TLS VPN continent

TLS VPN continent - the certified solution of protection of access for remote users to the protected resources.

The continent of TLS VPN has the client-server architecture and consists of SZKI "Continent TLS VPN Server" which is established on border of perimeter of network, and a CIPF VPN client "the Continent of TLS VPN client" installed on computers of remote users. Continent TLS VPN Server provides confidentiality, integrity and masking of the transmitted data and performs functions:

• authentication of users by certificates of public keys of standard x. 509v3 (GOST P 31.11-94, 34.10–2001);
• verification of the certificate of the user according to the list of the withdrawn CRL;
• establishment of the protected encoded connections under the HTTPS protocol;
• broadcast of requests to Web servers of corporate network and others.

Continent TLS VPN IPC-3000F (S021) Server, 2014

The CIPF "the Continent of TLS VPN client" represents local transparent proxy service which provides mutual authentication with the server, installation of the protected connection, exchange of the ciphered data with the server. It is also compatible to the majority of the existing Internet browsers. Besides, the opportunity for work of users through "the Continent the TLS VPN Server" without installation of the client software of a CIPF "the Continent of TLS VPN client" is allowed. In this case on the computer of the user the Internet Explorer MS browser with the set CryptoPro CSP cryptoservice provider (version 3.6 or 3.9) providing support of cryptoalgorithms of GOST should be used.

The product is intended for:

• safe connection of users to portals of public services, electronic marketplaces, the systems of Internet banking or corporate applications via the web browser.
• cryptographic protection of http-traffic at data transmission through open channels of public service networks.

Main Features

• Cryptographic protection
  • Use of the TLS protocol with enciphering in accordance with GOST 28147–89 provides reliable protection of HTTP traffic at the transport layer

• Monitoring and journalizing of events of cybersecurity
  • Obtaining operational information about statistics of work and the current connections of the TLS VPN Continent server

• Identification and authentication of users
  • Identification and authentication of users by certificates of public keys of standard x. 509. Transfer of authentication data of the user on the Web server.

• Work with the external certification centers (CC)
  • For creation of certificates x. 509 "TLS VPN Continent" uses external UTs "Crypto Pro"

• Transparent proxying of HTTP traffic
  • For a secure sign-in on web service it is enough to user to enter the IP address or domain name in address to a line of the browser.

• Scalability and fault tolerance
  • Support of an operation mode in the scheme of a high-performance cluster with balancing of loading (the external balancer). Increase in fault tolerance is reached by adding in a cluster of an excess note.

Specific Features

• High performance – up to 20,000 simultaneous connections on one note (IPC-3000F).
• Compatibility with any web browsers.
• Convenience of management – all settings are performed by the administrator via the web browser.
• Unlimited scalability of performance – a possibility of consolidation in a high-performance cluster for achievement of performance over 100 thousand simultaneous connections.
• Simplicity of implementation and operation – the ready-made solution saves from need of embedding in the Web server of cryptographic modules and passing of control procedure of embedding of a CIPF.
• Easy integration with the external SIEM systems.

Certificates

• The FSTEC certificate of Russia on compliance to requirements of absence of NDV for the 4th level of control. Also GIS up to 1 class inclusive is applied to protection of AS to class 1G inclusive, ISPDN to UZ 1 inclusive.

• Certificates of FSB of Russia "the Continent the TLS VPN Server" on a CIPF of the class KC2 and "TLS Continent VPN Client" on a CIPF of class KC2 and KC1.

2018: Release "Continent of the TLS server" of version 2.1

Continent TLS server

On July 18, 2018 the Code of Security company announced release of the next version of the product "Continent TLS Server" intended for ensuring the protected remote access to web applications using encryption algorithms GOST. The main differences – performance improvement of a product for 30% and also optimization of the scheme of its licensing.

One of functions to "the Continent the TLS server" 2.1 is a possibility of simultaneous operation with the user certificates supporting algorithms of the electronic signature and hashing – both in accordance with GOST 2001, and in accordance with GOST 2012 – to the standard having more high resistance.

