I-ProHoster > Блог > Ukuphatha > Izixazululo zesimanje zokwakha izinhlelo zokuphepha kolwazi - abadayisi bephakethe lenethiwekhi (I-Network Packet Broker)

Izixazululo zesimanje zokwakha izinhlelo zokuphepha kolwazi - abadayisi bephakethe lenethiwekhi (I-Network Packet Broker)

Ukuvikeleka kolwazi kuhlukene nokuxhumana ngocingo kwaba imboni ezimele enemininingwane yayo kanye nezisetshenziswa zayo. Kepha kunesigaba samadivayisi esaziwa kancane emi ezimpambanweni ze-telecom kanye nokuphepha kolwazi - abathengisi bephakethe lenethiwekhi (I-Network Packet Broker), eyaziwa nangokuthi abalinganisi bomthwalo, amaswishi akhethekile/okuqapha, izihlanganisi zethrafikhi, I-Security Delivery Platform, Ukubonakala Kwenethiwekhi, njalo njalo. Futhi thina, njengonjiniyela waseRussia nomkhiqizi wamadivayisi anjalo, singathanda ngempela ukukutshela okwengeziwe ngawo.

Izixazululo zesimanje zokwakha izinhlelo zokuphepha kolwazi - abadayisi bephakethe lenethiwekhi (I-Network Packet Broker)

Ububanzi nemisebenzi okufanele ixazululwe

Abathengisi bephakethe lenethiwekhi bangamadivayisi akhethekile athole uhlelo lokusebenza olukhulu kumasistimu okuvikela ulwazi. Kanjalo, leli klasi lamadivayisi lisha futhi lincane kungqalasizinda yenethiwekhi evamile uma kuqhathaniswa namaswishi, amarutha, njll. Iphayona ekuthuthukisweni kwalolu hlobo lwedivayisi kwakuyinkampani yaseMelika iGigamon. Njengamanje, kunabadlali abaningi kakhulu kule makethe (kuhlanganise nomkhiqizi owaziwayo wezinhlelo zokuhlola, inkampani ye-IXIA, inezixazululo ezifanayo), kodwa yindilinga encane yochwepheshe esaziyo mayelana nokuba khona kwamadivayisi anjalo. Njengoba kuphawuliwe ngenhla, ngisho namagama asetshenziswayo awacacile: amagama asukela “kuzinhlelo zenethiwekhi ezibonisa izinto obala” kuya kumane “amabhalansi.”

Ngenkathi sithuthukisa ama-packet broker enethiwekhi, sasibhekene neqiniso lokuthi, ngaphezu kokuhlaziya izikhombisi-ndlela zokuthuthukiswa kokusebenza nokuhlola ezindaweni zokucwaninga/ezindaweni zokuhlola, kubalulekile ukuchazela abasebenzisi abangahle kanyekanye ukuba khona kwaleli klasi lemishini, ngoba akuwona wonke umuntu owaziyo ngakho.

Eminyakeni eyi-15-20 nje edlule bekune-traffic encane kunethiwekhi, futhi bekuyidatha engabalulekile kakhulu. Kodwa Umthetho kaNielsen uyaphinda Umthetho kaMoore: Isivinini sokuxhuma ku-inthanethi sikhuphuka minyaka yonke ngo-50%. Umthamo wethrafikhi nawo ukhula kancane kancane (igrafu ibonisa isibikezelo sezulu sango-2017 esivela ku-Cisco, umthombo we-Cisco Visual Networking Index: Forecast and Trends, 2017–2022):

Izixazululo zesimanje zokwakha izinhlelo zokuphepha kolwazi - abadayisi bephakethe lenethiwekhi (I-Network Packet Broker)
Kanye nesivinini, ukubaluleka kokusabalalisa ulwazi (lokhu kokubili imfihlo yezohwebo kanye nedatha yomuntu siqu edume kabi) kanye nokusebenza okuphelele kwengqalasizinda kuyanda.

Ngokuvumelana nalokho, imboni yezokuphepha yolwazi yavela. Imboni iphendule kulokhu ngokuvela kohlu olubanzi lwamadivayisi ajulile okuhlaziya i-traffic (DPI): kusukela ezinhlelweni zokuvimbela ukuhlasela kwe-DDOS kuya ezinhlelweni zokuphatha imicimbi yokuphepha kolwazi, okuhlanganisa i-IDS, i-IPS, i-DLP, i-NBA, i-SIEM, i-Antimailware njalonjalo. Ngokuvamile, ngalinye lalawa mathuluzi isofthiwe efakwe endaweni yeseva. Ngaphezu kwalokho, uhlelo ngalunye (ithuluzi lokuhlaziya) lufakwe endaweni yalo yesikhulumi seseva: abakhiqizi besofthiwe bahlukile, futhi ukuhlaziywa ku-L7 kudinga izinsiza eziningi zekhompiyutha.

