RU2276466C1 - Method for creating protected virtual networks - Google Patents

Abstract

FIELD: computer science, possible use for constructing multiple protected virtual networks.

SUBSTANCE: source IP packet of protected virtual network is encoded, network consisting of separately standing computers or portion of computers from local area network or computers of several local networks, output packet is formed including encoded packet (encapsulation), while at each computer, which can be utilized in several protected virtual networks, for each created protected virtual network separate long-term memory block is assigned, wherein separate operation system is recorded, adjusted for current virtual network, and access to long-term memory block and loading of operation system of each protected virtual network is performed after checking user rights, while access to memory blocks of each protected virtual network from other virtual networks is blocked by means of limiting access.

EFFECT: expanded functional capabilities.

2 cl, 11 dwg

Description

The invention relates to the field of computer technology and can be used to build multiple networks for various purposes based on the same fleet of computers. Its use will allow to obtain a technical result in the form of creating many virtual networks that use the same computers: on the same computer fleet - many simultaneously functioning virtual networks.

There is a method of organizing secure virtual networks, described in detail in the book "Information Security in Corporate Networks and Systems", authors Sokolov AV, Shangin V.F., M .: DMK Press, 2002, chapters 11, 12.

Protection is carried out using a software module (software) that performs the following actions:

- Encryption of the source IP-package using a separately connected software module or hardware encoder (in the form of a board or external device). Encryption can be performed using various encryption algorithms using symmetric or asymmetric keys.

- Creation of a new package with the inclusion of an encrypted package (encapsulation) in accordance with the well-known IpSec, SKIP or proprietary protocol.

This module with encryptors can be installed on a separate computer, on a computer on the network, on a crypto router, on a firewall. Therefore, a virtual network can be built on the basis of:

- freestanding protected computers;

- parts of computers on the same local network;

- computers of several local area networks with secure routers or firewalls;

- combinations of the above methods.

A known implementation of the above method in ViPNet technology (see Ignatov V.V. Universal environment for network protection of information and resources for the safe functioning of corporate networks on any telecommunications. Analytical and informational magazine "Documentary Telecommunications", No. 12, February 2004, p .24-26). This technology is also based on the use of software modules that implement the above steps. The so-called ViPNet module can be installed on every workstation or on a server (coordinator). When installed on a workstation, the module protects one PC, when installed on the coordinator, the entire local network or its segment is protected. In the module installed on the coordinator, routing functions can be performed. With this approach, a virtual secure network can exist inside the local one; a separate computer, many local networks and computers can be included in the virtual network. The ViPNet module encrypts source packets and converts them (encapsulation and other actions). Encryption is carried out programmatically using various encryption algorithms using symmetric and asymmetric keys.

The use of identifiers of the source and recipient of messages in the form of labels is proposed in the article by Nikolaev Nikolaev EV "Private Networks for Corporate Business", published in the analytical and information journal "Documentary Telecommunications", No. 12, February 2004, p.12-13. It describes multi-protocol label switching technology. Thanks to the special labels that are assigned to each package, the schedule management capabilities increase. In addition to the address, the label can be associated with a path, virtual network, priority of service, etc.

There is a method of creating a virtual secure network, presented in patent RU 2182355, adopted as a prototype. To limit access to the transmitted information and hide addresses, traffic encryption of the local computer network, which is part of the virtual corporate network, is used at the third level of the OSI model. IP packets are encrypted along with their addresses. Encryption is performed on a device isolated from the public network. Also in the method identifiers of the source and recipient of messages in the form of labels are determined. Labels define a fixed-length header that identifies many packets transmitted along the same path or in accordance with some class of service. Many packets sent according to certain specified criteria are called a route equivalence class. Routers use the principle of label switching. They establish the label binding to the route equivalence class, and then using the standard protocol distribute label binding information to all routers for which they will use this label when sending packets. In this case, the virtual secure network is built on the basis of secure routers. The router in this version will have at least two network interfaces (one for communication with a PC on the internal LAN, the other for communication with a router connecting to the Internet), an encryption device, and memory for tags.

You can highlight the main features of this method:

- software protection components are installed on routers;

- conversion of IP packets includes encryption of the source packet along with addresses, encapsulation of the encrypted packet in a new IP packet, adding labels to the output packets;

- packet conversion is carried out in accordance with its own format described in the patent.

