Managed-Defence-on-Vessels_en

  1. 1. ubique TECHNOLOGIES
  2. 2. © UBIQUE Technologies GmbH www.ubique-technologies.de Stable online access is paramount for the captain and crew, not only for retrieval of current data, but also as a communication channel with home and for recreational activities. If private laptops or smart devices are connected to the ship's network, key onboard systems could be affected. Private browsing or the use of bandwidth-intensive applications such as multimedia streaming or video chats can exhaust satellite links quickly, causing costs to skyrocket. Infrastructure Security and Cost Control: Secure Solutions for a Secure Business. The manipulation or failure of an IT or communications network on board can have fatal consequences, from costly delays to manipulation of on-board systems or cargo software to hazards for the ship and crew. A distinguished Cyber Security specialist since 2011, UBIQUE Technologies offers worldwide protection for digital infrastructures against manipulation, infiltration and IT-related malfunctions. With Cyber Security Command Centers, manned around the clock in its own data centers in Germany, UBIQUE Technologies stands for the immediate defense against digital attacks as well as targeted initiation of appropriate countermeasures to protect digital and physical values. Today's ships use more information technology than a medium-sized company. In addition, the demands on seaworthy hardware systems are much higher than for normal hardware systems: rough seas, high humidity and limited space require robust and reliable infrastructure systems. At the same time, the potential risks and associated costs of a functional failure of the onboard IT system by far exceed what systems designed for normal use are capable of handling. Designing an IT protection system tailored to the needs of modern commercial shipping requires that such factors as acquisition and operating costs, global availability of parts and a global service structure be considered, as well as the feasibility of connection quality, bandwidth and the overall costs of operating the technologies used in each case.
  3. 3. The first steps to be taken in order to increase network security on board are to create separate networks for the intra- and inter-ship communications and crew usage as well as integrating various security filters in the data stream. The separation of individual network sectors serves to simplify network management and implement cost control of the services provided, as well as greatly enhancing security. The token-based Internet access system enables compliance with legal privacy requirements and protects the network operator, in this case the ship owners, from liability claims by individual crew members without the necessity of restricting internet usage. The Dual Control principle facilitates legally compliant storage of log data which can later be analyzed, if required. Access control also allows a personal or group-based bandwidth allocation and can prioritize or block internet or application access on the basis of operational plans. The content filter employed protects against the unlawful use of the internet connection by crew members and can be tailored to meet the legal requirements of the various ports of call or countries at any time. At the same time, downloads containing malware or other hazardous contents are caught and disabled. General use of a Fleet Broadband (FBB) connection is more expensive than the cost of a satellite (VSAT) link. In case of a VSAT connection failure, only the operational and security-related services, vital to the ship's operation, should be transferred to the FBB so that they remain available. Although non-critical services, such as surfing the internet, are now no longer available to the crew, these functions can still be used by groups of specifically defined crew members on the FBB. In addition, personalized internet and application access can be limited, either connection-dependent or by volume or time, extending the system's capabilities to ensure optimum cost control. The allocation of defined bandwidths, either fixed or percentage-wise, for defined applications, links, individuals or groups provides each with the optimal availability of important systems and information sources. Network separation / Network division; Access control; Internet Filter; Service-oriented Failover; Infrastructure Security and Cost Control
  4. 4. State-of-the-art encryption technologies are used to protect wireless networks (Wi-Fi); however, it is only a matter of time before an intrusion into a WLAN is successful. That is why we have added an active and tamper-free network access control (NAC) to our security system. This additional layer of protection continuously scans all network activity without burdening the network itself. Should an attacker gain illegal access to a network segment, he will be identified within milliseconds and any communication between the attacker's system and the internal system is prevented. Just as the firewall itself includes all the necessary protective functions to protect against contamination over IP, the NAC not only scans all internal network traffic to unknown systems, but also checks for network communication inconsistencies and monitors all connected systems for vulnerabilities. The system records all security breaches to a tamper-proof database which is passed on to the control room where it can be pursued further in compliance reports and process-driven workflows, as necessary. Application Containment provides another important layer of security for highly sensitive applications. A containerized application runs within a container application and every application interface is monitored. This protects the application itself as well as all data input against manipulation and any unlawful data tap. Even keystrokes themselves are encrypted before being passed on to the protected application within the container application. Containerization makes it possible not only to run safe applications in uncertain environments, but also to execute unsecured applications in secure environments. Network Access Control; Vulnerability Management and Reporting; Application Containment; Infrastructure Security and Cost Control
