Information security hardware solutions USB over IP

    Recently I shared my experience in finding a solution for organizing centralized access to electronic security keys in our organization. In the comments, a serious question was raised about the information security of USB over IP hardware solutions, which we are very concerned about.

    So, first, we still decide on the initial conditions.

    • A large number of electronic security keys.
    • Access to them is necessary from various geographical locations.
    • We consider only USB over IP hardware solutions and try to secure this solution by taking additional organizational and technical measures (we are not considering the issue of alternatives yet).
    • In the framework of the article, I will not fully describe the threat models that we are considering (a lot can be found in the publication ), but I will dwell on two points. We exclude from the model social engineering and illegal actions of the users themselves. We are considering the possibility of unauthorized access to USB devices from any of the networks without having regular credentials.


    To ensure the security of access to USB devices, organizational and technical measures have been taken:

    1. Organizational security measures.

    A USB over IP-controlled hub is installed in a server-cabinet that locks with high-quality keys. Physical access to it is streamlined (ACS in the room itself, video surveillance, keys and access rights for a strictly limited circle of people).

    All USB devices used in the organization are conditionally divided into 3 groups:

    • Critical. Financial EDS - used in accordance with the recommendations of banks (not via USB over IP)
    • The important ones. EDS for trading floors, services, EDI, reporting, etc., a number of keys for software - are used using a controlled USB over IP hub.
    • Not critical. A number of keys for software, a camera, a number of flash drives and disks with non-critical information, USB modems are used using a USB over IP-controlled hub.

    2. Technical safety measures.

    Network access to a managed USB over IP hub is provided only within an isolated subnet. Access to an isolated subnet is provided:

    • from the terminal server farm,
    • VPN (certificate and password) to a limited number of computers and laptops; VPNs give them permanent addresses,
    • VPN tunnels connecting regional offices.

    The following functions are configured on the DistKontrolUSB most managed USB over IP hub using its standard tools:

    • Encryption is used to access USB devices on a USB over IP hub (SSL encryption is enabled on the hub), although this may already be superfluous.
    • Configured "restricting access to USB devices by IP address." Depending on the IP address, the user is granted or not access to the assigned USB devices.
    • Configured "Restricting access to the USB port by login and password." Accordingly, users are assigned rights to access USB devices.
    • "Restricting access to a USB device by login and password" decided not to use, because all USB keys are permanently connected to the USB over IP hub and are not rearranged from port to port. For us it is more logical to provide users with access to a USB port with a USB device installed in it for a long time.
    • Physical turning on and off of USB ports is carried out:

      • For keys to software and EDI - with the help of the task scheduler and assigned tasks of the concentrator (a number of keys were programmed to be turned on at 9.00 and off at 18.00, a row from 13.00 to 16.00);
      • For keys to trading floors and a number of software - by authorized users through the WEB interface;
      • Cameras, a number of flash drives and disks with non-critical information are always included.

    We assume that such organization of access to USB devices ensures their safe use:

    • from regional offices (conditionally NET No. 1 ....... NET No. N),
    • for a limited number of computers and laptops connecting USB devices through the global network,
    • for users published on terminal application servers.

    In the comments, I would like to hear specific practical measures that increase the information security of providing global access to USB devices.

    Also popular now: