
Hardware and software complex that implements the functions of a cryptographic gateway. Overview of cryptographic gateways of Russian and foreign manufacturers

From Wikipedia, the free encyclopedia

Crypto gateway (cryptographic gateway, VPN gateway, crypto router): a hardware and software complex for cryptographic protection of data, voice and video traffic. It encrypts packets with the IPsec AH and/or IPsec ESP protocols when a connection is established, meets the FSB of Russia requirements for cryptographic information protection facilities (CIPF) and provides the basic functionality of a modern VPN device ...

Purpose

The crypto gateway is designed to ensure the information security of an organization: to protect its information networks from intrusion from data transmission networks (the Internet), to ensure confidentiality when information is transferred over open communication channels (VPN), and to organize secure user access to the resources of public networks.

The crypto gateway provides the basic functionality of a modern VPN device:

  1. confidentiality and integrity of the IP packet stream;
  2. hiding the network topology by encapsulating traffic in a secure tunnel;
  3. transparency for NAT;
  4. authentication of network nodes and users;
  5. a single security policy for mobile and "internal" users (dynamic assignment of corporate IP addresses to remote users "inside the VPN").

Crypto gateways are represented both in the segment of VPN devices and in the segment of unified devices (UTM) that combine several security tools in one.

Crypto gateways differ from ordinary VPN routers in that they operate on the basis of IPsec and protect information transmitted over communication channels with algorithms that meet Russian cryptographic standards (the GOST 28147-89 block cipher and the GOST R 34.10-2001 digital signature).

Access to information system resources

Crypto gateways give remote subscribers secure access to the resources of the corporate information system. Access is made through special software installed on the user's computer (a VPN client) that handles secure interaction between remote and mobile users and the crypto gateway.

The crypto gateway software (access server) identifies and authenticates the user and mediates access to the resources of the protected network. Crypto gateways are used to form virtual secure channels in public networks (for example, the Internet) that guarantee the confidentiality and authenticity of information, and to build virtual private networks (VPNs): local networks or individual computers connected to a public network are combined into a single secure virtual network. Such a network is usually managed by special software (a control center) that centrally manages the local security policies of the VPN clients and crypto gateways, sends them key material and new configuration data, and maintains the system logs.


APKSH "Continent" IPC-25 is a compact crypto gateway for a small office. APKSH "Continent" is a powerful and flexible VPN tool for building a VPN of any architecture. It provides cryptographic protection (in accordance with GOST 28147-89) of information transmitted over open communication channels between VPN components (local area networks, their segments and individual computers), encrypting each data packet with a unique key so that intercepted data cannot be decrypted. A traffic filtering system protects against intrusion. VoIP, video conferencing, GPRS, 3G, LTE, ADSL, dial-up and satellite communication channels are supported, as is NAT/PAT to hide the network structure.

APKSH "Continent" is designed to solve the following typical tasks:

  • comprehensive network protection
  • Provides the ability to combine geographically distributed branches of the organization into a single secure network.
  • Provides protection of remote access of employees to the corporate network.

Manufacturer: Security Code LLC


Version comparison

Model                                       IPC-25          IPC-100         IPC-400         IPC-1000
Price                                       180,000 RUB     270,000 RUB     665,000 RUB     1,021,000 RUB
VPN performance (encryption + firewall)     up to 50 Mbps   up to 300 Mbps  up to 500 Mbps  up to 950 Mbps
Firewall performance (open traffic)         up to 100 Mbps  up to 400 Mbps  up to 1 Gbps    up to 1 Gbps
Max concurrent TCP sessions (keep-state)    10,000          250,000         350,000         1,000,000
Secure connections (VPN tunnels)            25              unlimited       unlimited       unlimited

Hardware configuration:

  • Form factor: Mini-ITX, 1U height
  • Dimensions (H x W x D): 155 x 275 x 45 mm
  • CPU: Intel Atom C2358, 1743 MHz
  • RAM: SODIMM DDR3 DRAM, 2 GB, PC-1333
  • Network interfaces: 4x 1000BASE-T Ethernet 10/100/1000 RJ45 (implemented as easily replaceable modules)
  • Storage: SATA DOM module, 4 GB
  • Power supply: external AC adapter, 19 V output, 220 V input, 80 W
  • Reader: Touch Memory
  • Personal identifiers: Touch Memory iButton DS1992L, 2 pcs.
  • Built-in trusted boot module (APMDZ): PAK "Sobol" 3.0 (mini-PCIe)
  • USB flash drive: not less than 512 MB
  • Acoustic noise level at 100% load (ISO 7779 measurement method)
  • Embedded operating system: Continent OS, a security-enhanced OS based on the FreeBSD kernel

APKSH "Continent" 3.9 includes:

  • Network Control Center (NCC) of the crypto gateways: authenticates the crypto gateways (KSh) and the management/monitoring workstations, logs the state of the crypto gateway network, stores logs and crypto gateway configurations, distributes key and configuration information, manages cryptographic keys centrally and interacts with the control program.
  • Crypto gateway (KSh): a specialized hardware and software device that receives and transmits IP packets (static routing), encrypts packets (GOST 28147-89 in gamma-with-feedback mode, 256-bit key), protects transmitted data from tampering (GOST 28147-89 in MAC (imitovstavka) mode), filters packets, hides the network structure, registers events, notifies the NCC of its activity and of events requiring intervention, and monitors the integrity of its own software.
  • NCC control program (PU NCC): its main function is centralized control of the settings and operational monitoring of the state of all crypto gateways in the complex. Installed in the protected network on the administrator's workstation under MS Windows 2003/2008/7/8.
  • NCC and Access Server agent: establishes a secure connection and exchanges data with the NCC and the control program; receives log contents from the NCC, stores them and passes them to the control program; receives information about the operation of the complex from the NCC and passes it to the control program.
  • User authentication client: authenticates users working on computers in a protected network segment when they connect to a crypto gateway.
  • Subscriber station (Continent-AP): establishes a VPN tunnel between a remote user workstation and the organization's protected internal network. When connecting over public networks and the Internet it provides user authentication, dynamic address allocation, remote access to protected network resources over an encrypted channel, access over dedicated and dial-up channels, and access to public network resources.
  • Access server: connects remote subscriber stations to the protected network, authenticates users and determines their access level.
  • Access server management program (PU SD): notifies the network administrator promptly about security events and manages the settings of all access servers in the complex.
  • Attack detector "Continent": a software component that analyzes traffic arriving from a crypto gateway and filters out unauthorized intrusions. Works together with the Continent crypto gateway Network Control Center version 3.7 and higher.

Certificates

  • FSTEC of Russia: compliance with the guidance documents at the 2nd level of control for absence of undeclared capabilities (NDV) and the 2nd security class for firewalls; may be used to build automated systems up to security class 1B inclusive and personal data information systems up to class 1 inclusive;
  • FSB of Russia: compliance with the requirements for firewall-type devices of security class 4;
  • FSB of Russia: compliance with the requirements for cryptographic information protection facilities of class KC3, with permission to use it for cryptographic protection of information that does not constitute a state secret;
  • Ministry of Telecom and Mass Communications of the Russian Federation: compliance with the established requirements for packet routing equipment, with permission to use it in public communication networks as packet switching and routing equipment.

Possibilities

The complex provides cryptographic protection of information (in accordance with GOST 28147-89) transmitted over open communication channels between VPN components, which can be local computer networks, their segments and individual computers.

The key scheme encrypts each packet under a unique key, giving a high degree of protection against decryption of intercepted data.

To protect against penetration from public networks, the Continent 3.6 complex filters received and transmitted packets by various criteria (source and destination addresses, protocols, port numbers, additional packet fields, etc.). VoIP, video conferencing, ADSL, dial-up and satellite communication channels are supported, as is NAT/PAT to hide the network structure.

Key features and characteristics of APKSH "Continent" 3.6

Effective protection of corporate networks

  • Secure VPN user access to public network resources
  • Cryptographic protection of transmitted data in accordance with GOST 28147-89

APKSH "Continent" 3.6 uses a modern key scheme in which each packet is encrypted under a unique key, giving a high degree of protection against decryption of intercepted data.

Data is encrypted in accordance with GOST 28147-89 in gamma-with-feedback mode. Protection of data from tampering is provided in accordance with GOST 28147-89 in MAC (imitovstavka) mode.

Cryptographic keys are managed centrally from the NCC.
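The encryption and integrity mechanisms named for the crypto gateway component above and in the two paragraphs just above (GOST 28147-89 in gamma-with-feedback mode for confidentiality and in MAC mode for tamper protection) can be followed end to end in code. The block below is an added example written for this page, not Security Code's code: a toy per-packet protection routine built on the GOST 28147-89 (Magma) block cipher with the RFC 7836 S-box set. The wire format (sequence number, ciphertext, 32-bit tag), the derivation of a per-packet key from a master key with HMAC-SHA256, and the demo key and inner packet are all assumptions made for illustration; the page does not say how Continent derives its per-packet keys, and no interoperability with the product is claimed.

```python
"""Added example: per-packet protection modelled on the page's description.
GOST 28147-89 (Magma) in gamma-with-feedback (CFB) mode for confidentiality,
16-round imitovstavka (MAC) for integrity. Illustrative only, not vendor code."""
import hashlib
import hmac
import struct

# S-box set id-tc26-gost-28147-param-set (RFC 7836), also used by Magma in RFC 8891.
SBOX = (
    (12, 4, 6, 2, 10, 5, 11, 9, 14, 8, 13, 7, 0, 3, 15, 1),
    (6, 8, 2, 3, 9, 10, 5, 12, 1, 14, 4, 7, 11, 13, 0, 15),
    (11, 3, 5, 8, 2, 15, 10, 13, 4, 1, 14, 7, 6, 0, 9, 12),
    (12, 8, 2, 1, 13, 4, 15, 6, 7, 0, 10, 5, 3, 14, 9, 11),
    (7, 15, 5, 10, 8, 1, 6, 13, 0, 9, 3, 14, 11, 4, 2, 12),
    (5, 13, 15, 6, 9, 2, 12, 10, 11, 7, 8, 1, 4, 3, 14, 0),
    (8, 14, 2, 5, 6, 9, 1, 12, 15, 4, 11, 0, 13, 10, 3, 7),
    (1, 7, 14, 13, 0, 5, 8, 3, 4, 15, 10, 6, 9, 12, 11, 2),
)
MASK32 = 0xFFFFFFFF


def _g(a, k):
    """Round function: add the subkey mod 2^32, eight 4-bit S-boxes, rotate left 11."""
    x = (a + k) & MASK32
    y = 0
    for i in range(8):
        y |= SBOX[i][(x >> (4 * i)) & 0xF] << (4 * i)
    return ((y << 11) | (y >> 21)) & MASK32


def _cycle(block, key, rounds):
    """Feistel cycle on one 64-bit block with a 256-bit key (eight 32-bit subkeys):
    32 rounds (K1..K8 three times, then K8..K1) for encryption, 16 (K1..K8 twice) for the MAC."""
    k = list(struct.unpack(">8I", key))
    order = k * 3 + k[::-1] if rounds == 32 else k * 2
    a1, a0 = struct.unpack(">II", block)
    for sk in order[:-1]:
        a1, a0 = a0, a1 ^ _g(a0, sk)
    a1 ^= _g(a0, order[-1])  # final round has no swap
    return struct.pack(">II", a1, a0)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cfb(key, iv, data, decrypt=False):
    """Gamma with feedback: gamma_i = E(C_{i-1}) with C_0 = IV, C_i = P_i xor gamma_i.
    Only the forward cipher is needed; a partial final block needs no padding."""
    out, prev = bytearray(), iv
    for off in range(0, len(data), 8):
        chunk = data[off:off + 8]
        block = _xor(chunk, _cycle(prev, key, 32))
        out += block
        prev = chunk if decrypt else block   # feedback is always the ciphertext block
    return bytes(out)


def imit(key, data):
    """Imitovstavka: zero-pad to 8 bytes, chain S = E16(S xor M_i), tag = low 32 bits of S."""
    padded = data + b"\x00" * (-len(data) % 8)
    state = bytes(8)
    for off in range(0, len(padded), 8):
        state = _cycle(_xor(state, padded[off:off + 8]), key, 16)
    return state[4:]


def packet_key(master, seq):
    """ASSUMPTION: the page says each packet gets a unique key but not how it is derived;
    HMAC-SHA256 over the sequence number is an illustrative stand-in, not the product's scheme."""
    return hmac.new(master, b"pkt" + struct.pack(">I", seq), hashlib.sha256).digest()


def protect(master, seq, inner_packet):
    """Sending gateway. Assumed ESP-like wire format: seq || ciphertext || 32-bit tag.
    The inner packet, private addresses included, sits entirely inside the ciphertext."""
    k = packet_key(master, seq)
    hdr = struct.pack(">I", seq)
    body = hdr + cfb(k, struct.pack(">Q", seq), inner_packet)
    return body + imit(k, body)  # encrypt-then-MAC over header and ciphertext


class Receiver:
    """Receiving gateway: verify the tag before decrypting, reject replayed sequence numbers."""

    def __init__(self, master):
        self.master, self.last_seq = master, -1

    def unprotect(self, wire):
        if len(wire) < 8:
            raise ValueError("truncated packet")
        seq = struct.unpack(">I", wire[:4])[0]
        k = packet_key(self.master, seq)
        body, tag = wire[:-4], wire[-4:]
        if not hmac.compare_digest(imit(k, body), tag):
            raise ValueError("integrity check failed")
        if seq <= self.last_seq:
            raise ValueError("replayed packet")
        self.last_seq = seq
        return cfb(k, struct.pack(">Q", seq), body[4:], decrypt=True)


# Constructed demo data: a pretend inner IP packet carrying private addresses.
MASTER_KEY = bytes(range(32))
INNER = b"IPv4 10.1.0.7 -> 10.2.0.15 TCP/443 GET /report HTTP/1.1"

if __name__ == "__main__":
    rx = Receiver(MASTER_KEY)
    wire = protect(MASTER_KEY, 1, INNER)
    print("inner addresses visible on the wire:", b"10.2.0.15" in wire)
    print("recovered intact:", rx.unprotect(wire) == INNER)
```

The receiver checks the tag before it decrypts and rejects a repeated sequence number, so a bit flip anywhere in the header or ciphertext is caught by the imitovstavka instead of yielding garbage, and the inner packet's private addresses never appear on the wire, which is the topology hiding the page refers to. The tag is 32 bits because that is what GOST 28147-89 defines; a forgery still has a 2^-32 chance per packet, which is why longer tags are preferred where the protocol allows.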

  • Firewalling - protection of internal network segments from unauthorized access

Crypto gateway "Continent" 3.6 filters received and transmitted packets by various criteria (source and destination addresses, protocols, port numbers, additional packet fields, etc.), which protects internal network segments from penetration from public networks.
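As an added example that is not part of the Continent product or its documentation, the filtering described above (and in the "Possibilities" section earlier) can be modelled as an ordered rule list evaluated first-match with a default deny. The `Rule` class, the `decide` and `shadowed` functions, the addresses and the rule set are all constructed for illustration.

```python
"""Added example: first-match packet filter on source/destination address, protocol
and destination port, default deny, plus detection of rules shadowed by an earlier
broader rule. Constructed for this page; not the vendor's filtering engine."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    src: str = "0.0.0.0/0"                   # CIDR
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None              # "tcp", "udp", "icmp" or None for any
    dport: Optional[Tuple[int, int]] = None  # inclusive port range, or None for any

    def matches(self, src, dst, proto, dport):
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None:
            if dport is None or not self.dport[0] <= dport <= self.dport[1]:
                return False
        return True

    def covers(self, other):
        """True if every packet that matches `other` also matches self."""
        if not ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src)):
            return False
        if not ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst)):
            return False
        if self.proto is not None and self.proto != other.proto:
            return False
        if self.dport is not None:
            if other.dport is None or other.dport[0] < self.dport[0] or other.dport[1] > self.dport[1]:
                return False
        return True


def decide(rules, src, dst, proto, dport=None):
    """First matching rule wins; an unmatched packet is dropped (default deny).
    Returns (action, index of the rule that fired, or None for the implicit deny)."""
    for i, rule in enumerate(rules):
        if rule.matches(src, dst, proto, dport):
            return rule.action, i
    return "deny", None


def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, rule in enumerate(rules) if any(rules[i].covers(rule) for i in range(j))]


# Constructed policy for a protected segment 10.2.0.0/24 behind the gateway.
RULES = [
    Rule("permit", dst="10.2.0.15/32", proto="tcp", dport=(443, 443)),                 # public HTTPS
    Rule("permit", src="10.1.0.0/24", dst="10.2.0.53/32", proto="udp", dport=(53, 53)),  # DNS from branch
    Rule("deny", dst="10.2.0.0/24"),                                                     # everything else inbound
    Rule("permit", src="10.2.0.0/24"),                                                   # outbound from the segment
    Rule("permit", dst="10.2.0.15/32", proto="tcp", dport=(22, 22)),                    # never reached
]

if __name__ == "__main__":
    print(decide(RULES, "203.0.113.9", "10.2.0.15", "tcp", 443))
    print(decide(RULES, "203.0.113.9", "10.2.0.15", "tcp", 22))
    print("shadowed rules:", shadowed(RULES))
```

The shadow check is the part practitioners most often lack: the last rule above can never fire because the broad deny before it already covers every packet it would match, which is the ordering mistake that silently neutralizes a rule when rules are appended to a policy over time.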

  • Secure access for remote users to VPN resources

Special software "Continent AP", which is a part of APKSH "Continent" 3.6, allows you to organize secure access from remote computers to the corporate VPN-network.

  • Creation of information subsystems with shared access at the physical level

In APKSH "Continent" 3.6, each crypto gateway can have 1 external and 3 to 9 internal interfaces. This greatly extends the ability to configure the network in accordance with corporate security policy; in particular, several internal interfaces let you separate the subnets of the organization's departments at the network-card level and set the required degree of interaction between them.

Key features and capabilities

  • Support for common communication channels

Working through Dial-Up connections, ADSL equipment connected directly to the crypto gateway, as well as through satellite communication channels.

  • "Transparency" for any applications and network services

Crypto gateways "Continent" 3.6 are "transparent" for any applications and network services using the TCP / IP protocol, including such multimedia services as IP telephony and video conferencing.

  • Working with high priority traffic

The traffic prioritization mechanism implemented in Continent 3.6 protects voice (VoIP) and video conferencing traffic without loss of communication quality.

  • Reserving guaranteed bandwidth for certain services

Reservation of guaranteed bandwidth for certain services ensures the passage of e-mail traffic, document management systems, etc. even with the active use of IP-telephony on low-speed communication channels.

  • VLAN support

VLAN support ensures easy integration of APKSH into a network infrastructure divided into virtual segments.

  • Hide the internal network. Support for NAT / PAT technologies

Support for NAT / PAT technology allows you to hide the internal structure of protected network segments when transmitting open traffic, as well as organize demilitarized zones and segment protected networks.

Hiding the internal structure of protected segments of the corporate network is carried out:

    • by the method of encapsulation of transmitted packets (when encrypting traffic);
    • using network address translation (NAT) technology when working with public resources.
  • Integration with intrusion detection systems

On each crypto gateway one interface can be designated for checking the traffic passing through the gateway for unauthorized access attempts (network attacks). To do this, the interface is defined as a "SPAN port" and a computer with an intrusion detection system (for example, RealSecure) is connected to it. After that, all packets arriving at the input of the crypto gateway's packet filter are mirrored to this interface.

  • Service and management

Convenience and ease of maintenance (unattended 24x7 operation)

APKSH "Continent" 3.6 does not require constant local administration and can operate unattended 24x7x365. The industrial computers on which the complex is built, together with hot and cold standby, ensure uninterrupted operation.

The complex provides prompt notification of administrators about events requiring prompt intervention in real time.

  • Remote software update of crypto gateways

The complex has solved the problem of updating the KSH software in geographically distributed systems. The software update is loaded into the complex centrally, sent to all crypto gateways included in the complex, and automatically installed.

  • Providing fault tolerance

The fault tolerance of the Complex is ensured by the following measures:

    • Hardware redundancy of crypto gateways (a high-availability cluster). If one crypto gateway fails, switchover to the standby one is automatic, without administrator intervention and without breaking established connections.
    • Automatic backup of the configuration files of the complex. Provides quick recovery of network operation in case of hardware failure.
  • Centralized network management

Centralized network management is carried out using the NCC and a management program that allows you to interactively change the settings of all crypto gateways in the network and monitor their current state.

Real-time display of the status of all devices at the administrator's workplace allows you to timely identify deviations from the normal functioning process and promptly respond to them.

  • Role-based management - separation of powers for the administration of the complex

The possibility of division of powers for the administration of the complex, for example, for managing key information, for assigning access rights to protected resources, for adding new components, for auditing user actions (including other administrators), has been implemented.

  • Interaction with network management systems

Allows the state of APKSH "Continent" 3.6 to be monitored over SNMPv2 from global network management systems (Hewlett-Packard, Cisco, etc.).

Today, an organization's effective operation requires information transfer between remote divisions and constant access to corporate services from anywhere in the world. VPN (Virtual Private Network) technology was developed to protect information transmitted over public communication channels. With a VPN, information is exchanged with a remote local network over a virtual channel across the Internet that imitates a private point-to-point connection (an encrypted VPN tunnel, or a whole VPN network, is created).

Since VPN technology involves cryptography (encryption), under the laws of the Russian Federation cryptographic means (crypto routers / crypto gateways / VPN gateways) of the following types may be used on the territory of Russia:

  • Western cryptography with key length up to 56 bits inclusive;
  • Western cryptography with key length over 56 bits, subject to notification of the FSB of Russia by the customer;
  • Russian cryptography (GOST 28147-89, GOST R 34.10-2012, GOST R 34.11-2012).

In response to market demand and the legislation on cryptographic means, AltEl has integrated a proprietary cryptographic core based on the GOST 28147-89 algorithm into the ALTELL NEO VPN gateway. This allows ALTELL NEO to be used to combine remote branches into a single VPN, to give mobile employees access to the organization's local network (using the ALTELL VPN client for mobile devices) and to exchange data securely between branches and counterparties. The wide ALTELL NEO model range covers the secure interconnection of companies of any size, from a small remote office to the headquarters of a large holding with several thousand employees.

As a crypto gateway, ALTELL NEO lets remote users connect over a secure channel (a VPN tunnel) to the organization's local network without lowering its security level. Users can be allowed access only to specific servers or specific services. To work remotely from mobile devices, a VPN client must be installed.

Topology

Below is a diagram of a VPN connection between company branches using the ALTELL NEO crypto router (Fig. 1). The VPN tunnel is built on domestic or Western cryptographic algorithms (GOST or AES-128 over IPsec or OpenVPN). Inside the tunnel, traffic from converged networks can be carried: data, voice, video.

Fig.1 Establishing a VPN connection between branches.

Figure 2 shows a diagram of organizing a VPN connection with remote users. A VPN client is installed on mobile devices, through which the user gains secure access to the organization's network.

Fig. 2 Organization of VPN connection with mobile users.

Currently ALTELL NEO VPN gateway supports the following types of VPN connections:

Advantages

  • the ability to access internal IT resources of the enterprise from remote branches;
  • traffic protection using domestic or Western cryptoalgorithms (GOST / AES128 over IPsec or OpenVPN);
  • uninterrupted operation due to the organization of a scheme with a redundant provider or the use of redundant routed rings in the topology;
  • organization of a high availability scheme;
  • the ability to securely work in the internal network of the enterprise for individual single users from the home office or anywhere on the Internet;
  • filtering unwanted traffic in the VPN channel;
  • the ability to allocate protected segments in existing networks;
  • no changes to the existing IT infrastructure;
  • scalable VPN network;
  • a wide range of tools for building a VPN network;
  • fast deployment and initial configuration;
  • ease of use of the system.

Certificates

The ALTELL NEO crypto gateway has all the certificates needed for use as an information protection tool, including FSTEC of Russia certificates for firewall classes ME2/ME3/ME4 and undeclared-capability control levels NDV2/NDV3, which allow this VPN gateway to be used to protect automated systems up to class 1B inclusive and to build secure personal data information systems (ISPDn) up to class K1 inclusive under Federal Law 152-FZ "On Personal Data".

Free testing

All ALTELL NEO models are available for testing in your organization for free. To get the model you are interested in, you must fill out an application. You can also select the device configuration (additional memory, expansion modules, software version, etc.) and calculate the approximate price of the device using

The article briefly describes the trends in the global VPN market, examines the popular crypto gateways on the Russian market, and provides their key features.

Introduction

Cryptographic gateway (crypto gateway, crypto router, VPN gateway) is a software and hardware complex for cryptographic protection of traffic transmitted over communication channels by encrypting packets using various protocols.

The crypto gateway is designed to ensure the information security of an organization when transferring data over open communication channels.

Crypto gateways on the modern market provide the following basic functions:

  • transparency for NAT;
  • hiding the network topology by encapsulating traffic in an encrypted tunnel;
  • ensuring the integrity and confidentiality of IP packets;
  • authentication of secure network nodes and users.

Enterprises of various sizes, government agencies, private companies are the main categories of consumers of crypto gateways.

Today VPN gateway functionality is part of virtually any network device, be it a corporate router, a home Wi-Fi router or a firewall. With this in mind, below we consider the key representatives of the Russian market that use the GOST encryption algorithm, as well as several foreign examples as an alternative.

Separately, we note that the market also has secure remote access solutions based on the TLS protocol (TLS gateways) from both Russian and foreign manufacturers. They are not considered in this review.

Global crypto gateway market

Business continuity for any geographically distributed company is always associated with ensuring the protection of transmitted information. Various VPN devices have been solving this problem for a long time. They differ markedly in their implementation: they can be specialized solutions, solutions based on software and hardware systems, such as firewalls / routers, or completely software systems.

Similar products on the world market are used by companies from different fields of activity: healthcare, industrial enterprises, transport companies, government agencies and many others.

In most cases, the customer needs to solve one or more of the following tasks:

  • protection of a distributed corporate network in various topologies;
  • connecting remote users to the corporate network (including from mobile devices);
  • link layer protection.

SSL VPN has firmly established itself on the global market, as research by Allied Market Research shows: the global SSL VPN market exceeded US$3 billion in 2016 and is projected to reach US$5.3 billion by 2023.

Among the key players in the global market, leading positions are held by Cisco Systems, Citrix Systems, Pulse Secure, F5 Networks.

Figure 1 illustrates the key growth segments of the global SSL VPN market:

  • thin client mode;
  • full tunneling mode;
  • clientless mode.

Russian crypto gateway market

In Russia the main consumers of crypto gateways are government agencies and organizations that are personal data operators. Several regulations in force in the country define the criteria by which information security tools may be used for particular tasks.

These documents include the following:

  • Federal Law of 27.07.2006 No. 152-FZ "On Personal Data".
  • Decree of the Government of the Russian Federation of 01.11.2012 No. 1119 "On approval of requirements for the protection of personal data when processing them in personal data information systems."
  • Order of the FSTEC of Russia dated February 11, 2013 No. 17 "On approval of requirements for the protection of information that does not constitute a state secret contained in state information systems."
  • Order of the FSTEC of Russia dated February 18, 2013 No. 21 "On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems."
  • Regulations on the development, production, implementation and operation of encryption (cryptographic) information security tools (Regulations PKZ-2005).

One of the main requirements for crypto gateways is the availability of valid certificates of conformity of market regulators - FSB of Russia and FSTEC of Russia. The FSB of Russia certificate for compliance with the requirements for encryption (cryptographic) means is issued only if the crypto gateway is implemented using domestic encryption algorithms in accordance with GOST 28147-89.

Foreign manufacturers rarely support GOST encryption or obtain such certificates of conformity for their solutions, which Russian vendors of cryptographic information protection facilities (CIPF) actively take advantage of.

Separately, note the trend in the cybersecurity of industrial control systems (ICS). Some CIPF vendors now offer ruggedized crypto gateways that meet dust and moisture protection requirements and extended temperature ranges. Regulations have also appeared that set the requirements for protecting information in such systems:

  • Federal Law of July 26, 2017 No. 187-FZ "On the Security of the Critical Information Infrastructure of the Russian Federation".
  • Order of the FSTEC of Russia dated March 14, 2014 No. 31 "On approval of requirements for ensuring the protection of information in automated control systems for production and technological processes at critical facilities, potentially hazardous facilities, and facilities posing an increased danger to human life and health and to the environment".

This suggests that this area holds serious prospects for CIPF manufacturers in terms of the development of their products.

Let's consider the features of some Russian and foreign crypto gateways in more detail.

Russian crypto gateways

Atlix-VPN ("NTC Atlas")

The Atlix-VPN hardware and software complex (PAK) is a product of the Russian company NTC Atlas. The PAK is designed to create and interconnect virtual private networks (VPN) based on the IPsec protocol and the X.509 standard using Russian cryptographic algorithms.

GOST 28147-89, GOST R 34.11-94, GOST R 34.10-2001 are declared as supported standards.

A distinctive feature is the way key information needed for its operation is entered. For this, the Russian Intellectual Card (RIC) is used - a microprocessor card developed by NTC Atlas, CJSC Program Systems and Technologies and OJSC Angstrem. The card is based on a domestic microprocessor manufactured by JSC Angstrem.

From a hardware point of view, Atlix-VPN runs on a server with a specialized, fixed hardware platform. The PAK provides relatively low encryption performance by today's standards - 85 Mbps. This throughput and the fixed hardware platform are a consequence of the high security class, KV2, that the PAK provides under the requirements of the FSB of Russia.

Figure 2. PAK "Atlix-VPN"

Atlix-VPN has the following valid certificates of conformity:

  • FSB of Russia №СФ / 124-2958, confirming that the PAK meets the requirements for encryption (cryptographic) means of class KV2 and can be used for cryptographic protection (encryption and imitation protection of IP traffic) of information that does not contain information constituting a state secret;
  • FSTEC of Russia No. 1864, confirming that the PAK complies with the requirements of the guidance document "Computer facilities. Firewalls. Protection against unauthorized access to information. Indicators of security against unauthorized access to information" - for the 4th security class.

More information about the Atlix-VPN PAK can be found on the manufacturer's website.

ZASTAVA (ELVIS-PLUS)

The ZASTAVA hardware and software complexes are developed by the Russian company ELVIS-PLUS. The PAK protects corporate information systems at the network level using virtual private network (VPN) technologies based on the IPsec / IKE protocols. ZASTAVA is not only a VPN gateway with support for domestic cryptographic algorithms, but also a firewall. ZASTAVA is the only Russian product that implements the current version of the IKE protocol (IKEv2). Most Russian vendors use the IKEv1 protocol, which the IETF officially recognized as obsolete more than 10 years ago, partly because of security problems. Compared with IKEv1, IKEv2 is more resistant to denial-of-service attacks, more tolerant of network problems, and more flexible to use. The IKEv2 protocol is still being actively developed in the IETF, including in such advanced areas of cryptography as protecting data against quantum computers or using the proof-of-work principle to counter DoS attacks. ELVIS-PLUS takes an active part in this work and promptly adds support for new protocol features to PAK ZASTAVA.
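The DoS resistance attributed to IKEv2 above rests on a concrete mechanism: the stateless COOKIE exchange of RFC 7296 section 2.6, which lets a responder avoid allocating any half-open SA state until an initiator shows it can receive traffic at its claimed address, and the optional proof-of-work puzzle (RFC 8019) that raises the cost of each retry further. The following Python model is added here as an illustration; it is not code from ELVIS-PLUS, ZASTAVA or any other product on this page. The `Responder` class, its `half_open_limit` threshold, the constructed addresses and the simplified hashcash-style puzzle check (SHA-256 over cookie and solution, not the exact RFC 8019 encoding) are assumptions of this example; the cookie format itself follows the RFC.

```python
"""Constructed illustration of IKEv2 DoS defences: the stateless COOKIE of
RFC 7296 section 2.6 plus a simplified proof-of-work puzzle (RFC 8019 idea).
Not code from any product described in the review."""
import hashlib
import hmac
import secrets

COOKIE_LEN = 1 + 32  # version byte + HMAC-SHA256 tag


class Responder:
    """Minimal IKEv2 responder model (assumed structure, for illustration only)."""

    def __init__(self, half_open_limit: int = 8, puzzle_bits: int = 0):
        self.secret = secrets.token_bytes(32)   # real responders rotate this periodically
        self.secret_version = 1                 # <VersionIDofSecret> in RFC 7296 terms
        self.half_open_limit = half_open_limit  # start demanding cookies above this load
        self.puzzle_bits = puzzle_bits          # 0 disables the puzzle
        self.half_open = {}                     # SPIi -> state kept for in-progress SAs
        self.rejected = 0

    def make_cookie(self, ni: bytes, ip_i: str, spi_i: bytes) -> bytes:
        # Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)  (RFC 7296 2.6)
        tag = hmac.new(self.secret, ni + ip_i.encode() + spi_i, hashlib.sha256).digest()
        return bytes([self.secret_version]) + tag

    def cookie_valid(self, cookie: bytes, ni: bytes, ip_i: str, spi_i: bytes) -> bool:
        """Recomputes the cookie from the retried request: no stored state is needed."""
        if len(cookie) != COOKIE_LEN or cookie[0] != self.secret_version:
            return False
        return hmac.compare_digest(cookie, self.make_cookie(ni, ip_i, spi_i))

    def puzzle_solved(self, cookie: bytes, solution: bytes) -> bool:
        # Simplified proof-of-work (assumption, not the RFC 8019 wire format):
        # SHA-256(cookie || solution) must begin with puzzle_bits zero bits.
        if self.puzzle_bits == 0:
            return True
        digest = int.from_bytes(hashlib.sha256(cookie + solution).digest(), "big")
        return digest >> (256 - self.puzzle_bits) == 0

    def ike_sa_init(self, ip_i, spi_i, ni, cookie=None, solution=b""):
        """Returns ("COOKIE", cookie) to demand a retry, ("OK", None) when SA state
        is created, or ("REJECT", None) when the retry carried a bad cookie/solution."""
        under_load = len(self.half_open) >= self.half_open_limit
        if cookie is None:
            if under_load:
                # Nothing is allocated here; the cookie carries what is needed
                # to recognise a genuine retry later.
                return "COOKIE", self.make_cookie(ni, ip_i, spi_i)
        elif not (self.cookie_valid(cookie, ni, ip_i, spi_i)
                  and self.puzzle_solved(cookie, solution)):
            self.rejected += 1
            return "REJECT", None
        # Either not under load, or a valid cookie was presented: commit state.
        self.half_open[spi_i] = {"ip": ip_i, "ni": ni}
        return "OK", None


def solve_puzzle(cookie: bytes, bits: int) -> bytes:
    """Initiator's side of the puzzle: brute force a solution; cost grows as 2**bits."""
    counter = 0
    while True:
        candidate = counter.to_bytes(8, "big")
        digest = int.from_bytes(hashlib.sha256(cookie + candidate).digest(), "big")
        if bits == 0 or digest >> (256 - bits) == 0:
            return candidate
        counter += 1


def simulate_flood(spoofed: int = 1000, puzzle_bits: int = 12) -> dict:
    """Constructed scenario: a burst of spoofed IKE_SA_INITs, then one honest initiator."""
    r = Responder(half_open_limit=8, puzzle_bits=puzzle_bits)
    # Spoofed sources (TEST-NET addresses) never answer, so they can never return a cookie.
    for k in range(spoofed):
        r.ike_sa_init(f"203.0.113.{k % 250}", k.to_bytes(8, "big"), secrets.token_bytes(32))
    state_during_flood = len(r.half_open)   # bounded by half_open_limit, not by `spoofed`

    # Honest initiator: receives a cookie, solves the puzzle, retries with both.
    ip, spi, ni = "198.51.100.7", b"\x01" * 8, secrets.token_bytes(32)
    status, cookie = r.ike_sa_init(ip, spi, ni)
    assert status == "COOKIE"
    honest, _ = r.ike_sa_init(ip, spi, ni, cookie, solve_puzzle(cookie, puzzle_bits))

    # The same cookie presented from another address/SPI fails the HMAC check.
    replayed, _ = r.ike_sa_init("203.0.113.9", b"\x02" * 8, ni, cookie,
                                solve_puzzle(cookie, puzzle_bits))
    return {"state_during_flood": state_during_flood, "honest": honest,
            "replayed": replayed, "rejected": r.rejected}


if __name__ == "__main__":
    print(simulate_flood())
```

Running `simulate_flood()` shows the responder holding only `half_open_limit` entries of state through a flood of requests that never reply, accepting the honest initiator's retry, and refusing the same cookie replayed from a different address, because the HMAC binds it to the initiator's IP, SPI and nonce. A production responder additionally rotates the secret and accepts cookies under the previous version for a short window, which this model omits.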

ZASTAVA consists of three separate components:

  • ZASTAVA-Client implements the functionality of a remote access client via VPN;
  • ZASTAVA-Office implements the functions of a VPN gateway and firewall;
  • ZASTAVA-Management performs the functions of the Security Policy Management Center for unified management of network security.

Distinctive features:

  • use of external cryptographic modules that implement domestic standards GOST R 34.10-2001, GOST R 34.10-2012, GOST R 34.11-2012, GOST 28147-89, in particular, CryptoPro CSP cryptographic protection system;
  • support not only for domestic cryptographic algorithms, but also foreign ones - RSA, DH, ECDH, DES, 3DES, AES, SHA1, SHA2;
  • authentication of partners using X.509 certificates;
  • support for centralized management of PAK through the product ZASTAVA-Management;
  • implementation of the functionality of a failover cluster operating in the "active / passive" mode;
  • depending on the hardware platform, encryption performance can vary from 40 Mbps to 4 Gbps;
  • encryption of the channel from client workstations to the PAK is provided by the vendor's own product, ZASTAVA-Client.

ZASTAVA has several valid certificates of compliance with the requirements of the FSB of Russia and the FSTEC of Russia, in particular:

  • FSB of Russia №СФ / 114-3067, confirming compliance with the requirements for cryptographic protection of information that does not contain information constituting a state secret, class KS3; can be used for cryptographic protection (encryption of IP packets using IPsec ESP, computing a hash over IP packets using IPsec AH and / or IPsec ESP, cryptographic authentication of peers when establishing a connection using IKEv1 or IKEv2) of information that does not contain information constituting a state secret;
  • FSTEC of Russia No. 2573, certifying that the PAK complies with the requirements of the guidance document "Computer facilities. Firewalls. Protection against unauthorized access to information. Indicators of security against unauthorized access to information" - for the 2nd class of security.

More information about PAK ZASTAVA can be found on the manufacturer's website.

"Continent" ("Security Code")

The Continent hardware and software encryption complex (APKSH) is a cryptographic gateway manufactured by the Russian company Security Code. The APKSH provides firewalling and cryptographic protection of open communication channels in accordance with GOST 28147-89.

The APKSH allows you to protect network traffic in multiservice networks, separate network segments, organize secure remote access to the local network, and implement internetworking with other secure networks (built on the same product). The APKSH is based on FreeBSD.

APKSH has the following features:

  • supports centralized management and monitoring using the Continent Network Management Center product;
  • hardware redundancy of the APKSH to implement a fault-tolerant configuration;
  • the APKSH model range includes a version for protecting information in industrial systems;
  • a wide range of models with encryption rates from 10 Mbps to 3.5 Gbps for a standalone device (up to 10 Gbps when encrypted traffic is distributed across a farm of APKSH devices);
  • support for transparent network aggregation at the data link layer (L2 VPN);
  • application-level traffic filtering (DPI);
  • command filtering for the HTTP and FTP protocols;
  • URL filtering based on static lists and regular expressions;
  • medium- and high-performance gateways (from IPC-400 upwards) are implemented in a 2U form factor;
  • the APKSH model range includes platforms with up to 34 GbE interfaces, including up to 4 optical 10 Gb SFP+ and up to 32 optical 1 Gb SFP;
  • the Continent-AP software product is used as the VPN client.

Figure 3. APKSH "Continent" IPC-3034

It should be noted that the APKSH is supplied with a built-in Sobol electronic lock (a hardware and software trusted boot module). Also, the APKSH product form and the administrator's guide impose a limit on the maximum number of crypto gateways in a network served by one Continent network control center.

APKSH is included in the register of domestic software (No. 310) and has a number of valid certificates of conformity, including:

  • FSB of Russia No.СФ / 124-2617, confirming compliance with the requirements for encryption (cryptographic) means of class KS3; can be used for cryptographic protection (creation and management of key information, encryption and imitation protection of data transmitted in IP packets over public data networks) of information that does not contain information constituting a state secret;
  • FSTEC of Russia No. 3008, confirming compliance with the requirements for type "A" firewalls (IT.ME.A3.PZ) and network-level intrusion detection tools (IT.COV.S3.PZ) for class 3 (the document is not available for viewing on the manufacturer's website; available upon request).

More information about the APKSH "Continent" can be found on the manufacturer's website.

FPSU-IP (AMIKON, "InfoCrypt")

The FPSU-IP hardware and software complex ("Network layer packet filter - Internet Protocol") is produced by the Russian company AMIKON with the participation of InfoCrypt. The PAK is a firewall and VPN gateway.

FPSU-IP supports the domestic standards GOST 28147-89, GOST R 34.10-2012 and GOST R 34.11-2012; the cryptographic part is implemented by the Tunnel 2.0 CIPF manufactured by InfoCrypt. The PAK runs on Linux.

FPSU-IP has the following features:

  • supports the ability to work in "hot" backup mode (offered by the manufacturer as an option);
  • implemented on the basis of various hardware platforms of both 1U and 2U standard sizes;
  • uses its own VPN protocol;
  • FPSU-IP / Client software is used as a remote client component (activation of the ability to interact with client software on the PAK is offered by the manufacturer as an option);
  • the lineup provides data encryption speed from 10 Mbps to 12 Gbps (with an IP packet size of 1450 bytes and 56 computing streams).

Figure 4. FPSU-IP gateway

FPSU-IP is a solution based on various hardware platforms and software with built-in certified cryptographic information protection system.

The built-in CIPF has a valid certificate of the FSB of Russia No. СФ / 124-3060 and meets the requirements for cryptographic information protection tools designed to protect information that does not contain information constituting a state secret, classes KS1, KS2 and KS3.

More information about FPSU-IP can be found on the manufacturer's website.

ALTELL NEO ("AltEl")

The ALTELL NEO hardware and software complex is manufactured by AltEl.

The key functionality is firewalling combined with the ability to build secure communication channels. ALTELL NEO is also positioned as a UTM (Unified Threat Management) solution that combines not only the capabilities of a firewall, VPN gateway, but also intrusion detection and prevention, content filtering and protection against malware.

The product is a hardware platform combined with embedded certified software. IPsec and OpenVPN are supported as VPN protocols, with encryption using GOST 28147-89.

The platforms offered by the manufacturer, with the exception of the entry-level models (100 and 110), can run one of three software versions: FW (firewall), VPN (crypto gateway) or UTM. Each subsequent version of the software includes the functionality of the previous ones.

ALTELL NEO has the following features:

  • a wide range of hardware platforms of various configurations;
  • Enterprise-class hardware platform (model 340, 2U form factor) has increased density of network interfaces (up to 65 RJ45 GbE ports / up to 64 SFP GbE ports / up to 16 SFP + 10 GbE ports);
  • encryption performance (depending on the hardware platform) ranges from 18 Mbps to 2.4 Gbps with IPsec and from 14 Mbps to 1.4 Gbps with OpenVPN.

Figure 5. Gateway ALTELL NEO 340

The software used in the solution is included in the register of domestic software (No. 3768) and has the following certificates of conformity:

  • FSB of Russia №SF / SZI-0074, confirming the fulfillment of the requirements for firewalls of the 4th security class and the fact that the software can be used to protect information from unauthorized access in the information and telecommunication systems of the state authorities of the Russian Federation;
  • FSTEC of Russia No. 2726, certifying that the software complies with the requirements of the guidance document "Computer facilities. Firewalls. Protection against unauthorized access to information. Indicators of security against unauthorized access to information" - for the 2nd class of security.

It should be noted that at the time of publication of this review, no valid FSB of Russia certificate of compliance with the requirements for encryption (cryptographic) means of classes KS1 / KS2 / KS3 could be found in open sources.

More information about ALTELL NEO can be found on the manufacturer's website.

S-Terra Gateway 4.1 ("S-Terra CSP")

The S-Terra Gateway product manufactured by the Russian company S-Terra CSP is a software package (hereinafter referred to as the PC) that runs on various hardware platforms.

S-Terra Gateway 4.1 provides encryption in accordance with GOST 28147-89 and imitation protection of traffic transmitted over open communication channels using the IPsec protocol. In addition to VPN, the product has firewall functionality. Debian is used as the operating system.

Cryptographic functions in the PC are implemented by a proprietary crypto library, S-Terra ST, which is compatible with the CryptoPro CSP CIPF.

S-Terra Gateway 4.1 has the following main features:

  • supports centralized remote control through the S-Terra KP system;
  • encryption solution performance from 60 Mbps to 2.5 Gbps, depending on the gateway model and hardware platform;
  • it can be deployed as a virtual machine (S-Terra Virtual Gateway);
  • the S-Terra Gateway PC can be installed on the customer's own hardware platform;
  • the manufacturer offers a solution for protecting a 10 Gbps communication channel at the L2 level by placing 4 pairs of 7000 High End model gateways with the S-Terra L2 software module and two pairs of switches in two data centers (assuming that the traffic in the protected channel is mostly TCP, with no IP telephony).

Figure 6. S-Terra Gateway 1000

S-Terra Gateway 4.1 is certified by the FSB of Russia as a CIPF for classes KS1, KS2 and KS3 and as a class 4 firewall, and by the FSTEC of Russia as a class 3 firewall (ME 3). Among the certificates:

  • FSB of Russia No.SF / 124-2517, confirming the fulfillment of the requirements for encryption (cryptographic) means of class KS3;
  • FSB of Russia №СФ / 525-2663, confirming the fulfillment of requirements for firewalls of the 4th security class;
  • FSTEC of Russia No. 3370, certifying that S-Terra Gateway complies with the requirements of the guidance document "Computer facilities. Firewalls. Protection against unauthorized access to information. Indicators of security against unauthorized access to information" - for the 3rd security class.

More information about S-Terra Gateway can be found on the manufacturer's website.

Diamond VPN (TCC)

The TCC Diamond VPN / FW hardware and software complex is a high-performance UTM solution that combines the functions of a firewall, VPN gateway, and intrusion detection system (IDS).

The PAK provides GOST 28147-89 encryption over the DTLS protocol.

The main features are:

  • support for creating a fault-tolerant configuration in the "active / passive" mode;
  • a high-performance version (model 7141) providing encryption at up to 16 Gbps and firewalling at up to 40 Gbps;
  • high port density in maximum hardware configuration (up to 32 RJ45 GbE ports / up to 32 GbE SFP ports / up to 16 10G SFP + ports);
  • availability of an industrial-grade crypto gateway (Diamond VPN / FW Industrial model) to protect information in the process control system.

Figure 7. PAK Diamond VPN / FW

The PAK is included in the register of domestic software (No. 1425) and has a valid certificate of the FSTEC of Russia No. 2260, confirming compliance with the requirements of the guidance document "Computer facilities. Firewalls. Protection against unauthorized access to information. Indicators of security against unauthorized access to information" - for the 2nd class of security.

It should be noted that the valid certificate of the FSB of Russia No. 124-2702 for compliance with the requirements for encryption (cryptographic) means of classes KS1 and KS2 (depending on the version) belongs to the Dcrypt 1.0 CIPF, which implements the encryption and electronic signature functions as part of the PAK.

More information about Diamond VPN / FW can be found on the manufacturer's website.

Dionis-NX ("Factor-TS")

The Dionis-NX hardware and software complex is a development of the Russian company Factor-TS. PAK is a UTM device that can be used as a firewall, crypto router, intrusion detection and prevention system.

PAK allows you to build VPN tunnels in accordance with GOST 28147-89 by using the GRE, PPTP, OpenVPN protocols.

It has the following distinctive features:

  • the manufacturer offers five options for hardware platforms that provide encryption speeds from 100 Mbps to 10 Gbps;
  • support for cluster execution in a fault-tolerant configuration ("active / passive" mode);
  • support for interaction with the software "Dissek", which implements the functionality of the VPN client.

Dionis-NX is included in the register of domestic software (No. 2772) and has a valid certificate of the FSTEC of Russia No. 2852, confirming compliance with the requirements of the guidance document "Computer facilities. Firewalls. Protection against unauthorized access to information. Indicators of security against unauthorized access to information" - for the 2nd class of security.

It should be noted that the valid certificate of the FSB of Russia No. 124-2625 for compliance with the requirements for encryption (cryptographic) means of classes KS1 and KS3 (depending on the version) belongs to the DioNIS-NX CIPF, which implements the encryption functions as part of the PAK.

More information about "Dionis-NX" can be found on the manufacturer's website.

ViPNet Coordinator HW (Infotecs)

The ViPNet Coordinator HW hardware and software complex was developed by the Russian company Infotecs and is a certified crypto gateway and firewall.

ViPNet Coordinator HW provides protection (encryption) of data transmitted over various communication channels by building a VPN at both the network and data link layers of the OSI model (L3 and L2 VPN) in accordance with GOST 28147-89. The PAK allows you to organize secure access both to data centers and to the corporate infrastructure. Medium- and high-performance PAKs are supplied in a 1U form factor. It runs on an adapted Linux OS.

ViPNet Coordinator HW has the following features:

  • to build a VPN, the proprietary ViPNet VPN protocol is used, which provides unhindered secure interaction regardless of the type of communication channel, automatic roaming between communication channels;
  • support for work in modern multiservice networks (using the Cisco SCCP, H.323 protocols);
  • encryption performance from 50 Mbps to 5.5 Gbps (for standalone solutions), depending on the model;
  • support for fault-tolerant configuration ("active / passive" mode) for models of the middle and high level (from the HW1000 model);
  • support for centralized management and remote updates using the ViPNet Administrator software;
  • support for interaction with client components (ViPNet Client software) on various operating systems (Windows, Linux, macOS, iOS, Android).

Figure 8. PAK ViPNet Coordinator HW1000

The PAK manufacturer uses hardware platforms of a fixed configuration in its solutions, which makes it possible to obtain a high class of cryptographic protection (KS3) without additional devices such as hardware and software trusted boot modules (APMDZ).

ViPNet Coordinator HW is included in the register of domestic software (No. 2798) and has various valid certificates of conformity, including:

  • FSB of Russia №СФ / 124-2981, confirming the fulfillment of the requirements for encryption (cryptographic) means of class KS3;
  • FSB of Russia №СФ / 525-3007, confirming the fulfillment of requirements for firewalls of the 4th security class;
  • FSTEC of Russia No. 3692, certifying that the PAK is a type "A" firewall and meets the requirements of the documents "Requirements for firewalls" (FSTEC of Russia, 2016) and "Security profile of a type A firewall of the fourth protection class. IT.ME.A4.PZ".

More information about ViPNet Coordinator HW can be found on the manufacturer's website.

Foreign crypto gateways

In this section, we take a closer look at the main foreign manufacturers of information security products. They offer a variety of solutions in both software and hardware form.

The manufacturers listed below offer the modern market UTM solutions, all-in-one "combine" products. These include the functionality of NGFW (Next Generation Firewall), IDS / IPS (intrusion detection and prevention systems), streaming antivirus and, of course, a VPN gateway. The latter is of particular interest to us in the context of this review.

It should be noted that foreign vendors for their VPN use exclusively foreign encryption algorithms - DES, 3DES, AES. Accordingly, the target customer of such solutions (in terms of VPN) in Russia is not a government agency or organization that operates in accordance with the regulations indicated at the beginning of the review.

Since the market for crypto-security products is regulated on the territory of the Russian Federation, foreign manufacturers must officially import their products in accordance with all applicable norms and requirements. In this case, two options are possible:

  • import under a simplified scheme (according to notification, the register is available on the website of the Eurasian Economic Union);
  • import under the license of the FSB of Russia or the Ministry of Industry and Trade of Russia.

Because they use foreign cryptographic algorithms, the solutions considered in this section are not represented in the FSB of Russia certification system.

Cisco VPN Solutions (Cisco ASA 5500-X, Cisco Firepower, Cisco ASAv, Cisco IOS VPN)

The international company Cisco Systems has a large portfolio of solutions for building VPNs, which differ not only in how VPN is implemented but also in their core functionality. For example, the Cisco ASA 5500-X and Cisco Firepower are multifunctional security gateways that include VPN capabilities, which are especially effective for Remote Access VPN. The Cisco ISR / ASR / GSR / CSR routers, on the other hand, are designed primarily for Internet connectivity and have advanced Site-to-Site VPN capabilities.

The Cisco Adaptive Security Appliance (ASA) and Cisco Firepower are among the flagship security products of Cisco. These solutions, along with a virtualized ASAv security gateway and a router with IOS VPN functionality, enable VPN communication using IPSec, IPSec RA, SSL, SSL clientless, DTLS at speeds from 100 Mbps to 51 Gbps and with support for up to 60,000 remote users.

Distinctive features are:

  • Redundancy. There are two options: a failover solution and clustering, including geo-distributed clustering. In the first case, two devices are combined into one logical device; two operating modes are available, active / standby and active / active. In the second, up to 16 ASA devices (for the 5585-X model) can be combined into one logical device, which can significantly improve the performance of the solution.
  • Support for DMVPN, GET VPN, Easy VPN technologies.
  • Optimization of protection of multimedia traffic.
  • Supports per application VPN function (differentiated traffic encryption for different applications).
  • Support for assessing the security compliance of a remote site (mobile device) prior to establishing a VPN tunnel.
  • Built-in additional security mechanisms such as built-in Certificate Authority (CA).
  • API for integration with external filtering systems and service management - Web proxy, AAA and compliance assessment.
  • Integration with the security capabilities of the Cisco ASA 5500-X multifunctional security platform, Cisco Firepower or Cisco routers: firewall and NGFW, NGIPS, the anti-malware subsystem and the URL filtering subsystem.

Figure 9. Cisco Firepower 9300

The Cisco ASA 5500-X, Cisco Firepower or Cisco ISR is managed locally through Cisco Adaptive Security Device Manager (ASDM), Cisco Firepower Device Manager or Cisco Security Device Manager, or centrally through Cisco Security Manager, Cisco Firepower Management Center or Cisco Defense Orchestrator.

To connect remote client workstations, the Cisco AnyConnect Secure Mobility Client (localized into Russian) or Cisco SSL clientless technology can be used, as well as the VPN clients built into Apple iOS and Android.

Cisco ASA 5500-X, Cisco Firepower and Cisco ISR solutions have dozens of valid FSTEC certificates of conformity, including No. 3738, which certifies that the PAK complies with the requirements for firewalls of classes A6 and B6 and has been verified for the absence of undocumented capabilities. Together with S-Terra CSP, Cisco has developed an encryption module based on Russian encryption algorithms (GOST 28147-89 and others) and certified it with the FSB as a CIPF for classes KS1 / KS2. This module is designed for the Cisco ISR, which can also serve as a platform for running other VPN solutions. In particular, integration and testing of joint solutions of the Cisco ISR with the ViPNet and TCC VPN solutions has been carried out.

More information about the Cisco ASA 5500-X, Cisco Firepower, Cisco ISR can be found on the manufacturer's website.

F5 Networks VPN Solutions

F5 Networks offers complete solutions and standalone VPN devices. Since 2016, the company has focused on end-to-end solutions, and isolated VPN gateways are gradually being phased out.

The F5 Access Policy Manager (APM) product is a dedicated software module that includes VPN functionality along with many other features, and is part of BIG-IP, a full proxy between users and application servers that provides security, application traffic optimization and load balancing.

The BIG-IP VPN client uses TLS and Datagram TLS (DTLS) to enable latency-sensitive applications. This client is available on all common desktop and mobile platforms.

BIG-IP solutions operate on the basis of the proprietary operating system (OS) F5 TMOS. Among its advantages are:

  • An open API (iControl) that allows you to flexibly manage traffic flow and increase performance.
  • Traffic control on F5 devices using the iRules scripting language.
  • iApps templates that allow you to deploy and manage network services for specific applications.

F5's offerings to date start with the BIG-IP 1600 and end with the BIG-IP 11050, which is their largest standalone VPN device.

The largest blade server solution is the Viprion 4800. It supports up to 30,000 SSL transactions.

Figure 10. F5 Viprion 4800

F5 Networks products are not presented in the state register of certified information security products No. ROSS RU.0001.01BI00 (FSTEC of Russia).

More information about F5 Networks products can be found on the manufacturer's website.

NetScaler (Citrix Systems)

NetScaler is a line of network security products from Citrix Systems. Citrix VPN solutions are built into the NetScaler Gateway product. The NetScaler gateway, like all Citrix equipment, is standardly integrated into many of the company's product lines.

NetScaler Gateway offers SSL VPN functionality, including secure access to Citrix XenDesktop, XenApp, XenMobile, MS RDP and VMware Horizon, as well as to web applications and resources within the corporate network. The product also provides secure network access to any server, along with device analysis and identification.

Citrix Gateway supports both TLS and DTLS, depending on your traffic requirements.

The lowest-end MPX platform in the product line (MPX 5550) supports up to 1,500 SSL transactions; the most powerful (MPX 22120) supports up to 560,000 SSL transactions.

Figure 11. Citrix NetScaler MPX-8005

Citrix NetScaler gateways are not presented in the state register of certified information security tools No. ROSS RU.0001.01BI00 (FSTEC of Russia).

For more information on Citrix products, visit the manufacturer's website.

Pulse Secure (Juniper Networks)

Pulse Secure is a series of products from the American company Juniper Networks. Key functionality - SSL VPN.

The manufacturer offers four software and hardware complexes of different performance and form factor.

The minimum configuration model (PSA300) provides 200 Mbps throughput for 200 SSL connections. Highest performance solution (PSA7000) - 10 Gbps for 25,000 SSL connections.

A distinctive feature in the Pulse Secure line is the presence of two power supplies for the PSA7000 model.

Figure 12. Pulse Secure Appliance 7000

Pulse Secure gateways are not presented in the state register of certified information security tools No. ROSS RU.0001.01BI00 (FSTEC of Russia).

More information on Pulse Secure products can be found on the manufacturer's website.

SonicWALL

SonicWALL is an American manufacturer of network security solutions. In 2012, the company was acquired by Dell Software Group. In 2016, Dell sold SonicWALL.

The company offers solutions of various capacities. For the most part, these are UTM solutions that implement the functionality of NGFW, IPS, VPN, streaming antivirus.

In terms of VPN, the manufacturer supports IPSec, SSL. The most powerful solution, shown in the figure below, provides VPN throughput of up to 14 Gbps. The maximum number of VPN connections in this case is 25,000.

SonicWALL gateways run their own operating system, SonicOS.

Figure 13. SonicWALL SuperMassive 9000 Series

SonicWALL gateways are not presented in the state register of certified information security tools No. ROSS RU.0001.01BI00 (FSTEC of Russia).

More information about SonicWALL products can be found on the manufacturer's website.

Conclusions

A cryptographic gateway is not only a specialized VPN solution, but also a multifunctional product that solves a wide range of information security problems of almost any enterprise or government institution. Implementing crypto gateways can be challenging and requires an organization to have qualified staff.

According to the statistical portal Statista.com, in 2014 the global VPN market volume was 45 billion US dollars. At the same time, it is expected to grow to 70 billion by 2019. This allows us to say that devices for building a VPN will become more and more in demand from year to year.

Although on the territory of the Russian Federation the operation of cryptographic protection means is regulated by the "Regulations on the development, production, implementation and operation of encryption (cryptographic) information security tools (Regulations PKZ-2005)", foreign developers still have the opportunity to offer their products to Russian customers. Under PKZ-2005, the participants in an information exchange themselves (with a number of reservations), provided they are not state institutions, determine the need for cryptographic protection and choose the means of cryptographic protection to be applied.

The entry into force of the Federal Law No. 187-FZ "On the security of the critical information infrastructure of the Russian Federation" (CII) from January 1, 2018 will oblige companies and facilities of the CII and the fuel and energy complex to inform the authorities about computer incidents and prevent illegal attempts to access information. Such a legislative initiative will create an additional opportunity for the growth of the crypto security segment in the future over the next few years.

Modern domestic crypto gateways are acquiring more and more functionality (Next Generation Firewall, IDS, IPS, streaming antivirus) that until recently was offered only by foreign manufacturers. Growing competition and an increasing number of players in the market put the customer in the most advantageous position, free to choose what really suits their needs and capabilities.