Ukuqapha kwenethiwekhi nokutholwa komsebenzi wenethiwekhi ongaqondakali kusetshenziswa izixazululo ze-Flowmon Networks

Muva nje, ungathola inani elikhulu lezinto esihlokweni ku-inthanethi. ukuhlaziywa kwethrafikhi ku-perimeter yenethiwekhi. Ngesikhathi esifanayo, ngesizathu esithile wonke umuntu wakhohlwa ngokuphelele ukuhlaziywa kwethrafikhi yendawo, okungabalulekile kangako. Lesi sihloko sikhuluma ngokuqondile ngalesi sihloko. Ngokwesibonelo I-Flowmon Networks sizokhumbula i-Netflow yakudala enhle (kanye nezinye izindlela zayo), sibheke amacala athokozisayo, okungaqondakali okungenzeka kunethiwekhi futhi sithole izinzuzo zesixazululo lapho yonke inethiwekhi isebenza njengenzwa eyodwa. Futhi okubaluleke kakhulu, ungenza ukuhlaziya okunjalo kwethrafikhi yendawo mahhala ngokuphelele, ngaphakathi kohlaka lwelayisensi yesilingo (Izinsuku ze-45). Uma isihloko sithakazelisa kuwe, wamukelekile ekati. Uma uvilapha kakhulu ukufunda, khona-ke, ubheke phambili, ungabhalisa i-webinar ezayo, lapho sizokukhombisa khona futhi sikutshele konke (ungafunda futhi mayelana nokuqeqeshwa komkhiqizo okuzayo lapho).

Yini i-Flowmon Networks?

Okokuqala, u-Flowmon ungumdayisi we-IT waseYurophu. Le nkampani ingeyeCzech, nendlunkulu eBrno (indaba yezijeziso ayikaphakanyiswa nakancane). Ngendlela yayo yamanje, inkampani ibilokhu isemakethe kusukela ngo-2007. Phambilini, bekwaziwa ngaphansi kohlobo lwe-Invea-Tech. Ngakho-ke, sekuphelele, cishe iminyaka engama-20 yachithwa ekuthuthukiseni imikhiqizo nezisombululo.

I-Flowmon ibekwe njengophawu lwe-A-class. Ithuthukisa izixazululo ze-premium zamakhasimende ebhizinisi futhi ibonwa emabhokisini e-Gartner we-Network Performance Monitoring and Diagnostics (NPMD). Ngaphezu kwalokho, ngokuthakazelisayo, kuzo zonke izinkampani ezikulo mbiko, u-Flowmon ukuphela komthengisi ophawulwe nguGartner njengomkhiqizi wezixazululo kokubili ukuqapha kwenethiwekhi nokuvikelwa kolwazi (Ukuhlaziywa Kokuziphatha Kwenethiwekhi). Ayithathi indawo yokuqala okwamanje, kodwa ngenxa yalokhu ayimi njengophiko lwe-Boeing.

Yiziphi izinkinga ozixazululayo umkhiqizo?

Emhlabeni jikelele, singakwazi ukuhlukanisa inqwaba yemisebenzi exazululwe yimikhiqizo yenkampani:

1. ukwandisa ukuzinza kwenethiwekhi, kanye nezinsiza zenethiwekhi, ngokunciphisa isikhathi sabo sokuphumula nokungatholakali;
2. ukwandisa izinga lokusebenza kwenethiwekhi;
3. ukwandisa ukusebenza kahle kwabasebenzi bokuphatha ngenxa yalokhu:
   • kusetshenziswa amathuluzi esimanjemanje okuqapha inethiwekhi asuselwe olwazini olumayelana nokugeleza kwe-IP;
   • ukuhlinzeka ngokuhlaziywa okuningiliziwe mayelana nokusebenza kanye nesimo senethiwekhi - abasebenzisi nezinhlelo zokusebenza ezisebenza kunethiwekhi, idatha edlulisiwe, izinsiza ezisebenzisanayo, izinsizakalo namanodi;
   • ukuphendula izehlakalo ngaphambi kokuthi zenzeke, hhayi ngemuva kokuthi abasebenzisi namakhasimende belahlekelwe yisevisi;
   • ukunciphisa isikhathi nezinsiza ezidingekayo zokuphatha inethiwekhi nengqalasizinda ye-IT;
   • ukwenza lula imisebenzi yokuxazulula izinkinga.
4. ukwandisa izinga lokuphepha lenethiwekhi kanye nezinsiza zolwazi zebhizinisi, ngokusebenzisa ubuchwepheshe obungasayini ukuze kutholwe umsebenzi wenethiwekhi ongalungile nononya, kanye "nokuhlaselwa kwezinsuku eziyize";
5. ukuqinisekisa izinga elidingekayo le-SLA lezinhlelo zokusebenza zenethiwekhi kanye nesizindalwazi.