The disadvantages of the above method include the fact that all the computers on the local network are in the virtual network. Also, there is no possibility of remote connection to the virtual network of one computer without an additional router.

In all of the above methods, virtual networks work on the principle that each computer can be in only one virtual network. Therefore, based on physical local area networks, you can build one virtual protected network or several, provided that they include different computers. With this approach, the workstation cannot be used in different virtual networks. Also, the considered networks do not limit the possibility of access to the workplace (personal computer of a virtual network) of unauthorized persons. The latter can gain access to information stored on a hard disk or circulating in a virtual network by intercepting keys or the information itself as a result of modifying the software in the workplace.

To access the network, the proposed methods offer an open network interface that does not encrypt information. Packet processing is carried out in the PC RAM. Therefore, the above methods of creating virtual networks do not provide the fulfillment of the requirements for working with information having a high security classification.

The aim of the invention is the ability to create on the basis of the same local corporate networks and public networks many virtual secure networks. At the same time, access to these networks can be carried out by one or several employees with different powers from the same workplace. Implementation of the proposed method provides information protection even in the event of a computer theft.

The network is built from computers that have one (or several) outputs to the local network. For each protected virtual network that is created in a computer that can be used simultaneously in several protected virtual networks, a separate block of long-term memory is allocated to which a separate OS is written, while access to the block of long-term memory and OS loading of each of the protected virtual networks is performed after presentation by the user authority, that is, identifying and key information, and authentication, and access to the memory blocks of each protected virtual network with side of other virtual networks is blocked.

Access to the long-term memory blocks of each protected virtual network from other virtual networks is blocked by creating a separate encryption key for each block so that when information is written to the block, it is encrypted, and when read, it is decrypted.

The proposed method has novelty, practical significance and is an invention that can be used to build many secure virtual networks for various purposes. Its use allows you to obtain a technical result in the form of many simultaneously functioning virtual secure networks that use the same computers and circulate information of various levels of confidentiality and secrecy.

Distinctive features of the proposed method are as follows.

Firstly, when it boots, the computer receives its address and network settings from the bootable OS and thus gets access to one virtual network. When you reboot into another OS, the computer receives other settings and ends up in another virtual network. Thus, the same computer can be used to work in different virtual networks, moving from one virtual network to another by rebooting.

Secondly, the OS is isolated from each other, that is, each OS has its own space in long-term memory (on the hard disk or other devices) for its files and data. Separation of access to various parts of the disk is carried out either by hardware or by software installed in this instance of the OS. The encryption of data transmitted over the network between different computers is also carried out either by hardware or by software installed in this instance of the OS.

Thirdly, each computer user is granted access rights to one or several OS. When loading the OS, strict user authentication is required. Thus, having access to a specific OS, the user gets access to one of the virtual networks. Differentiation of user access rights to various operating systems is implemented in software or is provided by the use of hardware. This distinction protects access to information of various secure virtual networks.

Suppose there are several local networks, which include 30 computers. Currently, secure virtual networks are built in such a way that the computer is on the same network. In principle, if there are two interfaces, it can be in two virtual networks, but then it is difficult to share access to the information of these two networks. That is, in these two networks the information stamp should not differ significantly. Additionally, network cards and other communication equipment will also be required.

In the proposed method, it is possible to install on each computer, for example, three OSs, and then we can use and see not 30, but 90 computers in virtual networks, that is, three times increase the park for building virtual networks without additional communication equipment.

For example, by installing several OSs on a laptop, a user can log in to different virtual networks from different workstations in different offices and cities from his laptop computer. At home, when installing three OSs, the same computer can be used to access the Internet (one OS), for children’s games (another OS), for serious adult work (third OS).

Graphic Images

The figure 1 presents the block structure of a personal computer (PC) with the allocation of blocks necessary to perform the actions described in the method, where:

1 - Block initial boot;

2 - Device or system for restricting / restricting access;

3 - system board;

4 - Encryption program for logical drives as part of a loaded OS;

5 - Hardware encoder (for example, made in the form of a board);

6 - Drivers for network devices of a virtual network (VPN drivers) as part of a loaded OS;

7 - Built-in network interface in the system board;

8 - Device for restricting / restricting access to partitions of one or more hard drives;

9 - One or more network interfaces separate from the system board;

10 - One or more cryptographic network interfaces separate from the system board;

11 - One or more hard drives.

