As noted, non-accelerated TCP/IPsec-driven traffic can be severely degraded with typical broadband connections yielding what is the equivalent of a 64-kilobit-per-second link. This is unacceptable, and the satellite industry has attacked this problem aggressively. Gilat embeds TCP acceleration in its SkyEdge VSAT so it can be applied within VPNs using IPSec without requiring additional appliances or PC software. “Having an integrated VPN solution within the VSAT means that standard IPSec VPNs can be used over a satellite network while maintaining the improved user experience gained from the TCP acceleration,” say Elinav. “Most solutions first accelerate and then encrypt in order to provide security and performance,” Some customers do not require an end-to-end encrypted VPN but rather separation of traffic and private addressing, functionality that can be provided by VLANs, multi-protocol label switching and other technology, Elinav says . “Besides the inherent satellite delay of 500 milliseconds, VPN is also not designed to take into account that satellite bandwidth is very expensive,” says Oscar Glottmann, vice president at Shiron Satellite Communications. “The Shiron InterSKY system gives the customer the most important feature for VPN applications, bandwidth savings via its Aloha Random Access. IPSec requires about 5 percent to 15 percent more bandwidth due to encryption overhead and added processing delay. Shiron’s jitterless Burst Mode- Frequency Division Multiple Access transmission scheme for the payload and Burst Mode Random Access for small packets combine to reduce overhead and reduce delay as well,” he says. InterSKY also is a pure IP-based system, says Glottmann. “We have never had to perform any special development for VPN monitoring and network management,” he says. “Surely it is better to work in a native IP, transparent environment, than having to come up with a new solution for every type of specialized IP protocol.” Beyond TCP acceleration, such issues as data compression and caching, application acceleration and common internet file system acceleration can play an essential role, too, says Neck. However, CapRock’s evaluation of various application acceleration devices has only reinforced the company’s belief that no single technique or technology is best suited for all customers. “The results vary greatly and are heavily dependant on the application profile and usage pattern unique to each customer environment,” he says. “CapRock strongly recommends customers considering application acceleration devices work with their preferred communications service provider to determine the most appropriate acceleration technology for their unique situation.” Of course, IPSec is not the only solution, says Gary Tomlinson, chief architect at Seattle-based Aventail Corp. He emphasizes that Secure Sockets Layer (SSL) VPN offer much better performance than IPSec VPNs over satellite for a simple reason, they operate at the application layer via TCP and as such can utilize TCP performance enhancing proxies. “Contrast this to IPSec, which prevents performance enhancements due to encryption of the TCP packet information. Also, given the wireless nature of satellites, encryption is necessary to ensure privacy, which distinguishes SSL VPNs from terrestrial multi-protocol label switching VPNs, for example,” he says.