I-CISCO Khusela iNethiwekhi yokuHlalutywa kweMiyalelo yokuThunyelelwa kweMiyalelo

Imixholo fihla

1 I-CISCO eKhuselekileyo yoHlahlo lweNethiwekhi yokuBelwa

2 Ulwazi lweMveliso

3 Ukufakwa kwe-SMC

4 Ukufakela iNode yeDatha

5 Ukufakelwa koMqokeleli wokuHamba

6 Ukufakela iSensor Flow

7 Imigaqo-nkqubo yoGunyaziso ye-ISE

8 FAQ

9 Amaxwebhu / Izibonelelo

9.1 Iimbekiselo

I-CISCO eKhuselekileyo yoHlahlo lweNethiwekhi yokuBelwa

Ulwazi lweMveliso

Iinkcukacha:

Igama leMveliso: Cisco Secure Network Analytics Deployment
Udibaniso: I-Cisco ISE Integration ye-ANC

I-Cisco Secure Network Analytics Deployment kunye neCisco ISE Integration ye-ANC

Ukufakwa kwe-SMC

Ngena kwiconsole, chwetheza umyalelo SystemConfig. Ngenisa ubumbeko lwenethiwekhi yesixhobo.

Ukufakela iNode yeDatha

Ngena kwiconsole, chwetheza umyalelo SystemConfig. Ngenisa ubumbeko lwenethiwekhi yesixhobo.

Siye saqwalasela i-interface yolawulo, oku kulandelayo kunxibelelwano lwesibini lwenethiwekhi yonxibelelwano lwe-inter-Data Node (unxibelelwano kunye nezinye iindawo zedatha).

Ukufakelwa koMqokeleli wokuHamba

Ngena kwiconsole, chwetheza umyalelo SystemConfig. Qinisekisa ukuba zonke iinketho zetelemetry zikhethiwe.

Qwalasela izibuko ze telemetry.

I-Netflow: 2055
Imodyuli yokuBoneka kweNethiwekhi: 2030
I-Firewal Logs: 8514

Ngenisa ubumbeko lwenethiwekhi yesixhobo.

Ukufakela iSensor Flow

Ngena kwiconsole, chwetheza i-Comand SystemConfig. Ngenisa ubumbeko lwenethiwekhi yesixhobo.

Ukufakwa kwe-Cisco Telemetry Broker
Cisco Telemetry Brocker inxalenye engundoqo ye

I-Cisco Secure Network Analytics (eyayisakuba yiCisco Stealthwatch) kunye nesixhobo esinamandla sokwandisa i-telemetry, isetyenziswa ikakhulu:

Ukwenza lula ukuqokelelwa kunye nokudityaniswa kwe-Netflow, i-SNMP kunye ne-Syslog traffic.

Yenza lula ukuqwalasela kunye nokuthumela idatha ye-Netflow usebenzisa umthumeli omnye kwiZixhobo zakho zeNethiwekhi endaweni yabathengisi abahlukeneyo, ngakumbi xa unabahlalutyi be-netflow abahlukeneyo njengeCisco Secure Network Analytics, iSolarWinds okanye i-LiveAction, okanye ukuba unabaqokeleli abaninzi be-flow Cisco Secure Network Analytics.
Ukongeza ilula i-Telemetry Streams xa usebenzisa iindawo ezininzi kunye nokwahlula izisombululo zolawulo lwelogi.

Uyilo lweCisco Telemetry Broker lunamacandelo amabini:

INode yoMphathi
I-Broker Node.

