I-ProHoster > Блог > Ukuphatha > I-Palo Alto Networks NGFW Security Policy Optimizer

I-Palo Alto Networks NGFW Security Policy Optimizer

Indlela Yokuhlola Ukusebenza Kokusethwa kwe-NGFW

Umsebenzi ovame kakhulu ukuhlola ukuthi i-firewall yakho imiswe ngempumelelo kangakanani. Ukwenza lokhu, kunezinsiza zamahhala kanye nezinsizakalo ezivela ezinkampanini ezisebenzelana ne-NGFW.

Isibonelo, ungabona ngezansi ukuthi i-Palo Alto Networks inamandla okusuka ngqo ingosi yokusekela sebenzisa ukuhlaziya izibalo ze-firewall - umbiko we-SLR noma ukuhlaziya ukuhambisana nezinqubo ezihamba phambili - umbiko we-BPA. Lezi yizinsiza zamahhala ze-inthanethi ongazisebenzisa ngaphandle kokufaka noma yini.
I-Palo Alto Networks NGFW Security Policy Optimizer

OKUQUKETHWE

I-Expedition (Ithuluzi Lokuthutha)
Isilungisi Senqubomgomo
I-Zero Trust
Chofoza Okungasetshenzisiwe
Chofoza kuhlelo lokusebenza olungasetshenzisiwe
Chofoza Azikho Izinhlelo Zokusebenza Ezicacisiwe
Kuthiwani Ngokufunda Ngomshini?
UTD

I-Expedition (Ithuluzi Lokuthutha)

I-Palo Alto Networks NGFW Security Policy Optimizer

Inketho eyinkimbinkimbi kakhulu yokuhlola izilungiselelo zakho ukulanda insiza yamahhala I-Expedition (okwakuyithuluzi lokufuduka phambilini). Ilandwa njenge-Virtual Appliance ye-VMware, azikho izilungiselelo ezidingekayo ngayo - udinga ukulanda isithombe futhi usifake ngaphansi kwe-VMware hypervisor, uyethule futhi uye esibonakalayo sewebhu. Lolu hlelo lokusebenza ludinga indaba ehlukile, isifundo esikuso kuphela esithatha izinsuku ezingu-5, kunemisebenzi eminingi kakhulu manje, ehlanganisa Ukufunda Ngomshini nokuthuthwa kokucushwa okuhlukahlukene kwezinqubomgomo, i-NAT nezinto zabakhiqizi abahlukene be-Firewall. Ngizobhala okwengeziwe mayelana Nokufunda Ngomshini ngezansi embhalweni.

Isilungisi Senqubomgomo

Futhi inketho elula kakhulu (i-IMHO), engizokutshela ngayo ngokuningiliziwe namuhla, i-optimizer yenqubomgomo eyakhelwe kusixhumi esibonakalayo sePalo Alto Networks uqobo. Ukuyibonisa, ngafaka i-firewall ekhaya futhi ngabhala umthetho olula: vumela noma yikuphi kunoma yimuphi. Empeleni, ngezinye izikhathi ngibona imithetho enjalo ngisho nakumanethiwekhi ezinkampani. Ngokwemvelo, nginike amandla wonke amaphrofayili wokuphepha we-NGFW, njengoba ubona esithombeni-skrini:
I-Palo Alto Networks NGFW Security Policy Optimizer

Isithombe-skrini esingezansi sibonisa isibonelo sohlelo lokuvikela olungalungisiwe lwasekhaya, lapho cishe konke ukuxhumeka kuwela emthethweni wokugcina: AllowAll, njengoba kungabonwa kwizibalo kukholomu ethi Hit Count.
I-Palo Alto Networks NGFW Security Policy Optimizer

I-Zero Trust

Kukhona indlela yokuphepha ebizwa I-Zero Trust. Kusho ukuthini lokhu: kufanele sivumele abantu abangaphakathi kwenethiwekhi ngqo lokho kuxhumana abakudingayo futhi siphike konke okunye. Okusho ukuthi, sidinga ukwengeza imithetho ecacile yezinhlelo zokusebenza, abasebenzisi, izigaba ze-URL, izinhlobo zamafayela; nika amandla wonke amasiginesha e-IPS nama-antivirus, nika amandla i-sandboxing, ukuvikelwa kwe-DNS, sebenzisa i-IoC kusuka kuzingosi zolwazi ezitholakalayo ze-Treat Intelligence. Ngokuvamile, kunenombolo ehloniphekile yemisebenzi lapho usetha i-firewall.

