Information security of USB over IP hardware solutions

I recently shared my experience of finding a solution for organizing centralized access to electronic security keys in our organization. In the comments, a serious issue was raised about the information security of USB over IP hardware solutions, which also worries us a lot.

So, first of all, let's define the initial conditions.

  • A large number of electronic security keys.
  • They need to be accessed from different geographic locations.
  • We are considering only USB over IP hardware solutions and are trying to secure this solution by taking additional organizational and technical measures (we are not considering the issue of alternatives yet).
  • Within the framework of the article, I will not fully describe the threat models we are considering (much can be found in ARTICLES), but I will focus on two points. We exclude social engineering and illegal actions of the users themselves from the model. We are considering the possibility of unauthorized access to USB devices from any of the networks without regular credentials.


To ensure the security of access to USB devices, organizational and technical measures have been taken:

1. Organizational security measures.

The managed USB over IP hub is installed in a high-quality server cabinet that can be locked with a key. Physical access to it is regulated (access control to the premises itself, video surveillance, keys and access rights for a strictly limited circle of people).

All USB devices used in the organization are conditionally divided into 3 groups:

  • Critical. Financial EDS - used in accordance with the recommendations of banks (not via USB over IP).
  • Important. EDS for trading platforms, services, EDI, reporting, etc., and a number of software keys - used through the managed USB over IP hub.
  • Not critical. A number of software keys, cameras, a number of flash drives and disks with non-critical information, and USB modems - used through the managed USB over IP hub.

2. Technical security measures.

Network access to the managed USB over IP hub is provided only within an isolated subnet. Access to the isolated subnet is provided:

  • from a terminal server farm,
  • via VPN (certificate plus password) from a limited number of computers and laptops, which are assigned permanent addresses on the VPN,
  • over the VPN tunnels connecting regional offices.

On the managed USB over IP hub DistKontrolUSB, using its standard tools, the following functions are configured:

  • Encryption is used to access the USB devices of the USB over IP hub (SSL encryption is enabled on the hub), although this may already be superfluous.
  • "Restricting access to USB devices by IP address" is configured. Depending on the source IP address, the user is granted or denied access to the assigned USB devices.
  • "Restricting access to the USB port by login and password" is configured. Accordingly, users are assigned rights to access USB devices.
  • "Restricting access to a USB device by login and password" was deliberately not used, because all USB keys are permanently connected to the USB over IP hub and are not moved from port to port. It is more logical for us to provide users with access to a USB port in which a USB device is installed for a long time.
  • Physical enabling and disabling of USB ports is carried out:
    • For software and EDI keys - using the task scheduler and assigned tasks of the hub (a number of keys were programmed to turn on at 9.00 and turn off at 18.00, a number from 13.00 to 16.00);
    • For trading platform keys and a number of software keys - by authorized users through the WEB interface;
    • Cameras, a number of flash drives and disks with non-critical information are always on.
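The two lists above (network isolation of the hub's subnet, and the hub-side IP restriction, port login/password and port scheduling) form a chain of independent checks, and the useful property is that a request must pass all of them in order. The following Python model is an added example, not part of the original post and not DistKontrolUSB's software or configuration format; every subnet, login, password, port and schedule in it is constructed for illustration, and the per-port credential storage (salted PBKDF2) is my choice, not a claim about how the hub stores passwords. It shows that valid credentials presented from an address outside the isolated subnet, or outside a port's scheduled window, are still refused, and it returns the stage at which each request failed, which is the information worth logging when reviewing hub access.

```python
"""Model of layered USB over IP access checks (added example, constructed data)."""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from datetime import time
from typing import Dict, List, Optional, Tuple

# Constructed address plan (assumption, not the real network):
# only these ranges are routed into the hub's isolated subnet.
ALLOWED_SOURCES: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("10.77.0.0/24"),   # terminal server farm
    ipaddress.ip_network("10.78.1.0/28"),   # VPN clients with permanent addresses
    ipaddress.ip_network("10.90.0.0/16"),   # regional office tunnels, NET No. 1 ... N
]

_ITERATIONS = 100_000
_DUMMY_SALT = b"\x00" * 16  # hashed against when the login is unknown (constant-time path)


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_user(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a constructed port user."""
    salt = secrets.token_bytes(16)
    return salt, _pbkdf2(password, salt)


@dataclass
class Port:
    number: int
    device: str
    allowed_ips: List[ipaddress.IPv4Network]      # "restrict access by IP address"
    users: Dict[str, Tuple[bytes, bytes]]         # "restrict access to port by login/password"
    window: Optional[Tuple[time, time]] = None    # scheduler window; None = not scheduled
    powered: bool = True                          # manual on/off via the web interface


def check_access(port: Port, src_ip: str, login: str, password: str,
                 now: time) -> Tuple[bool, str]:
    """Evaluate the checks in the order the measures above impose them."""
    ip = ipaddress.ip_address(src_ip)
    # 1. Network isolation: the hub is reachable only from the isolated subnet,
    #    VPN clients and regional tunnels.
    if not any(ip in net for net in ALLOWED_SOURCES):
        return False, "source outside isolated subnet, VPN and tunnel ranges"
    # 2. Hub-side IP restriction for this specific port.
    if not any(ip in net for net in port.allowed_ips):
        return False, "source IP not permitted for this port"
    # 3. Port login/password. Unknown logins still cost one PBKDF2 so the
    #    response time does not reveal which logins exist.
    salt, digest = port.users.get(login, (_DUMMY_SALT, b""))
    if not hmac.compare_digest(_pbkdf2(password, salt), digest):
        return False, "invalid credentials"
    # 4. Physical port state: manual switch and scheduler window.
    if not port.powered:
        return False, "port switched off"
    if port.window is not None:
        start, end = port.window
        if not (start <= now < end):
            return False, "port powered off by schedule"
    return True, "granted"


def build_hub() -> Dict[int, Port]:
    """Constructed hub configuration mirroring the 'important' / 'not critical' groups."""
    return {
        1: Port(1, "EDI signing key",
                allowed_ips=[ipaddress.ip_network("10.77.0.0/24")],   # terminal farm only
                users={"edi_operator": make_user("edi-demo-pass")},
                window=(time(9, 0), time(18, 0))),
        2: Port(2, "trading platform key",
                allowed_ips=[ipaddress.ip_network("10.78.1.0/28"),
                             ipaddress.ip_network("10.90.0.0/16")],
                users={"trader": make_user("trader-demo-pass")},
                powered=True),                                         # toggled via web UI
        3: Port(3, "office camera",
                allowed_ips=ALLOWED_SOURCES,
                users={"viewer": make_user("viewer-demo-pass")}),      # always on
    }


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Constructed access attempts; each result names the stage that refused it."""
    hub = build_hub()
    office_hours, night = time(9, 30), time(22, 0)
    return {
        "terminal_edi_in_hours":   check_access(hub[1], "10.77.0.15", "edi_operator", "edi-demo-pass", office_hours),
        "terminal_edi_after_hours": check_access(hub[1], "10.77.0.15", "edi_operator", "edi-demo-pass", night),
        "internet_valid_creds":    check_access(hub[1], "203.0.113.5", "edi_operator", "edi-demo-pass", office_hours),
        "vpn_client_wrong_port":   check_access(hub[1], "10.78.1.3", "edi_operator", "edi-demo-pass", office_hours),
        "vpn_trader_bad_password": check_access(hub[2], "10.78.1.3", "trader", "wrong", office_hours),
        "vpn_trader_ok":           check_access(hub[2], "10.78.1.3", "trader", "trader-demo-pass", office_hours),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:28s} {'ALLOW' if ok else 'DENY ':5s} {why}")
```

The ordering matters for what the hub's logs can tell you: a denial at stage 1 should never appear in the hub's own log if the network isolation is working, so its presence there is itself a finding, while a burst of stage 3 denials from an allowed address is the pattern worth alerting on.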

We assume that such organization of access to USB devices ensures their safe use:

  • from regional offices (conditionally NET No. 1 ... NET No. N),
  • for a limited number of computers and laptops connecting USB devices via the global network,
  • for users published on terminal application servers.

In the comments, I would like to hear specific practical measures that increase the information security of providing global access to USB devices.

Source: habr.com
