Providing VPN Services with SkyEdge


Page 2: 3-4 VPN SE

Virtual Private Networks

- A method for creating a private network via a public network segment (e.g. Internet).
- Can be used for:
  - Remote Access VPN – connecting a user to a central site
  - Site to Site VPN – connecting two sites
- Typically mandate secure connections (authentication and encryption)

Page 3: 3-4 VPN SE

The challenges of VPN over VSATs

Or, why is there a problem?

- TCP spoofing is required for good performance over satellite links
- Standard TCP stacks cannot accept spoofed TCP – TCP spoofing forms a “tunnel”
- TCP spoofing can’t work on encrypted data
- For the VPN over VSAT to work:
  - Traffic needs to be accelerated before encryption (at the source)
  - Traffic needs to be decrypted before translation to standard TCP

[Diagram. Correct: TCP Spoofing, VPN Encryption, VPN Decryption, TCP deSpoofing. Incorrect: VPN Encryption, then TCP Spoofing, giving unaccelerated traffic.]
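Why the ordering matters, as an added example that is not part of the original slides: a TCP accelerator has to read the TCP header, and once the packet is wrapped in ESP the outer IP header only shows protocol 50. The addresses, ports, SPI and the XOR stand-in for encryption are constructed for illustration, and ESP tunnel mode is an assumption.

```python
import socket
import struct

IPPROTO_TCP, IPPROTO_ESP = 6, 50

def ipv4(proto, payload, src, dst):
    """Minimal IPv4 header (no options, checksum left 0) around a payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def tcp_segment(sport, dport, seq, data):
    """Minimal TCP header: data offset 5 words, PSH|ACK, checksum left 0."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                       (5 << 12) | 0x018, 65535, 0, 0) + data

def esp_tunnel(inner, spi=0x1001, seq=1):
    """Stand-in for ESP tunnel mode: SPI, sequence number, opaque body.
    The XOR is NOT encryption; it only models the inner packet being unreadable."""
    opaque = bytes(b ^ 0xA5 for b in inner)
    return ipv4(IPPROTO_ESP, struct.pack("!II", spi, seq) + opaque,
                "198.51.100.1", "203.0.113.1")  # constructed gateway addresses

def accelerator_view(packet):
    """What a TCP accelerator can read from the packet it is handed."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto != IPPROTO_TCP:
        return {"accelerate": False,
                "reason": f"IP protocol {proto}: TCP header not visible"}
    sport, dport, seq = struct.unpack("!HHI", packet[ihl:ihl + 8])
    return {"accelerate": True, "sport": sport, "dport": dport, "seq": seq}

# Constructed sample: one HTTP request segment from a branch PC to an intranet server.
clear = ipv4(IPPROTO_TCP,
             tcp_segment(49152, 80, 1000, b"GET / HTTP/1.1\r\n\r\n"),
             "10.0.0.2", "10.1.0.5")

correct = accelerator_view(clear)                # accelerator sits before encryption
incorrect = accelerator_view(esp_tunnel(clear))  # accelerator sits after encryption

if __name__ == "__main__":
    print("before encryption:", correct)
    print("after encryption: ", incorrect)
```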

Page 4: 3-4 VPN SE

Other Solutions

Problems: Not cost effective – additional box in each remote site

[Diagram labels: PC, TCP Accelerator, VPN Appliance, VSAT, Hub, TCP Acceleration, Internet, VPN GW, Intranet servers]

Acceleration software installed on PC*

Problems: Difficult to manage, a variety of OS, Performance

*VPN client can reside on same PC or VPN appliance can be used

[Diagram labels: VSAT, Hub, TCP Acceleration, Internet, VPN GW, Intranet servers]

Page 5: 3-4 VPN SE

SkyEdge VPN Solution

- Embedded VPN Client in the VSAT (“Client SW free”).
- Standards-based IPSec
- Standard VPN Gateway in central site.
- Gilat VPN Acceleration Server (VPNA)

[Diagram labels: PC, VSAT with embedded VPN client and TCP acceleration, Hub, TCP Acceleration, Internet, VPN GW, Intranet servers]

Page 6: 3-4 VPN SE

SkyEdge example

[Diagram: protocol stacks at each hop between a PC with Browser in a Remote Branch and an HTTP Server among the Intranet servers at Company HQ. Nodes: PC with Browser, VSAT with embedded VPN client and TCP acceleration, Satellite Hub, Internet, VPN Gateway, VPN GW / Router, VPNA (TCP Acceleration), HTTP Server. Stack labels: LAN L1, LAN L2, IP, TCP, HTTP on the LAN sides; Sat L1, Sat L2 or WAN L1, WAN L2 with IP, IPSec, TCP’, HTTP’ on the segments marked Encrypted; LAN L1, LAN L2 with IP, TCP’, HTTP’ also appear.]

Page 7: 3-4 VPN SE

SkyEdge example

[Diagram labels: Company X, Branch of X, Company Y, Commuter of Y, Internet, VPNA and VPN Gateway (one pair per company)]

Supports multiple VPNs on network

Page 8: 3-4 VPN SE

Advantages of using IPSec

- Standard
  - Not a proprietary solution
- Encryption of the entire IP packet
  - For example, SSL encrypts only the application layer
- End-to-End
  - No “man in the middle” attacks
- Security is applied transparently to all applications …
  - Not just HTTP
- A common implementation for hybrid networks
  - Not dependent on transport or access technology

Page 9: 3-4 VPN SE

SkyEdge VPN details

- IPSec peer on the VSAT:
  - Protocol type: ESP/AH
  - Authentication by pre-shared key
  - Supported Encryption Protocols – 3DES, DES and AES (128-bit)
  - Supported Authentication Protocols – MD5 and SHA1
  - Supported Diffie-Hellman type 1, 2
  - Supports connection with many native IPSec enabled devices
- Management
  - VSAT – through NMS and local VSAT Web GUI
  - VPN Acceleration Server (VPNA) – NMS and local

Page 10: 3-4 VPN SE


VSAT VPN configuration screenshot

Page 11: 3-4 VPN SE


VPNA configuration screenshot

Page 12: 3-4 VPN SE

Summary

- VPNs are the best and most cost-effective means to connect remote offices for an enterprise
- IPSec is the standard for implementing VPNs
- Gilat’s SkyEdge enables implementing VPNs on a satellite network:
  - No compromise on security – SkyEdge enables end-to-end VPN
  - No compromise on performance – traffic is accelerated
  - No compromise on cost – minimal HW and simple operation