Iphothifoliyo yomkhiqizo we-Flowmon Networks

Manje ake sibheke ngqo kuphothifoliyo yomkhiqizo we-Flowmon Networks futhi sithole ukuthi yini ngempela inkampani eyenza. Njengoba abaningi sebeqagele kakade egameni, ukukhethekile okuyinhloko kusezisombululweni zokuqapha ukugeleza kwethrafikhi, kanye nenani lamamojula angeziwe anweba ukusebenza okuyisisekelo.

Eqinisweni, i-Flowmon ingabizwa ngokuthi inkampani yomkhiqizo owodwa, noma kunalokho, isisombululo esisodwa. Ake sithole ukuthi lokhu kuhle noma kubi.

Umnyombo wesistimu umqoqi, onesibopho sokuqoqa idatha esebenzisa amaphrothokholi ahlukahlukene okugeleza, njenge I-NetFlow v5/v9, i-jFlow, i-sFlow, i-NetStream, i-IPFIX... Kunengqondo ukuthi enkampanini engahlangene nanoma yimuphi umkhiqizi wemishini yenethiwekhi, kubalulekile ukunikeza imakethe umkhiqizo osebenza emhlabeni wonke ongaboshelwe kunoma iyiphi indinganiso noma iphrothokholi eyodwa.

Umqoqi we-Flowmon

Umqoqi utholakala kokubili njengeseva yehadiwe nanjengomshini obonakalayo (VMware, Hyper-V, KVM). Ngendlela, inkundla yehadiwe isetshenziswa kumaseva enziwe ngokwezifiso e-DELL, esusa ngokuzenzakalelayo iningi lezinkinga ngewaranti ne-RMA. Okuwukuphela kwezingxenye ze-Hardware eziphathelene namakhadi okuthwebula kwethrafikhi e-FPGA athuthukiswe inkampani ephethwe yi-Flowmon, evumela ukuqapha ngesivinini esingafika ku-100 Gbps.

Kodwa yini okufanele uyenze uma imishini yenethiwekhi ekhona ingakwazi ukukhiqiza ukugeleza kwekhwalithi ephezulu? Noma ingabe umthwalo wezinto zokusebenza uphakeme kakhulu? Ayikho inkinga:

I-Flowmon Prob

Kulokhu, i-Flowmon Networks iphakamisa ukusebenzisa ama-probes ayo (i-Flowmon Probe), exhunywe kunethiwekhi ngembobo ye-SPAN yeswishi noma kusetshenziswa izihlukanisi ze-TAP ezingenzi lutho.

SPAN (imbobo yesibuko) nezinketho zokusebenzisa i-TAP

Kulokhu, ithrafikhi eluhlaza efika ku-Flowmon Probe iguqulelwa ku-IPFIX enwetshiwe equkethe okwengeziwe. 240 amamethrikhi anolwazi. Ngenkathi iphrothokholi ejwayelekile ye-NetFlow ekhiqizwa okokusebenza kwenethiwekhi iqukethe amamethrikhi angaphezu kuka-80. Lokhu kuvumela ukubonakala kwephrothokholi hhayi kuphela ezingeni lesi-3 nelesi-4, kodwa nasezingeni lesi-7 ngokuya ngemodeli ye-ISO OSI. Ngenxa yalokho, abalawuli benethiwekhi bangakwazi ukuqapha ukusebenza kwezinhlelo zokusebenza kanye nezivumelwano ezifana ne-imeyili, i-HTTP, i-DNS, i-SMB...

