I want to share our year of experience finding a way to organize centralized, orderly access to electronic protection keys in our organization (keys for access to trading sites, banking, software protection keys, etc.). Our branches are geographically very distant from each other and each holds several electronic protection keys, so a key is always needed, but in a different branch from the one where it is kept. After yet another fuss over a lost key, management set the task: solve this problem by gathering ALL USB protection devices in one place and making them usable regardless of the employee's location.
So, we needed to collect in one office all our keys: client-bank, 1C (HASP), Rutoken, ESMART Token USB 64K, etc., for subsequent use on remote physical machines and Hyper-V virtual machines. The number of USB devices is 50-60, and that is certainly not the limit. The virtualization servers are located outside the office (in a data center); all USB devices are located in the office.
We studied the existing technologies for centralized access to USB devices and decided to focus on USB over IP. It turns out that a great many organizations use this solution. There are both hardware and software USB over IP products on the market, but they did not suit us. Accordingly, the discussion below deals only with the choice of hardware USB over IP, and first of all with our own choice. We also excluded (unnamed) devices from China from consideration.
The hardware USB over IP solutions most widely described on the Internet are devices manufactured in the USA and Germany. For detailed study, we purchased a large rack-mount version of the American USB over IP device, with 14 USB ports and 19-inch rack mounting, and the German USB over IP device, with 20 USB ports, also mountable in a 19-inch rack. Unfortunately, these manufacturers had no USB over IP devices with more ports.
The first device is very expensive and interesting (there are many reviews of it on the Internet), but it has one very big drawback: it has no authorization mechanism for connecting to USB devices. Anyone who installs the USB connection application gets access to all the keys. In addition, as practice showed, the “esmart token est64u-r1” USB device cannot be used with this device or, looking ahead, with the “German” one on Windows 7: connecting to it causes a persistent BSOD.
The second USB over IP device seemed more interesting to us. The device has a large set of settings related to network functions. The USB over IP interface is logically partitioned, so the initial setup was fairly simple and fast. But, as mentioned earlier, there were problems with connecting a number of keys.
Studying hardware USB over IP further, we came across domestic manufacturers. The model range includes 16-, 32-, 48- and 64-port versions that can be mounted in a 19-inch rack. The functionality described by the manufacturer was even richer than that of the USB over IP devices we had acquired earlier. From the start, I liked the fact that the domestic managed USB over IP hub provides two-step protection for USB devices when sharing USB over the network:
- Remote physical switching on and off of USB devices;
- Authorization to connect USB devices by login, password and IP address.
- Authorization to connect USB ports by login, password and IP address.
- Logging of all switch-ons and connections of USB devices by clients, as well as attempts at them (incorrect password entry, etc.).
- Encryption of traffic (which, in fairness, was not bad on the German model either).
- In addition, it helped that the device, although not cheap, is several times cheaper than those purchased earlier (the difference becomes especially significant per port; we were considering the 64-port USB over IP).
We decided to check with the manufacturer about support for the two types of smart tokens that had given us connection problems earlier. We were told that they do not give a 100% guarantee of support for absolutely all USB devices, but that they had not yet found a single device that caused problems. We were not satisfied with that answer and offered to send the manufacturer our tokens for testing (fortunately, shipping by a transport company cost only 150 rubles, and we have plenty of old tokens). Four days after we sent the keys, we were given connection details and connected without trouble from Windows 7, Windows 10 and Windows Server 2008. Everything worked fine: we connected our tokens without any problems and were able to work with them.
We purchased a managed USB over IP hub with 64 USB ports. All 64 ports (32 keys, and the rest flash drives, hard disks and 3 USB cameras) were connected from 18 computers in different branches, and all devices worked without problems. Overall, we were satisfied with the device.
I am not naming the USB over IP devices or their manufacturers (to avoid advertising); they are easy to find on the Internet.