Lapho wakha uhlelo lokuvikela ulwazi, kuyadingeka ukuxazulula izinkinga eziningi eziyinhloko:

  • indlela yokudlulisa ithrafikhi kusuka kungqalasizinda kuya ezinhlelweni zokuhlaziya? (Izimbobo ze-SPAN ezakhelwe le njongo ekuqaleni kwingqalasizinda yesimanje azanele ngobuningi noma ukusebenza)
  • indlela yokusabalalisa ithrafikhi phakathi kwezinhlelo ezihlukene zokuhlaziya?
  • kanjani ukukala amasistimu lapho ukusebenza kwesibonelo esisodwa sokuhlaziya kunganele ukucubungula yonke ivolumu yethrafikhi engena kuyo?
  • indlela yokuqapha ukuxhumana kwe-40G/100G (futhi esikhathini esizayo esiseduze i-200G/400G), njengoba amathuluzi okuhlaziya okwamanje asekela kuphela ukuxhumana kwe-1G/10G/25G?

Futhi imisebenzi elandelayo ehlobene:

  • Singakwazi kanjani ukunciphisa ithrafikhi engahlosiwe engadingi ukucutshungulwa, kodwa sifika kumathuluzi okuhlaziya futhi sisebenzise izinsiza zabo?
  • Ungacubungulwa kanjani amaphakethe namaphakethe ahlanganisiwe anamathegi wensiza wemishini, ukulungiswa kwawo lapho ukuhlaziya kuvele kusebenzise izinsiza noma akwenzeki nhlobo ukukusebenzisa?
  • ungakhipha kanjani ekuhlaziyweni enye yethrafikhi engalawulwa yinqubomgomo yezokuphepha (isibonelo, ithrafikhi yomphathi).

Izixazululo zesimanje zokwakha izinhlelo zokuphepha kolwazi - abadayisi bephakethe lenethiwekhi (I-Network Packet Broker)
Njengoba wonke umuntu azi, isidingo sidala ukunikezwa, futhi abathengisi bephakethe lenethiwekhi baqala ukuthuthukisa ngokuphendula lezi zidingo.

Incazelo evamile yabathengisi bephakethe lenethiwekhi

Abathengisi bephakethe lenethiwekhi basebenza ezingeni lephakethe, futhi ngale ndlela bafana nokushintsha okuvamile. Umehluko omkhulu ekushintsheni ukuthi imithetho yokusatshalaliswa kwethrafikhi kanye nokuhlanganisa kubathengi bephakethe lenethiwekhi inqunywa ngokuphelele izilungiselelo. Abadayisi bephakethe lenethiwekhi abanawo amazinga okwakha amathebula okudlulisela phambili (amathebula e-MAC) kanye nezivumelwano zokushintshisana nezinye izinguquko (ezifana ne-STP), ngakho-ke ububanzi bezilungiselelo ezingenzeka nezinkambu eziqondwa kuzo zibanzi kakhulu. Umdayiseli angakwazi ukusabalalisa ithrafikhi ngokulinganayo ukusuka embobeni yokufaka eyodwa noma ngaphezulu ukuya ebangeni elicacisiwe lembobo yokuphumayo enesici sokulinganisa ukulayisha. Ungasetha imithetho yokukopisha, ukuhlunga, ukuhlukanisa, ukuphindaphinda kanye nokuguqulwa kwethrafikhi. Le mithetho ingasetshenziswa emaqenjini ahlukene ezimbobo zokufaka umthengisi wephakethe lenethiwekhi, futhi ingasetshenziswa ngokulandelana ngokulandelana edivayisini ngokwayo. Inzuzo ebalulekile yomthengisi wephakethe yikhono lokucubungula ithrafikhi ngenani eligcwele lokugeleza nokugcina ubuqotho bezikhathi (endabeni yokulinganisa ithrafikhi kumasistimu amaningana e-DPI ohlobo olufanayo).

