
GATEPROTECT CASE STUDY

SHIPPING

www.gateprotect.de

Living and working on the high seas presents particular challenges for people and machines: changing climatic conditions, dependence on the weather and the shock and vibration of heavy seas make life on board difficult. In addition, the crew faces social pressures such as living together in confined quarters and being isolated from family and friends. Unlike in other working environments, not only the working hours but all leisure time is spent on board, sometimes for several weeks at a stretch. To let the crew stay in touch with relatives and fill their free time, shipping companies often offer employees private Internet access on dedicated terminals or on their own notebooks.

Internet access is usually established over a satellite link. To keep IT operation smooth even on the high seas and to protect the ship network against malware and cyber-attacks while several users are on the web, a firewall with a broad set of security features is required. The firewall must also separate the ship's operational IT from the privately used crew network and secure the crew's private surfing with web and virus filters. For terminals shared by several persons, cost control should be possible through LAN accounting and volume restrictions; likewise, remote maintenance access from the mainland should be possible through a VPN tunnel.

The Next Generation UTM firewall appliances from gateprotect, developed in Germany, provide all-round protection against threats from the Internet and protect ship computers and crew accounts against phishing, Trojans and viruses. gateprotect understands the security requirements of shipping companies and develops individual, reliable solutions to assure security, stability and smooth operation on board. The hardware is subjected to various performance tests prior to production; for example, a 24-hour "burn-in test" is conducted in a climate chamber.

www.gateprotect.com


INTERNET ON BOARD: SAFE SURFING ON THE HIGH SEAS


Starting Situation

Information and Electrical Technology (ITE) Solutions GmbH is a specialist for IT and electrical engineering on seagoing vessels and provides its customers with security solutions for shipping and the maritime sector. The Hamburg-based company maintains, among others, the IT on 39 vessels of a Hamburg-based shipping company as well as customers all over the world. Since mid-2013, the company has deployed gateprotect solutions to assure safe surfing on the seas and oceans of the world.

„The goal of this specific project was, on the one hand, to establish safe Internet access for the ship's crew and, on the other hand, to be able to easily maintain the network from the mainland via a VPN tunnel“, explains Torsten Röcker, IT manager and deputy managing director of ITE Solutions.

For the shipping company’s headquarters in Hamburg, two GPA 600 appliances for up to 100 users have been purchased; each ship was equipped with a GPO 125.

„The gateprotect solutions convinced us because of the easy establishment of the VPN SSL tunnel between the ship and the mainland and the clearly visualized maintenance of all deployed firewalls thanks to the gateprotect Command Center. The simple and customer-focused display of the eGUI for the configuration of the firewall, the perfect “on site” service of the gateprotect PreSales staff at the Hamburg location and the transparent pricing were further reasons why we replaced our old Cisco firewall“, Röcker continues.

Finally, the customer was convinced above all by the scope of functions of the gateprotect firewalls. Monitoring the crew's Internet access with URL and content filters, combined with LAN accounting, serves not only the user-related billing of Internet use but also the enforcement of the company's usage policy.

ADVANTAGES:

- Protection against Internet-borne threats for all users
- Cyber-attacks, the entry of malware and the resulting loss of data are prevented
- The separation of networks minimizes the exposure of the ship network to attacks from the crew network
- More bandwidth for important ship IT processes, since use of the link for chats, video or social media is restricted
- Crew members are given access rights tailored to their needs

Safe Surfing & IT Compliance

The flexible content filters of the gateprotect firewall (content and URL filter as well as Application Control) allow data traffic to be analyzed against the company's own IT security criteria. Authorized persons reach the Internet content they need quickly and safely; undesired applications are blocked.

Because Application Control can restrict access to certain web sites, the shipping company is able to fulfil its duty of care and enforce compliance with internal guidelines. By blocking certain sites, it can be assured that users do not violate laws, third-party rights or moral standards through the form, content or purpose of their Internet use from a computer on board.

Accordingly, binding security guidelines agreed before departure should oblige users not to display, make publicly accessible or distribute via e-mail or web platforms any copyrighted content, pornographic content, content glorifying violence or seditious content. Incitement to criminal offences is prohibited as well.

This is especially important when employees use company-owned hardware, for example an Internet terminal made available to them. The shipping company thereby also protects itself against liability claims arising from employee misconduct.

If crew members use the shipping company's terminals to download content from the Internet, gateprotect solutions can be used to cap the permitted data volume. Equally, rules for streaming on crew members' personal devices may be imposed. For example, users may be prohibited from sending or storing data whose nature (e.g. viruses), size or replication (e.g. spam) could endanger the continued operation of the shipping company's data network.

Despite the performance of the gateprotect firewalls, the crew should be instructed to avoid sustained high-rate transfers and not to provide Internet services to third parties (web hosting, file sharing etc.), so that the bandwidth of the ship network is not overstrained.
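The volume caps, per-user billing and upload policing described in this section, and the LAN accounting mentioned under Starting Situation, come down to one gateway job: sum each account's traffic and compare it with the policy. The following Go program is an added example for this page, not gateprotect code; the log format, user names, quota and tariff are all assumptions, since the page shows none of them. It aggregates constructed accounting records per user, rejects damaged lines instead of dropping them silently, and flags both quota overruns and upload-heavy accounts of the kind the file-sharing rule targets.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strconv"
	"strings"
)

// Constructed accounting records in a hypothetical key=value export format; the page
// does not show gateprotect's real LAN accounting output. The last line is deliberately damaged.
const sampleLog = `2014-03-02T08:15:01Z user=amundsen src=10.20.1.15 dst=203.0.113.10 bytes_in=52428800 bytes_out=1048576
2014-03-02T08:20:44Z user=amundsen src=10.20.1.15 dst=203.0.113.44 bytes_in=83886080 bytes_out=2097152
2014-03-02T09:02:13Z user=nansen src=10.20.1.22 dst=203.0.113.10 bytes_in=10485760 bytes_out=524288
2014-03-02T09:40:00Z user=cook src=10.20.1.30 dst=203.0.113.77 bytes_in=0 bytes_out=157286400
2014-03-02T10:12:00Z this line is truncated`

const MiB = 1 << 20

// Usage is the traffic one user account moved in the billing period (bytes down / up).
type Usage struct{ In, Out uint64 }

// Policy holds the shipping company's per-user rules; all values are assumptions.
type Policy struct {
	QuotaBytes       uint64 // hard cap per user and billing period
	PricePerMiBCents uint64 // tariff for user-related billing, per started MiB
	UploadRatio      uint64 // Out > UploadRatio*In hints at a hosted service or file sharing
}

// Decision is the per-user outcome the crew-terminal gateway would enforce.
type Decision struct {
	User                   string
	UsedMiB                float64
	OverQuota, UploadHeavy bool
	ChargeCents            uint64
}

// parseLine extracts user, bytes_in and bytes_out from one record; a record
// missing any of the three, or with a non-numeric counter, is rejected.
func parseLine(line string) (user string, u Usage, ok bool) {
	counters := map[string]uint64{}
	for _, f := range strings.Fields(line) { // the timestamp and other bare tokens are skipped
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			continue
		}
		if kv[0] == "user" {
			user = kv[1]
		} else if n, err := strconv.ParseUint(kv[1], 10, 64); err == nil {
			counters[kv[0]] = n // src= and dst= do not parse as numbers and are not counted
		}
	}
	in, okIn := counters["bytes_in"]
	out, okOut := counters["bytes_out"]
	return user, Usage{In: in, Out: out}, user != "" && okIn && okOut
}

// Aggregate sums traffic per user. Unparseable lines are counted rather than
// silently dropped, so a damaged export cannot make usage look smaller than it was.
func Aggregate(log string) (totals map[string]Usage, rejected int) {
	totals = map[string]Usage{}
	for _, line := range strings.Split(log, "\n") {
		user, u, ok := parseLine(line)
		if !ok {
			rejected++
			continue
		}
		t := totals[user]
		t.In, t.Out = t.In+u.In, t.Out+u.Out
		totals[user] = t
	}
	return totals, rejected
}

// Evaluate applies the policy and returns one decision per user, sorted by name.
func Evaluate(totals map[string]Usage, p Policy) []Decision {
	var out []Decision
	for user, u := range totals {
		used := float64(u.In+u.Out) / MiB
		out = append(out, Decision{
			User:        user,
			UsedMiB:     used,
			OverQuota:   u.In+u.Out > p.QuotaBytes,
			UploadHeavy: u.Out >= 10*MiB && u.Out > p.UploadRatio*u.In,
			ChargeCents: uint64(math.Ceil(used)) * p.PricePerMiBCents,
		})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].User < out[j].User })
	return out
}

func main() {
	totals, rejected := Aggregate(sampleLog)
	for _, d := range Evaluate(totals, Policy{QuotaBytes: 100 * MiB, PricePerMiBCents: 50, UploadRatio: 4}) {
		fmt.Printf("%-9s %8.2f MiB  over-quota=%-5t upload-heavy=%-5t charge=%d.%02d EUR\n",
			d.User, d.UsedMiB, d.OverQuota, d.UploadHeavy, d.ChargeCents/100, d.ChargeCents%100)
	}
	fmt.Printf("%d malformed line(s) rejected\n", rejected)
}
```

Run it with `go run`; it prints one decision per user followed by the count of rejected lines. The upload-heavy check uses a ratio rather than an absolute figure because a legitimate crew account downloads far more than it uploads; an account that only pushes data is what a hosted service or a file-sharing seeder looks like from the gateway.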


Easy Operation on Shore Saves Time and Money

The best possible network security and comprehensive data protection do not need to be complicated to manage. Security solutions controlled centrally from the mainland do not tie up staff on board. Thanks to the usability approach of the gateprotect security systems, even complex IT networks are displayed clearly. Through the ergonomically designed user interface of the patented eGUI® technology, which follows the EN ISO 9241 standard, customers all over the world can control their security configuration effectively at any time with a few clicks.

The display of all security-relevant information is reduced to the essentials. This saves gateprotect customers time and money and supports a high level of security. International awards confirm this.

If several gateprotect Next Generation firewall appliances are in use, the gateprotect Command Center® enables central administration, configuration and monitoring of the firewalls. Several hundred appliances, from the GPO 75 to the GPZ 5000, may thus be controlled centrally. This substantially increases the efficiency of ongoing maintenance, which in turn raises effective security; as a consequence, operating costs may be reduced considerably.

Protected Communication on the Seas and Oceans of the World

With gateprotect Site-to-Site and Client-to-Site VPN connections via IPsec and SSL, the secure exchange of data between each of the ships and the headquarters of ITE Solutions in Hamburg is assured. gateprotect's SSL Site-to-Site solution with X.509 certificates, in which the ship and shore gateways authenticate each other with certificates issued under a common CA rather than with a shared secret, works reliably enough that the computers on the ships can be treated like hosts on the local network on shore.
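What certificate-based site-to-site authentication has to check on each tunnel endpoint is shown by the Go program below, an added example for this page rather than gateprotect's implementation. It builds an in-memory fleet CA, issues a certificate for a ship firewall, and verifies the peer the way a shore gateway should: chain to the fleet CA only, the expected peer name, and a CRL that is signed and fresh (the specification lists CRL and OCSP support; OCSP is not shown here). The CA name, host names and serial numbers are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// newCA creates the fleet's own root in memory (a real CA key stays offline at HQ).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Fleet VPN CA (example)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue signs an endpoint certificate; the endpoint key is discarded here, on a real appliance it never leaves the device.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(2 * 365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// revoke issues a CRL listing the given serials (e.g. a lost or decommissioned appliance).
func revoke(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, serials ...int64) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// verifyPeer is the check each tunnel end applies to the other end's certificate: chain, name, fresh signed CRL.
func verifyPeer(peer, ca *x509.Certificate, crlDER []byte, expectedName string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("chain: %w", err) // any other CA, or an expired certificate
	}
	if err := peer.VerifyHostname(expectedName); err != nil {
		return fmt.Errorf("peer name: %w", err) // a valid ship certificate must not pass as HQ
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil || now.After(crl.NextUpdate) {
		return fmt.Errorf("crl unusable (parse, signature or stale), failing closed: %v", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return fmt.Errorf("peer certificate %v revoked", peer.SerialNumber)
		}
	}
	return nil
}

func main() {
	now := time.Now()
	ca, caKey, _ := newCA()
	ship, _ := issue(ca, caKey, "gpo125-ship01.fleet.example", 2) // hypothetical ship firewall name
	clean, _ := revoke(ca, caKey, now)                             // nothing revoked yet
	lost, _ := revoke(ca, caKey, now, 2)                           // ship appliance reported lost
	fmt.Println("ship cert, correct name:", verifyPeer(ship, ca, clean, "gpo125-ship01.fleet.example", now))
	fmt.Println("ship cert posing as HQ: ", verifyPeer(ship, ca, clean, "gpa600-hq.fleet.example", now))
	fmt.Println("after revocation:       ", verifyPeer(ship, ca, lost, "gpo125-ship01.fleet.example", now))
}
```

The three printed lines show a valid peer accepted, the same certificate rejected when presented under the HQ name, and the certificate rejected once its serial appears on the CRL. A stale CRL is treated as a failure rather than as "nothing revoked", which matters on a satellite link where the CRL fetch itself may lag; the shore side should therefore publish a CRL whose validity window the ships can realistically refresh within.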

The firewalls on the ships are connected to the ITE Solutions headquarters in Hamburg over an SSL VPN tunnel via satellite (FleetBroadband 250/500). For this purpose the system had to be adjusted to the link's latency (round-trip times of 800-3000 ms), since liveness probes and timeouts sized for terrestrial links would otherwise tear down a tunnel that is merely slow. The VPN connections may be secured and administered with a few clicks from the gateprotect Command Center.

With functions like traffic shaping and quality of service, the gateprotect appliances on shore also make it possible to prioritize important applications such as internal accounting and billing systems so that they are not starved of bandwidth. Shaping acts on the traffic a device sends, so the shore appliances govern the downlink towards the ships while the appliance on board must shape the uplink.

ADVANTAGES:

- Remote maintenance of the firewalls from the mainland via a secure SSL VPN tunnel
- Smoothly operating ship IT without interruptions and best data availability on board and on shore
- High data security through secured, confidential exchange of business information and private data

Data Protection

To assure privacy for crew members and to protect the exchange of private data, gateprotect solutions comprise a variety of security features that also protect personal data at the headquarters on shore.

ADVANTAGES:

- Secure e-mail communication: real-time spam detection, protection against virus attacks and loss of data. With gateprotect solutions, undesired e-mails are held back directly at the gateway.
- Protection against hacker attacks: gateprotect's Intrusion Prevention System continuously monitors network traffic, analyzes packet contents and recognizes hazardous data even when it arrives on legitimate ports. In critical cases the IPS interrupts or modifies the data stream so that the attack does not reach its target.
- Extended user authentication: the rule-based authentication of the gateprotect firewall lets single users or user groups be assigned exactly the services and rights they need, with all additional options such as proxy or web filter allocated per user or group. Thus a high level of data and network security is maintained although terminals are shared on board. A single login for all services via Single Sign-On saves time, and logging in via a browser makes users independent of the operating system.
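The IPS point above, recognizing hazardous data on legitimate ports, and the Application Control feature on the specification page, filtering applications instead of ports, both rest on the same mechanism: classify the connection from its first payload bytes and decide on that, not on the destination port. The Go program below is an added example written for this page, not gateprotect's engine; its signatures cover only TLS, HTTP, SSH and the BitTorrent handshake, and the flows, addresses and crew policy are constructed.

```go
package main

import (
	"bytes"
	"fmt"
)

// Flow carries the first payload bytes of one TCP connection from the crew LAN.
// The samples are constructed for this example, not captured traffic.
type Flow struct {
	Src     string
	DstPort int
	Payload []byte
}

var sampleFlows = []Flow{
	{"10.20.1.15", 443, []byte{0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00, 0xc4, 0x03, 0x03}}, // TLS ClientHello
	{"10.20.1.22", 443, []byte("SSH-2.0-OpenSSH_6.6\r\n")},                                       // SSH hidden on 443
	{"10.20.1.30", 80, []byte("GET /news HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n")},
	{"10.20.1.30", 80, append([]byte{0x13}, []byte("BitTorrent protocol\x00\x00\x00\x00\x00\x10\x00\x05")...)},
	{"10.20.1.15", 80, []byte{0x16, 0x03, 0x01, 0x00, 0x9a, 0x01, 0x00, 0x00, 0x96, 0x03, 0x03}}, // TLS on 80
	{"10.20.1.41", 443, []byte{0x00, 0x01, 0x02, 0x03}},                                           // nothing recognisable
}

// classify names the application from payload content alone; the port plays no role.
func classify(p []byte) string {
	switch {
	case len(p) >= 3 && p[0] == 0x16 && p[1] == 0x03 && p[2] <= 0x03:
		return "tls" // handshake record, record version SSL 3.0 .. TLS 1.2
	case bytes.HasPrefix(p, []byte("SSH-")):
		return "ssh" // RFC 4253 identification string
	case len(p) >= 20 && p[0] == 0x13 && string(p[1:20]) == "BitTorrent protocol":
		return "bittorrent" // peer wire protocol handshake
	}
	for _, m := range []string{"GET ", "POST ", "HEAD ", "PUT ", "CONNECT "} {
		if bytes.HasPrefix(p, []byte(m)) {
			return "http"
		}
	}
	return "unknown"
}

// expectedOnPort is what a port-only rule silently assumes is running there.
var expectedOnPort = map[int]string{80: "http", 443: "tls", 22: "ssh"}

type Verdict struct {
	App    string
	Block  bool
	Alert  bool // application does not match what the port suggests
	Reason string
}

// Inspect decides on the detected application, not the port; a mismatch between the
// two is raised as an alert even when the application itself is permitted.
func Inspect(f Flow, allowed map[string]bool) Verdict {
	app := classify(f.Payload)
	exp, known := expectedOnPort[f.DstPort]
	mismatch := known && app != "unknown" && app != exp
	switch {
	case app == "unknown":
		return Verdict{app, false, false, "no signature matched; logged for review"}
	case !allowed[app]:
		return Verdict{app, true, mismatch, fmt.Sprintf("%s denied by application control on port %d", app, f.DstPort)}
	case mismatch:
		return Verdict{app, false, true, fmt.Sprintf("%s on port %d where %s was expected", app, f.DstPort, exp)}
	}
	return Verdict{app, false, false, "permitted"}
}

func main() {
	allowed := map[string]bool{"tls": true, "http": true} // crew policy: ssh and bittorrent are not
	for _, f := range sampleFlows {
		v := Inspect(f, allowed)
		fmt.Printf("%-11s :%-4d %-10s block=%-5t alert=%-5t %s\n", f.Src, f.DstPort, v.App, v.Block, v.Alert, v.Reason)
	}
}
```

Two of the constructed flows would pass a port-based rule, SSH on 443 and a BitTorrent handshake on 80, and both are blocked here because the policy is keyed on the detected application. TLS on port 80 is permitted but raised as an alert, since a mismatch between port and protocol is worth a look even when the application itself is allowed. Unrecognized payload is let through and logged; a real engine would keep classifying as more bytes arrive.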

High Availability and Best Performance at Sea

With a large number of users on board, permanent availability and high transfer rates are the prerequisite for smooth working procedures and frictionless communication with friends and families back home. High availability of the gateprotect firewalls is assured by active-passive failover with state synchronization, without manual intervention. Through permanent monitoring and synchronization of the systems, downtimes are kept to a minimum.

ADVANTAGES:

- Load balancing at the Internet gateway enables flexible use of different Internet connections
- Data availability and failure safety thanks to a redundant array of independent hard drives (RAID systems)
- High transfer rates, failover connections and load-distribution connections, without tedious and complicated configuration and maintenance work

ADVANTAGES OF THE EGUI® USER INTERFACE:

- Immediate visual feedback on every setting
- Self-explanatory functions
- Central overview of all active services
- Immediate overview of the entire network configuration
- Layer and zoom function for complex networks


* System performance depends on the activated proxies, IDS, application-level inspection and the number of active VPN connections. We do not offer an express or implied warranty for the correctness or currency of the information contained here (which may change at any time). Future products or functions will be made available at the appropriate time.

©2014 gateprotect AG Germany. All rights reserved.

Next Generation UTM appliances

                                    GPO 100     GPO 110     GPO 150     GPA 300     GPA 500     GPX 650     GPX 850
Interfaces
  GBE ports                         4           4           4           5           6           8           8
  WLAN (optional)                   yes         yes         yes         -           -           -           -
System performance*
  Firewall throughput (Mbps)        1 000       1 000       1 700       1 900       2 100       6 000       7 500
  VPN IPsec throughput (Mbps)       100         200         200         250         320         700         1 500
  UTM throughput (Mbps)             -           100         100         180         300         450         1 000
  IDS/IPS throughput (Mbps)         -           -           250         300         400         1 200       1 500
  Concurrent sessions               125 000     175 000     250 000     500 000     1 000 000   1 250 000   1 750 000
  New sessions per second           1 500       2 500       2 500       5 000       7 000       10 000      20 000
Dimensions
  H x W x D (mm)                    43x165x106  43x165x106  42x210x210  44x426x238  44x426x238  44x426x365  44x426x365
  Gross weight (kg)                 1.7         1.7         2.9         3           3           6           6
Power
  Input voltage (V)                 AC 100-240 for all models
  Consumption at full load (W)      20          35          35          41          41          66          66
Environmental (all models)
  Operating temperature (°C)        0 to 40
  Storage temperature (°C)          -10 to 70
  Relative humidity (non-condensing) 20 to 90 %

Next Generation Firewall appliances

                                    GPZ 1000    GPZ 2500    GPZ 5000
Interfaces
  GBE ports                         10          18          18
  SFP / SFP+ (mini-GBIC) ports      4 / 0       4 / 0       4 / 2
  Redundant HDD (RAID)              yes         yes         yes
  Redundant power supply            yes         yes         yes
  VPN crypto acceleration           yes         yes         yes
  IPMI remote management            yes         yes         yes
System performance*
  Firewall throughput (Mbps)        7 500       10 000      20 000
  VPN IPsec throughput (Mbps)       2 000       2 500       4 000
  UTM throughput (Mbps)             1 000       1 500       2 500
  IDS/IPS throughput (Mbps)         1 500       2 500       3 000
  Concurrent sessions               2 000 000   2 500 000   3 500 000
  New sessions per second           20 000      30 000      40 000
Dimensions
  H x W x D (mm)                    88x430x633  88x430x633  88x430x633
  Gross weight (kg)                 18          18          18
Power
  Input voltage (V)                 AC 100-240  AC 100-240  AC 100-240
  Consumption at full load (W)      85          120         120
Environmental
  Operating temperature (°C)        10 to 40    10 to 40    10 to 40
  Storage temperature (°C)          -40 to 65   -40 to 65   -40 to 65
  Relative humidity (non-condensing) 10 to 85 %  10 to 85 %  10 to 85 %

Changing network security requirements mean that companies demand the next generation of security systems to meet the challenge. gateprotect combines a wide range of modern security functions in a single system, the gateprotect Next Generation UTM Firewall Appliances.

* Not available in the GPO 100
*2 Only available in the GPZ series

LAN / WAN SUPPORT

- Ethernet 10/100 Mbit/s
- Gigabit and 10 Gigabit Ethernet*2
- SFP and SFP+ fibre optics support*2
- MTU changeable (Ethernet/DSL)
- PPP-PAP, PPP-CHAP authentication
- Inactivity timeout / forced disconnect time
- xDSL
- Multi-WAN support
- WAN failover
- Load balancing
- Time-controlled Internet connections
- Manual and automatic DNS assignment
- Multiple DynDNS support
- Source-based routing
- Routing protocols RIP, OSPF
- DHCP
- DMZ

MONITORING*

- System info (CPU, HDD, RAM)
- Network (interfaces, routing, traffic, errors)
- Processes
- VPN
- User authentication

SNMP
- SNMPv2c
- SNMP traps
- HA*

UNIFIED THREAT MANAGEMENT*

Web filter
- URL filter with safe-search enforcement
- Content filter
- Block rules down to user level
- Black/white lists
- Import/export of URL lists
- File extension blocking
- Category-based website blocking
- Self-definable categories
- Scan technology with online database
- Non-transparent HTTP proxy support

Application Control
- Layer 7 packet filter (DPI)
- Filter applications instead of ports
- Detection and control of Skype, BitTorrent and others, as well as Web 2.0 applications such as Facebook

Antivirus
- Kaspersky Anti-Virus engine
- Protection from malware
- HTTP, HTTPS
- FTP, POP3, SMTP
- Exceptions definable
- Manual and automatic updates

Antispam
- Scan level adjustable
- Real-time spam detection: GlobalView Cloud using Recurrent Pattern Detection (RPD)
- Mail filter
- Black/white lists
- Automatically reject/delete e-mails
- AD e-mail address import

Intrusion Prevention
- Individual custom rules
- Security level adjustable
- Rule groups selectable
- Exceptions definable
- Scanning of all interfaces
- DoS and port-scan protection
- Malicious network packet protection

Proxies
- HTTP (transparent or non-transparent)
- HTTPS
- Support for RADIUS server, AD server, local user database
- FTP, POP3, SMTP, SIP
- Time-controlled

HIGH AVAILABILITY

- Active-passive HA
- State synchronization
- Single and multiple dedicated link support
- Stateful failover

VPN

- VPN wizard
- Certificate wizard
- Site-to-Site
- Client-to-Site (road warrior)
- PPTP (legacy; its MS-CHAPv2 authentication is considered broken and it should not carry sensitive traffic)
- Export to One-Click-Connection

X.509 certificates
- CRL
- OCSP
- Multi-CA support
- Multi host-cert support

IPsec
- Tunnel mode
- IKEv1, IKEv2
- PSK / certificates
- DPD (Dead Peer Detection)
- NAT-T
- XAUTH, L2TP

SSL
- Routing-mode VPN
- Bridge-mode VPN
- TCP/UDP
- Specify WINS and DNS servers

USER AUTHENTICATION

- Active Directory / OpenLDAP support
- Local user database
- Web-interface authentication
- Windows client authentication
- Single sign-on with Kerberos
- Single and multi login
- Web landing page

TRAFFIC SHAPING / QOS

- Multiple Internet connections separately shapeable
- All services separately shapeable
- Maximum and guaranteed bandwidth adjustable
- QoS with TOS flag support
- QoS inside VPN connections

BACKUP & RECOVERY

- Small backup files
- Remote backup & restore
- Restore backup on installation
- Automatic and time-based backups
- Automatic upload of backups to an FTP or SCP server
- USB drive recovery option

LOGS, REPORTS, STATISTICS

- E-mail reporting
- Logging to multiple syslog servers
- Logs in admin client (with filter)
- Export to CSV files
- IP and IP-group statistics
- Separate services
- Single user / groups
- Top lists (surf control)
- IDS / traffic statistics
- Application Control traffic statistics
- Antivirus / antispam statistics
- Defence statistics

COMMAND CENTER

- Monitoring and active configuration of 500+ firewalls
- Central configuration and monitoring of VPN connections
- Single and group backup
- Scheduled automatic backups per group
- Single and group update and licensing
- Configuration templates applicable to multiple firewalls
- Certificate authority
- Certificate-based, encrypted connections to the firewalls (4096-bit keys)
- Display settings of all firewalls
- Role-based user management

MANAGEMENT

- Role-based firewall administration
- SSH CLI
- Desktop configuration saved/restored separately from backup
- Object-oriented firewall configuration
- Direct client update function

Ergonomic graphical user interface
- ISO 9241 compliant
- Immediate visual feedback for each setting
- Self-explanatory functions
- Overview of all active services
- Overview of the whole network
- Layer and zoom function

VLAN
- 4094 VLANs per interface
- 802.1Q Ethernet header tagging
- Combinable with bridging

Bridge mode
- OSI layer 2 firewall function
- Spanning tree (bridge ID, port cost)
- Unlimited interfaces per bridge
- Combinable with VPN-SSL

WLAN (optional)
- Dual band (2.4 GHz, 5 GHz)
- 802.11 a/b/g/n
- WPA, WPA2 / TKIP, CCMP (WPA with TKIP is deprecated; WPA2 with CCMP should be used)
- Hidden SSID
- MAC filter (black/white list)

CUTTING-EDGE SECURITY FEATURES

NEXT GENERATION UTM & FIREWALL APPLIANCES

gateprotect AG Germany has been a leading, globally active provider of IT security solutions in the area of network security for more than ten years. The solutions developed in Germany comprise next generation firewalls with all commonly used UTM functions for small and mid-sized companies, managed security systems for enterprises, and VPN client systems for connecting subsidiaries and home offices. Since 2013, gateprotect has also been offering "Complete Security", real-time protection for networks and endpoints from one source.

To defend quickly against targeted cyber-attacks and to assure permanent all-round protection for networks and devices, gateprotect has developed the eGUI® interface concept. The patented eGUI® technology is easy to operate and measurably increases real security in companies by reducing operator errors.

The gateprotect solutions comply with high international standards. Already in 2007, the company committed itself not to implement any hidden access paths (backdoors) in its firewalls. In March 2013, the packet-filtering core of the newly developed firewall was certified to "Common Criteria Evaluation Assurance Level 4+ (EAL 4+)" by the German Federal Office for Information Security (BSI). For the easy operability and comprehensive security of its UTM firewall solutions, gateprotect was the first German company to receive the Frost & Sullivan Excellence Award. Since 2010, gateprotect has been listed in the Gartner "Magic Quadrant" for UTM firewall appliances. gateprotect AG is a member of the industry association TeleTrusT e.V. and of the BSI's Alliance for Cyber-Security.

gateprotect AG Germany, Valentinskamp 24, 20354 Hamburg

Hotline: Tel. +49 (0) 40 278 850

[email protected]