Developers: Security Code
Last Release Date: 2025/04/07
Branches: Information security
Technology: Information Security - Authentication, Information Security - Firewalls, Information Security - Encryption Tools
Continent TLS VPN is a certified solution for protecting remote users' access to protected resources.
Continent TLS VPN has a client-server architecture and consists of the "Continent TLS VPN Server" appliance, installed at the border of the network perimeter, and the CIPF VPN client "Continent TLS VPN Client", installed on the computers of remote users. The "Continent TLS VPN Server" ensures the confidentiality, integrity and protection of transmitted information and performs the following functions:
- authentication of users by x.509v3 public key certificates (GOST R 31.11-94, 34.10-2001);
- checking the user certificate against certificate revocation lists (CRLs);
- establishing secure encrypted HTTPS connections;
- proxying requests to corporate network web servers, and others.
Continent TLS VPN Server IPC-3000F (S021), 2014
CIPF "Continent TLS VPN Client" is a local transparent proxy service that provides mutual authentication with the server, establishment of a secure connection and exchange of encrypted data with the server. It is compatible with most existing internet browsers. Users can also work through the "Continent TLS VPN Server" without installing the CIPF client software "Continent TLS VPN Client"; in this case the user's computer must use the MS Internet Explorer browser with the CryptoPro CSP crypto service provider installed (version 3.6 or 3.9), which provides support for GOST cryptographic algorithms.
The product is intended for:
- securely connecting users to public service portals, electronic trading platforms, internet banking systems or enterprise applications via a web browser;
- cryptographic protection of HTTP traffic when transmitting data over open channels of public networks.
Key features
- Cryptographic protection
  - The use of the TLS protocol with encryption according to GOST 28147-89 provides reliable protection of HTTP traffic at the transport level.
- Monitoring and logging of information security events
  - Up-to-date information on operational statistics and current connections of the Continent TLS VPN server.
- User identification and authentication
  - Identification and authentication of users by x.509 public key certificates. User authentication data is passed on to the web server.
- Work with external certification authorities (CA)
  - To create x.509 certificates, Continent TLS VPN uses the external CryptoPro CA.
- Transparent proxying of HTTP traffic
  - For secure login to the web service, the user only needs to enter the IP address or domain name in the address bar of the browser.
- Scalability and resiliency
  - Supports a high-performance cluster scheme with load balancing (external balancer). Increased fault tolerance is achieved by adding a redundant node to the cluster.
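The server functions listed above (client certificate authentication, CRL revocation check, and passing the authenticated identity on to the backend web server) map onto a TLS-terminating reverse proxy. The following added example, which is not code from the original page or from the product, shows that pattern with Python's standard `ssl` module on ordinary OpenSSL cipher suites (the product's GOST suites are not available in the standard library). The header names, the file paths, and the peer-certificate dict are assumptions constructed for the example; the point worth noting is that the proxy must drop any identity headers supplied by the client before adding its own, otherwise a client could spoof the identity the backend trusts.

```python
import ssl
from typing import Dict, Mapping

# Headers used to pass the verified certificate identity to the backend.
# The names are an assumption for this example; the page does not say
# what the product itself uses.
IDENTITY_HEADER = "X-Client-Cert-Subject"
SERIAL_HEADER = "X-Client-Cert-Serial"


def build_server_context(cafile: str, crlfile: str,
                         certfile: str, keyfile: str) -> ssl.SSLContext:
    """TLS context for the front-end: require a client certificate issued
    by the CA in `cafile` and reject leaf certificates listed in the CRL
    in `crlfile` (the CRL check described on the page). Paths are
    placeholders; the caller supplies real PEM files."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED            # mutual authentication
    ctx.load_verify_locations(cafile=cafile)       # trusted issuing CA
    ctx.load_verify_locations(cafile=crlfile)      # CRLs load the same way
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF  # enforce the CRL on the leaf
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def identity_from_peercert(peercert: Mapping) -> Dict[str, str]:
    """Build identity headers from the dict returned by
    SSLSocket.getpeercert(): 'subject' is a tuple of RDNs, each a tuple
    of (attribute, value) pairs; 'serialNumber' is a hex string."""
    subject = ",".join("%s=%s" % kv
                       for rdn in peercert.get("subject", ())
                       for kv in rdn)
    return {IDENTITY_HEADER: subject,
            SERIAL_HEADER: str(peercert.get("serialNumber", ""))}


def forward_headers(client_headers: Mapping[str, str],
                    peercert: Mapping) -> Dict[str, str]:
    """Headers the proxy forwards to the backend. Any identity header the
    client sent itself is stripped first, so the backend only ever sees
    values derived from the certificate verified during the handshake."""
    reserved = {IDENTITY_HEADER.lower(), SERIAL_HEADER.lower()}
    out = {k: v for k, v in client_headers.items() if k.lower() not in reserved}
    out.update(identity_from_peercert(peercert))
    return out
```

The backend must only be reachable through the proxy for this to hold; if it can be reached directly, the identity header is as trustworthy as any other client-supplied header.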
Features
- High performance - up to 20,000 simultaneous connections per node (IPC-3000F).
- Compatible with any web browser.
- Ease of management - all settings are made by the administrator through a web browser.
- Unlimited performance scalability - Can be combined into a high-performance cluster to achieve performance over 100,000 concurrent connections.
- Ease of implementation and operation - the ready-made solution eliminates the need to embed cryptographic modules into the web server and go through the CIPF embed control procedure.
- Easy integration with external SIEM systems.
Certificates
- Certificate of the FSTEC of Russia for compliance with the requirements for the absence of undeclared capabilities at the 4th level of control. It allows use for protecting automated systems up to and including class 1G, personal data information systems (ISDS) up to and including protection level 1, and state information systems (GIS) up to and including class 1.
- Certificates of the FSB of Russia for "Continent TLS VPN Server" as a CIPF of class KS2 and for "Continent TLS VPN Client" as a CIPF of classes KS2 and KS1.
2025: "Continent TLS Server" version 2.7
On April 7, 2025, "Security Code" announced the release of version 2.7 of the "Continent TLS Server" software and hardware complex, with improved functions for comprehensive protection of web applications.
A WAF (Web Application Firewall) software module was integrated into this version to protect against a range of cyber threats.
The WAF functionality includes machine learning for attack protection, a native signature analyzer, bot protection, GeoIP, L7 DDoS attack prevention, validation of JSON, XML, MultiPart, GraphQL, HTMLXsd, YAML and HTTP, and logging and auditing.
"We have added WAF functionality to protect web applications from profile attacks (OWASP Top 10, DDoS, etc.). Thus, customers will have the opportunity to use a comprehensive platform for comprehensive protection of web applications from one window," said Dmitry Lebedev, leading specialist in the Security Code product promotion department.
In addition, version 2.7 supports HTTP/2 in the proxy and application portal settings, ensuring faster and more efficient operation of web applications.
This version will be certified by the FSTEC and the FSB of Russia: for the WAF functionality, according to the protection profile for firewalls of type "D", protection class 4 and trust level 4; for the TLS server, according to the requirements for CIPF of class KS2/KS3.
2018: Continent TLS Server version 2.1 released
On July 18, 2018, Security Code announced the release of the next version of the Continent TLS Server product, designed to provide secure remote access to web applications using GOST encryption algorithms. The main differences are a 30% increase in product performance and an optimized licensing scheme.
One of the functions in Continent TLS Server 2.1 is the ability to work simultaneously with user certificates whose electronic signature and hashing algorithms follow either GOST 2001 or GOST 2012, the latter being a standard with higher resistance.
With "Continent TLS Server" 2.1, the transition to the GOST 2012 standard is invisible and does not affect the use of secure remote access to web applications. Previously, a connection could not be established when the client and server sides used certificates of different standards.
An important addition is the ability to integrate Continent TLS Server 2.1 into a single IT infrastructure monitoring loop.
Continent TLS Server 2.1 customers can centrally update the client part of the complex on remote user computers. The product licensing system was also simplified in this version: a cluster of multiple devices requires only one license for the maximum number of simultaneous connections, and the licenses for connecting to the proxy server and for connecting through the TLS tunnel were combined. All this makes the solution easier to operate and simplifies choosing the right architecture.
As of July 2018, "Continent TLS Server" 2.1 has been submitted to the FSB of Russia for certification. After passing the tests, the product will be certified for classes KS1 and KS2.
"This version of the product 'Continent TLS Server' is designed to facilitate the work of administrators during the period of changing encryption standards, to provide the possibility of convenient monitoring. Changes to the licensing policy and the ability to allocate a separate product management port should expand its scope. Support for a wide range of TLS clients will allow you to quickly build a secure access system to a web application where third-party crypto providers are already used. Now our product supports CryptoPro, Validata and the trusted Sputnik browser," said Alexander Kolybelnikov, Security Code Product Manager.
2016
The relatively new (released in 2015) products of the "Continent" line, "Continent TLS VPN" and the "Continent" cryptoswitch, also showed strong growth, with sales of 71 million rubles and 62 million rubles respectively. Demand for "Continent TLS VPN" was driven by growing customer interest in using Russian encryption algorithms to protect access to state portals and to organize secure remote access with GOST algorithms. Sales of the Continent cryptoswitch grew on the need to protect communication channels between geographically distributed data centers.
Continent TLS VPN technical release 1.0.9 with application portal released
In April 2016, the company "Security Code" announced the technical release of a new version of the "Continent TLS VPN" product, designed to provide secure remote access to information systems that process personal data (ISDS) and to state information systems (GIS). The release implements a number of new functions.
One of the most significant changes in "Continent TLS VPN" 1.0.9 is an application portal with authentication and authorization using credentials from Active Directory. This greatly simplifies controlling access to corporate web services for different categories of users. For example, the portal can provide a single access point for company employees and its contractors, with the set of available applications depending on the user's category and rights.
Another difference is the ability to create a server start page available over plain HTTP, which significantly reduces the cost of supporting a secure web application.
Version 1.0.9 also adds a TLS tunnel mode, which removes the restrictions on what the remote user can reach through the TLS-encrypted channel. Such a connection gives access not only to web resources but also to other types of applications, for example terminal servers (over RDP) or "thick clients" for corporate applications (ERP, CRM, etc.). This significantly increases the number of remote access scenarios in which "Continent TLS VPN" can be used.
"Security Code" estimated the timing of the transition of government agencies to Russian encryption tools
On July 16, 2016, an instruction from the president to the head of government was published on the Kremlin's website[1][2], calling for the transition of authorities to Russian cryptographic algorithms and encryption tools to be prepared by December 1, 2017. In particular, the government is to ensure the development and implementation of a set of measures for a phased transition to Russian cryptographic algorithms and encryption tools, and to provide citizens of the Russian Federation with free access to Russian encryption tools.
The published document entails certain steps to bring the IT infrastructures of government agencies into compliance with the stated requirements. In particular, a mass installation of domestic cryptographic information protection facilities (CIPF) is expected in government agencies alongside the existing solutions.
Experts of "Security Code" note that the change will primarily affect the state service portals of federal and regional departments. The task has two aspects: implementing CIPF on the web server side and on the user side. Assuming users embed a certified crypto library into the browser, there are two ways to solve the problem on the web server side.
One is integrating CIPF into the web servers; the other is introducing a hardware and software complex (PAC) implementing TLS VPN (one such product is the "Continent TLS VPN Server" developed by "Security Code"), which intercepts HTTP/HTTPS traffic and encrypts it according to GOST 28147-89. Each option has its own characteristics, both in technical implementation and in project timing.
According to analysts of "Security Code", in the first case (embedding) the stages of work are as follows:
- Development of organizational and administrative documentation - 2 months;
- Open tender for 44-FZ - 2.5 months;
- Implementation - 0.5 months;
- Control of CIPF integration in the FSB of Russia - 7 months;
As a result, such a project can be completed within about 1 year.
When the PAC installation option is chosen, the project is divided into the following stages:
- ODR development - 2 months;
- Open tender for 44-FZ - 2.5 months;
- Equipment and software supply - 1.5 months;
- Implementation - 0.5 months
The total duration of the project in this case is about 7 months.
Experts of "Security Code" note that, based on generally accepted practice, at least three months pass between the issue of an order to the government and the start of companies' work on projects (taking into account the need to develop and adopt by-laws). Accordingly, organizations that choose to embed CIPF in web servers risk missing the deadlines set by the president, and if the adoption of by-laws is delayed for more than three months, implementation deadlines may be disrupted.
"In addition to difficulties with the deadlines, the first path - embedding - is fraught with other difficulties. These are additional labor costs, first to design and approve a package of documents for the test laboratory, and then to make changes to the code and debug the application based on the results of the test laboratory analysis. But the main plus of the second option is that when choosing a PAC, the customer receives a powerful high-performance industrial solution designed for large organizations. It is scalable, easy to manage, compatible with any Internet browsers, easily integrates with external SIEM systems," said Pavel Korostelev, product marketing manager at Security Code.
Taking the above into account, "Security Code" recommends that state customers choose the optimal way to meet the requirements of the law by introducing a software and hardware complex (PAC) implementing TLS VPN. For secure access of remote users to web resources, the "Continent TLS VPN" software and hardware complex, certified by the FSB of Russia, is used. It is easily deployed, has a free TLS client for end users, and can support over 100,000 concurrent connections.
2015: Continent TLS VPN certified for secure remote access
On August 6, 2015, the company "Security Code" announced the receipt of FSB of Russia certificates for the cryptographic information protection facility (CIPF) "Continent TLS VPN", intended to organize secure remote access to company resources using the TLS protocol with support for the Russian encryption algorithm GOST 28147-89.
FSB of Russia certificates dated 30.07.2015, SF/124-2676 for CIPF "Continent TLS VPN Server" and SF/525-2677 and SF/525-2678 for CIPF "Continent TLS VPN Client" (executions 1 and 2), confirm compliance with the FSB of Russia requirements for encryption (cryptographic) facilities of classes KS2 and KS1. These certificates allow the use of CIPF "Continent TLS VPN" for cryptographic protection of information that does not constitute a state secret.
FSTEC of Russia certificate No. 3286 dated 02.12.2014 for CIPF "Continent TLS VPN Server" confirms the product's compliance with the guiding documents for the 4th level of control for the absence of undeclared capabilities, and allows its use when creating IVS up to and including security class 1G and for protecting information in ISDS and GIS up to and including class 1.
Notes
- ↑ [1] http://kremlin.ru/acts/assignments/orders/52536
- ↑ [2] Instruction to ensure the development and implementation of a set of measures necessary for the transition of authorities to the use of Russian cryptographic algorithms and encryption tools