Ukugcina ubuqotho beseshini kuhlanganisa ukudlulisa wonke amaphakethe esendlalelo sezokuthutha (i-TCP/UDP/SCTP) embotsheni eyodwa. Lokhu kubalulekile ngoba amasistimu e-DPI (ngokuvamile isofthiwe esebenza kuseva exhunywe embobeni yokukhipha yomthengisi wephakethe) ahlaziya okuqukethwe kwethrafikhi ezingeni lohlelo lokusebenza, futhi wonke amaphakethe athunyelwe/amukelwe uhlelo lokusebenza olulodwa kufanele afike esimeni sokuhlaziya esifanayo . Uma amaphakethe avela kuseshini efanayo elahleka noma esatshalaliswa phakathi kwemishini ehlukene ye-DPI, idivayisi ngayinye ye-DPI izozithola isesimeni esifana nokufunda hhayi wonke umbhalo, kodwa amagama ngamanye asuka kuwo. Futhi, cishe, umbhalo ngeke uqondwe.

Ngakho-ke, ukugxila ezinhlelweni zokuphepha kolwazi, abadayisi bephakethe lenethiwekhi banokusebenza okusiza ukuxhuma izinhlelo zesoftware ye-DPI kumanethiwekhi okuxhumana ezokuxhumana anesivinini esikhulu futhi banciphise umthwalo kuwo: benza ukuhlunga kokuqala, ukuhlukaniswa nokulungiswa kwethrafikhi ukuze kube lula ukucubungula okulandelayo.

Ngaphezu kwalokho, njengoba abadayisi bephakethe lenethiwekhi bekhiqiza izibalo eziningi futhi bavame ukuxhunyaniswa namaphuzu ahlukahlukene kunethiwekhi, bathola indawo yabo lapho behlola izinkinga ngokusebenza kwengqalasizinda yenethiwekhi ngokwayo.

Imisebenzi eyisisekelo yabathengi bephakethe lenethiwekhi

Igama elithi “amaswishi akhethekile/okwengamela” livele enjongweni eyisisekelo: ukuqoqa ithrafikhi kusuka kungqalasizinda (ngokuvamile kusetshenziswa izixhumi ezibonakalayo ze-TAP kanye/noma izimbobo ze-SPAN) bese zisabalalisa phakathi kwamathuluzi okuhlaziya. Ithrafikhi iboniswa (yimpinda) phakathi kwamasistimu ezinhlobo ezahlukene, futhi ibhalansiswa phakathi kwamasistimu ohlobo olufanayo. Imisebenzi eyisisekelo ngokuvamile ihlanganisa ukuhlunga ngezinkambu ezifika ku-L4 (i-MAC, IP, imbobo ye-TCP/UDP, njll.) kanye nokuhlanganiswa kwamashaneli amaningana alayishwe kancane ibe yinye (isibonelo, ukucutshungulwa ohlelweni olulodwa lwe-DPI).

Lokhu kusebenza kunikeza isisombululo somsebenzi oyisisekelo wokuxhuma izinhlelo ze-DPI nengqalasizinda yenethiwekhi. Abathengi abavela kubakhiqizi abahlukahlukene, abanomkhawulo ekusebenzeni okuyisisekelo, bahlinzeka ngokucubungula kufikela ku-32 100G ukuxhumana nge-1U ngayinye (izixhumanisi ezengeziwe azilingani ngokomzimba kuphaneli yangaphambili ye-1U). Kodwa-ke, abawehlisi umthwalo kumathuluzi okuhlaziya, futhi kwingqalasizinda eyinkimbinkimbi abakwazi ngisho nokuhlinzeka ngezidingo zomsebenzi oyisisekelo: iseshini esatshalaliswa emhubheni amaningana (noma ifakwe omaka be-MPLS) ingaba engalingani phakathi kwezimo zokuhlaziya ezihlukene futhi ngokuvamile. aphume ekuhlaziyeni.

Ngaphezu kokwengeza ukuxhumana kwe-40/100G futhi, ngenxa yalokho, ukusebenza okwandayo, abathengisi bephakethe lenethiwekhi bathuthuka ngenkuthalo mayelana nokuhlinzeka ngamakhono amasha ayisisekelo: ukusuka ekulinganiseni okusekelwe kumaheda emhubhe esidlekeni kuya ekubhalweni kwethrafikhi. Ngeshwa, amamodeli anjalo awakwazi ukuziqhayisa ngokusebenza kwama-terabits, kodwa akuvumela ukuthi wakhe uhlelo lokuphepha lolwazi oluseqophelweni eliphezulu futhi “oluhle” ngokobuchwepheshe, lapho ithuluzi ngalinye lokuhlaziya liqinisekisiwe ukuthi lizothola kuphela ulwazi eliludingayo ngendlela elifaneleka kakhulu. ukuze kuhlaziywe.