Ngokomqondo, ukwakheka okunengqondo kwesistimu kubukeka kanje:

Ingxenye emaphakathi yayo yonke "i-ecosystem" ye-Flowmon Networks yi-Collector, ethola ithrafikhi evela kumishini yenethiwekhi ekhona noma ama-probes ayo (Probe). Kodwa ngesixazululo se-Enterprise, ukuhlinzeka ngokusebenza kokuqapha ithrafikhi yenethiwekhi kungaba lula kakhulu. Izixazululo ze-Open Source nazo zingakwenza lokhu, hhayi ngokusebenza okunjalo. Inani le-Flowmon amamojula engeziwe anweba ukusebenza okuyisisekelo:

• module Ukuphepha Kokuthola Okungaqondakali - ukuhlonza umsebenzi wenethiwekhi ongaqondakali, okuhlanganisa ukuhlaselwa kwezinsuku eziyiziro, okusekelwe ekuhlaziyweni kwethrafikhi kanye nephrofayili yenethiwekhi ejwayelekile;
• module Ukuqapha Ukusebenza Kokusebenza - ukuqapha ukusebenza kwezinhlelo zokusebenza zenethiwekhi ngaphandle kokufaka "ama-ejenti" kanye nokuthonya izinhlelo eziqondiwe;
• module Irekhoda yethrafikhi - ukurekhoda izingcezu zethrafikhi yenethiwekhi ngokuya ngesethi yemithetho echazwe ngaphambilini noma ngokuya nge-trigger evela kumojula ye-ADS, ukuze kuxazululwe izinkinga kanye/noma uphenyo lwezigameko zokuphepha kolwazi;
• module Ukuvikela i-DDoS - ukuvikelwa kwe-perimeter yenethiwekhi ekunqatshelweni kwe-volumetric DoS/DDoS ekuhlaselweni kwesevisi, okuhlanganisa nokuhlaselwa kwezinhlelo zokusebenza (OSI L3/L4/L7).

Kulesi sihloko, sizobheka ukuthi yonke into isebenza kanjani bukhoma sisebenzisa isibonelo samamojula ama-2 - Ukuqapha Ukusebenza Kwenethiwekhi Nokuxilongwa и Ukuphepha Kokuthola Okungaqondakali.
Idatha yokuqala:

• Iseva ye-Lenovo RS 140 ene-VMware 6.0 hypervisor;
• Isithombe somshini we-Flowmon Collector ongasisebenzisa landa lapha;
• amaswishi asekela amaphrothokholi agelezayo.

Isinyathelo 1. Faka i-Flowmon Collector

Ukuthunyelwa komshini obonakalayo ku-VMware kwenzeka ngendlela ejwayelekile ngokuphelele kusuka kusifanekiso se-OVF. Ngenxa yalokho, sithola umshini obonakalayo osebenzisa i-CentOS kanye nesofthiwe esilungele ukusetshenziswa. Izidingo zensiza zinobuntu:

Okusele nje ukwenza ukuqalisa okuyisisekelo usebenzisa umyalo sysconfig:

Silungiselela i-IP echwebeni lokuphatha, i-DNS, isikhathi, Igama lomethuleli futhi singaxhuma kusixhumi esibonakalayo seWEBH.

Isinyathelo 2. Ukufakwa kwelayisensi

Ilayisensi yesilingo yenyanga eyodwa nesigamu iyakhiqizwa futhi ilandwe kanye nesithombe somshini obonakalayo. Ilayishwe nge Isikhungo Sokucupha -> Ilayisensi. Ngenxa yalokho sibona:

Konke sekulungile. Ungaqala ukusebenza.

Isinyathelo sesi-3. Ukusetha umamukeli kumqoqi

Kulesi sigaba, udinga ukunquma ukuthi uhlelo luzothola kanjani idatha emithonjeni. Njengoba sishilo ekuqaleni, lokhu kungaba enye yezinqubo zokugeleza noma imbobo ye-SPAN ekushintsheni.

Esibonelweni sethu, sizosebenzisa ukwamukela idatha sisebenzisa amaphrothokholi I-NetFlow v9 ne-IPFIX. Kulokhu, sicacisa ikheli le-IP lesixhumi esibonakalayo Sokuphatha njengethagethi - 192.168.78.198. I-interface eth2 ne-eth3 (enohlobo lwesixhumi esibonakalayo Sokuqapha) isetshenziselwa ukuthola ikhophi yethrafikhi "engavuthiwe" evela embobeni ye-SPAN yeswishi. Siyabavumela badlule, hhayi icala lethu.
Okulandelayo, sibheka imbobo yokuqoqa lapho ithrafikhi kufanele ihambe khona.

Esimweni sethu, umqoqi ulalela ithrafikhi ku-port UDP/2055.

