Centralized access to EDS and other electronic security keys using hardware USB over IP

I would like to share our years of experience in finding a solution for centralized, streamlined access to the electronic security keys used in our organization (keys for access to marketplaces, online banking, software licence keys, etc.). Our branches are geographically far apart, each of them holds several electronic security keys, and the need for a given key constantly arises, but in a different branch from the one where it is kept. After yet another scramble over a lost key, management set the task: solve this problem by collecting ALL USB security devices in one place and making them work regardless of where the employee is located.

So, we need to collect in one office all the client-bank keys, 1C licences (HASP), Rutokens, ESMART Token USB 64K and similar devices available in our company, for subsequent use on remote physical and virtual Hyper-V machines. There are 50-60 USB devices, and this is certainly not the limit. The virtualization servers are located outside the office (in a data center); all USB devices are located in the office.

We studied the existing technologies for centralized access to USB devices and decided to focus on USB over IP. It turns out that many organizations use this approach. There are both hardware and software USB over IP solutions on the market, but the software ones did not suit us. Accordingly, below we will only talk about the choice of a hardware USB over IP device and, first of all, about our own choice. Unnamed devices from China we also excluded from consideration.

The most widely described hardware USB over IP solutions on the Internet are devices made in the USA and Germany. For a detailed study we purchased the large rack version of the US USB over IP device, designed for 14 USB ports and mountable in a 19-inch rack, and the German USB over IP device, designed for 20 USB ports and also mountable in a 19-inch rack. Unfortunately, these manufacturers did not offer USB over IP devices with more ports.

The first device is very expensive and interesting (the Internet is full of reviews), but it has one very big minus: there is no authorization for connecting to USB devices. Anyone who installs the USB connection application gets access to all the keys. In addition, as practice showed, the USB device "esmart token est64u-r1" is unusable with this device and, looking ahead, with the German one on Windows 7: connecting to it caused a persistent BSOD.

The second USB over IP device seemed more interesting to us. It has a large set of network-related settings. Its interface is logically divided into sections, so the initial setup was quite simple and quick. But, as mentioned above, there were problems connecting a number of keys.

Studying hardware USB over IP further, we came across domestic manufacturers. The range includes 16-, 32-, 48- and 64-port versions with 19" rack mounting. The functionality described by the manufacturer was even richer than that of the USB over IP devices purchased earlier. What I liked initially was that the domestic managed USB over IP hub provides two-stage protection for USB devices shared over the network:

  1. Remote physical switching of USB devices on and off;
  2. Authorization for connecting to USB devices by login, password and IP address;
  3. Authorization for connecting to USB ports by login, password and IP address;
  4. Logging of all switch-ons and client connections to USB devices, as well as attempts to do so (incorrect password entry, etc.);
  5. Traffic encryption (which, in principle, was also not bad on the German model);
  6. Additionally, it suited us that the device, although not cheap, was several times cheaper than those purchased earlier (the difference becomes especially significant per port; we were considering a 64-port USB over IP device).
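To make the access-control model in the list above concrete, here is an added example (not the hub vendor's code, and not part of the original post) that models the two stages in Python: stage one is the physical power state of a port, stage two is an access rule on the device or the port that checks login, password and the client's source IP, and every attempt, successful or not, is written to an audit log that a defender can later query for failed connections. The data model (`Hub`, `Port`, `Rule`), the salted PBKDF2 password storage and the sample device identifiers are all assumptions constructed for the illustration.

```python
"""Model of the two-stage USB-over-IP access control described in the post.

Hypothetical, constructed example: it is not the hub vendor's code. It assumes
a simple data model: a hub with powered/unpowered ports, per-port and
per-device access rules keyed on login, password hash and client network, and
an audit log of every connection attempt.
"""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Optional


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salthex:digesthex' using PBKDF2-HMAC-SHA256 (assumed storage format)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against the stored salted hash."""
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class Rule:
    """Who may connect: a login, its password hash and the permitted client networks."""
    login: str
    password_hash: str
    networks: list  # ipaddress.ip_network objects the client must come from

    def permits(self, login: str, password: str, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        return (
            login == self.login
            and verify_password(password, self.password_hash)
            and any(ip in net for net in self.networks)
        )


@dataclass
class Port:
    number: int
    powered: bool = False              # stage 1: remote physical on/off
    device_id: Optional[str] = None    # constructed id of the attached token, None if empty
    rules: list = field(default_factory=list)  # stage 2: per-port rules


@dataclass
class Hub:
    ports: dict                                        # port number -> Port
    device_rules: dict = field(default_factory=dict)   # device_id -> [Rule]
    audit_log: list = field(default_factory=list)      # one dict per attempt

    def _log(self, **event) -> None:
        self.audit_log.append(event)   # passwords are never written to the log

    def connect(self, port_no: int, login: str, password: str, client_ip: str) -> bool:
        """Return True if the client may attach the device on port_no; log every attempt."""
        port = self.ports[port_no]
        if not port.powered or port.device_id is None:
            self._log(port=port_no, login=login, ip=client_ip, result="port_off_or_empty")
            return False
        # A rule on either the port or the specific device is sufficient.
        rules = port.rules + self.device_rules.get(port.device_id, [])
        if any(r.permits(login, password, client_ip) for r in rules):
            self._log(port=port_no, device=port.device_id, login=login, ip=client_ip, result="connected")
            return True
        self._log(port=port_no, device=port.device_id, login=login, ip=client_ip, result="denied")
        return False

    def failed_attempts(self, login: Optional[str] = None) -> list:
        """Audit helper: every attempt that did not end in a connection."""
        return [e for e in self.audit_log
                if e["result"] != "connected" and (login is None or e["login"] == login)]


def build_demo():
    """Constructed sample data: one powered port holding a token, one unpowered port."""
    accountant = Rule("ivanova", hash_password("correct horse"),
                      [ipaddress.ip_network("10.20.0.0/24")])
    hub = Hub(ports={
        1: Port(1, powered=True, device_id="TOKEN-0001", rules=[accountant]),
        2: Port(2, powered=False, device_id="HASP-0007"),
    })
    results = {
        "ok": hub.connect(1, "ivanova", "correct horse", "10.20.0.15"),
        "wrong_password": hub.connect(1, "ivanova", "wrong", "10.20.0.15"),
        "wrong_network": hub.connect(1, "ivanova", "correct horse", "192.168.1.5"),
        "port_powered_off": hub.connect(2, "ivanova", "correct horse", "10.20.0.15"),
    }
    return hub, results


if __name__ == "__main__":
    hub, results = build_demo()
    print(results)
    for event in hub.failed_attempts():
        print("FAILED:", event)
```

The point of the model is that a powered-off port refuses the connection before any credential is checked, and that a valid password from the wrong network is still denied; both outcomes land in the same audit log as the successful connection, which is what makes the "attempts" logging in item 4 useful for detection.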

We decided to check with the manufacturer about support for the two types of smart tokens that had had connection problems earlier. We were told that they do not give a 100% guarantee of support for absolutely all USB devices, but had so far not found a single device that caused problems. This answer did not quite satisfy us, so we offered to send the manufacturer the tokens for testing (fortunately, shipping by a transport company cost only 150 rubles, and we have enough old tokens). 4 days after the keys were sent we received the connection details and connected to them without difficulty from Windows 7, Windows 10 and Windows Server 2008. Everything worked fine: we connected our tokens without any problems and were able to work with them.
We purchased a managed USB over IP hub with 64 USB ports. We used all 64 ports, attached to 18 computers in different branches (32 keys; the rest flash drives, hard drives and 3 USB cameras), and all devices worked without problems. Overall, we were satisfied with the device.

I do not give the names of the USB over IP devices or their manufacturers (so as not to advertise); they are easy enough to find on the Internet.

Source: habr.com