At application "the Continent the TLS server" 2.1 transition to the GOST 2012 standard will be imperceptible and will not influence use of the protected remote access to web applications. Earlier when using different certificates on client and server side it was impossible to set connection.

The ability to integrate product "Continent TLS Server" 2.1 into a uniform circuit of monitoring of IT infrastructure became important addition.

Customers "the Continent the TLS server" 2.1 had an opportunity on a centralized basis to update a client part of a complex on computers of remote users. Besides, in the provided version the system of licensing of a product was simplified: the cluster from several devices requires only one license for the maximum number of simultaneous connections. Also the decision to integrate licenses for connection to the proxy server and the license for connection through a TLS tunnel was made. All this simplifies operation and the choice of a suitable solution architecture.

For July, 2018 "the Continent the TLS server" 2.1 is transferred to certification of century FSB Russia. After passing of tests the product will be certified on classes KC1 and KC2.

This version of the product "Continent TLS Server" is designed to facilitate work of administrators during change of standards of enciphering, to give an opportunity of convenient monitoring. Changes in a license policy and a possibility of selection of the certain port of product management should expand the field of its application. Support of a broad spectrum of TLS clients will allow to construct quickly the system of secure access to the web application where cryptoproviders of third-party producers are already used. Now our product supports Crypto Pro, Validat and the entrusted browser Sputnik. Alexander Kolybelnikov, product manager of Code of Security company

2016

High dynamics also rather new (released in 2015) products of the line showed Continent – "TLS VPN Continent" and the Continent cryptoswitch. The volume of their sales was 71 million rubles and 62 million rubles respectively. Demand for "TLS VPN Continent" was caused by the growing interest of customers in application of the Russian encryption algorithms for protection of access to state portals and also to the organization of the protected remote access using GOST algorithms. Need of protection of communication channels for geographically distributed data processing centers became a factor of growth in sales of the Continent cryptoswitches.

There was a technical release "TLS VPN Continent" 1.0.9 with the portal of applications

The Code of Security company announced in April, 2016 an exit of technical release of the version of the product "TLS VPN Continent" intended for ensuring secure remote access to the information systems performing personal data processing (ISPDN) and to the state information systems (SIS). In a product a number of new features is implemented.

One of the most significant changes to "TLS VPN Continent" 1.0.9 is a creation of the portal of applications with a possibility of authentication and authorization using credentials from the Active Directory. Such completion considerably simplifies process of management of access to corporate web services to different categories of users. For example, using the portal it is possible to provide uniform access point for the staff of the company and its contractors. At the same time a set of available applications will depend on category and the user's rights.

One more difference – adding of a possibility of creation of the homepage of the server available under the open HTTP protocol. It allows to reduce considerably costs for support of the protected web application.

In version 1.0.9 the product opportunity for work in the TLS tunnel mode is also added that allows to lift from the remote user limits on interaction via the channel ciphered under the TLS protocol. Similar connection allows to provide access not only to web resources, but also to other types of applications, for example, to terminal servers (under the RDP protocol) or to "thick clients" for corporate applications (ERP CRM etc.). Such approach considerably increases the number of scenarios of remote access at which "TLS VPN Continent" can be applied.

"The code of security" estimated terms of transition of state agencies to the Russian means of enciphering

On July 16, 2016 on the website of the Kremlin^[1] order of the president to the head of the government about need to prepare transition of authorities to use of the Russian cryptographic algorithms and means of enciphering till December 1, 2017 was published. In particular, the government should provide development and implementation of a complex of the actions necessary for phased transition on use of the Russian cryptographic algorithms and means of enciphering and also to provide non-paid access for citizens of the Russian Federation to use of the Russian means of enciphering.

The published document will cause certain steps on reduction of IT infrastructures of state bodies to compliance to the stated requirements. In particular, in state structures mass installation in addition to the available solutions of the domestic means of cryptographic information protection (MCIP) is expected.

