Isicabucabu sewebhu noma inodi emaphakathi yenethiwekhi esabalalisiwe

Yini okufanele uyibheke lapho ukhetha irutha ye-VPN yenethiwekhi esabalalisiwe? Futhi yimiphi imisebenzi okufanele ibe nayo? Yilokhu okunikezwa ukubuyekezwa kwethu kwe-ZyWALL VPN1000.

Isingeniso

Ngaphambilini, okuningi kokushicilelwe kwethu bekunikezelwe kumadivayisi we-VPN asezingeni eliphansi ukuze uthole ukufinyelela kwenethiwekhi kusuka kumasayithi aseduze. Isibonelo, ukuxhuma amagatsha ahlukahlukene nendlunkulu, ukufinyelela ku-Network yezinkampani ezincane ezizimele, noma ngisho nezindlu ezizimele. Isikhathi sokukhuluma nge-node emaphakathi yenethiwekhi esabalalisiwe.

Kuyacaca ukuthi ngeke kwenzeke ukwakha inethiwekhi yesimanje yebhizinisi elikhulu kuphela ngesisekelo samadivayisi asezingeni lomnotho. Futhi uhlele isevisi yefu ukuze unikeze amasevisi kubathengi, futhi. Endaweni ethile kufanele kufakwe imishini ekwazi ukusiza inqwaba yamakhasimende ngesikhathi esisodwa. Lesi sikhathi sizokhuluma ngedivayisi eyodwa enjalo - Zyxel VPN1000.

Kubo bobabili ababambiqhaza abakhulu nabancane ekushintshisaneni kwenethiwekhi, kungenzeka ukuhlonza imibandela lapho kuhlolwa khona ukufaneleka kwedivayisi ethile ekuxazululeni inkinga.

Ngezansi kukhona okuyinhloko:

• amakhono ezobuchwepheshe kanye nokusebenza;
• ukulawula;
• ukuphepha;
• ukubekezelelana kwamaphutha.

Kunzima ukunquma ukuthi yini ebaluleke kakhulu nokuthi yini engenziwa ngaphandle kwayo. Kudingeka konke. Uma idivayisi ingahlangabezani nezidingo ngokuya ngemibandela ethile, lokhu kugcwele izinkinga ngokuzayo.

Kodwa-ke, izici ezithile zamadivayisi aklanyelwe ukuqinisekisa ukusebenza kwamayunithi amaphakathi nemishini esebenza ikakhulukazi emaphethelweni angase ahluke kakhulu.

Ku-node ephakathi, amandla e-computing eza kuqala - lokhu kuholela ekupholiseni okuphoqelekile, futhi, ngenxa yalokho, umsindo ovela ku-fan. Kumadivayisi aseduze, ngokuvamile atholakala emahhovisi nasezindlini, ukusebenza okunomsindo cishe akwamukeleki.

Elinye iphuzu elithakazelisayo ukusatshalaliswa kwamachweba. Emishinini eseceleni kuyacaca kancane ukuthi izosetshenziswa kanjani nokuthi mangaki amaklayenti azoxhunywa. Ngakho-ke, ungasetha ukuhlukaniswa okuqinile kwamachweba ku-WAN, LAN, DMZ, ukubopha ngokuqinile kuphrothokholi, njalonjalo. Asikho isiqiniseko esinjalo endaweni emaphakathi. Isibonelo, sengeze ingxenye yenethiwekhi entsha edinga uxhumano ngokusebenzisa isixhumi esibonakalayo sayo - nokuthi ungakwenza kanjani lokhu? Lokhu kudinga isixazululo esisebenza emhlabeni wonke esinekhono lokulungisa kalula ukuxhumana.

I-nuance ebalulekile ukuthi idivayisi inothile emisebenzini ehlukahlukene. Yiqiniso, indlela yokuba nesisetshenziswa esisodwa senza umsebenzi owodwa kahle inezinzuzo zayo. Kodwa isimo esithakazelisa kakhulu siqala lapho udinga ukuthatha isinyathelo kwesokunxele, isinyathelo sokuya kwesokudla. Kunjalo, ngomsebenzi omusha ngamunye ungakwazi ngaphezu kwalokho ukuthenga enye idivayisi target. Futhi njalo kuze kube yilapho isabelomali noma indawo yokubeka iphelile.

