VPN Over Satellite: More Than Viable

By | March 1, 2007 | Feature, Telecom

Internet Protocol (IP)-based virtual private networks (VPNs) have become more popular as companies realize that when it comes to secure and reliable  networking, owning a dedicated network is not the only option.

While VSAT solutions are adapting to a world where the emphasis now is on a hybrid approach using satellites and terrestrial solutions, many niches will need to be filled in the process. VPN over satellite solutions are much in demand thanks to increasing business globalization, says Randy Neck, vice president of marketing at Houston-based CapRock Communications. The solution, which can reduce overhead and increase agility for users, represents an important component in this new and expansive networking arena.
The term VPN is used in the industry to mean a range of solutions, says Sampath Ramaswami, senior director, service development, in the North American division of Hughes Network Systems LLC. “A private network that connects the numerous sites of a distributed enterprise is a VPN, as is secure access over the Internet used by teleworkers to reach a corporate server. The latter is sometimes referred to as remote access VPN,” he says. “… Legacy networks such as dialup and frame relay are being rapidly replaced by always-on, broadband VPNs.”
However, this migration often fails to reach 20 percent to 50 percent for most distributed enterprises, and as a result, “satellite broadband offers a highly effective, cost-competitive, fill-in compared to other terrestrial fill-in options, such as leased line,” says Ramaswami. “We are seeing demand for satellite-based VPNs in two areas — as a complete, unified networking technology connecting all sites of an enterprise and as part of a hybrid terrestrial-satellite broadband network.”

TCP Can Spell Trouble

The VPN-over-satellite environment presents its own set of operating challenges, but VSAT vendors are overcoming them.
Satellite-induced latency coupled with Transmission Control Protocol (TCP) can often yield disappointing results. “The main reason for [signal] degradation is that TCP algorithms are not suited for the long latency of the satellite link and are not optimized by the VSAT,” says Doron Elinav, director of strategic marketing at Gilat Satellite Networks. “The trend we see is towards encrypted VPNs usually based on Internet protocol Security (IPsec). The trend is growing and is common throughout the telecom industry. IPsec has emerged as the modern standard for data security supports key-based authentication, and encrypts the complete data packet — both data and headers — and adds its own header. Thus, it foils most threats — and also any attempt at TCP acceleration.”
For remote access VPNs, the Hughes VPN Accelerator is an off-the-shelf solution that supports IPsec VPNs over satellite. “If a VPN tunnel using IPsec originates on a client (that is, for remote access VPN) residing on a LAN behind a satellite router, then traditional acceleration techniques used to mitigate latency-related performance issues will be inoperable,” says Ramaswami. “The VPN Accelerator enhances performance by using satellite acceleration techniques prior to transmission through the VPN tunnel while maintaining the integrity of the VPN security. [It] integrates easily into the existing corporate security policies and infrastructure of enterprises using Nortel, Cisco or Check Point VPNs.”
One of the key issues for a VPN is ensuring data confidentiality, says Adrian Amelse, director of marketing for Cisco’s data center security technology group. “Identity and encryption are fundamental requirements for customers, and we incorporate these capabilities into all of our communications technologies, including satellite VPNs,” he says. “Based on that, we definitely view VPN over satellite as being viable.”
In addition, these new end-to-end VPNs now permit secure connections to remote locations over the Internet without the need for costly backhaul circuits. “This flexibility and cost effectiveness has created strong demand for VPN capability over satellite,” says Neck. “In the future, as businesses continue to expand globally, the speed and ease with which VPN over satellite solutions can be deployed is a clear advantage over the cumbersome and time consuming point-to-point backhaul alternatives.”
 

TCP Needs Help

As noted, non-accelerated TCP/IPsec-driven traffic can be severely degraded with typical broadband connections yielding what is the equivalent of a 64-kilobit-per-second link. This is unacceptable, and the satellite industry has attacked this problem aggressively.
Gilat embeds TCP acceleration in its SkyEdge VSAT so it can be applied within VPNs using IPSec without requiring additional appliances or PC software. “Having an integrated VPN solution within the VSAT means that standard IPSec VPNs can be used over a satellite network while maintaining the improved user experience gained from the TCP acceleration,” say Elinav. “Most solutions first accelerate and then encrypt in order to provide security and performance,”
Some customers do not require an end-to-end encrypted VPN but rather separation of traffic and private addressing, functionality that can be provided by VLANs, multi-protocol label switching and other technology, Elinav says .
“Besides the inherent satellite delay of 500 milliseconds, VPN is also not designed to take into account that satellite bandwidth is very expensive,” says Oscar Glottmann, vice president at Shiron Satellite Communications. “The Shiron InterSKY system gives the customer the most important feature for VPN applications, bandwidth savings via its Aloha Random Access. IPSec requires about 5 percent to 15 percent more bandwidth due to encryption overhead and added processing delay. Shiron’s jitterless Burst Mode- Frequency Division Multiple Access transmission scheme for the payload and Burst Mode Random Access for small packets combine to reduce overhead and reduce delay as well,” he says.
InterSKY also is a pure IP-based system, says Glottmann. “We have never had to perform any special development for VPN monitoring and network management,” he says. “Surely it is better to work in a native IP, transparent environment, than having to come up with a new solution for every type of specialized IP protocol.”
Beyond TCP acceleration, such issues as data compression and caching, application acceleration and common internet file system acceleration can play an essential role, too, says Neck. However, CapRock’s evaluation of various application acceleration devices has only reinforced the company’s belief that no single technique or technology is best suited for all customers. “The results vary greatly and are heavily dependant on the application profile and usage pattern unique to each customer environment,” he says. “CapRock strongly recommends customers considering application acceleration devices work with their preferred communications service provider to determine the most appropriate acceleration technology for their unique situation.”
Of course, IPSec is not the only solution, says Gary Tomlinson, chief architect at Seattle-based Aventail Corp. He emphasizes that Secure Sockets Layer (SSL) VPN offer much better performance than IPSec VPNs over satellite for a simple reason, they operate at the application layer via TCP and as such can utilize TCP performance enhancing proxies. “Contrast this to IPSec, which prevents performance enhancements due to encryption of the TCP packet information. Also, given the wireless nature of satellites, encryption is necessary to ensure privacy, which distinguishes SSL VPNs from terrestrial multi-protocol label switching VPNs, for example,” he says.