I-Broker Nodes zonke zilawulwa ngumphathi omnye we-Cisco Telemetry Broker usebenzisa i-Management Interface. INode yoMphathi ifuna ujongano lwenethiwekhi enye yolawulo lwetrafikhi. I-Broker Node ifuna ujongano lwenethiwekhi ezimbini. Ujongano olulodwa lolawulo lonxibelelwano kunye nomphathi kunye neTelemetry interface ukuthumela iTelemetry kwiFlow Collector leyo ithumela kwiindawo ezicwangcisiweyo ezifana neSMC Management Console kwiCisco Secure Network Analytics isisombululo. I-Destination Flow Collector IP Address/Port ye-telemetry traffic kwi-Cisco Secure Network Analytics isisombululo yongezwa kwiNode yoMphathi kwaye iphoswe phantsi kwi-Broker Node ngokusebenzisa ujongano lolawulo ukuze ubafundise apho ukuya kwi-traffic ye-NetFlow.

Xa ufaka iNode yeBroker, kufuneka uyijoyine kumphathi weNode usebenzisa i-sudo ctb-manage command kwaye ibonelele ngedilesi ye-IP kunye neziqinisekiso zolawulo lweNode yoMphathi. Nje ukuba iNode yeBroker yongezwe kwiNode yoMphathi, i Web I-GUI yeNode yoMphathi ibonisa iNode yeBroker eyongeziweyo kunye nedilesi ye-IP yolawulo lwayo. Ukugqiba ukudibanisa phakathi kwe-Broker Node kunye neNode yoMphathi, kufuneka udibanise iDatha okanye iTelemetry Network Interface ye-Broker Node kwiNode yoMphathi. Ekugqibeleni iNethiwekhi iDevices ezifana ne-firewall, Routers kunye noTshintsho zisebenzisa idilesi ye-IP ye-Broker Node Telemetry njenge-Netflow Exporter.

Sebenzisa iNode yoMphathi
Qalisa i-sudo ctb-install -init umyalelo.

Faka ezi nkcukacha zilandelayo :

Igama lokugqithisa lomsebenzisi womlawuli
Igama lomamkeli
Idilesi ye-IPv4, i-subnet mask, kunye nedilesi yesango engagqibekanga yojongano loMnatha woLawulo
DNS nameserver IP idilesi

Sebenzisa iNode yeBroker
Qalisa i-sudo ctb-install -init umyalelo.

Faka ezi nkcukacha zilandelayo :

Igama lokugqithisa lomsebenzisi womlawuli
Igama lomamkeli
Idilesi ye-IPv4, i-subnet mask, kunye nedilesi yesango engagqibekanga yojongano loMnatha woLawulo
DNS nameserver IP idilesi

Sebenzisa i-sudo ctb-manage command.
Faka ezi nkcukacha zilandelayo :

Idilesi ye-IP yendawo yoMphathi
Igama lomsebenzisi leakhawunti yomlawuli yenodi yoMphathi

Ngena kwi-Cisco Telemetry Broker. Kwi web umkhangeli zincwadi, ngenisa idilesi yojongano loMphathi we IP yendawo yomphathi. Ukusuka kwimenyu ephambili, khetha iiNodi zeBroker.

Kwitheyibhile yeeNodi zeBroker, cofa indawo yomthengisi. Kwicandelo le-Telemetry Interface, Qwalasela i-Telemetry Interface kunye nesango elimiselweyo.

Ngoku izixhobo ze-SNA ziqulunqwe ngedilesi ye-IP yolawulo, kufuneka sizalise iSixhobo sokuSeta iSixhobo (AST) kumacandelo e-SNA nganye.

Isixhobo sokuSeta i-Appliance (AST) siya kumisela izixhobo ukuze zikwazi ukunxibelelana nazo zonke ezinye ii-SNA deployment.

SMC

Ukufikelela kwi SMC GUI.
Guqula iMigodlo eMiselweyo yolawulo, ingcambu, kunye nesysadmin.

Akukho lutshintsho lweNdibaniselwano yoLawulo lweNethiwekhi.
Qwalasela iGama lomamkeli kunye neeNdawo.
Qwalasela iiSeva zeDNS.
Qwalasela iseva ye-NTP.
Ekugqibeleni ubhalise i-SMC.
I-SMC iya kuqalisa kwakhona.

