
Limiting the load on the server: cheap and cheerful

Earlier we wrote about the delimitation of information systems in the protection of personal data. This article is about limiting the load on a server on a limited budget.




Problem statement and possible solutions


Imagine that we have a server (or a group of servers) and several groups of clients. We need to regulate the server load.
For example, we have a 1C server (or a group of servers, it does not matter) and two categories of users, local and remote, that connect to the server via RDP. Local users, in turn, can be divided into at least two groups: accounting (which requires access to 1C) and everyone else. For everyone else, access to the server can either be blocked altogether or limited in speed. This is the load control task.
How do we solve it? If the servers run Linux (which is unlikely, since we are talking about 1C, but quite possible), you can try to get by with little expense using iptables + squid. Such a solution is absolutely free, but it requires a certain level of administrator qualification; otherwise, a lot of time will be spent on setup by trial and error with an uncertain result.
And what if the servers are running Windows Server? The first thing that comes to mind is TMG (Threat Management Gateway). However, there is a small problem: TMG sales were discontinued 3 years ago, and Microsoft never provided a decent replacement for it. There are solutions, but they are more focused on cloud technologies, quite expensive and not very suitable for our very modest task.
There are third-party solutions, for example, Sophos UTM & Next-Gen Firewall. However, the cost of such a solution will not please many companies, and its functionality is clearly excessive for our problem.
And there is an inexpensive and simple solution: CyberSafe Firewall. Its cost is quite acceptable for both small and large companies, and administrators will surely like its simplicity. Yes, next to Sophos UTM & Next-Gen Firewall and the former TMG, CyberSafe Firewall looks like a Lada next to a BMW. However, not everyone has the means or the need to buy a BMW when the task at hand can be solved perfectly well with a Lada.

Fig. 1. Sophos UTM & Next-Gen Firewall

So that we are not accused of excessive advertising of our software, we will proceed straight to solving the problem, so you can judge the simplicity of the proposed solution for yourself.

Load restriction by means of CyberSafe Firewall


Let us look at how to solve the bandwidth control problem. The first step is to deploy the program via Active Directory to all computers on the network. How to do this is described in the manual. Note that you can create a transform file (MST file) with the program itself, without resorting to third-party software, which is very convenient.
If Active Directory is not used in your network, this is not a problem: to automate the installation, a special deployment script is used, which can also be created with the program itself.
After the program is installed on all computers on the network, perform the following steps:
  1. Log into CyberSafe Firewall as administrator (Fig. 2).


    Fig. 2. Login as an administrator

  2. Run the menu command Firewall, Administration Panel. This command is available only if you are logged in as an administrator.
  3. The Administration Panel window will open (Fig. 3).


    Fig. 3. Administration Panel

  4. In the administration panel, define computer groups. To create a new group, right-click in the administration panel window and select the Create group command. After that, just drag the computers into the created group.
  5. Place the server (or servers) in the SERVERS group (Fig. 4). Be sure to click the Apply button for the changes to take effect.


    Fig. 4. Servers added to a separate group.

  6. Select the group of workstations you want to limit. Click Set Rules. Fig. 5 shows the rules setup window opened for the Lawyers group.


    Fig. 5. Group Rules Setup Window

  7. Go to the Shaper Rules section. Click the Add button.
  8. In the Add Shaper Rule window, set the speed limit (Fig. 6).

    Fig. 6. Setting the speed limit

  9. Go to the Source tab and select the Nickname option, then choose the group you want to restrict from the list that appears. Strictly speaking, it will already be selected, since we are creating the rule for this group, but it does no harm to make sure the choice is correct.


    Fig. 7. Select source group

  10. On the Recipient tab, select the Alias option and select the SERVERS group (Fig. 8).


    Fig. 8. Select the SERVERS group.

  11. Click OK and close the group rules setup window.
  12. Repeat steps 6-11 for all computer groups whose access to the server you want to restrict.
  13. Click the Apply button in the Administration Panel .
  14. Close the admin panel window.


That's all. Did you expect it to be more difficult?

Conclusions


CyberSafe Firewall is a simple and inexpensive solution for a wide variety of companies for which budget comes first. In addition, the program has a certificate of the FSTEC of Russia (for the third class of security), which is also important if you need to bring the enterprise's information system into compliance with the requirements of the legislation.

Source: https://habr.com/ru/post/264059/

