I want to share my experience of finding a solution for centralized access to security tokens (electronic protection keys) in one specific organization. I am talking about the keys and tokens needed to access stock trading websites and banking wallets, software protection (licensing) dongles, and so on.
The organization has several branch offices that are geographically very distant from each other, each office holds a number of security tokens, and the same tokens are often needed in several places at once. After the fuss caused by a lost key, management set the task: solve this problem, gather all USB keys in one place, and ensure smooth work with them regardless of where the employee who needs a key is located.
So, we needed to collect all the tokens and other keys in one of the offices for subsequent use on remote physical and virtual machines. The number of USB devices was 60 and growing. The virtualization servers are located outside the office, in a data center.
We studied the existing solutions for centralized access to USB devices and decided to focus on USB over IP technology. It turns out that many organizations use this type of solution. There are various USB over IP hardware and software products on the market.
The most popular USB over IP hardware solutions are devices manufactured in the USA and Germany. For a detailed study, we purchased a large rack-mount USB over IP device with 14 USB ports and the German USB over IP device with 20 USB ports. Unfortunately, neither manufacturer offered a model with more ports.
The first device is very expensive and interesting (there are many reviews on the Internet), but it also has a very big drawback: it has no authorization for connecting USB devices. Anyone who installs the USB connection client gets access to all keys.
The second USB over IP device seemed more suitable to us. It has a large set of network-related settings. Its interface is logically partitioned, so the initial setup was fairly simple and fast. Although there were some temporary problems connecting a number of keys, we decided to buy the German one.
Information Security of USB over IP Hardware Solutions
People working in infosec will reasonably be concerned about the security problems associated with USB over IP hardware solutions: the hub turns a device that used to require physical possession into a network service.
Let’s define the initial conditions:
– A large number of security tokens.
– These tokens should be accessible from various geographic locations.
– We consider here only hardware USB over IP solutions and try to secure this design with additional organizational and technical measures.
– Within the framework of this article, I will not cover every threat model; I focus on the most common one, namely unauthorized access to USB devices from any network by someone without proper credentials.
To ensure the security of access to USB devices, the following organizational and technical measures have been taken:
1. Organizational security measures.
The managed USB over IP hub is installed in a high-quality, key-lockable server cabinet. Physical access to it is protected by a physical access control system (PACS) and video surveillance. A strictly limited group of people has access rights.
All USB devices used in the organization are divided into 3 groups:
– Critical. Financial tokens, used in accordance with the banks' recommendations, i.e. plugged directly into the workstation and never exposed via USB over IP.
– Important. Tokens for working with trading platforms, software, reporting, etc. A small number of tokens, connected through the managed USB over IP hub.
– Not critical. A number of software tokens, cameras, a number of flash drives and disks with non-critical information, USB modems. These are also connected through the managed USB over IP hub.
2. Technical security measures.
Network access to the managed USB over IP hub is possible only from inside an isolated subnet. Access to that isolated subnet is provided:
– From the terminal server farm.
– Via VPN (certificate plus password) for a limited number of devices. These devices receive fixed VPN IP addresses, which is what makes the address-based restrictions below meaningful. More about it on Cooltechzone.
– Via VPN tunnels connecting regional offices.
The USB over IP hub has the following functions configured:
– Traffic between clients and the hub is encrypted; the hub's SSL (TLS) option was enabled for this. Make sure the client verifies the hub's certificate; otherwise the encryption does not stop an attacker positioned on the path.
– IP/MAC address restriction is enabled. A user is granted access to designated USB devices only from a registered IP and MAC address pair. Note that MAC addresses are trivially spoofed by anyone on the same segment, so this control only carries weight because the subnet itself is isolated and the VPN addresses are fixed.
– Access to a USB port requires a personal login and password assigned to each user. Access to the individual USB device on that port does not require a separate login, because every token is permanently connected to the hub and is never moved from one port to another, so the port credential effectively is the device credential.
– USB ports are physically switched on and off as follows:
  – Tokens needed for special software: the task scheduler turns the ports on at 9:00 and off at 18:00.
  – Tokens needed for trading platforms: only a few authorized users may turn these ports on and off, through the web interface.
  – Cameras and a number of flash drives and disks with non-critical information: always turned on.
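The measures above form one layered decision: the source must be inside the isolated subnet, the IP/MAC pair must be bound to the port, the port credential must check out, and the port must actually be switched on (by schedule, by an authorized user, or permanently). The following is an added example that models that decision chain in Python so it can be reasoned about and tested; it is not the hub's firmware or any vendor API, and every address, MAC, user name, password and port name in it is constructed for illustration.

```python
# Added example: reference model of the layered access policy described above.
# Not the hub's firmware or a vendor API; all addresses, MACs, users and ports are assumed.
import hashlib
import hmac
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Assumed addressing of the isolated subnet and the sources allowed into it.
ALLOWED_SOURCE_NETS = (
    ip_network("10.50.0.0/24"),  # terminal server farm
    ip_network("10.60.0.0/16"),  # regional offices via site-to-site VPN
    ip_network("10.70.0.0/28"),  # VPN clients with fixed addresses
)


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed per-port credential store: port -> {user: (salt, hash)}.
_SALT = b"constructed-salt"
PORT_USERS = {
    "trading-1": {"alice": (_SALT, _pw_hash("correct horse", _SALT))},
    "reporting-3": {"bob": (_SALT, _pw_hash("battery staple", _SALT))},
    "camera-7": {},  # always-on port, no per-port login
}


@dataclass(frozen=True)
class PortRule:
    name: str
    mode: str                                   # "scheduled", "manual" or "always_on"
    bindings: frozenset                         # allowed (ip, mac) pairs for this port
    window: tuple = (time(9, 0), time(18, 0))   # daily enable window for "scheduled"
    switchers: frozenset = frozenset()          # users allowed to toggle a "manual" port


def norm_mac(mac: str) -> str:
    """Normalize '00-11-22-33-44-55' / '00:11:22:33:44:55' to one lowercase form."""
    return mac.replace("-", ":").lower()


def check_credentials(port: str, user: str, password: str) -> bool:
    entry = PORT_USERS.get(port, {}).get(user)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_pw_hash(password, salt), expected)


def decide(rule: PortRule, src_ip: str, src_mac: str, user: str, password: str,
           now: time, manual_state: dict) -> str:
    """Return 'allow' or 'deny: <reason>' for one attach request, first failing check wins."""
    ip = ip_address(src_ip)
    if not any(ip in net for net in ALLOWED_SOURCE_NETS):
        return "deny: source outside the isolated subnet"
    if (str(ip), norm_mac(src_mac)) not in rule.bindings:
        return "deny: ip/mac pair not bound to this port"
    if rule.mode != "always_on" and not check_credentials(rule.name, user, password):
        return "deny: bad port credentials"
    if rule.mode == "scheduled":
        start, end = rule.window
        if not (start <= now < end):
            return "deny: outside the scheduled window"
    elif rule.mode == "manual" and not manual_state.get(rule.name, False):
        return "deny: port switched off"
    return "allow"


def toggle_port(rule: PortRule, user: str, enable: bool, manual_state: dict) -> bool:
    """Only listed users may switch a 'manual' port; other modes are not toggled by hand."""
    if rule.mode != "manual" or user not in rule.switchers:
        return False
    manual_state[rule.name] = enable
    return True


# Constructed port rules for the three switching modes.
TRADING = PortRule("trading-1", "manual",
                   frozenset({("10.50.0.10", "00:11:22:33:44:55")}),
                   switchers=frozenset({"alice"}))
REPORTING = PortRule("reporting-3", "scheduled",
                     frozenset({("10.70.0.2", "aa:bb:cc:dd:ee:ff")}))
CAMERA = PortRule("camera-7", "always_on",
                  frozenset({("10.60.1.5", "de:ad:be:ef:00:01")}))


def demo() -> list:
    """Run constructed attach requests through the policy and return the decisions."""
    state = {}
    out = [
        decide(REPORTING, "10.70.0.2", "AA-BB-CC-DD-EE-FF", "bob", "battery staple", time(10, 0), state),
        decide(REPORTING, "10.70.0.2", "AA-BB-CC-DD-EE-FF", "bob", "battery staple", time(19, 0), state),
        decide(TRADING, "10.50.0.10", "00:11:22:33:44:55", "alice", "correct horse", time(10, 0), state),
    ]
    toggle_port(TRADING, "alice", True, state)
    out.append(decide(TRADING, "10.50.0.10", "00:11:22:33:44:55", "alice", "correct horse", time(10, 0), state))
    out.append(decide(TRADING, "192.168.1.9", "00:11:22:33:44:55", "alice", "correct horse", time(10, 0), state))
    out.append(decide(CAMERA, "10.60.1.5", "de:ad:be:ef:00:01", "", "", time(3, 0), state))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order of the checks matters: the subnet test comes first so that a request from outside the isolated network is rejected before the hub ever consults its credential store, and the IP/MAC binding is checked before the password so a stolen password alone is not enough from an unregistered machine.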
I believe that this model of organizing access to USB devices allows them to be used safely from regional branch offices, for a limited number of devices and users that reach the USB devices over the wide area network.
David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking.