ViPNet crypto-gateway implementation experience in ERIS

Hi, Habr! In this article we will talk about the implementation of ViPNet crypto-gateways to protect communication channels in the framework of the personal data protection project in the ERIS information system. We were lucky to become a part of such an important project for Moscow medicine, which takes radiation diagnostics to a new level.

Briefly about ERIS

ERIS (Unified Radiological Information Service) is an information system that combines high-tech medical equipment, workplaces of radiologists and a single archive of diagnostic images. Currently, ERIS combines magnetic resonance, digital devices of classical X-ray, devices for fluorography and computer tomographs in 64 polyclinics of the city of Moscow, including outpatient facilities of Zelenograd.

The main tasks of ERIS are to improve the efficiency of radiation diagnostics in Moscow, to create a single network uniting diagnostic equipment, to provide a modern and reliable system for storing the resulting images, descriptions and conclusions.

The need for crypto-gateway

Since the patient's personal data is processed in the ERIS information system, it is necessary to comply with the requirements of the Federal Law “On Personal Data” and by-laws related to this law. One of the requirements for the protection of personal data is the organization of secure communication channels using the means of cryptographic protection of information (ICTD). In accordance with this requirement, we have begun to design a system for the protection of personal data in general and ICPM in particular.

Selection criteria, testing scheme, pilot, final selection

Our company Elefus, the Customer represented by the company Laval, has put forward a number of requirements that the SKZI had to meet, among them the main ones:

• channel delays (this was the most important criterion because the medical staff using the client application at the workplace connects to the server side in the data center, and the channel delays strongly affect the system performance and patient work speed);
• availability of a certificate by the Federal Security Service of Russia for cryptographic instruments (a requirement of regulatory documents relating to the protection of personal data using the means of cryptographic protection of information necessary for the fulfillment of the requirements for the protection of personal data established by the Government of the Russian Federation for each level of her protection "));
• scalability of the solution (the system is supposed to be extended to additional objects, therefore, we initially had to install equipment with a margin and the possibility of scaling both horizontal and vertical);
• resiliency (if you were in Moscow polyclinics, then you know perfectly well that there is always a queue in radiology rooms, therefore an important factor was ensuring the resiliency of the solution);
• sufficient performance (it was necessary to install equipment of small capacity to radiology rooms, but sufficient to ensure a good communication channel to the data center, our reference was a bandwidth of 20 mb / s);
• monitoring (since the infrastructure is distributed throughout Moscow, it is necessary to ensure continuous monitoring of equipment and monitor the load on the network);
• simplicity of service (general engineers, who do not have deep knowledge of ViPNet (because this is not their main task), must go to the facilities, should solve the problem on site according to the instructions).

Four products were tested:

• ViPNet Coordinator;
• APKSh "Continent";
• CryptoPro IPsec;
• MagPro CryptoPacket execution of "OpenVPN-GOST"

We chose the most popular and well-proven software and hardware solutions (Continent and ViPNet) and purely software solutions (CryptoPro and MagPro). It was not intended to install additional software on the computers of the radiological office, because often to interact with radiological equipment requires very specific and old versions of operating systems and special software. Therefore, the protection of the communication channel was necessary to place on the border network equipment. Two schemes for installing SKZI were considered: installation of hardware and software (Continent and ViPNet) at the perimeter, or installation of a computer serving as a gateway for the radiological office, on which SKZI will be installed (CryptoPro and MagPro). In terms of costs, these options turned out to be comparable, so initially PACKs were preferable, because they were easier to maintain.

The testing scheme was as follows:


Figure 1 - Testing scheme

In the course of testing, three types of images were transmitted: CT, MMG, PETKT (they differ in file sizes, client-server interaction frequency), different versions of images allowed to simulate various types of loads on crypto-gateways. Measurements of delays and speed in the channel were made with WinMTR and iperf3 programs.

According to the testing results, Continent and ViPNet were in the lead, their results were comparable, CryptoPro lagged slightly, and MagPro strongly influenced both the speed and the delays in the channel.

Further, after interacting with vendors, the Customer made the final decision in favor of ViPNet. Let's leave the final choice beyond the brackets of this article, from a technical point of view, the Continent and ViPNet are almost the same.

InfoTeKS (manufacturer ViPNet) provided the following equipment for pilot testing:

• HW50 - 2 pcs. for radiology rooms
• HW1000 - 1 pc. for data center

The equipment was tested for a month in combat conditions. The tests showed that our calculations were correct, and the tests were quite accurate. The equipment worked in a regular mode, without any significant restrictions on the work of medical workers. As a result, the final specification turned out to be just this equipment, the HW50 was installed in radiology cabinets, a cluster of two crypto-gateways HW1000 of the updated model with increased throughput - in the data center).

How to implement? Scheme, complexity, presetting

We needed to approach the implementation with the utmost care. As I said above, the medical workers of the radiology rooms are constantly loaded, so we had 15 minutes to implement the CIPF at the facility. We carried out the implementation together with Laval engineers, who knew the local equipment well.

The implementation consisted of the following steps:

• Pre-configuration (the equipment was pre-configured by our engineers (release and installation of dst-on PAK, setting up network interfaces, setting up a snmp-agent, setting up PAK in ViPNet Administrator);
• Installation of crypto-gateways in the data center (setting up an alternative channel in order not to interrupt the work of ERIS);
• Installation of crypto-gateways in the clinics (the engineer needed to plug equipment into the 15-minute interval and make sure that the tunnel in the data center was raised. Naturally, in ideal cases, everything happened in minutes, but there is always some time to correct the problems that arise. In general, 15 minutes is enough to complete the work);
• Connecting crypto-gateways to the monitoring system (at this stage, revealed a system bug that was reported to the vendor, periodically the snmp agent spontaneously fell off, it had to be restarted. Since we know that ViPNet runs on Linux (Debian), we wrote a script that automatically restarted the process. In the new version, InfoTeX fixed this moment).

Monitoring The load on the processor, RAM, network

Next we will show screenshots from the monitoring system, where you can view the load on the equipment separately for six months and separately for one working day (CPU, RAM, network). The names of network devices are hidden, in terms of semantic load, this does not affect anything.

CPU load

Figure 2 - CPU load for half a year HW1000


Figure 3 - CPU load for 1 day HW1000


Figure 4 - CPU usage for half a year HW50


Figure 5 - CPU load for 1 day HW50

Load on RAM

Figure 6 - Loading RAM for six months HW1000


Figure 7 - Loading RAM for 1 day HW1000


Figure 8 - Loading RAM for half a year HW50


Figure 9 - Loading RAM for 1 day HW50

Network load

Figure 10 - Network load for half a year HW1000


Figure 11 - Network download in 1 day HW1000


Figure 12 - Network load for half a year HW50


Figure 13 - Network load in 1 day HW50

Conclusion

It has been about a year since the implementation of the project, all CIPPs work in a regular mode, not a single crypto gateway has failed. ERIS works in a regular mode with the information security tools installed, providing the necessary level of information security for the personal data of patients in Moscow polyclinics.