SKYSECURE WHITE PAPER
Summary
This paper explains, in relatively non-technical terms, why a
conventional VPN performs sluggishly over satellite compared with
other applications carried over the same space platform. It also
presents the Skycasters SkySecure solution to these performance
deficiencies.
Introduction
Virtual Private Networks consist of two or more computers
or networks of computers that communicate securely with
each other across an unsecured or public network such as
the Internet. VPNs are established by using compatible
encryption and decryption hardware or software at each end
of the connection.
For various reasons, there is a constantly growing
requirement from the business and government sectors to
provide secure broadband data connections to their remote
locations, including employee residences.
Secure access at useful speed is not available over traditional
dial-up, and faster solutions are in ever-increasing demand. While
DSL and cable Internet are clearly the most cost-effective solutions,
they do not reach approximately one-third of the remote locations
that seek broadband service.
Two-way satellite Internet service is fast and reliable. It works
very well for browsing, email, and most other Internet applications;
availability exceeds 99%. The increasing need for broadband services,
combined with very affordable solutions, is driving demand for
satellite services across North America. Until now, however, VPN
traffic has typically shown much lower performance (more than 70%
degradation) than web browsing or email over the same satellite
link, for the reasons discussed below.
Background
To perform properly alongside traditional terrestrial networks,
satellite data networks must employ special techniques to deal with
the increased latency of the space segment: roughly 46,000 miles up
to a geostationary satellite and back down to Earth on each hop.
The increased latency is the extra time, measured in hundreds of
milliseconds, that data needs to travel that extra distance. Latency
is distinct from bandwidth, but if it is not handled properly it
causes a severe throughput problem over satellite links.
TCP/IP is the “language” of the Internet. TCP sends data in
segments and waits for acknowledgments of receipt; each
acknowledgment permits the sender to release more data. If an
acknowledgment does not arrive within the expected time, TCP assumes
the segment was lost or discarded because of network congestion,
retransmits it, and cuts its sending rate to avoid further loss.
Every TCP connection also begins cautiously, in a phase known as Slow
Start. The sender starts with a small amount of data in flight and
increases it only as acknowledgments return, roughly doubling once
per round trip, until it reaches the receiver's advertised window.
Because this growth is clocked by the round-trip time, and because
the sender can never have more than one window of data
unacknowledged, throughput is bounded by the window size divided by
the round-trip time. TCP was designed for terrestrial networks with
round trips of tens of milliseconds. On a satellite path the round
trip is in the 720 ms and higher range, so a connection spends many
seconds climbing out of slow start, and even at full window its rate
can be a fraction of the link capacity. Any loss along the way sends
it back to a small window, from which recovery is again slow.
All current-generation satellite data networks compensate for the
space-link transit time with some form of TCP spoofing (also called
TCP acceleration, or a performance-enhancing proxy). Spoofing is
performed by special acceleration equipment at the carrier's main
satellite hub site. This equipment presents itself to the Internet
sender as if it were the remote host, while acting as a relay for
packets going to and from the remote satellite location. When the
spoofing equipment receives Internet traffic destined for a remote
satellite location, it acknowledges the segments itself, so that more
data follows immediately, and at the same time forwards them across
the satellite link. As the “real” acknowledgments arrive from the
remote site, the equipment suppresses them; if segments go
unacknowledged, it retransmits them from its own buffer. In this
manner the latency is “hidden” from the sender, whose
acknowledgments return within a terrestrial round trip. TCP leaves
slow start quickly and ramps to the highest rate the link allows.
Note that this works only because the equipment can read and
generate TCP headers: it must see ports, sequence numbers and
acknowledgment numbers in the clear.
In a traditional VPN-over-satellite session the packets are
encrypted at the network layer, TCP headers included, so the hub
equipment sees only an opaque tunnel between the two VPN endpoints.
The inner segments can be acknowledged only by the VPN client at the
remote site, not by the spoofing equipment. Spoofing is bypassed,
every acknowledgment takes the full satellite round trip, and the
connection remains bound by window size over satellite latency for
the entire session. This results in substantial performance
degradation.
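To make the window-over-round-trip arithmetic above concrete, here is a small added model (not Skycasters' code, and not a measurement of any service) that counts the round trips a lossless slow-start transfer needs and compares a session whose acknowledgments come back from the hub, as with spoofing, against a tunnelled session whose acknowledgments must cross the satellite link. The round-trip times, the 1 Mbit/s link rate and the 17,520-byte receiver window are assumptions in the range the paper quotes; the model treats the hub's buffering of the satellite leg as free.

```python
"""Why a high round-trip time starves TCP, and what hub-side spoofing buys back.

Added illustration for this white paper; not Skycasters' code and not a
measurement of any real service. The model is deliberately simple and
lossless: in each round trip the sender may transmit cwnd bytes; cwnd starts
at one segment and doubles every round trip (slow start) until it is capped
by the receiver's advertised window or by what the link can carry in one
round trip. All figures below are assumptions.
"""

MSS = 1460            # payload bytes per TCP segment on an Ethernet-sized MTU
DEFAULT_RWND = 17520  # assumed receiver window; a common Windows default of the period


def window_bound_bps(rwnd: int, rtt_s: float) -> float:
    """Throughput ceiling when at most rwnd bytes may be unacknowledged:
    one window per round trip, whatever the raw link rate."""
    return rwnd * 8 / rtt_s


def rounds_to_send(nbytes: int, rtt_s: float, link_bps: float,
                   mss: int = MSS, rwnd: int = DEFAULT_RWND) -> int:
    """Round trips slow start needs to deliver nbytes with no loss."""
    # Bytes usefully sent per round trip: never more than the receiver window,
    # never more than the link carries in one RTT.
    per_rtt_cap = min(rwnd, link_bps * rtt_s / 8)
    cwnd = float(mss)
    sent = 0.0
    rounds = 0
    while sent < nbytes:
        sent += min(cwnd, per_rtt_cap)
        rounds += 1
        cwnd = min(cwnd * 2, per_rtt_cap)  # exponential growth, clocked by the RTT
    return rounds


def transfer_time_s(nbytes: int, rtt_s: float, link_bps: float, **kw) -> float:
    """Wall-clock seconds for the transfer: whole round trips times the RTT."""
    return rounds_to_send(nbytes, rtt_s, link_bps, **kw) * rtt_s


def vpn_degradation(nbytes: int, link_bps: float,
                    hub_rtt_s: float, satellite_rtt_s: float, **kw) -> float:
    """Fractional slowdown of an encrypted tunnel relative to a spoofed session.

    Spoofed: the hub equipment acknowledges on the remote's behalf, so the
    Internet sender sees only the terrestrial RTT to the hub (the hub keeping
    the satellite leg full from its buffer is treated as free here).
    Tunnelled: TCP headers are encrypted, only the remote VPN endpoint can
    acknowledge, and the sender sees the whole satellite RTT.
    """
    spoofed = transfer_time_s(nbytes, hub_rtt_s, link_bps, **kw)
    tunnelled = transfer_time_s(nbytes, satellite_rtt_s, link_bps, **kw)
    return 1 - spoofed / tunnelled


if __name__ == "__main__":
    one_mb = 1_000_000
    link = 1_000_000  # assumed 1 Mbit/s satellite downlink
    print(f"window/RTT ceiling at 720 ms: {window_bound_bps(DEFAULT_RWND, 0.72) / 1000:.0f} kbit/s")
    print(f"1 MB, spoofed (50 ms RTT to hub): {transfer_time_s(one_mb, 0.05, link):.1f} s")
    print(f"1 MB, tunnelled (720 ms RTT):      {transfer_time_s(one_mb, 0.72, link):.1f} s")
    print(f"degradation: {vpn_degradation(one_mb, link, 0.05, 0.72):.0%}")
```

Run as a script it reports that a 17,520-byte window at 720 ms caps a single connection at about 195 kbit/s regardless of link speed, that the same 1 MB takes 8.1 s spoofed and 43.2 s tunnelled, and that the tunnelled transfer is therefore about 81% slower, in line with the “more than 70%” figure above. Even the 65,535-byte maximum of a plain 16-bit window only lifts the ceiling to about 728 kbit/s at 720 ms, which is why acceleration matters more than raw link rate on this path.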
SkySecure 3DES
SkySecure 3DES encryption operates at the application layer and does
not encrypt packets at the IP layer: the TCP/IP headers of each
connection remain in the clear, and only the application payload is
encrypted. Because the IP layer is left undisturbed, satellite TCP
spoofing and acceleration techniques function in their normal way,
so a SkySecure VPN does not cause the satellite connection to suffer
performance degradation. Leaving the IP layer undisturbed brings
further benefits: SkySecure avoids network address translation and
firewall issues, and it uses a single-port proxy to provide
fine-grained access control to specific TCP/IP-based resources.
The SkySecure Server, installed in the customer's headquarters or
data center, works in conjunction with an easy-to-use SkySecure
client that runs on each PC at the remote satellite location. The
SkySecure Server grants SkySecure clients access to protected
services based on authenticated user identity, not on a site-to-site
basis. User authentication, in addition to 3DES encryption, gives
network administrators increased security and flexibility.
A single-use 3DES session key is generated every time a user requests
connectivity to a protected resource such as a private e-mail server
or private corporate web page. SkySecure uses two-way (mutual)
authentication: not only does the SkySecure Server validate the
SkySecure client user, the client also validates the server. The
server and client engage in a two-factor challenge/response exchange
with each other to verify authenticity. A physical smart card, a
virtual soft token residing on a hard drive, or a biometric device
can be used with SkySecure technology. Third-party authentication
systems can also be integrated, including RSA SecurID®, PKCS #11,
RADIUS® and LDAP.
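The following is an added sketch of the mutual challenge/response described above, written for this edition; it is not SkySecure's protocol, whose message formats, token handling and 3DES usage are not documented here. It assumes a shared secret (standing in for whatever the token or authentication backend supplies), uses HMAC-SHA256 for the proofs, and derives a fresh per-session key from the two challenges, in the spirit of the single-use session key mentioned above.

```python
"""Mutual challenge/response with a single-use session key.

Added example for this white paper, not SkySecure's protocol: the product's
message formats, token handling and 3DES usage are not documented here. The
sketch assumes a shared secret (standing in for whatever the token or
authentication backend supplies), proves possession of it with HMAC-SHA256,
and derives a fresh key for each session from both sides' challenges.
"""
import hashlib
import hmac
import os


def prove(secret: bytes, role: bytes, c_nonce: bytes, s_nonce: bytes) -> bytes:
    # The role label is bound into every MAC so that a proof produced by one
    # side can never be replayed to it as the other side's proof (reflection).
    return hmac.new(secret, role + c_nonce + s_nonce, hashlib.sha256).digest()


def session_key(secret: bytes, c_nonce: bytes, s_nonce: bytes) -> bytes:
    """Single-use key: a new pair of challenges yields a new key."""
    return prove(secret, b"session", c_nonce, s_nonce)


def client_hello() -> bytes:
    """Message 1, client -> server: a fresh 16-byte challenge."""
    return os.urandom(16)


def server_respond(secret: bytes, c_nonce: bytes):
    """Message 2, server -> client: the server's own challenge plus its proof,
    computed over both challenges, that it knows the secret."""
    s_nonce = os.urandom(16)
    return s_nonce, prove(secret, b"server", c_nonce, s_nonce)


def client_finish(secret: bytes, c_nonce: bytes, s_nonce: bytes, server_proof: bytes):
    """Client side: verify the server first, then prove itself.
    Returns (client_proof, session_key), or (None, None) if the server failed."""
    expected = prove(secret, b"server", c_nonce, s_nonce)
    if not hmac.compare_digest(expected, server_proof):
        return None, None  # reveal nothing to an unauthenticated server
    return prove(secret, b"client", c_nonce, s_nonce), session_key(secret, c_nonce, s_nonce)


def server_verify(secret: bytes, c_nonce: bytes, s_nonce: bytes, client_proof: bytes) -> bool:
    """Message 3 check, server side."""
    return hmac.compare_digest(prove(secret, b"client", c_nonce, s_nonce), client_proof)


def mutual_handshake(client_secret: bytes, server_secret: bytes) -> dict:
    """Run the three messages end to end and report what each side concluded."""
    c_nonce = client_hello()
    s_nonce, server_proof = server_respond(server_secret, c_nonce)
    client_proof, c_key = client_finish(client_secret, c_nonce, s_nonce, server_proof)
    if client_proof is None:
        return {"client_ok": False, "server_ok": False, "keys_match": False}
    server_ok = server_verify(server_secret, c_nonce, s_nonce, client_proof)
    s_key = session_key(server_secret, c_nonce, s_nonce) if server_ok else None
    return {"client_ok": True, "server_ok": server_ok, "keys_match": c_key == s_key}


if __name__ == "__main__":
    print(mutual_handshake(b"shared-secret", b"shared-secret"))  # all True
    print(mutual_handshake(b"shared-secret", b"impostor"))       # all False
```

Two details carry the security weight: the client verifies the server's proof before sending its own, so a rogue server learns nothing, and each proof binds a role label, so a proof captured from one side cannot be reflected back as the other side's. With a shared secret the server must hold the same secret as the client; a smart card or PKI token would let the same flow run with a signature in place of the HMAC.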
Security and Administration
The SkySecure client, loaded on machines at remote sites, intercepts
all connection requests from an end user's computer that are bound
for an application running on a SkySecure-protected server. The
client encrypts both session and user data with a single-use 3DES
key. Once the session information is validated, a connection is
established between server and client, completing the secure path.
Data is then forwarded to the SkySecure server at the headquarters
or data center network, where it is decrypted and passed to the
protected application. SkySecure's cryptography is validated to FIPS
140-1 and supports HIPAA compliance requirements. Readers should note
that FIPS 140-1 has since been superseded by FIPS 140-2 and FIPS
140-3, and that NIST has deprecated Triple DES (disallowed for
encryption after 2023); a current deployment would be expected to
use AES in a currently validated module.
SkySecure interacts with a powerful, secure Web-based
administrative utility that manages users, groups, and
access control lists in either a centralized or
distributed manner. Four levels of administrative
privileges are available. Nested group capabilities allow
efficient management of large, closed user communities.
Administrators with control privileges can grant specific
individuals or groups access rights to entire networks,
certain applications, specific URLs, and/or other network
resources.
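As an added illustration of the single-port proxy's fine-grained access control and the nested-group model described above (example code, not SkySecure's own code or ACL format, neither of which is documented here), the following resolves a user's effective permissions from a constructed group directory and ACL, the check a proxy would make before forwarding a connection. Group names, hosts, networks and URLs are all made up.

```python
"""Effective permissions from nested groups and ACL entries.

Added example for this white paper; not SkySecure's code or data model.
It sketches the kind of check a single-port proxy makes before forwarding a
connection: groups may contain users and other groups, an entry grants a
principal access to a whole network (CIDR), one host and TCP port, or a URL
prefix, and anything not explicitly granted is denied. All names and
addresses below are constructed.
"""
import ipaddress
import posixpath
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit, urlunsplit

# group -> direct members (users or other groups)
GROUPS: Dict[str, Set[str]] = {
    "all-staff": {"finance", "engineering"},
    "finance": {"alice", "finance-leads"},
    "finance-leads": {"bob", "finance"},   # deliberate cycle: resolution must still terminate
    "engineering": {"carol"},
    "admins": {"carol"},
}

# (principal, kind, target, port); port applies only to kind == "host"
ACL: List[Tuple[str, str, str, Optional[int]]] = [
    ("all-staff", "host", "mail.example.internal", 143),
    ("all-staff", "url", "https://intranet.example.internal/public/", None),
    ("finance", "url", "https://intranet.example.internal/finance/", None),
    ("admins", "net", "10.20.0.0/16", None),
    ("bob", "host", "erp.example.internal", 8443),
]


def principals_for(user: str, groups: Dict[str, Set[str]] = GROUPS) -> Set[str]:
    """The user plus every group containing them, directly or by nesting.
    Iterates to a fixpoint, so cycles in the group graph are harmless."""
    found = {user}
    changed = True
    while changed:
        changed = False
        for group, members in groups.items():
            if group not in found and members & found:
                found.add(group)
                changed = True
    return found


def canonical_url(url: str) -> str:
    """Lower-case scheme and host, drop the fragment, and collapse '.' and '..'
    so 'https://intranet.example.internal/finance/../hr/' cannot pass a
    prefix rule written for '/finance/'."""
    p = urlsplit(url)
    path = posixpath.normpath(p.path or "/")
    if p.path.endswith("/") and not path.endswith("/"):
        path += "/"
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), path, p.query, ""))


def is_allowed(user: str, kind: str, target: str, port: Optional[int] = None,
               acl=ACL, groups=GROUPS) -> bool:
    """Deny by default: permit only when an entry for one of the user's
    principals covers exactly the resource requested."""
    mine = principals_for(user, groups)
    for principal, akind, atarget, aport in acl:
        if principal not in mine or akind != kind:
            continue
        if kind == "host" and atarget == target and aport == port:
            return True
        if kind == "url" and canonical_url(target).startswith(canonical_url(atarget)):
            return True
        if kind == "net":
            try:
                if ipaddress.ip_address(target) in ipaddress.ip_network(atarget):
                    return True
            except ValueError:
                pass  # target is not an IP literal, so a network entry cannot match
    return False


if __name__ == "__main__":
    print(sorted(principals_for("bob")))
    print(is_allowed("alice", "url", "https://intranet.example.internal/finance/ledger"))
    print(is_allowed("alice", "url", "https://intranet.example.internal/finance/../hr/secret"))
```

Two points a practitioner would check in any such resolver are present: group expansion runs to a fixpoint so a cycle in the directory cannot hang the proxy, and URL prefix rules are matched only after the URL is canonicalised, so “..” segments cannot walk out of the granted path.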
SkySecure On-line Registration allows end users to register securely
with the server over the Internet and begin accessing secured
applications and resources within minutes. After an administrator
enables a user and the user launches the SkySecure client, the
SkySecure server pushes the user's current access permissions to the
client. These read-only permissions are held on the user's computer
only for the duration of a session; the server loads fresh
permissions at the beginning of each subsequent session, and
administrators can modify permissions in real time.
SkySecure clients run on a broad range of computing platforms,
including Windows, Unix, Macintosh and Windows CE. A Java™ version of
the SkySecure client is also available, which eliminates the need to
pre-load client software on the end user's computer.
To allow secure connectivity from an end user's computer to a
destination application, all connection requests are processed
through the SkySecure client. Access to non-secured sites is not
impeded: the client acts only on requests for a SkySecure-protected
service, in which case authentication is enforced and session and
user data are encrypted with 3DES.
General Limitations of Satellite
Most regular Internet applications, such as email and web browsing,
perform very well over satellite, delivering high-speed service
similar to DSL or cable. There are known issues with certain
applications, which are expanded upon below.
The VSAT service is asymmetrical: 80% of the bandwidth is allocated
to download traffic and 20% to uploads. For this reason VSAT does not
support applications that require a high-speed upload, such as web
hosting at the remote site or two-way video conferencing.
Applications sensitive to high latency may also have problems;
satellite latency in the range of 720 ms to 1500 ms should be
expected. Latency-sensitive applications include interactive gaming,
VoIP, and non-TCP/IP applications. Even though satellite latency can
be hidden from TCP, the applications themselves still experience it.
SkySecure only supports TCP/IP applications.
Shared folders or drive mapping via NetBIOS will not perform
properly over any satellite connection. Shared folders can instead
be published through a web front end such as Microsoft Internet
Information Server (included with Windows 2000 and NT), Apache or
another web server. SQL Server applications need to be set up the
same way for the same reasons. Any application that can work behind
an HTML front end will perform better over satellite when set up in
this fashion.
Generally, any application that requires client software
loaded at the remote site can have problems with latency
unless adjustments are made at both the client and server
end. These types of applications need to be evaluated
individually by checking with the manufacturer to
determine the effects of latency on the particular
application.
Conclusion
By operating at the application layer and leveraging a satellite
network's TCP spoofing capabilities, SkySecure VPN technology
delivers undegraded throughput over high-latency satellite links.
Secure VPN connectivity is provided from the end user all the way
into the protected environment without exposing user data or
internal addressing information. SkySecure offers a widely deployed
FIPS 140-1 validated virtual token that is approved for U.S.
Government use.