I-ProHoster > Блог > Ukuphatha > Ungayilawula kanjani ingqalasizinda yakho yenethiwekhi. Isahluko sesithathu. Ukuphepha kwenethiwekhi. Ingxenye yesithathu

Ungayilawula kanjani ingqalasizinda yakho yenethiwekhi. Isahluko sesithathu. Ukuphepha kwenethiwekhi. Ingxenye yesithathu

Lesi sihloko singesesihlanu ochungechungeni oluthi “Indlela Yokulawula Ingqalasizinda Yakho Yenethiwekhi.” Okuqukethwe kuzo zonke izihloko ochungechungeni nezixhumanisi zingatholakala lapha.

Le ngxenye izosebenza Ekhampasini (Ihhovisi) kanye namasegimenti e-VPN yokufinyelela kude.

Ungayilawula kanjani ingqalasizinda yakho yenethiwekhi. Isahluko sesithathu. Ukuphepha kwenethiwekhi. Ingxenye yesithathu

Idizayini yenethiwekhi yehhovisi ingase ibonakale ilula.

Ngempela, sithatha izishintshi ze-L2/L3 futhi sizixhume komunye nomunye. Okulandelayo, senza ukusetha okuyisisekelo kwama-villans namasango azenzakalelayo, simise umzila olula, sixhuma abalawuli be-WiFi, izindawo zokufinyelela, ukufaka nokulungisa i-ASA yokufinyelela kude, siyajabula ukuthi konke kusebenzile. Ngokuyisisekelo, njengoba ngike ngabhala kwenye yangaphambilini izihloko walo mjikelezo, cishe wonke umfundi oke wafunda (futhi wafunda) amasemester amabili esifundo se-telecom angaklama futhi alungise inethiwekhi yamahhovisi ukuze “ngandlela thize isebenze.”

Kodwa lapho ufunda okwengeziwe, lo msebenzi uqala ukubonakala ulula. Kimina uqobo, lesi sihloko, isihloko sokuklama inethiwekhi yehhovisi, asibonakali silula, futhi kulesi sihloko ngizozama ukuchaza ukuthi kungani.

Kafushane, kunezici ezimbalwa impela okufanele zicatshangelwe. Ngokuvamile lezi zici ziyangqubuzana futhi kufanele kufunwe ukuvumelana okunengqondo.
Lokhu kungaqiniseki kuwubunzima obukhulu. Ngakho-ke, sikhuluma ngokuphepha, sinonxantathu onama-vertices amathathu: ukuphepha, ukusebenziseka kalula kwabasebenzi, intengo yesixazululo.
Futhi ngaso sonke isikhathi kufanele ubheke ukuvumelana phakathi kwalaba abathathu.

bokwakha

Njengesibonelo sezakhiwo zalezi zingxenye ezimbili, njengakuzihloko ezedlule, ngincoma Cisco SAFE imodeli: Ikhampasi yebhizinisi, I-Enterprise Internet Edge.

Lawa ngamadokhumenti athi aphelelwe yisikhathi. Ngizethula lapha ngoba amasu ayisisekelo nendlela yokwenza akukashintshi, kodwa ngasikhathi sinye ngithanda isethulo ukwedlula amadokhumenti amasha.

Ngaphandle kokukukhuthaza ukuthi usebenzise izixazululo zeCisco, ngisacabanga ukuthi kuwusizo ukufunda ngokucophelela lo mklamo.

Lesi sihloko, njengenjwayelo, asizenzi ngandlela thize siphelele, kodwa sisengezo kulolu lwazi.

Ekupheleni kwe-athikili, sizohlaziya ukwakheka kwehhovisi le-Cisco SAFE ngokwemiqondo echazwe lapha.

Izimiso ezijwayelekile

Ukwakhiwa kwenethiwekhi yehhovisi kumele, vele, kwenelise izidingo ezijwayelekile osekuxoxwe ngazo lapha esahlukweni esithi “Imibandela yokuhlola ikhwalithi yokuklama”. Ngaphandle kwentengo nokuphepha, esihlose ukuxoxa ngakho kulesi sihloko, kusenemibandela emithathu okufanele siyicabangele lapho siklama (noma senza izinguquko):

  • scalability
  • ukusetshenziswa kalula (ukuphatha)
  • ukutholakala

Okuningi okwaxoxwa ngakho izikhungo zedatha Lokhu kuyiqiniso nasehhovisi.

Kodwa noma kunjalo, ingxenye yehhovisi inemininingwane yayo, ebucayi ngokombono wezokuphepha. Ingqikithi yalokhu kucaciswa ukuthi lesi sigaba senzelwe ukuhlinzeka ngezinsizakalo zenethiwekhi kubasebenzi (kanye nabalingani kanye nezivakashi) zenkampani, futhi, ngenxa yalokho, ezingeni eliphezulu lokucatshangelwa kwenkinga sinemisebenzi emibili:

  • vikela izinsiza zenkampani ezenzweni ezinonya ezingase zivele kubasebenzi (izivakashi, ozakwethu) naku-software abayisebenzisayo. Lokhu kubandakanya nokuvikelwa ekuxhumekeni okungagunyaziwe kunethiwekhi.
  • vikela amasistimu nedatha yomsebenzisi

Futhi lolu uhlangothi olulodwa kuphela lwenkinga (noma kunalokho, i-vertex eyodwa kanxantathu). Ngakolunye uhlangothi ukusebenziseka kalula kanye nentengo yezixazululo ezisetshenzisiwe.

Ake siqale ngokubheka lokho umsebenzisi akulindele kunethiwekhi yesimanje yamahhovisi.