The figure 2 shows two configuration options for a virtual computer (VK) for working in a virtual network with open information. In this case, the operating system OS1 is used (see Fig. 1), block 7 of network adapters built into the motherboard or made as separate devices (block 9).

In figures 3 and 4 shows two configuration options VK for working in a virtual network with confidential information. In contrast to the VK configuration of FIG. 2, in FIG. 3, block 1 performs software authentication, block 4 — software restricts memory access by encryption, and block 6 — software encryption of packets. Figure 4 proposes authentication and verification of authority to conduct hardware block 2.

In figures 5 and 6 shows the configuration options VK for working in a network with classified information. In both cases, it is proposed that authentication and authorization check be performed in hardware by unit 2, packet encryption is performed in hardware by unit 5 (see Fig. 5) or 10 (see Fig. 6). 6, the encryption of memory blocks is carried out programmatically.

The figure 7 presents the configuration of the VC to work on the network with top secret information. In contrast to the previous options, it is proposed to block access to the memory blocks in hardware by block 8 with information encryption.

The figure 8 presents a variant of a corporate network consisting of four local area networks (LAN), interconnected via an open network (Internet). LAN1 consists of unprotected personal computers (PCs) and protected personal computers (PCZs) and enters the corporate network through an unprotected router (M). LAN2 consists only of secure computers. LAN3, on the contrary, consists of unprotected PCs and enters an open network through secure routers (MHs). There are also two separate secure personal computers (OPKZ).

The figure 9 shows the block structure of a computer to work in three virtual networks: one open and two protected.

Figure 10 shows the block structure of a computer for working in two virtual networks - open and secure.

The figure 11 shows the block structure of a computer for working with open, secret and top-secret information in three virtual networks.

Consider in more detail the proposed method of action.

On each computer, for each secure virtual network, blocks of long-term memory (hard disks, hard disk partitions, compact disks, flash memory, floppy disks, etc.) are allocated block 11 (see Fig. 1). In these blocks, operating systems are installed, one for each virtual network. That is, the number of OSs corresponds to the number of virtual networks to which the computer has access.

At boot, the computer receives its address and network settings from the bootable OS and thus gets access to one virtual network. When you reboot into another OS, the computer receives other settings and ends up in another virtual network. Thus, the same computer can be used to work in different virtual networks, moving from one virtual network to another by rebooting.

To exclude modification of unloaded OS during the operation of one of them, block 8 (see Fig. 1) of access restriction (blocking) is used. Access restriction is provided:

- programmatically (access control system used as part of a loaded OS);

- in hardware, by blocking access to the memory blocks of various OSs in accordance with the authority presented by each user;

- using hardware (block 8) or software (block 4) transparent encryption of information (when writing, the information is encrypted, and when reading, it is decrypted on encryption keys downloaded from access restriction block 2 (see Fig. 1) or directly in blocks 8 and four).

Block 4 is used to transparently encrypt information when writing to logical disks (we will call transparently encrypted logical disk files the virtual disks). It is included as a driver in a loaded OS. Block 4 encrypts the information independently programmatically or uses hardware encryption by block 5.

To perform user authentication and verification of his credentials, blocks 1 or 2 are used (see Fig. 1). Block 1 is a program written in the computer BIOS, which asks for user privileges and, if the authentication result is positive, decrypts the OS control information for it and loads this OS. Block 2 hardware performs the following actions:

- Conducts strict cryptographic user authentication.

- Carries out access control to information. Each user has his own set of authority, which is stored in encrypted form inside block 2 (see figure 1) and transmitted to block 8 or 4.

- Conducts a integrity check of the bootable OS. If the integrity is broken, the OS does not boot. This fact is noted in the security administrator’s log.

- Download encryption keys in blocks 5, 8 and 10.

Packet conversion is performed by block 6, which performs the following actions:

- Encryption of the source IP-package programmatically (independently or using a separately connected software module) or hardware using block 5 (see figure 1.) Encryption can be performed using various encryption algorithms using symmetric or asymmetric keys.

- Creation of a new package (encapsulation) with the inclusion of an encrypted package in accordance with the known IPSec, SKIP or proprietary protocol.