Ngokuphambene, isethi enwetshiwe yemisebenzi ikuvumela ukuthi uphumelele ngedivayisi eyodwa lapho uxazulula izinkinga ezimbalwa. Isibonelo, i-ZyWALL VPN1000 isekela izinhlobo eziningi zokuxhumeka kwe-VPN, okuhlanganisa i-SSL ne-IPsec VPN, kanye nokuxhumana okukude kwabasebenzi. Okusho ukuthi, ucezu olulodwa lwehadiwe luhlanganisa izindaba zakho kokubili ukuxhumana kwe-cross-site kanye namaklayenti. Kodwa kukhona oyedwa "kodwa". Ukuze lokhu kusebenze, udinga ukuba nendawo yokugcina ukusebenza. Isibonelo, endabeni ye-ZyWALL VPN1000, i-IPsec VPN hardware core inikeza ukusebenza okuphezulu komhubhe we-VPN, futhi ukulinganisa kwe-VPN / ukungasasebenzi nge-SHA-2 kanye ne-IKEv2 algorithms kunikeza ukwethembeka okuphezulu nokuvikeleka kwebhizinisi.

Kufakwe ohlwini ngezansi ezinye izici eziwusizo ezihlanganisa indawo eyodwa noma ngaphezulu kwezichazwe ngenhla.

I-SD-WAN inikeza inkundla yokuphathwa kwamafu, ukuthola izinzuzo zokuphatha okumaphakathi kokuxhumana phakathi kwamasayithi anekhono lokulawula nokugada ukude. I-ZyWALL VPN1000 iphinde isekele imodi yokusebenza ehambisanayo lapho kudingeka khona imisebenzi ethuthukisiwe ye-VPN.

Usekelo lwezinkundla zamafu zezinsizakalo ezibalulekile zenjongo. I-ZyWALL VPN1000 ihlolelwe ukusetshenziswa ne-Microsoft Azure ne-AWS. Ukusetshenziswa kwamadivayisi ahlolwe ngaphambilini kuyancomeka enhlanganweni yanoma yiliphi izinga, ikakhulukazi uma ingqalasizinda ye-IT isebenzisa inhlanganisela yenethiwekhi yendawo namafu.

Ukuhlunga okuqukethwe Iqinisa ukuphepha ngokuvimba ukufinyelela kumawebhusayithi anonya noma angafuneki. Ivimbela uhlelo olungayilungele ikhompuyutha ukuthi lungalandwa kumasayithi angathenjwa noma agqekeziwe. Endabeni ye-ZyWALL VPN1000, ilayisense yonyaka yale sevisi isivele ifakiwe kuphakheji.

I-Geo-politiki (Geo IP) ikuvumela ukuthi uqaphe ithrafikhi futhi uhlaziye indawo yamakheli e-IP, unqabele ukufinyelela ezindaweni ezingadingekile noma ezingaba yingozi. Ilayisense yaminyaka yonke yale sevisi nayo ifakiwe uma uthenga idivayisi.

Ukuphathwa Kwenethiwekhi Okungenantambo I-ZyWALL VPN1000 ifaka phakathi isilawuli senethiwekhi engenantambo esikuvumela ukuthi uphathe amaphoyinti okufinyelela afinyelela kwangu-1032 usebenzisa isixhumi esibonakalayo somsebenzisi esimaphakathi. Amabhizinisi angasebenzisa noma andise inethiwekhi ye-Wi-Fi ephethwe ngomzamo omncane. Kuyaphawuleka ukuthi inombolo 1032 ngempela okuningi. Ngokusekelwe esibalweni sokuthi abasebenzisi abangafika kwabayi-10 bangaxhuma endaweni eyodwa yokufinyelela, lesi yisibalo esihle kakhulu.