Indawo yokugcina idatha
Landela inkqubo efanayo, umahluko kuphela kukucwangciswa kweSetingi zoLawulo oluPhakathi. Kweli candelo Ngenisa idilesi ye-IP ye-SMC 198.19.20.136 kunye negama lomsebenzisi/igama lokugqitha.

Flow Collector
Landela inkqubo efanayo, umahluko kuphela kukucwangciswa kweSetingi zoLawulo oluPhakathi. Kweli candelo Ngenisa idilesi ye-IP ye-SMC 198.19.20.136 kunye negama lomsebenzisi/igama lokugqitha.

Ukuhamba kwesandi

Landela inkqubo efanayo, umahluko kuphela kukucwangciswa kweSetingi zoLawulo oluPhakathi. Kweli candelo Ngenisa idilesi ye-IP ye-SMC 198.19.20.136 kunye negama lomsebenzisi/igama lokugqitha.
Ukugqiba ukucwangciswa, Qalisa i-node yeDataStore.
SSH ukuya kwindawo yeDataStore kwaye usebenzise umyalelo weSystemConfig.

Landela incoko yababini esebenzayo ukuze uqalise indawo yeDataStore.
Ukufikelela kwi-SMC GUI, kuLawulo oluPhakathi sinokubona zonke izixhobo ze-Cisco SNA zixhunyiwe kwi-SMC.

Cisco Telemetry Broker Configuration
Ukufikelela kwi Cisco Telemetry Broker Manager node GUI. Cofa Yongeza indawo yokuFikela kwaye ukhethe i-UDP Destination. Qwalasela ezi parameters zilandelayo.

Indawo ekuyiwa kuyo: SNA-FC
Indawo yokufikela Idilesi yeIP: 198.19.20.137
Indawo yokufikela kwizibuko le-UDP: 2055
Cofa Yongeza uMthetho.
Ngena kwi-2055 njenge-UDP Port yokuFumana.

Cofa Yongeza indawo yokuFikela kwaye ukhethe i-UDP Destination.
Qwalasela ezi parameters zilandelayo.

Igama Lendawo: Umphathi
Indawo yokufikela Idilesi yeIP: 198.19.20.136
Indawo yokufikela kwizibuko le-UDP: 514
Cofa Yongeza uMthetho.
Ngena kwi-2055 njenge-UDP Port yokuFumana.

Cisco ISE Identity Iinkonzo Engine Integration
Yiya kuLawulo > pxGrid > Izatifikethi.

Gcwalisa ifom ngolu hlobo lulandelayo:

Cofa kwindawo endifuna ukuya kuyo kwaye ukhethe Khuphela ikhonkco leSatifikethi seNgcambu
Cofa kwindawo yamaGama omamkeli kwaye ukhethe admin
Cofa kwindawo yeSitifiketi sokuKhutshelwa kweFomathi kwaye ukhethe ukhetho lwePEM
Cofa Yenza
Khuphela i file njenge-ISE-CA-ROOT-CHAIN.zip.
Kwi-SMC GUI, cofa i-Central Management. Kwiphepha loLawulo oluPhakathi, fumana isixhobo soMphathi we-SMC, emva koko ukhethe Hlela ubumbeko lwesiXhobo.
Cofa ngokubanzi.
Skrolela ezantsi kwiTrust Store kwaye ucofe Yongeza Entsha. Khetha i-CertificateServicesRootCA-admin_.cer file. Cofa Yongeza isatifikethi.
I-SMC ngoku iya kuthemba izatifikethi ezikhutshwe yi-ISE CA.
Cofa ithebhu yesixhobo. Skrolela ezantsi kwi-SSL eyongezelelweyo/i-TLS yeZazisi zoMxumi icandelo kwaye ucofe Yongeza Entsha.
Iyakubuza ukuba ufuna ukuvelisa i-CSR, khetha Ewe kwaye ucofe Okulandelayo.

Gcwalisa i-CSR ngolu hlobo lulandelayo:

Ubude obuphambili be-RSA
Umbutho
ICandelo loMbutho
Indawo okanye iSixeko
Urhulumente okanye iPhondo
Ikhowusi yelizwe
Idilesi yemeyile

Cofa ukuvelisa i-CSR, emva koko Khuphela i-CSR.

Ukufikelela kwi Cisco ISE GUI. Yiya kuLawulo > pxGrid > Izatifikethi.

Sebenzisa olu lwazi lulandelayo :

Kwi endifuna ukuyibala, khetha Yenza isatifikethi esinye (ngesicelo sokusayina isatifikethi)
Kwixesha elidlulileyo i-CSR kwindawo yeeNkcukacha zokuSayina iSiqinisekiso
Chwetheza i-SMC kwindawo yeNkcazelo
Khetha idilesi ye-IP kwindawo ye-SAN kwaye ungenise 198.19.20.136 njengedilesi ye-IP enxulumeneyo.
Khetha ifomathi ye-PKCS12 njengokhetho lweFomathi yokuKhutshelwa kweSatifikethi
Faka igama lokugqithisa
Cofa Yenza
Gcina isiqinisekiso esenziwe ngegama SMC-PXGRID.

Phawula :
Kolunye ubhengezo olukhoyo lweCisco ISE, usenokuba unezatifikethi zenkqubo eziphelelwe lixesha ezisetyenziselwa ulawulo, iinkonzo zeep kunye nepxGrid njengoko kubonisiwe ngezantsi.

Oku kungenxa yokuba izatifikethi ze-Cisco ISE zangaphakathi ze-CA ezityikitya iziqinisekiso zenkqubo ziphelelwe lixesha.

Ukuhlaziya izatifikethi zesistim. Yiya kuLawulo > Iziqinisekiso > Izicelo zokuSayina iSatifikethi. Kwindawo yosetyenziso, khetha i-ISE Root CA, emva koko ucofe ku Buyisela i-ISE Root CA Certificate Chain.

I-Cisco ISE ivelisa izatifikethi ze-CA zangaphakathi. Ungalibali ukunyenyisa i-The Trusted For field kwiinkonzo ezifanelekileyo ezifana ne-pxGrid.

Ngoku izatifikethi zesistim ziyasebenza.

Ukufikelela kwi SMC GUI. Yiya kuLawulo oluphakathi. Kwisithuba soqwalaselo lweSixhobo se-SMC, skrolela ezantsi ukuze Yongeza i-SSL/TLS ifomu yeSazisi soMxumi, emva koko ucofe Khetha File, khetha isatifikethi se-SMC-PXGRID.

Kwi-SMC GUI, yiya kwi-Deploy> Cisco ISE Configuration.

Qwalasela Uqwalaselo lwe-ISE ngezi parameters zilandelayo:

Igama leqela: ISE-CLUSTER
Isatifikethi: SMC-PXGRID
IPxGrid Node ephambili: 198.19.20.141
Igama loMthengi: SMC-PXGRID

Yiya kuJonga > Abasebenzisi.
Qaphela ukuba sinokubona idatha yoMsebenzisi kwi-SMC.

Imigaqo-nkqubo ye-ISE Adaptive Network Control (ANC).
Khetha Imisebenzi > Ulawulo Lothungelwano oluLungelelayo > Uluhlu loMgaqo-nkqubo > Yongeza kwaye ufake i-SW_QUARANTINE yeGama lePolisi kunye ne-Quarantine for the Action.

Ukufikelela kwi SMC GUI. Khetha idilesi ye-IP kwideshibhodi, siyabona ukuba uMgaqo-nkqubo we-ISE ANC unabantu.

Imigaqo-nkqubo yoGunyaziso ye-ISE

Imigaqo-nkqubo engaphandle yogunyaziso lwehlabathi yenza ukuba uchaze imithetho engaphezulu kwayo yonke imigaqo yogunyaziso kuzo zonke iiseti zepolisi yakho. Nje ukuba uqwalasele umgaqo-nkqubo ongaphandle wogunyaziso, uyongezwa kuzo zonke iiseti zomgaqo-nkqubo.

