Functional capabilities of the FPSU-IP complexes.
The main functional capabilities of the FPSU-IP complexes are:
• filtering IP packets based on the criteria of compliance with the main «RFC Recommendations for IP Networks»: address validity, size correlation, checksum correctness, etc.;
• IP packet filtering in accordance with rules set by administrators, based on the IP addresses of the sender and recipient, the frames encapsulated in the IP protocol, the time and date of packet transmission, the permitted subscriber ports (for TCP/UDP packets), and the pairs of subscriber addresses between which a connection is allowed;
• translation of network addresses of the sender and recipient in inter-network tunnels, hiding the internal addresses of the subject and object of information interaction;
• concealment of application functions of the protected network and the network protocols they use;
• identification and authentication of interacting FPSUs using methods that are resistant to active interception of information in the network;
• compression of inter-network traffic using a specialized compressor to reduce the costs of companies using corporate networks by reducing traffic and increasing data exchange rates;
• organization of virtual private networks (VPNs) in corporate and public networks based on multiple FPSUs using data tunneling;
• concealment of the fact that the protective properties of the complex are being used;
• prohibition of TCP/UDP connections to individual subscribers of the protected area on ports whose serving software has known implementation errors;
• additional processing of specific IP options in order to exclude the possibility of disclosing the topology of the protected network from the outside;
• registration of information about the functioning of the complex in a special MIB-like storage;
• use of the complex's own protected operating environment to prevent unauthorized modification of software and introduction of destructive software effects;
• ensuring protection against unauthorized access to the information and resources of the complex by identifying the administrator, engineer and operators, with registration of their actions, using a non-copyable unique electronic identifier and the contents of its memory («Touch Memory»).
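The first capability above, filtering on basic RFC compliance (address validity, size correlation, checksum correctness), is illustrated by the following added example. It is not code from the FPSU-IP product or from the original page; it parses a constructed IPv4 packet and reports the first failed sanity check, the way a firewall's pre-filter would drop malformed packets before any rule-based filtering.

```python
import struct
import ipaddress


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def check_ipv4_packet(pkt: bytes):
    """Return None if the packet passes the basic sanity checks,
    otherwise a short string naming the first check that failed."""
    if len(pkt) < 20:
        return "short header"
    version, ihl = pkt[0] >> 4, pkt[0] & 0x0F
    if version != 4:
        return "bad version"
    hlen = ihl * 4
    if ihl < 5 or hlen > len(pkt):
        return "bad ihl"
    total_len = struct.unpack("!H", pkt[2:4])[0]
    # size correlation: the declared total length must match the bytes received
    if total_len != len(pkt) or total_len < hlen:
        return "length mismatch"
    # header checksum: recompute with the checksum field zeroed and compare
    hdr = pkt[:10] + b"\x00\x00" + pkt[12:hlen]
    if ip_checksum(hdr) != struct.unpack("!H", pkt[10:12])[0]:
        return "bad checksum"
    # address validity: a sender must be a unicast, non-loopback, non-zero host
    src = ipaddress.IPv4Address(pkt[12:16])
    if (src.is_multicast or src.is_loopback or src.is_unspecified
            or src == ipaddress.IPv4Address("255.255.255.255")):
        return "bad source address"
    return None


def build_ipv4(src: str, dst: str, payload: bytes, *, corrupt=False) -> bytes:
    """Construct a minimal IPv4/UDP packet as test input (constructed data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, 17, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = ip_checksum(hdr) ^ (1 if corrupt else 0)  # optionally flip one bit
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload
```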
Testing of FPSU-IP complexes
In March 1999, the Bank of Russia's multifunctional test facility conducted two-week tests of the FPSU-IP systems, simulating various conditions of their use. Taking this opportunity, we thank all the participants and organizers of these extremely useful tests, with special thanks to the Bank of Russia's expert specialists who creatively applied their extensive experience in testing other information security tools, including those for similar purposes, and who made very useful suggestions for the further development of the FPSU-IP systems.
The main results of these tests were as follows:
1. The FPSU-IP systems successfully passed all types of tests and functioned stably in all modes.
2. When measuring their throughput in various modes, the characteristics presented in Table 1 were obtained. Testing was carried out on HP Vectra computers (Pentium 200, 32 Mb RAM, 3COM 3C905 10/100 network adapters).
Table 1
3. When measuring the impact of the FPSU-IP complexes on the performance of common IP services over different types of channels (Frame Relay, X.25 and PPP) at speeds of 256.0, 64.0 and 19.2 Kbps, it was found that, thanks to effective data compression with an MTU of 256 to 1500 bytes, the speed is increased by two or more times when transmitting text information, and a smaller speed increase (approximately 10%) is also achieved when transmitting archived data.
4. When building a VPN (tunneling mode), the overhead costs for corporate network traffic are minimal and, in extreme cases (if the packet data is incompressible), amount to no more than 18-20 bytes per packet.
In general, based on the testing results, the FPSU-IP complexes were recognized as capable of satisfying the various requirements placed on the means of constructing reliably protected corporate networks, provided that a number of proposals for extending their functional capabilities are implemented (primarily remote control tools similar to those used in the FPSU-X.25 complexes, and appropriate processing and tunneling of router control and service information). Below is the logical structure of organizing a VPN using the FPSU-IP complexes.
Logical structure of organizing a VPN using the FPSU-IP complexes
Fig. 1. Logical structure of VPN organization using FPSU-IP complexes
The diagram in Fig. 1 clearly demonstrates the possibilities of building effective virtual private networks that meet the requirements of various Russian organizations. Using the cascade connection of the complexes shown in the diagram, it is possible to implement «nested» VPNs, including isolating the network management tools in a separate secure logical network. At the same time, the filtering mechanisms, strict authentication of interaction, and the formation of various logical access groups used in the FPSU-IP complexes allow a particular security policy to be applied flexibly in complex corporate information networks.
It should be emphasized that we continue to work on developing the functionality of the FPSU-IP complexes within the framework of the proposals formed by the expert specialists of the Bank of Russia. Therefore, if you are interested in these complexes, including their further development, you can obtain more detailed information on our website (HTTP://ORC.RU/-AMICON).
Fig. 2. Efficiency of FPSU modes for different MTUs when exchanging text data over a 64 Kbit/s channel (PPP)