The code was checked literally line by line: how our firewall passed FSTEC certification

    On December 9, 2016, the Firewall Requirements approved in the FSTEC information notice dated April 28, 2016 entered into force. All firewalls (abbreviated ME in Russian), whether produced, supplied or developed, must be certified by the time the Requirements enter into force.

    A year has passed, and so what? Only a few companies can boast a certificate, among them Smart-Soft. Now that we have gone through all the thorns of certification, we are not at all surprised that so few have reached the end. We will tell you how our product adapted to the new conditions, share the specifics of the state verification, and show whether the improvements benefit the end user. However, first things first.

    Surprise attack

    For firewall manufacturers, the interest in certification is obvious: it is a “pass” to the B2G market (in other words, to state organizations: medical institutions, schools, universities, etc.). A number of experts, however, have already expressed doubts about the real benefit of the certificate to the consumer. In particular, it was noted that the manufacturer was not required to add a product update function. At the same time, malware is constantly evolving, and the initially certified version will very quickly lag behind current virus threats.

    So what's the use? It was unclear whether the firewall would be more convenient for the administrator to work with after certification: no requirements for centralized management, operating modes, and so on were stated. There were also less critical questions: why require sending so many alerts? It was also obvious that certification would not be easy: companies would need new expertise (for example, not all IT service providers have legal support).

    Specifics of certifying the Traffic Inspector Next Generation firewall


    A little bit about the object of verification.
    Traffic Inspector Next Generation is a hardware and software solution for network security. It is deployed as a gateway at the network boundary and serves as the entry point to the network. It is administered via a web interface over a secure HTTPS connection and over SSH using a terminal program. It runs on the FreeBSD 10 operating system.

    In Gartner's classification it belongs to UTM (unified threat management); its packet inspection and filtering also allow it to be classified as an NGFW, a next-generation firewall. It is based on the open source OPNsense project.


    Passing the test scenarios

    In September 2016, we began working with the testing laboratory of Documentary Systems CJSC on certification, and in December the laboratory began to analyze the distribution kit we provided. FSTEC certification was rather scrupulous. The check covered not only the program code of the product and its modules, but also the underlying operating system. Working through the test scenarios took several months. The improvements were small at first: blocking specific traffic, creating alerts about various events.

    We had to implement offline installation of updates, because in some installations Traffic Inspector Next Generation is located inside a perimeter that is closed off from the Internet.

    Checking for hidden code


    Perhaps the most difficult part of the work was to prove that there are no undeclared capabilities either in the BIOS or on the drives of the hardware platforms. And here is one of the reasons certification is a plus for the end user.

    The proof procedure took another four months: from May to August. This duration is understandable. In 2012, malicious code was found in a batch of microchips manufactured in China, which cost the managers of one large brand a lot of nerves. That was when people started talking seriously about hardware “implants”. The final word went to Jonathan Brossard, who presented the talk “Hardware Backdooring is Practical” at the Black Hat conference. However, in our case, everything turned out rather dull: no flaws or vulnerabilities were found.

    Code integrity verification, build audit


    To guarantee the user that no unwanted changes will appear in the future, we had to add integrity control at the request of FSTEC. This includes checking the checksums of all immutable files and of the configuration file, as well as automatically restoring a configuration that was changed without authorization.

    At the request of the regulatory authority, all events related to configuration changes are now logged in detail. A notification is sent to the administrator in case of critical security events (for example, a difference in checksums). Thus, unauthorized modification of the system is excluded - another plus.
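
    The integrity control described above, as an added Python example that is not Smart-Soft's implementation: it records checksums of the immutable files and the configuration, reports mismatches as critical events, and restores a changed configuration from a trusted copy. The file names, the `vault` directory and the `integrity` logger are assumptions, and SHA-256 is chosen here because the article does not name the checksum algorithm.

```python
import hashlib, logging, shutil, tempfile
from pathlib import Path

log = logging.getLogger("integrity")  # assumed to feed the administrator alerts

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def make_baseline(immutable, config, vault):
    """Record reference checksums and keep a trusted copy of the config."""
    trusted = Path(vault) / (Path(config).name + ".trusted")
    shutil.copy2(config, trusted)
    return {"files": {str(p): sha256(p) for p in immutable},
            "config": str(config), "config_sum": sha256(config),
            "trusted": str(trusted)}

def verify(base):
    """Return (event, path) alerts; restore the config if it was changed."""
    alerts = []
    for path, expected in base["files"].items():
        if not Path(path).is_file():
            alerts.append(("missing", path))
        elif sha256(path) != expected:
            alerts.append(("modified", path))
    cfg, trusted = Path(base["config"]), Path(base["trusted"])
    if not cfg.is_file() or sha256(cfg) != base["config_sum"]:
        # Restore only from a copy that itself still matches the baseline.
        if trusted.is_file() and sha256(trusted) == base["config_sum"]:
            shutil.copy2(trusted, cfg)
            alerts.append(("config_restored", str(cfg)))
        else:
            alerts.append(("config_restore_failed", str(cfg)))
    for event, path in alerts:
        log.critical("integrity event=%s path=%s", event, path)
    return alerts

def demo():
    """Constructed sample: one binary and one config in a temp directory."""
    root = Path(tempfile.mkdtemp())
    binary, config = root / "fwd.bin", root / "config.xml"
    (root / "vault").mkdir()
    binary.write_bytes(b"\x7fELF constructed sample")
    config.write_text("<rule action='block'/>")
    base = make_baseline([binary], config, root / "vault")
    clean = verify(base)                          # nothing changed yet
    config.write_text("<rule action='pass'/>")    # unauthorized edit
    binary.write_bytes(b"patched")                # tampered immutable file
    events = [e for e, _ in verify(base)]
    return clean, events, config.read_text()
```

    An authorized configuration change has to rebuild the baseline through `make_baseline`, otherwise the next check treats it as tampering and rolls it back.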

    There were many tasks associated with the build audit. For the control build, we even had to set up a server so that the specialists of the controlling body could see for themselves that specific object files are built from specific source files and that the binaries, in turn, are built from specific object files. It was also made possible to record the checksums of the source files.

    Certification Results


    Improvements at the request of the FSTEC commission concerned the event notification system, logging, updating, and integrity audit.

    By November 2017, we had the opportunity to test the solution on a real case: we provided the local network of Tsogu with a single point of access to the Internet. Information security experts evaluated the notification system, the ability to manage blocking through a browser, access to statistics, and the simple interface.

    It took us a year to get certification. It was a big, difficult job, which we do not regret. The product is fully tested and aligned with the requirements. Does this mean that with our firewall network threats are not scary? Yes, provided the obvious safety precautions are observed; better still, also train employees in the basic principles of network security. To date, no “implants”, “backdoors” or other vulnerabilities have been found in our product. We continue to monitor its quality so that everything stays in order in the future.

    There is much debate about whether certification is useful to the end user. But the main question, it seems to us, is this: is the manufacturer ready to modify its product? Does it have the resources to correct the shortcomings found on time? Is it open to criticism?

    FSTEC certification in this context is a test showing the level of competence of the developer. We passed it, which gives us undisguised satisfaction. We respect our competitors who also passed this test, which means that we have worthy rivals (however, there are only a few of them). And for customers this is another reason to think: if the supplier does not have the FSTEC certificate, is it as good as it says it is? However, we do not insist on our opinion and are ready to discuss in the comments to the article :)

    Smart-Soft Team
