Enterprise Network Function Virtualization Infrastructure Software
Product Information
Specifications
- NFVIS software version: 3.7.1 and later
- RPM signing and signature verification supported
- Secure boot available (disabled by default)
- Secure Unique Device Identification (SUDI) mechanism used
Security Considerations
The NFVIS software ensures security through several mechanisms:
- Image Tamper Protection: RPM signing and signature verification for all RPM packages in the ISO and upgrade images.
- RPM Signing: All RPM packages in the Cisco Enterprise NFVIS ISO and upgrade images are signed to ensure cryptographic integrity and authenticity.
- RPM Signature Verification: The signature of all RPM packages is verified before installation or upgrade.
- Image Integrity Verification: The hash of the Cisco NFVIS ISO image and upgrade image is published to ensure the integrity of the additional non-RPM files.
- ENCS Secure Boot: Part of the UEFI standard, ensures that the device boots using only trusted software.
- Secure Unique Device Identification (SUDI): Provides the device with an immutable identity to verify its genuineness.
Installation
To install the NFVIS software, follow these steps:
- Ensure that the software image has not been tampered with by verifying its signature and integrity.
- If using Cisco Enterprise NFVIS 3.7.1 and later, ensure that signature verification passes during installation. If it fails, the installation is aborted.
- If upgrading from Cisco Enterprise NFVIS 3.6.x to Release 3.7.1, the RPM signatures are verified during the upgrade. If signature verification fails, an error is logged but the upgrade is completed.
- If upgrading from Release 3.7.1 to later releases, the RPM signatures are verified when the upgrade image is registered. If signature verification fails, the upgrade is aborted.
- Verify the hash of the Cisco NFVIS ISO image or upgrade image using the command: /usr/bin/sha512sum <image_filepath>. Compare the hash with the published hash to ensure integrity.
Secure Boot
Secure boot is a feature available on ENCS (disabled by default) that ensures the device boots using only trusted software. To enable secure boot:
- Refer to the documentation on Secure Boot of Host for more information.
- Follow the instructions provided to enable secure boot on your device.
Secure Unique Device Identification (SUDI)
SUDI provides NFVIS with an immutable identity, verifying that it is a genuine Cisco product and ensuring its recognition in the customer's inventory system.
FAQ
Q: What is NFVIS?
A: NFVIS stands for Network Function Virtualization Infrastructure Software. It is a software platform used to deploy and manage virtual network functions.
Q: How can I verify the integrity of the NFVIS ISO image or upgrade image?
A: To verify the integrity, use the command /usr/bin/sha512sum <image_filepath> and compare the hash with the published hash provided by Cisco.
Q: Is secure boot enabled by default on ENCS?
A: No, secure boot is disabled by default on ENCS. It is recommended to enable secure boot for enhanced security.
Q: What is the purpose of SUDI in NFVIS?
A: SUDI provides NFVIS with a unique and immutable identity, ensuring its genuineness as a Cisco product and facilitating its recognition in the customer's inventory system.
Security Considerations
This chapter describes the security features and considerations in NFVIS. It gives a high-level overview of the security-related components in NFVIS so that you can plan a security strategy for the deployments specific to you. It also has recommendations on security best practices for enforcing the core elements of network security. The NFVIS software has security embedded right from installation through all software layers. The subsequent chapters focus on these out-of-the-box security aspects such as credential management, integrity and tamper protection, session management, secure device access and more.
· Installation
· Secure Unique Device Identification
· Device Access
· Infrastructure Management Network
· Locally Stored Information Protection
· File Transfer
· Logging
· Virtual Machine security
· VM Isolation and Resource provisioning
· Secure Development Lifecycle
Installation
To ensure that the NFVIS software has not been tampered with, the software image is verified before installation using the following mechanisms:
Image Tamper Protection
NFVIS supports RPM signing and signature verification for all RPM packages in the ISO and upgrade images.
RPM Signing
All RPM packages in the Cisco Enterprise NFVIS ISO and upgrade images are signed to ensure cryptographic integrity and authenticity. This guarantees that the RPM packages have not been tampered with and that the RPM packages are from NFVIS. The private key used for signing the RPM packages is created and securely maintained by Cisco.
RPM Signature Verification
The NFVIS software verifies the signature of all the RPM packages before installation or upgrade. The following table describes the Cisco Enterprise NFVIS behavior when the signature verification fails during an installation or upgrade.
Scenario | Description
Cisco Enterprise NFVIS 3.7.1 and later installations | If the signature verification fails while installing Cisco Enterprise NFVIS, the installation is aborted.
Cisco Enterprise NFVIS upgrade from 3.6.x to Release 3.7.1 | The RPM signatures are verified when the upgrade is being performed. If the signature verification fails, an error is logged but the upgrade is completed.
Cisco Enterprise NFVIS upgrade from Release 3.7.1 to later releases | The RPM signatures are verified when the upgrade image is registered. If the signature verification fails, the upgrade is aborted.
Image Integrity Verification
RPM signing and signature verification can be done only for the RPM packages available in the Cisco NFVIS ISO and upgrade images. To ensure the integrity of all the additional non-RPM files available in the Cisco NFVIS ISO image, a hash of the Cisco NFVIS ISO image is published along with the image. Similarly, a hash of the Cisco NFVIS upgrade image is published along with the image. To verify that the hash of the Cisco NFVIS ISO image or upgrade image matches the hash published by Cisco, run the following command and compare the hash with the published hash:
% /usr/bin/sha512sum <ImageFile>
c2122783efc18b039246ae1bcd4eec4e5e027526967b5b809da5632d462dfa6724a9b20ec318c74548c6bd7e9b8217ce96b5ece93dcdd74fda5e01bb382ad607 <ImageFile>
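A scripted form of the comparison above, as an added example that is not part of the Cisco documentation: it recomputes the SHA-512 of an image and compares it with the published value, and it rejects a malformed published digest rather than reporting a plain mismatch. The function names are chosen for this illustration.

```python
import hashlib
import re
import sys

# A SHA-512 digest is exactly 128 hexadecimal characters.
_SHA512_HEX = re.compile(r"[0-9a-fA-F]{128}")


def parse_published_sha512(text):
    """Return the digest from a bare hex string or a `sha512sum` output line.

    `sha512sum` prints "<hex>  <file>" (or "<hex> *<file>" in binary mode),
    so the digest is always the first whitespace-separated field.
    """
    fields = text.split()
    if not fields or not _SHA512_HEX.fullmatch(fields[0]):
        # A truncated or mistyped published value must never pass as "verified".
        raise ValueError("published value is not a 128-hex-digit SHA-512 digest")
    return fields[0].lower()


def sha512_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a multi-gigabyte ISO is never held in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_matches_published_hash(image_path, published):
    """True only if the image's SHA-512 equals the published digest."""
    expected = parse_published_sha512(published)
    return sha512_of_file(image_path) == expected


if __name__ == "__main__":
    # Usage: python verify_image.py <ImageFile> <published-hash>
    image, published = sys.argv[1], sys.argv[2]
    ok = image_matches_published_hash(image, published)
    print("OK: hash matches" if ok else "MISMATCH: do not install this image")
    sys.exit(0 if ok else 1)
```

The published value should be obtained over a channel separate from the image download, since a hash fetched alongside a tampered image can be replaced with it.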
ENCS Secure Boot
Secure boot is part of the Unified Extensible Firmware Interface (UEFI) standard, which ensures that a device boots only using software that is trusted by the Original Equipment Manufacturer (OEM). When NFVIS starts, the firmware checks the signature of the boot software and the operating system. If the signatures are valid, the device boots, and the firmware gives control to the operating system.
Secure boot is available on the ENCS but is disabled by default. Cisco recommends that you enable secure boot. For more information, see Secure Boot of Host.
Secure Unique Device Identification
NFVIS uses a mechanism known as Secure Unique Device Identification (SUDI), which provides it with an immutable identity. This identity is used to verify that the device is a genuine Cisco product, and to ensure that the device is well known to the customer's inventory system.
The SUDI is an X.509v3 certificate and an associated key pair which are protected in hardware. The SUDI certificate contains the product identifier and serial number and is rooted in the Cisco Public Key Infrastructure. The key pair and the SUDI certificate are inserted into the hardware module during manufacturing, and the private key can never be exported.
The SUDI-based identity can be used to perform authenticated and automated configuration using Zero Touch Provisioning (ZTP). This enables secure, remote on-boarding of devices, and ensures that the orchestration server is talking to a genuine NFVIS device. A backend system can issue a challenge to the NFVIS device to validate its identity, and the device will respond to the challenge using its SUDI-based identity. This allows the backend system not only to verify against its inventory that the right device is in the right location but also to provide encrypted configuration that can only be opened by the specific device, thereby ensuring confidentiality in transit.
The following workflow diagrams illustrate how NFVIS uses SUDI:
Figure 1: Plug and Play (PnP) Server Authentication
Figure 2: Plug and Play Device Authentication and Authorization
Device Access
NFVIS provides different access mechanisms including console as well as remote access based on protocols such as HTTPS and SSH. Each access mechanism should be carefully reviewed and configured. Ensure that only the required access mechanisms are enabled and that they are properly secured. The key steps to securing both interactive and management access to NFVIS are to restrict the device accessibility, restrict the capabilities of the permitted users to what is required, and restrict the permitted methods of access. NFVIS ensures that access is granted only to authenticated users and that they can perform only the authorized actions. Device access is logged for auditing, and NFVIS ensures the confidentiality of the locally stored sensitive data. It is critical to establish the appropriate controls in order to prevent unauthorized access to NFVIS. The following sections describe the best practices and configurations to achieve this:
Enforced Password Change at First Login
Default credentials are a frequent source of product security incidents. Customers often forget to change the default login credentials, leaving their systems open to attack. To prevent this, the NFVIS user is forced to change the password after the first login using the default credentials (username: admin and password Admin123#). For more information, see Accessing NFVIS.
Restricting Login Vulnerabilities
You can prevent vulnerability to dictionary and Denial of Service (DoS) attacks by using the following features.
Enforcement of Strong password
An authentication mechanism is only as strong as its credentials. For this reason, it is important to ensure that users have strong passwords. NFVIS checks that a strong password is configured as per the following rules: Password must contain:
· At least one uppercase character
· At least one lowercase character
· At least one number
· At least one of these special characters: hash (#), underscore (_), hyphen (-), asterisk (*), or question mark (?)
· Seven characters or greater
· The password length should be between 7 and 128 characters.
Configuring Minimum Length for Passwords
Lack of password complexity, particularly password length, significantly reduces the search space when attackers try to guess user passwords, making brute-force attacks much easier. The admin user can configure the minimum length required for the passwords of all users. The minimum length must be between 7 and 128 characters. By default, the minimum length required for passwords is set to 7 characters.
CLI:
nfvis(config)# rbac authentication min-pwd-length 9
API:
/api/config/rbac/authentication/min-pwd-length
Configuring Password Lifetime
The password lifetime determines how long a password can be used before the user is required to change it.
The admin user can configure minimum and maximum lifetime values for the passwords of all users and enforce a rule to check these values. The default minimum lifetime value is set to 1 day and the default maximum lifetime value is set to 60 days. When a minimum lifetime value is configured, the user cannot change the password until the specified number of days have passed. Similarly, when a maximum lifetime value is configured, a user must change the password before the specified number of days pass. If a user does not change the password and the specified number of days have passed, a notification is sent to the user.
Note: The minimum and maximum lifetime values and the rule to check for these values are not applied to the admin user.
CLI:
configure terminal
rbac authentication password-lifetime enforce true min-days 2 max-days 30
commit
API:
/api/config/rbac/authentication/password-lifetime/
Limit previous password reuse
Without preventing the use of previous passphrases, password expiry is largely useless since users can simply change the passphrase and then change it back to the original. NFVIS checks that the new password is not the same as one of the 5 previously used passwords. One exception to this rule is that the admin user can change the password to the default password even if it was one of the 5 previously used passwords.
Restrict Frequency of login attempts
If a remote peer is allowed to log in an unlimited number of times, it may eventually be able to guess the login credentials by brute force. Since passphrases are often easy to guess, this is a common attack. By limiting the rate at which the peer can attempt logins, we prevent this attack. We also avoid spending system resources on unnecessarily authenticating these brute-force login attempts, which could create a Denial of Service attack. NFVIS enforces a 5 minute user lockout after 10 failed login attempts.
Disable inactive user accounts
Monitoring user activity and disabling unused or stale user accounts helps to secure the system from insider attacks. Unused accounts should eventually be removed. The admin user can enforce a rule to mark unused user accounts as inactive and configure the number of days after which an unused user account is marked as inactive. Once marked as inactive, that user cannot log in to the system. To allow the user to log in to the system, the admin user can activate the user account.
Note: The inactivity period and the rule to check the inactivity period are not applied to the admin user.
The following CLI and API can be used to configure the enforcement of account inactivity.
CLI:
configure terminal
rbac authentication account-inactivity enforce true inactivity-days 30
commit
API:
/api/config/rbac/authentication/account-inactivity/
The default value for inactivity-days is 35.
Activating an Inactive User Account
The admin user can activate the account of an inactive user using the following CLI and API:
CLI:
configure terminal
rbac authentication users user guest_user activate
commit
API:
/api/operations/rbac/authentication/users/user/username/activate
Enforce Setting of BIOS and CIMC Passwords
Table 1: Feature History Table
Feature Name | Release Information | Description
Enforce Setting of BIOS and CIMC Passwords | NFVIS 4.7.1 | This feature enforces the user to change the default password of CIMC and BIOS.
Restrictions for Enforce Setting of BIOS and CIMC Passwords
· This feature is only supported on Cisco Catalyst 8200 UCPE and Cisco ENCS 5400 platforms.
· This feature is only supported on a fresh install of NFVIS 4.7.1 and later releases. If you upgrade from NFVIS 4.6.1 to NFVIS 4.7.1, this feature is not supported and you are not prompted to reset the BIOS and CIMC passwords, even if the BIOS and CIMC passwords are not configured.
Information About Enforce Setting of BIOS and CIMC Passwords
This feature addresses a security gap by enforcing the reset of the BIOS and CIMC passwords after a fresh install of NFVIS 4.7.1. The default CIMC password is password and the default BIOS password is no password.
To fix the security gap, you are enforced to configure the BIOS and CIMC passwords in ENCS 5400. During a fresh install of NFVIS 4.7.1, if the BIOS and CIMC passwords have not been changed and still have the default passwords, you are prompted to change both the BIOS and CIMC passwords. If only one of them requires a reset, you are prompted to reset the password for only that component. Cisco Catalyst 8200 UCPE requires only the BIOS password, and hence only the BIOS password reset is prompted, if it has not already been set.
Note: If you upgrade from any previous release to NFVIS 4.7.1 or later releases, you can change the BIOS and CIMC passwords using the hostaction change-bios-password newpassword or hostaction change-cimc-password newpassword commands.
For more information about BIOS and CIMC passwords, see BIOS and CIMC Password.
Configuration Examples for Enforced Resetting of BIOS and CIMC Passwords
1. When you install NFVIS 4.7.1, you must first reset the default admin password.
Cisco Network Function Virtualization Infrastructure Software (NFVIS)
NFVIS Version: 99.99.0-1009
Copyright (c) 2015-2021 by Cisco Systems, Inc. Cisco, Cisco Systems, and Cisco Systems logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
The copyrights to certain works contained in this software are owned by other third parties and used and distributed under third party license agreements. Certain components of this software are licensed under the GNU GPL 2.0, GPL 3.0, LGPL 2.1, LGPL 3.0 and AGPL 3.0.
admin connected from 10.24.109.102 using ssh on nfvis
admin logged with default credentials
Please provide a password which satisfies the following criteria:
1.At least one lowercase character
2.At least one uppercase character
3.At least one number
4.At least one special character from # _ - * ?
5.Length should be between 7 and 128 characters
Please reset the password :
Please reenter the password :
Resetting admin password
2. On Cisco Catalyst 8200 UCPE and Cisco ENCS 5400 platforms, when you do a fresh install of NFVIS 4.7.1 or later releases, you must change the default BIOS and CIMC passwords. If the BIOS and CIMC passwords are not previously configured, the system prompts you to reset the BIOS and CIMC passwords for Cisco ENCS 5400 and only the BIOS password for Cisco Catalyst 8200 UCPE.
New admin password is set
Please provide the BIOS password which satisfies the following criteria:
1. At least one lowercase character
2. At least one uppercase character
3. At least one number
4. At least one special character from #, @ or _
5. Length should be between 8 and 20 characters
6. Should not contain any of the following strings (case sensitive): bios
7. First character cannot be a #
Please reset the BIOS password :
Please reenter the BIOS password :
Please provide the CIMC password which satisfies the following criteria:
1. At least one lowercase character
2. At least one uppercase character
3. At least one number
4. At least one special character from #, @ or _
5. Length should be between 8 and 20 characters
6. Should not contain any of the following strings (case sensitive): admin
Please reset the CIMC password :
Please reenter the CIMC password :
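The three rule sets on this page (the NFVIS user rules under strong password enforcement, and the BIOS and CIMC prompts above) can be checked before a candidate password is pushed to a device. The following is an added example, not Cisco code; the class, constant and function names are chosen for this illustration, and it checks only the rules the page lists.

```python
import string
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    specials: str                  # at least one of these must appear
    min_len: int
    max_len: int
    banned_substrings: tuple = ()  # matched case-sensitively, as the prompts state
    banned_first_chars: str = ""


# Values taken from the rule list and the console prompts on this page.
NFVIS_USER = PasswordPolicy("NFVIS user", "#_-*?", 7, 128)
BIOS = PasswordPolicy("BIOS", "#@_", 8, 20, ("bios",), "#")
CIMC = PasswordPolicy("CIMC", "#@_", 8, 20, ("admin",))


def with_min_length(policy, min_len):
    """Mirror an admin-configured minimum length (the page allows 7 to 128)."""
    if not 7 <= min_len <= 128:
        raise ValueError("minimum length must be between 7 and 128")
    return replace(policy, min_len=min_len)


def violations(password, policy):
    """Return the rules the password breaks; an empty list means it is acceptable."""
    problems = []
    if not policy.min_len <= len(password) <= policy.max_len:
        problems.append(f"length must be {policy.min_len}-{policy.max_len} characters")
    checks = (
        ("lowercase character", string.ascii_lowercase),
        ("uppercase character", string.ascii_uppercase),
        ("number", string.digits),
        (f"special character from {' '.join(policy.specials)}", policy.specials),
    )
    for label, alphabet in checks:
        if not any(ch in alphabet for ch in password):
            problems.append(f"needs at least one {label}")
    for banned in policy.banned_substrings:
        if banned in password:  # case-sensitive: "Bios" is not "bios"
            problems.append(f"must not contain '{banned}'")
    if password and password[0] in policy.banned_first_chars:
        problems.append(f"first character cannot be {password[0]}")
    return problems


if __name__ == "__main__":
    # Constructed candidates, checked before they are sent to a device.
    samples = [("Admin123#", NFVIS_USER), ("#Secure_bios1", BIOS), ("Passw0rd!", CIMC)]
    for candidate, policy in samples:
        print(policy.name, repr(candidate), violations(candidate, policy) or "ok")
```

The default password Admin123# satisfies every NFVIS user rule, so it is the forced change at first login, not the complexity check, that removes the default credential.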
Verify BIOS and CIMC Passwords
To verify whether the BIOS and CIMC passwords were changed successfully, use the show log nfvis_config.log | include BIOS or show log nfvis_config.log | include CIMC commands:
nfvis# show log nfvis_config.log | include BIOS
2021-11-16 15:24:40,102 INFO [hostaction:/system/settings] [] BIOS password change is successful
You can also download the nfvis_config.log file and verify whether the passwords were reset successfully.
Integration with external AAA servers
Users log in to NFVIS through ssh or the Web UI. In either case, users need to be authenticated. That is, a user needs to present password credentials in order to gain access.
Once a user is authenticated, all operations performed by that user need to be authorized. That is, certain users may be allowed to perform certain tasks, whereas others are not. This is called authorization.
It is recommended that a centralized AAA server be deployed to enforce per-user, AAA-based login authentication for NFVIS access. NFVIS supports the RADIUS and TACACS protocols to mediate network access. On the AAA server, only minimum access privileges should be granted to authenticated users according to their specific access requirements. This reduces the exposure to both malicious and unintentional security incidents.
For more information on external authentication, see Configuring RADIUS and Configuring a TACACS+ Server.
Authentication Cache for External Authentication Server
Feature Name | Release Information | Description
Authentication Cache for External Authentication Server | NFVIS 4.5.1 | This feature supports TACACS authentication through OTP on the NFVIS portal.
The NFVIS portal uses the One-Time Password (OTP) for all API calls after the initial authentication. The API calls fail as soon as the OTP expires. This feature supports TACACS OTP authentication with the NFVIS portal.
After you have successfully authenticated through the TACACS server using an OTP, NFVIS creates a hash entry using the username and the OTP and stores this hash value locally. This locally stored hash value has an expiration time stamp associated with it. The time stamp has the same value as the SSH session idle timeout value, which is 15 minutes. All subsequent authentication requests with the same username are authenticated against this local hash value first. If the authentication fails with the local hash, NFVIS authenticates this request with the TACACS server and creates a new hash entry when the authentication is successful. If a hash entry already exists, its time stamp is reset to 15 minutes.
If you are removed from the TACACS server after successfully logging in to the portal, you can continue to use the portal until the hash entry in NFVIS expires.
When you explicitly log out from the NFVIS portal or are logged out due to idle time, the portal calls a new API to notify the NFVIS backend to flush the hash entry. The authentication cache and all its entries are cleared after an NFVIS reboot, factory reset, or upgrade.
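A minimal model of the cache behaviour described above, added here as an illustration and not NFVIS source code. The SHA-256 construction, the `tacacs_check` callback, the class and method names, and resetting the time stamp on each cache hit are assumptions; the page states only that a hash of the username and OTP is stored with a 15-minute expiry.

```python
import hashlib
import hmac
import time

CACHE_TTL_SECONDS = 15 * 60  # the page ties expiry to the 15-minute SSH idle timeout


class OtpAuthCache:
    """Local hash cache placed in front of a TACACS OTP check.

    `tacacs_check(username, otp) -> bool` is a hypothetical stand-in for the
    round trip to the TACACS server; `clock` is injectable so expiry is testable.
    """

    def __init__(self, tacacs_check, clock=time.monotonic):
        self._tacacs_check = tacacs_check
        self._clock = clock
        self._entries = {}  # username -> (hash value, expiry time)

    @staticmethod
    def _hash(username, otp):
        # Assumption: the page does not name the hash construction. Fields are
        # length-prefixed so ("ab", "c") and ("a", "bc") produce different hashes.
        digest = hashlib.sha256()
        for field in (username, otp):
            raw = field.encode("utf-8")
            digest.update(len(raw).to_bytes(4, "big") + raw)
        return digest.digest()

    def authenticate(self, username, otp):
        """Return "cache", "tacacs" or "denied" for one authentication request."""
        now = self._clock()
        candidate = self._hash(username, otp)
        entry = self._entries.get(username)
        if entry is not None:
            stored, expires_at = entry
            if now >= expires_at:
                del self._entries[username]  # expired entry is dropped
            elif hmac.compare_digest(stored, candidate):
                # Hit on the local hash: the time stamp is reset to 15 minutes.
                self._entries[username] = (stored, now + CACHE_TTL_SECONDS)
                return "cache"
        # No entry, expired entry or hash mismatch: ask the TACACS server.
        if self._tacacs_check(username, otp):
            self._entries[username] = (candidate, now + CACHE_TTL_SECONDS)
            return "tacacs"
        return "denied"

    def residual_access_seconds(self, username):
        """How long the cached entry still grants access without TACACS."""
        entry = self._entries.get(username)
        if entry is None:
            return 0.0
        return max(0.0, entry[1] - self._clock())

    def logout(self, username):
        """Explicit or idle logout: the portal asks the backend to flush the entry."""
        self._entries.pop(username, None)

    def clear(self):
        """Reboot, factory reset or upgrade: every entry is removed."""
        self._entries.clear()


if __name__ == "__main__":
    # Constructed scenario: the user is removed from TACACS after logging in.
    tacacs_users = {("alice", "492817")}
    cache = OtpAuthCache(lambda u, o: (u, o) in tacacs_users)
    print(cache.authenticate("alice", "492817"))   # first request goes to TACACS
    tacacs_users.clear()                           # account removed on the server
    print(cache.authenticate("alice", "492817"))   # still served from the cache
    print(round(cache.residual_access_seconds("alice")))
```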
Role Based Access Control
Limiting network access is important to organizations that have many employees, employ contractors or permit access to third parties, such as customers and vendors. In such a scenario, it is difficult to monitor network access effectively. Instead, it is better to control what is accessible, in order to secure the sensitive data and critical applications.
Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within an enterprise. RBAC lets users access just the information they need, and prevents them from accessing information that doesn't pertain to them.
An employee's role in the enterprise should be used to determine the permissions granted, in order to ensure that employees with lower privileges can't access sensitive information or perform critical tasks.
The following user roles and privileges are defined in NFVIS:
User Role | Privilege
Administrators | Can configure all available features and perform all tasks including changing of user roles. The administrator cannot delete basic infrastructure that is fundamental to NFVIS. The admin user's role cannot be changed; it is always "administrators".
Operators | Can start and stop a VM, and view all information.
Auditors | They are the least privileged users. They have read-only permission and therefore cannot modify any configuration.
Benefits of RBAC
There are a number of benefits to using RBAC to restrict unnecessary network access based on people's roles within an organization, including:
· Improving operational efficiency. Having predefined roles in RBAC makes it easy to include new users with the right privileges or switch the roles of existing users. It also cuts down on the potential for error when user permissions are being assigned.
· Enhancing compliance. Every organization must comply with local, state and federal regulations. Companies generally prefer to implement RBAC systems to meet the regulatory and statutory requirements for confidentiality and privacy because executives and IT departments can more effectively manage how the data is accessed and used. This is particularly important for financial institutions and healthcare companies that manage sensitive data.
· Reducing costs. By not allowing user access to certain processes and applications, companies may conserve or use resources such as network bandwidth, memory and storage in a cost-effective manner.
· Decreasing the risk of breaches and data leakage. Implementing RBAC means restricting access to sensitive information, thus reducing the potential for data breaches or data leakage.
Best practices for role-based access control implementations
· As an administrator, determine the list of users and assign the users to the predefined roles. For example, user "networkadmin" can be created and added to the user group "administrators".
configure terminal
rbac authentication users create-user name networkadmin password Test1_pass role administrators
Note: The user groups or roles are created by the system. You cannot create or modify a user group. To change the password, use the rbac authentication users user change-password command in global configuration mode. To change the user role, use the rbac authentication users user change-role command in global configuration mode.
· Terminate accounts for users who no longer require access.
configure terminal
rbac authentication users delete-user name test1
· Periodically conduct audits to evaluate the roles, the employees who are assigned to them and the access that is permitted for each role. If a user is found to have unnecessary access to a certain system, change the user's role.
For more details, see Users, Roles, and Authentication.
Granular Role-Based Access Control
Starting from NFVIS 4.7.1, the Granular Role-Based Access Control feature is introduced. This feature adds a new resource group policy that manages the VM and VNF and allows you to assign users to a group to control VNF access during VNF deployment. For more information, see Granular Role-Based Access Control.
Restrict Device Accessibility
Users have repeatedly been caught unaware by attacks against features they had not protected because they did not know that those features were enabled. Unused services tend to be left with default configurations which are not always secure. These services may also be using default passwords. Some services can give an attacker easy access to information on what the server is running or how the network is set up. The following sections describe how NFVIS avoids such security risks:
Attack vector reduction
Any piece of software can potentially contain security vulnerabilities. More software means more avenues for attack. Even if there are no publicly known vulnerabilities at the time of inclusion, vulnerabilities will be discovered or disclosed in the future. To avoid such scenarios, only those software packages which are essential for the NFVIS functionality are installed. This helps to limit software vulnerabilities, reduce resource consumption, and reduce extra work when problems are found with those packages. All third-party software included in NFVIS is registered at a central database in Cisco so that Cisco is able to perform a company-level organized response (Legal, Security, etc). Software packages are periodically patched in every release for known Common Vulnerabilities and Exposures (CVEs).
Enabling only essential ports by default
Only those services which are necessary to set up and manage NFVIS are available by default. This removes the user effort required to configure firewalls and deny access to unnecessary services. The only services that are enabled by default are listed below along with the ports they open.
| Open Port | Service | Description |
|---|---|---|
| 22/TCP | SSH | Secure Socket Shell for remote command-line access to NFVIS |
| 80/TCP | HTTP | Hypertext Transfer Protocol for NFVIS portal access. All HTTP traffic received by NFVIS is redirected to port 443 for HTTPS |
| 443/TCP | HTTPS | Hypertext Transfer Protocol Secure for secure NFVIS portal access |
| 830/TCP | NETCONF-ssh | Port opened for Network Configuration Protocol (NETCONF) over SSH. NETCONF is a protocol used for automated configuration of NFVIS and for receiving asynchronous event notifications from NFVIS. |
| 161/UDP | SNMP | Simple Network Management Protocol (SNMP). Used by NFVIS to communicate with remote network-monitoring applications. For more information see, Introduction about SNMP |
Restrict Access To Authorized Networks For Authorized Services
Only authorized originators should be permitted to even attempt access to device management, and access should be only to the services they are authorized to use. NFVIS can be configured so that access is restricted to known, trusted sources and expected management traffic profiles. This reduces the risk of unauthorized access and the exposure to other attacks, such as brute force, dictionary, or DoS attacks.
To protect the NFVIS management interfaces from unnecessary and potentially harmful traffic, an admin user can create Access Control Lists (ACLs) for the network traffic that is received. These ACLs specify the source IP addresses/networks from which the traffic originates, and the type of traffic that is permitted or rejected from these sources. These IP traffic filters are applied to each management interface on NFVIS. The following parameters are configured in an IP receive Access Control List (ip-receive-acl):
| Parameter | Value | Description |
|---|---|---|
| Source network/Netmask | Network/netmask. For example: 0.0.0.0/0, 172.39.162.0/24 | This field specifies the IP address/network from which the traffic originates |
| Service | https, icmp, netconf, scpd, snmp, ssh | Type of traffic from the specified source. |
| Action | accept, reject, drop | Action to be taken on the traffic from the source network. With accept, new connection attempts will be granted. With reject, connection attempts will not be accepted. If the rule is for a TCP-based service such as HTTPS, NETCONF, SCP, SSH, the source will get a TCP reset (RST) packet. For non-TCP rules such as SNMP and ICMP, the packet will be dropped. With drop, all packets will be dropped immediately, and no information is sent to the source. |
| Priority | A numeric value | The priority is used to enforce an order on the rules. Rules with a higher numeric value for priority will be added further down in the chain. If you want to make sure that a rule will be added after another one, use a low priority number for the first and a higher priority number for the following ones. |
The following sample configurations illustrate some scenarios that can be adapted for specific use cases.
Configuring the IP Receive ACL
The more restrictive an ACL, the more limited the exposure to unauthorized access attempts. However, a more restrictive ACL can create a management overhead, and can impact accessibility to perform troubleshooting. Consequently, there is a balance to be considered. One compromise is to restrict access to internal corporate IP addresses only. Each customer must evaluate the implementation of ACLs in relation to their own security policy, risks, exposure, and acceptance thereof.
Reject ssh traffic from a subnet:
nfvis(config)# system settings ip-receive-acl 171.70.63.0/24 service ssh action reject priority 1
Removing ACLs:
When an entry is deleted from ip-receive-acl, all configurations for that source are deleted since the source IP address is the key. To delete just one service, configure the other services again.
nfvis(config)# no system settings ip-receive-acl 171.70.63.0/24
For more details see, Configuring the IP Receive ACL
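The ordering and action semantics of ip-receive-acl entries described above, modelled as an added example (not NFVIS code or Cisco tooling). It assumes first-match evaluation in ascending priority order; the entry shape, the function names and the two audit checks are illustrative, and the sample entries are constructed.

```javascript
// Added example: a model of ip-receive-acl ordering and actions, not NFVIS code.
// Assumption: entries are evaluated lowest priority number first, and the first
// entry that matches both source and service decides the outcome.
const TCP_SERVICES = new Set(['https', 'netconf', 'scpd', 'ssh']);
const ALL_SERVICES = new Set([...TCP_SERVICES, 'icmp', 'snmp']);
const ACTIONS = new Set(['accept', 'reject', 'drop']);

// Dotted-quad IPv4 string -> unsigned 32-bit number.
function ipToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4 || parts.some(p => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return parts.reduce((acc, p) => acc * 256 + Number(p), 0);
}

// "171.70.63.0/24" -> { base, mask, len } with host bits cleared.
function parseCidr(cidr) {
  const [net, lenStr = ''] = String(cidr).split('/');
  if (!/^\d{1,2}$/.test(lenStr) || Number(lenStr) > 32) {
    throw new Error(`invalid prefix length: ${cidr}`);
  }
  const len = Number(lenStr);
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return { base: (ipToInt(net) & mask) >>> 0, mask, len };
}

const covers = (net, ipInt) => ((ipInt & net.mask) >>> 0) === net.base;

// Validate entries and return them in evaluation order.
function ordered(entries) {
  return entries
    .map(e => {
      if (!ACTIONS.has(e.action)) throw new Error(`unknown action: ${e.action}`);
      const bad = e.services.find(s => !ALL_SERVICES.has(s));
      if (bad) throw new Error(`unknown service: ${bad}`);
      return { ...e, net: parseCidr(e.source) };
    })
    .sort((a, b) => a.priority - b.priority);
}

// What a sender at srcIp observes when it tries `service`.
function evaluate(entries, srcIp, service) {
  const ip = ipToInt(srcIp);
  for (const e of ordered(entries)) {
    if (!covers(e.net, ip) || !e.services.includes(service)) continue;
    let senderSees = 'nothing (packets dropped)'; // drop, or reject on ICMP/SNMP
    if (e.action === 'accept') senderSees = 'connection proceeds';
    else if (e.action === 'reject' && TCP_SERVICES.has(service)) senderSees = 'TCP RST';
    return { matched: e.source, action: e.action, senderSees };
  }
  return { matched: null, action: null, senderSees: 'not decided by these entries' };
}

// Flag accept-from-anywhere entries and entries an earlier one makes unreachable.
function audit(entries) {
  const list = ordered(entries);
  const findings = [];
  list.forEach((e, i) => {
    if (e.action === 'accept' && e.net.len === 0) {
      findings.push(`${e.source} (priority ${e.priority}): accepts ` +
        `${e.services.join(',')} from any source`);
    }
    const earlier = list.slice(0, i).find(p =>
      p.net.len <= e.net.len && covers(p.net, e.net.base) &&
      e.services.every(s => p.services.includes(s)));
    if (earlier) {
      findings.push(`${e.source} (priority ${e.priority}): never reached, shadowed by ` +
        `${earlier.source} (priority ${earlier.priority})`);
    }
  });
  return findings;
}

// Constructed sample entries; only the network values 0.0.0.0/0, 171.70.63.0/24
// and 172.39.162.0/24 are taken from the page's examples.
const SAMPLE_ACL = [
  { source: '0.0.0.0/0',       services: ['https'],       action: 'accept', priority: 10 },
  { source: '171.70.63.0/24',  services: ['ssh'],         action: 'reject', priority: 1 },
  { source: '172.39.162.0/24', services: ['ssh', 'snmp'], action: 'reject', priority: 2 },
  { source: '198.51.100.0/24', services: ['icmp'],        action: 'drop',   priority: 3 },
  { source: '172.39.162.7/32', services: ['ssh'],         action: 'accept', priority: 5 },
];

console.log(evaluate(SAMPLE_ACL, '172.39.162.7', 'ssh'));
console.log(audit(SAMPLE_ACL));
```

The /32 accept at priority 5 never takes effect because the /24 reject at priority 2 matches first; giving the narrower entry the lower priority number is what makes an exception work.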
Privileged Debug Access
The super-user account on NFVIS is disabled by default, to prevent all unrestricted, potentially adverse, system-wide changes, and NFVIS does not expose the system shell to the user.
However, for some hard-to-debug issues on the NFVIS system, the Cisco Technical Assistance Center (TAC) team or the development team may require shell access to the customer's NFVIS. NFVIS has a secure unlock infrastructure to ensure that privileged debug access to a device in the field is restricted to authorized Cisco employees. To securely access the Linux shell for this kind of interactive debugging, a challenge-response authentication mechanism is used between NFVIS and the Interactive Debug server maintained by Cisco. The admin user's password is also required in addition to the challenge-response entry to ensure that the device is accessed with the customer's consent.
Steps to access the shell for Interactive Debugging:
1. An admin user initiates this procedure using this hidden command.
nfvis# system shell-access
2. The screen will show a challenge string, for example:
Challenge String (Please copy everything between the asterisk lines exclusively):
********************************************************************************
SPH//wkAAABORlZJU0VOQ1M1NDA4L0s5AQAAABt+dcx+hB0V06r9RkdMMjEzNTgw
RlHq7BxeAAA=
DONE.
********************************************************************************
3. The Cisco member enters the Challenge string on the Interactive Debug server maintained by Cisco. This server verifies that the Cisco user is authorized to debug NFVIS using the shell, and then returns a response string.
4. Enter the response string on the screen below this prompt: Input your response when ready:
5. When prompted, the customer should enter the admin password.
6. You get shell access if the password is valid.
7. The development or TAC team uses the shell to proceed with the debugging.
8. To exit shell access, type Exit.
Secure Interfaces
NFVIS management access is allowed using the interfaces shown in the diagram. The following sections describe security best practices for these interfaces to NFVIS.
Console
The console port is an asynchronous serial port that allows you to connect to the NFVIS CLI for initial configuration. A user can access the console with either physical access to the NFVIS or remote access through a terminal server. If console port access is required through a terminal server, configure access lists on the terminal server to allow access only from the required source addresses.
SSH
Users can access the NFVIS CLI by using SSH as a secure means of remote login. The integrity and confidentiality of NFVIS management traffic is essential to the security of the administered network, since administration protocols frequently carry information that could be used to penetrate or disrupt the network.
NFVIS uses SSH version 2, which is Cisco's and the Internet's de facto standard protocol for interactive logins, and supports strong encryption, hash, and key exchange algorithms recommended by the Security and Trust Organization within Cisco.
CLI Session timeout
By logging in via SSH, a user establishes a session with NFVIS. While the user is logged in, if the user leaves the logged-in session unattended, this can expose the network to a security risk. Session security limits the risk of internal attacks, such as one user attempting to use another user's session.
To mitigate this risk, NFVIS times out CLI sessions after 15 minutes of inactivity. When the session timeout is reached, the user is automatically logged out.
NETCONF
The Network Configuration Protocol (NETCONF) is a Network Management protocol developed and standardized by the IETF for the automated configuration of network devices.
The NETCONF protocol uses an Extensible Markup Language (XML) based data encoding for the configuration data as well as the protocol messages. The protocol messages are exchanged on top of a secure transport protocol.
NETCONF allows NFVIS to expose an XML-based API that the network operator can use to set and get configuration data and event notifications securely over SSH.
For more information see, NETCONF Event Notifications.
REST API
NFVIS can be configured using the RESTful API over HTTPS. The REST API allows requesting systems to access and manipulate the NFVIS configuration by using a uniform and predefined set of stateless operations. Details on all the REST APIs can be found in the NFVIS API Reference guide.
When the user issues a REST API, a session is established with NFVIS. To limit risks related to denial of service attacks, NFVIS limits the total number of concurrent REST sessions to 100.
NFVIS Web Portal
The NFVIS portal is a web-based Graphical User Interface that displays information about NFVIS. The portal presents the user with an easy means to configure and monitor NFVIS over HTTPS without having to know the NFVIS CLI and API.
Session Management
The stateless nature of HTTP and HTTPS requires a method of uniquely tracking users through the use of unique session IDs and cookies.
NFVIS encrypts the user's session. The AES-256-CBC cipher is used to encrypt the session contents with an HMAC-SHA-256 authentication tag. A random 128-bit Initialization Vector is generated for each encryption operation.
An Audit record is started when a portal session is created. Session information is deleted when the user logs out or when the session times out.
The default idle timeout for portal sessions is 15 minutes. However, this can be configured for the current session to a value between 5 and 60 minutes on the Settings page. Auto-logout will be initiated after this period. Multiple sessions are not permitted in a single browser. The maximum number of concurrent sessions is set to 30. The NFVIS portal uses cookies to associate data with the user. It uses the following cookie properties for enhanced security:
· ephemeral to ensure the cookie expires when the browser is closed
· httpOnly to make the cookie inaccessible from JavaScript
· secureProxy to ensure the cookie can only be sent over SSL.
Even after authentication, attacks such as Cross-Site Request Forgery (CSRF) are possible. In this scenario, an end user might inadvertently execute unwanted actions on a web application in which they are currently authenticated. To prevent this, NFVIS uses CSRF tokens to validate every REST API that is invoked during each session.
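An added example, not part of the original guide or the NFVIS source, of the session protection described above: AES-256-CBC encryption with a fresh 128-bit IV, an HMAC-SHA-256 tag that is verified before decryption, and the 15-minute idle timeout (configurable from 5 to 60 minutes). The token layout, the separate encryption and MAC keys, and the field and function names are assumptions.

```javascript
// Added example: encrypt-then-MAC session tokens, not the NFVIS implementation.
// Assumptions: token layout IV || ciphertext || tag (base64url), two independent
// 256-bit keys, and the JSON field names used below.
const nodeCrypto = require('node:crypto');

const IV_LEN = 16;  // 128-bit Initialization Vector
const TAG_LEN = 32; // HMAC-SHA-256 output size
const BLOCK = 16;   // AES block size

// Idle timeout in milliseconds: 15 minutes by default, 5 to 60 when configured.
function idleLimitMs(minutes = 15) {
  if (!Number.isInteger(minutes) || minutes < 5 || minutes > 60) {
    throw new RangeError('idle timeout must be between 5 and 60 minutes');
  }
  return minutes * 60 * 1000;
}

// The tag covers the IV as well as the ciphertext.
function tagFor(macKey, iv, ciphertext) {
  return nodeCrypto.createHmac('sha256', macKey).update(iv).update(ciphertext).digest();
}

// Encrypt the session contents, then authenticate the result.
function sealSession(session, keys) {
  const iv = nodeCrypto.randomBytes(IV_LEN); // generated for every encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-cbc', keys.enc, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(session), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, ct, tagFor(keys.mac, iv, ct)]).toString('base64url');
}

// Returns the session, or null when the token is malformed, forged or idle too long.
function openSession(token, keys, now = Date.now()) {
  const raw = Buffer.from(String(token), 'base64url');
  const ctLen = raw.length - IV_LEN - TAG_LEN;
  if (ctLen < BLOCK || ctLen % BLOCK !== 0) return null;
  const iv = raw.subarray(0, IV_LEN);
  const ct = raw.subarray(IV_LEN, IV_LEN + ctLen);
  const tag = raw.subarray(IV_LEN + ctLen);
  // Compare tags in constant time BEFORE decrypting, so modified ciphertext
  // never reaches the CBC padding check.
  if (!nodeCrypto.timingSafeEqual(tag, tagFor(keys.mac, iv, ct))) return null;
  const decipher = nodeCrypto.createDecipheriv('aes-256-cbc', keys.enc, iv);
  const plain = Buffer.concat([decipher.update(ct), decipher.final()]);
  const session = JSON.parse(plain.toString('utf8'));
  if (now - session.lastActive >= idleLimitMs(session.idleMinutes)) return null;
  return session;
}

// Record activity: the re-sealed token gets a new IV and a new tag.
function touchSession(token, keys, now = Date.now()) {
  const session = openSession(token, keys, now);
  return session ? sealSession({ ...session, lastActive: now }, keys) : null;
}

// Constructed demo keys and session (random per run, not real secrets).
const DEMO_KEYS = { enc: nodeCrypto.randomBytes(32), mac: nodeCrypto.randomBytes(32) };
const DEMO_START = Date.UTC(2024, 0, 1, 12, 0, 0);
const DEMO_TOKEN = sealSession(
  { user: 'admin', lastActive: DEMO_START, idleMinutes: 15 }, DEMO_KEYS);

console.log(openSession(DEMO_TOKEN, DEMO_KEYS, DEMO_START + 60 * 1000));
```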
URL Redirection
Generally, on web servers, when a page is not found on the web server, the user gets a 404 message; for pages that exist, they get a login page. The security impact of this is that an attacker can perform a brute force scan and easily detect which pages and folders exist. To prevent this on NFVIS, all non-existent URLs prefixed with the device IP are redirected to the portal login page with a 301 status response code. This means that regardless of the URL requested by an attacker, they will always get the login page to authenticate themselves. All HTTP server requests are redirected to HTTPS and have the following headers configured:
· X-Content-Type-Options
· X-XSS-Protection
· Content-Security-Policy
· X-Frame-Options
· Strict-Transport-Security
· Cache-Control
Disabling the Portal
NFVIS portal access is enabled by default. If you are not planning to use the portal, it is recommended that you disable portal access using this command:
Configure terminal
System portal access disabled
HTTPS
All HTTPS data to and from NFVIS uses Transport Layer Security (TLS) to communicate across the network. TLS is the successor to Secure Socket Layer (SSL).
The TLS handshake involves authentication, during which the client verifies the server's SSL certificate with the certificate authority that issued it. This confirms that the server is who it says it is, and that the client is interacting with the owner of the domain. By default, NFVIS uses a self-signed certificate to prove its identity to its clients. This certificate has a 2048-bit public key to increase the security of the TLS encryption, since the encryption strength is directly related to the key size.
Certificate Management
NFVIS generates a self-signed SSL certificate when it is first installed. It is a security best practice to replace this certificate with a valid certificate signed by a compliant Certificate Authority (CA). Use the following steps to replace the default self-signed certificate:
1. Generate a Certificate Signing Request (CSR) on NFVIS.
A Certificate Signing Request (CSR) is a file with a block of encoded text that is given to a Certificate Authority when applying for an SSL certificate. This file contains information that should be included in the certificate, such as the organization name, common name (domain name), locality, and country. The file also contains the public key that should be included in the certificate. NFVIS uses a 2048-bit public key, since encryption strength is higher with a larger key size. To generate a CSR on NFVIS, run the following command:
nfvis# system certificate signing-request [common-name country-code locality organization organization-unit-name state]
The CSR file is saved as /data/intdatastore/download/nfvis.csr.
2. Get an SSL certificate from a CA using the CSR.
From an external host, use the scp command to download the Certificate Signing Request.
[myhost:/tmp] > scp -P 22222 admin@ :/data/intdatastore/download/nfvis.csr <file-name>
Contact a Certificate Authority to issue a new SSL server certificate using this CSR.
3. Install the CA Signed Certificate.
From an external server, use the scp command to upload the certificate file into NFVIS, to the data/intdatastore/uploads/ directory.
[myhost:/tmp] > scp -P 22222 <file> admin@ :/data/intdatastore/uploads
Install the certificate in NFVIS using the following command.
nfvis# system certificate install-cert path file:///data/intdatastore/uploads/<certificate file>
4. Switch to using the CA Signed Certificate.
Use the following command to start using the CA signed certificate instead of the default self-signed certificate.
nfvis(config)# system certificate use-cert cert-type ca-signed
SNMP Access
Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks, and for modifying that information to change device behavior.
Three significant versions of SNMP have been developed. NFVIS supports SNMP version 1, version 2c and version 3. SNMP versions 1 and 2 use community strings for authentication, and these are sent in plain text. So, it is a security best practice to use SNMP v3 instead.
SNMPv3 provides secure access to devices by using three aspects: users, authentication, and encryption. SNMPv3 uses the USM (User-based Security Module) to control access to information available via SNMP. The SNMP v3 user is configured with an authentication type, a privacy type and a passphrase. All users sharing a group use the same SNMP version; however, the specific security level settings (password, encryption type, etc.) are specified per user.
The following table summarizes the security options within SNMP:
| Model | Level | Authentication | Encryption | Outcome |
|---|---|---|---|---|
| v1 | noAuthNoPriv | Community String | No | Uses a community string match for authentication. |
| v2c | noAuthNoPriv | Community String | No | Uses a community string match for authentication. |
| v3 | noAuthNoPriv | Username | No | Uses a username match for authentication. |
| v3 | authNoPriv | Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) | No | Provides authentication based on the HMAC-MD5-96 or HMAC-SHA-96 algorithms. |
| v3 | authPriv | MD5 or SHA | Data Encryption Standard (DES) or Advanced Encryption Standard (AES) | Provides authentication based on the HMAC-MD5-96 or HMAC-SHA-96 algorithms. Provides the DES cipher algorithm in Cipher Block Chaining Mode (CBC-DES) or the AES encryption algorithm used in Cipher FeedBack Mode (CFB), with a 128-bit key size (CFB128-AES-128). |
Since its adoption by NIST, AES has become the dominant encryption algorithm throughout the industry. To follow the industry's migration away from MD5 and toward SHA, it is a security best practice to configure the SNMP v3 authentication protocol as SHA and the privacy protocol as AES.
For more details on SNMP see, Introduction about SNMP
Legal Notification Banners
It is recommended that a legal notification banner is present on all interactive sessions to ensure that users are notified of the security policy being enforced and to which they are subject. In some jurisdictions, civil and/or criminal prosecution of an attacker who breaks into a system is easier, or even required, if a legal notification banner is presented, informing unauthorized users that their use is in fact unauthorized. In some jurisdictions, it may also be forbidden to monitor the activity of an unauthorized user unless they have been notified of the intent to do so.
Legal notification requirements are complex and vary in each jurisdiction and situation. Even within jurisdictions, legal opinions vary. Discuss this issue with your own legal counsel to ensure that the notification banner meets company, local, and international legal requirements. This is often critical to securing appropriate action in the event of a security breach. In cooperation with the company legal counsel, statements which may be included in a legal notification banner include:
· Notification that system access and use is permitted only by specifically authorized personnel, and perhaps information about who may authorize use.
· Notification that unauthorized access and use of the system is unlawful, and may be subject to civil and/or criminal penalties.
· Notification that access and use of the system may be logged or monitored without further notice, and the resulting logs may be used as evidence in court.
· Additional specific notices required by specific local laws.
From a security rather than a legal point of view, a legal notification banner should not contain any specific information about the device, such as its name, model, software, location, operator or owner, because this kind of information may be useful to an attacker.
The following is a sample legal notification banner that can be displayed before login:
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device. Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties. All activities performed on this device are logged and monitored
Note: Present a legal notification banner approved by company legal counsel.
NFVIS allows the configuration of a banner and a Message of the Day (MOTD). The banner is displayed before the user logs in. Once the user logs in to NFVIS, a system-defined banner provides Copyright information about NFVIS, and the message of the day (MOTD), if configured, will appear, followed by the command line prompt or portal view, depending on the login method.
It is recommended that a login banner is implemented to ensure that a legal notification banner is presented on all device management access sessions before a login prompt is presented. Use this command to configure the banner and MOTD.
nfvis(config)# banner-motd banner motd
For more information about the banner command, see Configure Banner, Message of the day and System Time.
Factory Default Reset
Factory Reset removes all the customer-specific data that has been added to the device since the time of its shipping. The data erased includes configurations, log files, VM images, connectivity information, and user login credentials.
It provides one command to reset the device to factory-original settings, and is useful in the following scenarios:
· Return Material Authorization (RMA) for a device: If you have to return a device to Cisco for RMA, use Factory Default reset to remove all the customer-specific data.
· Recovering a compromised device: If the key material or credentials stored on a device are compromised, reset the device to factory configuration and then reconfigure the device.
· If the same device needs to be reused at a different site with a new configuration, perform a Factory Default reset to remove the existing configuration and bring it to a clean state.
NFVIS provides the following options within Factory Default reset:
| Factory Reset Option | Data Erased | Data Retained |
|---|---|---|
| all | All configuration, uploaded image files, VMs and logs. Connectivity to the device will be lost. | The admin account is retained and the password will be changed to the factory default password. |
| all-except-images | All configuration except image configuration, VMs, and uploaded image files. Connectivity to the device will be lost. | Image configuration, registered images and logs. The admin account is retained and the password will be changed to the factory default password. |
| all-except-images-connectivity | All configuration except image, network and connectivity configuration, VMs, and uploaded image files. Connectivity to the device is available. | Images, network and connectivity related configuration, registered images, and logs. The admin account is retained and the previously configured admin password will be preserved. |
| manufacturing | All configuration except image configuration, VMs, uploaded image files, and logs. Connectivity to the device will be lost. | Image related configuration and registered images. The admin account is retained and the password will be changed to the factory default password. |
The user must choose the appropriate option carefully, based on the purpose of the Factory Default reset. For more information, see Resetting to Factory Default.
Infrastructure Management Network
An infrastructure management network refers to the network carrying the control and management plane traffic (such as NTP, SSH, SNMP, syslog, etc.) for the infrastructure devices. Device access can be through the console, as well as through the Ethernet interfaces. This control and management plane traffic is critical to network operations, providing visibility into and control over the network. Consequently, a well-designed and secure infrastructure management network is critical to the overall security and operations of a network. One of the key recommendations for a secure infrastructure management network is the separation of management and data traffic, in order to ensure remote manageability even under high load and high traffic conditions. This can be achieved using a dedicated management interface.
The following are the infrastructure management network implementation approaches:
Out-of-band Management
An Out-of-band Management (OOB) management network consists of a network which is completely independent and physically disparate from the data network that it helps to manage. This is also sometimes referred to as a Data Communications Network (DCN). Network devices may connect to the OOB network in different ways: NFVIS supports a built-in management interface that can be used to connect to the OOB network. NFVIS allows the configuration of a predefined physical interface, the MGMT port on the ENCS, as a dedicated management interface. Restricting management packets to designated interfaces provides greater control over the management of a device, thereby providing more security for that device. Other benefits include improved performance for data packets on non-management interfaces, support for network scalability, the need for fewer access control lists (ACLs) to restrict access to a device, and prevention of management packet floods from reaching the CPU. Network devices can also connect to the OOB network via dedicated data interfaces. In this case, ACLs should be deployed to ensure that management traffic is only handled by the dedicated interfaces. For further information, see Configuring the IP Receive ACL and Port 22222 and Management Interface ACL.
Pseudo out-of-band Management
A pseudo out-of-band management network uses the same infrastructure as the data network but provides logical separation through the virtual separation of traffic, by using VLANs. NFVIS supports creating VLANs and virtual bridges to help identify different sources of traffic and separate traffic between VMs. Having separate bridges and VLANs isolates the virtual machine network's data traffic and the management network, thus providing traffic segmentation between the VMs and the host. For further information see Configuring VLAN for NFVIS Management Traffic.
In-band Management
An in-band management network uses the same physical and logical paths as the data traffic. Ultimately, this network design requires a per-customer analysis of risk versus benefits and costs. Some general considerations include:
· An isolated OOB management network maximizes visibility and control over the network even during disruptive events.
· Transmitting network telemetry over an OOB network minimizes the chance of disruption to the very information that provides critical network visibility.
· In-band management access to network infrastructure, hosts, etc. is vulnerable to complete loss in the event of a network incident, removing all network visibility and control. Appropriate QoS controls should be put in place to mitigate this occurrence.
· NFVIS features interfaces which are dedicated to device management, including serial console ports and Ethernet management interfaces.
· An OOB management network can typically be deployed at a reasonable cost, since management network traffic does not typically demand high bandwidth or high-performance devices, and only requires sufficient port density to support connectivity to each infrastructure device.
Locally Stored Information Protection
Protecting Sensitive Information
NFVIS stores some sensitive information locally, including passwords and secrets. Passwords should generally be maintained and controlled by a centralized AAA server. However, even if a centralized AAA server is deployed, some locally stored passwords are required for certain cases, such as local fallback when AAA servers are not available, special-use usernames, etc. These local passwords and other sensitive information are stored on NFVIS as hashes so that it is not possible to recover the original credentials from the system. Hashing is a widely accepted industry norm.
File Transfer
Files that may need to be transferred to NFVIS devices include VM images and NFVIS upgrade files. The secure transfer of files is critical to network infrastructure security. NFVIS supports Secure Copy (SCP) to secure file transfers. SCP relies on SSH for secure authentication and transport, enabling secure and authenticated copying of files.
A secure copy from NFVIS is initiated with the scp command. The secure copy (scp) command allows only the admin user to securely copy files from NFVIS to an external system, or from an external system to NFVIS.
The syntax of the scp command is:
scp
Port 22222 is used for the NFVIS SCP server. By default, this port is closed and users cannot secure copy files into NFVIS from an external client. If a file needs to be copied with SCP from an external client, the user can open the port using:
system settings ip-receive-acl (address)/(mask length) service scpd priority (number) action accept
commit
To prevent users from accessing system directories, secure copy can be performed only to or from intdatastore:, extdatastore1:, extdatastore2:, usb: and nfs:, if available. Secure copy can also be performed from logs: and techsupport:
Logging
NFVIS access and configuration changes are logged as audit logs to record the following information:
· Who accessed the device
· When a user logged in
· What a user did in terms of the host configuration and the VM lifecycle
· When a user logged off
· Failed access attempts
· Failed authentication requests
· Failed authorization requests
This information is invaluable for forensic analysis of unauthorized attempts or access, for investigating configuration change issues, and for planning group administration changes. It can also be used in real time to identify anomalous activity that may indicate an attack is taking place. This analysis can be correlated with information from additional external sources, such as IDS and firewall logs.
All key events on NFVIS are sent as event notifications to NETCONF subscribers and as syslogs to the configured central logging servers. For more information on syslog messages and event notifications, see the Appendix.
Virtual Machine Security
This section describes security features related to the registration, deployment and operation of Virtual Machines on NFVIS.
VNF Secure Boot
NFVIS supports Open Virtual Machine Firmware (OVMF) to enable UEFI secure boot for Virtual Machines that support secure boot. VNF secure boot verifies that each layer of the VM boot software is signed, including the bootloader, the operating system kernel, and the operating system drivers.
For more information, see Secure Boot of VNFs.
VNC Console Access Protection
NFVIS allows the user to create a Virtual Network Computing (VNC) session to access a deployed VM's remote desktop. To enable this, NFVIS dynamically opens a port to which the user can connect using their web browser. This port is left open for only 60 seconds for an external server to start a session to the VM. If no activity is seen within this time, the port is closed. The port number is assigned dynamically, which allows only one-time access to the VNC console.
nfvis# vncconsole start deployment-name 1510614035 vm-name ROUTER vncconsole-url :6005/vnc_auto.html
Pointing your browser to https:// :6005/vnc_auto.html will connect to the VNC console of the ROUTER VM.
Encrypted VM config data variables
During VM deployment, the user provides a day-0 configuration file for the VM. This file can contain sensitive information such as passwords and keys. If this information is passed as clear text, it appears in log files and internal database records in clear text. This feature allows the user to flag a config data variable as sensitive so that its value is encrypted with AES-CFB-128 before it is stored or passed to internal subsystems.
For more information, see VM Deployment Parameters.
Checksum Verification for Remote Image Registration
To register a remotely located VNF image, the user specifies its location. The image has to be downloaded from an external source, such as an NFS server or a remote HTTPS server.
To know whether a downloaded file is safe to install, it is essential to compare the file's checksum before using it. Verifying the checksum helps ensure that the file was not corrupted during network transmission, or modified by a malicious third party before you downloaded it.
NFVIS supports the checksum and checksum_algorithm options so that the user can provide the expected checksum and the checksum algorithm (SHA256 or SHA512) used to verify the checksum of the downloaded image. Image creation fails if the checksum does not match.
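The same check can be run on an image before it is staged for registration. The following is an added example, not NFVIS code: the function names, file names and sample data are assumptions made for illustration, and only the two algorithm names come from the page.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

ALGORITHMS = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}  # values the page names


class ChecksumError(Exception):
    """The image must not be registered."""


def file_digest(path, algorithm, chunk_size=1024 * 1024):
    """Hash in chunks so a multi-gigabyte VM image never sits in memory."""
    if algorithm.upper() not in ALGORITHMS:
        raise ChecksumError(f"unsupported checksum_algorithm: {algorithm}")
    hasher = ALGORITHMS[algorithm.upper()]()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            hasher.update(chunk)
    return hasher.hexdigest()


def verify_image(path, expected, algorithm):
    """Return the digest when it equals `expected`; raise ChecksumError otherwise."""
    expected = expected.strip().lower()
    actual = file_digest(path, algorithm)
    if len(expected) != len(actual):
        raise ChecksumError(f"expected value has the wrong length for {algorithm}")
    if not hmac.compare_digest(expected.encode(), actual.encode()):
        raise ChecksumError(f"{algorithm} mismatch for {path}")
    return actual


def demo():
    """Constructed stand-in image and a copy with one byte changed."""
    data = b"constructed VM image bytes\n" * 4096
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = Path(tmp, "vnf.img"), Path(tmp, "vnf-bad.img")
        good.write_bytes(data)
        bad.write_bytes(data[:-2] + b"X\n")
        published = file_digest(good, "SHA512")  # stands in for the published value
        accepted = verify_image(good, published.upper(), "sha512") == published
        try:
            verify_image(bad, published, "SHA512")
            rejected = False
        except ChecksumError:
            rejected = True
    return accepted, rejected
```

The expected value should come from a channel other than the one that served the image; a checksum fetched from the same server protects against corruption but not against a modified file.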
Certificate Validation for Remote Image Registration
To register a VNF image located on an HTTPS server, the image has to be downloaded from the remote HTTPS server. To download this image securely, NFVIS verifies the SSL certificate of the server. The user needs to specify either the path to the certificate file or the PEM-format certificate contents to enable this secure download.
More details can be found in the section on certificate validation for image registration.
VM Isolation and Resource Provisioning
The Network Function Virtualization (NFV) architecture consists of:
· Virtualized network functions (VNFs), which are Virtual Machines running software applications that deliver network functionality such as a router, firewall, load balancer, and so on.
· Network functions virtualization infrastructure, which consists of the infrastructure components (compute, memory, storage, and networking) on a platform that supports the required software and hypervisor.
With NFV, network functions are virtualized so that multiple functions can run on a single server. As a result, less physical hardware is needed, allowing for resource consolidation. In this environment, it is essential to simulate dedicated resources for multiple VNFs from a single physical hardware system. Using NFVIS, VMs can be deployed in a controlled manner so that each VM receives the resources it needs. Resources are partitioned as needed from the physical environment to the many virtual environments. The individual VM domains are isolated so that they are separate, distinct, and secure environments that do not contend with each other for shared resources.
VMs cannot use more resources than they were provisioned. This avoids a Denial of Service condition in which one VM consumes the resources. As a result, CPU, memory, network and storage are protected.
CPU Isolation
The NFVIS system reserves cores for the infrastructure software running on the host. The remaining cores are available for VM deployment. This guarantees that VM performance does not affect NFVIS host performance.
Low-latency VMs
NFVIS explicitly assigns dedicated cores to the low-latency VMs deployed on it. If the VM requires 2 vCPUs, it is assigned 2 dedicated cores. This prevents sharing and oversubscription of cores and guarantees the performance of low-latency VMs. If the number of available cores is less than the number of vCPUs requested by another low-latency VM, the deployment is prevented because there are not enough resources.
Non low-latency VMs
NFVIS assigns shareable CPUs to non low-latency VMs. If the VM requires 2 vCPUs, it is assigned 2 CPUs. These 2 CPUs are shared with other non low-latency VMs. If the number of available CPUs is less than the number of vCPUs requested by another non low-latency VM, the deployment is still allowed because this VM will share CPUs with the existing non low-latency VMs.
Memory Allocation
The NFVIS infrastructure requires a certain amount of memory. When a VM is deployed, a check ensures that the memory still available, after reserving what the infrastructure and the previously deployed VMs require, is sufficient for the new VM. Memory oversubscription is not allowed for VMs.
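The CPU and memory admission rules above can be written out as a small model. This is an added example, not NFVIS code: the Host class, the host sizes and the VM names are constructed, and it assumes that dedicated cores are simply subtracted from the pool the shareable CPUs come from, which the page does not specify.

```python
from dataclasses import dataclass, field


class DeploymentRefused(Exception):
    """The request cannot be met without oversubscribing cores or memory."""


@dataclass
class Host:
    total_cores: int
    reserved_cores: int      # held back for the infrastructure software
    total_mem_mb: int
    reserved_mem_mb: int     # memory the infrastructure itself requires
    dedicated: dict = field(default_factory=dict)  # VM -> cores dedicated to it
    shared: dict = field(default_factory=dict)     # VM -> vCPUs on shareable CPUs
    memory: dict = field(default_factory=dict)     # VM -> MB allocated

    def free_cores(self):
        return self.total_cores - self.reserved_cores - sum(self.dedicated.values())

    def free_mem_mb(self):
        return self.total_mem_mb - self.reserved_mem_mb - sum(self.memory.values())

    def deploy(self, name, vcpus, mem_mb, low_latency):
        # Memory is never oversubscribed, whatever the VM type.
        if mem_mb > self.free_mem_mb():
            raise DeploymentRefused(f"{name}: {mem_mb} MB asked, {self.free_mem_mb()} MB free")
        if low_latency:
            # One dedicated core per vCPU, so refuse when the host is short.
            if vcpus > self.free_cores():
                raise DeploymentRefused(f"{name}: {vcpus} cores asked, {self.free_cores()} free")
            self.dedicated[name] = vcpus
        else:
            # Shareable CPUs: admitted even when vCPUs exceed what is free.
            self.shared[name] = vcpus
        self.memory[name] = mem_mb


def scenario():
    """Constructed host: 8 cores / 16 GB, with 2 cores / 4 GB reserved."""
    host = Host(total_cores=8, reserved_cores=2, total_mem_mb=16384, reserved_mem_mb=4096)
    requests = [("router", 4, 4096, True), ("fw", 4, 4096, True),
                ("lb", 2, 2048, False), ("mon", 2, 2048, False), ("big", 1, 8192, False)]
    outcome = {}
    for name, vcpus, mem_mb, low_latency in requests:
        try:
            host.deploy(name, vcpus, mem_mb, low_latency)
            outcome[name] = "deployed"
        except DeploymentRefused:
            outcome[name] = "refused"
    return host, outcome
```

In the scenario the second low-latency VM is refused for lack of cores, the two non low-latency VMs are admitted with 4 vCPUs sharing 2 CPUs, and the last VM is refused on memory alone.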
Storage Isolation
VMs are not allowed to directly access the host file system and storage.
The ENCS platform supports an internal datastore (M2 SSD) and external disks. NFVIS is installed on the internal datastore. VNFs can also be deployed on this internal datastore. It is a security best practice to store customer data and deploy customer application Virtual Machines on the external disks. Keeping system files and application files on physically separate disks helps protect system data from corruption and security issues.
Interface Isolation
Single Root I/O Virtualization (SR-IOV) is a specification that allows the isolation of PCI Express (PCIe) resources such as an Ethernet port. With SR-IOV, a single Ethernet port can be made to appear as multiple, separate, physical devices known as Virtual Functions (VFs). All of the VF devices on that adapter share the same physical network port. A guest can use one or more of these Virtual Functions. A Virtual Function appears to the guest as a network card, in the same way that a normal network card appears to an operating system. Virtual Functions have near-native performance and perform better than para-virtualized drivers and emulated access. Virtual Functions provide data protection between guests on the same physical server, because the data is managed and controlled by the hardware. NFVIS VNFs can use SR-IOV networks to connect to WAN and LAN backplane ports.
Each such VM owns a virtual interface and its related resources, which provides data protection among VMs.
Secure Development Lifecycle
NFVIS follows a Secure Development Lifecycle (SDL) for software. This is a repeatable, measurable process designed to reduce vulnerabilities and enhance the security and resilience of Cisco solutions. Cisco SDL applies industry-leading practices and technology to build trustworthy solutions that have fewer field-discovered product security incidents. Every NFVIS release goes through the following processes:
· Following Cisco-internal and market-based Product Security Requirements
· Registering third-party software with a central repository at Cisco for vulnerability tracking
· Periodically patching software with known fixes for CVEs
· Designing software with security in mind
· Following secure coding practices such as using vetted common security modules like CiscoSSL, running static analysis, and implementing input validation to prevent command injection, and so on
· Using application security tools such as IBM AppScan, Nessus, and other Cisco internal tools