Secure remote terminal
16 March 2011
In connection with the adoption of Law 152 on the Protection of Personal Data, solutions periodically appear on the market that let an enterprise build an information system that is ready for certification.
In this post I describe one such solution, developed by employees of Aladdin, Citrix, S-Terra and TONK.

For Habr readers who do not want to look up the definition of personal data, here is the wiki link: /wiki/%D0%9F%D0%B5%D1%80%D1%81%D0%BE%D0%BD%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5_%D0%B4%D0%B0%D0%BD%D0%BD%D1%8B%D0%B5

First, I want to note that you should not certify the entire information system for personal-data processing: it is expensive and, even by the letter of the regulatory documents, not required. Only the part of the information system in which personal data is stored or processed must be certified.

For the information system to pass evaluation, it must be built from certified components, i.e. products that hold certificates from the state bodies: FSTEC (the Federal Service for Technical and Export Control), which certifies the absence of undeclared capabilities in the product, and the FSB, if the product uses cryptography (Russian national cryptography is meant).

The solution described here is aimed primarily at the financial and credit sector (banks, insurance companies, etc.), and in general at organizations that have points of presence outside the main office and process personal data there.

How the solution is built:

As the thin client for remote users we used the TONK 1211. The following software was additionally installed on it:
1. Citrix Online Plug-in.
2. CryptoPro CSP (a cryptographic service provider that implements GOST encryption).
3. eToken PKI Client (driver for working with eToken keys).
4. S-Terra VPN Client.

As the VPN gateway that remote clients connect to, the S-Terra CSP Gate 1000 hardware/software appliance is used.

The organization's internal infrastructure consists of:
1. An Active Directory domain controller deployed on a certified version of Windows Server 2003 Standard. Microsoft Certification Authority is installed on the domain controller together with CryptoPro CSP, which allows it to issue GOST certificates. Certified eToken TMS 2.0 manages the eToken keys and smart cards in the organization.
2. Certified Citrix XenApp 4.5 FP1, deployed on a certified Windows Server 2003 Standard.

How it works:
1. The user switches on the thin client and the operating system starts loading. Before the desktop opens, the S-Terra VPN Client asks for the eToken key holding the certificate to be connected and for the PIN to be entered. The certificate is verified, and an IPsec VPN using GOST encryption algorithms is established between the thin client and the S-Terra CSP Gate 1000.

Note that the IPsec VPN tunnel is established before the desktop has even booted.

2. After the desktop loads, Internet Explorer starts with the Citrix Web Interface, located inside the corporate network, set as its home page. The user authenticates to the Citrix Web Interface with a second certificate stored on the eToken key and gains access to the required applications.
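Both certificates used in this scenario (the VPN client certificate and the Web Interface certificate on the eToken) come from the CryptoPro-backed CA and must be GOST certificates. As an added example, not code from the post or from any of the vendors named, here is a small Python check that reads the signature-algorithm OID straight out of a DER certificate and reports whether it is a GOST algorithm; it also covers the later GOST R 34.10-2012 OIDs, not only the 2001 ones in use at the time, and its two sample certificates are constructed stand-ins, not real ones.

```python
# Added example, not code from the post or from S-Terra/CryptoPro/Aladdin/TONK:
# read Certificate.signatureAlgorithm from a DER certificate without a crypto
# library, and check that it is a GOST algorithm (as a CryptoPro-backed CA issues).
GOST_SIGNATURE_OIDS = {
    "1.2.643.2.2.3": "GOST R 34.10-2001 with GOST R 34.11-94",
    "1.2.643.2.2.4": "GOST R 34.10-94 with GOST R 34.11-94",
    "1.2.643.7.1.1.3.2": "GOST R 34.10-2012 (256 bit) with Streebog-256",
    "1.2.643.7.1.1.3.3": "GOST R 34.10-2012 (512 bit) with Streebog-512",
}

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Convert OBJECT IDENTIFIER content octets to dotted form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der_cert):
    """Return the dotted OID of Certificate.signatureAlgorithm (RFC 5280 layout)."""
    tag, body, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, after_tbs = _read_tlv(body, 0)            # skip tbsCertificate
    _, alg_id, _ = _read_tlv(body, after_tbs)       # AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def is_gost_signed(der_cert):
    """True if the certificate's signature algorithm is one of the GOST OIDs."""
    return signature_algorithm_oid(der_cert) in GOST_SIGNATURE_OIDS

# Constructed stand-ins (empty tbsCertificate, dummy BIT STRING), not real
# certificates: a GOST R 34.10-2001 AlgorithmIdentifier and a sha256WithRSA one.
SAMPLE_GOST_CERT = bytes.fromhex("3010 3000 3008 0606 2a8503020203 03020000")
SAMPLE_RSA_CERT = bytes.fromhex("3015 3000 300d 0609 2a864886f70d01010b 0500 03020000")

if __name__ == "__main__":
    for der in (SAMPLE_GOST_CERT, SAMPLE_RSA_CERT):
        print(signature_algorithm_oid(der), is_gost_signed(der))
```

Run against a real certificate exported in DER form, the same functions tell you whether the token's certificates were issued with a GOST algorithm or fell back to a non-GOST one.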

So the described solution covers the requirements for encrypting data transmission channels when processing personal data, and for using certified products when building the solution.
Since the proposed solution consists of certified components, building an information system from it will not create problems at certification.

This solution was presented at the Citrix Virtualization Conference on April 4, 2010, as well as at Aladdin's promotional events.

P.S. For those interested, the websites of the companies whose products are used in the solution:
- solutions for multifactor authentication
- solutions for virtualization and application delivery
- solutions for building IPsec VPNs with Russian cryptography
- manufacturer of thin clients
- developer of the CSP that provides Russian cryptography