Ngendlela, isethi encane yezilungiselelo ezidingekayo ze-Palo Alto Networks NGFW ichazwe kwenye yemibhalo ye-SANS: I-Palo Alto Networks Security Configuration Benchmark - Ngincoma ukuqala ngayo. Futhi-ke, kunesethi yemikhuba engcono kakhulu yokusetha i-firewall evela kumkhiqizi: Umkhuba Ohamba phambili.

Ngakho, ngaba ne-firewall ekhaya isonto lonke. Ake sibone ukuthi hlobo luni lwethrafikhi ekhona kunethiwekhi yami:
I-Palo Alto Networks NGFW Security Policy Optimizer

Uma uhlela ngenani lamaseshini, iningi lawo lidalwa yi-bittorrent, bese kuza i-SSL, bese kuba QUIC. Lezi izibalo zakho kokubili ithrafikhi engenayo nephumayo: kunenqwaba yokuskena kwangaphandle kwerutha yami. Kunezinhlelo zokusebenza ezihlukene eziyi-150 kunethiwekhi yami.

Ngakho, konke lokhu kweqiwa umthetho owodwa. Manje ake sibone ukuthi i-Policy Optimizer ithini ngalokhu. Uma ubheke ngenhla isithombe-skrini se-interface esinemithetho yezokuphepha, ngezansi kwesokunxele ubone iwindi elincane elingibonisa ukuthi kunemithetho engathuthukiswa. Asichofoze lapho.

Lokho okubonisa i-Policy Optimizer:

  • Yiziphi izinqubomgomo ezingazange zisetshenziswe nhlobo, izinsuku ezingu-30, izinsuku ezingu-90. Lokhu kusiza ukwenza isinqumo sokuwasusa ngokuphelele.
  • Yiziphi izinhlelo zokusebenza ezicaciswe kuzinqubomgomo, kodwa azikho izicelo ezinjalo ezitholakele kuthrafikhi. Lokhu kukuvumela ukuthi ususe izinhlelo zokusebenza ezingadingekile ekuvumeleni imithetho.
  • Yiziphi izinqubomgomo ezivumela yonke into, kodwa empeleni bekunezinhlelo zokusebenza ebezingaba kuhle ukukhombisa ngokusobala ngokwendlela yokusebenza ye-Zero Trust.

I-Palo Alto Networks NGFW Security Policy Optimizer

Masichofoze Okungasetshenzisiwe.

Ukukhombisa ukuthi isebenza kanjani, ngengeze imithetho embalwa futhi kuze kube manje abakaze baphuthelwe nephakethe elilodwa namuhla. Nalu uhlu lwabo:
I-Palo Alto Networks NGFW Security Policy Optimizer
Mhlawumbe ngokuhamba kwesikhathi kuzoba nesiminyaminya lapho bese benyamalala kulolu hlu. Futhi uma zikulolu hlu izinsuku ezingu-90, unganquma ukususa le mithetho. Ngemuva kwakho konke, yonke imithetho inikeza ithuba ku-hacker.

Kunenkinga yangempela lapho kulungiswa i-firewall: isisebenzi esisha sifika, sibheka imithetho ye-firewall, uma bengenakho ukuphawula futhi engazi ukuthi kungani lo mthetho wadalwa, ukuthi uyadingeka ngempela, noma ngabe zisuswe: kungazelelwe umuntu useholidini futhi ngemva Phakathi kwezinsuku ezingu-30, ithrafikhi izophinde igeleze isuka enkonzweni ayidingayo. Futhi lo msebenzi uyamsiza ukuthi enze isinqumo - akekho osisebenzisayo - susa!

Chofoza kuhlelo lokusebenza olungasetshenzisiwe.

Sichofoza Uhlelo Lokusebenza Olungasetshenzisiwe ku-optimizer futhi sibone ukuthi imininingwane ethokozisayo ivuleka efasiteleni elikhulu.

