• United States

Satellite broadband improves for teleworkers

Apr 12, 20046 mins
BroadbandMobileNetwork Security

We’re at a point where most business people take home-office, high-speed access for granted. But teleworkers and salespeople who operate beyond broadband’s reach remain a problem. Although small in number, these users generate a high volume of support calls when they try to remotely access the same network applications as their broadband-equipped colleagues.

Satellite broadband service looks like a big improvement over dial-up. Providers offer ubiquity, giving firms the ability to put all remote workers on the same bill. Newer ka-band technology allows for higher-speed, bidirectional connections and obviates the need to pay for an additional analog line for data uploads.

Yet, the satellite broadband market remains stifled, despite steady growth in remote work. The top two providers, Hughes Network Systems and StarBand, serve only about 200,000 users combined, according to a recent Gartner report.

The cost of customer premises equipment and installation is one cause. But more to blame are performance problems in technology that relies on transmitting signal to a satellite 22,000 miles away. Another big problem is satellite broadband’s incompatibility with IPSec VPNs.

Years ago, service providers developed techniques that speed performance and minimize the half-second signal delay that causes pages to load so slowly. Spoofing, or TCP acceleration, tricks a client application into making data send and receive requests to the server before it has made a connection. “Prefetching” loads Web pages all at once, rather than waiting for the client to request components individually.

But for spoofing in particular to work, it needs to see the source and destination of data packets to ensure the connections sync. Because IPSec VPNs hide this information in the encryption layer, the connection knocks down to dial-up speeds.

However, user experience varies. J.P. Carcenac, systems engineering manager with NetScout Systems, has used StarBand to sync up his Microsoft Outlook and SalesLogic clients from airports, various corporate offices and his office in Woodstock, Ill., for two years.

Initially, he couldn’t get NetScout’s Cisco VPN client to work at all, but upgrading the VPN software solved the problem. With the VPN turned on, Carcenac reports little degradation in download times, but says “interactive applications like Web pages are rather painful regardless of VPN or not.”

In contrast, Kyle Rather, SCADA/controls engineer for Tuscarora Gas Transmission Company in Reno, Nev., has experienced extreme performance degradation using a mix of IPSec and Secure Sockets Layer (SSL) VPN clients. (SCADA, or Supervisory Control and Data Acquisition, is systems software used in industrial processes like steel making.) Rather recently set up a network of StarBand-connected PCs that a crew of contractors from different companies used to access their networks.

But because the contractors used a mix of VPN clients, “connections were dreadfully painful,” Rather says. “The clients killed the compression algorithm StarBand used, which gave our users 12K bit/sec to 20K bit/sec VPN connections upstream and down. It was easier to set up a few free e-mail accounts and have mail sent there.”

Overall, 15% to 40% of satellite broadband users are corporate teleworkers, according to Hughes. To eliminate the need for a remote-access VPN, Hughes has provided its accounts – mainly those in the pharmaceutical and automotive industries – with dedicated bandwidth over a private network connection.

But a year ago, these customers began pushing Hughes for a way to use their VPNs. “Everybody wants standard IP services. No one wants to do anything special for any network provider anymore,” says Emil Regard, vice president of strategic marketing for the North American division of Hughes.

So Hughes developed TurboVPN, software for its DirecWay service that uses satellite acceleration techniques, including spoofing, in conjunction with an IPSec VPN.

Spoofing typically takes place on an end user’s satellite terminal, or VSAT, which conflicts with VPNs. TurboVPN is software residing on the user’s PC that connects to an acceleration server on the corporate network. This way, spoofing takes place on the client before the data is encrypted and then again on the acceleration server, before the data is encrypted and sent back to the remote site. Regard says TurboVPN increases throughput and response time for intranet and e-mail applications three to five times.

Expected to be finalized next month, the TurboVPN client is in beta-testing with three Fortune 500 companies – two existing and one new customer – all of which declined to be named. The first two pilots, in manufacturing and automotive, involve about 1,000 remote salespeople. The third, an insurance company, will include thousands, Regard says.

Rather than sell a teleworker/VPN branded product, Hughes plans to integrate TurboVPN with VPN clients from Check Point, Cisco and Nortel, with others in the early planning stages. Because the service requires the acceleration server, Regard says the service will “start to make sense” cost-wise for companies with at least 10 to 20 teleworkers. Pricing for bigger companies is handled on a custom basis.

SSL VPNs and application-layer VPNs suffer from fewer conflicts, so Hughes can spoof and prefetch a significant amount of SSL VPN traffic. V-ONE says its SmartGate application-layer VPN software – which is certified by Hughes – delivers between a 5-to-1 and a 15-to-1 improvement over IPSec VPNs.

StarBand last month launched its new 481 Telecommuter Service, which offers 750K bit/sec download and 100K bit/sec upload speeds, 10 free Web mail accounts, free basic Web hosting and an optional static IP address for $110 to $120 per month, with an initial equipment fee of $600 to $700. However, the service supports only one computer and isn’t compatible with IPSec VPNs. On its Web site, StarBand says it won’t support VPNs, and although popular VPN clients work with its service, “specific requirements” might need to be met, such as “loading additional or specific software, or running the application on a PC connected directly to the StarBand computer.”

For firms connecting branch offices, an option is MCI’s new service, MCI Internet Broadband Satellite Corporate, sold through Tachyon Networks, which works with IPSec VPN. Also, start-up Encore Networks has a point-to-point VPN appliance that works with many satellite broadband modem vendors’ acceleration techniques. 

Resolving conflict: How Hughes DirecWay TurboVPN works

To increase data throughput over satellite broadband connections, service providers perform several Web acceleration techniques. One of the most effective is spoofing, or TCP accleration. Spoofing tricks a client application into making data send and receive requests to the server before the actual connection has been made. Another is “prefetching,” which caches entire Web pages all at once, rather than waiting for the client to request individual components.
  1. Before, all Web acceleration tasks took place on the teleworker’s satellite terminal (or VSAT), the box that connects the router or workstation to the satellite dish. But for spoofing in particular to work, it needs to see the source and destination of the data packets to ensure the connections sync up. Because IPSec VPNs hide this information in the encryption layer on the client system, spoofing can’t work. The connection knocks down to dial-up, or slower, speeds.
  2. To solve this problem, Hughes Network Systems has moved Web acceleration operations from the VSAT into software on the user’s desktop and onto a Web acceleration server on the network. Now acceleration takes place before and after the data is encrypted, resolving IPSec VPN conflicts.