Ukulinganisa nokungadingeki. Uchungechunge lwe-VPN lusekela ukulinganisa kokulayisha kanye nokuphindaphindeka ezindaweni eziningi zangaphandle. Okungukuthi, ungakwazi ukuxhuma iziteshi eziningana ezivela kubahlinzeki abaningana, ngaleyo ndlela uzivikele ezinkingeni zokuxhumana.

Amathuba okuphelelwa yisikhathi kwedivayisi (Idivayisi HA) ngoxhumano olungami, nanoma enye yamadivayisi ihluleka. Kunzima ukwenza ngaphandle kwalokhu uma udinga ukuhlela umsebenzi 24/7 nge-downtime encane.

I-Zyxel Device HA Pro isebenza kuyo esebenzayo/enziwayo, engadingi inqubo yokusetha eyinkimbinkimbi. Lokhu kukuvumela ukuthi wehlise i-threshold yokungena bese uqala ngokushesha ukusebenzisa ukubhukha. Ngokungafani iyasebenza/esebenzayo, lapho umlawuli wesistimu edinga ukuqeqeshwa okwengeziwe, akwazi ukulungisa umzila oguquguqukayo, aqonde ukuthi ayini amaphakethe asymmetric, njll. — ukusetha imodi esebenzayo/enziwayo Isebenza kalula kakhulu futhi idinga isikhathi esincane.

Uma usebenzisa i-Zyxel Device HA Pro, amadivayisi ashintshanisa amasignali ukushaya kwenhliziyo ngechweba elizinikele. Izimbobo zedivayisi ezisebenzayo nezingenzi lutho ze ukushaya kwenhliziyo ixhunywe ngentambo ye-Ethernet. I-passive device ivumelanisa ngokuphelele ulwazi nedivaysi esebenzayo. Ikakhulukazi, zonke izikhathi, imigudu, nama-akhawunti abasebenzisi avunyelaniswa phakathi kwamadivayisi. Ngaphezu kwalokho, i-passive device igcina ikhophi eyisipele yefayela lokumisa uma kwenzeka idivayisi esebenzayo yehluleka. Lokhu kuqinisekisa uguquko olungenazihibe esimweni lapho idivayisi ihluleka khona.

Kuyaphawuleka ukuthi ezinhlelweni ezisebenzayo/esebenzayo kusamele ugcine u-20-25% wezinsiza zesistimu ukuze uthole i-failover. Ngo esebenzayo/enziwayo idivayisi eyodwa isesimweni sokulinda ngokuphelele, futhi isilungele ukucubungula ithrafikhi yenethiwekhi ngokushesha futhi igcine ukusebenza kwenethiwekhi okuvamile.

Ngamagama alula: “Lapho usebenzisa i-Zyxel Device HA Pro futhi unesiteshi esiyisipele, ibhizinisi livikelekile kokubili ekulahlekelweni kokuxhumana ngenxa yephutha lomhlinzeki, nasezinkingeni ezibangelwa ukuhluleka komzila.

Ifinyeza konke okungenhla

Ku-node emaphakathi yenethiwekhi esabalalisiwe, kungcono ukusebenzisa idivayisi enokunikezwa okuthile kwamachweba (izixhumanisi zokuxhuma). Kulokhu, kuyinto efiselekayo ukuba nakho kokubili ukusebenzelana kwe-RJ45 ukuze kube lula nokuxhumeka okungabizi, kanye ne-SFP yokukhetha phakathi koxhumano lwe-fiber-optic kanye nokupheya okusontekile.

Le divayisi kufanele ibe:

• ekhiqizayo, evumelaniswe nezinguquko ezingazelelwe emthwalweni;
• nge-interface ecacile;
• enenani elicebile, kodwa elingeqile lemisebenzi eyakhelwe ngaphakathi, kuhlanganise naleyo ehlobene nokuvikeleka;
• enekhono lokwakha izifunda ezibekezelela amaphutha - ukuphindaphinda kwesiteshi nokuphindaphinda idivayisi;
• ukusekela ukuphathwa ukuze yonke ingqalasizinda enamagatsha ngendlela ye-node emaphakathi kanye nemishini yocingo ingaphathwa ukusuka endaweni eyodwa;
• njengoba "i-cherry on the cake" isekela izitayela zanamuhla ezifana nokuhlanganiswa nezinsiza zamafu nokunye.