Siyabona ukuthi kunemithetho emithathu, lapho inani lezicelo ezivunyelwe kanye nenani lezicelo eziphase ngempela lo mthetho zihlukile.
I-Palo Alto Networks NGFW Security Policy Optimizer
Singachofoza futhi sibone uhlu lwalezi zinhlelo zokusebenza futhi siqhathanise lolu hlu.
Isibonelo, chofoza inkinobho ethi Qhathanisa ukuze uthole umthetho omkhulu.
I-Palo Alto Networks NGFW Security Policy Optimizer
Lapha ungabona ukuthi izinhlelo zokusebenza ze-facebook, i-instagram, i-telegram, i-vkontakte zivunyelwe. Kodwa empeleni, ithrafikhi yaya kwezinye zezinhlelo zokusebenza ezingaphansi. Lapha udinga ukuqonda ukuthi isicelo facebook iqukethe sub-applications eziningana.

Lonke uhlu lwezinhlelo zokusebenza ze-NGFW lungabonakala kuphothali applipedia.paloaltonnetworks.com naku-firewall interface ngokwayo, ku-Objects->Izinhlelo zokusebenza futhi ekusesheni, bhala igama lesicelo: facebook, uzothola umphumela olandelayo:
I-Palo Alto Networks NGFW Security Policy Optimizer
Ngakho-ke, ezinye zalezi zinhlelo zokusebenza ezingaphansi zibonwe yi-NGFW, kodwa ezinye azizange zibonwe. Eqinisweni, ungakwazi ukwenqabela ngokuhlukile futhi uvumele imisebenzi engaphansi ehlukene ye-Facebook. Isibonelo, vumela ukubuka imilayezo, kodwa vimbela ingxoxo noma ukudluliswa kwefayela. Ngokufanelekile, i-Policy Optimizer ikhuluma ngalokhu futhi ungenza isinqumo: ungavumeli zonke izinhlelo zokusebenza ze-Facebook, kodwa eziyinhloko kuphela.

Ngakho-ke, saqaphela ukuthi izinhlu zihlukile. Ungaqiniseka ukuthi imithetho ivumela kuphela lezo zinhlelo zokusebenza ezihamba kunethiwekhi. Ukuze wenze lokhu, chofoza inkinobho ye-MatchUsage. Kuvela kanje:
I-Palo Alto Networks NGFW Security Policy Optimizer
Futhi ungangeza izinhlelo zokusebenza ozibona zifanelekile - inkinobho ethi Faka ngakwesokunxele kwewindi:
I-Palo Alto Networks NGFW Security Policy Optimizer
Bese-ke lo mthetho ungasetshenziswa futhi uhlolwe. Siyakuhalalisela!

Chofoza Azikho Izinhlelo Zokusebenza Ezicacisiwe.

Kulokhu, iwindi lokuphepha elibalulekile lizovuleka.
I-Palo Alto Networks NGFW Security Policy Optimizer
Cishe kunemithetho eminingi enjalo kunethiwekhi yakho lapho uhlelo lokusebenza lweleveli ye-L7 lungacaciswanga ngokusobala. Futhi kunethiwekhi yami kunomthetho onjalo - ake ngikukhumbuze ukuthi ngiwenze ngesikhathi sokusetha kokuqala, ikakhulukazi ukukhombisa ukuthi i-Policy Optimizer isebenza kanjani.

Isithombe sibonisa ukuthi umthetho we-AllowAll uvumele amagigabhayithi angu-9 wethrafikhi esikhathini esisuka ku-March 17 kuya ku-March 220, okuyizinhlelo zokusebenza ezihlukene ezingu-150 kunethiwekhi yami. Futhi lokho akwanele. Imvamisa, inethiwekhi yebhizinisi enosayizi omaphakathi inezinhlelo zokusebenza ezihlukene ezingama-200-300.

Ngakho-ke, umthetho owodwa uvumela izinhlelo zokusebenza ezingafika ku-150. Ngokuvamile lokhu kusho ukuthi i-firewall ayilungiswanga kahle, ngoba ngokuvamile umthetho owodwa uvumela izinhlelo zokusebenza ezingu-1-10 ngezinjongo ezihlukene. Ake sibone ukuthi lezi zinhlelo zokusebenza ziyini: chofoza inkinobho ethi Qhathanisa:
I-Palo Alto Networks NGFW Security Policy Optimizer
Into emangalisa kakhulu kumlawuli kumsebenzi we-Policy Optimizer inkinobho Yokusebenzisa Ukufanisa - ungakha umthetho ngokuchofoza okukodwa, lapho uzofaka khona zonke izinhlelo zokusebenza eziyi-150 emthethweni. Ukwenza lokhu mathupha kungathatha isikhathi eside. Inani lemisebenzi okumele umlawuli asebenze kuyo, ngisho nakunethiwekhi yami yamadivayisi ayi-10, likhulu kakhulu.

