Ubiquitous secure access to data and systems
To best enable system-control access for the remote servicing of individual items of plant equipment, IKN relies on security solutions from WatchGuard Technologies. But for this cement plant specialist, WatchGuard also provides a strong ‘security-to-go’ option for work on-site and boosts security at the company’s own data centre.
1 Introduction
As a middle-market engineering firm, IKN GmbH in Neustadt near Hanover has been thriving since 1982 in the international cement plant construction sector, with core competences centring on clinker firing and cooling processes. With more than 650 installations all over the world, IKN is a market leader when it comes to fitting out new cement plants or implementing modernization and conversion projects at any point along the cement processing chain – from preheater to cooler. Of course, the IKN repertoire also includes the appropriate maintenance services.
As René Clausing, Head of IT at IKN, says, “Our systems can be found all around the globe, from Algeria to Vietnam. Consequently, we needed to come up with a good strategy for their maintenance. In the past, modem dial-up was the standard solution but with analogue telephone connections becoming extinct we had to look for a viable alternative, so for the past year we have been working via VPN (Virtual Private Network) tunnels secured by a WatchGuard Firebox. This gives us controlled access to the customer’s systems,” explains Clausing. “Either the customer provides us with an Internet link or we can use an LTE router for wireless access.”
Right now, there are about 15 red WatchGuard T10 Fireboxes at work on various customers’ premises. As Clausing notes, “Advanced security is now an integral part of all our projects, be it a new plant, a revamp or a retrofit. Every quotation includes a Firebox option and our experience to date has been exclusively positive.”
All it takes to give IKN secure access for remote servicing of a control system is to install the WatchGuard appliance in the customer’s local control cabinet. The security setup ensures that only authorized personnel are able to access the control systems through the VPN. “Compliant access is only possible for a clearly defined group of users in the active directory,” the IT chief explains. “We make sure of this with closely targeted configurations. After all, system security has utmost priority and the support tunnels are secured against unauthorized access in either direction.”
2 Quick commissioning
In line with the company’s global mission, IKN attaches special importance to WatchGuard’s RapidDeploy configuration functionality, available for all its platforms. With the required settings centrally processed and maintained in Neustadt, Firebox hardware can be sent to any place in the world and as soon as the appliance is powered up, it configures itself in accordance with the configuration parameters stored back in Neustadt. “This is a major benefit for us,” explains Clausing, “Since cement plants rarely have their own IT administrator, we just ask one of the technicians to correctly plug in the power and network cables. Everything else either takes place automatically or can be managed by our own people back in Neustadt.” Even if an appliance does break down, only the hardware has to be replaced. “RapidDeploy saves us a lot of time and expense,” says Clausing. “Replacing a firewall does not mean that one of us has to hop on a plane and fly halfway around the world. The centralized configuration is ideal for us and has yet to display the slightest weakness.” No wonder, then, that Fireboxes have also been deployed at IKN’s regional sales offices and even home offices in order to safeguard the transfer of data between staff, offices and the group’s central network. As Clausing explains, “In this case the security settings differ from those used to protect the customers’ platforms and functionally, the prime goal is to protect user drives and ensure secure and reliable communications. Either way, it is just as easy to implement UTM appliances without the need for any in-depth local IT knowledge.”
3 Out-of-box network access
For some time now, IKN has also been taking advantage of the flexibility of WatchGuard security solutions for other applications. Explaining the rationale, René Clausing says, “Originally, the UTM platforms were employed primarily to protect our infrastructure and data in Neustadt.” The in-house system for product data management presently stores some 1.5 million 3D models and drawings that are critical to IKN’s business, so protecting this data is absolutely essential. At the same time, however, it must be ensured that the employees at diverse locations are able to work on these models together. In particular, colleagues at IKN Czech need vital access to the database, as Clausing illustrates by way of example; “Nowadays, laser scans are used for the planning of new cement production facilities and provide a basis for accurate design, fabrication and assembly. While the team in Germany is expert in cooling systems, our Czech engineers’ expertise centres on pyro systems. Both sides can now work together by way of a real-time replicated database.” It also makes sense for IKN engineers at the various construction sites to have access to the current planning status and for this, IKN has adopted a very innovative approach. “Everyone, I suppose, is familiar with the kind of equipment that disc jockeys use,” Clausing explains. “Essentially, we’re using the same boxes, but not with the usual audio components; instead, each box is fitted out with a SIM-card equipped LTE router, a WatchGuard Firebox T10-W with integral WLAN and active-directory authentication options, and in some instances even an encrypted NAS (network attached storage) device for local storage. That way, VPN-authorized engineers out in the field – wherever that may be – can access the central server at will, so working with IT systems at a construction site is just as convenient and secure as back at company headquarters.”
4 Full control
When the old security structures were replaced at IKN it was hardly foreseeable that the WatchGuard products would turn out to be so versatile in everyday use. “At the time my main goal was to get a better handle on the IT security environment and I knew from previous experience that WatchGuard products were very intuitive and user-friendly. Due to deficient logging and reporting, we used to have to call in an external service provider every time we had a problem,” recalls Clausing. “But when we made the changeover to WatchGuard, we were able to take charge of IT security management ourselves, hence gaining a lot more independence – not to mention all the resultant cost savings on service expenditures.” The transition went smoothly and the new WatchGuard infrastructure – starting with a UTM cluster for protecting the data centre in Neustadt and WatchGuard platforms in the Czech Republic and the U.S. for gaining stable VPN access with minimal latency – was quickly established and went live within a few weeks. From the very start the four-member IT team drew benefit from all the features of the integrated data visualization and reporting suite called WatchGuard Dimension. “We monitor Dimension’s security dashboards at regular intervals,” says Clausing, “and are therefore always aware of what is going on in the network. We get a nearly real-time look at attempted cyber attacks as well as the appropriate countermeasures. At the same time, we retain full control over the security setup; in each case, the Traffic Monitor shows which setting was of relevance.” Potential vulnerabilities are easy for the IKN IT team to track down and rectify from one central point for the entire network. Numerous UTM functions – from APT Blocker to data loss prevention (DLP), intrusion prevention service (IPS), spamBlocker and WebBlocker – guarantee comprehensive security for data traffic. 
“To sum up,” says Clausing, “IT security is essential, but our company’s strategic alignment also emphasizes flexibility, and with WatchGuard, we are keeping all our future options open.”
www.watchguard.de