I-ZyWALL VPN1000 njengendawo emaphakathi yenethiwekhi

Uma uthi nhlá i-ZyWALL VPN1000, kuyacaca ukuthi i-Zyxel ayizange igcine amachweba.

Sine:

• 12 izimbobo ze-RJ‑45 (GBE) ezilungisekayo;

• 2 izimbobo ze-SFP ezilungisekayo (GBE);

• 2 Izimbobo ze-USB 3.0 ezisekelwa amamodemu e-3G/4G.

Umfanekiso 1. Ukubuka okujwayelekile kwe-ZyWALL VPN1000.

Kufanele kuqashelwe ngokushesha ukuthi idivayisi akuyona ihhovisi lasekhaya, ngokuyinhloko ngenxa yabalandeli abanamandla. Zine lapha.

Umfanekiso 2. Iphaneli yangemuva ye-ZyWALL VPN1000.

Ake sibone ukuthi i-interface ibukeka kanjani.

Kufanele unake ngokushesha isimo esibalulekile. Kunemisebenzi eminingi, futhi ngeke kwenzeke ukuyichaza ngokuningiliziwe esihlokweni esisodwa. Kodwa okuhle ngemikhiqizo ye-Zyxel ukuthi kunemibhalo enemininingwane eminingi, okokuqala, imanuwali yomsebenzisi (yomphathi). Ngakho-ke, ukuze uthole umbono wengcebo yemisebenzi, ake sidlule kumathebhu.

Ngokuzenzakalelayo, imbobo 1 kanye nechweba 2 kwabelwa i-WAN. Kusukela embobeni yesithathu kukhona ukuxhumana kwenethiwekhi yendawo.

Imbobo yesithathu ene-IP 3 ezenzakalelayo ifaneleka impela ukuxhuma.

Sixhuma i-patchcord, hamba ekhelini https://192.168.1.1 futhi ungabuka iwindi lokubhalisa lomsebenzisi le-interface yewebhu.

Ukubhala. Ukuphatha, ungasebenzisa isistimu yokuphatha amafu ye-SD-WAN.

Umfanekiso 3. Iwindi lokungena ngemvume nephasiwedi

Sidlula inqubo yokufaka ukungena ngemvume nephasiwedi bese sithola iwindi ledeshibhodi esikrinini. Empeleni, njengoba kufanele kube kuDeshibhodi - ulwazi oluphezulu lokusebenza kuwo wonke ucezu lwesikhala sesikrini.

Umfanekiso 4. ZyWALL VPN1000 - Ideshibhodi.

Ithebhu Yokusetha Okusheshayo (Abathakathi)

Kukhona abasizi ababili kusixhumi esibonakalayo: ukusetha i-WAN nokusetha i-VPN. Eqinisweni, abasizi bayinto enhle; bakuvumela ukuthi wenze izilungiselelo zesifanekiso ngaphandle kokuba nolwazi lokusebenza ngedivayisi. Nokho, kulabo abafuna okwengeziwe, njengoba kushiwo ngenhla, kunemibhalo enemininingwane.

Umfanekiso 5. Ithebhu yokusetha okusheshayo.

Ithebhu yokuqapha

Ngokusobala, onjiniyela abavela ku-Zyxel banqume ukulandela isimiso: siqapha konke esingakwenza. Yebo, kudivayisi esebenza njengehabhu elimaphakathi, ukulawula okuphelele ngeke kulimale nakancane.

Ngisho nokwandisa zonke izinto kubha eseceleni, ingcebo yokuzikhethela iba sobala.

Umfanekiso 6. Ithebhu yokuqapha enezinto ezincane ezinwetshiwe.

