
CCTV. Procedure for training in CryptoPro technologies

The course examines the theoretical, practical and legal foundations of using cryptographic information protection facilities (CIPF). Particular attention is paid to the legal issues of using CIPF in corporate information systems.

Students gain practical skills in working with the MS Windows certificate stores, setting up the user's working environment for work in a corporate network, and deploying, configuring and using the CryptoPro IPsec product produced by CRYPTO-PRO LLC.

Classes are conducted using virtual machine technology on specially configured stands.

After completing the course, the student will:

Know:

  • legal and organizational basis for the use of CIPF;
  • theoretical foundations for constructing CIPF;
  • purpose, procedure for installing, configuring and using CIPF “CryptoPro IPsec”.

Be able to:

  • install and configure CIPF;
  • use CIPF “CryptoPro IPsec” to organize secure information exchange in the corporate information system.

Successful completion of this course will allow specialists to:

  • effectively solve problems of protecting information when transmitting it over communication channels.

Purpose of the course

Developing skills in using the CryptoPro IPsec software to protect restricted-access information when transmitting it over communication channels.

The target audience

  • managers and specialists of structural divisions of organizations using (or planning to use) CIPF in corporate information systems.

Necessary preparation

1. Introduction to the subject of cryptographic information protection.

  • Symmetric encryption algorithms.
  • Asymmetric encryption algorithms.
  • Hash algorithms.
  • Algorithms for creating and verifying a digital signature.

2. The concept of public key infrastructure (PKI).

  • Basic concepts and definitions.
  • PKI architecture.
  • The concept of a public key certificate.
  • X.509 standard.

3. Legal regulation of the use of CIPF in corporate information systems.

  • The role and place of electronic signatures and other cryptographic security technologies in management systems, document flow and e-commerce.
  • Laws of the Russian Federation, Decrees of the Government of the Russian Federation regulating the use of CIPF.
  • Regulatory and methodological documents (NMD) of the FSB of Russia regulating the use of cryptographic information protection.

4. Practical implementation of CIPF on the MS Windows OS platform.

  • Architecture of the cryptographic system of MS Windows OS.
  • Embedding additional CIPF into MS Windows OS.
  • Storing information about the keys used by cryptographic algorithms and other information in MS Windows.
  • Use of cryptographic methods of information protection in SSL/TLS and e-mail transport-layer security protocols.
  • Configuring applications to use cryptographic methods to protect information.
  • Practical work: Working with local certificate storage in MS Windows XP.
  • Practical work: Configuring applications to use CIPF in MS Windows XP.

5. CIPF “CryptoPro IPsec”: installation, configuration, use.

  • General information about the CryptoPro IPsec CIPF.
  • Installation of CIPF "CryptoPro IPsec".
  • Configuring CIPF "CryptoPro IPsec".
  • Using CIPF "CryptoPro IPsec" to protect information transmitted in communication channels.
  • Practical work: Protecting information during transmission over communication channels using CryptoPro IPsec.

Received document

Certificate about advanced training, or Certificate.

Good afternoon %username%! Everyone knows that Federal Law of the Russian Federation No. 152 dictates that we must use certified means to protect personal data. The task was to secure the channel for remote-connection clients in accordance with Federal Law 152. For this, a VPN server with CryptoPro IPsec and GOST certificates was used.

Instructions inside.

Before setting up services and connections on the server and client machines, you must install CryptoPro CSP and CryptoPro IPSec on them!

Setting up a VPN server on Windows Server 2012 R2

Open the Server Manager snap-in and, in the Add Roles Wizard, select the role-based installation type: Role-based or feature-based installation.

At the role selection step, select the Remote Access role.

We skip the Features step without making any changes. At the step of selecting services for the role to be included, select the DirectAccess and VPN (RAS) service.

After selecting a service, a window will open for adding additional components related to the selected service. We agree to their installation by clicking Add Features.

The Web Server Role (IIS) will be added to the Add Roles Wizard. We skip the corresponding Web Server Role (IIS) step and its dependent Role Services with the default settings offered and start the installation. Afterwards a link to the initial setup wizard for the Remote Access services becomes available: Open the Getting Started Wizard.

The RAS Configuration Wizard can be launched by clicking on the appropriate link here, or later from the Server Manager snap-in:

Since setting up DirectAccess in the context of our task is not needed, in the wizard window we select the VPN only option – Deploy VPN only.

Setting up the Routing and Remote Access service

From the Control Panel, open the Administrative Tools\Routing and Remote Access snap-in, select the server name and open its context menu. Select the item Configure and Enable Routing and Remote Access.

Since we only need a VPN, we choose accordingly.

Choose VPN.

Set up the address range for clients.

Let us indicate that we do not use a RADIUS server.

We agree to start the service. After launch, you need to configure user authentication methods.

Issuing GOST certificates for the VPN in CryptoPro CA 2.0

For IPSec to work for us, we need:

  • the CA root certificate
  • a server certificate
  • a client certificate

So let's create two templates in the CA Manager: IPSec client and IPSec server.

To configure the IPSec client template, add the Client Authentication (1.3.6.1.5.5.7.3.2) and IP security IKE intermediate (1.3.6.1.5.5.8.2.2) extended key usage values.

The IPSec server template is the same but with the Server Authentication parameter (1.3.6.1.5.5.7.3.1).

After that, we create users in the CA Management Console to request and generate a certificate.

Let's select a storage location (container) for the private key.

After nervously twitching the mouse (this feeds the random number generator), we set a password for the container.