  5. 5. The administrating employees are authenticated through a token system. The central management interface allows them access only to the functions for which they have been authorized. This enables a granular implementation of the separation of functions between the various administrative tasks. In order to minimize the bandwidth load as much as possible, the transmission of log information and reports can be granularly controlled and timed. The transmission itself can be switched from the current push method, where the individual applications automatically pass their information to headquarters, to the pull method, where the central log and reporting server actively retrieves the appliance information. This also applies to changes in rules. The system rule changes can either be executed directly or through the central control center. They are then synchronized against each other and on both sides – in the data center and on the individual appliance on board – so that uniform rules are available. This makes it possible to set up rules centrally and, after central clearance, push them to the connected appliances on board and activate them. Access control and separation of functions; Pull and Push. Responsibility for the management of the protection system is allocated to a central location, either the headquarters of the shipping company, or UBIQUE Technologies' data center in Germany. Centrally managed, optimal Security
  6. 6. In case it becomes necessary to exchange the entire system, the central office can "refuel" the replacement devices remotely and guide a crew member during the implementation. The global use of these systems ensures that exchange systems can be procured and brought on board from most nearby ports. We highly recommend the use of a cluster, in which 2 identical devices act together, as the failure of one system can be compensated by the second system until the replacement becomes available. Usage Reports serve as proof of system usage by individuals, systems and applications and show the entire data transfer history. Aside from the resulting planning security, it is possible to draw conclusions and also do a forensic evaluation of the system's security. Use the existing report templates or the option of defining your own reports, to generate compliance reports on system security, configuration and usage in just minutes. System exchange; Usage and Compliance Reports; Centrally managed, optimal Security
  7. 7. Often, in addition to requiring username and password, application and system access can be limited to a single, accessing IP address which further reinforces system protection. UBIQUE Technologies' central VPN-Fixed-IP Service makes the use of a fixed IP in the authentication process possible, without losing the convenience of widespread or even mobile accesses. Employees and service providers can set up their VPN in our data center as usual, from headquarters or on the road, using their laptops, and can access the systems to be administered through that. Employee access is secured through the use of a token system. The passwords used to log in are clearly defined and updated in a 30-60 second cycle. Each employee enters his username, known only to himself, and the password provided via a hard or soft token, to gain access to the central access point where he then authenticates his identity. Centrally secured accesses with fixed IP addresses
  8. 8. With the introduction of VoIP, the problem of achieving tap-proof communications channels was often transferred to the VoIP telecommunications system being used. Widespread implementation of this practice has generated increased attacks on the vulnerabilities within the protocol itself, in particular, targeting the client systems in use. With Adhoc VoIP-Encryption, we make the encryption of voice communication possible in an end-to-end process and by removing the unknown variable in the operating system, whether it is a laptop or a personal computer, from the equation. In order to minimize the target, the system encrypts the voice packet before it leaves the client computer and decrypts incoming voice packets after these have left the PC used to send them. This process is made possible through the use of a special USB hardware system in which a hardware-based encryption is employed which allows a secure and certificate-based authentication of the communications partner. Using a commercially available USB headset or a simple USB desk phone system is sufficient. Adhoc VoIP-Encryption; Encrypted Voice Communication
  9. 9. Fleet-internal VoIP Encryption. For fleet-internal encrypted voice communication we use an encrypting appliance that can be placed at the organization's headquarters and is connected in front of the existing PBX. As an option, the PBX and the VoIP encryption appliance can be placed in one of our German data centers. After activation of the service, encrypted VoIP calls are available between the corporate headquarters, vessels and individual persons. In every case we guarantee that the devices used are authenticated before the connection, and that the handshake preceding the establishment of a communication channel is also encrypted from the start. Any smart device, PC or VoIP-enabled device can be used with this service. Encrypted Voice Communication
  10. 10. Encrypted Email Communication & Data Transfer. Current encryption methods for email communication are usually based on one of two standards: PGP or S/MIME. These standards are designed to ensure secure end-to-end encryption and, when properly applied, both standards meet the highest safety requirements. Unfortunately, both methods require that the client systems used are clean and free of spyware or malware such as rootkits or Trojans. Based on our experiences and those of our parent company, we must always assume that no system is trustworthy. The system we provide for the secure exchange of email messages is therefore based on a dedicated communications server, where partners can exchange secure communications and the encrypted information is uploaded to the individual email client only if needed. In addition, the system provided is supported by both the PGP and S/MIME standards. Encrypted Email Communication
  11. 11. ubique TECHNOLOGIES. A distinguished Cyber Security specialist since 2011, UBIQUE Technologies offers worldwide protection for digital infrastructures against manipulation, infiltration and IT-related malfunctions. With Cyber Security Command Centers, manned around the clock in its own data centers in Germany, UBIQUE Technologies stands for the immediate defense against digital attacks as well as targeted initiation of appropriate countermeasures to protect digital and physical values. UBIQUE Technologies GmbH. Christian Nowitzki, Managing Director, UBIQUE Technologies GmbH: Economic success is created through entrepreneurial thinking and action. Appropriate risk management ensures success as well as making economic risks predictable. Because we specialize in the protection of digital infrastructures, we can ensure the security of your company and the protection of your information and assets.
  12. 12. UBIQUE Technologies GmbH, Mühlstraße 50, 63762 Großostheim, Germany. Phone: +49 (6093) 3699990. www.ubique-technologies.de, kontakt@ubique-technologies.de. ubique TECHNOLOGIES: secure solutions for a secure business
