Secret Net Studio — overview of the comprehensive information security tool

Stanislav Nesterenko
15 min read · Feb 22, 2022


Good day to everyone reading this article. This is the first in a series of articles that I want to devote to overviews of information security tools of various kinds. I ask everyone who reads it to leave a comment on the quality of the article and suggestions for improvement.

I decided to start with a comprehensive information security tool from Russia. I warn you in advance that I have not described every protection mechanism in detail, since that would have taken too much time and produced a month's worth of material; instead I have listed the key features of each mechanism. Prices and delivery terms are at the end of the article. Neither this article nor the other articles in the review series are promotional.

Introduction

A significant part of information protection work is securing workstations and servers. Endpoint Security products address this: they counter internal and external threats with several security subsystems (antivirus, protection against unauthorized access, a personal firewall, and so on). Regulatory documents also list the classic computer security threats, and their requirements are likewise met by installing Endpoint Security tools on workstations and servers. An information security threat model traditionally includes a long list of threats relevant to workstations and servers. Until recently they could not be neutralized by one or two products, so administrators installed several, each covering a certain set of tasks: protection against unauthorized access, antivirus, network traffic filtering, cryptographic protection of information, and so on. This approach forces administrators to work continuously with the consoles of several different tools. In addition, products from different vendors are often poorly compatible, which slows down the protected system and in some cases breaks it. Comprehensive solutions that combine several protective mechanisms are now appearing on the market. One of them is “Secret Net Studio 8.5”, developed by the “Security Code” company.

Specifications

Secret Net Studio 8.5 is available in two versions:
- standalone version: provides only local management of the protective mechanisms;
- network version: provides centralized management of the protective mechanisms, as well as centralized collection of information from protected computers and centralized changes to their state.

In the standalone version, the protective mechanisms are installed and managed locally.
The product includes the following components:
- The client is installed on servers and workstations and protects them.
- Control Center (local mode) — the management program in local mode works directly with the security components on the computer.
- Antivirus update server — provides centralized updating of the virus signature databases.

In the network version, protective mechanisms are installed on all servers and workstations and are managed centrally. In addition to the components of the standalone version, the network version includes:
- The security server is the main element: it ensures interaction between the managed objects, implements control and management functions, and processes, stores and transmits information.
- Management program — used for centralized management of protected computers.
- Authentication server — supports the personal firewall mechanisms and the authorization of network connections (part of the security server software).

Capabilities

Protection against unauthorized access

Discretionary and mandatory file access control:
- Works on any file system supported by Windows, including FAT.
- Assignment of confidentiality labels through folder and directory properties.
- Flow control, with optional strict control of terminal connections.
- Selection of the session confidentiality level at login, or automatic assignment of the maximum level.
Enhanced login
- Support for two-factor authentication with electronic identifiers: eToken, Rutoken, ESMART, JaCarta, iButton and others.
- Own enhanced password authentication and password policies.
- Session locking policies on inactivity or on removal of the identifier.
- Works with local and domain users.
- Support for terminal servers and VDI.
- Flexible access restriction settings.
- End-to-end user authentication when used with Sobol (a hardware/software trusted boot module).
- Works with iButton identifiers connected to Sobol.
Shadow copying
- Creation of shadow copies when documents are copied to removable media or printed.
- Secure storage for shadow copies.
- Local management of shadow copies.
- Control of storage fill level.
Print control
- Configuration of individual printers and of rules for all connected devices.
- Discretionary and mandatory access control.
- Support for virtual printers.
- Restriction of document printing depending on confidentiality level.
- Marking of documents.
Data wipe
- Configurable number of wipe passes.
- FAT, NTFS and ReFS support.
- Wiping of data on local and removable media.
Closed software environment and data integrity control
- Creation of a list of applications allowed to run.
- Automatic building of application dependencies.
- Control of files, directories and the registry.
- Configurable check timing.
- Choice of response to information security events.
- File integrity control management using “Sobol”.

Device control

- Discretionary and mandatory control of access to devices.
- Control by groups, classes, models and individual devices.
- Hierarchical inheritance of settings.
- Monitoring of device connection and disconnection.
- Management of device redirection in terminal connections.

Antivirus protection and intrusion detection

- Signature and heuristic malware detection.
- Real-time protection, on-demand scanning from the context menu and scheduled scanning.
- Whitelists of directories and files.
- Selectable scan profiles.
- Local update servers.
- Heuristic and signature analysis of incoming network traffic.
- Automatic temporary blocking of attacking hosts.
- A command to promptly lift such a block.

Data encryption

- Encryption of containers of arbitrary size.
- Storage of key material on electronic keys or removable disks.
- Key backup.
- Configurable access rights to data in the container.

Attack resistance

- OS-independent “Trusted Environment” module.
- External integrity control of the security tool's own processes.
- External integrity control of the drivers in the system.
- Protection of the management system from actions of the local administrator.

Protection of network interaction

Firewall
- Traffic filtering at L3, L4 and L7.
- Configurable reaction when a rule is triggered.
- Rules that apply only on given days of the week and times of day.
- Templates for various network services.
Authorization of network connections
- Access control for terminal servers.
- Protection against man-in-the-middle attacks.
- Software segmentation of the network without changing the network topology.
- Concealment of network traffic.

Centralized management and monitoring

- Centralized management of Secret Net LSP clients (the Linux version).
- Configuration templates for bringing the system into compliance with the legislation of the Russian Federation.
- Centralized deployment and installation of patches and updates.
- Hierarchical policies for managing the settings of security components.
- Configurable alerts, with events separated by severity.
- Grouping of protected computers for monitoring and separate status display.
- Retrieval of logs from Sobol.
- Notification of information security events in the control panel and by e-mail.
- Centralized security management in unrelated Active Directory domains.

Protective mechanisms

The protective mechanisms are managed from the Control Center. The screenshots below were taken on the standalone demo version of the program.

Secret Net Studio 8.5 — Control Center

Protection against unauthorized access

Login protection
Login protection prevents unauthorized persons from accessing the computer. The login protection mechanism includes the following tools:
- user identification and authentication tools;
- computer locking tools;
- hardware protection against booting the OS from removable media.

Tools for user identification and authentication
User identification and authentication are performed at every login. In Secret Net Studio, user identification can be performed in the following modes:
- by name (login and password);
- mixed (login and password, or a token);
- token only.

Identification mode selection

The personal identifiers supported by the Secret Net Studio identification and authentication tools are eToken, RuToken, JaCarta, ESMART and iButton.
User security tokens are configured in a separate software component “Management of user security settings”.

User security settings window

Computer locking tools
Computer locking tools prevent unauthorized use of the computer. In the locked state the input devices (keyboard and mouse) and the monitor screen are blocked.
The following options are available:
- locking after unsuccessful login attempts;
- temporary locking of the computer;
- locking of the computer when protective subsystems are triggered;
- locking of the computer by the operational management administrator.

Computer locking tools

Functional control
Functional control ensures that by the time a user logs into the OS (i.e., by the time the user starts working), all the main security subsystems are loaded and functioning.
Successful completion of functional control is recorded in the Secret Net Studio log.
If functional control fails, an event stating the reasons is registered in the Secret Net Studio log (provided the Secret Net Studio kernel is operational), and only members of the computer's local Administrators group are then allowed to log in.

Integrity control
The integrity control mechanism verifies that controlled objects remain unchanged. Controlled objects can be files, directories, system registry keys and disk sectors. Integrity control is managed in a separate software component, “Application and data control”.

Creating an integrity control task

Several responses of the system to the result of a control task can be configured. All information about the objects, the control methods and the control schedules is kept in a special structure called the data model. The data model is stored in the local Secret Net Studio database and is a hierarchical list of objects with a description of the relationships between them.
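The following is an added example, not code from Secret Net Studio, showing the shape of such an integrity control task: a small data model listing the controlled objects, a reference snapshot of their hashes, a check that classifies every difference against the reference, and a configurable response. The data model layout, the function names, the response names and the scratch files in the demo are this example's own assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so that large objects need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(data_model: dict) -> dict:
    """Hash every object listed in the (assumed) data model. Directories are
    expanded recursively, so files added inside them show up as 'added' on a
    check, not only changes to files present when the reference was taken.
    An object that is listed but missing is recorded with a digest of None."""
    state = {}
    for entry in data_model["objects"]:
        p = Path(entry["path"])
        if p.is_dir():
            for f in sorted(p.rglob("*")):
                if f.is_file():
                    state[str(f)] = sha256_file(f)
        elif p.is_file():
            state[str(p)] = sha256_file(p)
        else:
            state[str(p)] = None
    return state


def build_reference(data_model: dict) -> dict:
    """Accept the current state as the reference (the baseline)."""
    return collect(data_model)


def check_integrity(data_model: dict, reference: dict) -> dict:
    """Compare the current state with the reference and classify each difference."""
    current = collect(data_model)
    report = {"modified": [], "deleted": [], "added": []}
    for path, digest in reference.items():
        now = current.get(path)
        if digest is None and now is None:
            continue                      # absent before and absent now
        if now is None:
            report["deleted"].append(path)
        elif digest is None:
            report["added"].append(path)
        elif now != digest:
            report["modified"].append(path)
    for path, now in current.items():
        if path not in reference and now is not None:
            report["added"].append(path)
    return report


def respond(report: dict, response: str) -> list:
    """Apply the configured reaction to a check result: 'log' only records the
    differences, 'alarm' additionally raises an alarm event, and 'block'
    refuses to continue (the analogue of blocking the login)."""
    events = [f"integrity: {kind} {p}" for kind, paths in report.items() for p in paths]
    violated = any(report.values())
    if violated and response == "block":
        raise PermissionError("integrity check failed; login blocked")
    if violated and response == "alarm":
        events.append("ALARM: integrity violation")
    return events


if __name__ == "__main__":
    # Constructed demo: baseline a scratch directory, tamper with it, re-check.
    root = Path(tempfile.mkdtemp())
    (root / "service.dll").write_bytes(b"original build")
    model = {"objects": [{"path": str(root), "method": "sha256", "schedule": "at logon"}]}
    reference = build_reference(model)
    (root / "service.dll").write_bytes(b"patched build")
    for line in respond(check_integrity(model, reference), "alarm"):
        print(line)
```

A check that only compares files already in the baseline misses dropped-in binaries; expanding directories on every run is what makes new files visible. Whether a violation merely logs, raises an alarm or blocks the session is a policy decision and should not be hard-coded in the checker.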

Discretionary access control for file system resources
Secret Net Studio includes a discretionary access control mechanism for file system resources. It provides:
- differentiation of user access to directories and files on local disks, based on an access matrix of subjects (users, groups) to objects;
- access control for local and network calls, including calls on behalf of the system account;
- no way to reach objects while bypassing the established access rights (provided standard OS tools or application programs are used, without their own file system drivers);
- independence from the built-in Windows discretionary access control. That is, access rights set on file objects in Secret Net Studio do not affect the corresponding Windows access rights, and vice versa.
By default, the privilege to manage access rights is granted to members of the local Administrators group, and all users are allowed read, write, execute and delete (RWXD) access to every resource.

Mandatory access control
The mandatory access control mechanism provides:
- differentiation of user access to information that has been assigned a confidentiality category (confidential information);
- control over the connection and use of devices that have been assigned confidentiality categories;
- control of confidential information flows in the system;
- control over the use of network interfaces for which permitted user session confidentiality levels are specified;
- control of the printing of confidential documents.

To make mandatory access control work with flow control mode enabled, additional configuration must be performed locally on the computer. A dedicated program configures the mandatory access control subsystem for flow control mode. The configuration is performed before flow control mode is enabled, and again whenever new users, programs or printers are added, to keep the mechanism working correctly.

A user is granted access to confidential information according to their access level. If the user's access level is lower than the confidentiality category of the resource, the system blocks access to that resource. Once a program (process) has accessed confidential information, its confidentiality level is raised to the confidentiality category of that resource. This prevents confidential data from being saved into files with a lower confidentiality category.
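As an added illustration of the flow control described above (this is the author's own model, not Secret Net Studio code), the following reference monitor assigns every object a confidentiality category, refuses reads above the session level, raises the process label to the category of whatever it reads, and then refuses writes into objects below that label. The level names, the rule that a session may not write above its own level, and the sample objects are assumptions made for the example; the no-read-up / no-write-down discipline itself is the standard one the text describes.

```python
from dataclasses import dataclass

# Confidentiality categories in ascending order (assumed names).
LEVELS = ("public", "confidential", "strictly_confidential")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class Process:
    user: str
    clearance: str                 # the user's access level
    session_level: str             # level chosen at login; may not exceed clearance
    label: str = "public"          # current confidentiality level of the process

    def __post_init__(self):
        if RANK[self.session_level] > RANK[self.clearance]:
            raise ValueError("session level above the user's access level")


class FlowControl:
    """Reference monitor: every object (file, device, printer) carries a
    confidentiality category and every read/write goes through here."""

    def __init__(self):
        self.categories = {}       # object name -> category
        self.log = []

    def label_object(self, name: str, category: str) -> None:
        self.categories[name] = category

    def read(self, proc: Process, name: str) -> bool:
        cat = self.categories.get(name, "public")
        if RANK[cat] > RANK[proc.session_level]:
            self.log.append(f"DENY  read  {name} [{cat}] by {proc.user} (session {proc.session_level})")
            return False
        # The process inherits the category of what it has read, so it can no
        # longer write into objects of a lower category.
        if RANK[cat] > RANK[proc.label]:
            proc.label = cat
        self.log.append(f"ALLOW read  {name} [{cat}] by {proc.user}; process label now {proc.label}")
        return True

    def write(self, proc: Process, name: str) -> bool:
        cat = self.categories.get(name, "public")
        if RANK[cat] < RANK[proc.label]:
            self.log.append(f"DENY  write {name} [{cat}] by {proc.user} (process label {proc.label})")
            return False
        if RANK[cat] > RANK[proc.session_level]:
            # Assumption: a session may not create data above its own level either.
            self.log.append(f"DENY  write {name} [{cat}] by {proc.user} (session {proc.session_level})")
            return False
        self.log.append(f"ALLOW write {name} [{cat}] by {proc.user}")
        return True


if __name__ == "__main__":
    # Constructed demo: a confidential document and a public removable drive.
    fc = FlowControl()
    fc.label_object("report.docx", "confidential")
    fc.label_object("usb_drive", "public")
    editor = Process(user="ivanov", clearance="confidential", session_level="confidential")
    fc.read(editor, "report.docx")
    fc.write(editor, "usb_drive")      # denied: confidential data would flow to a public device
    print("\n".join(fc.log))
```

The point the label upgrade makes is that the decision is taken on the process, not on the user: the same user in the same session can write to the public drive before opening the confidential document and cannot afterwards, which is exactly what stops "save as" into a lower category.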

Data wipe
Wiping deleted information makes it impossible to restore and reuse the data after deletion. Guaranteed destruction is achieved by writing random sequences over the location of the deleted information in the released storage area.
Secret Net Studio implements the following data wipe options:
- automatic wiping when data are deleted from certain types of devices (local and removable disks, RAM), when the wipe function is enabled in the management program;
- wiping of file objects selected by the user, by a command from the context menu;
- wiping, by a command from the context menu of the Secret Net Studio icon in the Windows taskbar, of all data (including the partition table, logical volumes, file objects and residual information) on local disks (except the system disk) and on removable media connected to the protected computer.
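The following added example (the author's, not the product's code) shows the mechanism in its simplest form: a file is overwritten in place with random data for a configurable number of passes, each pass is forced to the device, the last pass is read back and compared with what was written, and only then is the file truncated and unlinked. The function name, the pass count and the verification step are this example's choices. One caveat a practitioner should keep in mind: overwriting only destroys data where the device really writes to the same physical location; on SSDs with wear levelling, on copy-on-write or journaling file systems, and on media with snapshots, earlier copies of the blocks can survive the overwrite.

```python
import hashlib
import os
import tempfile


def wipe_file(path: str, passes: int = 3, chunk_size: int = 1 << 20) -> int:
    """Overwrite 'path' in place 'passes' times with random bytes, forcing each
    pass to the device, verify that the last pass is what is on disk, then
    truncate and unlink the file. Returns the total number of bytes written."""
    if passes < 1:
        raise ValueError("at least one pass is required")
    size = os.path.getsize(path)
    written = 0
    last_pass = hashlib.sha256()
    with open(path, "r+b") as f:
        for _ in range(passes):
            last_pass = hashlib.sha256()
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(remaining, chunk_size))
                f.write(chunk)
                last_pass.update(chunk)
                remaining -= len(chunk)
                written += len(chunk)
            f.flush()
            os.fsync(f.fileno())        # reach the device, not only the page cache
        # Read back and compare with what the last pass wrote.
        f.seek(0)
        on_disk = hashlib.sha256()
        for chunk in iter(lambda: f.read(chunk_size), b""):
            on_disk.update(chunk)
        if on_disk.digest() != last_pass.digest():
            raise IOError("wipe verification failed: content differs from the last pass")
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    os.unlink(path)
    return written


if __name__ == "__main__":
    # Constructed sample data in a scratch file.
    fd, name = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"account list\n" * 1000)
    total = wipe_file(name, passes=3)
    print(f"{total} bytes overwritten, file removed: {not os.path.exists(name)}")
```

The fsync after each pass matters: without it, several passes can collapse into a single write of the last buffer in the cache, which defeats the purpose of configuring multiple passes.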

Closed software environment
The closed software environment mechanism lets you define, for any user of the computer, an individual list of software allowed for use. The protection system controls and prohibits the use of the following resources:
- executable files of programs and libraries that are not in the list of allowed resources and do not meet certain conditions;
- scripts that are not in the list and are not registered in the database.
Attempts to launch unauthorized resources are logged as alarm events.
At the configuration stage, a list of resources allowed to run and execute is compiled.
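As an added example of this idea (the author's code, not the product's), here is a per-user launch allowlist keyed by path and content hash, so that an unlisted program and a listed program whose file has been replaced are both refused, and each refusal is recorded as an alarm event. The allowlist layout, the set of script extensions and the event text are assumptions of this example.

```python
import hashlib
from pathlib import Path

# Assumed set of extensions treated as scripts rather than executables.
SCRIPT_SUFFIXES = {".ps1", ".bat", ".cmd", ".vbs", ".js", ".py"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ClosedEnvironment:
    """Per-user launch allowlist keyed by path and content hash."""

    def __init__(self):
        self.allowlist = {}     # user -> {path: sha256}
        self.events = []

    def register(self, user: str, paths) -> None:
        """Configuration stage: hash the files the user is allowed to run."""
        self.allowlist.setdefault(user, {}).update(
            {str(Path(p)): sha256_file(Path(p)) for p in paths})

    def may_run(self, user: str, path: str) -> bool:
        """Launch-time decision: allowed only if the path is listed for this
        user and the file still has the hash recorded at registration."""
        p = Path(path)
        key = str(p)
        expected = self.allowlist.get(user, {}).get(key)
        if expected is not None and p.is_file() and sha256_file(p) == expected:
            return True
        kind = "script" if p.suffix.lower() in SCRIPT_SUFFIXES else "executable"
        reason = "not in allowlist" if expected is None else "file changed since registration"
        self.events.append(f"ALARM: {user} attempted to run {kind} {key}: {reason}")
        return False
```

Keying on the hash rather than the path alone is what makes the list closed: replacing an allowed binary in place does not inherit its permission.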

Control of connection and modification of computer devices

The mechanism for controlling the connection and modification of computer devices provides:
- timely detection of changes in the hardware configuration of the computer and a response to these changes;
- maintenance of an up-to-date list of computer devices, which is used by the device access control mechanism.
The initial hardware configuration of the computer is determined at installation, with the control parameters set to their defaults. The control policy can be configured individually for each device, or inherited from the models, classes and groups to which the devices belong.

When hardware configuration changes are detected, the system waits for the security administrator to approve them. The approval procedure authorizes the detected changes and accepts the current hardware configuration as the new reference.

Print control

The print control mechanism provides:
- differentiation of user access to printers;
- registration of document printing events in the Secret Net Studio log;
- printing of documents with a given confidentiality category;
- automatic addition of a stamp to printed documents (document marking);
- shadow copying of printed documents.

To implement marking and/or shadow copying of printed documents, “virtual printer” drivers are added to the system.

Shadow copying of output data

The shadow copying mechanism creates duplicates of data output to removable media. The duplicates (copies) are kept in a special storage that only authorized users can access. The mechanism applies to the devices for which the mode of saving copies on write is enabled.

When copy saving mode is enabled, data can be output to an external device only if a copy of the data has been created in the shadow copy storage. If for some reason the duplicate cannot be created, the output operation is blocked.
Shadow copying is supported for the following device types:
- removable disks;
- floppy disk drives;
- optical disc drives with write capability;
- printers.

Protecting information on local disks
The mechanism for protecting information on local computer disks (the disk protection mechanism) blocks access to the hard disks when the computer is booted in an unauthorized way. A boot is considered authorized when it is performed by the operating system with the Secret Net Studio client software installed. All other ways of loading an OS are considered unauthorized (for example, booting from external media or booting another OS installed on the computer).

Data encryption in cryptographic containers
Secret Net Studio can encrypt the contents of file system objects (files and folders). Encryption and decryption use special storage objects, cryptographic containers.
Physically, a cryptographic container is a file that can be attached to the system as an additional disk.
The key scheme of the cryptographic containers is built on the GOST R 34.10–2012, GOST R 34.11–2012 and GOST 28147–89 algorithms. During cryptographic operations, sets of keys and additional values used to access the container are generated and computed.

Firewall

Secret Net Studio controls network traffic at the network, transport and application levels on the basis of configured filtering rules.
The Secret Net Studio firewall subsystem implements the following main functions:
- network-level filtering with an independent decision for each packet;
- filtering of service protocol packets (ICMP, IGMP, etc.) needed for diagnostics and control of network devices;
- filtering based on the input and output network interface, to verify the authenticity of network addresses;
- transport-level filtering of requests to establish virtual connections (TCP sessions);
- application-level filtering of requests to application services (filtering by character sequences in packets);
- filtering based on network packet fields;
- filtering based on the date and time of day.
Traffic is filtered on Ethernet (IEEE 802.3) and Wi-Fi (IEEE 802.11b/g/n) interfaces. Firewall events are logged in the Secret Net Studio log.
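To make the rule model above concrete, here is an added example (the author's code, not the product's rule engine) of a stateless per-packet filter with L3 network matches, L4 protocol and port matches, an input-interface condition used for anti-spoofing, an L7 byte-pattern match, and a day-of-week/hour window, evaluated first-match with a default deny. The rule fields, the packet representation, the sample rule set and the sample traffic are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Set


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None
    payload: bytes = b""
    iface: str = "lan"                # interface the packet arrived on


@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    src: str = "0.0.0.0/0"            # L3: source network
    dst: str = "0.0.0.0/0"            # L3: destination network
    proto: Optional[str] = None       # L4: protocol
    dport: Optional[int] = None       # L4: destination port
    iface: Optional[str] = None       # input interface
    pattern: Optional[bytes] = None   # L7: byte sequence that must appear in the payload
    days: Optional[Set[int]] = None   # weekdays the rule is active, 0 = Monday
    hours: Optional[range] = None     # hours of the day the rule is active
    log: bool = False
    comment: str = ""

    def matches(self, pkt: Packet, now: datetime) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.pattern is not None and self.pattern not in pkt.payload:
            return False
        if self.days is not None and now.weekday() not in self.days:
            return False
        if self.hours is not None and now.hour not in self.hours:
            return False
        return True


class Firewall:
    """Stateless filter: each packet is judged on its own, the first matching
    rule wins, and anything no rule covers gets the default action."""

    def __init__(self, rules, default="deny"):
        self.rules = rules
        self.default = default
        self.log = []

    def decide(self, pkt: Packet, now: datetime) -> str:
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt, now):
                if rule.log:
                    self.log.append(f"{now:%Y-%m-%d %H:%M} rule#{i} {rule.action} {pkt.proto} "
                                    f"{pkt.src}->{pkt.dst}:{pkt.dport} on {pkt.iface} ({rule.comment})")
                return rule.action
        return self.default


# Constructed sample policy.
RULES = [
    # Anti-spoofing: internal addresses must never arrive on the external interface.
    Rule("deny", src="10.0.0.0/8", iface="wan", log=True, comment="spoofed internal source"),
    # RDP from the internal network, working days 09:00-17:59 only.
    Rule("allow", src="10.0.0.0/8", proto="tcp", dport=3389, days={0, 1, 2, 3, 4},
         hours=range(9, 18), comment="RDP in business hours"),
    # L7: drop HTTP requests carrying a path-traversal signature, then allow the rest.
    Rule("deny", proto="tcp", dport=80, pattern=b"/etc/passwd", log=True, comment="traversal attempt"),
    Rule("allow", proto="tcp", dport=80, comment="http"),
    Rule("allow", proto="icmp", comment="diagnostics"),
]
```

Rule order carries the policy: the anti-spoofing deny must precede the RDP allow, otherwise a packet forged with an internal source on the external interface would be accepted by the broader rule, and a time window on an allow rule silently turns into a deny outside the window because of the default.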

Secret Net Studio also implements a mechanism for protecting network interaction between authorized subscribers. It is based on the open IPsec family of protocols and secures the data exchange.
Subscriber authorization is based on the Kerberos protocol, which is resistant to password interception and man-in-the-middle attacks. The mechanism verifies not only the access subjects but also the protected objects, which prevents unauthorized substitution (imitation) of the protected information system for the purpose of carrying out certain types of attack.

Intrusion detection and prevention

The intrusion detection and prevention mechanism is managed centrally in the management program, and its parameters can be set at different levels of the management object structure:
- at the level of the “Domain”, “Security Server” and “Organizational Unit” objects, the parameters of this mechanism are set through group policies. Values set at the “Security Server” level take priority over the same parameters set at the “Computer” object level;
- at the level of “Computer” objects, you can configure the mechanism for an individual computer and control its operation on that computer.

Antivirus

The Secret Net Studio antivirus checks file objects for malware using a signature database and heuristic analysis. A computer scan covers hard drives, network folders, external storage devices and so on. This allows external and internal attacks directed at the protected computer to be detected and blocked.
One of the following antivirus options can be used:
- Antivirus;
- Antivirus (ESET technology);
- Antivirus (Kaspersky technology).
The antivirus option in use is determined by the Secret Net Studio license.

Event registration

While Secret Net Studio is running, security-related events on the computer are recorded in the Secret Net Studio log. All entries are stored in a file on the system disk. The data format is identical to the Windows Security Log format.
The list of logged events and the log storage parameters are configurable, which lets you keep the stored information at a reasonable volume while balancing log size against system load.

Conclusions

Secret Net Studio is a well-balanced set of security mechanisms that protect information from both external and internal threats. A single control center makes administering all of them easy. Because the protective mechanisms are designed to work together, the conflicts that arise between products from different vendors, and the resulting disruption of the protected system, are avoided.

Price

Secret Net Studio is a cost-effective solution. The price depends on the number of licenses purchased and the license term.
Right to use the “Maximum Protection” kit for 1 year:
1–50 devices: ~$82 per unit;
51–250 devices: ~$76 per unit;
251–500 devices: ~$67 per unit;
501 and more devices: ~$52 per unit.

Right to use the “Maximum Protection” kit for 3 years:
1–50 devices: ~$210 per unit;
51–250 devices: ~$189 per unit;
251–500 devices: ~$168 per unit;
501 and more devices: ~$147 per unit.