Ithebhu yokumisa

Lapha ingcebo yemisebenzi ibonakala nakakhulu.

Isibonelo, ukuphathwa kwembobo yedivayisi kuklanywe kahle kakhulu.

Umfanekiso 7. Ithebhu yokumisa enezinto ezincane ezinwetshiwe.

Ithebhu yesondlo

Iqukethe izigatshana zokubuyekeza i-firmware, ukuxilonga, imithetho yokubuka umzila kanye nokuvala shaqa.

Le misebenzi ingeyemvelo yokusiza futhi ikhona ngezinga elithile cishe kuwo wonke amadivaysi enethiwekhi.

Umfanekiso 8. Ithebhu yesondlo enezinto ezincane ezinwetshiwe.

Izici zokuqhathanisa

Ukubuyekeza kwethu bekungeke kuphelele ngaphandle kokuqhathaniswa namanye ama-analogue.

Ngezansi kunethebula lama-analogue aseduze kakhulu ne-ZyWALL VPN1000 kanye nohlu lwemisebenzi yokuqhathanisa.

Ithebula 1. Ukuqhathaniswa kwe-ZyWALL VPN1000 nama-analogue.

Izincazelo zeThebula 1:

*1: Ilayisensi iyadingeka

*2: Ilungiselelo Lokuthinta Okuphansi: Umlawuli kufanele aqale alungise idivayisi endaweni ngaphambi kwe-ZTP.

*3: Iseshini esekelwe: I-DPS izosebenza kuphela kuseshini entsha; lokhu ngeke kuthinte iseshini yamanje.

Njengoba ungabona, ngandlela thize ama-analogue athola iqhawe lokubuyekezwa kwethu, isibonelo, i-Fortinet FG-100E futhi ine-WAN eyakhelwe ngaphakathi, futhi i-Meraki MX100 ine-AutoVPN eyakhelwe ngaphakathi (indawo yokuya kuyo). -site) umsebenzi, kodwa ngokuvamile, i-ZyWALL VPN1000 icacile kusethi yayo ebanzi yemisebenzi ihamba phambili.

Izincomo lapho ukhetha amadivaysi e-node emaphakathi (hhayi i-Zyxel kuphela)

Lapho ukhetha amadivaysi okuhlela i-node emaphakathi yenethiwekhi ebanzi enamagatsha amaningi, kufanele ugxile enanini lemingcele: amakhono obuchwepheshe, ukuphatha kalula, ukuphepha nokubekezelelana kwamaphutha.

Uhlu olubanzi lwemisebenzi, inombolo enkulu yamachweba aphathekayo anokucushwa okuguquguqukayo: i-WAN, i-LAN, i-DMZ kanye nokuba khona kweminye imisebenzi emihle, njengesilawuli sokuphatha indawo yokufinyelela, ikuvumela ukuthi uqedele imisebenzi eminingi ngesikhathi esisodwa.

Indima ebalulekile idlalwa ukutholakala kwemibhalo kanye nesixhumi esibonakalayo sokuphatha.

Ukuba nezinto ezinjalo ezibonakala zilula eduze, akunzima kangako ukudala ingqalasizinda yenethiwekhi ehlanganisa amasayithi nezindawo ezahlukahlukene, futhi ukusetshenziswa kwefu le-SD-WAN kukuvumela ukuthi wenze lokhu ngokuguquguquka okukhulu nokuphepha.

Izixhumanisi eziwusizo

Ukuhlaziywa kwemakethe ye-SD-WAN: yiziphi izixazululo ezikhona nokuthi ubani ozidingayo

I-Zyxel Device HA Pro ithuthukisa ukuqina kwenethiwekhi

Kusetshenziswa isici se-GeoIP kumasango okuphepha ochungechunge lwe-ATP/VPN/Zywall/USG

Yini ezosala ekamelweni leseva?

Okubili kokukodwa, noma ukufuduka kwesilawuli sephoyinti lokufinyelela kusango

Ingxoxo yocingo Zyxel for ochwepheshe

Source: www.habr.com