JUNIPER NETWORKS MX240 Junos OS Devices with Services Card

Product Information
Product Name: Common Criteria Configuration Guide for MX240, MX480, and MX960 Devices with MX-SPC3 Services Card
Publication Date: 2023-12-25
Release Version: 22.2R1
Manufacturer: Juniper Networks, Inc.
Manufacturer Address: 1133 Innovation Way Sunnyvale, California 94089 USA
Manufacturer Contact: 408-745-2000
Manufacturer Website: https://www.juniper.net
Trademarks: Juniper Networks, Junos
Product Usage Instructions
Overview
Common Criteria Evaluated Configuration Overview:
The Common Criteria evaluated configuration provides an overview of the security features and configuration required for the MX240, MX480, and MX960 devices with the MX-SPC3 Services Card. This section explains the purpose and scope of the evaluated configuration.
Junos OS in FIPS Mode of Operation Overview:
Junos OS in FIPS mode of operation ensures compliance with the Federal Information Processing Standards (FIPS) for cryptographic modules. This section provides an overview of FIPS mode and its benefits.
Overview of FIPS Terminology and Supported Cryptographic Algorithms:
This section explains the terminology used in FIPS mode and provides information about the supported cryptographic algorithms.
Identify Secure Product Delivery:
This section provides guidelines on how to ensure secure product delivery, including verifying the integrity of the delivered software packages.
Management Interfaces Overview:
Learn about the different management interfaces available on the MX240, MX480, and MX960 devices with the MX-SPC3 Services Card. This section explains the purpose and usage of each interface.
Configure Roles and Authentication Methods
Overview of Junos OS Roles and Services:
This section provides an overview of the different roles and services available in Junos OS and explains how to configure them for the evaluated configuration.
Overview of the Operational Environment for Junos OS in FIPS Mode:
Understand the operational environment requirements for running Junos OS in FIPS mode. This section covers the necessary configurations and considerations.
Overview of Password Specifications and Guidelines for Junos OS in FIPS Mode:
Learn about the password specifications and guidelines for Junos OS in FIPS mode. This section provides recommendations for creating strong and secure passwords.
Download Software Packages from Juniper Networks:
Step-by-step instructions on how to download software packages from the Juniper Networks website. This section ensures you have the latest firmware updates and security patches.
Install Junos Software Packages:
A detailed guide on how to install Junos software packages on your MX240, MX480, or MX960 device. This section covers both initial installation and upgrade procedures.
Overview of Zeroization to Clear System Data for FIPS Mode:
Understand the process of zeroizing the system to clear sensitive data when operating in FIPS mode. This section explains the steps and considerations involved.
Zeroize the System:
Step-by-step instructions on how to zeroize the system to remove all sensitive data. This section ensures proper data sanitization before disposal or reconfiguration.
Enable FIPS Mode:
Learn how to enable FIPS mode on your MX240, MX480, or MX960 device. This section provides the necessary configurations and considerations.
Configure Security Administrator and FIPS User Identification and Access:
This section explains how to configure the security administrator and FIPS user identification and access. It covers the steps required to ensure proper authentication and authorization.
Configure Security Administrator Access:
A detailed guide on configuring security administrator access for the evaluated configuration. This section covers the required configurations and best practices.
Configure FIPS User Login Access:
Step-by-step instructions on configuring FIPS user login access for the evaluated configuration. This section ensures secure user authentication and access control.
Configure Administrative Credentials and Privileges
Understanding the Associated Password Rules for an Authorized Administrator:
This section provides an understanding of the password rules associated with an authorized administrator. It covers password complexity, expiration, and other related considerations.
Configure a Network Device Collaborative Protection Profile Authorized Administrator:
A detailed guide on configuring a Network Device Collaborative Protection Profile authorized administrator. This section ensures proper administrative access control for the evaluated configuration.
Customize Time:
Learn how to customize time settings on your MX240, MX480, or MX960 device. This section covers the configurations required for accurate time synchronization.
Configure Idle Timeout and Local and Remote Administrator Session Termination:
Configure the idle timeout and local/remote idle session termination in the evaluated configuration. This section provides instructions for setting session timeouts.
Configure Session Termination:
Step-by-step instructions on how to configure session termination in the evaluated configuration. This section ensures proper session management and security.
Sample Output for Local Administrative Session Termination:
Sample output and example excerpts of local administrative session termination for reference. This section helps you understand the expected behavior and output.
Sample Output for Remote Administrative Session Termination:
Sample output and example excerpts of remote administrative session termination for reference. This section helps you understand the expected behavior and output.
Sample Output for User-Initiated Termination:
Sample output and example excerpts of user-initiated session termination for reference. This section helps you understand the expected behavior and output.
Configure SSH and Console Connection
Configure a System Login Message and Announcement:
This section explains how to configure a system login message and announcement for the evaluated configuration. It provides instructions for customizing the login experience.
Configure SSH on the Evaluated Configuration for NDcPPv2.2e:
Step-by-step instructions on how to configure SSH on the evaluated configuration for NDcPPv2.2e compliance. This section ensures secure remote access to the device.
Limit the Number of User Login Attempts for SSH Sessions:
Learn how to limit the number of user login attempts for SSH sessions in the evaluated configuration. This section provides instructions for improving resistance to brute-force attacks.
Specifications
Common Criteria Configuration Guide: MX240, MX480, and MX960 Devices with MX-SPC3 Services Card
Publication Date: 2023-12-25
Release Version: 22.2R1
Frequently Asked Questions (FAQ)
Q: Are Juniper Networks hardware and software products Year 2000 compliant?
A: Yes, Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038.
Q: Where can I find the End User License Agreement (EULA) for Juniper Networks software?
A: The End User License Agreement (EULA) for Juniper Networks software can be found at https://support.juniper.net/support/eula/. By downloading, installing, or using the software, you agree to the terms and conditions of the EULA.
Junos® OS
Common Criteria Configuration Guide for MX240, MX480, and MX960 Devices with MX-SPC3 Services Card
Published
2023-12-25
RELEASE
22.2R1
Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Junos® OS Common Criteria Configuration Guide for MX240, MX480, and MX960 Devices with MX-SPC3 Services Card 22.2R1 Copyright © 2023 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing, or using such software, you agree to the terms and conditions of that EULA.
About This Guide
Use this guide to configure and evaluate MX240, MX480, and MX960 devices for Common Criteria (CC) compliance. Common Criteria for information technology is an international agreement signed by several countries that permits the evaluation of security products against a common set of standards.
RELATED DOCUMENTATION Common Criteria and FIPS Certifications
1 CHAPTER
Overview
Common Criteria Evaluated Configuration Overview | 2 Junos OS in FIPS Mode of Operation Overview | 3 Overview of FIPS Terminology and Supported Cryptographic Algorithms | 5 Identify Secure Product Delivery | 8 Management Interfaces Overview | 9
Common Criteria Evaluated Configuration Overview
IN THIS SECTION Common Criteria Overview | 2 Supported Platforms | 3
This document describes the steps required to duplicate the configuration of a device running Junos OS when the device is evaluated. This is referred to as the evaluated configuration. The following list describes the standards to which the device has been evaluated:
· NDcPPv2.2e: https://www.niap-ccevs.org/MMO/PP/CPP_ND_V2.2E.pdf
· MOD_VPN: https://www.niap-ccevs.org/Profile/Info.cfm?PPID=449
The Archived Protection Profiles documents are available at https://www.niap-ccevs.org/Profile/PP.cfm?archived=1.
NOTE: The MX240, MX480, and MX960 devices running Junos OS Release 22.2R1 are Common Criteria certified with FIPS mode enabled on the devices.
Common Criteria Overview
Common Criteria for information technology is an international agreement signed by several countries that permits the evaluation of security products against a common set of standards. Under the Common Criteria Recognition Arrangement (CCRA) at https://www.commoncriteriaportal.org/ccra/, the participants agree to mutually recognize evaluations of products performed in other countries. All evaluations are performed using a common methodology for information technology security evaluation. For more information on Common Criteria, see https://www.commoncriteriaportal.org/.
Supported Platforms
For the features described in this document, the following platforms are supported with the MX-SPC3 Services Card. NDcPPv2.2e and MOD_VPN apply to:
· MX240 (https://www.juniper.net/us/en/products/routers/mx-series/mx240-universal-routing-platform.html)
· MX480 (https://www.juniper.net/us/en/products/routers/mx-series/mx480-universal-routing-platform.html)
· MX960 (https://www.juniper.net/us/en/products/routers/mx-series/mx960-universal-routing-platform.html)
RELATED DOCUMENTATION Identify Secure Product Delivery | 8
Junos OS in FIPS Mode of Operation Overview
IN THIS SECTION About the Cryptographic Boundary on Your Device | 4 How FIPS Mode of Operation Differs from Non-FIPS Mode of Operation | 4 Validated Version of Junos OS in FIPS Mode of Operation | 5
Federal Information Processing Standards (FIPS) 140-3 defines security levels for hardware and software that perform cryptographic functions. Junos-FIPS is a version of the Junos operating system (Junos OS) that complies with Federal Information Processing Standard (FIPS) 140-3. Operating your security devices in a FIPS 140-3 Level 2 environment requires enabling and configuring FIPS mode of operation on the device from the Junos OS command-line interface (CLI).
The Security Administrator enables FIPS mode in Junos OS Release 22.2R1 and sets up keys and passwords for the system and for other FIPS users who can view the configuration. Both user types can also perform normal configuration tasks on the device (such as modifying interface types) as each user's configuration allows.
BEST PRACTICE: Be sure to verify the secure delivery of your device and apply tamper-evident seals to its vulnerable ports.
About the Cryptographic Boundary on Your Device
FIPS 140-3 compliance requires a defined cryptographic boundary around each cryptographic module on a device. Junos OS in FIPS mode of operation prevents the cryptographic module from running any software that is not part of the FIPS-certified distribution, and allows only FIPS-approved cryptographic algorithms to be used. No critical security parameters (CSPs), such as passwords and keys, can cross the cryptographic boundary of the module by, for example, being displayed on a console or written to an external log file.
WARNING: Virtual Chassis features are not supported in FIPS mode of operation. Do not configure a Virtual Chassis in FIPS mode of operation.
To physically secure the cryptographic module, all Juniper Networks devices require a tamper-evident seal on the USB and mini-USB ports.
How FIPS Mode of Operation Differs from Non-FIPS Mode of Operation
Unlike Junos OS in non-FIPS mode of operation, Junos OS in FIPS mode of operation is a nonmodifiable operational environment. In addition, Junos OS in FIPS mode of operation differs from Junos OS in non-FIPS mode of operation in the following ways:
· Self-tests of all cryptographic algorithms are performed at startup.
· Self-tests of random number and key generation are performed continuously.
· Weak cryptographic algorithms such as Data Encryption Standard (DES) and MD5 are disabled.
· Weak, remote, or unencrypted management connections must not be configured. However, the TOE allows unencrypted local console access in all modes of operation.
· Passwords must be encrypted with strong one-way algorithms that do not permit decryption.
· Junos-FIPS administrator passwords must be at least 10 characters long.
· Cryptographic keys must be encrypted before transfer.
The FIPS 140-3 standard is available for download from the National Institute of Standards and Technology (NIST) at http://csrc.nist.gov/publications/fips/fips140-3/fips1402.pdf.
Validated Version of Junos OS in FIPS Mode of Operation
To determine whether a Junos OS release is NIST-validated, see the compliance page on the Juniper Networks website (https://apps.juniper.net/compliance).
RELATED DOCUMENTATION Identify Secure Product Delivery | 8
Overview of FIPS Terminology and Supported Cryptographic Algorithms
IN THIS SECTION FIPS Terminology | 6 Supported Cryptographic Algorithms | 7
Use the definitions of FIPS terms and the list of supported algorithms to help you understand Junos OS in FIPS mode.
FIPS Terminology
Critical security parameter (CSP)
Security-related information (for example, secret and private cryptographic keys, and authentication data such as passwords and personal identification numbers (PINs)) whose disclosure or modification can compromise the security of a cryptographic module or the information it protects.
Cryptographic module
The set of hardware, software, and firmware that implements approved security functions (including cryptographic algorithms and key generation) and is contained within the cryptographic boundary.
Security Administrator
Person with appropriate permissions who is responsible for securely enabling, configuring, monitoring, and maintaining Junos OS in FIPS mode on a device. For details, see “Junos OS in FIPS Mode of Operation Overview” on page 3.
ESP
Encapsulating Security Payload (ESP) protocol. The part of the IPsec protocol that guarantees the confidentiality of packets through encryption. The protocol guarantees that if an ESP packet is successfully decrypted, and no other party knows the secret key the peers share, the packet was not wiretapped in transit.
FIPS
Federal Information Processing Standards. FIPS 140-3 specifies requirements for security and cryptographic modules. Junos OS in FIPS mode of operation complies with FIPS 140-3 Level 2.
IKE
Internet Key Exchange (IKE) is part of IPsec and provides ways to securely negotiate the shared private keys that the authentication header (AH) and ESP portions of IPsec need to function properly. IKE employs Diffie-Hellman key-exchange methods and is optional in IPsec. (The shared keys can be entered manually at the endpoints.)
IPsec
IP Security (IPsec) protocol. A standard way of adding security to Internet communications. An IPsec security association (SA) establishes secure communication with another FIPS cryptographic module by means of mutual authentication and encryption.
KATs
Known answer tests. System self-tests that validate the output of the cryptographic algorithms approved for FIPS and test the integrity of some Junos OS modules. For details, see “FIPS Self-Tests Overview” on page 122.
SA
Security association (SA). A connection between hosts that allows them to communicate securely by defining, for example, how they exchange private keys. As Security Administrator, you must manually configure an internal SA on devices running Junos OS in FIPS mode of operation. All values, including the keys, must be statically specified in the configuration.
SPI
Security parameter index (SPI). A numeric identifier used with the destination address and security protocol in IPsec to identify an SA. Because you manually configure the SA for Junos OS in FIPS mode of operation, the SPI must be entered as a parameter rather than derived randomly.
SSH
A protocol that uses strong authentication and encryption for remote access across a nonsecure network. SSH provides remote login, remote program execution, file copy, and other functions. It is intended as a secure replacement for rlogin, rsh, and rcp in a UNIX environment. To secure the information sent over administrative connections, use SSHv2 for CLI configuration. In Junos OS, SSHv2 is enabled by default, and SSHv1, which is not considered secure, is disabled.
Zeroization
Erasure of all CSPs and other user-created data on a device before its operation as a FIPS cryptographic module, or in preparation for repurposing the device for non-FIPS operation. The Security Administrator can zeroize the system with a CLI operational command. For details, see “Overview of Zeroization to Clear System Data for FIPS Mode” on page 23.
Supported Cryptographic Algorithms
Each implementation of an algorithm is checked by a series of known answer test (KAT) self-tests. Any self-test failure results in a FIPS error state.
BEST PRACTICE: For FIPS 140-3 compliance, use only FIPS-approved cryptographic algorithms in Junos OS in FIPS mode of operation.
The following cryptographic algorithms are supported in FIPS mode of operation. Symmetric methods use the same key for encryption and decryption, while asymmetric methods (preferred) use different keys for encryption and decryption.
AES
Advanced Encryption Standard (AES), defined in FIPS PUB 197. The AES algorithm uses keys of 128, 192, or 256 bits to encrypt and decrypt data in blocks of 128 bits.
Diffie-Hellman
A method of key exchange across a nonsecure environment (such as the Internet). The Diffie-Hellman algorithm negotiates a session key without sending the key itself across the network by allowing each party to pick a partial key independently and send part of that key to the other. Each side then calculates a common key value. This is a symmetrical method, and keys are typically used only for a short time, discarded, and regenerated.
ECDH
Elliptic Curve Diffie-Hellman. A variant of the Diffie-Hellman key exchange algorithm that uses cryptography based on the algebraic structure of elliptic curves over finite fields. ECDH allows two parties, each having an elliptic curve public-private key pair, to establish a shared secret over an insecure channel. The shared secret can be used either as a key or to derive another key for encrypting subsequent communications using a symmetric key cipher.
ECDSA
Elliptic Curve Digital Signature Algorithm. A variant of the Digital Signature Algorithm (DSA) that uses cryptography based on the algebraic structure of elliptic curves over finite fields. The bit size of the elliptic curve determines the difficulty of decrypting the key. The public key believed to be needed for ECDSA is about twice the size of the security level, in bits. ECDSA using the P-256, P-384, or P-521 curve can be configured under OpenSSH.
HMAC
Defined as “Keyed-Hashing for Message Authentication” in RFC 2104, HMAC combines hashing algorithms with cryptographic keys for message authentication. For Junos OS in FIPS mode of operation, HMAC uses the iterated cryptographic hash function SHA-1 (designated as HMAC-SHA1) along with a secret key.
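The KAT self-test behaviour described above (each algorithm is checked against a known answer at startup, and any failure puts the module into a FIPS error state), as an added Python model that is not Juniper's code. It runs published known-answer vectors for SHA-1, SHA-256 and HMAC-SHA1 (the FIPS 180 "abc" examples and test case 1 of RFC 2202) and refuses all cryptographic service after a mismatch; the module class, the error-state handling and the deliberately corrupted vector are assumptions for illustration.

```python
"""Known-answer-test (KAT) harness modelled on FIPS power-up self-tests.
Constructed example, not Junos OS code: the CryptoModule class, its error
state and the refusal of service are assumptions made for illustration.
The test vectors themselves are published ones (FIPS 180, RFC 2202)."""
import hashlib
import hmac

# Published known-answer vectors: (name, compute, expected hex digest).
# SHA-1/SHA-256 of "abc" are the FIPS 180 worked examples; the HMAC-SHA1
# vector is RFC 2202 test case 1 (key = 20 bytes of 0x0b, data "Hi There").
KNOWN_ANSWERS = [
    ("SHA-1", lambda: hashlib.sha1(b"abc").hexdigest(),
     "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ("SHA-256", lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("HMAC-SHA1", lambda: hmac.new(b"\x0b" * 20, b"Hi There", "sha1").hexdigest(),
     "b617318655057264e28bc0b6fb378c8ef146be00"),
]


class FipsErrorState(Exception):
    """Raised when a cryptographic service is requested after a self-test failure."""


class CryptoModule:
    """Minimal model of a FIPS module: KATs run before any service is offered,
    and a single failing KAT leaves the module in a persistent error state."""

    def __init__(self, vectors=KNOWN_ANSWERS):
        self.vectors = vectors
        self.error_state = False
        self.failed = []

    def run_self_tests(self):
        """Run every KAT; return True only if all of them pass."""
        self.failed = []
        for name, compute, expected in self.vectors:
            actual = compute()
            # Constant-time comparison of the computed and expected digests.
            if not hmac.compare_digest(actual, expected):
                self.failed.append(name)
        self.error_state = bool(self.failed)
        return not self.error_state

    def hmac_sha1(self, key, message):
        """Approved service (HMAC-SHA1 as named above); refused in error state."""
        if self.error_state:
            raise FipsErrorState("self-test failed: " + ", ".join(self.failed))
        return hmac.new(key, message, "sha1").hexdigest()


def demo_tampered_vector():
    """Error path: a corrupted expected value must fail the KAT, and later
    service requests must raise. Returns (self_tests_ok, service_refused)."""
    bad = list(KNOWN_ANSWERS)
    bad[2] = ("HMAC-SHA1", bad[2][1], "00" * 20)  # constructed wrong answer
    module = CryptoModule(bad)
    ok = module.run_self_tests()
    try:
        module.hmac_sha1(b"k", b"m")
        refused = False
    except FipsErrorState:
        refused = True
    return ok, refused


if __name__ == "__main__":
    m = CryptoModule()
    print("self-tests passed:", m.run_self_tests())
    print("tampered vector -> (tests ok, service refused):", demo_tampered_vector())
```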
RELATED DOCUMENTATION FIPS Self-Tests Overview | 122 Overview of Zeroization to Clear System Data for FIPS Mode | 23
Identify Secure Product Delivery
There are several mechanisms provided in the delivery process to ensure that a customer receives a product that has not been tampered with. The customer should perform the following checks upon receipt of a device to verify the integrity of the platform.
· Shipping label: Ensure that the shipping label correctly identifies the correct customer name and address as well as the device.
· Outside packaging: Inspect the outside shipping box and tape. Ensure that the shipping tape has not been cut or otherwise compromised. Ensure that the box has not been cut or damaged to allow access to the device.
· Inside packaging: Inspect the plastic bag and seal. Ensure that the bag has not been cut or removed. Ensure that the seal remains intact.
If the customer identifies a problem during the inspection, he or she should immediately contact the supplier. Provide the order number, tracking number, and a description of the identified problem to the supplier. Additionally, there are several checks that can be performed to ensure that the customer has received a box sent by Juniper Networks and not a different company masquerading as Juniper Networks. The customer should perform the following checks upon receipt of a device to verify the authenticity of the device:
· Verify that the device was ordered using a purchase order. Juniper Networks devices are never shipped without a purchase order.
· When a device is shipped, a shipment notification is sent to the e-mail address provided by the customer when the order is taken. Verify that this e-mail notification was received. Verify that the e-mail contains the following information:
  · Purchase order number
  · Juniper Networks order number used to track the shipment
  · Carrier tracking number used to track the shipment
  · List of items shipped, including serial numbers
  · Address and contacts of both the supplier and the customer
· Verify that the shipment was initiated by Juniper Networks. To verify that a shipment was initiated by Juniper Networks, you should perform the following tasks:
  · Compare the carrier tracking number of the Juniper Networks order number listed in the Juniper Networks shipping notification with the tracking number on the package received.
  · Log on to the Juniper Networks online customer support portal at https://support.juniper.net/support/ to view the order status. Compare the carrier tracking number or the Juniper Networks order number listed in the Juniper Networks shipment notification with the tracking number on the package received.
Management Interfaces Overview
The following management interfaces can be used in the evaluated configuration:
· Local Management Interfaces: The RJ-45 console port on the device is configured as RS-232 data terminal equipment (DTE). You can use the command-line interface (CLI) over this port to configure the device from a terminal.
· Remote Management Protocols: The device can be remotely managed over any Ethernet interface. SSHv2 is the only permitted remote management protocol that can be used in the evaluated configuration. The remote management protocols J-Web and Telnet are not available for use on the device.
2 CHAPTER
Configure Roles and Authentication Methods
Overview of Junos OS Roles and Services | 12 Overview of the Operational Environment for Junos OS in FIPS Mode | 14 Overview of Password Specifications and Guidelines for Junos OS in FIPS Mode | 18 Download Software Packages from Juniper Networks | 19 Install Junos Software Packages | 20 Overview of Zeroization to Clear System Data for FIPS Mode | 23 Zeroize the System | 24 Enable FIPS Mode | 26 Configure Security Administrator and FIPS User Identification and Access | 28
Overview of Junos OS Roles and Services
IN THIS SECTION Security Administrator Role and Responsibilities | 12 FIPS User Role and Responsibilities | 13 What Is Expected of All FIPS Users | 13
The Security Administrator is associated with a defined login class, which has the permission set required to allow the administrator to perform all tasks necessary to manage Junos OS. Administrative users (the Security Administrator) must provide unique identification and authentication data before any administrative access to the system is granted. The Security Administrator roles and responsibilities are as follows:
1. The Security Administrator can administer locally and remotely.
2. Create, modify, and delete administrator accounts, including configuration of authentication failure parameters.
3. Re-enable an administrator account.
4. Responsible for the configuration and maintenance of cryptographic elements related to the establishment of secure connections to and from the evaluated product.
The Juniper Networks Junos operating system (Junos OS) running in non-FIPS mode allows a wide range of capabilities for users, and authentication is identity-based. The Security Administrator performs all FIPS-mode-related configuration tasks and issues all statements and commands for Junos OS in FIPS mode.
Security Administrator Role and Responsibilities
The Security Administrator is the person responsible for enabling, configuring, monitoring, and maintaining Junos OS in FIPS mode on a device. The Security Administrator securely installs Junos OS on the device, enables FIPS mode, establishes keys and passwords for other users and software modules, and initializes the device before connecting it to the network.
BEST PRACTICE: We recommend that the Security Administrator administer the system in a secure manner by keeping passwords secure and checking audit files.
The permissions that distinguish the Security Administrator from other FIPS users are secret, security, maintenance, and control. Assign the Security Administrator to a login class that contains all of these permissions. Among the tasks related to Junos OS in FIPS mode, the Security Administrator is expected to:
· Set the initial root password. The password length must be at least 10 characters.
· Reset user passwords with FIPS-approved algorithms.
· Examine log and audit files for events of interest.
· Erase user-generated files, keys, and data by zeroizing the device.
FIPS User Role and Responsibilities
All FIPS users, including the Security Administrator, can view the configuration. Only the user assigned as Security Administrator can modify the configuration. A FIPS user can view status output but cannot reboot or zeroize the device.
What Is Expected of All FIPS Users
All FIPS users, including the Security Administrator, must observe the security guidelines at all times. All FIPS users must:
· Keep all passwords confidential.
· Store devices and documentation in a secure area.
· Deploy devices in secure areas.
· Check audit files periodically.
· Conform to all other FIPS 140-3 security rules.
· Follow these guidelines:
  · Users are trusted.
  · Users abide by all security guidelines.
  · Users do not deliberately compromise security.
  · Users behave responsibly at all times.
RELATED DOCUMENTATION Zeroize the System | 24
Overview of the Operational Environment for Junos OS in FIPS Mode
IN THIS SECTION Hardware Environment for Junos OS in FIPS Mode | 14 Software Environment for Junos OS in FIPS Mode | 15 Critical Security Parameters | 16
A Juniper Networks device running the Juniper Networks Junos operating system (Junos OS) in FIPS mode forms a special type of hardware and software operational environment that differs from the environment of a device in non-FIPS mode:
Hardware Environment for Junos OS in FIPS Mode
Junos OS in FIPS mode establishes a cryptographic boundary in the device that no critical security parameters (CSPs) can cross in plain text. Each hardware component of the device that requires a cryptographic boundary for FIPS 140-3 compliance is a separate cryptographic module. There are two types of hardware with cryptographic boundaries in Junos OS in FIPS mode: one for each Routing Engine and one for the entire chassis.
Cryptographic methods are not a substitute for physical security. The hardware must be located in a secure physical environment. Users of all types must not reveal keys or passwords, or allow written records or notes to be seen by unauthorized personnel.
Software Environment for Junos OS in FIPS Mode
A Juniper Networks device running Junos OS in FIPS mode forms a special type of nonmodifiable operational environment. To achieve this environment on the device, the system prevents the execution of any binary file that was not part of the certified Junos OS in FIPS mode distribution. When a device is in FIPS mode, it can run only Junos OS. The Junos OS in FIPS mode software environment is established after the Security Administrator successfully enables FIPS mode on the device. The Junos OS image that includes FIPS mode is available on the Juniper Networks website and can be installed on a functioning device. For strict compliance with FIPS 140-3, we recommend that you delete all user-created files and data by zeroizing the device before enabling FIPS mode. Enabling FIPS mode disables many of the usual Junos OS protocols and services. In particular, you cannot configure the following services in Junos OS in FIPS mode:
· finger
· ftp
· rlogin
· telnet
· tftp
· xnm-clear-text
Attempts to configure these services, or to load configurations with these services configured, result in a configuration syntax error. You can use only SSH as a remote access service. All passwords established by users after upgrading to Junos OS in FIPS mode must conform to the Junos OS in FIPS mode specifications. Passwords must be between 10 and 20 characters in length and require the use of at least three of the five defined character sets (uppercase and lowercase letters, digits, punctuation marks, and keyboard characters, such as % and &, that are not included in the other four sets). Attempts to configure passwords that do not conform to these rules result in an error. All passwords and keys used to authenticate peers must be at least 10 characters in length, and in some cases the length must match the digest size.
NOTE: Do not attach the device to a network until the Security Administrator completes configuration from the local console connection.
For strict compliance, do not examine core dump or crash information on the local console in Junos OS in FIPS mode, because some CSPs might be shown in plain text.
Critical Security Parameters
Critical security parameters (CSPs) are security-related information, such as cryptographic keys and passwords, that can compromise the security of the cryptographic module or the security of the information protected by the module if they are disclosed or modified.
Zeroizing the system erases all traces of CSPs in preparation for operating the device or Routing Engine as a cryptographic module.
Table 1 on page 16 lists the CSPs on devices running Junos OS.
Table 1: Critical Security Parameters

| CSP | Description | Zeroization | Use |
| --- | --- | --- | --- |
| SSHv2 private host key | ECDSA / RSA key used to identify the host, generated the first time SSH is configured. | Zeroize command. | Used to identify the host. |
| SSHv2 session keys | Session key used with SSHv2 and as a Diffie-Hellman private key. Encryption: AES-128, AES-256. MACs: HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-512. Key exchange: dh-group14-sha1, ECDH-sha2-nistp256, ECDH-sha2-nistp384, and ECDH-sha2-nistp521. | Power cycle and end of session. | Symmetric key used to encrypt data between host and client. |
| User authentication key | Hash of the user's password: SHA256, SHA512. | Zeroize command. | Used to authenticate a user to the cryptographic module. |
| Crypto Officer authentication key | Hash of the Crypto Officer's password: SHA256, SHA512. | Zeroize command. | Used to authenticate the Security Administrator to the cryptographic module. |
| HMAC DRBG seed | Seed for the deterministic random bit generator (DRBG). | Seed is not stored by the cryptographic module. | Used for seeding the DRBG. |
| HMAC DRBG V value | The value (V) of output block length (outlen) in bits, which is updated each time another outlen bits of output are produced. | Power cycle. | A critical value of the internal state of the DRBG. |
| HMAC DRBG key value | The current value of the outlen-bit key, which is updated at least once each time that the DRBG mechanism generates pseudorandom bits. | Power cycle. | A critical value of the internal state of the DRBG. |
| NDRNG entropy | Used as the entropy input string to the HMAC DRBG. | Power cycle. | A critical value of the internal state of the DRBG. |
In Junos OS in FIPS mode, all CSPs must enter and leave the cryptographic module in encrypted form. Any CSP encrypted with a non-approved algorithm is considered plain text by FIPS.
Local passwords are hashed with the SHA256 or SHA512 algorithm. Password recovery is not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into single-user mode without the root password.
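Table 1 names the HMAC DRBG seed, V value, key value and NDRNG entropy input as CSPs without showing how they relate. The following Python sketch is an added illustration, not code from the Juniper guide or from Junos OS: it implements the HMAC_DRBG construction of NIST SP 800-90A with SHA-256 so that the update of V and Key on every generate call, the consumption of the seed at instantiation, and their erasure on zeroization can be observed. The entropy input, nonce and personalization string are constructed sample values, and the class, function and attribute names are this example's own.

```python
import hmac
import hashlib


class HmacDrbg:
    """HMAC_DRBG (NIST SP 800-90A, section 10.1.2) instantiated with SHA-256.

    `key` and `v` are the two internal-state CSPs that Table 1 calls the
    "HMAC DRBG key value" and "HMAC DRBG V value"; the seed material passed to
    __init__ is consumed by the update function and never stored.
    """

    OUTLEN = hashlib.sha256().digest_size  # 32 bytes: the outlen-bit block size

    def __init__(self, entropy_input: bytes, nonce: bytes = b"", personalization: bytes = b""):
        # Instantiate_algorithm: Key = 0x00..00, V = 0x01..01, then absorb the seed material.
        self.key = b"\x00" * self.OUTLEN
        self.v = b"\x01" * self.OUTLEN
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: rekey with V || 0x00 || data, then (if data present) V || 0x01 || data.
        self.key = self._hmac(self.v + b"\x00" + provided_data)
        self.v = self._hmac(self.v)
        if provided_data:
            self.key = self._hmac(self.v + b"\x01" + provided_data)
            self.v = self._hmac(self.v)

    def reseed(self, entropy_input: bytes, additional_input: bytes = b"") -> None:
        # Reseed_algorithm: fresh entropy (the NDRNG entropy CSP) refreshes Key and V.
        self._update(entropy_input + additional_input)
        self.reseed_counter = 1

    def generate(self, num_bytes: int, additional_input: bytes = b"") -> bytes:
        # Generate_algorithm: each output block is V = HMAC(Key, V); afterwards the
        # state is updated once more so that earlier output cannot be recovered from it.
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < num_bytes:
            self.v = self._hmac(self.v)
            out += self.v
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:num_bytes]

    def zeroize(self) -> None:
        # Models the "power cycle" zeroization of Table 1: the internal state is overwritten.
        self.key = b"\x00" * self.OUTLEN
        self.v = b"\x00" * self.OUTLEN
        self.reseed_counter = 0


def state_evolution_demo() -> dict:
    """Instantiate two generators from the same constructed seed material: outputs are
    deterministic, the state CSPs change on every generate call, and zeroize() clears them."""
    entropy = bytes(range(32))          # constructed stand-in for 256 bits of NDRNG entropy
    nonce = b"constructed-nonce"        # constructed sample value
    personalization = b"drbg-demo"      # constructed sample value, not from the guide
    a = HmacDrbg(entropy, nonce, personalization)
    b = HmacDrbg(entropy, nonce, personalization)
    key_before, v_before = a.key, a.v
    out_a = a.generate(48)
    key_after, v_after = a.key, a.v
    out_b = b.generate(48)
    a.zeroize()
    return {
        "output_len": len(out_a),
        "deterministic": out_a == out_b,
        "key_changed": key_after != key_before,
        "v_changed": v_after != v_before,
        "reseed_counter_after_generate": b.reseed_counter,
        "zeroized": a.key == b"\x00" * HmacDrbg.OUTLEN and a.v == b"\x00" * HmacDrbg.OUTLEN,
    }


if __name__ == "__main__":
    print(state_evolution_demo())
```

The demo makes the table's zeroization column concrete: the seed exists only as an argument, V and Key are rewritten by every generate call, and a power cycle (modelled by zeroize()) leaves nothing of the state behind.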
RELATED DOCUMENTATION Zeroization to Clear System Data for FIPS Mode Overview | 23
Password Specifications and Guidelines for Junos OS in FIPS Mode Overview
All passwords established for users by the Security Administrator must conform to the following Junos OS in FIPS mode requirements. Attempts to configure passwords that do not conform to the following specifications result in an error.
· Length: Passwords must contain between 10 and 20 characters.
· Character set requirements: Passwords must contain at least three of the following five defined character sets:
  · Uppercase letters
  · Lowercase letters
  · Digits
  · Punctuation marks
  · Keyboard characters not included in the other four sets, such as the percent sign (%) and the ampersand (&)
· Authentication requirements: All passwords and keys used to authenticate peers must contain at least 10 characters, and in some cases the number of characters must match the digest size.
· Password encryption: To change the default encryption method (SHA512), include the format statement at the [edit system login password] hierarchy level.
Guidelines for strong passwords: Strong, reusable passwords can be based on letters from a favorite phrase or word and then concatenated with other unrelated words, along with added digits and punctuation. In general, a strong password is:
· Easy to remember, so that users are not tempted to write it down.
· Made up of mixed alphanumeric characters and punctuation. For FIPS compliance, include at least one change of case, one or more digits, and one or more punctuation marks.
· Changed periodically.
· Not divulged to anyone.
Characteristics of weak passwords: Do not use the following weak passwords:
· Words that might be found in, or exist as a permuted form in, a system file such as /etc/passwd.
· The hostname of the system (always a first guess).
· Any word or phrase that appears in a dictionary or other well-known source, including dictionaries and thesauruses in languages other than English; works by classical or popular writers; or common words and phrases from sports, sayings, movies, or television shows.
· Permutations of any of the above, for example, a dictionary word with letters replaced with digits (r00t) or with digits added to the end.
· Any machine-generated password. Algorithms reduce the search space of password-guessing programs and so should not be used.
RELATED DOCUMENTATION Operational Environment for Junos OS in FIPS Mode Overview | 14
Download Software Packages from Juniper Networks
You can download the Junos OS software package from the Juniper Networks website. Before you begin to download the software, ensure that you have a Juniper Networks Web account and a valid support contract. To obtain an account, complete the registration form at the Juniper Networks website: https://usregistration.juniper.net/. To download software packages from Juniper Networks:
1. Using a Web browser, follow the links to the download URL on the Juniper Networks webpage: https://support.juniper.net/support/downloads/
2. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives.
3. Download the software. See Downloading Software.
RELATED DOCUMENTATION Installation and Upgrade Guide
Install Junos Software Packages
You can use this procedure to upgrade Junos OS on a device with a single Routing Engine. To install software upgrades on a device with a single Routing Engine:
1. Download the software package as described in "Download Software Packages from Juniper Networks" on page 19.
2. If you have not already done so, connect to the console port on the device from your management device, and log in to the Junos OS CLI.
3. (Optional) Back up the current software configuration to a second storage option. See the Software Installation and Upgrade Guide for instructions on performing this task.
4. (Optional) Copy the software package to the device. We recommend that you use FTP to copy the file to the /var/tmp/ directory. This step is optional because Junos OS can also be upgraded when the software image is stored at a remote location. These instructions describe the software upgrade process for both scenarios.
5. Install the new package on the device:
user@host> request vmhost software add package
Replace package with one of the following paths:
· For a software package in a local directory on the device, use /var/tmp/package.tgz.
· For a software package on a remote server, use one of the following paths, replacing the variable package with the name of the software package:
  · ftp://hostname/pathname/package.tgz
  · http://hostname/pathname/package.tgz
6. Reboot the device to load the installation:
user@host> request vmhost reboot
7. After the reboot has completed, log in and use the show version command to verify that the new version of the software is successfully installed.
user@host> show version
Hostname: hostname
Model: mx240
Junos: 22.2R1.10
JUNOS OS Kernel 64-bit [20210529.2f59a40_builder_stable_12]
JUNOS OS libs [20210529.2f59a40_builder_stable_12]
...
JUNOS OS boot-ve files [20210529.2f59a40_builder_stable_12]
JUNOS na telemetry [22.2R1.10]
JUNOS Security Intelligence [20210622.124332_builder_junos_212_r1]
...
JUNOS py extensions [20210622.124332_builder_junos_212_r1]
JUNOS py base [20210622.124332_builder_junos_212_r1]
...
JUNOS mtx Data Plane Crypto Support [20210621.124332_builder_junos_212_r1]
...
JUNOS appidd-mx application-identification daemon [20210621.124332_builder_junos_212_r1]
JUNOS TPM2 [20210621.124332_builder_junos_212_r1]
JUNOS Services URL Filter package [20210621.124332_builder_junos_212_r1]
JUNOS Services TLB Service PIC package [20210621.124332_builder_junos_212_r1]
...
JUNOS Services RTCOM [20210621.124332_builder_junos_212_r1]
JUNOS Services RPM [20210621.124332_builder_junos_212_r1]
...
JUNOS Services NAT [20210621.124332_builder_junos_212_r1]
...
JUNOS Services Deep Packet Inspection package [20210621.124332_builder_junos_212_r1]
...
JUNOS Packet Forwarding Engine Support (M/T Common) [20210621.124332_builder_junos_212_r1]
JUNOS Packet Forwarding Engine Support (aft) [20210621.124332_builder_junos_212_r1]
...
JUNOS Online Documentation [20210621.124332_builder_junos_212_r1]
JUNOS jail runtime [20210529.2f59a40_builder_stable_12]
RELATED DOCUMENTATION Installation and Upgrade Guide
Zeroization to Clear System Data for FIPS Mode Overview
IN THIS SECTION Why Zeroize? | 24 When to Zeroize? | 24
Zeroization completely erases all configuration information on the device, including all plain-text passwords, secrets, and private keys for SSH, local encryption, local authentication, and IPsec. To exit FIPS mode you need to zeroize the device. The Security Administrator initiates the zeroization process by entering the request vmhost zeroize no-forwarding command. With regard to cryptographic key destruction, the TOE does not support delayed key destruction.
CAUTION: Perform system zeroization with care. After the zeroization process is complete, no data is left on the device. Zeroization can be time-consuming. Although all configurations are removed in a few seconds, the zeroization process continues to overwrite all media, which can take considerable time depending on the size of the media.
Why Zeroize?
Your device is not considered a valid FIPS cryptographic module until all critical security parameters (CSPs) have been entered, or reentered, while the device is in FIPS mode. For FIPS 140-3 compliance, you must zeroize the system to remove sensitive information before disabling FIPS mode on the device.
When to Zeroize?
As Security Administrator, perform zeroization in the following situations:
· Before FIPS operation: To prepare your device for operation as a FIPS cryptographic module, perform zeroization before enabling FIPS mode.
· Before non-FIPS operation: To begin repurposing your device for non-FIPS operation, perform zeroization before disabling FIPS mode on the device.
NOTE: Juniper Networks does not support installing non-FIPS software in a FIPS environment, but doing so might be necessary in certain test environments. Be sure to zeroize the system first.
RELATED DOCUMENTATION Zeroize the System | 24
Zeroize the System
To zeroize your device, follow the procedure below:
1. Log in to the device as Crypto Officer and, from the CLI, enter:
crypto-officer@host> request vmhost zeroize no-forwarding
VMHost Zeroization : Erase all data, including configuration and log files ? [yes,no] (no) yes
2. To initiate the zeroization process, type yes at the prompt:
Erase all data, including configuration and log files? [yes,no] (no) yes
VMHost Zeroization : Erase all data, including configuration and log files ? [yes,no] (no) yes
warning: Vmhost will reboot and may not boot without configuration
warning: Proceeding with vmhost zeroize
Zeroise secondary internal disk ...
Proceeding with zeroize on secondary disk
Mounting device for zeroization ...
Cleaning targeted disk for zeroization ...
Zeroization done on targeted disk.
Zeroize of secondary disk completed
Zeroize primary internal disk ...
Proceeding with zeroize on primary disk
/etc/ssh/ssh_host_ecdsa_key.pub
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_etsac_host_host_host .pub
/etc/ssh/ssh_host_rsa_key
Mounting device for zeroization ...
Cleaning targeted disk for zeroization ...
Zeroization done on targeted disk.
Zeroize of primary disk completed
Zeroize done
warning: Proceeding with vmhost reboot
Rebooting vmhost...
The entire operation can take considerable time depending on the size of the media, but all critical security parameters (CSPs) are removed within a few seconds. The physical environment must remain secure until the zeroization process is complete.
Enable FIPS Mode
As Security Administrator, you must establish a root password that conforms to the FIPS password requirements in "Password Specifications and Guidelines for Junos OS in FIPS Mode Overview" on page 18. When you enable FIPS mode in Junos OS on the device, you cannot configure passwords unless they meet this standard.
Local passwords are encrypted with the secure hash algorithm SHA256 or SHA512. Password recovery is not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into single-user mode without the root password.
To enable FIPS mode in Junos OS on the device:
1. Zeroize the device to delete all CSPs before entering FIPS mode. See the "Zeroize the System" section on page 24 for details.
2. After the device comes up in 'Amnesiac mode', log in using the username root and the password "" (blank).
FreeBSD/amd64 (Amnesiac) (ttyu0)
login: root
--- JUNOS 22.2R1.10 Kernel 64-bit JNPR-12.1-20210529.2f59a40_build
root@:~ # cli
root>
3. Configure root authentication with a password of at least 10 characters.
root> edit
Entering configuration mode
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
4. Load the configuration onto the device and commit the new configuration. Configure the Security Administrator and log in with the Security Administrator credentials.
5. The fips-mode and jpfe-fips optional packages are required to enable FIPS. These packages are part of the Junos OS software. To enable these packages, use the commands below:
security-administrator@hostname> request system software add optional://fips-mode.tgz
Verified fips-mode signed by PackageDevelopmentECP256_2020 method ECDSA256+SHA256
cryptoofficer@hostname> request system software add optional://jpfe-fips.tgz
/usr/sbin/pkg: package jpfe-fips-x86-32-20.3I-20200610_dev_common.0.0743 is already installed
6. Configure the fips chassis boundary by setting system fips chassis level 1 and commit.
The device may display the warning Encrypted password must be re-configured to use FIPS compliant hash so that the old CSPs are removed from the loaded configuration.
7. After deleting and reconfiguring the CSPs, the commit will go through and the device needs to be rebooted to enter FIPS mode.
[edit]
security-administrator@hostname# commit
[edit]
  'system'
    reboot is required to transition to FIPS level 1
commit complete
[edit]
security-administrator@hostname# run request vmhost reboot
8. After the device reboots, the FIPS self-tests run and the device enters FIPS mode.
security-administrator@hostname:fips>
Configure Security Administrator and FIPS User Identification and Access
IN THIS SECTION Configure Security Administrator Access | 28 Configure FIPS User Login Access | 30
The Security Administrator and FIPS users perform all configuration tasks for Junos OS in FIPS mode and issue all Junos OS in FIPS mode statements and commands. Security Administrator and FIPS user configurations must follow the Junos OS in FIPS mode guidelines.
Configure Security Administrator Access
Junos OS in FIPS mode offers a finer granularity of user permissions than those mandated by FIPS 140-3. For FIPS 140-3 compliance, any FIPS user with the secret, security, maintenance, and control permission bits set is a Security Administrator. In most cases the super-user class suffices for the Security Administrator. To configure login access for the Security Administrator:
1. Log in to the device with the root password if you have not already done so, and enter configuration mode:
root@hostname# edit
Entering configuration mode
[edit]
root@hostname#
2. Name the user security-administrator and assign the Security Administrator a user ID (for example, 6400, which must be a unique number associated with the login account in the range of 100 to 64000) and a class (for example, super-user). When you assign the class, you assign the permissions, for example, secret, security, maintenance, and control.
[edit]
root@hostname# set system login user username uid value class class-name
For example:
[edit]
root@hostname# set system login user security-administrator uid 6400 class super-user
3. Following the guidelines in "Password Specifications and Guidelines for Junos OS in FIPS Mode Overview" on page 18, assign the Security Administrator a plain-text password for login authentication. Set the password by typing the password after the New password prompt and then retyping the new password.
[edit]
root@hostname# set system login user username class class-name authentication (plain-text-password | encrypted-password)
For example:
[edit]
root@hostname# set system login user security-administrator class super-user authentication plain-text-password
4. Optionally, display the configuration:
[edit]
root@hostname# edit system
[edit system]
root@hostname# show
login {
    user security-administrator {
        uid 6400;
        authentication {
            encrypted-password " "; ## SECRET-DATA
        }
        class super-user;
    }
}
5. If you are done configuring the device, commit the configuration and exit:
[edit]
root@hostname# commit
commit complete
root@hostname# exit
Configure FIPS User Login Access
A FIPS user is defined as any FIPS user that does not have the secret, security, maintenance, and control permission bits set. As Security Administrator, you set up FIPS users. FIPS users cannot be granted permissions normally reserved for the Security Administrator, for example, permission to zeroize the system. To configure login access for a FIPS user:
1. Log in to the device with your Security Administrator password if you have not already done so, and enter configuration mode:
security-administrator@hostname:fips> edit
Entering configuration mode
[edit]
security-administrator@hostname:fips#
2. Name the user, and assign the user a user ID (for example, 6401, which must be a unique number in the range 1 to 64000) and a class. When you assign the class, you assign the permissions, for example, clear, network, reset, view, and view-configuration.
[edit]
security-administrator@hostname:fips# set system login user username uid value class classname
For example:
[edit]
security-administrator@hostname:fips# set system login user fips-user1 uid 6401 class read-only
3. Following the guidelines in "Password Specifications and Guidelines for Junos OS in FIPS Mode Overview" on page 18, assign the FIPS user a plain-text password for login authentication. Set the password by typing the password after the New password prompt and then retyping the new password.
[edit]
security-administrator@hostname:fips# set system login user username class class-name authentication (plain-text-password | encrypted-password)
For example:
[edit]
security-administrator@hostname:fips# set system login user
4. Optionally, display the configuration:
[edit]
security-administrator@hostname:fips# edit system
[edit system]
security-administrator@hostname:fips# show
login {
    user fips-user1 {
        uid 6401;
        authentication {
            encrypted-password " "; ## SECRET-DATA
        }
        class read-only;
    }
}
5. If you are done configuring the device, commit the configuration and exit:
[edit]
security-administrator@hostname:fips# commit
security-administrator@hostname:fips# exit
RELATED DOCUMENTATION Junos OS Roles and Services Overview | 12
CHAPTER 3
Configure Administrative Credentials and Privileges
Understanding the Associated Password Rules for an Authorized Administrator | 34
Configure a Network Device Collaborative Protection Profile Authorized Administrator | 36
Configure Time | 37
Configure Idle Timeout Period, and Local and Remote Idle Session Termination | 38
Understanding the Associated Password Rules for an Authorized Administrator
The authorized administrator is associated with a defined login class, and the administrator is assigned all permissions. Data is stored locally for fixed password authentication.
NOTE: We recommend that you do not use control characters in passwords.
Use the following guidelines and configuration options for passwords, and when selecting passwords for authorized administrator accounts. Passwords should be:
· Easy to remember, so that users are not tempted to write them down.
· Changed periodically.
· Private and not shared with anyone.
· At least 10 characters long. The minimum password length is 10 characters.
[ edit ]
security-administrator@host# set system login password minimum-length 10
· Composed of both alphanumeric and punctuation characters, in any combination of uppercase and lowercase letters, numbers, and special characters such as "!", "@", "#", "$", "%", "^", "&", "*", "(", and ")". There should be at least one change of case, one or more digits, and one or more punctuation marks.
· Made up of character sets. Valid character sets include uppercase letters, lowercase letters, numbers, punctuation, and other special characters.
[ edit ]
security-administrator@host# set system login password change-type character-sets
· Made up of the minimum number of character sets or character-set changes. The minimum number of character sets required in plain-text passwords in Junos FIPS is 3.
[ edit ]
security-administrator@host# set system login password minimum-changes 3
· The hashing algorithm for user passwords can be SHA256 or SHA512 (SHA512 is the default hashing algorithm).
[ edit ]
security-administrator@host# set system login password format sha512
NOTE: The device supports the ECDSA (P-256, P-384, and P-521) and RSA (2048, 3072, and 4092 modulus bit length) key types.
NOTE: The new hashing algorithm affects only those passwords that are generated after the commit.
Weak passwords are:
· Words that might be found in, or exist as a permuted form in, a system file such as /etc/passwd.
· The hostname of the system (always a first guess).
· Any words appearing in a dictionary. This includes dictionaries other than English, and words found in works such as Shakespeare, Lewis Carroll, Roget's Thesaurus, and so on. This prohibition includes common words and phrases from sports, sayings, movies, and television shows.
· Permutations of any of the above. For example, a dictionary word with vowels replaced with digits (for example, f00t) or with digits added to the end.
· Any machine-generated passwords. Algorithms reduce the search space of password-guessing programs and so should not be used.
Strong, reusable passwords can be based on letters from a favorite phrase or word, and then concatenated with other, unrelated words, along with additional digits and punctuation.
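The FIPS-mode password specification earlier in this guide and the authorized-administrator password rules above describe the same checks: a length of 10 to 20 characters, coverage of at least three of the five character sets, and rejection of weak candidates such as the hostname, dictionary words, and their digit-for-letter permutations. The following Python validator is an added example, not code from Juniper or from Junos OS; it applies those rules offline so that a candidate password can be screened before it is configured on the device, which enforces the rules itself and rejects non-conforming passwords with an error. The exact membership of the punctuation and other-keyboard-character sets, the word list, and the leetspeak map are assumptions of this example, and the function names are its own.

```python
import string

# The five character sets of the Junos OS FIPS-mode password specification. The split
# between "punctuation marks" and "other keyboard characters" is an assumption of this
# example; the guide only names % and & as members of the fifth set.
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
PUNCT = set(".,;:!?'\"-()[]{}")
OTHER = set(string.punctuation) - PUNCT   # e.g. % & @ # $ ^ * + = / \ | ~ ` < > _

MIN_LEN, MAX_LEN, MIN_SETS = 10, 20, 3

# Constructed sample word list standing in for /etc/passwd-style entries and a dictionary.
WEAK_WORDS = {"password", "juniper", "router", "admin", "welcome", "letmein", "root"}

# Reverse common digit-for-letter substitutions so that "r00t" and "p@ssw0rd" normalise
# back to the dictionary word they permute (assumed map, not from the guide).
_UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def character_sets_used(password: str) -> set[str]:
    """Name the defined character sets that appear in the password."""
    used = set()
    for ch in password:
        if ch in UPPER:
            used.add("upper")
        elif ch in LOWER:
            used.add("lower")
        elif ch in DIGITS:
            used.add("digit")
        elif ch in PUNCT:
            used.add("punct")
        elif ch in OTHER:
            used.add("other")
    return used


def check_fips_password(password: str, hostname: str, weak_words=WEAK_WORDS) -> list[str]:
    """Return the rule violations for a candidate password; an empty list means it is acceptable."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} is not between {MIN_LEN} and {MAX_LEN}")
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in password):
        problems.append("contains control characters")
    used = character_sets_used(password)
    if len(used) < MIN_SETS:
        problems.append(f"uses {len(used)} character set(s); at least {MIN_SETS} are required")
    # Weak-password heuristics: strip appended digits/punctuation ("...123!"), then undo
    # leetspeak, and compare both forms against the hostname and the word list.
    stripped = password.lower().rstrip(string.digits + string.punctuation)
    core = stripped.translate(_UNLEET)
    if hostname and hostname.lower() in (password.lower(), stripped, core):
        problems.append("based on the system hostname")
    if stripped in weak_words or core in weak_words:
        problems.append("dictionary word or a simple permutation of one")
    return problems


if __name__ == "__main__":
    # Constructed candidates, checked against a constructed hostname.
    for candidate in ("Tr0ub4dor&3", "r00t", "P@ssw0rd123!", "Mx240-Core!!"):
        print(candidate, "->", check_fips_password(candidate, "mx240-core") or "ok")
```

The validator is deliberately stricter in spirit than the device's own length and character-set checks, because the weak-password rules in the guide are guidance that the CLI does not enforce; extend WEAK_WORDS with a real dictionary and the organisation's hostnames before relying on it.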
Configure the Network Device Collaborative Protection Profile Authorized Administrator
The root account is always present in the configuration and is not intended for use in normal operation. In the evaluated configuration, the root account is restricted to the initial installation and configuration of the evaluated device. The NDcPPv2.2e authorized administrator must have all permissions, including the ability to change the configuration of the device. To configure an authorized administrator:
1. Create a login class named security-admin with all permissions.
[edit] root@host# set system login class security-admin permissions all
2. Configure the hashing algorithm for plain-text passwords as sha512.
[edit] root@host# set system login password format sha512
3. Commit the changes.
[edit] root@host# commit
4. Define your NDcPPv2.2e user authorized administrator.
[edit] root@host# set system login user NDcPPv2-user class security-admin authentication encrypted-password
OR
[edit] root@host# set system login user NDcPPv2-user class security-admin authentication plain-text-password
5. Load an SSH key file that was previously generated using ssh-keygen. This command loads RSA (SSH version 2) or ECDSA (SSH version 2) keys.
[edit] root@host# set system root-authentication load-key-file url:filename
6. Set the log-key-changes configuration statement to log when SSH authentication keys are added or removed.
[edit] root@host# set system services ssh log-key-changes
NOTE: When the log-key-changes configuration statement is enabled and committed (with the commit command in configuration mode), Junos OS logs the changes to the set of authorized SSH keys for each user (including keys that were added or removed). Junos OS logs the differences since the last time the log-key-changes configuration statement was enabled. If the log-key-changes configuration statement was never enabled, Junos OS logs all the authorized SSH keys.
7. Commit the changes.
[edit] root@host# commit
NOTE: The root password should be reset following the change to sha256 / sha512 for the password storage format. This ensures that the new password is protected using a sha256 / sha512 hash. To reset the root password, use the set system root-authentication plain-text-password command, and confirm the new password when prompted.
Configure the Time
To customize the time, disable NTP and set the date.
1. Disable NTP.
[edit]
security-administrator@hostname:fips# deactivate groups global system ntp
security-administrator@hostname:fips# deactivate system ntp
security-administrator@hostname:fips# commit
security-administrator@hostname:fips# exit
2. Set the date and time. The date and time format is YYYYMMDDHHMM.ss.
security-administrator@hostname:fips> set date 201803202034.00
security-administrator@hostname:fips> set cli timestamp
Configure the Idle Timeout, and Local and Remote Session Termination
IN THIS SECTION
Configure Session Termination | 38
Sample Output for Local Administrative Session Termination | 40
Sample Output for Remote Administrative Session Termination | 40
Sample Output for User-Initiated Termination | 41
Configure Session Termination
Terminate a session after the idle timeout period specified by the security administrator has elapsed.
1. Set the idle timeout.
[edit] security-administrator@host:fips# set system login class security-admin idle-timeout 2
2. Configure the login access privileges.
[edit] security-administrator@host:fips# set system login class security-admin permissions all
3. Commit the configuration.
[edit] security-administrator@host:fips# commit
commit complete
4. Set the password.
[edit] security-administrator@host:fips# set system login user NDcPPv2-user authentication plain-text-password
New password:
Retype new password:
5. Define the login class.
[edit] security-administrator@host:fips# set system login user NDcPPv2-user class security-admin
6. Commit the configuration.
[edit] security-administrator@host:fips# commit
commit complete
Sample Output for Local Administrative Session Termination
con host
Trying abcd...
'autologin': unknown argument ('set ?' for help).
Connected to device.example.com
Escape character is '^]'.
Type the hot key to suspend the connection: Z
FreeBSD/amd64 (host) (ttyu0)
login: NDcPPv2-user
Password:
Last login: Sun Jun 23 22:42:27 from 10.224.33.70
--- JUNOS 22.2R1.4 Kernel 64-bit JNPR-11.0-20190316.df99236_buil
NDcPPv2-user@host>
Warning: session will be closed in 1 minute if there is no activity
Warning: session will be closed in 10 seconds if there is no activity
Idle timeout exceeded: closing session
FreeBSD/amd64 (host) (ttyu0)
Sample Output for Remote Administrative Session Termination
ssh NDcPPv2-user@host
Password:
Last login: Sun Jun 23 22:48:05 2019
--- JUNOS 22.2R1.4 Kernel 64-bit JNPR-11.0-20190316.df99236_buil
NDcPPv2-user@host> exit
Connection to host closed.
ssh NDcPPv2-user@host
Password:
Last login: Sun Jun 23 22:50:50 2019 from 10.224.33.70
--- JUNOS 22.2R1.6 Kernel 64-bit JNPR-11.0-20190316.df99236_buil
NDcPPv2-user@host>
Warning: session will be closed in 1 minute if there is no activity
Warning: session will be closed in 10 seconds if there is no activity
Idle timeout exceeded: closing session
Connection to host closed.
Sample Output for User-Initiated Termination
ssh NDcPPv2-user@host
Password:
Last login: Sun Jun 23 22:48:05 2019
--- JUNOS 22.2R1.4 Kernel 64-bit JNPR-11.0-20190316.df99236_buil
NDcPPv2-user@host> exit
CHAPTER 4
Configure SSH and Console Connection
Configure the System Login Message and Announcement | 43
Configure SSH on the NDcPPv2.2e Evaluated Configuration | 44
Limit the Number of User Login Attempts for SSH Sessions | 45
Configure the System Login Message and Announcement
The system login message appears before the user logs in, and the system login announcement appears after the user logs in. By default, no login message or announcement is displayed on the device. To configure a system login message using the console or management interface, use the following command:
[edit] security-administrator@host:fips# set system login message login-message-banner-text
To configure a system announcement, use the following command:
[edit] security-administrator@host:fips# set system login announcement system-announcement-text
NOTE:
· If the message text contains spaces, enclose it in quotation marks.
· You can format the message using the following special characters:
· \n - New line
· \t - Horizontal tab
· \' - Single quotation mark
· \" - Double quotation mark
· \\ - Backslash
Configure SSH on the NDcPPv2.2e Evaluated Configuration
SSH through the remote management interface is permitted in the evaluated configuration. This topic describes how to configure SSH for remote management of the TOE. The following algorithms need to be configured to set up SSH for NDcPPv2.2e. To configure SSH on the TOE:
1. Specify the permissible SSH host-key algorithms for the system services.
[edit]
security-administrator@host:fips# set system services ssh hostkey-algorithm ssh-ecdsa
security-administrator@host:fips# set system services ssh hostkey-algorithm no-ssh-dss
security-administrator@host:fips# set system services ssh hostkey-algorithm ssh-rsa
security-administrator@host:fips# set system services ssh hostkey-algorithm no-ssh-ed25519
2. Specify the SSH key-exchange algorithms for Diffie-Hellman keys for the system services.
[edit]
security-administrator@host:fips# set system services ssh key-exchange dh-group14-sha1
security-administrator@host:fips# set system services ssh key-exchange ecdh-sha2-nistp256
security-administrator@host:fips# set system services ssh key-exchange ecdh-sha2-nistp384
security-administrator@host:fips# set system services ssh key-exchange ecdh-sha2-nistp521
3. Specify all the permissible message authentication code algorithms for SSHv2.
[edit]
security-administrator@host:fips# set system services ssh macs hmac-sha1
security-administrator@host:fips# set system services ssh macs hmac-sha2-256
security-administrator@host:fips# set system services ssh macs hmac-sha2-512
4. Specify the ciphers allowed for protocol version 2.
[edit]
security-administrator@host:fips# set system services ssh ciphers aes128-cbc
security-administrator@host:fips# set system services ssh ciphers aes256-cbc
security-administrator@host:fips# set system services ssh ciphers aes128-ctr
security-administrator@host:fips# set system services ssh ciphers aes256-ctr
Supported SSH host-key algorithms:
ssh-ecdsa    Enable generation of an ECDSA host key
ssh-rsa      Enable generation of an RSA host key
Supported SSH key-exchange algorithms:
dh-group14-sha1       RFC 4253 mandated group with SHA1 hash
ecdh-sha2-nistp256    EC Diffie-Hellman on nistp256 with SHA2-256
ecdh-sha2-nistp384    EC Diffie-Hellman on nistp384 with SHA2-384
ecdh-sha2-nistp521    EC Diffie-Hellman on nistp521 with SHA2-512
Supported MAC algorithms:
hmac-sha1        Hash-based MAC using Secure Hash Algorithm (SHA1)
hmac-sha2-256    Hash-based MAC using Secure Hash Algorithm (SHA2)
hmac-sha2-512    Hash-based MAC using Secure Hash Algorithm (SHA2)
Supported SSH cipher algorithms:
aes128-cbc    128-bit AES with Cipher Block Chaining
aes128-ctr    128-bit AES with Counter Mode
aes256-cbc    256-bit AES with Cipher Block Chaining
aes256-ctr    256-bit AES with Counter Mode
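As an added example (not Juniper's code), the following audits a set of "set system services ssh ..." statements against the algorithm lists above: any value outside those lists is reported, a knob with no explicit statement is reported because Junos defaults would then apply, and the two host-key types the guide disables (no-ssh-dss, no-ssh-ed25519) are reported when missing. COMPLIANT_CONFIG repeats the statements from this section; DRIFTED_CONFIG is a constructed sample whose values are only illustrative.

```python
import re

# Algorithm values the guide configures for the NDcPPv2.2e evaluated configuration.
ALLOWED = {
    "hostkey-algorithm": {"ssh-ecdsa", "ssh-rsa", "no-ssh-dss", "no-ssh-ed25519"},
    "key-exchange": {"dh-group14-sha1", "ecdh-sha2-nistp256",
                     "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "macs": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"},
    "ciphers": {"aes128-cbc", "aes256-cbc", "aes128-ctr", "aes256-ctr"},
}
# Host-key types the guide turns off explicitly; if the statement is absent the
# type stays enabled, so its absence is a finding.
MUST_DISABLE = {"no-ssh-dss", "no-ssh-ed25519"}

STATEMENT_RE = re.compile(
    r"^\s*set\s+system\s+services\s+ssh\s+"
    r"(hostkey-algorithm|key-exchange|macs|ciphers)\s+(\S+)\s*$")


def parse_ssh_statements(config_text):
    """Collect the values configured per knob from 'set ...' statements."""
    configured = {knob: set() for knob in ALLOWED}
    for line in config_text.splitlines():
        m = STATEMENT_RE.match(line)
        if m:
            configured[m.group(1)].add(m.group(2))
    return configured


def audit_ssh_config(config_text):
    """Return findings as strings; an empty list means the statements match the guide."""
    configured = parse_ssh_statements(config_text)
    findings = []
    for knob in ALLOWED:
        values = configured[knob]
        if not values:
            findings.append(f"{knob}: no explicit statement, Junos defaults would apply")
        for value in sorted(values - ALLOWED[knob]):
            findings.append(f"{knob}: '{value}' is outside the evaluated configuration")
    for missing in sorted(MUST_DISABLE - configured["hostkey-algorithm"]):
        findings.append(f"hostkey-algorithm: '{missing}' not set, that host-key type stays enabled")
    return findings


# The statements from this section, one per line.
COMPLIANT_CONFIG = """
set system services ssh hostkey-algorithm ssh-ecdsa
set system services ssh hostkey-algorithm no-ssh-dss
set system services ssh hostkey-algorithm ssh-rsa
set system services ssh hostkey-algorithm no-ssh-ed25519
set system services ssh key-exchange dh-group14-sha1
set system services ssh key-exchange ecdh-sha2-nistp256
set system services ssh key-exchange ecdh-sha2-nistp384
set system services ssh key-exchange ecdh-sha2-nistp521
set system services ssh macs hmac-sha1
set system services ssh macs hmac-sha2-256
set system services ssh macs hmac-sha2-512
set system services ssh ciphers aes128-cbc
set system services ssh ciphers aes256-cbc
set system services ssh ciphers aes128-ctr
set system services ssh ciphers aes256-ctr
"""

# Constructed sample of a configuration that has drifted from the guide
# (values chosen for illustration only).
DRIFTED_CONFIG = """
set system services ssh hostkey-algorithm ssh-rsa
set system services ssh key-exchange dh-group1-sha1
set system services ssh macs hmac-md5
set system services ssh ciphers aes128-cbc
set system services ssh ciphers 3des-cbc
"""

if __name__ == "__main__":
    for finding in audit_ssh_config(DRIFTED_CONFIG):
        print(finding)
```

Feed it the output of "show configuration system services ssh | display set" to audit a live device; a clean result is an empty list.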
Limit the Number of User Login Attempts for SSH Sessions
An administrator might log in remotely to the device through SSH. Administrator credentials are stored locally on the device. If the remote administrator presents a valid username and password, access to the TOE is granted. If the credentials are invalid, the TOE allows the authentication to be retried after an interval that starts after 1 second and increases exponentially. If the number of authentication attempts exceeds the configured maximum, no authentication attempts are accepted for a configured time interval. When the interval expires, authentication attempts are again accepted.
You configure the amount of time the device is locked after the failed attempts. This is the amount of time, in minutes, before a user can attempt to log in to the device after being locked out because of the number of failed login attempts specified in the tries-before-disconnect statement. When a user fails to log in correctly after the allowed number of attempts specified by the tries-before-disconnect statement, the user must wait the configured number of minutes before attempting to log in to the device again.
The lockout period must be greater than zero. The range for the lockout period is 1 through 43,200 minutes.
[edit system login] security-administrator@host:fips# set retry-options lockout-period
You can configure the device to limit the number of attempts to enter a password while logging in through SSH, using the following command:
[edit system login] security-administrator@host:fips# set retry-options tries-before-disconnect
Here, tries-before-disconnect is the number of times the user can attempt to enter a password when logging in. The connection closes if the user fails to log in after the specified number of attempts. The range is 1 through 10, and the default value is 10.
Local administrator access will be maintained even if remote administration is made permanently or temporarily unavailable because of numerous failed login attempts. Console login for local administration will be available to users during the lockout period.
You can also configure the delay, in seconds, before a user can attempt to enter a password after a failed attempt.
[edit system login] security-administrator@host:fips# set retry-options backoff-threshold
Here, backoff-threshold is the threshold for the number of failed login attempts before the user experiences a delay in being able to enter a password again. Use the backoff-factor option to specify the length of the delay in seconds. The range is 1 through 3, and the default value is 2 seconds.
In addition, the device can be configured to specify the threshold for the number of failed attempts before the user experiences a delay in entering the password again.
[edit system login] security-administrator@host:fips# set retry-options backoff-factor
Here, backoff-factor is the length of time, in seconds, before a user can attempt to log in after a failed attempt. The delay increases by the specified value for each subsequent attempt after the threshold. The range is 5 through 10, and the default value is 5 seconds.
You can control user access through SSH. By configuring ssh root-login deny, you can ensure that the root account remains active and continues to hold local administrative privileges on the TOE even if other remote users are locked out.
[edit system] security-administrator@host:fips# set services ssh root-login deny
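The retry-options knobs above interact (tries-before-disconnect closes the connection, backoff-threshold and backoff-factor insert a growing delay before it, lockout-period keeps the account out afterwards). The following is an added model of that behaviour, written for this page and not taken from Junos: RetryOptions enforces the CLI ranges and defaults stated above, and LoginGuard replays a sequence of attempts for one account so you can see the delay and lockout a given setting produces. Treating lockout_period 0 as "not configured" and the clock in minutes are assumptions of the model.

```python
from dataclasses import dataclass


@dataclass
class RetryOptions:
    """Values under [edit system login retry-options]; ranges and defaults as
    stated in this section. lockout_period is in minutes; 0 stands for
    'not configured' (an assumption of this model, not a Junos value)."""
    tries_before_disconnect: int = 10   # 1..10
    backoff_threshold: int = 2          # 1..3
    backoff_factor: int = 5             # 5..10 seconds
    lockout_period: int = 0             # 1..43200 minutes when configured

    def __post_init__(self):
        checks = [
            (1 <= self.tries_before_disconnect <= 10, "tries-before-disconnect"),
            (1 <= self.backoff_threshold <= 3, "backoff-threshold"),
            (5 <= self.backoff_factor <= 10, "backoff-factor"),
            (self.lockout_period == 0 or 1 <= self.lockout_period <= 43200, "lockout-period"),
        ]
        for ok, name in checks:
            if not ok:
                raise ValueError(f"{name} out of range")

    def delay_after_failure(self, failures):
        """Seconds before the next password prompt after `failures` consecutive
        failures: none below the threshold, then backoff_factor seconds,
        growing by backoff_factor on each further failure."""
        if failures < self.backoff_threshold:
            return 0
        return self.backoff_factor * (failures - self.backoff_threshold + 1)


def options_in_range(**values):
    """True when RetryOptions accepts the values, False when any is outside its range."""
    try:
        RetryOptions(**values)
        return True
    except ValueError:
        return False


class LoginGuard:
    """Consecutive-failure tracker for one account on one SSH connection."""

    def __init__(self, options):
        self.options = options
        self.failures = 0
        self.locked_until = None   # minutes on the caller's clock, None when not locked

    def attempt(self, now_minutes, credentials_valid):
        """Returns (outcome, delay_seconds); outcome is 'granted', 'retry',
        'disconnect' or 'locked'."""
        if self.locked_until is not None:
            if now_minutes < self.locked_until:
                return "locked", 0
            self.locked_until = None
        if credentials_valid:
            self.failures = 0
            return "granted", 0
        self.failures += 1
        if self.failures >= self.options.tries_before_disconnect:
            if self.options.lockout_period:
                self.locked_until = now_minutes + self.options.lockout_period
            self.failures = 0   # the connection is closed; a new one starts fresh
            return "disconnect", 0
        return "retry", self.options.delay_after_failure(self.failures)


if __name__ == "__main__":
    guard = LoginGuard(RetryOptions(tries_before_disconnect=3, lockout_period=10))
    for minute, ok in ((0, False), (0, False), (0, False), (5, True), (10, True)):
        print(minute, guard.attempt(minute, ok))
```

Note that the backoff delay only slows a single connection; it is lockout-period that stops an attacker from simply reconnecting, which is why the guide pairs it with ssh root-login deny so the console path stays open for local recovery.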
The SSH2 protocol provides secure terminal sessions using secure encryption. The SSH2 protocol enforces running the key-exchange phase and changing the encryption and integrity keys for the session. Key exchange is done periodically, after a specified number of seconds or after a specified number of bytes of data have passed over the connection. You can configure the thresholds for SSH rekeying, FCS_SSHS_EXT.1.8 and FCS_SSHC_EXT.1.8. The TSF ensures that within SSH connections the same session keys are used for no longer than one hour, and for no more than one gigabyte of transmitted data. When either threshold is reached, a rekey must be performed.
[edit system] security-administrator@host:fips# set services ssh rekey time-limit
The time limit before renegotiating session keys is 1 through 1440 minutes.
[edit system] security-administrator@host:fips# set services ssh rekey data-limit
The data limit before renegotiating session keys is 51200 through 4294967295 bytes.
NOTE: You need to restart the SSH connection if the connection breaks unexpectedly.
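The CLI ranges above (up to 1440 minutes and about 4 GB) are wider than what FCS_SSHS_EXT.1.8 / FCS_SSHC_EXT.1.8 permit (one hour, one gigabyte), so a value that the device accepts can still fall outside the evaluated configuration. This added example (not Juniper's code) parses the two rekey statements, rejects values outside the CLI range, checks both against the NDcPP thresholds, and evaluates whether a session has reached either limit. SAMPLE_CONFIG is constructed for the example.

```python
import re

# CLI ranges from this section.
TIME_LIMIT_RANGE = (1, 1440)               # minutes
DATA_LIMIT_RANGE = (51200, 4294967295)     # bytes
# NDcPP thresholds (FCS_SSHS_EXT.1.8 / FCS_SSHC_EXT.1.8): one hour, one gigabyte.
NDCPP_MAX_MINUTES = 60
NDCPP_MAX_BYTES = 1 << 30

REKEY_RE = re.compile(
    r"^\s*set\s+system\s+services\s+ssh\s+rekey\s+(time-limit|data-limit)\s+(\d+)\s*$")


class RekeyPolicy:
    def __init__(self, time_limit_minutes, data_limit_bytes):
        if not TIME_LIMIT_RANGE[0] <= time_limit_minutes <= TIME_LIMIT_RANGE[1]:
            raise ValueError("time-limit outside 1..1440 minutes")
        if not DATA_LIMIT_RANGE[0] <= data_limit_bytes <= DATA_LIMIT_RANGE[1]:
            raise ValueError("data-limit outside 51200..4294967295 bytes")
        self.time_limit_minutes = time_limit_minutes
        self.data_limit_bytes = data_limit_bytes

    def satisfies_ndcpp(self):
        """Both limits must be at or below the protection-profile thresholds."""
        return (self.time_limit_minutes <= NDCPP_MAX_MINUTES
                and self.data_limit_bytes <= NDCPP_MAX_BYTES)

    def needs_rekey(self, elapsed_seconds, bytes_transferred):
        """True once either threshold is reached on a session."""
        return (elapsed_seconds >= self.time_limit_minutes * 60
                or bytes_transferred >= self.data_limit_bytes)


def policy_accepts(time_limit_minutes, data_limit_bytes):
    """True when the pair is inside the CLI ranges."""
    try:
        RekeyPolicy(time_limit_minutes, data_limit_bytes)
        return True
    except ValueError:
        return False


def policy_from_config(config_text):
    """Build a RekeyPolicy from 'set system services ssh rekey ...' statements;
    raises ValueError if either statement is missing or out of range."""
    found = {}
    for line in config_text.splitlines():
        m = REKEY_RE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    if "time-limit" not in found or "data-limit" not in found:
        raise ValueError("both rekey time-limit and data-limit must be configured")
    return RekeyPolicy(found["time-limit"], found["data-limit"])


# Constructed sample statements (values chosen for this example).
SAMPLE_CONFIG = """
set system services ssh rekey time-limit 60
set system services ssh rekey data-limit 1073741824
"""

if __name__ == "__main__":
    policy = policy_from_config(SAMPLE_CONFIG)
    print("meets NDcPP thresholds:", policy.satisfies_ndcpp())
    print("rekey after 1h:", policy.needs_rekey(3600, 0))
```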
CHAPTER 5
Configure the Remote Syslog Server
Sample Syslog Server Configuration on a Linux System | 49
Sample Syslog Server Configuration on a Linux System
The Junos OS secure environment requires events to be processed and stored in a local audit file. The logged events are simultaneously sent to an external syslog server. The syslog server receives the syslog messages streamed from the device. The syslog server must have an SSH client with NETCONF support configured to receive the streamed syslog messages. Use the configuration details and establish a session between the target of evaluation (TOE) and the audit server. Examine the traffic that passes between the audit server and the TOE during several activities, and the audit data generated that is to be transferred to the audit server. Examine the TOE Summary Specification (TSS) to ensure that it describes the means by which the audit data is transferred to the external audit server and how the trusted channel is provided. The NDcPP logs capture the following events:
· Committed changes
· System startup
· Login and logout of users
· Failure to establish an SSH session
· Establishment or termination of an SSH session
· Changes to the system time
· Initiation of a software update
To configure event logging to a remote server when the SSH connection to the TOE is initiated from the remote system log server:
1. Generate an RSA public key on the remote syslog server.
$ ssh-keygen -b 2048 -t rsa -C 'syslog-monitor key pair' -f ~/.ssh/syslog-monitor
You will be prompted to enter the passphrase of your choice. The locations of the syslog-monitor key are displayed.
2. On the TOE, create a class named monitor that has permission to trace events.
[edit system login] security-administrator@host:fips# set class monitor permissions trace
3. Create a user named syslog-mon with the class monitor, and with authentication that uses the syslog-monitor key pair from the key pair file located on the remote syslog server.
[edit system login] security-administrator@host:fips# set user syslog-mon class monitor authentication ssh-rsa "<public key from the syslog-monitor key pair>"
4. Set up NETCONF with SSH.
[edit system services] security-administrator@host:fips# set netconf ssh
5. Configure syslog to log all messages to /var/log/messages.
[edit system] security-administrator@host:fips# set syslog file messages any any
[edit system] security-administrator@host:fips# commit
6. On the system log server, start the SSH agent ssh-agent. Starting the agent is required to simplify the handling of the syslog-monitor key.
$ eval `ssh-agent -s`
7. On the remote syslog server, add the syslog-monitor key pair to the ssh-agent.
$ ssh-add ~/.ssh/syslog-monitor
You will be prompted to enter the passphrase. Enter the same passphrase used in Step 1.
8. After logging in to the external_syslog_server session, establish a tunnel to the device and start NETCONF.
$ ssh syslog-mon@NDcPP_TOE -s netconf > test.out
9. After NETCONF is established, configure the event log message stream. This RPC causes the NETCONF service to start transmitting messages over the SSH connection that has been established.
<rpc><get-syslog-events><stream>messages</stream></get-syslog-events></rpc>
10. Examples of syslog messages are listed below. Observe the event record generated for administrator actions on the TOE that is received on the syslog server. Examine the traffic that passes between the audit server and the TOE, observing that this data is not viewed during this transfer, and that it is received successfully by the audit server. Match the logs between local event logging and the remote event logged on the syslog server, and record the specific software (name, version) used on the audit server during testing.
The following output shows the test log results from the syslog server.
$ ssh-keygen -b 2048 -t rsa -C 'syslog-monitor key pair' -f ~/.ssh/syslog-monitor
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/host/.ssh/syslog-monitor.
Your public key has been saved in /home/host/.ssh/syslog-monitor.pub.
The key fingerprint is:
ef:75:d7:68:c5:ad:8d:6f:5e:7a:7e:9b:3d:f1:4d:3f syslog-monitor key pair
The key's randomart image is:
+--[ RSA 2048]----+
(randomart image omitted)
+-----------------+
[host@nms5-vm-linux2 ~]$ cat /home/host/.ssh/syslog-monitor.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrUREJUBpjwAoIgRrGy9zgt+D2pikk3Q/Wdf8I5vr+njeqJhCx2bUAkrRbYXNILQQAZbg7kLfi/8TqqLeon4HOP2e6oCSorKdx/GrOTzLONL4fh0EyuSAk8bs5JuwWNBUokV025gzpkJCjfsGssWb6m8/A1YjOFT+9esw+6StF9Gbg+VpbYYk/Oday6z+z4tQHRFSrxj7G2aoliVDBLJparEMBc92wLdSUDxmgBTM8oadOmm+kreBUQjrmr2RJn6775Hx9GlVlZWLWI9K4wXEHzAzNZ4oLmaAVqT syslog-monitor key pair
[host@nms9-vm-linux2 ~]$ eval `ssh-agent -s`
Agent pid 34
[host@nms0-vm-linux01 ~]$ ssh-add ~/.ssh/syslog-monitor
Enter passphrase for /home/host/.ssh/syslog-monitor:
Identity added: /home/host/.ssh/syslog-monitor (/home/host/.ssh/syslog-monitor)
Configuration channel complete
[host@nms5-vm-linux2 ~]$ ssh syslog-mon@starfire -s netconf
this is a NDcPP test device
<hello>
  <capabilities>
    <capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:candidate:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:confirmed-commit:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:validate:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:url:1.0?protocol=http,ftp,file</capability>
    <capability>http://xml.juniper.net/netconf/junos/1.0</capability>
    <capability>http://xml.juniper.net/dmi/system/1.0</capability>
  </capabilities>
</hello>
]]>]]>
The following output shows the event logs generated on the TOE that were received on the syslog server.
Jan 20 17:04:51 starfire sshd[4182]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
Jan 20 17:04:51 starfire sshd[4182]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Jan 20 17:04:53 starfire sshd[4182]: Accepted password for sec-admin from 10.209.11.24 port 55571 ssh2
Jan 20 17:04:53 starfire mgd[4186]: UI_AUTH_EVENT: Authenticated user 'sec-admin' at permission level 'j-administrator'
Jan 20 17:04:53 starfire mgd[4186]: UI_LOGIN_EVENT: User 'sec-admin' login, class 'j-administrator' [4186], ssh-connection '10.209.11.24 55571 10.209.14.92 22', client-mode 'cli'
The following output shows that the local syslog and the syslog received remotely were identical.
Local:
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Redundant interface management process checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/rdd'
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/rdd', PID 4317, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Dynamic flow capture service checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/dfcd'
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/dfcd', PID 4318, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Connectivity fault management process checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/cfmd'
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/cfmd', PID 4319, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Layer 2 address flooding and learning process checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/l2ald'
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/l2ald', PID 4320, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Layer 2 Control Protocol process checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/l2cpd'
Jan 20 17:09:30 starfire l2cp[4321]: Initializing PNAC state machines
Jan 20 17:09:30 starfire l2cp[4321]: Initializing PNAC state machines complete
Jan 20 17:09:30 starfire l2cp[4321]: Initialized 802.1X module and state machines
Jan 20 17:09:30 starfire l2cp[4321]: Read acess profile () config
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/l2cpd', PID 4321, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Multicast Snooping process checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/mcsnoopd'
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/mcsnoopd', PID 4325, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: commit wrapup...
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: activating '/var/etc/ntp.conf'
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: start ffp activate
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/ffp'
Jan 20 17:09:30 starfire ffp[4326]: "dynamic-profiles": No change to profiles
...
Remote:
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Redundant interface management process checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/rdd'
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/rdd', PID 4317, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Dynamic flow capture service checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/dfcd'
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/dfcd', PID 4318, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Connectivity fault management process checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/cfmd'
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/cfmd', PID 4319, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Layer 2 address flooding and learning process checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/l2ald'
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/l2ald', PID 4320, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Layer 2 Control Protocol process checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/l2cpd'
Jan 20 17:09:30 starfire l2cp[4321]: Initializing PNAC state machines
Jan 20 17:09:30 starfire l2cp[4321]: Initializing PNAC state machines complete
Jan 20 17:09:30 starfire l2cp[4321]: Initialized 802.1X module and state machines
Jan 20 17:09:30 starfire l2cp[4321]: Read acess profile () config
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/l2cpd', PID 4321, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Multicast Snooping process checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/mcsnoopd'
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/mcsnoopd', PID 4325, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: commit wrapup...
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: activating '/var/etc/ntp.conf'
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: start ffp activate
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/ffp'
Jan 20 17:09:30 starfire ffp[4326]: "dynamic-profiles": No change to profiles
...
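Step 10 asks the evaluator to match the local log against what the syslog server received and to pick out the administrator events. The following is an added example, not part of the Juniper guide, that does both over lines in the format shown above: it parses the classic "date host process[pid]: TAG: message" form, extracts the key="value" pairs from the [junos@... ] structured-data element that tagged events carry (as in the SSHD_LOGIN_ATTEMPTS_THRESHOLD record), lists SSH logins from UI_LOGIN_EVENT, and reports events present locally but absent remotely. LOCAL_LOG and REMOTE_LOG are constructed samples modelled on the output above; the remote copy deliberately lacks one event.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "timestamp host process pid tag message")

# Classic (non structured-data) Junos syslog line as seen in the outputs above.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?:(?P<tag>[A-Z][A-Z0-9_]+): )?(?P<msg>.*)$")
# Structured-data element Junos places in tagged events: [junos@<oid> k="v" ...]
SD_RE = re.compile(r'\[junos@[\d.]+ (?P<params>[^\]]*)\]')
PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')
LOGIN_RE = re.compile(
    r"User '(?P<user>[^']+)' login, class '(?P<cls>[^']+)'.*?"
    r"ssh-connection '(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)'")


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return Event(m["ts"], m["host"], m["proc"], m["pid"], m["tag"], m["msg"])


def parse_events(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def structured_params(event):
    """key/value pairs from the [junos@... k="v"] element, empty if absent."""
    m = SD_RE.search(event.message)
    return dict(PARAM_RE.findall(m["params"])) if m else {}


def remote_logins(text):
    """(user, class, source address) for each UI_LOGIN_EVENT arriving over SSH."""
    logins = []
    for e in parse_events(text):
        if e.tag == "UI_LOGIN_EVENT":
            m = LOGIN_RE.search(e.message)
            if m:
                logins.append((m["user"], m["cls"], m["src"]))
    return logins


def compare_logs(local_text, remote_text):
    """Events present locally but missing on the syslog server, and vice versa,
    in their original order."""
    local, remote = parse_events(local_text), parse_events(remote_text)
    local_set, remote_set = set(local), set(remote)
    missing = [e for e in local if e not in remote_set]
    extra = [e for e in remote if e not in local_set]
    return missing, extra


# Constructed samples modelled on the outputs above.
LOCAL_LINES = [
    "Jan 20 17:04:53 starfire sshd[4182]: Accepted password for sec-admin from 10.209.11.24 port 55571 ssh2",
    "Jan 20 17:04:53 starfire mgd[4186]: UI_AUTH_EVENT: Authenticated user 'sec-admin' at permission level 'j-administrator'",
    "Jan 20 17:04:53 starfire mgd[4186]: UI_LOGIN_EVENT: User 'sec-admin' login, class 'j-administrator' [4186], ssh-connection '10.209.11.24 55571 10.209.14.92 22', client-mode 'cli'",
    "Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/rdd'",
    "Jan 20 17:12:01 starfire sshd[4190]: SSHD_LOGIN_ATTEMPTS_THRESHOLD: [junos@2636.1.1.1.2.164 limit=\"3\" username=\"root\"] Threshold for unsuccessful authentication attempts (3) reached by user 'root'",
]
LOCAL_LOG = "\n".join(LOCAL_LINES) + "\n"
# The remote copy never received the UI_CHILD_START event.
REMOTE_LOG = "\n".join(LOCAL_LINES[:3] + LOCAL_LINES[4:]) + "\n"

if __name__ == "__main__":
    missing, extra = compare_logs(LOCAL_LOG, REMOTE_LOG)
    print("missing on server:", [e.tag for e in missing], "extra on server:", len(extra))
    print("ssh logins:", remote_logins(LOCAL_LOG))
    print("threshold event:", structured_params(parse_events(LOCAL_LOG)[4]))
```

Comparing parsed tuples rather than raw strings makes the check tolerant of the receiving server's own prefix or line-ending differences, while still flagging any event the trusted channel dropped.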
CHAPTER 6
Configure Audit Log Options
Configure Audit Log Options in the Evaluated Configuration | 57
Sample Code Audits of Configuration Changes | 58
Configure Audit Log Options in the Evaluated Configuration
IN THIS SECTION
Configure Audit Log Options | 57
The following section describes how to configure audit log options in the evaluated configuration.
Configure Audit Log Options
To configure audit log options:
1. Specify the number of files to be archived in the system logging facility.
[edit system syslog] security-administrator@host:fips# set archive files 2
2. Specify the file in which to log data.
[edit system syslog] security-administrator@host:fips# set file syslog any any
3. Specify the size of the files to be archived.
[edit system syslog] security-administrator@host:fips# set file syslog archive size 10000000
4. Specify the priority and facility in messages to the system logging facility.
[edit system syslog] security-administrator@host:fips# set file syslog explicit-priority
5. Log the system messages in a structured format.
[edit system syslog] security-administrator@host:fips# set file syslog structured-data
Sample Code Audits of Configuration Changes
This sample code audits all changes to the configuration secret data and sends the logs to a file named Audit-File:
[edit system]
syslog {
    file Audit-File {
        authorization info;
        change-log info;
        interactive-commands info;
    }
}
This sample code expands the scope of the minimum audit to audit all changes to the configuration, not just secret data, and sends the logs to a file named Audit-File:
[edit system]
syslog {
    file Audit-File {
        any any;
        authorization info;
        change-log any;
        interactive-commands info;
        kernel info;
        pfe info;
    }
}
Example: System Logging of Configuration Changes
This example shows a sample configuration and makes changes to users and secret data. It then shows the information that is sent to the audit server when the secret data is added to the original configuration and committed with the load command.
[edit system]
location {
    country-code US;
    building B1;
}
...
login {
    message "UNAUTHORIZED USE OF THIS ROUTER\n\tIS STRICTLY PROHIBITED!";
    user admin {
        uid 2000;
        class super-user;
        authentication {
            encrypted-password "$ABC123"; # SECRET-DATA
        }
    }
}
radius-server 192.0.2.15 {
    secret "$ABC123"; # SECRET-DATA
}
services {
    ssh;
}
syslog {
    user * {
        any emergency;
    }
    file messages {
        any notice;
        authorization info;
    }
    file interactive-commands {
        interactive-commands any;
    }
}
...
The new configuration changes the secret data configuration statements and adds a new user.
security-administrator@host:fips# show | compare
[edit system login user admin authentication]
-   encrypted-password "$ABC123"; # SECRET-DATA
+   encrypted-password "$ABC123"; # SECRET-DATA
[edit system login]
+   user admin2 {
+       uid 2001;
+       class operator;
+       authentication {
+           encrypted-password "$ABC123"; # SECRET-DATA
+       }
+   }
[edit system radius-server 192.0.2.15]
-   secret "$ABC123"; # SECRET-DATA
+   secret "$ABC123"; # SECRET-DATA
CHAPTER 7
Configure Event Logging
Event Logging Overview | 62
Interpret Event Messages | 79
Logging Changes to Secret Data | 80
Login and Logout Events Using SSH | 81
Logging of Audit Startup | 82
Event Logging Overview

The evaluated configuration requires the auditing of configuration changes through the system log. In addition, Junos OS can:

· Send automated responses to audit events (syslog entry creation).
· Allow authorized administrators to examine audit logs.
· Send audit files to external servers.
· Allow authorized administrators to return the system to a known state.

The logging for the evaluated configuration must capture the events listed below. Table 2 on page 62 shows the sample auditable events for NDcPPv2.2e.

Table 2: Auditable Events

Each row gives Requirement | Auditable Events | Additional Audit Record Contents. Where the table shows how the event is generated, the sample log lines follow the row, indented.

FAU_GEN.1 | None | None
FAU_GEN.2 | None | None
FAU_STG_EXT.1 | None | None
FAU_STG.1 | None | None
FCS_CKM.1 | None | None
FCS_CKM.2 | None | None
FCS_CKM.4 | None | None
FCS_COP.1/DataEncryption | None | None
FCS_COP.1/SigGen | None | None
FCS_COP.1/Hash | None | None
FCS_COP.1/KeyedHash | None | None
FCS_RBG_EXT.1 | None | None
FDP_RIP.2 | None | None
FIA_AFL.1 | Unsuccessful login attempts limit is met or exceeded. | Origin of the attempt (e.g., IP address).
    sshd SSHD_LOGIN_ATTEMPTS_THRESHOLD [junos@2636.1.1.1.2.164 limit="3" username="root"] Threshold for unsuccessful authentication attempts (3) reached by user 'root'
FIA_PMG_EXT.1 | None | None
FIA_UIA_EXT.1 | All use of identification and authentication mechanism. | Provided user identity, origin of the attempt (e.g., IP address).
    Remote login successful:
    mgd 70652 UI_AUTH_EVENT [junos@2636.1.1.1.2.164 username="root" authentication-level="super-user"] Authenticated user 'root' at permission level 'super-user'
    mgd 70652 UI_LOGIN_EVENT [junos@2636.1.1.1.2.164 username="root" class-name="super-user" local-peer="" pid="70652" ssh-connection="10.223.5.251 53476 10.204.134.54 22" client-mode="cli"] User 'root' login, class 'super-user' [70652], ssh-connection '10.223.5.251 53476 10.204.134.54 22', client-mode 'cli'
    Remote login unsuccessful:
    sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'
    Local login successful:
    login 2671 LOGIN_INFORMATION [junos@2636.1.1.1.2.164 username="root" hostname="[unknown]" tty-name="ttyu0"] User root logged in from host [unknown] on device ttyu0
    login 2671 LOGIN_ROOT [junos@2636.1.1.1.2.164 username="root" hostname="[unknown]" tty-name="ttyu0"] User root logged in as root from host [unknown] on device ttyu0
    Local login unsuccessful:
    login 70818 LOGIN_PAM_ERROR [junos@2636.1.1.1.2.164 username="root" error-message="error in service module"] Failure while authenticating user root: error in service module
    login 70818 LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="ttyu0"] Login failed for user root from host ttyu0
FIA_UAU_EXT.2 | All use of identification and authentication mechanism. | Origin of the attempt (e.g., IP address).
    Remote login successful:
    mgd 70652 UI_AUTH_EVENT [junos@2636.1.1.1.2.164 username="root" authentication-level="super-user"] Authenticated user 'root' at permission level 'super-user'
    mgd 70652 UI_LOGIN_EVENT [junos@2636.1.1.1.2.164 username="root" class-name="super-user" local-peer="" pid="70652" ssh-connection="10.223.5.251 53476 10.204.134.54 22" client-mode="cli"] User 'root' login, class 'super-user' [70652], ssh-connection '10.223.5.251 53476 10.204.134.54 22', client-mode 'cli'
    Remote login unsuccessful:
    sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'
    Local login successful:
    login 2671 LOGIN_INFORMATION [junos@2636.1.1.1.2.164 username="root" hostname="[unknown]" tty-name="ttyu0"] User root logged in from host [unknown] on device ttyu0
    login 2671 LOGIN_ROOT [junos@2636.1.1.1.2.164 username="root" hostname="[unknown]" tty-name="ttyu0"] User root logged in as root from host [unknown] on device ttyu0
    Local login unsuccessful:
    login 70818 LOGIN_PAM_ERROR [junos@2636.1.1.1.2.164 username="root" error-message="error in service module"] Failure while authenticating user root: error in service module
    login 70818 LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="ttyu0"] Login failed for user root from host ttyu0
FIA_UAU.7 | None | None
FMT_MOF.1/ManualUpdate | Any attempt to initiate a manual update. | None
    UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="secofficer" command="request system software add /var/tmp/junos-mx240-22.2R1.1.tgz no-validate "] User 'sec-officer', command 'request system software add /var/tmp/junos-mx240-22.2R1.1.tgz no-validate'
FMT_MTD.1/CoreData | All management activities of TSF data | None
    See the audit events recorded in this table.
FMT_SMF.1/IPS | None | None
FMT_SMF.1/ND | None | None
FMT_SMR.2 | None | None
FPT_SKP_EXT.1 | None | None
FPT_APW_EXT.1 | None | None
FPT_TST_EXT.1 | None | None
FPT_TUD_EXT.1 | Initiation of update; result of the update attempt (success or failure) | None
    UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="secofficer" command="request system software add /var/tmp/junos-mx240-22.2R1.1.tgz no-validate "] User 'sec-officer', command 'request system software add /var/tmp/junos-mx240-22.2R1.1.tgz no-validate'
FPT_STM_EXT.1 | Discontinuous changes to time, either administrator-actuated or changed via an automated process. | For discontinuous changes to time: the old and new values for the time. Origin of the attempt to change time for success and failure (e.g., IP address).
    mgd 71079 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="root" command="set date 202005201815.00 "] User 'root', command 'set date 202005201815.00'
    mgd 71079 UI_COMMIT_PROGRESS [junos@2636.1.1.1.2.164 message="signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled"] Commit operation in progress: signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled
    nsd 2641 NSD_SYS_TIME_CHANGE - System time changed
FTA_SSL_EXT.1 (if "terminate the session" is selected) | The termination of a local interactive session by the session locking mechanism. | None
    cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout for user 'root' exceeded and session terminated
FTA_SSL.3 | The termination of a remote session by the session locking mechanism. | None
    cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout for user 'root' exceeded and session terminated
FTA_SSL.4 | The termination of an interactive session. | None
    mgd 71668 UI_LOGOUT_EVENT [junos@2636.1.1.1.2.164 username="root"] User 'root' logout
FTA_TAB.1 | None | None
FCS_SSHS_EXT.1 | Failure to establish an SSH session | Reason for failure
    sshd 72404 - - Unable to negotiate with 1.1.1.2 port 42168: no matching cipher found. Their offer: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
FTP_ITC.1 | Initi ation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions. | Identification of the initiator and target of failed trusted channel establishment attempt
    Initiation of the trusted path:
    sshd 72418 - - Accepted keyboard-interactive/pam for root from 10.223.5.251 port 42482 ssh2
    Termination of the trusted path:
    sshd 72418 - - Disconnected from user root 10.223.5.251 port 42482
    Failure of the trusted path:
    sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'
FTP_TRP.1/Admin | Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions. | None
    Initiation of the trusted path:
    sshd 72418 - - Accepted keyboard-interactive/pam for root from 10.223.5.251 port 42482 ssh2
    Termination of the trusted path:
    sshd 72418 - - Disconnected from user root 10.223.5.251 port 42482
    Failure of the trusted path:
    sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'
FCS_SSHS_EXT.1 | Failure to establish an SSH session | Reason for failure
    sshd 72404 - - Unable to negotiate with 1.1.1.2 port 42168: no matching cipher found. Their offer: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
FIA_X509_EXT.1/Rev | Unsuccessful attempt to validate a certificate | Reason for failure
    verify-sig 72830 - - cannot verify ecerts.pem: subject issuer mismatch: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=PackageProductionTestEc_2017_NO_DEFECTS/emailAddress=ca@juniper.net
FIA_X509_EXT.2 | None | None
FIA_X509_EXT.3 | None | None
FMT_MOF.1/Functions | Modification of the behavior of the transmission of audit data to an external IT entity, the handling of audit data, and the audit functionality when Local Audit Storage Space is full. | None
    mgd 71891 UI_RESTART_EVENT [junos@2636.1.1.1.2.164 username="root" process-name="Network security daemon" description="immediately"] User 'root' restarting daemon 'Network security daemon' immediately
    init - - - network-security (PID 72907) terminated by signal number 9!
    init - - - network-security (PID 72929) started
FMT_MOF.1/Services | Starting and stopping of services. | None
FMT_MTD.1/CryptoKeys | Management of cryptographic keys. | None
    SSH keys:
    ssh-keygen 2706 - - Generated SSH key file /root/.ssh/id_rsa.pub with fingerprint SHA256:EQotXjlahhlVplg+YBLbFR3TdmJMpm6D1FSjRo6lVE4
    ssh-keygen 2714 - - Generated SSH key file /root/.ssh/id_ecdsa.pub with fingerprint SHA256:ubQWoesME9bpOT1e/sYv871hwWUzSG8hNqyMUe1cNc0
    IPsec keys:
    pkid 2458 PKID_PV_KEYPAIR_GEN [junos@2636.1.1.1.2.164 argument1="384" argument2="ECDSA" argument3="cert1"] A 384 bit ECDSA key-Pair generated for cert1
    pkid 2458 PKID_PV_KEYPAIR_GEN [junos@2636.1.1.1.2.164 argument1="4096" argument2="RSA" argument3="cert2"] A 4096 bit RSA key-Pair generated for cert2
FCS_IPSEC_EXT.1 | Session establishment with peer | Entire packet contents of packets transmitted/received during session establishment
    user@host:fips# run show log iked | no-more | grep vpn
    Jun 14 10:40:49.291712 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ipsec-sa selection successful for spi (0x8a45e874) local-ip (20.1.1.1) remote-ip (20.1.1.2) vpn (IPSEC_VPN)
    user@host:fips# run show log iked | no-more | grep success
    Jun 14 10:40:49.278061 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-generate success response received for ipc-index=45109,local-ip=none,remote-ip=none
    Jun 14 10:40:49.290742 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] atec-validate-migrate for ed (0x2c09028) success in validating remote id
    Jun 14 10:40:49.291392 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] TSi: traffic-selector-match for ts-match Successful,C:ipv4(0.0.0.0-255.255.255.255) N:ipv4(10.1.1.0-10.1.1.255)
    Jun 14 10:40:49.291656 [EXT] [TUNL] [20.1.1.1 <-> 20.1.1.2] ike_tunnel_anchor_node_tunnel_add: Anchor node tunnel add for tunnel 500009: total successful adds:9
    Jun 14 10:40:49.291682 [DET] [TUNL] [20.1.1.1 <-> 20.1.1.2] tunnel-sadb-add success with local-spi (0x8a45e874)
    Jun 14 10:40:49.291712 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ipsec-sa selection successful for spi (0x8a45e874) local-ip (20.1.1.1) remote-ip (20.1.1.2) vpn (IPSEC_VPN)
    Jun 14 10:40:49.292404 [TER] [PEER] [20.1.1.1 <-> 20.1.1.2] IKE: Gateway N:IKE_GW L:20.1.1.1:500 R:20.1.1.2:500 ike-id 20.1.1.2 successful ... U:N/A IKE:IKEv2 Role:R
    Jun 14 10:40:49.294256 [DET] [DIST] [20.1.1.1 <-> 20.1.1.2] ike_dist_ipsec_tunnel_info_add: IPsec distribution tunnel info added to db successfully Tunnel Id:500009 Client Id
    Jun 14 10:40:49.295072 [EXT] [IPSC] [20.1.1.1 <-> 20.1.1.2] ipsec_common_msg_send: Successfully sent IPC message tag 4 from iked to SPU.0.20
    Jun 14 10:40:49.295292 [EXT] [IPSC] [20.1.1.1 <-> 20.1.1.2] ipsec_common_msg_send: Successfully sent IPC message tag 4 from iked to SPU.0.21
    Jun 14 10:40:49.296004 [DET] [STER] [20.1.1.1 <-> 20.1.1.2] Successfully updated next hop meta data for st0 on tunnel 500009
    Jun 14 10:40:49.297336 [EXT] [IPSC] [20.1.1.1 <-> 20.1.1.2] ipsec_common_msg_send: Successfully sent IPC message tag 4 from iked to SPU.0.20
    Jun 14 10:42:24.328902 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-generate success response received for ipc-index=45111,local-ip=none,remote-ip=none
    Jun 14 10:42:24.332381 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-compute success response received ipc-index=0
    Jun 14 10:42:24.333295 [DET] [PUBL] [20.1.1.1 <-> 20.1.1.2] publish-ike-sa successful for ike-sa-index 11282 ike-sa 0x21dec24
    Jun 14 10:42:29.316880 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] TSi: traffic-selector-match for ts-match Successful,C:ipv4(0.0.0.0-255.255.255.255) N:ipv4(10.1.1.0-10.1.1.255)
    Jun 14 10:42:29.316889 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] TSr: traffic-selector-match for ts-match Successful,C:ipv4(0.0.0.0-255.255.255.255) N:ipv4(30.1.1.0-30.1.1.255)
    Jun 14 10:42:29.317147 [DET] [TUNL] [20.1.1.1 <-> 20.1.1.2] tunnel-sadb-add success with local-spi (0x80eeab18)
    Jun 14 10:42:29.317178 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ipsec-sa selection successful for spi (0x80eeab18) local-ip (20.1.1.1) remote-ip (20.1.1.2) vpn (IPSEC_VPN)
    Jun 14 10:42:29.320369 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-generate success response received for ipc-index=45113,local-ip=none,remote-ip=none
    Jun 14 10:42:29.323800 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-compute success response received ipc-index=0
    Jun 14 10:42:29.325513 [EXT] [IPSC] [20.1.1.1 <-> 20.1.1.2] ipsec_common_msg_send: Successfully sent IPC message tag 4 from iked to SPU.0.20
FIA_X509_EXT.1 | Session establishment with CA | Entire packet contents of packets transmitted/received during session establishment
    kmd 7200 KMD_VPN_UP_ALARM_USER [junos@2636.1.1.1.2.164 vpn-name="vpn1" remote-address="5.5.5.1" local-address="11.11.11.1" gateway-name="gw1" tunnel-id="1" interface-name="st131073" internal-ip="Not-Available" name="11.11.11.1" peer-name="5.5.5.1" client-name="Not-Applicable" vrrp-group-id="0" traffic-selector-name="" traffic-selector-cfg-local-id="ipv4_subnet(any:0,[0..7]=0.0.0.0/0)" traffic-selector-cfg-remote-id="ipv4_subnet(any:0,[0..7]=0.0.0.0/0)" argument0="Static"] VPN vpn1 from 5.5.5.1 is up. Local-ip: 11.11.11.1, gateway name: gw1, vpn name: vpn1, tunnel-id: 1, local tunnel-if: st131073, remote tunnel-ip: Not-Available, Local IKE-ID: 11.11.11.1, Remote IKE-ID: 5.5.5.1, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static
FPF_RUL_EXT.1 | Application of rules configured with the 'log' operation | Source and destination addresses. Source and destination ports. Transport Layer Protocol. TOE Interface
    [edit]
    root@host:fips# run show firewall
    Filter: __default_bpdu_filter__
    Filter: fw_filter1
    Counters:
    Name        Bytes    Packets
    inc1        0        0
    inc2        840      10

    [edit]
    root@host:fips# run show firewall log
    Log :
    Time      Filter  Action  Interface   Protocol  Src Addr  Dest Addr
    11:05:31  pfe     R       st0.1       ICMP      30.1.1.1  10.1.1.1
    11:05:30  pfe     R       st0.1       ICMP      30.1.1.1  10.1.1.1
    11:05:29  pfe     R       st0.1       ICMP      30.1.1.1  10.1.1.1
    11:05:28  pfe     R       st0.1       ICMP      30.1.1.1  10.1.1.1

    root@host:fips# run show firewall log
    Log :
    Time      Filter  Action  Interface   Protocol  Src Addr  Dest Addr
    11:19:59  pfe     R       st0.1       TCP       30.1.1.1  10.1.1.1

    root@host:fips# run show firewall log
    Log :
    Time      Filter  Action  Interface   Protocol  Src Addr  Dest Addr
    13:00:18  pfe     A       ge-0/0/4.0  ICMP      30.1.1.5  10.1.1.1
    13:00:17  pfe     A       ge-0/0/4.0  ICMP      30.1.1.5  10.1.1.1
    13:00:16  pfe     A       ge-0/0/4.0  ICMP      30.1.1.5  10.1.1.1
    13:00:15  pfe     A       ge-0/0/4.0  ICMP      30.1.1.5  10.1.1.1

    root@host:fips# run show firewall log
    Log :
    Time      Filter  Action  Interface   Protocol  Src Addr  Dest Addr
    13:00:45  pfe     A       ge-0/0/4.0  TCP       30.1.1.5  10.1.1.1
FPF_RUL_EXT.1 (continued) | Indication of packets dropped due to too much network traffic | TOE interface that is unable to process packets
    RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.164 source-address="1.1.1.2" source-port="10001" destination-address="2.2.2.2" destination-port="21" connection-tag="0" service-name="junos-ftp" protocol-id="6" icmp-type="0" policy-name="p2" source-zone-name="ZO_A" destination-zone-name="ZO_B" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0" encrypted="No" reason="Denied by policy" session-id-32="3" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] session denied 1.1.1.2/10001->2.2.2.2/21 0x0 junos-ftp 6(0) p2 ZO_A ZO_B UNKNOWN N/A(N/A) ge-0/0/0.0 No Denied by policy 3 N/A N/A -1 N/A N/A N/A
In addition, Juniper Networks recommends:

· Capturing all changes to the configuration.
· Storing logging information remotely.

For more information about logging details, see Specify Log File Size, Number, and Archiving Properties.
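As an added example that is not part of the Juniper guide, the following Python reads records in the structured form Table 2 uses (process, optional PID, message tag, the [junos@2636.1.1.1.2.164 ...] element with its key="value" parameters, and the message text) and applies two of the checks the table implies on the collector side: it counts SSHD_LOGIN_FAILED records per (username, source-address) and compares the count with the device's own SSHD_LOGIN_ATTEMPTS_THRESHOLD record (FIA_AFL.1), and it picks administrator clock changes out of UI_CMDLINE_READ_LINE records (FPT_STM_EXT.1). The sample records are constructed for this example from the formats in the table, and the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample records in the structured form Table 2 shows:
# "<process> [<pid>|-] <TAG> [junos@2636.1.1.1.2.164 key="value" ...] <message>".
# They are examples built for this block, not output captured from a device.
SAMPLE_EVENTS = """\
sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'
sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'
sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'
sshd SSHD_LOGIN_ATTEMPTS_THRESHOLD [junos@2636.1.1.1.2.164 limit="3" username="root"] Threshold for unsuccessful authentication attempts (3) reached by user 'root'
mgd 70652 UI_AUTH_EVENT [junos@2636.1.1.1.2.164 username="root" authentication-level="super-user"] Authenticated user 'root' at permission level 'super-user'
mgd 71079 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="root" command="set date 202005201815.00 "] User 'root', command 'set date 202005201815.00'
cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout for user 'root' exceeded and session terminated
"""

# process, optional pid (a number or "-"), TAG, then the [sd-id key="value" ...] element
RECORD_RE = re.compile(
    r'^(?P<process>[\w./-]+)\s+(?:(?P<pid>\d+|-)\s+)?(?P<tag>[A-Z][A-Z0-9_]+)\s+'
    r'\[(?P<sd_id>[^\s\]]+)(?P<params>(?:\s+[\w-]+="[^"]*")*)\]\s*(?P<message>.*)$'
)
PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_record(line):
    """Split one structured record into process, pid, tag, the key=value
    parameters of the [junos@...] element, and the trailing message text."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    pid = m.group("pid")
    return {
        "process": m.group("process"),
        "pid": int(pid) if pid and pid != "-" else None,
        "tag": m.group("tag"),
        "params": dict(PARAM_RE.findall(m.group("params"))),
        "message": m.group("message"),
    }


def parse_all(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r is not None]


def failed_logins_by_origin(records):
    """FIA_UIA_EXT.1 / FIA_AFL.1: SSHD_LOGIN_FAILED counts per (username, source-address)."""
    counts = defaultdict(int)
    for r in records:
        if r["tag"] == "SSHD_LOGIN_FAILED":
            counts[(r["params"].get("username"), r["params"].get("source-address"))] += 1
    return dict(counts)


def check_lockout_consistency(records):
    """For every SSHD_LOGIN_ATTEMPTS_THRESHOLD record, confirm the collector also
    saw at least `limit` failures for that user. A threshold record without the
    matching failures means records were lost between the device and the collector."""
    per_user = defaultdict(int)
    for (user, _src), n in failed_logins_by_origin(records).items():
        per_user[user] += n
    out = []
    for r in records:
        if r["tag"] == "SSHD_LOGIN_ATTEMPTS_THRESHOLD":
            user, limit = r["params"]["username"], int(r["params"]["limit"])
            out.append((user, limit, per_user[user], per_user[user] >= limit))
    return out


def time_change_commands(records):
    """FPT_STM_EXT.1: administrator-initiated clock changes arrive as
    UI_CMDLINE_READ_LINE records whose command starts with 'set date'."""
    return [
        (r["params"].get("username"), r["params"]["command"].strip())
        for r in records
        if r["tag"] == "UI_CMDLINE_READ_LINE"
        and r["params"].get("command", "").lstrip().startswith("set date")
    ]


if __name__ == "__main__":
    recs = parse_all(SAMPLE_EVENTS)
    print(failed_logins_by_origin(recs))
    print(check_lockout_consistency(recs))
    print(time_change_commands(recs))
```

The parameters inside the [junos@...] element are the stable part of the record; the trailing English text is informational and can change between releases, so the detection functions key on the tag and the parameters rather than on the message wording.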
Interpret Event Messages

The following output shows a sample event message.

Feb 27 02:33:04 bm-a mgd[6520]: UI_LOGIN_EVENT: User 'security-officer' login, class 'j-superuser' [6520], ssh-connection '', client-mode 'cli'
Feb 27 02:33:49 bm-a mgd[6520]: UI_DBASE_LOGIN_EVENT: User 'security-officer' entering configuration mode
Feb 27 02:38:29 bm-a mgd[6520]: UI_CMDLINE_READ_LINE: User 'security-officer', command 'show log Audit_log | grep LOGIN'

Table 3 on page 79 describes the fields in the event message. If the system logging utility cannot determine the value in a particular field, a hyphen ( - ) appears instead.

Table 3: Fields in Event Messages

Field | Description | Examples

timestamp | Time when the message was generated, in one of two representations: (1) MMM-DD HH:MM:SS.MS+/-HH:MM is the month, day, hour, minute, second and millisecond in local time; the hour and minute that follow the plus sign (+) or minus sign (-) are the offset of the local time zone from Coordinated Universal Time (UTC). (2) YYYY-MM-DDTHH:MM:SS.MSZ is the year, month, day, hour, minute, second and millisecond in UTC. | Feb 27 02:33:04 is the timestamp expressed as local time in the United States. 2012-02-27T09:17:15.719Z is 2:33 AM UTC on 27 Feb 2012.
hostname | Name of the host that originally generated the message. | router1
process | Name of the Junos OS process that generated the message. | mgd
processID | UNIX process ID (PID) of the Junos OS process that generated the message. | 4153
TAG | Junos OS system log message tag, which uniquely identifies the message. | UI_DBASE_LOGOUT_EVENT
username | Username of the user initiating the event. | "admin"
message-text | English-language description of the event. | set: [system radius-server 1.2.3.4 secret]
RELATED DOCUMENTATION
Event Logging Overview

Logging Changes to Secret Data

The following are examples of audit logs of events that change the secret data. Whenever there is a change in the configuration, for example, the syslog event should capture the logs below:

Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system radius-server 1.2.3.4 secret]
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system login user admin authentication encrypted-password]
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system login user admin2 authentication encrypted-password]

Whenever the configuration is updated or modified, the syslog should capture these logs:

Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system radius-server 1.2.3.4 secret]
Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system login user admin authentication encrypted-password]
Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system login user admin authentication encrypted-password]

RELATED DOCUMENTATION
Interpret Event Messages
Login and Logout Events Using SSH

System log messages are generated whenever a user successfully or unsuccessfully attempts SSH access. Logout events are also recorded. For example, the following logs are the result of two failed authentication attempts, then a successful one, and finally a logout:

Dec 20 23:17:35 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:42 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:53 bilbo sshd[16645]: Accepted password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:53 bilbo mgd[16648]: UI_AUTH_EVENT: Authenticated user 'op' at permission level 'j-operator'
Dec 20 23:17:53 bilbo mgd[16648]: UI_LOGIN_EVENT: User 'op' login, class 'j-operator' [16648]
Dec 20 23:17:56 bilbo mgd[16648]: UI_CMDLINE_READ_LINE: User 'op', command 'quit'
Dec 20 23:17:56 bilbo mgd[16648]: UI_LOGOUT_EVENT: User 'op' logout
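The field layout of Table 3, the secret-data audit records of the previous section, and the SSH login/logout sequence above, worked as one added Python example (not code from the Juniper guide): the parser splits each classic single-line message into timestamp, hostname, process, processID, TAG and message-text, accepts both timestamp representations Table 3 lists, reconstructs each SSH login from the sshd and mgd lines (how many failures preceded the accepted login, how long that took, and whether a UI_LOGOUT_EVENT closed the session), and lists the configuration paths named by UI_CFG_AUDIT_SET_SECRET records. The log lines in the block are constructed for the example; the function and field names are this example's own assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the single-line form Table 3 describes:
# "<timestamp> <hostname> <process>[<pid>]: <TAG>: <message-text>".
# Built for this example after the chapter's SSH and secret-data samples,
# not captured from a device.
SAMPLE_LOG = """\
Dec 20 23:17:35 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:42 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:53 bilbo sshd[16645]: Accepted password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:53 bilbo mgd[16648]: UI_AUTH_EVENT: Authenticated user 'op' at permission level 'j-operator'
Dec 20 23:17:53 bilbo mgd[16648]: UI_LOGIN_EVENT: User 'op' login, class 'j-operator' [16648]
Dec 20 23:17:56 bilbo mgd[16648]: UI_CMDLINE_READ_LINE: User 'op', command 'quit'
Dec 20 23:17:56 bilbo mgd[16648]: UI_LOGOUT_EVENT: User 'op' logout
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system radius-server 1.2.3.4 secret]
2012-02-27T09:17:15.719Z router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system login user admin authentication encrypted-password]
"""

# Either "MMM DD HH:MM:SS[.MS][+/-HH:MM]" (local time) or "YYYY-MM-DDTHH:MM:SS.MSZ" (UTC),
# then hostname, process[pid], an optional TAG, and the message text.
LINE_RE = re.compile(
    r'^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?(?:[+-]\d{2}:\d{2})?'
    r'|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z) '
    r'(?P<hostname>\S+) (?P<process>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: '
    r'(?:(?P<tag>[A-Z][A-Z0-9_]+): )?(?P<message>.*)$'
)
TIMESTAMP_FORMATS = ("%b %d %H:%M:%S", "%b %d %H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S.%fZ")

FAILED_RE = re.compile(r"^Failed \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")
LOGOUT_RE = re.compile(r"^User '(?P<user>[^']+)' logout$")
SECRET_RE = re.compile(r"^User '(?P<user>[^']+)' (?P<op>set|replace|delete): \[(?P<path>[^\]]+)\]$")


def parse_timestamp(ts):
    """Datetime for either representation in Table 3. The local-time form has
    no year, so strptime fills in 1900; ordering within one log is unaffected."""
    for fmt in TIMESTAMP_FORMATS:
        try:
            dt = datetime.strptime(ts, fmt)
        except ValueError:
            continue
        return dt.replace(tzinfo=timezone.utc) if ts.endswith("Z") else dt
    raise ValueError(f"unrecognised timestamp: {ts!r}")


def parse_line(line):
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    d = m.groupdict()                      # tag is None when the message carries no TAG
    d["pid"] = int(d["pid"]) if d["pid"] else None
    d["time"] = parse_timestamp(d["timestamp"])
    return d


def parse_all(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def ssh_sessions(records):
    """Reconstruct SSH logins: failures before each 'Accepted', the seconds from
    the first failure to success, and whether a UI_LOGOUT_EVENT closed the session."""
    pending = {}                           # (user, src) -> [failure count, first failure time]
    sessions = []
    for r in records:
        msg = r["message"]
        if r["process"] == "sshd":
            f = FAILED_RE.match(msg)
            if f:
                pending.setdefault((f["user"], f["src"]), [0, r["time"]])[0] += 1
                continue
            a = ACCEPTED_RE.match(msg)
            if a:
                count, first = pending.pop((a["user"], a["src"]), [0, r["time"]])
                sessions.append({
                    "user": a["user"], "source": a["src"],
                    "failures_before_success": count,
                    "seconds_from_first_failure": int((r["time"] - first).total_seconds()),
                    "logged_out": False,
                })
        elif r["tag"] == "UI_LOGOUT_EVENT":
            lo = LOGOUT_RE.match(msg)
            if lo:                         # close the most recent open session of that user
                for s in reversed(sessions):
                    if s["user"] == lo["user"] and not s["logged_out"]:
                        s["logged_out"] = True
                        break
    return sessions


def secret_changes(records):
    """UI_CFG_AUDIT_SET_SECRET names the configuration path whose secret changed,
    never the secret itself; return (user, operation, path) per record."""
    out = []
    for r in records:
        if r["tag"] == "UI_CFG_AUDIT_SET_SECRET":
            m = SECRET_RE.match(r["message"])
            if m:
                out.append((m["user"], m["op"], m["path"]))
    return out


if __name__ == "__main__":
    recs = parse_all(SAMPLE_LOG)
    print(ssh_sessions(recs))
    print(secret_changes(recs))
```

Note that the sshd lines carry no TAG, so the session logic keys on the process name while the mgd lines are matched by TAG; a collector rule written only against TAG values would miss the failed-password records entirely.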
RELATED DOCUMENTATION
Interpret Event Messages
Logging of Audit Startup

The audit information logged includes startups of Junos OS. This in turn identifies the startup events of the audit system, which cannot be independently disabled or enabled. For example, if Junos OS is restarted, the audit log contains the following information:

Dec 20 23:17:35 bilbo syslogd: exiting on signal 14
Dec 20 23:17:35 bilbo syslogd: restart
Dec 20 23:17:35 bilbo syslogd /kernel: Dec 20 23:17:35 init: syslogd (PID 19128) exited with status=1
Dec 20 23:17:42 bilbo /kernel: init: syslogd (PID 19200) started

RELATED DOCUMENTATION
Login and Logout Events Using SSH
CHAPTER 8

Configure VPNs

MOD_VPN | 84

MOD_VPN

SUMMARY: This section describes how MOD_VPN works.

IN THIS SECTION
MOD_VPN Overview | 84
Supported IPsec-IKE Algorithms | 85
Configure VPN on a Device Running Junos OS | 88
Configure Firewall Rules | 111

MOD_VPN Overview

MOD_VPN describes the security requirements for a VPN Gateway. This is defined as a device at the edge of a private network that terminates an IPsec tunnel (IPsec in tunnel mode support), which provides device authentication, confidentiality, and integrity of information traversing a public or untrusted network. This module is intended to provide a minimal, baseline set of requirements targeted at mitigating well defined and described threats to VPN Gateway technology. This introduction describes the features of a compliant Target of Evaluation (TOE), and discusses how to use MOD_VPN in conjunction with NDcPPv2.

NOTE: In case the IPsec connection breaks unintentionally, clear the IPsec session with the following commands. This restarts and re-establishes the IPsec session.

user@host# run clear security ipsec security-associations
user@host# run clear security ike security-associations
Supported IPsec-IKE Algorithms

IN THIS SECTION
Supported IPsec encryption algorithms | 85
Supported IKE encryption algorithms | 86
Supported IKE DH groups | 86
Supported IPsec authentication algorithm | 87
Supported IKE authentication algorithms | 87
Supported authentication methods | 87

Your device supports the following IPsec-IKE algorithms:

Supported IPsec encryption algorithms

aes-128-cbc    AES-CBC 128-bit encryption algorithm
aes-128-gcm    AES-GCM 128-bit encryption algorithm
aes-192-cbc    AES-CBC 192-bit encryption algorithm
aes-192-gcm    AES-GCM 192-bit encryption algorithm
aes-256-cbc    AES-CBC 256-bit encryption algorithm
aes-256-gcm    AES-GCM 256-bit encryption algorithm

[edit]
user@host# set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-128-cbc
user@host# set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-128-gcm
user@host# set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-192-cbc
user@host# set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-192-gcm
user@host# set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-256-cbc
user@host# set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-256-gcm

Supported IKE encryption algorithms

aes-128-cbc    AES-CBC 128-bit encryption algorithm
aes-128-gcm    AES-GCM 128-bit encryption algorithm
aes-192-cbc    AES-CBC 192-bit encryption algorithm
aes-256-cbc    AES-CBC 256-bit encryption algorithm
aes-256-gcm    AES-GCM 256-bit encryption algorithm

[edit]
user@host# set security ike proposal ipsec-proposal1 encryption-algorithm aes-128-cbc
user@host# set security ike proposal ipsec-proposal1 encryption-algorithm aes-128-gcm
user@host# set security ike proposal ipsec-proposal1 encryption-algorithm aes-192-cbc
user@host# set security ike proposal ipsec-proposal1 encryption-algorithm aes-256-cbc
user@host# set security ike proposal ipsec-proposal1 encryption-algorithm aes-256-gcm

Supported IKE DH groups

group14    Diffie-Hellman group 14
group15    Diffie-Hellman group 15
group16    Diffie-Hellman group 16
group19    Diffie-Hellman group 19
group20    Diffie-Hellman group 20
group21    Diffie-Hellman group 21
group24    Diffie-Hellman group 24

[edit]
user@host# set security ike proposal ipsec-proposal1 dh-group group14
user@host# set security ike proposal ipsec-proposal1 dh-group group15
user@host# set security ike proposal ipsec-proposal1 dh-group group16
user@host# set security ike proposal ipsec-proposal1 dh-group group19
user@host# set security ike proposal ipsec-proposal1 dh-group group20
user@host# set security ike proposal ipsec-proposal1 dh-group group21
user@host# set security ike proposal ipsec-proposal1 dh-group group24

Supported IPsec authentication algorithm

hmac-sha-256-128    HMAC-SHA-256-128 authentication algorithm
hmac-sha-384        HMAC-SHA-384 authentication algorithm
hmac-sha-512        HMAC-SHA-512 authentication algorithm

[edit]
user@host# set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
user@host# set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-384
user@host# set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-512

Supported IKE authentication algorithms

sha-256    SHA 256-bit authentication algorithm
sha-384    SHA 384-bit authentication algorithm
sha-512    SHA 512-bit authentication algorithm

[edit]
user@host# set security ike proposal ipsec-proposal1 authentication-algorithm sha-256
user@host# set security ike proposal ipsec-proposal1 authentication-algorithm sha-384
user@host# set security ike proposal ipsec-proposal1 authentication-algorithm sha-512

Supported authentication methods

certificates              Enables ECDSA, RSA and DSA certificates; requires IKEv2
ecdsa-signatures-256      ECDSA signatures (256 bit modulus)
ecdsa-signatures-384      ECDSA signatures (384 bit modulus)
ecdsa-signatures-521      ECDSA signatures (521 bit modulus)
pre-shared-keys           Pre-shared keys
rsa-signatures            RSA signatures

[edit]
user@host# set security ike proposal ipsec-proposal1 authentication-method certificates
user@host# set security ike proposal ipsec-proposal1 authentication-method ecdsa-signatures-256
user@host# set security ike proposal ipsec-proposal1 authentication-method ecdsa-signatures-384
user@host# set security ike proposal ipsec-proposal1 authentication-method ecdsa-signatures-521
user@host# set security ike proposal ipsec-proposal1 authentication-method pre-shared-keys
user@host# set security ike proposal ipsec-proposal1 authentication-method rsa-signatures
Configure a VPN on a Device Running Junos OS

IN THIS SECTION
Configuring an IPsec VPN with a Pre-Shared Key for IKE Authentication | 91
Configuring an IPsec VPN with an RSA Signature for IKE Authentication | 98
Configuring an IPsec VPN with an ECDSA Signature for IKE Authentication | 104

This section describes, by example, how to configure an IPsec VPN on a Junos OS device using the following IKE authentication methods:
· "Configuring an IPsec VPN with a Pre-Shared Key for IKE Authentication" on page 91
· "Configuring an IPsec VPN with an RSA Signature for IKE Authentication" on page 98
· "Configuring an IPsec VPN with an ECDSA Signature for IKE Authentication" on page 104
Figure 1 on page 89 shows the VPN topology used in all the examples described in this section. Here, H0 and H1 are the hosts, and R0 and R1 are the two endpoints of the IPsec VPN tunnel.

Figure 1: VPN Topology

Table 4 on page 89 provides a complete list of the supported IKE protocols, tunnel modes, Phase 1 negotiation modes, authentication methods and algorithms, encryption algorithms, and DH groups for IKE authentication and encryption (Phase 1, IKE proposal) and for IPsec authentication and encryption (Phase 2, IPsec proposal). The listed protocols, modes, and algorithms are supported and required for 21.2R2 Common Criteria.
Table 4: VPN Combination Matrix

Phase 1 Proposal (P1, IKE)
IKE Protocol: IKEv1, IKEv2
Tunnel Mode: Route
Phase 1 Negotiation & Mode: Main
Authentication Method: pre-shared-keys, rsa-signatures-2048, ecdsa-signatures-256, ecdsa-signatures-384, ecdsa-signatures-521
Authentication Algorithm: sha-256, sha-384, sha-512
DH Group: group14, group15, group16, group19, group20, group21, group24
Encryption Algorithm: aes-128-cbc, aes-128-gcm, aes-192-cbc, aes-256-cbc, aes-256-gcm

Phase 2 Proposal (P2, IPsec)
IKE Protocol: IKEv1, IKEv2
Tunnel Mode: Route
Phase 1 Negotiation & Mode: Main
Authentication Algorithm: hmac-sha-256-128, hmac-sha-384, hmac-sha-512
DH Group (PFS): group14, group15, group16, group19, group20, group21, group24
Encryption Method: ESP
Encryption Algorithm: aes-128-cbc, aes-128-gcm, aes-192-cbc, aes-192-gcm, aes-256-cbc, aes-256-gcm
NOTE: The following sections provide sample configurations of IKEv1 IPsec VPNs for selected algorithms. The authentication algorithms can be replaced in the configuration to achieve the configuration the user requires. Use the set security ike gateway gw-name version v2-only command for an IKEv2 IPsec VPN.
Configuring an IPsec VPN with a Pre-Shared Key for IKE Authentication

In this section, you configure devices running Junos OS for an IPsec VPN using a pre-shared key as the IKE authentication method. The algorithms used for IKE and IPsec authentication and encryption are shown in Table 5 on page 91.

Table 5: IKE and IPsec Authentication Example

Phase 1 Proposal (P1, IKE)
IKE Protocol: IKEv1
Tunnel Mode: Route
Phase 1 Negotiation & Mode: Main
Authentication Method: pre-shared-keys
Authentication Algorithm: sha-256
DH Group: group14
Encryption Algorithm: aes-256-cbc

Phase 2 Proposal (P2, IPsec)
IKE Protocol: IKEv1
Tunnel Mode: Route
Phase 1 Negotiation & Mode: Main
Authentication Algorithm: hmac-sha-256-128
DH Group (PFS): group14
Encryption Method: ESP
Encryption Algorithm: aes-256-cbc
NOTE: A device running Junos OS uses certificate-based authentication or pre-shared keys for IPsec. The TOE accepts ASCII or bit-based pre-shared keys of up to 255 characters (and their binary equivalents) containing upper and lower case letters, numbers, and special characters such as !, @, #, $, %, ^, &, *, (, and ). The device accepts text pre-shared keys and converts the text string into an authentication value as specified by RFC 2409 for IKEv1 or RFC 4306 for IKEv2, using the PRF that is configured as the hash algorithm for the IKE exchanges. Junos OS does not impose minimum complexity requirements on pre-shared keys. Users are therefore advised to choose long pre-shared keys of sufficient complexity with care.
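The note above says that Junos OS enforces no complexity minimum for a pre-shared key and that a text key is turned into an authentication value by the IKE PRF. As an added example, not part of this guide or of Junos OS, the following Python checks a key against the constraints the note lists (ascii-text or hexadecimal form, at most 255 characters, the stated character set), reports a rough entropy estimate so an administrator can judge "sufficient complexity" before committing, and shows the RFC 4306 / RFC 7296 section 2.15 shared-key AUTH computation with HMAC-SHA-256 standing in for the PRF implied by authentication-algorithm sha-256. The signed octets, the function names and the entropy estimate are this example's own; the two key values are the ones the guide uses as illustrations.

```python
import hashlib
import hmac
import math
import re
import string

# Character classes the guide says a text pre-shared key may contain, and the
# maximum length it states.
SPECIALS = "!@#$%^&*()"
TEXT_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS)
ALLOWED_TEXT = set("".join(TEXT_CLASSES))
MAX_LEN = 255

# The hash configured as the IKE proposal's authentication-algorithm doubles
# as the IKEv2 PRF; the guide's examples use sha-256.
PRF = {"sha-256": hashlib.sha256, "sha-384": hashlib.sha384, "sha-512": hashlib.sha512}

# RFC 4306 / RFC 7296 section 2.15: 17 ASCII characters, no trailing NUL.
KEY_PAD = b"Key Pad for IKEv2"


def psk_bytes(psk: str, fmt: str) -> bytes:
    """Binary pre-shared key for an ascii-text or hexadecimal value, or
    ValueError if the value violates the constraints the guide lists."""
    if fmt == "ascii-text":
        if not 1 <= len(psk) <= MAX_LEN:
            raise ValueError("ascii-text PSK must be 1 to 255 characters")
        bad = set(psk) - ALLOWED_TEXT
        if bad:
            raise ValueError(f"unsupported characters in PSK: {''.join(sorted(bad))!r}")
        return psk.encode("ascii")
    if fmt == "hexadecimal":
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2}){1,%d}" % MAX_LEN, psk):
            raise ValueError("hexadecimal PSK must be 1 to 255 whole bytes")
        return bytes.fromhex(psk)
    raise ValueError(f"unknown PSK format {fmt!r}")


def is_valid_psk(psk: str, fmt: str) -> bool:
    """True if psk_bytes() would accept the value."""
    try:
        psk_bytes(psk, fmt)
        return True
    except ValueError:
        return False


def psk_strength(psk: str, fmt: str) -> dict:
    """Length, number of character classes used, and a pool-size entropy
    estimate in bits. Junos OS enforces no minimum, so this is the check an
    operator runs before committing; the estimate is this example's own."""
    psk_bytes(psk, fmt)  # reject invalid values first
    if fmt == "hexadecimal":
        classes, bits = 1, 4.0 * len(psk)
    else:
        present = [cls for cls in TEXT_CLASSES if any(c in cls for c in psk)]
        classes = len(present)
        bits = len(psk) * math.log2(sum(len(cls) for cls in present))
    return {"length": len(psk), "classes": classes, "bits": round(bits, 1)}


def ikev2_psk_auth(psk: bytes, signed_octets: bytes, ike_auth_alg: str = "sha-256") -> bytes:
    """AUTH payload data for IKEv2 shared-key authentication:
    prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>),
    with the PRF taken from the configured IKE authentication algorithm."""
    digest = PRF[ike_auth_alg]
    padded_key = hmac.new(psk, KEY_PAD, digest).digest()
    return hmac.new(padded_key, signed_octets, digest).digest()


if __name__ == "__main__":
    # Constructed stand-in for the initiator's signed octets
    # (RealMessage1 || NonceRData || prf(SK_pi, IDi')); a real exchange supplies them.
    signed = b"constructed-signed-octets"
    for value, fmt in (("Modvpn@jnpr1234", "ascii-text"), ("cc1bae2014", "hexadecimal")):
        auth = ikev2_psk_auth(psk_bytes(value, fmt), signed)
        print(value, psk_strength(value, fmt), auth.hex()[:16] + "...")
```

The same text key entered as ascii-text or as its hexadecimal byte string yields the same AUTH value, which is why the guide treats the two entry forms as equivalent.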
Configuring an IPsec VPN with a Pre-Shared Key as IKE Authentication on the Initiator
1. Configure the IKE proposal:
[edit]
user@host# set security ike proposal ike-proposal1 authentication-method pre-shared-keys
user@host# set security ike proposal ike-proposal1 dh-group group14
user@host# set security ike proposal ike-proposal1 authentication-algorithm sha-256
user@host# set security ike proposal ike-proposal1 encryption-algorithm aes-256-cbc
NOTE: Here, ike-proposal1 is the IKE proposal name given by the authorized administrator.
2. Configure the IKE policy:
[edit]
user@host# set security ike policy ike-policy1 mode main
user@host# set security ike policy ike-policy1 proposals ike-proposal1
NOTE: Here, ike-policy1 is the IKE policy name and ike-proposal1 is the IKE proposal name given by the authorized administrator.
user@host# prompt security ike policy ike-policy1 pre-shared-key ascii-text
New ascii-text (secret):
Retype new ascii-text (secret):
NOTE: You must enter and re-enter the pre-shared key when prompted. For example, the pre-shared key can be Modvpn@jnpr1234.
NOTE: The pre-shared key can also be entered in hexadecimal format. For example:
[edit]
root@host# prompt security ike policy ike-policy1 pre-shared-key hexadecimal
New hexadecimal (secret):
Retype new hexadecimal (secret):
Enter the hexadecimal pre-shared key value.
3. Configure the IPsec proposal:
[edit]
user@host# set security ipsec proposal ipsec-proposal1 protocol esp
user@host# set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
user@host# set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-256-cbc
NOTE: Here, ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.
4. Configure the IPsec policy:
[edit]
user@host# set security ipsec policy ipsec-policy1 perfect-forward-secrecy keys group14
user@host# set security ipsec policy ipsec-policy1 proposals ipsec-proposal1
NOTE: Here, ipsec-policy1 is the IPsec policy name and ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.
5. Configure IKE:
[edit]
user@host# set security ike gateway gw1 ike-policy ike-policy1
user@host# set security ike gateway gw1 address 20.1.1.2
user@host# set security ike gateway gw1 local-identity inet 20.1.1.1
user@host# set security ike gateway gw1 external-interface xe-0/0/2
NOTE: Here, gw1 is the IKE gateway name, 20.1.1.2 is the IP address of the peer VPN endpoint, 20.1.1.1 is the IP address of the local VPN endpoint, and xe-0/0/2 is the local outbound interface acting as the VPN endpoint. The following additional configuration is required for IKEv2:
user@host# set security ike gateway gw1 version v2-only
6. Configure the VPN:
[edit]
user@host# set security ipsec vpn vpn1 ike gateway gw1
user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1
user@host# set security ipsec vpn vpn1 bind-interface st0.0
user@host# set security ipsec vpn vpn1 establish-tunnels immediately
NOTE: Here, vpn1 is the VPN tunnel name given by the authorized administrator.
7. Configure the service set:
[edit]
user@host# set services service-set IPSEC_SS_SPC3 next-hop-service inside-service-interface vms-5/0/0.1
user@host# set services service-set IPSEC_SS_SPC3 next-hop-service outside-service-interface vms-5/0/0.2
user@host# set services service-set IPSEC_SS_SPC3 ipsec-vpn vpn1
8. Configure the interfaces and routing options:
[edit]
user@host# set interfaces xe-0/0/2 unit 0 family inet address 20.1.1.1/24
user@host# set interfaces vms-5/0/0 unit 0 family inet
user@host# set interfaces vms-5/0/0 unit 1 family inet
user@host# set interfaces vms-5/0/0 unit 1 family inet6
user@host# set interfaces vms-5/0/0 unit 1 service-domain inside
user@host# set interfaces vms-5/0/0 unit 2 family inet
user@host# set interfaces vms-5/0/0 unit 2 family inet6
user@host# set interfaces vms-5/0/0 unit 2 service-domain outside
user@host# set interfaces st0 unit 1 family inet
user@host# set interfaces st0 unit 1 family inet6
user@host# set interfaces st0 unit 2 family inet
user@host# set interfaces st0 unit 2 family inet6
user@host# set routing-options static route 30.1.1.0/24 next-hop st0.0
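Table 4 fixes the algorithm values that belong in the evaluated configuration, and steps 1 through 8 above enter them one set statement at a time, so a transposed value or an omitted attribute (which silently falls back to a Junos OS default) is easy to miss in review. As an added example that is not part of this guide or of Junos OS, the following Python audits a pasted CLI transcript or the output of show configuration | display set: it checks every IKE and IPsec proposal attribute and every perfect-forward-secrecy keys group against the Table 4 values and reports attributes a proposal leaves unset. The sample inputs are the initiator commands from steps 1, 3 and 4 above and a constructed non-compliant proposal; the audit function and the finding texts are this example's own.

```python
import re
from collections import defaultdict

# Values Table 4 lists as supported and required for the evaluated
# configuration. Any other value is reported.
EVALUATED = {
    ("ike", "authentication-method"): {"pre-shared-keys", "rsa-signatures", "certificates",
                                       "ecdsa-signatures-256", "ecdsa-signatures-384",
                                       "ecdsa-signatures-521"},
    ("ike", "authentication-algorithm"): {"sha-256", "sha-384", "sha-512"},
    ("ike", "dh-group"): {"group14", "group15", "group16", "group19", "group20",
                          "group21", "group24"},
    ("ike", "encryption-algorithm"): {"aes-128-cbc", "aes-128-gcm", "aes-192-cbc",
                                      "aes-256-cbc", "aes-256-gcm"},
    ("ipsec", "protocol"): {"esp"},
    ("ipsec", "authentication-algorithm"): {"hmac-sha-256-128", "hmac-sha-384", "hmac-sha-512"},
    ("ipsec", "encryption-algorithm"): {"aes-128-cbc", "aes-128-gcm", "aes-192-cbc",
                                        "aes-192-gcm", "aes-256-cbc", "aes-256-gcm"},
}

# Attributes a proposal must set explicitly; an omitted attribute falls back
# to a Junos OS default that is not on the evaluated list.
REQUIRED = {
    "ike": ("authentication-method", "authentication-algorithm", "dh-group", "encryption-algorithm"),
    "ipsec": ("protocol", "encryption-algorithm"),
}

PROPOSAL_RE = re.compile(r"^set security (ike|ipsec) proposal (\S+) (\S+) (\S+)$")
PFS_RE = re.compile(r"^set security ipsec policy (\S+) perfect-forward-secrecy keys (\S+)$")


def parse_set_commands(config_text):
    """Yield bare 'set ...' statements, dropping the 'user@host#' prompt and
    the '[edit]' banner that appear in CLI transcripts."""
    for raw in config_text.splitlines():
        line = re.sub(r"^\S+@\S+#\s*", "", raw.strip())
        if line.startswith("set "):
            yield line


def audit(config_text):
    """Return a sorted list of findings; an empty list means every IKE/IPsec
    proposal attribute and PFS group matches the evaluated configuration."""
    proposals = defaultdict(dict)  # (family, name) -> {attribute: value}
    findings = []
    for line in parse_set_commands(config_text):
        m = PROPOSAL_RE.match(line)
        if m:
            family, name, attr, value = m.groups()
            proposals[(family, name)][attr] = value
            allowed = EVALUATED.get((family, attr))
            if allowed is not None and value not in allowed:
                findings.append(f"{family} proposal {name}: {attr} {value} "
                                f"is not in the evaluated configuration")
            continue
        m = PFS_RE.match(line)
        if m and m.group(2) not in EVALUATED[("ike", "dh-group")]:
            findings.append(f"ipsec policy {m.group(1)}: PFS group {m.group(2)} "
                            f"is not in the evaluated configuration")
    for (family, name), attrs in proposals.items():
        required = list(REQUIRED[family])
        # An AES-GCM ESP proposal carries its own integrity tag; any other
        # cipher needs an explicit HMAC authentication algorithm.
        if family == "ipsec" and not attrs.get("encryption-algorithm", "").endswith("-gcm"):
            required.append("authentication-algorithm")
        for attr in required:
            if attr not in attrs:
                findings.append(f"{family} proposal {name}: {attr} not set, "
                                f"Junos OS default would apply")
    return sorted(findings)


# Initiator commands from steps 1, 3 and 4 of the guide, as a pasted transcript.
GUIDE_INITIATOR = """
[edit]
user@host# set security ike proposal ike-proposal1 authentication-method pre-shared-keys
user@host# set security ike proposal ike-proposal1 dh-group group14
user@host# set security ike proposal ike-proposal1 authentication-algorithm sha-256
user@host# set security ike proposal ike-proposal1 encryption-algorithm aes-256-cbc
user@host# set security ipsec proposal ipsec-proposal1 protocol esp
user@host# set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
user@host# set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-256-cbc
user@host# set security ipsec policy ipsec-policy1 perfect-forward-secrecy keys group14
user@host# set security ipsec policy ipsec-policy1 proposals ipsec-proposal1
"""

# Constructed non-compliant sample: legacy cipher and DH groups, and an IKE
# proposal that relies on the default authentication algorithm.
NON_EVALUATED = """
set security ike proposal legacy-proposal authentication-method pre-shared-keys
set security ike proposal legacy-proposal dh-group group2
set security ike proposal legacy-proposal encryption-algorithm 3des-cbc
set security ipsec proposal legacy-ipsec protocol esp
set security ipsec proposal legacy-ipsec encryption-algorithm aes-128-gcm
set security ipsec policy legacy-policy perfect-forward-secrecy keys group5
"""

if __name__ == "__main__":
    print("guide initiator:", audit(GUIDE_INITIATOR) or "no findings")
    for finding in audit(NON_EVALUATED):
        print("non-evaluated:", finding)
```

The checker reads the CLI transcript form used in this guide as well as plain set statements, so the same audit can be run over a change request before it is entered and over the committed configuration afterwards.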
Configuring an IPsec VPN with a Pre-Shared Key as IKE Authentication on the Responder
1. Configure the IKE proposal:
[edit]
user@host# set security ike proposal ike-proposal1 authentication-method pre-shared-keys
user@host# set security ike proposal ike-proposal1 dh-group group14
user@host# set security ike proposal ike-proposal1 authentication-algorithm sha-256
user@host# set security ike proposal ike-proposal1 encryption-algorithm aes-128-cbc
NOTE: Here, ike-proposal1 is the IKE proposal name given by the authorized administrator.
2. Configure the IKE policy:
[edit]
user@host# set security ike policy ike-policy1 mode main
user@host# set security ike policy ike-policy1 proposals ike-proposal1
NOTE: Here, ike-policy1 is the IKE policy name and ike-proposal1 is the IKE proposal name given by the authorized administrator.
user@host# prompt security ike policy ike-policy1 pre-shared-key ascii-text
New ascii-text (secret):
Retype new ascii-text (secret):
NOTE: You must enter and re-enter the pre-shared key when prompted. For example, the pre-shared key can be Modvpn@jnpr1234.
NOTE: The pre-shared key can also be entered in hexadecimal format. For example:
[edit]
root@host# prompt security ike policy ike-policy1 pre-shared-key hexadecimal
New hexadecimal (secret):
Retype new hexadecimal (secret):
Here, the hexadecimal pre-shared key can be cc1bae2014.
3. Configure the IPsec proposal:
[edit]
user@host# set security ipsec proposal ipsec-proposal1 protocol esp
user@host# set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
user@host# set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-128-cbc
NOTE: Here, ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.
4. Configure the IPsec policy:
[edit]
user@host# set security ipsec policy ipsec-policy1 perfect-forward-secrecy keys group14
user@host# set security ipsec policy ipsec-policy1 proposals ipsec-proposal1
NOTE: Here, ipsec-policy1 is the IPsec policy name and ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.
5. Configure IKE:
[edit]
user@host# set security ike gateway gw1 ike-policy ike-policy1
user@host# set security ike gateway gw1 address 20.1.1.1
user@host# set security ike gateway gw1 local-identity inet 20.1.1.2
user@host# set security ike gateway gw1 external-interface xe-0/0/3
NOTE: Here, gw1 is the IKE gateway name, 20.1.1.1 is the IP address of the peer VPN endpoint, 20.1.1.2 is the IP address of the local VPN endpoint, and xe-0/0/3 is the local outbound interface acting as the VPN endpoint. The following additional configuration is required for IKEv2:
user@host# set security ike gateway gw1 version v2-only
6. Configure the VPN:
[edit]
user@host# set security ipsec vpn vpn1 ike gateway gw1
user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1
user@host# set security ipsec vpn vpn1 bind-interface st0.0
user@host# set security ipsec vpn vpn1 establish-tunnels immediately
NOTE: Here, vpn1 is the VPN tunnel name given by the authorized administrator.
7. Configure the service set:
[edit]
user@host# set services service-set IPSEC_SS_SPC3 next-hop-service inside-service-interface vms-4/0/0.1
user@host# set services service-set IPSEC_SS_SPC3 next-hop-service outside-service-interface vms-4/0/0.2
user@host# set services service-set IPSEC_SS_SPC3 ipsec-vpn vpn1
8. Configure the interfaces and routing options:
[edit]
user@host# set interfaces xe-0/0/3 unit 0 family inet address 20.1.1.2/24
user@host# set interfaces vms-4/0/0 unit 0 family inet
user@host# set interfaces vms-4/0/0 unit 1 family inet
user@host# set interfaces vms-4/0/0 unit 1 family inet6
user@host# set interfaces vms-4/0/0 unit 1 service-domain inside
user@host# set interfaces vms-4/0/0 unit 2 family inet
user@host# set interfaces vms-4/0/0 unit 2 family inet6
user@host# set interfaces vms-4/0/0 unit 2 service-domain outside
user@host# set interfaces st0 unit 1 family inet
user@host# set interfaces st0 unit 1 family inet6
user@host# set interfaces st0 unit 2 family inet
user@host# set interfaces st0 unit 2 family inet6
user@host# set routing-options static route 10.1.1.0/24 next-hop st0.0
Configuring an IPsec VPN with an RSA Signature for IKE Authentication

In this section, you configure devices running Junos OS for an IPsec VPN using an RSA signature as the IKE authentication method. The algorithms used for IKE and IPsec authentication and encryption are shown in Table 6 on page 98.

Table 6: IKE/IPsec Authentication and Encryption Example

Phase 1 Proposal (P1, IKE)
IKE Protocol: IKEv1
Tunnel Mode: Route
Phase 1 Negotiation & Mode: Main
Authentication Method: rsa-signatures-2048
Authentication Algorithm: sha-256
DH Group: group19
Encryption Algorithm: aes-128-cbc

Phase 2 Proposal (P2, IPsec)
IKE Protocol: IKEv1
Tunnel Mode: Route
Phase 1 Negotiation & Mode: Main
Authentication Algorithm: hmac-sha-256-128
DH Group (PFS): group19
Encryption Method: ESP
Encryption Algorithm: aes-128-cbc
Configuring an IPsec VPN with an RSA Signature as IKE Authentication on the Initiator
1. Configure the PKI. See Example: Configuring PKI.
2. Generate the RSA key pair. See Example: Generating a Public-Private Key Pair.
3. Generate and load the CA certificate. See Example: Loading CA and Local Certificates Manually.
4. Load the CRL. See Example: Manually Loading a CRL onto the Device.
5. Generate and load the local certificate. See Example: Loading CA and Local Certificates Manually.
6. Configure the IKE proposal:
[edit]
user@host# set security ike proposal ike-proposal1 authentication-method rsa-signatures
user@host# set security ike proposal ike-proposal1 dh-group group19
user@host# set security ike proposal ike-proposal1 authentication-algorithm sha-256
user@host# set security ike proposal ike-proposal1 encryption-algorithm aes-128-cbc
NOTE: Here, ike-proposal1 is the name given by the authorized administrator.
7. Configure the IKE policy:
[edit]
user@host# set security ike policy ike-policy1 mode main
user@host# set security ike policy ike-policy1 proposals ike-proposal1
user@host# set security ike policy ike-policy1 certificate local-certificate cert1
NOTE: Here, ike-policy1 is the IKE policy name given by the authorized administrator.
8. Configure the IPsec proposal:
[edit]
user@host# set security ipsec proposal ipsec-proposal1 protocol esp
user@host# set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
user@host# set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-128-cbc
NOTE: Here, ipsec-proposal1 is the name given by the authorized administrator.
9. Configure the IPsec policy:
[edit]
user@host# set security ipsec policy ipsec-policy1 perfect-forward-secrecy keys group19
user@host# set security ipsec policy ipsec-policy1 proposals ipsec-proposal1
NOTE: Here, ipsec-policy1 is the name given by the authorized administrator.
10. Configure IKE:
[edit]
user@host# set security ike gateway gw1 ike-policy ike-policy1
user@host# set security ike gateway gw1 address 20.1.1.2
user@host# set security ike gateway gw1 local-identity inet 20.1.1.1
user@host# set security ike gateway gw1 external-interface xe-0/0/3
NOTE: Here, 20.1.1.2 is the IP address of the peer VPN endpoint, 20.1.1.1 is the IP address of the local VPN endpoint, and xe-0/0/3 is the local outbound interface acting as the VPN endpoint. The following configuration is required for IKEv2:
user@host# set security ike gateway gw1 version v2-only
11. Configure the VPN:
[edit]
user@host# set security ipsec vpn vpn1 ike gateway gw1
user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1
user@host# set security