Kukangaki uthenga into ngokuzenzakalelayo, unqotshwa isikhangiso esipholile, bese le nto oyifisa ekuqaleni iqoqa uthuli ekhabetheni, i-pantry noma igaraji kuze kube intwasahlobo elandelayo yokuhlanza noma ukuhambisa? Umphumela uba ukudumala ngenxa yokulindela okungenasizathu nokumoshwa kwemali. Kubi kakhulu uma lokhu kwenzeka ebhizinisini. Kaningi, imigilingwane yokumaketha mihle kangangokuthi izinkampani zithenga isixazululo esibizayo ngaphandle kokubona isithombe esigcwele sokusebenza kwaso. Khonamanjalo, ukuhlolwa kwesilingo sohlelo kusiza ukuqonda ukuthi ingqalasizinda ingalungiswa kanjani ukuze ididiyelwe, yikuphi ukusebenza nokuthi kufanele kuqaliswe ngezinga elingakanani. Ngale ndlela ungagwema inani elikhulu lezinkinga ngenxa yokukhetha umkhiqizo "ngokungaboni". Ngaphezu kwalokho, ukuqaliswa ngemva βkomshayeliβ onekhono kuzoletha onjiniyela abacekela phansi amangqamuzana ezinzwa nezinwele ezimpunga. Ake sithole ukuthi kungani ukuhlola komshayeli kubaluleke kangaka kuphrojekthi eyimpumelelo, kusetshenziswa isibonelo sethuluzi elidumile lokulawula ukufinyelela kunethiwekhi yezinkampani - i-Cisco ISE. Ake sicabangele kokubili izinketho ezijwayelekile nezingezona ezejwayelekile ngokuphelele zokusebenzisa isixazululo esihlangabezane naso ekusebenzeni kwethu.
I-Cisco ISE - "Iseva ye-Radius kuma-steroids"
I-Cisco Identity Services Engine (ISE) iyinkundla yokwakha uhlelo lokulawula ukufinyelela lwenethiwekhi yendawo yenhlangano. Emphakathini ochwepheshe, umkhiqizo waqanjwa ngokuthi "Iseva ye-Radius ku-steroids" ngenxa yezakhiwo zayo. Kungani kunjalo? Empeleni, isisombululo iseva ye-Radius, lapho inani elikhulu lezinsizakalo ezengeziwe kanye "namaqhinga" anamathiselwe, okukuvumela ukuthi uthole inani elikhulu lolwazi lomongo futhi usebenzise isethi ewumphumela yedatha kuzinqubomgomo zokufinyelela.
Njenganoma iyiphi enye iseva ye-Radius, i-Cisco ISE isebenzisana nemishini yenethiwekhi yezinga lokufinyelela, iqoqa ulwazi mayelana nayo yonke imizamo yokuxhuma kunethiwekhi yezinkampani futhi, ngokusekelwe kuzinqubomgomo zokuqinisekisa nokugunyazwa, ivumela noma inqabele abasebenzisi ku-LAN. Kodwa-ke, ukuba nokwenzeka kokwenza iphrofayela, ukuthumela, nokuhlanganiswa nezinye izixazululo zokuphepha kolwazi kwenza kube lula ukwenza inkimbinkimbi enengqondo yenqubomgomo yokugunyaza futhi ngaleyo ndlela kuxazululwe izinkinga ezinzima nezithakazelisa kakhulu.
Ukuqaliswa akukwazi ukulingwa: kungani udinga ukuhlolwa?
Inani lokuhlola ukuhlola ukukhombisa wonke amakhono esistimu nengqalasizinda ethile yenhlangano ethile. Ngikholwa ukuthi ukuhlola i-Cisco ISE ngaphambi kokuqaliswa kuzuzisa wonke umuntu obambe iqhaza kuphrojekthi, yingakho.
Lokhu kunikeza abahlanganisi umbono ocacile walokho okulindelwe yikhasimende futhi kusiza ekwakheni ukucaciswa kobuchwepheshe okulungile okuqukethe imininingwane eminingi kunebinzana elivamile elithi βqinisekisa ukuthi konke kuhamba kahle.β βUmshayeli wendizaβ usivumela ukuthi sizwe bonke ubuhlungu bekhasimende, siqonde ukuthi yimiphi imisebenzi eza kuqala kuye nokuthi iyiphi engeyesibili. Kithina, leli yithuba elihle kakhulu lokuthola kusengaphambili ukuthi iyiphi imishini esetshenziswa enhlanganweni, ukuthi ukuqaliswa kuzokwenzeka kanjani, kuziphi iziza, lapho zitholakala khona, njalonjalo.