Instead of blocks 5 and 6, or in conjunction with block 6, a cryptographic network interface unit 10 can be used that performs either both of the above actions or only the first (then block 6 performs the second action).

Consider the various PC configuration options used when working in a secure virtual network with a certain category of information, built on the basis of the PC block structure shown in figure 1. We call these PC configurations a virtual computer (VK). In the particular case, each configuration can be the only one on the computer, and then the computer will work only in one virtual or open network. Two VC configurations for an open enterprise network with Internet access are shown in FIG. 2. A virtual secure network with confidential information can be built on the basis of the VC configuration of FIGS. 3, 4. To work in a secure virtual network with secret information, VC implementation options are shown, shown in FIGS. 5, 6. And, finally, for working with top secret information It is proposed to build a virtual network based on the VC presented in Fig.7.

The proposed structures are advisory in nature. The user has the right to collect his VK configuration on the basis of the proposed tools (see figure 1).

Consider the options for the network shown in Fig.8. There are three LANs with confidential information:

- LAN1 - company administration network. Personal computer PKZ1 belongs to the head of the enterprise. He works on it on the open Internet, in a secure virtual network of accounting ZLVSZ (PKZ1, PKZ2 from LAN1 and the entire LAN3 network), in a virtual secure network of developers ZLVS2 (PKZ1, PKZ2 from LAN1 and PKZ LAN2).

- LAN2 - a network of developers in which a secure virtual network and an open virtual network function. Developers communicate with each other through a virtual secure network, access the Internet through an open network. Developers have Internet access from their PC.

- LAN3 - accounting network. Access to the Internet from this network is prohibited.

To operate in three virtual networks, three OSs are installed on PKZ1 and PKZ2 (see Fig. 9). The first OS is used to access the Internet, exchange mail. The second OS is configured for access to the network of developers, and the third - for access to the accounting network. To switch from one virtual network to another, just restart the computer.

SCZ developers can be equipped with weaker means of protection, as shown in Fig.10. They have two OS installed.

To work with open, secret and top-secret information, the configuration depicted in Fig. 11 is recommended for use.

Three OSs are installed on separate hard drives or on one with encrypted partitions. The first OS (OS1) works with its partitions and is configured to use the open interface 9. The second and third OS (OS2 and OS3) work through the cryptographic interface 10. At the same time, the open interface 9 is blocked by device 2 and does not work when OS2 and OS3 work.

The examples considered show various possibilities for the practical implementation of the proposed method for building secure virtual networks, where you can access different virtual networks from the same computer. For example, the head of the company having one PCZ1 computer (see Fig. 8) on his desk can work from him on the Internet and go into two secure virtual networks: the accounting network and the developer network. At the same time, developers will not be able to enter the accounting network, but they can go online. When using the Internet, OS1 is used and access to the OS2 memory is blocked (Fig. 10). This prevents access to the information of the virtual network of developers from the Internet. The secure virtual network of developers uses graph encryption keys that are different from the accounting network. The information in each virtual network is encrypted on its keys during transmission, so its interception from the Internet or another network operating on the same equipment becomes meaningless.

Claims (2)

1. A method of creating secure virtual networks, including encrypting the original IP packet of a secure virtual network, consisting of stand-alone computers, or part of computers on the same local network, or computers on multiple local networks with firewalls and / or secure routers, using computers software modules for encryption and encapsulation or hardware encryptors, creating an output package with the inclusion of an encrypted package (encapsulation) in accordance with the IpSec, SKIP or a proprietary protocol with the inclusion of the identifiers of the source and recipient of messages, characterized in that on each computer that can be used simultaneously in several protected virtual networks, a separate block of long-term memory is allocated for each created protected virtual network, into which a separate operating system is configured, configured on this virtual network, while the transition from one virtual network to another is done by rebooting the computer, and access to the unit in long-term memory, the loading of the operating system of each secured virtual network is performed after the user has presented the credentials, i.e. identifying and key information, and authentication has been performed, and access to the memory blocks of each secured virtual network from other virtual networks is blocked by an access restriction means. 2. The method according to claim 1, characterized in that the additional blocking of access to the long-term memory blocks of each protected virtual network from other virtual networks is achieved by creating a separate encryption key for each block so that when information is written to the block, it is transparently encrypted, and when reading - stands for.

Images