Electronic lock Sobol. Electronic lock Sobol (PAK Sobol) version 3.0

The electronic lock "Sobol" (PAK "Sobol") is a certified hardware and software tool for protecting a computer from unauthorized access. It can be used to protect a stand-alone computer as well as a workstation or server that is part of a local computer network. FSB and FSTEC certificates allow the Sobol software package to be used to protect information constituting a state secret in automated systems of security class up to 1B inclusive.

2018: Obtaining a certificate of conformity from FSTEC of Russia

On December 10, 2018, the Security Code company announced that it had received a certificate of conformity from FSTEC of Russia for the Sobol software package, version 4. Certificate No. 4043 dated December 05, 2018 confirms that the Sobol electronic lock, version 4, complies with the FSTEC of Russia requirements for trusted boot tools of the expansion-card type, second protection class.

The certificate, valid until 12/05/2023, makes it possible to use the Sobol software package, version 4, to protect confidential information and state secrets classified up to "top secret", and to use the product in automated systems up to security class 1B inclusive, in ISPDn up to UZ1 inclusive and in GIS up to security class 1 inclusive.

Security Code announced the release of PAK Sobol version 4 in January 2018. The fourth generation of PAK Sobol was the next step in the product's development: it extended the functionality of the electronic lock while keeping the interface familiar to users of the previous version. The key differences of this generation of trusted boot modules are support for UEFI, compatibility with USB 3.0, and expanded functionality.

The operation of the Sobol software package in a UEFI environment makes it possible to use modern computers for storing and processing confidential data and state secrets. Support for GPT partitioning allows working with hard drives larger than 2 terabytes.

The updated version of the product adds USB 3.0 compatibility and moves from a 16-bit to a 64-bit architecture. Integrating the latest types of identifiers requires significantly less effort than with the previous version of PAK Sobol.

In Sobol 4, the list of supported identifiers has been expanded:

  • USB keys: JaCarta-2 GOST, JaCarta-2 PKI/GOST, JaCarta SF/GOST, Rutoken EDS and Rutoken Lite;
  • Smart cards: JaCarta-2 GOST, JaCarta-2 PKI/GOST.

To simplify the use of Sobol in large infrastructures, the number of supported users was increased from 32 to 100, and the security log was expanded: the number of entries increased from 80 to 2000. For convenience, the familiar electronic lock console was replaced by a GUI, but the control logic was retained. It also became possible to work with a mouse.

The Sobol electronic lock, version 4, has gone on sale in three formats: PCI Express, Mini PCI Express Half and M.2 boards.

"Sobol 4 is a completely different approach to ensuring trusted boot on modern computers. Now there is no need to switch the BIOS to 16-bit mode; you can enjoy all the benefits of the 64-bit UEFI environment. We tried to make the updated interface as friendly and intuitive as possible so that administrators do not have any difficulties in mastering the product."

2016

PAK Sobol 3.0 with a new PCI Express card

In September 2016 the Security Code company announced the start of sales of the Sobol software package 3.0 (release 3.0.9) with a new PCI Express board. The product passed inspection control in accordance with the requirements of FSTEC of Russia, confirming the previously issued certificate No. 1967.

Among the features of the updated version of the Sobol electronic lock are a watchdog timer mechanism, a complete upgrade of the component base and a number of other improvements. The innovations expand the functionality of the product and the scope of its application, the company noted. Compared with previous versions it offers higher performance with lower power consumption. At the same time, a wide selection of board formats makes it possible to use the Sobol electronic lock to protect all-in-one PCs, laptops and ultrabooks.

PAK Sobol 3.0 (release 3.0.9) is available on PCI, Mini PCI Express, Mini PCI Express Half Size and the new PCI Express board, which has redundant power circuits: power is supplied both from the PCI Express slot and from a SATA connector.

The updated version of the product can run on almost all operating systems of the Windows and Linux families, even outdated versions (upon request to Security Code technical support). Among the newly compatible Linux distributions are MSVS 5.0, Alt Linux 7.0 Centaur x32/64, Astra Linux Special Edition Smolensk 1.4 x64 and Mandriva Rosa Nickel x86/x64.

According to the developers, the product has passed inspection control: the FSTEC of Russia certificate confirms that the updated version of the Sobol software package complies with the regulator's requirements for trusted boot tools. The electronic lock can be used to secure ISPDn up to the 1st security level inclusive and GIS up to the 1st security class inclusive.

Sobol 3.0 with PCI Express card

Version 3.0 of the Sobol software package (release 3.0.9) is available in several board formats: PCI, Mini PCI Express, Mini PCI Express Half and PCI Express. The watchdog timer mechanism has been improved.

The PCI Express card has redundant power circuits: power is supplied both from the PCI Express slot and from a SATA connector. This change improves the reliability of the watchdog timer.

Since the PCI Express board is half the size of the previous version, the complex can be installed in mini cases. The board's component base has been completely updated, the memory capacity has been increased 4 times, and the FPGA (programmable logic integrated circuit) is manufactured on a 45 nm process, which gives the product higher performance with lower power consumption. A wide selection of board formats allows the Sobol electronic lock to be used to protect all-in-one PCs, laptops and ultrabooks.

The released version of the Sobol electronic lock supports the NTFS, FAT32, FAT16, FAT12, UFS2, UFS, EXT4, EXT3 and EXT2 file systems. The product can run on almost all operating systems of the Windows and Linux families, including outdated versions (the required software is available upon request to Security Code technical support). Release 3.0.9 added support for the following operating system versions:

  • "Alt Linux" 7.0 Centaur x32/64;

As the company stated, the modernized version of PAK Sobol was submitted for inspection control to FSTEC of Russia to confirm compliance with the previously issued certificate No. 1967.

The Sobol electronic lock was tested on the Inspur hardware platform

A modified BIOS version was included in the HP Service Pack for ProLiant update release (HP SPP 2015.10.0) for all major HP Gen9 ProLiant server models. The integration provides guaranteed support for the Sobol software package as a means of protection against unauthorized access on HP ProLiant servers and allows the certified Sobol software package to be used to protect servers from unauthorized access and provide trusted boot in accordance with information security requirements.

“The developers of our company, together with specialists, carried out work to ensure compatibility of 9th generation HP ProLiant servers with Sobol complexes. As a result of the improvements, a special version of the BIOS was created for HP servers, which, after comprehensive tests, became official for the entire line of HP ProLiant 9th generation servers. Thus, servers and workstations can now be reliably protected from unauthorized access by a certified trusted boot module, the Sobol complex,” said Andrey Burym, product manager at Security Code.
“A modified version of the BIOS was included in the release of the next Service Pack for ProLiant (HP SPP 2015.10.0). All major models of ninth generation HP ProLiant servers in the DL, ML, BL, XL lines received the update. Integration at the BIOS level guarantees full compatibility of products and allows our users to seamlessly use Sobol APMDZ to protect the server from unauthorized access in accordance with the requirements of FSTEC and the FSB of Russia,” noted Alexey Kazmin, product manager of the server department, HP in Russia.

2014: Sobol 3.0.7 on sale

The product passed inspection control at the Federal Service for Technical and Export Control of Russia for compliance with the guidelines for the 2nd level of control for the absence of undeclared capabilities and can be used in automated systems up to and including class 1B and in ISPDn of the highest security level. The updated version of PAK Sobol has also been transferred to the FSB of Russia, where control thematic tests are being carried out to confirm the existing certificates of conformity.

Sobol 3.0.7

Conformity Certification

The updated version of the Sobol PAK was transferred to the FSTEC of Russia for inspection control and to the FSB of Russia for conducting control thematic tests in order to confirm existing certificates of conformity.

PAK "Sobol" 3.0 is a hardware and software complex: an electronic lock that protects the computer from unauthorized access and provides trusted boot. The Sobol electronic lock can be used to protect a computer, workstation or server connected to a local network. Version 3.0 is compatible with USB 2.0/3.0 Hi-Speed mode.

PAK "Sobol" 3.0 meets all the requirements and standards of federal legislation, which is confirmed by certificate No. 1967 and by passing inspection control at FSTEC of the Russian Federation for compliance with the governing documents for the second level of control.

Sobol 3.0, as an electronic lock, is designed to protect personal computers (including ultrabooks, laptops and desktops), servers and specialized devices such as routers, cryptographic gateways and others. The improved version of PAK Sobol is compatible with Windows 8 and Windows Server 2012, as well as with the EXT4 file system in Linux operating systems.

Having passed inspection control at the Federal Service for Technical and Export Control of the Russian Federation, the product can be used in automated systems up to and including class 1B and in personal data information systems of the high security level. PAK "Sobol" 3.0 is now undergoing control tests at the FSB of Russia to confirm the existing certificates of conformity.

Functions of the PAK Sobol electronic lock:

  • managing computer settings (ACPI, PCI devices, SMBIOS);
  • blocking operating system boot from external media;
  • Windows registry integrity control;
  • recording attempts to access a personal computer;
  • user authentication;
  • system integrity monitoring;
  • watchdog timer.

Advantages of the PAK Sobol electronic lock:

  • support for Windows 8 and Windows Server 2012 operating systems with a 64-bit system;
  • compatibility with USB 2.0/3.0 Hi-Speed mode for enhanced user authentication;
  • interaction with identifiers Rutoken S/RF S, eToken PRO, eToken PRO (Java), iKey 2032, iButton;
  • technical support in creating simple cryptographic solutions;
  • protection of data that is a state secret;
  • flexible choice of configuration options and board formats (PCI-E, Mini PCI-E, PCI);
  • ease of deployment, optimization and operation;
  • certification by FSTEC and FSB of Russia.

Sobol is a means of protecting information on personal computers from unauthorized access. Sobol acts as a hardware and software trusted boot module. PAK Sobol is designed to protect confidential information, information constituting a state secret up to and including the "top secret" level, and personal data.

FSTEC Certificate No. 1967 confirms that PAK Sobol complies with the requirements of the governing documents of the Federal Service for Technical and Export Control of Russia for the 2nd level of control for the absence of undeclared capabilities and can be used in automated systems of security class up to 1B inclusive.

FSB Certificate No. SF/027-1450 confirms that PAK Sobol complies with the requirements for a hardware and software trusted boot module (APMDZ) of class 1B.

Features of PAK Sobol

PAK Sobol performs the following security functions:

  • Blocks attempts to boot the OS from removable media. After a standard copy of the OS has loaded successfully, access to these devices is restored. The boot ban applies to all computer users except the administrator.
  • Identifies and authenticates users.
  • Performs file and hard disk sector integrity checks (before loading the OS). The Sobol integrity control mechanism makes it possible to verify the immutability of files and physical hard disk sectors before the operating system loads.
  • Acts as a watchdog timer. The watchdog timer mechanism blocks access to the computer if, after power-on, control is not transferred to the Sobol BIOS extension within a specified time interval.
  • Logs system security events in its own non-volatile memory.

PAK Sobol supports work with the following operating systems:

  • Windows family OS (supports both 32 and 64 bit)
  • OS MSWS 3.0
  • Trustverse Linux XP Desktop 2008 Secure Edition
  • FreeBSD version 5.3, 6.2, 6.3 or 7.2, 8.0, 8.1, 8.2
  • VMWare ESX 3.5 – 4.0

PAK Sobol supports file systems: NTFS, FAT 32, FAT 16, UFS, EXT3, EXT2.

Advantages PAK Sobol

  • PAK Sobol meets FSTEC requirements for personal data protection
  • PAK Sobol received the FSB certificate for APMDZ up to class 1B
  • PAK Sobol successfully operates in modern Windows operating systems (32 and 64 bit)
  • Support for various types of identifiers (Rutoken, eToken, DS iButton "tablets")
  • Possibility of software initialization of the complex

Administration capabilities

When configuring PAK Sobol, the administrator can:

  • Determine the minimum length of a user password;
  • Determine the maximum number of unsuccessful user logins;
  • Add and remove usernames;
  • Block the user's work on the computer;
  • Create backup copies of the administrator's personal ID.
  • Programmatically initialize the complex.

Hardware specifications

PAK Sobol is available as a board that supports the 3 V and 5 V PCI bus or the PCI Express bus version 1.0a and higher. Sobol is available in two hardware versions:

The equipment comes with a 1-year warranty from the date of purchase.

PAK Sobol is used in the Central Bank of the Russian Federation, the State Automated System "Elections", the Ministry of Internal Affairs of Russia, the Federal Treasury of Russia and the Pension Fund of Russia.

PAK Sobol 3 is an electronic lock: a board that is inserted into a server or workstation. Security is our everything. This product is installed not because the administrator wants it, but because such requirements exist. Manufacturer: Security Code LLC.

Let's install it in an HPE ProLiant DL360 Gen10 server.

Why is it needed?

  • Protection of information from unauthorized access.
  • Monitoring the integrity of IS components.
  • Prohibition of loading the OS from external media.
  • Protection of confidential information and state secrets in accordance with the requirements of regulatory documents.
  • Increasing the protection class of CIPF.

Advantages

Here I copied from the leaflet and added my comments.

  • System integrity monitoring Windows registry, computer hardware configuration and files before loading the OS.
  • Enhanced (enhanced how? - oil) two-factor authentication using modern personal electronic identifiers (if we consider an intercom key a modern electronic identifier).
  • Easy to install, configure and administer.
  • Possibility of software initialization without opening the system unit.
  • Hardware random number generator meeting FSB requirements.

Possibilities

  • Monitoring the integrity of the software environment. Monitoring the immutability of files and physical hard disk sectors, as well as the NTFS, FAT16, FAT32, UFS, UFS2, EXT2, EXT3 and EXT4 file systems in Linux and Windows operating systems. Supported operating systems:
    • Windows
      • Windows 7/8/8.1/10
      • Windows Server 2008/2008 R2/2012/2012 R2
    • Linux
      • MSWS 5.0 x64
      • Alt Linux 7.0 Centaur x86/x64
      • Astra Linux Special Edition "Smolensk" 1.4 x64
      • CentOS 6.5 x86/x64
      • ContinentOS 4.2 x64
      • Debian 7.6 x86/x64
      • Mandriva ROSA "Nickel" x86/x64
      • Red Hat Enterprise Linux 7.0 x64
      • Ubuntu 14.04 LTS Desktop/Server x86/x64
      • VMware vSphere ESXi 5.5 x64
    • Support for other operating systems is provided upon request to Security Code technical support.
  • Identification and authentication.
    • Use of personal electronic identifiers:
      • iButton
      • eToken PRO
      • eToken PRO (Java)
      • Rutoken
      • Rutoken RF
      • eToken PRO smart cards
    • Loading the operating system from the hard drive is carried out only after presenting the registered ID.
  • Journaling. Maintaining a system log, the records of which are stored in a special non-volatile memory. The following events are recorded in the log:
    • The fact that the user is logged in and the username.
    • Presentation of an unregistered ID.
    • Entering the wrong password.
    • Exceeding the number of login attempts.
    • Date and time of unauthorized access (NSD) events.
  • Windows registry integrity control. Controlling the immutability of the Windows system registry increases the protection of workstations from unauthorized actions within the operating system.
  • Hardware random number sensor. Increasing the security class of CIPF and providing random numbers to application software.
  • Configuration control. Monitoring the consistency of the computer configuration: PCI devices, ACPI, SMBIOS and RAM.
  • Prohibition of loading from external media. Prohibition of loading the operating system from removable media (USB, FDD, DVD/CD-ROM, LPT, SCSI ports, etc.).
  • Watchdog timer. Blocking access to a computer using a watchdog timer mechanism if control is not transferred to the Sobol PAK when it is turned on.
  • Software initialization. Ability to initialize PAK "Sobol" programmatically, without opening the system unit and removing the jumper on the board.
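The integrity control described in the Features list and in this list (files and physical disk sectors are hashed at sealing time and re-checked before the OS loads; any mismatch blocks boot) can be modelled as a baseline-and-verify routine. This is an added example, not Sobol's own code: the 512-byte sector size, the file set, the disk image and the controlled sector list are all constructed here, and the second check also shows why a Windows update that rewrites a controlled registry hive trips the check, as the admin's notes below complain.

```python
import hashlib
from dataclasses import dataclass

SECTOR_SIZE = 512  # assumed sector size for this model; not Sobol's internal layout


@dataclass(frozen=True)
class Baseline:
    """Reference digests the lock stores when the administrator seals the configuration."""
    files: dict    # path -> sha256 hex digest of file contents
    sectors: dict  # sector index -> sha256 hex digest of that raw sector


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_sector(disk: bytes, index: int) -> bytes:
    return disk[index * SECTOR_SIZE:(index + 1) * SECTOR_SIZE]


def build_baseline(files: dict, disk: bytes, sector_list: list) -> Baseline:
    """Compute reference digests for every controlled file and sector."""
    return Baseline(
        files={path: digest(content) for path, content in files.items()},
        sectors={i: digest(read_sector(disk, i)) for i in sector_list},
    )


def verify(baseline: Baseline, files: dict, disk: bytes) -> list:
    """Re-hash everything under control; an empty list means the OS may boot."""
    violations = []
    for path, expected in baseline.files.items():
        content = files.get(path)
        if content is None:
            violations.append(f"file missing: {path}")
        elif digest(content) != expected:
            violations.append(f"file changed: {path}")
    for index, expected in baseline.sectors.items():
        if digest(read_sector(disk, index)) != expected:
            violations.append(f"sector changed: {index}")
    return violations


def boot_allowed(baseline: Baseline, files: dict, disk: bytes) -> bool:
    return not verify(baseline, files, disk)


# Constructed sample: a 4-sector "disk" and two controlled files.
DISK = bytearray(4 * SECTOR_SIZE)
DISK[0:16] = b"FAKE-BOOT-SECTOR"                   # sector 0 stands in for the MBR
DISK[SECTOR_SIZE:SECTOR_SIZE + 9] = b"partition"   # sector 1: start of a partition header
FILES = {
    "/boot/vmlinuz": b"constructed kernel image bytes",
    "C:/Windows/System32/config/SYSTEM": b"constructed registry hive bytes",
}
CONTROLLED_SECTORS = [0, 1]


def demo() -> dict:
    """Seal a baseline, then check once clean and once after the MBR and a hive change."""
    base = build_baseline(FILES, bytes(DISK), CONTROLLED_SECTORS)
    clean = verify(base, FILES, bytes(DISK))
    tampered_disk = bytearray(DISK)
    tampered_disk[0:16] = b"EVIL-BOOT-SECTOR"      # unexpected rewrite of the boot sector
    tampered_files = dict(FILES)
    tampered_files["C:/Windows/System32/config/SYSTEM"] = b"hive rewritten by an update"
    return {"clean": clean, "after_change": verify(base, tampered_files, bytes(tampered_disk))}


if __name__ == "__main__":
    print(demo())
```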

Principle of operation

The lineup

  • PCI Express 57x80
  • Mini PCI Express
  • Mini PCI Express Half Size
  • M.2 A-E

Admin's thoughts

If an attacker has gained full access to the remote server console, this electronic lock will not help. Just switch to UEFI boot mode and Sobol does not work; the two-factor turns into a pumpkin. It seems Sobol version 4 can now work in UEFI; I haven't looked at what's there.

I noticed the phrase "Ease of administration". Easy? Yes, it's not difficult. Convenient? Not at all. The server rebooted: a trip to the data center. There are no proper means of remote two-factor authentication.

Registry integrity control is a dubious thing. Yes, it controls it. Windows got updated: a trip to the data center. Leaving Windows without updates is generally unsafe, and Sobol gets in the way of those updates.

Equipment

Appearance

One side. There are jumpers on the board; we will need them later. Jumpers lying in the plane of the board do not affect operation; only those perpendicular to the board matter. One jumper, J0, is installed, so apparently this Sobol was already installed somewhere before. In theory it should detect that the hardware has changed and refuse to work; we'll check this during installation.

Other side.

View of the connector.

Installation

Install it on the server.

Back view.

We connect an external reader for iButton.

We turn on the server. We enter the BIOS and switch the boot mode to Legacy.

We save and reboot the server.

For Sobol to work, the system must try to boot. I don't have anything on the disk right now, so I'll mount an ISO image with the OS installer.

And it doesn't allow booting.

Because it used to be in another server. The protection is working. Turn everything off. Take it all apart. We get to the jumpers on Sobol.

Remove jumper J0. Put everything back together.

Sobol takes control.

Sobol without jumper J0 goes into initialization mode. Select "Initialize board".

The General System Settings window opens. You can set the necessary parameters. Press Esc.

The "Integrity Control" window opens. You can set the necessary parameters. Press Esc.

We wait. Sobol likes to test the random number sensor.

The initial registration of the administrator is carried out. Yes.

Specify the password. Enter.

We repeat the password. Enter.

We are asked to insert the key. We plug in the first one from what was included.

Warning that the key will be formatted. Yes.

Are you sure? Reminds me of Windows. Yes.

Create a backup copy of the admin ID? Of course, we have two keys. We take out the first key. Select Yes.

We stick in the second key.

We are told to put the jumper back. OK. The server shuts down.

We get to the Sobol board and put the jumper back on J0.

We turn on the server.

Booting in Legacy mode. Sobol takes control.

We are asked to insert the key. We insert it.

Enter the password.

Press any key.
