PAK FPSU-IP and its extras

VPN hardware deployments in the Russian Federation rest mainly on the following equipment: CSP VPN Gate (rVPN), FPSU, Continent, Check Point, and Infotecs ViPNet. In this article I will try to tell you about the FPSU-IP, the “Network-Level Packet Filter Software and Hardware Complex - Internet Protocol”, which is used in at least two very large corporations, while its extras are spread even more widely across the Russian Federation.
For my humble taste, the name is not so great, especially the last 4 letters, which easily turn into “2SU”, “2IP”, “2 * 3OSI” or something like that, because they mean the same thing. I don’t know why, but a video about KRYPO and their “Internet portal” immediately comes to mind. The FPSU was developed by the Russian company Amikon and is intended for building tunnels between terminal network equipment.

Supply

The PAK is a 2-din helios block.
image
The latest modifications come in a blade form factor:
image
Supplied with: 2 patch cords, 2 TM tablets, software, and the KSZI FORM (for regulators). This raises a question: using a hot-standby PAK is the correct practice, and for this the units have a third Ethernet interface for synchronization, but no crossover cable is included (until 2010, the adapters in the FPSU could not cross over on their own). Well, okay, crimping one is not a problem, but the bad aftertaste remains. What is pleasing is that, on unpacking the FPSU, you get a fully functional PAK, on which you only need to calibrate the DSSH, write the configuration, and issue authenticators.

Operation

The OS currently uses Linux components; earlier it was DOS. Amusingly, the FPSU under DOS did not detect 95% of USB storage devices, but if such a device was detected, all the directories and files on it were available. After the move to Linux, flash drives began to be detected without problems, but only the root of the disk was visible. Which is the lesser of the two evils? It took some ingenuity to transfer the config and the upgrade. Backward compatibility of versions and configurations is one-way: 2.50 does not accept a configuration from 2.53, while the reverse works without problems. I advise you to update the OS only after waiting some time (“measure 7 times, cut once”): it has happened that an OS update contained more errors than the previous version. Also, you can update the OS only after the new version has been certified by the FSB. The main stages of setting up from scratch, which are also mandatory before putting the unit into operation, are:
1. Verifying the ordinal numbering and MAC addresses of the network adapters (which one faces outward, which one inward)
2. Setting the configuration and the correct version of the encryption keys
3. Registering a remote administrator and issuing an FPSU authenticator
4. Setting up the hot-standby mode.

Classic problems

I will describe what I came across most often:
1. In my region, what killed the FPSU was dust and heat; as a result, the power supply wore out: it might not burn out, but it simply no longer delivered the required volt-ampere characteristics, and because of this the FPSU did not pass POST.
2. Damage to the statistics store: the FPSU is working, but there are no tunnels. The only fix is reinstalling the OS.
3. “OS Crashed”: the boot device has changed; check the boot order in the BIOS.
4. “* Accord”: check the BIOS settings, open the FPSU, and reseat the Accord PCI card.
5. “OS Starting ...”: the PAK does not boot; the only fix is reinstalling the OS.
6. The PAK is working but there is no tunnel: if everything is fine with the network, check the key versions at both ends of the tunnel, since symmetric encryption is used.
7. In terms of OS logic, the FPSU never had any problems except one. The number of nodes allowed for group access is limited to ... 84. Why not 256 or 512, and why is it limited at all?

Additional features

The FPSU can be used as a firewall; it is not for nothing that its name contains the word “filter”. By default, the PAK discards all unencrypted packets, but it is possible to set up rules for the ports and protocols of the TCP stack, which, under a small load, will save money. Load plays a very large role for the FPSU in a star network topology, because the central node uses the keys of every transit FPSU, and performing filtering and decryption at the same time becomes problematic (at least on the previous-generation PAK, processor utilization is always around 100%).
Also, having 2 network interfaces allows you to use the FPSU as a router. But this is a very extreme case.
The remote administrator: the name says it all.
image
It shows the state of the tunnels, software versions, keys, and site statistics; you can update, manage the ACU, there are various filters; in general, everything is fine. But there is one very useful feature, “Ping from FPSU”, and it does not work! They probably forgot to remove the comments from the source code when building... The statistics are incredibly unoptimized: 1 working day produces a 24 GB file.

Extras

FPSU-IP client.
This is a USB token of this type:
image
It is initialized in a special snap-in, where the configuration, the group number, and the key of the FPSU to which it is bound are written into it. The group must also be activated on the FPSU. Using the token allows you to build VPNs over the Internet, and it also acts as a firewall:
image
In principle, it can replace an HSM in payment systems, ATMs and ODR.
To correctly configure the client computer, you must install the software. When version 4.3 of the “FPSU-IP / Client” software is installed on its own, the installer hangs at the same point (an intermittent issue). This is solved as follows: install an older version (4.12, 4.2) and then roll 4.3 on top. It works!

In conclusion

Overall, everything is at quite a good level, but it seems to me that large contractual obligations keep Amikon from developing its products more intensively, which would be interesting to see. Perhaps this would help get rid of the “childhood diseases”, although 10 years should have been enough to solve them: the OS versions for the FPSU keep changing, yet the legendary “Duplex” in the network adapter configuration modes stays the same. “Stability is a sign of excellence” does not, in this case, speak in favor of domestic products that cost from 100 thousand rubles per piece of hardware.


Source: https://habr.com/ru/post/168565/