Ngesikhathi sokuhlolwa komshayeli, amakhasimende abona uhlelo lwangempela lusebenza, ajwayelane nesixhumi esibonakalayo, angabheka ukuthi iyahambisana yini ne-hardware ekhona, futhi athole ukuqonda okuphelele kokuthi isisombululo sizosebenza kanjani ngemva kokuqaliswa okuphelele. I-βPilotβ iwona kanye umzuzu lapho ungabona khona zonke izingibe okungenzeka ukuthi uzohlangabezana nazo ngesikhathi sokuhlanganisa, bese unquma ukuthi mangaki amalayisense okufanele uwathenge.
Yini "engavela" ngesikhathi "somshayeli"
Ngakho-ke, uzilungiselela kanjani kahle ukusebenzisa i-Cisco ISE? Kusukela kokuhlangenwe nakho kwethu, sibale amaphuzu angu-4 abalulekile abalulekile okufanele acatshangelwe ngesikhathi sokuhlolwa kokuhlolwa kwesistimu.
Isici sefomu
Okokuqala, udinga ukunquma ukuthi yiluphi uhlobo lwesici uhlelo oluzosetshenziswa: umugqa obonakalayo noma obonakalayo. Inketho ngayinye inezinzuzo nezinkinga. Isibonelo, amandla e-upline engokomzimba ukusebenza kwawo okubikezelwayo, kodwa akumele sikhohlwe ukuthi imishini enjalo iphelelwa yisikhathi ngokuhamba kwesikhathi. Ama-upline abonakalayo awabikezeleki kangako ngoba... zincike ku-hardware lapho imvelo ye-virtualization isetshenziswa khona, kodwa banenzuzo enkulu: uma ukusekelwa kutholakala, bangabuyekezwa njalo enguqulweni yakamuva.
Ingabe okokusebenza kwenethiwekhi yakho kuyahambisana ne-Cisco ISE?
Kunjalo, isimo esikahle kungaba ukuxhuma zonke izisetshenziswa ohlelweni ngesikhathi esisodwa. Nokho, lokhu akwenzeki ngaso sonke isikhathi njengoba izinhlangano eziningi zisasebenzisa amaswishi angaphethwe noma amaswishi angawasekeli obunye bobuchwepheshe obusebenzisa i-Cisco ISE. Ngendlela, asikhulumi nje ngokushintsha, kungase futhi kube izilawuli zenethiwekhi ezingenazintambo, ama-concentrator e-VPN nanoma yimuphi omunye umshini abasebenzisi abaxhuma kuwo. Ngokwenza kwami, kuye kwaba nezimo lapho, ngemva kokubonisa uhlelo ukuze lusetshenziswe ngokugcwele, ikhasimende lithuthukise cishe yonke imikhumbi yezinga lokufinyelela kumishini yesimanje yeCisco. Ukuze ugweme izimanga ezingajabulisi, kufanelekile ukuthola kusengaphambili inani lemishini engasekelwe.
Ingabe zonke izisetshenziswa zakho zisezingeni?
Noma iyiphi inethiwekhi inamadivayisi ajwayelekile okungafanele kube nzima ukuxhuma kuwo: iziteshi zokusebenza, amafoni we-IP, izindawo zokufinyelela ze-Wi-Fi, amakhamera wevidiyo, njalo njalo. Kodwa futhi kwenzeka ukuthi amadivaysi angewona ajwayelekile adinga ukuxhunywa ku-LAN, isibonelo, iziguquli zesiginali yebhasi ye-RS232/Ethernet, izixhumanisi zamandla angenakuphazamiseka, imishini ehlukahlukene yezobuchwepheshe, njll. Kubalulekile ukunquma uhlu lwamadivayisi anjalo kusengaphambili. , ukuze esigabeni sokuqalisa usuvele unokuqonda ukuthi ngobuchwepheshe bazosebenza kanjani ne-Cisco ISE.
Ingxoxo eyakhayo nochwepheshe be-IT
Amakhasimende e-Cisco ISE avame ukuba yiminyango yezokuphepha, kuyilapho iminyango ye-IT ivamise ukuba nesibopho sokumisa amaswishi engqimba yokufinyelela kanye ne-Active Directory. Ngakho-ke, ukusebenzisana okuphumelelayo phakathi kochwepheshe bezokuphepha kanye nochwepheshe be-IT kungenye yezimo ezibalulekile zokuqaliswa okungenabuhlungu kwesistimu. Uma laba bamuva bebona ukuhlanganiswa nobutha, kufanelekile ukubachazela ukuthi isisombululo sizoba usizo kanjani emnyangweni we-IT.