Now we need to export the certificate into the private key container.

After copying the certificate, you need to copy the entire container into a file for transfer to the remote client's workstation. We export it using CryptoPro CSP in pfx format.

Using the same procedure, we create a certificate for the server, only with the other template, and install the certificates using the CryptoPro CSP Certificates snap-in. Don't forget the root certificate, which must be in Trusted Root Certification Authorities.

Setting up an IP security policy on the server

On the Authentication Methods tab, add the root certificate.

Using the same procedure, we configure the IP security policy on each remote workstation.

Correct installation of the certificate, the functionality of IPSec and error logging can be checked with the CryptoPro IPSec utility cp_ipsec_info.exe. After clicking the Refresh list menu item, you will see the list of installed certificates. A tick next to an installed certificate confirms that everything is fine with it.

Setting up the VPN connection to the server

The connection is configured as standard but with minor changes.

I think I’ve told you all the nuances, if you have any comments or suggestions, I’ll be happy to hear them!

"Trinity" is a full-cycle system integrator: construction of IT infrastructure, disaster-proof solutions, virtualization systems, and production of servers and storage systems.

Do you need to buy a ready-made server with suitable parameters but don't know which one to choose? Are you confused by the variety of server platforms on the market today? Trinity specialists offer a wide selection of modern servers and server platforms at affordable prices. We do not just sell equipment; it is in our interest to choose the best option for the client, taking into account all requirements and wishes.

Main areas of work:

  • Designing server rooms and building disaster-proof solutions.
  • Information Security.
  • Virtualization of servers, data storage systems, workstations.
  • IT solutions for television, automation of broadcasting and production, archival storage of media data, IPTV systems.
  • Implementation of projects for the construction of data processing centers from the development of technical specifications to turnkey implementation.
  • High-performance clusters for parallel computing.
  • Corporate servers and data storage systems.
  • Infrastructure for business applications (SAP, Microsoft, Oracle, etc.).

Servers and server platforms

In order to buy a server or server platform that will work smoothly and for a long time for the benefit of your enterprise, you need to be confident in the reliability of the purchased device. And this is where the services provided by Trinity can significantly facilitate your choice.

The Trinity company sells high-performance data storage systems and network equipment at affordable prices. From us you can buy a server platform or a server, new or refurbished, from world-famous manufacturers of server equipment, having first studied the required capacity and characteristics. Our company also employs qualified specialists who will be happy to help you choose the appropriate model and select the optimal server configuration, taking into account all requirements and wishes. Just contact us at the number provided and we will answer all your questions.

(Internet Protocol Security), which provides secure data transmission over IP networks.

The purpose of the testing was to confirm that integrating the CryptoPro IPsec security package with the Microsoft ISA Server 2006 firewall satisfies the requirements of Order No. 58 of the Federal Service for Technical and Export Control dated February 5, 2010, "On approval of the Regulations on methods and means of protecting information in personal data information systems", in terms of protecting personal data transmitted over communication channels and firewalling, and can be used to build personal data information systems (ISPD) of classes 2 and 3.

Testing was carried out on platforms: Windows XP SP3; Windows 7 (32-bit and 64-bit); Windows Server 2003 (32-bit) and Windows Server 2008 R2.

The results showed that the technical procedures comply with the law. Thus, the CryptoPro IPsec package can be used together with the ISA Server 2006 Standard Edition firewall (which has FSTEC certificate No. 1386 of May 15, 2007 for compliance with the requirements for class 4 and class 3 firewalls) when building personal data information systems (PDIS).

The CryptoPro IPsec package was developed according to technical specifications agreed with the FSB of Russia. The software product implements the GOST 28147-89, GOST R 34.10-2001 and GOST R 34.11-94 algorithms and uses a certified cryptographic information protection tool. With CryptoPro IPsec you can ensure confidentiality, integrity and authenticity of data and protect it from interception and packet substitution when transmitted over public networks in tunnel or transport mode. Tunnel mode provides secure remote client access to corporate information systems via a public network (Internet), and transport mode protects connections in client-server, server-server and client-client modes (KC1, KC2, KC3).

"CryptoPro IPsec" provides the following types of secure connections:

  • gateway-to-gateway connections via a wide area network (WAN);
  • connections via the Internet using L2TP/IPsec tunnels;
  • connecting clients to corporate information systems via the Internet using IPsec tunnel mode;
  • local network (LAN) connections in transport and tunnel modes.

The CRYPTO-PRO company provides the CryptoPro IPsec product to all registered owners of the CryptoPro CSP version 3.6 CIPF at no additional charge.

Information about CRYPTO-PRO

The CRYPTO-PRO company was founded in 2000 and currently occupies a leading position in the distribution of cryptographic information protection and electronic digital signature tools.

The main activity of the company is the development of cryptographic information security tools and the development of Public Key Infrastructure based on the use of international recommendations and Russian cryptographic algorithms.

The company's activities and products were awarded the National Industry Award "For Strengthening the Security of Russia":

  • market selection (diploma);
  • for the company's outstanding contribution to the formation of the Russian market of cryptographic tools (laureate's diploma);
  • CryptoPro CSP and CryptoPro PKI (gold medals).

The company's products are distributed by more than 400 legal entities based on dealer agreements.

The company has issued more than 3,000,000 licenses for the CryptoPro CSP CIPF and over 700 licenses for the CryptoPro CA certification center, which are used by various government and commercial organizations in electronic document management, tax and financial reporting systems, budget execution systems, city procurement systems, etc.
