The code was checked literally by line: how our firewall was certified by FSTEC
On December 9, 2016, the Requirements for Firewalls, approved in the FSTEC Information Report dated April 28, 2016, came into force. All MEs - manufactured, supplied and developed - must be certified by the time the Requirements enter into force.
A year has passed, and so what? Only a few companies can boast a certificate, among them Smart-Soft. Now that we have gone through all the thorns of certification, we are not at all surprised why there are so few who have come to the end. We will tell you how we mimic our product under the new conditions, share the peculiarities of verification by the state and show whether there was any benefit to the end user from the improvements. However, first things first.
For manufacturers of DOEs, interest in certification is obvious: this is a “pass” to the B2G market (in other words, to state organizations — medical institutions, schools, universities, etc.). A number of experts, however, have already expressed doubts about the real benefits of the certificate for the consumer. In particular, it was noted that the manufacturer is not required to add the product update feature. At the same time, malware is constantly evolving, and the original certified version will lag behind the current virus threats very quickly.
')
So what's the use? It was unclear whether it would be easier for the administrator to work with the DOE after certification: no requirements for centralized management, modes of operation, etc. did not speak out. There were also less critical questions: why demand so many alerts? It was also obvious that certification is not easy: companies will need new expertise (for example, not all IT service providers have legal support).
Certification of Mee Traffic Inspector Next Generation
In September 2016, we began interaction with the testing laboratory of Documentary Systems CJSC for certification, in December, the laboratory began to analyze the distribution provided. Certification FSTEK was pretty scrupulous. We checked not only the program code of the product and its modules, but also the basic operating system. Testing for the passage of test scripts took several months. The modifications were initially small: blocking specific traffic, creating alerts about various events.
I had to implement an offline installation of updates, since in some installations Traffic Inspector Next Generation is located inside the perimeter closed from the Internet.
Check for hidden code
Perhaps the most difficult part of the work was to prove that there are no undeclared capabilities either in the BIOS or on the drives of the hardware platforms. And here's one of the reasons why certification is a plus for the end user.
The proof procedure took about four more months: from May to August. This duration is understandable. In 2012, the malicious code was found in the lot of chips manufactured in China, which cost the managers of a single large brand of many nerve cells. Then about the "bookmarks" and started talking seriously. The decisive word was given to J. Brossard, who presented the report “ Hardware backdooring is convenient ” (Johnatan Brossard, Hardware Backdooring is practical) at the Black Hat conference. However, in our case, everything went pretty boring: there were no flaws and vulnerabilities.
Check code integrity, build audit
So that the user has guarantees that there will be no undesirable changes for the future - we had to add self-control of integrity upon the request of FSTEC. This includes checking the checksums of all immutable files and the configuration file, as well as automatic restoration of the configuration that was changed in an unauthorized way.
At the request of the supervising authority, all events related to configuration changes are now logged in detail. Notification is sent to the administrator during critical security events (for example, checksum difference). Thus, unauthorized modification of the system is excluded - another plus.
A lot of tasks were associated with the build audit. For the control assembly, we even had to configure the server so that the experts of the controlling body could see for themselves: specific object files are collected from specific sources, and binary files, in turn, from specific object files. The opportunity to fix the checksums of the source files was also provided.
Certification results
Improvements at the request of the FSTEC Commission have affected the event notification, logging, updating, integrity audit.
By November 2017, we had the opportunity to test the solution on a real case: we provided the local network of Tyumen State Medical University with a single point of access to the Internet. Information security specialists have evaluated the alert system and the ability to control locks through the browser, access statistics, and have a simple interface.
It took us a year to get certified. It was a big, difficult job that we did not regret. The product is fully tested, aligned with the requirements. Does this mean that network threats are not terrible with our firewall? Yes, if you follow the obvious security measures , and it is better to also train employees in the basic principles of network security. To date, no “bookmarks”, “backdoors” and other vulnerabilities have been found in our product. We continue to monitor its quality so that everything will be fine in the future.
You can argue a lot about whether certification is beneficial to the end user. But the main thing that seems to us is this: is the manufacturer ready to refine its product? Does he have the resources to correct the defects found on time? Is it open to criticism?
FSTEC certification in this context is a test showing the level of developer competence. We have passed it, which is why we have undisguised satisfaction. We respect our competitors, who also passed this test - it means that we have worthy rivals (however, their units). Well, and customers are another reason to think - if the supplier does not have an FSTEC certificate, is he as good as he is telling about himself? However, we do not insist on our opinion and are ready to discuss in the comments to the article :)
Team "Smart Soft"
A year has passed, and so what? Only a few companies can boast a certificate, among them Smart-Soft. Now that we have gone through all the thorns of certification, we are not at all surprised why there are so few who have come to the end. We will tell you how we mimic our product under the new conditions, share the peculiarities of verification by the state and show whether there was any benefit to the end user from the improvements. However, first things first.
