Hardware and software complex DST PUA "Center-T" is designed to ensure secure loading of software images through the network.
Starting terminal-station software this way makes it possible to control the integrity of that software and to administer promptly the rights assigned to users in these images, because the images are digitally signed and the signature is checked before an image is loaded onto the terminal station, using a hardware client device (PCDST SHIPKA).
Hardware and software complex "CENTER-T" is characterized by two main features:
- it is independent of the hardware, since it is fully implemented in PCDST SHIPKA (both the client and the server components reside on disks embedded in these devices and can run on any PC);
- it ensures controlled integrity and authenticity of the terminal station software images loaded through the network, using cryptographic methods implemented entirely in hardware.
The complex includes a dedicated automated workstation for building terminal station software images for different users with different sets of capabilities. This makes it possible to respond quickly enough to changing situations (for example, when a user needs to work with the terminal server from another terminal station that has a different local printer and a monitor with different screen parameters) without lowering the level of information security.
The complex makes it possible to separate the administrative powers of an administrator and a data security administrator, which strengthens its protective properties.
Hardware and software complex DST PUA "Center-T" consists of three components:
- Automated workstation "Center" (AWS "Center");
- Storage and network loading server (SNLS);
- Client PCDST SHIPKAs for the terminal stations that are part of the terminal access system (user SHIPKA).
1. AWS "Center"
1) Hardware requirements. The software is loaded onto any designated PC from the SHIPKA of the AWS "Center" administrator (based on PCDST SHIPKA-2.0 KS2 and software); it runs in the main memory of the PC and does not remain on the PC after the SHIPKA of the AWS "Center" administrator is disconnected.
2) Functionality. Construction of terminal station (TS) software images, generation of the authentication code used to control their authenticity and integrity, management of the key pairs used to control the authenticity and integrity of terminal station software images, and initialization and update of the SHIPKAs of the storage and network loading server as well as of user SHIPKAs.
3) Security. After PCDST SHIPKA is disconnected, the PC on which the terminal station software images were built retains neither the "Center" software nor the built software images; everything is stored only in the SHIPKA of the AWS "Center" administrator. The integrity and authenticity of the images is controlled through authentication codes (AC).
4) Placement requirements. One AWS "Center" per terminal server farm is sufficient, but there can be more such workstations if the organization has a significant number of terminal clients and it is difficult for one administrator to build all the terminal station software images.
2. The server for storage and network loading of terminal stations software
1) Hardware requirements. The software is loaded onto any designated PC from the SHIPKA of the Server for storage and network loading (based on PCDST SHIPKA-2.0 KC2 and software); it runs in the main memory of the PC and does not remain on the PC after the SHIPKA of the Server for storage and network loading is disconnected.
2) Functionality. Creation of users, assignment of SHIPKAs to them, and mapping of terminal station software images to these user SHIPKAs.
3) Security. The Server for storage and network loading is loaded only from the SHIPKA of the Server for storage and network loading. The PC on which the Server for storage and network loading software runs retains neither the software nor the images loaded from the Server for storage and network loading. The Server for storage and network loading logs the work of users from the moment the terminal station is switched on to the moment a session with the terminal server is started, and from the moment the session ends to the moment the terminal station is switched off; it also logs all the actions of the administrator and of the data security administrator of the Server for storage and network loading.
4) Placement requirements. The Server for storage and network loading should be installed within the same protected perimeter as the terminal clients that are loaded from it.
3. Terminal Stations
1) Hardware requirements. The startup software of terminal stations is loaded from client SHIPKAs (based on SHIPKA-2.0 KC2 with a client license for "Center-T"), so any computer equipment that supports booting from USB devices can serve as a terminal client.
2) Functionality. The startup image boots from the user SHIPKA disk, contacts the Server for storage and network loading, receives the image mapped to this user SHIPKA, checks the authentication codes, and only if the authentication codes are correct allows the terminal station software to run. This terminal station software image supports operation with the hardware and software complex DST PUA Accord-Win32 or Accord-Win64 TSE and with the server software for PCDST SHIPKA, ensuring correct operation of PCDST SHIPKA in terminal mode with all of its internal capabilities.
3) Security. Hardware-based identification/authentication of the user, and verification of the integrity and authenticity of loaded images by checking authentication codes.
4) Placement requirements. A user SHIPKA should be issued to each user who has access to the terminal server.
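The following is an added illustration, not code from "Center-T" or OKB SAPR, of the image flow described in sections 1 and 3 above: AWS "Center" builds an image and attaches an authentication code, the Server for storage and network loading (SNLS) keeps the image mapped to a user SHIPKA, and the client startup image runs the software only if the code verifies. The page does not describe the authentication code's format, so an Ed25519 signature is assumed, and all names and sample image bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedImage is a constructed stand-in for a terminal station software image and
// its authentication code (format unspecified on the page; an Ed25519 signature is assumed).
type SignedImage struct {
	UserID   string // user SHIPKA the image is assigned to
	Payload  []byte // image contents (constructed sample bytes)
	AuthCode []byte // signature over UserID || 0x00 || Payload
}

// signedData binds the image to its user so one user's image cannot be passed off as another's.
func signedData(userID string, payload []byte) []byte {
	return append([]byte(userID+"\x00"), payload...)
}

// centerBuild: AWS "Center" builds an image for a user and attaches its authentication code.
func centerBuild(priv ed25519.PrivateKey, userID string, payload []byte) SignedImage {
	return SignedImage{UserID: userID, Payload: payload, AuthCode: ed25519.Sign(priv, signedData(userID, payload))}
}

// SNLS: the storage and network loading server, images keyed by user SHIPKA.
type SNLS map[string]SignedImage

// clientBoot: the user SHIPKA's startup image requests its image from the SNLS, checks the
// authentication code with the Center public key the SHIPKA carries, and hands the image
// over for execution only if every check passes.
func clientBoot(pub ed25519.PublicKey, srv SNLS, userID string) ([]byte, error) {
	img, ok := srv[userID]
	if !ok || img.UserID != userID {
		return nil, errors.New("no image assigned to this user SHIPKA")
	}
	if !ed25519.Verify(pub, signedData(img.UserID, img.Payload), img.AuthCode) {
		return nil, errors.New("authentication code check failed: image not run")
	}
	return img.Payload, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // Center key pair (constructed)
	srv := SNLS{"alice": centerBuild(priv, "alice", []byte("TS image: printer=lp0"))}
	_, err := clientBoot(pub, srv, "alice")
	fmt.Println("boot for alice, error:", err)
}
```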