
Providing VPN Services with SkyEdge

Name and title of the presenter, Date

Virtual Private Networks
A method for creating a private network via a public network segment (e.g. Internet).
Can be used for:
  - Remote Access VPN – connecting a user to a central site
  - Site to Site VPN – connecting two sites
Typically mandate secure connections (authentication and encryption)

The challenges of VPN over VSATs

Or, why is there a problem?


TCP spoofing is required for good performance over satellite links
Standard TCP stacks cannot accept spoofed TCP – TCP spoofing forms a “tunnel”
TCP spoofing can’t work on encrypted data
For the VPN over VSAT to work:
  - Traffic needs to be accelerated before encryption (at the source)
  - Traffic needs to be decrypted before translation to standard TCP

Correct: TCP Spoofing -> VPN Encryption -> VPN Decryption -> TCP deSpoofing

Incorrect: VPN Encryption -> TCP Spoofing -> Unaccelerated traffic
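Added example (not part of the original slides): Python code showing what a TCP-spoofing accelerator can read from a packet before and after IPSec ESP encryption, which is why acceleration has to happen before encryption. The function names, addresses, ports, SPI value and packet contents are constructed for illustration.

```python
import struct

IPPROTO_TCP, IPPROTO_ESP = 6, 50

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (constructed sample; checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1]))
    return header + payload

def accelerator_view(packet: bytes) -> dict:
    """Return what a TCP-spoofing accelerator can read from one IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto, payload = packet[9], packet[ihl:]
    if proto == IPPROTO_TCP and len(payload) >= 20:
        sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        data_len = len(payload) - (off_flags >> 12) * 4
        # Spoofing means acknowledging locally, which needs seq and data length.
        return {"accelerable": True, "ports": (sport, dport),
                "local_ack": (seq + data_len) & 0xFFFFFFFF}
    if proto == IPPROTO_ESP and len(payload) >= 8:
        spi, esp_seq = struct.unpack("!II", payload[:8])
        # Only the SPI and ESP sequence number are in clear; TCP fields are ciphertext.
        return {"accelerable": False, "spi": spi, "esp_seq": esp_seq}
    return {"accelerable": False}

# Constructed samples: one clear TCP segment, one ESP packet with an opaque body
# standing in for the encrypted inner packet.
TCP_SEGMENT = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | 0x18,
                          8192, 0, 0) + b"GET / HTTP/1.1\r\n\r\n"
CLEAR_PACKET = ipv4(IPPROTO_TCP, TCP_SEGMENT)
ESP_PACKET = ipv4(IPPROTO_ESP, struct.pack("!II", 0x1001, 1) + bytes(range(64)))

if __name__ == "__main__":
    print("before encryption:", accelerator_view(CLEAR_PACKET))
    print("after encryption: ", accelerator_view(ESP_PACKET))
```

An accelerator placed after the VPN encryption step only ever sees the second kind of packet, so the traffic crosses the satellite link unaccelerated.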
Other Solutions

[Diagram: Intranet servers, TCP Acceleration, VPN GW, Hub, Internet, VSAT, VPN Appliance, TCP Accelerator, PC]

Problems: Not cost effective – additional box in each remote site

[Diagram: Intranet servers, TCP Acceleration, VPN GW, Hub, Internet, VSAT, Acceleration software installed on PC*]

*VPN client can reside on same PC or VPN appliance can be used

Problems: Difficult to manage, a variety of OS, Performance


SkyEdge VPN Solution
Embedded VPN Client in the VSAT (“Client SW free”).
Standard based IPSec
Standard VPN Gateway in central site.
Gilat VPN Acceleration Server (VPNA)

[Diagram: Intranet servers, TCP Acceleration, VPN GW, Hub, Internet, VSAT with embedded VPN client and TCP acceleration, PC]

SkyEdge example

[Diagram: Company HQ (Intranet servers, VPNA, VPN Gateway), Internet, Remote Branch. Devices, left to right: HTTP Server; TCP Acceleration; VPN GW / Router; Hub; Satellite; VSAT with embedded VPN client and TCP acceleration; PC with Browser.]

Protocol stacks, left to right:
  - HTTP / TCP / IP over LAN L2 / LAN L1
  - HTTP’ / TCP’ / IP over LAN L2 / LAN L1
  - HTTP’ / TCP’ / IP, marked Encrypted, carried in IPSec over WAN L2 / WAN L1 and then Sat L2 / Sat L1
  - HTTP / TCP / IP over LAN L2 / LAN L1
SkyEdge example

[Diagram: Company X (VPN Gateway, VPNA) and Branch of X; Company Y (VPNA, VPN Gateway) and Commuter of Y; Internet]

Supports multiple VPNs on network

Advantages of using IPSec

Standard
  - Not a proprietary solution
Encryption of the entire IP packet
  - For example, SSL encrypts only the application layer
End-to-End
  - No “man in the middle” attacks
Security is applied transparently to all applications …
  - Not just HTTP
A common implementation for hybrid networks
  - Not dependent on transport or access technology

SkyEdge VPN details

IPSec peer on the VSAT:
  - Protocol type: ESP/AH
  - Authentication by pre-shared key
  - Supported Encryption Protocols – 3DES, DES and AES (128bit)
  - Supported Authentication Protocols – MD5 and SHA1
  - Supported Diffie-Hellman type 1,2
  - Supports connection with many native IPSec enabled devices

Management
  - VSAT – through NMS and local VSAT Web GUI
  - VPN Acceleration Server (VPNA) – NMS and local
VSAT VPN configuration screenshot

VPNA configuration screenshot

Summary

VPNs are the best and most cost-effective means to connect remote offices for an enterprise
IPSec is the standard for implementing VPNs
Gilat’s SkyEdge enables implementing VPNs on a satellite network:
  - No compromise on security – SkyEdge enables end-to-end VPN
  - No compromise on performance – traffic is accelerated
  - No compromise on cost – minimal HW and simple operation