Izinsiza

Nakhu ukuthi "izinsiza zenethiwekhi" zibukeka kanjani kumsebenzisi wehhovisi ngokubona kwami:

  • Ukuhamba
  • Ikhono lokusebenzisa uhla olugcwele lwamadivayisi ajwayelekile namasistimu okusebenza
  • Ukufinyelela kalula kuzo zonke izinsiza zenkampani ezidingekayo
  • Ukutholakala kwezinsiza ze-inthanethi, okuhlanganisa nezinsiza ezihlukahlukene zamafu
  • "Ukusebenza okusheshayo" kwenethiwekhi

Konke lokhu kusebenza kubo bobabili abasebenzi kanye nezivakashi (noma ozakwethu), futhi kuwumsebenzi wonjiniyela benkampani ukuhlukanisa ukufinyelela kwamaqembu ahlukene abasebenzisi ngokusekelwe ekugunyazweni.

Ake sibheke ngayinye yalezi zici ngokuningiliziwe okwengeziwe.

Ukuhamba

Sikhuluma ngethuba lokusebenza nokusebenzisa zonke izinsiza zenkampani ezidingekayo kusuka noma yikuphi emhlabeni (yebo, lapho i-intanethi itholakala khona).

Lokhu kusebenza ngokugcwele ehhovisi. Lokhu kulula uma unethuba lokuqhubeka nokusebenza kusuka noma yikuphi ehhovisi, isibonelo, ukuthola i-imeyili, ukuxhumana nesithunywa senkampani, kutholakale ikholi yevidiyo, ... Ngakho, lokhu kukuvumela, ngakolunye uhlangothi, ukuze uxazulule ezinye izinkinga zokuxhumana "bukhoma" (isibonelo, ukubamba iqhaza emibuthanweni), futhi ngakolunye uhlangothi, yiba ku-inthanethi ngaso sonke isikhathi, gcina umunwe wakho phezu kwenhliziyo futhi uxazulule ngokushesha eminye imisebenzi ephuthumayo ebaluleke kakhulu. Lokhu kulula kakhulu futhi kuthuthukisa ngempela ikhwalithi yokuxhumana.

Lokhu kufinyelelwa ngokuklama kwenethiwekhi ye-WiFi efanele.

Qaphela

Lapha umbuzo uvame ukuvela: ingabe kwanele ukusebenzisa i-WiFi kuphela? Ingabe lokhu kusho ukuthi ungayeka ukusebenzisa izimbobo ze-Ethernet ehhovisi? Uma sikhuluma kuphela ngabasebenzisi, hhayi ngamaseva, okusenengqondo ukuxhumana nechweba elivamile le-Ethernet, khona-ke ngokuvamile impendulo ithi: yebo, ungakwazi ukuzikhawulela ku-WiFi kuphela. Kodwa kukhona ama-nuances.

Kunamaqembu abasebenzisi abalulekile adinga indlela ehlukile. Yebo, laba bangabaphathi. Empeleni, uxhumano lwe-WiFi aluthembeki kancane (ngokuya kokulahleka kwethrafikhi) futhi luhamba kancane kunembobo ye-Ethernet evamile. Lokhu kungaba okubalulekile kubaphathi. Ngaphezu kwalokho, abaphathi benethiwekhi, ngokwesibonelo, bangakwazi, ngokuyisisekelo, babe nenethiwekhi yabo ye-Ethernet ezinikele ekuxhumekeni ngaphandle kwebhendi.

Kungase kube namanye amaqembu/iminyango enkampanini yakho lapho lezi zici nazo zibalulekile.

Kukhona elinye iphuzu elibalulekile - ucingo. Mhlawumbe ngesizathu esithile awufuni ukusebenzisa i-Wireless VoIP futhi ufuna ukusebenzisa amafoni we-IP anoxhumano oluvamile lwe-Ethernet.

Ngokuvamile, izinkampani engangizisebenzela ngokuvamile zazinakho kokubili ukuxhumana kwe-WiFi kanye nembobo ye-Ethernet.

Ngingathanda ukuhamba kungagcini nje ehhovisi.

Ukuqinisekisa ikhono lokusebenza usekhaya (noma iyiphi enye indawo ene-inthanethi efinyelelekayo), kusetshenziswa uxhumano lwe-VPN. Ngesikhathi esifanayo, kuyafiseleka ukuthi abasebenzi bangawuzwa umehluko phakathi kokusebenza ekhaya nomsebenzi okude, othatha ukufinyelela okufanayo. Sizoxoxa ngokuthi singakuhlela kanjani lokhu ngokuhamba kwesikhathi esahlukweni esithi “Ubunified centralized authentication system and authorisation system.”

Qaphela

Ngokunokwenzeka, ngeke ukwazi ukuhlinzeka ngokugcwele ngekhwalithi efanayo yezinsizakalo zomsebenzi okude onawo ehhovisi. Ake sicabange ukuthi usebenzisa i-Cisco ASA 5520 njengesango lakho le-VPN. Ngokusho ishidi le-data le divayisi iyakwazi "ukugaya" kuphela i-225 Mbit yethrafikhi ye-VPN. Okusho ukuthi, ngokwemibandela yomkhawulokudonsa, ukuxhuma nge-VPN kuhluke kakhulu ekusebenzeni ehhovisi. Futhi, uma, ngesizathu esithile, ukubambezeleka, ukulahlekelwa, i-jitter (isibonelo, ufuna ukusebenzisa i-office IP telephony) ezinsizeni zakho zenethiwekhi zibalulekile, ngeke futhi uthole ikhwalithi efanayo njengokuthi usehhovisi. Ngakho-ke, lapho sikhuluma ngokuhamba, kufanele siqaphele ukulinganiselwa okungenzeka.

Ukufinyelela kalula kuzo zonke izinsiza zenkampani

Lo msebenzi kufanele uxazululwe ngokuhlanganyela neminye iminyango yezobuchwepheshe.
Isimo esikahle yilapho umsebenzisi edinga ukufakazela ubuqiniso kanye kuphela, futhi ngemva kwalokho esekwazi ukufinyelela zonke izinsiza ezidingekayo.
Ukunikeza ukufinyelela okulula ngaphandle kokudela ukuphepha kungathuthukisa kakhulu umkhiqizo futhi kunciphise ingcindezi phakathi kosebenza nabo.

