Secure Remote Terminal

    With the adoption of Federal Law 152-FZ on the protection of personal data, solutions periodically appear on the market that let you build an enterprise information system that is ready for certification.
    In this post I will describe one such solution, developed jointly by employees of Aladdin, Citrix, S-Terra and TONK.


    So that the respected Habr reader does not have to go looking for a definition of personal data, here is a link to the wiki: en.wikipedia.org/wiki/%D0%9F%D0%B5%D1%80%D1%81%D0%BE%D0%BD%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5_%D0%B4%D0%B0%D0%BD%D0%BD%D1%8B%D0%B5 (the percent-encoded title is Персональные_данные, "Personal data").

    First, I want to note that you should not certify the organization's entire information system for the processing of personal data: it is expensive, and the regulations do not require it. Only the part of the information system in which personal data is stored or processed needs to be certified.

    To be certifiable, the information system must be built from certified components, that is, from products that hold certificates from the relevant state bodies: FSTEC, which certifies the absence of undeclared capabilities (undocumented functions) in a product, and the FSB, which certifies products that use cryptography (meaning the national GOST algorithms).

    The described solution is aimed primarily at the financial and credit sector (banks, insurance companies, etc.) and, more generally, at organizations that have points of presence outside the main office and process personal data there.

    Solution scheme: [diagram]

    The TONK 1211 thin client was used as the terminal the remote user works on. The following software was additionally installed on it:
    1. Citrix Online Plug-in,
    2. CryptoPro CSP (a cryptographic service provider that implements the GOST encryption algorithms),
    3. eToken PKI Client (driver and middleware for working with eToken keys),
    4. S-Terra VPN Client.

    S-Terra CSP Gate 1000 was used as the VPN gateway to which the remote clients connect.

    The organization's internal infrastructure consists of:
    1. An Active Directory domain controller deployed on a certified version of Windows Server 2003 Std. Microsoft Certification Authority is installed on the domain controller together with CryptoPro CSP, which allows it to issue GOST certificates.
    2. The certified eToken TMS 2.0 system for managing eToken keys and smart cards in the organization.
    3. Certified Citrix XenApp 4.5 FP1, deployed on a certified Windows Server 2003 Std.

    Work scenario:
    1. The user turns on the thin client and the operating system starts loading. Before the desktop appears, S-Terra VPN Client prompts the user to insert the eToken key holding the certificate and to enter the PIN. Certificate authentication is performed and an IPsec VPN tunnel is established between the thin client and the S-Terra CSP Gate 1000 using the GOST encryption algorithms.
    It should be noted that the IPsec VPN tunnel is established before the desktop loads, so the user's desktop session, including the browser and the Citrix client, only starts once the encrypted channel to the corporate network already exists.

    2. After the desktop loads, Internet Explorer starts with the Citrix Web Interface, located inside the corporate network, as its start page. The user authenticates to the Citrix Web Interface with a second certificate stored on the same eToken key (separate from the one used to establish the VPN) and gets access to the applications published for them.

    Thus, the described solution meets the requirement to encrypt the channels over which personal data is transmitted, and does so with certified products. Because it consists entirely of certified components, building it into an information system will not create problems at certification.

    This solution was presented at the Citrix Virtualization Conference on April 4, 2010, as well as at Aladdin events.

    PS For those interested, here are links to the websites of the companies whose products were used in the solution:
    www.aladdin.ru - multi-factor authentication solutions
    www.citrix.ru - virtualization and application delivery solutions
    www.s-terra.com - solutions for building IPsec VPNs using Russian cryptography
    www.tonk.ru - manufacturer of thin clients
    www.crypto-pro.ru - developer of a cryptographic provider implementing Russian cryptography
