Gigabit GOST VPN. TSS Diamond

    A VPN channel is a necessity for almost every company that has remote branches or simply remote employees. There is a large number of technologies and protocols for building such channels (IPsec, GRE, L2TP, etc.), and most modern equipment supports them. However, there is a category of organizations that are forced (and it is precisely forced) to use solutions that support the domestic cryptographic algorithms, i.e. GOST VPN. Implementing the GOST algorithms on Linux-like systems is not hard in itself; the problem is that obtaining an FSB certificate (as a means of cryptographic information protection, SKZI) is practically impossible for foreign solutions (Cisco, Check Point, Fortinet, etc.). As a result, the choice of equipment narrows sharply. Until now, the following options have been considered in such cases:

    • S-terra
    • APKS Continent
    • Ideco MagPro GOST-VPN
    • Vipnet
    • Outpost

    However, at the moment it is very hard to find a solution that supports gigabit GOST VPN. There are various “tricky” ways around this problem, for example placing several devices on each side and load-balancing across several VPN tunnels to raise the total bandwidth of the channel.
    Example from S-terra:

    This solution is not always applicable and not always affordable. Looking for a compromise, we learned of another very interesting solution, TSS Diamond. TSS claims that its hardware can build a VPN channel with bandwidth above one gigabit, and from a single box, without aggregation... We decided not to take the marketing materials on faith and to test everything ourselves. For this the vendor kindly provided us with two boxes for testing: Diamond VPN/FW Enterprise 5111.


    Then we quickly put together the simplest test topology:


    i.e. the two devices are connected directly to each other (over optical links). Cisco TRex was used to measure the throughput of the VPN tunnel.

    Setup


    We describe the setup procedure briefly. All configuration is done through a clear web interface. In our case the first gateway acts as the VPN server and the second as the VPN client.

    Configuring the server
    1) Configuring network interfaces:



    2) Adding certificates (install new PKI ...):



    result:



    3) VPN connection settings:



    The status should be Running



    4) Now add a route to “wrap” the traffic into the VPN tunnel:



    Configuring the client

    1) Configuring network interfaces:



    2) Add a certificate:



    3) VPN connection settings:



    Check that the status is Running:



    4) “Wrap” the traffic into the tunnel with a static route:



    After that, the event log contains an entry about the successful VPN connection:



    Bandwidth check


    As mentioned earlier, Cisco TRex was used to test the throughput of the VPN tunnel. We tested both small and large packets, in duplex, i.e. in both directions at once (upload/download). Here are some of the results:

    1) 64-byte packets



    2) 594-byte packets



    3) 1500-byte packets



    4) 9000-byte packets



    All of these tests were run for L3 VPN; L2 VPN gives approximately the same figures.
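    When reading throughput numbers from a packet generator, the frame size matters more than the nominal link speed: a generator like TRex reports L2 bytes, while the wire also carries preamble and inter-frame gap, and the encrypted side of the tunnel carries extra bytes per packet. The small script below, an added example that is not code from the original post and not TSS or TRex code, works out the line-rate packet rate, the maximum visible L2 throughput and an upper bound on cleartext goodput through the tunnel for the four frame sizes used in the test. It assumes standard Ethernet framing and a constant, assumed per-packet tunnel overhead of 70 bytes; the real overhead of the Diamond GOST tunnel is not stated on the page, and fragmentation of oversize frames is not modeled.

```python
"""Line-rate arithmetic for interpreting a TRex throughput run.

Added example, not code from the original post, TSS or TRex. Assumes standard
Ethernet framing (8 bytes preamble+SFD, 12 bytes inter-frame gap, frame size
counted including the 4-byte FCS) and an ASSUMED constant per-packet tunnel
overhead; fragmentation of frames that outgrow the MTU is not modeled.
"""

PREAMBLE_SFD = 8    # bytes of preamble + start-of-frame delimiter per frame
IFG = 12            # minimum inter-frame gap in bytes
GIGABIT = 1_000_000_000
FRAME_SIZES = (64, 594, 1500, 9000)   # the sizes used in the test above
ASSUMED_TUNNEL_OVERHEAD = 70          # bytes added per packet (assumption)


def wire_bytes(frame_len):
    """Bytes a frame of frame_len (including FCS) occupies on the wire."""
    return frame_len + PREAMBLE_SFD + IFG


def line_rate_pps(frame_len, link_bps=GIGABIT):
    """Maximum frames per second a link can carry at this frame size."""
    return link_bps / (8 * wire_bytes(frame_len))


def l2_bps(frame_len, pps):
    """L2 throughput (frame bytes only, no preamble/IFG) at a given packet rate.
    This is the figure a generator such as TRex reports as Tx/Rx bandwidth."""
    return pps * frame_len * 8


def max_l2_utilization(frame_len):
    """Fraction of the nominal link rate visible as L2 throughput at line rate:
    64-byte frames can never show more than ~76% of a 'gigabit'."""
    return frame_len / wire_bytes(frame_len)


def required_pps(target_bps, frame_len):
    """Packet rate the crypto engine must sustain to show target_bps of L2
    throughput at this frame size. The packet rate, not the bit rate, is what
    limits small-packet VPN performance."""
    return target_bps / (frame_len * 8)


def max_cleartext_goodput_bps(frame_len, overhead=ASSUMED_TUNNEL_OVERHEAD,
                              link_bps=GIGABIT, duplex=True):
    """Upper bound on cleartext L2 throughput through a tunnel whose encrypted
    side runs on a link_bps link, assuming the crypto engine is not the
    bottleneck. Each cleartext frame grows by `overhead` bytes on the wire."""
    encrypted_pps = line_rate_pps(frame_len + overhead, link_bps)
    per_direction = l2_bps(frame_len, encrypted_pps)
    return 2 * per_direction if duplex else per_direction


def summary_table(link_bps=GIGABIT):
    """Rows of (frame size, line-rate Mpps, max L2 Gbit/s, max duplex cleartext
    Gbit/s through the tunnel) for the frame sizes used in the test."""
    rows = []
    for size in FRAME_SIZES:
        pps = line_rate_pps(size, link_bps)
        rows.append((size,
                     round(pps / 1e6, 3),
                     round(l2_bps(size, pps) / 1e9, 3),
                     round(max_cleartext_goodput_bps(size, link_bps=link_bps) / 1e9, 3)))
    return rows


if __name__ == "__main__":
    print("frame  Mpps@line  L2 Gbit/s  tunnel duplex Gbit/s")
    for size, mpps, l2, tun in summary_table():
        print(f"{size:5d}  {mpps:9.3f}  {l2:9.3f}  {tun:19.3f}")
    print("pps needed for 1 Gbit/s of L2 at 64 B:", int(required_pps(GIGABIT, 64)))
```

    The practical takeaway: at 64 bytes a gigabit link is about 1.49 Mpps, and a 64-byte test that shows 1 Gbit/s of L2 throughput would actually need about 1.95 Mpps from the crypto engine, so compare small-packet results in packets per second, and compare large-packet results against the datasheet bit rate.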

    What does the datasheet say about this box? The following parameters are listed there:
    VPN throughput - 2.6 Gbit/s;
    Firewall throughput in the base configuration - 7.5 Gbit/s


    In general, judging by our synthetic tests, the figures match the datasheet (as far as VPN is concerned). These devices also have an IPS function, but that is a topic for a separate article.

    Certification


    Naturally, when choosing a device with GOST VPN, the first question of interest is which certificates it has. TSS Diamond devices have certificates of conformity to the following documents:

    • “Computer facilities. Protection against unauthorized access to information. Indicators of security against unauthorized access to information” (State Technical Commission of Russia, 1992): security class 3;
    • “Protection against unauthorized access to information. Part 1. Information security software. Classification by the level of control over the absence of undeclared capabilities” (State Technical Commission of Russia, 1999): control level 2;
    • as well as the documents:
    • “Requirements for intrusion detection systems” (FSTEC of Russia, 2011);
    • “Protection profile for network-level intrusion detection systems of the fourth protection class, IT.SOV.S4.PZ” (FSTEC of Russia, 2012);
    • “Requirements for firewalls” (FSTEC of Russia, 2016);
    • “Protection profile for type “A” firewalls of the fourth protection class, IT.ME.A4.PZ” (FSTEC of Russia, 2016);
    • “Protection profile for type “B” firewalls of the fourth protection class, IT.ME.B4.PZ” (FSTEC of Russia, 2016);
    • “Protection profile for type “V” firewalls of the fourth protection class, IT.ME.V4.PZ” (FSTEC of Russia, 2016).

    The product's cryptographic subsystem, DCrypt, has a certificate of conformity for classes KS1, KS2 and KS3.

    Conclusions


    In our subjective opinion, this equipment is a decent option for building a high-bandwidth GOST VPN tunnel (for example, for connecting two data centers). All declared functions work. I see no point in demanding anything more from this device (beyond VPN). In addition, the TSS Diamond line has smaller models suited for small and medium-sized branches (Diamond VPN/FW 1101, 2111, 3101, 4101, 4105). The smallest model, the 1101, delivers at least 100 Mbit/s of GOST VPN in tests (1500-byte packets).

    If you have further questions about TSS Diamond, feel free to contact us.

    P.S. If some equipment (or software) you know of is missing from the list of GOST VPN solutions, please mention it in the comments.


    Poll: What solution do you use to organize a certified GOST VPN? (multiple answers allowed, so the percentages do not sum to 100)

    • S-Terra: 25.7% (17 votes)
    • Continent: 31.8% (21 votes)
    • Vipnet: 36.3% (24 votes)
    • Outpost: 7.5% (5 votes)
    • TSS Diamond: 7.5% (5 votes)
    • Ideco MagPro GOST-VPN: 1.5% (1 vote)
    • Other: 24.2% (16 votes)
