Case Study
German Armed Services: Infrastructure for the Communication of Restricted Data
Cooperation project of genua GmbH ensures secure clients and infrastructure. The IT strategy of the German armed services calls for the digitization of operations. At the same time, demands on IT security and usability for modern and attractive IT workplaces are increasing. Furthermore, more and more logistical and administrative tasks are being supported and represented using IT and apps.
For the implementation of these objectives, there is a need for a secure communication platform that has been approved by the BSI for use with restricted data. On the one hand, the platform utilizes the existing infrastructure and, on the other, makes use of modern technologies. In a cooperation project with Bundesdruckerei GmbH and Virtual Solution AG, genua GmbH developed a corresponding solution for the secure communication of restricted data.
Solution Path: Mobile Clients for a Secure Workflow
The system consists of various mobile clients with which employees can work securely and easily. The connection to the cloud system of the German armed services is performed using a virtual private network (VPN) via the Internet or WAN. A further firewall monitors the content of the data traffic using, among other things, virus scanning and anomaly detection. This is performed before the clients can be used to access the applications in the cloud or browse the Internet. The identification of the user, the unlocking (decryption) of the clients and the establishment of the VPN connection occur through the existing eDTA (electronic military ID card) using the public key infrastructure (PKI) of the German armed services.
Four Clients for Various Requirements of Secure Communication
At the time of project implementation, four clients could be connected to the existing infrastructure for various application scenarios: laptops, smart devices such as smartphones and tablets, home office workstations and (small) properties with a group of workstations.
Laptop: The Security Laptop vs-top allows one to work comfortably, for example under Windows, with a VPN connection via mobile telephony, WLAN or Ethernet. The existing electronic military ID card is used here for hard drive encryption, VPN authentication as well as, e.g., the encryption of restricted email with s/mail from cryptovision GmbH or for login to Windows. An extra smart card is not necessary. In addition to a firewall of its own, the vs-top also offers a second, separate compartment for private use. There are currently more than 500 vs-tops in use in a project in the public sector with approval of the BSI.
Smart Devices: Using a smartphone or tablet with the iOS or Android operating system, the SecurePIM app from Virtual Solution AG can be used to access e-mail, calendars and contacts. It is thereby also possible to browse the Internet or read documentation on the intranet. The integration of other apps from the German armed services in SecurePIM and the voice encryption of telephone conversations are also planned. The electronic military ID card is used here as well to identify the user and unlock the app on the smart device. SecurePIM on iOS together with the central security components genuscreen and genugate in the backend is currently in pilot operation in four government agencies with preliminary approval from the BSI.
Remote Work: For a PC or laptop connected at home, the Personal Security Device genucard offers a secure connection via WLAN, Ethernet or UMTS to the cloud of the German armed services. An integrated firewall also protects the PC. genucard is approved for use with restricted data. In the German armed services, there are currently more than 12,000 devices in productive use together with the central security components genuscreen and genugate in the backend.
Properties: For properties or mobile locations with a small number of workplaces, the Firewall & VPN Appliance genuscreen is ideal as a gateway for internal security zones or for location connectivity. As a firewall, genuscreen also filters data traffic. With approval for restricted data and Common Criteria (CC) EAL 4+ certification, genuscreen is used in a number of application areas by the German armed services.
Complete Analysis and Monitoring of the Data Traffic
The Firewall & VPN Appliance genuscreen (see above) serves as the central gateway and the first system for network security. All VPN connections of the users are checked and accepted here. Intelligent bandwidth management and cluster capability guarantee performance, availability and flexibility.
genuscreen is compatible with all client types and can also be operated in a fully meshed VPN with many participants. To protect the system, data traffic is completely analyzed and monitored by the High Resistance Firewall genugate. Two different firewall systems – an application level gateway and a packet filter, each on separate hardware – are combined to form a compact solution. This enables, e.g., virus scanning, the filtering of contents and blacklisting as well as the detection of anomalies. The security guidelines are thereby enforced consistently for all clients.
In addition, genugate reliably protects the system against attacks from the Internet, as this firewall is certified according to CC at EAL 4+ and is also classified as the world's only "highly resistant" firewall. Both components currently form the central VPN infrastructure of the RAS, with more than 12,000 genucard clients and properties connected via genuscreens. Clients such as laptops or smart devices can thereby be directly connected to the existing RAS infrastructure of the German armed services.
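As an added illustration of the two-stage inspection chain described above (a packet filter in front of an application level gateway), the following Python sketch runs constructed sample flows through a stateless packet-filter policy and then through a gateway that applies a host blacklist, a content signature scan and a simple connection-rate anomaly check. This is example code written for this page; it is not genua's code and says nothing about how genugate is actually built. The networks, ports, hosts, signature, thresholds and traffic are all constructed.

```python
"""Two-stage inspection chain: packet filter, then application level gateway (ALG).
Illustrative only; policy and traffic are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
import ipaddress
import re


@dataclass(frozen=True)
class Flow:
    ts: float           # arrival time in seconds (constructed)
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    host: str = ""      # HTTP Host header as seen by the ALG (constructed)
    payload: bytes = b""


# --- Stage 1: stateless packet filter. First matching rule wins; default deny. ---
PF_RULES = [
    # (source network, destination network, protocol, destination port, action)
    ("10.10.0.0/16", "10.20.0.0/24", "tcp", 443, "allow"),  # VPN client pool -> web front end
    ("10.10.0.0/16", "10.20.0.0/24", "tcp", 25, "allow"),   # VPN client pool -> mail relay
    ("0.0.0.0/0", "0.0.0.0/0", None, None, "deny"),         # everything else
]


def packet_filter(flow: Flow) -> str:
    """Return the action of the first rule matching the flow's 5-tuple attributes."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for src_net, dst_net, proto, dport, action in PF_RULES:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and (proto is None or proto == flow.proto)
                and (dport is None or dport == flow.dport)):
            return action
    return "deny"


# --- Stage 2: application level gateway with content checks. ---
BLOCKLISTED_HOSTS = {"bad.example"}                                 # constructed blacklist
MALWARE_SIGNATURES = [re.compile(rb"CONSTRUCTED-TEST-SIGNATURE")]  # constructed pattern
RATE_WINDOW = 10.0   # seconds
RATE_LIMIT = 5       # connections per source within the window before it is flagged


class ApplicationGateway:
    def __init__(self) -> None:
        self._recent = defaultdict(deque)  # source address -> timestamps of recent flows

    def _anomalous(self, flow: Flow) -> bool:
        """Sliding-window connection count per source; exceeding the limit is an anomaly."""
        q = self._recent[flow.src]
        q.append(flow.ts)
        while q and flow.ts - q[0] > RATE_WINDOW:
            q.popleft()
        return len(q) > RATE_LIMIT

    def inspect(self, flow: Flow):
        if flow.host in BLOCKLISTED_HOSTS:
            return "deny", "blacklisted host"
        for sig in MALWARE_SIGNATURES:
            if sig.search(flow.payload):
                return "deny", "malware signature"
        if self._anomalous(flow):
            return "deny", "connection-rate anomaly"
        return "allow", "clean"


def inspect_traffic(flows):
    """Run each flow through the packet filter, then (if admitted) through the ALG."""
    alg = ApplicationGateway()
    verdicts = []
    for f in flows:
        if packet_filter(f) != "allow":
            verdicts.append(("deny", "packet filter", "no matching allow rule"))
            continue
        action, reason = alg.inspect(f)
        verdicts.append((action, "application gateway", reason))
    return verdicts


# Constructed sample traffic: one clean request, one port not in policy, one
# blacklisted host, one payload carrying the test signature, then a burst of
# six connections from a single client that trips the rate check on the sixth.
SAMPLE_FLOWS = [
    Flow(0.0, "10.10.1.5", "10.20.0.10", "tcp", 443, "intranet.example", b"GET / HTTP/1.1"),
    Flow(1.0, "10.10.1.5", "10.20.0.10", "tcp", 22),
    Flow(2.0, "10.10.1.5", "10.20.0.10", "tcp", 443, "bad.example", b"GET / HTTP/1.1"),
    Flow(3.0, "10.10.1.6", "10.20.0.10", "tcp", 25, "", b"DATA CONSTRUCTED-TEST-SIGNATURE"),
] + [
    Flow(4.0 + i, "10.10.1.7", "10.20.0.10", "tcp", 443, "intranet.example", b"GET / HTTP/1.1")
    for i in range(6)
]

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, inspect_traffic(SAMPLE_FLOWS)):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} {verdict}")
```

The point of the ordering is that the packet filter never hands the gateway anything outside policy, and the gateway only sees flows the packet filter already accepted; a flow has to pass both independent checks to reach the backend.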
Central Management
All vs-top, genucard and genuscreen clients from genua can be managed via the Central Management Station genucenter. The administrator thereby has the status of all systems in view at all times, can make changes and updates, and can easily roll them out to entire areas. The separate Mobile Application Management portal (MAM) from Virtual Solution AG configures and manages the SecurePIM apps on smart devices.