Isinyathelo sesi-4. Ukulungisa okokusebenza kwenethiwekhi ukuze kuthunyelwe ngaphandle

Ukusetha i-NetFlow kumishini ye-Cisco Systems cishe kungabizwa ngokuthi umsebenzi ojwayelekile ngokuphelele kunoma yimuphi umlawuli wenethiwekhi. Isibonelo sethu, sizothatha okuthile okungajwayelekile. Isibonelo, irutha ye-MikroTik RB2011UiAS-2HnD. Yebo, ngokuxakile, isisombululo esinjalo sesabelomali samahhovisi amancane nasekhaya futhi sisekela i-NetFlow v5/v9 kanye ne-IPFIX protocol. Kuzilungiselelo, setha okuqondisiwe (ikheli lomqoqi 192.168.78.198 kanye nembobo 2055):

Futhi engeza wonke amamethrikhi atholakalayo ukuze athunyelwe:

Kuleli qophelo singasho ukuthi ukusetha okuyisisekelo kuqedile. Sihlola ukuthi ithrafikhi iyangena yini ohlelweni.

Isinyathelo sesi-5: Ukuhlola nokusebenzisa i-Network Performance Monitoring and Diagnostics Module

Ungahlola ubukhona bethrafikhi emthonjeni osesigabeni I-Flowmon Monitoring Center -> Imithombo:

Siyabona ukuthi idatha ingena ohlelweni. Esikhathini esithile ngemva kokuba umqoqi eqongelele ithrafikhi, amawijethi azoqala ukubonisa ulwazi:

Isistimu yakhelwe phezu komgomo we-drill down. Okusho ukuthi, umsebenzisi, lapho ekhetha ucezu lwentshiseko kumdwebo noma igrafu, "uwela" ezingeni lokujula kwedatha ayidingayo:

Ngaphansi kolwazi mayelana nokuxhumeka kwenethiwekhi nokuxhumeka:

Isinyathelo 6. Imojuli Yokuphepha Yokuthola Okungaqondakali

Le mojula ingabizwa ngokuthi mhlawumbe enye yezithakazelisa kakhulu, ngenxa yokusetshenziswa kwezindlela ezingenasiginesha zokuthola okudidayo kuthrafikhi yenethiwekhi nomsebenzi wenethiwekhi enonya. Kodwa lokhu akuyona i-analogue yezinhlelo ze-IDS/IPS. Ukusebenza nemojula kuqala “ngokuqeqeshwa” kwayo. Ukuze wenze lokhu, iwizadi ekhethekile icacisa zonke izingxenye ezibalulekile nezinsizakalo zenethiwekhi, okuhlanganisa:

• amakheli esango, i-DNS, i-DHCP kanye namaseva e-NTP,
• ukukhuluma kumasegimenti wabasebenzisi neseva.

Ngemuva kwalokhu, uhlelo lungena kwimodi yokuqeqesha, ehlala ngokwesilinganiso kusuka kumaviki ama-2 kuya enyangeni engu-1. Ngalesi sikhathi, isistimu ikhiqiza ithrafikhi eyisisekelo eqondene nenethiwekhi yethu. Kalula nje, uhlelo lufunda:

• ikuphi ukuziphatha okuvamile kumanodi enethiwekhi?
• Imaphi amavolumu edatha ngokuvamile adluliswayo futhi ajwayelekile kunethiwekhi?
• Sithini isikhathi esijwayelekile sokusebenza sabasebenzisi?
• yiziphi izinhlelo zokusebenza ezisebenza kunethiwekhi?
• nokunye okuningi..

Njengomphumela walokho, sithola ithuluzi elihlonza noma yikuphi okudidayo kunethiwekhi yethu kanye nokuphambuka ekuziphatheni okujwayelekile. Nazi izibonelo ezimbalwa uhlelo olukuvumela ukuthi uzibone:

• ukusatshalaliswa kohlelo olungayilungele ikhompuyutha kunethiwekhi olungatholwa amasignesha e-antivirus;
• ukwakha i-DNS, i-ICMP noma eminye imigudu kanye nokudlulisa idatha ngokudlula i-firewall;
• ukubonakala kwekhompyutha entsha kunethiwekhi ezenza i-DHCP kanye/noma iseva ye-DNS.

