuthola isixazululo esingcono kakhulu senethiwekhi yakho.

Akunakwenzeka ukuphendula ngokuqondile umbuzo wokuthi yimiphi imisebenzi yokuvikela engadingeka. Okokuqala, ngoba kuncike kudatha oyidluliselayo noma oyigcinayo futhi ozama ukuyivikela. Okwesibili, empeleni, ngokuvamile ukukhetha kwamathuluzi okuphepha kuyindaba yokholo nokuthembela kumthengisi. Awuwazi ama-algorithms, awazi ukuthi asebenza kanjani, futhi awukwazi ukuwahlola ngokugcwele.

Ngakho-ke, ezigabeni ezibucayi, isisombululo esihle singase sibe ukusebenzisa izinhlinzeko ezivela ezinkampanini ezahlukene. Isibonelo, ungavumela isivikeli magciwane ku-firewall, kodwa futhi usebenzise isivikelo se-antivirus (komunye umkhiqizi) endaweni kubasingathi.

Ukuhlukaniswa

Sikhuluma ngokuhlukaniswa okunengqondo kwenethiwekhi yesikhungo sedatha. Isibonelo, ukuhlukaniswa kuma-VLAN nama-subnets nakho kuwukuhlukaniswa okunengqondo, kodwa ngeke sikucabangele ngenxa yokubonakala kwakho. Ukuhlukaniswa okuthakazelisayo kucabangela amabhizinisi afana nezindawo zokuphepha ze-FW, ama-VRF (kanye nezifaniso zawo maqondana nabathengisi abahlukahlukene), amadivayisi anengqondo (PA VSYS, Cisco N7K VDC, Cisco ACI Tenant, ...), ...

Isibonelo sokuhlukaniswa okunjalo okunengqondo kanye nomklamo wesikhungo sedatha odingeka njengamanje unikezwe p002 yephrojekthi ye-PSEFABRIC.

Ngemva kokuchaza izingxenye ezinengqondo zenethiwekhi yakho, ungachaza ukuthi ithrafikhi ihamba kanjani phakathi kwamasegimenti ahlukene, lapho ukuhlunga kwamadivayisi kuzokwenziwa khona futhi ngaziphi izindlela.

Uma inethiwekhi yakho ingenakho ukwahlukanisa okunengqondo okucacile futhi nemithetho yokusebenzisa izinqubomgomo zokuphepha zokugeleza kwedatha okuhlukile akwenziwa ngokusemthethweni, lokhu kusho ukuthi uma uvula lokhu noma lokho kufinyelela, uphoqeleka ukuthi uxazulule le nkinga, futhi maningi amathuba okuba uxazulule le nkinga. izoyixazulula njalo ngokuhlukile.

Ngokuvamile ukuhlukaniswa kusekelwe kuphela ezindaweni zokuvikela ze-FW. Khona-ke udinga ukuphendula imibuzo elandelayo:

  • yiziphi izindawo zokuphepha ozidingayo
  • yiliphi izinga lokuvikela ofuna ukulisebenzisa endaweni ngayinye kulezi
  • ingabe ithrafikhi ye-intra-zone izovunyelwa ngokuzenzakalela?
  • uma kungenjalo, yiziphi izinqubomgomo zokuhlunga ithrafikhi ezizosetshenziswa ngaphakathi kwendawo ngayinye
  • yiziphi izinqubomgomo zokuhlunga ithrafikhi ezizosetshenziswa ku-pair ngayinye yezindawo (umthombo/indawo)

I-TCAM

Inkinga evamile i-TCAM eyanele (i-Ternary Content Addressable Memory), kokubili umzila nokufinyelela. I-IMHO, lena enye yezindaba ezibaluleke kakhulu lapho ukhetha imishini, ngakho-ke udinga ukuphatha lolu daba ngezinga elifanele lokunakekela.

Isibonelo 1. Ithebula Lokudlulisa I-TCAM.

Ake sibheke I-Palo Alto 7k i-firewall
Siyabona ukuthi usayizi wethebula lokudlulisa i-IPv4* = 32K
Ngaphezu kwalokho, leli nani lemizila livamile kuwo wonke ama-VSYS.

Ake sicabange ukuthi ngokuya ngomklamo wakho unquma ukusebenzisa 4 VSYS.
Ngayinye yalawa ma-VSYS ixhunywe nge-BGP kuma-MPLS PE amabili efu owasebenzisa njenge-BB. Ngakho-ke, i-4 VSYS ishintshanisa yonke imizila ethize enye kwenye futhi ibe netafula lokudlulisela elicishe libe namasethi afanayo emizila (kodwa ama-NH ahlukene). Ngoba I-VSYS ngayinye inezikhathi ezingu-2 ze-BGP (nezilungiselelo ezifanayo), bese umzila ngamunye owamukelwe nge-MPLS une-2 NH futhi, ngokufanele, okufakiwe okungu-2 kwe-FIB Kuthebula Lokudlulisela. Uma sicabanga ukuthi lena ukuphela kwe-firewall esikhungweni sedatha futhi kufanele yazi ngayo yonke imizila, khona-ke lokhu kuzosho ukuthi inani eliphelele lemizila esikhungweni sethu sedatha alikwazi ukuba ngaphezu kuka-32K/(4 * 2) = 4K.

