Developers: Thionix (Tionix)
Last Release Date: 2021/12/02
Technology: IB - Authentication, IB - Firewalls
TIONIX Virtual Security is designed to protect against unauthorized access to information in the virtual infrastructure and can be used in government and corporate information systems.
TIONIX Virtual Security provides a set of security mechanisms. To prevent the substitution of network devices and services (protection against man-in-the-middle attacks), network connections are authenticated; the number of concurrent access sessions per user account is limited; and the number of unsuccessful attempts to log in to programs or applications is limited, which protects the system from brute-force attacks. The product also uses Single Sign-On (SSO) technology, which reduces the risk of unauthorized access to client systems, shortens the time needed to access applications and allows passwords to be managed centrally.
In addition to a flexible user password management policy, users can also log in via ESIA. A two-factor authentication mechanism based on a one-time password algorithm improves the reliability of personal data protection. Continuous monitoring of audit (registration) records from various sources in the information system helps to detect security incidents in a timely manner and to respond to threats quickly.
2021: Security Proxy tool added
On December 2, 2021, TIONIX released an update to its product for protecting virtual platforms, TIONIX Virtual Security, which is designed to protect against unauthorized access to information in the virtual infrastructure and can be used in government and corporate information systems.
The updated version adds the Security Proxy tool, which makes it possible to configure protection for external segments of the information system in which the TIONIX solution is not integrated. Interaction between applications is then carried out over a secure Internet protocol, which allows the customer to avoid FSTEC certification of their own software products.
The developers have added a hardware resource saving mode that significantly improves system performance; it is useful in heavily loaded virtual environments with a large number of users. The API description service was also improved, which makes integration with other information systems more convenient, including the option of using the LDAP authentication protocol.
The product documentation service has been completely redesigned so that technicians can install TIONIX Virtual Security into the customer's information system as quickly as possible. The technical specification interface has become intuitive, and the various work scenarios and options for responding to security events are clearly presented. The user interface also received a number of changes.
"The need to switch to cloud information systems has long been recognized in both the corporate and public sectors. At the same time, cyber attacks become more sophisticated every year, so reliable protection is needed for virtual infrastructure. TIONIX Virtual Security is designed specifically for use with the TIONIX Cloud Platform, but it can also be used with any virtualization platform built on KVM. The updated version has expanded functionality and integration capabilities with other systems," said Natalya Ivanova, product manager at TIONIX.
2020: FSTEC certificate of compliance with the requirements of regulatory and methodological documents for the fourth level of trust
The software product Tionix Virtual Security from the Russian cloud software company Tionix was certified by the FSTEC of Russia in December 2020, receiving a certificate of compliance with the regulator's requirements for the fourth level of trust.
There are two approaches to protecting a virtual infrastructure: building a secure, certified virtualization environment, and using overlay protection tools. The FSTEC-certified software product TIONIX Virtual Security (TVS) belongs to the second class and, in a number of respects, is a distinctive product for the Russian market.
The product is designed to protect against unauthorized access to information in a virtual infrastructure built on the KVM hypervisor and provides a set of security mechanisms. According to Roman Trainis, Technical Director of TIONIX, TVS covers almost all of the FSTEC-required measures for protecting a virtual environment: identification and authentication of access subjects, access control in the virtual infrastructure, including inside virtual machines, registration of security events, and others. To prevent the substitution of network devices and services, network connections are authenticated, and the number of concurrent access sessions per user account is limited. To protect against password-guessing attacks (so-called brute force), the system limits the number of unsuccessful attempts to log in to programs or applications.
The product also uses Single Sign-On (SSO) technology, which reduces the risk of unauthorized access to client systems, shortens application access time and centralizes password management. According to Roman Trainis, the comprehensiveness of this approach to protecting the virtual environment is the key advantage of the product on the Russian market.
"We position TVS as a comprehensive security tool for cloud technologies," said Roman Trainis. "Among other things, we also close the tasks of authentication and authorization in application software for cloud solutions. Thus, we implement a single entry point, WEB SSO, which supports a set of different technologies. As a result, any integrated information system closes the authentication and authorization task. In terms of complexity in the market, we are still the only solution for KVM which closes the maximum number of protection measures for GIS, APCS, KII, HIPD."
In addition to the flexible user password management policy, you can also log in using ESIA.
The two-factor authentication mechanism based on one-time passwords improves the reliability of personal data protection, and constant monitoring of registration records from various sources in the information system helps to detect security incidents in a timely manner and to respond to threats quickly.
The product does not implement only two protection measures: ZCV5, "Trusted boot of virtualization servers", and ZCV9, "Implementation and management of antivirus protection", and there is a rational explanation for this.
"The task of monitoring the load of virtualization servers has always been, and still is, solved by hardware," explained Roman Trainis. "For this purpose, the relevant products of a number of vendors are available on the market. As for antivirus protection, this is also not our niche. Kaspersky, for example, works well here, with its set of different solutions for virtualization. Inventing our own antivirus solution would be impractical."
The platform consists of three main blocks: a management controller, an authentication and authorization server, and virtualization management agents (service agents). The authentication and authorization server includes:
- an OpenID Connect authentication and authorization component, whose main function is authenticating and authorizing access to the web resources of cloud infrastructure administration and, where necessary, to the virtual machines of the client infrastructure;
- an LDAP authentication and authorization component, whose function is to authenticate and authorize users who access computing resources using LDAP.
These two components share a single database of domains, users and groups of the managed infrastructure, and provide monitoring of all authentication and authorization events in the controlled perimeter.
The management controller includes a management console and a kernel that provides comprehensive management of users, configurations and agents, the interaction of components with one another, and event logging.
The service agent is installed directly on monitored virtualization nodes and provides control over the startup, migration, and reconfiguration of virtual machines, virtual networks, and a variety of other important functions, including monitoring the state of virtual machines.
As for hardware requirements, the minimum configuration for the security server is a standard server processor with four virtual cores, 16 GB of RAM and a 10 GB hard drive. No system requirements are declared for the virtualization agent, because they are determined by the operating system and the virtualization environment itself; on the client side, TVS supports all browsers.
FSTEC certification of the TIONIX Virtual Security platform broadens the range of potential customers for the product.
Level 4 compliance means that TVS, in conjunction with the TIONIX Cloud Platform or any other cloud platform based on the KVM hypervisor, can be used to provide the highest class of confidential information protection for:
- information systems of critical information infrastructure (CII) facilities;
- state information systems (GIS) of the first security class;
- automated process control systems (APCS) of the first class of protection;
- information systems processing personal data of the first level of security;
- public information systems of class II that process restricted-access information, including personal data, proprietary, commercial and other types of confidential information.
The vendor declares and provides a multi-level support system: a corporate level with a declared minimum reaction time of less than two hours, and a standard level.
"The regulator has certain requirements for supporting the SKZI," said Roman Trainis. "Even with standard support, if any vulnerabilities or problems with the functioning of security mechanisms are present, we must provide a solution within three days, that is, provide patches that eliminate the security problems."
Although the TIONIX Virtual Security platform was launched only recently, there are already examples of its use. According to Roman Trainis, as of April 2021 the product is being actively deployed within the Rostelecom group of companies. At the end of 2020 the solution was deployed in a number of large-scale state projects, and the company plans to continue the active technological development of the TVS platform.
"We have big plans to develop the platform's authentication and authorization mechanism," said Roman Trainis. "We plan to expand support for authentication standards, add mechanisms such as SAML, build our own solution for Kerberos authentication, because we have customers who need it, and implement API management mechanisms."