Secure Naval WiFi-Solution

The wireless network is based upon Fortinet equipment and software. The Fortinet system consists of a Virtual Controller and Access Points to create a virtualized wireless LAN, which connects the handhelds and other wireless hardware for seamless mobility. The Wifi controller will manage the Access Points in such a way that the handheld device will only connect to one virtual Access Point. Normally when a device is out of range of a fixed Access Point, it will need to connect to another Access Point and all connections will need to be restarted during the handover. This takes time and resources and is inconvenient for streaming applications such as a phone conversation. With the Fortinet Access Point system all connections are moved seamlessly from one Access Point to another in range, meaning that the handheld user will not even realize that the handheld’s association was moved to another Access Point.

End station users such as handhelds, laptops, tablet PCs and/or other similar devices are able to connect via the Access Points based on 802.11g, 802.11n or 802.11ac. The Wifi controller software. It is also possible to create a virtual LAN (VLAN) for data to be exchanged with hardware such as tablets.

The basic function of the Fortinet Wifi controller is a single point of configuration for the entire wireless network. The Access Points are controlled and configured by the Wifi Controller. During the session lifetime of a wireless device, the Wifi controller will define upon which Access Point the session will exist.  

General Description

The virtual machines are delivered on an external hard drive. After installation the configuration can be imported into the system. The Fortinet Controller is the heart of the WCMS system and controls every connection to a wireless device on the Ship. The Fortinet Network solution utilises virtualisation technology to create an intelligent and self-monitoring wireless network. Where conventional wireless communication relies on client-driven handover or roaming, the Fortinet Controller decides when a device is transferred from one Access Point to another, so the client never has to hand over or roam itself. The Wifi Controller also performs load balancing. For example: five users are connected to one Access Point and four of them are on a phone call. If the fifth user then starts a phone call, the Wifi Controller can move two users to another Access Point.

Wi-Fi

The Fortinet Network provides a single-channel Wi-Fi architecture. This means that all Access Points (APs) are on the same channel, making Radio Frequency configuration and management easier. Furthermore, since one ‘network’ resides on one channel, you can layer multiple channels or networks to improve throughput and capacity, as well as separate applications and/or users onto different physical networks/channels. With this design it is the Fortinet Wifi Controller, not the client, that decides when a device is transferred to another AP, because the client ‘thinks’ there is only one AP. Since the client only sees one big access point, it is never triggered to roam.

Fortinet’s philosophy has been from the start in 2002 to design a wireless solution that is ready for an all-wireless environment.

This means a solution that provides high-density access and fully supports voice and video applications for this high number of users. To achieve this, they needed to take control of the network rather than let clients define the speed of the network, when to roam, where to roam and how to distribute themselves over the available resources, and thus, in essence, define how the user experiences the application.

The roaming decision is no longer taken by a single component in the network (the client) but by the controller, which has the complete overview of the network. Roaming decisions are thus based upon AP load, AP throughput, number of clients, client signal strength, packet errors and packet retries. The roaming itself happens in less than 2.5 ms, regardless of the type of security used. This means that it is seamless for the client and guarantees seamless use of voice, streaming video and real-time data across the network.
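A controller-side AP selection routine that combines the roaming criteria listed above with the load-balancing behaviour described in the General Description (the busy AP with four callers). This is an added illustration, not Fortinet's algorithm: the weights, the RSSI and client-count thresholds, the hysteresis value and the sample APs are all assumptions chosen to make the decision concrete.

```python
"""Controller-side AP selection illustrating the roaming criteria the page
lists (AP load, throughput, client count, client signal strength, packet
error and retry rates). Added example, not Fortinet's algorithm: the
weights, thresholds and sample APs are assumptions chosen for illustration."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class ApMetrics:
    name: str
    clients: int            # clients currently associated with this AP
    load_pct: float         # channel utilisation, 0-100
    throughput_mbps: float  # recent AP throughput headroom (assumed 0-100 scale)
    rssi_dbm: int           # signal strength at which this AP hears the client
    error_rate: float       # packet error fraction, 0-1
    retry_rate: float       # packet retry fraction, 0-1

MIN_RSSI_DBM = -75  # assumed: weaker than this and the AP is not a candidate
MAX_CLIENTS = 8     # assumed per-AP client cap used for load balancing

def score_ap(ap: ApMetrics) -> float:
    """Higher is better; -inf marks an AP that must not be chosen."""
    if ap.rssi_dbm < MIN_RSSI_DBM or ap.clients >= MAX_CLIENTS:
        return float("-inf")
    signal = (ap.rssi_dbm + 90) / 40                 # ~0 at -90 dBm, ~1 at -50 dBm
    load = 1 - ap.load_pct / 100
    quality = 1 - max(ap.error_rate, ap.retry_rate)
    headroom = min(ap.throughput_mbps / 100, 1.0)
    seats = 1 - ap.clients / MAX_CLIENTS
    return 0.35 * signal + 0.25 * load + 0.2 * quality + 0.1 * seats + 0.1 * headroom

def choose_ap(candidates: List[ApMetrics], current: Optional[str] = None,
              hysteresis: float = 0.1) -> str:
    """Return the AP the controller should place the client on. The client
    stays where it is unless another AP scores better by at least
    `hysteresis`, so small metric fluctuations do not bounce it around."""
    best = max(candidates, key=score_ap)
    if current is not None:
        cur = next(a for a in candidates if a.name == current)
        if score_ap(best) - score_ap(cur) < hysteresis:
            return current
    return best.name

# Constructed sample: ap1 is busy with five clients (four on calls), ap2 is
# lightly loaded, ap3 is heard too weakly to be usable.
SAMPLE_APS = [
    ApMetrics("ap1", 5, 70.0, 60.0, -55, 0.05, 0.10),
    ApMetrics("ap2", 2, 20.0, 120.0, -62, 0.01, 0.03),
    ApMetrics("ap3", 0, 0.0, 150.0, -80, 0.00, 0.00),
]
```

With these inputs `choose_ap(SAMPLE_APS, current="ap1")` moves the client to `ap2`, while a larger hysteresis keeps it on `ap1`; the unusable `ap3` is never chosen because its score is minus infinity.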

Security

The Wireless Communication System is implemented with Wireless Access Points that grant access to users via the RADIUS protocol (remote user authentication and accounting). A separate virtual port is created for each device on the network. From a system administrator’s perspective, the Wifi Controller is configurable from a single point. Instead of configuring all devices all over the Ship, one configuration is created and all devices are attached to that configuration. The Wifi Controller uses the data link layer (Layer 2) to communicate with the devices. No IP addresses are used in this protocol, and the Wifi APs will register with every Fortinet Wifi Controller they find in the network. The Wifi Controller applies RADIUS-based MAC filtering, whereby device MAC addresses are set up and managed on a remote RADIUS server. When a new device attempts to join the network, the WiFi Controller queries the RADIUS server with the MAC address to determine whether the client is permitted or not.
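The MAC-filtering exchange described above, as an added example that is not part of the original page or Fortinet's software: the controller normalises the joining device's MAC, builds the RADIUS Access-Request it would send, and admits the client only on Access-Accept. The allowlist and the in-memory lookup are constructed stand-ins for the remote RADIUS server; the attribute names are the standard RADIUS ones.

```python
"""RADIUS-based MAC filtering as the page describes it: when a device joins,
the controller sends its MAC address to the RADIUS server and admits the
client only on Access-Accept. Added example, not Fortinet code: the allowlist
and the in-memory 'server' are constructed stand-ins for a remote RADIUS
server; the attribute names are the standard RADIUS ones."""
import re
from typing import Dict, Optional

# Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabbccddeeff (one separator style).
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")

def normalize_mac(mac: str) -> Optional[str]:
    """Canonical lower-case colon form, or None if the string is not a MAC.
    Controllers and RADIUS servers format MACs differently; the user entry
    on the server must match byte-for-byte, so both sides need one form."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        return None
    digits = re.sub(r"[:-]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

# Constructed stand-in for the remote RADIUS server's user database, keyed by
# MAC because MAC authentication sends the MAC as the User-Name.
ALLOWED_MACS: Dict[str, str] = {
    "00:11:22:aa:bb:cc": "handheld-01",
    "00:11:22:aa:bb:dd": "tablet-bridge-02",
}

def radius_mac_auth(calling_station_id: str, nas_id: str = "wifi-controller-1") -> dict:
    """Build the Access-Request the controller would send and return the verdict.
    In production the dictionary lookup is replaced by a real RADIUS exchange;
    a reject for a malformed or unknown MAC is worth logging for detection."""
    mac = normalize_mac(calling_station_id)
    request = {"User-Name": mac, "Calling-Station-Id": mac, "NAS-Identifier": nas_id}
    if mac is None:
        return {"request": request, "code": "Access-Reject", "reason": "malformed MAC"}
    device = ALLOWED_MACS.get(mac)
    if device is None:
        return {"request": request, "code": "Access-Reject", "reason": "unknown MAC"}
    return {"request": request, "code": "Access-Accept", "device": device}
```

Because a MAC address is an identifier rather than a secret, this allowlist is one layer beside the wireless security the page refers to, not a replacement for it; keeping a log of every Access-Reject gives the operators a record of unknown devices attempting to join.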

Redundancy

Two Fortinet WiFi Controllers are required for redundancy, and both are hosted in the network. The Wifi Controllers fail over if one WiFi Controller goes offline or becomes unusable, ensuring uninterrupted service. The rest of the WiFi Controller equipment consists of access points.

AirTime Fairness

Fortinet defined AirTime Fairness, whereby every client is given the same amount of airtime, and during that time slot every client can transmit at its highest rate, so the fast client finishes first rather than last. This has been copied by others over time, but no one can match the uniqueness of Fortinet’s architecture in providing this both downstream and upstream. Voice and video consist of small packets, which is inherently difficult for a network, and both are bidirectional. These are not websites you visit, where 90% of the traffic is download.

Ships and Wi-Fi

A ship is probably the most difficult environment one can find. One is faced with a lot of challenges:

  • lots of metal and thus reflections
  • multipath fading in hallways
  • Faraday cages when doors are closed
  • lots of obstructions as in engine rooms
  • white noise from those engines sometimes blocking a big part of the frequency band
  • low ceilings and thus difficult propagation of the signal

Fortinet has proven to be the Wi-Fi solution of choice in this environment where it is mission-critical, as it is for voice, alarming, video, etc. Due to the nature of a ship, a lot of APs are visible to the client but can just as easily disappear a moment later. A controlled approach, in which the controller monitors the client, assures seamless roaming throughout the ship.

Due to the criticality of the solution, the system’s excellent redundancy options, both on the controller side and on the AP/channel layer side, ensure that the system is always on.

Consequently, Fortinet’s experience with Wi-Fi on ships is rapidly increasing, both in difficulty and scale:

  • Royal Dutch Navy (4 patrol ships, 1 Joint Support Ship)
  • 32+ large and very large (5000+ passengers and crew) cruise ships, varying from pervasive coverage to streaming video over WLAN for 4000+ passengers
  • 20 on-sea installations
  • 4 Super Yachts (80+ meters long)
  • 5 Yachts (40 to 65 meters long)

The IP Company has over 20 man-years of experience with maritime refitting and installation work and continues to be the most sought-after vendor for WLAN in challenging and mission-critical environments.

Obviously, yachts and cruise ships are not warships, but they add yet another layer of difficulty: all APs must be invisible to the public, and even though the network is crucial to them, we can hardly ever use the ideal spot.

Network Security

Network security refers to the technologies, processes, and policies used to defend any network, network traffic, and network-accessible assets from cyberattacks, unauthorized access, and data loss. Every organization, from small businesses to the largest enterprises and service providers, in every industry requires network security to protect critical assets and infrastructure from a rapidly expanding attack surface.

Network security must protect at the many edges of the network and also inside the network, with a layered approach. Vulnerabilities exist everywhere, from devices and data paths to applications and users. Because organizations encounter so many potential threats, there are also hundreds of network security management tools intended to address individual threats or exploits or assist with other mission-critical infrastructure needs, such as continuous compliance. Organizations should prioritize network security solutions that cover the multitude of threats, using a platform approach that prioritizes integration and automation.

What is the Importance of Network Security?

Today’s threat environment is always changing, and from distributed denial-of-service (DDoS) attacks to ransomware, the frequency, volume, and sophistication of cyberattacks show no signs of slowing down. All organizations require network security because even a minor disruption to network infrastructure—such as a minute of downtime, or a lag in service performance—can cause damage to a navy’s reputation, bottom line, or even long-term viability. Catastrophic cyberattacks, which often begin as seemingly benign intrusions that inadequate network security tools failed to catch, can force organizations to pay crippling fines and even close their doors for good.

A very critical component of network security is a next-generation firewall (NGFW). But to truly protect the network, other technologies are required, and effective network security requires a holistic approach that integrates the firewall with other important capabilities. Essentially, to protect an organization’s entire attack surface, a layered approach with security solutions for all areas of the network must work together as an integrated and collaborative security fabric.

Traditional firewalls have been around for decades, and are a standard security product in use by a majority of organizations. A next-generation firewall (NGFW) moves beyond a traditional firewall’s port/protocol inspection and blocking techniques to add application-level inspection, intrusion prevention, and intelligence from sources outside the firewall.

Both traditional firewalls and NGFW employ packet filtering (both static and dynamic) to ensure connections among the network, the internet, and the firewall itself are secure, and both can translate network and port addresses for IP mapping. NGFWs, however, can filter packets based on applications, using whitelisting or signature-based intrusion prevention systems (IPS) to distinguish between applications that are benign (i.e., safe) and applications that are potentially malicious. There are many other differences, but one major advance between traditional firewalls and NGFWs is the ability to block malware from entering a network—a major advantage over cyberattackers that older-generation firewalls cannot deliver.

Intrusion Prevention System (IPS)

An intrusion prevention system (IPS) identifies suspicious activities and detects or prevents them from attacking computer networks. IPS security technologies monitor for these activities, capture information about them, and report them to network administrators. An IPS will initiate preventative steps such as configuring other network security tools to prevent possible attacks, and adjusting corporate security policies to block staff or guests on the network from engaging in harmful behavior. IPS tools are a critical component of full network security, and increasingly are being integrated into network firewalls instead of their traditional place as a standalone product in the network security infrastructure.

SSL Inspection

SSL inspection is also a critical component of network security infrastructure. SSL (secure sockets layer) inspection intercepts and decrypts all traffic transmitted through an HTTPS website, identifying malicious content. Organizations often use SSL certificates on their websites to create safe connections. SSL, however, also has a downside: today SSL encryption is often used by attackers to hide malware. Network security solutions therefore must include SSL inspection as a core capability.

VPN

Virtual private networks (VPNs) use virtual connections to create a private network, keeping any endpoint connected to the internet safe, and protecting sensitive information from unauthorized viewing or interception. A VPN routes an endpoint device’s connection through a private server so that when data reaches the internet, it’s not viewable as coming from the device. High-performance crypto VPNs accelerate cloud on-ramp, deliver a better and more secure experience for remote workers, and allow all organizations to maintain a consistent security policy and appropriate access control, regardless of location, for all corporate users, applications, and devices.