Managing Cost And Performance Gets Easier

When it comes to monitoring and network management, one of the strengths of an enterprise VPN is the ability to incorporate multiple access technologies ranging from dialup to leased lines, which allows the enterprise to optimize the network’s cost and performance, says Ramaswami. Hughes offers fully managed services, integrating satellite broadband and terrestrial broadband. The HughesNet VPN service offers enterprises a range of connectivity options, spanning from 100 percent satellite over to 100 percent terrestrial.
“An enterprise can choose the appropriate technology based on its pricing and application requirements,” says Ramaswami. “We also offer HughesNet High Availability VPNs, which combine the strengths of satellite and terrestrial broadband at each site — high-availability, high-bandwidth multicasting — while providing full network and service management. “However, this flexibility comes at the cost of increased network and service management complexity.  To provision a nationwide VPN may require half a dozen access providers or more, several variations of DSL loop technologies, satellite access and cable access,” he says. “Each may have a different [set of] customer premises equipment for accessing the network, different methods of provisioning/installation, fault management and maintenance.”
Enterprises can select managed service providers to oversee this complexity, allowing the enterprise to reap the advantages of a broadband VPN while outsourcing the operational and management complexities to a competent service provider.
As far as SSL VPN over satellite monitoring and network management is concerned, satellites do not look much different than the other physical mediums being traversed. In its own robust way, SSL VPN expects fluctuating latencies and some packet loss, says Tomlinson. “However from the underlying network perspective, given the round trip latency of satellites and possibility of aggregated end-to-end connections being multiplexed in an SSL tunnel, it is very important to configure and monitor TCP enhancing proxies in the satellite pathways being utilized by the SSL VPN,” he says.
Because Gilat embeds its VPN client in the SkyEdge VSAT, one result is a simple and easy to manage console-based integrated network management solution, says Elinav. “Embedding IPsec into the VSAT enables the remote VSAT to become an integral part of the company’s security infrastructure.” That encryption is based on a hardware security engine and can provide DES, 3DES and AES transforms, ensuring high performance for the encrypted traffic. “The SkyEdge Hub also works with the new Cisco VSAT Network Module which plugs into the Cisco integrated services router series as well as into Cisco legacy routers. That means operators of those Cisco routers have access to all of Cisco’s VPN security across a SkyEdge satellite network,” says Elinav.

Enhancing Emergency Response

When the U.S. Federal Emergency Management Agency (FEMA) rolls out either its Mobile Disaster Recovery Centers or Mobile Emergency Response Units, VPN over satellite is there. Soon, FEMA Regional offices will have it installed it, too. UDcast’s UDgateway lies at the heart of this solution based on VPN over satellite, which beams secure transmissions of data and voice over encrypted IP over two-way satellite connections. Oncall and Intelsat also are participating in this project with UDcast.
“By using the UDgateway and VPN over satellite, the U.S. Department of Homeland Security and FEMA achieve maximum flexibility, while managing and controlling their VPN-over-satellite networks with a high level of security,” said Antoine Clergot, UDcast co-founder and vice president of engineering. “Creating an end-to-end VPN environment with the UDgateway, which is very cost efficient, easy to deploy and set up, puts information at their fingertips during a disaster with a guarantee that this high-stress environment will not degrade the quality of transmissions over time.”
In the aftermath of Hurricane Katrina, Cisco worked with the federal government to deploy integrated services routers with VSATs in outlying areas where Red Cross stations had been established. Cisco recommends this approach to its customers — absent suitable terrestrial alternatives, says Amelse. “There were no other alternatives for connectivity. Everything was underwater. So from an application standpoint, satellite VPNs were extremely viable — in fact, mission-critical — for disaster response and emergency communications,” he says.
This all points in one direction. Virtual private networking over satellite may be virtual, but it certainly is real and reliable. And over time, it will become more robust and more efficient both in terms of cost and performance.

Related Stories