Hi, Habr!
July 1 is approaching, and with it the need to implement Federal Law 152-FZ "On personal data". In this regard, I want to share my experience in this area. The Information Security blog already has a series of posts on writing the documents; however, in addition to the paperwork, you may need to use some technical information protection tools. This post is devoted to that topic.
The first thing to keep in mind is that we may use only those tools that hold a valid FSTEC certificate (for protection against unauthorized access, NSD) or FSB certificate (for cryptography and firewalling). Unfortunately, certificates periodically expire, and if the manufacturer does not bother to renew one, there may be problems during an inspection. There are two ways to avoid them:
1) Before purchasing a protection tool, ask the manufacturer or the supplier when the current certificate expires and whether the manufacturer intends to renew it. It is also worth checking the manufacturer's website: if a newer version already exists, the old one may not be renewed.
2) If the tool has already been purchased and the manufacturer is not going to renew the certificate, you can contact the certification body yourself and obtain a certificate for your own copy (and only your own). For a certain amount of money, as you can imagine.
In addition, you need to decide which protection tools you actually need. If your ISPDn (personal data information system) is typical, the requirements for protecting personal data are described in the annex to FSTEC Order No. 58, which can be found here. If your ISPDn is special, the protection requirements are described in the "Private Threat Model ...", which is compiled from the results of the ISPDn survey. Let me explain right away: a typical ISPDn is an information system for which only the confidentiality of personal data is required, with availability and integrity left aside. Why would you make an ISPDn special? In my opinion, this makes sense only for class 1 ISPDn (K1), since the requirements there also include protection against PEMIN (side electromagnetic emanations and pickup). Creating a "Private Threat Model ..." helps you get away from PEMIN and makes life much easier. PEMIN protection essentially boils down to installing an electromagnetic noise generator and fixing the location and composition of both the ISPDn equipment and all technical equipment located in the same premises. That is, you can make changes only in coordination with the body that performed the certification tests. Changes in the composition of the ISPDn can result in a control check or re-certification.
Let us assume we have escaped PEMIN; now let's consider the information protection tools and typical options for their use. In general, all such tools can be divided into several groups:
Local SZI NSD
SZI NSD is the abbreviation for a tool for protecting information from unauthorized access. They are used to prevent unauthorized actions by users who have access to ISPDn workstations. They include mechanisms such as boot control from removable media (CD/DVD, flash drives), device control (so that a random USB flash drive cannot be plugged in and the information copied off), and mandatory access control (not required for an ISPDn). I will list only the tools I have worked with personally:
1) Secret Net. Supplied either with a boot control board or without one. It works through secpol.msc, so it may not work on Home editions (it definitely does not work on Windows XP; Vista and Windows 7 I have not yet checked). It is fairly easy to use and has the best device control mechanism I have seen. There is a network version designed for integration into a domain structure.
2) Guardian NT. The best mandatory access control mechanism. Harder to work with (because some of the protection mechanisms cannot be turned off). There is no network version.
3) Dallas Lock. Loses on all the parameters considered above, except for the ability to properly deploy the network version in a domainless network.
As the name implies, these tools are used on local machines. There is nothing more to add here.
Firewalls
The purpose, I think, is clear. In addition, if one ISPDn is divided into two parts by a firewall, you can legitimately call them two different ISPDn. What for? If you fall into the first class by the number of personal data subjects processed, then by dividing the ISPDn into two parts you reduce the number of subjects processed in each ISPDn and get K2 instead of K1. There are currently several certified firewalls on the market:
1) VipNet Personal Firewall. Just a personal firewall, without any frills. Managed only locally; there is no centralized management mechanism. Requires a password to start; if it is not entered, the firewall does not start.
2) VipNet Office Firewall. The same, but supports several network cards, which allows you to install it on a gateway and use it to segment an ISPDn.
3) SSPT-2. A hardware and software system running on FreeBSD, but nobody will let you into the OS itself. It works quickly and supports filtering by many criteria. It has an unpleasant feature: rules are applied from the top of the list to the bottom, and rules located higher have higher priority. This is not reflected in the documentation; it was found out empirically. Managed both from the local console and via the web interface.
4) APKS Continent. Strictly speaking, this is not a firewall but a cryptographic router, though it has firewall functions. Architecturally it is similar to SSPT-2, but there is no control from the local console, only through a special administrator console. Moreover, during the initial configuration you must specify the interface to which the administrator's computer will be connected.
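The SSPT-2 quirk above (rules evaluated top to bottom, first match wins) is what makes rule ordering a security matter: a broad "allow" placed above a narrow "deny" silently swallows it. The following is an added example, not code from the original post or from any of the vendors mentioned; it uses a generic, hypothetical rule format and constructed addresses, not SSPT-2's own syntax. It implements first-match evaluation and a shadowing check that reports any rule which can never fire because an earlier rule already covers everything it matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One filtering rule in a hypothetical first-match firewall (constructed format)."""
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # source network in CIDR notation
    dst: str                     # destination network in CIDR notation
    dport: Optional[int] = None  # None means any destination port

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        """Does a single packet (5-tuple subset) hit this rule?"""
        if self.proto != "any" and self.proto != proto:
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self.

        With first-match semantics, a rule covered by an earlier rule is dead:
        it can never be the one that decides a packet's fate.
        """
        proto_ok = self.proto == "any" or self.proto == other.proto
        src_ok = ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
        dst_ok = ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
        port_ok = self.dport is None or self.dport == other.dport
        return proto_ok and src_ok and dst_ok and port_ok


def first_match(rules: List[Rule], proto: str, src_ip: str, dst_ip: str,
                dport: int, default: str = "deny") -> Tuple[str, Optional[int]]:
    """Top-to-bottom evaluation: the first matching rule decides, else the default."""
    for idx, rule in enumerate(rules):
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action, idx
    return default, None


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (shadowed_index, shadowing_index) pairs for rules that can never fire."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if rules[i].covers(later):
                found.append((j, i))
                break
    return found


# Constructed ruleset: workstations (10.0.1.0/24) may reach the ISPDn segment
# (10.0.2.0/24), but RDP to the database server 10.0.2.10 must be blocked.
# Written in the wrong order, the deny is shadowed by the allow above it.
RULES_BROKEN = [
    Rule("allow", "tcp", "10.0.1.0/24", "10.0.2.0/24"),
    Rule("deny", "tcp", "10.0.1.0/24", "10.0.2.10/32", 3389),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"),   # explicit clean-up rule
]

# Same rules, with the specific deny placed first so it takes priority.
RULES_FIXED = [RULES_BROKEN[1], RULES_BROKEN[0], RULES_BROKEN[2]]


if __name__ == "__main__":
    pkt = ("tcp", "10.0.1.5", "10.0.2.10", 3389)
    print("broken:", first_match(RULES_BROKEN, *pkt), "shadowed:", shadowed_rules(RULES_BROKEN))
    print("fixed: ", first_match(RULES_FIXED, *pkt), "shadowed:", shadowed_rules(RULES_FIXED))
```

Running the shadowing check after every ruleset edit is a cheap way to catch exactly the kind of ordering mistake the undocumented top-down behaviour invites; the check is conservative (it only reports full coverage), so a partially overlapping rule still needs a manual look.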
In addition, Security Code has released two more products: the firewall + HIPS Security Studio Endpoint Protection, and the TrustAccess distributed firewall system, which combines firewalling and segmentation using Kerberos authentication. Since I have not had to work with these products, I will only give links to their descriptions: TrustAccess, SSEP.
Also, production of one more product has been certified: Stonegate Firewall/VPN, from the Finnish company Stonesoft. It is also delivered with a CryptoPRO encryption module bolted on, which allows it to be used as a certified VPN solution.
SKZI
These are cryptographic information protection tools. In addition to the already mentioned Stonegate Firewall/VPN, there are two more VPN solutions:
1) VipNet Custom. A suite consisting of VipNet Administrator (the management program), VipNet Coordinator (the VPN server, with firewall functions) and VipNet Client (VPN client and firewall). The management program is used only for generating keys and certificates; firewall settings can only be managed locally. The only administration aid is the built-in RDP. It also includes an internal instant messenger and internal mail. Its only advantage is that it is a purely software solution that can be easily integrated into an existing infrastructure.
2) APKS Continent. I have already spoken about it. I will only add that the latest version of the client ("Continent-AP") has gained firewall functions, and there is even a client for Linux. The crypto-gateways themselves are managed only from the administrator console, but remotely. Another special feature is that the initial configuration (that is, transferring the network configuration and keys to the crypto-gateway) is done locally, by feeding it a flash drive with all the necessary information. If you make a mistake when creating the configuration and have already shipped the crypto-gateway to a remote site, you cannot reach it remotely and fix anything; you will have to generate the configuration again and deliver it to the remote site somehow.
That is basically a brief description of all the certified security products I know. I hope this information will be useful to the community.