Enterprise Network Function Virtualization Infrastructure Software

Product Information

Specifications

  • NFVIS software version: 3.7.1 and later
  • RPM signing and signature verification are supported
  • Secure boot is available (disabled by default)
  • The Secure Unique Device Identification (SUDI) mechanism is used

Security Considerations

The NFVIS software ensures security through several mechanisms:

  • Image Tamper Protection: RPM signing and signature verification
    for all RPM packages in the ISO and upgrade images.
  • RPM Signing: All RPM packages in the Cisco Enterprise NFVIS ISO
    and upgrade images are signed to ensure cryptographic integrity and
    authenticity.
  • RPM Signature Verification: The signature of every RPM package is
    verified before installation or upgrade.
  • Image Integrity Verification: The hash of the Cisco NFVIS ISO image
    and of the upgrade image is published to ensure the integrity of the
    additional non-RPM files.
  • ENCS Secure Boot: Part of the UEFI standard; ensures that the
    device boots using only trusted software.
  • Secure Unique Device Identification (SUDI): Provides the device
    with an immutable identity to verify its authenticity.

Installation

To install the NFVIS software, follow these steps:

  1. Ensure that the software image has not been tampered with by
    verifying its signature and integrity.
  2. If you are using Cisco Enterprise NFVIS 3.7.1 and later, ensure that
    signature verification passes during installation. If it fails,
    the installation is aborted.
  3. If you are upgrading from Cisco Enterprise NFVIS 3.6.x to Release
    3.7.1, the RPM signatures are verified during the upgrade. If
    signature verification fails, an error is logged but the upgrade is
    completed.
  4. If you are upgrading from Release 3.7.1 to a later release, the RPM
    signatures are verified when the upgrade image is registered. If
    signature verification fails, the upgrade is aborted.
  5. Verify the hash of the Cisco NFVIS ISO image or upgrade image
    using the command: /usr/bin/sha512sum <image_filepath>.
    Compare the hash with the published hash to ensure integrity.

Secure Boot

Secure boot is a feature available on ENCS (disabled by default)
that ensures the device boots using only trusted software. To
enable secure boot:

  1. Refer to the documentation on Secure Boot of Host for more
    information.
  2. Follow the instructions provided to enable secure boot on your
    device.

Secure Unique Device Identification (SUDI)

SUDI provides NFVIS with an immutable identity, verifying that it
is a genuine Cisco product and ensuring that it is recognized in the
customer's inventory system.

FAQ

Q: What is NFVIS?

A: NFVIS stands for Network Function Virtualization
Infrastructure Software. It is a software platform used to deploy
and manage network functions.

Q: How can I verify the integrity of the NFVIS ISO image or
upgrade image?

A: To verify integrity, use the command
/usr/bin/sha512sum <image_filepath> and compare the
hash with the published hash provided by Cisco.

Q: Is secure boot enabled by default on ENCS?

A: No, secure boot is disabled by default on ENCS. It is
recommended that you enable secure boot for added protection.

Q: What is the purpose of SUDI in NFVIS?

A: SUDI gives NFVIS a unique and immutable identity,
ensuring its authenticity as a Cisco product and facilitating its
recognition in the customer's inventory system.

Security Considerations
This chapter describes the security features and considerations in NFVIS. It gives a high-level overview of the security-related components in NFVIS so that you can plan a security strategy for your own deployments. It also has recommendations on security best practices for enforcing the core elements of network security. The NFVIS software has security embedded right from installation through all software layers. The subsequent sections focus on these out-of-the-box security aspects such as credential management, integrity and tamper protection, session management, secure device access and more.

· Installation
· Secure Unique Device Identification
· Device Access
· Infrastructure Management Network
· Locally Stored Information Protection
· File Transfer
· Logging
· Virtual Machine security
· VM Isolation and Resource provisioning
· Secure Development Lifecycle

Installation
To ensure that the NFVIS software has not been tampered with, the software image is verified before installation using the following mechanisms:

Image Tamper Protection
NFVIS supports RPM signing and signature verification for all RPM packages in the ISO and upgrade images.

RPM Signing

All RPM packages in the Cisco Enterprise NFVIS ISO and upgrade images are signed to ensure cryptographic integrity and authenticity. This guarantees that the RPM packages have not been tampered with and that the RPM packages are from NFVIS. The private key used for signing the RPM packages is created and securely maintained by Cisco.

RPM Signature Verification

The NFVIS software verifies the signature of all the RPM packages before installation or upgrade. The following table describes the Cisco Enterprise NFVIS behavior when the signature verification fails during an installation or upgrade.

Scenario | Description
Cisco Enterprise NFVIS 3.7.1 and later installations | If the signature verification fails while installing Cisco Enterprise NFVIS, the installation is aborted.
Cisco Enterprise NFVIS upgrade from 3.6.x to Release 3.7.1 | The RPM signatures are verified when the upgrade is being performed. If the signature verification fails, an error is logged but the upgrade is completed.
Cisco Enterprise NFVIS upgrade from Release 3.7.1 to later releases | The RPM signatures are verified when the upgrade image is registered. If the signature verification fails, the upgrade is aborted.

Image Integrity Verification
RPM signing and signature verification can be done for the RPM packages available in the Cisco NFVIS ISO and upgrade images. To ensure the integrity of all the additional non-RPM files available in the Cisco NFVIS ISO image, a hash of the Cisco NFVIS ISO image is published along with the image. Similarly, a hash of the Cisco NFVIS upgrade image is published along with the image. To verify that the hash of the Cisco NFVIS ISO image or upgrade image matches the hash published by Cisco, run the following command and compare the hash with the published hash:
% /usr/bin/sha512sum <ImageFile>
c2122783efc18b039246ae1bcd4eec4e5e027526967b5b809da5632d462dfa6724a9b20ec318c74548c6bd7e9b8217ce96b5ece93dcdd74fda5e01bb382ad607 <ImageFile>
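
The hash comparison above can be scripted so that it does not depend on reading 128 hex digits by eye. The following Python code is an added example, not part of the Cisco documentation; the function names and the small constructed file standing in for an image are assumptions. It hashes the file in chunks and accepts only a complete published digest, so a truncated value never counts as a match.

```python
import hashlib
import hmac
import os
import re
import tempfile

_SHA512_HEX = re.compile(r"[0-9a-f]{128}")


def parse_published_sha512(text):
    """Return the digest from a published value.

    Accepts a bare digest or a full sha512sum line ("<digest>  <file>"),
    in either letter case. A truncated or padded digest is rejected, so a
    match on only the first few characters can never count as verified.
    """
    fields = text.split()
    if not fields:
        raise ValueError("published hash is empty")
    digest = fields[0].lower()
    if not _SHA512_HEX.fullmatch(digest):
        raise ValueError("published value is not a 128-hex-digit SHA-512 digest")
    return digest


def sha512_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a multi-gigabyte ISO is never loaded whole."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def image_matches_published_hash(path, published):
    """True only if the whole file hashes to the full published digest."""
    expected = parse_published_sha512(published)
    return hmac.compare_digest(sha512_of_file(path), expected)


def run_constructed_demo():
    """Exercise the check on a small constructed file standing in for an image."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "constructed-image.iso")
        with open(image, "wb") as f:
            f.write(b"constructed image contents\n" * 1000)
        # Constructed "published" line in sha512sum format, upper case on purpose.
        published = sha512_of_file(image).upper() + "  constructed-image.iso\n"
        results["intact"] = image_matches_published_hash(image, published)

        with open(image, "ab") as f:          # one appended byte = modified image
            f.write(b"\x00")
        results["modified"] = image_matches_published_hash(image, published)

        try:
            image_matches_published_hash(image, published[:16])
            results["truncated_hash"] = "accepted"
        except ValueError:
            results["truncated_hash"] = "rejected"
    return results


if __name__ == "__main__":
    print(run_constructed_demo())
```
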
ENCS Secure Boot
Secure boot is part of the Unified Extensible Firmware Interface (UEFI) standard, which ensures that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When NFVIS starts, the firmware checks the signature of the boot software and the operating system. If the signatures are valid, the device boots, and the firmware gives control to the operating system.
Secure boot is available on the ENCS but is disabled by default. Cisco recommends that you enable secure boot. For more information, see Secure Boot of Host.
Secure Unique Device Identification
NFVIS uses a mechanism known as Secure Unique Device Identification (SUDI), which provides it with an immutable identity. This identity is used to verify that the device is a genuine Cisco product, and to ensure that the device is well known to the customer's inventory system.
The SUDI is an X.509v3 certificate and an associated key pair which are protected in hardware. The SUDI certificate contains the product identifier and serial number and is rooted in Cisco Public Key Infrastructure. The key pair and the SUDI certificate are inserted into the hardware module during manufacturing, and the private key can never be exported.
The SUDI-based identity can be used to perform authenticated and automated configuration using Zero Touch Provisioning (ZTP). This enables secure, remote on-boarding of devices, and ensures that the orchestration server is talking to a genuine NFVIS device. A backend system can issue a challenge to the NFVIS device to validate its identity, and the device responds to the challenge using its SUDI-based identity. This allows the backend system to verify that the right device is in the right location and also to provide encrypted configuration that can only be opened by that specific device, thereby ensuring confidentiality in transit.
The following workflow diagrams illustrate how NFVIS uses SUDI:

Figure 1: Plug and Play (PnP) Server Authentication

Figure 2: Plug and Play Device Authentication and Authorization

Device Access
NFVIS provides different access mechanisms, including console as well as remote access based on protocols such as HTTPS and SSH. Each access mechanism should be carefully reviewed and configured. Ensure that only the required access mechanisms are enabled and that they are properly secured. The key steps to securing both interactive and management access to NFVIS are to restrict the device accessibility, restrict the capabilities of the permitted users to what is required, and restrict the permitted methods of access. NFVIS ensures that access is granted only to authenticated users and that they can perform just the authorized actions. Device access is logged for auditing, and NFVIS ensures the confidentiality of the locally stored sensitive data. It is critical to establish the appropriate controls in order to prevent unauthorized access to NFVIS. The following sections describe the best practices and configurations to achieve this:

Enforced Password Change at First Login
Default credentials are a frequent source of product security incidents. Customers often forget to change the default login credentials, leaving their systems open to attack. To prevent this, the NFVIS user is forced to change the password after the first login using the default credentials (username: admin and password Admin123#). For more information, see Accessing NFVIS.
Restricting Login Vulnerabilities
You can prevent the vulnerability to dictionary and Denial of Service (DoS) attacks by using the following features.
Enforcement of Strong Password
An authentication mechanism is only as strong as its credentials. For this reason, it is important to ensure that users have strong passwords. NFVIS checks that a strong password is configured as per the following rules. The password must contain:
· At least one uppercase character
· At least one lowercase character
· At least one number
· At least one of these special characters: hash (#), underscore (_), hyphen (-), asterisk (*), or question mark (?)
· Seven characters or more
Configuring Minimum Length for Passwords
Lack of password complexity, particularly password length, significantly reduces the search space when attackers try to guess user passwords, making brute-force attacks much easier. The admin user can configure the minimum length required for the passwords of all users. The minimum length must be between 7 and 128 characters. By default, the minimum length required for passwords is set to 7 characters.
CLI:
nfvis(config)# rbac authentication min-pwd-length 9
API:
/api/config/rbac/authentication/min-pwd-length
Configuring Password Lifetime
The password lifetime determines how long a password can be used before the user is required to change it.

The admin user can configure minimum and maximum lifetime values for the passwords of all users and enforce a rule to check these values. The default minimum lifetime value is set to 1 day and the default maximum lifetime value is set to 1 day. When a minimum lifetime value is configured, the user cannot change the password until the specified number of days has passed. Similarly, when a maximum lifetime value is configured, the user must change the password before the specified number of days passes. If a user does not change the password and the specified number of days has passed, a notification is sent to the user.
Note: The minimum and maximum lifetime values and the rule to check for these values are not applied to the admin user.
CLI:
configure terminal rbac authentication password-lifetime enforce true min-days 2 max-days 30 commit
API:
/api/config/rbac/authentication/password-lifetime/
Limit previous password reuse
Without preventing the use of previous passwords, password expiry is largely useless, since users can simply change the password and then change it back to the original. NFVIS checks that the new password is not the same as one of the 5 previously used passwords. One exception to this rule is that the admin user can change the password to the default password even if it was one of the 5 previously used passwords.
Restrict Frequency of login attempts
If a remote peer is allowed to log in an unlimited number of times, it may eventually be able to guess the login credentials by brute force. Since passwords are often easy to guess, this is a common attack. By limiting the rate at which the peer can attempt logins, we prevent this attack. We also avoid spending system resources on unnecessarily authenticating these brute-force login attempts, which could create a Denial of Service attack. NFVIS enforces a 5 minute user lockdown after 10 failed login attempts.
Disable inactive user accounts
Monitoring user activity and disabling unused or stale user accounts helps to secure the system from insider attacks. The unused accounts should eventually be removed. The admin user can enforce a rule to mark unused user accounts as inactive and configure the number of days after which an unused user account is marked as inactive. Once marked as inactive, that user cannot log in to the system. To allow the user to log in to the system, the admin user can activate the user account.
Note: The inactivity period and the rule to check the inactivity period are not applied to the admin user.

The following CLI and API can be used to configure the enforcement of account inactivity.
CLI:
configure terminal rbac authentication account-inactivity enforce true inactivity-days 30 commit
API:
/api/config/rbac/authentication/account-inactivity/
The default value for inactivity-days is 35.
Activating an Inactive User Account
The admin user can activate the account of an inactive user using the following CLI and API:
CLI:
configure terminal rbac authentication users user guest_user activate commit
API:
/api/operations/rbac/authentication/users/username/activate

Enforce Setting of BIOS and CIMC Passwords

Table 1: Feature History Table

Feature Name | Release Information | Description
Enforce Setting of BIOS and CIMC Passwords | NFVIS 4.7.1 | This feature enforces the user to change the CIMC and BIOS passwords.

Restrictions for Enforcing Setting of BIOS and CIMC Passwords
· This feature is only supported on Cisco Catalyst 8200 UCPE and Cisco ENCS 5400 platforms.
· This feature is only supported on a fresh install of NFVIS 4.7.1 and later releases. If you upgrade from NFVIS 4.6.1 to NFVIS 4.7.1, this feature is not supported and you are not prompted to reset the BIOS and CIMC passwords, even if the BIOS and CIMC passwords are not configured.

Information About Enforcing Setting of BIOS and CIMC Passwords
This feature addresses a security gap by enforcing the reset of the BIOS and CIMC passwords after a fresh install of NFVIS 4.7.1. The default CIMC password is password and the default BIOS password is no password.
To fix the security gap, you are required to configure the BIOS and CIMC passwords in ENCS 5400. During a fresh install of NFVIS 4.7.1, if the BIOS and CIMC passwords have not been changed and still have the default passwords, you are prompted to change both the BIOS and CIMC passwords. If only one of them requires a reset, you are prompted to reset the password for only that component. Cisco Catalyst 8200 UCPE requires only the BIOS password, and hence only the BIOS password reset is prompted, if it has not already been set.
Note: If you upgrade from NFVIS 4.7.1 or a later release, you can change the BIOS and CIMC passwords using the hostaction change-bios-password newpassword or hostaction change-cimc-password newpassword commands.
For more information about BIOS and CIMC passwords, see BIOS and CIMC Password.
Configuration Examples for Enforced Resetting of BIOS and CIMC Passwords
1. When you install NFVIS 4.7.1, you must first reset the default admin password.
Cisco Network Function Virtualization Infrastructure Software (NFVIS)
NFVIS Version: 99.99.0-1009
Copyright (c) 2015-2021 by Cisco Systems, Inc. Cisco, Cisco Systems, and Cisco Systems logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
The copyrights to certain works contained in this software are owned by other third parties and used and distributed under third party license agreements. Certain components of this software are licensed under the GNU GPL 2.0, GPL 3.0, LGPL 2.1, LGPL 3.0 and AGPL 3.0.
admin connected from 10.24.109.102 using ssh on nfvis
admin logged with default credentials
Please provide a password which satisfies the following criteria:
1.At least one lowercase character
2.At least one uppercase character
3.At least one number
4.At least one special character from # _ - * ?
5.Length should be between 7 and 128 characters
Please reset the password :
Please reenter the password :
Resetting admin password
2. On Cisco Catalyst 8200 UCPE and Cisco ENCS 5400 platforms, when you do a fresh install of NFVIS 4.7.1 or later releases, you must change the BIOS and CIMC passwords. If the BIOS and CIMC passwords are not previously configured, the system prompts you to reset the BIOS and CIMC passwords for Cisco ENCS 5400 and only the BIOS password for Cisco Catalyst 8200 UCPE.
New admin password is set
Please provide the BIOS password which satisfies the following criteria:
1. At least one lowercase character
2. At least one uppercase character
3. At least one number
4. At least one special character from #, @ or _
5. Length should be between 8 and 20 characters
Please reset the BIOS password :
Please reenter the BIOS password :
Please provide the CIMC password which satisfies the following criteria:
1. At least one lowercase character
2. At least one uppercase character
3. At least one number
4. At least one special character from #, @ or _
5. Length should be between 8 and 20 characters
6. Should not contain any of the following strings (case sensitive): admin
Please reset the CIMC password :
Please reenter the CIMC password :
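
The NFVIS user password rules listed earlier and the BIOS and CIMC criteria in the prompts above differ in their special-character sets and length limits, which matters when one provisioning workflow supplies all three passwords. The following Python code is an added example, not Cisco code; the class and function names are assumptions, and it checks only the criteria quoted on this page.

```python
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    specials: str          # at least one of these characters must appear
    min_len: int
    max_len: int
    banned: tuple = ()     # case-sensitive substrings that must not appear


def nfvis_user_policy(min_pwd_length=7):
    """NFVIS user policy; min_pwd_length mirrors `rbac authentication min-pwd-length`."""
    if not 7 <= min_pwd_length <= 128:
        raise ValueError("minimum length must be between 7 and 128")
    return PasswordPolicy("nfvis-user", "#_-*?", min_pwd_length, 128)


BIOS_POLICY = PasswordPolicy("bios", "#@_", 8, 20)
CIMC_POLICY = PasswordPolicy("cimc", "#@_", 8, 20, banned=("admin",))


def violations(password, policy):
    """Return the criteria the password fails (an empty list means it passes)."""
    failed = []
    if not any(c in string.ascii_lowercase for c in password):
        failed.append("lowercase")
    if not any(c in string.ascii_uppercase for c in password):
        failed.append("uppercase")
    if not any(c in string.digits for c in password):
        failed.append("number")
    if not any(c in policy.specials for c in password):
        failed.append("special")
    if not policy.min_len <= len(password) <= policy.max_len:
        failed.append("length")
    if any(s in password for s in policy.banned):
        failed.append("banned-string")
    return failed


def check_all(password, min_pwd_length=7):
    """Check one candidate against the three policies at once."""
    policies = (nfvis_user_policy(min_pwd_length), BIOS_POLICY, CIMC_POLICY)
    return {p.name: violations(password, p) for p in policies}


if __name__ == "__main__":
    # Constructed candidates; "Test1_pass" is the sample value used on this page.
    for candidate in ("Test1_pass", "Net-work9", "Sh0rt_a", "admin_Pass1"):
        print(candidate, check_all(candidate))
```

A hyphen, asterisk or question mark satisfies the NFVIS user rule but not the BIOS or CIMC rule, and @ does the reverse, so a password intended for all three needs # or _.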

Verify BIOS and CIMC Passwords
To verify that the BIOS and CIMC passwords are changed successfully, use the show log nfvis_config.log | include BIOS or show log nfvis_config.log | include CIMC commands:

nfvis# show log nfvis_config.log | include BIOS
2021-11-16 15:24:40,102 INFO [hostaction:/system/settings] [] BIOS password change is successful

You can also download the nfvis_config.log file and verify that the passwords are reset successfully.

Integration with external AAA servers
Users log in to NFVIS through ssh or the Web UI. In either case, users need to be authenticated. That is, a user needs to present password credentials in order to gain access.
Once a user is authenticated, all operations performed by that user need to be authorized. That is, certain users may be allowed to perform certain tasks, whereas others are not. This is called authorization.
It is recommended that a centralized AAA server be deployed to enforce per-user, AAA-based login authentication for NFVIS access. NFVIS supports the RADIUS and TACACS protocols to mediate network access. On the AAA server, only minimum access privileges should be granted to authenticated users according to their specific access requirements. This reduces the exposure to both malicious and unintentional security incidents.
For more information on external authentication, see Configuring RADIUS and Configuring a TACACS+ Server.

Authentication Cache for External Authentication Server

Feature Name | Release Information | Description
Authentication Cache for External Authentication Server | NFVIS 4.5.1 | This feature supports TACACS authentication through OTP on the NFVIS portal.

The NFVIS portal uses the One-Time Password (OTP) for all API calls after the initial authentication. The API calls fail as soon as the OTP expires. This feature supports TACACS OTP authentication with the NFVIS portal.
After you have successfully authenticated through the TACACS server using an OTP, NFVIS creates a hash entry using the username and the OTP and stores this hash value locally. This locally stored hash value has an expiration time stamp associated with it. The time stamp has the same value as the SSH session idle timeout value, which is 15 minutes. All subsequent authentication requests with the same username are authenticated against this local hash value first. If the authentication fails with the local hash, NFVIS authenticates the request with the TACACS server and creates a new hash entry when the authentication is successful. If a hash entry already exists, its time stamp is reset to 15 minutes.
If you are removed from the TACACS server after successfully logging in to the portal, you can continue to use the portal until the hash entry in NFVIS expires.
When you explicitly log out from the NFVIS portal or are logged out due to idle time, the portal calls a new API to notify the NFVIS backend to flush the hash entry. The authentication cache and all its entries are cleared after an NFVIS reboot, factory reset, or upgrade.
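
The cache behaviour described above can be modelled in a few dozen lines, which makes the timing consequences easy to see. The following Python code is an added example and is not NFVIS code: the class names, the salted SHA-256 hash, the single-use OTP server stand-in and the sample usernames and OTP values are all assumptions or constructed values.

```python
import hashlib
import hmac
import os

CACHE_TTL_SECONDS = 15 * 60   # same value as the SSH session idle timeout


class OtpAuthCache:
    """Model of the local hash cache in front of an external TACACS server."""

    def __init__(self, server_check, clock):
        self._server_check = server_check   # callable(username, otp) -> bool
        self._clock = clock                 # callable() -> seconds
        self._entries = {}                  # username -> [salt, digest, expires_at]

    @staticmethod
    def _digest(salt, username, otp):
        # Assumption: salted SHA-256; the page does not name the hash used.
        return hashlib.sha256(salt + f"{username}\0{otp}".encode()).digest()

    def authenticate(self, username, otp):
        """Return "cache", "server" or "denied" for one authentication request."""
        now = self._clock()
        entry = self._entries.get(username)
        if entry is not None and entry[2] <= now:
            del self._entries[username]     # expired entries are never honoured
            entry = None
        if entry is not None:
            salt, digest, _ = entry
            if hmac.compare_digest(self._digest(salt, username, otp), digest):
                entry[2] = now + CACHE_TTL_SECONDS   # time stamp reset to 15 minutes
                return "cache"
        # Local hash missing or not matching: fall back to the TACACS server.
        if self._server_check(username, otp):
            salt = os.urandom(16)
            self._entries[username] = [salt, self._digest(salt, username, otp),
                                       now + CACHE_TTL_SECONDS]
            return "server"
        return "denied"   # assumption: a failed attempt leaves a live entry in place

    def logout(self, username):
        """Explicit or idle logout from the portal flushes the hash entry."""
        self._entries.pop(username, None)

    def clear(self):
        """Reboot, factory reset or upgrade clears the whole cache."""
        self._entries.clear()


class FakeTacacs:
    """Constructed stand-in for a TACACS server that accepts each OTP once."""

    def __init__(self):
        self.valid = set()
        self.calls = 0

    def issue(self, username, otp):
        self.valid.add((username, otp))

    def remove_user(self, username):
        self.valid = {(u, o) for (u, o) in self.valid if u != username}

    def check(self, username, otp):
        self.calls += 1
        if (username, otp) in self.valid:
            self.valid.discard((username, otp))
            return True
        return False


def run_constructed_demo():
    """Replay a constructed portal session; return (outcomes, server_calls)."""
    now = [0]
    server = FakeTacacs()
    cache = OtpAuthCache(server.check, lambda: now[0])
    outcomes = []

    def call(t, user, otp):
        now[0] = t
        outcomes.append(cache.authenticate(user, otp))

    server.issue("alice", "492817")
    call(0, "alice", "492817")       # first login goes to the server
    call(60, "alice", "492817")      # later API calls reuse the OTP via the cache
    call(900, "alice", "492817")     # still inside the refreshed 15-minute window
    server.remove_user("alice")      # account removed on the TACACS server
    call(1500, "alice", "492817")    # still served from the cache
    call(1500, "alice", "000000")    # wrong OTP: cache miss, server refuses
    call(2500, "alice", "492817")    # idle past expiry: server is asked and refuses

    server.issue("bob", "135790")
    call(2600, "bob", "135790")
    cache.logout("bob")              # logout flushes the hash entry
    call(2610, "bob", "135790")      # the used OTP no longer opens a session
    return outcomes, server.calls
```

In this model the expiry slides forward on every cache hit, so a session that stays active is not re-checked against the server until it has been idle for the full 15 minutes or has logged out.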

Role Based Access Control

Limiting network access is important to organizations that have many employees, employ contractors or permit access to third parties, such as customers and vendors. In such a scenario, it is difficult to monitor network access effectively. Instead, it is better to control what is accessible, in order to secure the sensitive data and critical applications.
Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within an enterprise. RBAC lets users access just the information they need, and prevents them from accessing information that does not pertain to them.
An employee's role in the enterprise should be used to determine the permissions granted, in order to ensure that employees with lower privileges cannot access sensitive information or perform critical tasks.
The following user roles and privileges are defined in NFVIS:

User Role | Privilege
Administrators | Can configure all available features and perform all tasks, including changing user roles. The administrator cannot delete basic infrastructure that is fundamental to NFVIS. The Admin user's role cannot be changed; it is always "administrators".
Operators | Can start and stop a VM, and view all information.
Auditors | They are the least privileged users. They have read-only permission and therefore cannot modify any configuration.

Benefits of RBAC
There are a number of benefits to using RBAC to restrict unnecessary network access based on people's roles within an organization, including:
· Improving operational efficiency. Having predefined roles in RBAC makes it easy to include new users with the right privileges or to switch the roles of existing users. It also cuts down on the potential for error when user permissions are being assigned.
· Enhancing compliance. Every organization must comply with local, state and federal regulations. Companies generally prefer to implement RBAC systems to meet the regulatory and statutory requirements for confidentiality and privacy, because executives and IT departments can more effectively manage how the data is accessed and used. This is particularly important for financial institutions and healthcare companies that manage sensitive data.
· Reducing costs. By not allowing user access to certain processes and applications, companies may conserve or use resources such as network bandwidth, memory and storage in a cost-effective manner.
· Decreasing the risk of breaches and data leakage. Implementing RBAC means restricting access to sensitive information, thus reducing the potential for data breaches or data leakage.
Best practices for role-based access control implementations
· As an administrator, determine the list of users and assign the users to the predefined roles. For example, the user "networkadmin" can be created and added to the user group "administrators".
configure terminal rbac authentication users create-user name networkadmin password Test1_pass role administrators
Note: The user groups or roles are created by the system. You cannot create or modify a user group. To change the password, use the rbac authentication users user change-password command in global configuration mode. To change the user role, use the rbac authentication users user change-role command in global configuration mode.
· Remove accounts for users who no longer require access.
configure terminal rbac authentication users delete-user name test1
· Periodically conduct audits to evaluate the roles, the employees who are assigned to them and the access that is permitted for each role. If a user is found to have unnecessary access to a certain system, change the user's role.
For more details, see Users, Roles, and Authentication.
Granular Role-Based Access Control
Starting from NFVIS 4.7.1, the Granular Role-Based Access Control feature is introduced. This feature adds a new resource group policy that manages the VM and VNF and allows you to assign users to a group to control VNF access during VNF deployment. For more information, see Granular Role-Based Access Control.

Restrict Device Accessibility
Users have repeatedly been caught unawares by attacks against features they had not protected because they did not know that those features were enabled. Unused services tend to be left with default configurations, which are not always secure. These services may also be using default passwords. Some services can give an attacker easy access to information on what the server is running or how the network is set up. The following sections describe how NFVIS avoids such security risks:

Attack vector reduction
Any piece of software can potentially contain security vulnerabilities. More software means more avenues for attack. Even if there are no publicly known vulnerabilities at the time of inclusion, vulnerabilities could be discovered or disclosed in the future. To avoid such scenarios, only those software packages which are essential for the NFVIS functionality are installed. This helps to limit software vulnerabilities, reduce resource consumption, and reduce extra work when problems are found with those packages. All third-party software included in NFVIS is registered in a central database at Cisco so that Cisco is able to perform an organized, company-level response (Legal, Security, etc.). Software packages are periodically patched in every release for known Common Vulnerabilities and Exposures (CVEs).

Enabling only essential ports by default

Only those services which are necessary to set up and manage NFVIS are available by default. This removes the user effort required to configure firewalls and deny access to unnecessary services. The only services that are enabled by default are listed below along with the ports they open.

Open Port | Service | Description
22 / TCP | SSH | Secure Socket Shell for remote command-line access to NFVIS
80 / TCP | HTTP | Hypertext Transfer Protocol for NFVIS portal access. All HTTP traffic received by NFVIS is redirected to port 443 for HTTPS
443 / TCP | HTTPS | Hypertext Transfer Protocol Secure for secure NFVIS portal access
830 / TCP | NETCONF-ssh | Port opened for the Network Configuration Protocol (NETCONF) over SSH. NETCONF is a protocol used for automated configuration of NFVIS and for receiving asynchronous event notifications from NFVIS.
161 / UDP | SNMP | Simple Network Management Protocol (SNMP). Used by NFVIS to communicate with remote network-monitoring applications. For more information, see Introduction about SNMP

Restrict Access To Authorized Networks For Authorized Services

Only authorized originators should be allowed to even attempt access to device management, and access should be only to the services they are authorized to use. NFVIS can be configured so that access is restricted to known, trusted sources and expected management traffic profiles. This reduces the risk of unauthorized access and the exposure to other attacks, such as brute force, dictionary, or DoS attacks.
To protect the NFVIS management interfaces from unnecessary and potentially harmful traffic, a user can create Access Control Lists (ACLs) for the network traffic that is received. These ACLs specify the source IP addresses/networks from which the traffic originates, and the type of traffic that is permitted or rejected from these sources. These IP traffic filters are applied to each management interface on NFVIS. The following parameters are configured in an IP receive Access Control List (ip-receive-acl):

| Parameter | Value | Description |
|---|---|---|
| Source network/Netmask | Network/netmask. For example: 0.0.0.0/0, 172.39.162.0/24 | Specifies the IP address/network from which the traffic originates |
| Service | https, icmp, netconf, scpd, snmp, ssh | Type of traffic from the specified source. |
| Action | accept, reject, drop | Action to be taken on traffic from the source network. With accept, new connection attempts will be granted. With reject, connection attempts will not be accepted. If the rule is for a TCP-based service such as HTTPS, NETCONF, SCP, SSH, the source will get a TCP reset (RST) packet. For non-TCP rules such as SNMP and ICMP, the packet will be dropped. With drop, all packets will be dropped immediately; no information is sent to the source. |
| Priority | A number | The priority is used to enforce an order on the rules. Rules with a higher numeric value for priority will be added further down in the chain. If you want to make sure that a rule will be added after another one, use a low priority number for the first and a higher priority number for the following ones. |

The following sample configurations illustrate some scenarios that can be adapted to meet specific use cases.
Configuring the IP Receive ACL
The more restrictive an ACL, the more limited the exposure to unauthorized access attempts. However, a more restrictive ACL can create management overhead, and can affect the accessibility needed for troubleshooting. Consequently, there is a balance to be considered. One compromise is to restrict access to internal corporate IP addresses only. Each customer must evaluate the implementation of ACLs in relation to their own security policy, risks, exposure, and acceptance thereof.
Reject ssh traffic from a subnet:

nfvis(config)# system settings ip-receive-acl 171.70.63.0/24 service ssh action reject priority 1

Deleting ACLs:
When an entry is deleted from ip-receive-acl, all configurations for that source are deleted, since the source IP address is the key. To delete just one service, configure the other services again.

nfvis(config)# no system settings ip-receive-acl 171.70.63.0/24
For more information see, Configuring the IP Receive ACL
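The accept, reject and drop semantics and the priority ordering described above can be checked offline before a rule set is committed. The following Python model is an added example, not Cisco code: it parses ip-receive-acl lines, reports what a source would observe, and flags rules that an earlier rule makes unreachable. First-match evaluation in ascending priority order is an assumption drawn from the description of the chain; the function names and every sample rule other than the 171.70.63.0/24 one are constructed.

```python
import ipaddress
from typing import NamedTuple

# Services from the parameter table; the page names which of them are TCP-based.
TCP_SERVICES = {"https", "netconf", "scpd", "ssh"}
NON_TCP_SERVICES = {"icmp", "snmp"}
ACTIONS = {"accept", "reject", "drop"}


class Rule(NamedTuple):
    source: ipaddress.IPv4Network
    service: str
    action: str
    priority: int


def parse_rule(line):
    """Parse one 'system settings ip-receive-acl ...' line (hypothetical helper)."""
    tokens = line.split()
    start = tokens.index("ip-receive-acl")
    source = ipaddress.ip_network(tokens[start + 1], strict=True)
    # The remaining tokens are keyword/value pairs, accepted in any order.
    fields = dict(zip(tokens[start + 2::2], tokens[start + 3::2]))
    service, action = fields["service"], fields["action"]
    if service not in TCP_SERVICES | NON_TCP_SERVICES:
        raise ValueError(f"unknown service: {service}")
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    return Rule(source, service, action, int(fields["priority"]))


def ordered(rules):
    """Lower priority numbers sit higher in the chain (assumed to be checked first)."""
    return sorted(rules, key=lambda r: r.priority)


def evaluate(rules, src_ip, service):
    """Return (action, what the source observes) for the first matching rule, or None."""
    addr = ipaddress.ip_address(src_ip)
    for rule in ordered(rules):
        if rule.service == service and addr in rule.source:
            if rule.action == "accept":
                return ("accept", "connection proceeds")
            if rule.action == "reject" and service in TCP_SERVICES:
                return ("reject", "tcp-rst")
            # reject on a non-TCP service, or drop on any service: nothing is sent back
            return (rule.action, "no reply")
    return None  # no rule matched; the page states no default, so none is modelled


def shadowed(rules):
    """Pairs (later, earlier) where 'later' can never match because 'earlier' covers it."""
    chain = ordered(rules)
    hidden = []
    for i, later in enumerate(chain):
        for earlier in chain[:i]:
            if earlier.service == later.service and later.source.subnet_of(earlier.source):
                hidden.append((later, earlier))
                break
    return hidden


# Constructed rule set; only the first line's subnet and action come from the page.
SAMPLE_CONFIG = """\
system settings ip-receive-acl 171.70.63.0/24 service ssh action reject priority 1
system settings ip-receive-acl 0.0.0.0/0 service ssh action accept priority 10
system settings ip-receive-acl 171.70.63.128/25 service ssh priority 20 action accept
system settings ip-receive-acl 172.39.162.0/24 service snmp action reject priority 30
system settings ip-receive-acl 10.20.0.0/16 service https action drop priority 40
"""
RULES = [parse_rule(line) for line in SAMPLE_CONFIG.splitlines()]

if __name__ == "__main__":
    for ip, svc in [("171.70.63.200", "ssh"), ("198.51.100.7", "ssh"),
                    ("172.39.162.5", "snmp"), ("10.20.3.4", "https")]:
        print(ip, svc, evaluate(RULES, ip, svc))
    for later, earlier in shadowed(RULES):
        print(f"priority {later.priority} is shadowed by priority {earlier.priority}")
```

In the sample, the priority 20 accept for 171.70.63.128/25 never takes effect because the priority 1 reject for the enclosing /24 matches first.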
Privileged Debug Access
The super-user account on NFVIS is disabled by default, to prevent all unrestricted, potentially adverse, system-wide changes, and NFVIS does not expose the system shell to the user.
However, for some hard-to-debug issues on the NFVIS system, the Cisco Technical Assistance Center (TAC) team or the development team may require shell access to the customer's NFVIS. NFVIS has a secure unlock infrastructure to ensure that privileged debug access to a device in the field is restricted to authorized Cisco employees. To securely access the Linux shell for this kind of interactive debugging, a challenge-response authentication mechanism is used between NFVIS and the Interactive debugging server maintained by Cisco. The admin user's password is also required in addition to the challenge-response entry, to ensure that the device is accessed with the customer's consent.
Steps to access the shell for Interactive Debugging:
1. An admin user initiates this procedure using this hidden command.

nfvis# system shell-access

2. The screen will show a challenge string, for example:
Challenge String (Please copy everything between the asterisk lines exclusively):
********************************************************************************
SPH//wkAAABORlZJU0VOQ1M1NDA4L0s5AQAAABt+dcx+hB0V06r9RkdMMjEzNTgw
RlHq7BxeAAA=
DONE.
********************************************************************************
3. The Cisco member enters the Challenge string on an Interactive Debug server maintained by Cisco. This server verifies that the Cisco user is authorized to debug NFVIS using the shell, and then returns a response string.
4. Enter the response string on the screen below this prompt: Input your response when ready:
5. When prompted, the customer should enter the admin password.
6. You get shell access if the password is valid.
7. The development or TAC team uses the shell to proceed with the debugging.
8. To exit shell access, type Exit.
Secure Interfaces
NFVIS management access is allowed using the interfaces shown in the diagram. The following sections describe security best practices for these interfaces to NFVIS.

Console SSH

The console port is an asynchronous serial port that allows you to connect to the NFVIS CLI for initial configuration. A user can access the console either with physical access to the NFVIS or with remote access through a terminal server. If console port access is required via a terminal server, configure access lists on the terminal server to allow access only from the required source addresses.
Users can access the NFVIS CLI by using SSH as a secure means of remote login. The integrity and confidentiality of NFVIS management traffic is essential to the security of the administered network, since administration protocols frequently carry information that could be used to penetrate or disrupt the network.

NFVIS uses SSH version 2, which is Cisco's and the Internet's de facto standard protocol for interactive logins and supports strong encryption, hash, and key exchange algorithms recommended by the Security and Trust Organization within Cisco.

CLI Session timeout
By logging in via SSH, a user establishes a session with NFVIS. While the user is logged in, if the user leaves the logged-in session unattended, this can expose the network to a security risk. Session security limits the risk of internal attacks, such as one user attempting to use another user's session.
To mitigate this risk, NFVIS times out CLI sessions after 15 minutes of inactivity. When the session timeout is reached, the user is automatically logged out.

NETCONF

The Network Configuration Protocol (NETCONF) is a network management protocol developed and standardized by the IETF for the automated configuration of network devices.
The NETCONF protocol uses an Extensible Markup Language (XML) based data encoding for the configuration data as well as for the protocol messages. The protocol messages are exchanged on top of a secure transport protocol.
NETCONF allows NFVIS to expose an XML-based API that the network operator can use to set and get configuration data and event notifications securely over SSH.
For more information see, NETCONF Event Notifications.

REST API

NFVIS can be configured using a RESTful API over HTTPS. The REST API allows requesting systems to access and manipulate the NFVIS configuration by using a uniform and predefined set of stateless operations. Details on the REST APIs can be found in the NFVIS API Reference guide.
When the user issues a REST API, a session is established with NFVIS. To limit risks related to denial of service attacks, NFVIS limits the total number of concurrent REST sessions to 100.

NFVIS Web Portal
The NFVIS portal is a web-based Graphical User Interface that displays information about NFVIS. The portal gives the user an easy means to configure and monitor NFVIS over HTTPS without having to know the NFVIS CLI and API.

Session Management
The stateless nature of HTTP and HTTPS requires a method of uniquely tracking users through the use of unique session IDs and cookies.
NFVIS encrypts the user's session. The AES-256-CBC cipher is used to encrypt the session contents with an HMAC-SHA-256 authentication tag. A random 128-bit Initialization Vector is generated for each encryption operation.
An Audit record is started when a portal session is created. Session information is deleted when the user logs out or when the session times out.
The default idle timeout for portal sessions is 15 minutes. However, this can be configured for the current session to a value between 5 and 60 minutes on the Settings page. Auto-logout will be initiated after this period. Multiple sessions are not permitted in a single browser. The maximum number of concurrent sessions is 30. The NFVIS portal uses cookies to associate data with the user. It uses the following cookie properties for enhanced security:
• ephemeral, to ensure the cookie expires when the browser is closed
• httpOnly, to make the cookie inaccessible from JavaScript
• secureProxy, to ensure the cookie can only be sent over SSL.
Even when authenticated, attacks such as Cross-Site Request Forgery (CSRF) are possible. In this scenario, an end user might inadvertently execute unwanted actions on a web application in which they are currently authenticated. To prevent this, NFVIS uses CSRF tokens to validate every REST API that is invoked during each session.
URL Redirection
In typical web servers, when a page is not found on the web server, the user gets a 404 message; for pages that exist, they get a login page. The security impact of this is that an attacker can perform a brute force scan and easily detect which pages and folders exist. To prevent this on NFVIS, all non-existent URLs prefixed with the device IP are redirected to the portal login page with a 301 status response code. This means that regardless of the URL requested by an attacker, they will always get the login page to authenticate themselves. All HTTP server requests are redirected to HTTPS and have the following headers configured:
• X-Content-Type-Options
• X-XSS-Protection
• Content-Security-Policy
• X-Frame-Options
• Strict-Transport-Security
• Cache-Control
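A post-deployment check for the cookie properties, the 301 redirect and the response headers described in this section, given here as an added example (not NFVIS or Cisco code). It audits raw HTTP responses; the two sample responses, the header values, the cookie name and the /login path are constructed placeholders, and mapping secureProxy to the Secure cookie attribute is an assumption.

```python
# Header names exactly as listed on the page, lower-cased for comparison.
REQUIRED_HEADERS = (
    "x-content-type-options", "x-xss-protection", "content-security-policy",
    "x-frame-options", "strict-transport-security", "cache-control",
)


def parse_response(raw):
    """Split a raw HTTP response into (status code, {header name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit_headers(headers):
    return [f"missing header: {h}" for h in REQUIRED_HEADERS if h not in headers]


def audit_cookies(headers):
    findings = []
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {part.split("=", 1)[0].strip().lower() for part in cookie.split(";")[1:]}
        if attrs & {"expires", "max-age"}:
            findings.append(f"cookie {name}: persistent, not ephemeral")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: readable from JavaScript (no HttpOnly)")
        if "secure" not in attrs:
            findings.append(f"cookie {name}: may be sent without TLS (no Secure)")
    return findings


def audit_unknown_url(raw, login_path):
    """A request for a non-existent URL should get a 301 to the login page, never a 404."""
    status, headers = parse_response(raw)
    findings = []
    location = headers.get("location", [""])[0]
    if status != 301:
        findings.append(f"status {status} reveals whether the URL exists (expected 301)")
    elif not location.startswith("https://") or not location.endswith(login_path):
        findings.append(f"301 does not lead to the HTTPS login page: {location!r}")
    return findings + audit_headers(headers) + audit_cookies(headers)


# Constructed responses to a request for a URL that does not exist on the device.
GOOD = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://device.example/login\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Cache-Control: no-store\r\n"
    "Set-Cookie: session=PLACEHOLDER; Path=/; HttpOnly; Secure\r\n"
    "\r\n"
)
BAD = (
    "HTTP/1.1 404 Not Found\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=PLACEHOLDER; Path=/; Max-Age=86400\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("bad", BAD)):
        print(label, audit_unknown_url(raw, "/login") or "no findings")
```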
Disabling the Portal
NFVIS portal access is enabled by default. If you are not planning to use the portal, it is recommended to disable portal access using this command:
Configure terminal
System portal access disabled

HTTPS
All HTTPS data to and from NFVIS uses Transport Layer Security (TLS) to communicate across the network. TLS is the successor to Secure Socket Layer (SSL).

The TLS handshake involves authentication, during which the client verifies the server's SSL certificate with the certificate authority that issued it. This confirms that the server is who it says it is, and that the client is interacting with the owner of the domain. By default, NFVIS uses a self-signed certificate to prove its identity to its clients. This certificate has a 2048-bit public key to increase the security of the TLS encryption, since the encryption strength is directly related to the key size.
Certificate Management
NFVIS generates a self-signed SSL certificate when it is first installed. It is a security best practice to replace this certificate with a valid certificate signed by a compliant Certificate Authority (CA). Use the following steps to replace the default self-signed certificate:
1. Generate a Certificate Signing Request (CSR) on NFVIS.
A Certificate Signing Request (CSR) is a file with a block of encoded text that is given to a Certificate Authority when applying for an SSL Certificate. This file contains information that should be included in the certificate, such as the organization name, common name (domain name), locality, and country. The file also contains the public key that should be included in the certificate. NFVIS uses a 2048-bit public key since encryption strength is higher with a larger key size. To generate a CSR on NFVIS, run the following command:
nfvis# system certificate signing-request [common-name country-code locality organization organization-unit-name state]
The CSR file is saved as /data/intdatastore/download/nfvis.csr.
2. Get an SSL certificate from a CA using the CSR.
From an external host, use the scp command to download the Certificate Signing Request.
[myhost:/tmp] > scp -P 22222 admin@<NFVIS-IP>:/data/intdatastore/download/nfvis.csr <file-name>
Contact a Certificate Authority to issue a new SSL server certificate using this CSR.
3. Install the CA Signed Certificate.
From an external server, use the scp command to upload the certificate file into NFVIS to the data/intdatastore/uploads/ directory.
[myhost:/tmp] > scp -P 22222 <certificate file> admin@<NFVIS-IP>:/data/intdatastore/uploads
Install the certificate in NFVIS using the following command.
nfvis# system certificate install-cert path file:///data/intdatastore/uploads/<certificate file>
4. Switch to using the CA Signed Certificate.
Use the following command to start using the CA signed certificate instead of the default self-signed certificate.

nfvis(config)# system certificate use-cert cert-type ca-signed

SNMP Access

Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks, and for modifying that information to change device behavior.
Three significant versions of SNMP have been developed. NFVIS supports SNMP version 1, version 2c and version 3. SNMP versions 1 and 2 use community strings for authentication, and these are sent in plain text. It is therefore a security best practice to use SNMP v3 instead.
SNMPv3 provides secure access to devices by using three aspects: users, authentication, and encryption. SNMPv3 uses the USM (User-based Security Module) to control access to information available via SNMP. An SNMP v3 user is configured with an authentication type, a privacy type and a passphrase. All users sharing a group use the same SNMP version; however, the specific security settings (password, encryption type, etc.) are specified per user.
The following table summarizes the security options within SNMP:

| Model | Level | Authentication | Encryption | Outcome |
|---|---|---|---|---|
| v1 | noAuthNoPriv | Community String | No | Uses a community string match for authentication. |
| v2c | noAuthNoPriv | Community String | No | Uses a community string match for authentication. |
| v3 | noAuthNoPriv | Username | No | Uses a username match for authentication. |
| v3 | authNoPriv | Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) | No | Provides authentication based on the HMAC-MD5-96 or HMAC-SHA-96 algorithms. |
| v3 | authPriv | MD5 or SHA | Data Encryption Standard (DES) or Advanced Encryption Standard (AES) | Provides authentication based on the HMAC-MD5-96 or HMAC-SHA-96 algorithms. Provides the DES cipher algorithm in Cipher Block Chaining Mode (CBC-DES) or the AES encryption algorithm used in Cipher FeedBack Mode (CFB), with a 128-bit key size (CFB128-AES-128) |

Since its adoption by NIST, AES has become the dominant encryption algorithm throughout the industry. To follow the industry's migration away from MD5 and toward SHA, it is a security best practice to configure the SNMP v3 authentication protocol as SHA and the privacy protocol as AES.
For more details on SNMP see, Introduction about SNMP

Legal Notification Banners
It is recommended that a legal notification banner is present on all interactive sessions to ensure that users are notified of the security policy being enforced and to which they are subject. In some jurisdictions, civil and/or criminal prosecution of an attacker who breaks into a system is easier, or even required, if a legal notification banner is presented, informing unauthorized users that their use is in fact unauthorized. In some jurisdictions, it may also be forbidden to monitor the activity of an unauthorized user unless they have been notified of the intent to do so.
Legal notification requirements are complex and vary in each jurisdiction and situation. Even within jurisdictions, legal opinions vary. Discuss this issue with your own legal counsel to ensure that the notification banner meets company, local, and international legal requirements. This is often critical to securing appropriate action in the event of a security breach. In cooperation with the company legal counsel, statements which may be included in a legal notification banner include:
• Notification that system access and use is permitted only by specifically authorized personnel, and perhaps information about who may authorize use.
• Notification that unauthorized access and use of the system is unlawful, and may be subject to civil and/or criminal penalties.
• Notification that access and use of the system may be logged or monitored without further notice, and the resulting logs may be used as evidence in court.
• Additional specific notices required by specific local laws.

From a security rather than a legal point of view, a legal notification banner should not contain any specific information about the device, such as its name, model, software, location, operator or owner, because this kind of information may be useful to an attacker.
The following is a sample legal notification banner which can be displayed before login:
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device. Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties. All activities performed on this device are logged and monitored

Note: Present a legal notification banner approved by company legal counsel.
NFVIS allows the configuration of a banner and a Message of the Day (MOTD). The banner is displayed before the user logs in. Once the user logs in to NFVIS, a system-defined banner provides Copyright information about NFVIS, and the message of the day (MOTD), if configured, will appear, followed by the command line prompt or the portal view, depending on the login method.
It is recommended that a login banner is implemented to ensure that a legal notification banner is presented on all device management access sessions before a login prompt is presented. Use this command to configure the banner and MOTD.
nfvis(config)# banner-motd banner <banner-text> motd <motd-text>
For more information about the banner command, see Configure Banner, Message of the day and System Time.

Factory Default Reset
Factory Reset removes all the customer-specific data that has been added to the device since the time of its shipping. The data erased includes configurations, log files, VM images, connectivity information, and user login credentials.
It provides one command to reset the device to factory-original settings, and is useful in the following scenarios:
• Return Material Authorization (RMA) for a device: If you have to return a device to Cisco for RMA, use Factory Default reset to remove all the customer-specific data.
• Recovering a compromised device: If the key material or credentials stored on a device are compromised, reset the device to the factory configuration and then reconfigure the device.
• If the same device needs to be re-used at a different site with a new configuration, perform a Factory Default reset to remove the existing configuration and bring it to a clean state.

NFVIS provides the following options within Factory default reset:

| Factory Reset Option | Data Erased | Data Retained |
|---|---|---|
| all | All configuration, uploaded image files, VMs and logs. Connectivity to the device will be lost. | The admin account is retained and the password will be changed to the factory default password. |
| all-except-images | All configuration except image configuration, VMs, and logs. Connectivity to the device will be lost. | Image configuration, registered images and uploaded image files. The admin account is retained and the password will be changed to the factory default password. |
| all-except-images-connectivity | All configuration except image, network and connectivity configuration, VMs, and logs. Connectivity to the device is available. | Images, network and connectivity related configuration, registered images, and uploaded image files. The admin account is retained and the previously configured admin password will be preserved. |
| manufacturing | All configuration except image configuration, VMs, uploaded image files, and logs. Connectivity to the device will be lost. | Image related configuration and registered images. The admin account is retained and the password will be changed to the factory default password. |

The user must choose the appropriate option carefully based on the purpose of the Factory Default reset. For more information, see Resetting to Factory Default.

Infrastructure Management Network
An infrastructure management network refers to the network carrying the control and management plane traffic (such as NTP, SSH, SNMP, syslog, etc.) for the infrastructure devices. Device access can be through the console, as well as through the Ethernet interfaces. This control and management plane traffic is critical to network operations, providing visibility into and control over the network. Consequently, a well-designed and secure infrastructure management network is critical to the overall security and operations of a network. One of the key recommendations for a secure infrastructure management network is the separation of management and data traffic, to ensure remote manageability even under high load and high traffic conditions. This can be achieved using a dedicated management interface.
The following are the Infrastructure management network implementation approaches:
Out-of-band Management
An Out-of-band Management (OOB) management network consists of a network which is completely independent and physically separate from the data network that it helps to manage. This is also sometimes referred to as a Data Communications Network (DCN). Network devices can connect to the OOB network in different ways: NFVIS supports a built-in management interface that can be used to connect to the OOB network. NFVIS allows the configuration of a predefined physical interface, the MGMT port on the ENCS, as a dedicated management interface. Restricting management packets to designated interfaces provides greater control over the management of a device, thereby providing more security for that device. Other benefits include improved performance for data packets on non-management interfaces, support for network scalability, the need for fewer access control lists (ACLs) to restrict access to a device, and the prevention of management packet floods from reaching the CPU. Network devices can also connect to the OOB network via dedicated data interfaces. In this case, ACLs should be deployed to ensure that management traffic is only handled by the dedicated interfaces. For further information, see Configuring the IP Receive ACL and Port 22222 and Management Interface ACL.
Pseudo out-of-band Management
A pseudo out-of-band management network uses the same physical infrastructure as the data network but provides logical separation through the virtual separation of traffic, by using VLANs. NFVIS supports creating VLANs and virtual bridges to help identify different sources of traffic and to separate traffic between VMs. Having separate bridges and VLANs isolates the virtual machine network's data traffic from the management network, thus providing traffic segmentation between the VMs and the host. For further information see Configuring VLAN for NFVIS Management Traffic.
In-band Management
An in-band management network uses the same physical and logical paths as the data traffic. Ultimately, this network design requires a per-customer analysis of risk versus benefits and costs. Some general considerations include:
• An isolated OOB management network maximizes visibility and control over the network even during disruptive events.
• Transmitting network telemetry over an OOB network minimizes the chance of disruption of the very information which provides critical network visibility.
• In-band management access to network infrastructure, hosts, etc. is vulnerable to complete loss in the event of a network incident, removing all network visibility and control. Appropriate QoS controls should be put in place to mitigate this.
• NFVIS features interfaces that are dedicated to device management, including serial console ports and Ethernet management interfaces.
• An OOB management network can typically be deployed at a reasonable cost, since management network traffic does not typically demand high bandwidth or high performance devices, and only requires sufficient port density to support connectivity to each infrastructure device.
Locally Stored Information Protection
Protecting Sensitive Information
NFVIS stores some sensitive information locally, including passwords and secrets. Passwords should generally be maintained and controlled by a centralized AAA server. However, even if a centralized AAA server is deployed, some locally stored passwords are required for certain cases, such as local fallback when the AAA servers are not available, special-use usernames, etc. This information is stored on NFVIS as hashes so that it is not possible to recover the original credentials from the system. Hashing is a widely accepted industry norm.

File Transfer
Files which may need to be transferred to NFVIS devices include VM image and NFVIS upgrade files. The secure transfer of files is critical for network infrastructure security. NFVIS supports Secure Copy (SCP) to ensure the security of file transfer. SCP relies on SSH for secure authentication and transport, enabling the secure and authenticated copying of files.
A secure copy from NFVIS is initiated through the scp command. The secure copy (scp) command allows the admin user to securely copy files from NFVIS to an external system, or from an external system to NFVIS.
The syntax for the scp command is:
scp <source> <destination>
We use port 22222 for the NFVIS SCP server. By default, this port is closed and users cannot secure copy files into NFVIS from an external client. If there is a need to SCP a file from an external client, the user can open the port using:
system settings ip-receive-acl (address)/(mask length) service scpd priority (number) action accept
commit
To prevent users from accessing system directories, secure copy can be performed only to or from intdatastore:, extdatastore1:, extdatastore2:, usb: and nfs:, if available. Secure copy can also be performed from logs: and techsupport:

Logging

NFVIS access and configuration changes are logged as audit logs to record the following information:
• Who accessed the device
• When did a user log in
• What did a user do in terms of the host configuration and the VM lifecycle
• When did a user log off
• Failed access attempts
• Failed authentication requests
• Failed authorization requests
This information is invaluable for forensic analysis in case of unauthorized attempts or access, as well as for configuration change issues, and it helps to plan group administration changes. It may also be used in real time to identify anomalous activities which may indicate that an attack is taking place. This analysis can be correlated with information from additional external sources, such as IDS and firewall logs.

Zochitika zonse zazikulu pa NFVIS zimatumizidwa ngati zidziwitso za zochitika kwa olembetsa a NETCONF komanso monga ma syslogs ku maseva odulidwa apakati. Kuti mudziwe zambiri za mauthenga a syslog ndi zidziwitso zazochitika, onani Zowonjezera.
Chitetezo cha Virtual Machine
Gawoli likufotokoza zachitetezo chokhudzana ndi kulembetsa, kutumiza ndi kugwiritsa ntchito Virtual Machines pa NFVIS.
VNF chitetezo boot
NFVIS imathandizira Open Virtual Machine Firmware (OVMF) kuti mutsegule boot yotetezedwa ya UEFI ya Virtual Machines yomwe imathandizira boot yotetezedwa. VNF Safe boot imatsimikizira kuti gawo lililonse la pulogalamu ya boot ya VM yasainidwa, kuphatikiza bootloader, kernel ya opaleshoni, ndi madalaivala oyendetsa.

For more information see, Secure Boot of VNFs.
VNC Console Access Protection
NFVIS allows the user to create a Virtual Network Computing (VNC) session to access a deployed VM's remote desktop. To enable this, NFVIS dynamically opens a port to which the user can connect using their web browser. This port is only left open for 60 seconds for an external server to start a session to the VM. If no activity is seen within this time, the port is closed. The port number is assigned dynamically and thereby allows only a one-time access to the VNC console.
nfvis# vncconsole start deployment-name 1510614035 vm-name ROUTER
vncconsole-url :6005/vnc_auto.html
Pointing your browser to https:// :6005/vnc_auto.html will connect to the ROUTER VM's VNC console.
Encrypted VM config data variables
During VM deployment, the user provides a day-0 configuration file for the VM. This file can contain sensitive information such as passwords and keys. If this information is passed as clear text, it appears in log files and internal database records in clear text. This feature allows the user to flag a config data variable as sensitive so that its value is encrypted using AES-CFB-128 encryption before it is stored or passed to internal subsystems.
For more information see, VM Deployment Parameters.
Checksum verification for Remote Image Registration
To register a remotely located VNF image, the user specifies its location. The image will need to be downloaded from an external source, such as an NFS server or a remote HTTPS server.
To know if a downloaded file is safe to install, it is essential to compare the file's checksum before using it. Verifying the checksum helps ensure that the file was not corrupted during network transmission, or modified by a malicious third party before you downloaded it.
NFVIS supports the checksum and checksum_algorithm options for the user to provide the expected checksum and checksum algorithm (SHA256 or SHA512) to be used to verify the checksum of the downloaded image. Image creation fails if the checksum does not match.
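The same check performed on the operator's side before registration, as an added example that is not NFVIS code: it computes the value to supply as the checksum, accepts only the two algorithms named above, and fails closed on any mismatch. The file names and image bytes are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

# Only the algorithms the page names are accepted; anything else is refused.
ALLOWED = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def file_digest(path, algorithm, chunk_size=1024 * 1024):
    """Hash a (possibly multi-gigabyte) image in chunks and return the hex digest."""
    try:
        hasher = ALLOWED[algorithm.upper()]()
    except KeyError:
        raise ValueError(f"unsupported checksum algorithm: {algorithm!r}")
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            hasher.update(chunk)
    return hasher.hexdigest()


def verify_image(path, expected_hex, algorithm):
    """Return True only if the file's digest equals the published value."""
    expected = expected_hex.strip().lower()
    actual = file_digest(path, algorithm)
    # compare_digest returns False for values of different length, so a
    # SHA256 value offered as SHA512 (or a truncated value) cannot match.
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed sample: a small stand-in image and a copy with one byte changed."""
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, "vnf.tar.gz")
    bad = os.path.join(workdir, "vnf-tampered.tar.gz")
    line = b"constructed VNF image bytes\n"
    with open(good, "wb") as fh:
        fh.write(line * 1000)
    with open(bad, "wb") as fh:
        fh.write(line * 999 + b"constructed VNF image bytez\n")
    published = file_digest(good, "SHA512")  # value the image publisher would list
    return verify_image(good, published, "SHA512"), verify_image(bad, published, "SHA512")


if __name__ == "__main__":
    print(demo())
```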
Certificate Validation for Remote Image Registration
To register a VNF image located on an HTTPS server, the image will need to be downloaded from the remote HTTPS server. To securely download this image, NFVIS verifies the SSL certificate of the server. The user needs to specify either the path to the certificate file or the PEM format certificate contents to enable this secure download.
More details can be found in the section on certificate validation for image registration.
VM Isolation and Resource Provisioning
The Network Function Virtualization (NFV) architecture consists of:
· Virtualized network functions (VNFs), which are Virtual Machines running software applications that deliver network functionality such as a router, firewall, load balancer, and so on.
· Network functions virtualization infrastructure, which consists of the infrastructure components (compute, memory, storage, and networking) on a platform that supports the required software and hypervisor.
With NFV, network functions are virtualized so that multiple functions can be run on a single server. As a result, less physical hardware is needed, allowing for resource consolidation. In this environment, it is essential to simulate dedicated resources for multiple VNFs from a single, physical hardware system. Using NFVIS, VMs can be deployed in a controlled manner such that each VM receives the resources it needs. Resources are partitioned as needed from the physical environment to the many virtual environments. The individual VM domains are isolated so they are separate, distinct, and secure environments, which are not contending with each other for shared resources.
VMs cannot use more resources than provisioned. This avoids a Denial of Service condition from one VM consuming the resources. As a result, CPU, memory, network and storage are protected.

CPU Isolation

The NFVIS system reserves cores for the infrastructure software running on the host. The rest of the cores are available for VM deployment. This guarantees that the VM's performance does not affect the NFVIS host performance.
Low-latency VMs
NFVIS explicitly assigns dedicated cores to low-latency VMs that are deployed on it. If the VM requires 2 vCPUs, it is assigned 2 dedicated cores. This prevents sharing and oversubscription of cores and guarantees the performance of the low-latency VMs. If the number of available cores is less than the number of vCPUs requested by another low-latency VM, the deployment is prevented since we do not have sufficient resources.
Non low-latency VMs
NFVIS assigns sharable CPUs to non low-latency VMs. If the VM requires 2 vCPUs, it is assigned 2 CPUs. These 2 CPUs are sharable among other non low-latency VMs. If the number of available CPUs is less than the number of vCPUs requested by another non low-latency VM, the deployment is still allowed because this VM will share the CPU with existing non low-latency VMs.
Memory Allocation
The NFVIS infrastructure requires a certain amount of memory. When a VM is deployed, there is a check to ensure that the memory available, after reserving the memory required for the infrastructure and previously deployed VMs, is sufficient for the new VM. We do not allow memory oversubscription for the VMs.
VMs are not allowed to directly access the host file system and storage.
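The admission rules from the CPU Isolation and Memory Allocation sections, as an added toy model that is not NFVIS code: low-latency VMs need one dedicated core per vCPU or are refused, other VMs are admitted on shared CPUs, and memory is never oversubscribed. Host sizes, reservations and VM names are constructed, and because the guide does not say how dedicated and shared cores interact, the model tracks admission decisions only, not scheduling.

```python
from dataclasses import dataclass, field


@dataclass
class Host:
    """Toy model of the admission rules described above (not NFVIS code)."""
    total_cores: int
    reserved_cores: int   # kept for the infrastructure software
    total_mem_mb: int
    reserved_mem_mb: int  # kept for the infrastructure software
    pinned: dict = field(default_factory=dict)  # low-latency VM -> dedicated core ids
    shared: dict = field(default_factory=dict)  # other VM -> requested vCPUs
    mem_used_mb: int = 0

    def free_cores(self):
        taken = {c for cores in self.pinned.values() for c in cores}
        return [c for c in range(self.reserved_cores, self.total_cores) if c not in taken]

    def deploy(self, name, vcpus, mem_mb, low_latency):
        # Memory is never oversubscribed, whatever the VM type.
        if mem_mb > self.total_mem_mb - self.reserved_mem_mb - self.mem_used_mb:
            return False, "insufficient memory"
        if low_latency:
            free = self.free_cores()
            # One dedicated core per vCPU, otherwise the deployment is refused.
            if vcpus > len(free):
                return False, "insufficient dedicated cores"
            self.pinned[name] = free[:vcpus]
        else:
            # Sharable CPUs: admitted even if vCPUs exceed the CPUs still free.
            self.shared[name] = vcpus
        self.mem_used_mb += mem_mb
        return True, "deployed"


def scenario():
    """Constructed 8-core, 16 GB host; returns the host and each outcome in order."""
    host = Host(total_cores=8, reserved_cores=2, total_mem_mb=16384, reserved_mem_mb=4096)
    requests = [
        ("fw", 2, 4096, True),    # low latency, fits: cores 2-3
        ("rtr", 4, 4096, True),   # low latency, fits: cores 4-7
        ("ids", 2, 1024, True),   # low latency, no dedicated cores left
        ("mon", 4, 2048, False),  # shared CPUs, allowed despite no free cores
        ("big", 1, 4096, False),  # only 2048 MB left after reservations
    ]
    return host, [host.deploy(*r) for r in requests]


if __name__ == "__main__":
    print(scenario()[1])
```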
Storage Isolation
The ENCS platform supports an internal datastore (M2 SSD) and external disks. NFVIS is installed on the internal datastore. VNFs can also be deployed on this internal datastore. It is a security best practice to store customer data and deploy customer application Virtual Machines on the external disks. Having physically separate disks for the system files and the application files helps to protect system data from corruption and security issues.
Interface Isolation
Single Root I/O Virtualization, or SR-IOV, is a specification that allows the isolation of PCI Express (PCIe) resources such as an Ethernet port. Using SR-IOV, a single Ethernet port can be made to appear as multiple, separate, physical devices known as Virtual Functions. All of the VF devices on that adapter share the same physical network port. A guest can use one or more of these Virtual Functions. A Virtual Function appears to the guest as a network card, in the same way as a normal network card would appear to an operating system. Virtual Functions have near-native performance and provide better performance than para-virtualized drivers and emulated access. Virtual Functions provide data protection between guests on the same physical server as the data is managed and controlled by the hardware. NFVIS VNFs can use SR-IOV networks to connect to WAN and LAN Backplane ports.
Each such VM owns a virtual interface and its related resources, achieving data protection among VMs.
Secure Development Lifecycle
NFVIS follows a Secure Development Lifecycle (SDL) for software. This is a repeatable, measurable process designed to reduce vulnerabilities and enhance the security and resilience of Cisco solutions. Cisco SDL applies industry-leading practices and technology to build trustworthy solutions that have fewer field-discovered product security incidents. Every NFVIS release goes through the following processes.
· Following Cisco-internal and market-based Product Security Requirements
· Registering third-party software with a central repository at Cisco for vulnerability tracking
· Periodically patching software with known fixes for CVEs
· Designing software with security in mind
· Static Analysis and implementing validation for preventing command injection, etc.
· Using Application Security tools such as IBM AppScan, Nessus, and other Cisco internal tools