Amazwi 1

Ukufinyelela kalula akukhona nje ukuthi kufanele ufake kangaki iphasiwedi. Uma, ngokwesibonelo, ngokuhambisana nenqubomgomo yakho yokuphepha, ukuze uxhume usuka ehhovisi uye esikhungweni sedatha, kufanele uqale uxhume kusango le-VPN, futhi ngesikhathi esifanayo ulahlekelwa ukufinyelela ezinsizeni zehhovisi, khona-ke lokhu nakho kuhle kakhulu. , kuphazamiseke kakhulu.

Amazwi 2

Kukhona izinsiza (isibonelo, ukufinyelela emishinini yenethiwekhi) lapho sivame ukuba namaseva ethu e-AAA azinikele futhi lokhu kujwayelekile lapho kulokhu kufanele siqinisekise izikhathi ezimbalwa.

Ukutholakala kwezinsiza ze-inthanethi

I-inthanethi ayikona nje ukuzijabulisa, kodwa futhi isethi yezinsizakalo ezingaba usizo kakhulu emsebenzini. Kukhona futhi izici ezingokwengqondo kuphela. Umuntu wanamuhla uxhumeke nabanye abantu nge-inthanethi ngokusebenzisa izintambo eziningi ezibonakalayo, futhi, ngokubona kwami, akukho lutho olungalungile uma eqhubeka nokuzwa lokhu kuxhumana ngisho nalapho esebenza.

Ngokombono wokuchitha isikhathi, akukho lutho olungalungile uma isisebenzi, isibonelo, sine-Skype esebenzayo futhi sichitha imizuzu engu-5 ukuxhumana nomuntu othandekayo uma kunesidingo.

Ingabe lokhu kusho ukuthi i-inthanethi kufanele ihlale ikhona, ingabe lokhu kusho ukuthi abasebenzi bangakwazi ukufinyelela zonke izinsiza futhi bangazilawula nganoma iyiphi indlela?

Cha akusho lokho, kunjalo. Izinga lokuvuleka kwe-inthanethi lingahluka ezinkampanini ezahlukene - kusukela ekuvaleni okuphelele kuya ekuvulekeni okuphelele. Sizoxoxa ngezindlela zokulawula ithrafikhi kamuva ezigabeni ezimayelana nezinyathelo zokuphepha.

Ikhono lokusebenzisa uhla olugcwele lwamadivayisi ajwayelekile

Kuhle uma, ngokwesibonelo, unethuba lokuqhubeka nokusebenzisa zonke izindlela zokuxhumana ozijwayele emsebenzini. Abukho ubunzima ekusebenziseni lokhu ngokobuchwepheshe. Ukuze wenze lokhu udinga i-WiFi kanye ne-wilan yesivakashi.

Kuhle futhi uma unethuba lokusebenzisa isistimu yokusebenza oyijwayele. Kodwa, ngokubona kwami, lokhu kuvame ukuvunyelwa kuphela kubaphathi, abalawuli nabathuthukisi.

Isibonelo:

Yebo, ungakwazi ukulandela indlela yokwenqatshelwa, ukuvimbela ukufinyelela ukude, ukuvimbela ukuxhuma kumadivayisi eselula, ukhawule yonke into ekuxhumekeni kwe-Ethernet emile, ukhawule ukufinyelela ku-inthanethi, ushaqe omakhalekhukhwini namagajethi ngenkani endaweni yokuhlola... kanye nale ndlela. empeleni kulandelwa izinhlangano ezithile ezinezidingo ezengeziwe zokuphepha, futhi mhlawumbe kwezinye izimo lokhu kungase kuthethelelwe, kodwa... kumelwe uvume ukuthi lokhu kubukeka njengomzamo wokumisa intuthuko enhlanganweni eyodwa. Yiqiniso, ngingathanda ukuhlanganisa amathuba ubuchwepheshe besimanje obuhlinzeka ngezinga elanele lokuphepha.

"Ukusebenza okusheshayo" kwenethiwekhi

Isivinini sokudlulisa idatha ngokobuchwepheshe siqukethe izici eziningi. Futhi isivinini sembobo yakho yokuxhumana ngokuvamile akusona esibaluleke kakhulu. Ukusebenza okunensayo kohlelo lokusebenza akuhlali kuhlotshaniswa nezinkinga zenethiwekhi, kodwa okwamanje sinentshisekelo engxenyeni yenethiwekhi kuphela. Inkinga evame kakhulu ngenethiwekhi yendawo "yehlisa ijubane" ihlobene nokulahleka kwephakethe. Lokhu kuvame ukwenzeka lapho kune-bottleneck noma izinkinga ze-L1 (OSI). Akuvamile, ngemiklamo ethile (ngokwesibonelo, lapho ama-subnets akho enodonga lokuvikela njengesango elizenzakalelayo futhi ngaleyo ndlela yonke ithrafikhi idlula kuyo), ukusebenza kwezingxenyekazi zekhompuyutha kungase kungabikho.

Ngakho-ke, lapho ukhetha imishini kanye nezakhiwo, udinga ukuhlanganisa isivinini samachweba wokugcina, iziqu kanye nokusebenza kwemishini.

Isibonelo:

Ake sicabange ukuthi usebenzisa amaswishi anezimbobo zegigabit ezi-1 njengokushintshwa kwesendlalelo sokufinyelela. Axhunywe komunye nomunye nge-Etherchannel 2 x 10 gigabits. Njengesango elizenzakalelayo, usebenzisa i-firewall enezimbobo ze-gigabit, ukuxhuma ukuthi iyiphi kunethiwekhi yehhovisi le-L2 osebenzisa izimbobo ze-gigabit ezi-2 ezihlanganiswe ne-Etherchannel.

Lesi sakhiwo silula kakhulu ngokombono wokusebenza, ngoba ... Yonke i-traffic idlula ku-firewall, futhi ungakwazi ukuphatha izinqubomgomo zokufinyelela ngokunethezeka, futhi usebenzise ama-algorithms ayinkimbinkimbi ukuze ulawule ithrafikhi futhi uvimbele ukuhlaselwa okungase kube khona (bona ngezansi), kodwa ngombono wokusebenza nokusebenza lo mklamo, yiqiniso, unezinkinga ezingaba khona. Ngakho-ke, isibonelo, abasingathi abangu-2 abalanda idatha (ngejubane lechweba elingu-1 gigabit) bangalayisha ngokuphelele uxhumano lwamagigabhithi angu-2 ku-firewall, futhi ngaleyo ndlela kuholele ekulimaleni kwesevisi kuyo yonke ingxenye yehhovisi.

Sibheke i-vertex eyodwa kanxantathu, manje ake sibheke ukuthi singaqinisekisa kanjani ukuphepha.

Izindlela zokuzivikela

Ngakho-ke, vele, ngokuvamile isifiso sethu (noma kunalokho, isifiso sabaphathi bethu) ukufeza okungenakwenzeka, okungukuthi, ukuhlinzeka ngokukhululeka okukhulu ngokuphepha okuphezulu kanye nezindleko ezincane.

Ake sibheke ukuthi yiziphi izindlela esinazo zokunikeza isivikelo.

Ehhovisi, ngingagqamisa okulandelayo:

  • zero ukwethemba indlela design
  • izinga eliphezulu lokuvikela
  • ukubonakala kwenethiwekhi
  • uhlelo oluhlanganisiwe lokuqinisekisa kanye nokugunyazwa okumaphakathi
  • ukusingatha ukuhlola

Okulandelayo, sizogxila emininingwaneni eyengeziwe mayelana nalezi zici.

I-Zero Trust

Umhlaba we-IT ushintsha ngokushesha okukhulu. Kule minyaka eyi-10 edlule, ukuvela kobuchwepheshe obusha nemikhiqizo kuholele ekubuyekezweni okukhulu kwemiqondo yezokuphepha. Eminyakeni eyishumi edlule, ngokombono wezokuphepha, sahlukanisa inethiwekhi ezindaweni zokuthembana, i-dmz nezingathembeki, futhi sasebenzisa lokho okubizwa ngokuthi “ukuvikelwa kwepherimitha”, lapho kwakukhona imigqa yokuzivikela emi-2: ukungathembeki -> dmz kanye ne-dmz -> ukwethemba. Futhi, ukuvikela ngokuvamile bekunomkhawulo kuhlu lokufinyelela olususelwe kuzihloko ze-L3/L4 (OSI) (IP, izimbobo ze-TCP/UDP, amafulegi e-TCP). Yonke into ehlobene namaleveli aphezulu, okuhlanganisa i-L7, ishiywe ku-OS kanye nemikhiqizo yezokuphepha efakwe kubasingathi bokugcina.

Manje isimo sesishintshe kakhulu. Umqondo wesimanje zero trust livela eqinisweni lokuthi akusenakwenzeka ukucabangela izinhlelo zangaphakathi, okungukuthi, lezo ezitholakala ngaphakathi komngcele, njengoba zithenjwa, futhi umqondo we-perimeter ngokwawo usufiphele.
Ngaphezu uxhumano lwe-inthanethi siphinde sibe

  • ukufinyelela kude abasebenzisi be-VPN
  • amagajethi womuntu siqu ahlukahlukene, alethe amalaptop, axhunywe nge-WiFi yehhovisi
  • amanye amahhovisi (amagatsha).
  • ukuhlanganiswa nengqalasizinda yamafu

Ibukeka kanjani indlela yeZero Trust ekusebenzeni?

Ngokufanelekile, ithrafikhi edingekayo kuphela okufanele ivunyelwe futhi, uma sikhuluma ngokuhle, khona-ke ukulawula akufanele kube kuphela ezingeni le-L3/L4, kodwa ezingeni lesicelo.

Uma, ngokwesibonelo, unamandla okudlula yonke i-traffic ngokusebenzisa i-firewall, ungazama ukusondela kokuhle. Kodwa le ndlela inganciphisa kakhulu umkhawulokudonsa ophelele wenethiwekhi yakho, futhi ngaphandle kwalokho, ukuhlunga ngohlelo lokusebenza akusebenzi kahle ngaso sonke isikhathi.

Uma ulawula ithrafikhi kurutha noma iswishi ye-L3 (usebenzisa ama-ACL ajwayelekile), uhlangabezana nezinye izinkinga:

  • Lokhu ukuhlunga kwe-L3/L4 kuphela. Akukho lutho oluvimba umhlaseli ekusebenziseni izimbobo ezivunyelwe (isb i-TCP 80) ohlelweni lwakhe lokusebenza (hhayi i-http)
  • Ukuphathwa kwe-ACL okuyinkimbinkimbi (kunzima ukuhlukanisa ama-ACL)
  • Lena akuyona i-firewall eqinile, okusho ukuthi udinga ukuvumela ngokusobala ithrafikhi ehlehlayo
  • ngokushintsha ngokuvamile ukhawulelwa ngokuqinile ngosayizi we-TCAM, okungase kube inkinga ngokushesha uma uthatha indlela "yokuvumela kuphela okudingayo"

Qaphela

Uma sikhuluma ngethrafikhi ehlehlayo, kufanele sikhumbule ukuthi sinethuba elilandelayo (Cisco)

vumela i-tcp noma yikuphi okusunguliwe

Kodwa udinga ukuqonda ukuthi lo mugqa ulingana nemigqa emibili:
vumela i-tcp noma iyiphi i-ack
vumela i-tcp noma ikuphi

Okusho ukuthi noma ngabe ibingekho ingxenye yokuqala ye-TCP enefulegi le-SYN (okungukuthi, iseshini ye-TCP ayizange iqale ngisho nokusungulwa), le-ACL izovumela iphakethe elinefulegi le-ACK, umhlaseli angalisebenzisa ukuze adlulisele idatha.

Okusho ukuthi, lo mugqa awuguquli nakancane irutha yakho noma i-L3 switch ibe i-firewall eqinile.

Izinga eliphezulu lokuvikela

В isihloko Esigabeni sezikhungo zedatha, sicabangele izindlela zokuvikela ezilandelayo.

