by Steve Taylor and Joanie Wexler

Does satellite fit your WAN plan?

Apr 08, 2003

* Satellite services grow up

The performance and security of satellite WAN services – at the end of the day, the most wide-reaching of all communications networks – are improving.

At least three companies – Encore Networks, V-One, and iDirect – offer equipment or services with performance and security enhancements that aim to bring satellite-based network services up to enterprise-class standards. Satellite services that overcome the performance degradation caused by ground-to-satellite-to-ground propagation delay and layer on security, such as encryption, also expand both primary and disaster-recovery connectivity options for organizations, which is a particular boon to those in underserved, rural areas.

As you likely know, satellite has struggled a bit during the broadband era from a performance standpoint, because of its inherent ground-to-satellite-to-ground propagation delay. Also, security has been a question mark (see: “Satellite: What’s at Risk?” at

To compensate for the delay and to improve performance, some very small aperture terminal (VSAT) and satellite modem vendors have enhanced their implementations of communications protocols such as TCP and HTTP. But many IP VPN security solutions don’t interoperate with these protocol flavors.

So Encore Networks and V-One have built VPN products (Encore’s is an appliance and V-One’s is software) that interface to the accelerated versions of these protocols. V-One, for example, claims that its SmartGate application-layer technology delivers between a 5-to-1 and 15-to-1 improvement in throughput over IPSec. “Performance degradation is negligible – less than 10% – compared to regular TCP/IP traffic data rates,” says a company spokesman.

Encore’s Bandit appliance combines an IP router with quality-of-service capabilities, IPSec VPN technology with DES and Triple-DES encryption (AES is planned for this year) and stateful dynamic firewall filtering. It is currently in network operator trials, according to the company.

Service-wise, there is iDirect’s self-described enterprise-class, two-way satellite service.  The company segregates over-the-air customer transmissions between customer sites and a “hub” site. From there, private IP traffic can be directed to the customer’s headquarters via terrestrial VPN, frame-relay or leased-line transports. 

At the moment the satellite link is unencrypted, but iDirect says each satellite router has an address burned in hardware that precludes it from receiving packets that are not addressed specifically to it.

“We use a dynamic allocation TDMA scheme to transmit data, so an eavesdropper would never know what time slot in which a particular remote is transmitting at any given time,” says a company spokesman. He says iDirect will be adding encryption over the satellite link this year.  It is currently possible, he notes, to run traditional CPE-based VPNs at the customer site with the service, but without the TCP acceleration.