Ake sibone ukuthi ibukeka kanjani bukhoma. Ngemuva kokuthi isistimu yakho isiqeqeshiwe futhi yakha isisekelo sethrafikhi yenethiwekhi, iqala ukubona izigameko:

Ikhasi eliyinhloko lemojuli umugqa wesikhathi obonisa izigameko ezihlonziwe. Esibonelweni sethu, sibona i-spike ecacile, cishe phakathi kwamahora angu-9 no-16. Masiyikhethe futhi sibheke kabanzi.

Ukuziphatha okuxakile komhlaseli kunethiwekhi kubonakala ngokucacile. Konke kuqala ngeqiniso lokuthi umsingathi onekheli elithi 192.168.3.225 uqale ukuskena okuvundlile kwenethiwekhi ku-port 3389 (isevisi ye-Microsoft RDP) futhi wathola "izisulu" ezingaba ngu-14:

и

Isigameko esilandelayo esirekhodiwe - umsingathi 192.168.3.225 uqala ukuhlasela okunamandla ukuze asebenzise amagama ayimfihlo kusevisi ye-RDP (port 3389) kumakheli akhonjwe ngaphambilini:

Njengomphumela wokuhlasela, kutholwa okudidayo kwe-SMTP komunye wabasingathi abantshontshiwe. Ngamanye amazwi, i-SPAM isiqalile:

Lesi sibonelo siwukuboniswa okucacile kwamakhono esistimu kanye nemojula Yezokuphepha Kokutholwa Okungaziwa ikakhulukazi. Zihlulele ngokwakho ukusebenza ngempumelelo. Lokhu kuphetha ukubuka konke kokusebenza kwesixazululo.

isiphetho

Ake sifingqe ukuthi yiziphi iziphetho esingazithola nge-Flowmon:

• I-Flowmon iyisixazululo se-premium samakhasimende ezinkampani;
• ngenxa yokuguquguquka nokuhambisana kwayo, ukuqoqwa kwedatha kuyatholakala kunoma yimuphi umthombo: imishini yenethiwekhi (Cisco, Juniper, HPE, Huawei...) noma ama-probes akho (i-Flowmon Probe);
• Amandla okulinganisa esixazululo akuvumela ukuthi unwebe ukusebenza kohlelo ngokungeza amamojula amasha, kanye nokwandisa umkhiqizo ngenxa yendlela eguquguqukayo yokunikeza amalayisense;
• ngokusebenzisa ubuchwepheshe bokuhlaziya obungenasiginesha, uhlelo lukuvumela ukuthi uthole ukuhlaselwa kwezinsuku eziyiziro ngisho okungaziwa kuma-antivirus kanye nezinhlelo ze-IDS/IPS;
• sibonga "ukukhanya" okuphelele mayelana nokufakwa kanye nokuba khona kwesistimu kunethiwekhi - isisombululo asithinti ukusebenza kwamanye ama-node kanye nezingxenye zengqalasizinda yakho ye-IT;
• I-Flowmon iyisixazululo kuphela emakethe esisekela ukuqapha kwethrafikhi ngesivinini esifika ku-100 Gbps;
• I-Flowmon iyisixazululo samanethiwekhi anoma yisiphi isikali;
• isilinganiso esihle kakhulu samanani/sokusebenza phakathi kwezixazululo ezifanayo.

Kulesi sibuyekezo, sihlole ngaphansi kuka-10% wengqikithi yokusebenza kwesixazululo. Esihlokweni esilandelayo sizokhuluma ngamamojula asele we-Flowmon Networks. Sisebenzisa imojula Yokuqapha Ukusebenza Kwesicelo njengesibonelo, sizobonisa ukuthi abaphathi bezicelo zebhizinisi bangaqinisekisa kanjani ukutholakala ezingeni elinikeziwe le-SLA, kanye nokuxilonga izinkinga ngokushesha ngangokunokwenzeka.

Futhi, sithanda ukukumema ku-webinar yethu (10.09.2019/XNUMX/XNUMX) enikezelwe kuzixazululo zomthengisi we-Flowmon Networks. Ukuze ubhalise kusengaphambili, siyakucela bhalisa lapha.
Yilokho kuphela okwamanje, siyabonga ngentshisekelo yakho!

Abasebenzisi ababhalisiwe kuphela abangabamba iqhaza kuhlolovo. Ngena ngemvume, wamukelekile.

Ingabe usebenzisa i-Netflow ukuqapha inethiwekhi?

• Yebo

• Cha, kodwa ngiyahlela

• No

Bangu-9 abasebenzisi abavotile. Abasebenzisi abangu-3 bayenqaba.

Source: www.habr.com