Amacala angu-5 aphezulu okusebenzisa i-Cisco ISE
Kokuhlangenwe nakho kwethu, ukusebenza okudingekayo kwesistimu nakho kukhonjwa esigabeni sokuhlola umshayeli. Ngezansi amanye amacala asetshenziswa kakhulu futhi angajwayelekile kakhulu esixazululo.
Vikela ukufinyelela kwe-LAN ngocingo nge-EAP-TLS
Njengoba imiphumela yocwaningo lwe-pentesters yethu ibonisa, ngokuvamile ukungena kunethiwekhi yenkampani, abahlaseli basebenzisa amasokhethi ajwayelekile lapho amaphrinta, amafoni, amakhamera we-IP, amaphuzu e-Wi-Fi namanye amadivaysi enethiwekhi okungewona awomuntu axhumeke kuwo. Ngakho-ke, ngisho noma ukufinyelela kwenethiwekhi kusekelwe kubuchwepheshe be-dot1x, kodwa ezinye izimiso eziyisisekelo zisetshenziswa ngaphandle kokusebenzisa izitifiketi zokuqinisekisa zomsebenzisi, maningi amathuba okuba kube nokuhlasela okuphumelelayo ngokuvinjwa kweseshini kanye namaphasiwedi anonya. Endabeni ye-Cisco ISE, kuzoba nzima kakhulu ukweba isitifiketi - ngenxa yalokhu, abaduni bazodinga amandla amaningi e-computing, ngakho-ke leli cala lisebenza kakhulu.
Ukufinyelela okungenantambo kwe-Dual-SSID
Umongo walesi simo ukusebenzisa izihlonzi zenethiwekhi (SSIDs) ezingu-2. Omunye wabo angabizwa ngokwemibandela ngokuthi "isivakashi". Ngayo, izivakashi nabasebenzi benkampani bangafinyelela inethiwekhi engenantambo. Lapho bezama ukuxhuma, lezi zokugcina ziqondiswa kabusha kuphothali ekhethekile lapho ukunikezwa kwenzeka khona. Okusho ukuthi, umsebenzisi unikezwa isitifiketi futhi idivayisi yakhe yomuntu siqu ilungiselelwe ukuthi ixhume kabusha ngokuzenzakalelayo ku-SSID yesibili, esevele isebenzisa i-EAP-TLS nazo zonke izinzuzo zecala lokuqala.
I-Bypass yokuqinisekisa ye-MAC kanye nokwenza iphrofayela
Esinye isimo sokusetshenziswa esidumile ukuthola ngokuzenzakalelayo uhlobo lwedivayisi exhunywe futhi usebenzise imikhawulo efanele kuyo. Kungani ethakazelisa? Iqiniso wukuthi kusenenqwaba yamadivayisi angakusekeli ukuqinisekiswa kusetshenziswa iphrothokholi ye-802.1X. Ngakho-ke, amadivaysi anjalo kufanele avunyelwe ukungena kunethiwekhi esebenzisa ikheli le-MAC, okulula kakhulu ukulikhohlisa. Yilapho i-Cisco ISE isiza khona: ngosizo lwesistimu, ungabona ukuthi idivayisi iziphatha kanjani kunethiwekhi, yakha iphrofayili yayo futhi yabela iqembu lamanye amadivaysi, isibonelo, ifoni ye-IP kanye nendawo yokusebenza. . Uma umhlaseli ezama ukukhohlisa ikheli le-MAC futhi axhume kunethiwekhi, isistimu izobona ukuthi iphrofayela yedivayisi ishintshile, izobonisa ukuziphatha okusolisayo futhi ngeke ivumele umsebenzisi osolisayo ukuthi angene kunethiwekhi.
I-EAP-Chaining
Ubuchwepheshe be-EAP-Chaining bubandakanya ukuqinisekiswa okulandelanayo kwe-PC esebenzayo kanye ne-akhawunti yomsebenzisi. Leli cala selisabalele ngoba... Izinkampani eziningi namanje azikukhuthazi ukuxhuma amagajethi omuntu siqu ezisebenzi ku-LAN yebhizinisi. Usebenzisa le ndlela yokuqinisekisa, kungenzeka ukuhlola ukuthi indawo yokusebenza ethile iyilungu lesizinda, futhi uma umphumela ungemuhle, umsebenzisi ngeke avunyelwe ukungena kunethiwekhi, noma uzokwazi ukungena, kodwa ngokuthile. imikhawulo.
