Centralized access to digital signatures and other keys of electronic protection using hardware USB over IP

I want to share our one-year experience of finding a solution for organizing centralized and orderly access to electronic security keys in our organization (keys for accessing trading platforms, banking keys, software protection keys, etc.). Our branches are geographically quite far apart, and each of them holds several electronic protection keys; the keys are always needed, but in different branches at different times. After yet another fuss over a lost key, management set the task of solving this problem: collect ALL USB protection devices in one place and make sure employees can work with them regardless of their location.

So, we needed to collect in one office all the keys available in our company (client-bank keys, 1C licenses (HASP), Rutokens, ESMART Token USB 64K, etc.) for subsequent use on remote Hyper-V physical and virtual machines. The number of USB devices is 50-60, and that is certainly not the limit. The virtualization servers are located outside the office (in a data center); all the USB devices are located in the office.

We studied the existing technologies for centralized access to USB devices and decided to settle on USB over IP. It turns out that many organizations use exactly this solution. There are both hardware and software USB over IP products on the market, but the software ones did not suit us. Accordingly, from here on we focus only on the choice of a hardware USB over IP device, and above all on the one we chose. Nameless devices from China were also excluded from consideration.

The hardware USB over IP solutions most often described on the Internet are devices manufactured in the USA and Germany. For detailed study, we purchased the large rack-mount version of the US USB over IP, designed for 14 USB ports and mountable in a 19 inch rack, and the German USB over IP, designed for 20 USB ports and also mountable in a 19 inch rack. Unfortunately, these manufacturers did not offer USB over IP devices with a larger number of ports.

The first device is very expensive and interesting (the Internet is full of reviews), but it has one very big minus: there is no authorization for connecting USB devices. Anyone who installs the client application for connecting USB gets access to all the keys. In addition, as practice showed, the USB device "esmart token est64u-r1" is unusable with this device and, looking ahead, with the German one as well, on Windows 7: connecting it causes a persistent BSOD.

The second USB over IP device seemed more interesting to us. It has a large set of settings related to network functions. The USB over IP interface is logically partitioned, so the initial setup was fairly simple and fast. But, as mentioned above, there were problems connecting a number of keys.

Studying hardware USB over IP further, we came across domestic manufacturers. The model range includes 16, 32, 48 and 64 port versions with the ability to mount in a 19 inch rack. The functionality described by the manufacturer was even richer than that of the previous USB over IP devices. What I liked from the start was that the domestic managed USB over IP hub provides two-step protection for USB devices shared over the network:

  1. Remote physical turning on and off of USB devices.
  2. Authorization for connecting USB devices by login, password and IP address.
  3. Authorization for connecting USB ports by login, password and IP address.
  4. Logging of all power-ups and connections of USB devices by clients, as well as attempts to do so (incorrect password entry, etc.).
  5. Traffic encryption (which, in principle, was not bad on the German model either).
  6. Additionally, it suited us that the device, although not cheap, was several times cheaper than the ones purchased earlier (the difference becomes especially significant when calculated per port; we considered a 64-port USB over IP).
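To make the two-step policy from the list above concrete, here is a small model of it in Python. This is an added example and not the hub's firmware or API: a port must be powered on (step 1) before a client can attach, and the client must then present a login and password from an allowed IP range (steps 2 and 3); every decision, including failed attempts, goes to an audit log (step 4). The port number, login, subnet and passwords in `demo()` are constructed values.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000  # slow hash so stored credentials are not trivially brute-forced


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-SHA256 digest); a fresh random salt is used unless one is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Port:
    enabled: bool = False                          # step 1: remote physical power on/off
    users: dict = field(default_factory=dict)      # login -> (salt, digest)
    networks: list = field(default_factory=list)   # ip_network objects allowed to connect


@dataclass
class Hub:
    ports: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)      # step 4: every event, successful or not

    def _log(self, event, port, login, ip, result):
        self.audit.append({"event": event, "port": port, "login": login,
                           "ip": ip, "result": result})

    def set_power(self, port, on):
        """Remotely power a port on or off; powered-off ports reject all clients."""
        self.ports.setdefault(port, Port()).enabled = on
        self._log("power", port, None, None, "on" if on else "off")

    def grant(self, port, login, password, cidrs):
        """Allow `login` to attach to `port`, but only from the given networks."""
        p = self.ports.setdefault(port, Port())
        p.users[login] = hash_password(password)
        p.networks = [ipaddress.ip_network(c) for c in cidrs]

    def connect(self, port, login, password, client_ip):
        """Evaluate a client's attach request; returns a short reason string."""
        p = self.ports.get(port)
        ip = ipaddress.ip_address(client_ip)
        if p is None or not p.enabled:
            result = "port disabled"
        elif not any(ip in net for net in p.networks):
            result = "ip not allowed"
        else:
            cred = p.users.get(login)
            if cred is None:
                hash_password(password)  # burn the same time as a real check
                result = "bad credentials"
            else:
                salt, digest = cred
                _, candidate = hash_password(password, salt)
                ok = hmac.compare_digest(candidate, digest)  # constant-time compare
                result = "ok" if ok else "bad credentials"
        self._log("connect", port, login, client_ip, result)
        return result

    def failed_attempts(self):
        """Denied connection attempts, the records an admin would review."""
        return [e for e in self.audit if e["event"] == "connect" and e["result"] != "ok"]


def demo():
    """Walk one port through the policy; constructed values, not real branch data."""
    hub = Hub()
    hub.grant(12, "accountant", "correct horse", ["10.1.0.0/16"])  # branch subnet (constructed)
    hub.set_power(12, False)
    r1 = hub.connect(12, "accountant", "correct horse", "10.1.4.7")    # port powered off
    hub.set_power(12, True)
    r2 = hub.connect(12, "accountant", "correct horse", "192.168.5.5") # wrong network
    r3 = hub.connect(12, "accountant", "wrong", "10.1.4.7")            # wrong password
    r4 = hub.connect(12, "accountant", "correct horse", "10.1.4.7")    # all checks pass
    return hub, [r1, r2, r3, r4]


if __name__ == "__main__":
    hub, results = demo()
    print(results)
    for entry in hub.failed_attempts():
        print("denied:", entry)
```

The ordering of the checks is deliberate: the cheapest and most absolute check (is the port even powered?) runs first, the IP allowlist second, and only then is a password hash computed, so an unauthorized network cannot use the hub to guess passwords. This mirrors why the first device's lack of authorization mattered so much: without steps 2 and 3, anyone who can reach the hub's IP can attach any key.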

We decided to clarify with the manufacturer how things stood with support for the two types of smart tokens that had connection problems earlier. We were told that they do not give a 100% guarantee of support for absolutely every USB device, but had not yet found a single device that had problems. We were not satisfied with that answer and suggested that we send the tokens to the manufacturer for testing (shipping by courier cost only 150 rubles, and we have plenty of old tokens). 4 days after the keys were sent, we were given connection details and were able to connect without issues from Windows 7, Windows 10 and Windows Server 2008. Everything worked fine: we connected our tokens without any problems and were able to work with them.
We purchased a managed USB over IP hub with 64 USB ports. We connected all 64 ports from 18 computers in different branches (32 keys, and the rest flash drives, hard drives and 3 USB cameras), and all the devices worked without problems. Overall, we were satisfied with the device.

I do not give the names or manufacturers of the USB over IP devices (so as not to advertise); they are easy enough to find on the Internet.