Nginezinhlelo zokusebenza ezihlukene eziyi-150 ezisebenza ekhaya, ezidlulisa amagigabhayithi ethrafikhi! Futhi unamalini?

Kodwa kwenzekani kunethiwekhi yamadivayisi ayi-100 noma i-1000 noma i-10000? Ngibone ama-firewall anemithetho engu-8000 futhi ngijabule kakhulu ukuthi abalawuli sebenamathuluzi anjalo wokuzenzakalela.

Ezinye zezinhlelo zokusebenza ezabonwa imojula yokuhlaziya uhlelo lwe-L7 ku-NGFW futhi yabonisa ukuthi ngeke uzidinge kunethiwekhi, ngakho-ke umane uzikhiphe ohlwini lwemithetho evumelayo, noma uhlanganise imithetho usebenzisa inkinobho ye-Clone (ku-interface enkulu) futhi zivumele emthethweni owodwa wohlelo, futhi kokuthi Uzovimba ezinye izinhlelo zokusebenza njengoba zingadingeki nakanjani kunethiwekhi yakho. Izicelo ezinjalo zivame ukufaka i-bittorent, umusi, i-ultrasurf, i-tor, imigudu efihliwe njenge-tcp-over-dns nabanye.
I-Palo Alto Networks NGFW Security Policy Optimizer
Hhayi-ke, ake sichofoze omunye umthetho futhi sibone ukuthi yini ongayibona lapho:
I-Palo Alto Networks NGFW Security Policy Optimizer
Yebo, kunezinhlelo zokusebenza ezijwayelekile zokusakaza okuningi. Kufanele sizivumele ukuthi zisebenze ukubukwa kwevidiyo ku-inthanethi. Chofoza okuthi Fanisa Ukusetshenziswa. Kuhle! Siyabonga Isikhuthazi Senqubomgomo.

Kuthiwani Ngokufunda Ngomshini?

Manje sekuyimfashini ukukhuluma nge-automation. Engikuchazile kwaphuma - kuyasiza kakhulu. Kukhona elinye ithuba okufanele ngikhulume ngalo. Lona umsebenzi Wokufunda Ngomshini owakhelwe kusisetshenziswa se-Expedition, esesishiwo ngenhla. Kulolu hlelo lokusebenza, kungenzeka ukudlulisa imithetho isuka ku-firewall yakho endala isuka komunye umkhiqizi. Kukhona nekhono lokuhlaziya izingodo zethrafikhi ze-Palo Alto Networks futhi uphakamise ukuthi yimiphi imithetho okufanele uyibhale. Lokhu kufana nokusebenza kwe-Policy Optimizer, kodwa ku-Expedition inwetshwa nakakhulu futhi unikezwa uhlu lwemithetho esele yenziwe - udinga nje ukuyigunyaza.
Ukuhlola lokhu kusebenza, kunomsebenzi waselabhorethri - sikubiza ngokuthi i-test drive. Lokhu kuhlolwa kungenziwa ngokungena kuma-firewall abonakalayo, abasebenzi basehhovisi le-Palo Alto Networks eMoscow abazokwethula ngesicelo sakho.
I-Palo Alto Networks NGFW Security Policy Optimizer
Isicelo singathunyelwa ku [i-imeyili ivikelwe] futhi esicelweni bhala: "Ngifuna ukwenza i-UTD yeNqubo Yokufuduka."

Eqinisweni, umsebenzi waselabhorethri obizwa ngokuthi i-Unified Test Drive (UTD) unezinketho eziningi futhi zonke itholakala ukude ngemva kwesicelo.

Abasebenzisi ababhalisiwe kuphela abangabamba iqhaza kuhlolovo. Ngena ngemvume, wamukelekile.

Ungathanda ukuthi othile akusize ulungiselele izinqubomgomo zakho zohlelo lokuvikela?

  • Yebo

  • No

  • Ngizokwenza konke mina

Akekho osavotile. Azikho izithiyo.

Source: www.habr.com

Engeza amazwana