Ukuthumela
Leli cala limayelana nokuhlola ukuhambisana kwesoftware yendawo yokusebenza nezidingo zokuphepha kolwazi. Usebenzisa lobu buchwepheshe, ungabheka ukuthi isofthiwe endaweni yokusebenza ibuyekeziwe yini, noma ngabe izinyathelo zokuphepha zifakiwe kuso, noma ngabe i-firewall yomsingathi imisiwe, njll. Kuyathakazelisa ukuthi lobu buchwepheshe bukuvumela ukuthi uxazulule eminye imisebenzi engahlobene nokuphepha, isibonelo, ukuhlola ukuba khona kwamafayela adingekayo noma ukufaka isofthiwe yohlelo olubanzi.
Izimo ezingajwayelekile zokusetshenziswa ze-Cisco ISE zifaka phakathi ukulawula ukufinyelela okunokuqinisekiswa kwesizinda ukusuka ekugcineni kuye ekupheleni (I-Passive ID), ukuhlukaniswa okuncane okususelwa ku-SGT nokuhlunga, kanye nokuhlanganiswa nezinhlelo zokuphatha idivayisi yeselula (MDM) kanye Nezikena Ezisengozini.
Amaphrojekthi angajwayelekile: kungani futhi ungadinga i-Cisco ISE, noma izehlakalo ezi-3 ezingavamile ekusebenzeni kwethu
Ukulawula ukufinyelela kumaseva asekelwe ku-Linux
Sake saxazulula icala elingelona elincane lelinye lamakhasimende ayesevele enohlelo lwe-Cisco ISE oluqalisiwe: kwakudingeka sithole indlela yokulawula izenzo zabasebenzisi (ikakhulukazi abalawuli) kumaseva afakwe i-Linux. Sifuna impendulo, siqhamuke nombono wokusebenzisa isoftware ye-PAM Radius Module yamahhala, ekuvumela ukuthi ungene kumaseva asebenzisa i-Linux enobuqiniso kuseva engaba yi-radius yangaphandle. Konke mayelana nalokhu kungaba kuhle, uma kungenjalo "kodwa" eyodwa: iseva yerediyasi, ithumela impendulo esicelweni sokuqinisekisa, inikeza igama le-akhawunti kuphela nomphumela - ukuhlola kwamukelwe noma ukuhlola kunqatshiwe. Phakathi naleso sikhathi, ukuze uthole ukugunyazwa ku-Linux, udinga ukunikeza okungenani ipharamitha eyodwa ngaphezulu - uhla lwemibhalo lwasekhaya, ukuze umsebenzisi okungenani athole ndawo. Asizange sithole indlela yokunikeza lokhu njengesibaluli serediyasi, ngakho-ke sibhale umbhalo okhethekile wokudala ukude ama-akhawunti kubasingathi ngemodi ezenzakalelayo. Lo msebenzi wawungenzeka ngempela, njengoba sasibhekene nama-akhawunti omlawuli, inani lawo lalingelikhulu kangako. Okulandelayo, abasebenzisi bangene kudivayisi edingekayo, ngemva kwalokho babelwa ukufinyelela okudingekile. Kuphakama umbuzo ophusile: ingabe kuyadingeka ukusebenzisa i-Cisco ISE ezimweni ezinjalo? Empeleni, cha - noma iyiphi iseva yerediyasi izokwenza, kodwa njengoba ikhasimende selivele linale sistimu, simane sengeze isici esisha kuyo.