Umthetho wangaphandle wogunyaziso wasekhaya ubhala phezu kwemithetho yangaphandle yehlabathi. Ngoko ke umgaqo okhethekileyo wendawo uqhutyelwa phambili kuqala, ngoko umthetho wehlabathi jikelele, kwaye ekugqibeleni, umgaqo oqhelekileyo womgaqo-nkqubo wokugunyazwa.
Enye yemeko yokusetyenziswa enomdla kule Mithetho ye-Exception kuxa uqwalasela i-Cisco Secure Network Analytics (iwotshi ye-Stealth) kunye ne-Cisco ISE yoLawulo lweeMpendulo usebenzisa i-Adaptive Network Policy (ANC) ukwenzela ukuba xa i-alamu iphakanyisiwe, i-Cisco Secure Network Analytics (i-Stealth watch) iya kucela i-Cisco ISE ukuba ivalele umninimzi nge-Adaptive Network Control Policy ngokusebenzisa i-Px Grid.
Olona qheliselo lulungileyo lokumisela uMgaqo-nkqubo woGunyaziso kwiCisco ISE ukuvalela umamkeli nokuba kuKwahlukileyo kwiNdawo okanye kwiHlabathi liphela.

Ukuba ufuna ukusebenzisa uMgaqo-nkqubo we-ANC kuzo zonke iiseti zomgaqo-nkqubo wakho, i-VPN, i-wireless aka yonke i-VPN enentambo kunye nabasebenzisi abangenazingcingo. Sebenzisa i-Global Exception.
Ukuba ufuna ukusebenzisa uMgaqo-nkqubo we-ANC kuphela kubasebenzisi beVPN okanye abasebenzisi be-Wired. Sebenzisa iPolisi yeNgingqi ngaphakathi kweeSeti zoMgaqo-nkqubo weVPN okanye iSeti yoMgaqo-nkqubo oXwebhu ngokulandelanayo.

Isenzo esizenzekelayo kunye neeMpendulo ne-ANC
Imeko : Inkampani isebenzisa i-Cisco Umbrella njengeseva ye-DNS ukuthintela izoyikiso ze-intanethi. Sifuna i-alam yesiko ukwenzela ukuba xa abasebenzisi bangaphakathi basebenzisa ezinye iiseva ze-DNS zangaphandle, i-alarm iyaqaliswa ukunqanda uxhulumaniso kwiiseva ze-DNS ezinobuqhetseba ezinokuthi zibuyisele i-traffic kwiindawo zangaphandle ngeenjongo ezikhohlakeleyo. Xa i-alam iphakanyisiwe, i-Cisco Secure Network Analytics iya kucela i-Cisco ISE ukuba ivalele umamkeli osebenzisa iiSeva ze-DNS ezinobuqhophololo ezinoMgaqo-nkqubo woLawulo lweNethiwekhi ye-Adaptive Network nge-PxGrid. Khangela kuLungiselelo> Ulawulo lomamkeli. Kwiqela labamkeli abangabazali Ngaphakathi kobumkeli, yenza iQela lomamkeli obizwa ngokuba yiNxibelelwano yeNkampani yenethiwekhi yakho yangaphakathi.

Kwiqela labazali abangabamkeli abaNgaphandle, yenza iQela lomamkeli obizwa ngokuba zii-Umbrella DNS Servers zeedilesi ze-IP ze-Umbrella.

Abasebenzisi bangaphakathi basebenzisa i-Cisco Umbrella njengeseva ye-DNS ukuthintela izoyikiso ze-intanethi. Qwalasela i-alam yesiko ukuze xa abasebenzisi bangaphakathi basebenzisa ezinye iiseva ze-DNS zangaphandle, i-alam iqaliswa ukunqanda uxhulumaniso kwiseva ye-DNS ekhohlakeleyo enokuthi iphinde iqondise i-traffic kwiindawo zangaphandle ngeenjongo ezikhohlakeleyo. Xa i-alam iphakanyisiwe, i-Cisco Secure Network Analytics iya kucela i-Cisco ISE ukuba ivalele umamkeli osebenzisa iiSeva ze-DNS ezinobuqhophololo ezinoMgaqo-nkqubo woLawulo lweNethiwekhi ye-Adaptive Network nge-PxGrid.

