PAK Sobol version 3.0 certificate. Sobol electronic lock

PAK Sobol 4.0 is a hardware and software system: an electronic lock that protects a computer from unauthorized access (a hardware-software trusted boot module). The Sobol electronic lock can be used as a protection device for a stand-alone computer, as well as for a workstation or server that is part of a local area network.
The Sobol electronic lock is used to protect personal computers, including desktops, laptops and ultrabooks, as well as servers and a number of specialized devices (cryptographic gateways, routers, etc.).
The product passed inspection control at the FSTEC of Russia for compliance with the guidelines for the 2nd level of control for the absence of undeclared capabilities (NDV) and can be used in automated systems up to and including class 1B and in personal data information systems (ISPDn) of the highest security level. The updated version of PAK Sobol was also submitted to the FSB of Russia, where control thematic tests are being carried out to confirm the existing certificates of conformity.

Capabilities of the Sobol electronic lock:

  • User authentication.
  • Blocking OS boot from removable media.
  • Monitoring the integrity of the software environment.
  • Checking the integrity of the Windows system registry.
  • Computer configuration control (PCI devices, ACPI, SMBIOS).
  • Watchdog timer.
  • Registration of attempts to access the PC.

Advantages of the Sobol electronic lock:

  • Availability of certificates of FSB and FSTEC of Russia.
  • Protection of information constituting a state secret.
  • Assistance in building applied cryptographic applications.
  • Easy to install, configure and operate.
  • Support for 64-bit Windows operating systems (including Windows 8 and Windows Server 2012).
  • Support for iButton, iKey 2032, eToken PRO, eToken PRO (Java) and Rutoken S/RF S IDs.
  • Flexible choice of board formats (PCI, PCI-E, Mini PCI-E) and configuration options.
  • Support for EXT 4 file system in Linux operating systems.
  • Support for USB 2.0/3.0 Hi-Speed mode for enhanced user authentication.

The main changes in version 4.0 of PAK Sobol:

1. Operation in a UEFI environment;
2. Support for disk partitioning in GPT format;
3. Compatible with USB 3.0;
4. Support for new operating systems:

  • Alt Linux SPT 7;
  • Astra Linux Special Edition "Smolensk" 1.5;
  • VMware vSphere ESXi 5.5/6.
5. Increased the number of supported users from 32 to 100;
6. The number of security log entries increased from 80 to 2000;
7. Expanded list of supported identifiers:
  • USB keys JaCarta-2 GOST, JaCarta-2 PKI/GOST, JaCarta SF/GOST, Rutoken EDS and Rutoken Lite;
  • Smart cards JaCarta-2 GOST, JaCarta-2 PKI/GOST.

Sobol is a means of protecting information on personal computers from unauthorized access. It acts as a hardware-software trusted boot module. PAK Sobol is designed to protect confidential information, including personal data and information constituting a state secret classified up to and including "top secret".

FSTEC certificate No. 1967 confirms that PAK Sobol complies with the requirements of the FSTEC of Russia guidelines for the 2nd level of control for the absence of NDV and can be used in automated systems of security level up to 1B inclusive.

FSB certificate No. SF / 027-1450 confirms that PAK Sobol complies with the requirements of the hardware-software trusted boot module (APMDZ) according to class 1B.

Capabilities of PAK Sobol

PAK Sobol performs the following security functions:

  • Blocks attempts to boot the OS from removable media. After the installed copy of the OS has booted successfully, access to these devices is restored. The boot ban applies to all users of the computer except the administrator.
  • Identifies and authenticates users.
  • Performs integrity control of files and hard disk sectors before the OS is loaded. The integrity control mechanism used in Sobol verifies that files and physical sectors of the hard disk are unchanged before the operating system loads.
  • Acts as a watchdog timer. The watchdog timer mechanism blocks access to the computer if, after the computer is turned on and a specified time interval has elapsed, control has not been transferred to the Sobol BIOS extension.
  • Logs system security events to its own non-volatile memory.

PAK Sobol supports the following operating systems:

  • OS of the Windows family (support for both 32 and 64 bit)
  • MSVS 3.0
  • Trustverse Linux XP Desktop 2008 Secure Edition
  • FreeBSD version 5.3, 6.2, 6.3 or 7.2, 8.0, 8.1, 8.2
  • VMware ESX 3.5 - 4.0

PAK Sobol supports file systems: NTFS, FAT 32, FAT 16, UFS, EXT3, EXT2.

Advantages of PAK Sobol

  • PAK Sobol meets the requirements of the FSTEC for the protection of personal data
  • PAK Sobol has an FSB certificate for APMDZ up to class 1B
  • PAK Sobol successfully functions in modern Windows OS (32 and 64 bit)
  • Support for various types of identifiers (Rutoken, eToken, DS iButton tablets)
  • Possibility of software initialization of the complex

Administration options

When configuring PAK Sobol, the administrator can:

  • Determine the minimum length of a user's password;
  • Define a limit on the number of failed user logins;
  • Add and remove usernames;
  • Block the user's work on the computer;
  • Create backup copies of the administrator's personal ID;
  • Programmatically initialize the complex.

Hardware specifications

PAK Sobol is available as a board that supports the 3 and 5 volt PCI bus or the PCI Express bus version 1.0a and higher. Sobol is available in two hardware versions:

The equipment comes with a 1 year warranty from the date of purchase.

PAK Sobol is used in the Central Bank of the Russian Federation, GAS Elections, the Ministry of Internal Affairs of Russia, the Federal Treasury of Russia and the Pension Fund of Russia.

PAK Sobol 3.0 is a software and hardware complex: an electronic lock that protects the computer from unauthorized access and provides trusted boot. The Sobol electronic lock can be used to protect a stand-alone computer, or a workstation or server that is connected to a local network. Version 3.0 is compatible with USB 2.0/3.0 Hi-Speed mode.

PAK "Sobol" 3.0 complies with all the requirements and standards of federal legislation, which is confirmed by certificate No. 1967 and the passage of inspection control in the FSTEC of the Russian Federation for compliance with the guidelines for the second level of control.

Sobol 3.0, as an electronic lock, is designed to protect personal computers (including ultrabooks, laptops, desktops), servers and specialized devices, such as routers, cryptographic gateways, and others. The improved version of Sobol PAK is compatible with Windows 8 and Windows Server 2012 operating systems, as well as the EXT4 file system in Linux operating systems.

Having passed inspection control at the FSTEC of the Russian Federation, this product can be used in automated systems up to and including class 1B and in personal data information systems with a high level of security. PAK Sobol 3.0 is currently undergoing control tests at the Federal Security Service of Russia to confirm the existing certificates of conformity.

Functions of the electronic lock PAK "Sobol":

  • computer configuration control (ACPI, PCI devices, SMBIOS);
  • blocking the loading of the operating system from external media;
  • monitoring the integrity of the Windows system registry;
  • registration of attempts to access a personal computer;
  • user authentication;
  • system integrity control;
  • watchdog timer.

Advantages of the PAK Sobol electronic lock:

  • support for 64-bit Windows operating systems, including Windows 8 and Windows Server 2012;
  • compatible with USB 2.0/3.0 high-speed mode for enhanced user authentication;
  • interaction with identifiers Rutoken S / RF S, eToken PRO, eToken PRO (Java), iKey 2032, iButton;
  • technical support in creating simple cryptographic solutions;
  • protection of data that is a state secret;
  • flexible choice of configuration options and board formats (PCI-E, Mini PCI-E, PCI);
  • ease of deployment, optimization and operation;
  • FSTEC and FSB of Russia certification.

PAK Sobol 3 is an electronic lock. It is a board that is inserted into a server or workstation. Safety is everything. This product is installed not at the request of the administrator, but if there are such requirements. Producer: Security Code LLC.

We will install it in an HPE ProLiant DL360 Gen10 server.

Links

Why you need it

  • Protection of information from unauthorized access.
  • Integrity control of IS components.
  • Prohibition of booting the OS from external media.
  • Protection of confidential information and state secrets in accordance with the requirements of regulatory documents.
  • Increasing the protection class of CIPF.

Advantages

Here I copied from the leaflet, adding my comments.

  • Control of the integrity of the Windows system registry, hardware configuration of the computer and files before the OS is loaded.
  • Reinforced (reinforced how? That's a tautology) two-factor authentication using modern personal electronic identifiers (if we consider an intercom key to be a modern electronic identifier).
  • Ease of installation, configuration and administration.
  • The possibility of software initialization without opening the system unit.
  • Hardware random number generator that meets the requirements of the FSB.

Capabilities

  • Monitoring the integrity of the software environment. Control of the immutability of files and physical sectors of the hard disk, as well as file systems: NTFS, FAT16, FAT32, UFS, UFS2, EXT2, EXT3, EXT4 in Linux and Windows operating systems. Supported operating systems:
    • Windows
      • Windows 7/8/8.1/10
      • Windows Server 2008/2008 R2/2012/2012 R2
    • Linux
      • MSVS 5.0 x64
      • Alt Linux 7.0 Centaur x86/x64
      • Astra Linux Special Edition "Smolensk" 1.4 x64
      • CentOS 6.5 x86/x64
      • ContinentOS 4.2 x64
      • Debian 7.6 x86/x64
      • Mandriva ROSA "Nickel" x86/x64
      • Red Hat Enterprise Linux 7.0 x64
      • Ubuntu 14.04 LTS Desktop/Server x86/x64
      • VMware vSphere ESXi 5.5 x64
    • Support for other operating systems is carried out upon request to the "Security Code" technical support service.
  • Identification and authentication.
    • Use of personal electronic identifiers:
      • iButton
      • eToken PRO
      • eToken PRO (Java)
      • Rutoken
      • Rutoken RF
      • eToken PRO smart cards
    • The operating system is loaded from the hard disk only after a registered electronic identifier has been presented.
  • Journaling. Maintaining a system log, the records of which are stored in a special non-volatile memory. The following events are recorded in the log:
    • User login fact and username.
    • Presentation of an unregistered identifier.
    • Entering the wrong password.
    • Exceeded number of login attempts.
    • Date and time at which unauthorized access events were registered.
  • Control the integrity of the Windows registry. Control of the invariability of the Windows system registry increases the protection of workstations from unauthorized actions within the operating system.
  • Hardware random number generator. Increasing the protection class of CIPF and providing random numbers to application software.
  • Configuration control. Control of the immutability of the computer configuration: PCI devices, ACPI, SMBIOS and RAM.
  • Disable booting from external media. Ensuring prohibition of booting the operating system from removable media (USB, FDD, DVD/CD-ROM, LPT, SCSI ports, etc.).
  • Watchdog timer. Blocking access to the computer using the watchdog timer mechanism if control is not transferred to Sobol when the computer is turned on.
  • Software initialization. The ability to initialize PAK Sobol programmatically, without opening the system unit and removing the jumper on the board.
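
The file and sector integrity control described in the list above can be modelled as a baseline of digests that is re-checked before the OS is allowed to boot. This is an added example, not code from Sobol or Security Code; the SHA-256 digest, the 512-byte sector size, the baseline layout and all function names are assumptions, and the disk image and file are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # assumed sector size; the page does not state one


def digest_file(path):
    """SHA-256 of a file's contents (the digest algorithm is an assumption)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_sectors(disk, first_lba, count):
    """SHA-256 over `count` physical sectors starting at `first_lba`."""
    with open(disk, "rb") as f:
        f.seek(first_lba * SECTOR)
        data = f.read(count * SECTOR)
    if len(data) != count * SECTOR:
        raise ValueError("sector range lies outside the disk")
    return hashlib.sha256(data).hexdigest()


def build_baseline(disk, sector_ranges, files):
    """Administrator step: record reference digests of controlled objects."""
    baseline = {}
    for first, count in sector_ranges:
        baseline[("sectors", first, count)] = digest_sectors(disk, first, count)
    for path in files:
        baseline[("file", path)] = digest_file(path)
    return baseline


def verify(disk, baseline):
    """Pre-boot step: return violations; an empty list means boot may proceed."""
    violations = []
    for key, expected in baseline.items():
        try:
            if key[0] == "sectors":
                actual = digest_sectors(disk, key[1], key[2])
            else:
                actual = digest_file(key[1])
        except (OSError, ValueError):
            violations.append((key, "missing"))
            continue
        if actual != expected:
            violations.append((key, "modified"))
    return violations


def demo():
    """Constructed 8-sector disk image and one controlled file."""
    with tempfile.TemporaryDirectory() as d:
        disk = os.path.join(d, "disk.img")
        cfg = os.path.join(d, "boot.cfg")
        with open(disk, "wb") as f:
            f.write(bytes(SECTOR * 8))
        with open(cfg, "wb") as f:
            f.write(b"default=os\n")
        baseline = build_baseline(disk, [(0, 1), (4, 2)], [cfg])
        clean = verify(disk, baseline)
        with open(disk, "r+b") as f:      # one byte changes in sector 0
            f.seek(0x10)
            f.write(b"\x90")
        os.remove(cfg)                    # controlled file disappears
        tampered = verify(disk, baseline)
        # A legitimate change (e.g. an OS update) fails the same way until
        # the administrator rebuilds the baseline.
        rebased = verify(disk, build_baseline(disk, [(0, 1), (4, 2)], []))
    return clean, tampered, rebased


if __name__ == "__main__":
    print(demo())
```
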

Principle of operation

The lineup

  • PCI Express 57x80
  • Mini PCI Express
  • Mini PCI Express Half Size
  • M.2 A-E

Admin Reflections

If an attacker gains full access to the server's remote console, this electronic lock will not help. It is enough to switch to UEFI boot mode and Sobol does not work: the two-factor authentication turns into a pumpkin. It seems that the 4th version of Sobol can work in UEFI; I didn't look at what is there.

I paid attention to the phrase "Easy administration". Simple? Yes, it's not difficult. Convenient? Not convenient at all. The server has rebooted: go to the data center. There are no normal means of remote two-factor authentication.

Registry integrity control is a dubious thing. Yes, it controls. Windows has been updated: a trip to the data center. Windows is generally unsafe to leave without updates, and Sobol interferes with these updates.

Equipment

Appearance

One side. There are jumpers on the board; we will need them later. Jumpers in the plane of the board do not affect the operation, only those that are perpendicular to the plane of the board do. One J0 jumper is installed, so apparently this Sobol was already installed somewhere. In theory, it should determine that the hardware has changed and prevent it from working; we will check this during installation.

Other side.

Connector view.

Installation

We install in the server.

Back view.

We connect an external reader for iButton.

We turn on the server. We enter the BIOS and switch the boot mode to Legacy.

Save - restart the server.

For Sobol to work, the system must attempt to boot. I have nothing on the disk now, so I mount an ISO image with the OS installer.

And it does not allow booting.

Because it used to be in a different server. The protection works. We turn everything off. We take everything apart. We get to the jumpers on Sobol.

Remove jumper J0. We put everything back together.

Sobol takes control.

Without jumper J0, Sobol goes into initialization mode. Select "Initialize Board".

The General System Settings window opens. You can set the required parameters. Press Esc.

The Integrity Check window opens. You can set the required parameters. Press Esc.

We wait. Sobol loves to test the random number generator.

The initial registration of the administrator is carried out. Yes.

We specify the password. Enter.

We repeat the password. Enter.

We are asked to attach the key. We attach the first one that came in the kit.

Warning that the key will be formatted. Yes.

Are you sure? Reminds me of Windows. Yes.

Back up admin id? Of course, we have two keys. We take out the first key. Choose Yes.

We attach the second key.

They tell us to return the jumper back. OK. The server is shutting down.

We get to the Sobol board and put the jumper back on J0.

We turn on the server.

We boot in Legacy mode. Sobol takes control.

We are asked to attach the key. We attach it.

We enter the password.

We press any key.

The Sobol electronic lock (PAK Sobol) is a certified hardware and software tool for protecting a computer from unauthorized access. It can be used as a device that protects a stand-alone computer, as well as a workstation or server that is part of a local area network. The FSB and FSTEC certificates allow PAK Sobol to be used to protect information constituting a state secret in automated systems of security level up to 1B inclusive.

2018: Obtaining a certificate of conformity from the FSTEC of Russia

On December 10, 2018, Security Code announced that it had received an FSTEC of Russia certificate of conformity for PAK Sobol version 4. Certificate No. 4043 of 05.12.2018 confirms that the Sobol 4 electronic lock complies with the FSTEC of Russia requirements for trusted boot tools of the expansion-board level, second protection class.

The certificate, valid until 12/05/2023, allows PAK Sobol version 4 to be used to protect confidential information and state secrets classified "top secret", in automated systems up to and including security class 1B, in ISPD up to and including UZ1, and in GIS up to and including the 1st security class.

Security Code announced the release of PAK Sobol version 4 in January 2018. The fourth generation of PAK Sobol is another step in the development of the product: the functionality of the electronic lock has changed significantly, while the interface remains continuous with the one that users of the previous version are accustomed to. The key differences of this generation of trusted boot modules are support for UEFI technology, USB 3.0 compatibility, and enhanced functionality.

The functioning of the Sobol PAK in the UEFI environment makes it possible to use modern computers for storing and processing confidential data and state secrets. Support for GPT partitioning allows you to work with hard drives larger than 2 terabytes.

The updated version of the product is compatible with USB 3.0 and has moved from a 16-bit to a 64-bit architecture. Integrating the latest types of identifiers requires significantly lower costs than in the previous version of PAK Sobol.

PAK "Sobol" 4 expanded the list of supported identifiers:

  • USB keys: JaCarta-2 GOST, JaCarta-2 PKI/GOST, JaCarta SF/GOST, Rutoken EDS and Rutoken Lite;
  • Smart cards: JaCarta-2 GOST, JaCarta-2 PKI/GOST.

To simplify the use of PAK Sobol in large infrastructures, the number of supported users was increased from 32 to 100. In addition, the security log capabilities were expanded: the number of entries increased from 80 to 2000. To improve convenience, the usual electronic lock console was replaced by a graphical interface, but the control logic has been retained. It also became possible to work with a computer mouse.

The Sobol electronic lock version 4 has already gone on sale in three form factors: on PCI Express, Mini PCI Express Half and M.2 boards.

Sobol 4 is a completely different approach to ensuring trusted boot of modern computers. Now there is no need to switch the BIOS to 16-bit mode, but you can enjoy all the benefits of a 64-bit UEFI environment. We have tried to make the updated interface as friendly and intuitive as possible so that administrators do not have any difficulties in mastering the product.

2016

PAK Sobol 3.0 with a new PCI Express card

In September 2016, Security Code announced the start of sales of PAK Sobol 3.0 (release 3.0.9) with a new PCI Express board. The product passed inspection control according to the requirements of the FSTEC of Russia in support of the previously issued certificate No. 1967.

Among the features of the updated version of the Sobol electronic lock are the watchdog timer mechanism, a complete upgrade of the element base and a number of other improvements. Innovations expand the functionality of the product and its scope, the company noted. Among the differences from previous versions - higher performance with less power consumption. At the same time, a wide choice of board formats makes it possible to use the Sobol electronic lock to protect monoblocks, laptops and ultrabooks.

PAK "Sobol" 3.0 (release 3.0.9) is available on PCI, Mini PCI Express, Mini PCI Express Half Size boards and on a new PCI Express board, which implements duplication of electrical circuits. Power is supplied to the new board from both the PCI Express slot and the SATA connector.

The updated version of the product can work in almost all operating systems of the Windows and Linux families, even in outdated versions (upon request to Security Code technical support). Among the newly compatible Linux distributions are MSVS 5.0, Alt Linux 7.0 Centaur x32/64, Astra Linux Special Edition Smolensk 1.4 x64 and Mandriva Rosa Nickel x86/x64.

According to the developers, the product has passed inspection control: the FSTEC of Russia certificate confirms the compliance of the updated version of Sobol with the regulator's requirements for trusted boot tools. The electronic lock can be used to ensure the security of ISPD up to the 1st security level inclusive and GIS up to the 1st security class inclusive.

Sobol 3.0 with PCI Express card

Sobol PAK version 3.0 (release 3.0.9) is available in several execution formats: on PCI boards, Mini PCI Express, Mini PCI Express Half and on a PCI Express board. The watchdog timer mechanism has been improved in the product.

The used PCI Express board implements duplication of electrical circuits: power is supplied both from the PCI Express slot and from the SATA connector. This modification improves the reliability of the watchdog timer.

Since the PCI Express board is half the size of the board of the previous modification, the complex can be installed in mini-cases. The element base of the board is completely updated, the memory capacity is increased 4 times, and the FPGA (field-programmable gate array) is manufactured using a 45-nm process technology, which means that the product has higher performance with less power consumption. A wide choice of board formats allows the Sobol electronic lock to be used to protect monoblocks, laptops and ultrabooks.

The released version of the Sobol electronic lock supports NTFS, FAT32, FAT16, FAT12, UFS2, UFS, EXT4, EXT3, EXT2 file systems. The product can work in almost all operating systems of the Windows and Linux families, including outdated versions (the necessary software is provided upon request to the Security Code technical support). Release 3.0.9 added support for operating system versions:

  • Alt Linux 7.0 Centaur x32/64;

According to the company, the modernized version of the Sobol PAK was transferred for inspection control to the FSTEC of Russia to confirm compliance with the previously issued certificate No. 1967.

The Sobol electronic lock has been tested on the Inspur hardware platform

A modified BIOS version is included in the HP Service Pack for ProLiant (HP SPP 2015.10.0) update release for all major HP Gen9 ProLiant server models. The integration provides guaranteed support for the operation of PAK Sobol as a means of protection against unauthorized access on HP ProLiant servers and allows the certified PAK Sobol to be used to protect servers from unauthorized access and provide trusted boot in accordance with information security requirements.

“The developers of our company, together with specialists, have carried out work to ensure the compatibility of 9th generation HP ProLiant servers with Sobol complexes. As a result of the improvements, a special BIOS version for HP servers was created, which, after extensive testing, became official for the entire line of 9th generation HP ProLiant servers. Thus, servers and workstations can now be reliably protected from unauthorized access by a certified trusted boot module - the Sobol complex,” said Andrey Burym, Product Manager at Security Code.
“The modified BIOS version is included in the release of the next Service Pack for ProLiant (HP SPP 2015.10.0). The update was received by all major models of the ninth generation HP ProLiant servers in the DL, ML, BL, XL lines. Integration at the BIOS level guarantees full product compatibility and allows our users to freely use Sobol APMDZ to protect the server from unauthorized access in accordance with the requirements of the FSTEC and the FSB of Russia,” said Alexey Kazmin, Product Manager, Server Department, HP in Russia.

2014: Sobol 3.0.7 on sale

The product passed inspection control at the FSTEC of Russia for compliance with the guidelines for the 2nd level of control for the absence of undeclared capabilities (NDV) and can be used in automated systems up to and including class 1B and in personal data information systems (ISPDn) of the highest security level. The updated version of PAK Sobol was also submitted to the FSB of Russia, where control thematic tests are being carried out to confirm the existing certificates of conformity.

Sobol 3.0.7

Compliance certification

The updated version of PAK Sobol was submitted to the FSTEC of Russia for inspection control and to the FSB of Russia for control thematic tests in order to confirm the existing certificates of conformity.