Manje, uma sicabanga ukuthi sinezikhungo zedatha ezi-2 (ezinomklamo ofanayo), futhi sifuna ukusebenzisa ama-VLAN "anwetshiwe" phakathi kwezikhungo zedatha (isibonelo, i-vMotion), bese ukuxazulula inkinga yomzila, kufanele sisebenzise imizila yabasingathi. . Kodwa lokhu kusho ukuthi ezikhungweni zedatha ze-2 ngeke sibe nabasingathi abangaba ngaphezu kwe-4096 futhi, yiqiniso, lokhu kungase kungenele.

Isibonelo 2. I-ACL TCAM.

Uma uhlela ukuhlunga ithrafikhi ekushintsheni kwe-L3 (noma ezinye izixazululo ezisebenzisa ukushintshwa kwe-L3, isibonelo, i-Cisco ACI), lapho-ke ukhetha imishini kufanele unake i-TCAM ACL.

Ake sithi ufuna ukulawula ukufinyelela ku-SVI ye-Cisco Catalyst 4500. Bese, njengoba kungabonwa kusukela Lesi sihloko, ukuze ulawule ithrafikhi ephumayo (kanye nengenayo) kuma-interfaces, ungasebenzisa imigqa ye-TCAM engu-4096 kuphela. Okuthi uma usebenzisa i-TCAM3 izokunikeza cishe ama-ACE ayizinkulungwane ezingama-4000 (imigqa ye-ACL).

Uma ubhekene nenkinga ye-TCAM enganele, khona-ke, okokuqala, yiqiniso, udinga ukucabangela ukuthi kungenzeka yini ukwenza kahle. Ngakho-ke, uma kunenkinga ngosayizi weThebula Lokudlulisela, udinga ukucabangela ukuthi kungenzeka yini ukuhlanganisa imizila. Uma kunenkinga ngosayizi we-TCAM wokufinyelela, ukucwaningwa kwamabhuku okufinyelela, ukususa amarekhodi adlulelwe yisikhathi nadlulelanayo, futhi ngokunokwenzeka ubuyekeze inqubo yokuvula ukufinyelela (kuzoxoxwa ngokuningiliziwe esahlukweni sokufinyelela kokucwaninga).

Ukutholakala Okuphezulu

Umbuzo uwukuthi: ingabe kufanele ngisebenzise i-HA kuma-firewall noma ngifake amabhokisi amabili azimele “ngokufanayo” futhi, uma elinye lawo lehluleka, ngisebenzisa ithrafikhi yomzila ngeyesibili?

Kubonakala sengathi impendulo isobala - sebenzisa i-HA. Isizathu sokuthi kungani lo mbuzo usaphakama ukuthi, ngeshwa, ithiyori neyokukhangisa 99 kanye namaphesenti amadesimali amaningana okufinyeleleka ekusebenzeni avele akude kakhulu kangako. I-HA ngokunengqondo iyinto eyinkimbinkimbi, futhi kumishini ehlukene, futhi nabathengisi abahlukene (abekho okuhlukile), sibambe izinkinga nezimbungulu kanye nokuma kwesevisi.

Uma usebenzisa i-HA, uzoba nethuba lokuvala ama-node ngamanye, ushintshe phakathi kwabo ngaphandle kokumisa isevisi, okubalulekile, isibonelo, lapho wenza ukuthuthukiswa, kodwa ngesikhathi esifanayo unethuba elikude le-zero ukuthi ama-node womabili. izophuka ngesikhathi esifanayo, futhi nokuthi okulandelayo ukuthuthukiswa ngeke kuhambe kahle njengoba umthengisi ethembisa (le nkinga ingagwenywa uma unethuba lokuhlola ukuthuthukiswa kwemishini yaselabhorethri).

Uma ungasebenzisi i-HA, khona-ke ngokombono wokwehluleka kabili ubungozi bakho buphansi kakhulu (njengoba unezicishamlilo ezizimele ezi-2), kodwa kusukela... izikhathi azivumelaniswanga, ngakho-ke ngaso sonke isikhathi uma ushintsha phakathi kwalezi zibhulamlilo uzolahlekelwa yi-traffic. Yiqiniso, ungasebenzisa i-firewall engapheli, kodwa iphuzu lokusebenzisa i-firewall lilahleka kakhulu.

Ngakho-ke, uma ngenxa yocwaningomabhuku uthole i-firewall enesizungu, futhi ucabanga ngokwandisa ukuthembeka kwenethiwekhi yakho, khona-ke i-HA, yebo, ingenye yezixazululo ezinconyiwe, kodwa kufanele futhi ucabangele ukuntula okuhlobene. ngale ndlela futhi, mhlawumbe, ikakhulukazi inethiwekhi yakho, esinye isisombululo sizofaneleka kakhulu.

Ukuphatha

Empeleni, i-HA imayelana nokulawulwa. Esikhundleni sokumisa amabhokisi angu-2 ngokuhlukana nokubhekana nenkinga yokugcina ukulungiselelwa kuvumelana, uwaphatha njengokungathi unedivayisi eyodwa.

Kodwa mhlawumbe unezikhungo eziningi zedatha nama-firewall amaningi, khona-ke lo mbuzo uvela ezingeni elisha. Futhi umbuzo awukona nje mayelana nokucushwa, kodwa futhi mayelana

  • ukucupha isipele
  • izibuyekezo
  • ukuthuthukiswa
  • ukuqapha
  • ukugawula

Futhi konke lokhu kungaxazululwa yizinhlelo zokuphatha ezimaphakathi.

Ngakho-ke, isibonelo, uma usebenzisa i-Palo Alto firewalls, ke Uhlolojikelele yisixazululo esinjalo.

Ukuze uqhubeke.

Source: www.habr.com

Engeza amazwana