Personal data protection in practice
Hello, Habr!
July 1 is approaching, and with it the need to comply with FZ-152 “On personal data”. In this regard I want to share my experience in this area. The Information Security blog already has a series of posts on writing the paperwork; however, besides paper, you may also need technical means of information protection, and that is what this post is about.
The first thing to keep in mind is that we may only use information protection tools that hold a valid certificate from FSTEC (for protection against unauthorized access, NSD) or from the FSB (for cryptography and firewalling). Unfortunately, certificates periodically expire, and if the manufacturer does not bother to renew one, an inspection may cause problems. There are two ways to avoid them:
1) Before purchasing a protection tool, ask the manufacturer or the supplier when the current certificate expires and whether the manufacturer intends to renew it. It is also worth looking at the manufacturer’s website: if a newer version exists, the certificate for the old one may not be extended.
2) If the tool has already been purchased and the manufacturer is not going to renew the certificate, you can contact the certification body yourself and obtain a certificate for your own copy (and only your own). For a certain amount of money, as you understand.
In addition, you need to decide which protection tools you actually need. If your ISPDn is a typical one, the requirements for protecting personal data are described in the appendix to FSTEC Order No. 58, which can be found here. If your ISPDn is special, the protection requirements are described in the “Private Threat Model ...”, which is compiled from a survey of the ISPDn. Let me explain right away: a typical ISPDn is an information system for which requirements are imposed only on the confidentiality of personal data, while availability and integrity are left aside. Why would you make an ISPDn special? In my opinion this matters only for class 1 ISPDn (K1), because its requirements include protection against PEMIN (spurious electromagnetic radiation and interference). Drawing up a “Private Threat Model ...” lets you get away from PEMIN and greatly simplifies life. PEMIN protection boils down to installing an electromagnetic noise generator and fixing the location and composition both of the ISPDn hardware and of all other hardware located in the same rooms. That is, you may make changes only by agreement with the body that performed the certification tests, and changes in the composition of the ISPDn can result in a verification check or recertification.
Let us assume we have dealt with PEMIN; now let us look at the information protection tools and the typical ways they are used. In general, all of them can be divided into several groups:
Local SZI NSD
SZI NSD is the abbreviation for a tool that protects information from unauthorized access. It is used to prevent unauthorized actions by users who have access to ISPDn workstations. Such tools include mechanisms like control of booting from removable media (CD/DVD, flash drives), device control (so that nobody can plug in a foreign USB flash drive and copy data off), and mandatory access control (not required for an ISPDn). I will list only the tools I have personally worked with:
1) Secret Net. It can be supplied with or without a boot control board. It works through secpol.msc, so it may not work on Home editions (on Windows XP Home it definitely does not work; I have not tested Vista and Windows 7 yet). It is quite simple to operate and has the best device control mechanism of those I have seen. There is a network version designed for integration into a domain structure.
2) Guard NT. The best mandatory access control mechanism. It is harder to operate (because some of the protective mechanisms cannot be turned off). There is no network version.
3) Dallas Lock. Loses on all the parameters considered above, except that its network version can be deployed normally in a network without a domain.
As the name implies, these tools are used on local machines. There is nothing more to add here.
Firewalls
Their purpose, I think, is clear. In addition, if one ISPDn is split into two parts by a firewall, we can rightfully call them two different ISPDn. What for? If you fall into the first class precisely because of the number of personal data subjects processed, then by splitting the ISPDn in two you reduce the number of subjects processed in each ISPDn and end up with K2 instead of K1. There are now several certified firewalls on the market:
1) VipNet Personal Firewall. Just a personal firewall without any frills. It is managed only locally; there is no centralized management mechanism. It requires a password at startup and will not start without it.
2) VipNet Office Firewall. The same thing, but it supports several network cards, which allows you to install it on a gateway and use it to segment an ISPDn.
3) SSPT-2. A hardware-software complex running on FreeBSD, although nobody will give you access to the OS itself. It works quickly and supports filtering by many parameters. It has one unpleasant feature: the rules are applied from top to bottom of the list, and the rules located higher have higher priority. This is not reflected in the documentation; I found it out empirically. It is managed both from the local console and through the web interface.
4) APKSH "Continent". Strictly speaking this is not a firewall but a crypto router, though with firewall (ME) functions. Architecturally it is similar to SSPT-2, but there is no management from the local console, only through a dedicated administrator console. Moreover, during initial setup you must specify the interface to which the administrator’s computer will be connected.
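To make the SSPT-2 ordering behaviour concrete, here is an added example (not from the original post and not vendor code) of a first-match rule evaluator in Python. The same two rules are listed in both orders, and a shadowing check flags the specific allow rule that can never fire when a broader deny sits above it. The rules, addresses and packets are constructed for illustration; the evaluator is a simplified model, not the SSPT-2 implementation.

```python
"""Added example: first-match firewall rule evaluation and shadowed-rule check.

Constructed for illustration; the rules, addresses and packets below are made up
and the evaluator is a simplified model, not the SSPT-2 implementation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    src: str              # CIDR such as "10.0.1.0/24", or "any"
    dst: str              # CIDR or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        """True if this rule applies to the packet (all fields must match)."""
        if self.src != "any" and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if self.dport is not None and self.dport != pkt["dport"]:
            return False
        return True


def evaluate(rules: List[Rule], pkt: dict, default: str = "deny") -> Tuple[str, str]:
    """Walk the list top to bottom; the first matching rule decides.

    Returns (action, rule name); the implicit default applies if nothing matched.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "implicit-default"


def _net_covers(outer: str, inner: str) -> bool:
    """True if every address in `inner` is also in `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner).subnet_of(ip_network(outer))


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet matching `later` would already match `earlier`."""
    return (_net_covers(earlier.src, later.src)
            and _net_covers(earlier.dst, later.dst)
            and (earlier.proto == "any" or earlier.proto == later.proto)
            and (earlier.dport is None or earlier.dport == later.dport))


def find_shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because a rule above them is at least as broad."""
    shadowed = []
    for i, later in enumerate(rules):
        if any(covers(earlier, later) for earlier in rules[:i]):
            shadowed.append(later.name)
    return shadowed


# Constructed rule set: ISPDn segment 10.0.2.0/24 behind the firewall,
# an admin workstation 10.0.1.10 that needs RDP into it, everything else denied.
DENY_ALL = Rule("deny_all_to_ispdn", "deny", "any", "10.0.2.0/24", "any", None)
ALLOW_RDP = Rule("allow_rdp_admin", "allow", "10.0.1.10/32", "10.0.2.0/24", "tcp", 3389)

WRONG_ORDER = [DENY_ALL, ALLOW_RDP]   # broad deny on top shadows the allow below it
RIGHT_ORDER = [ALLOW_RDP, DENY_ALL]   # specific allow first, catch-all deny last

# Constructed packets.
ADMIN_RDP = {"src": "10.0.1.10", "dst": "10.0.2.5", "proto": "tcp", "dport": 3389}
OTHER_HOST = {"src": "10.0.1.77", "dst": "10.0.2.5", "proto": "tcp", "dport": 3389}


if __name__ == "__main__":
    for label, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(label, "admin RDP ->", evaluate(rules, ADMIN_RDP),
              "| shadowed:", find_shadowed(rules))
```

Running `find_shadowed` over an exported rule list before applying it is a cheap way to catch exactly the mistake the undocumented top-to-bottom semantics invite: a catch-all deny placed above the exceptions it was meant to have.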
In addition, Security Code has released two more products: Security Studio Endpoint Protection (firewall + HIPS) and the TrustAccess distributed firewall, which combines firewalling and segmentation using Kerberos authentication. Since I have not had to work with these products, I will only provide links to their descriptions:
TrustAccess
SSEP
One more certified product is Stonegate Firewall/VPN from the Finnish company Stonesoft. It also comes with the CryptoPRO encryption module bolted on, which allows you to use it as a certified VPN solution.
SKZI
These are the means of cryptographic protection. Besides the already mentioned Stonegate Firewall/VPN, there are two more VPN solutions:
1) VipNet Custom. It is a suite consisting of VipNet Administrator (the management program), VipNet Coordinator (a VPN server with firewall functions) and VipNet Client (a VPN client and firewall). The management program is used only for generating keys and certificates; firewall settings can be managed only locally. The only help with administration is the built-in RDP. The suite also includes an internal messenger and internal mail. Its only advantage is that it is a purely software solution that is easily integrated into an existing infrastructure.
2) APKSH "Continent". I have already spoken about it above. I will only add that firewall functions have appeared in the latest version of the client (Continent-AP), and there is even a client for Linux. The crypto gateways themselves are managed only from the administrator’s console, but remotely. Another peculiarity is that the initial setup (that is, transferring the network configuration and keys to the crypto gateway) is done locally by feeding it a flash drive with all the necessary information. If you made a mistake when creating the configuration and have already shipped the crypto gateway to the remote site, you will not be able to reach it remotely to fix anything; you will have to generate the configuration again and somehow deliver it to the remote site.
That, in short, is a description of all the certified protection tools I know. I hope this information will be useful to the community.