Managed-Defence-on-Vessels_en
© UBIQUE Technologies GmbH  www.ubique-technologies.de

Infrastructure Security and Cost control

Secure Solutions for a secure business

Today's ships use more information technology than a medium-sized company. In addition, the demands on seaworthy hardware systems are much higher than on ordinary hardware: rough seas, high humidity and limited space require robust and reliable infrastructure systems. At the same time, the potential risks and associated costs of a functional failure of the onboard IT system by far exceed what systems designed for normal use are built to handle.

The manipulation or failure of an IT or communications network on board can have fatal consequences, from costly delays to manipulation of on-board systems or cargo software to hazards for the ship and crew.

Stable online access is essential for the captain and crew, not only for retrieval of current data, but also as a communication channel with home and for recreational activities. If private laptops or smart devices are connected to the ship's network, key onboard systems could be affected. Private browsing or the use of bandwidth-intensive applications such as multimedia streaming or video chats can exhaust satellite links quickly, causing costs to skyrocket.

Designing an IT protection system tailored to the needs of modern commercial shipping requires that factors such as acquisition and operating costs, global availability of parts and a global service structure be considered, as well as the achievable connection quality and bandwidth and the overall costs of operating the technologies used in each case.

A distinguished Cyber Security specialist since 2011, UBIQUE Technologies offers worldwide protection for digital infrastructures against manipulation, infiltration and IT-related malfunctions. With Cyber Security Command Centers, manned around the clock in its own data centers in Germany, UBIQUE Technologies stands for the immediate defense against digital attacks as well as the targeted initiation of appropriate countermeasures to protect digital and physical assets.
Infrastructure Security and Cost control

Network separation / Network division

The first steps to be taken in order to increase network security on board are to create separate networks for intra- and inter-ship communications and for crew usage, and to integrate security filters into the data stream.

The separation of individual network segments simplifies network management, enables cost control of the services provided, and greatly enhances security.

Access control

The token-based Internet access system enables compliance with legal privacy requirements and protects the network operator, in this case the ship owner, from liability claims by individual crew members without the need to restrict internet usage. The Dual Control (two-person) principle allows legally compliant retention of log data, which can later be analyzed if required.

Access control also allows personal or group-based bandwidth allocation and can prioritize or block internet or application access on the basis of operational plans.

Internet Filter

The content filter employed protects against unlawful use of the internet connection by crew members and can be tailored at any time to meet the legal requirements of the various ports of call or countries. At the same time, downloads containing malware or other hazardous content are caught and blocked.

Service oriented Failover

General use of a FleetBroadband (FBB) connection, which is usually billed by volume, is considerably more expensive than a VSAT link. In case of a VSAT connection failure, only the operational and security-related services vital to the ship's operation should be transferred to the FBB so that they remain available.

Although non-critical services, such as surfing the internet, are then no longer available to the crew as a whole, these functions can still be used by specifically defined groups of crew members on the FBB. In addition, personalized internet and application access can be limited, either depending on the connection in use or by volume or time, extending the system's capabilities to ensure optimum cost control.

The allocation of defined bandwidths, either fixed or as a percentage, to defined applications, links, individuals or groups provides each with the optimal availability of important systems and information sources.
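The failover and bandwidth rules above are easiest to reason about as an explicit policy. The following is an added example, written for this page and not UBIQUE's product code: it models a primary VSAT link and a backup FBB link, lets only critical services (plus explicitly cleared crew groups) through on the backup, and allocates fixed shares before percentage shares. All service names, group names and link capacities are constructed assumptions. The point it adds to the text is the arithmetic: on a small FBB link the fixed guarantees must be checked against capacity first, otherwise a percentage-only policy silently starves the services the failover was meant to protect.

```python
from dataclasses import dataclass

# Assumed link capacities in kbit/s (constructed figures, not vendor data).
LINK_KBPS = {"VSAT": 4096, "FBB": 432}


@dataclass(frozen=True)
class Service:
    name: str
    critical: bool                  # vital to ship operation: stays up on the backup link
    fixed_kbps: int = 0             # guaranteed share, allocated first
    percent: float = 0.0            # share of whatever is left after fixed allocations
    groups_on_backup: frozenset = frozenset()  # crew groups still allowed on FBB


# Constructed service catalogue for the example.
SERVICES = (
    Service("nav_updates", critical=True, fixed_kbps=256),
    Service("security_telemetry", critical=True, fixed_kbps=128),
    Service("crew_browsing", critical=False, percent=50,
            groups_on_backup=frozenset({"officers"})),
    Service("video_chat", critical=False, percent=30),
)


def active_link(vsat_up: bool) -> str:
    """Service-oriented failover: VSAT while it is up, otherwise the metered FBB link."""
    return "VSAT" if vsat_up else "FBB"


def permitted(service: Service, link: str, group: str) -> bool:
    """On the primary link everything is allowed; on the backup link only critical
    services and the groups explicitly cleared for a non-critical service."""
    if link == "VSAT":
        return True
    return service.critical or group in service.groups_on_backup


def allocate(services, capacity_kbps: int) -> dict:
    """Fixed shares first; percentage shares are taken from the remainder.
    Refuses a policy that oversubscribes the link instead of silently
    starving the critical services."""
    fixed = sum(s.fixed_kbps for s in services)
    if fixed > capacity_kbps:
        raise ValueError(f"fixed allocations ({fixed} kbit/s) exceed "
                         f"link capacity ({capacity_kbps} kbit/s)")
    if sum(s.percent for s in services) > 100:
        raise ValueError("percentage allocations exceed 100%")
    remainder = capacity_kbps - fixed
    return {s.name: s.fixed_kbps + remainder * s.percent / 100 for s in services}


def policy_fits(services, capacity_kbps: int) -> bool:
    """True if the catalogue can be honoured on a link of the given size."""
    try:
        allocate(services, capacity_kbps)
        return True
    except ValueError:
        return False


def plan(vsat_up: bool, group: str) -> dict:
    """Resolve which link is in use, which services this group may reach on it,
    and how much bandwidth each of them gets."""
    link = active_link(vsat_up)
    allowed = [s for s in SERVICES if permitted(s, link, group)]
    return {"link": link, "bandwidth_kbps": allocate(allowed, LINK_KBPS[link])}


if __name__ == "__main__":
    for vsat_up, group in ((True, "deck"), (False, "deck"), (False, "officers")):
        print(vsat_up, group, plan(vsat_up, group))
```

Run with the VSAT down, a deck-crew member sees only the two critical services on the FBB, while an officer additionally gets browsing out of the 48 kbit/s left after the fixed guarantees; with a 200 kbit/s link the same catalogue is rejected outright because the fixed shares alone exceed it.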
Infrastructure Security and Cost control

Network Access Control

State-of-the-art encryption technologies are used to protect wireless networks (Wi-Fi); however, it is only a matter of time before an intrusion into a WLAN is successful. That is why we have added an active, tamper-resistant network access control (NAC) to our security system.

This additional layer of protection continuously scans all network activity without burdening the network itself. Should an attacker gain illegal access to a network segment, he is identified within milliseconds and any communication between the attacker's system and the internal systems is prevented.

Vulnerability Management and Reporting

Just as the firewall provides the protective functions needed to block attacks arriving over IP, the NAC not only scans all internal network traffic to and from unknown systems, but also checks for inconsistencies in network communication (for example, an address claimed by more than one device) and monitors all connected systems for vulnerabilities.

The system records all security breaches in a tamper-proof database, which is passed on to the control room, where they can be followed up in compliance reports and process-driven workflows as necessary.

Application Containment

Application Containment provides another important layer of security for highly sensitive applications. A containerized application runs within a container application, and every application interface is monitored.

This protects the application itself, as well as all data input, against manipulation and any unlawful data tap. Even keystrokes are encrypted before being passed on to the protected application within the container application.

Containerization makes it possible not only to run trusted applications in untrusted environments, but also to execute untrusted applications in trusted environments.
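The NAC checks described above (unknown systems on a segment, inconsistent address claims) come down to comparing what is seen on the wire with an inventory of authorised devices. The following is an added example for this page, not UBIQUE's NAC: it parses a constructed neighbour-table dump in a simple "ip mac vlanN" form, compares it with a constructed inventory, and reports unknown devices, devices on the wrong segment, and IP addresses claimed by more than one MAC (the pattern ARP spoofing leaves behind). The inventory, the dump format and the MAC addresses are all assumptions; a real NAC would enforce the resulting quarantine list at the switch or access point rather than just return it.

```python
import re
from collections import defaultdict

# Constructed inventory of authorised devices: MAC -> (expected IP, expected VLAN).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("10.0.10.5", 10),
    "aa:bb:cc:00:00:02": ("10.0.10.6", 10),
    "aa:bb:cc:00:00:03": ("10.0.20.9", 20),
}

# Constructed neighbour-table dump: one "ip mac vlanN" entry per line.
# Line 3 is a second MAC claiming 10.0.10.6, line 4 a known device seen on the
# wrong VLAN, line 5 a device nobody registered.
OBSERVED = """\
10.0.10.5   aa:bb:cc:00:00:01  vlan10
10.0.10.6   aa:bb:cc:00:00:02  vlan10
10.0.10.6   de:ad:be:ef:00:01  vlan10
10.0.20.9   aa:bb:cc:00:00:03  vlan10
10.0.10.77  de:ad:be:ef:00:02  vlan10
"""

LINE = re.compile(r"^\s*(\S+)\s+([0-9a-f:]{17})\s+vlan(\d+)\s*$", re.I)


def parse(dump: str) -> list:
    """Return (ip, mac, vlan) tuples; lines that do not match are ignored."""
    entries = []
    for line in dump.splitlines():
        m = LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower(), int(m.group(3))))
    return entries


def audit(inventory: dict, entries: list) -> list:
    """Produce (kind, mac, detail) findings for everything that contradicts the inventory."""
    findings = []
    by_ip = defaultdict(set)
    for ip, mac, vlan in entries:
        by_ip[ip].add(mac)
        if mac not in inventory:
            findings.append(("unknown_device", mac, f"{ip} on vlan{vlan} is not in the inventory"))
            continue
        exp_ip, exp_vlan = inventory[mac]
        if vlan != exp_vlan:
            findings.append(("wrong_segment", mac, f"seen on vlan{vlan}, expected vlan{exp_vlan}"))
        if ip != exp_ip:
            findings.append(("ip_mismatch", mac, f"uses {ip}, expected {exp_ip}"))
    # Communication inconsistency: one IP answered by several MACs. The MAC that
    # the inventory assigns to that IP is the legitimate owner; the rest are flagged.
    for ip, macs in by_ip.items():
        if len(macs) > 1:
            owners = {m for m in macs if inventory.get(m, (None,))[0] == ip}
            for m in sorted(macs - owners):
                findings.append(("ip_conflict", m, f"claims {ip} alongside {sorted(macs - {m})}"))
    return findings


def quarantine(findings: list) -> list:
    """MACs whose traffic should be cut off: unknown devices and address hijackers.
    A known device on the wrong segment is reported but not blocked here."""
    return sorted({mac for kind, mac, _ in findings if kind in ("unknown_device", "ip_conflict")})


if __name__ == "__main__":
    found = audit(INVENTORY, parse(OBSERVED))
    for f in found:
        print(*f)
    print("quarantine:", quarantine(found))
```

On the constructed dump the two de:ad:be:ef devices end up in the quarantine list (one as unknown and additionally as the second claimant of 10.0.10.6), while the misplaced aa:bb:cc:00:00:03 only raises a wrong-segment finding for the control room to follow up.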
Centrally managed, optimal Security

Responsibility for the management of the protection system is allocated to a central location, either the headquarters of the shipping company or UBIQUE Technologies' data center in Germany.

Access control and separation of functions

The administrating employees are authenticated through a token system. The central management interface allows them access only to the functions for which they have been authorized. This enables a granular implementation of the separation of functions between the various administrative tasks.

Pull and Push

In order to minimize the bandwidth load as much as possible, the transmission of log information and reports can be controlled and timed at a granular level. The transmission itself can be switched from the standard push method, where the individual applications automatically pass their information to headquarters, to the pull method, where the central log and reporting server actively retrieves the information from the appliances.

This also applies to rule changes. System rule changes can be executed either directly on the appliance or through the central control center. They are then synchronized on both sides, in the data center and on the individual appliance on board, so that uniform rules are in force.

This makes it possible to set up rules centrally and, after central clearance, push them to the connected appliances on board and activate them.
Centrally secured accesses with fixed IP addresses

Often, in addition to requiring username and password, application and system access can be limited to a single accessing IP address, which further reinforces system protection.

UBIQUE Technologies' central VPN Fixed-IP Service makes the use of a fixed IP address in the authentication process possible without losing the convenience of widespread or even mobile access.

Employees and service providers set up their VPN to our data center as usual, from headquarters or on the road, using their laptops, and access the systems to be administered through it.

Employee access is secured through the use of a token system. The one-time passwords used to log in are generated by the token and change in a 30-60 second cycle.

Each employee enters his username, known only to himself, and the one-time password provided by a hardware or software token to gain access to the central access point, where he then authenticates his identity.