
Secure remote terminal

Since the adoption of Federal Law 152-FZ on personal data, solutions periodically appear on the market that let you build an enterprise information system that is ready for certification.
In this post I describe one such solution, developed jointly by staff of Aladdin, Citrix, S-Terra and TONK.


So that respected Habr users don't have to look up what personal data is, here is the link to the wiki: ru.wikipedia.org/wiki/Персональные_данные

First, note that it is not necessary to certify the organization's entire information system for the processing of personal data: that is expensive, and the regulatory documents do not require it. Only the part of the information system in which personal data is stored or processed needs to be certified.

To be certifiable, an information system must be built from certified components, that is, from products holding certificates from the state regulators: FSTEC (certification for the absence of undeclared capabilities in the product) and, if the product uses cryptography, the FSB (the cryptography must be the national GOST algorithms).

The solution described here was aimed primarily at the financial and credit sector (banks, insurance companies, etc.) and, more generally, at organizations that have points of presence outside the main office and process personal data there.

Solution scheme: [diagram]

The TONK 1211 thin client is the terminal at which the remote user works. The following software was additionally installed on it:
1. Citrix Online Plug-in;
2. CryptoPro CSP (a crypto-provider implementing the GOST encryption algorithms);
3. eToken PKI Client (the driver for working with eToken keys);
4. S-Terra VPN Client.

The S-Terra CSP Gate 1000 hardware/software appliance serves as the VPN gateway that the remote clients connect to.

The organization's internal infrastructure consists of:
1. An Active Directory domain controller deployed on a certified version of Windows Server 2003 Std. Microsoft Certificate Services is installed on the domain controller together with CryptoPro CSP, which allows it to issue GOST certificates. The certified eToken TMS 2.0 system manages the eToken keys and smart cards in the organization.
2. Certified Citrix XenApp 4.5 FP1, deployed on a certified Windows Server 2003 Std.

Work scenario:
1. The user turns on the thin client and the operating system starts loading. Before the desktop opens, the S-Terra VPN Client prompts the user to insert the eToken key holding the certificate and to enter its PIN. The certificate is verified and an IPsec VPN tunnel is established between the thin client and the S-Terra CSP Gate 1000 using GOST-based encryption algorithms.
Note that the IPsec VPN tunnel is established before the desktop is loaded, so the thin client never exposes the user's session to the network outside the tunnel.

2. After the desktop loads, Internet Explorer starts with the Citrix Web Interface, located inside the corporate network, as its start page. The user authenticates to the Citrix Web Interface with a second certificate stored on the same eToken key and gains access to the required published applications.

Thus, the described solution meets the requirements for encrypting data transmission channels when processing personal data and for using certified products when building the system.
Because it consists of certified components, building it into an information system does not create obstacles to certifying that system.

This solution was presented at the Citrix Virtualization Conference on April 4, 2010, as well as at Aladdin events.

PS For those interested, here are links to the websites of the companies whose products are used in the solution:
www.aladdin.ru - multifactor authentication solutions
www.citrix.ru - virtualization and application delivery solutions
www.s-terra.com - solutions for building IPSec VPN using Russian cryptography
www.tonk.ru - thin client manufacturer
www.crypto-pro.ru - developer of a crypto-provider providing Russian cryptography

Source: https://habr.com/ru/post/94476/