Izici ze-Advanced Network Packet Broker

Izixazululo zesimanje zokwakha izinhlelo zokuphepha kolwazi - abadayisi bephakethe lenethiwekhi (I-Network Packet Broker)
1. Okukhulunywe ngenhla ukulinganisa okususelwe kuzihloko ezifakwe esidlekeni kuthrafikhi emhubhe.

Kungani ibalulekile? Ake sicabangele izici ezi-3 ezingagxeka ndawonye noma ngokwehlukana:

  • ukuqinisekisa ukulingana okufanayo phambi kwenani elincane lemigudu. Uma kukhona imihubhe emi-2 kuphela endaweni yokuxhumana yezinhlelo zokuphepha zolwazi, ngeke kwenzeke ukuthi ungalinganisi ngokwezihloko zangaphandle ezisekelweni zeseva ezi-3 ngenkathi ulondoloza iseshini. Ngesikhathi esifanayo, ithrafikhi kunethiwekhi idluliselwa ngokungalingani, futhi ukuqondisa umhubhe ngamunye endaweni yokucubungula ehlukile kuzodinga ukusebenza ngokweqile kwalokhu;
  • ukuqinisekisa ubuqotho bezikhathi nokugeleza kwamaphrothokholi e-multisession (isibonelo, i-FTP ne-VoIP), amaphakethe awo agcine engamathaneli ahlukene. Ubunkimbinkimbi bengqalasizinda yenethiwekhi bukhula njalo: ukuphindaphinda, ukwenziwa kwezinto ezibonakalayo, ukwenziwa lula kokuphatha, nokunye. Ngakolunye uhlangothi, lokhu kwandisa ukwethembeka mayelana nokudluliswa kwedatha, ngakolunye uhlangothi, kuhlanganisa ukusebenza kwezinhlelo zokuphepha kolwazi. Ngisho noma abahlaziyi benokusebenza okwanele ukuze bacubungule isiteshi esizinikele esinemigudu, inkinga ijika ingaxazululeki, njengoba amanye amaphakethe esikhathi somsebenzisi adluliselwa kwesinye isiteshi. Ngaphezu kwalokho, ngenkathi ezinye izingqalasizinda zisazama ukunakekela ubuqotho bezikhathi, izivumelwano ze-multisession zingathatha izindlela ezihluke ngokuphelele;
  • ukulinganisa phambi kwe-MPLS, i-VLAN, amathegi emishini ngayinye, njll. Akuwona amahubhu aqondile, kodwa nokho, okokusebenza okunokusebenza okuyisisekelo kungaqonda le thrafikhi njengokuthile okungeyona i-IP futhi ilinganisele ngokusekelwe kumakheli e-MAC, iphinde yephule ukufana kokulinganisa noma ubuqotho bezikhathi.

Umthengisi wephakethe lenethiwekhi ucoca izihloko zangaphandle futhi alandele ngokulandelana izikhombi kuze kufike kusihloko se-IP esidleke kanye namabhalansi kuso. Ngenxa yalokho, kunokugeleza okuningi ngokuphawulekayo (ngokuvumelana nalokho, kungase kungalinganisi ngokulinganayo futhi ngenani elikhulu lamapulatifomu), futhi uhlelo lwe-DPI luthola wonke amaphakethe weseshini kanye nazo zonke izikhathi ezihambisanayo zezivumelwano ze-multisession.

2. Ukuguqulwa kwethrafikhi.
Omunye wemisebenzi ebanzi ngokuya ngamakhono awo, kunemisebenzi eminingi engaphansi kanye nezinketho zokusetshenziswa kwazo:

