Electronic lock Sobol. PAK Sobol electronic lock, version 3.0

PAK Sobol 3.0 is a hardware-software complex: an electronic lock that protects a computer from unauthorized access and provides trusted boot. The Sobol electronic lock can protect a standalone computer as well as a workstation or server connected to a local network. Version 3.0 is compatible with USB 2.0/3.0 Hi-Speed mode.

PAK Sobol 3.0 complies with all the requirements and standards of federal legislation, as confirmed by certificate No. 1967 and by passing inspection control at the FSTEC of Russia for compliance with the guidelines for the second level of control.

Sobol 3.0, as an electronic lock, is designed to protect personal computers (including ultrabooks, laptops and desktops), servers and specialized devices such as routers and cryptographic gateways. The improved version of PAK Sobol is compatible with Windows 8 and Windows Server 2012, as well as with the EXT4 file system on Linux operating systems.

Thanks to passing inspection control at the FSTEC of Russia, the product can be used in automated systems up to class 1B inclusive and in personal data information systems with a high level of security. PAK Sobol 3.0 is currently undergoing control tests at the Federal Security Service of Russia to confirm its existing certificates of conformity.

Functions of the PAK Sobol electronic lock:

  • computer configuration control (ACPI, PCI devices, SMBIOS);
  • blocking of operating system boot from external media;
  • Windows registry integrity control;
  • logging of attempts to access the computer;
  • user authentication;
  • system integrity control;
  • watchdog timer.

Advantages of the PAK Sobol electronic lock:

  • support for 64-bit Windows 8 and Windows Server 2012;
  • compatibility with USB 2.0/3.0 high-speed mode for enhanced user authentication;
  • works with Rutoken S / RF S, eToken PRO, eToken PRO (Java), iKey 2032 and iButton identifiers;
  • assistance in building applied cryptographic solutions;
  • protection of data constituting a state secret;
  • flexible choice of configuration options and board formats (PCI-E, Mini PCI-E, PCI);
  • ease of deployment, configuration and operation;
  • FSTEC and FSB of Russia certification.

The hardware-software complex PAK Sobol 4.0 is an electronic lock that protects a computer from unauthorized access (a hardware-software trusted boot module). The Sobol electronic lock can be used to protect a standalone computer as well as a workstation or server that is part of a local area network.
The Sobol electronic lock is used to protect personal computers (desktops, laptops, ultrabooks), servers and a number of specialized devices (cryptographic gateways, routers, etc.).
The product has passed inspection control at the FSTEC of Russia for compliance with the guidelines for the 2nd level of control for the absence of undeclared capabilities (NDV) and can be used in automated systems (AS) up to class 1B inclusive and in personal data information systems (ISPDn) of high security level. The updated version of PAK Sobol has also been handed over to the FSB of Russia, where control thematic tests are being carried out to confirm the existing certificates of conformity.

Capabilities of the Sobol electronic lock:

  • User authentication.
  • Blocking of OS boot from removable media.
  • Integrity control of the software environment.
  • Integrity control of the Windows system registry.
  • Computer configuration control (PCI devices, ACPI, SMBIOS).
  • Watchdog timer.
  • Logging of attempts to access the PC.

Advantages of the Sobol electronic lock:

  • FSB and FSTEC of Russia certificates.
  • Protection of information constituting a state secret.
  • Assistance in building applied cryptographic applications.
  • Easy to install, configure and operate.
  • Support for 64-bit Windows operating systems (including Windows 8 and Windows Server 2012).
  • Support for iButton, iKey 2032, eToken PRO, eToken PRO (Java) and Rutoken S/RF S identifiers.
  • Flexible choice of board formats (PCI, PCI-E, Mini PCI-E) and configuration options.
  • EXT4 file system support in the Linux OS family.
  • USB 2.0/3.0 high-speed mode support for enhanced user identification.
The main changes in version 4.0 of PAK Sobol:

1. Operation in a UEFI environment;
2. Support for GPT disk partitioning;
3. USB 3.0 compatibility;
4. Support for new operating systems:
  • Alt Linux SPT 7;
  • Astra Linux Special Edition "Smolensk" 1.5;
  • VMware vSphere ESXi 5.5/6.
5. The number of supported users increased from 32 to 100;
6. The number of security log entries increased from 80 to 2000;
7. Expanded list of supported identifiers:
  • USB keys JaCarta-2 GOST, JaCarta-2 PKI/GOST, JaCarta SF/GOST, Rutoken EDS and Rutoken Lite;
  • Smart cards JaCarta-2 GOST, JaCarta-2 PKI/GOST.

Sobol is a means of protecting information on personal computers from unauthorized access. It acts as a hardware-software trusted boot module. PAK Sobol is designed to protect confidential information, information constituting a state secret up to and including the "top secret" level, and personal data.

FSTEC certificate No. 1967 confirms that PAK Sobol complies with the requirements of the FSTEC of Russia guidelines on the 2nd level of control for the absence of undeclared capabilities (NDV) and can be used in automated systems of security class up to 1B inclusive.

FSB certificate No. SF/027-1450 confirms that PAK Sobol complies with the requirements for hardware-software trusted boot modules (APMDZ) of class 1B.

Capabilities of PAK Sobol

PAK Sobol performs the following security functions:

  • Blocks attempts to boot the OS from removable media. After a regular copy of the OS has booted successfully, access to these devices is restored. The boot ban applies to all users of the computer except the administrator.
  • Identifies and authenticates users.
  • Checks the integrity of files and the hard disk before the OS boots. The integrity control mechanism used in the Sobol complex verifies that files and physical sectors of the hard drive are unchanged before the operating system is loaded.
  • Acts as a watchdog timer. The watchdog timer mechanism blocks access to the computer if, after power-on and after a specified time interval, control has not been transferred to the BIOS extension of the Sobol complex.
  • Logs system security events to its own non-volatile memory.

PAK Sobol supports the following operating systems:

  • Windows family (both 32- and 64-bit)
  • WSWS 3.0
  • Trustverse Linux XP Desktop 2008 Secure Edition
  • FreeBSD 5.3, 6.2, 6.3, 7.2, 8.0, 8.1, 8.2
  • VMware ESX 3.5 - 4.0

PAK Sobol supports the following file systems: NTFS, FAT32, FAT16, UFS, EXT3, EXT2.

Advantages of PAK Sobol

  • PAK Sobol meets the FSTEC requirements for the protection of personal data
  • PAK Sobol holds an FSB certificate for APMDZ up to class 1B
  • PAK Sobol operates successfully on modern Windows OS (32- and 64-bit)
  • Support for various types of identifiers (Rutoken, eToken, iButton "tablet" keys)
  • Software initialization of the complex is possible

Administration options

When configuring PAK Sobol, the administrator can:

  • Set the minimum length of a user's password;
  • Set a limit on the number of failed user logins;
  • Add and remove usernames;
  • Block a user's work on the computer;
  • Create backup copies of the administrator's personal identifier;
  • Initialize the complex programmatically.

Hardware specifications

PAK Sobol is available as a board for a 3 V or 5 V PCI bus, or for a PCI Express bus of version 1.0a and above. Sobol is available in two hardware versions:

The equipment comes with a 1-year warranty from the date of purchase.

PAK Sobol is used at the Central Bank of the Russian Federation, the GAS "Elections" system, the Ministry of Internal Affairs of Russia, the Federal Treasury of Russia and the Pension Fund of Russia.

PAK Sobol 3 is an electronic lock: a board that is inserted into a server or workstation. Safety is everything. This product is installed not at the administrator's wish but because requirements demand it. Manufacturer: Security Code LLC.

Let's install it in an HPE ProLiant DL360 Gen10 server.

Why you need it

  • Protection of information from unauthorized access.
  • Integrity control of information system components.
  • Prohibition of OS boot from external media.
  • Protection of confidential information and state secrets in accordance with the requirements of regulatory documents.
  • Raising the protection class of CIPF (cryptographic information protection facilities).

Advantages

Here I copied from the leaflet, adding my comments.

  • Integrity control of the Windows system registry, the computer's hardware configuration and files before the OS is loaded.
  • Strengthened (strengthened compared to what? a tautology) two-factor authentication using modern personal electronic identifiers (if we consider an intercom key a modern electronic identifier).
  • Ease of installation, configuration and administration.
  • Software initialization without opening the system unit.
  • Hardware random number generator that meets FSB requirements.

Capabilities

  • Integrity control of the software environment. Control of the immutability of files and physical sectors of the hard disk, as well as of file systems: NTFS, FAT16, FAT32, UFS, UFS2, EXT2, EXT3, EXT4 on the Linux and Windows families. Supported operating systems:
    • Windows
      • Windows 7/8/8.1/10
      • Windows Server 2008/2008 R2/2012/2012 R2
    • Linux
      • WSWS 5.0 x64
      • Alt Linux 7.0 Centaur x86/x64
      • Astra Linux Special Edition "Smolensk" 1.4 x64
      • CentOS 6.5 x86/x64
      • ContinentOS 4.2 x64
      • Debian 7.6 x86/x64
      • Mandriva ROSA "Nickel" x86/x64
      • Red Hat Enterprise Linux 7.0 x64
      • Ubuntu 14.04 LTS Desktop/Server x86/x64
      • VMware vSphere ESXi 5.5 x64
    • Support for other operating systems is available on request to the Security Code technical support service.
  • Identification and authentication.
    • Use of personal electronic identifiers:
      • iButton
      • eToken PRO
      • eToken PRO (Java)
      • Rutoken
      • Rutoken RF
      • eToken PRO smart cards
    • The operating system is loaded from the hard disk only after a registered electronic identifier (EI) has been presented.
  • Journaling. A system log whose records are kept in dedicated non-volatile memory. The following events are recorded:
    • Fact of user login and the username.
    • Presentation of an unregistered identifier.
    • Entry of a wrong password.
    • Exceeded number of login attempts.
    • Date and time of unauthorized access (UA) events.
  • Windows registry integrity control. Verifying that the Windows system registry is unchanged raises the protection of workstations against unauthorized actions inside the operating system.
  • Hardware random number generator. Raises the protection class of CIPF and supplies random numbers to application software.
  • Configuration control. Control of the immutability of the computer configuration: PCI devices, ACPI, SMBIOS and RAM.
  • Disabling boot from external media. Prohibition of operating system boot from removable media (USB, FDD, DVD/CD-ROM, LPT, SCSI ports, etc.).
  • Watchdog timer. Blocks access to the computer via the watchdog mechanism if control is not transferred to Sobol at power-on.
  • Software initialization. PAK Sobol can be initialized programmatically, without opening the system unit and removing the jumper on the board.
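As an added illustration (not Security Code's code or the product's firmware), the following Python model ties together the administrator settings listed earlier (minimum password length, failed-login limit, blocked users) with the capabilities in the list above: a file-plus-configuration fingerprint checked before boot, identifier-based authentication, and a fixed-size security journal. The class and event names, the SHA-256 fingerprint scheme, the journal overflow policy and the sample disk/configuration data are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample disk contents and hardware configuration, not real product data.
FILES = {"/boot/vmlinuz": b"kernel image v1", "/boot/initrd": b"initrd v1"}
CONFIG = {"PCI": "8086:1533;8086:a12f", "ACPI": "rev 5", "SMBIOS": "DL360 Gen10", "RAM": "64 GiB"}

def fingerprint(files, config):
    """One digest over the controlled files plus the PCI/ACPI/SMBIOS/RAM configuration (assumed scheme)."""
    items = [(p, hashlib.sha256(d).hexdigest()) for p, d in sorted(files.items())]
    return hashlib.sha256(repr((items, sorted(config.items()))).encode()).hexdigest()

@dataclass
class TrustedBootModel:
    baseline: str                  # stands in for the reference kept in the board's non-volatile memory
    min_password_len: int = 8      # administrator setting listed on the page
    max_failed_logins: int = 3     # administrator setting listed on the page
    log_capacity: int = 2000       # security-log size quoted for version 4.0
    users: dict = field(default_factory=dict)   # identifier id -> (username, password)
    failed: dict = field(default_factory=dict)  # username -> consecutive failed logins
    log: list = field(default_factory=list)

    def record(self, event):
        self.log.append(event)
        del self.log[:-self.log_capacity]   # fixed-size journal; dropping the oldest entry is an assumption

    def add_user(self, ident, name, password):
        if len(password) < self.min_password_len:
            raise ValueError("password shorter than the administrator-defined minimum")
        self.users[ident] = (name, password)

    def authenticate(self, ident, password):
        if ident not in self.users:
            self.record(("unregistered_identifier", ident)); return False
        name, expected = self.users[ident]
        if self.failed.get(name, 0) >= self.max_failed_logins:   # user stays blocked
            self.record(("user_blocked", name)); return False
        if password != expected:
            self.failed[name] = self.failed.get(name, 0) + 1
            over = self.failed[name] >= self.max_failed_logins
            self.record(("attempts_exceeded" if over else "wrong_password", name)); return False
        self.failed[name] = 0
        self.record(("login", name)); return True

    def try_boot(self, ident, password, files, config):
        """Hard-disk boot only after a registered identifier, the right password and an unchanged fingerprint."""
        if not self.authenticate(ident, password): return "blocked"
        if fingerprint(files, config) != self.baseline:
            self.record(("integrity_violation", ident)); return "blocked"
        return "boot"
```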

Principle of operation

Model range

  • PCI Express 57x80
  • Mini PCI Express
  • Mini PCI Express Half Size
  • M.2 A-E

Admin reflections

If an attacker gains full access to the server's remote console, this electronic lock will not help: it is enough to switch the boot mode to UEFI and Sobol no longer runs, so the two-factor authentication turns into a pumpkin. Sobol version 4 apparently can work under UEFI; I did not look into what it offers there.

I noticed the phrase "easy administration". Easy? Yes, it is not difficult. Convenient? Not at all. The server rebooted: a trip to the data center. There are no proper means of remote two-factor authentication.

Registry integrity control is a dubious thing. Yes, it does control it. Windows got updated: a trip to the data center. Leaving Windows without updates is generally unsafe, and Sobol interferes with those updates.

Equipment

Appearance

One side. There are jumpers on the board; we will need them later. Jumpers lying in the plane of the board do not affect operation; only those perpendicular to the board do. One jumper, J0, is installed, so apparently this Sobol was already in use somewhere. In theory it should detect that the hardware has changed and refuse to work; we will check this during installation.

Other side.

Connector view.

Installation

We install it in the server.

Back view.

We connect an external iButton reader.

We power on the server, enter the BIOS and switch the boot mode to Legacy.

Save and restart the server.

For Sobol to work, the system must attempt to boot. There is nothing on the disk right now, so I mount an ISO image with the OS installer.

And it does not allow the boot.

Because it used to sit in a different server. The protection works. We power everything off, take it apart and get to the jumpers on the Sobol.

Remove jumper J0. Reassemble everything.

Sobol takes control.

Without jumper J0, Sobol enters initialization mode. Select "Initialize Board".

The "General system parameters" window. Set the required parameters. Press Esc.

The Integrity Check window opens. Set the required parameters. Press Esc.

We wait. Sobol likes to test its random number generator.

Initial administrator registration is performed. Yes.

Enter the password. Enter.

Repeat the password. Enter.

We are asked to insert the key. We insert the first one from the kit.

A warning that the key will be formatted. Yes.

Are you sure? Reminds me of Windows. Yes.

Create a backup administrator identifier? Of course, we have two keys. Remove the first key. Choose Yes.

Insert the second key.

We are told to put the jumper back. OK. The server shuts down.

We get to the Sobol board and put the jumper back on J0.

We power on the server.

We boot in Legacy mode. Sobol takes control.

We are asked to insert the key. We insert it.

Enter the password.

Press any key.