Uhlu lwehadiwe nesoftware ku-LAN
Sake sasebenza kuphrojekthi yokuphakela i-Cisco ISE kukhasimende elilodwa ngaphandle βkomshayeliβ wokuqala. Bezingekho izidingo ezicacile zesixazululo, futhi besisebenzelana nenethiwekhi eyisicaba, engahlukanisiwe, okwenza umsebenzi wethu waba nzima. Ngesikhathi sephrojekthi, silungiselele zonke izindlela zokuphrofayili ezingaba khona ezisekelwa inethiwekhi: I-NetFlow, i-DHCP, i-SNMP, ukuhlanganiswa kwe-AD, njll. Ngenxa yalokho, ukufinyelela kwe-MAR kwalungiselelwa amandla okungena kunethiwekhi uma ukuqinisekiswa kwehlulekile. Okusho ukuthi, noma ukuqinisekiswa akuphumelelanga, uhlelo belusavumela umsebenzisi ukuthi angene kunethiwekhi, aqoqe ulwazi ngaye futhi aluqophe ku-database ye-ISE. Lokhu kuqapha kwenethiwekhi emavikini ambalwa kwasisiza ukuthi sibone amasistimu axhunyiwe namadivayisi okungewona awomuntu siqu futhi sakhe indlela yokuwahlukanisa. Ngemva kwalokhu, siphinde salungisa ukuthunyelwa kokufaka i-ejenti ezindaweni zokusebenza ukuze siqoqe ulwazi mayelana nesofthiwe efakwe kuzo. Uyini umphumela? Sikwazile ukuhlukanisa inethiwekhi futhi sanquma uhlu lwesofthiwe obekufanele lususwe ezindaweni zokusebenza. Ngeke ngifihle ukuthi eminye imisebenzi yokusabalalisa abasebenzisi emaqenjini esizinda kanye nokuchaza amalungelo okufinyelela kusithathe isikhathi esiningi, kodwa ngale ndlela sithole isithombe esiphelele sokuthi yiziphi izingxenyekazi zehadiwe ikhasimende elinazo kunethiwekhi. Ngendlela, lokhu akubanga nzima ngenxa yomsebenzi omuhle wokuphrofayili ngaphandle kwebhokisi. Hhayi-ke, lapho ukwenza iphrofayili kungazange kusize, sazibheka, sigqamisa indawo yokushintsha lapho imishini ixhumeke khona.
Ukufakwa kwesilawuli kude kwesofthiwe ezindaweni zokusebenza
Leli cala lingelinye elixakile ekusebenzeni kwami. Ngolunye usuku, ikhasimende lafika kithi likhala licela usizo - kukhona okungahambanga kahle ngenkathi kuqaliswa i-Cisco ISE, yonke into yaphuka, futhi akekho omunye owayekwazi ukufinyelela inethiwekhi. Saqala ukuyibheka futhi sathola okulandelayo. Le nkampani yayinamakhompiyutha angu-2000, okuthi, uma kungekho isilawuli sesizinda, ayephethwe ngaphansi kwe-akhawunti yomqondisi. Ngenhloso yokubuka, inhlangano isebenzise i-Cisco ISE. Kwakudingeka ngandlela thize ukuqonda ukuthi ingabe i-antivirus ifakiwe kuma-PC akhona, noma ngabe imvelo yesofthiwe ibuyekeziwe, njll. Futhi njengoba abaphathi be-IT befake imishini yenethiwekhi ohlelweni, kunengqondo ukuthi babekwazi ukuyifinyelela. Ngemuva kokubona ukuthi kusebenza kanjani kanye nokuqopha ama-PC abo, abaphathi baqhamuke nombono wokufaka isoftware ezindaweni zokusebenza zabasebenzi ukude ngaphandle kokuvakasha komuntu siqu. Cabanga nje ukuthi zingaki izinyathelo ongazigcina ngosuku ngale ndlela! Abalawuli bahlole kaningana indawo yokusebenza ukuze bathole ukuba khona kwefayela elithile ohlwini lwemibhalo C:Amafayela Ohlelo, futhi uma lingekho, ukulungisa okuzenzakalelayo kwaqaliswa ngokulandela isixhumanisi esiholela ekugcineni ifayela ekufakweni kwefayela elithi .exe. Lokhu kwavumela abasebenzisi abajwayelekile ukuthi baye ekwabelaneni kwefayela futhi balande isofthiwe edingekayo kusukela lapho. Ngeshwa, umlawuli ubengalwazi kahle uhlelo lwe-ISE futhi walimaza izindlela zokuthumela - wabhala inqubomgomo ngokungalungile, okuholele enkingeni ebesihileleke ekuyixazululeni. Ngokwami, ngimangele ngobuqotho indlela enjalo yokudala, ngoba kungaba ishibhile kakhulu futhi kungadingi abasebenzi abaningi ukudala isilawuli sesizinda. Kodwa njengobufakazi bomqondo kwasebenza.
Funda kabanzi mayelana nama-nuances wezobuchwepheshe avela lapho kusetshenziswa i-Cisco ISE esihlokweni sozakwethu .
Artem Bobrikov, unjiniyela wokuklama weSikhungo Sokuphepha Kolwazi kwaJet Infosystems
I-Afterword:
Naphezu kweqiniso lokuthi lokhu okuthunyelwe kukhuluma ngohlelo lwe-Cisco ISE, izinkinga ezichazwe zifanelekile kulo lonke ikilasi lezixazululo ze-NAC. Akubalulekile kangako ukuthi isiphi isisombululo somthengisi esihlelelwe ukuqaliswa - okuningi kwalokhu okungenhla kuzohlala kusebenza.
Source: www.habr.com