  • firewalling stateful (okuzenzakalelayo)
  • ukuvikelwa kwe-ddos/dos
  • uhlelo lokusebenza lwe-firewalling
  • ukuvimbela usongo (i-antivirus, i-anti-spyware, nokuba sengozini)
  • Ukuhlunga i-URL
  • ukuhlunga idatha (ukuhlunga okuqukethwe)
  • ukuvimbela ifayela (ukuvimbela izinhlobo zamafayela)

Endabeni yehhovisi, isimo siyefana, kodwa izinto ezibalulekile zihluke kancane. Ukutholakala kwehhovisi (ukutholakala) ngokuvamile akubalulekile njengasendaweni yesikhungo sedatha, kuyilapho amathuba ethrafikhi enonya “yangaphakathi” ama-oda obukhulu obuphezulu.
Ngakho-ke, izindlela zokuvikela ezilandelayo zalesi sigaba ziba bucayi:

  • uhlelo lokusebenza lwe-firewalling
  • ukuvimbela usongo (anti-virus, anti-spyware, nokuba sengozini)
  • Ukuhlunga i-URL
  • ukuhlunga idatha (ukuhlunga okuqukethwe)
  • ukuvimbela ifayela (ukuvimbela izinhlobo zamafayela)

Nakuba zonke lezi zindlela zokuvikela, ngaphandle kwe-firewalling yohlelo lokusebenza, bezilokhu zixazululwa futhi ziyaqhubeka nokuxazululwa ekugcineni (isibonelo, ngokufaka izinhlelo zokulwa namagciwane) nokusebenzisa ama-proxi, ama-NGFW anamuhla nawo ahlinzeka ngalezi zinsizakalo.

Abathengisi bezinto zokuphepha balwela ukudala ukuvikeleka okuphelele, ngakho kanye nokuvikelwa kwasendaweni, banikela ngobuchwepheshe obuhlukahlukene bamafu kanye nesoftware yamakhasimende kubasingathi (ukuvikelwa kwendawo yokugcina/i-EPP). Ngakho, isibonelo, kusukela 2018 Gartner Magic Quadrant Siyabona ukuthi uPalo Alto noCisco banama-EPP abo (PA: Traps, Cisco: AMP), kodwa bakude nabaholi.

Ukunika amandla lokhu kuvikela (imvamisa ngokuthenga amalayisensi) ku-firewall yakho akuphoqelekile (ungahamba ngendlela evamile), kodwa kunikeza izinzuzo ezithile:

  • kulokhu, kunephuzu elilodwa lokusetshenziswa kwezindlela zokuvikela, okuthuthukisa ukubonakala (bona isihloko esilandelayo).
  • Uma kunedivayisi engavikelekile kunethiwekhi yakho, isawela ngaphansi “kwesambulela” sokuvikela ngohlelo lokuvikela.
  • Ngokusebenzisa ukuvikela ngohlelo lokuvikela ngokuhambisana nokuvikela kosokhaya, sandisa amathuba okuthola ithrafikhi enonya. Isibonelo, ukusebenzisa ukuvimbela usongo kubasingathi basendaweni naku-firewall kukhulisa amathuba okutholwa (inqobo nje uma lezi zixazululo zisekelwe emikhiqizweni ehlukene yesofthiwe)

Qaphela

Uma, isibonelo, usebenzisa i-Kaspersky njenge-antivirus kokubili ku-firewall nakuma-host hosts, khona-ke lokhu, ngokuqinisekile, ngeke kwandise kakhulu amathuba akho okuvimbela ukuhlasela kwegciwane kunethiwekhi yakho.

Ukubonakala kwenethiwekhi

Umbono oyinhloko ilula - “bona” ukuthi kwenzekani kunethiwekhi yakho, ngesikhathi sangempela nedatha yomlando.

Ngingahlukanisa lo “mbono” ube ngamaqembu amabili:

Iqembu lokuqala: lokho isistimu yakho yokuqapha ngokuvamile ikuhlinzeka ngakho.

  • ukulayishwa kwemishini
  • ukulayisha amashaneli
  • ukusetshenziswa kwenkumbulo
  • ukusetshenziswa kwediski
  • ukushintsha itafula lomzila
  • isimo sesixhumanisi
  • ukutholakala kwezinto zokusebenza (noma abasingathi)
  • ...

Iqembu lesibili: ulwazi oluhlobene nokuphepha.

  • izinhlobo ezahlukahlukene zezibalo (isibonelo, ngohlelo lokusebenza, ngethrafikhi ye-URL, yiziphi izinhlobo zedatha ezilandiwe, idatha yomsebenzisi)
  • yini eyayivinjwe izinqubomgomo zokuphepha futhi ngasiphi isizathu, okungukuthi
    • isicelo esinqatshelwe
    • kunqatshelwe ngokusekelwe ku-ip/protocol/port/flags/zones
    • ukuvimbela usongo
    • ukuhlunga kwe-url
    • ukuhlunga idatha
    • ukuvinjwa kwefayela
    • ...
  • izibalo zokuhlaselwa kwe-DOS/DDOS
  • yehlulekile ukuhlonza kanye nemizamo yokugunyaza
  • izibalo zayo yonke imicimbi yokwephulwa kwenqubomgomo yezokuphepha engenhla
  • ...

Kulesi sahluko sokuphepha, sinentshisekelo engxenyeni yesibili.

Ezinye izindonga zomlilo zanamuhla (kusukela kokuhlangenwe nakho kwami ​​kwe-Palo Alto) zinikeza izinga elihle lokubonakala. Kodwa-ke, ithrafikhi onentshisekelo kukho kufanele idlule kulolu hlelo lokuvikela (lapho unamandla okuvimba ithrafikhi) noma ufakwe esibukweni ku-firewall (esetshenziselwa ukuqapha nokuhlaziya kuphela), futhi kufanele ube namalayisense ukuze unike amandla konke. lezi zinsizakalo.

