COMPUTER EQUIPMENT IN A PROTECTED VERSION, AS PART OF THE SOLUTION TO THE PROBLEM OF INFORMATION SECURITY.
Simonyan Tigran Arkadyevich
A distinctive feature of modern production, in Russia as elsewhere, is its ever-increasing dependence on information resources and technologies and, as a consequence, a growing number of information security problems.
The activity of any institution cannot be imagined without obtaining information of the most varied kinds, processing it manually or with computer equipment (SVT, the Russian abbreviation used throughout this paper), making specific decisions on the basis of its analysis, and transmitting them over communication channels. It should be understood, however, that computerization, in addition to its obvious and widely advertised benefits, brings with it, first, a considerable expenditure of effort and resources and, second, numerous problems.
Information is useful only when it is presented in a form that can be perceived and processed. Distortion of information, blocking of its receipt, or the introduction of false information leads to erroneous decisions. One of the problems, and one of the most complex, is ensuring the secure processing of critical information in automated systems. The last decade in particular has been marked by a significant increase in attention to information protection, and this interest has an objective basis. On the one hand, commercial secrecy has appeared in the country, the substance of and approaches to the protection of state secrets have been revised, and there is a need to clarify the concepts and boundaries of other kinds of secrets. On the other hand, the importance of information has grown dramatically, including information that above all requires protection. The substance of information protection is inseparable from the goals of protection, since what must actually be protected depends on the answer to the question: why, and for what purpose, is the information being protected?
The central problem of information security in the last decade has been the prevention of unauthorized acquisition of information in processing systems built on the basis of modern electronic computing equipment.
A breach of data security may result from various disruptive influences that destroy or modify data or create leakage channels, or from an intruder's use of existing data leakage channels.
The classification of data security threats is shown in Fig. 1.
Fig. 1. Classification of data security threats
Influences that may lead to a breach of data security include:
- random environmental influences (hurricane, earthquake, fire, flood, etc.);
- deliberate actions of an intruder (espionage, destruction of components of information and computing systems, use of direct information leakage channels);
- internal disruptive factors (hardware failures, errors in algorithms and software, insufficient professional and moral-psychological training of personnel, etc.).
All information (data) leakage channels can be divided into indirect and direct. Indirect leakage channels are those whose use for unauthorized access to information does not require direct access to the technical devices of the automated system. They arise, for example, from inadequate isolation of premises or from miscalculations in organizing work with information, and give the intruder the opportunity to use listening devices, remote photography, interception of electromagnetic emissions, and theft of information carriers and industrial waste (floppy disks, hard disks, program listings, etc.).
Direct leakage channels require direct access to the technical means of the automated system and to the data. Their existence is due to shortcomings in technical and software protection, in operating systems, database management systems, and algorithmic and software support, as well as to miscalculations in organizing the technological process of working with data. Direct leakage channels allow an intruder to connect to the equipment of the automated system, gain access to data, and analyze, modify or destroy it.
Using direct leakage channels, an intruder can:
- read data from other users' files (database elements);
- read data left in storage devices after authorized requests have been executed;
- copy data carriers;
- impersonate a registered user in order to use that user's privileges or to shift responsibility for unauthorized access onto them;
- present their own unauthorized requests as operating system requests;
- obtain protected data through a specially constructed series of authorized requests;
- modify software;
- deliberately insert special blocks into programs in order to breach data security;
- deny having generated and issued data;
- claim to have received data from a user when the data was in fact generated by the intruder;
- claim to have sent data to a user when the data was in fact not sent;
- deny having received data that was in fact received;
- examine users' access rights (even while the data itself remains closed to them);
- extend their own privileges without authorization;
- change other users' permissions without authorization;
- conceal the presence of some data within other data.
Methods and means of data protection have been developed to match the existing threats. Their classification is presented in Fig. 2 [1].
Fig. 2. Methods and means of data protection
Let's briefly review the main methods of data protection.
Management is the regulation of the use of all system resources within the established technological cycle of data processing and transmission, where technical means, operating systems, programs, databases, data elements, etc. are treated as resources. Data protection management is the targeted influence of the control subsystem (the data security system) on the means and mechanisms of data protection and on the components of the automated system in order to ensure data security.
Obstacles physically block the intruder's path to the protected data.
Masking is the protection of data by cryptographic means (encryption).
Regulation, as a protection method, consists in developing and implementing, during the operation of automated systems, sets of measures that create conditions in the technological cycle of data processing under which the risk of unauthorized access to data is minimized. Regulation covers the structural design of information and computing systems, the technology of data processing, and the organization of the work of users and network personnel.
Inducement consists in creating an environment and conditions in which the rules for handling protected data are upheld by moral and ethical standards.
Coercion includes the threat of material, administrative and criminal liability for violating the rules for handling protected data.
Data protection tools are created on the basis of the listed methods.
In the early stages of the development of data security concepts, preference was given to software protection tools. Practice showed, however, that software alone is not enough to ensure data security, and all kinds of hardware devices and systems were subsequently developed. Gradually, as a systematic approach to data security took shape, the need arose for the combined application of protection methods and of the tools and mechanisms created on their basis.
Structurally, the protection scheme of any organization can be represented as the pyramid shown in Fig. 3.
Fig. 3. Organization protection levels
1. PKI (Public Key Infrastructure) – public key infrastructure.
All security requirements can be implemented in various ways, with differing strength, efficiency and cost; which measures are used depends on the specific task, the nature of the information processing, and many other factors. Cryptography, however, is the means that most directly satisfies the full set of security policy requirements: encryption hides the information itself, certificates guarantee the authenticity of the communicating parties, and electronic signatures guarantee the integrity of information and the non-repudiation of transactions. Public key cryptography meets these requirements, but a large number of users calls for an automated, system-wide approach based on a PKI, whose components are:
- certification authorities that issue and revoke public key certificates;
- registration authorities, responsible for establishing the binding between a public key and the identity of the certificate holder;
- certificate holders, who hold certificates and can sign and encrypt digital documents;
- clients (relying parties) that verify digital signatures and their certification paths using the known public key of a trusted authority;
- repositories that store and provide access to certificates and certificate revocation lists (CRLs).
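The components listed above, as an added example that is not part of the original paper and not code from any product named in it: a Go program (standard library only) in which a certification authority issues a subscriber certificate and publishes a signed CRL, the certificate holder signs a document, and a relying party (the "client" of the list) verifies the certification path against the root's public key, checks the CRL's signature and freshness and the subscriber's revocation status, and only then verifies the signature on the document. The authority and subscriber names, serial numbers, validity periods, the choice of ECDSA P-256 with SHA-256, and the sample document are assumptions made for the illustration; the registration authority's identity check happens outside the code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var now = time.Now()

// must keeps the example short: any setup failure is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with issuerKey; tmpl == issuer yields a self-signed root.
func issue(tmpl, issuer *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey))
	return must(x509.ParseCertificate(der))
}

// CA is the certification authority: its signing key and the serials it has revoked.
type CA struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	revoked []pkix.RevokedCertificate
	crlNum  int64
}

// NewCA creates a self-signed root authorised to sign certificates and CRLs (assumed names).
func NewCA(name string) *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return &CA{Cert: issue(tmpl, tmpl, &key.PublicKey, key), key: key}
}

// Issue gives a certificate holder a signing certificate and its private key.
func (ca *CA) Issue(cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	return issue(tmpl, ca.Cert, &key.PublicKey, ca.key), key
}

// Revoke records a serial; it takes effect when the next CRL is published.
func (ca *CA) Revoke(serial int64) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: big.NewInt(serial), RevocationTime: now})
}

// CRL signs the current revocation list (DER), as a repository would serve it.
func (ca *CA) CRL() []byte {
	ca.crlNum++
	tmpl := &x509.RevocationList{Number: big.NewInt(ca.crlNum), ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: ca.revoked}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.key))
}

// Sign produces a detached ECDSA signature over SHA-256(doc).
func Sign(key *ecdsa.PrivateKey, doc []byte) []byte {
	h := sha256.Sum256(doc)
	return must(ecdsa.SignASN1(rand.Reader, key, h[:]))
}

// VerifyDocument is the relying-party check: certification path to the trusted
// root, CRL signature and freshness, revocation status, then the signature itself.
func VerifyDocument(doc, sig []byte, signer, root *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("certification path: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(root)
	}
	if err != nil {
		return fmt.Errorf("CRL: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL is stale: unknown status is not 'not revoked'")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(signer.SerialNumber) == 0 {
			return fmt.Errorf("signer certificate is revoked")
		}
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(doc)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature does not match document")
	}
	return nil
}

func main() {
	ca := NewCA("Demo Root CA")
	cert, key := ca.Issue("alice", 1001)
	doc := []byte("transfer 1000 to account 42") // constructed sample document
	fmt.Println("genuine:", VerifyDocument(doc, Sign(key, doc), cert, ca.Cert, ca.CRL()))
	ca.Revoke(1001)
	fmt.Println("revoked:", VerifyDocument(doc, Sign(key, doc), cert, ca.Cert, ca.CRL()))
}
```

Running it prints `genuine: <nil>` and then the revocation error. The order of the checks is the point: a signature that verifies under a key whose certificate does not chain to the trusted root, or whose CRL cannot be validated, proves nothing, so those checks come first, and a CRL past its NextUpdate is rejected rather than read as "nothing revoked".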
2. VPN (Virtual Private Network): a set of software and hardware tools that, transparently for application programs, connects separate local segments of a global communications network through an open public network while maintaining the security (confidentiality, authenticity, integrity) of the transmitted data, without physically separating the transmission channels and data processing nodes.
Threats that virtual private networks counter:
- unauthorized access (UA) to the internal resources of an organization's local network;
- UA to corporate data during its transmission over a public network.
Fig. 4. Purpose of virtual private networks.
The main advantages of VPNs:
- compatibility with the existing network infrastructure;
- integrability with the existing security subsystem;
- complete transparency for existing corporate applications.
3. The third stage includes access control and LAN protection tools: firewalls, and hardware and software information protection systems in a networked version.
The following classes of firewalls are distinguished (class 5 being the lowest and class 1 the highest):
- the simplest filtering routers — class 5;
- packet filters of the network layer — class 4;
- the simplest firewalls of the application layer — class 3;
- basic level firewalls — class 2;
- advanced firewalls — class 1.
Here, attention should be paid to domestic manufacturers of firewalls, among which those of OOO «Elko Technologies SPB» and «Jet Infosystems» stand out. A special feature of these firms' firewalls is their orientation toward domestic buyers.
The «Citadel ME» firewall, version 2.0, from Elko is a hardware and software complex based on the Intel Pentium II/III platform and controlled by a specially developed operating system. In a typical configuration the Citadel ME has four 10/100BaseTX Ethernet interfaces; up to 16 Ethernet interfaces can be supported in one device. An optional WAN interface module (V.35 or X.21) supports SLIP, PPP, HDLC and Frame Relay.
The Citadel ME complex provides secure, reliable and cost-effective interaction between Internet and intranet networks thanks to a powerful and flexible IP routing mechanism with built-in packet filtering, network address translation (NAT) and application gateways.
The main subsystems of the Citadel ME complex are:
- Packet filter. Filters TCP/IP traffic according to the criteria specified by the list of filtering rules:
- source and destination host/network addresses and ports;
- protocol type and protocol flags;
- input and output network interfaces;
- time interval.
- Traffic shaping, which artificially limits channel capacity for selected types of traffic.
- A mechanism of passive filters designed to analyze the contents of IP packets.
- A mechanism for dynamically generating self-configuring access control rules, needed for correct handling of FTP, whose data connection is negotiated separately from the control connection.
- Network address translation, direct and reverse.
- Automatic control, logging and reporting.
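The filtering criteria in the list above, as an added example that is not part of the original paper and not code from Citadel ME or any other product named here: a Go program (standard library only) that evaluates a first-match rule list over constructed packets by protocol, source/destination address and port, TCP flags, input/output interface and time of day, with a default-deny result when no rule matches. The rule names, addresses, interface names and office-hours window are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// TCP flag bits, at the positions they occupy in the TCP header's flags byte.
const (
	FlagSYN uint8 = 0x02
	FlagACK uint8 = 0x10
)

// Packet is the subset of IP/TCP/UDP header fields a stateless filter looks at,
// plus the input/output interface and the arrival time.
type Packet struct {
	Proto            string // "tcp", "udp" or "icmp"
	Src, Dst         netip.Addr
	SrcPort, DstPort uint16
	Flags            uint8 // TCP only; zero for other protocols
	In, Out          string
	At               time.Time
}

// PortRange is inclusive; the zero value matches any port.
type PortRange struct{ Lo, Hi uint16 }

func (r PortRange) matches(p uint16) bool {
	return (r == PortRange{}) || (p >= r.Lo && p <= r.Hi)
}

// Rule is one line of the filtering list. Zero-valued fields mean "any".
type Rule struct {
	Name             string
	Proto            string
	Src, Dst         netip.Prefix
	SrcPort, DstPort PortRange
	FlagsMask, Flags uint8 // matches when pkt.Flags & FlagsMask == Flags
	In, Out          string
	FromHour, ToHour int // window [FromHour, ToHour) in hours; both zero = any time
	Allow            bool
}

func (r Rule) matches(p Packet) bool {
	switch {
	case r.Proto != "" && r.Proto != p.Proto,
		r.Src.IsValid() && !r.Src.Contains(p.Src),
		r.Dst.IsValid() && !r.Dst.Contains(p.Dst),
		!r.SrcPort.matches(p.SrcPort) || !r.DstPort.matches(p.DstPort),
		p.Flags&r.FlagsMask != r.Flags,
		r.In != "" && r.In != p.In,
		r.Out != "" && r.Out != p.Out:
		return false
	}
	if r.FromHour != 0 || r.ToHour != 0 {
		h := p.At.Hour()
		return h >= r.FromHour && h < r.ToHour
	}
	return true
}

// Filter walks the list in order: the first matching rule decides, and a packet
// that matches nothing is dropped (default deny). The rule name is returned so
// that the log can record which rule made the decision.
func Filter(rules []Rule, p Packet) (allow bool, rule string) {
	for _, r := range rules {
		if r.matches(p) {
			return r.Allow, r.Name
		}
	}
	return false, "default-deny"
}

var (
	inside  = netip.MustParsePrefix("10.0.0.0/8")    // assumed internal network
	mailSrv = netip.MustParsePrefix("192.0.2.10/32") // assumed DMZ mail host
)

// Ruleset is a constructed sample list: inbound mail to the DMZ host, replies to
// connections opened from inside, and web access from inside during office hours.
var Ruleset = []Rule{
	{Name: "in-smtp", Proto: "tcp", Dst: mailSrv, DstPort: PortRange{25, 25}, In: "ext", Out: "dmz", Allow: true},
	{Name: "in-established", Proto: "tcp", Dst: inside, FlagsMask: FlagACK, Flags: FlagACK, In: "ext", Out: "int", Allow: true},
	{Name: "out-web", Proto: "tcp", Src: inside, DstPort: PortRange{80, 80}, In: "int", Out: "ext", FromHour: 9, ToHour: 18, Allow: true},
}

// pkt builds a constructed packet arriving at the given hour (UTC) on 2024-01-15.
func pkt(proto, src, dst string, sport, dport uint16, flags uint8, in, out string, hour int) Packet {
	return Packet{Proto: proto, Src: netip.MustParseAddr(src), Dst: netip.MustParseAddr(dst),
		SrcPort: sport, DstPort: dport, Flags: flags, In: in, Out: out,
		At: time.Date(2024, 1, 15, hour, 0, 0, 0, time.UTC)}
}

func main() {
	for _, p := range []Packet{
		pkt("tcp", "203.0.113.7", "192.0.2.10", 50000, 25, FlagSYN, "ext", "dmz", 12),
		pkt("tcp", "203.0.113.7", "10.0.0.5", 50000, 22, FlagSYN, "ext", "int", 12),
		pkt("tcp", "198.51.100.2", "10.0.0.5", 443, 40000, FlagACK, "ext", "int", 12),
		pkt("tcp", "10.0.0.5", "198.51.100.2", 40000, 80, FlagSYN, "int", "ext", 23),
	} {
		allow, rule := Filter(Ruleset, p)
		fmt.Printf("%s %s:%d -> %s:%d in=%s out=%s %02d:00 allow=%v (%s)\n",
			p.Proto, p.Src, p.SrcPort, p.Dst, p.DstPort, p.In, p.Out, p.At.Hour(), allow, rule)
	}
}
```

The `in-established` rule is the classic stateless use of the "protocol flags" criterion: replies to connections opened from inside are admitted because they carry ACK. The same rule admits any inbound segment with ACK set whether or not a connection exists, which is why such a rule must be placed after the more specific ones and why stateful inspection later took over this job. The time window is evaluated on the packet's own timestamp, so the same rule list can be replayed against logged traffic.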
The «Zastava-Jet» firewall (ME) from «Jet Infosystems» operates at the network and transport layers of the ISO/OSI model as well as at the application layer, thereby providing the required degree of protection for the internal information space. The firewall has the following characteristics:
- Network transport protocol: TCP/IP.
- Control protocol: a proprietary protocol protected from modification.
- Average performance loss when filtering packets: 2%.
- Supported protocols (proxy servers):
- telnet, rlogin, rsh;
- FTP, gopher;
- HTTP, HTTPS, AHTTP, SSL;
- SMTP, POP3;
- Lotus Notes, lpr and others (more than 20 in total).
Among the hardware and software systems, specific models developed in a networked version stand out. The products of Aladdin Software Security R.D. deserve attention here, in particular the Secret Disc and Secret Disc Server systems for protecting confidential information.
However, the requirement for mandatory certification of protection systems must be taken into account. Table 1 lists certified hardware and software protection systems.
Table 1. Certified hardware and software protection systems
Name | Developer | Characteristics |
Secret Net 3.1 | NIP «Inform-protection» | Protection of information stored and processed on stand-alone computers running DOS/Windows 3.x. |
Secret Net 4.0 | NIP «Inform-protection» | Protection of information stored and processed on stand-alone computers running Windows 95/98. |
Secret Net NT 4.0 | NIP «Inform-protection» | Protection of information stored and processed on stand-alone computers running Windows NT 4.0. |
Secret Net-0 | NIP «Inform-protection» | Protection of information stored and processed in a LAN. For installation on a server (zero license). |
Secret Net-4 | NIP «Inform-protection» | Protection of information stored and processed in a LAN. License for 4 workstations. |
Secret Net-8 | NIP «Inform-protection» | Protection of information stored and processed in a LAN. License for 8 workstations. |
Secret Net-16 | NIP «Inform-protection» | Protection of information stored and processed in a LAN. License for 16 workstations. |
Secret Net-32 | NIP «Inform-protection» | Protection of information stored and processed in a LAN. License for 32 workstations. |
Secret Net NT-0 | NIP «Inform-protection» | Protection of information stored and processed in a LAN running Windows NT 3.51–4.0. Basic kit for installation on a server (zero license). |
Secret Net NT-5 | NIP «Inform-protection» | Protection of information stored and processed in a LAN running Windows NT 3.51–4.0. License for 5 workstations. |
Secret Net NT-10 | NIP «Inform-protection» | Protection of information stored and processed in a LAN running Windows NT 3.51–4.0. License for 10 workstations. |
Secret Net NT-25 | NIP «Inform-protection» | Protection of information stored and processed in a LAN running Windows NT 3.51–4.0. License for 25 workstations. |
Secret Net NT-50 | NIP «Inform-protection» | Protection of information stored and processed in a LAN running Windows NT 3.51–4.0. License for 50 workstations. |
SS-PC-1 | NIP «Inform-protection» | Corporate-network security system: Secret Net security management tool, version 4.0. Centralized management of the information security system, of the parameters of the integrity control and cryptographic protection subsystems, monitoring of the system security status, and management of subordinate security servers. Class C security server: up to 50 protected servers and workstations. |
SS-PB-1 | NIP «Inform-protection» | Corporate-network security system: Secret Net security management tool, version 4.0. Centralized management of the information security system, of the parameters of the integrity control and cryptographic protection subsystems, monitoring of the system security status, and management of subordinate security servers. Class B security server: up to 250 protected servers and workstations. |
SS-PA-1 | NIP «Inform-protection» | Corporate-network security system: Secret Net security management tool, version 4.0. Centralized management of the information security system, of the parameters of the integrity control and cryptographic protection subsystems, monitoring of the system security status, and management of subordinate security servers. Class A security server: unlimited number of protected servers and workstations. |
C-9X-5 | NIP «Inform-protection» | Information security system for workstations and network servers («security server clients»). Protection of information stored and processed on workstations and servers of the corporate network running Windows 95/98/NT. |
«Sobol» | NIP «Inform-protection» | Electronic lock: access control to the PC and software integrity control before the OS loads. |
Dallas Lock 4.0 | Association «Confident» | Protection of information stored and processed in a LAN and on stand-alone computers running Novell NetWare 3.11–4.11, MS-DOS, PC DOS, Windows for Workgroups 3.11, Windows 95, Windows NT 4.0 Workstation. SVT protection class 4. |
Dallas Lock 4.1 | Association «Confident» | Protection of information stored and processed in a LAN and on stand-alone computers running Novell NetWare 3.11–4.11, MS-DOS, PC DOS, Windows for Workgroups 3.11, Windows 95, Windows NT 4.0 Workstation. SVT protection class 3. |
ACCORD | Association «Confident» | Protection against unauthorized access and control of access to system resources on IBM-compatible computers. |
DIK | «Nienschanz-Zashchita» | Protection of information stored and processed in a LAN and on stand-alone computers running Novell NetWare 3.11–4.11, MS-DOS, PC DOS, Windows for Workgroups 3.11, Windows 95. |
4. Protection of SVT from technical intelligence means preventing the interception of protected information outside the controlled zone of the computing facility and eliminating the possibility of uncontrolled interception and recording of this information inside the zone.
A special place is occupied by the protection of information from leakage through technical channels formed by side electromagnetic emissions and interference (SEMI; this is the class of compromising emanations addressed by TEMPEST in Western usage). This leakage channel gives the violator several advantages:
- information is obtained without direct contact with its source;
- information is obtained in real time.
This long-known leakage channel remains relevant to this day, and at present it is the most interesting one from the standpoint of information protection. The main problem is that the code settings of ciphers, the hardware and software protection complexes, and all the other devices in the pyramid described above are translated in one way or another into electrical signals that can be correctly decoded. This applies above all to decoding monitor signals. Professional equipment for intercepting monitor emissions and reconstructing the displayed image is quite expensive, but the value of the information fully covers the cost. Interception via printer and keyboard emissions is sometimes possible at even lower cost, since the information is transmitted as a serial code all of whose parameters are known.
The following protective measures are used: shielding of premises, energy masking devices, and purchasing and installing protected SVT (SVT with low emission levels) at the facility. The active method uses special broadband noise transmitters, but it has drawbacks: first, its electromagnetic compatibility has not been properly worked out, and second, the generators are not safe for health.
The passive method of protecting confidential information significantly improves the environmental safety of the user's workplace, does not violate electromagnetic compatibility standards, and ensures normal operating conditions for the components of the computer equipment. Its essence is the selection of appropriate materials for shielding the emission source, the computer equipment itself: the shielding consists of applying special materials to the inner surface of the existing case. Computer equipment in a protected version also involves appropriate selection of components and assembly without unnecessary conductors, which act as antennas. Here the products of Nienschanz-Zashchita CJSC deserve attention; the company manufactures and supplies computer equipment protected from information leakage through technical channels. The technology it developed, based on passive methods, made it possible to protect information from leakage through technical channels in the Flagman-Z computer without additional technical means.
The principles of constructing distributed systems set out above make it possible to solve the problem of secure data processing. It should be noted that only an integrated approach can solve this problem under the real operating conditions of an enterprise; in particular, it is what makes information protection most robust and reliable.
Literature
1. Gerasimenko V.A. Problems of data protection in data processing systems // Foreign Radio Electronics, 1989, No. 12, pp. 5–21.
2. Law of the Russian Federation “On State Secrets”
3. Law of the Russian Federation “On Information, Informatization, and Information Protection”