Learn more:

• The Yarovaya Law (About making changes in UK and the Code of Criminal Procedure of the Russian Federation regarding establishment of additional measures of counteraction to terrorism)
• Censorship (control) on the Internet. Experience of Russia

Experts of "The code of security" note that the innovation will concern first of all portals of public services of federal and regional agencies. At the same time implementation of this task affects two aspects: implementation of a CIPF on the party of the Web server and on the party of users. If to assume that on the party of users embedding of the certified cryptolibrary in the browser will be implemented, then it is possible to solve a problem on the party of the Web server by two methods.

One of them is an embedding of a CIPF in Web servers, the second – implementation of the hardware and software system (HSS) with implementation of TLS VPN (one of such products is "the Continent the TLS VPN Server", developed by "The code of security"), which will intercept HTTP/HTTPS traffic and to cipher it according to the encryption algorithm in accordance with GOST (28147-89). Each of options has the features – both in terms of technical implementation, and in terms of project implementation terms.

By estimates of analysts of "The code of security", in the first case (embedding) stages of works will be the following:

• Development of the organizational and administrative documentation (OAD) - 2 months;
• Holding an open competition on 44-FZ - 2.5 months;
• Implementation - 0.5 months;
• Control of embedding of a CIPF in FSB of Russia - 7 months;

As a result such project can be performed during 1 year.

When choosing option of the HSS installation the project will be broken into the following stages:

• Development of ORD - 2 months;
• Holding an open competition on 44-FZ - 2.5 months;
• Supply of equipment and software - 1.5 months;
• Implementation - 0.5 months.

The general project duration in that case will be about 7 months.

Experts of "The code of security" note that, proceeding from the commonly accepted practice, between release of order to the government and the beginning of works of the companies on projects (taking into account need of development and adoption of bylaws) there pass not less than three months. Respectively, there is a risk that the embeddings of a CIPF which selected option in Web servers of the organization hardly will meet the deadline delivered by the president. And in case of a delay of adoption of bylaws over three months implementation failures to meet time constraints are possible.

"In addition to difficulties with terms the first way - embedding - is integrated also to other difficulties. These are additional labor costs at first on registration and approval of a document package for testing laboratory, and then - on making changes in the code and debugging of the application according to the results of the analysis of testing laboratory. But the main thing plus the second option that when choosing a HSS the customer receives the powerful high-performance industrial solution expected the large organizations. It is scaled, it is convenient in management, is compatible to any Internet browsers, is easily integrated with the external SIEM systems", - Korostelev Pavel, the marketing manager of products of Code of Security company told.

Subject to the foregoing "The code of security" recommends to state customers to select an optimal algorithm of execution of requirements of the legislation and to go on the way of implementation of the hardware and software system (HSS) with implementation of TLS VPN. The hardware and software system "TLS VPN Continent" certified by FSB of Russia is applied to secure access of remote users to web resources. It is easily unrolled, has the free TLS client for end users and can support over 100 thousand simultaneous connections.

2015: The continent of TLS VPN is certified for the organization of the protected remote access

On August 06, 2015 the company "Code of Security" announced obtaining certificates FSB Russia on means cryptographic data protection (CIPF) VPN Continent of TLS for the organization of the protected remote access to resources of the company for the TLS protocol with support of the Russian algorithm enciphering of GOST 28147-89.

Certificates of FSB of Russia of 7/30/2015 of the Federation Council/124-2676 on a CIPF "the Continent the TLS VPN Server" and SF/525-2677, SF/525-2678 on a CIPF "the Continent of TLS VPN client" (execution 1 and 2) confirm compliance to requirements imposed on FSB of Russia to cryptographic (cryptographic) tools of class KC2 and KC1. Certificates of FSB of Russia permit application of a CIPF "TLS VPN Continent" for the cryptographic information protection which is not containing the data which are the state secret.

The FSTEC certificate of Russia No. 3286 issued 12/2/2014 on a CIPF "the Continent the TLS VPN Server" confirms compliance of a product to requirements of regulating documents for the 4th level of control of absence of NDV and permits its use during creation of AS to a class of security 1G inclusive and for data protection in ISPDN and GIS to 1 class inclusive.

Notes