The content of the article
In the process of reorganizing our company's IT infrastructure, many problems came up, but one deserves separate discussion: the centralized storage of hardware keys.
This material is provided by the manufacturer of the DistKontrolUSB USB over IP hub as an illustration of how the solution was implemented at one of its clients. Read more about the hub in the previous article.
Because the IT infrastructure had grown haphazardly, we had inherited a mixed fleet of hardware and a huge number of weakly interconnected software products. Putting it in order was long and rather painful, but in the end we built a virtual private network and moved users to thin clients. We did not even have to retire the obsolete machines: they serve as thin clients for terminal servers located in data centers (along the way we minimized our own hardware fleet).
The issues of reliable operation of IT systems and information security were resolved, data backup was set up, and so on. The trouble came from an unexpected direction: the company's offices are geographically distributed, and each has at least a few keys protecting licensed software, access to banking services, legally significant electronic document interchange or electronic trading platforms. 1C (HASP), Rutoken, ESMART Token USB 64K: this is not a complete list of the models in use. We needed an organizational or technical solution that could manage this zoo centrally, and it was not easy to find one.
The infrastructure reforms had not touched how access to keys and tokens was organized. Keeping them on the user side created obvious security problems and a number of technical difficulties. You cannot plug a USB dongle for server-side licensed software into a thin client, and after moving most of the remaining server fleet to a commercial data center and switching to VPS there was nowhere left to insert USB devices; besides, keeping them outside the company is undesirable.
Nor did we want to trust users with secure media carrying qualified digital signatures. Previously they were issued against signature in special logbooks and returned at the end of the working day, but this only creates a false sense of security. It does not provide secure access to tokens: even a safe at the workplace does not protect against a careless employee who leaves the most expensive and most needed item next to the monitor, directly under the sticker with passwords and codes.
In addition, without a request to the security service it was impossible to tell which employee was using a given token at a given moment. Not that protected media were often lost or handed over to outsiders, but there was a certain organizational mess. Such cases did happen, especially since the same key is sometimes needed by employees in different offices, which turned accounting and control into a headache for the security department. In the course of the reform the mess had to be eliminated without spending too much money on it.
… and the solutions
We did not have to look long for a unified solution for centralized key storage: apart from USB over IP there are no other relatively budget-friendly options on the market. Plenty of software (including free) is available to implement the approach, letting you gather all USB protection devices in one place and provide authorized access to them over the network with strong encryption.
The original idea of building a key server ourselves never got off the ground: setup brings too much trouble, and compatibility problems can surface along the way. It is also rather difficult to take a general-purpose server and plug more than four dozen USB devices into it. At the same time, the server must not only provide secure access to the keys but also protect them from physical damage, and allow a "stuck" USB device to be power-cycled remotely.
As a result, we concluded that we needed to buy a specialized appliance with embedded software, in which the manufacturer had solved the security and compatibility problems out of the box.
Choosing a server and hub
Apart from Chinese devices from unknown manufacturers (which we did not want to trust with qualified digital signatures), there are not many USB over IP hubs on the market suitable for our hardware keys. We considered models from Western vendors (Digi AnywhereUSB, SEH myUTN, etc.), but they do not let us connect all our USB devices and are too expensive: for example, the price of AnywhereUSB with 14 ports exceeds $1,800.
In addition, it is unclear how these hubs handle domestic protected tokens; the question of compatibility and the availability of local support is perhaps the most important one here. As a result, we settled on the Russian-developed DistKontrolUSB-64, a rack-mountable unit with 64 ports.
The manufacturer does not claim one hundred percent compatibility with all keys, but according to its technical support specialists they have yet to find an incompatible one anywhere in our vast homeland. The 64-port option was cheaper than imported analogs with fewer ports: 106,500 rubles. USB over IP hubs with 16, 32 and 48 USB ports are also available.
Features of DistKontrolUSB-64
In short, the hub makes its ports and the USB devices connected to them available over the network as if they were local. To do this, special client software must be installed on the remote host; it is available for current versions of Windows (desktop and server), GNU/Linux, and macOS.
Access to ports and devices can be restricted by login and password and by IP address; all traffic between the hub and the client is encrypted (SSL/TLS or SSH) using certificates, including self-signed ones, which can be imported or generated directly on the device; and user actions are logged. Two practical caveats: a self-signed certificate only protects against interception if each client is made to verify that specific certificate (by pinning it or installing it as the client's trust anchor), since a client that accepts any certificate can be silently redirected to an impostor between the office and the data center; and IP address restrictions are a useful second layer but not an identity check on their own, because source addresses can be spoofed on a LAN or shared behind NAT.
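As an added example (not code from the article or from DistKontrol), the check below shows how a client can pin the hub's self-signed certificate instead of trusting whatever certificate is presented. It uses only the Python standard library, assumes the hub presents its certificate on a TLS port (443 for the web interface is an assumption; the port used by the USB redirection client is not stated in the article), and exercises the pin comparison offline on a constructed placeholder DER blob rather than a real certificate.

```python
"""Pin the hub's self-signed TLS certificate by SHA-256 fingerprint.

Added example, not part of the DistKontrolUSB software. Host and port values
are assumptions; the placeholder "certificate" below is constructed data.
"""
import hashlib
import hmac
import ssl


def fingerprint_of_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate: lowercase hex, no colons."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_of_pem(pem: str) -> str:
    """Same fingerprint computed from the PEM form (what ssl.get_server_certificate returns)."""
    return fingerprint_of_der(ssl.PEM_cert_to_DER_cert(pem))


def normalize_fingerprint(fp: str) -> str:
    """Accept the 'AB:CD:..' form that openssl and most web UIs print."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def verify_pin(pem: str, pinned: str) -> bool:
    """True only if the presented certificate matches the fingerprint recorded out of band."""
    return hmac.compare_digest(fingerprint_of_pem(pem), normalize_fingerprint(pinned))


def fetch_hub_cert(host: str, port: int = 443) -> str:
    """First-contact enrolment: fetch the hub's certificate so its fingerprint can be
    recorded out of band (e.g. compared against what the hub's console shows).
    Performs a network connection; not called in this offline example."""
    return ssl.get_server_certificate((host, port))


def hub_tls_context(pinned_pem: str) -> ssl.SSLContext:
    """Context that trusts only the hub's own (self-signed) certificate and nothing else.
    Needs a real X.509 certificate; not called on the placeholder below."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the hub is addressed by IP; the pinned cert identifies it
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cadata=pinned_pem)
    return ctx


# Constructed placeholder: a tiny DER SEQUENCE, not a real X.509 certificate.
# Enough to exercise the PEM/DER handling and the pin comparison without a network.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
# What the operator records after first contact and distributes to clients.
PINNED_FINGERPRINT = fingerprint_of_pem(SAMPLE_PEM)
# A different blob standing in for an impostor's certificate.
OTHER_DER = bytes.fromhex("3003020102")
OTHER_PEM = ssl.DER_cert_to_PEM_cert(OTHER_DER)

if __name__ == "__main__":
    print("pinned fingerprint:", PINNED_FINGERPRINT)
    print("hub certificate accepted:", verify_pin(SAMPLE_PEM, PINNED_FINGERPRINT))
    print("impostor certificate accepted:", verify_pin(OTHER_PEM, PINNED_FINGERPRINT))
```

In deployment the pin is captured once with `fetch_hub_cert` on a trusted path, confirmed against the fingerprint shown on the hub's own management interface, and then either compared with `verify_pin` before every session or installed as the sole trust anchor via `hub_tls_context`; rotating the hub's certificate means redistributing the pin, which is the price of not depending on a public CA.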
There were no problems with the zoo of keys: all the existing ones worked fine on Windows in physical and virtual environments on both virtualization platforms we use, VMware and Hyper-V. Note that the cryptographic providers installed in the system treated the remote ports as local ones, so all the digital signature tokens for Windows worked too. We did not test Linux or macOS, since we do not use these OSs.
Finally, a couple of interesting points. Like most network devices, DistKontrolUSB-64 is managed via a web interface, which can be served over HTTPS, and from the command line over SSH; this is much better than HTTP and Telnet, which are open to all winds. The hub also supports IPv6, limits USB port power by current and switches ports off on overheating. In addition, this model provides a soft start for the ports to reduce the inrush surges caused by high-capacitance loads.
The hub now sits in a separate room at the central office, and physical access to it is impossible without supervision by security personnel. Even system administrators cannot remove or install a device in a DistKontrolUSB-64 port unsupervised: they have to contact security and sign the logbook. There are enough ports for all the keys, with a margin to spare, and we did not encounter any special problems connecting them to physical and virtual servers (DistKontrol technical support helped resolve minor difficulties).
Most importantly, there is no longer any headache with transferring tokens between branches: everything is configured remotely. There are drawbacks too. With a centralized key store we have a single point of failure. The hub itself has not failed yet, but there have been short-term problems with data links: if the Internet goes down in a remote office, access to the keys is lost.
On the other hand, since we moved our server fleet to a commercial data center and bought VPS from a cloud provider, an office cannot work without Internet access anyway. The central office has redundant communication links, so there have been no outages there yet. In general, you pay for convenience and security; even with a single point of failure, a centralized scheme is still better.