On March 11, 2010, in the Moscow office of Cisco, Misha Kader held an engaging seminar on the new customs rules in the territory of the customs union of Russia, Belarus and Kazakhstan, and on what Cisco is doing so that importing new equipment will finally delight both sellers and buyers again.
The article was published on 11.03 here, but at the request of the speaker it was sent for revision. Misha added a number of necessary references and comments, correcting me on the points that were not precisely stated. Many thanks to him for that!
The amended version is now published.
To start, a look at the history:
1. The customs rules for importation into the territory of the Russian Federation were first written as far back as 1995, and they already covered encryption and coordination with FAPSI (now the FSB) and the Ministry of Industry and Trade. It is just that nobody followed them. Here is a link to the decree for those interested.
2. In 2006, for accession to the WTO, a new, more flexible document was developed, removing a part of cryptography from import licensing. The document was never agreed.
3. At the end of 2009, taking the 2006 document as a basis, the FSB quickly agreed on new rules for importation into the territory of the single customs union. So from 01/01/2010, we simply got something that should have been working a long time ago. Here again, a link to these rules.
Under the new rules, some encryption functions are exempted from licensing (a full list can be found in the regulatory documents):
1. “Weak” encryption (symmetric encryption with a key length less than or equal to 56 bits, asymmetric encryption - 128 bits).
2. Encryption of management channels (SSH, HTTPS for management).
3. Encryption by wireless access points (with integrated antennas) of traffic transmitted over a distance of 400 m.
4. Encryption that is an integral part of a software product (operating system).
Internally, Cisco classifies its products as follows:
C1 - equipment that does not contain encryption at all. This is determined by the manufacturer or importer. There are a number of pitfalls here, about which more later.
C2 - equipment containing encryption, but exempted from licensing by filing notifications.
C3 - equipment containing strong encryption. It requires an FSB import permit, an import license from the Ministry of Industry and Trade, as well as an FSB license for distribution and maintenance.
C4 - equipment that is not yet classified and will move to C2 or C3.
The import conditions for each class:
C1 - does not require permits; import is free. But there is one subtlety: customs officers are meticulous people. They may well say: “How do I know if it is there or not? I do not trust these bourgeois”. In this case, for clarification, Cisco writes a letter to customs confirming the lack of encryption. If this is not enough for the customs officer, then he should write an official request to the FSB, which will send an official conclusion.
C2 - to import this equipment, customs must have a document on file: a notification. This document, covering a line of equipment (part numbers), is drawn up by the manufacturer or a trusted organization. These lists are submitted to the FSB, and within 2-3 weeks the documents are registered there. The document is then passed to customs, and after that the equipment goes through without trouble. You can see the existing notifications on the customs website. After that, the importer can safely import the specified hardware without additional documents. If a notification already exists but customs is holding things up and has not yet published it, Cisco is ready to provide a copy, up to a notarized one, for submission to customs (checked at Moscow and St. Petersburg customs).
Here is a link to the list of customs notifications already published.
C3 - to import and sell this equipment, the company must hold the appropriate FSB license (valid for a year), and also obtain permission from the Ministry of Industry and Trade to import for each delivery. Obtaining the permission can take an unpredictable amount of time. The position of the FSB is simple: we do not have the resources to track strong imported encryption, therefore we want to see only GOST in the territory of the Russian Federation, especially in state institutions and in personal data protection systems. If the customer does not intend to use encryption of the transmitted data (VPN), but wants to use equipment of class C3, he can write an official letter to the FSB; there have been precedents where C3 hardware was imported on the basis of such a letter for a specific customer (for example).
C4 - wait until they are transferred to C2 or C3.
Cisco was one of the first to submit lists for notification, and at the moment a lot of hardware and software has already been notified. This gives some competitive advantages.
In particular:
Many switches, access points, wireless controllers, ACS, IPS are notified.
The ISR G2 (19xx / 29xx / 39xx) routers are notified with the NPE OS (Non Payload Encryption: all security features are present except encrypted tunnels). The problem with security bundles has not been solved yet: they come with the data-encrypting IOS by default, and when it is replaced the bundle begins to cost more. Therefore, for now it is necessary not to order ready-made security bundles, but to assemble the configuration anew.
IOS NPE is promised soon for the 860-880-890 series (they are architecturally similar to ISR G2), so they too can be imported by notification.
The document is already ready, and the ISR G2 + RVPN solution (STerra GOST encryption module) will be certified for the protection of personal data up to and including class 1.
They promise to settle the situation with ASA in April. At present you cannot import ASA-K8 (56 bits), because it turns into K9 by simply entering the ASA serial number on the Cisco site. They promise that it will be possible to import ASA-K8 by notification, if there is a method to block the receipt of licenses for strong encryption.
P.S. It did not come out very literary, but I hope I helped a little to understand the current mess. In any case, this seminar helped me to dot the i's. If there are comments, do not hesitate: the topic is not entirely mine, I write what I heard. If you need contacts for the manufacture of FSTEK certificates in-line, write to 4u@anticisco.ru. I will try to connect you with responsible people from Moscow Cisco, and they promise all-round assistance (but not with money :)).