Kukhona, yiqiniso, enye indlela, noma kunalokho indlela yendabuko, isibonelo,

  • Izibalo zeseshini zingaqoqwa nge-netflow bese kusetshenziswa izinsiza ezikhethekile zokuhlaziya ulwazi nokuboniswa kwedatha
  • ukuvimbela usongo - izinhlelo ezikhethekile (anti-virus, anti-spyware, firewall) kuma-host host
  • Ukuhlunga kwe-URL, ukuhlunga idatha, ukuvinjwa kwamafayela – kummeleli
  • kungenzeka futhi ukuhlaziya i-tcpdump usebenzisa isb. thimula

Ungakwazi ukuhlanganisa lezi zindlela ezimbili, ugcwalise izici ezingekho noma uziphindaphinde ukuze ukwandise amathuba okuthola ukuhlaselwa.

Iyiphi indlela okufanele ukhethe?
Kuncike kakhulu ezifundweni nasekukhethweni kweqembu lakho.
Kokubili kukhona okuhle nokubi.

Uhlelo oluhlanganisiwe lokufakazela ubuqiniso nendawo yokugunyaza

Uma kuklanywe kahle, ukuhamba esixoxile ngakho kulesi sihloko kuthatha ukuthi unokufinyelela okufanayo kungakhathaliseki ukuthi usebenza ehhovisi noma ekhaya, kusukela esikhumulweni sezindiza, kusuka esitolo sekhofi nanoma yikuphi kwenye indawo (kanye nemikhawulo esixoxe ngayo ngenhla). Kubukeka sengathi, yini inkinga?
Ukuze siqonde kangcono inkimbinkimbi yalo msebenzi, ake sibheke umklamo ojwayelekile.

Isibonelo:

  • Uhlukanise bonke abasebenzi ngamaqembu. Unqume ukunikeza ukufinyelela ngamaqembu
  • Ngaphakathi kwehhovisi, ulawula ukungena ku-firewall yehhovisi
  • Ulawula ithrafikhi esuka ehhovisi eya esikhungweni sedatha ku-firewall yesikhungo sedatha
  • Usebenzisa i-Cisco ASA njengesango le-VPN futhi ukuze ulawule ithrafikhi engena kunethiwekhi yakho ivela kumakhasimende akude, usebenzisa ama-ACL asendaweni (kuma-ASA)

Manje, ake sithi ucelwa ukuthi wengeze ukufinyelela okwengeziwe esisebenzini esithile. Kulesi simo, ucelwa ukuthi ungeze ukufinyelela kuye kuphela futhi akekho omunye eqenjini lakhe.

Kulokhu kufanele sakhe iqembu elihlukile lalesi sisebenzi, okungukuthi

  • dala i-IP pool ehlukile ku-ASA yalesi sisebenzi
  • engeza i-ACL entsha ku-ASA futhi uyibophe kulelo klayenti elikude
  • dala izinqubomgomo zokuphepha ezintsha kuma-firewall ehhovisi nesikhungo sedatha

Kuhle uma lo mcimbi uyivelakancane. Kodwa ekusebenzeni kwami ​​kwakukhona isimo lapho abasebenzi bebambe iqhaza kumaphrojekthi ahlukene, futhi leli sethi lamaphrojekthi abanye babo bashintsha kaningi, futhi kwakungewona abantu abangu-1-2, kodwa inqwaba. Yebo, kwakukhona okwakudingeka kushintshwe lapha.

Lokhu kwaxazululwa ngendlela elandelayo.

Sinqume ukuthi i-LDAP kuzoba ukuphela komthombo weqiniso onquma konke okungafinyelelwa yizisebenzi. Sidale zonke izinhlobo zamaqembu achaza amasethi okufinyelela, futhi sabela umsebenzisi ngamunye eqenjini elilodwa noma amaningi.

Ngakho-ke, isibonelo, ake sithi bekunamaqembu

  • isivakashi (ukufinyelela i-inthanethi)
  • ukufinyelela okujwayelekile (ukufinyelela ezinsizeni ezabiwe: imeyili, isisekelo solwazi, ...)
  • accounting
  • iphrojekthi 1
  • iphrojekthi 2
  • umlawuli wesizinda sedatha
  • umqondisi we-linux
  • ...

Futhi uma omunye wabasebenzi ehileleke kuzo zombili iphrojekthi 1 kanye nephrojekthi 2, futhi wayedinga ukufinyelela okudingekayo ukuze asebenze kulawa maphrojekthi, lesi sisebenzi sabelwa amaqembu alandelayo:

  • isivakashi
  • ukufinyelela okuvamile
  • iphrojekthi 1
  • iphrojekthi 2

Manje singaluguqula kanjani lolu lwazi lube ukufinyelela ezintweni zenethiwekhi?

I-Cisco ASA Dynamic Access Policy (DAP) (bona www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html) isixazululo silungele lo msebenzi.

Kafushane mayelana nokuqaliswa kwethu, phakathi nenqubo yokuhlonza/yokugunyaza, i-ASA ithola ku-LDAP iqoqo lamaqembu elihambisana nomsebenzisi othile futhi "iqoqa" kuma-ACL endawo amaningana (ngalinye lawo elihambisana neqembu) i-ACL enamandla enakho konke ukufinyelela okudingekayo. , evumelana ngokugcwele nezifiso zethu.

Kepha lokhu kungokuxhumana kwe-VPN kuphela. Ukwenza isimo sifane kubo bobabili abasebenzi abaxhunywe nge-VPN nalabo abasehhovisi, isinyathelo esilandelayo sithathwe.

Lapho bexhuma besuka ehhovisi, abasebenzisi abasebenzisa iphrothokholi ye-802.1x bagcina sebeyi-LAN yesivakashi (yezivakashi) noma i-LAN eyabelwe (yabasebenzi benkampani). Ngaphezu kwalokho, ukuze bathole ukufinyelela okuqondile (isibonelo, kumaphrojekthi esikhungweni sedatha), abasebenzi kwadingeka baxhume nge-VPN.