For manufacturers of DOEs, interest in certification is obvious: this is a “pass” to the B2G market (in other words, to state organizations — medical institutions, schools, universities, etc.). A number of experts, however, have already expressed doubts about the real benefits of the certificate for the consumer. In particular, it was noted that the manufacturer is not required to add the product update feature. At the same time, malware is constantly evolving, and the original certified version will lag behind the current virus threats very quickly.
')
So what's the use? It was unclear whether it would be easier for the administrator to work with the DOE after certification: no requirements for centralized management, modes of operation, etc. did not speak out. There were also less critical questions: why demand so many alerts? It was also obvious that certification is not easy: companies will need new expertise (for example, not all IT service providers have legal support).
Certification of Mee Traffic Inspector Next Generation
A little about the object of verification.
Traffic Inspector Next Generation is a software and hardware solution for network security. It is deployed as a gateway at the edge of the network and serves as an entry point to the network. Administered via a web interface over a secure HTTPS connection and over SSH using a terminal program. It uses FreeBSD 10 OS as the runtime environment.
According to the classification, Gartner belongs to the UTM (unified threat management), inspection and packet filtering make it possible to refer it to the next generation NGFW firewalls. Based decision on the open source project OPNsense .
According to the classification, Gartner belongs to the UTM (unified threat management), inspection and packet filtering make it possible to refer it to the next generation NGFW firewalls. Based decision on the open source project OPNsense .
Passing Test Scripts
In September 2016, we began interaction with the testing laboratory of Documentary Systems CJSC for certification, in December, the laboratory began to analyze the distribution provided. Certification FSTEK was pretty scrupulous. We checked not only the program code of the product and its modules, but also the basic operating system. Testing for the passage of test scripts took several months. The modifications were initially small: blocking specific traffic, creating alerts about various events.
I had to implement an offline installation of updates, since in some installations Traffic Inspector Next Generation is located inside the perimeter closed from the Internet.
Check for hidden code
Perhaps the most difficult part of the work was to prove that there are no undeclared capabilities either in the BIOS or on the drives of the hardware platforms. And here's one of the reasons why certification is a plus for the end user.
The proof procedure took about four more months: from May to August. This duration is understandable. In 2012, the malicious code was found in the lot of chips manufactured in China, which cost the managers of a single large brand of many nerve cells. Then about the "bookmarks" and started talking seriously. The decisive word was given to J. Brossard, who presented the report “ Hardware backdooring is convenient ” (Johnatan Brossard, Hardware Backdooring is practical) at the Black Hat conference. However, in our case, everything went pretty boring: there were no flaws and vulnerabilities.
Check code integrity, build audit
So that the user has guarantees that there will be no undesirable changes for the future - we had to add self-control of integrity upon the request of FSTEC. This includes checking the checksums of all immutable files and the configuration file, as well as automatic restoration of the configuration that was changed in an unauthorized way.
At the request of the supervising authority, all events related to configuration changes are now logged in detail. Notification is sent to the administrator during critical security events (for example, checksum difference). Thus, unauthorized modification of the system is excluded - another plus.
A lot of tasks were associated with the build audit. For the control assembly, we even had to configure the server so that the experts of the controlling body could see for themselves: specific object files are collected from specific sources, and binary files, in turn, from specific object files. The opportunity to fix the checksums of the source files was also provided.
Certification results
Improvements at the request of the FSTEC Commission have affected the event notification, logging, updating, integrity audit.
By November 2017, we had the opportunity to test the solution on a real case: we provided the local network of Tyumen State Medical University with a single point of access to the Internet. Information security specialists have evaluated the alert system and the ability to control locks through the browser, access statistics, and have a simple interface.
It took us a year to get certified. It was a big, difficult job that we did not regret. The product is fully tested, aligned with the requirements. Does this mean that network threats are not terrible with our firewall? Yes, if you follow the obvious security measures , and it is better to also train employees in the basic principles of network security. To date, no “bookmarks”, “backdoors” and other vulnerabilities have been found in our product. We continue to monitor its quality so that everything will be fine in the future.
You can argue a lot about whether certification is beneficial to the end user. But the main thing that seems to us is this: is the manufacturer ready to refine its product? Does he have the resources to correct the defects found on time? Is it open to criticism?
FSTEC certification in this context is a test showing the level of developer competence. We have passed it, which is why we have undisguised satisfaction. We respect our competitors, who also passed this test - it means that we have worthy rivals (however, their units). Well, and customers are another reason to think - if the supplier does not have an FSTEC certificate, is he as good as he is telling about himself? However, we do not insist on our opinion and are ready to discuss in the comments to the article :)
Team "Smart Soft"
Source: https://habr.com/ru/post/347666/
All Articles