Overview of cryptographic gateways of Russian and foreign manufacturers

Crypto gateways (VPN gateways, VPN routers or crypto routers) keep user data confidential by encrypting it and check the integrity of user messages at the exit from the GDSN using message authenticators. The VPN control center monitors and manages the operation of the crypto gateways and is also responsible for distributing cryptographic keys between them. A VPN may include individual user workstations, LANs, and other automated systems (AS).

There are currently four methods for constructing VPN crypto gateways:

  • based on network operating systems with built-in VPN functions;
  • based on routers / switches whose software includes VPN functions;
  • based on firewalls whose software integrates VPN functions;
  • based on specialized software and hardware designed only for building VPNs.

Within a VPN, all data is, as a rule, transmitted over so-called "tunnels", each of which is a virtual connection between two VPN crypto gateways. The algorithm for transmitting messages through a VPN tunnel is as follows. Before sending user messages through the tunnel, the crypto gateway encrypts them and calculates an authenticator for them, after which the messages are encapsulated (repackaged) into new messages, which are transmitted through the tunnel. The "Recipient address" header field of each generated message carries the address of the crypto gateway rather than the address of the user's AS for which the message is actually intended, which makes it possible to hide the true addresses of the communicating parties. When the messages arrive at the other end of the tunnel, the crypto gateway extracts the received data, decrypts it and checks its integrity, after which the data is passed on to the addressees. This method of message transmission is usually called "tunneling". The tunneling scheme for user messages is shown in Fig. 19.2.

Figure 19.2 - Scheme of tunneling user messages
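The tunneling steps described above, as an added Python example that is not part of the original page or of any vendor's code. It uses a SHA-256 counter keystream and HMAC-SHA256 as stand-ins for the gateway's cipher and authenticator (not GOST 28147-89); the keys, addresses and function names are constructed for illustration. Here the authenticator covers the whole encapsulated message and is checked before decryption.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed demo keys shared by both gateways. In a real VPN the control
# center distributes the keys; these values are placeholders.
ENC_KEY = hashlib.sha256(b"demo-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"demo-authenticator-key").digest()
NONCE_LEN = 16
TAG_LEN = 32
HDR_LEN = 8  # 4-byte source address + 4-byte recipient address


def _keystream_xor(key, nonce, data):
    """Stand-in stream cipher (SHA-256 in counter mode); illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + struct.pack(">Q", offset // 32)).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def _pack(src, dst, payload):
    """Minimal message: source address, recipient address, payload."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + payload)


def _unpack(raw):
    src = str(ipaddress.IPv4Address(raw[0:4]))
    dst = str(ipaddress.IPv4Address(raw[4:8]))
    return src, dst, raw[HDR_LEN:]


def encapsulate(gw_local, gw_remote, user_src, user_dst, payload):
    """Sending gateway: encrypt the user message, wrap it, authenticate it."""
    inner = _pack(user_src, user_dst, payload)       # true addresses live here
    nonce = os.urandom(NONCE_LEN)                    # unique per message
    ciphertext = _keystream_xor(ENC_KEY, nonce, inner)
    # The outer "Recipient address" is the remote gateway, not the user's host.
    body = _pack(gw_local, gw_remote, nonce + ciphertext)
    tag = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    return body + tag


def decapsulate(gw_self, tunnel_msg):
    """Receiving gateway: check the authenticator, unwrap, decrypt."""
    if len(tunnel_msg) < HDR_LEN + NONCE_LEN + HDR_LEN + TAG_LEN:
        raise ValueError("message too short")
    body, tag = tunnel_msg[:-TAG_LEN], tunnel_msg[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # constant-time comparison
        raise ValueError("authenticator mismatch: message rejected")
    _, outer_dst, rest = _unpack(body)
    if outer_dst != gw_self:
        raise ValueError("message is not addressed to this gateway")
    nonce, ciphertext = rest[:NONCE_LEN], rest[NONCE_LEN:]
    inner = _keystream_xor(ENC_KEY, nonce, ciphertext)
    return _unpack(inner)                            # (user_src, user_dst, payload)


def visible_addresses(tunnel_msg):
    """What an observer on the open network can read: the outer header only."""
    src, dst, _ = _unpack(tunnel_msg)
    return src, dst


if __name__ == "__main__":
    # Constructed sample: two gateways with public addresses, two private hosts.
    msg = encapsulate("203.0.113.1", "198.51.100.1",
                      "10.1.0.5", "10.2.0.9", b"payroll record 42")
    print("on the wire:", visible_addresses(msg))
    print("delivered  :", decapsulate("198.51.100.1", msg))
    damaged = bytearray(msg)
    damaged[30] ^= 0x01                              # one bit changed in transit
    try:
        decapsulate("198.51.100.1", bytes(damaged))
    except ValueError as err:
        print("rejected   :", err)
```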

Communication between VPN crypto gateways is implemented using special types of protocols called crypto protocols. Crypto protocols can be implemented at various levels of the OSI model (Table 19.1).

Table 19.1. Crypto protocols of different levels of the OSI model

At present, the cryptographic protocol most commonly used to build VPNs is IPSec, whose specification is part of the base standard for version 6 of the IP protocol, which implements the functions of the internetwork layer of the TCP / IP protocol stack.

APKSH "Continent" IPC-25 is a compact crypto gateway for a small office. APKSH "Continent" is a powerful and flexible VPN tool that allows you to build a VPN of any architecture. It provides cryptographic protection of information (in accordance with GOST 28147–89) transmitted over open communication channels between VPN components (local area networks, their segments and individual computers). It encrypts individual data packets with unique keys, which guarantees protection against decryption of intercepted data. To protect against tampering, a traffic filtering system is provided. It supports VoIP, video conferencing, GPRS, 3G, LTE, ADSL, dial-up and satellite communication channels, and NAT / PAT technology to hide the network structure.

APKSH "Continent" is designed to solve the following typical tasks:

  • All-round network protection.
  • Combining geographically distributed branches of the organization into a single secure network.
  • Protecting remote access by employees to the corporate network.

Manufacturer: Security Code LLC


Version comparison

| APKSH "Continent" | IPC-25 | IPC-100 | IPC-400 | IPC-1000 |
|---|---|---|---|---|
| Price | 180,000 RUB | 270,000 RUB | 665,000 RUB | 1,021,000 RUB |
| VPN performance (encryption + firewall filtering) | up to 50 Mbps | up to 300 Mbps | up to 500 Mbps | up to 950 Mbps |
| Firewall performance (open traffic) | up to 100 Mbps | up to 400 Mbps | up to 1 Gbps | up to 1 Gbps |
| Maximum number of concurrent TCP sessions processed (keep-state) | 10000 | 250000 | 350000 | 1000000 |
| Number of secure connections (VPN tunnels) | 25 | not limited | not limited | not limited |

Hardware configuration:

  • Form factor: Mini-ITX, 1U height
  • Dimensions (HxWxD): 155 x 275 x 45 mm
  • CPU: Intel Atom C2358 1743 MHz
  • RAM: SODIMM DDR3 DRAM, 2 GB, PC-1333
  • Network interfaces: 4 x 1000BASE-T Ethernet 10/100/1000 RJ45 (made in the form of easily replaceable modules)
  • Hard drives: SATA DOM module 4Gb
  • Power supply: external AC adapter 19V, 220V 80W
  • Reader: Touch Memory
  • Personal identifiers: Touch Memory iButton DS1992L, 2 pcs.
  • Built-in APMDZ module: PAK "Sobol" 3.0 (mini-PCIe)
  • USB flash drive: not less than 512 MB
  • Acoustic noise level at 100% load (measurement method ISO7779)
  • Built-in operating system: Continent OS - Advanced Security Enhanced OS based on FreeBSD Kernel

APKSH "Continent" 3.9 includes:

  • Cryptographic Gateway Network Control Center (NCC) - authenticates the crypto gateways (KSH) and the management workstations (AWP) / monitors and logs the state of the KSH network / stores the logs and configuration of the KSH / distributes key and configuration information / centrally manages cryptographic keys / interacts with the control program.
  • Crypto gateway (KSH) - a specialized hardware and software device that receives and transmits IP packets via TCP / IP protocols (static routing) / encrypts packets (GOST 28147–89, gamma mode with feedback (CFB), key length 256 bits) / protects transmitted data from distortion (GOST 28147–89, imitation mode, i.e. message authentication code generation) / filters packets / hides the network structure / registers events / notifies the NCC about its activity and events requiring intervention / monitors the integrity of the KSH software.
  • NCC control program (PU NCC) - its main function is centralized control of the settings and operational monitoring of the state of all KSH that are part of the complex. It is installed in the secure network on the administrator's workstation under MS Windows 2003/2008/7/8.
  • NCC and SD agent - establishes a secure connection and exchanges data with the NCC and the CP / receives the contents of the logs from the NCC, stores them and transmits them to the CP / receives information about the operation of the complex from the NCC and transmits it to the CP.
  • User Authentication Client - authenticates users working on computers located in a protected network segment when they connect to a crypto gateway.
  • Subscriber station (Continent-AP) - establishes a VPN tunnel between the user's remote workstation and the internal protected network of the organization. When connecting over public networks and the Internet, it provides user authentication / support for dynamic address allocation / remote access to resources of the protected network via an encrypted channel / access via dedicated and dial-up communication channels / the ability to access resources of public networks.
  • Access Server - provides communication between the remote UA and the protected network, determines the user's access level and authenticates the user.
  • Access Server Management Program (PC SD) - provides prompt notification of the network administrator about security events. Designed to manage the settings of all access servers included in the complex.
  • Continent attack detector - a software component that analyzes traffic coming from a crypto gateway and filters unauthorized intrusions. Works in conjunction with the Control Center for the network of cryptographic gateways "Continent" version 3.7 and higher.

Certificates

  • compliance with the guidelines of the FSTEC of Russia for the 2nd level of control for the absence of undeclared capabilities (NDV) and the 2nd security class for firewalls. Can be used to create automated systems up to security class 1B inclusive and personal data information systems up to class 1 inclusive;
  • compliance with the requirements of the FSB of Russia for devices such as a firewall for class 4 security;
  • compliance with the requirements of the FSB of Russia for cryptographic information protection tools of class KC3 and the possibility of using it for cryptographic protection of information that does not contain information constituting a state secret;
  • The Ministry of Telecom and Mass Communications of the Russian Federation - compliance with the established requirements for packet routing equipment and the possibility of using it on public communication networks as equipment for switching and routing information packets.

Look at this class of solutions from a slightly different angle - from the point of view of the use of cryptography in them.

The tradition of adding VPN server functionality to the firewall (FW) arose quite a long time ago and is so successful and logical (some people write it as FW / VPN) that finding a perimeter (gateway) firewall (especially in hardware) without VPN support is not so simple. It is possible that they exist, but I can't recall any offhand. Correct me in the comments if I'm wrong.

Naturally, when building a VPN (virtual private network), you want to get a really secure channel, which implies the use of strong cryptography (high encryption). And in Russia, as you know, the area of strong cryptography is no less heavily regulated, because a VPN server is essentially nothing more than a crypto gateway.

It can be argued that a VPN server certified in accordance with Russian legislation must support the GOST algorithm and hold an FSB certificate, since it is this agency that oversees encryption matters in our country.

Even when certifying FW / VPN class products with FSTEC as a firewall, it is recommended to disable strong cryptography, leaving only the DES algorithm with a key length of 56 bits. Another thing is that not everyone does this, and if they do, then, as an option, they can sell (donate) an activation key for strong cryptography by simply sending it by e-mail. However, that is not the point here.

Certification in the FSB has, of course, something similar to a similar procedure in the FSTEC, but it is definitely much more complicated - it can be indirectly estimated, for example, by the fact that there are more than 2000 positions in P, and in a similar one - five times less.

The list of tools certified by the FSB itself is, of course, not encouraging in terms of its design: it is a table inserted into a doc document. An attempt to copy this table into Excel does not help much - some cells turn out to be randomly merged into strange groups, and some (for example, the manufacturer, the name of the product and its description), on the contrary, are split into an arbitrary number of lines from 2 to 6, the start and end dates of the certificate are located in vertically adjacent (!) cells, etc. Probably, you can get used to working with such a presentation of information, but for my convenience I put the List into a more pleasant-looking Excel form with automatic filters (available at this link:).

However, if something can still be done with the form, then only a specialist who is deeply versed in the topic can understand the content. There is no particular classification of products, and even each developer names the product at his own discretion. More or less similar descriptions of the functions performed save a little, but it was not immediately possible to understand them.

After a thoughtful study of the products presented in the List, I came to the (hopefully justified) assumption that the crypto gateways we are interested in today are those products, the description of the functions of which mentions the protocol and cryptographic protection. There were as many as 80 such certificates, but in reality there are far fewer products, since there are separate certificates for different versions of products or even their modules, and in some cases a separate certificate with a separate number is issued for each variant.

So, having filtered the rows in Excel, let's see what we can use to encrypt IP traffic.

Of the firewalls certified by FSTEC that have already been encountered in the reviews, the following products are certified by the FSB:


  • ViPNet (developer: Infotecs)
  • Continent (developer: Informzaschita, Security Code)
  • CSP VPN (developer: S-Terra CSP)
  • OUTPOST (developer: ELVIS-PLUS)
  • StoneGate SSL VPN (developer: New Security Technologies)
  • DioNIS (developer: Factor-TS)
  • ATLIX-VPN (developer: STC Atlas)
  • Tunnel (developer: AMIKON, InfoCript -P PAK based on FPSU-IP)

Additionally, there are two highly specialized products and two (if I understood correctly) cryptographic providers:


  • ModulePHSM (developer: STC Atlas)
  • M-448-1.4 P (developer: State Institution of special programs of the President of the Russian Federation, RCZI FORT)
  • IPSec barrier (developer: Validat)
  • CryptoPro CSP / IPSec (developer: CRYPTO-PRO)

As you can see, the number of firewalls certified not only by the FSTEC, but also by the FSB is extremely small - in fact, one can speak of only seven players. Such a small number of vendors allows the strong to feel relatively safe, while the rest are quite comfortable in their narrow niche. Any change in the established equilibrium does not play into the hands of any of them, and certainly not of the market leaders.

The second observation that can be made is that almost all products are originally made in Russia. Yes, the developer of an FSB-certified CIPF can only be a Russian legal entity, but the products themselves are mostly domestic products, in all honesty, developed exclusively to meet the requirements of regulators. None of the presented domestic vendors has yet achieved any serious success with its developments outside of Russia (except, of course, in neighboring friendly states).

The situation changed dramatically last year, when a significant (but perhaps not so significant) event took place: it was modified to meet the requirements of Russian realities. Initially developed for the open commercial world market, the product received a certificate from the FSB - are there any more such examples in the List?

But, nevertheless, it was not a classic IPSec crypto gateway, but an SSL solution with all the ensuing nuances that the market still needed to get used to. Around the same time as StoneGate SSL, StoneGate FW / VPN certification was announced.

We can only guess what difficulties the team involved in this certification had to face, but all of them were successfully overcome and in October StoneGate FW / VPN received the FSB certificate SF / 124-2027 dated 10/04/2013 (so far, for some reason, it is missing from the List dated 10/07/2013). Now we can already say that a direct threat to existing players has appeared on the crypto gateway market. At the same time, if we remember that StoneGate is a commercially successful product in the world, so successful that P has expanded the range of solutions of this vendor with its product portfolio, then it becomes clear that this threat is more than just a little dangerous.

It is clear that this market is rather inert and one should not expect drastic changes tomorrow. In the end, there are well-built sales channels, a certain installed base, which cannot be replaced all at once, and some personal human relations and agreements, as usual, probably play their part. At the same time, this event is undoubtedly important for the entire market, and now Russian customers and integrators implementing projects have an excellent alternative to the usual previous set of certified solutions for building encrypted data transmission channels using Russian cryptography.

Building virtual private networks (VPNs) involves creating tamper-proof tunnels between multiple local networks or remote clients on top of another network with a lower level of trust (for example, the Internet). Because cryptographic tools are used, the level of trust in the resulting logical network does not depend on the level of trust in the underlying networks. Creating and maintaining such tunnels requires special protocols, software and equipment. Virtual private networks are significantly cheaper than a global computer network of one's own, since there is no need to pay for cable lines connecting local networks.

VPN solutions provide the following features:

  • encryption;
  • confirmation of authenticity;
  • identification;
  • traffic control.

VPN implementation methods:

  • Intranet VPN is used to unite several distributed branches of one organization into a single secure network, exchanging data over open communication channels.
  • Remote Access VPN is used to create a secure channel between a segment of a corporate network (central office or branch office) and a single user who connects remotely.
  • Extranet VPN is used on networks to which external users (such as customers or clients) connect. The level of trust in them is much lower than in the employees of the company; therefore, it is necessary to provide special protection measures to prevent or restrict access to confidential information.
  • Client / Server VPN is used when transferring data between two nodes of a corporate network located in the same segment. This need arises when several logical networks need to be created in one physical network. Instead of splitting traffic, encryption is used.

Altiriks Systems is a partner of the VPN / crypto gateway market leaders and offers solutions from Stonesoft, Security Code, Infotecs, S-Terra, Cisco.

StoneGate SSL VPN - simple and secure remote user access to corporate information resources from anywhere, powered by clientless SSL VPN technology. It is ideal for organizations with many mobile users accessing the network from different locations, where a secure connection and easy access to the network are needed. StoneGate SSL VPN provides corporate users with flexible and secure access to the corporate network from any Internet-connected device - laptop, PDA or mobile phone. Enterprise applications can include email, intranets and extranets, client / server applications, IP telephony, terminal services and more. Key features of the solution: support for up to 5000 simultaneous connections; establishing a connection from any device, regardless of the type of client equipment and the method of connecting to the network (UMTS, WLAN); more than 20 authentication methods preinstalled with the gateway for free, including unique authentication methods using a mobile phone; automatic deletion of all traces of the connection at its termination (temporary files, cache, downloaded documents, etc.); support for Russian cryptographic algorithms; integration with Microsoft Active Directory and MS Outlook ActiveSync; extended support for Single Sign-On (SSO); fast integration with access control systems and end applications; built-in support for Outlook Web Access 2000/2003, Domino Web Access 6.5, Citrix MetaFrame Presentation Server, Terminal Server 2000/2003, MS Outlook Client 2000/2003, etc.; the ability to remotely update the software; centralized management of all devices and real-time monitoring; the possibility of redundancy and clustering; extended password policies; context control of sessions; flexibility of installation and ease of administration. StoneGate SSL VPN is certified by the FSTEC of Russia and the FSB of Russia.

Stonesoft FW / VPN - a family of high-performance software and hardware firewalls, which are based on unique architectural solutions that provide an unsurpassed level of protection of information systems. StoneGate FW / VPN uses its own integrated secure operating system, which eliminates the need for any specialized configuration operations, and also allows you to extend the functionality of StoneGate simply by adding new components, without changing the operating infrastructure and without interrupting work. StoneGate FW / VPN uses the most modern traffic analysis and fault tolerance technologies. The patented MultiLayer Inspection technology combines the benefits of Application proxy and Stateful Inspection filters to provide more secure connections and filtering flexibility without any significant speed drop. At the same time, traffic filtering that tracks the context of established connections is possible not only at layers 3-4 of the OSI model, but also at the application layer. Today, more than 20 application protocols are available for inspection (H.323, SIP, FTP, HTTP (S), SMTP, IMAP, POP3, SSH, NBT, MSRPC, Sun RPC, Oracle TNS, etc.), which allows you to inspect the flow according to the full set of rules, performing, among other things, content and URL filtering, anti-virus inspection, etc. Another unique feature of StoneGate FW / VPN firewalls is support for the patented MultiLink technology, which provides high availability of resources through dynamic load balancing across communication channels. StoneGate FW / VPN is certified by FSTEC of Russia.

APKSH "Continent" - a family of tools for building virtual private networks on top of public global networks that use protocols of the TCP / IP family. Key features: secure access of VPN users to the resources of public networks; cryptographic protection of transmitted data in accordance with GOST 28147-89; firewalling - protection of internal network segments from unauthorized access; secure access of remote users to VPN network resources; creation of information subsystems with separation of access at the physical level; support for common communication channels; work with high-priority traffic; reservation of guaranteed bandwidth for certain services; VLAN support; hiding the internal network; support for NAT / PAT technologies; the ability to integrate with intrusion detection systems; remote software update of crypto gateways. APKSH "Continent" has certificates of FSTEC of Russia and FSB of Russia.

ViPNet CUSTOM - the most extensive corporate-level product line - a secure network designer that offers a solution to the full range of VPN and PKI tasks. Technical advantages: focus on organizing secure client-client interaction (while most VPN solutions from other manufacturers provide only server-to-server or server-client connections), which makes it possible to implement any necessary access control policy within the entire protected network, as well as reduce the load on VPN servers, since in general, during client-client interaction, the VPN server is not involved in encrypting traffic between these clients; great attention in ViPNet CUSTOM is paid to operation alongside a variety of network equipment and software that implements dynamic or static translation of addresses and ports (NAT / PAT), which greatly facilitates the process of integrating the protection system into the existing network infrastructure; in most cases, manual configuration of ViPNet Client software is not required; ViPNet CUSTOM implements separate filtering of open and encrypted traffic, which makes it possible, even among trusted network nodes, to restrict work through unauthorized ports and protocols and thereby increase the security level of the protected network; each ViPNet CUSTOM component contains a built-in firewall and a system for monitoring network activity of applications or works in conjunction with ViPNet Client software, which allows you to get a reliable distributed system of firewalls and personal firewalls; to resolve possible conflicts of IP addresses in local networks included in a single secure network, ViPNet CUSTOM offers an advanced system of virtual addresses. In many cases, it makes it possible to simplify the configuration of the user's application software, since the superimposed virtual network with its virtual addresses hides the real complex structure of the network. It also makes it possible to solve the problems of interaction between local area networks with overlapping IP addressing. ViPNet CUSTOM supports internetworking, which allows you to establish the necessary secure communication channels between an arbitrary number of protected networks built using ViPNet CUSTOM. ViPNet CUSTOM provides information protection in modern multiservice communication networks that provide IP telephony and audio and video conferencing services. Traffic prioritization and the H.323, Skinny and SIP protocols are supported. ViPNet Coordinator software supports operation on modern multiprocessor and multi-core server platforms, which ensures high speed of traffic encryption. ViPNet CUSTOM is certified by FSTEC of Russia and FSB of Russia.

Cisco VPN is a family of products that offer the full range of Layer 2 and 3 VPN technologies designed for IP and MPLS infrastructures. At Layer 2, Cisco VPN addresses the differentiation of service provider packet infrastructures using two different Layer 2 tunneling protocols: Cisco AToM for MPLS backbones and Layer 2 Tunneling Protocol version 3 (L2TPv3) for IP backbones. Both of these protocols provide high-speed Layer 2 connections between any two nodes and support Layer 2 connectivity technologies (ie, Frame Relay, Ethernet, HDLC, and ATM). In addition, Layer 2 VPNs support new multipoint technologies such as Virtual Private LAN services. For Layer 3, Cisco offers VPN technologies such as Cisco IPsec, GRE, and MPLS / BGP VPN. These technologies support the transport of IP packets as a component of a VPN solution over an IP / MPLS backbone. They operate at the IP layer, providing an intelligent layer for customer traffic management and end-to-end routing. Cisco VPN technologies offer customers the following benefits: One network; any means of access; availability of a complete set of protocols, platforms and tools for creating and configuring services; lower cost of ownership; flexibility, scalability and services required by both providers and large corporate clients.

S-Terra CSP VPN - a product family of security gateways for protecting individual users, servers, separate networks and specialized devices. Main characteristics: traffic protection at the level of authentication / encryption of network packets using the IPsec AH and / or IPsec ESP protocols; packet filtering of traffic using information in the header fields of the network and transport layers; different sets of rules for processing traffic on different interfaces; intelligent tracking of the availability of exchange partners (DPD); integrated firewall; support for mobile users in accordance with the security policy of the intranet (IKECFG server); the ability to obtain public key certificates using the LDAP protocol; support for masking real IP addresses (traffic tunneling); controlled event logging (syslog); monitoring of global statistics via the SNMP protocol, compatibility with CiscoWorks VPN Monitor; transparency for the operation of the QoS service; support for encapsulation of ESP packets in UDP (NAT traversal); compatibility with PKI and LDAP services of foreign and Russian manufacturers. S-Terra CSP VPN is certified by the FSTEC of Russia and the FSB of Russia.

The experts of the Altriks Systems company will help you choose and implement a solution that will cope with the tasks set with maximum efficiency and minimal cost.


From Wikipedia, the free encyclopedia

Crypto gateway (VPN gateway, crypto router) - a hardware and software complex for cryptographic protection of data, voice and video traffic based on packet encryption using the IPsec AH and / or IPsec ESP protocols when establishing a connection, which meets the requirements for cryptographic information protection (CIP) of the FSB of Russia and provides the basic functionality of a modern VPN device.

Purpose

The crypto gateway is designed to ensure the information security of an organization, protect its information networks from intrusion from data transmission networks (Internet), ensure confidentiality when transferring information over open communication channels (VPN), as well as organize safe user access to the resources of public networks.

The crypto gateway provides the basic functionality of a modern VPN device:

  1. confidentiality and integrity of the IP packet stream;
  2. masking the network topology by encapsulating traffic in a secure tunnel;
  3. transparency for NAT;
  4. authentication of network nodes and users;
  5. unification of security policy for mobile and "internal" users (dynamic configuration of corporate IP addresses for remote users "inside the VPN").

Crypto gateways are represented both in the segment of VPN devices and in the segment of unified devices (UTM) that combine several security tools in one.

The difference between crypto gateways and conventional VPN routers is that they operate on the basis of the IPSec protocol and provide protection of information transmitted over communication channels using algorithms that meet the requirements of Russian cryptographic standards (GOST 28147-89 and GOST R 34.10-2001).

Access to information system resources

Crypto gateways give remote subscribers secure access to the resources of the corporate information system. Access is made using special software installed on the user's computer (VPN client), which provides secure interaction between remote and mobile users and the crypto gateway.

Crypto-gateway software (access server) identifies and authenticates the user and communicates with the resources of the protected network. With the help of crypto gateways, virtual secure channels are formed in public networks (for example, the Internet), which guarantee the confidentiality and reliability of information, and virtual private networks (VPNs) are organized, which combine local networks or individual computers connected to a public network into a single secure virtual network. To manage such a network, special software (control center) is usually used, which provides centralized management of the local security policies of VPN clients and crypto gateways, sends them key information and new configuration data, and provides system logging.

“On the contrary, everything seems to be all right, ma cousine,” said Pierre with that habit of playfulness which Pierre, who always embarrassedly endured his role as benefactor in front of the princess, had assimilated himself in relation to her.
- Yes, it's good ... well-being! Today Varvara Ivanovna told me how our troops differ. Certainly you can attribute honor. Yes, and the people completely rebelled, they stop listening; my girl and she became rude. So soon they will start beating us too. You can't walk the streets. And most importantly, tomorrow the French will be there, so what can we expect! I ask about one thing, mon cousin, "said the princess," order them to take me to Petersburg: whatever I am, I cannot live under Bonaparte rule.
- Yes, fullness, ma cousine, where do you get your information? Against…
- I will not submit to your Napoleon. Others as they want ... If you do not want to do this ...
- Yes, I will, I will now order.
The princess was evidently annoyed that there was no one to be angry with. She, whispering something, sat down on a chair.
“But you are not being told this correctly,” said Pierre. “Everything is quiet in the city, and there is no danger. So I just read ... - Pierre showed the princess the posters. - The count writes that he answers with his life that the enemy will not be in Moscow.
“Oh, this count of yours,” the princess spoke angrily, “this is a hypocrite, a villain who himself set the people up to rebel. Didn't he write in these stupid posters that whatever it was, drag him by the crest to the exit (and how stupid)! Whoever takes, says, to him both honor and glory. So I didn’t care. Varvara Ivanovna said that the people almost killed her because she spoke French ...
- Why, this is so ... You take everything to heart very much, - said Pierre and began to play solitaire.