Ukuze kuxhunywe ehhovisi kanye nasekhaya, amaqembu emhubhe ahlukene asetshenziswa ku-ASA. Lokhu kuyadingeka ukuze labo abaxhuma kusuka ehhovisi, ithrafikhi eya ezinsizeni ezabiwe (esetshenziswa yibo bonke abasebenzi, njengeposi, amaseva wefayela, uhlelo lwamathikithi, i-dns, ...) ingadluli ku-ASA, kodwa ngenethiwekhi yendawo. . Ngakho-ke, asizange silayishe i-ASA ngethrafikhi engadingekile, kuhlanganise nethrafikhi ephezulu.

Ngakho, inkinga yaxazululeka.
Sithole

  • isethi efanayo yokufinyelela kukho kokubili ukuxhumana okuvela ehhovisi nokuxhumana okukude
  • ukungabi bikho kokwehliswa kwesevisi lapho usebenza ehhovisi elihlobene nokudluliswa kwethrafikhi ephezulu nge-ASA

Yiziphi ezinye izinzuzo zale ndlela?
Ekulawuleni ukufinyelela. Ukufinyelela kungashintshwa kalula endaweni eyodwa.
Isibonelo, uma isisebenzi sishiya inkampani, khona-ke umane simkhipha ku-LDAP, futhi ngokuzenzakalelayo silahlekelwa ukufinyelela.

Umsingathi uyahlola

Ngokunokwenzeka koxhumano olukude, sizifaka engcupheni yokungavumeli isisebenzi senkampani ukuthi singene kunethiwekhi kuphela, kodwa futhi nawo wonke ama-software anonya okungenzeka akhona kukhompyutha yakhe (isibonelo, ekhaya), futhi ngaphezu kwalokho, ngokusebenzisa le software kungenzeka ukuthi inikeza ukufinyelela kunethiwekhi yethu kumhlaseli osebenzisa lo msingathi njengommeleli.

Kunengqondo ngomsingathi oxhumeke ukude ukuthi asebenzise izimfuneko zokuphepha ezifanayo njengomsingathi ongaphakathi ehhovisi.

Lokhu kuphinda kuthathe inguqulo "elungile" ye-OS, isivikeli magciwane, isinqamuleli se-spyware, nesofthiwe yohlelo lokuvikela nezibuyekezo. Imvamisa, leli khono likhona esangweni le-VPN (ye-ASA bona, isibonelo, lapha).

Kuwukuhlakanipha futhi ukusebenzisa ukuhlaziya okufanayo kwethrafikhi kanye nezindlela zokuvimba (bona “Izinga eliphezulu lokuvikela”) lezo inqubomgomo yakho yokuphepha esebenza kuthrafikhi yasehhovisi.

Kunengqondo ukucabanga ukuthi inethiwekhi yehhovisi lakho ayisakhawulelwe esakhiweni samahhovisi kanye nabasingathi abangaphakathi kuso.

Isibonelo:

Isu elihle ukuhlinzeka umsebenzi ngamunye odinga ukufinyelela kude ngekhompuyutha ephathekayo enhle, elula futhi edinga ukuthi basebenze, kokubili ehhovisi nasekhaya, ukusuka kuyo kuphela.

Akugcini nje ngokuthuthukisa ukuphepha kwenethiwekhi yakho, kodwa futhi kulula ngempela futhi kuvame ukubukwa kahle ngabasebenzi (uma kuyikhompyutha ephathekayo enhle ngempela, esebenziseka kalula).

Mayelana nomuzwa wokulinganisa nokulinganisa

Ngokuyisisekelo, lena ingxoxo mayelana ne-vertex yesithathu kanxantathu wethu - mayelana nenani.
Ake sibheke isibonelo esicatshangelwayo.

Isibonelo:

Unehhovisi labantu abangu-200. Unqume ukukwenza kube lula futhi kuphephe ngangokunokwenzeka.

Ngakho-ke, unqume ukudlula yonke ithrafikhi ku-firewall futhi ngenxa yalokho kuwo wonke ama-subnets ehhovisi i-firewall iyisango elizenzakalelayo. Ngaphezu kwesofthiwe yezokuphepha efakwe kumsingathi ngamunye wokugcina (i-anti-virus, i-anti-spyware, nesofthiwe yohlelo lokuvikela), uphinde wanquma ukusebenzisa zonke izindlela zokuvikela okungenzeka ku-firewall.

Ukuze uqinisekise isivinini esikhulu sokuxhuma (konke ukuze kube lula), ukhethe amaswishi anezimbobo zokufinyelela ze-Gigabit eziyi-10 njengamaswishi okufinyelela, nezicishamlilo ze-NGFW ezisebenza kahle njengezicishamlilo, isibonelo, uchungechunge lwe-Palo Alto 7K (enezimbobo ze-Gigabit ezingu-40), ngokwemvelo enawo wonke amalayisensi. kufakiwe futhi, ngokwemvelo, ipheya Yokutholakala Okuphezulu.

Futhi, kunjalo, ukuze sisebenze nalo mugqa wezinto zokusebenza sidinga okungenani onjiniyela abambalwa bezokuphepha abaqeqesheke kakhulu.

Okulandelayo, unqume ukunikeza isisebenzi ngasinye ikhompuyutha ephathekayo ekahle.

Ingqikithi, cishe izigidi eziyishumi zamaRandi zokuqaliswa, amakhulu ezinkulungwane zamaRandi (ngicabanga ukuthi iseduze nesigidi) ukuze uthole ukwesekwa konyaka kanye namaholo onjiniyela.

Ihhovisi, abantu abangama-200...
Ukhululekile? Ngicabanga ukuthi yebo.

Uza nalesi siphakamiso kubaphathi bakho...
Mhlawumbe kunezinkampani eziningi emhlabeni okuyisixazululo esamukelekayo nesilungile sazo. Uma uyisisebenzi sale nkampani, ngiyakuhalalisela, kodwa ezikhathini eziningi, nginesiqiniseko sokuthi ulwazi lwakho ngeke luthokozelwe ngabaphathi.

Ingabe lesi sibonelo sinehaba? Isahluko esilandelayo sizophendula lo mbuzo.