Khangela kuLungiselelo> Ulawulo loMgaqo-nkqubo.
Yenza imisitho yeSiko ngolu lwazi lulandelayo :

Igama : Izithuthi zeDNS ezingagunyaziswanga
Amaqela aBamkeli beSifundo : Uthungelwano lweNkampani
Amaqela aBamkeli abaNtanga : Ngaphandle kobumkeli be-Umbrella yeDNS
I-Peer Port / Protocols : 53 / UDP 53 / TCP

Ngokusisiseko esi siganeko siqaliswa xa nayiphi na inginginya engaphakathi kweQela loMamkeli weeNethiwekhi zeNkampani inxibelelana nayo nayiphi na inginginya ngaphakathi kweQela loMamkeli waNgaphandle ngaphandle kwabo bangaphakathi kweQela loMamkeli weeSeva ze-Umbrella ze-DNS, nge-53/UDP okanye i-53/TCP, i-alam iyaphakanyiswa.

Khangela kuLungiselelo> Ulawulo lweeMpendulo. Cofa kwi-Actions.

Khetha i-ISE ANC Policy Action. Nika igama kwaye ukhethe iqela le-Cisco ISE ekufuneka kuqhagamshelwane nalo ukuze kuqhagamshelwane nalo ukuze kufakwe umgaqo-nkqubo wokuvalelwa kuyo nayiphi na intshukumo yolwaphulo-mthetho okanye uqhagamshelo kwiiseva ezikhohlakeleyo.

Phantsi kwecandelo leMithetho. Yenza uMthetho omtsha. Lo mgaqo uza kusebenzisa iSenzo yangaphambili xa nayiphi na inginginya ngaphakathi kuthungelwano lwangaphakathi izama ukuthumela i-DNS traffic kwiiSeva zeDNS ezikhohlakeleyo. Kwicandelo Umgaqo uyacutshungulwa ukuba, khetha Chwetheza, skrolela ezantsi kwaye ukhethe isiganeko sesiko esenziwe ngaphambili. Ngaphantsi kweZenzo eziNxulunyanisiweyo, khetha isenzo se-ISE ANC esenziwe ngaphambili.

Ukusuka kumamkeli wangaphakathi, vula ikhonsoli yeCMD. Yenza umyalelo we-nslookup, emva koko iseva 8.8.8.8 umyalelo. Chwetheza kwiidilesi ezimbalwa ze-8.8.8.8 iseva ye-DNS ukusombulula.

Yiya kuHlola > Izabelo zoMgaqo-nkqubo we-ISE ANC. Kuya kufuneka ubone ukuba iCisco Secure Network Analytics isebenzise i-Adaptive Network Control Policy nge-PxGrid kunye ne-ISE ukuvalela umamkeli.

FAQ

Umbuzo: Ndisigcwalisa njani isiXhobo sokuSeta iSixhobo (AST) kwicandelo ngalinye le-SNA?
A: Nje ukuba izixhobo zombane ze-SNA ziqwalaselwe ngedilesi ye-IP yolawulo, ungazalisa i-AST kwicandelo ngalinye ngokulandela imiyalelo ethile enikwe elo candelo ngaphakathi kwencwadana yomsebenzisi okanye isikhokelo sokuseta.

Amaxwebhu / Izibonelelo

I-CISCO eKhuselekileyo yoHlahlo lweNethiwekhi yokuBelwa [pdf] Incwadi Yomyalelo
Ukusasazwa koHlalutyilo lweNethiwekhi ekhuselekileyo, ukusasazwa koHlalutyo lweNethiwekhi, ukusasazwa kohlalutyo, ukuhanjiswa

Iimbekiselo

Incwadi yokusebenzisa