PAK FPSU-IP and its perks

    Hardware VPNs in the Russian Federation are mostly built on the following equipment: CSP VPN Gate (rVPN), FPSU, Continent, Check Point, Infotecs ViPNet. In this article I will try to talk about FPSU, the "software and hardware complex 'Network-Layer Packet Filter - Internet Protocol'", which is used in at least two very large corporations, and whose perks have spread even wider across the territory of the Russian Federation.
    To my humble taste, the name is not great, especially the last four letters, which easily turn into "2СУ", "2IP", "2*3OSI" or something of the kind, because they all mean the same thing. I don't know why, but the video about CRIPO and their "Internet portal" immediately comes to mind. FPSU is developed by the Russian company Amikon and is intended for building tunnels between edge network equipment.

    Delivery

    The PAK is a 2U Helios chassis.
    The latest modifications are made in a blade form factor. Included in the delivery: 2 patch cords, 2 Touch Memory (TM) tokens, the software, and the KSZI formular (the product data sheet, for the regulators). This raises a question: hot standby of the PAK is an accepted practice, and for that there is a third Ethernet interface for synchronization, but no crossover cable is included (until 2010 the adapters in the FPSU could not auto-cross the pairs). Well, crimping one is not a problem, but the aftertaste remains. What is nice: when you unpack the FPSU you get a fully functional, ready-made PAK in which you only need to calibrate the random number generator (DSCh), write the configuration and issue the authenticators.
    Operation

    Linux components are now used as the OS; before that it was DOS. The funny thing is that the FPSU running DOS did not detect 95% of USB media, but if a stick was detected, every directory and file on it was accessible. After the upgrade to Linux, flash drives are detected without problems, but only the root of the disk is visible. Which of the two evils is the lesser? I had to get creative just to pull and update the config. Backward compatibility of versions and configurations is one-way: 2.50 will not accept a configuration from 2.53, while the reverse works without problems. I advise waiting a while before updating the OS ("measure seven times, cut once"); it has happened that an OS update contained more errors than the previous version. And in any case, the OS can only be updated after the new version has been certified by the FSB. The main setup steps from scratch:
    1. Check the serial numbering and MAC addresses of the network adapters (which one faces outside, which one faces inside)
    2. Set up the configuration and the correct version of the encryption keys
    3. Register the remote administrator: issue the FPSU authenticator
    4. Set up the hot standby mode.
    Classic problems

    I will describe what I encountered most often:
    1. In my region, the killer of FPSUs was dust and heat; as a result the PSU degraded. It did not burn out, it simply stopped delivering the required volt-ampere characteristics, and because of this the FPSU did not pass POST.
    2. Corruption of the statistics store: the FPSU is running but there are no tunnels; only reinstalling the OS helps.
    3. "OS Crashed": the boot device has changed; check the boot order in the BIOS.
    4. "* Accord": check the BIOS parameters, open the FPSU and reseat the Accord PCI card.
    5. "OS Starting ...": the PAK does not boot; only reinstalling the OS helps.
    6. The PAK works but there is no tunnel: if everything is fine with the network, check the key version at both ends of the tunnel, because symmetric encryption is used.
    7. From the point of view of OS logic there have never been problems in the FPSU, except for one. The number of nodes allowed to access a group is... 84. Why not 256 or 512, why is it limited at all?
    Additional features

    FPSU can be used as a firewall; it is not for nothing that the word "filter" is in its name. By default the PAK drops all unencrypted packets, but rules can be configured for the ports and protocols of the TCP/IP stack, which can save money when the load is small. Load plays a very large role for the FPSU in a star topology, because on the central node the keys of every transit FPSU are in use, and performing filtering and decryption at the same time becomes problematic (at least on the previous generation PAK, processor load sits constantly around 100%).
    Also, having 2 network interfaces lets you use the FPSU as a router. But this is a very extreme case.
    The remote administrator, and that is about it.
    It shows the status of tunnels, software versions, keys and node statistics; you can update and manage the PAK; there are various filters; in general, everything is fine. But there is one very useful feature, "Ping from the FSB", and it does not work! Someone probably forgot to uncomment it in the source during the build... Statistics are simply incredibly unoptimized: a 24 GB file is created in one business day.
    Perks

    FPSU-IP client.
    This is a USB token of the following kind. It is initialized in a special snap-in, where the configuration, the group number and the key of the FPSU to which it is attached are written into it. Moreover, this group must be activated on the FPSU. Using the token lets you build a VPN over the Internet, and it is also a firewall.
    In principle, it allows replacing an HSM in payment systems, ATMs and self-service terminals (USO).
    For correct configuration on the client computer you must install the software. When installing a clean "FPSU-IP / Client" software version 4.3, the installer hangs at the same point (the problem is intermittent). It is solved like this: install the older version 4.12 or 4.2, then roll 4.3 on top. Works!
    Bottom line

    In general, everything is at a fairly good level, but it seems to me that large contractual obligations do not let Amikon develop its products more intensively, and that would be interesting. Perhaps it would help get rid of the "childhood diseases", although in 10 years it should have been possible to solve them, because the OS versions for the FPSU keep changing while the legendary "PoDuplex" remains in the network adapter settings. "Stability is a sign of mastery" in this case is in no way in favor of domestic products costing from 100 thousand rubles per piece of iron.
