Cybersecurity - Next Gen Firewalls for Superyachts
Firewalls were designed to protect conventional networks against cyber threats. On board a superyacht, however, it is not so straightforward: the firewall has become an instrumental component not only in protecting your yacht's network but also in shaping the owner's and guests' experience.
With each person connected to your ship's network in multiple ways, from a smartwatch to a tablet, the firewall has become the network's delegator. It allows you to shuffle around the available bandwidth on offer from multiple WANs and to channel that bandwidth to your desired VLAN.
You will also have the ability to block, throttle or allow your colleagues as a group or as individuals. From my experience, you can ask the crew to limit their usage on board during the charter season; however, there is always one who doesn't understand that it's not OK to stream Netflix, as they don't realise they're eating up a lot of data! That's why it's essential that you don't leave that scenario to chance and make sure your firewall's traffic and bandwidth management rules are optimised and in place.
With the limited amount of bandwidth on offer in some of the remote locations that vessels travel to, the yacht's crew have to be in control of the yacht's network especially since, more than ever, multi-million dollar business owners need to be connected. With the ever-popular Zoom and Microsoft Teams being the go-to platforms for meetings, it's essential that yacht owners can hold business meetings without interruption, stutters or blips in the connection, which is why the firewall has become the go-to place to make all these changes possible.
Why Do I Need A Firewall?
The first step is to understand the benefits of a firewall and its ability to protect your data in an ever-changing digital age, especially on board superyachts. Even if your vessel only relies on technology and its networks for minimal operations, it's equally important that you put the appropriate protections in place. Firewalls serve as a first line of defence against external threats, malware and hackers trying to gain access to your data and systems.
Do you know somebody who has had a social media/bank/web account hacked, stolen or abused? We certainly do, and it's our duty as crew members to have the correct layers in place to prevent this from happening to anyone on board on our watch!
What is a Next Generation Firewall?
A next generation firewall is a security solution that protects an IT network from external threats or viruses. Its Intrusion Prevention System (IPS) is scalable and intelligent enough to recognise many forms of threat. From a technology standpoint on board, it's the most crucial piece of equipment to secure and separate your ship's IT network (LAN) from the web; the web side can be VSAT, 4G, shore connection, marina WiFi and fleet broadband interfaces (WANs).
The next-generation firewall protects your ship's network and data from viruses, malware and malicious activity via its Unified Threat Management (UTM) solution. It will also offer a VPN, plus web content and application filtering to block out unwanted tracking and websites. You can even monitor the demand on your network per device, an essential feature to keep on top of internet abusers.
Below we have highlighted what we believe is vital in a firewall and how it protects your network:
User Friendly User Interface
Not all engineers on board are familiar with IT but, in our opinion, the user must have a clear understanding of how to manage their network. The firewall user interface should be easy to navigate and able to handle all administration and configuration activities from a web-based application. An over-complicated UI or command line would make it difficult to manage regardless of the deployment option you choose. The firewall should give you the ability to operate it anytime and anywhere from your PC. It should give clear visibility of system health and network traffic, allowing quick and secure access to security settings. You can manage users and bandwidth and set traffic policies from an intuitive interface, and automatically back up your custom settings to secure cloud-based storage via integration with Samepage or FTP.
Integrated Antivirus
An advanced antivirus should be present alongside a sufficient firewall to keep viruses, worms, trojans and spyware from infecting your network! An integrated antivirus will scan all web and FTP traffic, email attachments and downloads, automatically keeping up to date with the latest virus definitions to stop modern threats. A good antivirus will protect endpoints against viruses and other malware and ransomware infections, rolling back their effects.
Nowadays, with nearly all onboard tech having a TeamViewer-style remote-access backdoor or an internet connection of its own, there are numerous possible entry points into your vessel. Every system is getting smarter by the day, and so are the viruses! Do not skimp on this; be open-minded and secure your vessel.
Deep Packet Inspection
Deep packet inspection (DPI) examines the contents of packets rather than just their headers, and so helps keep the integrity of your servers to a maximum, alongside advanced network routing capabilities including simultaneous IPv4 and IPv6 support. It lets you create inbound and outbound traffic policies and restrict communication by specific URL, traffic type, content category and time of day.
The IPS adds a transparent layer of network protection, with Snort-based behaviour analysis and a regularly updated database of rules and blacklisted IP addresses drawn from emerging threats. The added visibility provided by DPI's probing analysis helps IT teams to enforce more comprehensive and detailed cybersecurity policies, which is why many firewall manufacturers have added it to their feature lists over the years.
Web Content Filtering
Streaming media sites such as Netflix, and peer-to-peer downloads, can use a significant proportion of the available bandwidth, which can slow the internet connection. Limiting the amount of accessible streaming media should maintain a good internet speed for everyone. Web content filtering adds a much needed layer of security to the network by blocking access to sites that raise the alarm, such as porn sites or other unwanted sites, before they enter your ship's network. This can be a great tool to shape your network, as you can selectively block, allow or log access to categories of web content with the Web Filter. It also keeps your users from visiting malware sites that are known to contain viruses and spyware, or to engage in phishing or identity theft.
In summary, web filtering protects your network and boosts user productivity by limiting user access to dangerous or inappropriate sites, or those that waste time/bandwidth.
Granular Control Over Users
From a network manager's point of view, it is critical to have granular control of your VLANs and users, especially when charter guests or the owner of the vessel are on board. Every firewall will have the ability to prioritise and monitor network traffic to guarantee high-speed transmission for the most important users and traffic types. Internet Load Balancing optimises internet access by distributing traffic across multiple links. However, one drawback of being at sea is that you need to be careful here, as you cannot balance WANs with different latencies (4G at 50/60 ms and VSAT at 600 ms). QoS (Quality of Service) gives you fine-grained control over how much bandwidth each type of network traffic can consume; you can cap lower-priority traffic by setting a bandwidth maximum or guarantee high-priority traffic by assigning a minimum.
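As an added illustration of the minimum-guarantee and maximum-cap behaviour described above (this is example code written for this article, not any vendor's QoS engine), the following Python models how a single WAN link's capacity is shared between traffic classes; the class names, link speed and demand figures are all constructed.

```python
from dataclasses import dataclass

@dataclass
class TrafficClass:
    name: str
    demand_mbps: float              # what the class would use if left alone
    min_mbps: float = 0.0           # guaranteed floor for priority traffic
    max_mbps: float = float("inf")  # hard cap for low-priority traffic

def allocate(link_mbps, classes):
    """Two-pass share-out: honour guarantees first, then water-fill the rest.
    A class never receives more than its cap or its actual demand. If the
    guarantees alone exceed the link, later classes simply get nothing, so
    keep the sum of minimums below the slowest WAN's real throughput."""
    alloc = {}
    remaining = link_mbps
    # Pass 1: guaranteed minimums (capped at what the class actually wants).
    for c in classes:
        share = min(c.min_mbps, c.demand_mbps, remaining)
        alloc[c.name] = share
        remaining -= share
    # Pass 2: split leftover capacity equally among classes still below their
    # ceiling; classes that fill up drop out and their unused slice is re-shared.
    active = [c for c in classes if alloc[c.name] < min(c.max_mbps, c.demand_mbps)]
    while remaining > 1e-9 and active:
        slice_ = remaining / len(active)
        still_active = []
        for c in active:
            ceiling = min(c.max_mbps, c.demand_mbps)
            take = min(slice_, ceiling - alloc[c.name])
            alloc[c.name] += take
            remaining -= take
            if alloc[c.name] < ceiling - 1e-9:
                still_active.append(c)
        active = still_active
    return alloc

# Constructed scenario: a 20 Mbps VSAT link, the owner's video call guaranteed
# 6 Mbps, crew streaming capped at 4 Mbps, crew browsing capped at 3 Mbps.
VSAT_LINK_MBPS = 20
SAMPLE_CLASSES = [
    TrafficClass("owner_video", demand_mbps=8, min_mbps=6),
    TrafficClass("crew_streaming", demand_mbps=30, max_mbps=4),
    TrafficClass("guest_general", demand_mbps=10),
    TrafficClass("crew_general", demand_mbps=5, max_mbps=3),
]

if __name__ == "__main__":
    for name, mbps in allocate(VSAT_LINK_MBPS, SAMPLE_CLASSES).items():
        print(f"{name:15s} {mbps:5.1f} Mbps")
```

On the 20 Mbps link the owner's call gets its full 8 Mbps, the crew streamer is held to 4 Mbps despite wanting 30, and the guest VLAN picks up the 5 Mbps that is left.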
Real Time Monitoring
Real time monitoring is an absolute must, and it's key to get detailed usage reporting with statistics. This component lets engineers, ETOs or captains view the internet activity details of individual users, from a list of all sites visited (and when) to the specific search terms users enter on search engines and regular websites with search capabilities. When you have visibility, it's great to use these granular usage insights to refine traffic shaping rules, monitor crew and guest usage, and more. In some cases these highly granular reports can automatically run on a schedule and be emailed to you, ready for your review; there will be no need to actively pull reports each week. The monitoring turns the ones and zeros into real-world examples, making it easy for the operator to observe and digest.
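To show what such a per-user usage report looks like once the figures leave the firewall, here is an added Python example (not from the article or any firewall vendor) that aggregates per-device usage records and flags the streaming over-users the article warns about; the record format, user names and byte counts are constructed.

```python
from collections import defaultdict

# Constructed sample export: timestamp, user, device, traffic category, MB.
SAMPLE_LOG = """\
2021-06-01T09:00:00 owner      ipad-owner   video-conf  850
2021-06-01T09:30:00 deckhand1  phone-dh1    streaming   1200
2021-06-01T10:00:00 chef       laptop-chef  web         60
2021-06-01T12:15:00 deckhand1  tablet-dh1   streaming   2300
2021-06-01T13:00:00 owner      ipad-owner   web         40
2021-06-01T18:00:00 stew2      phone-stew2  streaming   400
"""

def parse_log(text):
    """Parse whitespace-separated records; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, user, device, category, mb = line.split()
        records.append({"ts": ts, "user": user, "device": device,
                        "category": category, "mb": float(mb)})
    return records

def usage_by_user(records):
    """{user: {category: MB}} so the ETO can see who is using what."""
    totals = defaultdict(lambda: defaultdict(float))
    for r in records:
        totals[r["user"]][r["category"]] += r["mb"]
    return {u: dict(cats) for u, cats in totals.items()}

def rank_users(records):
    """[(user, total MB), ...] heaviest first, for the weekly report."""
    usage = usage_by_user(records)
    return sorted(((u, sum(c.values())) for u, c in usage.items()),
                  key=lambda item: item[1], reverse=True)

def flag_streaming_abusers(records, daily_limit_mb):
    """Users whose streaming exceeds the allowance, with the devices involved,
    ready to feed into a per-user throttle or block rule."""
    flagged = {}
    for user, cats in usage_by_user(records).items():
        if cats.get("streaming", 0.0) > daily_limit_mb:
            devices = sorted({r["device"] for r in records
                              if r["user"] == user and r["category"] == "streaming"})
            flagged[user] = {"streaming_mb": cats["streaming"], "devices": devices}
    return flagged

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, mb in rank_users(recs):
        print(f"{user:10s} {mb:8.0f} MB")
    print("over streaming limit:", flag_streaming_abusers(recs, 1000))
```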
VPN Servers & Tunnels
In the current climate, it's become more common and necessary to work from home and, with this, you may need to connect back to your ship’s network/fileserver. There is no more secure way than a VPN tunnel back into your ship's network. The user will have all the benefits of working from home and still be able to connect to the ship's network securely, enabling them to get on with their day as if they are on board. We must get asked to enable this service at least three or four times every week, giving remote users and branch offices the ability to use the VPN tunnel to headquarters securely and efficiently.
VPN tunnelling is simple to set up, requiring minimal configuration, and it provides a high-performance network connection. Alternatively, use industry standard IPsec/L2TP for connectivity from mobile devices or third party firewalls. To add an extra layer of security, you should have the ability to enable two-step verification for all forms of remote access.
Is Your IT Network Likely to be Attacked?
The rate at which the yachting industry moves in terms of technological advances leaves us incredibly vulnerable. As we introduce more digitally connected devices onto our network, we also invite thieves and criminals. The firewall has become critical in preventing hackers from gaining unauthorised access to your data, emails, systems and more. A firewall can stop a hacker completely or deter them into choosing an easier target.
How do I know which firewall is right for me?
There are a good handful of firewall brands that have stamped their authority in the maritime market. These are Kerio Control, Sophos, Cisco Meraki MX, Cisco ASA, Fortinet, Palo Alto and pfSense, to name a few. The most popular are Kerio Control and Sophos in our experience, and I would say this is down to the easy usability of both firewalls - both have a very logical layout of their software. They're not perfect for everyone but, for most users, especially the kind who haven't got the best IT skills, they are user friendly and perform well.
At the other end of the spectrum, IT engineers will probably prefer a Cisco ASA or Palo Alto, which require much more in-depth user knowledge and, in some cases, writing command lines to make changes to the firewall. When deciding on a model, be sure to go for the latest generation, which should include excellent build quality with high-powered network processors/CPUs, SSDs and a fair amount of memory.
Get in touch with us!
If you wish to discuss any of the above points, we would love to hear from you! We always offer free one-to-one advice and a health check on every firewall when you purchase a licence from us, to make sure your firewall is set up and optimised correctly. For more information on our firewall bundles please email firstname.lastname@example.org.