  • ukususa umthwalo wokukhokha, kulokhu kuphela izihloko zephakethe ezidluliselwa ethuluzini lokuhlaziya. Lokhu kuhambisana namathuluzi okuhlaziya noma ezinhlotsheni zethrafikhi lapho okuqukethwe kwamaphakethe akunandaba noma kungakwazi ukuhlaziya. Isibonelo, ngedatha yokushintshisana ngethrafikhi ebethelwe (ubani, nobani, nini futhi kangakanani) engaba nenzalo, kodwa umthwalo okhokhelwayo empeleni uwudoti othatha isiteshi nezinsiza zekhompuyutha zomhlaziyi. Ukwehluka kungenzeka uma ukukhokhelwa kusikwa kusukela ku-offset enikeziwe - lokhu kunikeza ububanzi obungeziwe bamathuluzi okuhlaziya;
  • ukuqaqa, okuwukuthi ukususwa kwezihloko ezichaza kanye nokuhlonza imigudu. Umgomo uwukunciphisa umthwalo kumathuluzi okuhlaziya nokwandisa ukusebenza kahle kwawo. Ukukhipha i-detunneling kungase kusekelwe ku-offset engaguquki noma ngokuhlaziywa kwekhanda eliguqukayo kanye nokunqunywa kwe-offset yephakethe ngalinye;
  • ukususa ingxenye yezihloko zephakethe: amathegi e-MPLS, i-VLAN, izinkambu ezithile zemishini yezinkampani zangaphandle;
  • ukufihla ingxenye yezihloko, isibonelo, ukuvala amakheli e-IP ukuze kuqinisekiswe ukungaziwa kwethrafikhi;
  • ukwengeza ulwazi lwesevisi ephaketheni: isitembu sesikhathi, imbobo yokufaka, ilebula yesigaba sethrafikhi, njll.

3. Ukuphindaphinda - ukuhlanzwa kwamaphakethe ethrafikhi ayimpinda athunyelwa kumathuluzi okuhlaziya. Amaphakethe ayimpinda avame ukuvela ngenxa yesimo sokuxhumeka kwingqalasizinda - ithrafikhi ingadlula ezindaweni eziningana zokuhlaziya futhi iboniswe kusuka kwelinye ngalinye. Ukuthumela kabusha amaphakethe e-TCP ahlulekile nakho kuvamile, kodwa uma kukhona amaningi, khona-ke lezi yizinkinga ezingenzeka kakhulu ezihlobene nokuqapha ikhwalithi yenethiwekhi, kunokuphepha kolwazi kuyo.

4. Izici zokuhlunga ezithuthukisiwe - ukusuka ekufuneni amanani athile endaweni ethile kuya ekuhlaziyweni kwesiginesha kwalo lonke iphakethe.

5. Isizukulwane se-NetFlow/IPFIX - ukuqoqwa kwezibalo ezibanzi zethrafikhi edlulayo kanye nokudluliselwa kwayo kumathuluzi okuhlaziya.

6. Ukukhishwa kwemfihlo kwethrafikhi ye-SSL, isebenza ngaphandle kokuthi isitifiketi nokhiye kulayishwa kuqala kumthengisi wephakethe lenethiwekhi. Noma kunjalo, lokhu kukuvumela ukuthi ukhulule kakhulu amathuluzi okuhlaziya.

Kukhona imisebenzi eminingi eyengeziwe, ewusizo neyokuthengisa, kodwa eyinhloko cishe ibaliwe.

Ukuthuthukiswa kwamasistimu okubona (ukungena, ukuhlasela kwe-DDOS) kube amasistimu okuvinjelwa, kanye nokwethulwa kwamathuluzi e-DPI asebenzayo, kudinga ushintsho esikimini sokushintsha kusuka kokusetshenziswayo (nge-TAP noma izimbobo ze-SPAN) kuya ekusebenzeni (“esikhala ”). Lesi simo sandise izidingo zokuthembeka (njengoba ukwehluleka kuleli cala kuholela ekuphazanyisweni kwayo yonke inethiwekhi, futhi hhayi nje kuphela ekulahlekelweni kokulawula ukuphepha kolwazi) futhi kwaholela ekuthatheni indawo kwama-couplers optical nge-optical bypass (ukuxazulula inkinga ukuncika kokusebenza kwenethiwekhi ekusebenzeni kokuphepha kolwazi lwesistimu), kodwa ukusebenza okuyinhloko nezimfuneko zayo kuhlala kunjalo.

Senze i-DS Integrity Network Packet Brokers ene-100G, 40G kanye ne-10G yokusebenzelana kusukela ekwakhiweni nasekuklanyweni kwesekethe kuya ku-firmware. Ngaphezu kwalokho, ngokungafani nabanye abadayisi bephakethe, ukuguqulwa nokulinganisa imisebenzi yamaheda omhubhe afakwe esidlekeni asetshenziswa kuhadiwe, ngesivinini esigcwele sembobo.

Izixazululo zesimanje zokwakha izinhlelo zokuphepha kolwazi - abadayisi bephakethe lenethiwekhi (I-Network Packet Broker)

Source: www.habr.com

Engeza amazwana