Uma kunethiwekhi yakho ungaboni noma yikuphi kwalokhu okungenhla, khona-ke lokhu kuyinto evamile.
Esimeni ngasinye, udinga ukuthola ukuvumelana kwakho okunengqondo phakathi kokunethezeka, intengo nokuphepha. Ngokuvamile awudingi ngisho ne-NGFW ehhovisi lakho, futhi ukuvikelwa kwe-L7 ku-firewall akudingeki. Kwanele ukunikeza izinga elihle lokubonakala nezixwayiso, futhi lokhu kungenziwa ngokusebenzisa imikhiqizo yomthombo ovulekile, isibonelo. Yebo, ukusabela kwakho ekuhlaselweni ngeke kube ngokushesha, kodwa into eyinhloko ukuthi uzoyibona, futhi ngezinqubo ezifanele ezikhona emnyangweni wakho, uzokwazi ukuyiqeda ngokushesha.

Futhi ake ngikukhumbuze ukuthi, ngokomqondo walolu chungechunge lwezihloko, awuklami inethiwekhi, uzama nje ukuthuthukisa lokho onakho.

Ukuhlaziywa okuphephile kwezakhiwo zehhovisi

Naka lesi sikwele esibomvu engabele ngaso indawo kumdwebo osuka kuso I-SAFE Secure Campus Architecture Guideengingathanda ukuxoxa ngayo lapha.

Ungayilawula kanjani ingqalasizinda yakho yenethiwekhi. Isahluko sesithathu. Ukuphepha kwenethiwekhi. Ingxenye yesithathu

Lena enye yezindawo ezibalulekile zokwakhiwa kwezakhiwo futhi enye yezinto ezibaluleke kakhulu ukungaqiniseki.

Qaphela

Angikaze ngisethe noma ngisebenze nge-FirePower (kusukela kulayini wokuvikela umlilo we-Cisco - kuphela i-ASA), ngakho-ke ngizoyiphatha njenganoma iyiphi enye i-firewall, njengeJuniper SRX noma i-Palo Alto, ngicabanga ukuthi inamandla afanayo.

Emiklamo evamile, ngibona izinketho ezi-4 kuphela zokusebenzisa i-firewall ngalolu xhumo:

  • isango elizenzakalelayo le-subnet ngayinye liwukushintsha, kuyilapho i-firewall ikumodi esobala (okungukuthi, yonke ithrafikhi idlula kuyo, kodwa ayenzi i-L3 hop)
  • isango elizenzakalelayo le-subnet ngayinye yi-firewall sub-interfaces (noma i-SVI ​​interface), isishintshi sidlala indima ye-L2.
  • ama-VRF ahlukene asetshenziswa ekushintsheni, futhi ithrafikhi phakathi kwama-VRF idlula ku-firewall, ithrafikhi ngaphakathi kwe-VRF eyodwa ilawulwa yi-ACL emshinini.
  • yonke ithrafikhi iboniswa ku-firewall ukuze ihlaziywe futhi iqashwe; ithrafikhi ayidluli kuyo

Amazwi 1

Inhlanganisela yalezi zinketho zingenzeka, kodwa ukuze kube lula ngeke sizicabangele.

Qaphela2

Kukhona futhi ithuba lokusebenzisa i-PBR (i-architecture ye-service chain), kodwa okwamanje lokhu, nakuba isisombululo esihle ngokubona kwami, siyinto engavamile, ngakho-ke angikucabangi lapha.

Kusukela encazelweni yokugeleza kudokhumenti, sibona ukuthi ithrafikhi isadlula ku-firewall, okungukuthi, ngokuhambisana nomklamo weCisco, inketho yesine isusiwe.

Ake sibheke izindlela ezimbili zokuqala kuqala.
Ngalezi zinketho, yonke ithrafikhi idlula ku-firewall.

Manje ake sibheke ishidi le-data, bheka Cisco GPL futhi siyabona ukuthi uma sifuna umkhawulokudonsa ophelele wehhovisi lethu okungenani ube cishe amagigabhithi ayi-10 - 20, kufanele sithenge inguqulo ye-4K.

Qaphela

Uma ngikhuluma ngomkhawulokudonsa ophelele, ngiqonde ithrafikhi phakathi kwama-subnets (hhayi ngaphakathi kwe-villana eyodwa).

Kusuka ku-GPL sibona ukuthi ku-HA Bundle with Threat Defense, intengo kuye ngemodeli (4110 - 4150) iyahlukahluka kusuka ku- ~ 0,5 - 2,5 million dollar.

Okusho ukuthi, umklamo wethu uqala ukufana nesibonelo sangaphambilini.

Ingabe lokhu kusho ukuthi lo mklamo awulungile?
Cha, lokho akusho. I-Cisco ikunikeza ukuvikeleka okungcono kakhulu okusekelwe emugqeni womkhiqizo enawo. Kodwa lokho akusho ukuthi kumelwe ukwenzele wena.

Empeleni, lona umbuzo ovamile ophakamayo lapho uklama ihhovisi noma isikhungo sedatha, futhi kusho kuphela ukuthi kufanele kufunwe ukuvumelana.

Isibonelo, ungavumeli wonke amathrafikhi adlule ku-firewall, lapho inketho yesi-3 ibonakala iyinhle kimi, noma (bona isigaba sangaphambilini) mhlawumbe awudingi i-Treat Defense noma awudingi i-firewall nhlobo kulokho. ingxenye yenethiwekhi, futhi udinga nje ukuzikhawulela ekuqapheni okwenziwayo usebenzisa okukhokhelwayo (okungabizi) noma izixazululo zomthombo ovulekile, noma udinga i-firewall, kodwa evela kumthengisi ohlukile.

Ngokuvamile kuhlale kukhona lokhu kungaqiniseki futhi ayikho impendulo ecacile yokuthi yisiphi isinqumo esingcono kakhulu kuwe.
Lokhu kuyinkimbinkimbi nobuhle balo msebenzi.

Source: www.habr.com

Engeza amazwana